Quishing Attacks

This is a new term to me.

Quishing:

a business email compromise (BEC) attack that uses QR codes embedded in PDF documents to redirect victims to phishing URLs.

There is a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which apparently has a user-friendly interface for orchestrating phishing attacks. Good to know there are services making it easy to launch cyber attacks.

This new approach uses QR codes embedded in PDF documents to direct victims to the bad URL. I think we are all getting better at spotting bad links and avoiding them. A QR code enters the URL without you getting a good look at it. An interesting vulnerability. Plus you are likely using a mobile device to scan the QR code and follow the redirect to the website. Most mobile devices are personal and don’t have the robust enterprise protections of the office device.

This new Quishing Attack takes you to a fake Microsoft 365 login page and has some hacks to get around two-factor authentication.

The Quishing attacks were first targeted at financial institutions. This must have included broker-dealers because FINRA published an alert.
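The point about QR codes is that the URL never gets the look it would get as a link in an email. The triage below is an added example, not code from the original post or from any product it mentions: it assumes a mail gateway has already decoded the QR image from the PDF attachment, and applies to the decoded text the same checks a link scanner would apply to a visible URL. The allowed sign-in hosts, brand words and shortener list are constructed for the example, not authoritative data, and the sample payloads are made up.

```python
"""Triage the text decoded from a QR code before anyone follows it.

Added example, not code from the original post or from any product it mentions.
It assumes the QR image has already been decoded upstream (for example by a
mail gateway that rasterizes PDF attachments and reads the codes); this code
only inspects the decoded payload. ALLOWED_LOGIN_HOSTS, BRAND_WORDS and
SHORTENERS are constructed lists for the example, not authoritative data.
"""
from urllib.parse import parse_qs, urlparse

# Where a real Microsoft 365 sign-in would land (assumption for the example).
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
# Brand words that show up in lookalike hostnames and paths.
BRAND_WORDS = ("microsoft", "office365", "o365", "outlook", "sharepoint")
# Public link shorteners: inside a QR code they hide the destination twice over.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def triage_qr_url(payload):
    """Return a list of findings for a decoded QR payload (empty means clean)."""
    findings = []
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https"):
        # Wi-Fi configs, vCards and plain text are not web links at all.
        findings.append("not-a-web-url")
        return findings
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if parsed.scheme == "http":
        findings.append("plain-http")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")  # possible homograph domain
    if host in SHORTENERS:
        findings.append("link-shortener")
    if host not in ALLOWED_LOGIN_HOSTS:
        if any(word in host for word in BRAND_WORDS):
            findings.append("brand-lookalike-host")
        elif any(word in path for word in BRAND_WORDS):
            findings.append("brand-word-in-path")
    # A query value that is itself a URL is the shape of an open-redirect hop.
    for values in parse_qs(parsed.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            findings.append("embedded-redirect-target")
            break
    return findings


BLOCKING = {"brand-lookalike-host", "punycode-host", "embedded-redirect-target"}


def verdict(payload):
    """Map findings to an action: allow, review (show the URL to a human) or block."""
    findings = triage_qr_url(payload)
    if not findings:
        return "allow"
    return "block" if BLOCKING & set(findings) else "review"


if __name__ == "__main__":
    # Constructed payloads for demonstration.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://microsoft-0ffice365-login.example/verify",
        "https://bit.ly/3abc",
        "https://portal.example/go?next=https://login.example/office365",
        "WIFI:T:WPA;S:guest;P:secret;;",
    ):
        print(f"{verdict(sample):6s} {triage_qr_url(sample)} {sample}")
```

The "review" verdict is the important one for the mobile-device problem described above: rather than silently opening the browser, the scanning app or gateway shows the decoded URL to the person so they get the look at it that the QR code took away.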

The Russian Hack of the EDGAR

A few years ago Ukrainians hacked EDGAR to obtain nonpublic earnings information and used that information to trade stocks. The hackers made about $1.4 million and spread that information to associates for about $4.1 million in total profit. Now a bigger hacking plot has been discovered and it has bigger international implications.

The Securities and Exchange Commission brought fraud charges against five Russian nationals for engaging in a multi-year scheme to profit from stolen corporate earnings announcements obtained by hacking into the systems of two U.S.-based filing agent companies before the announcements were made public. These companies helped to “Edgar-ize” documents for filing in the EDGAR system. It looks like the SEC did a good job of securing its systems. This private provider did less so.

It was more lucrative. The SEC claims that the hacking group made over $80 million in profits. Maybe they made better use of the information than the Ukrainians did in their plot. Or maybe the five Russians had more capital.

The filings the Russians accessed through the providers’ public company clients included, among other things, Forms 8-K and related exhibits, which consist of press releases containing the public companies’ earnings announcements. The providers’ public company clients can use the platforms to create, edit, and submit their filings to the SEC through the EDGAR filing system. The weak security was at the provider instead of the main database.

It looks like the hackers were not just hacking the SEC filings. Some of the five are implicated in the alleged hacking around the 2016 election.

One of them, Vladislav Klyushin, was just scooped up in Switzerland and has been extradited to the United States to face charges. He had flown to Switzerland for a ski vacation at the Zermatt ski resort. It looks like US intelligence learned of the travel and had the Swiss pick up Klyushin at the airport. Russia and the US fought over extradition, with the US eventually winning and putting him on a plane to face charges.

The five hackers worked at a Russian information technology firm called M-13 that specialized in penetration testing and other services. Looks like they were wearing white hats and black hats.

Cyber Crackdown on Email

The Securities and Exchange Commission sanctioned three broker-dealer/investment advisers for failures in their cybersecurity policies and procedures that resulted in email account takeovers. Each of the firms was using cloud-based email accounts that were hacked. The three firms had not mandated multi-factor authentication for access to the email accounts.

The SEC claimed failure under Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”). The Safeguards Rule requires financial institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. Those policies and procedures have to be reasonably designed to

  1. Ensure the security and confidentiality of customer information;
  2. Protect against anticipated threats or hazards to the security or integrity of customer information; and
  3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

The SEC did not claim that any customers were harmed, money stolen, or any malicious use of the compromised information. The SEC claimed that the firms failed to design and enforce written cybersecurity policies in a sufficient manner as it related to cloud-based email accounts. The firms either did not require multi-factor authentication or failed to completely implement multi-factor authentication.

Simple takeaway from these actions: If your firm is using a web-based email system, mandate multi-factor authentication.
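Mandating MFA is the policy; checking that it is actually enforced is the part the firms in these actions missed. The audit below is an added example, not code from the original post or from the SEC orders it discusses. It runs over a constructed set of sign-in records in the shape of a typical cloud-mail audit export (the field names, user addresses and countries are assumptions for the example) and reports the two signals an email account takeover leaves behind: successful sign-ins that completed without a second factor, and successful sign-ins from a country the firm does not operate in.

```python
"""Audit cloud email sign-in records for account-takeover indicators.

Added example, not code from the original post or from the SEC actions it
describes. SIGNINS is a constructed sample in the shape of a typical
cloud-mail audit export; the field names and values are assumptions for
the example, not real data.
"""
from collections import defaultdict

# Constructed sample records (ISO timestamps sort correctly as strings).
SIGNINS = [
    {"ts": "2021-08-02T13:05:00", "user": "rep1@firm.example", "result": "success", "mfa": True, "country": "US"},
    {"ts": "2021-08-02T22:41:00", "user": "rep1@firm.example", "result": "success", "mfa": False, "country": "NG"},
    {"ts": "2021-08-03T09:12:00", "user": "ops@firm.example", "result": "success", "mfa": False, "country": "US"},
    {"ts": "2021-08-03T09:15:00", "user": "ops@firm.example", "result": "failure", "mfa": False, "country": "RU"},
    {"ts": "2021-08-03T10:00:00", "user": "cco@firm.example", "result": "success", "mfa": True, "country": "US"},
]


def audit_signins(records, home_countries=("US",)):
    """Summarise MFA enforcement gaps and foreign sign-ins.

    Returns a dict with:
      no_mfa_users        - per-user count of successful sign-ins without MFA
                            (any non-zero count means MFA is not enforced)
      foreign_success     - first successful sign-in per user from each country
                            outside home_countries
      takeover_candidates - users with both signals, sorted
    """
    records = sorted(records, key=lambda r: r["ts"])
    no_mfa = defaultdict(int)
    foreign_success = []
    seen_countries = defaultdict(set)
    for rec in records:
        # Failed attempts are noise for this check; only completed sign-ins matter.
        if rec["result"] != "success":
            continue
        user = rec["user"]
        if not rec["mfa"]:
            no_mfa[user] += 1
        if rec["country"] not in home_countries and rec["country"] not in seen_countries[user]:
            foreign_success.append((user, rec["country"], rec["ts"]))
        seen_countries[user].add(rec["country"])
    takeover_candidates = sorted({user for user, _, _ in foreign_success if user in no_mfa})
    return {
        "no_mfa_users": dict(no_mfa),
        "foreign_success": foreign_success,
        "takeover_candidates": takeover_candidates,
    }


if __name__ == "__main__":
    report = audit_signins(SIGNINS)
    for user, count in report["no_mfa_users"].items():
        print(f"MFA not enforced: {user} ({count} password-only sign-ins)")
    for user, country, ts in report["foreign_success"]:
        print(f"Foreign sign-in: {user} from {country} at {ts}")
    print("Investigate first:", report["takeover_candidates"])
```

The `no_mfa_users` list is the compliance finding on its own: under a mandate, the right number of successful password-only sign-ins is zero, and a periodic run of a check like this is evidence that the written policy is being implemented and not just adopted.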

Data Privacy Comes to Real Estate

New York City passed a law imposing specific requirements on real estate owners in the city. As buildings become “smarter,” landlords are collecting more data about who is coming into the building, moving around inside it, and exiting it.

This is largely for good intentions. It makes the elevators more efficient. It makes the heating and cooling systems more efficient, reducing the carbon footprint of a building. It makes the building more secure.

But of course, this data could be used for bad acts. New York City’s Tenant Data Privacy Act is trying to limit the use of this data for bad purposes.

The law is limited to residential buildings in NYC. Even if that’s not applicable to you, it provides some good items for compliance officers to think about when it comes to property data privacy.

  • Consent. Building owners have to get tenants’ express consent “in writing or through a mobile [app]” before collecting certain data from tenants.
  • Privacy policy. Building owners need to give tenants a “plain language” privacy policy that discloses how data is collected and how it is used.
  • Safeguards. Building owners must implement security measures to protect tenants’ data and the data of any other users of the smart access system.
  • Data destruction. Building owners must destroy data in specified timelines.

As for the bad use of data, the law prevents apartment building owners from using the data to harass or evict a tenant.

SEC Cybersecurity Update

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued examination observations related to cybersecurity and operational resiliency practices taken by SEC registrants.

This compilation is based on OCIE’s observations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other firms that OCIE has taken a look at. It’s not clear if these observations are from cyber sweeps or the full body of exams.

But it doesn’t matter. The report is full of good things and acts as a roadmap for good practices.

If you noted that the types of firms covered have a lot of variety, you are correct. The Report acknowledges that there is no “one-size fits all” approach to cybersecurity.

[A]ll of these practices may not be appropriate for all organizations, we are providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.

The report is very concise so I’m not going to list all of the items. Matt Kelly highlights a few of his favorites on cybersecurity. I think the report can be used as a roadmap to review your firm’s cybersecurity.

The SEC is taking things a step further and talking about resiliency. It’s ridiculous to think that any firm can make itself immune to an attack or failure.

[If] an incident were to occur, how quickly can the organization recover and again safely serve clients?

You need a plan. You need an inventory of your services and systems. You need to know how to substitute a system so that you can still deliver services to your clients.

Phishing Attacks and Securities Law

The Nigerian prince email scams at home have been supplanted by phishing attacks on company accounting groups. The problem has become big enough that the Securities and Exchange Commission released a report indicating that falling victim to this kind of cyber attack could be considered a failure in the company’s internal accounting controls.

The Federal Bureau of Investigation estimated that these so-called “business email compromises” had $675 million in adjusted losses in 2017 based on almost 16,000 complaints. This makes it the biggest out-of-pocket losses from any class of cyber crime during this period.

The SEC focused on nine of these complaints that came from public companies with a combined loss of almost $100 million. Two of those were the biggest, losing more than $30 million each.

The phishing attacks are lumped into two categories: internal impersonation and vendor impersonation.

The internal impersonation is a phishing attack, usually a fake email from the CEO. The common elements in the email are

  • the need to keep the transaction secret from other company employees
  • Time-sensitivity
  • foreign transactions
  • directed at mid-level employees not typically involved in the transactions
  • directed at mid-level employees who rarely communicated with the executive being spoofed in the email

The external impersonation is a phishing attack generally involving a hack into a vendor’s email system. The hacker then sends a change of payment instructions to the company, re-routing the payments to the hacker’s accounts. As a result, the company would make a payment on an outstanding invoice to a foreign account controlled by the hacker instead of the real vendor account. The victim company would usually discover the fraud when the real vendor complained about a lack of payment.

The SEC points out that these two types of attacks do not involve a sophisticated use of technology. They rely on weaknesses in accounting controls. The SEC is not suggesting that every public company that is the victim of one of these attacks is in violation of the internal accounting controls requirements of the federal securities laws. But it’s also not ruling out that it might be in some cases.
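Since the SEC frames both attack types as accounting-control failures rather than technology failures, the control can be written down as a rule an accounts-payable mailbox applies to every incoming request. The code below is an added example, not code from the original post or from the SEC report it discusses. It scores constructed messages against the common elements listed above for internal impersonation (an executive’s display name on a mailbox that is not theirs, secrecy, time pressure, a foreign wire) and, for vendor impersonation, treats any change of payment instructions as something to hold until it has been verified by calling the vendor on a number already on file, regardless of how legitimate the email looks. The executive directory, domains and message texts are all made up for the example.

```python
"""Score incoming accounts-payable email against the BEC patterns above.

Added example, not code from the original post or from the SEC report.
EXECUTIVES, the domains and SAMPLE_MESSAGES are constructed for the example.
"""
import re

# Constructed directory: who is allowed to appear as "the CEO" and from where.
EXECUTIVES = {"ceo": {"name": "Pat Morgan", "address": "pat.morgan@corp.example"}}

SECRECY = re.compile(r"\b(?:confidential|keep this between us|do not (?:discuss|mention)|don't tell)\b", re.I)
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|asap|today|before (?:close|end of day))\b", re.I)
WIRE = re.compile(r"\b(?:wire|transfer|overseas|international|foreign)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(?:(?:new|updated|changed) (?:bank|account|remittance|payment) (?:details|instructions|account)"
    r"|routing number|IBAN|SWIFT)\b",
    re.I,
)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def assess_email(msg):
    """msg: dict with from_name, from_addr, to_addr, subject, body and optional reply_to.

    Returns the flags raised and the action the AP mailbox should take.
    """
    flags = []
    text = f"{msg['subject']}\n{msg['body']}"
    # Internal impersonation: an executive's display name on someone else's mailbox.
    for executive in EXECUTIVES.values():
        if (msg["from_name"].lower() == executive["name"].lower()
                and msg["from_addr"].lower() != executive["address"]):
            flags.append("display-name-spoof")
    # A Reply-To on a different domain quietly moves the conversation elsewhere.
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != domain_of(msg["from_addr"]):
        flags.append("reply-to-mismatch")
    if SECRECY.search(text):
        flags.append("secrecy")
    if URGENCY.search(text):
        flags.append("urgency")
    if WIRE.search(text):
        flags.append("foreign-or-wire")
    # Vendor impersonation: the mailbox may be the real vendor's, so the content
    # of the request, not the sender, is what triggers the control.
    if BANK_CHANGE.search(text):
        flags.append("payment-instruction-change")

    if "payment-instruction-change" in flags:
        action = "hold-callback-verification"  # confirm on the number already on file
    elif "display-name-spoof" in flags and {"secrecy", "urgency", "foreign-or-wire"} & set(flags):
        action = "quarantine"
    elif len(flags) >= 2:
        action = "flag-for-review"
    else:
        action = "deliver"
    return {"flags": flags, "action": action}


# Constructed messages illustrating each category.
SAMPLE_MESSAGES = {
    "internal": {
        "from_name": "Pat Morgan", "from_addr": "pat.morgan.ceo@webmail.example",
        "to_addr": "clerk@corp.example", "subject": "Quick task",
        "body": "I need you to process an urgent wire to our overseas partner today. "
                "Keep this between us until the deal closes.",
    },
    "vendor": {
        "from_name": "Accounts Receivable", "from_addr": "ar@supplier.example",
        "reply_to": "ar@supplier-invoices.example",
        "to_addr": "ap@corp.example", "subject": "Updated bank details for invoice 4471",
        "body": "Please note our new bank account details below for all future payments.",
    },
    "benign": {
        "from_name": "Pat Morgan", "from_addr": "pat.morgan@corp.example",
        "to_addr": "clerk@corp.example", "subject": "Q3 expenses",
        "body": "Can you send me the Q3 expense summary when you get a chance?",
    },
}

if __name__ == "__main__":
    for label, message in SAMPLE_MESSAGES.items():
        print(label, assess_email(message))
```

The callback rule is the piece worth copying even without the scoring: it fires on the vendor message even though nothing about its sender looks wrong, which is exactly the case the SEC report describes.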

Compliance Lessons From Star Wars – Hacked

With the pending release of Episode VIII – The Last Jedi, I’m joining Tom Fox in tying compliance and the Star Wars franchise together. Starting at the beginning with Star Wars, or what is now Episode IV – A New Hope, the climax is the destruction of the Death Star.

One of the complaints about the movie is the plot hole allowing “the ultimate power in the universe” to be destroyed by a group of small fighters. As we learned in Star Wars – Rogue One, the Death Star was hacked. The developer left a back door: a small, two-meter-wide thermal exhaust port which would lead straight to the station’s main reactor. The developer leaked the plans to rebels who launched their attack.

Clearly, the Securities and Exchange Commission is very focused on cybersecurity, particularly since the SEC’s EDGAR database was hacked last year. In speeches, actions and warnings about exam priorities, the SEC puts cybersecurity at or near the top of the list.

The focus on cybersecurity is not just on taking the steps to harden your systems to prevent the hack, but on creating a response plan in case you discover you are being hacked or have been hacked. Clearly, a flaw in the defense of the Death Star was not sending out enough imperial fighters to counter the rebel attack. The defense plan never expected an attack by small ships.

The death of Grand Moff Tarkin came from not taking the threat seriously.

OFFICER
We’ve analyzed their attack, sir,
and there is a danger. Should I have
your ship standing by?

TARKIN
Evacuate? In our moment of triumph?
I think you overestimate their
chances!

Tarkin underestimated the chances and disappeared from the Star Wars movies until last year’s Rogue One prequel to Episode IV. Never underestimate a cyber-attack on your firm.

As many cybersecurity experts have told me, it’s not “if” you will be subject to an attack, it’s “when” you will be subject to a cyber-attack. Don’t suffer the imperial oversight failure of Tarkin. Be vigilant for weakness.

May the Force be with you.

Although Tom decided to ignore Episodes I-III in his posts, I will advocate for using the “machete order” for viewing the movies: IV, V, II, III, VI.

The key problem is that Mr. Lucas changed the end of VI so that Anakin is now played by Hayden Christensen. You will have no idea who that person is if you have not seen II or III. Plus II and III fill in the backstory of Anakin. You will note that Episode I, the worst of the movies, is left out. That removes Jar-Jar almost completely, removes midi-chlorians, and removes trade disputes. In return, you get a bigger universe, a better understanding of the threat posed by the emperor, and the redemption of Anakin.

New SEC Cyber Enforcement Initiative

Now that the Securities and Exchange Commission has some first-hand experience with cybersecurity and getting hacked, it has launched a new initiative to address cyber-based threats.

There is a new Cyber Unit originating in the enforcement division. Robert A. Cohen will be Chief of the Cyber Unit, stepping away from being Co-Chief of the Market Abuse Unit. The cyber unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information
  • Violations involving distributed ledger technology and initial coin offerings
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts
  • Cyber-related threats to trading platforms and other critical market infrastructure

According to Francine McKenna, one hacking case may involve the SEC itself. According to Ms. McKenna, the enforcement lawyers had a case based on non-public information stolen from the SEC’s system. It was this case that forced them to tell the SEC Chairman about the breach.

When You Look And Find That You Are The Problem

Cybersecurity is hard. It’s nearly impossible to stop an attack. If someone really wants in, they can continue to attack and attack until they find a gap. It’s hard to know that you have been breached until well after the breach. It may be just as hard to figure out what was accessed and what damage has been done. It’s hard to know what the right response should be.

Of course, I could be talking about the enormous Equifax breach. But this time it’s the Securities and Exchange Commission.

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. … Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”

SEC Chair Clayton noted that the breach did not “result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

If that is the standard for cybersecurity, then that is what the SEC should also use in its enforcement against investment advisers and broker/dealers. Instead we have cases like the one against R.T. Jones where there were no resulting losses to its clients, only the potential loss of data.

As is typical with a company with bad news, it buries the bad news in a pile of other disclosures. The SEC did the same thing. It spent one paragraph revealing the breach in an eight-page statement chiding the industry to be better about cybersecurity and touting its own initiatives.

The SEC’s statement, like Equifax’s revelation, did not explain why there was such a lengthy delay between the discovery of the breach and its announcement.

The likely result of the breach is that the hackers were able to access EDGAR filings before the general public and trade on that information before the general public.

Cybersecurity Wrap Up – Take Two

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a new Risk Alert this week on cybersecurity. The risk alert summarizes observations from their phase 2 cybersecurity examinations conducted in 2015 and 2016. In phase 2, OCIE examined 75 firms, including broker-dealers, investment advisers, and registered funds.

The examinations focused on written policies and procedures regarding cybersecurity and testing the implementation of those procedures. The exams also sought to better understand how firms managed their cybersecurity preparedness by focusing on

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

What are firms doing right?

  • Conducting periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident.
  • Conducting penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • Using some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
  • Ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.
  • Having business continuity plans and response plans.
  • Identifying cybersecurity roles and responsibilities for the firms’ workforce.
  • Verifying customer identification before transferring funds.
  • Conducting vendor risk assessments.

What are firms doing wrong?

  • Policies and procedures were not reasonably tailored to the organization.
  • Not conducting annual reviews
  • Not reviewing security protocols at least annually
  • Inconsistent instructions on remote access
  • Not making sure that all employees received cybersecurity training
  • Not fixing problems found in penetration tests

The risk alert finishes with the elements the OCIE sees as indicative of a firm implementing robust cybersecurity controls. I think most CCOs should grab a copy of the risk alert and sit down with their policies and CTOs to see how they stack up against those elements.