India's City Union Bank CEO Says Suffered Cyber Hack via SWIFT System*:
- Attackers this weekend made $2 million in unauthorized transfers from India's City Union Bank via the SWIFT financial network.
- The CEO of City Bank said that so far there is no evidence of internal staff involvement.
- City Union was able to block one of the transfers, totalling $500,000, that was being sent through a Standard Chartered Bank (STAN.L) account in New York to a Dubai-based lender.
- A second transfer of $372,150 was routed through a Standard Chartered Bank (STAN.L) account in Frankfurt to a Turkish account, although the Turkish lender blocked the transfer from being finalized.
- A third totaling $1 million was sent through a Bank of America (BAC.N) account in New York to a China-based bank.
- Brussels-based SWIFT has been urging banks to bolster security of computers used to transfer money since Bangladesh Bank lost $81 million in a February 2016 cyber heist.
- Banking security experts said Indian banks that rely on the SWIFT messaging platform needed to be more vigilant.
- Industry experts say more than 100 financial institutions in India are connected with SWIFT including the central bank.
*Source: Reuters, February 18, 2018
What Happened After the US Moved to Chip-Embedded Payment Cards?*:
- The US began its transition to chip-based credit cards in earnest in October 2015, after high-profile credit card hacks in the previous years.
- Currently, although only 59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade.
- Chip-embedded cards aren't un-hackable, but they do make it harder to use stolen credit card numbers en masse as we saw in the Target's 2013 breach.
- Chip cards also can't prevent against Card-Not-Present (or CNP) fraud, which takes place when card information is stolen online, by mail, or over the phone.
- It's unclear whether the transition to chip-embedded cards will reduce fraud overall as shopping occurs at brick-and-mortar stores less and less often in the US.
- The transition to chip-embedded cards in the US started a full decade after retailers and credit card companies transitioned away from magnetic stripe credit cards in Europe, Australia, Brazil, and several other countries.
- The US is finally catching up, just in time for contactless and mobile payments to make physical credit cards less and less necessary.
*Source: ARS Technica, February 24, 2018
FedEx Customer Data Exposed on Unsecured S3 Server*:
- Data belonging to thousands of global FedEx customers was exposed on an unsecured Amazon Simple Storage Service (S3) server configured for public access.
- The exposed bucket belonged to Bongo International LLC, a company created to help North American companies market to customers around the world.
- Although the organization closed in 2017, data inherited from 2009-2012 remained available on the server, exposing personal identifiable information from citizens representing Canada, Japan, China, Australia, the EU, and other countries until the bucket was removed from public access this month.
- The server contained more than 119,000 scanned documents including passports, driver’s licenses, and security IDs.
- FedEx reports it has no evidence the data was compromised but is still investigating the matter.
- The company joins a growing list of organizations that have unintentionally compromised consumer data by failing to properly secure their Amazon S3 storage buckets.
*Source: Dark Reading, February 16, 2018
Sinovel Wind Group Found Guilty of IP Theft Valued at $800 Million*:
- Sinovel Wind Group, a manufacturer and exporter of wind turbines, and three of its employees have been convicted of trade secret theft following a trial in Wisconsin.
- The value of the technology stolen is estimated to be more than $800 million, and the victimized company American Superconductor (AMSC) lost more than $1 billion in shareholder equity.
- AMSC filed both criminal and civil complaints against Sinovel in 2011 because Sinovel breached their partnership agreement, and their intellectual property surrounding wind turbines had been taken and used to improve the Chinese electric grid.
- The Department of Justice (DOJ) filed a criminal complaint against Sinovel for its role in attempting to “convert a trade secret that is related to a product that is used and intended for use in interstate and foreign commerce.”
- Two Sinovel employees and one person employed by AMSC were convicted.
- From January 2011 through December 2012, the employees worked together to purloin the trade secrets of AMSC; AMSC notes that the value of the stolen technology and business loss was in excess of $800 million.
