Naples, Florida, lost $700,000 in a cyber attack

The city of Naples, Florida, has confirmed that it lost $700,000 following a spear phishing cyber attack. “The funds were paid to a fake bank account the attacker provided while posing as a representative from the Wright Construction Group, which was doing infrastructure work on Eighth Street South in downtown Naples”, according to a news release.

The attackers sent an email disguised as coming from the Wright Construction Group, tricking a city employee into transferring the funds to a fake bank account under their control.

Fortunately, City Manager Charles Chapman confirmed that the attack did not breach the city’s data systems.

Recently, a number of cities in Florida were victims of cyber attacks: Riviera Beach, Key Biscayne, and others.

Read more about it here.

State Farm suffers a credential stuffing attack

State Farm, an American group of insurance and financial services companies, disclosed that it has been a victim of a credential stuffing attack. The attack was discovered in July 2019. The company notified the impacted users, but didn’t disclose how many users were affected.

Credential stuffing occurs when bad actors steal usernames and passwords from one online account, and then try them on other online accounts, revealing additional user information.

In response to the attack, State Farm reset the passwords of the impacted accounts.

Read more about it here.

Equifax will pay up to $700 million to settle investigations over its data breach

In September 2017, credit bureau Equifax announced that its systems had been breached. Between mid-May and the end of July 2017, the attackers gained unauthorized access to the personal information of about 147 million U.S. consumers. This information included people’s names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers.

Equifax has agreed to pay at least $575 million and up to $700 million to resolve consumer claims and multiple state and federal investigations stemming from the episode.

Consumers may file a claim up until January 22, 2020 and get up to $20,000, if they can prove damages.

Check whether your credit was impacted, file a claim, or read more about it here.

An entire nation has been hacked

A hacker has stolen data from a Bulgarian government system, likely the National Revenue Agency (NRA), and sent it to local media. The hacker stole personal information of 5 million people, nearly every adult in Bulgaria, population 7 million people. The hacker bragged about stealing 110 databases from NRA’s servers, totaling nearly 21 GB. The hacker only shared 57 databases, comprising 11 GB of data, with local news outlets, but promised to release the rest in the coming days. Most of the data is very old; in some cases, it dates back as far as 2007.

A Bulgarian cybersecurity expert named Kristian Boykov was later arrested in connection with the data breach, and then released after his charges were downgraded.

Read more about it here.

FTC approves a record $5 billion settlement with Facebook, but it’s not over

The US Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal, the largest the agency has levied on a technology company. The $5 billion is minuscule compared to Facebook’s nearly $56 billion in revenue in 2018. Facebook already set aside $3 billion in the first quarter of 2019, in anticipation of the settlement with the FTC.

In the Cambridge Analytica privacy scandal, Cambridge Analytica was allowed to access the personal data of about 87 million Facebook users without their explicit consent. Recently the UK’s Information Commissioner’s Office (ICO) has also imposed a £500,000 fine on Facebook over the Cambridge Analytica scandal.

Facebook and investors are now concerned about further restrictions and government oversight that might come with it.

Read more about it here.

Key Biscayne, Florida, was hit by a ransomware attack

The Village of Key Biscayne, Florida, was hit by a ransomware attack, shutting down its computer systems.

Village Manager Andrea Agha said a “data security event” occurred Sunday, June 23, 2019. She said that some permitting operations were handled manually, while some systems were kept off-line “in an abundance of caution.”

A special council meeting to discuss the issue was held, where it was decided to spend $30,000 on hiring a data recovery firm.

Read more about it here.

Riviera Beach, Florida, agreed to pay ransom of $600,000

The city of Riviera Beach, Florida, agreed to pay $600,000 in ransom to decrypt its data, after a ransomware attack hit its computer systems.

The City Council board authorized its insurer to pay 65 bitcoins, valued at approximately $592,000. An additional $25,000 would come out of the city budget, to cover its policy deductible. “Without discussion on the merits, the board tackled the agenda item in two minutes, voted and moved on.”

The insurance company negotiated the payment on the city’s behalf.

The attack began on May 29, 2019, when an employee at the Riviera Beach police department opened a malicious email containing a link that, once clicked, infected the PC. The ransomware quickly spread inside the city infrastructure, causing several problems. The email system was disabled, employees and vendors couldn’t be paid by direct deposit and had to be issued checks manually, and 911 dispatchers were unable to accept calls.

Read more about it here.

Millions of Quest Diagnostics and LabCorp records have been breached

American Medical Collection Agency (AMCA), a billing processor for Quest Diagnostics and LabCorp, suffered a breach, compromising records of 12 million patients of Quest Diagnostics and 7.7 million records of LabCorp.

A June 3, 2019 filing with the U.S. Securities and Exchange Commission (SEC) by Quest, and a similar June 4 SEC filing by LabCorp, revealed that between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself. The information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers).

In response to this incident, both Quest Diagnostics and LabCorp suspended sending collection requests to AMCA.

Read more about it here.

Apple’s new Find My app will find your devices even if they are offline

At the company’s Worldwide Developer Conference keynote on June 3, 2019, Apple executive Craig Federighi described a new location-tracking feature. The interaction is end-to-end encrypted and anonymous, even to Apple itself. The trick? You need to own at least two Apple devices.

Here is how the new system works:

  • When you first set up Find My on your Apple devices, it generates a private key that is shared, in encrypted form, among all your devices.
  • Each device also generates a public key. This is the “beacon” that your devices will broadcast out via Bluetooth to nearby devices.
  • That public key changes frequently, “rotating” to a new number.
  • When someone steals your device, even if it is disconnected from the internet, it emits its rotating public key via Bluetooth.
  • A nearby stranger’s Apple device, with no interaction from its owner, will pick up the signal, check its own location, encrypt that location data using the public key it picked up from your device, and upload it to Apple’s servers.
  • When you want to find your stolen device, you turn to your second Apple device, which holds the same private key and has generated the same series of rotating public keys.
  • Apple returns the encrypted location of your stolen device to your other device, which can use its private key to decrypt it and tell you the stolen device’s last known location.
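
The flow in the list above as an added Python sketch, not Apple's code or its actual cryptography: a hashed-ElGamal scheme over a toy-sized prime-field group stands in for the real construction. The per-period key derivation from the shared secret, the server index (a hash of the beacon key), and all names and sample values are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Stand-in group for illustration only: toy-sized, not a secure parameter choice.
P = 2**521 - 1   # a Mersenne prime
G = 3
NBYTES = 66      # bytes needed to hold a 521-bit group element

def period_keypair(secret: bytes, period: int):
    """Derive (private, public) for one rotation period from the secret shared by the owner's devices."""
    mac = hmac.new(secret, b"period-%d" % period, hashlib.sha512).digest()
    d = int.from_bytes(mac, "big") % (P - 1) or 1
    return d, pow(G, d, P)

def index_of(pub: int) -> str:
    """Assumed server lookup key: a hash of the beacon public key."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()

def _keys(shared: int, n: int):
    """Split a keystream derived from the DH result into an n-byte pad and a MAC key."""
    ks = hashlib.shake_256(shared.to_bytes(NBYTES, "big")).digest(n + 32)
    return ks[:n], ks[n:]

def finder_report(beacon_pub: int, location: bytes):
    """Finder side: encrypt its own location to the overheard beacon key."""
    e = secrets.randbelow(P - 2) + 1                 # ephemeral private key
    pad, mac_key = _keys(pow(beacon_pub, e, P), len(location))
    ct = bytes(a ^ b for a, b in zip(location, pad))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return index_of(beacon_pub), (pow(G, e, P), ct, tag)

def owner_locate(secret: bytes, server: dict, periods):
    """Owner's second device: regenerate the rotating keys, fetch and decrypt reports."""
    found = []
    for t in periods:
        d, pub = period_keypair(secret, t)
        for eph, ct, tag in server.get(index_of(pub), []):
            pad, mac_key = _keys(pow(eph, d, P), len(ct))
            # Reject any report that was not encrypted to this period's key.
            if hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
                found.append((t, bytes(a ^ b for a, b in zip(ct, pad))))
    return found

def demo():
    secret = secrets.token_bytes(32)                 # constructed shared secret
    server = {}                                      # stands in for the upload store
    _, beacon = period_keypair(secret, 7)            # lost device is in period 7
    idx, report = finder_report(beacon, b"26.1420,-81.7948")  # constructed coordinates
    server.setdefault(idx, []).append(report)
    stranger = owner_locate(secrets.token_bytes(32), server, range(10))
    return owner_locate(secret, server, range(10)), stranger
```

The server in this sketch stores only a hash of the beacon key and ciphertext, so neither it nor a device holding a different secret can recover the reported location.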

Read more about it here.