STE WILLIAMS

Silicon Valley CEO admits $1.5m wire fraud: Bouxtie boss forged signatures to investors

Bouxtie had everything you can dream of in a Silicon Valley startup. A stupid name (it’s pronounced “bow-tie”), a vastly over-confident CEO with a story, millions in VC money, and a nonsensical business model built around an app.

And yet this week its chief exec Renato Libric pleaded guilty, in a US federal district court, to committing wire fraud involving $1.5m.

The Croatian-born entrepreneur moved to Redwood City, California, to join the San Francisco Bay Area’s ranks of other terrible upstarts, having peddled his vision of personalized digital gift cards for retailers like Amazon, Gamestop, Best Buy, and Macy’s in his home country.

The 39-year-old was advised to move to the Bay Area by none other than Richard Branson, according to his own telling in a puff-piece published by Forbes. “He told me, ‘Renato, you have a much bigger vision than can be realized here. You are too small for Europe and the UK, but if you really want to change the world and have those kind of big ideas, the money is in San Francisco’,” Libric was quoted as saying.


His goal was to disrupt the vast gift card market – worth more than $100bn in America – and in trying to do so, he managed to pick up $4.5m in venture capital from 2015 to 2017.

Libric arrived a little too late to easily cash in on the latest tech boom, though. By the time he set up shop in the Golden State in the mid-2010s, everyone in Silicon Valley was asking for evidence of revenue – you know, money – before investing, and Bouxtie was not impressing.

A Seattle company led a seed-funding round for Libric’s business in 2015, but it needed more – and so the entrepreneur turned to a Las Vegas organization late last year to get investment. That company also wanted to see evidence that its money wouldn’t go down the drain. At which point, according to the FBI and US Department of Justice, he decided the best solution was to paint a vision of financial success that did not closely align with reality.

“Libric admitted that an essential purpose of the scheme was to overstate the financial condition and prospects of Bouxtie, and to induce potential investors to believe Libric had authority to sell shares in Bouxtie to investors,” Uncle Sam’s prosecutors explained in an announcement of his guilty plea.

“Libric took multiple steps to convince members of a Las Vegas-based company to invest over a million dollars in Bouxtie. As part of the scheme, Libric fraudulently suggested to representatives of the potential investors that a large publicly-traded corporation was interested in purchasing Bouxtie at a price of $150 million.”

Ah, that was what you shouldn’t have done

And here’s where he crossed the line – he then forged the signature of an exec from the public corporation that was supposedly interested in buying his upstart. He also falsified his startup’s bank statement, showing that it had over $2m in the bank when in fact there was little more than $7,000.

And then he forged signatures from his own company’s board of directors on a document that said he could enter in a “loan” from the Las Vegas company that could be later converted into Bouxtie shares.

To his credit, Libric knew what VCs wanted: big buyout offers – there were three companies lined up to buy Bouxtie according to the Forbes article. The source? Um, Renato Libric.

But it worked. Libric got $1.5m from the Las Vegas company. And immediately transferred $130,000 into his personal checking account.

But it turns out that offering companies the ability to send personalized gift cards – you could add a picture or special message when sending the digital card to an employee – wasn’t a high-margin business. And lots of businesses figured they could just, you know, do the same thing dozens of different ways without paying a startup for the pleasure. Post-it note, anyone?

With his guilty plea in a San Francisco court this week, Libric will be sentenced in November. He faces a maximum of 20 years in prison and a $250,000 fine. The lesson? Don’t forge other people’s signatures. If there’s one thing that Silicon Valley can agree on, it’s that those signatures – especially on checks that clear – are sacred.

Sorry, Renato, you were a bullshitter – but not a Silicon-Valley-grade bullshitter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/07/bouxtie_ceo_wire_fraud/

Top antivirus tool nuked from macOS App Store – after it phoned browser histories to China

Apple has removed an app called Adware Doctor:Anti Malware Ad from the macOS App Store following claims it sent users’ browser histories to a remote server in China.

The app’s misbehavior was first noted by a security researcher who goes by the name Privacyis1st on Twitter and claims to have alerted Apple to the weirdness in early August. What’s more, this appears not to be an isolated incident: Malwarebytes on Friday noted that several different macOS App Store apps have been spotted siphoning off folks’ data.

Another security researcher, Patrick Wardle, working in conjunction with Privacyis1st, published an analysis of Adware Doctor on Friday, which appears to have encouraged Apple to take action.

As Wardle – an expert in Apple security – noted, Adware Doctor, which sold for $4.99, was the fourth-highest grossing app in the “Paid Utilities” category of the macOS App Store.

Exfiltrated

The developer was identified as “Yongming Zhang.” Wardle suggested this may be a reference to “Zhang Yongming,” a Chinese serial killer. It’s not certain the programmer is Chinese or is based there, but it appears the exfiltrated data was being sent to servers in China.

According to Thomas Reed, director of Mac and mobile security at Malwarebytes, the antivirus corp has been aware of this lone developer since 2015.

“At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac,” he wrote. “We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.”

It should be said it wasn’t exactly the same name: Malwarebytes’ app was called AdwareMedic – without a space. Apple’s tolerance of similarly named apps explains why there’s currently still an app in the App Store called Adware Doctor – Adware Malware Remover, Browser Mail Cleaner.

Chatting to El Reg, Reed said: “There’s definitely a naming issue on the App Store, because this has happened twice, with two different scam apps on the App Store, both using the name Adware Medic. Also, before Apple removed the offending Adware Doctor app earlier today, there were actually two apps, from different developers, with that exact name. (The other remains on the store.) There’s also one called Total Adware Doctor.”

Reed’s post also points the finger at other apps for data harvesting: Open Any Files, Dr. Antivirus, and Dr. Cleaner.

Sandboxed

Wardle’s analysis delves into the techniques used by Adware Doctor to exfiltrate users’ browser history files from Chrome, Firefox, and Safari, a clear violation of user privacy expectations and App Store rules. He notes that the application also collects a list of running processes on the user’s device, something that he suggests skirts Apple’s app sandboxing mechanism.

Apple declined to comment on the record. The Register, however, has come to understand from people familiar with the App Store’s policies that accessing files in the user’s home directory is not a violation of sandboxing rules when the user has granted the app permission to do so. Secretly sending browser history files to a remote server, however, represents a violation of App Store Review Guidelines.

Whether system-level process enumeration should be prevented by app sandboxing for an app granted broad permissions to fulfill its purported malware hunting job isn’t clear.

Wardle told The Register: “There are conflicting reports about where process enumeration is in fact blocked by the sandbox.” In any event, Apple’s removal of Adware Doctor makes it clear there was a problem.

The imminent arrival of the next version of macOS, macOS Mojave, should improve the situation. The OS update extends sandboxing protection to browser history and cookies, so even were someone to grant home directory access, the app at least in theory would not be able to access those files.

Reed, however, urges caution. He concludes his post by saying, “It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. … I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/07/adware_doctor_removed_apple/

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

The upcoming 2020 US presidential election should be conducted on paper, since there is no way currently to make electronic and internet voting secure.

That’s according to a dossier from the National Academies of Sciences, Engineering, and Medicine, which probed the fallout of alleged Russian meddling with America’s 2016 elections, and concluded that voting systems anywhere near the internet or a computer network were too vulnerable to be relied on to collect and tabulate vote counts.

“Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner),” the US-based academics recommended in their report this week.

“Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots. Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.”

The recommendations come after the eggheads looked into the various allegations of Russian government hackers menacing and infiltrating US state voting systems in an effort to sway the outcome of the 2016 elections – or at least muddy the waters.

As a result, the report claimed, nearly every part of the voter registration, balloting, and counting system needs to be reevaluated to not only make sure the systems are secure, but easy to audit and track throughout the election process.

‘Cyberattacks’

“Today, long-standing concerns about outdated and insecure voting systems and newer developments such as cyberattacks, the designation of election systems as critical infrastructure, and allegations of widespread voter fraud, have combined to focus attention on U.S. election systems and operations,” the team wrote.

“The issues highlighted in 2016 add urgency to a careful reexamination of the conduct of elections in the United States and demonstrate a need to carefully consider tradeoffs with respect to access and cybersecurity.”

Among the immediate recommendations is that elections systems, for the short term at least, be unplugged altogether. Finding that election authorities were unable to properly protect and manage their connected election systems, the report concludes that cables should be cut.

“At the present time, the internet (or any network connected to the internet) should not be used for the return of marked ballots,” the report read.

“Further, internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the internet.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/07/dump_electronic_voting/

Palestinian, Middle East Targets Hit with New Surveillance Attacks

‘Big Bang’ group returns with new campaign after last year’s RAT attacks.

The attackers who infected Palestinian law enforcement agencies with the MICROPSIA remote access Trojan (RAT) last spring have now been detected running surveillance attacks against the Palestinian Authority and other targets in the Middle East.

According to researchers at the Check Point Threat Intelligence Team, the attackers are sending phishing emails purporting to be from the Palestinian Political and National Guidance Commission. Attached to each message is a self-extracting archive file that contains a malicious executable and a Word document, which serves as a decoy.

The modular malware can take screenshots of the infected machine and send them to the command-and-control server, locate and send a list of documents with file extensions .doc, .odt, .xls, .ppt, .pdf and others, log system details, reboot a system, and destroy the executable.

The threat actor is now dubbed “Big Bang” because some of the malware’s modules were named after characters in the television show “The Big Bang Theory.” Check Point researchers believe this is the same group that was discovered by Cisco Talos in June 2017.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Article source: https://www.darkreading.com/attacks-breaches/palestinian-middle-east-targets-hit-with-new-surveillance-attacks/d/d-id/1332762?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8 Attack Vectors Puncturing Cloud Environments

These methods may not yet be on your security team’s radar, but given their impact, they should be.

(Image: Verticalarray via Shutterstock)

As companies work to protect their cloud environments, they need to know which types of attacks are most likely to hit.

“Cloud has been around for years, but cloud security has only within the past year or so become a formal discipline,” says Matthew Chiodi, vice president of cloud security at RedLock. And as the cloud evolves, attackers are finding new, advanced ways to break into enterprise environments.

Public cloud security incidents often stem from a poor understanding of the shared responsibility model, which governs how cloud users and providers both shoulder the burden of security, Chiodi says.

“Many of the threats we talk about are the result of organizations not understanding the threat model of the public cloud,” he explains. Customers struggle to use security tools in the public cloud, and legacy enterprise tools don’t work in the dynamic nature of cloud environments.

Several types of threats are taking aim at the cloud, says Manuel Nedbal, CTO at ShieldX. “We see most of the attacks are either orchestration or cross-cloud attacks, or data center attacks,” he says, attributing the overall rise of these incidents to the rise in cloud adoption.

Here, the two cloud security pros point to different types of cyberattacks and explain how they affect cloud environments.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/8-attack-vectors-puncturing-cloud-environments/d/d-id/1332764?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

TLS 1.3 Won’t Break Everything

The newest version of TLS won’t break everything in your security infrastructure, but you do need to be prepared for the changes it brings.

Transport Layer Security (TLS) is a foundation piece of modern Internet security. As the replacement of the earlier (and now deprecated) SSL, TLS encrypts the majority of sessions taking place via a web interface. And now, there’s a new version with new considerations for organizations giving their users and customers a more secure web experience.

In August, TLS 1.3 was defined in IETF RFC 8446. With that formal definition, the new version became available for implementation and a possible part of the requirements for a number of different regulations.

TLS 1.3 was not suddenly sprung on an unsuspecting world. The new standard went through 28 drafts to reach a production state and some products and services began incorporating TLS 1.3 compatibility over a year before the final version. Even so, articles have been written, and speeches given, about all the ways that TLS 1.3 will break current security protocols. So what is it about TLS 1.3 that leads to so much anxiety?

How TLS 1.3 is different

One of the important benefits touted for TLS 1.3 is improved performance, much of which comes because of a simplified “handshake” process between client and server when establishing a session. There are several technical reasons this is possible, but one of them is that a single negotiation — that of which encryption algorithm to use — is eliminated.

The server provides a key for an approved algorithm, the client accepts the key, and the session is begun. One strength of this scheme is that a number of older, weaker, encryption algorithms are no longer allowed, so several attack mechanisms become impossible.

When the server supplies an encryption key, it is valid for the particular session, and only that session. This leads to something called Perfect Forward Secrecy (PFS), which means that it’s impossible for a threat actor to capture a bunch of traffic, later discover the server’s encryption key, and then decrypt the captured traffic after the fact. This is, by itself, a major step forward in data security.

Why TLS 1.3 is important

While many organizations, especially those in finance and banking, have been proponents of TLS 1.3, there has not been universal joy at its adoption. The reason is that, despite the concerns of some security professionals, there’s no “back door” into the unencrypted traffic.

Why would security professionals, of all people, want a back door into encryption? The answer is visibility. Many enterprise security tools, especially those that do anything described as “deep packet inspection,” are essentially engaging in an authorized man-in-the-middle attack, intercepting encrypted traffic, decrypting and analyzing the contents, then re-encrypting the stream before sending it to its destination.

This sort of man-in-the-middle approach is relatively simple with an encryption key based on a server identity (rather than a session), but becomes vastly more complex with the scheme used by TLS 1.3. To put it bluntly, TLS 1.3 breaks many of the products used by organizations deploying TLS 1.2 for their encryption. Those organizations have concerns for both malware trapping and regulatory compliance since they may not have a way of inspecting the contents of communications going in and out of the network.

Network and application infrastructure companies have begun rolling out products that address the inspection issues in TLS 1.3. This is critical because both server software and browsers are beginning to be released that support or require the use of TLS 1.3. The real question will be how quickly organizations adopt the new protocol, a question that is more relevant given that, by some measures, more than half of all commercial web sites still have pages using TLS 1.0 for security.
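As an added illustration (not code from the article or from any product it mentions), the Python below builds constructed ClientHello records and parses out what a passive inspection device can actually see: a TLS 1.3 client keeps the header version at TLS 1.2 and advertises 1.3 only in the supported_versions extension, and the cipher-suite list shows whether a non-forward-secret static-RSA suite is still on offer. The suite and extension numbers are the IANA-registered values; the ClientHello bytes are constructed here for offline use.

```python
import os
import struct

# IANA-registered cipher suite and extension identifiers
TLS_AES_128_GCM_SHA256 = 0x1301                  # TLS 1.3 AEAD suite
TLS_AES_256_GCM_SHA384 = 0x1302                  # TLS 1.3 AEAD suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F   # TLS 1.2, ephemeral (forward-secret) key exchange
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F            # TLS 1.2, static RSA key exchange (no PFS)
EXT_SUPPORTED_VERSIONS = 0x002B

# Suites whose key exchange is static RSA: a later leak of the server's private key
# decrypts recorded sessions, which is exactly what forward secrecy rules out.
STATIC_RSA_SUITES = {0x002F, 0x0035, 0x009C, 0x009D}

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(cipher_suites, supported_versions=None, legacy_version=0x0303):
    """Constructed ClientHello record (RFC 8446 section 4.1.2 layout) for offline testing.

    A TLS 1.3 client leaves legacy_version at 0x0303 and lists 1.3 only in the
    supported_versions extension; a pre-1.3 client omits that extension entirely.
    """
    body = struct.pack("!H", legacy_version) + os.urandom(32)   # legacy_version, random
    body += b"\x00"                                             # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # one compression method: null
    extensions = b""
    if supported_versions is not None:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions            # 1-byte length prefix in ClientHello
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record header: content type handshake(22), legacy_record_version 0x0301, length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the fields a passive inspector can read from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + record_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip the 32-byte random
    pos += 1 + body[pos]                            # skip legacy_session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                            # skip compression methods
    supported_versions = None
    if pos < len(body):                             # extensions block is optional before 1.3
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + data_len]
            pos += data_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                count = data[0]
                supported_versions = [struct.unpack("!H", data[i:i + 2])[0]
                                      for i in range(1, 1 + count, 2)]
    return {"legacy_version": legacy_version, "cipher_suites": suites,
            "supported_versions": supported_versions}


def summarize(record):
    """What an inspection box learns: the highest version really offered, whether the
    client can do 1.3 at all, and which non-forward-secret suites it still accepts."""
    hello = parse_client_hello(record)
    offered = hello["supported_versions"] or [hello["legacy_version"]]
    highest = max(offered)
    return {
        "header_says": VERSION_NAMES.get(hello["legacy_version"], hex(hello["legacy_version"])),
        "really_offers": VERSION_NAMES.get(highest, hex(highest)),
        "tls13_capable": 0x0304 in offered,
        "static_rsa_suites": [hex(s) for s in hello["cipher_suites"] if s in STATIC_RSA_SUITES],
    }


if __name__ == "__main__":
    modern = build_client_hello([0x1301, 0x1302, 0xC02F], supported_versions=[0x0304, 0x0303])
    legacy = build_client_hello([0xC02F, 0x002F], legacy_version=0x0301)
    print("TLS 1.3 client:", summarize(modern))
    print("TLS 1.0 client:", summarize(legacy))
```

A middlebox that only reads the header version field would classify the first client as TLS 1.2; the extension is where the real offer lives.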

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/tls-13-wont-break-everything/a/d-id/1332767?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple (Finally) Removes MacOS App Caught Stealing User Browser Histories

The fact that the app likely has been exfiltrating data for years is “rather f#@’d” up, says the security researcher who reported the issue to Apple one month ago.

Apple has removed a top-rated ad blocker from its official Mac App Store after a security researcher discovered it to be quietly collecting and sending detailed user-browsing histories to a domain based in China.

The $4.99 Adware Doctor was until Friday morning listed as the fourth highest-selling app and top-grossing software product in the category of “paid utilities” in the Mac App store.

Its stated purpose is to protect users from malware and having adware served on their browsers. But the app has also been silently exfiltrating browser histories and other sensitive data from systems on which it is installed, says Patrick Wardle, founder and chief research officer of Digita Security and creator of Objective-See, a website for Mac security tools. 

“It also collects system info, a list of the user’s currently running processes, and also certain types of files that users have downloaded. It tries to access the user’s App Store history — but I believe a bug causes this to fail,” he says.

In a blog post Friday, Wardle said he had contacted Apple about the issue one month ago and informed the company about the app’s behavior. Even two years ago, in 2016, another security researcher had raised concerns about the same application trying to trick users into granting it administrative privileges on their devices, he said. But until Friday morning, Apple had not removed the app despite promising to investigate, Wardle said.

“There is rather a MASSIVE privacy issue here,” Wardle wrote. “The fact that [the] application has been surreptitiously exfiltrating users’ browsing history, possibly for years, is, to put it mildly, rather f#@’d up!”

Apple did not offer any explanation for why it might have waited so long to act. But according to the company, the app has been removed and the issue, which allowed Adware Doctor to access and exfiltrate privacy-sensitive content like browser history and cookies, has been mitigated in Mojave, the next version of the macOS.

A quick check by Dark Reading shows that the app is indeed no longer available for download from the app store for US users, at least.

Wardle, a macOS security veteran and frequent presenter at major security conferences like Black Hat, said he decided to investigate Adware Doctor after another security researcher tweeted an alert about the application stealing private user files last month.

After purchasing a copy of Adware Doctor, Wardle said he used a combination of static and dynamic analysis and quickly found the application to be behaving in a manner completely inconsistent with its stated purpose. Wardle discovered that when a user gives the application permission — by clicking OK — to remove extensions, cookies, and caches from his or her browser, the app ends up surreptitiously stealing the user’s browser history.

Apps downloaded from Apple’s official Mac application store typically are sandboxed, meaning that they are constrained in the kinds of files and user information they can access, Wardle said.

But since Adware Doctor is a malware detection and removal tool, it needs access to user data and files not normally available to other applications. When the application is first launched, it asks the user for permission to access files in his or her home directory and all files and directories under it so the files can be inspected for malware. Once a user has granted that permission, the tool — like any anti-malware product — has free access to files on the devices.

In Adware Doctor’s case, however, the app has been using the access to collect and exfiltrate data. “While some (such as a process list), perhaps have a legitimate reason for being collected by an anti-malware or anti-adware product, others such as the user’s browsing history seem to be a blatant violation of the user’s privacy,” Wardle noted.

According to Apple, the issue has been mitigated in the next release of macOS via a sandboxing mechanism that ensures an app won’t be able to access privacy-sensitive content after a user grants it permission to the home directory.

The fact that an app like this was allowed on Apple’s official app store — supposedly the most secure source for Mac software — should be a wake-up call for the company, says Matt Lock, director of sales engineering at Varonis.

“This isn’t the first time an app has collected data for questionable reasons, and it will not be the last,” he says. “The irony is that consumers downloaded the app to reduce adware, but got stuck with spyware in the process.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/apple-(finally)-removes-macos-app-caught-stealing-user-browser-histories/d/d-id/1332768?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Former NASA contractor arrested on charges of sextorting seven women

A former NASA contractor has been arrested for allegedly sextorting nude photos out of women.

The US Department of Justice (DOJ) said on Wednesday that Richard Gregory Bauer, 28, a former contractor at NASA Armstrong Flight Research Center who used aliases including “Steve Smith,” “John Smith,” and “Garret,” was arrested by special agents with NASA’s Office of Inspector General.

Bauer allegedly targeted seven women with online threats to publish nude photos unless the victims provided him with additional explicit pictures. A 14-count indictment charges Bauer with stalking, unauthorized access to a protected computer, and aggravated identity theft.

According to the indictment, over the past several years, Bauer harassed his victims on Facebook and via email. Masking his identity, he told the women that he had nude photos of them… photos that he did, in fact, allegedly have for six of the seven victims. Bauer allegedly sent the women their nude photos, claimed to have more, and threatened to post the images online unless the women sent him additional photos of them undressed.

How did he get the photos? By allegedly hacking passwords for social media accounts. Using his real name, Bauer is said to have reached out to his victims on Facebook, asking them questions that were purportedly for a project he was working on for a “human societies class.”

Some of those questions were the same type of thing you’d use to reset your passwords, such as: What’s the name of your first pet? In what city did your parents first meet?

Well, that was probably overkill. Unfortunately, humans are so terrible at password recovery questions that sextortionists and other online crooks don’t have to go to all that much trouble to trick them out of us as Bauer allegedly did.

As Google researchers have shown, the kinds of questions that are easy to remember are often insecure because answers are common or distributed unevenly across the user population.

From Google’s 2015 paper:

Statistical attacks against secret questions are a real risk because there are common answers shared among many users. For example using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question “Favorite food?”.

Besides, many of the answers to password recovery options are easily found online, according to research by Ariel Rabkin:

…16% of questions had answers routinely listed publicly in online social networking profiles… Other questions can be found in publicly available records. For example, at least 30% of Texas residents’ mothers’ maiden names can be deduced from birth and marriage records.

Then again, humans, including the women who were targeted in Bauer’s alleged extortion scheme, are pretty easy-going when it comes to simply handing over whatever “secret” is protecting their accounts. Another researcher, Chris Karlof, was able to use email phishing to extract answers from 92% of his targets.

Likely the best a memory-challenged human can do, in order to avoid using common, easy to guess or poorly chosen answers, is to generate a random string of letters, numbers and special characters, and then store them in a password manager.
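As an added example (not from the article or the cited papers), the Python below measures how guessable a recovery question is in the way the statistical-attack finding above describes, and generates the random, manager-stored answer the paragraph recommends. The answer sample is constructed here and the success rates it yields are illustrative, not Google’s figures.

```python
import math
import secrets
from collections import Counter

# Constructed sample: what 20 users answered to "Favorite food?" (illustrative only).
FAVORITE_FOOD_ANSWERS = (["pizza"] * 4 + ["sushi"] * 2 +
                         ["tacos", "pasta", "pizza!", "steak", "chocolate", "curry", "ramen",
                          "burger", "salad", "ice cream", "lasagna", "pho", "bbq", "dumplings"])


def normalize(answer):
    """Fold case and punctuation so that 'Pizza!' and 'pizza' count as one answer,
    which is how most recovery flows compare them anyway."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def answer_distribution(answers):
    """Answers with their share of the population, most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return sorted(((a, c / total) for a, c in counts.items()), key=lambda kv: kv[1], reverse=True)


def success_rate(answers, guesses):
    """Chance that the `guesses` most common answers hit a randomly chosen user.
    With guesses=1 this is the single-guess rate the Google study reports per question."""
    return sum(p for _, p in answer_distribution(answers)[:guesses])


def min_entropy_bits(answers):
    """Effective strength against a one-guess attacker: -log2 of the top answer's share."""
    return -math.log2(answer_distribution(answers)[0][1])


def random_recovery_answer(nbytes=16):
    """The recommended alternative: an unguessable string to be kept in a password manager.
    16 random bytes give roughly 128 bits, versus a couple of bits for a popular food."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("one guess:", success_rate(FAVORITE_FOOD_ANSWERS, 1))
    print("two guesses:", success_rate(FAVORITE_FOOD_ANSWERS, 2))
    print("min-entropy bits:", min_entropy_bits(FAVORITE_FOOD_ANSWERS))
    print("random answer:", random_recovery_answer())
```

Run over an organisation’s own (hashed or anonymised) answer data, `success_rate` shows which questions to retire before an attacker works that out empirically.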

But back to Bauer: with answers in hand for password resets, he would have been able to hijack his alleged victims’ accounts. Beyond that phishing approach, malware can get a crook what he’s after, and the indictment alleges that Bauer used that path as well: it charges him with allegedly convincing victims to install malware by claiming that he needed the victims’ help in testing software he claimed to have written.

The malware allegedly gave him the ability to capture victims’ passwords. At least twice, he’s alleged to have used logins and passwords belonging to victims to log on to their Facebook and Google email accounts.

If convicted of the 14 charges in the indictment, Bauer would face a statutory maximum sentence of 64 years in federal prison, though maximum sentences are rarely handed out.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6zTLiULWbmA/

Teen hacker admits to SWATting schools, airline flight

On Monday, the most outspoken member of a distributed denial of service (DDoS) gang – a British teenager – pleaded guilty to making bomb threats to thousands of schools and to a United Airlines flight between the UK and San Francisco while it was in mid-air last month.

According to the National Crime Agency (NCA), George Duke-Cohan, 19, pleaded guilty to three counts of making hoax bomb threats.

Security journalist Brian Krebs knows all about this guy. Krebs’s site, KrebsOnSecurity, was the recipient of one of multiple DDoS attacks carried out by Duke-Cohan’s group – which goes by the name “Apophis Squad” – over the past few months. Krebs reports that Duke-Cohan, who uses the aliases “7R1D3N7,” “DoubleParallax” and “Optcz1”, “was among the most vocal members” of this “group of internet hooligans.”

The gang also DDoSed ProtonMail.com: an end-to-end encrypted email service that, weirdly enough, many Apophis Squad members used. And taunted on social media. And whose servers they jumped all over.

ProtonMail wrote in a blog post on Thursday that its security team, along with help from other cybersecurity pros, began to investigate the gang almost immediately after the first attacks were launched.

It turns out that in spite of nyah-nyah bragging like this…

…Apophis Squad practiced lame operational security, ProtonMail said.

In fact, some of their own servers were breached and exposed online.

Krebs fed information to ProtonMail that enabled the email provider to identify Duke-Cohan as an Apophis Squadder in the first week of August.

The bomb threats had resulted in the evacuation of over 400 schools in the UK in March.

Duke-Cohan was arrested a few days after. Regardless, as of the end of August, he, or somebody else in his clique, was still gleefully rubbing their hands over the prospect of more threats when schools reopened this month:

Initially, it was thought that the March school threats came from warring Minecraft players, given that the messages looked like they came from Minecraft server VeltPvP. But the company said that the account had been spoofed and it was being “harassed by a group of cyber criminals that are trying to harass us in any way possible.”

In April, Duke-Cohan was already under investigation when he sent another mass email, to schools in the UK and the US, claiming that pipe bombs had been planted on their premises.

Then, on 9 August, Apophis Squad tweeted about flight UAL 949 having been grounded due to their hoax threats. The incorrigible, already-arrested Duke-Cohan was on pre-charge bail for the school threats at the time, but he still must have had an urge to terrify innocent people, because he went right ahead and placed the bomb threat to the US-bound flight.

Here’s a recording of one of the phone calls placed to San Francisco Airport and its police.

In the call, Duke-Cohan pretends to be a worried father whose daughter contacted him from the flight to tell him it was being hijacked by gunmen, one of whom had a bomb.

When the plane touched down in San Francisco, it was placed in a quarantined area of the airport and subjected to an intense security search. The NCA says that all 295 passengers had to remain on board, resulting in disruption to their journeys and financial loss to the airline.

And, undoubtedly, a good amount of fear.

In the US and other countries, hoax bomb threats fall under the genre of crime called SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams. It’s the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

Convicted SWATters such as Tyler Barriss will tell you that their intention isn’t to have anybody shot or killed. It is, rather, to shock or cause alarm. It doesn’t matter what Barriss’s “intention” was – it won’t buy back the life of 28-year-old Andrew Finch, whom police shot to death when responding to Barriss’s hoax call.

Fortunately, no deaths resulted from Duke-Cohan’s juvenile pranks. But that’s not to his credit: it was just roll-of-the-dice luck.

Like every other criminal who places these illegal calls, Duke-Cohan was playing a version of Russian roulette. The only difference is that he used somebody else’s gun and pointed it at strangers instead of his own temple.

Duke-Cohan was arrested (for the third time) in his bedroom in Watford, on 31 August. NCA agents found he was in possession of multiple electronic devices, in violation of his pre-charge bail conditions.

He’s in custody and due to appear at Luton Crown Court on 21 September.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8U3mfEP6TCw/

How to nab a HTTPS cert for a stranger’s website: Step one, shatter those DNS queries…

Updated: Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don’t own – even if the certs are protected by PKI-based domain validation.

Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get an SSL/TLS certificate for someone else’s domain and use it to create a malicious copy of that website. People fooled into connecting to the faked site will be told by their browsers that the connection is secure, when really they’re visiting a spoofed version.

Dr Haya Shulman of the Fraunhofer Institute for Secure Information Technology (SIT), one of the boffins behind the research, told The Register that a “weak off-path attacker” can – using nothing more than a laptop – effectively steal credentials, eavesdrop, or distribute malware using the method. The group at this stage withheld the names of the certificate authorities (CAs) that can be tricked into incorrectly issuing cryptographic certs.

In a paper seen by The Register, to be presented at the ACM’s Conference on Computer and Communications Security in Toronto, Canada, in October, Dr Shulman’s team wrote:

The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker’s public key to a victim domain.

The group has asked The Register not to republish the paper because it names affected certificate authorities. We have, however, seen a demo of a live attack by Fraunhofer SIT’s team. The technique ensures the DNS domain validation checks run by the CA are performed, in part, using the attacker’s DNS server rather than a server belonging to the domain’s owner. The attacker can therefore leverage this to obtain a cert for that domain.

“The attack is initiated with a DNS request,” the paper explained. “To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives.”

The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.

Network admins will have worked out by now that the attacker needs to do some offline research to get this to work – they have to examine responses from the victim’s nameserver to calculate “the offset where the fragmentation should occur.”

The research team proposed a domain validation protocol they dubbed “DV++” to block the attack. In summary, DV++ uses a distributed model which sends requests to multiple certification agents.

“To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain.”
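As an added illustration of the majority model DV++ describes above (example code written for this page, not the researchers’ implementation), here is a classic single-resolver DV check beside a majority-of-agents check, run over constructed agent observations; the agent names and the challenge token are made up.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Hypothetical challenge token the CA asks the domain owner to publish in a TXT record.
CHALLENGE_TOKEN = "dvpp-challenge-7f3a"


def legacy_dv_validate(observation: Optional[str], expected_token: str) -> bool:
    """Classic single-resolver DV: whatever the CA's one resolver saw decides."""
    return observation == expected_token


def dv_plus_plus_validate(observations: Dict[str, Optional[str]],
                          expected_token: str) -> Tuple[bool, Optional[str], List[str]]:
    """Majority-based check modelled on the DV++ description above.

    observations maps agent name -> TXT value it saw (None = no record / timeout).
    Passes only when strictly more than half of the agents saw the expected token.
    Returns (passed, majority_value, agents_disagreeing_with_majority) so that a
    dissenting agent, i.e. a possibly poisoned resolution path, can be investigated.
    """
    if not observations:
        raise ValueError("at least one agent must report")
    counts = Counter(observations.values())
    majority_value, votes = counts.most_common(1)[0]
    passed = majority_value == expected_token and votes > len(observations) // 2
    dissent = sorted(a for a, v in observations.items() if v != majority_value)
    return passed, majority_value, dissent


# Constructed scenarios: five agents querying over independent network paths.
AGENTS = ["agent-a", "agent-b", "agent-c", "agent-d", "agent-e"]

# 1. Legitimate owner published the token; every agent sees it.
HONEST = {a: CHALLENGE_TOKEN for a in AGENTS}

# 2. Owner never published anything; an off-path attacker poisons the cache of the
#    single resolver behind agent-b, so that agent alone sees the token.
POISONED_ONE_PATH = {a: None for a in AGENTS}
POISONED_ONE_PATH["agent-b"] = CHALLENGE_TOKEN

# 3. Legitimate owner published the token, but agent-d's path is being tampered with.
HONEST_WITH_NOISE = {**HONEST, "agent-d": "garbage"}
```

Scenario 2 is the case the page describes: a CA relying on one resolver would issue the cert, while the majority check refuses and names agent-b as the odd one out.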

Dr Shulman’s collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®

Editor’s note: This article was revised after publication to clarify that it is the websites being spoofed, not the certificates. The certs are handed over to the wrong person, in effect, and used to spoof legit sites.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/