Posted August 18, 2015
Welcome to the Cyveillance Weekly Threat Intelligence: Evidence-based knowledge about an existing hazard designed to help organizations make inform decisions regarding their response to the threat. Brief
Threat intelligence is constantly evolving. We publish this weekly security brief to keep our customers updated on the latest threats across a variety of industries. For the latest security news stories throughout the day, follow us on Twitter, and subscribe to our blog to stay up-to-date on highlights from our analyst research reports!
“CareFirst BlueCross BlueShield is facing a proposed data breach class action lawsuit filed by customers who allege their personal data held by the health insurance provider was hacked and that CareFirst failed to prevent that cyberattack. Approximately 1.1 million plan members were affected. […] It was in late May 2015 that CareFirst announced an unauthorized access to a single database had occurred in June 2014 which enabled unknown parties to potentially obtain names, dates of birth, email addresses and subscriber identification numbers of members who signed up before that date. CareFirst claimed information such as Social Security numbers or credit card information was not accessed. […] According to the complaint, […] claimed that CareFirst failed to adequately secure the computers storing customers’ personal information, despite becoming aware of an attempted data breach last year.”
“Two data-brokerage firms illegally sold the financial information of at least 500,000 people who applied for payday loans to a third party that stole millions from them, the Federal Trade Commission alleged in a case announced Wednesday. […] In a complaint filed [August 7], the government said that [the two firms] collected sensitive financial data about people seeking payday loans. They purchased some of the data from other outlets and obtained the rest through a variety of Web sites the companies owned that claimed to help people obtain payday loans. The firms then sold the data to others […] according to the FTC.”
– The Washington Post
Legal and Regulations
On July 31, the White House released a report on its 30-day cybersecurity “sprint,” launched on June 12 in the wake of the Office of Personnel Management (OPM) hacks. The report is brief, providing statistics on each agency’s use to-date of two-factor authentication (2FA), and highlighting the dramatic 30 percent jump in 2FA adoption since the outset of the cyber sprint. The July 31 report indicates that use of 2FA increased from about 42 percent to over 72 percent during the cyber sprint, which represents a significant jump in such a short time span, and immense progress after the 2011 initiative stalled at 42 percent in 2014. Fourteen agencies met the goal for stronger user authentication set at the beginning of the cybersecurity sprint, while ten agencies fell below the target. However, the report is silent regarding the results of the other goals to 1) deploy technology that scans for malicious activity, 2) patch critical vulnerabilities, and 3) limit the number of privileged users.
“The Square Reader, used by millions of businesses in the United States, could at one point be converted in less than 10 minutes into a skimmer that could steal and save credit card information, according to three recent [Boston University College of Engineering] grads. Their findings [were] presented […] at the Black Hat USA 2015 cybersecurity conference in Las Vegas. […] The trio also found that Square Register software could be hacked to enable unauthorized transactions at a later date. “The merchant could swipe the card an extra time at the point of sale,” says Moore. “You think nothing of it, and a week later when you’re not around, I charge you $20, $30, $100, $200… You might not notice that charge. I get away with some extra money of yours.””
– BU Today
“Ubiquiti, a San Jose based maker of networking technology for service providers and enterprises, disclosed the attack in a quarterly financial report filed this week with the U.S. Securities and Exchange Commission (SEC). The company said it discovered the fraud on June 5, 2015, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department. […] Known variously as “CEO fraud,” and the “business email compromise,” the swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.”
Calling it the “largest-known computer hacking security fraud scheme,” the FBI charged nine people in indictments that allege they managed to break into three newswires and accessed embargoed press releases containing financial information. The FBI reports that the international scheme netted its participants $30 million in illegal profits. The suspects are accused of stealing confidential information about companies traded on the New York Stock Exchange (NYSE) and NASDAQ. The FBI said the group stole about 150,000 confidential press releases from the servers of newswires.