Sunday, January 3, 2016

Issue 45 - Week of Dec 28th

1. In TalkTalk aftermath: After Target, Home Depot and JPMC were breached, their stocks showed no noticeable impact, but when UK telecom giant TalkTalk joined the breach victim club in Oct'15, its stock took a jaw-dropping beating, and it hasn't recovered. A lot of people are wondering why. Was something different about TalkTalk's break-in, or are we now entering the era where cyber-attacks can damage more than a company's reputation? In the past there have been few examples, like Heartland Payment Systems and Global Payment Systems, whose stock value eroded after cyber-attacks, but in general shareholders don't have good metrics, tools, and approaches to measure the impact of cyber-attacks on businesses, and hence it does not translate into a dollar value erosion.

2. 191 Million US Voters' Personal Info Exposed by Misconfigured Database: The database includes voters' full names, home addresses, unique voter IDs, dates of birth and phone numbers. It was discovered by a white hat hacker. Fortunately, the database doesn't contain Social Security Numbers, driver license numbers, or any financial data, but it's still a massive amount of data when it comes to protecting users' privacy and security. The crazy part of the data breach is that no one is taking responsibility for the exposed database.

3. Steam confirms DoS revealed user details: Gaming platform Steam has confirmed that a denial-of-service (DoS) attack that took place on Christmas Day caused around 34,000 users to have their sensitive personal information returned to, and possibly seen by, other users. The company is working on identifying affected users. Earlier in Dec'15, it was admitted that up to 77,000 accounts each month are hijacked on Steam, with users having their digital items stolen and sold, which led the company to implement increased security such as two-factor authentication, Mobile Authenticator, self-locking features, and user notifications of any risk.

4. BBC says website knocked down due to apparent DDoS attack: Service was out for more than three hours last week. Users received an error message, and the broadcaster said on Twitter that the outage was due to technical problems. The BBC later apologized for the outage. A news story posted on the website said it had been due to a "distributed denial of service" attack, in which a website is swamped with more traffic than it can handle. This is a relatively common way to target a website and temporarily make it inaccessible.

5. Hyatt Hotels Reports Data Breach: Hyatt Hotels has announced a data breach affecting its customers' financial data, which a later investigation traced to a malware infection on its PoS systems. Hotel representatives did not specify which brands or hotel properties were affected, or what kind of data was stolen. It is not yet known whether the malware infection was found on the hotels' own reservation system PoS, or on the payment processing system used by gift shops and restaurants located on the hotels' premises. In the past, data breaches have been reported by the Trump Hotel Collection, Starwood Hotels, and Hilton Hotels.

6. Convenience meets continuing complexities: The Internet of Things will help (and hurt) us all. The websites, apps and electronic devices that comprise the Internet of Things (IoT) make navigating personal and business tasks more convenient than ever, but their popularity also means a wider attack surface, expanse of data and range of vulnerabilities for threat actors to exploit. Industries such as healthcare and manufacturing, which utilize a large number of connected devices and networked systems in the course of their everyday business, are likely to face a wider range of security vulnerabilities and threats.

7. Microsoft has pledged to inform users if their online communications (Outlook.com email and OneDrive) are being targeted and monitored by government entities: MS is the latest to follow in the footsteps of Facebook, Twitter, Google and, more recently, Yahoo in warning its users of state attacks. Experts advise that an additional way to keep personal data and accounts safe is to avoid opening suspicious emails, clicking on their links or downloading their attachments. The links in the fraudulent emails will redirect users to malicious websites, and the attachments will deliver malware payloads; both can steal user credentials as well as compromise their systems.

8. Tor Project launches bug bounty program: Anonymizing network Tor has secured the help of sponsors to launch a bug bounty program designed to stamp out vulnerabilities which may risk user privacy. The Tor Project is a non-profit organization which operates the Onion network, a relay-and-node system designed to make user tracking online very difficult. However, no system is completely foolproof, and there have been reports of Tor users being identified. Several governments and individuals are interested in cracking Tor; for example, a cybersecurity firm offers up to $30,000 for previously unreported zero-day vulnerabilities impacting the Tor network.

9. Indian Financial services continue to face high number of cyber threats: The scale and size of cyber-attacks on BFSI is the highest among all verticals. Technological changes such as mobile banking, mobile wallets and payment gateways have increased the potential attack vectors. Hackers continue to steal credentials and other sensitive information through phishing emails and phishing websites, DDoS attacks are not infrequent, and internal threats are becoming serious. The solution for BFSI is comprehensive investment in PPT (People, Process and Technology).


10. Everything about you is already known (most probably): The increasing frequency of data breaches, such as the many seen in 2015 (780 breaches), is changing the way we think about PII - Personally Identifiable Information (177 million data records exposed in 2015). We are, in fact, moving to a “post-privacy” society, where it is not uncommon for an attacker to have access to information that we have previously considered personal. Data Theft Prevention and post-breach activities will become increasingly important, though it will be hard to be fully prepared for such an unknown. Defenders must take careful stock of their data handling processes, be nimble in this changing technology landscape and invest in (re)training key personnel.

