STE WILLIAMS

Back to school soon – for script kiddies as well as normal kids. Hackers peddle cybercrime e-classes via Telegram

Crooks are now taking to encrypted messenger Telegram to tout their online how-to courses on cybercrime, according to risk management biz Digital Shadows.

Russian criminals have for some time now taught classes over the internet on how to rip off folks and credit card companies. Digital Shadows, which chronicled this trade last year, said this week there has been a shift over the past 12 months from publicizing these courses on marketplaces to attracting wannabe hackers via Telegram.

After the AlphaBay and Hansa cyber-souks were, ahem, neutralized in 2017, scumbags are now advertising on other platforms various hacking and payment-card cloning e-learning courses, complete with webinars, tutors, and reading lists.

Typically, a few free lecture videos are shared via Telegram to promote the marketing-savvy crooks’ cybercrime masterclasses. For example, a tutor held a botnet-related lecture on the messaging system to advertise a new “University of Cybersecurity and Anonymity” course and its dedicated website.

Website of the self-styled ‘University of Cybersecurity and Anonymity’ [source: Digital Shadows]

A seat at the classroom table costs $1,100, payable in Bitcoin, Digital Shadows’ Rafael Amado detailed on Thursday:

With a slick website, experienced tutors, and course structure that would not look out of place for the most established and legitimate education providers, this example demonstrates how cybercriminals are looking to further professionalize their offerings and monetize their expertise by training less-sophisticated actors.

To further entice students, the University of Cybersecurity and Anonymity has even produced its own minute-long video advertisement, which has been played over 3,000 times on mainstream video sharing platforms. This particular programme is priced at 75,000 Rubles ($1,100 USD), payable in Bitcoin, and offers four different global courses, three practicing tutors, 70 unique lectures and over 40 educational days.

These programmes of lectures and workshops educate aspiring script kiddies on currency laundering, cash withdrawal scams, social engineering, botnet creation, and the use of exploits. As such they go well beyond basic card-cloning techniques.

There’s a wide range of cybercrime e-learning services. At the lower end of the scale are guides offered for as little as $1, which typically involve no tutor interaction nor any course material. The University of Cybersecurity and Anonymity, by contrast, claims to offer a fully-comprehensive, immersive, and tutor-led experience.

Online tutorials are also used as a bartering medium between miscreants. For example, one forum user offered free card-cloning tutorials specifically for ripping off eBay and PayPal users to another member in exchange for a favourable review.

Carding forums allow crooks to rate individual vendors – a feature nicked from legit online shops – and positive reviews can bring in more trade. In the example cited by Digital Shadows, the vendor attempted to up-sell stolen credit card information alongside the offer to trade a guide for 5* reviews. “This practice of using online tutorials as a freebie to then advertise a wider array of services is not uncommon,” according to Amado.

By understanding miscreants, defenders can look to increase friction at every stage of the cybercriminal process, we’re told.

“The evolution of online cybercrime and carding courses is a worrying trend for organisations and consumers, with more amateur actors having access to the training needed to embark on a cybercriminal career,” Amado concluded. “Nevertheless, a knowledge of these trends and the techniques being advertised in these courses gives us a valuable insight into the methods being used to target individuals and businesses.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/24/cybercriminal_courses/

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog’s on the case

Facebook’s refusal to hand over the data it holds on users’ web activity is to be probed by the Irish Data Protection Commissioner after a complaint from a UK-based academic.

Under the General Data Protection Regulation, which came into force on 25 May, people can demand that organisations hand over the data they hold on them.

Although a similar right existed in the UK before, crucially, it’s now free to make these subject access requests (SARs) – and so many people decided to test the law.

Unsurprisingly, Facebook was a prime target, but its responses have failed to impress.

The crux of the issue is the data the firm slurps up via its Facebook Pixel, the widely used tracking code on multiple websites and the subject of much debate during the heat of the Cambridge Analytica scandal.

Because, although the Zuckerborg offers people a way to access the data collected on the platform – for instance, ad preferences – these tools don’t provide the information collected off it.

Michael Veale, who works at University College London, submitted a SAR to the social media giant on 25 May asking it to hand over the information it has collected on his browsing behaviour and activities off Facebook.

However, the firm declined to do so, effectively saying it was too difficult to locate the info within its humongous data warehouse.

Veale argued that this is unsatisfactory because – as it could be used to infer religion, medical history or sexuality – it is highly personal and sensitive data, and so made a formal complaint to the Irish Data Protection Commissioner (Facebook’s European HQ is in Ireland).

In his complaint – shared with The Register – Veale said that he wanted to know whether Facebook has web history on him in medical domains and his sexuality.

“Both of these concerns have been triggered and exacerbated by the way in which the Facebook platform targets adverts in highly granular ways, and I wish to understand fair processing,” he said.

Veale added that he had used the public tools Facebook offers, but that they had proved “insufficient”.

The Irish DPC has now opened a statutory inquiry into the matter, telling Veale that it anticipated the case will be referred to the European Union’s brain trust, the European Data Protection Board, as it involves cross-border processing.

“I hope to refute emerging arguments that the data processing operations of big platforms relating to tracking are too big or complex to regulate,” Veale told El Reg.

“By choosing to give user-friendly information (like ad interests) instead of the raw tracking data, it has the effect of disguising some of its creepiest practices. It’s also hard to tell how well ad or tracker blockers work without this kind of data.”

Getting into Facebook’s Hive mind

Facebook slurps information about your device, the websites you visited, apps you used and ads you’ve seen via Facebook business tools and plug-ins, such as the Like button, on partner sites.

This is stored alongside an identifier for that person, whether you have an account or not, and whether you’re logged in or not.

In a “Hard Questions” blog post in the aftermath of Mark Zuckerberg’s awkward testimony in the US, Facebook said this information was used for safety and security, and to improve both its own and its partners’ services.

But – as revealed earlier this year in an emailed response to activist Paul Olivier Dehaye shared with the House of Commons digital committee – the firm said it can’t share this with users.

The Social Network said the information was stored in a Hive data warehouse, which was “primarily for backup purposes and data analytics”, noting that this kind of architecture was necessary due to the sheer volume of data created.

Data stored in Hive is kept separate from the relational databases that power the Facebook site, it said, and is primarily organised by hour, in log format.

However, Facebook said the information in Hive “is not readily accessible” as it isn’t stored on a per user basis – rather it is log data stored in tables split into partitions.

Because it isn’t indexed by user, in order to extract a user’s data from Hive, each partition would need to be searched for all possible dates in order to find any entries relating to a particular user’s ID.

“Facebook simply does not have the infrastructure capacity to store log data in Hive in a form that is indexed by user in the way that it can for production data used for the main Facebook site,” Zuck’s minions said.

‘Staggeringly sensitive’ info should be shared

Privacy campaigners have little time for this argument. As Veale noted in his complaint to the Irish DPC, this is “very clearly personal data”.

Indeed, as anyone who has decided to clear their browsing history will know, a manual scan can elicit a fair amount of detail – so the application of machine learning over millions of users could be used to distinguish more nuanced patterns.

“Web browsing history is staggeringly sensitive,” Veale said, pointing out it can be used to infer information on sexuality, purchasing habits, health information or political leanings.

He added that, even if it wasn’t stored alongside a user ID, research has shown it is possible to re-identify web browsing histories to individual data subjects using only publicly available data.

“Any balancing test, such as legitimate interests, must recognise that this data is among the most intrusive data that can be collected on individuals in the 21st century,” Veale said.

Moreover, Veale argued that this information – which will indicate which organisations hold data on them – forms a crucial piece of the jigsaw for people who want to understand who has access to their data and how it is used.

“This is a critical transparency tool to ensure legality of a complex data chain involving millions of organisations,” Veale said, pointing out that Facebook has 2.2 million active installations of trackers.

‘Don’t blame the data subject for your data warehouse’

Veale also took issue with the claims made in Facebook’s refusal – which also came a month after the deadline imposed on organisations under the GDPR.

For instance, it cited Article 12(5), which relates to requests that are “manifestly unfounded or excessive”, in particular because of their repetitive nature.

But Veale has never made the request before and argued that the sensitivity of the data means it isn’t manifestly unfounded.

Moreover, he pointed out that if the request is excessive, it is only because the amount of data collected and sent to Facebook is too large for one of the biggest companies in the world to retrieve.

“Which seems to be a breach of [GDPR’s requirement for] data minimisation rather than my fault as a data subject requesting this data,” he observed.

In response, the DPC said it had initiated a formal statutory inquiry about the complaint, which will examine whether Facebook has properly met its obligations and whether its response had contravened the GDPR.

The DPC confirmed to The Register that the inquiry had been initiated, but neither it nor the EDPB could comment further on an open inquiry. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/24/irish_data_protection_commish_opens_inquiry_on_facebook_data_transparency/

Breach exposed details of 2 million T-Mobile US customers – report

T-Mobile US has fallen victim to a data breach, the company confirmed in a brief note on its website.

The breach was spotted on 20 August by the firm’s cyber-security team, it said, and was plugged the same day.

“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile US warned.

According to a report by Vice’s tech news offshoot, Motherboard, around two million customers – 3 per cent of T-Mobile US’s subscribers – were affected by the breach.

The US telco said none of the customers’ financial data or social security numbers were lifted and no passwords were compromised.

“However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

T-Mo added that it had reported the breach to “authorities”, without specifying who those authorities were. The breach was caused when “an international group” of hackers accessed a server through an API which was said not to have any “very sensitive data” available through it.

“As a reminder, it’s always a good idea to regularly change account passwords,” it chirpily added.

EE, which absorbed T-Mo’s UK operations, confirmed to El Reg that no Brits were affected. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/24/t_mobile_us_data_breach/

AI-Based POC, DeepLocker, Could Conceal Targeted Attacks


IBM research scientist Marc Stoecklin discusses combining artificial intelligence and basic obfuscation tools to create DeepLocker, a proof-of-concept that wouldn’t release any payload until the attacker reaches its ultimate target. Filmed at the Dark Reading News Desk at Black Hat USA 2018.




Intel rips up microcode security fix license that banned benchmarking

Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors – after the previous wording outlawed public benchmarking of the chips.

The software, released this month, counters the Foreshadow, aka L1 Terminal Fault (L1TF), speculative-execution flaws in its CPUs, a relative of Spectre and Meltdown. However, its terms of use and redistribution were problematic.

Following The Register‘s report on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens called out Intel for trying to gag netizens.

Intel’s gagging order came in the form of this license clause: “You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results.” That made it impossible for free-software bastion Debian to push Intel’s microcode to its users as a security update.

The reason for Intel’s insistence on a vow of silence is that – even with the new microcode in place – hosts running untrusted virtual machines also need hyper-threading turned off to be protected against Foreshadow, because a malicious guest scheduled on one thread of a core can read the L1 data cache it shares with the other thread – and that move comes with a potential performance hit. Red Hat, which evidently didn’t get the memo to shut up about benchmarks, earlier this month noted: “The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range.”

Predictably, Intel’s contractual omertà had the opposite effect and drew attention to the problem. “Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks,” said Lucas Holt, MidnightBSD project lead, via Twitter.


In response to the outcry, Intel subsequently said it would rewrite the licensing terms. And now the fix is in.

Via Twitter, Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, on Thursday said: “We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community.”

The reworked license no longer prohibits benchmarking.

Perens, in a phone interview with The Register, approved of the change.

“This is a relatively innocuous license for proprietary software and it can be distributed in the non-free section of Debian, which is where it used to be, and it should be distributable by other Linux distributions,” he said.

As to how Intel managed to shoot itself in the foot, Perens speculates that whoever wrote the text did not consider where the microcode was going and what the implications could be.

“You can’t expect every lawyer to understand CPUs,” he said. “Sometimes they have to have a deep conversation with their technical people.”

Let the tests begin. ®

Booted-note

OpenBSD supremo Theo de Raadt today reiterated his plea to people to disable Intel’s hyper-threading for security reasons. “DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS,” he carefully suggested in a mailing list post to OpenBSD developers and users.

“Take responsibility for your own machines: Disable SMT in the BIOS menu, and upgrade your BIOS if you can. I’m going to spend my money at a more trustworthy vendor in the future.”
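The check a sysadmin would actually run after reading the two paragraphs above, as an added example that is not part of the article: plain Python that reads the Linux kernel’s L1TF status line and its SMT control file, works out whether the host is still exposed through hyper-threading, and shows the runtime switch for taking sibling threads offline. The sysfs paths and the status-line shapes are the kernel’s own (from its l1tf documentation); the verdict labels, the `assess` logic and the function names are this example’s assumptions.

```python
from typing import Optional

# Linux sysfs locations. The parsing functions take file contents as strings,
# so the logic can be exercised on a machine that lacks these files.
L1TF_SYSFS = "/sys/devices/system/cpu/vulnerabilities/l1tf"
SMT_SYSFS = "/sys/devices/system/cpu/smt/control"


def read_sysfs(path: str) -> Optional[str]:
    """Return the file's contents stripped, or None when it is absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def classify_l1tf(status_line: str) -> str:
    """Map the kernel's l1tf line to a verdict (labels are this example's own).

    Line shapes documented by the kernel include:
      'Not affected'
      'Vulnerable'
      'Mitigation: PTE Inversion'                        (CPU without VMX)
      'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable'
      'Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled'
    """
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Vulnerable"):
        return "unmitigated"
    if not s.startswith("Mitigation:"):
        return "unknown"
    if "SMT vulnerable" in s:
        # PTE inversion protects the host's own memory, but a malicious guest
        # on the sibling hyper-thread can still read the L1D it shares with
        # the victim: this is the case that needs SMT off on VM hosts.
        return "host-ok-guests-at-risk"
    return "protected"


def smt_active(control_value: str) -> Optional[bool]:
    """Interpret the smt/control file: on, off, forceoff, notsupported, notimplemented."""
    v = control_value.strip()
    if v == "on":
        return True
    if v in ("off", "forceoff", "notsupported"):
        return False
    return None


def assess(l1tf_line: Optional[str], smt_value: Optional[str]) -> str:
    """Combine the two readings into one action for the operator."""
    if l1tf_line is None:
        return "kernel does not report l1tf: upgrade the kernel before trusting this host"
    verdict = classify_l1tf(l1tf_line)
    smt = smt_active(smt_value) if smt_value is not None else None
    if verdict == "unmitigated":
        return "unmitigated: apply the kernel update and microcode first"
    if verdict == "host-ok-guests-at-risk" and smt is not False:
        return "disable SMT (or stop running untrusted guests on this host)"
    if verdict == "unknown":
        return f"unrecognised status line: {l1tf_line!r}"
    smt_text = "on" if smt else ("off/unsupported" if smt is False else "unknown")
    return f"{verdict}; smt={smt_text}"


def disable_smt_until_reboot(control_path: str = SMT_SYSFS) -> None:
    """Take sibling threads offline now (needs root). To make it stick, add
    nosmt (or l1tf=full,force) to the kernel command line or, as de Raadt
    suggests, turn hyper-threading off in the BIOS."""
    with open(control_path, "w") as f:
        f.write("off\n")


if __name__ == "__main__":
    l1tf = read_sysfs(L1TF_SYSFS)
    smt = read_sysfs(SMT_SYSFS)
    print("l1tf:", l1tf)
    print("smt :", smt)
    print("->", assess(l1tf, smt))
```

Run it on a hypervisor before and after applying the microcode: the microcode and kernel update move the line from ‘Vulnerable’ to ‘Mitigation: …’, but only switching SMT off (or not co-scheduling untrusted guests) removes the ‘SMT vulnerable’ fragment, which is the performance trade-off the licence clause tried to keep quiet.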

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/23/intel_microcode_license/

Winner, Winner, prison dinner: Five years in the clink for NSA leaker

A former NSA translator who leaked a classified report into attempted Russian hacking of US voting systems has been sentenced to 63 months behind bars.

Reality Winner received the longest sentence ever imposed for the unauthorized release of government information to the media. Her defenders argue she should be hailed as a whistleblower who performed an important public service.

Back in May 2017 and just a few months in her job at America’s National Security Agency, Winner printed out a classified dossier that detailed attempts by Kremlin agents to hack into US voting systems – and smuggled it out of the security agency in her underwear. She then mailed it anonymously to Snowden fan club newsletter The Intercept, which later published the five-page report.

Winner confessed she acted out of anger over what was happening to her country, one of the world’s leading democracies. At the time, speculation was rife about Russian interference in the US presidential elections, and the same morning she printed off the report, President Trump fired FBI director James Comey in a move most consider an effort to shut down investigations into that meddling.

The dossier she leaked revealed that American intelligence agencies knew of Russia’s determined efforts to hack into voting systems – something that, when it was made public, came as news to even the election officials in Florida whose systems had been targeted.

It also pointed to a wider pattern of behavior of interference that is being probed by special investigator Robert Mueller among others.

Defenders of Winner’s actions have pointed to the fact that a significantly greater depth of information about those hacking efforts is now a matter of public record thanks to Mueller’s indictment of 12 Russian agents, released in July this year.

To the max

Regardless, the judge in Winner’s case, James Randal Hall, sitting in a federal district court in southern Georgia, today gave her the maximum sentence allowable. An initial maximum sentence of 10 years was reduced in order to limit courtroom discussion of confidential information.

It is the longest-ever sentence in the US for someone who has leaked confidential documents to the media – and one that many feel is disproportionate given the actual damage caused. The report covered the attempted hacking of voting systems by Russian agents and as such did not put anyone’s life at risk, nor reveal the identity of any agents, nor even disclose any methods foreign intelligence agencies were not already aware of.

In 2013, a former FBI agent was sentenced to 43 months for leaking classified information about a foiled Yemeni bomb plot; in 2015, former CIA agent Jeffrey Sterling was sentenced to 42 months in jail for leaking classified information over plans to disrupt Iran’s nuclear program. In 2013, John Kiriakou, a former CIA agent, was given 30 months for revealing the identity of an undercover agent.

Initially, Winner had pled not guilty, convinced that a jury would decline to find her guilty given the broader context. But because she was prosecuted under the Espionage Act, her motives and any public-interest argument would have been inadmissible as a defence at trial, and she changed her plea to guilty.

In court on Thursday, Winner apologized to the judge, and said she accepted “full responsibility” for her “undeniable mistake.”

Winner was arrested just a few weeks after she mailed the document following an internal NSA investigation that was greatly assisted by a decision by The Intercept to send scans of the leaked document to intelligence officials to seek confirmation it was real. The journalists also indirectly revealed the location of the facility the documents had come from by pointing out it had been posted from Augusta, Georgia, near where she worked.

Fail

Unfortunately for Winner, The Intercept failed to protect its source by not obscuring telltale yellow dots on the printouts nor the document’s identification string.

Those hidden dots revealed that the document had been printed out by a printer with model number 54 and serial number 29535218 on May 9, 2017, at 6.20am. The document ID and title on the page also confirmed the exact file that had been printed. Rather than quote a summary of the dossier to the agency’s press office, without identifying the precise file nor its security markings, the publication sent exact copies of the printout into the hands of Uncle Sam’s spies.
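The scrubbing step the paragraph above says was skipped, as an added example that is not The Intercept’s workflow or anything from the article: plain Python that masks yellow pixels in a scanned page held as a binary PPM, so it needs no imaging library, with a constructed 12x6 “scan” standing in for a real page. The colour thresholds, the sample image and the function names are this example’s assumptions.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]


def is_tracking_yellow(p: Pixel, min_rg: int = 150, max_b: int = 200, min_gap: int = 40) -> bool:
    """Heuristic for a yellow dot: red and green high, blue clearly lower.

    Thresholds are assumptions; real scans need tuning because the dots are
    printed faintly and scanners differ in how they render them.
    """
    r, g, b = p
    return r >= min_rg and g >= min_rg and b <= max_b and (min(r, g) - b) >= min_gap


def scrub_yellow_dots(pixels: List[Pixel], fill: Pixel = (255, 255, 255)) -> Tuple[List[Pixel], int]:
    """Replace every yellow pixel with `fill`; return the new raster and the hit count."""
    out: List[Pixel] = []
    hits = 0
    for p in pixels:
        if is_tracking_yellow(p):
            out.append(fill)
            hits += 1
        else:
            out.append(p)
    return out, hits


def encode_ppm(width: int, height: int, pixels: List[Pixel]) -> bytes:
    """Serialise a raster as binary PPM (P6, 8 bits per channel)."""
    if len(pixels) != width * height:
        raise ValueError("raster size mismatch")
    header = f"P6\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(c for p in pixels for c in p)


def decode_ppm(data: bytes) -> Tuple[int, int, List[Pixel]]:
    """Parse a binary PPM without comments.

    Reads the four header tokens and then exactly one whitespace byte, so
    raster bytes that happen to be whitespace characters (10, 32, ...) are
    not mistaken for separators."""
    pos = 0
    tokens: List[bytes] = []
    while len(tokens) < 4:
        while data[pos:pos + 1].isspace():
            pos += 1
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        tokens.append(data[start:pos])
    pos += 1
    if tokens[0] != b"P6" or int(tokens[3]) != 255:
        raise ValueError("only 8-bit P6 is supported")
    width, height = int(tokens[1]), int(tokens[2])
    raw = data[pos:pos + 3 * width * height]
    if len(raw) != 3 * width * height:
        raise ValueError("truncated raster")
    pixels = [(raw[i], raw[i + 1], raw[i + 2]) for i in range(0, len(raw), 3)]
    return width, height, pixels


def make_sample_page() -> Tuple[int, int, List[Pixel]]:
    """Constructed 12x6 'scan': white paper, a line of dark text, a red
    stamp, and four faint yellow dots laid out like a tracking grid."""
    width, height = 12, 6
    paper: Pixel = (255, 255, 255)
    pixels = [paper] * (width * height)
    for col in range(2, 8):                          # text row
        pixels[1 * width + col] = (10, 10, 10)       # byte 0x0a: stresses the parser
    pixels[4 * width + 1] = (220, 30, 30)            # red stamp, must survive
    for row, col in ((0, 9), (2, 10), (3, 2), (5, 7)):
        pixels[row * width + col] = (255, 250, 150)  # faint yellow dot
    return width, height, pixels


if __name__ == "__main__":
    w, h, page = make_sample_page()
    cleaned, n = scrub_yellow_dots(page)
    print(f"masked {n} yellow pixels")
    with open("scrubbed.ppm", "wb") as f:
        f.write(encode_ppm(w, h, cleaned))
```

Masking yellow is a partial measure: the thresholds have to be tuned per scanner, dots can survive in compression artefacts, and it does nothing about the document ID string and classification markings also mentioned above. Retyping or summarising the document, as the article itself suggests, removes all of that at once.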


It was therefore extremely easy from that point for the NSA to identify who the leaker was from their printer logs – only six people had printed out the report. The spy agency also ran a check on anyone that had communicated with The Intercept and discovered that she had earlier sent an email to the site from her personal Gmail using her work PC asking for a transcript of a podcast. It then ran a check on all of Winner’s activities, turning up comments and chats that supported Edward Snowden and criticized American capitalism.

The Intercept subsequently gave some financial support to Winner’s legal defense. Following her sentencing Thursday for 63 months, the publication issued the following mea culpa: “We deeply regret the role that we played in failing to adequately protect an anonymous source…”

Only joking, of course it didn’t, the Intercept is never wrong. Instead it attempted to downplay its role by noting in a statement: “We did not know the identity of the source who had sent it to us. Shortly after we posted our story, we learned that Winner had been arrested two days earlier.”

So what about failing to cover up the tracking information on the document? “After an internal review, we acknowledged shortcomings in our handling of the document.” But before you imagine for one second that The Intercept failed its source, it quickly notes: “However, it soon became clear that the government had at its disposal, and had aggressively used, multiple methods to quickly hunt down Winner.”

See, there you go. Nothing to see here. Move along, move along. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/23/reality_winner_sentenced/

Nork hackers Lazarus brought back to life by AppleJeus to infect Macs for the first time

The malware-making gang of hackers dubbed Lazarus is said to be behind a crypto-coin-stealing nasty that infects Macs. This would be the first time this group has targeted Apple desktops.

Kaspersky Lab eggheads said today the fun-bucks generator, dubbed AppleJeus, is a port of another piece of malware Lazarus uses to commandeer Windows machines and siphon off alt-coins. The macOS strain was spotted on machines used by a cryptocurrency trading company in Asia.

Hiding itself as a legitimate piece of cryptocurrency trading software called Celas Trade Pro, AppleJeus first gathers information about the hijacked computer, and reports back to a control server. This allows the group to screen infected machines and pick out high-value targets – such as employees at currency exchanges.

If the Lazarus miscreants decide a victim’s Mac is worth further attacking, another tool is pushed to the computer to swipe crypto-coins and other data. A sample of AppleJeus is available if you want to pick it apart – with care, of course.

The researchers noted that Lazarus, a hacking crew believed to have ties to North Korea, appears to have gone to great lengths to conceal the operation, including obtaining a valid Comodo-issued code-signing certificate for the software, and a professional-looking HTTPS website for the fake trading tool.

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” said Vitaly Kamluk, head of Kaspersky Lab’s APAC Global Research and Analysis Team.

“For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies.”

In addition to basic protections like using up-to-date antimalware applications, Kaspersky Lab recommends that users enable multifactor authentication for their cryptocurrency trading accounts and consider keeping a single-purpose, isolated machine for cryptocurrency operations, or using a hardware wallet.

“This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems,” the Kaspersky Lab researchers added.

“Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors.” ®
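One concrete way to act on that last quote, as an added example that is neither Kaspersky’s tooling nor anything from the article: on the macOS side, parse the output of `codesign -dv --verbose=4` and refuse a bundle unless its chain ends at Apple’s root and its Developer ID team identifier matches one pinned out of band. A certificate that validates proves only that some CA issued it to someone; the pinned team is what ties it to the vendor you meant. The team identifier, bundle names and the three sample outputs in the block are constructed placeholders.

```python
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Placeholder: the team ID you expect for the vendor, learned out of band
# (vendor documentation, a previously verified install), never from the
# download itself.
PINNED_TEAMS: Dict[str, str] = {"ABCDE12345": "Expected Vendor Ltd"}


@dataclass
class SigningInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)   # leaf first, root last


def parse_codesign(output: str) -> SigningInfo:
    """Parse the key=value lines `codesign -dv --verbose=4` prints (on stderr)."""
    info = SigningInfo()
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def trust_decision(info: SigningInfo, pinned: Dict[str, str] = PINNED_TEAMS) -> Tuple[bool, str]:
    """Validity of the chain is necessary; the pinned team makes it sufficient."""
    if not info.authorities:
        return False, "unsigned or ad-hoc signed: no certificate chain"
    if info.authorities[-1] != "Apple Root CA":
        return False, f"chain does not terminate at Apple Root CA (got {info.authorities[-1]!r})"
    if not info.authorities[0].startswith("Developer ID Application:"):
        return False, f"leaf is not a Developer ID Application certificate: {info.authorities[0]!r}"
    if info.team_id not in pinned:
        return False, f"valid Apple chain, but team {info.team_id!r} is not the pinned vendor"
    return True, f"signed by pinned team {info.team_id} ({pinned[info.team_id]})"


def check_bundle(path: str) -> Tuple[bool, str]:
    """Run codesign on a real bundle (macOS only; not exercised offline)."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    if proc.returncode != 0 and "code object is not signed at all" in proc.stderr:
        return False, "not signed at all"
    return trust_decision(parse_codesign(proc.stderr + proc.stdout))


# Constructed sample outputs in the shape codesign produces.
SAMPLE_PINNED_VENDOR = """Executable=/Applications/Trade.app/Contents/MacOS/Trade
Identifier=com.example.trade
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8915
Authority=Developer ID Application: Expected Vendor Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 23, 2018 at 10:00:00 AM
Info.plist entries=20
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42
"""

SAMPLE_OTHER_TEAM = SAMPLE_PINNED_VENDOR.replace(
    "Expected Vendor Ltd (ABCDE12345)", "Lookalike Co (ZZZZZ99999)"
).replace("TeamIdentifier=ABCDE12345", "TeamIdentifier=ZZZZZ99999")

SAMPLE_ADHOC = """Executable=/Applications/Trade.app/Contents/MacOS/Trade
Identifier=com.example.trade
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
"""

if __name__ == "__main__":
    for name, sample in (("pinned", SAMPLE_PINNED_VENDOR),
                         ("other team", SAMPLE_OTHER_TEAM),
                         ("ad-hoc", SAMPLE_ADHOC)):
        print(f"{name:10}: {trust_decision(parse_codesign(sample))}")
```

The check catches a lookalike signer and an unsigned build; it cannot catch the case the article describes, where the vendor itself is fictitious and the certificate is genuinely its own, which is exactly why the quote above warns against treating a valid signature as proof of good faith. The Windows analogue is comparing the signer of `Get-AuthenticodeSignature` output against a pinned publisher in the same way.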

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/23/lazarus_apple_macs/

Wickr gets slicker with fresh network tricker: Privacy-protecting domain fronting alternative emerges

Encrypted comms service Wickr has hooked up with Psiphon, a maker of censorship circumvention tools, to provide an alternative to domain fronting as a defense against prying eyes online.

Domain fronting is a technique for hiding the hostname you are really requesting from anyone monitoring your internet traffic. It presents one hostname in the DNS lookup and in the TLS handshake’s Server Name Indication (SNI), and a different one in the HTTP Host header, which is only visible once the connection has been decrypted. It works only when both names are served through the same CDN or cloud front end, because that edge terminates the TLS session, reads the Host header and routes the request on to the hidden site. The goal is to show an innocuous hostname to potential censors while actually talking to a service that’s not apparent to observers.

In recent years, a handful of secure comms apps favored by dissidents and journalists like Psiphon and Signal have employed domain fronting to hide network requests from scrutiny. That way, it appears, say, a phone app is connecting to a harmless server whereas it’s really connecting to a service that is otherwise banned or monitored.

However, earlier this year, both Amazon and Google put an end to the practice. Amazon said the technique can be abused, and Google insisted domain fronting only worked “because of a quirk of our software stack.”

Presumably, cloud providers found it awkward to explain to authorities in countries with strict censorship rules that citizens were using domain fronting on their platforms to evade monitoring.
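The three views of a fronted request described above, as an added illustration that is not part of the article and not Psiphon’s or Wickr’s code: what DNS and the TLS SNI show an on-path observer, what the CDN edge reads from the Host header after terminating TLS, and the edge-side SNI/Host consistency check that, in effect, is how the providers ended the practice. The hostnames (reserved `.test` names), the edge routing model and the function names are assumptions for illustration; `send_fronted_request` performs the real exchange over a socket and is not run offline.

```python
import re
import socket
import ssl
from typing import Dict, Optional

# Constructed placeholder hostnames (reserved .test TLD), not real services.
FRONT_HOST = "popular-cdn-customer.test"   # what DNS and the TLS SNI carry
HIDDEN_HOST = "blocked-messenger.test"     # what the CDN edge actually serves


def build_fronted_request(front_host: str, hidden_host: str, path: str = "/") -> Dict[str, object]:
    """Return the observable parts of a domain-fronted HTTPS request.

    An on-path observer sees the DNS lookup and the ClientHello SNI, both
    naming front_host. The Host header naming hidden_host travels inside the
    encrypted stream and is readable only by the edge that terminates TLS.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden_host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()
    return {"dns_name": front_host, "sni": front_host, "request": request}


def host_header(request: bytes) -> Optional[str]:
    """Pull the Host header out of a raw HTTP/1.1 request (None if absent)."""
    m = re.search(rb"(?:^|\r\n)Host:[ \t]*([^\r\n]+)", request, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def censor_view(req: Dict[str, object]) -> str:
    """Everything a passive censor can log before decryption: DNS name and SNI."""
    return f"dns={req['dns_name']} sni={req['sni']}"


def edge_route(sni: str, request: bytes, allow_fronting: bool) -> Optional[str]:
    """Model the edge's routing decision after TLS termination.

    With allow_fronting the edge routes purely on the Host header, which is
    the behaviour fronting relied on. Without it, a request whose Host does
    not match the SNI is refused and the hidden origin is never reached.
    """
    host = host_header(request)
    if host is None:
        return None
    if not allow_fronting and host.lower() != sni.lower():
        return None
    return host.lower()


def send_fronted_request(front_host: str, hidden_host: str, path: str = "/",
                         port: int = 443, timeout: float = 10.0) -> bytes:
    """Send the request for real: TLS SNI = front_host, HTTP Host = hidden_host.

    Needs network access and is not exercised offline. The default context
    verifies the edge's certificate against front_host, which is the name
    the edge's certificate is actually issued for.
    """
    ctx = ssl.create_default_context()
    req = build_fronted_request(front_host, hidden_host, path)["request"]
    chunks = []
    with socket.create_connection((front_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front_host) as tls:
            tls.sendall(req)
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    req = build_fronted_request(FRONT_HOST, HIDDEN_HOST, "/api/messages")
    print("censor sees      :", censor_view(req))
    print("edge, fronting on:", edge_route(req["sni"], req["request"], allow_fronting=True))
    print("edge, fronting off:", edge_route(req["sni"], req["request"], allow_fronting=False))
```

The censor’s view assumes the SNI is sent in the clear, which it is in TLS 1.2 and in TLS 1.3 without Encrypted ClientHello; the edge check is the provider-side change that makes a mismatched Host useless regardless of what the client does, which is why Psiphon’s replacement below spreads connections over many servers and transports rather than depending on any single front.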

On Thursday, Wickr and Psiphon (which supplies network support for Wickr’s app) rolled out a service called Wickr Open Access (WOA) that shields network traffic from snooping in a way that’s similar to domain fronting.

Feel a connection

Michael Hull, president of Psiphon, in an email to The Register described WOA as a “smart VPN” that chooses between the best connection from a set of multiple servers instead of a single domain front.

“Psiphon has developed many production grade custom Internet transport protocols and implements each in parallel when connecting to Psiphon servers (of which there are approximately 3,500 running at any time),” said Hull. “This multi-protocol approach is much more robust than the single domain fronting protocol that was run through Google and Amazon infrastructure.”

Traditional domain fronting, said Hull, relies on a single cloud provider to do something it wasn’t designed to do, in order to hide traffic. “This practice inevitably faced restrictions as it gained popularity simply because it put providers’ customers at risk of losing service/connectivity as a result,” he added.

Psiphon’s multi-server approach also attempts to avoid TLS fingerprinting by manipulating the TLS handshake in an attempt to confuse deep packet inspection systems, he said, pointing to Wickr’s ease of use as another part of the mix.

Both Wickr‘s and Psiphon‘s protocols are available on GitHub for public review.

When Wickr was started, it was for NGOs, said Wickr COO Chris Lalonde, in a phone interview with The Register. Now it gets attention from organizations interested in secure communications.

Pointing to the ongoing attacks on political campaigns, Lalonde said, “We’ve been so beat up by our adversaries that we have to figure out how to secure things differently.”

Security

Joel Wallenstrom, CEO of Wickr, says such security issues are particularly acute in enterprises.

“When these consumer products soak into the enterprise, there’s a point where people say, now I need to figure out how to control this,” said he, noting that’s happening with Slack, the popular group chat app.

Wallenstrom contends secure comms has become a necessity just to deal with network irregularities.

“I can tell you for certain there’s a major coffee shop that gives away free WiFi but they block UDP, which basically kills Voice over IP connections,” he said. “If you’re dropping into the local coffee shop to get something done, the user experience doesn’t work.”

“The user just wants the data to get where it needs to go,” said Wallenstrom. “And that’s what our job is. …We want to make sure there’s high availability around secure communication.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/23/wickr_slicker_with_fresh_network_tricker/

The GDPR Ripple Effect

Will we ever see a truly global data security and privacy mandate?

The race to comply with the European Union’s General Data Protection Regulation (GDPR) by the May 25 deadline is over, but data security and privacy is a marathon, not a sprint. If the ever-evolving regulatory compliance landscape is any indication, GDPR is just the first of many mandates to come.

Although it certainly has been a headache for many organizations — with large firms allocating an average of $20 million to $25 million to become GDPR compliant — the GDPR is the catalyst for a much-needed global, all-encompassing data security and privacy law. This is something we need sooner rather than later.

Here’s the challenge: Companies around the world have long been relying on a patchwork of laws and standards to secure customer data and keep their trust. Every day, security and compliance professionals deal with an alphabet soup of regulatory acronyms made up of industry, federal, state, and local mandates and standards. For example, a financial services organization that handles cardholder data must comply with the Payment Card Industry Data Security Standard. If that organization operates in the US, it must also abide by the Electronic Funds Transfer Act, which protects consumers when they manage their finances electronically. Should that entity conduct business with an EU citizen, it is also beholden to the GDPR, even though these three regulations each have different requirements, some of which complicate or even outright contradict each other. You can see how compliance can become muddled — quickly.

The GDPR is a breath of fresh air. Its guidelines represent a better way of working toward keeping customer data safe. We have already seen some of its ripple effects, sparking conversations about how companies must handle, share, and secure personally identifiable information (PII), and putting pressure on brands to instill trust in their constituents. To this point, a recent Forrester Research survey shows that 61% of US adults expressed concern about the sharing of their data or online behaviors between companies.

In addition, the GDPR is sparking updated and new legislation. For example, Canada is considering amending the Personal Information Protection and Electronic Documents Act — its federal privacy law for private-sector firms — to include GDPR compliance. And the state of California just passed the California Consumer Privacy Act of 2018. Coming into effect in 2020, it is believed to be the strictest privacy law in the US.

Although these mandates are steps in the right direction, it will still be years before we have a truly global regulation. In the meantime, the compliance landscape will only become more complex, with no single silver-bullet solution. However, there are a few steps you can take today to prepare for the regulations of tomorrow.

1. Define your data. Step back and understand where your customers’ data is stored and map out the path it takes from the second it enters your system. Where does it go? How much do you have? How long are you storing it? Conduct a data discovery exercise that leverages artificial intelligence and machine learning to classify your information. Should a customer approach you to remove his or her data from a system (per GDPR’s “right to be forgotten”), you can do so swiftly.

2. Assume your organization will be breached. It’s no longer a matter of will we be breached, but when. For every customer record you hold, ask why you have it. If this data were stolen, could you provide a sound reason for storing it? For instance, if you are not a medical practice, can you justify holding a customer’s healthcare data? If you’re doubting whether you should hold a record, then don’t!

3. Don’t forget your team. Regularly train employees on basic security procedures, such as choosing strong, unique passwords (current NIST guidance in SP 800-63B no longer recommends forcing periodic password changes; multi-factor authentication and checks against known-breached passwords do more) and looking out for phishing attacks. Clearly define your company’s security policies and hold employees accountable. The crux of the matter is that insider threats (whether a malicious staff member stealing data or an innocent employee clicking on an email attachment containing malware) account for nearly half of all security incidents. To mitigate these risks, limit data access and apply the principle of “least privilege”: if someone doesn’t need access to a record, he or she shouldn’t have the ability to access it.

4. Remove as much PII as possible from your business environment. When viable, remove as much sensitive data as possible from the IT infrastructure. This could mean off-loading it to a compliant third party or simply and securely purging your database. For PII you can’t remove, tokenize it and separate it from all other data so cybercriminals cannot obtain complete records. If you want to keep customer data past its shelf life, solely for statistical and research purposes, strip it of any personal identifiers such as names and addresses. As we like to say, “No one can hack the data you don’t hold.”
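Steps 1, 2 and 4 above come together in a tokenization vault: the operational database keeps only random tokens, the mapping back to the real values lives in a separate store, an erasure request is honoured by deleting that mapping, and a research copy is stripped of identifiers altogether. The following is an added example written for this page, not code from the article or from Semafone; the field names, the record layout and the idea of a keyed blind index for lookups are assumptions of the example.

```python
"""Tokenization vault with erasure support (added example, not the article's code).

The operational store keeps only random tokens; the vault, a separate store,
holds the token -> value mapping plus a keyed blind index for lookups.
Erasing a customer removes their vault entries, so tokens left in old rows
resolve to nothing.  Research copies drop identifiers entirely.
"""
import hashlib
import hmac
import secrets

# Fields treated as PII in this constructed schema (an assumption, not the article's).
PII_FIELDS = {"name", "email", "phone", "card_number"}


class TokenVault:
    """Separate store mapping tokens to real values.

    Keep this in a different database (and trust zone) from the operational
    records so that a dump of either one on its own yields no usable PII.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret for the blind index; never leaves the vault
        self._values = {}             # token -> real value
        self._index = {}              # HMAC(value) -> set of tokens (search without plaintext)
        self._by_customer = {}        # customer_id -> set of tokens

    def _blind_index(self, value: str) -> str:
        # Keyed hash, not a plain SHA-256, so a leaked index cannot be brute-forced
        # from guessable values (e-mail addresses, card numbers) without the key.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, customer_id: str, value: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)   # random: carries no information about the value
        self._values[token] = value
        self._index.setdefault(self._blind_index(value), set()).add(token)
        self._by_customer.setdefault(customer_id, set()).add(token)
        return token

    def detokenize(self, token: str):
        """Return the real value, or None once the mapping has been erased."""
        return self._values.get(token)

    def find_tokens(self, value: str) -> set:
        """Which tokens stand for a given value, e.g. to locate a customer by
        e-mail address without ever scanning plaintext."""
        return set(self._index.get(self._blind_index(value), ()))

    def erase_customer(self, customer_id: str) -> int:
        """Honour an erasure request by dropping the customer's mappings.
        Returns the number of tokens that now resolve to nothing."""
        tokens = self._by_customer.pop(customer_id, set())
        for token in tokens:
            value = self._values.pop(token, None)
            if value is not None:
                self._index[self._blind_index(value)].discard(token)
        return len(tokens)


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Replace every PII field before the record reaches the operational store."""
    customer_id = record["customer_id"]
    return {k: vault.tokenize(customer_id, v) if k in PII_FIELDS else v
            for k, v in record.items()}


def anonymise_for_statistics(record: dict) -> dict:
    """Research copy: drop identifiers outright (not merely tokenize), so what is
    retained past its operational shelf life is no longer about a person."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS and k != "customer_id"}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    raw = {"customer_id": "c-1001", "name": "Ada Example", "email": "ada@example.com",
           "card_number": "4111111111111111", "plan": "pro", "country": "DE"}   # constructed
    stored = tokenize_record(vault, raw)
    print("operational row:", stored)
    print("stats row:", anonymise_for_statistics(raw))
    print("erased", vault.erase_customer("c-1001"), "mappings;",
          "email now resolves to", vault.detokenize(stored["email"]))
```

The point of the split is that a stolen operational table contains nothing but tokens, and a stolen vault contains values with no business context; only someone holding both, plus the index key, reassembles a complete record.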


Tim Critchley has been the CEO of Semafone since 2009 and has led the company from a UK startup to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups, including the BGF and Octopus. …

Article source: https://www.darkreading.com/endpoint/privacy/the-gdpr-ripple-effect/a/d-id/1332630?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lazarus Group Builds its First MacOS Malware

This isn’t the first time Lazarus Group has gone after a cryptocurrency exchange, but it is the first time it has done so with macOS malware, as the hacking team keeps finding new ways to achieve financial gain.

Same goals, new tools: Lazarus Group is targeting cryptocurrency exchanges with macOS malware, a sign the nation-state group is developing attacks for a broader variety of platforms to achieve its goal of financial gain.

This is the first case in which Kaspersky Lab researchers spotted Lazarus Group using malware targeting macOS. It seems the group – believed to be out of North Korea – wants to ensure OS platforms don’t interfere with infecting targets, so it’s building malware for different operating systems. A version of the same malware tailored for Linux is reportedly in the works.

This should serve as a wake-up call for users of non-Windows platforms, researchers note.

Kaspersky Lab discovered the so-called Operation AppleJeus while investigating a cryptocurrency exchange attacked by Lazarus Group. Its target had been hit with a Trojanized cryptocurrency application recommended to the company via email. One employee opened the message and downloaded the third-party app, infecting their machine with an old Lazarus Group tool dubbed Fallchill.

Multiple reports, including one from US-CERT, in the past year have pointed to the reappearance of Fallchill. The malware, a fully functional remote access Trojan, has been leveraged in attacks on the aerospace, finance, and telecommunications industries since 2016. Kaspersky researchers used the appearance of Fallchill in this scenario as a base for attribution to Lazarus Group.

In Operation AppleJeus, the malicious code was pushed in an update to Celas Trade Pro, a cryptocurrency trading app from Celas Limited. The vendor has a valid digital certificate for signing software and legitimate-looking registration records for its domain. However, researchers couldn’t find a legitimate business located at the address noted on the certificate. That is the caveat with code signing: a valid signature proves only that the holder of the certificate’s private key signed the binary, not that the holder is anyone you should trust.

“When you start looking at bits and pieces behind the application, even that starts looking more and more illegitimate,” says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

When the macOS version of the app is installed, a hidden “autoupdater” module is installed alongside it in the background; it starts immediately after installation and again after each system reboot. In most applications, updater components are used to download new program versions.

In the case of AppleJeus, the updater is used to collect information about the target machine and transmit the data back to the command-and-control server. If attackers decide it’s worth infecting, they send a software update to install Fallchill. The Trojan provides attackers with “almost unlimited access” to the victim machine, giving them leeway to steal valuable financial data or deploy additional tools to snatch information.
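On macOS, “runs immediately after installation and after every reboot” is almost always a launchd item with RunAtLoad set, so a defender’s first check is to list the LaunchDaemons and LaunchAgents and look at what each one executes and from where. The script below is an added example for this page, not Kaspersky’s tooling or anything from the article; the sample plists, labels and paths are constructed, and the rule that a root daemon executing from inside an app bundle (or any user-writable directory) deserves a second look is the example’s own heuristic.

```python
"""Triage of launchd persistence entries (added example, not from the article).

macOS runs LaunchDaemons as root at boot and LaunchAgents at login; a
RunAtLoad item is launchd's standard way to get code running right after
installation and after each reboot.  This script flags items whose program
lives somewhere the item's own installer (or any admin user) can rewrite,
such as inside an app bundle under /Applications, since that is the shape
of an "updater" that can later be pointed at a backdoor.
"""
import glob
import plistlib
from dataclasses import dataclass, field

# Locations a root daemon should not be executing from.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Constructed sample plists, not the real AppleJeus files.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.backupd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>ProgramArguments</key><array>
    <string>/Library/PrivilegedHelperTools/com.example.backupd</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.example.tradingapp.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.tradingapp</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/TradingApp.app/Contents/MacOS/Updater</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}


@dataclass
class Finding:
    path: str
    label: str
    program: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_plist(path: str, data: bytes) -> Finding:
    """Parse one launchd plist and record why it deserves a second look."""
    pl = plistlib.loads(data)
    label = pl.get("Label", "<no label>")
    program = pl.get("Program") or (pl.get("ProgramArguments") or [""])[0]
    finding = Finding(path, label, program)

    runs_as_root = path.startswith("/Library/LaunchDaemons/")
    auto_start = bool(pl.get("RunAtLoad")) or bool(pl.get("KeepAlive"))

    if runs_as_root and program.startswith("/Applications/") and "/Contents/" in program:
        finding.reasons.append("root daemon executes from inside an app bundle")
    if program.startswith(USER_WRITABLE_PREFIXES):
        finding.reasons.append("program lives in a user-writable location")
    if not program:
        finding.reasons.append("no Program/ProgramArguments; check why the item exists")
    if finding.reasons and auto_start:
        finding.reasons.append("auto-starts (RunAtLoad/KeepAlive) so it survives reboot")
    return finding


def scan(plists: dict) -> list:
    """Run triage over a {path: plist bytes} mapping; returns one Finding per item."""
    return [triage_plist(path, data) for path, data in plists.items()]


def load_system_plists() -> dict:
    """Collect real items from the usual directories (run on a Mac to audit it)."""
    out = {}
    for pattern in ("/Library/LaunchDaemons/*.plist", "/Library/LaunchAgents/*.plist",
                    "/Users/*/Library/LaunchAgents/*.plist"):
        for path in glob.glob(pattern):
            with open(path, "rb") as fh:
                out[path] = fh.read()
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_PLISTS):
        status = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{status:10} {f.label}: {f.program}  {'; '.join(f.reasons)}")
```

To audit a real machine, replace `SAMPLE_PLISTS` with `load_system_plists()`; the location heuristic is deliberately narrow, so treat a hit as a prompt to check the binary’s signature and what it talks to, not as a verdict.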

Mac Attack

Lazarus Group developed software to target both the Windows and macOS platforms, and the malware works exactly the same on both operating systems. The extension to macOS is a recent and very narrow trend, Baumgartner notes.

“For the most part we see APT, we see mass exploitations, we see a lot of malware targeting Windows users,” he explains. “This is the first time we’ve seen Lazarus in particular targeting macOS and users.”

Why the move to Mac? Baumgartner isn’t sure, but he speculates there is a possibility that cryptocurrency traders, and people on the cryptocurrency exchanges, are more interested – “and disproportionately interested” – in using macOS.

“There’s no answer as to why, but that is new for them and it is unusual,” he points out. Other threat groups, particularly Russian- and Chinese-speaking groups, have previously targeted macOS. It’s a new move for Lazarus Group, but this isn’t a one-time attack. “They’re broadening the platforms they support,” he adds. “They’re going to continue going after macOS.”

Because the Fallchill backdoor and C2 infrastructure have only been associated with the Trojanized cryptocurrency trading app, researchers believe the sole motive is financial gain.

Spotting Slip-ups: Where Lazarus Makes Mistakes

Baumgartner points out how Lazarus Group has a habit of dropping breadcrumbs, which simplify the process of attributing campaigns to the organization. One of the most interesting findings here comes from the hardcoded HTTP headers the updater uses when it talks to the C2 server.

The Accept-Language HTTP header string revealed a language code associated with North Korea, which researchers say is unusual for malware. It seems the attackers forgot to change something in their developer environment, says Baumgartner.

“They make little mistakes every now and then that give us those insights into what is really behind this activity,” he continues. In a previous incident, a malware operator was using multiple IPs connecting between France and Korea, but one short connection was made from an unusual IP range originating in North Korea.

“They do drop breadcrumbs, and these are pretty good breadcrumbs.”
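The header slip described above (Kaspersky’s write-up identified the hardcoded value as ko-kp, the Korean language tag with the North Korea region) is the kind of breadcrumb a proxy log can be screened for: a language tag is language plus region, and a region nobody in the organisation uses, sent in an update-style POST to a bare IP address, is worth an alert. The script below is an added example written for this page, not Kaspersky’s tooling or code from the article; the log format, hostnames, client addresses and the expected-region list are all constructed assumptions, and the Accept-Language parser follows the header’s ordinary comma-separated, q-weighted syntax.

```python
"""Flagging odd Accept-Language headers in outbound HTTP (added example).

A language tag encodes language-region, e.g. en-US.  Clients normally send
whatever the OS locale is, so a region nobody in the organisation uses,
sent to a host nobody has vetted, is worth an alert.  The log format here
is constructed; adapt LINE_RE to your proxy's own.
"""
import re
from dataclasses import dataclass, field

# Regions that should never appear in this (constructed) organisation's traffic.
WATCHLIST_REGIONS = {"KP"}
# Regions the organisation's users legitimately have; anything else is "unexpected".
EXPECTED_REGIONS = {"US", "GB", "DE"}

# Constructed proxy log: time client host "request line" accept_language="..."
SAMPLE_LOG = """\
2018-08-23T10:01:02Z 10.0.0.12 updates.vendor.test "POST /update HTTP/1.1" accept_language="en-US,en;q=0.9"
2018-08-23T10:01:09Z 10.0.0.12 cdn.example.test "GET /img/logo.png HTTP/1.1" accept_language="de-DE,de;q=0.8,en;q=0.5"
2018-08-23T10:02:41Z 10.0.0.31 203.0.113.77 "POST /update HTTP/1.1" accept_language="ko-kp"
2018-08-23T10:03:00Z 10.0.0.31 cdn.example.test "GET /index.html HTTP/1.1" accept_language=""
2018-08-23T10:04:15Z 10.0.0.40 api.example.test "GET /v1/ping HTTP/1.1" accept_language="*"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<request>[^"]*)" '
                     r'accept_language="(?P<lang>[^"]*)"$')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_accept_language(value: str) -> list:
    """Return [(tag, q)] in the order sent; a missing or malformed q defaults to 1.0."""
    out = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for p in params.split(";"):
            name, _, val = p.strip().partition("=")
            if name.lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 1.0
        out.append((tag.strip(), q))
    return out


def regions_of(tags: list) -> set:
    """Region subtag (second element, two letters) of each tag, upper-cased."""
    regions = set()
    for tag, _ in tags:
        parts = tag.split("-")
        if len(parts) >= 2 and len(parts[1]) == 2 and parts[1].isalpha():
            regions.add(parts[1].upper())
    return regions


@dataclass
class Alert:
    ts: str
    client: str
    host: str
    reasons: list = field(default_factory=list)


def inspect_line(line: str):
    """Return an Alert for a suspicious request, None for a clean or unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    regions = regions_of(parse_accept_language(m["lang"]))
    reasons = []
    for r in sorted(regions & WATCHLIST_REGIONS):
        reasons.append(f"Accept-Language region {r} is on the watchlist")
    for r in sorted(regions - WATCHLIST_REGIONS - EXPECTED_REGIONS):
        reasons.append(f"Accept-Language region {r} is unexpected for this organisation")
    # Weaker corroborating signal: an update-style POST straight to an IP literal.
    if reasons and IPV4_RE.match(m["host"]) and m["request"].startswith("POST "):
        reasons.append("POST to a bare IP address rather than a hostname")
    return Alert(m["ts"], m["client"], m["host"], reasons) if reasons else None


def scan_log(text: str) -> list:
    return [a for a in (inspect_line(ln) for ln in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert.ts, alert.client, "->", alert.host, "|", "; ".join(alert.reasons))
```

An empty header or a bare `*` produces no region and so no alert; the region check is the primary signal and the bare-IP POST only corroborates it, because plenty of legitimate software also updates over plain IP.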


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/lazarus-group-builds-its-first-macos-malware/d/d-id/1332653?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple