SANS NewsBites

Is Bitmining Raising Your Electric Bill?; It's Time to Try High Fidelity Automated Attack Disruption Techniques; Password Manager Vendor LastPass Breach Was Caused By Engineer’s Use of Reusable Passwords for Remote Access

February 28, 2023  |  Volume XXV - Issue #17

Top of the News


2023-02-24

Bitmining Operation Discovered in School Crawlspace; Charges Filed Against Former Town Employee

In December 2021, a routine inspection of Cohasset (Massachusetts) Middle/High School revealed anomalous wiring, duct work, and computers in a crawlspace beneath the building. The town called in the US Coast Guard Investigative Service and the US Department of Homeland Security to remove the equipment and investigate how it got there. A former assistant facilities director for the town of Cohasset has been charged with vandalizing the school and “fraudulent use of electricity.”

Editor's Note

I’m sure this will be a Netflix mini-series in a few weeks! Remember the days of having to check the PBX phone bills for employee misuse? “Bitmining” means doing that for the electric bill. But, a good overall reminder that unauthorized use (by employees or intruders) of computing systems needs to be detected.

John Pescatore

Cryptocurrency mining requires a lot of electricity to both power and cool the equipment. If you can figure that piece out, then the mining operation can be profitable. I am a bit surprised that in a high energy cost state like Massachusetts, government officials didn’t notice the spike in electricity costs sooner, to bring this crypto mining caper to a close.

Curtis Dukes

Cryptomining uses a lot of power, so in places like New England where power is expensive, it's hard to be profitable unless you find a way to offset that cost. In this case, about $17.5K of power was purloined from the school. If you're not already watching for unexplained spikes in your power bill to detect mining, add that to your list.

Lee Neely

Can you imagine: you and a friend set up a crypto miner in high school and the US Coast Guard is called? I am sure some 15-year-olds are completely freaked out right now. The question is what happens next? Hopefully, they are guided in the right direction and not treated solely as criminals.

Moses Frost

2023-02-27

Microsoft 365 Defender Expands Attack Disruption Capabilities

Microsoft is expanding the public preview of its automatic attack disruption capabilities to include business email compromise (BEC) and human-operated ransomware attacks. In a separate story, Microsoft is now force-installing Microsoft Defender for Individuals when users install or update Microsoft 365 apps.

2023-02-27

LastPass Says Engineer’s Home Computer Was Compromised

Password manager LastPass says that an attacker infiltrated a DevOps engineer’s home computer and installed a keystroke logger. The infection allowed the attacker to access a decrypted corporate vault.

The Rest of the Week's News


2023-02-27

CISA Director: “We Need Security Designed in From the Beginning, Right Out of the Box”

In a speech at Carnegie Mellon University on Monday, February 27, US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly decried the industry’s practice of releasing products that are riddled with security issues. Easterly said, “Strong security has to be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on.”

Editor's Note

It’s one thing to speak to the need for strong security by ICT vendors, another entirely to measure for compliance. The US is a signatory to the International Common Criteria Recognition Arrangement, which sets the requirements for evaluation of ICT products. It’s mostly been a failure: high cost to the product vendor, lengthy evaluation process, lack of demand by consumers, stifled innovation, and inability to maintain state of security. Until we develop and mandate new criteria for implementing “strong security as a standard feature in [vendor] products,” adherence to cybersecurity best practices, such as the CIS Critical Security Controls, is the only defense.

Curtis Dukes

The lack of effective self-regulation and focus by vendors, including cybersecurity vendors, on good cybersecurity is coming home to roost for those vendors. It is interesting to see how governments are now looking at introducing regulations to force vendors to improve their cybersecurity. The EU is already implementing this with its EU Cybersecurity Certification (https://www.enisa.europa.eu/topics/certification/eu-cybersecurity-certification-faq) which requires vendors to meet minimal cybersecurity requirements for at least 5 years for the product or service.

