Lapses in cyber security are costing organizations dearly. This week, financial services firm Morgan Stanley agreed to pay a fine of $1 million to the Securities and Exchange Commission (SEC) to settle civil charges of security inadequacies. According to Reuters, the SEC charges came after a former financial adviser was able to access Morgan Stanley computers and client data for use at home. The bank's failure to protect customer data violates a federal regulation known as the Safeguards Rule.
In another pricey cyber security incident, the University of Calgary forked over $20,000 (CAD) to cyberattackers after being hit with ransomware. According to CBC News, the cyberattack targeted staff and faculty emails only, not students. The ransom was paid and decryption keys sent to the university.
Unfortunately, ransomware attacks like this are continuing to increase in frequency, fueled by the rapid evolution of ransomware itself. A new ransomware, Zcrypt, is drawing particular attention thanks to its ability to infect targets through USB devices. According to a profile from Check Point, Zcrypt can automatically launch a file (invoice.exe) when a USB is plugged into a system. The ransomware is a troubling example of "old tactics in new vehicles" that allows it to be much more effective, according to the profile. Due to the destructive potential of the ransomware, Microsoft recently issued a security advisory urging users on older versions of Windows to take precautions against the new ransomware.
Other malware attacks have reared their heads this week, too. On Thursday, a cache of stolen Twitter accounts reportedly emerged on the dark web, likely due to malware attacks on users. According to ZDNet, a Russian hacker known as Tessa88 claims to have stolen millions of Twitter credentials including email addresses, usernames and passwords. Tessa88 claims to have gathered 379 million accounts, although this number may contain many duplicates or inactive accounts. An analysis by LeakedSource suggests the real number of accounts is closer to 32 million.
LeakedSource suggests that these stolen credentials are not a result of a Twitter breach but rather malware attacks on consumers themselves. According to the analysis, users likely became infected by malware that relayed passwords and usernames saved on Chrome and Firefox back to hackers. The group believes the data, which is now being sold for 10 bitcoins (roughly $5,820), was obtained in 2014.
Twitter also made the headlines this week when hacker group OurMine gained access to Facebook CEO Mark Zuckerberg's Twitter and Pinterest credentials. The group, which tweeted from Zuckerberg's account and changed the title of his Pinterest page, claimed to have gotten Zuckerberg's password from the recent LinkedIn credential dump (implying that he reuses passwords between services). OurMine claimed that the Facebook CEO used "dadada" as his password, which is worryingly weak by all password standards.
To close out this week, it's worth mentioning a couple of important mobile security patches. Google has released its June 2016 security update, which addresses 40 vulnerabilities in the Android operating system. Samsung has also issued updates for its Android devices to address the same vulnerabilities and a few device-specific security problems, including a "high-severity" flaw that allows criminals to bypass a device's factory reset protection.