SecurityOrb.com’s Top 3 Security Hacks of 2017
In recent years security breaches have been a big topic as it has impacted many of our lives and 2017 is not different. SecurityOrb.com recently reviewed some of the most notable hacks of 2017 and compiled a list of the top 3 security breaches.
- Equifax – In July of 2017, Equifax one of the largest credit bureaus was hacked as the personal information of 145 million people were taken by cybercriminals. It was considered among the worst breaches of all time because of the amount of sensitive information exposed, including Social Security numbers, addresses and the maiden names of your mother.
- Leaked NSA Hacking Tools – In April of 2017, a hacking group called the Shadow Brokers leaked a bunch of hacking tools that belonged to the National Security Agency aimed at exploiting Windows-based systems. One to the tools leaked by the Shadow Brokers was used in the year’s biggest global cyberattack known as the WannaCry exploit.
- WannaCry – In May of 2017 the ransomware known as “WannaCry” targeted more than 150 countries and many of the businesses within those countries that were running outdated Windows software. The hackers behind WannaCry demanded money to unlock the files and more than 300,000 machines were effected across several industries, including health care, universities and car companies.
Let us know what you think of the list, what else should have been on the list in your opinion?
The Software Engineering Institute (SEI) Issues Advice on Ransomware
The Software Engineering Institute (SEI) of Carnegie Mellon University has released a blog post on best practices for preventing and responding to ransomware. This common malware captures, encrypts, and holds your data to extort a ransom. SEI’s top recommendation to thwart ransomware attacks is to back up your important files regularly.
US-CERT recommends that users and administrators review SEI’s blog post (link is external) and US-CERT’s Security Publication on Ransomware for more information.
Suspicious Activities on Hotels.com User Accounts
I recently received an email from Hotels.com stating an unauthorized user may have accessed user’s accounts and are urging customers to change their password. Read the actual email below.
“We are writing to make you aware of recent activity involving Hotels.com accounts that leads us to believe that some of your personal information, including your reward nights, may have been accessed by an unauthorized user. However, rest assured that your full credit card information was not compromised on our website.
On May 22-29, 2017, we detected unusual user activity with a number of accounts, including yours, which we believe resulted from an unauthorized user accessing the accounts using customers’ usernames and passwords. The accessed data could have included your name, address, e-mail address, hotel booking history, reward nights, and the last four digits of your stored credit card—but only if a user selected the option to save credit card numbers.
If we’re able to verify that free nights were recently removed from your account without your authorization, we will quickly restore those nights.
We are taking steps to ensure the continued security of your data, including resetting all compromised passwords. When you attempt to log in to your account, you will receive a message that will provide you with instructions on how to change your password.
The following are tips on how better to protect your account:
- To reset your password, click the “forgot your password” link and follow the instructions on the screen.
- Because an unauthorized user accessed your account using your username and password, we recommend that you create an entirely different password and one that is not shared with any other online service. Strong passwords are at least eight characters long, and contain upper and lowercase letters, plus numbers and symbols.
- Verify your account details are correct by validating your e-mail address, and other account information. If you notice anything unusual with your account details, please contact us.
The security of our customers’ account information is of the utmost importance to us, and we apologize for any inconvenience this issue may cause you. If you have questions, please feel free to contact Hotels.com at 800-246-8357. Please note that our Customer Service agents will not be able to assist you with changing your password—only you can change your password online.
Sincerely,
Hotels.com Customer Support”
Kmart Stores Battling Malware-Based Security Breach of its Store Credit Card Processing Systems. Again…
An article by Brian Krebs from KrebsonSecurity.com:
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems.
Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in common: They were all used at Kmart locations.
Asked to respond to rumors about a card breach, Kmart’s parent company Sears Holdings said some of its payment systems were infected with malicious software:
“We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”
“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.”
Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”
Sears spokesman Chris Brathwaite said the company is not commenting on how many of Kmart’s 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.
Read the rest here.
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
EXECUTIVE ORDER
– – – – – – –
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
By the authority vested in me as President by the Constitution and the laws of the United States of America, and to protect American innovation and values, it is hereby ordered as follows:
Section 1. Cybersecurity of Federal Networks.
(a) Policy. The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities. The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises. In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.
(b) Findings.
(i) Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents. Information sharing facilitates and supports all of these activities.
(ii) The executive branch has for too long accepted antiquated and difficult–to-defend IT.
(iii) Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.
(iv) Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.
(v) Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.
(c) Risk Management.
(i) Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.
