
Hackers Spied on 100 US Bank Regulators' Emails for Over a Year

Hackers intercepted about 103 bank regulators' emails for more than a year, gaining access to highly sensitive financial information, Bloomberg News reported Tuesday, citing two people familiar with the matter and a draft letter to Congress. From the report: The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator's account, said the people, asking not to be identified because the information isn't public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft security team the day before had notified OCC about unusual network behavior, according to the draft letter.

The OCC is an independent bureau of the Treasury Department that regulates and supervises all national banks, federal savings associations and the federal branches and agencies of foreign banks -- together holding trillions of dollars in assets. OCC on Tuesday notified Congress about the compromise, describing it as a "major information security incident."

"The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence," OCC Chief Information Officer Kristen Baldwin wrote in the draft letter to Congress that was seen by Bloomberg News. While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year.

  • "social engineering"... i.e. some joe actually gives his password away because someone asks for it?
    or the more obvious, Just don't use Microsoft?
    • by Moryath ( 553296 )

      This is why passwords should expire every 60 days. For EVERYONE.

      But a question: is this legit? Why is the ONLY coverage a Singapore (Chinese-owned) paper???

      • by madbrain ( 11432 ) on Wednesday April 09, 2025 @01:29AM (#65291473) Homepage Journal

        Periodic forced password changes are no longer advised under NIST SP800-63-4.

        Those who fall for social engineering attacks will also fall for them even after repeated password changes.

        • This.

          60 day password rotation is not a solution. It only gives the bad actor a slightly shorter timeframe to perform their unsavory deeds. Meanwhile, it also encourages the users to use easier and guessable passwords, otherwise they'll forget their own passwords.

          For something that actually works, try MFA, geolocation and device certificates instead. Preferably all three, but if you can pick only one, take the last one. Allowing known devices only based on device certificates is a killer.

      • But a question: is this legit? Why is the ONLY coverage a Singapore (Chinese-owned) paper???

        The Straits Times is NOT Chinese owned.
        It is owned by SPH Media Trust, a private company with no Chinese ownership.

  • Administrators should not have access to emails of other users. They should be able to reset passwords if needed, but a) this would be noticed by the end user and b) for any account which has sensitive information in the email, all past emails should be encrypted and lost whenever a password is reset.
    • In some businesses SEC rules require that email be retained for at least 6 years with 2 years having them readily available.

      • Then retain them, all encrypted, with decryption keys secured offline in a physical safe with good security somewhere. Now, to hack the emails you have to hack the system to get the encrypted emails, then rob the bank where the safe that holds the decryption keys is. There is a much greater chance someone would notice at least one of those events, than just admin getting hacked.
  • CyberInsecurity: The Cost of Monopoly [ccianet.org]

    “How the Dominance of Microsoft's Products Poses a Risk to Security.”

    “Microsoft’s efforts to design its software in evermore complex ways so as to illegally shut out efforts by others to interoperate or compete with their products has succeeded. The monopoly product we all now rely on is thus both used by nearly everyone and riddled with flaws. A special burden rests upon Microsoft because of this ubiquity of its product, and we all need to be aware of the dangers that result from reliance upon such a widely used and essential product.”
