Underreactions Follow Cyberthreats Stemming From Google, Microsoft
Financial and cybersecurity organizations are trying to wrap their heads around the latest cybersecurity threats.
The constant buzz credit union members hear nowadays comes not only from the electronics they own but also from warnings about cyberattacks affecting their personal data, and from complacency among boards and the members themselves.
In October, Google announced it would shut down Google Plus in August 2019, because the company learned through an internal audit (and a Wall Street Journal exposé) that a bug exposed 500,000 users’ data for some three years.
This week, Google revealed another problem, part of a November software update, in which a Google Plus API unmasked the personal information of 52.5 million accounts. Google discovered the flaw and corrected it by November 13.
“Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue,” David Thacker, Google’s vice president of product management, wrote in a blog post. The breakdown exposed nonpublic profile data – including name, age, email address, and occupation – and some data shared privately between users. “No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”
Google also admitted in October that it had not disclosed the previous Google Plus security flaw after it was discovered in March, about the same time Facebook faced controversy over Cambridge Analytica.
The announcement came on the day before Google CEO Sundar Pichai’s appearance before the House Judiciary Committee, where he was questioned on the company’s user data management.
Mark Weiner, chief marketing officer of San Jose, Calif.-based Balbix, which offers a breach avoidance platform, said, “This leak of user information adds to a growing list of exposed records in the past couple of weeks, behind the recent data breach announcements from Marriott, Quora and 1-800-Flowers. Google is stressing that the information was only exposed for six days due to a bug in their API; however, significant damage can be done in a matter of minutes.”
Weiner added, “Unfortunately, most organizations today – even hyper-scale providers – do not have adequate visibility into the hundreds of attack vectors that could possibly be exploited by threat actors.” He suggested that even when vulnerabilities or security gaps are detected, most organizations struggle to decide which remediations to prioritize, given limited IT resources and staff. “In the coming months and years, organizations will increasingly rely on security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors.”
Meanwhile, in the UK this week, the Financial Conduct Authority highlighted issues cybersecurity experts fear may exist all over: that many boards aren’t prepared to handle cybersecurity issues. The regulator also discouraged boards from relying on third-party providers to fill the gap.
The report warned: “Data and information about products, clients and business services are central to asset management and wholesale banking activities. A significant failure by a firm in these sectors to manage cybersecurity effectively could cause serious harm to its clients and to the markets in which it operates.”
Stephen Gailey, solutions architect at San Mateo, Calif.-based security management firm Exabeam, pointed out, “Many bank boards still do not understand the cyberthreat. They see the information security budget and feel that they are taking action, but they don’t fully engage with the CISO and their team.”
Gailey noted that although budgets have increased over the last 10 years or so, much of that spending has focused on compliance and the insider threat. “The composition of these boards ensures that there is no information security experience at that level, and security professionals who can translate the threats and challenges into language the board will understand are still rare. There is little doubt that many bank boards are complacent about cyberthreats due in no small part to the lack of cyberexperience of their members.”
Many individuals still remain on an attack course, as email phishing remained the most common method of attack, representing one of every 100 emails received by enterprises, according to Clifton, N.J.-based Comodo Cybersecurity’s Global Threat Report 2018 Q3.
In the study:
- The brands most frequently targeted by phishing in the third quarter were Microsoft (19%), PayPal (17%) and Google (9.7%).
- Top three phishing emails ranked by subject line were: “Your account will be locked,” PayPal (40%); “Info,” FedEx (10%); and “August Azure Newsletter,” Microsoft (8%).
- The U.S. ranked No. 1 for both hosting of phishing sites (65%) and country of origin (36%).
- Phishing URLs are gaining in popularity, representing 40% of the total, although infected attachments remain the majority at 60%.
Comodo researchers cited one phishing email as representative of the increase in quality, which makes it harder for users to identify the risk. An email purporting to be a survey regarding Microsoft Azure’s newsletter displayed an authentic-looking URL and logo, and did not have the telltale grammar or spelling errors that often give away phishing emails. Anyone clicking on the “Take the survey” button was sent to a malware-laden webpage designed to covertly infect them.
The Comodo Q3 report also reveals disturbing upticks in malware deployment surrounding major international elections and geopolitical crises. “These correlations clearly stand out in the data, beyond the realm of coincidence,” Fatih Orhan, vice president of Comodo Cybersecurity Threat Research Labs, said.