STE WILLIAMS

App developers are STILL allowed to read your Gmails

Google is still allowing third-party developers to access its users’ Gmail data, it said in a letter to Senators last week.

Senators John Thune, Roger Wicker and Jerry Moran had quizzed Google in mid-July after the Wall Street Journal published a story about Google giving external app developers access to their users’ Gmail accounts.

The story prompted the trio to contact Google CEO Larry Page, asking him to clarify Google’s approach to third party email access.

They were especially worried given Facebook’s recent experiences with third party developers, they said:

In the wake of the Cambridge Analytica Scandal, in which a third party app developer for Facebook obtained large amounts of user data and shared it with a political consulting firm, the potential misuse of personal data held by large internet platforms and shared with third party developers is a matter of particular concern to the Committee.

The letter asked Page whether Google requires third-party developers to conform to any privacy policies and what they were, and whether the company knew of a developer sharing the data with anyone else. It quizzed him on how the manual review and suspension processes worked, and whether Google allowed its own employees to see the content of Gmail users’ personal mails.

In a response to the Senators, Susan Molinari, vice president of public policy and government affairs for Google’s Americas operation, explained that the company did let developers share data with others:

Developers may share data with third parties so long as they are transparent with the users about how they are using the data.

It relied on their adherence to its privacy policy to ensure that they were sharing the data appropriately, it added.

Google elaborated on this, explaining that third party developers wanting access to sensitive data like Gmail data must agree to the company’s privacy policy and complete a verification process. This includes a manual review of their privacy policy to ensure that they are requesting appropriate data for their purposes, explained the letter. After verification, it uses machine learning to monitor the apps for any changes in behaviour, and if it detects any then it will put them through the manual review process again.

Google gave some examples of reasons for suspending apps, including not being transparent with users, gaming its anti-spam protections, and asking for permissions that they didn’t need.

Privacy policies

This leaves privacy advocates with the same problem as they had when the WSJ story dropped in early July.

Firstly, it still means that third-party developers can read Gmail users’ email if they want to. It’s important to point out that they only get the email if users explicitly give them permission to access it when using their app, but that raises the second problem: It leaves the user responsible for ploughing through Google’s 4000-word privacy policy.

This policy doesn’t explicitly state that actual human people rather than computerised scripts may end up reading your email, by the way.

Google also makes it the user’s responsibility to read their third party developers’ policies, too, because they may have extra clauses about passing data on to yet more companies.

In short, Google’s answers to the Senators tell us what we already knew, and force us to revisit a perennial question: How transparent and accessible should privacy policies be?

Also tucked away in the letter was another gem. Google doesn’t let its own employees access user email, it said, unless the user explicitly asks it to, or for security purposes such as investigating a bug or abuse. The latter seems to give the company quite a bit of latitude in how it treats its users’ mail, depending on how tightly it wanted to interpret ‘investigating a bug’.

This news comes on the heels of another privacy incident involving private messages. Twitter said late last week that a bug may have sent users’ private direct messages to third-party developers who were not authorized to see them – and that the bug persisted for nearly 18 months.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/osNvaqlJ4-8/

Facebook faces sanctions if it drags its feet on data transparency

The European Commission (EC) has had it up to here with Facebook dragging its feet on providing more information about what it does with users’ data and is ready to slap it upside the head with sanctions, Vera Jourova, the European Commissioner for justice, consumers and gender equality, said at a news conference on Thursday in Brussels.

And oh, by the way, Facebook is a “channel of dirt” and I’ve closed my account, she said at the same conference when asked why she doesn’t have a Facebook account.

Jourova said that she had an account for a short time but was taken aback by the venomous comments and filthy language she received:

I didn’t expect such an influx of hatred, and I decided to cancel the account because I realized there would be less hatred in Europe after I do this.

She doesn’t want to avoid conversation with the people, she said – even the critical ones.

I speak to everybody who wants normal, honest, decent communication.

Regarding sanctions, Jourova warned Facebook that it has to comply with the EU’s consumer protection rules. Communication with users has got to get better – specifically, users need to be informed what data Facebook has collected about them. Otherwise, member states will levy fines.

In a Tweet, she alluded to the multiple revelations about Facebook sharing users’ data with third parties that have come out over the past few months, including the Cambridge Analytica fiasco.

Facebook has until 31 December to act. Jourova said that she’s out of patience:

I am becoming rather impatient. We have been in dialogue with Facebook almost two years. Progress is not enough for me, I want to see the results.

If we don’t see progress, the sanctions will come. This is quite clear. We cannot negotiate forever. We need to see the results.

No wonder she’s out of patience: This has been going on for some time.

Back in February, the EC said that social media companies need to do more to fully comply with EU consumer rules. That call came on top of the same request having been made in March 2017 by the European Commission and Member States’ consumer authorities.

Facebook and Twitter, in particular, may have agreed to provide a dedicated email address for national authorities to use to call out infringements, but both companies shied away from promising that they’d respond to the issues in a given timeframe.

Also in February, the EC told AirBnB to inform customers about the total prices of bookings and extra fees – for example, service costs and cleaning charges – and to let consumers know whether their hosts are private individuals or professional.

In July, the EC had repeated its call to shape up, and Jourova said that the company had indeed made the “necessary changes to ensure full transparency.”

In contrast, Facebook hasn’t stepped up to the plate, Jourova said.

Facebook’s response, according to the BBC, was that it’s made some changes and will continue to cooperate.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P-Bgkx1NTxU/

Bankrupt NCIX customer data resold on Craigslist

What happens to sensitive customer data when a large company that has collected it over many years suddenly goes bust?

It’s easy to assume that databases are wiped by diligent IT staff just before they turn off the lights and close the door for the last time. At the very least that data should have been encrypted.

It has now emerged that something entirely different and more troubling took place when Canadian computer and electronics retailer Netlink Computer Inc (NCIX) declared bankruptcy in December 2017.

According to Privacy Fly researcher Travis Doering, the company simply abandoned much of its equipment in a hurry, which he discovered when it was offered for sale on Craigslist this August.

After arranging a meeting with the seller to examine the hardware, it turned out to comprise 20 Dell PowerEdge and Supermicro servers, 300 desktop PCs, 109 hard drives, and another 400-500 drives that had been inside NCIX desktops or sent to it for repair.

Now for the disturbing bit – it soon became clear that the valuable part of the deal was not the drives themselves but what was on them – 13 terabytes of data all told, including 385,000 database records containing names, email addresses, phone numbers and account passwords, 258,000 of which included full credit card payment details.

A separate Canadian database contained 3.8 million customer records gathered by NCIX between January 2007 and July 2010.

Doering even turned up numerous files belonging to NCIX’s founder Steve Wu, including personal documents and images of his family, plus large numbers of company emails, and intellectual property related to manufacturing.

Somehow the seller had got hold of passwords to access the databases while significant amounts of the data were not encrypted in the first place. The price for the data on its own: $15,000 (£11,500).

How did such a data catastrophe come to pass?

Doering’s guess is that NCIX’s landlord was owed money and quickly sold the dead company’s equipment to an auction house, where it was picked up cheaply by the contact who had offered it to him.

Given the calculated way the data was marketed for its value, it seems likely the equipment was targeted precisely because it might contain something that could be sold. Writes Doering:

This entire scenario could have been avoided by simply implementing full disk encryption within their organization or destroying the drives as their bankruptcy loomed.

That’s problem number one – the company doesn’t appear to have been storing its databases securely. Problem number two is that nobody seems to be paying any attention to what happens to customer data when companies die.

The NCIX incident is a data breach by the back door, which would have gone unrecorded had a curious researcher not answered a Craigslist ad.

Worse than that, this is a type of data breach in which the victims will almost certainly never receive a notification email telling them what’s happened because the only record of their involvement is already in the hands of criminals.

Canadian or US customers of NCIX during the last 15 years should assume any personal data or credit card information logged with the company is now potentially in the hands of cybercriminals, and raise any suspicious transactions with their bank.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A-g6PUxB2GU/

Some credential-stuffing botnets don’t care about being noticed any more

The bots spewing out malicious login attempts by the bucketload appear to have cranked it up a notch.

According to Akamai’s latest State of the Internet report on credential stuffing (PDF), its customers alone were deluged by 30 billion malicious logins between November 2017 and June this year, an average of 3.75 billion per month.

This intensified during May and June, when traffic spiked to more than 4 billion malicious login attempts – a bad portent for what might be coming in the rest of 2018.

Credential stuffing is the technique of using a bot to try logins stolen during phishing attacks and data breaches on lots of other sites to see how many succeed. Because bazillions of netizens have the habit of reusing the same password over and over, plenty do succeed.


The method, which took off two years ago, quickly gained popularity as cybercrims leapt upon the lucrative bandwagon.

According to Akamai’s senior director of security, Jay Coley, the primary aim of credential-stuffing bots is to test accounts to see whether stolen logins work. If they do, they’re sold to other criminals.

The rise of credential bot volume is being driven by its success. “If it wasn’t profitable, they wouldn’t do it,” said Coley. “They see this as like a goldrush.”

Volume is a double-edged sword for these miscreants. On the one hand, the bad guys need to try as many logins as possible in an attack, because more attempts equal a greater potential success of breaking into accounts. But ramp up volume too far and the defenders will notice, potentially mistaking traffic for a denial-of-service attack.

The preferred method was “low and slow”, trying to hide malicious logins within the normal traffic volumes. “The clever ones drip feed one or two logins per hour. They come in under the radar,” Coley observed.

The report also documented a large credential-stuffing attack in which a US credit union noticed malicious login traffic had spiked from an everyday level of 800 per hour to 10 times that volume – 8,723 attempts per hour. Over the week, the union saw 315,000 malicious login attempts from nearly 20,000 different IP addresses. And yet with only 4,382 HTTP User Agent connections from fewer than 2,000 autonomous system numbers, the bot was small by the standards of the mega-bots people are used to hearing about, which might be why most of the active ones haven’t been given fancy names yet.
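As an added example that is not from Akamai’s report or from The Register, here is the kind of hourly check a defender could run over login logs to catch a spike like the credit union’s: it profiles failed attempts, distinct source IPs and user agents per hour, and separates account spraying (many accounts, one or two tries each) from single-account brute force. The log format, the ten-fold spike threshold, the tries-per-account cut-off and the labels are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the format in Akamai's report):
#   <ISO timestamp> <source ip> "<user agent>" user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" user=(?P<user>\S+) result=(?P<result>OK|FAIL)$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["hour"] = rec["ts"][:13]   # bucket key such as 2018-05-14T09
    return rec


def hourly_profile(lines):
    """Per hour: failed attempts plus distinct IPs, user agents and target accounts."""
    prof = defaultdict(lambda: {"fails": 0, "ips": set(), "uas": set(), "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        bucket = prof[rec["hour"]]
        bucket["fails"] += 1
        bucket["ips"].add(rec["ip"])
        bucket["uas"].add(rec["ua"])
        bucket["users"].add(rec["user"])
    return prof


def classify_hours(prof, baseline_fails, spike_factor=10, max_tries_per_user=3):
    """Label each hour. Thresholds are assumptions: a spike is spike_factor times the
    everyday failure rate; stuffing spreads that spike thinly over many accounts,
    while many tries concentrated on one account looks like brute force."""
    labels = {}
    for hour, b in prof.items():
        if b["fails"] < spike_factor * baseline_fails:
            labels[hour] = "normal"
        elif b["fails"] / len(b["users"]) <= max_tries_per_user:
            labels[hour] = "credential_stuffing"
        else:
            labels[hour] = "brute_force"
    return labels


def make_hour(hour, n_fail, n_ips, n_users, n_uas):
    """Constructed traffic: n_fail failed logins spread over n_ips sources,
    n_users target accounts and n_uas user agents; deterministic so results are stable."""
    lines = []
    for i in range(n_fail):
        src = i % n_ips
        lines.append(
            f"{hour}:{(i // 60) % 60:02d}:{i % 60:02d}Z 198.51.{src // 256}.{src % 256} "
            f'"agent-{i % n_uas}" user=user{i % n_users} result=FAIL'
        )
    return lines


# Constructed sample: the everyday level of 800 failures/hour from the report, then the
# 8,723/hour spike the credit union saw, then an equally loud single-account attack.
SAMPLE_LOG = (
    make_hour("2018-05-14T08", 800, n_ips=600, n_users=700, n_uas=120)
    + ['2018-05-14T08:05:00Z 192.0.2.9 "agent-1" user=alice result=OK']   # successes are ignored
    + ["garbage line that does not parse"]                                  # skipped by the parser
    + make_hour("2018-05-14T09", 8723, n_ips=1900, n_users=8000, n_uas=400)
    + make_hour("2018-05-14T10", 8723, n_ips=5, n_users=1, n_uas=1)
)


def analyse(lines, baseline_fails=800):
    """hour -> (label, failures, distinct IPs, distinct user agents)."""
    prof = hourly_profile(lines)
    labels = classify_hours(prof, baseline_fails)
    return {h: (labels[h], b["fails"], len(b["ips"]), len(b["uas"])) for h, b in prof.items()}


if __name__ == "__main__":
    for hour, summary in sorted(analyse(SAMPLE_LOG).items()):
        print(hour, summary)
```

An hourly volume check like this only catches the loud bots; the “low and slow” drip feed Coley describes needs a different signal, such as per-account or per-source history over days.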

Most of the credential-stuffing bot traffic (2.82 billion attempts) originated in the US, with Russia accounting for a further 1.55 billion. The UK was a very distant sixth with under 200 million.

The US also accounted for the overwhelming majority of the target accounts. This might be partly skewed by the US bias in Akamai’s customer base but American criminals have also built larger “dictionaries” of US-oriented usernames and passwords after big breaches.

This implies that the rise in credential-stuffing bots is being fuelled by growth in the number of breached credentials that can be targeted.

Short of imposing authentication and magically abolishing crap passwords, can the bots be stopped?

Whether organisations in the sectors being targeted by these attacks are ready for extra layers of fraud detection is hard to assess, although history isn’t encouraging.

It seems more probable – like the bad password habits they have allowed their users to get away with for aeons – they’ll put up with a bad situation for as long as possible and invest when it’s too late. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/24/akamai_state_of_the_internet_report/

Virus screener goes down, Intel patches more chips, Pegasus government spying code spreads across globe

Roundup When we weren’t dealing with malware-bricked breweries, poorly-wiped servers or litigious vendors, we had a number of other security headaches to keep busy with.

Here’s a few of them.

Gov pay sites pilfered

Government pay portals were in the crosshairs of cybercriminals this week.

First, there was GovPayNow, which got the dreaded Brian Krebs treatment. The internet security sleuth reported that GovPayNow.com had been relieved by hackers of some 14m records.

These include payment receipts for government fees and fines as well as payment records for individual citizens. The site claims it has no record of any criminal activity being reported with the exposed data.

Meanwhile, FireEye claims that it has spotted a malware threat at Click2Gov, another site tasked with collecting fees for city and county governments in the US.

According to FireEye, attackers compromised a number of Click2Gov servers using one of three Oracle WebLogic vulnerabilities and then used debugging tools and data-mining malware to lift the payment card data of customers.

Perhaps most puzzling, FireEye says it doesn’t know who might actually be behind the sophisticated operation.

“The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application,” the firm said.

“Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another.”

Bondage for Bondars

A Latvian man who helped malware writers operate undetected will be spending the next decade and a half looking at the inside of a prison cell.

Ruslan Bondars was sentenced this week to 14 years in prison for his role in operating Scan4You, a testing service that allowed cybercriminals to run their code by a number of popular antivirus engines to make sure their malware would be able to go undetected.

Among the most notorious of Scan4You’s patrons were the creators of the Citadel malware and the perpetrators of the massive Target data theft.

Earlier this year, Bondars was found guilty of computer intrusion, conspiracy to commit wire fraud and conspiracy to violate the Computer Fraud and Abuse Act (CFAA).

Intel pops out fresh round of microcode patches

Relax, this isn’t for any new Spectre or Meltdown variants. Rather, this is an expansion of the ongoing Intel campaign to kick out firmware updates to motherboards that were vulnerable to Spectre v3 and Spectre v4, more accurately known as CVE-2018-3639 and CVE-2018-3640.

Intel released the first crop of these updates earlier this year, and with this week’s release Chipzilla is expanding that fix to additional processors. For most machines, the updates will be distributed to OS and/or motherboard vendors who will then put them out to end users.

For some Linux builds (such as Debian) the microcode update can also be downloaded and updated manually.

NPR puts a number on ESS remote access boxes

Earlier this year, voting machine maker ESS admitted that for a period of time some of the management units it offered to local government election boards had contained remote access tools from PCAnywhere.

At the time, ESS downplayed the severity of the issue, claiming it was only a ‘limited’ subset of units it sold between 2000 and 2007 that contained the software. According to NPR, it was a whopping 300 jurisdictions that in fact had units that were shipped with the potentially vulnerable PCAnywhere.

It should be noted: the PCAnywhere software was only intended to be used for customer support, and it was never installed on any of the voting machines themselves (these were separate management and configuration systems) so there’s no reason to think the election outcomes were ever vulnerable. Still, not a great look for a company already under fire for its security policies.

Pegasus malware officially a global brand

NSO Group’s Pegasus surveillanceware has been on the market for around two years, and now researchers say the spyware has a global reach that would make most multinational corporations jealous.

CitizenLab reports that its latest analysis of the malware has found it operating in some 45 countries, usually in the hands of governments looking to keep tabs on their citizens.

As you might imagine, this isn’t sitting well with privacy and human rights groups, who note that many of those customers paying NSO top dollar have less than sparkling reputations.

“Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services,” CitizenLab notes.

“In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of ‘legitimate’ criminal investigations.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/22/security_roundup_220918/

The curious sudden rise of free US election ‘net security guardians

Analysis Nothing super-fuels a security sales pitch like the sort of threat it’s hard to ignore.

After China’s massive Aurora attacks on Gmail in 2009, it was the terror of Advanced Persistent Threats (APTs) that helped make fortunes for a new wave of security startups, post-incident forensic companies, and others peddling intelligence on the next attack.

These days, it’s the Wizard of Oz-like enigma of Russia, which doesn’t just hack systems, but uses fake news, confusion, and the tragic anger-of-the-commons as a sort of mind-hack on entire populations. Allegedly. How can anyone stop that?

The answer is that US capitalism re-hacks people’s minds back using a word that must make even the well-roubled cyber-miscreants of St Petersburg tremble – free service.

Symantec is the latest to serve up this idea by offering candidates, election commissions, and political parties in the forthcoming US mid-term election free access to its anti-spoofing service for email and websites, Project Dolphin.

Dolphin uses, the biz claims, “AI” to compare the site someone is visiting (e.g. a phishing page) with lots of examples of the real thing as a way of spotting anomalies. “The issues that plagued the 2016 election are still prevalent today and are likely to continue to persist through the midterm elections, into 2020, and into elections globally,” Symantec’s CEO Greg Clark said in a statement.

Get Zuck’d

Never one to be left out, Facebook launched its own “pilot program” designed to protect the Facebook accounts of anyone involved in US elections. “We’ll help officials adopt our strongest account security protections, like two-factor authentication, and monitor for potential hacking threats,” Team Facebook boasted.

Let’s not dwell on the irony that Facebook is where this whole Russian news manipulation strategy achieved lift-off, because the point Facebook is making is that it has been shaken well and truly out of its utopian net complacency.

It could be that Facebook’s pilot is a welcome political shield should CEO Mark Zuckerberg ever get called back for another uncomfortable day on US Congress’s naughty step, but the others have surely spied a new type of market.

Suddenly, they’re all at it. Symantec and Facebook’s decision to circle the wagons around elections echoes Microsoft’s announcement of AccountGuard earlier this month, itself an attempt to catch up with Google’s Advanced Protection Program (APP) from earlier in 2018. It’s as if protecting the honest men and women in US elections is the program no company can do without – perhaps by the time Yahoo announces its program we’ll know the fashion is over.

It’s no secret that almost any phishing attack can get through – eventually. Endpoint security tools struggle because there is no malware, only ruses designed to steal credentials. Until now, the industry’s clever answer was extra authentication, ignoring the fact that a lot of the most targeted people don’t seem interested in using it. In future, getting a protected email service might depend on it.

Still, having your political email account, portal, or website protected by a free service should be a no-brainer. The question is why everyone else won’t soon be asking for the same thing. That, of course, could be where the free bit ends, and the monthly subscription plan starts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/22/us_election_internet_security/

Couldn’t give a fsck about patching? Well, that’s your WordPress website pwned, then

Website admins are urged to update their WordPress installations as soon as possible to the latest version following a rash of attacks exploiting known vulnerabilities in the web publishing software.

Researchers at Malwarebytes say miscreants don’t appear to be targeting any one specific bug, but rather a full array of flaws in older versions of WordPress and its various plugins.

“During the past few days, our crawlers have been catching a larger-than-usual number of WordPress sites being hijacked,” noted Malwarebytes researcher Jérôme Segura on Thursday.

“One of the most visible client-side payloads we see are redirections to tech support scam pages. Digging deeper, we found that this is part of a series of attacks that have compromised thousands of WordPress sites since early September.”

According to Segura and researchers with Sucuri, the hackers have been exploiting flaws that allow them to inject malicious JavaScript code into pages, usually either inside an HTML header on a page or within the wp_posts table in the WordPress database.

From there, the nasty code loads when the WordPress site is accessed and redirects users to scam pages – most notably fake tech support sites and hard-to-remove “evil cursor” scareware screens.


Admins are being advised to check their pages for signs of the injected JavaScript and, if possible, figure out where the attack came from.

“Website owners affected by these attacks will have to perform a thorough cleanup of injected pages, databases, and backdoors,” Segura explained.

“More importantly, they will need to identify the root cause of the compromise, which often times is an outdated WordPress installation or plugin.”

WordPress is no stranger to large-scale attacks on its platform. The widely-used CMS is an attractive target for cybercriminals as its vulnerabilities most often provide an attacker with a way to covertly compromise sites and inject code for further attacks.

Earlier this year, fellow CMS vendor Drupal took its turn in the shooting barrel as attackers seized on a bug known as ‘Drupalgeddon’ to inject things like cryptocoin mining scripts into pages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/21/wordpress_flaws_attacked/

Twitter: Don’t panic, but we may have leaked your DMs to rando devs

Twitter is in full damage control mode after disclosing that it may have inappropriately exposed some unlucky twits’ private tweets and direct messages to strangers.

The 280-character shoutfest admitted on Friday that a bug present in one of its APIs from May 2017 to September 10, 2018, could have caused some messages to leak to certain third-party programmers. The biz claimed less than one per cent of its users would be affected, but seeing as Twitter is used by roughly 340 million people a month, you do the math. (OK, perhaps as many as 3.4 million.)

According to Twitter, the coding blunder in its webhook system required a very specific set of circumstances to trigger. If it did flare up, a person’s account activity would be routed to the wrong third-party application rather than to the apps connected to their account. Thus, copies of direct messages and protected tweets would end up in the hands of whoever built the application that incorrectly received that information.

“It is important to note that based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source,” Twitter said.

Here, in full, is what Twitter said would need to happen for the now-fixed bug to show up.

  • Two or more registered developers had active Account Activity API subscriptions configured for domains that resolved to the same public IP.
  • For active subscriptions, URL paths (after the domain) had to match exactly across those registered developers — e.g. https://example.com/[webhooks/twitter] and https://anotherexample.com/[webhooks/twitter]
  • Those registered developers had activity relevant to their subscriptions occur in the same 6-minute time period (relevant because of a cache-like behavior); and
  • Those registered developers’ subscribers’ activities originated from the same backend server from within Twitter’s datacenter.

If all those circumstances were met, the wrong developer would have been able to see subscribers’ activities – including DMs and protected tweets – for up to two weeks or, more likely, until no activity occurred for a six minute period.
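To make the four conditions concrete, here is an added model of the mis-routing (constructed for this page, not Twitter’s code): a delivery cache keyed only on the resolved public IP and URL path, refreshed by activity and expiring after six idle minutes or two weeks, alongside the assumed fix of keying on the registered developer as well. The DNS table, subscriptions and timings are constructed; one router instance stands in for one backend server, which is the fourth condition.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

CACHE_IDLE_SECONDS = 6 * 60              # entry expires after six minutes without activity
CACHE_MAX_AGE_SECONDS = 14 * 24 * 3600   # hard cap of two weeks on any entry

# Constructed DNS table: two unrelated developers' domains share one public IP,
# a third developer sits on a different address.
DNS = {
    "example.com": "203.0.113.10",
    "anotherexample.com": "203.0.113.10",
    "third.example.net": "198.51.100.7",
}


@dataclass(frozen=True)
class Subscription:
    developer: str     # registered developer (app) id
    webhook_url: str   # URL registered for Account Activity deliveries


class WebhookRouter:
    """One backend server's delivery path; each instance keeps its own cache."""

    def __init__(self, subscriptions, fixed):
        self.subs = {s.developer: s for s in subscriptions}
        self.fixed = fixed
        self.cache = {}        # cache key -> {"recipient", "created", "last_seen"}
        self.deliveries = []   # (developer that received it, developer that owns it, event)

    def _cache_key(self, sub):
        parsed = urlparse(sub.webhook_url)
        ip = DNS[parsed.hostname]  # "domains that resolved to the same public IP"
        if self.fixed:
            # Assumed fix: the registered developer is part of the key, so two
            # apps behind one IP and path can never share an entry.
            return (sub.developer, ip, parsed.path)
        # Buggy key: only resolved IP and URL path, which is exactly the
        # collision Twitter described.
        return (ip, parsed.path)

    def deliver(self, developer, event, now):
        """Route one subscriber event; returns the developer whose endpoint got it."""
        key = self._cache_key(self.subs[developer])
        entry = self.cache.get(key)
        if entry is not None:
            idle = now - entry["last_seen"] >= CACHE_IDLE_SECONDS
            too_old = now - entry["created"] >= CACHE_MAX_AGE_SECONDS
            if idle or too_old:
                entry = None
        if entry is None:
            entry = {"recipient": developer, "created": now, "last_seen": now}
            self.cache[key] = entry
        entry["last_seen"] = now   # continuing activity keeps the entry alive
        self.deliveries.append((entry["recipient"], developer, event))
        return entry["recipient"]

    def misrouted(self):
        """Deliveries that reached a developer other than the one who owns them."""
        return [d for d in self.deliveries if d[0] != d[1]]


# Constructed subscriptions matching Twitter's example URLs: same path, two
# domains on one IP, plus a control developer on another IP.
SUBSCRIPTIONS = [
    Subscription("dev-A", "https://example.com/webhooks/twitter"),
    Subscription("dev-B", "https://anotherexample.com/webhooks/twitter"),
    Subscription("dev-C", "https://third.example.net/webhooks/twitter"),
]


def run_scenario(fixed):
    """Replay the disclosed conditions on one backend; return misrouted deliveries."""
    router = WebhookRouter(SUBSCRIPTIONS, fixed=fixed)
    router.deliver("dev-A", "A-user DM", now=0)                 # creates the (IP, path) entry
    router.deliver("dev-B", "B-user protected tweet", now=120)  # inside six minutes: collides when buggy
    router.deliver("dev-C", "C-user DM", now=130)               # different IP: never collides
    router.deliver("dev-B", "B-user DM", now=130 + CACHE_IDLE_SECONDS)  # entry went idle: correct again
    return router.misrouted()


if __name__ == "__main__":
    print("buggy :", run_scenario(fixed=False))
    print("fixed :", run_scenario(fixed=True))
```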


Twitter is notifying all developers and users who would have potentially been exposed, though it claims it has yet to find anyone actually exposed.

“Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review,” Twitter said in its statement.

“Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/21/twitter_api_bug/

Romanian Hacker Pleads Guilty for Role in Inauguration Surveillance Ransomware

Attack against the Metropolitan Police Department was disrupted before malware could be sent to additional systems.

Just before the 2017 presidential inauguration, 126 computers controlling surveillance cameras for the Metropolitan Police Department of the District of Columbia were hit with a ransomware attack that disabled almost two-thirds of the cameras in the nation’s capital. Now, a Romanian citizen has pleaded guilty in federal court to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer fraud.

As part of the plea agreement, Eveline Cismaru, 28, will cooperate fully in the investigation. She will be sentenced on Dec. 3.

According to evidence presented in the case, ransomware activated on the 126 computers would have resulted in a ransom of more than $60,000. In addition, some of the infected computers were converted to proxies for sending malware to other systems; when the scheme was disrupted, investigators say that Cismaru and her co-conspirator, Mihai Alexandru Isvanca, were in the process of attacking as many as 179,616 other computers using stolen e-mails, e-mail passwords, and banking credentials.

Surveillance capability was restored before the inauguration, and there is no evidence that any individual’s physical security was harmed or threatened because of the outage. Isvanca remains in custody in Romania while awaiting extradition to the US.


Article source: https://www.darkreading.com/attacks-breaches/romanian-hacker-pleads-guilty-for-role-in-inauguration-surveillance-ransomware/d/d-id/1332869?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The ‘Opsec Fail’ That Helped Unmask a North Korean State Hacker

How Park Jin Hyok – charged by the US government with alleged computer crimes for the Sony, Bank of Bangladesh and WannaCry cyberattacks – inadvertently blew his cover via email accounts.

Park Jin Hyok and his colleagues at North Korea’s infamous, state-sponsored Lazarus Group hacking team moonlighted on the side as programmers and IT support providers for clients while working abroad in China sometime between 2011 and 2013.

Details disclosed on Sept. 6 of the US Department of Justice criminal charges filed against Park, aka Jin Hyok Park and Pak Jin Hek, show how the North Korean hacker appeared to inadvertently blow his cover by using the same email accounts for both his commercial work and his role in major cyberattacks attributed to Lazarus Group, including the hack of Sony Pictures Entertainment and the Central Bank of Bangladesh.

Park worked for Chosun Expo Joint Venture, a company that the DoJ has identified as a front for the North Korean government. One of the Chosun Expo Gmail accounts associated with Kim was also connected to another Gmail account with a similar handle. In addition, that second account was used for spear-phishing, reconnaissance of victims, and researching hacking methods, according to the DoJ filing.

The second Gmail account, under the alias Kim Hyon Woo, was used to set up or access three other email or social media accounts that targeted victims at Sony and Bangladesh Bank. “Although the name ‘Kim Hyon Woo’ was used repeatedly in various email and social media accounts, evidence discovered in the investigation shows that it was likely an alias or ‘cover’ name used to add a layer of concealment to the subjects’ activities,” the filing said.

Using free US email accounts like Gmail and Hotmail left Lazarus Group hackers open to search warrants by US law enforcement, notes Eric Chien, a fellow with Symantec’s Security Technology and Response division. There was “a lack of opsec” on Park and his team’s part in how they managed those accounts. “And through … these email addresses, they [the FBI] were able to connect the dots,” he says.

FBI investigators discovered connections among various email and social media accounts used by Park, including Facebook.

Park basically blew his cover by “cross-contaminating” his legitimate security work with his work for the North Korean government, Chien says. “Cross-mailing to those email addresses ultimately led to this guy’s resume,” so US officials even got his photo, he says. “This was pretty amazing.”

Park appears to be just one member of the Lazarus Group team behind the massive 2014 breach and doxing of Sony and the $81 million cybertheft at Bangladesh Bank in 2016, as well as the historic and global WannaCry attack in 2017, among other hacks.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, says Park appears to be an active member of the North Korean hacking team. “Most likely he probably got caught … because his opsec was not as strong as others” in the group, she says. “They were able to build this case against him based on all the mistakes he made.”

The weak opsec isn’t surprising when it comes to Lazarus Group, though, Chien says. “When you look at their attacks, a lot were rudimentary in the very beginning. They’ve definitely evolved and caught up,” he says. “But on the flip side, they’ve always been brazen and unpredictable … I’m not sure they really care” if they get unmasked, he says.

Park’s unmasking only scratches the surface of Lazarus Group members: It’s likely the FBI knows more about other members as well, experts say.

“Park was the only individual to whom the DOJ could reliably attribute many of these activities. Many other individuals and teams were involved, making it difficult to comment specifically on Park’s operational security,” says Bryan Burns, vice president of threat research engineering with Proofpoint. “The North Korean government works with many teams and loosely connected individuals who conduct cyberattacks on their behalf. Park was the only individual the DOJ could pinpoint given his extensive and lengthy activity.”

Overall, security researchers familiar with North Korean hacking operations say the charges basically reiterated many of the details already known about how Lazarus Group operates and targets its victims. “In a lot of ways, the way they operate that was more explicitly laid out in this [filing] was already well-known,” Moriuchi says, such as its uses of MD5 and the group’s malware.

But the high volume of indicators of compromise published in the filing was the most eye-popping and illuminating. “For me, it was more interesting, the sheer number of indicators released and how we can build on that from a research perspective to really map out the rest of this group,” Moriuchi says. “It was excellent work on behalf of the FBI and who got it declassified.”

[Image: Park Jin Hyok. Source: FBI]

Arrest on Paper
A warrant for Park’s arrest was issued on June 8 by the US District Court in Central California, and the filing was unsealed and released by the DoJ last week. He faces one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer intrusion.

But the likelihood that Park will ever set foot in a country with a US extradition agreement is slim, so the DoJ charges and the possible maximum prison sentence of 25 years exist only on paper right now. In a statement last week, FBI director Christopher Wray said the public charges against Park demonstrate the bureau’s goal of naming and shutting down malicious hackers.

According to the DoJ, Park allegedly also had a hand in targeted attacks on US defense contractors in 2016 and 2017, including Lockheed Martin, the main contractor for the Terminal High Altitude Area Defense (THAAD) missile defense system in South Korea. Lazarus Group was ultimately unable to penetrate the Lockheed Martin systems, according to the DoJ.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/the-opsec-fail-that-helped-unmask-a-north-korean-state-hacker-/d/d-id/1332870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple