Category: Managing Threats & Attacks

1
Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid
2
K&L Gates Supports Safer Internet Day 2019
3
Is Microsoft giving us a window to our personal data?
4
Biggest data leak in German history
5
Emergency warning system hacked
6
China in breach of cyber-security pact
7
China’s main security agency linked to cyber intellectual property theft
8
Beware of third party data breaches
9
US, Russia and China don’t pledge to fight cybercrime
10
Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word

Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid

By Cameron Abbott, Max Evans and Wendy Mansell

A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.

The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.

Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.

A number of small firms fell victim to these tactics giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further they used fake personas to send emails and pretended to be job seekers, by sending resumes containing tainted attachments to energy companies.

The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies who had access to the industrial control systems that run the grid.

An alarming aspect was the number of affected companies that remained oblivious of the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two factor authentication and regular password resets remain measures to limit these threats but so many organisations do not use them.

We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.

K&L Gates Supports Safer Internet Day 2019

By Cameron Abbott and Wendy Mansell

Today is Safer Internet Day and K&L Gates is a proud supporter of this yearly international event which raises awareness of cyber issues and online safety concerns.

K&L Gates has a strong focus on promoting and advocating for a safer internet through the Cyber Civil Rights Legal Project. This project helps victims of non-consensual pornography known as ‘revenge porn’ by providing pro bono legal assistance to individuals suffering from these cybercrimes.

Revenge porn is a serious invasion of privacy and K&L Gates assists in having the images removed from the internet. This cyber epidemic is taking place around the world and due to K&L Gates global legal presence, these services can be provided to victims internationally.

K&L Gates further supports Safer Internet Day through the working relationship being built with the Office of the eSafety Commissioner,who is responsible for coordinating the event in Australia.

The theme for this year’s event is “Together for a better internet“, which encourages the development of respect, responsibility, reasoning and resilience skills when using the internet. K&L Gates is actively striving for a better internet through focusing on improving online safety and fighting against cybercrimes.

Is Microsoft giving us a window to our personal data?

By Cameron Abbott and Allison Wallace

We often blog on this page about personal information being breached, data being hacked, systems being compromised – and tell cautionary tales of the difficulties businesses can experience if they experience a data breach.

So what if there was a good news story? A way to know what information there is out there about you, so that if it is compromised, you can take control? Microsoft may just be working on such a solution.

Multiple websites (see here and here) have now reported on Microsoft’s “Project Bali” – which, although still in a private testing phase is accessible to a lucky few, by invite only.

The Project Bali website reportedly describes the tech giant’s project as “a new personal data bank which puts users in control of all data collected about them” and will allow users to “store all data (raw and inferred) generated by them ..[and] to visualise, manage, control, share and monetise the data”.

It is reported that the project was borne from a Microsoft Research paper in 2014 that delved into the concept of “Inverse Privacy” – allowing consumers to access the data that any given business holds about them, increasing transparency, something consumers value.

In theory, Project Bali seems like a good antidote to the increasing number of privacy incursions we are seeing (such as this and this). However, whether the idea is commercialised and becomes publicly available, only time will tell. We will keep you posted.

Biggest data leak in German history

By Rob Pulham, Warwick Anderson and Wendy Mansell

A 20 year old German man orchestrated a serious and sophisticated data breach which affected more than 1000 people.

The attack was focused on German and European politicians at all levels including German Chancellor Angela Merkel, President Frank Walter Steinmeier and hundreds of public figures and celebrities.

The 20 year old hacker took to Twitter to drip feed the information depicted as an advent calendar by releasing new data each day in December. Information exposed included contact details, credit card and financial information, chat records, photographs and other personal information.

Reuters’ reported that the hacker is a student who lives at home with his parents, has no formal computer education and was motivated by irritation over statements made by politicians and public figures.

The widespread nature of this attack has resulted in a number of government officials calling for tighter laws.

It is clear that no-one is safe from a data breach – even those elected representatives who enact the laws designed to protect against them.

Emergency warning system hacked

By Warwick Andersen, Rob Pulham and Allison Wallace

A new year, and a new hacking incident – this time, it was the Early Warning Network (EWN) – a text and email service used by councils around Australia to warn locals of emergency situations.

On its Facebook page, EWN stated that a hacker was able to access its system, sending out messages via text, email and landline stating that EWN had been hacked and that the receiver’s personal data was not safe. The message also included links to support email addresses and a website.

EWN said that the hack was quickly identified and systems shut down, with no-one’s personal information compromised during the attack. The attack is believed to have originated within Australia, involving compromised login details.

While EWN said that personal information was not compromised by this incident, it serves as a timely reminder for businesses to check and test their information security processes and data breach response plans – and if one isn’t in place, to implement one.  The Office of the Australian Information Commissioner reported that it received 550 notifications of data breaches from the time the notifiable data breach legislation commenced on 22 February 2018 to 30 September 2018.

If you’d like to find out more about the legislation, or what your business can do to protect itself, check out this 60-second video by Cameron Abbott.

