
Google China hit by cyber attack
WHAT HAPPENED?
Google said in a blog post on Tuesday that in mid-December it discovered a
"highly sophisticated and targeted attack" on its corporate infrastructure
originating from China that led to theft of its intellectual property. It said it
discovered as part of its investigation that at least 20 other large companies, in
the areas of Internet, finance, technology, media, and chemical, had been
similarly targeted.

The attack on Google involved attempts to access the Gmail accounts of Chinese
human rights activists, but only two accounts were accessed and the contents of
e-mails were not exposed--only account information like the date the account
was created, Google said.

Separately, Google discovered that accounts of dozens of Gmail users in the U.S.,
China, and Europe who are human rights advocates "appear to have been
routinely accessed by third parties," not through a security breach at Google, but
most likely as a result of phishing scams or malware placed on the users'
computers, the company said.

In a separate blog post, Google said it believed that Google Apps and related
customer data were not affected by the attack. "The route the attackers used was
malicious software used to infect personal computers," the post said.

What companies were targeted?


About 15 minutes after Google released its blog post saying there were at least 20
companies targeted, Adobe Systems issued a blog post saying that it became
aware on January 2 of a "computer security incident involving a sophisticated,
coordinated attack against corporate network systems managed by Adobe and
other companies...At this time, we have no evidence to indicate that any sensitive
information--including customer, financial, employee or any other sensitive data--
has been compromised." Researchers at VeriSign iDefense said the number of
targets was 34, all in Silicon Valley.

Separately, a law firm in Los Angeles involved in litigation against China said on
Wednesday that it had been targeted in a China-based attack this week. Gipson
Hoffman & Pancione said employees received e-mails Monday and Tuesday
masquerading as communications from within the company that included
Trojan-laden attachments or Web links. The firm filed a $2.2 billion lawsuit last
week on behalf of Solid Oak Software against the Chinese government alleging
code from the Cybersitter Web content-filtering program was copied and put in
the China-created Green Dam Youth Escort software. It is unclear whether this
attack is at all linked to the attacks on Google and the other companies.

Who was behind the attacks?


Google did not specify how it knows the attacks originated in China and did not
outright blame the Chinese government. Sources said it is typically difficult to find
evidence specifically leading back to Chinese officials in computer attacks. Google
must have some solid evidence for it to take such drastic action and risk losing
millions of dollars in revenue from the Internet's largest market. Researchers who
have investigated these attacks said they were traced to China several ways and
that they share characteristics with previous attacks linked to the Chinese
government. The attacks used command-and-control servers based in Taiwan that
are commonly used by or on the behalf of the Chinese government, according to
iDefense.

How were the companies targeted?


It is possible the attackers used multiple exploits and multiple, tailor-made
Trojans for different targets. Microsoft said on Thursday that a newly discovered
vulnerability in Internet Explorer was used in the attacks. Initially, malicious PDFs
targeting a hole in Adobe Reader were suspected to be culprits, but Adobe said
on Thursday that it has no evidence that is the case.
What was stolen from the companies?
iDefense says source code was targeted at the companies and that most of the
attacks appear to have been successful. Google said some intellectual property
was stolen but did not elaborate. The company also said limited account
information of two Gmail users was accessed. Texas-based hosting provider
Rackspace confirmed early on Wednesday that a server at the company had been
compromised and used in the attacks.

Is there a way consumers can protect themselves from this?
Although these attacks targeted corporations, consumer computers can be
targeted in the same way. Computer users should be wary of opening
attachments or clicking on links in e-mails from people they don't know or that
were unsolicited. People should keep their antivirus and security software up to
date, as well as use the latest versions of operating system and application
software on their machines, and install patches. There are also programs, like AVG
LinkScanner, that can protect people from visiting sites hosting malware.

To avoid phishing scams, people should contact companies directly to verify that a
suspicious e-mail is legitimate, not give out personal information requested in
e-mail and change passwords frequently.
Alteryx Data Leak
What happened?

• Cybersecurity company Upguard said it discovered the exposed data on
Oct. 6, 2017, in a cloud-based repository, and made its discovery public on
Dec. 19, 2017.

• The repository that was exposed contained a range of U.S. household data
from Alteryx, an Irvine, California-based marketing and data analytics
company.

• Alteryx’s data sets appeared to belong to Experian, a credit reporting
agency.

• Upguard alerted Alteryx about the exposed data sets, and Alteryx secured
the database last week, according to a Forbes article.

What household data was exposed?


The data included 248 fields of information for each household. The information
ranged from addresses and income to ethnicity and personal interests. Details
included contact information, mortgage ownership, financial histories and
whether a household contained a dog or cat enthusiast.

Not included in the data: names.

Although individual names were not included in the data, it’s possible that data
thieves could cross-reference stolen information with other available public
information.

For instance, someone could use a street address to search for property tax
information. That property tax information often includes the name of the property
owner. In this way, someone could “piece together” an individual by combining
the different sources of information, which could ultimately lead to identity theft.
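An added example, not taken from any of the articles collected here, showing why a data set with the names removed can still be pieced back together: constructed household records (no names) are joined to a constructed stand-in for a public property-tax roll on street address, and a k-anonymity check shows what dropping or coarsening the joinable fields does to that risk. All addresses, owner names and attribute values below are constructed sample data.

```python
from collections import Counter

# Constructed sample of the kind of name-free household fields the article describes.
HOUSEHOLDS = [
    {"address": "12 Oak St", "zip": "92618", "income": "75-100k", "pets": "dog"},
    {"address": "34 Elm Ave", "zip": "92618", "income": "100-150k", "pets": "cat"},
    {"address": "56 Pine Rd", "zip": "92602", "income": "50-75k", "pets": "none"},
    {"address": "78 Maple Ln", "zip": "92602", "income": "150k+", "pets": "dog"},
]

# Constructed stand-in for a public property-tax roll (address -> owner name).
PROPERTY_TAX = {
    "12 Oak St": "A. Owner",
    "34 Elm Ave": "B. Owner",
    "78 Maple Ln": "D. Owner",
}

def link_to_public_records(records, public, key="address"):
    """Records that join to a named public record on `key`, with the name attached."""
    return [dict(r, owner=public[r[key]]) for r in records if r.get(key) in public]

def reidentification_rate(records, public, key="address"):
    """Fraction of records that the join above resolves to a name."""
    if not records:
        return 0.0
    return len(link_to_public_records(records, public, key)) / len(records)

def generalize(records, drop_fields):
    """The mitigation: remove the directly joinable fields, keep coarser attributes."""
    return [{k: v for k, v in r.items() if k not in drop_fields} for r in records]

def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group of records sharing the same quasi-identifier values.
    k == 1 means some record is unique on those fields and can be singled out."""
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0

if __name__ == "__main__":
    print("re-identified via address:", reidentification_rate(HOUSEHOLDS, PROPERTY_TAX))
    coarse = generalize(HOUSEHOLDS, {"address"})
    print("after dropping address:", reidentification_rate(coarse, PROPERTY_TAX))
    print("k on zip only:", k_anonymity(coarse, ["zip"]))
    print("k on zip + pets:", k_anonymity(coarse, ["zip", "pets"]))
```

Even after the address is dropped, the combination of ZIP code and pet ownership already singles out every constructed household (k = 1), which is why such a check has to be run over every combination of the remaining fields, not just the obvious ones.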
Equifax's Crisis
The credit bureau announced that they suffered a cybersecurity incident, where
over 143 million U.S. customers’ personally identifiable information (PII) was
breached. This is a big deal. In fact, it’s being referred to as one of the worst
breaches in history, considering the extent of the information that has been
stolen.

Timeline Of Response
Equifax told the world that they discovered the breach on July 29th, though only
announced it publicly on September 7th. That’s over a month later. They could
have come out with an announcement right away, and suffered through months
of worried customer complaints, media frenzy, criticism and so forth. On the other
hand, they could wait to have more information, develop a strong proactive
response strategy, and get ahead of the story from the beginning.

Adequacy Of Their Crisis Communication


• To demonstrate true, unquestionable care and concern.

• To be informative and to address and answer, to the greatest extent possible,
the key concerns of their stakeholders.

• To communicate consistently across all channels, stakeholder groups and
regions.

• To communicate in plain English, not using corporate or legal talk.

• To comply with appropriate jurisdictional laws and regulations concerning
breached PII.

Equifax’s Crisis Website:

Equifax launched a crisis website as their crisis communication home base.


This is a strategy I often develop with clients. It’s great because it provides a
dedicated place to communicate with stakeholders. They also placed a big
banner at the top of their corporate website’s homepage, pointing people to
the crisis website for continued information and updates concerning the
breach. I like how big this banner is, as no one can accuse them of trying to
hide their news and updates!

Their crisis website is clean, organized and detailed. One thing that is often
missing from organizations’ crisis response is clearly identified stakeholder
groups and answers to each group’s individual questions and concerns.
Equifax clearly understands the necessity of addressing and providing the
relevant information to each of their stakeholder groups, not just to
consumers, the media, or the general public, for example.

For example, on their crisis website, they have three dedicated FAQs: one
for general questions that apply to everyone, one specific to consumers (the
impacted stakeholder group), and one specific to investors. This is a strong,
needed, and often neglected, strategy of response.

How to save yourself?

• Having discussions with your teams to better understand the risks,
impacts and variables of this type of scenario;

• Developing escalation protocols, action plans, and communication
strategies that will help you effectively manage all aspects of this type
of crisis, in real time; and

• Developing partnerships with the appropriate experts, whom you
may need to call upon in the event of a breach.
Russian Hackers Amass Over a Billion Internet Passwords
A Russian crime ring has amassed the largest known collection of stolen Internet
credentials, including 1.2 billion user name and password combinations and more
than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential
material gathered from 420,000 websites, including household names, and small
Internet sites. Hold Security has a history of uncovering significant hacks, including
the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a
reluctance to name companies whose sites remained vulnerable. At the request of
The New York Times, a security expert not affiliated with Hold Security analyzed
the database of stolen credentials and confirmed it was authentic. Another
computer crime expert who had reviewed the data, but was not allowed to
discuss it publicly, said some big companies were aware that their records were
among the stolen information.

“Hackers did not just target U.S. companies, they targeted any website they could
get, ranging from Fortune 500 companies to very small websites,” said Alex
Holden, the founder and chief information security officer of Hold Security. “And
most of these sites are still vulnerable.”

There is worry among some in the security community that keeping personal
information out of the hands of thieves is increasingly a losing battle. In
December, 40 million credit card numbers and 70 million addresses, phone
numbers and additional pieces of personal information were stolen from the retail
giant Target by hackers in Eastern Europe.

But the discovery by Hold Security dwarfs those incidents, and the size of the
latest discovery has prompted security experts to call for improved identity
protection on the web.
“Companies that rely on user names and passwords have to develop a sense of
urgency about changing this,” said Avivah Litan, a security analyst at the research
firm Gartner. “Until they do, criminals will just keep stockpiling people’s
credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no
connection between the hackers and the Russian government. He said he planned
to alert law enforcement after making the research public, though the Russian
government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they
appear to be using the stolen information to send spam on social networks like
Twitter at the behest of other groups, collecting fees for their work. But selling
more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email
address, Social Security number or password can be used for identity theft.
Because people tend to use the same passwords for different sites, criminals test
stolen credentials on websites where valuable information can be gleaned, like
those of banks and brokerage firms.

Like other computer security consulting firms, Hold Security has contacts in the
criminal hacking community and has been monitoring and even communicating
with this particular group for some time.

The hacking ring is based in a small city in south central Russia, the region flanked
by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their
20s who know one another personally, not just virtually. Their computer servers
are thought to be in Russia. “There is a division of labor within the gang,” Mr.
Holden said. “Some are writing the programming, some are stealing the data. It’s
like you would imagine a small company; everyone is trying to make a living.”
Yahoo: hackers' favourite target?
In 2014, Yahoo! announced it had suffered a cyber attack in 2014 that affected
500 million user accounts, the largest mass theft of individual data directed
against a single company. Names, dates of birth, telephone numbers and
passwords were stolen. While the company assured users that banking data had
not been affected, it nonetheless recommended caution. Prior to this event, in
2012, the hacker “Peace” had sold 200 million usernames and passwords for
$1900.

In March, Yahoo! confessed to being hacked once again. This time, "only" 32
million accounts were affected. But the cyberattack relaunched the investigation
of the 2014 hack, as the attackers used a tool stolen that year, allowing them to
create malicious cookies and log in without passwords. A direct result of this is
that the firm was bought by Verizon in 2017 for $4.5 million instead of the $4.8
million announced in 2016. Update (Dec 2018): Yahoo has now admitted that all
3 billion user accounts had been hacked in 2013. This cyber-attack is the most
significant in Internet history.

Will you be the next?


While the previous cyber attacks are impressive, many more are taking place
every day in different business sectors or through different means. This summer,
the ransomware Wannacry and NotPetya made headlines. More recently, HBO
lost 1.5 terabytes of data, including TV show episodes, scripts, manager emails
and some Game of Thrones actors’ phone numbers. Dozens of US energy
suppliers have also been attacked and hackers can cut electricity anywhere in the
United States at any time. How to protect against cyber attacks? Updating IT
systems is the first step, but the best is to continuously detect vulnerabilities and
fix them quickly to avoid attacks. This is why our full stack security solutions were
developed: to allow our customers to better manage their vulnerabilities and give
them the means to improve the security of their systems.
2019 update: The answers to many of the risks identified in this blog are mostly
unchanged and most of them in theory are simple. However, implementing the
right solutions for your business and especially maintaining their effectiveness
heavily depends on the organization and training its employees to be aware of
illicit activity.

Our security experts suggest you have a solid security baseline (or ‘Cyber
Hygiene’), in which you ensure the most obvious risks are addressed early.
Amongst this should be a continuous Vulnerability Management program, with
periodic manual pen tests on key-risk areas. After setting this baseline, you should
start addressing the focus areas that are most crucial to your organization and in
turn the areas a hacker would most likely be interested in. For example, if you see
an increase in targeted phishing campaigns towards C-level executives, you want
to have specific phishing and awareness campaigns around that specific topic.

For organizations with in-house development teams, embracing the ‘Shift-left’
mentality would be a logical next step, as you want to ensure your deliverables
are as secure as possible before delivering them to your customers. In doing so,
you might want to roll out an effective developer security awareness program and
help the DevOps teams to become more agile and change into DevSecOps
champions. Integrate a flexible security scanning solution into the development
lifecycle, one which helps the developers instead of only providing them with
more work.

Critically take a look at what your organization’s security needs are and employ
the security solution that best fits with your business goals and your staff.
