Recently, I shared with you how alarmingly simple it was to not only “hack” my own email account but then to use that compromised account to hack my other online accounts. Given how SIM-swap attacks on cryptocurrency exchanges escalated in 2019, I wanted to better understand these modern-day bank heists as we go into the new year. My hunch was that SIM swappers were using hijacked phone numbers like a set of keys to open locked doors into a world of online crypto accounts. Would I (or a hacker) have the same success hacking my crypto exchange accounts using just my phone number?
The first step in hacking my cryptocurrency accounts was gaining access to my personal email account with just a phone number. As I did in my first “hacking” experiment, I chose the “forgot password” option on my Yahoo account and was able to reset the password using only my publicly available username (my email address) and an SMS code sent to my mobile phone.
The fact that I only needed to type in the SMS code sent to my mobile phone indicates that single-factor authentication was in place here, not two-factor authentication (2FA). 2FA requires two of the three factor types: (1) something you know, (2) something you have, and (3) something you are (biometrics). In the case of the SMS code, I simply had to type in "something I had" without a second factor proving my identity. This means a hacker who SIM-swapped my phone number would be able to reset my email account within a matter of minutes, even though I added my number to these accounts for added security. (You can read more about how SIM swapping works in my earlier experiment.)
After resetting my email password with an SMS code sent to my phone number (which could have been swapped to a hacker), the next step involved using that email access to identify and reset passwords on my cryptocurrency accounts. For a cybercriminal, the end goal is transferring bitcoin or other crypto assets to the attacker’s crypto wallet.
I navigated to my first cryptocurrency account (let’s call it Account #1), entered my publicly available email address as my username, and chose the “forgot password” option. Account #1 sent an email message to my now “hacked” Yahoo account. I was able to click the password reset link, enter an SMS code from my (SIM-swapped) mobile phone, and change the password on Account #1.
I tried the same technique with my second crypto exchange account (Account #2). This account did offer the option for application-based 2FA (such as Google Authenticator), but I had disabled that in favor of traditional password authentication. Given these settings, when I clicked “forgot password,” I received a simple password reset link to my (hacked) Yahoo account that allowed me to set a new password and gain full access to Account #2.
At this point, I had gained access to an email account and two cryptocurrency accounts in about 10 minutes or less. These steps demonstrate how an attacker receiving text messages to a compromised mobile number could take over email accounts and easily gain access to crypto funds. Had I been an attacker, I could have quickly transferred crypto assets from my exchange accounts to a series of other crypto wallets and laundering sites that would funnel the money through various untraceable paths. This would leave the victim with little recourse to recoup the stolen assets.
Some cryptocurrency platforms have built-in mechanisms to prevent a SIM swapper from facilitating such a quick compromise of accounts. For example, one exchange where I opened an account (Account #3) allows single-factor authentication but imposes a 24-hour hold before a password reset takes effect. This effectively times out SIM swappers, who have only a short window in which to empty accounts before the stolen number is recovered by its rightful owner.
This table highlights the variability in SMS authentication security options offered by crypto exchanges:
As I learned firsthand, several exchanges still allow password resets via a link sent to an email account, which can easily be hacked by a SIM swapper in control of a phone number. Most exchanges offer stronger application-based 2FA for resetting passwords, but many still allow users to default to weaker single-factor authentication. For example, my Account #2 prompted for application-based 2FA during registration, but users can skip that step and log in before enabling it.
Similarly, while Account #1 offers more secure forms of 2FA such as application-based options, it also allows users to opt for the SMS-based authentication settings that created the vulnerability in this experiment. Traditional bank accounts generally require more to reset a password, such as a Social Security number or security questions; those are knowledge factors with weaknesses of their own, but they are not handed to an attacker by a number port. Until cryptocurrency accounts implement comparable password reset requirements, SIM swappers will continue to target these exchange accounts using the techniques outlined above.
It’s clear that the true vulnerability at the heart of SIM-swap attacks on crypto accounts lies in the variable implementation of 2FA by crypto exchanges and email providers. Until all crypto exchanges require application-based 2FA for account recovery, not just for login, these weaknesses will continue to allow SIM-swapping attacks against crypto accounts.
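The policy difference the experiment turns on (an SMS code or an email link is a single possession factor that a number port transfers to the attacker; an enrolled authenticator app is not transferred; a hold period closes the swapper's window) can be written down as a recovery decision. The following is an added example, not code from any exchange or email provider discussed above. The 24-hour hold, the notification targets, the proof shapes and the `Account` fields are assumptions chosen to mirror the Account #3 behaviour.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=24)   # assumed policy value, modelled on the Account #3 lockout


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Account:                                   # assumed account model
    email: str
    phone: str | None = None
    totp_secret: bytes | None = None             # set when app-based 2FA is enrolled
    hold_until: datetime | None = None           # a held reset matures at this time


@dataclass
class Decision:
    status: str                                  # "completed", "held" or "denied"
    reason: str
    notify: list[str] = field(default_factory=list)


def request_reset(acct: Account, proof: dict, now: datetime) -> Decision:
    """Decide a 'forgot password' request.

    proof is {"kind": "totp", "code": "..."}, {"kind": "sms"} or {"kind": "email_link"};
    the sms and email_link kinds are assumed already verified by the transport.
    """
    if acct.totp_secret is not None:
        # Authenticator enrolled: only the app code resets the password. A hijacked
        # phone number or mailbox is not an acceptable substitute.
        if proof.get("kind") != "totp":
            return Decision("denied", "authenticator enrolled; SMS/email cannot reset")
        expected = totp(acct.totp_secret, int(now.timestamp()))
        if not hmac.compare_digest(expected, str(proof.get("code", ""))):
            return Decision("denied", "bad authenticator code")
        acct.hold_until = None
        return Decision("completed", "authenticator verified")

    if proof.get("kind") in ("sms", "email_link"):
        # One possession factor, and both kinds fall to a SIM swap: hold the reset
        # and tell the current contact points so the real owner can cancel in time.
        acct.hold_until = now + HOLD_PERIOD
        targets = [t for t in (acct.email, acct.phone) if t]
        return Decision("held", f"reset matures at {acct.hold_until.isoformat()}", targets)

    return Decision("denied", "no acceptable proof presented")


def complete_reset(acct: Account, now: datetime) -> Decision:
    """Second step for a held reset: succeeds only once the hold period has elapsed."""
    if acct.hold_until is None:
        return Decision("denied", "no reset pending")
    if now < acct.hold_until:
        return Decision("held", f"{acct.hold_until - now} remaining")
    acct.hold_until = None
    return Decision("completed", "hold period elapsed without cancellation")


def cancel_reset(acct: Account) -> Decision:
    """The notified owner rejects the pending reset, closing the swapper's window."""
    acct.hold_until = None
    return Decision("denied", "reset cancelled by account owner")


if __name__ == "__main__":
    from datetime import timezone
    t0 = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    victim = Account("alice@example.com", "+15550100")          # constructed
    print(request_reset(victim, {"kind": "sms"}, t0))            # held, owner notified
    print(complete_reset(victim, t0 + timedelta(hours=1)))       # still held
    print(cancel_reset(victim))                                  # owner saw the notice
```

The point of the model is that the SMS path never becomes "completed" in one call: the attacker's reset is parked where the legitimate owner can see and cancel it, which is the Account #3 behaviour, while an enrolled authenticator short-circuits the SMS and email paths entirely.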
Nicole Sette is a Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps. Nicole is a Certified Information Systems Security Professional (CISSP) with 15 years of experience conducting cyber intelligence investigations and technical analysis. Nicole served …
Haruki Murakami had running on his mind when he wrote, “Pain is inevitable. Suffering is optional.” For many in cybersecurity, the inevitability of painful security issues is followed by the suffering of finding the right language to fully describe the consequences. The question is whether there are accurate ways to talk about security pain without restricting the language to “dollars lost” and “records exposed.”
When cybersecurity experts are asked whether dollars and records are enough to paint a full picture of the pain a breach or cyberattack inflicts, most say “no.” Coming up with a consistent set of alternatives, though, is challenging.
“This is a difficult question because misery comes in many forms during a breach,” says Bob Maley, chief security officer at NormShield. In addition, he asks, “How do you quantify misery?”
Some of the most common ways executives use to try to quantify their misery can be misleading, says Joseph Carson, chief security architect at Thycotic. “Every time there’s a new data breach, we tend to focus on the wrong context. Sometimes the number of records is irrelevant,” he maintains, explaining, “Not all data breaches are equal.”
Hidden wounds
An example of a cybersecurity incident that’s severe but difficult to measure with these two standard metrics is a credential breach at an online dating service.
Ameya Talwalkar, co-founder and chief product officer at Cequence, points out that these credentials could then be used to launch romance scams against the site’s customers. The customers, who might be somewhat emotionally fragile to begin with, find someone, strike up a “relationship” and then have their trust broken when the new contact asks for money, receives it, then disappears.
“There’s a significant unmeasured and un-talked about emotional toll there,” says Talwalkar, followed by the victim’s reluctance to continue using the site. It is impossible to measure the aggregate total of what might have been if not for a significant credential breach, he says, but it’s still critically important to take such effects into account.
No records lost doesn’t mean no cost
The case against using number of compromised records as one of the sole metrics for a cybersecurity event is strengthened when the event doesn’t involve any records.
Mary Galligan, managing director of cyber risk services for Deloitte Touche, says that attacks against operational systems cause pain, too. “A disruption to service or loss of service mean that there would be other metrics that would matter,” she says.
Galligan continues, “You would have to take into account the cost of whether there is going to be an increase in my insurance premiums. Is there going to be a loss of customer relationships? Is there going to be lost contract revenue? Is my company’s name going to be of less value in the marketplace?”
Another example: Talwalkar described a small banking organization whose web-facing login portal was hit by a bot swarm bent on credential stuffing. The problem wasn’t that the attacks were succeeding; it was that there were so many of them.
The bank, Talwalkar says, had sized its application delivery infrastructure to comfortably handle a million session logins per day, a rate that seemed prudent given the company’s customer base. The bots, though, began hitting the server with more than 40 million login attempts per day.
The result, he says, is that, “Your application becomes unavailable, which means your real customers are not able to do business by the application.” And if the executives panic and order an infrastructure sized to handle the 40 million daily attempts, it means they’ve sized the system some 40 times larger than should be required — and paid a large price for doing so.
Helpful frameworks
Being able to answer these difficult-to-quantify questions is especially important for companies that live within rigorous regulatory domains, Galligan says.
“If you’re in financial services, it’s the Fed or the FDIC saying, hey, we need to have standard definitions of the cyber risk.” Other regulated industries, such as healthcare, have similar concerns with different regulators.
Galligan says that her meetings show her that the executive boards of companies both large and small are desperate to find ways to talk about cybersecurity pain, with or without metrics. She points to an existing cybersecurity framework that can help with the conversation.
“The majority of the companies and institutions are talking about it in the context of the NIST framework,” Galligan says. Federal agencies have been required to use the NIST Cybersecurity Framework since a 2017 executive order; for private entities it is voluntary. Rather than prescribing specific controls, it organizes security outcomes under five Functions (Identify, Protect, Detect, Respond, Recover) with Categories, Subcategories and Implementation Tiers, which gives planning, post-mortems and discussions with partners a shared vocabulary.
Maley refers to the work of the FAIR cyber risk framework as one that can help organizations figure out the proper metrics and the most powerful ways to discuss them. The FAIR (Factor Analysis of Information Risk) framework has been adopted by thousands of organizations from Fortune 500 down to small companies that may not even have a dedicated cybersecurity team.
Regardless of the size or nature of the business, Galligan says that every board and IT team has something in common: “You’re going to have to make these business decisions with incomplete or at times inaccurate information,” she says. The sheer speed of cybersecurity incidents makes them unlike any other consistent threat businesses have faced.
The result, she says, is, “…something that can’t be quantified, and I don’t know if it’ll ever be able to be quantified — the stress and the pressure and the long tail of the cyber breach that these executives go through.”
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …
Landry’s, the restaurant chain and operator of 60 properties including Bubba Gump Shrimp Co. and McCormick & Schmick’s, has disclosed a security incident affecting customers’ payment cards.
In 2016, Landry’s installed a payment-processing system that uses end-to-end encryption technology at all its restaurants, the company said in a New Year’s Eve press release. It recently discovered unauthorized access to the network that supports the payment-processing systems in its restaurant and food-and-beverage outlets. The malware used in the attack was designed to search for payment card data from cards used in person on systems at the affected locations.
On the point-of-sale terminals protected with encryption technology, the malware was unable to read payment card data, Landry’s says. However, in some cases, waitstaff accidentally swiped payment cards on order-entry systems, which are used to enter food and beverage orders and to swipe Landry’s Select Club rewards cards. Those readers are not covered by the encryption, so card data swiped on them could be captured by the malware loaded on the system.
“The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems,” Landry’s officials explained in a statement. “Landry’s Select Club rewards cards were not involved.”
The malware looked for “track data,” the contents of the magnetic stripe, which sometimes include the cardholder name as well as the card number, expiration date, and internal verification code. Cards accidentally swiped between March 13, 2019, and October 17, 2019, could be affected, though Landry’s notes that access may have occurred as early as January 18 at some locations.
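Why an unencrypted swipe on the order-entry terminal is enough: the reader hands the application the raw track data, and a RAM scraper only has to search process memory for the stripe's framing characters. The detector below is an added example, not Landry's code or the malware's. It scans a constructed memory buffer for ISO/IEC 7813 Track 1 and Track 2 data, keeps only Luhn-valid PANs (the same filter scrapers use to discard noise), and masks what it reports so the finding is not itself a leak. The "P2PE" blob in the sample stands in for an encrypting reader's output and its format is invented for illustration; the PAN is the well-known 4111 1111 1111 1111 test number.

```python
import re

# Magnetic-stripe track formats. Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
# Track 2: ;<PAN>=<YYMM><service code>...?  A scraper searches for exactly these
# sentinels, which is why a cleartext swipe is all it takes to lose the card.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN and last four so the detector's output is not a new leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Scan a memory or packet buffer for cleartext track data with Luhn-valid PANs."""
    text = buf.decode("latin-1")            # 1:1 byte-to-char mapping, never fails
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan), "name": m.group(2),
                         "expiry": f"{m.group(4)}/{m.group(3)}", "offset": m.start()})
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan),
                         "expiry": f"{m.group(3)}/{m.group(2)}", "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample of what an order-entry process's memory might hold: one swipe
# on an unencrypted reader (both tracks, test PAN), one swipe on an encrypting
# reader (opaque ciphertext, nothing to scrape), a digit run that looks like a PAN
# but fails Luhn, and a loyalty card number, which is not payment data.
SAMPLE_MEMORY = (
    b"ORDER 4417 TABLE 12 ... "
    b"%B4111111111111111^DOE/JANE^24121011000000000?"
    b";4111111111111111=24121011000000000?"
    b" ... P2PE:ksn=FFFF9876543210E00001,data=A3F1C0DE9B8E22A5C47D1E... "
    b";4111111111111112=2412101?"
    b" LOYALTY:LSC-0000123456 "
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real memory dump or capture, the same regexes are what you would put in a YARA rule or an IDS signature; the encrypting reader's output never matches because the sentinel, PAN and expiry are no longer present in cleartext.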
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
Article source: https://www.darkreading.com/landrys-restaurant-chain-discloses-payment-security-incident/d/d-id/1336708?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
The Dark Web is a bustling market and economic engine. Just ask the cybercriminals who are making excellent money selling wares and finding work there.
“Into the Web of Profit,” a study released earlier this year by Dr. Michael McGuire at the University of Surrey, also backs that up. The study examines what is being sold on the Dark Web. Categories of goods include credit card information, login credentials to financial accounts, stolen subscription credentials, and usernames and passwords of all kinds.
Also available: services and jobs, according to Alex Guirakhoo, strategy and research analyst at Digital Shadows.
“In February 2019, the threat group TheDarkOverlord was seen advertising monthly payments of over $60,000 to tempt recruits willing to join their extortion schemes,” Guirakhoo says.
So how much does cybercrime pay? A separate study, also conducted by McGuire, dives into the details of how much cybercriminals earn. McGuire interviewed 50 convicted or active cybercriminals and spoke with dozens of experts from law enforcement, financial institutions, and IT security companies. Total cybercrime revenues are around $1.5 trillion a year, he found. And the cybercriminals earning the most are making as much as $2 million a year.
Yes, you read that right. The highest earners take home more than $167,000 a month. Mid-level earners hover around $75,000 a month. And as Guirakhoo notes, certain skills net a better income.
“Technical skills are always in high demand,” he says. “Job offers for developers of malware, like ransomware, remote access Trojans, or banking Trojans are common sights on criminal forums. Much like real-world jobs, wages can be even higher based on technical and language skills, and cybercriminal recruiters have also offered bonuses to those with a proven tenure.”
The Most Profitable Markets And Services
McGuire’s “Web of Profit” report details not only how much money cybercrime can net, but which markets are the most lucrative. Here’s how profits break down by criminal venture:
While ransomware is at the bottom of the list, Digital Shadows’ research shows it’s one to keep a watch on, Guirakhoo says.
“Due to its popularity, ransomware is definitely one of the more lucrative cybercriminal gigs out there,” he explains. “These attacks have become much more targeted. Attackers are going after the organizations they know are most vulnerable and most likely to meet ransom demands.”
Guirakhoo also points to ransomware-as-a-service, or RaaS, as a way experienced cybercriminals are monetizing their skills, “without doing a lot of the dirty work themselves,” he says. “GandCrab is a great example of this. The developers of the wildly popular RaaS closed up shop this past May, citing profits of $2 billion, although the accuracy of their claims is debatable.”
Falling Out of Favor
What’s not so hot anymore? Exploit kits, toolkits that package browser and plugin exploits so that an attacker can compromise visiting systems and deliver malware or perform other malicious activity without writing exploits themselves.
“Black hat exploit kit development is something that we haven’t seen too much of recently,” Guirakhoo says. “This aligns with the downward trend of the use of exploit kits in general. People will flock to what is most popular and profitable.”
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
Article source: https://www.darkreading.com/edge/theedge/cybercrimes-most-lucrative-careers/b/d-id/1336700?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Cybercriminals innovate when necessary, but like any successful enterprise, they also harvest low-hanging fruit wherever they can find it. Targeting older, vulnerable systems that have not been properly secured is not just an effective attack strategy; it is the primary cause of the vast majority of security breaches. That is why, as Fortinet researchers recently found, cybercriminals target vulnerabilities 10 or more years old more often than newly disclosed ones. In fact, they target vulnerabilities from every year between 2007 and now at roughly the same rate as those disclosed in 2018 and 2019.
Cybercriminals are maximizing their opportunity by targeting older vulnerabilities, as well as exploiting the expanding attack surface – especially with the convergence of operational technology (OT) environments with IT. OT can be thought of as hardware and software that monitor and control industrial equipment and processes – think valves, pumps, and thermostats, for example.
And with OT-IT convergence already underway, it’s critical that companies ensure they are taking the necessary precautions in their own organization.
Recycling threats
Judging by conversations with security professionals from global enterprises and the intelligence community, as well as 20 years of threat research, it’s clear that some fundamentals still need attention. The vast majority of breaches are not caused by sophisticated attacks or advanced tactics, techniques, and procedures. While many of these pose a significant, and perhaps even existential threat, most cybercriminals are content with a business-as-usual approach.
In our most recent report, FortiGuard Labs detected a rise in attempts to inject and execute code/commands on target systems. That’s nothing new, but it does seem to be reaching new heights. This trend may indicate threat actors are expanding their tactics for exploiting systems. Simply put, attackers want more bang for their buck. Attacking vulnerable services was in vogue years ago, before companies started shoring up their publicly exposed services. As a result, phishing attacks became their main delivery vehicle for implanting malicious code onto target systems.
But it’s possible that attackers could be going back to (or reincorporating) some of their old-school tactics, especially as organizations over-rotate on training users and updating their secure email gateways to detect and reject phishing attacks. Attackers love to focus their efforts where/when defenders aren’t watching. Could this recent trend indicate that organizations have let their guard down on their exposed services as a result?
Operations under attack
There is no question that traditional OT systems are among the most vulnerable assets inside any organization. In fact, Gartner analysts have found that an alarming percentage of OT networks and assets – and their security implications – have lain undiscovered and unmanaged for many years.
OT vulnerabilities and related exploits can also affect verticals outside of heavy industry, including healthcare environments that rely on patient monitoring devices and MRI machines, or transportation systems that utilize internal OT systems to manage and control things like air traffic.
There are other security challenges, including: IT outages that impact customer-facing systems; the inability to properly identify, measure and track risk; and the interruption of business operations due to a catastrophic event. Worse, these challenges are being compounded by a lack of security expertise inside organizations – not only within their own in-house staff, but also with the third-party vendors with whom they outsource their security and other critical services.
This is not just due to the growing cybersecurity skills gap facing the entire computing industry, but also the fact that even available security professionals often have little experience with OT environments.
This opens a huge security gap. Of the organizations with connected OT infrastructures, 90% have experienced a security breach within their SCADA/ICS architectures – with more than half of those breaches occurring in just the last 12 months. Security concerns include viruses (77%), internal (73%) or external (70%) hackers, the leakage of sensitive or confidential information (72%), and the lack of device authentication (67%).
And as discussed earlier, quite a few of these attacks target older technology, especially unpatched applications and operating systems. OT security operations have traditionally relied on Purdue model segmentation and air-gapped isolation from the IT network for protection. As a result, visibility derived from protocol analysis and deep packet inspection is not yet widely deployed. This means that not only are older attacks highly successful in OT environments, but many of them recur, because without that visibility there is no way to correlate attack techniques with the vulnerable systems they hit.
Bad actors also infiltrate devices through the many different OT protocols in place. While IT systems have largely been standardized through TCP/IP, OT systems use a wide array of protocols—many of which are specific to functions, industries, and even geographies. This can create quite a challenge, as security managers have to create disparate defensive systems to secure their environment. And as with legacy IT-based malware attacks, these structural problems are exacerbated by a lack of security hygiene practices within many OT environments that are now being exposed due to digital transformation efforts.
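What the missing protocol-level visibility looks like in practice, as an added example rather than Fortinet's or any vendor's code: a Modbus/TCP request parser that validates the MBAP header and raises an alert when a write function code arrives from a host outside an assumed engineering-station allowlist, when the function code is unknown, or when the frame is malformed. Modbus is used because it is the most widespread of the OT protocols mentioned and has no authentication of its own, so source-based policy is the only control available on the wire. The sample frames and the 10.0.1.0/24 addresses are constructed.

```python
import struct
from dataclasses import dataclass

# Assumed allowlist: only the engineering station may write to PLCs; HMIs only read.
ENGINEERING_HOSTS = {"10.0.1.5"}

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_request(src: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code plus data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:             # length counts unit id + PDU
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes")
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])


def assess(src: str, frame: bytes) -> dict:
    """Classify one request as 'ok' or 'alert' with a human-readable reason."""
    try:
        req = parse_request(src, frame)
    except ValueError as err:
        return {"src": src, "verdict": "alert", "why": f"malformed frame: {err}"}

    if req.function in WRITE_FUNCTIONS:
        addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        desc = f"{WRITE_FUNCTIONS[req.function]} to unit {req.unit_id} at address {addr}"
        if src not in ENGINEERING_HOSTS:
            return {"src": src, "verdict": "alert", "why": f"{desc} from non-engineering host"}
        return {"src": src, "verdict": "ok", "why": desc}
    if req.function in READ_FUNCTIONS:
        return {"src": src, "verdict": "ok",
                "why": f"{READ_FUNCTIONS[req.function]} to unit {req.unit_id}"}
    return {"src": src, "verdict": "alert", "why": f"unexpected function code {req.function}"}


# Constructed traffic: (source address, raw TCP payload sent to port 502).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers from unit 1: normal.
    ("10.0.1.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # HMI writes register 0x0010 = 8000: a write from a host that should only read.
    ("10.0.1.20", bytes.fromhex("0002 0000 0006 01 06 0010 1F40")),
    # Engineering station forces coil 2 on: permitted.
    ("10.0.1.5",  bytes.fromhex("0003 0000 0006 01 05 0002 FF00")),
    # Protocol id 1 in the MBAP header: not Modbus, or a mangled frame.
    ("10.0.1.20", bytes.fromhex("0004 0001 0006 01 03 0000 0001")),
    # Unknown host writes two registers starting at 0: the "who is that?" case.
    ("10.0.1.99", bytes.fromhex("0005 0000 000B 01 10 0000 0002 04 0001 0002")),
]


def assess_all(traffic=SAMPLE_TRAFFIC) -> list[dict]:
    return [assess(src, frame) for src, frame in traffic]


if __name__ == "__main__":
    for r in assess_all():
        print(f"{r['verdict']:5} {r['src']:10} {r['why']}")
```

The same structure applies to the other OT protocols the paragraph mentions: parse the header strictly, decode the operation, and compare the operation and its source against what the process engineers say should happen. Each protocol needs its own parser, which is exactly the "disparate defensive systems" burden described above.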
Securing the IT-OT Environment
For many organizations, competing effectively in today’s digital economy requires converging IT and OT environments. But unless great care is taken, the result will be a broadened attack surface that is widely available to adversaries. The best way to mount a defense is by adopting and implementing a comprehensive strategic approach that simplifies the solution, and engages both IT and OT experts throughout an entire organization:
By creating a converged framework that includes built-in cybersecurity, OT system owners will be able to confidently move forward in a digitally transformed business while sustaining safe and continuous operations.
Related Content:
Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy …
Microsoft this week announced it had gained a court order to take control of 50 domains used by a threat group believed to operate out of North Korea.
The US District Court order effectively allowed Microsoft to shut down the domains, which had been used by the so-called Thallium hacking group to target government employees, think tanks, universities, and organizations associated with human rights work and nuclear proliferation — most of them in the US, but also some in Japan and South Korea.
Thallium employs spearphishing attacks, some of which purport to come from Microsoft, in order to fool victims into giving up their email account credentials. According to Microsoft, Thallium typically sets up a mail-forwarding rule in the compromised email account that lets the attackers keep receiving the victim’s email even after the victim changes his or her password.
The group is also known for planting the BabyShark and KimJongRAT backdoors on victims’ machines.
The legal action by Microsoft follows previous such takedowns by the company of a Chinese nation-state group called Barium, a Russian nation-state group called Strontium, and an Iran-based group called Phosphorus.
“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Tom Burt, corporate vice president of customer security and trust at Microsoft, wrote in blog post today announcing the legal action.
The UK Cabinet Office just published its latest list of civilian honours that recognise members of the public who are considered to have made a major contribution in fields such as arts, science, medicine, sport or government.
Unfortunately, according to the Guardian newspaper, when the New Year 2020 list was first published, late on the evening of Friday 27 December 2019, it included the home address, work address and full postcode of many of the recipients, rather than just the general area where they are based.
The awards include the prestigious Companion of Honour; Knighthoods and Damehoods (awards similar to the US Presidential Medal of Freedom); and a range of other recognitions such as CBE, OBE and MBE – letters that you have probably seen written after the names of famous British people.
Being public awards, the Honours Lists are, of course, a matter of public record, and the full names of the recipients can be downloaded from the UK Government website.
The list usually gives a general idea where each recipient lives, limited to a region (e.g. East Sussex), a city (e.g. Edinburgh) or a postcode district in London (e.g. SW4).
But the Guardian says it was contacted by a reader who downloaded the list shortly after it first appeared, saw full addresses instead of general locations, and realised something was wrong.
The inadvertent leak has caused some consternation in official circles because the award winners include people involved in policing, defence, the judiciary and counter-terrorism.
The good news is that the offending document was replaced online very quickly – apparently within one to two hours – though we don’t yet know how many people downloaded it in its original format.
The Cabinet Office has reported itself to the UK’s data protection regulator, the Information Commissioner’s Office (ICO).
The ICO, says the Guardian, has noted that: “In response to reports of a data breach involving the Cabinet Office and the new year honours list, the ICO will be making inquiries.”
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/El1zwtrv6lk/
Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.
The Naked Security podcast is taking a break over the festive season, so why not check out the whole series, or catch up on some of our recent episodes you may have missed:
S2 Ep21: Plundervolt, domain name gunfight and Facebook snubs Congress
S2 Ep20: Why don’t they send ransomware on floppies anymore?
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2cDF3box2Go/