China in breach of cyber-security pact

By Cameron Abbott and Wendy Mansell

It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of Security Services is behind the surge of intellectual property theft from Australian companies.

The news that the persistent attacks on Australian IP are perhaps a State sponsored campaign by the Chinese government is concerning as it suggests that China are in breach of several international and bilateral agreements.

In 2015, an agreement was made between Chinese President Xi Jinping and former President Obama, that the U.S and China would not steal intellectual property from one another for commercial gain. This was furthered at the November 2015, G20 Summit, where the cyber-theft of IP was accepted as the norm.

Following on from this in September 2017, former Prime Minister Malcolm Turnbull and Chinese Premier Li Kequiang promised that neither country would engage in cyber-theft of intellectual property and commercial secrets.

Reports of cyber-theft declined immediately after these agreements, however in recent months they have ramped up again.

A U.S Trade Representative report released this week confirms that despite any international agreements, China has continued engaging in cyber-espionage and the theft of intellectual property. Further the report states that not only is China likely to be in breach of these agreements, but the attacks have “increased in frequency and sophistication”.

Notably in July of this year, China was linked to the cyber-breach of Australian National University. This attack was particularly disturbing given that ANU is a leading university involved in key areas of Australian technological, scientific, defence and commercial research.  It is fascinating that cyber attacks and theft are a “norm” that is accepted within our overall international relationships.  Physical acts of a similar nature would not be so easily accepted.

China’s main security agency linked to cyber intellectual property theft

By Cameron Abbott and Wendy Mansell

In April 2017, PWC, in collaboration with BAE Systems’ published a report on “Operation Cloud Hopper”, which exposed a cyber espionage campaign being conducted by a China-based threat actor. The report suggests that Operation Cloud Hopper is almost certainly the same threat actor known as “APT10”, a Chinese group thought to be behind cyber-attacks against many countries including Japan, Canada and America.

Recently it has been reported that there are links between China’s Ministry of State Security (MSS) and Operation Cloud Hopper. These allegations are from U.S based firm CrowdStrike who have recognised ties between Operation Cloud Hopper and the MSS Tianjin Bureau.

There is no confirmation that the MSS is behind the Cloud Hopper attacks, however Dr Adrian Nish, Head of Threat of Intelligence at BAE Systems said that there is “no reason to doubt” the claims.

The term “Cloud Hopper” describes a technique where cyber espionage groups “hop” from cloud storage services and infiltrate Australian IT systems. Operation Cloud Hopper is responsible for the theft of intellectual property from a number of Australian companies, primarily focused on mining, engineering and professional services firms.

In a week full of news about China activities in the region, the suggestion of state sponsored hacking thefts is a salient warning to companies that their core intellectual property assets are at risk if not well secured.

Beware of third party data breaches

By Cameron Abbott and Keely O’Dowd

A study by Ponemon Institute found the percentage of US and UK companies that faced a data breach because of a vendor or third party is growing. In the US alone, 61% of surveyed respondents confirmed that their organisation had experienced a data breach caused by a third party, which is up 5% from last year and 12% from 2016.

Ponemon Institute’s research also found that 22% of surveyed respondents admitted they did not know if they had a third party data breach during the past 12 months and more than three quarter of companies thought third-party cyber security breaches were increasing.

These research findings suggest to us that businesses must do more to guard against third party data breach risks. This may involve:

  • conducting due diligence on third party vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship;
  • including robust privacy and data security clauses in contracts with third parties, including the requirement that the third party notify you of actual and suspected data breaches; and
  • keeping a register of all third party vendors your business engages and the types of personal, sensitive of confidential information the third party vendors accesses, stores or shares on behalf of your business.

The third party landscape is becoming increasingly complex and businesses need to better manage and understand what exactly their vendors are up to and doing to protect their data.

US, Russia and China don’t pledge to fight cybercrime

By Cameron Abbott and Wendy Mansell

Fifty countries including Japan, Canada and many EU nations have come together with over 150 tech companies, pledging to fight against cybercrime. United State’s tech giants such as Facebook, Google and Microsoft have also joined the party.

The United States, Russia and China however have decided not to sign on. Each has no doubt very different reasons for this – the disappointment is mostly directed to the US. However it is a shame that Russia and China did not also feel the weight of the international community pressure to accept these principles.

The effort to combat cybercrime is being led by France, with French President Emmanuel Macron claiming that it is urgent that the internet is better regulated.

The countries and companies involved are fighting against illegal online activity like censorship, cyber interference in elections, hate speech and trade secrets theft.

The pledge has been made in a document titled the “Paris call for trust and security in cyberspace”.

Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word

By Cameron Abbott and Colette Légeret

Cymulate, a leading provider of Breach and Attack Simulation solutions and a Gartner 2018 Cool Vendor, announced last week that its Security Research Team had uncovered a security flaw in the Microsoft Office Suite (Office) that may affect Microsoft Word (Word) users.

The Office security flaw identified is a JavaScript code execution within the embedded video component of Word. This has the potential to impact all users of Office 2016 and users of older Office versions. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening the document with Word.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.