Brian Honan

In-depth testing, including unit and acceptance testing, should be verifying both function and security features in products. With pressure to deliver faster, at all costs, the temptation is to let users find the issues. While I like the analogy of users being "crash test dummies", the reality is that in the automotive industry, testing is risk based: life-safety is well vetted, while IT security is less so, as evidenced by car hacking activities. Your risk model has to be modified to include not only cyber security in development and testing, but also to consider the impacts and potential liability for customers (internal and external) damaged by security flaws in your product.

Lee Neely

We have been saying this for almost as long as many of the readers here have been alive. I am not sure if this is a good or bad thing at this point. What I can tell you is that we will see how much security matters over the next few years as the world is trending into a much larger war footing.

Moses Frost

Hear, hear! While the market has demonstrated a clear preference for openness, generality, flexibility, feature-rich, and early, the quality of our most popular software is an embarrassment to its authors, not to say a disgrace. Patches are so numerous and frequent as to suggest a reservoir of vulnerabilities both known and unknown. The result is a fragile infrastructure that makes us vulnerable both to criminals, all the time, and to nation state adversaries in times of armed conflict.

Moses Frost

2023-02-27

US Marshals Service Breach Exposed Sensitive Data

On February 17, the US Marshals Service (USMS) detected a cybersecurity incident involving ransomware and data exfiltration on one of its stand-alone systems. According to a USMS spokesperson, “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

2023-02-25

Telus Investigating Reports of Leaked Data

Canadian telecommunications company Telus is investigating the possibility of a breach. Earlier this month, what appears to be company source code and some employee data were being proffered on the dark web.

2023-02-27

Dish Network Customer Service and Website Outage

US satellite television service Dish Network is experiencing an outage that affects customer service portals, bill paying, and its websites. There are also reports that the Dish Anywhere app and other IPTV services are unavailable and that VPN tools are not working, keeping Dish employees locked out of systems.

2023-02-27

Fixes Available for Vulnerabilities in WordPress Houzez Theme and Plugin

A pair of critical vulnerabilities affect the Houzez WordPress theme and the Houzez Login Register plugin. The flaws can be exploited to gain elevated privileges; both are being actively exploited. The issue in the Houzez theme is fixed in version 2.7.2 or later; the issue in the Houzez Login Register plugin is fixed in version 2.6.4 or later.

2023-02-27

NewsCorp: Hackers Were in Our Network for Two Years

Media giant NewsCorp has disclosed that hackers were dwelling on its network for two years. The incident was detected in 2022; notification letters recently sent to affected individuals reveal that the attackers had initially gained access to the network in 2020.

2023-02-27

Three Arrested in Netherlands in Connection with Data Theft Scheme

On January 23, police in the Netherlands arrested three individuals in connection with a criminal enterprise involving data theft, extortion, and money laundering. The suspects allegedly stole personal data belonging to tens of millions of people; the compromised information includes bank account and payment card account numbers, social security numbers, and passport data.

2023-02-24

Ireland’s Data Protection Commissioner Fines Centric Healthcare Over Actions Taken in Wake of Ransomware Attack

The Irish Data Protection Commissioner (DPC) has fined Centric Healthcare €460,000 (489,000 USD) in connection with a 2019 ransomware attack affecting the healthcare organization’s network. While Centric notified the DPC two days after they detected the incident, the DPC determined that some of Centric’s actions inadvertently deleted data that could have helped investigators.

Internet Storm Center Tech Corner

Phishing Again and Again

https://isc.sans.edu/diary/Phishing+Again+and+Again/29588

URL Files and WebDAV Used for IcedID Bokbot Infection

https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578

oledump MSI File Plugin

https://isc.sans.edu/diary/oledump+MSI+Files/29584

Unlocked Phone Stealing

https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a

More Fake Authenticator Apps

https://nakedsecurity.sophos.com/2023/02/27/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked/

ZoneMinder Vulnerability

https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr

WebLogic Exploit (not verified) CVE-2023-21839

https://github.com/4ra1n/CVE-2023-21839/blob/master/cmd/main.go

Automatic Disruption of Ransomware and BEC attacks with Microsoft 365 Defender

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatic-disruption-of-ransomware-and-bec-attacks-with/ba-p/3738294

Cisco Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-csrfv-DMx6KSwV

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX