Monthly Archives: July 2017

Casino hacked through fish tanks private officer

Most people know about phishing — but one casino recently learned about the dangers of actual fish tanks.

Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in a the casino’s security.

The unnamed casino’s rogue fish tank is one of nine unusual threats that Darktrace identified on corporate networks published in a report Thursday.

The report cites examples compiled from Darktrace’s threat detection technology. Darktrace makes security technology that sits on a company’s network and monitors the activity taking place. That could be anything from data transferred between computers or actions taken by a connected coffee maker.

When the technology notices an anomaly — like a device that doesn’t belong or data being sent somewhere it shouldn’t — it alerts the company’s security team.

In another example of an unusual attack, smart drawing pads connected to insecure wifi were used to send data to websites around the world in what’s called a “denial of service” attack. A hacker had scanned the internet looking for vulnerable devices, and exploited them to try and flood other websites with too much traffic.

We’ve seen cybercriminals leverage connected devices for destructive purposes before.

Last year, the Mirai botnet took control of smart home devices, like security cameras, all over the world, effectively turning them into zombie machines directing web traffic to take down popular websites like Netflix and Twitter.

Fier, a former U.S. intelligence contractor, says he anticipates threats coming from more unexpected places. Phishing emails will be one way hackers can get onto systems. But things like insecure fish tanks connected to the internet will be another.

“In the current cyber climate with political and corporate espionage, I think you’re going to start to see attackers, whether nationstate or criminal, having to get more creative in their attack vectors,” Fier said.

Travel Giant Sabre Confirms Its Reservation System Was Hacked

Just two months ago, the Sabre Corporation announced that it had hired security firm Mandiant to investigate a possible hacking incident. Now the company has publicly announced the results of that investigation. An unauthorized third party breached Sabre systems and was able to access customer payment data.

That’s not great news, considering the Texas-based company processes reservations for around 100,000 hotels and more than 70 airlines worldwide to the tune of $120 billion. If there is a silver lining, it’s that Sabre says that only the Sabre Hospitality System — which handles bookings for hotels from both consumers and travel agents — data was compromised. A company spokesperson also confirmed to me that “less than 15 percent of the average daily bookings on the SHS reservation system were viewed” while the attackers had access.

An Intercontinental hotel in New York City.

It’s still a very significant breach, especially since both payment card information and reservation details were accessed. In some cases, that included the customer’s name, email address, phone number, and address.

Like most industries, the travel sector has had to deal with a steady rise in cyber attacks in recent years. In 2016, InterContinental Hotels Group reported that more than 1,000 of its properties had been hit with “malicious software designed to siphon customer debit and credit card data,” according to security expert Brian Krebs. Earlier in the year, HEI Hotels & Resorts reported a similar incident at some of its Hyatt, Marriott, Sheraton, and Westin locations.

On June 6, once Mandiant had concluded its investigation, Sabre began notifying payment card providers, partners, and customers. The company says that it “has enhanced the security around its access credentials and the monitoring of system activity to further detect and prevent unauthorized access.” Sabre has also set up a call center to handle inquiries about the breach.

 

Network Safety: Experts Weigh In

If you missed our Cybersecurity Session “Cybersecurity for CEO’s- The Game Has Changed” at The NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

The cost of stolen information for a single customer can fetch $10-20 on the dark net, but the liability to an organization is $158 or more. This greater figure reflects the cost to recover data, the value of this information to competitors and regulatory fines incurred. Multiply this number by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but, are they already in?

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them until the victim pays an agreed-upon sum. However, organization that already has solid system backups in place can combat ransomware by reverting back to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerability (a hole in security unknown to the vendor, typically identified and exploited by hackers over a short time frame) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because emailing and phone calls already poke holes into a security system, organizations must be vigilant in managing these activities to avoid a breach. One way to do this is by focusing security training on individuals with elevated privileges, such as system administrators and C-suite users, which are hot targets for hackers.

Know Who to Call

An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software instead of patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important questions that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Add-in of other annual assessments, such as penetration testing, phishing, etc., to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders