An inept cyber-criminal has been given a 20-month sentence behind bars after DDoS-ing the networks of a Wisconsin city, temporarily taking out its 911 center.
Randall Charles Tucker, 23, of Apache Junction, Arizona carried out the attacks on the City of Madison in 2015 as part of a wider DDoS campaign against various cities, according to the Department of Justice.
“In addition to disabling the City of Madison’s website, the attack crippled the city’s internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit to a medical, fire, or other emergency,” the notice read.
It’s unclear what his motivation was in launching the attack, although it came just days after a fatal shooting by a Madison police officer.
Tucker’s other exploits saw him DDoS the municipal computer systems in Phoenix suburbs Chandler and Mesa and user-generated video portal News2Share, the latter in a bid to persuade it to feature one of his videos.
These charges were reportedly dropped as part of the plea deal.
Tucker boasted of his crimes on social media, dubbing himself the “Bitcoin Baron,” and has also reportedly taken part in hacktivist campaigns like Anonymous #OpSeaWorld.
However, his attempts to portray himself as a moral crusader failed miserably. In one incident in 2015 he apparently DDoS-ed the city and police websites of San Marcos in Texas — demanding a local policeman who had assaulted a female college student be jailed and fired. That cop had already been sent to prison two years previously.
Tucker also launched an attack on a children’s hospital, reportedly defacing it with child pornography, which if true somewhat undermined his hacktivist credentials.
Alongside the jail sentence, Tucker was ordered by the court to pay restitution of over $69,000 to the victims of his attacks.
The notorious Olympic Destroyer malware which disrupted the last Winter Games has resurfaced, targeting several countries in Europe as well as Russia and Ukraine, according to Kaspersky Lab.
The Russian AV company warned that the latest activity could spell the start of new destructive malware campaigns from the group behind the threat.
“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again,” the firm explained.
“However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.”
Phishing emails were used to infiltrate and map out target networks ahead of the destructive campaign which disrupted the Pyeongchang Olympics earlier this year, leading the firm to speculate that this new activity could be the prelude to a similar attack.
It warned all biochemical-threat prevention and research organizations in Europe to bolster their defenses and run unscheduled security audits.
It’s not clear what the link between these new targets is, with the group behind it considered “a master in the use of false flags.” However, Kaspersky Lab claimed the TTPs and operational security techniques used by the group “bear a certain resemblance” to Sofacy/Fancy Bear/APT28, the notorious Kremlin-linked hacking outfit that interfered in the 2016 US presidential election.
“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cyber-theft and another group or groups looking for espionage targets,” the vendor concluded.
“This could also be a result of cyber-attack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”
South Korean exchange Bithumb has been targeted by hackers for the second time in a year, this time losing over $31m in cryptocurrency.
A notice from the firm, one of the world’s largest digital currency exchanges, claimed that the attack began last night and was discovered this morning, with around 35bn won ($31.5m) taken.
The firm has halted deposits and withdrawals “for the time being” while it conducts a thorough review into what happened.
It claimed that all lost funds will be covered by Bithumb from its own reserve and that remaining assets were removed to a secure cold wallet.
Currencies affected are thought to include Ripple.
Bithumb is thought to be the sixth largest exchange in the world based on its trading volume of over $370m.
However, this isn’t the first time it has been a target for cyber-attackers.
Back in July 2017, hackers stole personal details on 30,000 customers after compromising an employee’s laptop. The resulting phishing campaign tricked them into handing over authentication codes, which resulted in large-scale theft from customer accounts.
The attacks continue to come thick-and-fast against digital currency exchanges. Bithumb rival Coinrail was targeted by hackers earlier this month in a raid which cost it $37m, around 30% of its total token/coin reserves. In December 2017, Slovenian cryptocurrency marketplace NiceHash was hit by a cyber-attack which led to losses of $64m.
The news will continue to serve as a warning to investors of the risks involved in putting money into the nascent cryptocurrency market.
North Korean hackers have been pegged in the past for spear-phishing attacks against cryptocurrency exchanges and illegal cryptomining, as they look to generate much needed funds for the Kim Jong-un regime.
IEEE member and professor of cybersecurity at Ulster University, Kevin Curran, argued that attacks on crypto-currency organizations have increased as the value of the currency has rocketed in recent years.
“If they do find your crypto-currency wallet or hack online crypto exchanges and transfer the coins — then it is basically gone forever. It is not that we cannot see which ‘wallet’ these ‘coins’ have been transferred into but rather that the stolen tokens can be transformed into ‘fresh’ tokens by using ‘mixing services’, which create new untraceable tokens,” he explained.
“Ultimately, remember that the European Banking Authority and others have warned that Bitcoin users are not protected by refund rights or chargebacks.”
A Chicago Public Schools (CPS) employee will be removed from their position after accidentally sending a mass email that included a link to a confidential spreadsheet on Friday evening, 15 June. The email exposed the private data of 3,700 students and families, according to the Chicago Tribune. The link, which wasn’t removed until Saturday morning, revealed students’ names, email addresses, phone numbers and student ID numbers.
Affected families were notified via the following email:
EMAIL TO FAMILIES: 7/15/2018
Earlier today, in an unacceptable breach of both student information and your trust, we mistakenly included your private student and family information in an email to you and more than 3700 other families who were invited to submit supplemental applications to selective enrollment schools.
We sincerely apologize for this unintended disclosure and ask that you please delete the information in question.
We are taking this matter very seriously, and a review of this incident is underway to determine how this breach occurred and ensure a similar matter does not occur again. Additionally, we will be removing the responsible employee from their position because violating your privacy is unacceptable to the district.
If you would like to speak with someone regarding this matter, please contact 773-553-2060.
CPS Office of Access and Enrollment
While the error will cost the employee their job, there is a greater question of liability as the employee was able to access a file stored on Blackboard that contained sensitive information without any required login.
CPS reportedly had initially believed that the file was an attachment, and it asked parents to delete the file. “So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard,” according to DataBreaches.net.
In an email to Infosecurity Magazine, CPS wrote, “To ensure no one else is able to pull down the improperly disclosed information, CPS had the sensitive file pulled from the network so that no one could retrieve it again. We also asked anyone who downloaded the data to remove it from their system."
"To help ensure an improper disclosure of this nature does not occur again, we immediately put in place additional technical restrictions regarding personnel who can send messages of this nature," CPS continued. "Moving forward, we are exploring additional technical safeguards that would help prevent data of this nature from being disclosed."
The potential damages a company can suffer from malicious insiders became a harsh reality for Tesla CEO Elon Musk, who expressed his disappointment at learning he had a saboteur within the Tesla ranks. The individual who allegedly engaged in damaging sabotage against Tesla was reportedly an employee disgruntled over not getting a promotion.
According to a report from CNBC, Musk sent an email to Tesla employees late Sunday revealing that a Tesla worker had engaged in “quite extensive and damaging sabotage” against the company. CNBC posted what it said was a copy of the email in which Musk said the sabotage included the use of false usernames to make changes to the code used in the Tesla Manufacturing Operation System, as well as “exporting large amounts of highly sensitive Tesla data to unknown third parties.”
As Musk noted, when an employee engages in such illicit activity, it is usually an act of revenge. "His stated motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move."
"This is a major reminder as to why privileged access management is a must-have for organizations that deal with sensitive information or personal information and why least privileged is a practice being adopted by many organizations,” said Joseph Carson, chief security scientist at Thycotic.
However, in a recent Raytheon-commissioned survey of IT security professionals, insider threats ranked low on the CISOs' priority lists, with only 36% saying they consider malicious or criminal insiders to be a high risk.
"Taking things at face value, this [act of sabotage] is basically a smorgasbord of cybercrime, and it could have affected any company anywhere. You have an insider threat. You have altered data affecting the factory operating system. You have leaked proprietary data. You have credential theft. And you have it all, apparently, at the hands of a disgruntled employee. It’s time to make insider threat a top priority," said Michael Daly, CTO, cybersecurity at Raytheon.
The reality that employees can act without regard for the best interest of the company will likely be a major lesson for Tesla, but it's not its only struggle right now. It also confronts ongoing issues in its electric vehicle plant. Less than 24 hours after alerting employees to the sabotage, Musk shared news of another fire in its factory, which happened during the evening of Sunday, 17 June.
One of the consequences of constant connectivity is that the connected devices people use are vulnerable to attacks, which can expose not only personal but also location data, as a researcher from cybersecurity firm Tripwire recently discovered.
A new attack against popular home devices Google Home and Chromecast revealed a privacy issue: The devices can be used to find out where people live.
In an 18 June post, researcher Craig Young detailed how he used a technique called DNS rebinding to reach the devices’ local interface from a malicious web page, allowing him to pinpoint the precise locations of Google Home and Chromecast devices just by getting their users to open a website.
DNS rebinding turns the victim’s own web browser into a bridge to devices on the local network: the attacker’s domain first resolves to the attacker’s server so the page loads, then re-resolves to a LAN address so the page’s follow-up requests land on the device. Young said he was surprised to find not only that the attack worked against these devices but also that Google was aware of the problem and had done nothing.
“It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication,” Young said.
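The mechanism Young describes, as an added example that is not part of the Tripwire write-up or of Google’s code: a simulation of the rebinding exchange and the two places it can be stopped. The attacker’s domain, the public and LAN addresses, the port 8008 and the device names are assumed values chosen for the walk-through, and the Host-header check and the resolver-side filter are the standard mitigations for this class of attack, not anything the page attributes to Google.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed values for this walk-through; nothing here is taken from Young's
# write-up or from Google's implementation.
ATTACKER_NAME = "attacker.example"
ATTACKER_PUBLIC_IP = "203.0.113.10"     # where the malicious page is really served
DEVICE_LAN_IP = "192.168.1.20"          # the victim's Google Home / Chromecast
DEVICE_PORT = 8008                      # assumed local HTTP API port


class RebindingResolver:
    """Attacker-controlled authoritative DNS for ATTACKER_NAME.

    The first answer points the browser at the real web server so the page
    loads; every later answer for the SAME name points into the victim's LAN.
    With TTL 0 the browser re-resolves when the page's script makes its next
    request, so that request leaves for the LAN device while the browser still
    treats it as same-origin with attacker.example."""

    def __init__(self, name, public_ip, target_ip):
        self.name, self.public_ip, self.target_ip = name, public_ip, target_ip
        self.queries = 0

    def answer(self, qname):
        if qname.lower().rstrip(".") != self.name:
            return None
        self.queries += 1
        ip = self.public_ip if self.queries == 1 else self.target_ip
        return ip, 0          # (A record, TTL)


def is_rebind_answer(qname, ip, local_suffixes=(".lan", ".local", ".home")):
    """Resolver/router-side defence: an upstream answer that maps a public
    name to a private, loopback or link-local address is almost always an
    attack (dnsmasq implements this as --stop-dns-rebind)."""
    addr = ipaddress.ip_address(ip)
    if not (addr.is_private or addr.is_loopback or addr.is_link_local):
        return False
    return not qname.lower().rstrip(".").endswith(local_suffixes)


def host_header_allowed(host_header, device_addresses):
    """Device-side defence: a rebound request still carries the attacker's
    name in the Host header, because the browser believes that is who it is
    talking to. A local HTTP API should only answer when Host names the
    device itself (its IP or mDNS name), independent of any authentication."""
    hostname = urlsplit("//" + host_header).hostname   # strips port, lowercases
    return hostname is not None and hostname in {a.lower() for a in device_addresses}


def simulate_attack(enforce_host_check):
    """Replay the exchange and report whether the page's request is served."""
    resolver = RebindingResolver(ATTACKER_NAME, ATTACKER_PUBLIC_IP, DEVICE_LAN_IP)
    first_ip, _ = resolver.answer(ATTACKER_NAME)      # browser loads the page
    second_ip, _ = resolver.answer(ATTACKER_NAME)     # script fires XHR after TTL expires
    if first_ip != ATTACKER_PUBLIC_IP or second_ip != DEVICE_LAN_IP:
        return False
    host_header = f"{ATTACKER_NAME}:{DEVICE_PORT}"    # what the device actually receives
    if enforce_host_check:
        return host_header_allowed(host_header, [DEVICE_LAN_IP, "google-home.local"])
    return True                                       # unauthenticated API answers anyone


if __name__ == "__main__":
    print("request served without Host check:", simulate_attack(False))   # True
    print("request served with Host check:   ", simulate_attack(True))    # False
    print("resolver would block:", is_rebind_answer(ATTACKER_NAME, DEVICE_LAN_IP))  # True
```

The two defences are independent: the resolver filter protects every device behind a router that applies it, while the Host check protects a device regardless of the network it sits on, which is why it belongs in the device firmware even when the API is later given authentication.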
The discovery presents both a privacy and a safety issue for users that browse the web from the same Wi-Fi as a Google Home or Chromecast because it opens up the possibility of cyber-stalking. A website’s operator can learn a user’s location, which makes it possible for a predator to physically stalk a victim in the real world.
Moreover, Young believes it's important for users of these kinds of devices to understand the broader implications and risks of this new attack, as there is the "possibility of more effective blackmail or extortion campaigns. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
As a method of mitigating exposure, Young said he has at least three distinct networks in his home at any given time so that if he is surfing the web on his main network, “a rogue website or app would not be able to find or connect to my devices. When using Chromecast, I need to then either switch networks temporarily or else use the sometimes glitchy ‘Guest Mode.’”
New research from Positive Technologies has discovered that almost half (48%) of web applications are vulnerable to unauthorized access, with 44% placing users’ personal data at risk of theft.
What’s more, 70% of the apps Positive Technologies tested proved susceptible to leaks of critical information, whilst attacks on users are possible in 96% of them.
In fact, every app the firm assessed contained vulnerabilities of some sort, with 17% having vulnerabilities that would allow an attacker to take full control over the app.
The majority of detected vulnerabilities (65%) were a result of errors in application development – such as coding errors – with incorrect configuration of web servers accounting for a third of them.
However, the research did discover the percentage of web apps with critical vulnerabilities (52%) had declined for the second year in a row, down from 58% the previous year.
“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Positive Technologies analyst Leigh-Anne Galloway. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”
Speaking to Infosecurity, Eoin Keary, founder and CEO of edgescan, agreed that steps need to be taken to improve application layer security.
“DevSecOps needs to be embraced such that security is throughout the development pipeline,” he said. “Application component security management (software components used by developers) is still not common place in terms of supporting frameworks and software components and is a common source of vulnerability.”
A US woman has pleaded guilty to using data stolen in the notorious 2015 OPM breach to secure fraudulent loans.
Karvia Cross, 39, of Bowie, Maryland, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft and could theoretically face anything from two to 30 years behind bars.
She is said to have helped mastermind a wide-ranging fraud campaign, using OPM breach victims’ stolen identities to obtain personal and vehicle loans from Langley Federal Credit Union (LFCU).
“LFCU disbursed loan proceeds via checks and transfers into the checking and savings accounts opened through these fraudulent applications,” the Department of Justice explained. “Vehicle loan proceeds were disbursed by checks made payable to individuals posing as vehicle sellers, while personal loan proceeds were disbursed to LFCU accounts opened in connection with the fraudulent loan applications and transferred to accounts of others.”
Cross and others then withdrew the fraudulently obtained funds, the DoJ said.
Co-defendant Marlon McKnight pleaded guilty to the same charges on June 11.
The revelations are interesting as up until now the US government has blamed China for the devastating attack on the Office of Personnel Management. Some 22.1 million current and former US officials and their friends and family were caught in the breach, which included information on security clearance “background investigations” for military and intelligence roles.
That led many to speculate that foreign agents had co-ordinated the hack to obtain information which could be used to blackmail, coerce and intimidate US personnel and potentially even recruit spies.
It is therefore somewhat unusual that the same data presumably found its way onto the cybercrime underground where fraudsters like Cross could access it, although there is no official confirmation that this is how she obtained it.
The breach itself was said to have been made possible after hackers stole credentials from a government contractor, something that could have been avoided with stronger security processes and implementation of multi-factor authentication.
Attacks on critical infrastructure (CNI) represent the biggest cybersecurity threat facing the UK, according to MPs.
NCC Group polled a representative sample of 100 MPs from all main political parties and found 62% believed compromise of key sectors including transport and utilities to be the biggest risk to the country.
Although all parties agreed on this, they were divided in their views on other threats.
Over two-fifths (42%) of Conservatives claimed a compromise of nuclear capabilities to be one of the top two threats, versus just 14% of Labour MPs. On the other hand, 44% of Labour MPs considered democratic interference to be a major threat, compared to only 16% of Conservative MPs.
On a positive note, MPs do seem to appreciate the consequences of poor cybersecurity. Three-quarters (75%) claimed to be concerned that a breach of their personal email could negatively affect the cybersecurity of the House of Commons, while 73% said that their constituents’ privacy would be the biggest concern emanating from such a threat.
NCC Group’s global CTO, Ollie Whitehouse, welcomed the seemingly high levels of awareness of cyber-issues among MPs.
“In recent years, the government has been proactive in implementing initiatives to strengthen the UK’s stance against evolving technical and geopolitical threats which attempt to compromise the integrity of our nation,” he added. “MPs play a significant role in these initiatives, so it’s important to maintain continued education around modern threats and informed dialogue amongst all stakeholders. This will ensure that parliamentary staff at all levels understand the steps they need to take, in both their professional and personal lives, in order to address cyber-risk head on.”
However, in a keynote speech at Infosecurity Europe earlier this month, parliamentarian and dotcom pioneer Martha Lane Fox argued that politicians are dangerously ignorant when it comes to understanding technology.
“We need to upskill our legislators dramatically if we’re going to cope with the challenges of the coming years,” she said. “We are very far away from having policymakers equipped to deal with the scale of the challenge.”
Security researchers have discovered seven vulnerabilities in nearly 400 models of IP camera from a well-known manufacturer, some of which could be exploited to remotely control the devices.
The team at security vendor VDOO made the discovery as part of wider research into a range of leading IoT products from a broad sweep of manufacturers.
It claimed to have responsibly disclosed the flaws to Axis Communications, which has since released new firmware to address the bugs in 390 models of its internet-connected surveillance cameras.
The vulnerabilities in question are: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664.
VDOO claimed that by chaining three of these together, an attacker who could reach the camera’s login page over the network could take full control of the device without needing to authenticate.
With full control over the devices they could access or freeze the video stream, move the lens or turn motion detection off, conscript the device into a botnet for DDoS, Bitcoin mining and other ends and even use it as a beachhead into the main network.
“To the best of our knowledge, these vulnerabilities were not exploited in the field, and therefore, did not lead to any concrete privacy violation or security threat to Axis’s customers,” the firm concluded.
“We strongly recommend Axis customers who did not update their camera’s firmware to do so immediately or mitigate the risks in alternative ways.”
VDOO also released guidance for IP camera manufacturers, claiming to have uncovered plenty of “bad architectural practice.” Its recommendations include privilege separation between processes, input sanitization, minimal use of shell scripts and encryption of binary firmware.
This isn’t the first time Axis Communications has been singled out for attention by security researchers.
In July last year, IT security firm Senrio revealed Devil’s Ivy, a major flaw in the widely used gSOAP web services toolkit which made its way into potentially tens of millions of devices, including those produced by Axis.
Ad fraud is easy money for cyber-criminals. Researchers have discovered a new piece of malware, dubbed Zacinlo, that specializes in advertising fraud; according to Bitdefender, it pulls advertising from several platforms, including Google AdSense.
Adware has long been used to augment the earnings of developers who give applications away to consumers. It has been a winning strategy for developers whose products have landed in the hands of users around the globe, but the unspoken “no financial strings attached” contract has always been underwritten by third-party advertisers, who absorb the product’s cost in exchange for customer data. That exchange is what gave rise to adware.
In a white paper released today, Bitdefender wrote that “adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user.”
Zacinlo, spyware that has been running since early 2012, infects a user's PC and performs one of two tasks: it either opens invisible browser instances to load advertising banners and then simulates clicks from the user, or it changes ads loaded naturally inside the browser with the attacker’s ads in order to collect advertising revenue.
An interesting feature on this adware is that it includes a rootkit driver that protects itself, as well as its other components. Extremely rare and difficult to remove, rootkit-based malware is usually found in less than 1% of threats.
"Threats like Zacinlo clearly demonstrate that crime does pay. Advertising abuse has been known to happen for years, but Zacinlo takes this to a whole new level. The complexity and longevity, as well as the multitude of samples, shows that the team that operates it manages to defraud significant amounts of money from publishers and advertisers," said Bogdan "Bob" Botezatu, senior e-threat analyst from Bitdefender.
“Since the rootkit component attempts to subvert both the operating system and the security solutions running on top of it, I would highly recommend that – from time to time – users run a full security sweep," Botezatu said.
Two phishing campaigns have been targeting consumers of both the FIFA World Cup and one of its longtime partners, Adidas. One campaign attempts to lure victims into clicking on a malicious link under the guise of downloading a World Cup schedule of fixtures and a result tracker, while the second promises a “free” $50-per-month subscription for Adidas shoes.
Today Check Point announced that it has discovered a new phishing campaign, timed to the start of the World Cup, that targets soccer fans. Embedded in the attachment is DownloaderGuide, a known malware family often used to install potentially unwanted programs (PUPs) such as toolbars, adware and system optimizers. Researchers found nine different executable files delivered in emails with the subject: “World_Cup_2018_Schedule_and_Scoresheet_V1.86_CB-DL-Manager.”
First identified on 30 May, Check Point said the campaign peaked on 5 June but has re-emerged since the start of the games. “Events that attract huge amounts of popular interest are seen by cyber-criminals as a golden opportunity to launch new campaigns,” Maya Horowitz, Check Point’s threat intelligence group manager, said in today’s press release.
“With so much anticipation and hype around the World Cup, cyber-criminals are banking on employees being less vigilant in opening unsolicited emails and attachments. As such, it is critical that organizations take steps to remind their employees of security best practices to help prevent these attacks being successful," Horowitz said.
The second phishing campaign, which targets Adidas customers, uses a different tactic, luring victims in with a homographic link that uses a vertical line in place of where the “i” in Adidas should be. “The use of punycode-based homoglyph email and web domains are an increasingly used technique to spoof users in email phishing attacks,” said Matthew Gardiner, cybersecurity expert, Mimecast.
“Given the thousands of possible iterations of a domain that are now possible with these internationalized domain names and the thousands of available top-level domains that are also available, such as .co, .cf, .ml and many others, there is no possibility of preregistering these domains to keep them out of the hands of the bad actors. The only reasonable approach is to have automated email security controls to detect these types of impersonation attacks to protect your organization. Expecting your users to figure it out is increasingly unrealistic,” Gardiner said.
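Gardiner’s point about punycode homoglyph domains, as an added example that is not Mimecast’s or Check Point’s code: decoding an A-label to the string a reader sees, folding confusable characters to the brand they imitate, and flagging labels that mix scripts. The confusables table and the sample domains are constructed for the example, and the dotless-i spelling is one possible rendering of an Adidas lookalike, since the page does not say which character the campaign used.

```python
import unicodedata

# Small confusables table constructed for this example; Unicode's confusables.txt
# (UTS #39) is the authoritative, far larger source.
CONFUSABLES = {
    "\u0131": "i",  # ı  LATIN SMALL LETTER DOTLESS I
    "\u01c0": "l",  # ǀ  LATIN LETTER DENTAL CLICK (renders as a vertical bar)
    "\u04cf": "l",  # ӏ  CYRILLIC SMALL LETTER PALOCHKA
    "\u0430": "a",  # а  CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е  CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о  CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р  CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с  CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # ѕ  CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і  CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0501": "d",  # ԁ  CYRILLIC SMALL LETTER KOMI DE
}


def decode_label(label):
    """A-label (xn--...) to U-label; plain ASCII labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label):
    """Fold a label to the ASCII string a reader would take it for."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def script_of(ch):
    """unicodedata exposes no Script property; for letters the first word of the
    character name (LATIN, CYRILLIC, GREEK, ...) is a workable stand-in."""
    if not unicodedata.category(ch).startswith("L"):
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script(label):
    return len({s for s in map(script_of, label) if s}) > 1


def assess_domain(domain, brands):
    """Return (decoded_domain, findings) for a domain as it appears in a link."""
    findings = []
    originals = domain.rstrip(".").split(".")
    labels = [decode_label(l) for l in originals]
    for original, label in zip(originals, labels):
        if label != original:
            findings.append(f"{original} is an IDN label and displays as {label}")
        if mixed_script(label):
            findings.append(f"{label} mixes scripts")
        folded = skeleton(label)
        if folded != label.lower() and folded in brands:
            findings.append(f"{label} reads as brand {folded}")
    return ".".join(labels), findings


if __name__ == "__main__":
    brands = {"adidas", "fifa"}
    # Constructed samples: the punycode form of "adıdas" (dotless i), a
    # Cyrillic-a lookalike given directly as a U-label, and the real name.
    for d in ["xn--addas-o4a.com", "\u0430didas.com", "adidas.com"]:
        print(d, "->", assess_domain(d, brands))
```

Mixed-script detection alone misses the dotless-i case, because U+0131 is a Latin letter; the skeleton comparison against a brand list is what catches it, which is why mail filters need both signals and a confusables table far larger than the one shown.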
Misconfiguring buckets in Amazon Web Services (AWS) can leave an organization’s sensitive data exposed, one of the risks of operating workloads in the cloud. A new research report details the immediate risks and threats created by deploying workloads in public clouds without proper security guardrails, security services or security best practices.
On 19 June, 2018, Lacework is scheduled to release its research, Containers at Risk, which discovered more than 22,000 container orchestration and application programming interface (API) management systems on the Internet – Kubernetes, Mesos, Docker Swarm, and more – highlighting the potential for attack points caused by misconfiguration and weak protocols. The large majority (95%) of the open admin dashboards were hosted inside of AWS.
"The immediate issue is that if somebody gets access to container orchestration systems, they can do anything within the console, from accessing information to the actual machines. One of the big messages here is that the security people in companies that are migrating to the cloud need to get back in the fold. They need to bridge this big gap that exists between developers and security," said Dan Hubbard, chief security architect at Lacework.
On the heels of the Weight Watchers breach in which a Kubernetes console was left exposed on the web without password protection, the report is a reminder that organizations embracing the new technologies underlying modern IT infrastructure – public clouds, virtual machines, containers and API-based environments – need to continuously validate the configuration of their cloud resources for security best practices.
“Cloud misconfigurations are completely avoidable if organizations proactively monitor their cloud computing environments. The incident at Weight Watchers is just another reminder for organizations to ratchet up their compliance and security posture in the cloud,” said Varun Badhwar, CEO and co-founder, RedLock. "Cloud resources should be automatically discovered when they’re created and monitored for compliance across all cloud environments. Further, organizations should implement policy guardrails to ensure that resource configurations adhere to industry standards."
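The kind of configuration check Badhwar describes, as an added example that is not Lacework’s or RedLock’s code: evaluating an S3 bucket’s ACL and bucket policy, the two separate paths by which a bucket becomes public, against constructed sample responses of the shape `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. The bucket name, account ID and role name are made up for the example.

```python
import json

# Grantee URIs S3 uses for its two "everyone" groups.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def acl_findings(acl):
    """acl: a dict shaped like the GetBucketAcl response (Owner + Grants)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """policy: the bucket policy document as a dict (Version + Statement)."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be given bare
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow "*"; it still
        # needs a human look, so the finding is kept but annotated.
        note = " (narrowed by a Condition; review it)" if stmt.get("Condition") else ""
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone{note}")
    return findings


def assess_bucket(name, acl, policy):
    """ACL and policy are evaluated separately by S3, so both must be checked:
    a private ACL does not help if the policy says Principal "*", and vice versa."""
    findings = acl_findings(acl) + policy_findings(policy)
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample responses, not taken from any real account.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Deploy", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
PRIVATE_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
    print(assess_bucket("example-bucket", PRIVATE_ACL, {"Statement": []})["public"])  # False
```

Run against every bucket in every account on a schedule, and treat a new finding as a deployment regression rather than a one-off audit result; the report’s point is that a single console left open is enough, so the check has to be continuous.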
Calling the acquisition “a significant milestone in the execution of F-Secure’s growth strategy,” the move will see F-Secure gain a number of leading cybersecurity researchers, and also MWR’s products and services including the threat hunting platform Countercept and its suite of managed phishing protection services Phishd.
F-Secure CEO Samu Konttinen said: “I’m thrilled to welcome MWR InfoSecurity’s employees to F-Secure. With their vast experience and hundreds of experts performing cybersecurity services on four continents, we will have unparalleled visibility into real-life cyber-attacks 24/7.
“This enables us to detect indicators across an incredible breadth of attacks so we can protect our customers effectively. As most companies currently lack these capabilities, this represents a significant opportunity to accelerate F-Secure’s growth.”
MWR InfoSecurity CEO Ian Shaw, who will join F-Secure’s Leadership Team after the closing of the transaction in July, said: “We’ve always relied on research-driven innovations executed by the best people and technology. This approach has earned MWR InfoSecurity the trust of some of the largest organizations in the world. We see this approach thriving at F-Secure, and we look forward to working together so that we can break new ground in the cybersecurity industry.”
Security analyst Bob Tarzey told Infosecurity that as both F-Secure and MWR are Europe-based companies, this is not about extending global reach, although their market penetration is complementary to some extent.
“F-Secure will get three things: a managed security service provider capability, better enterprise reach (to date F-Secure has been more consumer/SMB focused) and some complementary capabilities,” he said.
“Cisco’s 2015 acquisition of Portcullis was also a services play, and yes, as cybersecurity evolves, all the main players need more services as well as product capabilities.”
Europol has taken major steps toward disrupting a long-running global cybercrime group, with eight arrests in the past year, including one in Thailand announced last week.
The international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) was begun after an unnamed UK company was hit by a major cyber-attack in May 2017.
That attack was claimed by the infamous Rex Mundi group. A French-speaking member of the group called the company following the incident to demand a €580,000 ransom in Bitcoin for non-disclosure of the stolen customer data, or over €825,000 for information on how the group had compromised the firm’s systems.
However, the UK Metropolitan Police, the French National Police (OCLCTIC-DCPJ, its central high-tech crime unit) and Europol sprang into action, and a month later five people were arrested by the French authorities.
This was followed by two more arrests in France in October last year and now the eighth arrest by the Royal Thai Police of a “French national with coding skills.”
“This case illustrates that cyber-related extortion remains a common tactic among cyber-criminals, as identified in the IOCTA 2017 [Internet Organised Crime Threat Assessment report],” said Europol. “As indicated in the report, for such financially motivated extortion attempts, attacks are typically directed at medium-sized or large enterprises, with payment almost exclusively demanded in Bitcoins.”
This is the kind of cross-border law enforcement co-operation that some experts have warned may become harder following Brexit.
The UK is dependent on the EU to help protect its security interests – including those in cyber-space. If it leaves, the UK might be able to renegotiate an agreement on info-sharing, but it won’t have the benefits it currently has, such as direct access to the Europol database, or “the ability to involve itself into our intelligence projects and many other areas,” Europol director Rob Wainwright said in February 2016.
The US-CERT has issued a new alert warning organizations of a fresh North Korean malware threat, a trojan linked to the Hidden Cobra APT group.
The latest Malware Analysis report was compiled by researchers at the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with other partners in the government.
The 11 malware samples listed in the report feature executables which “have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections.”
The majority are RC4-encrypted RATs designed to download and delete files, and proxy modules which open the Windows Firewall on victim machines to allow incoming connections.
The report claims that the so-called “Typeframe” malware is related to Hidden Cobra, an APT group linked last year by the CERT to the North Korean government.
The news comes hot on the heels of diplomatic efforts to improve ties with Pyongyang which resulted in the meeting of President Trump and Kim Jong-un last week.
However, North Korean hackers have long been regarded as a persistent state-sponsored threat to the world. Government operatives are thought to have launched the WannaCry ransomware worm that did so much damage in May 2017.
Plus, the infamous North Korea-linked Lazarus Group was blamed, among other attacks, for the $81m raid on Bangladesh Bank and the devastating info-stealing and destructive malware attack on Sony Pictures Entertainment.
Advice from the US-CERT on mitigating the Typeframe threat includes keeping patches and AV up-to-date, disabling file and printer sharing services, restricting user permissions, enforcing strong passwords and firewalls on each workstation, scanning emails for suspicious attachments and monitoring web browsing.
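The report's point that Typeframe's proxy modules open the Windows Firewall to inbound connections makes the firewall rule set itself a useful thing to audit on each workstation. The script below is an added example written for this article, not code from the US-CERT report: it compares a baseline export of a host's firewall rules against a current export and flags inbound Allow rules that are new or that flipped from Block to Allow, ranking highest any rule whose program lives in a user-writable path. The CSV layout (Name, Direction, Action, Enabled, Profile, Program) is an assumed export format, and all rule rows are constructed sample data, not rules from the report.

```python
"""Audit a Windows Firewall rule export for newly opened inbound access.

Added example (not from the US-CERT Typeframe report). Given a baseline
export taken from a known-good workstation and a current export from the
same host, report inbound Allow rules that were not allowed in the
baseline. The CSV column layout is an assumption of this example, and the
rows below are constructed sample data.
"""
import csv
import io

# Constructed baseline: rules expected on a hardened workstation where
# file/printer sharing and RDP are blocked, as the US-CERT advice suggests.
BASELINE_CSV = """Name,Direction,Action,Enabled,Profile,Program
CoreNet-DHCP-In,Inbound,Allow,True,Any,%SystemRoot%\\system32\\svchost.exe
RemoteDesktop-UserMode-In-TCP,Inbound,Block,True,Any,%SystemRoot%\\system32\\svchost.exe
FPS-SMB-In-TCP,Inbound,Block,True,Any,System
"""

# Constructed current export from the same host: SMB has been re-opened and
# an unknown binary under a user profile now accepts inbound connections.
CURRENT_CSV = """Name,Direction,Action,Enabled,Profile,Program
CoreNet-DHCP-In,Inbound,Allow,True,Any,%SystemRoot%\\system32\\svchost.exe
RemoteDesktop-UserMode-In-TCP,Inbound,Block,True,Any,%SystemRoot%\\system32\\svchost.exe
FPS-SMB-In-TCP,Inbound,Allow,True,Any,System
Windows Update Helper,Inbound,Allow,True,Any,C:\\Users\\alice\\AppData\\Roaming\\wuhelper.exe
Office Sync,Outbound,Allow,True,Any,C:\\Program Files\\Vendor\\sync.exe
"""

# Path fragments that ordinary users can write to; a listening program
# living there deserves a closer look than one under %SystemRoot%.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def load_rules(text):
    """Parse a CSV export into a dict keyed by rule name."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def is_user_writable(program):
    """True if the program path sits in a location a standard user can write."""
    lowered = program.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def audit(baseline_text, current_text):
    """Return findings for enabled inbound Allow rules that are new relative
    to the baseline or whose action changed from Block to Allow.

    Each finding is a dict with name, program, reason and severity; findings
    with severity "high" (user-writable program path) are listed first.
    """
    baseline = load_rules(baseline_text)
    current = load_rules(current_text)
    findings = []
    for name, rule in current.items():
        if rule["Direction"] != "Inbound" or rule["Action"] != "Allow":
            continue
        if rule["Enabled"] != "True":
            continue
        old = baseline.get(name)
        if old is None:
            reason = "new inbound allow rule"
        elif old["Action"] != "Allow":
            reason = "rule changed from %s to Allow" % old["Action"]
        else:
            continue  # already allowed in the baseline
        severity = "high" if is_user_writable(rule["Program"]) else "medium"
        findings.append({"name": name, "program": rule["Program"],
                         "reason": reason, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_CSV, CURRENT_CSV):
        print("[%s] %s: %s (%s)" % (finding["severity"].upper(), finding["name"],
                                    finding["reason"], finding["program"]))
```

On the constructed data the audit reports the re-opened SMB rule as medium and the AppData-resident "Windows Update Helper" listener as high. A baseline export is the key design choice: without one, every legitimate inbound rule looks like noise, whereas a diff against a known-good host surfaces exactly the kind of change a proxy module would make.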
Former FBI director James Comey used his personal email account to conduct official business, despite investigating Hillary Clinton for the same security oversight, a new report has revealed.
The long-awaited Justice Department inspector general report was released late last week. It details the FBI’s handling of the investigation into Clinton’s use of a private email server when she was secretary of state, something that was used by Donald Trump to cast doubt on her suitability as a presidential candidate.
“We identified numerous instances in which Comey used a personal email account to conduct unclassified FBI business,” the report revealed. “We found that, given the absence of exigent circumstances and the frequency with which the use of personal email occurred, Comey’s use of a personal email account for unclassified FBI business to be inconsistent with Department policy.”
Comey apparently forwarded official emails to his personal webmail address when he wanted to work on an unclassified document which would be widely distributed, such as a speech or an FBI-wide missive.
As such, the former FBI boss claimed he had no concerns over the breaking of department policy “because there will always be a copy of it in the FBI system and I wasn't doing classified work there.”
Incredibly, Comey claimed the practice was necessary because he didn’t have an unclassified FBI connection at home that worked, and no one thought to fix it.
That betrays a serious failure of cybersecurity best practice at an institution that ought to know better.
Clinton responded with a short deadpan tweet: “But my emails.”
She has gone on record in the past as claiming that Comey’s investigation into the affair – and his reopening of that investigation just days before voters went to the polls, before closing it again – helped to cost her the presidency.
Ironically, several White House officials in the Trump administration have been accused of using personal email accounts for government business.
While working on a project for the US Department of Defense, Clarifai, a New York–based AI startup, had a server compromised.
Multiple news outlets reported that Clarifai was working on the Defense Department’s Project Maven when a server was reportedly compromised, adding that the company failed to report the news to the Pentagon. Amy Liu, a former marketing executive at Clarifai, alleged that she was released from her post after insisting that the company report the compromised server, Wired reported this week.
The company disputes reports that it was targeted by Russian actors. “Wired’s story includes a number of allegations, which we strongly dispute,” a Clarifai spokesperson wrote in an email. “First and foremost, the security incident as described in the article was inaccurate and does not reflect what occurred.”
In a 13 June blog post, Clarifai founder and CEO Matthew Zeiler emphasized that the company did not experience a security incident that put government – or other customer – information at risk. Rather, the company identified an untargeted bot last fall, which Zeiler said was on an isolated research server located at a Clarifai data center.
“We quickly contained the situation and, with the services of an independent security firm, determined the bot did not access any data, algorithms or code. Also, the research server is separate from the infrastructure on which Clarifai customers run. Government customers in particular do not utilize Clarifai’s infrastructure,” the blog said.
The company wrote that it takes information security very seriously, asserting that it voluntarily notified customers following a full assessment, which included an external audit and report by a security firm.
Because Project Maven has itself been deemed controversial, the spokesperson also noted, “We make sure our employees understand the projects they are asked to work on and regularly accommodate requests to switch or work on particular projects of interest. It is deeply frustrating and disappointing to see these false allegations about our company. At Clarifai, we are committed to building the best technology for human advancement and doing so with integrity.”
Clarifai maintains that the former employee was terminated for lawful, legitimate business reasons. Infosecurity Magazine contacted former marketing executive Amy Liu, who shared a redacted copy of the lawsuit filed against Clarifai, which claims that "on or about Tuesday, November 7, 2017, Clarifai discovered that its systems had been hacked by an individual (or entity) from Russia, or that was running an IP address through Russia. It quickly became apparent that the hacker or hackers may have accessed Clarifai’s co-located servers without much trouble. While engaged in this 'investigatory' work, it appears that the binary file on Clarifai’s co-located server was 'accidentally' deleted. This had the effect of wiping away some evidence of the cyber-breach."
"Ms. Liu was offered a choice to be immediately terminated, or to resign with six weeks of pay, on the condition that she sign a separation agreement, which included an agreement to not disclose the hack," the lawsuit states.
A Mexican campaign site was hit with a distributed-denial-of-service (DDoS) attack during the final presidential debate, which comes mere weeks before the 1 July election, fueling concerns about election security.
The affected site, run by the National Action Party (PAN), targets front-runner Andrés Manuel López Obrador, but his party reportedly denies any involvement with the outage. The majority of traffic that caused the outage supposedly came from Russia and China, which may or may not correlate with the origin of the attack.
There are currently no clear signs of foreign hacking in Mexican campaigns, and cyber-experts have not yet identified who was behind the attack. One possibility, Reuters reported, is that “it could have been done by hackers for hire working on behalf of somebody looking to prevent people from accessing the PAN website.”
Tensions and nerves are high as Mexico prepares for its election, particularly after evidence of Russia’s meddling in the 2016 US presidential election. National elections are not the only targets of attack, though. Just this month, news broke of an attack on the Knox County, Tennessee, election commission website, heightening concerns about election security. Originally, the Knox County attack was reported as a DDoS, but new evidence suggests that the DDoS was only a smokescreen for a larger attack.
Knox News reported on the larger attack and spoke with deputy IT director David Ball, who said, “It was not an attempt to actually change any data or put anything onto our servers; it was an attempt to take things off of our servers, to read what was there … they were looking to get things, not give things.”
“DDoS is preventable through runtime application self-protection (RASP) or web application firewall (WAF) technology,” said Jeannie Warner, security manager at WhiteHat Security. “I believe all critical services and applications fronting PII [personally identifiable information] or transactional information should have some sort of application protection beyond what a next-generation firewall (NGFW) or intrusion prevention system (IPS) can offer."
“Additionally, because the DDoS absolutely can distract from a secondary attack, especially as an attempt to ‘cover the tracks’ of something invasive, it’s critical that all states and countries start prioritizing the hardening of anything having to do with the voting system,” Warner said.
A majority of consumers who participated in a recent study said that if they had their druthers, they would prefer account logins that do not require passwords. According to a study conducted in April 2018 by research firm Blink and authentication technology company Trusona, over 70% of consumers would opt for alternative authentication logins rather than traditional usernames and passwords, reflecting the evolution of user behavior with regard to password practices.
Between 1 April and 21 April, 148 people took part in the study. Without knowing the full extent of what information was being collected on them, consumers agreed to participate and interacted with a gift-idea–generation site. They were required to log in to the site three times a week, but they were given two different login options, “easy” and “classic.” The classic login required entering a username and password, while the easy option allowed customers to log in with alternative authentication factors that did not require a username and password.
“Because of the masked nature of this study, careful consideration needed to be made in designing the study and methodology to ensure participants were not aware of the actual purpose of the study,” the report stated. For the purposes of this use case, the end customer already had the Trusona Gifts service app installed and had a username and password for the service.
Of the total participants, 84% chose easy at least once, while only 47% chose classic at least once. There were a combined total of 1,704 login attempts, with 1,331 being successful, indicating a 78% successful login rate. “Among Classic logins, there were 370 failed attempts out of 847 total attempts to log in for a success rate of 56%,” the report said.
“This report shows that consumers are ready to move beyond passwords and usernames to more secure authentication methodologies,” said Robert Capps, VP and authentication strategist for NuData Security. “Using a multilayered authentication framework that combines behavioral analytics with biometrics allows companies to verify users accurately without adding unnecessary friction and detect any unauthorized activity before it enters the environment."
“Multilayered solutions that include these technologies analyze hundreds of data points throughout a session and create an evolving profile of a user across the sessions," Capps continued. "Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to legitimate users, thus creating more convenient experiences for users.”