UNM4SK3D: Deloitte, Cardiac Scan, and SVR Tracking
#hacked
Someone (or many groups of someones) has it out for US businesses. Another week and another breach in big business for the country. It was announced that 'Big Four' firm Deloitte is the latest to fall victim. You may know Deloitte as one of the largest private accounting firms in the U.S., which offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies, and large Fortune 500 multinationals, among others. Earlier this week, they announced they had suffered a cyber attack, resulting in the theft of confidential information, including the private emails and documents of some of their clients. In a statement released September 25th, the firm stated that their system had been accessed via an email platform from October 2016 through March 2017. While their statement also acknowledged 'very few' of its clients had been affected, it comes in the wake of serious breaches like Equifax and the SEC, which should already have companies on high alert.
It appears Deloitte first became aware of the breach in March after hackers gained access to Deloitte's email server through an administrator account that wasn't secured using two-factor authentication (2FA). This granted the attacker unrestricted access to Deloitte's Microsoft-hosted email mailboxes. In addition to email access, there is the 'possibility' that "usernames, passwords, IP addresses, architectural diagrams for businesses and health information" were also compromised. Since the initial announcement, Deloitte's internal investigation into the cyber incident is still ongoing.
In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte. As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators. -Deloitte spokesperson
Listen in for even more details on the Deloitte breach on this week's CyberWire podcast.
#authentication
Apple's latest release, the iPhone X, which utilizes fingerprint authentication, retinal scanning, and advanced facial recognition, has been generating a lot of buzz over its authentication capabilities. Move over iPhone. Researchers have developed a new authentication system that uses your heart. Yes, you read that correctly. Dubbed 'Cardiac Scan,' this method allows you to verify your identity without any user interaction other than being in close proximity to your device. It works by making use of "low-level Doppler radar to wirelessly and continuously map out the dimensions of your beating heart, granting you access to your device so long as you're near it." Simply put, your device would be able to recognize you and sign you in without any password or interaction, automatically logging you out if you step away from your device. Developed by a group of scientists at the University of Buffalo, 'Cardiac Scan' uses your heart's shape and size as a unique biometric.
According to these scientists, this method is special because your heart's shape and cardiac motions are unique to you. Of course, they are only present in a person who is alive and are therefore harder to spoof than fingerprint or iris scanners. The Cardiac Scan system takes about 8 seconds to scan a heart for the very first time, and after that, the system continuously recognizes your heart. The researchers add that the strength of the signal is "much less than that of Wi-Fi, and other smartphone authentication systems, which emit harmful SAR (Specific Absorption Rate) radiation." While this method is not currently in use due to its size, the scientists hope that it could eventually be modified for smartphones and computers.
No two people with identical hearts have ever been found. And people's hearts do not change shape unless they suffer from serious heart disease. -Wenyao Xu, lead author on the paper and assistant professor at University of Buffalo's Department of Computer Science and Engineering
Want more on authentication methods? Read 'Biometric Verification as Identity Theft Protection.'
#passwords
Just when you think news of breaches might slow down, hackers hit the gas pedal. The latest report indicates login credentials from more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online.
Talk about a big crash. This leak means that the personal data and vehicle details of drivers and businesses using Stolen Vehicle Records (SVR) Tracking's service have been exposed. Under the scope of SVR's service, users can track their vehicles in real time by attaching a physical tracking device to vehicles. The Kromtech Security Center was the first group to discover "a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period." Within the open cache were details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), and IMEI numbers of GPS devices.
Perhaps most terrifying is that SVR's car tracking device monitors a vehicle's location and stores it for the past 120 days, meaning anyone with access to SVR users' login credentials could both track a vehicle in real time and create a detailed log of every location the vehicle has visited. As stated by The Hacker News, this gives the hacker the opportunity to potentially steal the vehicle outright or rob the vehicle owner's home when they are out. Kromtech has alerted the company of the misconfigured AWS S3 cloud storage bucket and it has since been secured, but it is still unclear whether the publicly accessible data was accessed by hackers.
The total number of devices exposed could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking. -Kromtech
Dive into GPS tracking with this video from Anthony Harris.
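The SVR exposure came down to an S3 bucket anyone could read. The following is an added example, not code from Kromtech or SVR Tracking, showing how a defender can classify a bucket's exposure from its ACL, its bucket-policy status, and the (now-available) Block Public Access settings; the classification is pure so it runs on constructed API responses, while `audit_live` (assumes boto3 and AWS credentials) feeds it real results.

```python
# Added example (not Kromtech's or SVR Tracking's code): classify an S3 bucket's exposure
# from its ACL, bucket-policy status and Block Public Access settings. Assumes boto3.
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"{group}:{grant.get('Permission')}")
    return findings


def classify_bucket(acl: Dict[str, Any], policy_status: Dict[str, Any],
                    block_config: Dict[str, Any]) -> Dict[str, Any]:
    """Exposed = a public ACL grant or public policy that Block Public Access does not shield."""
    grants = public_acl_grants(acl)
    policy_public = bool(policy_status.get("IsPublic", False))
    # Only when all four flags are on does the bucket-level guard override ACL and policy.
    blocked = all(block_config.get(flag, False) for flag in BLOCK_FLAGS)
    return {"public_grants": grants, "policy_public": policy_public,
            "block_public_access": blocked,
            "exposed": (bool(grants) or policy_public) and not blocked}


def audit_live(bucket: str) -> Dict[str, Any]:
    """Pull the three settings for a real bucket and classify them (needs credentials)."""
    import boto3  # imported here so the pure logic above needs no AWS SDK
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        status = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]
    except ClientError:  # bucket has no policy at all
        status = {"IsPublic": False}
    try:
        block = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError:  # no Block Public Access configuration set
        block = {}
    return classify_bucket(acl, status, block)


# Constructed sample mirroring the SVR case: world-readable ACL, no policy, no block.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
```

Run `classify_bucket(OPEN_ACL, {}, {})` to see the SVR-style finding; turning all four Block Public Access flags on is what flips `exposed` to False even with the ACL unchanged.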
#factbyte
According to new research published today by Accenture and the Ponemon Institute, in 2017 the average cost of cybercrime globally climbed to $11.7 million per organization, a 23% increase from $9.5 million reported in 2016, and represents a staggering 62% increase in the last five years.
Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.