- None of the convicted employees are in US custody as they’re currently residing abroad.
- AMSC had to lay off over half of its global workforce – more than 700 individuals.
- Having a data loss prevention (DLP) capability within the AMSC infrastructure may have identified the activities of Sinovel early.
- The fact that AMSC was able to reconstruct the events from the data logs and stores is commendable and no doubt assisted in the prosecution of Sinovel.
*Source: CSO Online, February 21, 2018
May Wants Total Alignment with EU Data Rules After Brexit*:
- U.K. Prime Minister Theresa May proposed keeping Britain in total alignment with the European Union’s data-sharing rules after Brexit, something that would allow both intelligence agencies and business to continue to share information across borders.
- The U.K. regards the EU’s data rules, which are crucial to both companies and security agencies, as one of its successes within the bloc.
- Staying aligned would allow the sharing of information between offices in different countries confident that it was subject to proper protection rules.
- May even proposed “an ongoing role” for the U.K.’s data agency in setting the EU’s rules, and also she wants U.K. defense companies to be able to compete on a level-playing field for European projects.
- The speech was intended both to reassure her counterparts and to show how a new trade deal could be reached.
- A new treaty on security, as she proposed, would be vital to counter-terrorism work, but it would also serve a higher purpose: it would establish that, in some areas, the EU is willing to consider new types of relationships with third countries.
- The bloc’s chief negotiator has repeatedly insisted that no such option is available to the U.K. when it comes to trade.
*Source: Bloomberg, February 17, 2018
US Government in Epic Border Security Fail*:
- The US government has been left red-faced after it emerged that its Customs and Border Protection (CBP) has failed for over a decade to verify passports are authentic because it has not been able to properly read their built-in smart chip.
- Democratic Party senators Ron Wyden and Claire McCaskill sent a letter this week to the acting commissioner of the CBP demanding that the anti-forgery and anti-tampering features of the e-passports are utilized.
- The ‘smart’ passports, implemented in the US back in 2007, contain a chip on which is stored the holder’s information and cryptographic information to verify its authenticity, making it virtually impossible to forge.
- Countries that want to retain visa waiver status must also support e-passports for their citizens.
- CBP has been aware of this security lapse since at least 2010, and they still do not possess the technological capability to authenticate the machine-readable data in e-passports.
- The senators argued that “it is past time” for the features to be utilized, and urged the agency to work with experts to calculate the costs before developing and implementing a plan to validate the digital signatures in smart passports.
*Source: Info Security, February 23, 2018
Military, FBI, and ICE are Customers of Controversial ‘Stalkerware’*:
- Dozens of employees from US federal law enforcement agencies and the armed forces have bought smartphone malware that can, in some cases, intercept Facebook messages, track GPS locations, and remotely activate a device’s microphone, according to a large cache of data stolen by a hacker.
- The news highlights the popularity of consumer spyware not just among the general population, but also with members of the US government.
- The spyware company in question is Mobistealth, which sells its products to monitor children and employees.
- Users need to have physical access to the Android or jailbroken iPhone device to install the software.
- Contained in the Mobistealth data are customer accounts linked to email addresses from the FBI, DHS, TSA, ICE, and several different branches of the military.
- It is not clear whether the individuals paid for the malware themselves or through their respective organizations.
- The hacker behind the breach told Motherboard, in sum, that hacking Mobistealth as well as another spyware company they targeted was relatively easy.
- That brings up all sorts of questions not only about why officials purchased the malware, but the potential consequences of buying sensitive tools from such vulnerable companies.
- Data showing an official bought a piece of malware for potentially illegal purposes could leave them open to blackmail.
- The FBI and DHS declined to comment.
- It is difficult to determine why each user purchased malware – it may have been used in an official capacity for their job, to monitor their children, or perhaps it was used illegally.
*Source: Motherboard, February 23, 2018