(ii) Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order. The risk management report shall:
(A) document the risk mitigation and acceptance choices made by each agency head as of the date of this order, including:
(1) the strategic, operational, and budgetary considerations that informed those choices; and
(2) any accepted risk, including from unmitigated vulnerabilities; and
(B) describe the agency’s action plan to implement the Framework.
(iii) The Secretary of Homeland Security and the Director of OMB, consistent with chapter 35, subchapter II of title 44, United States Code, shall jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).
(iv) The Director of OMB, in coordination with the Secretary of Homeland Security, with appropriate support from the Secretary of Commerce and the Administrator of General Services, and within 60 days of receipt of the agency risk management reports outlined in subsection (c)(ii) of this section, shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the following:
(A) the determination; and
(B) a plan to:
(1) adequately protect the executive branch enterprise, should the determination identify insufficiencies;
(2) address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;
(3) establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise;
(4) clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by any agency in furtherance of chapter 35, subchapter II of title 44, United States Code, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and
(5) align these policies, standards, and guidelines with the Framework.
(v) The agency risk management reports described in subsection (c)(ii) of this section and the determination and plan described in subsections (c)(iii) and (iv) of this section may be classified in full or in part, as appropriate.
(vi) Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.
(A) Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.
(B) The Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding modernization of Federal IT. The report shall:
(1) be completed within 90 days of the date of this order; and
(2) describe the legal, policy, and budgetary considerations relevant to — as well as the technical feasibility and cost effectiveness, including timelines and milestones, of — transitioning all agencies, or a subset of agencies, to:
(aa) one or more consolidated network architectures; and
(bb) shared IT services, including email, cloud, and cybersecurity services.
(C) The report described in subsection (c)(vi)(B) of this section shall assess the effects of transitioning all agencies, or a subset of agencies, to shared IT services with respect to cybersecurity, including by making recommendations to ensure consistency with section 227 of the Homeland Security Act (6 U.S.C. 148) and compliance with policies and practices issued in accordance with section 3553 of title 44, United States Code. All agency heads shall supply such information concerning their current IT architectures and plans as is necessary to complete this report on time.
(vii) For any National Security System, as defined in section 3552(b)(6) of title 44, United States Code, the Secretary of Defense and the Director of National Intelligence, rather than the Secretary of Homeland Security and the Director of OMB, shall implement this order to the maximum extent feasible and appropriate. The Secretary of Defense and the Director of National Intelligence shall provide a report to the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism describing their implementation of subsection (c) of this section within 150 days of the date of this order. The report described in this subsection shall include a justification for any deviation from the requirements of subsection (c), and may be classified in full or in part, as appropriate.
Sec. 2. Cybersecurity of Critical Infrastructure.
(a) Policy. It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate.
(b) Support to Critical Infrastructure at Greatest Risk. The Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, the heads of appropriate sector-specific agencies, as defined in Presidential Policy Directive 21 of February 12, 2013 (Critical Infrastructure Security and Resilience) (sector-specific agencies), and all other appropriate agency heads, as identified by the Secretary of Homeland Security, shall:
(i) identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities);
(ii) engage section 9 entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities identified pursuant to subsection (b)(i) of this section might be employed to support cybersecurity risk management efforts and any obstacles to doing so;
(iii) provide a report to the President, which may be classified in full or in part, as appropriate, through the Assistant to the President for Homeland Security and Counterterrorism, within 180 days of the date of this order, that includes the following:
(A) the authorities and capabilities identified pursuant to subsection (b)(i) of this section;
(B) the results of the engagement and determination required pursuant to subsection (b)(ii) of this section; and
(C) findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities; and
(iv) provide an updated report to the President on an annual basis thereafter.
(c) Supporting Transparency in the Marketplace. The Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.
(d) Resilience Against Botnets and Other Automated, Distributed Threats. The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets). The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission, other interested agency heads, and appropriate stakeholders in carrying out this subsection. Within 240 days of the date of this order, the Secretary of Commerce and the Secretary of Homeland Security shall make publicly available a preliminary report on this effort. Within 1 year of the date of this order, the Secretaries shall submit a final version of this report to the President.
(e) Assessment of Electricity Disruption Incident Response Capabilities. The Secretary of Energy and the Secretary of Homeland Security, in consultation with the Director of National Intelligence, with State, local, tribal, and territorial governments, and with others as appropriate, shall jointly assess:
(i) the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as defined in Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination), against the United States electric subsector;
(ii) the readiness of the United States to manage the consequences of such an incident; and
(iii) any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.
