Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

12/31/2014
10:00 AM
Sergio Galindo
Sergio Galindo
Commentary
Connect Directly
Facebook
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Dear Cyber Criminals: We’re Not Letting Our Guard Down in 2015

Next year, you'll keep exploiting vulnerabilities, and we'll make sure our systems are patched, our antivirus is up to date, and our people are too smart to click the links you send them.

Dear Cyber Criminals,

Congratulations on a banner year! As cybercrime goes, you’ve had incredible success in 2014. In the past 12 months you’ve demonstrated that no one is too big or small to be a target: the US Government, Home Depot, JPMorgan, Apple, eBay, and Community Health Systems, just for starters. And you keep picking on poor Sony.

This past year, you exploited financial institutions like JPMorgan, where you helped yourselves to contact information for 76 million households and 7 million small businesses. You sat on its network for more than two months before a (rare) sloppy mistake gave you up. You even deleted your tracks, hampering investigators. JP Morgan spent $250 million this year on cyber security measures, which, thankfully, did prevent you from accessing its really critical data.

Retail wasn’t safe either. You tapped Home Depot for 56 million payment cards, costing it $62 million to recover from your handiwork. We are getting pretty used to news like this, and consumer confidence isn’t as easily shaken anymore. Not like in 2007 and 2008 when you cracked TJX and Hannaford.

At the tail end of 2013, you snagged a whopping 110 million payment cards from Target, one of the largest hauls in history. Quite simply, you have dominated the retail space.

You very cunningly attacked the $3 trillion US healthcare industry, including swiping 4 million electronic health records from Community Health Systems, each EHR worth 50 times more on the black market than a credit card number. The FBI Cybercrime Division even issued a warning to the healthcare community that its security measures were inadequate and couldn’t defend against a basic attack, let alone an advanced threat.

EHRs sell for about $50 a pop and can generate profit in many ways. The medical identity may be sold, so someone can get an operation they otherwise couldn’t afford. Details, like a mother’s maiden name, are most likely included as well -- extremely useful for identity theft. And then there’s that other sensitive information. EHRs contain personal info ranging from drug rehab to STDs and details you wouldn’t want anyone knowing. This information can be posted on the Internet, adversely affecting a person’s life, ruining career potential, and even opening one up to blackmail. The FBI acknowledged the value of this opportunity, calling healthcare “a rich new environment for cyber criminals to exploit.” Kudos for your accomplishments in this area.

Then there was Apple. That breach created one of the bigger media storms in 2014 and drew the most attention. This one was clearly just for fun and to remind us that you enjoy some celebrity gossip just like the rest of us. A classic phishing scam duped celebrities out of their logins, and some clever third-party forensics software allowed you to gain data right from iCloud. Then, you were kind enough to share your bounty of photos with everyone, ensuring that gossip sites and forums had a field day.

In 2014 you also demonstrated increasingly impressive organizational skills. You began selling your hacking services and running your organization in a very notably corporate fashion. The Blackshades malware reflects this growing sophistication. After infecting more than a half-million machines across more than 100 countries, you were shown to be running your hacking operation like a very organized and professional business, replete with paid staff, customer service personnel -- even a marketing director to promote Blackshades. Now that is some well organized crime!

The list goes on, pointing to an outstanding year. The cyber security market is estimated to be worth about $76 billion annually, and demand for security solutions is at an all-time high. Yet you remain effective. As we have improved at stopping you, you have improved your methods, making them more sophisticated and advanced.

In 2015, you’ll keep showing us why the cyber security market is as immense as it is and why it will never stop growing. Despite what we’ll spend to protect and educate ourselves, you’ll keep on doing what you do best: exploiting vulnerabilities in operating systems and people. You’ll continue to show that we can never let our guard down and must remain vigilant at all times. To that end, we’ll keep exercising best-practices by making sure our systems are patched on Tuesdays, our antivirus is up-to-date, and to teach people -- our softest spot in the armor -- to stop being duped into clicking the links you send them.

We'll see you on the battlefield next year. Be prepared. We will be.

– Sergio

Sergio Galindo has more than 20 years of global professional IT experience. Prior to his appointment as General Manager of GFI Software, he served as the company's CIO. He also spent 18 years managing global IT programs for large companies in the financial industry, including ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/5/2015 | 4:08:15 PM
Re: Whose keeping score?
Totally agree @Eric Kruse. It will be a combination of people, process and technology that will ultimately win the day. But we've got a long way to go!
Eric Kruse
50%
50%
Eric Kruse,
User Rank: Apprentice
1/5/2015 | 3:50:41 PM
Re: Whose keeping score?
Money cannot solve all problems, "technology".  Technology is used to assist in risk management.  The greater solution is the intel driven CND which takes into account people, process and technology in unison.  Anyone who tries to buy a magic bullet piece of equipment is in for a world of shock.  Saying that current methodologies are not working means that "conventional" methodologies need to be adapted to the organization's needs.  So in short, think don't buy.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/5/2015 | 3:27:31 PM
Whose keeping score?
 My reaction to the article is that the cybercriminals are winning! As Serigio writes, "as we have improved at stopping you, you have improved your methods, making them more sophisticated and advanced."  Definitely good for the investers in cyberecurity. But is throwing $76 billion in new technology going to solve the problem? 
Eric Kruse
50%
50%
Eric Kruse,
User Rank: Apprentice
1/4/2015 | 1:29:08 PM
Healthcare
Fantastic Article.

 

Looking back on 2014 I can say one thing... I am glad I own Palo Alto Stock :).  All jokes aside some of the most concerning matters to me as you pointed out are electronic health records.  With the information listed on those documents all types of malicious activities can be conduct against an individual which would make getting one's identity and privacy back a non-existent.  So much for doctor/patient confidentiality and that form we have to sign for HIPAA.  The huge push for Electronic Medical Records, and the onboarding of so many into the medical system over the last year (#2 sector for 2014) baked on the bad habit of "we have to get it done now".

When I say getting it done now I talk about the general theories behind software development.  Everyone needs to make money, and you cannot have something in development for such a period that would make it unfeasible.  Let's face it and take those profits earned in the sector and start building resilient infrastructure, intelligence driven CND, and processes that protect our health information.
freespiritny25
50%
50%
freespiritny25,
User Rank: Apprentice
12/31/2014 | 11:46:21 AM
Cyber crime
Wow, seeing all of these breaches at one time really does demonstrate how deeply vulnerable we were and how sophisticated these cyber criminals really are. I was aware of these specific situations, but to read about all of these situations occurring all in 2014, really highlights how unprepared we were. Hopefully we will learn and limit the number of instances where history repeats itself in 2015.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...