STE WILLIAMS

Scare Force: Pakistan military hit by Operation Shaheen malware

The Pakistan Air Force is the apparent target of a complex new state-sponsored attack campaign.

Security house Cylance says a state-sponsored group – dubbed the White Company by researchers – has been looking to get into the networks of the Pakistani military in a long-term targeted attack campaign known as Operation Shaheen.

Over the last year, Cylance claims, the White Company group has been targeting members of the Air Force with phishing emails that contain remote access trojans which, in turn, install logging and command-and-control malware payloads if activated.

Operating in part behind the facade of a Belgian locksmith business, Operation Shaheen had at first sent out phishing emails with links to compromised websites, then later switched to emails with infected Word documents attached.

In both cases, the researchers found, the emails were specifically crafted around topics that would appeal to the targets: the Pakistani Air Force, the Pakistani government, and Chinese military personnel and advisers in Pakistan.

“We cannot say with precision where those documents went, or which were successful. However, we can say that the Pakistan Air Force was a primary target,” Cylance said.

“This is evident by the overriding themes expressed in document file names, the contents of the decoy documents, and the specificity employed in the military-themed lures.”


Once a machine is infected, the malware looks to cover its tracks by wrapping the payload in multiple packing layers and by evading antivirus packages; at the time of writing it went undetected by Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, AVG, and Quickheal.

This has led the researchers to conclude that the group behind Operation Shaheen, the White Company, is a state-sponsored group with ample resources to carry out extended espionage campaigns.

Nailing down exactly who is behind the group, however, is proving more difficult for Cylance, as there is no shortage of groups, both domestic and foreign, that would have an interest in spying on the Pakistani Air Force.

“Pakistan is a tumultuous, nuclear-armed nation with a history of explosive internal politics. Their position on the geopolitical chessboard makes them an obvious target of all the nation states with well-developed cyber programs (i.e. the Five Eyes, China, Russia, Iran, DPRK, Israel),” the Cylance report notes.

“They also draw attention from emerging cyber powers like India and the Gulf nations.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/12/pakistan_military_virus/

Cyberattacks Top Business Risks in North America, Europe, EAP

The World Economic Forum reports cyberattacks are a top enterprise concern following WannaCry and the rise of e-commerce.

A new report from the World Economic Forum (WEF) shows cyberattacks are the business risk of greatest concern in North America, Europe, and East Asia and Pacific (EAP) regions.

The WEF polled 12,000 private-sector decision makers from about 130 countries to compile its “Regional Risks for Doing Business” report, which illustrates the regional impact of business risks. Taking all respondents into consideration, cyberattacks rank fifth among the top 10 risks of concern. First is unemployment/underemployment, followed by failure of national governance, energy price shock, and fiscal crises.

European businesses are most troubled by cyberattacks, which topped the list of concerns in 12 of 37 countries. Researchers note the broad impact of WannaCry on the UK’s health system and German rail system, pointing out that cyberattacks throughout Europe were up by one-third in the first quarter of 2018 compared with the previous year.

Cyberattacks are also the leading risk to doing business in EAP, topping the list for respondents from Japan, Indonesia, and Singapore. WEF calls Southeast Asia “the fastest-growing region in the world” in terms of Internet connectivity, with 3.8 million new users each month. Its online economy is set to reach $200 billion by 2025, making it a prime cybercriminal target.

In the United States and Canada, the growth of concern around cyberattacks mirrors the pattern in similar economically advanced regions. Researchers point out how greater reliance on e-commerce also poses a risk here. Data fraud or theft was another primary concern in North America, ranking third and seventh, respectively, on businesses’ list of top worries.

Read more details here.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/cyberattacks-top-business-risks-in-north-america-europe-eap/d/d-id/1333247?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


Veterans Find New Roles in Enterprise Cybersecurity

Facebook and Synack create programs to educate vets and grow employment opportunities while shrinking the cybersecurity talent gap.

Could America’s defenders find new roles in enterprise defense? It seems they could, based on new programs designed to bring veterans into the cybersecurity workforce.

Facebook and Synack have both created initiatives to train vets in security skills and help prepare them for employment opportunities in the field. Initiatives such as these have the twofold benefit of training veterans for sustainable careers and bridging the security talent gap.

More than 65% of veterans experience difficulty in transitioning out of active duty, says former Secretary of Veterans Affairs Jim Nicholson, who also serves as an adviser to the Synack Veterans Cyber Program. The process requires a series of adjustments, USC researchers report: geographic location, careers, relationships, support systems, communities, and cultures.

Facebook, which is currently in the second round of its Cybersecurity University for Veterans, and Synack, which is launching its program now, both aim to make this process easier.

“I was apprehensive at first, not knowing the extent of what I was expected to do,” says Jonathan Killinger, who completed Facebook’s program and now works as a production engineer for the company. “The second I got there and connected with other students in the class, mostly vets, I instantly knew this was the place to be.”

Facebook launched Cybersecurity University for Veterans in 2017, in partnership with several universities, and recently graduated its first class. The program initially received over 1,500 inquiries and started with a class of 45 veterans, 33 of whom completed the course. Facebook’s goal is to teach the fundamentals of cybersecurity to veterans with technical backgrounds.

“It was a wide range [of experience],” says program manager Stephanie Siteman. “A lot had experience in the military doing IT jobs, technical jobs.” Some were in school, majoring in computer science, while others were currently working in tech and wanted to bridge the gap.

The course educates veterans on a range of security topics through a combination of sessions, videos, projects, and labs. Students complete both an in-person weekly lab and a weekly assignment, which takes the form of Capture the Flag for weeks 1-5 and pen testing and research for weeks 7-10. Week 6 focuses on vulnerabilities and exploits related to user authentication. A capstone CTF in weeks 11-12 tests their knowledge from the course.

“The course is quite lengthy and in-depth,” says Siteman, adding the students meet once a week for the 12 weeks. “It takes an average of 120 to 150 hours to complete … by no means it is an easy course.”

Facebook ultimately hired three of the veterans from its inaugural program, including Killinger, who gained his IT experience in active duty as a cyber operations technician in the Air Force. The program, he says, taught him about an industry and roles he didn’t know existed. While his current role isn’t security-specific, he says it has been helpful to add infosec skills.

“I’ve definitely been able to translate the skills I’ve learned here,” he says.

For the second round, Siteman says Facebook is adding more guidance with next steps to help its graduates enter the workforce. This includes scholarships to conferences like Def Con and Black Hat, which was attended by 19 veterans this past August, she adds.

The Synack Veterans Cyber Program is built on the idea that crowdsourcing veterans’ expertise can help them, their employers, and national security. Co-founder and CEO Jay Kaplan says the program has two phases: one helps train veterans who have been exposed to cybersecurity but need to develop their ethical hacking skill set, and another provides veterans with a security background a means of accelerating their job applications for the Synack Red Team.

“It’s helping find ways for the veterans leaving government service to utilize their skills, especially those with experience in cybersecurity, which many of them [have],” says Kaplan.

One of the key tenets of the program is to help veterans transition from government duty to the private sector, explains Anne-Marie Witt, director of product marketing and head of government programs. Synack kicked off its program launch with veteran recruitment events at San Jose State University and a talk at Operation Code in Washington, DC.

Applicants for full-time roles undergo a five-step process to assess their skills and trust, Witt says. “We’re looking for researchers and ethical hackers who are top caliber and highly trustworthy,” she notes. However, they don’t need a security background to apply for training.

Kaplan explains how Synack is working with federal agencies to evaluate applicants who come on board. Former military members, who often have security clearance, are ideal, as are former government employees with experience performing red team operations. But employees coming from development or other computer engineering backgrounds have a strong foundation to transition into the world of white-hat hacking, he says.

“Generally speaking, the good thing is if you have cyber experience, your transition to the private sector is much easier,” he adds. “Because our researcher community is 100% freelance, you can apply and get through processing in a few weeks, and you’re making money as soon as you’re on board.”



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/veterans-find-new-roles-in-enterprise-cybersecurity/d/d-id/1333250?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Paris Agreement on Cybercrime Falls Short of Unanimous Agreement

More than 50 nations and 150 global companies agree to join effort to fight cybercrime.

A group of 50 nations and 150 companies signed an agreement to fight cybercrime and other illicit activity, including election tampering and hate speech, on the Internet. French president Emmanuel Macron had pushed for the agreement, reached one day after a gathering of global leaders in Paris.

The French leader said there is an urgent need for better regulation of the global network. As part of that effort, he said Facebook has agreed to allow a team of French officials to observe the social network’s efforts to monitor and delete hate speech.

While agreed to by many, the statement, titled “Paris call for trust and security in cyberspace,” was not universally accepted, with Russia, China, and the US among the holdouts. Some American companies will, however, be involved.

For more, read here and here.


Article source: https://www.darkreading.com/vulnerabilities---threats/paris-agreement-on-cybercrime-falls-short-of-unanimous-agreement/d/d-id/1333251?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft mistake leaves Windows 10 users fuming

Microsoft Windows 10 users were left livid late last week after Microsoft mistakenly told them that their licenses were invalid.

On Thursday, Windows 10 Pro and Enterprise customers began complaining online that Microsoft was declaring their license keys invalid. The users, who confirmed that they had legal copies of the operating system, were told that they were actually using Windows Home. When they checked, the Pro version was still installed.

The problem led to Windows deactivation, according to some:

My digital entitlement is gone from my Microsoft account and I have a Windows 10 Home key now. Windows is deactivated because I went from Windows 10 Pro to Home and it doesn’t match anymore.

The issue affected both Pro and Home versions of Windows 10 that had been upgraded from earlier versions of the operating system, along with clean Windows 10 installs, according to posters on Reddit.

One Windows user reported that purchasing a Windows 10 Pro key in the Microsoft store was listed as an option for him, even though he had already upgraded to Windows 10 Pro years ago. When he tried to repurchase the key, it would not let him.

Customers were confused by what seemed to be inconsistent responses from Microsoft. Microsoft Support’s Twitter account denied any knowledge of a problem with Windows activation.

It then fell to a mixture of customers and volunteer moderators to tell the rest of the customer base what was happening. One of them posted this response from a Microsoft live chat support agent:

I am very sorry to inform you that there is a temporary issue with Microsoft’s activation server at the moment and some customers might experience this issue where Windows is displayed as not activated. Our engineers are working tirelessly to resolve this issue and it is expected to be corrected within one to two business days.

An actual Microsoft employee then commented on the customer’s post to offer an official explanation, and a volunteer moderator on the company’s forums also stepped in to relay information about the issue.

The problem was with Microsoft’s activation servers, they said, which regularly check in with copies of Windows to validate their licence information. By mid-afternoon on Thursday, the company had issued a statement promising to correct the problem:

We are working to restore product activations for the limited number of effective Windows 10 Pro customers.

By the end of the day on Thursday, the company had indeed fixed the problem, according to reports.

Users also said that they were able to run the Activation Troubleshooter program manually to fix the problem if Microsoft’s changes didn’t correct it automatically.

Some customers were irked by Microsoft’s regular online checks for operating system legitimacy. “And someone please once again explain why DRM for an operating system was a good idea?” quipped one. Another complained that Microsoft had created a system to deter pirates with its regular online checks but ended up causing trouble for paying users.

Unfortunately, this isn’t the first time that Microsoft has let users down with its constantly connected operating system, which also offers the ability to install updates automatically for users. Just last month, the company had to stop offering its October 2018 update after users complained that it was deleting files.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XRFoeAKyNcY/

Terrorists told to hijack social media accounts to spread propaganda

Monika Bickert, Facebook’s global head of policy management, and Brian Fishman, head of counterterrorism policy, said in a post on Thursday that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it’s gotten tougher to push propaganda on the platform.

As detailed in a criminal complaint, one of the alleged terrorist/sympathizer’s suggestions for fellow propagandists was to take over legitimate social media accounts by hijacking them: to act like wolves pulling on sheepskins to escape Facebook’s notice, as it were.

Facebook’s continued work on tackling terrorist propaganda is bearing fruit.

Bickert and Fishman also reported that Facebook has removed 14 million pieces of content dubbed likely to come from terrorists, as determined by new machine learning technology; its hashing of images, videos, audio and text to create content fingerprints; and its long-suffering human reviewers (thank you, you poor souls).

They said that most of the content, which is related to the Islamic State (IS), al-Qaeda, and their affiliates, was old material that Facebook dug up by using specialized techniques.

Of course, 14 million pieces of content represents scarcely a drop in the ocean when it comes to the content-stuffed platform. Facebook was reportedly seeing 300 million photo uploads alone, per day, way back in 2012, and 2.5 billion content items shared: numbers that have ballooned since then.

Not to rain on Facebook’s parade, by any means: it’s doing important work, and it’s doing it in a landscape where terrorists keep coming up with new ways to game the platform.

How long does violative content stay up, and is that important?

Facebook emphasized that there are two metrics to measure success in this ongoing battle. One of those, median time for content to stay on the platform before takedown, is getting more attention than it likely deserves, given that old content that’s been around for a long time might not have had much reach at all. From the post:

We often get asked how long terrorist content stays on Facebook before we take action on it. But our analysis indicates that time-to-take-action is a less meaningful measure of harm than metrics that focus more explicitly on exposure content actually receives. This is because a piece of content might get a lot of views within minutes of it being posted, or it could remain largely unseen for days, weeks or even months before it is viewed or shared by another person.

Just as terrorists are always looking for ways to circumvent social media platforms’ detection, platforms need to keep improving their technology, training, and processes to counter their efforts, Facebook says. That takes time, and while the technologies and other improvements are maturing, they may not work all that efficiently.

New machine learning at work

Facebook says a new machine-learning tool produces a score indicating how likely it is that a given post violates its counterterrorism policies, which, in turn, helps its team of reviewers prioritize posts with the highest scores.

Sometimes, when the tool rates a post as highly likely to contain support for terrorism, it will be automatically removed. Humans are still the backbone of the operation, though: specialized reviewers are evaluating most posts. The only time that a post is immediately, automatically removed is when the tool is so confident about the nature of the content that its “decision” indicates it will be more accurate than Facebook’s human reviewers.

Facebook doesn’t want to show its hand to adversaries, so it isn’t giving away many details on what it’s improved. What it did say was that its machine learning is now working across 19 languages.

Facebook is also sharing some of its new content hashing advances with a consortium of tech partners that includes Microsoft, Twitter, and YouTube.

All of this is leading to an improvement in the removal of terrorist content. But the work never stops, Facebook said, and that includes addressing the threat of terrorism outside of the cyber world:

We should not view this as a problem that can be “solved” and set aside, even in the most optimistic scenarios. We can reduce the presence of terrorism on mainstream social platforms, but eliminating it completely requires addressing the people and organizations that generate this material in the real-world.

How to fend off the hijackers

We write about account hijacking quite a bit. Fortunately, many of the big social media platforms are supporting a way – app-based authentication – to protect our accounts from these attacks, which come in such forms as phishing and SIM swaps.

Using application-based 2FA (such as Sophos Authenticator, which is also included in our free Sophos Mobile Security for Android and iOS) mitigates a lot of the risk of SIM swap attacks because these mobile authentication apps don’t rely on communications tied to phone numbers.

Facebook says that besides using hijacked accounts, terrorists have been developing other tactics to get around account shutdown and content takedown:

Others have tried to avoid detection by changing their techniques, abandoning old accounts and creating new ones, developing new code language, and breaking messages into multiple components.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZZ2J9T08CWk/

Botnet pwns 100,000 routers using ancient security flaw

Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention.

This one’s been named BCMUPnP_Hunter by discoverers Qihoo 360 Netlab, which says it’s infected at least 100,000 routers in the US, India and China since September.

The BCM part of that name refers to a security flaw affecting a Broadcom router software interface that was first made public in February 2013 by DefenseCode.

The UPnP, of course, is Universal Plug and Play, a longstanding and widely abused networking protocol designed to make it easy for devices to talk to one another without the need for complicated configuration.

We’ll skip the sermon about turning that off if you don’t need it (it’s not the only risky router interface that deserves this treatment after all), and merely note that Qihoo’s use of ‘Hunter’ at the tail end of this bot’s name is a warning.

BCMUPnP_Hunter feels like a despairing story for at least two reasons, the first being the range of products it affects.

The botnet covers 116 devices, including models from Billion, D-Link, Cisco Linksys (now Belkin), TP-Link, Zyxel, Broadcom itself, and several others.

The second is the age of the vulnerability, which doesn’t seem to have much reduced the number of at-risk routers even though it was quickly patched by the first vendor affected, Cisco Linksys, years ago.

It’s likely not all of the other vendors followed suit, and even when a patch was available, the infection numbers indicate that many router owners never applied it.

DefenseCode made this point in its 2017 follow-up research, but Qihoo 360 Netlab’s Shodan research estimates the number of at-risk routers at 400,000.

BCMUPnP_Hunter finds its prey by scanning for vulnerable UPnP on TCP port 5431, followed by UDP port 1900 used by Broadcom’s implementation.

The exploit is a relatively complicated, multi-stage affair that seems to have been written specially for the job, at the end of which the router is used to proxy traffic to mail systems such as Outlook, Hotmail, and Yahoo. The likely purpose: sending spam.
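As an added example (not Netlab's research code and nothing from the botnet itself), here is defender-side detection logic in Python that runs over constructed firewall log lines and flags any source that probes TCP port 5431 and then UDP port 1900 in quick succession, the scan sequence described above; the log format, the log year, and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in a simplified iptables/syslog style (an
# assumption, not real captured traffic), in chronological order. The first source
# shows the two-step probe, the second hits both ports but over an hour apart, and
# the third only sends a single SSDP packet to port 1900.
SAMPLE_LOG = """\
Nov 12 10:00:01 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=5431
Nov 12 10:00:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=41235 DPT=1900
Nov 12 10:01:10 gw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=5000 DPT=5431
Nov 12 10:02:00 gw kernel: DROP IN=eth0 SRC=192.0.2.80 DST=203.0.113.10 PROTO=UDP SPT=6000 DPT=1900
Nov 12 11:30:00 gw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=UDP SPT=5001 DPT=1900
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>\w+) "
    r"IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2018  # syslog timestamps carry no year; assumed for the constructed sample


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "src": m["src"], "proto": m["proto"].upper(), "dpt": int(m["dpt"])}


def probe_counts(log_text):
    """Count hits per (protocol, destination port) so the two UPnP ports stand out."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(ev["proto"], ev["dpt"])] += 1
    return dict(counts)


def find_hunter_probes(log_text, window_minutes=10):
    """Return [(src, tcp_ts, udp_ts)] for every source that probed TCP/5431 and then
    UDP/1900 within window_minutes (an assumed threshold). Each source is reported
    once, in the order its matching UDP packet appears; lines must be chronological."""
    window = timedelta(minutes=window_minutes)
    tcp_hits = defaultdict(list)  # src -> timestamps of TCP/5431 attempts
    findings, seen = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "TCP" and ev["dpt"] == 5431:
            tcp_hits[ev["src"]].append(ev["ts"])
        elif ev["proto"] == "UDP" and ev["dpt"] == 1900 and ev["src"] not in seen:
            # Only a 1900 packet that follows a 5431 probe from the same source
            # inside the window counts as the two-step pattern.
            earlier = [t for t in tcp_hits[ev["src"]]
                       if timedelta(0) <= ev["ts"] - t <= window]
            if earlier:
                findings.append((ev["src"], earlier[-1], ev["ts"]))
                seen.add(ev["src"])
    return findings


if __name__ == "__main__":
    for src, t1, t2 in find_hunter_probes(SAMPLE_LOG):
        print(f"{src}: TCP/5431 at {t1.time()} then UDP/1900 at {t2.time()}")
    print(probe_counts(SAMPLE_LOG))
```

A single SSDP packet from the WAN side is common background noise, which is why only the ordered pair is flagged; widening the window trades fewer misses for more false positives.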

Botnet hell

Botnets are a way to steal someone else’s computing resources and distribute traffic across lots of ISP networks in a way that makes its activity harder to shut down than if it were coming out of a small group of servers.

Botnets could aim at other types of computer, but routers have properties that tick important boxes:

  • There are lots of them
  • They are always connected
  • They have lots of security vulnerabilities
  • Many owners pay them little heed
  • Many are never patched

It’s why router compromises have been a running theme on Naked Security for years and still keep coming.

This includes last summer’s VPNFilter botnet affecting dozens of vendors and half a million devices.

Or US-CERT’s warning that a Russian group called Grizzly Steppe was going after a range of network devices, including higher-end routers.

As for older routers that might never be patched, a sequence of problems with D-Link models underscores this theme.

What to do

Whether you own a router likely to be targeted by this threat or not, making sure your home router was updated recently should be a priority.

If it hasn’t been, look for an update on the vendor’s support page. If an update isn’t available, consider buying a new router from a vendor with a track record of updating its firmware on a regular basis, ideally every couple of months.

You can tell which vendors are good at that by visiting their support page and counting the number of recent updates for popular products.

In the past, these would have been few and far between but these days the best vendors take this issue seriously.

When you unbox your router, be sure to disable every interface you don’t plan to use, starting with UPnP before moving on to WPS, WAN web access, DMZ, port triggers/forwarding, and FTP.

Naturally, make sure you change the router’s default username and password, and the WPA2 Wi-Fi password, to something stronger.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OQMQpiWLwww/

Headmaster fired over cryptocoin mining on the school’s dime

A headmaster in a Chinese high school in Hunan has been fired for allegedly stealing electricity to mine cryptocurrency, reports the South China Morning Post.

According to local media, teachers got suspicious over “a whirring noise that continued day and night” and a whopping electricity bill: 14,700 yuan (USD $2,113, £1,628) for about a year.

‘Oh, that? It’s just the air conditioners and the heaters!’ the headmaster, Lei Hua, reportedly said.

Lei Hua is said to have picked up his first Ethereum mining rig for about 10,000 yuan (£1107, USD $1,437) and started cryptocoin mining at his home in June 2017.

As anybody who knows anything about mining for crypto will tell you, that surely led to a whopping electricity bill. In fact, the machine was eating up nearly 21 kilowatt-hours of electricity per day.

So to save money on his power bill, Lei allegedly relocated the machine to the school where he worked. By the time the setup was discovered about a year later, he’d allegedly plugged in another seven mining computers in the school’s computer room. His deputy headmaster also allegedly got caught up in the craze, picked up a ninth machine for himself in January, and added it to Lei’s eight rigs.

Lei was fired last month after the power thievery was detected. His deputy received an official warning. The profits went bye-bye: a local authority responsible for “discipline inspection” reportedly seized the money that Lei and his deputy allegedly made.

That computer room, with its nine Ethereum mining computers whirring, must have gotten pretty steamy. Matthew Hickey, a cyber-security expert at Hacker House, told the BBC that it would have been throbbing with all that power and activity:

The noise and heat of nine actively running mining machines would have been very noticeable.

Unfortunately, the cost of electricity really eats into profits, and stealing it is one way people are trying to maximize their revenue, he said:

By avoiding those costs it can drastically improve returns on a mining operation.

Power costs are not the only thing that can eat into that sweet, sweet cryptocoin payoff. Here’s another: plummeting cryptocurrency rates. Ethereum prices dropped over 70% from their peak in February and are currently trading at around USD $214.

If Lei and his deputy are in fact guilty, they won’t be the first to try to dig themselves out of the hole by stealing electricity. According to the SCMP, state news agency Xinhua reported that police arrested six people in northern Tianjin in April over stealing electricity from the local grid to power 600 Bitcoin mining machines.

The BBC also reported in February that scientists were arrested for allegedly mining Bitcoin with supercomputers at a secret nuclear warhead factory – the same one that made the country’s first nuclear bomb.

All of this makes sense, in a criminal, bottom-line way. To make real money with coin mining, you need a lot of electricity to deliver a whole lot of processing power on a whole lot of computers.

You’ve got options: you can rent space in a giant coin mining server farm – for example, in Iceland, where electricity is cheap, the weather is cold enough to stop your computers from melting down, and where mining was on track to zap more energy than households this year.

Then again, you can just steal other people’s electricity, by plugging into their outlets. But as those arrested for doing this will surely attest, that’s got the downside of being conspicuous.

That’s one reason a newer form of malware, cryptojacking, has arisen: the theft of electricity, processing power and air conditioning by planting malware that sneaks cryptominers into networks, browsers, coffee shops, and more.

You pay the bills, the crooks pocket the proceeds – no telltale computers, gangly cords, overly heated computer rooms or constant whirring involved.

If you’re curious to know more about cryptomining malware, SophosLabs published a technical report back in January that gives a fascinating look at just how much effort cybercriminals are willing to put into getting their cryptomining code accepted into the Android Play Store, and thus to have it rubberstamped by Google.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ojopg59ciyk/

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

Fresh from belatedly admitting that 9.4 million passengers’ personal data was stolen by hackers, Hong Kong airline Cathay Pacific has now admitted that it was under attack for three solid months before it took half a year to tell anyone.


In its initial public statement on the hack, which saw names, nationalities, dates of birth, addresses, some people’s passport numbers, email addresses and more heading from its secure servers into the hands of as-yet unidentified miscreants, Cathay said it had detected “suspicious activity” beginning in March 2018.

In a submission (PDF, 4 pages) made to Hong Kong’s Legco (its Legislative Council; broadly, the semi-autonomous Chinese territory’s equivalent of Parliament) ahead of a Wednesday hearing, Cathay said it knew in March that the “suspicious activity” was a full-scale attack on its servers.

“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” said the airline in its written submission to local legislators.

Cathay has come under fire from various parties for waiting six months before telling the victims that their data had been illegally copied from the airline’s servers. The type of data stolen varied between passengers; only a relative handful (430) of credit card numbers were accessed, including 427 expired cards, it alleged in its Legco submission.

“The two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially accessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s). Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August,” added the airline, one of the more high-profile carriers in the Asia-Pacific region.

As an explanation for the delay in telling anyone about the hack, Cathay said it “wanted to be able to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice.”

We’ve asked Cathay for comment.

Local police, as well as legislators, have been notified. The airline has set up a dedicated website for people who think their personal data may have gone walkies. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/12/cathay_pacific_hack_data_siege_3_months/