The assessment shall be provided to the President, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of this order, and may be classified in full or in part, as appropriate.
(f) Department of Defense Warfighting Capabilities and Industrial Base. Within 90 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation, in coordination with the Director of National Intelligence, shall provide a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks. The report may be classified in full or in part, as appropriate.
Sec. 3. Cybersecurity for the Nation.
(a) Policy. To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.
(b) Deterrence and Protection. Within 90 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.
(c) International Cooperation. As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.
(d) Workforce Development. In order to ensure that the United States maintains a long-term cybersecurity advantage:
(i) The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Secretary of Labor, the Secretary of Education, the Director of the Office of Personnel Management, and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security, shall:
(A) jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education; and
(B) within 120 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations regarding how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.
(ii) The Director of National Intelligence, in consultation with the heads of other agencies identified by the Director of National Intelligence, shall:
(A) review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness; and
(B) within 60 days of the date of this order, provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review carried out pursuant to subsection (d)(ii)(A) of this section.
(iii) The Secretary of Defense, in coordination with the Secretary of Commerce, the Secretary of Homeland Security, and the Director of National Intelligence, shall:
(A) assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities; and
(B) within 150 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations on the assessment carried out pursuant to subsection (d)(iii)(A) of this section.
(iv) The reports described in this subsection may be classified in full or in part, as appropriate.
Sec. 4. Definitions. For the purposes of this order:
(a) The term “appropriate stakeholders” means any non-executive-branch person or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and the Secretary of Homeland Security under section 2(d) of this order.
(b) The term “information technology” (IT) has the meaning given to that term in section 11101(6) of title 40, United States Code, and further includes hardware and software systems of agencies that monitor and control physical equipment and processes.
(c) The term “IT architecture” refers to the integration and implementation of IT within an agency.
(d) The term “network architecture” refers to the elements of IT architecture that enable or facilitate communications between two or more IT assets.
Sec. 5. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be construed to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence or law enforcement operations.
(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
DONALD J. TRUMP
THE WHITE HOUSE,
May 11, 2017.
Congresswoman Clarke Acts to Protect Americans from Cyber-Terrorists and Hackers
Brooklyn, N.Y. – Congresswoman Yvette D. Clarke introduced, the “Cybersecurity Responsibility Act,” a bill directing the Federal Communications Commission (FCC) to establish regulations protecting communications networks from cyberattacks, which in recent years have disclosed without authorization the private information of more than one hundred millions Americans, and could have influenced the 2016 Presidential Election.
Hackers have illegally launched attacked on such companies as Target and J.P. Morgan Chase, as well as the Democratic National Committee. In each instance, existing cybersecurity programs were insufficient to protect highly-sensitive information.
House Energy and Commerce Committee Ranking Member, Congressman Frank Pallone, Jr. (D-NJ) and Congresswoman Yvette D. Clarke released the following statements:
Congresswoman Clarke: “Every few weeks we hear the same story: cyberattacks by hackers – some of whom are affiliated with foreign governments that are hostile to the United States – compromise sensitive information that should have remained private. As a result, Americans are concerned about the safety of the bank accounts and the contents of their emails and text messages. In addition, recent disclosures about Russian hacking of the Democratic National Committee in 2016 to benefit Donald Trump raise serious concerns that the results of the election were compromised.”
“It has become clear that we need to have a comprehensive policy on cybersecurity that protects personal information, from the pin number for your debit card to your email password to your medical records. With the authority to regulate international and interstate communications in the interest of the public, the Federal Communications Commission should collaborate with experts in cybersecurity to develop best practices that will allow internet providers and other companies to protect themselves and their customers from the threat of hacking. We have to fight any attack on our personal privacy – as well as the institutions of our democracy – from cyberterrorists.”
Congressman Pallone: “Our networks and devices are the hub of our digital lives. They can make our lives better and our economy stronger, but only when they are secure,” said Rep. Frank Pallone, Jr. (D-NJ) “I commend Congresswoman Clarke for proposing a new approach to protecting consumers from the growing barrage of cyber-attacks, especially from state-funded actors. This bill would ensure that Americans do not have to choose between innovation and security.”
The bill requires the FCC to issue the new cybersecurity regulations within 180 days of its enactment.
###
Christine L. Bennett
Press Secretary
Office of Congresswoman Yvette D. Clarke (NY-09)
2058 Rayburn House Office Building
T: 202.225.6231 | C: 202.306.0906 | E: Christine.Bennett@mail.house.gov
