Indian Banks are Waking Up to a New Kind of Cyber-Attack*:
- Hackers recently infiltrated the systems of three government-owned banks, two headquartered in Mumbai and one in Kolkata, to create fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items.
- The banks are still unsure about the origin of the attack and the intention of the hackers.
- There was fraudulent duplication of letters of credit (LC) and the Indian bank may later face a monetary claim when the foreign bank tries to recover the money released against an LC or guarantee.
- Banks now have to match the documents shared through the SWIFT system with the actual documents in their system to find out whether systems have been misused; since there is no immediate loss of money, a bank may take a long time to sense that its SWIFT system has been hacked.
- Since June 2016, SWIFT systems of four Indian banks have been targeted.
*Source: Economic Times, January 16, 2017
Hacker Cracks Facebook with Remote Code Execution Bug*:
- Facebook has paid US$40,000 to vulnerability hunter Andrew Leonov for disclosing how the hacker gained remote code execution on its servers through the widely-reported ImageMagick flaw.
- Facebook's highest bounty payout as of January 2014 stood at US$33,500 to vulnerability hunter Reginaldo Silva for a remote code execution bug.
- The open source ImageMagick tools are used by scores of web properties to resize, crop, and tweak pictures.
- Web property owners pounced to patch the bug within hours, a feat that could prove difficult for entities with enormous code bases such as Facebook.
- As of October 2016, Facebook had paid out US$5 million in bug bounties since 2011.
*Source: The Register, January 18, 2017
California Amends Its Data Breach Statute*:
- The California Legislature has again amended California's Data Breach Statute regarding the obligations of companies to disclose the breach of personal information stored in computerized data.
- Prior to the amendment, anyone conducting business in California that owns computerized personal information data was required to disclose a breach for any residents whose information was acquired by an unauthorized person.
- The amendment adds another element triggering the obligation to notify individuals of a security breach or suspected breach: now individuals must also be notified if the encryption key or security credential was acquired by an unauthorized person.
- The definition of "personal information" is sufficiently broad that most companies will be impacted by this amendment if such data is stored in a computerized format.
- Personal information also encompasses user name and password information such that access to an online account can be gained.
- California's Data Breach Statute adds another layer to conducting business within the borders of California, and impacts companies of all sizes if they store computerized personal information.
*Source: JD Supra, January 13, 2017
Deutsche Bank Bans Text Messages, WhatsApp on Company Phones*:
- Deutsche Bank AG has banned text messages and communication apps such as WhatsApp on company-issued phones in an effort to improve compliance standards.
- Unlike e-mails, text messages can’t be archived by the bank, said a person with knowledge of the matter who asked not to be identified discussing internal matters.
- The policy also applies to private phones used by employees for work purposes, and communication apps such as WhatsApp, Google Talk, and iMessage are also prohibited.
- Deutsche Bank is working to improve compliance and clean up a reputation dented by a series of probes into its role in the sale of toxic debt, manipulation of interest-rate benchmarks and failure to prevent possible money laundering in Russia.
- Deutsche Bank has been slapped with more than $13.9 billion in fines and legal settlements since the start of 2008.
- Deutsche Bank spokesman Tim-Oliver Ambrosius confirmed the decision and declined to comment further.
*Source: Bloomberg, January 13, 2017
Cyber Fraud Scaring Investors Away From India*:
- Concerns over fraudulent practices and cyber security lapses have started clouding investment sentiment in India with one out of five top executives of global corporations expressing their apprehensions over investing here because of concerns around fraud.
- According to a 2016 study published by Kroll, 19% of the 545 respondents said they had been ‘dissuaded’ from investing in India due to such concerns; India ranks second only to China, which saw 25% of the respondents sharing the same concern.
- Among the major reasons identified in the report that accounted for the frauds, 27% originated from conflict of interest at the management level, 27% from corruption and bribery, 27% from market collusion and 25% from internal sources.
- While the report indicated a bleak future for the Indian investment environment, it also noted that 68% of Indian companies were affected by fraudulent actions in 2016 compared to 80% in 2015.
- Companies were mostly targeted for their top secret business information, but there were also attempts to extract information about their employees.
- Unlike in the developed world, cyber security was never part of the priority list of Indian companies but steps like demonetisation and increased digitisation have brought discussions on cyber security to the foreground.
*Source: Economic Times, January 19, 2017
Hackers Cripple Leading Marijuana Sales System*:
- Hackers recently took down the servers of MJ Freeway, a system that tracks marijuana sales and inventory, and helps dispensaries prepare regulatory paperwork.
- The company says no customer or patient information was stolen during the attack, but a large amount of data was corrupted.
- One medical non-profit, New England Treatment Access (NETA), notified clients in the days after the attack that sales would be slower than usual because staff would have to execute them manually.
- The recovery process appears to have been agonizing, requiring one-on-one work with clients to recover data and migrate to new infrastructure.
- An MJ Freeway spokesperson said the attack was specifically targeted at MJ Freeway, but the company reports that it has received no ransom demands, suggesting that the attack could have been personally or politically motivated.
- In a 2015 Bloomberg profile, the company’s services were described as something like SAP or Oracle for weed, with features like automatic sales reports, staff scheduling, and crop data tracking.
*Source: Fortune, January 15, 2017
Unknown Website Knows Who Your Family Members Are And Where They Live*:
- There's a lot of information about you in public documents if you've ever signed a lease or applied for a loan - your address, your age, sometimes the identity of your family members.
- It's well known that a lot of sites around the internet, such as Spokeo, collect and compile that kind of information into databases.
- One innocuous-seeming website, FamilyTreeNow.com, found itself at the center of controversy earlier this week when some people realized that you could get information like a person's address, family members, birth month, and phone number within minutes and without ever creating an account.
- Simply input your name and your state and see what it turns up for you.
- You can still opt out, but FamilyTreeNow posted a statement saying opt-out requests will be severely delayed due to high volume.
*Source: Business Insider, January 14, 2017