STE WILLIAMS

Beware the three-finger-salute, or ‘How I Got The Keys To The Kingdom’

Friday is upon us, and with it another On Call story from those poor souls who have to answer the phone when everything goes wrong. Not all heroes wear capes and, as we’ll see, remember to ward their Linux servers from an enthusiastic boss.

“Hans” is the contributor of today’s tale, and his story takes place some 15 years ago, the era of the Friends finale, Shrek 2 and, of course, Shaun of the Dead.

In what will be a familiar story for many readers, Hans was the one-man-band IT department for a rapidly growing business. “When I started,” he told us, “it was like 400 employees. Five years later it was 1,200.”

Naturally, IT resourcing didn’t keep pace with the business’s growth.

Hans was on the road, heading to a new office location to set up some IT gear, when The Call came in: “I got a call from the company owner that something was wrong.”

As it transpired, something was very, very wrong. There was: “No internet access, all subsidiaries are offline, no email and all ‘production’ stopped.”

Whipping out his notebook and plugging in his trusty PC card modem (remember those?) Hans connected to the internet and logged into the company’s modem.

“Back then,” he recalled, “small companies like us did not have any corporate network from a big telco but managed everything on their own. This means that it had to be cheap.”

“Cheap” meant a DIY router made from a home-built server running Linux. The server had been set up as a jack-of-all-trades, acting as “Firewall, Router, VPN Gateway, Groupware Server, Timeserver and some other things.”

What could possibly go wrong with such a set-up?

Hans connected, checked the logs and found the problem was “an unplanned restart about an hour ago.”

He discovered that none of the services were running on the Linux server because whatever fool had set the thing up had configured the running state to be different to what was the default following a restart. “Changing the run state was therefore a quick fix to get everything to work again,” he recalled happily.

The cause of the failure was a mystery. Hans checked in with The Boss and discovered that a user in a remote location had complained that he was unable to log in to the terminal server. Since Hans was out, The Boss (in a most unboss-like fit of business ownery helpfulness) decided to check out the machine in question. It all looked fine, but right after he checked the “Internet and Email had a problem as well…”

In fact, everything had had a problem straight after that innocent check.

Like a sleuth in a paperback of the finest pulp fiction, Hans pondered the problem and, after asking a few more pointed questions, came up with the sequence of events that led to the world dropping out of the bottom of the data centre.

The Boss had trotted to the server room, opened the rack, turned on the CRT (a CRT!) and hit Ctrl-Alt-Delete to bring up the Windows Server login dialog. Only after that did he hit the button to bring up the Terminal Server on the KVM switch.

What the boss didn’t fully comprehend was that the switch was pointing at the Linux box, and that particular key combination could do terrible things to a console. Unbeknownst to The Boss, he’d “triggered the reboot of the machine sending it to a maintenance mode.”

“All could have been prevented,” sighed Hans, without “a boss who had enough access to be dangerous” and a user with a locked account.

“The very next day… The Boss handed over his key to the server room, understanding that most things he can do in there could cause more problems than solving any.”

Quite.

The story, however, does not end there, as Hans confessed to us that he “had kept quiet that I might have forgotten to change the default behaviour of a Linux console to NOT reboot when confronted with a Windows User, and having a production system start into maintenance mode by default…”

Oh, Hans.
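The two settings Hans confesses to, the console's Ctrl-Alt-Del handler and the runlevel the box boots into, were both lines in /etc/inittab on the sysvinit systems of that era. The following Python script is an added example written for this page, not code from the story or from any tool Hans used: it audits a constructed inittab for those two settings and writes a hardened copy. The sample file, the choice of runlevel 3 as the multi-user level the services run in, and the use of /usr/bin/logger as the replacement Ctrl-Alt-Del handler are assumptions.

```python
"""Audit a sysvinit /etc/inittab for the two settings in the On Call story:
the Ctrl-Alt-Del handler and the default runlevel (initdefault).
Added example; the sample inittab below is constructed, not Hans's real file."""
from typing import Dict, List, Tuple

# Constructed sample in the classic sysvinit layout: id:runlevels:action:process
SAMPLE_INITTAB = """\
# /etc/inittab (constructed example)
id:1:initdefault:
si::sysinit:/etc/init.d/rcS
l1:1:wait:/etc/init.d/rc 1
l3:3:wait:/etc/init.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/getty 38400 tty1
"""

MAINTENANCE_RUNLEVELS = {"1", "S", "s"}   # single-user / maintenance mode


def parse_inittab(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (id, runlevels, action, process) tuples; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)          # the process field may itself contain ':'
        if len(parts) == 4:
            entries.append(tuple(parts))
    return entries


def audit_inittab(text: str) -> Dict[str, object]:
    """Report the default runlevel, the Ctrl-Alt-Del handler and a list of findings."""
    default_rl = None
    cad_process = None
    for _id, runlevels, action, process in parse_inittab(text):
        if action == "initdefault":
            default_rl = runlevels
        elif action == "ctrlaltdel":
            cad_process = process
    findings = []
    if default_rl in MAINTENANCE_RUNLEVELS:
        findings.append("initdefault is runlevel %s: the box boots into maintenance mode" % default_rl)
    if cad_process and "shutdown" in cad_process:
        findings.append("Ctrl-Alt-Del on the console runs: %s" % cad_process)
    return {"initdefault": default_rl, "ctrlaltdel": cad_process, "findings": findings}


def harden_inittab(text: str, runlevel: str = "3") -> str:
    """Return a copy with initdefault set to `runlevel` and Ctrl-Alt-Del only logged.
    Assumption: runlevel 3 is the multi-user level the services run in, and
    /usr/bin/logger exists on the host."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(":", 3)
        if len(parts) == 4 and parts[2] == "initdefault":
            out.append("%s:%s:initdefault:" % (parts[0], runlevel))
        elif len(parts) == 4 and parts[2] == "ctrlaltdel":
            # Record the key press for the admin instead of rebooting the router.
            out.append("%s::ctrlaltdel:/usr/bin/logger -p auth.warning "
                       "'Ctrl-Alt-Del pressed on console; ignored'" % parts[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit_inittab(SAMPLE_INITTAB)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print(harden_inittab(SAMPLE_INITTAB))
```

On a systemd host the same check is whether ctrl-alt-del.target is masked (`systemctl mask ctrl-alt-del.target`); a KVM switch pointed at the wrong box is still the same risk either way.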

Ever had to defrock The Boss after a call-out revealed power gone to the head? Or had someone blunder into a cock-up of your own making? Send an email to On Call to share the pain. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/27/on_call/

Apple iCloud “data dump” extortionist avoids prison

A London man who tried to extort $100,000 from Apple by threatening to dump data from millions of iCloud accounts and then shut them down will be spending the holiday season at home, despite being sentenced in court last week.

Kerem Albayrak, 22, from North London, ended up pleading guilty to three offences – one charge of blackmail, and two charges of unauthorised access.

The UK’s National Crime Agency (NCA), which investigated the crime, reported last week that Albayrak was given a two year suspended jail term, 300 hours of unpaid work and a six month electronic curfew for threatening to delete 319 million iCloud accounts.

Albayrak had a month of fame back in March 2017, apparently using the Twitter handle “Turkish Crime Family”, where he claimed to have recovered passwords for an ever-increasing number of iCloud accounts that were his blackmail bargaining chip with Apple:

[2017-03-21] 200 Million iCloud accounts will be factory reset on April 7 

[2017-03-22] The number of Apple credentials have increased from 519m to 
             627m, we are convinced it will keep growing until 7 April 2017

[2017-03-22] Update: We are still strengthening our infrastructure and 
             acquiring more servers for 7 April 2017

[2017-03-22] If Apple does not figure out a way to stop us they'll be 
             facing serious server issues and customer complaints

According to the NCA, Albayrak first contacted Apple on 12 March 2017, presumably revealing that he had login details for at least some iCloud accounts, and demanded a “fee” for deleting his database instead of putting it up for sale online.

The hush money he wanted was $75,000 in cryptocurrency or $100,000 in the form of 1000 iTunes cards of $100 each.

A week later, says the NCA, Albayrak raised the $75,000 “fee” to $100,000 after posting a video on YouTube showing himself logging into and using two different iCloud accounts.

He also apparently told Apple he’d upped the ante: not only did he want more money, he was also planning to do a bulk “factory reset” of hundreds of millions of accounts.

(We’re guessing that the evidence in this video is why Albayrak faced two Computer Misuse charges of unauthorised access, given that he demonstrated himself not only possessing other people’s passwords but also actually using those passwords by logging in to further his crime.)

Apple contacted US and UK law enforcement following the blackmail demands, and the NCA took up the investigation from there, arresting Albayrak shortly afterwards.

NCA investigators say that Albayrak told them at the time:

[O]nce you get sucked into [cybercrime], it just escalates and it makes it interesting when it’s illegal. […] When you have power on the internet it’s like fame and everyone respects you, and everyone is chasing that right now.

What to do?

The NCA says that “the data Albayrak claimed to have was actually from previously compromised third-party services which were mostly inactive.”

In other words, it sounds very much as though Albayrak got a bunch of passwords from existing breaches, and tried those passwords on iCloud accounts in the same name.

That’s known in the trade as credential stuffing, and it’s a stark reminder why you should never use the same password on more than one account, no matter how inconsequential those accounts might seem.

So, our tips here boil down to the basics:

  • Pick proper passwords. Use a password manager to help you choose a different, randomly generated password for every account instead of using your cat’s name followed by fb for Facebook, tw for Twitter, ic for iCloud and so on. If there’s a pattern to your passwords, you can assume that the crooks will figure it out.
  • Use two-factor authentication (2FA). Those six-digit login codes that get texted to your phone, or generated by a special app, are different every time. That means your password is no longer enough on its own for a crook to log in to your account and mess around with it.
  • Don’t leave old accounts abandoned. If you stop using a service, shut down your account completely so that there’s no chance of a crook coming along later and apparently acting in your name. A password manager helps here – unlike you, it won’t forget how to log in to accounts it hasn’t used for ages.
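Credential stuffing also shows up on the service side: one source failing against many different account names in a short window, which looks quite different from one user mistyping their own password a few times. The following Python script is an added example written for this page, not code from Naked Security or from Apple: it runs that check over a constructed authentication log (the line format, the addresses and the thresholds are all assumptions) and, for any flagged source, lists the accounts it did manage to log into, which are the ones to reset and notify. A malformed line is skipped rather than crashing the detector.

```python
"""Flag credential-stuffing activity in an authentication log.
Added example; the log format and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed line format: <ISO timestamp> src=<ip> user=<account> result=OK|FAIL
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG = """\
2017-03-20T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2017-03-20T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2017-03-20T10:00:03Z src=203.0.113.7 user=carol@example.com result=OK
2017-03-20T10:00:04Z src=203.0.113.7 user=dave@example.com result=FAIL
2017-03-20T10:00:05Z src=203.0.113.7 user=erin@example.com result=FAIL
2017-03-20T10:00:06Z src=203.0.113.7 user=frank@example.com result=FAIL
2017-03-20T10:01:00Z src=198.51.100.9 user=dave@example.com result=FAIL
2017-03-20T10:01:20Z src=198.51.100.9 user=dave@example.com result=FAIL
2017-03-20T10:01:40Z src=198.51.100.9 user=dave@example.com result=OK
2017-03-20T10:02:00Z src=192.0.2.33 user=grace@example.com result=FAIL
2017-03-20T10:02:30Z src=192.0.2.33 user=heidi@example.com result=FAIL
this line is malformed and must be skipped rather than crash the detector
"""


def parse_auth_log(text: str) -> Dict[str, List[tuple]]:
    """Group (timestamp, user, result) events by source address; skip unparseable lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events[m.group("src")].append((ts, m.group("user"), m.group("result")))
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return sources that failed against >= min_distinct_users distinct accounts within
    any `window`, together with the accounts they nevertheless logged into.
    The thresholds are assumptions; tune them to the service's normal traffic."""
    alerts = {}
    for src, evs in parse_auth_log(text).items():
        evs.sort()
        peak = 0
        # Sliding window: for each event as a start, count distinct failed users
        # until the window elapses. A single user retrying their own password
        # contributes 1, so ordinary typos never trip the threshold.
        for i, (start, _, _) in enumerate(evs):
            failed_users = set()
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    failed_users.add(user)
            peak = max(peak, len(failed_users))
        if peak >= min_distinct_users:
            accessed = sorted({u for _, u, r in evs if r == "OK"})
            alerts[src] = {"distinct_failed_users": peak, "accounts_accessed": accessed}
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The useful output is not the flagged address, which the attacker can change, but the `accounts_accessed` list: those are the reused passwords that worked, and the users who most need the tips above.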

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wV7IpBooz0s/

The Year of Magecart: How the E-Commerce Raiders Reigned in 2019

Breaching British Airways, Ticketmaster, and Macy’s, Magecart attack groups sharply rose in sophistication and pervasiveness this year — and show no signs of slowing down.


In mid-October, an online criminal group used embedded code to skim personal and financial information from visitors who purchased goods while shopping on Macy’s e-commerce site.  

While the retail giant notified customers on Nov. 15, the company has yet to release details of the attack. For example, how many customers were impacted by the breach remains unknown.

Researchers, however, believe the intruders belong to a loose grouping of cybercriminal gangs known as Magecart groups, named for their habit of skimming financial details from shopping carts and, often, the Magento e-commerce platform. 

This particular group had upped its game: The attackers had tightly integrated their information-gathering code into two parts of the website and had knowledge of how Macy’s e-commerce site functioned, security firm RiskIQ said in a Dec. 19 analysis.

“The nature of this attack, including the makeup of the skimmer and the skills of the operatives, was truly unique,” said Yonathan Klijnsma, head researcher with RiskIQ, in his analysis. “I’ve never seen a skimmer so meticulously constructed and able to play to the functionality of the target website.”

The Macy’s breach is the latest success for the broad class of Magecart attackers. In 2018, Magecart groups breached Ticketmaster, Newegg, and British Airways, with seven different groups targeting e-commerce sites and skimming customer information, according to threat intelligence firm RiskIQ. In 2019, attackers hit Macy’s, SixthJune, and the American Cancer Society, and the number of Magecart groups researchers were tracking ratcheted up to 16. 

The groups are not unified and run the gamut from state-sponsored intelligence operations to low-level criminals using downloaded tools, according to RiskIQ. Some groups use automated tools to hit as many vulnerable sites as possible. One group — labeled Group 4 — uses obfuscation and targeting to try to blend into the victim’s website’s files. Another — Group 5 — tries to compromise third-party suppliers.

Yet the combined activity of all these groups has caused major breaches this year and hundreds of millions in fines, as many companies found themselves penalised under the European Union’s newly minted General Data Protection Regulation (GDPR). One victim, hotel chain Marriott, will likely have to hand over £99 million (US$124 million), while air carrier British Airways could see a £183 million (US$229 million) fine under GDPR.

“Overall, poorly secured sites combined with a few serious vulnerabilities resulted in a very successful year for Magecart threat actors,” says Matthew Gluck, a senior analyst with Flashpoint.

The situation is only set to get worse.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/theedge/the-year-of-magecart-how-the-e-commerce-raiders-reigned-in-2019/b/d-id/1336678?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware Situation Goes From Bad to Worse

New malware distribution techniques and functionality updates are sure to put more pressure on enterprise organizations in 2020.

The surge in ransomware attacks on cities, municipalities, schools, and healthcare organizations this year is just a foretaste of what is likely to come in 2020.

Threat actors have sensed a very real opportunity to make big returns attacking enterprise organizations using ransomware and are refining their tools and techniques to increase their chances for success, say worried security experts.

Some recent developments include growing collaboration between threat groups on ransomware campaigns; the use of more sophisticated evasion mechanisms; elaborate multi-phase attacks involving reconnaissance and network scoping; and human-guided automated attack techniques.

IT and security groups that are already under pressure to respond will be challenged even more by the growing sophistication of the ransomware threat, experts note. While municipal governments, schools, and other perceived “soft” targets will continue to bear the brunt of the attacks, no organization will really be safe.

“We would assume that the larger and more important an organization is, the more attractive a target it poses for extortionists,” says Fedor Sinitsyn, senior malware analyst at Kaspersky. But “any company or organization should be aware of [the] threat and plan accordingly,” he notes.

With the current reliance on digital infrastructure, any network disruption equals loss of money. Taking into account the disastrous effects of ransomware, the recovery period for some organizations could end up being long and painful, Sinitsyn says.

Going From Bad to Worse

2019 turned out to be a far more active year for ransomware than many might have anticipated given the declining overall volume in attacks last year.

Emsisoft recently estimated that ransomware attacks have cost US government agencies, educational establishments, and healthcare providers alone more than $7.5 billion this year. According to the security vendor, up to December 2019, at least 759 healthcare providers, 103 state and municipal governments and agencies, and 86 universities, colleges, and school districts have been hit in ransomware attacks.

In addition to financial losses the attacks have resulted in emergency patients being redirected to other hospitals, medical records being lost, property transactions being halted, surveillance systems going offline, and other very real-world consequences, Emsisoft said.

Several developments suggest that the situation in 2020 is likely going to be at least as bad, if not actually worse.

One troubling trend is the growth in instances of threat groups collaborating with each other to enable easier delivery of malware. Security firm SentinelOne recently reported on how the operators of the TrickBot banking Trojan have begun selling access to networks it has previously compromised to other threat groups including those seeking to distribute ransomware.

Such collaboration is allowing threat groups to distribute ransomware more easily without having to do any initial breaching of a network on their own.

Carl Wearn, head of e-crime at Mimecast, describes the advent of collaboration across criminal groups with differing specialties as one of the most significant ransomware developments in 2019. “Malware threat actors are increasingly trading their work,” he says. “This leads to hackers selling access to already compromised networks.”

The highly targeted use of ransomware via precursor infections to ascertain a suitable ransom payment is another big issue, Wearn says.

In many attacks, threat actors have first infected a target network with malware like Emotet and Trickbot to try and gather as much information about systems on the network as possible. The goal is to find the high-value systems and encrypt the data on them so victims are more likely to pay.

“If we look at the big picture, we will discover that what is changing is the threat actors’ approach to distributing the Trojans and selecting their victims,” Sinitsyn says. If five years ago almost all ransomware was mass-scale and the main distribution vector was via spam, nowadays many criminals are using targeted attacks instead.

“Threat actors carry out a reconnaissance in order to find a large corporation or a governmental entity or a municipal network and try to breach their defenses,” Sinitsyn says. Since the criminals know with whom they are dealing, they tend to set the ransom amount significantly high.

Another trend to note is the increase in incidents where criminals not only encrypt the victim’s data, but also exfiltrate some of it during the infection, Sinitsyn says. It gives the threat actors additional leverage for extorting money. “In case the victim is reluctant to pay up — [because] for example, they have consistent backups offsite — the criminals will threaten to release some of the stolen data to the public,” he adds. One example of ransomware being used in this way is Maze, a tool that some believe was used in a recent attack on Pensacola, where threat actors are demanding a $1 million ransom.

Growing Malware Sophistication

A majority of ransomware families deployed in the wild are of the cookie-cutter variety. Even ransomware that uses obfuscation to get around some kind of detection usually ends up being detectable when it starts to actually encrypt files. However, some threat actors are using very sophisticated tools, says Andrew Brandt, principal researcher at Sophos. As one example, he points to ransomware that uses “kill lists” to try and terminate anti-malware tools.

Another example is ransomware that sets itself up as a service running in Windows’ built-in Safe Mode, then reboots the system into Safe Mode before beginning to encrypt the hard drive, he says. “Booting into Safe Mode effectively terminates nearly all endpoint protection tools,” Brandt says. Sophos recently spotted the Safe Boot feature added to Snatch, a ransomware sample used in targeted attacks that the security vendor has been tracking for a year.

“Among the most notable advancements is an increase in ransomware attackers employing automated active attack techniques,” Brandt says. These are attacks where threat-actors use automated malware to quickly profile an infected environment and laterally spread within a targeted network or trigger simultaneous infections across multiple machines within the same environment, Brandt says.

Many of the most troublesome recent ransomware campaigns — including those involving Ryuk, Lockergoga, Robbinhood, and Sodinokibi — have involved the use of active attack techniques, according to Sophos.

Kaspersky researchers in December also reported identifying a new type of ransomware targeting Network Attached Storage (NAS) devices that organizations use to back up data. The vendor described the malware as posing new risks for organizations because NAS devices are generally perceived as secure technology.

Going Mobile

If all this wasn’t enough, some believe that mobile devices could start getting targeted as well.

Joel Windels, chief marketing officer at NetMotion Software, points to data from the 2019 Verizon Data Breach Investigations Report showing users as more susceptible to phishing attacks on mobile devices, and another report about Chinese hackers breaching 10 global cellular providers. “All of the pieces are in place for an increase in mobile ransomware in 2020,” Windels says.

“We expect to see the first concerted ransomware attacks target mobile applications running on Android,” he says.

The same combination of factors – unsupported, outdated, and unpatched systems – that led to the surge in ransomware attacks on local governments and others will drive attacks on mobile devices. “As OS fragmentation becomes a bigger issue for Android devices, in particular, many devices are being left unsupported with older software and less frequent security patches,” Windels notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/ransomware-situation-goes-from-bad-to-worse/d/d-id/1336664?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Honoring’ CCPA’s Binding Principles Nationally Won’t Be Easy

Even companies with the reach, capital, and innovative capacity of Microsoft or Google will struggle to adhere to the tenets of California’s new consumer privacy law.

In November, Microsoft published a blog post announcing the company’s intention to “honor” the binding principles of the California Consumer Privacy Act, known as CCPA, across the US. When CCPA goes into effect in the state of California on January 1, 2020, Microsoft has committed to extending its compliance to the regulation across all US states.

CCPA is regarded by data privacy advocates as one of the most sweeping data privacy regulations in the US to date. CCPA is somewhat similar to the General Data Protection Regulation (GDPR), the data privacy law in the European Union, in that companies are required to disclose to their users what personal data of theirs is being collected, whether it is sold, and to whom. It also allows users to opt out of any sale of their data. Users must also have access to their data and be able to request that a company delete it — better known as the “right to be forgotten.”

PR Stunt or Cybersecurity Leadership?
As a professor, cybersecurity researcher, and entrepreneur, I am glad to see a company the size of Microsoft acknowledge that consumer data privacy should be a greater priority in the tech industry. We have seen time and time again how companies abuse their access to customer data and fail to provide proper protection around it. (Facebook is a prime example.) It’s worth noting that other large tech firms such as Apple are also speaking out and providing leadership regarding data privacy. Even Google is hearing the message with a number of initiatives to protect the privacy of its users.

While I applaud Microsoft, Google, and other companies for leading the way with ambitious data privacy policies, I also have a healthy dose of skepticism about the motivations for doing so, and also about their ability to actually execute on this. When I first read the news, my immediate reaction was: This sounds like a PR stunt to me — great in theory but doing the work will take much longer than a few weeks, which is now how long we have before CCPA goes into effect. Even a company with the reach, capital, and innovative capacity of Microsoft or Google is going to struggle to adhere to the tenets of CCPA nationally.

We have already seen this struggle with compliance to GDPR in Europe. To date, nearly half a billion euros in fines have been levied against companies that have violated GDPR. Some of these violations were flagrant abuse, such as the Dutch hospital fined because of lax controls over access to patient records. In that case, 197 hospital employees accessed a Dutch celebrity’s medical records.

But in other cases, the fined company violated GDPR through lax policies of third parties or by the behaviors of their own customers. In an early Dark Reading column, I explored the ramifications of the British Airways data breach involving an orchestrated phishing campaign that compromised the personal data of almost 500,000 customers of the airline. In that instance, customers were targeted with phishing emails and were directed to spoof websites that looked enough like British Airways’ real site to fool them into giving up their account credentials.

Liability for Data You Control and Behavior You Can’t
In Microsoft’s blog, the company states:

In addition to guaranteeing the rights of individuals to control their personal information, we believe privacy laws should be further strengthened by placing more robust accountability requirements on companies. This includes making companies minimize the data they collect about people, specify the purposes for which they are collecting and using people’s data, and making them more responsible for analyzing and improving data systems to ensure that they use personal data appropriately.

By its own standards, Microsoft must take a hard look at its approach to detecting and responding to phishing campaigns if the company intends to adhere to CCPA nationwide. Microsoft websites are consistently among the most targeted by spoof websites as part of orchestrated phishing attacks. In fact, only PayPal is more frequently targeted by spoofing attacks. Additionally, phishing attacks against Microsoft Office 365 users are on the rise, and the methods used by attackers are becoming increasingly sophisticated.

In response to the proliferation of phishing attacks, Microsoft has said that users who enable multifactor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. But as the recent YouTube phishing attack illustrates, MFA is not the savior we all hoped it would be. There are multiple tools available on the Dark Web that help hackers easily bypass MFA, without the victim ever knowing.

The Limits of MFA and SSL
Neither can one rely on SSL as a way to verify which sites are safe to visit. The latest report from the Anti-Phishing Working Group (APWG) reveals that two-thirds of all phishing sites reported in the third quarter of 2019 were employing SSL protection. The report notes that this was the highest percentage of spoof sites using SSL since tracking began in early 2015, and “is a clear indicator that users can’t rely on SSL alone to understand whether a site is safe or not.”

The APWG report also reveals that SaaS and web email sites remained the biggest targets of phishing. Microsoft is one of the largest providers of these services in the world. If the company is serious about adhering to the mandates of CCPA across the country, then a stronger approach to phishing detection and response will be vital. The CCPA at its core intends to regulate companies to provide protection of their customer’s data. This is easily pierced by phishers who trick users to provide access to their data at the originating website.

Companies preparing to comply with CCPA in the state of California alone, never mind deciding to expand compliance nationally, must now be able to detect phishing attacks quickly. To date, too much emphasis has been placed on the email component of the phishing attack. But filtering out suspected phishing emails doesn’t go far enough. Spoof websites must be identified quickly, then taken down before they’re successful at stealing customer data. Failure to do so will not only lead to fines but also damaged brand reputation and diminished customer trust.


Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has …

Article source: https://www.darkreading.com/operations/honoring-ccpas-binding-principles-nationally-wont-be-easy-/a/d-id/1336653?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Happy Holidays – and big thanks to everyone who’s working today!

Lots of us have the day off today, but there are plenty of people who don’t, including a veritable army of IT techies, helpdesk staff, sysadmins…

…and if you’ve ever been on IT duty over the Christmas period, you’ll know what a tricky time it can be.

If all goes well, and some years it does, you end up having a quiet and peaceful time of it, and you say to yourself, “That wasn’t so bad. I might just put myself forward for next year, too.”

But you can only relax with hindsight, meaning that you can’t really relax at all while you’re on duty.

If something goes wrong, you have to spot it, investigate, make a plan, and fix it – sometimes all on your own.

If you fix it, you’re merely doing your job, so you won’t get any special thanks just because it’s Christmas – remember, most people are off work so they probably won’t even notice.

But if you don’t manage to fix it, well, that’s a different story!

Most people are off work, don’t forget, so they’re relying on you more than ever, and they probably will notice, and once they’ve noticed, they’ll feel very strongly about the matter, and they’ll be sure to tell you.

So, if you’re on duty right now, we know you’re supposed to keep focused.

You’re not supposed to distract yourself with not-strictly-relevant-to-work pastimes such as playing online games, watching cat videos or wrapping unsuspecting colleagues’ desks in silver foil as a New Year’s joke.

But you can use your “waiting for bad things to happen” time for work-related personal development.

So, we’ve picked our favourite Serious Security and Anatomy of… technical articles of recent years, in the hope you’ll enjoy perusing them…

…or at least find them useful to keep pre-opened in “emergency browser tabs” that can hurriedly be brought to the foreground and used as reference texts if needed.

ARTICLE 1: CRYPTOGRAPHY

Serious Security: What 2000 years of cryptography can teach us

ARTICLE 2: DATA OVERFLOW

Serious Security: GPS week rollover and the other sort of “zero day”

ARTICLE 3: RANDOM NUMBERS

Anatomy of a pseudorandom number generator – visualising Cryptocat’s buggy PRNG


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZNDC9xQ8HQ0/

What a decade! Our baddest stories and biggest lessons, year by year…

Here they are: the baddest stories and the biggest lessons, from 2010 to 2019.

From a totally made-up hoax that shocked the world, through a social networking app that promised what it couldn’t deliver, to a larger-than-life cybercelebrity who was busted in a military-scale takedown operation…

…here’s our take on the megaissues of the past decade.

From the bizarre, through the crazy, all the way to the outright impossible – there’s still plenty to learn from all these stories.


2010 – FACEBOOK PROFILES

Want to see who has viewed your Facebook profile? Take care…

This sort of scam is still a huge problem. Crooks offer you a way to access “unauthorised” features in your favourite apps or social networks – but you have to sign up, or hand over lots of personal data, or install a shady app first.


2011 – ONLINE HOAXES

Facebook to start charging this summer? Hoax spreads across social network

New hoaxes appear all the time, and old ones come round regularly. The problem is that people share them just in case they’re true, even when they clearly aren’t, and that keeps them going… and going, and going.


2012 – THE MEGAUPLOAD BUST

Kim Dotcom now a “real life James Bond villain” in latest Megaupload bombshell

Larger-than-life New Zealand entrepreneur Kim Dotcom ran the world’s biggest file sharing site, Megaupload. The authorities didn’t like that, and moved in for a massive arrest and takedown. Dotcom is still fighting extradition to the USA – but this is how the saga started.


2013 – SNAPCHAT’S NON-VANISHING SELFIES

Snapchat images that have “disappeared forever” stay right on your phone…

What a cool idea! A social network where your risque and cheeky selfies would self-destruct after a few seconds – all the fun with none of the embarrassment. Turns out that truly deleting data is much harder than you think.


2014 – TALKING ANGELA

The Talking Angela witch hunt – what on earth is going on?

A cartoon cat that can chat to you. Innocent fun? Or a front for child abuse? After years of background rumours, millions of people started openly accusing this app of being a front for paedophilia, even though there wasn’t a shred of truth in any of the claims.


2015 – GETTING BUSTED ON THE DARK WEB

3 ways to get busted on the Dark Web

By 2015, the Dark Web’s infamous “Silk Road” online souk had been shut down, and its operator, Ross Ulbricht, was in prison for life. But how could that have happened if the Dark Web is meant to be anonymous and secret?


2016 – LOCKY RANSOMWARE

“Locky” ransomware – what you need to know

Ransomware attacks started in earnest back in 2013, with the Cryptolocker ransomware. “Locky” is one of the other early ransomware names that everyone remembers – and by the time Locky was widespread, it was pretty clear that ransomware was a threat that wasn’t going away…


2017 – VOICE ASSISTANTS

Know the risks of Amazon Alexa and Google Home

Voice assistants like Alexa and Google Home burst on the scene in a blaze of understandable popularity. But do they enhance your lifestyle, or threaten your privacy? We tell you what you need to know.


2018 – SEXTORTION

Beware sextortionists spoofing your own email address

We’ve all received them: the crooks send an email saying they have a video of you watching porn, and they want money in return for deleting it. Even if you don’t watch porn, the crooks say they have malware on your computer – and they send you a genuine password (typically one leaked in an old third-party data breach) to “prove” it. What can you do?


2019 – ZERO-DAY HOLES

Serious Chrome zero-day – Google says update “right this minute”

This year’s biggest story so far turns out not to be about a data breach, or a ransomware attack, or a massive cybercrime bust… but about a security bug in Chrome that even Google thought was bad enough to advise, “Like, seriously, update your Chrome installs… like right this minute.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-rmg75GSUo4/

Sextortionists return for Christmas – price goes down, threats go up

A week ago, a concerned Naked Security reader shared with us a “send us money or else” email that was a bit different from others he’d received in the past.

The claims and the demands followed a predictable theme – one that we call sextortion because of the connection between sexuality and extortion.

Simply put, the scammers open their game by telling you they’ve infected your computer with spyware, so they can spy on both you and your screen at the same time.

And, guess what?

They’ve got side-by-side screenshots of your browser window and images from your webcam, taken while you were watching porn, and they’ll share their juicy video with everyone you know…

…unless you pay hush money into a specified Bitcoin address.

But the modus operandi – the way last week’s email was delivered – was a bit different from usual.

The crooks had hidden their whole email rant inside an inline image, presumably to stop text-scanning email filters from picking up on keyword combinations such as porn, Bitcoin and webcam.

Of course, if an email filter can’t extract keywords from the image, then you can’t copy and paste the vital Bitcoin address either, so the crooks provided a QR code instead.

And, just in case a really keen email filter tried to do optical character recognition (OCR) on the image to recover the original text, the crooks had used numerous slightly wacky versions of common English letters such as A, E, I, O and U – scattering them liberally with accents and other marks that are widely used in many languages but almost never appear in English text, so that a naive keyword match on the OCR output fails.
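The accent trick only works against a filter that compares the OCR output byte-for-byte with its keyword list. The following is an added example, not code from Naked Security or from any real mail filter: it folds the decorated letters back to plain ASCII with Unicode NFKD decomposition (which splits “ö” into “o” plus a combining diaeresis that can then be dropped) before looking for the keyword combinations. The sample text, the keyword sets and the small table of letters that NFKD does not decompose (such as “ø”) are all constructed for the example.

```python
import re
import unicodedata

# Constructed sample: roughly what an OCR pass might recover from the
# scammers' inline image, with accents sprinkled over ordinary letters.
SAMPLE_OCR_TEXT = (
    "I hàvé a vïdeo öf yóu wåtching pôrn fróm yöur wëbcam. "
    "Sénd 1500 USD tó mý Bïtcöin àddress or I sénd it tó éveryone."
)

# Assumed keyword combinations a text filter might look for.
KEYWORD_SETS = [
    {"porn", "bitcoin", "webcam"},
    {"video", "bitcoin", "pay"},
]

# Letters that look like decorated ASCII but are separate code points and do
# not decompose under NFKD; mapped by hand (assumed, extend as needed).
EXTRA_FOLDS = str.maketrans({
    "ø": "o", "Ø": "O", "ł": "l", "Ł": "L",
    "đ": "d", "Đ": "D", "ı": "i",
})


def fold_diacritics(text):
    """Return text with accents/combining marks removed and case folded.

    'Bïtcöin' -> 'bitcoin'. NFKD splits a precomposed character into its base
    letter plus combining marks; dropping category Mn (nonspacing mark) keeps
    only the base letter.
    """
    text = text.translate(EXTRA_FOLDS)
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed
                       if unicodedata.category(ch) != "Mn")
    return stripped.casefold()


def tokenize(text):
    """Lower-case ASCII word tokens after folding."""
    return set(re.findall(r"[a-z0-9]+", fold_diacritics(text)))


def naive_keyword_hit(text):
    """What a filter that does NOT fold sees: raw ASCII tokens only."""
    raw_tokens = set(re.findall(r"[a-z0-9]+", text.casefold()))
    return any(ks <= raw_tokens for ks in KEYWORD_SETS)


def matched_keyword_sets(text):
    """All keyword sets fully present in the folded text."""
    words = tokenize(text)
    return [ks for ks in KEYWORD_SETS if ks <= words]


def is_probable_sextortion(text):
    return bool(matched_keyword_sets(text))


if __name__ == "__main__":
    print("naive match :", naive_keyword_hit(SAMPLE_OCR_TEXT))      # False
    print("folded match:", is_probable_sextortion(SAMPLE_OCR_TEXT))  # True
    print("hit on      :", matched_keyword_sets(SAMPLE_OCR_TEXT))
```

The folding step is cheap enough to run on every OCR result, and it also catches the reverse case where a legitimate message happens to contain accented words. It will not help with a QR-encoded Bitcoin address, which has to be decoded as an image before any address matching can happen.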

Well, our diligent reader just reported that the same crooks have made a reappearance just in time for Christmas, warning him to “stop shopping and f***ing around” and to start taking their threats seriously.

They’ve not only got a new Bitcoin address to receive payments this time, but have also dropped the price slightly, from $1767 to $1500.

(Although they want payment using bitcoins, for reasons of anonymity, the amounts they’re demanding are given in US dollars; presumably you’re expected to convert at the going rate when you pay up.)

Despite the price drop, however, there’s no mistaking that this demand, timed to align with Christmas, has a much more aggressive and menacing tone.

The crooks are now implying that they know more than just what’s happening on your computer, as though they’re able to spy on you much more generally than via your laptop webcam:

Yea, I know what you were doing the past couple of days. I have been observing you. [By the way,] nice car you have got there.

They’ve also signed off much more aggressively:

If you want to save yourself, better act fast, because right know you are f***ed. We will not leave you alone, and there are many people on the groups that will make your life feel really bad.

What to do?

This whole scam – both the first email and this even more odious follow-up – is just that: a total scam based on a pack of lies.

As always, our advice is simply to “delete the email and move on,” but we know that you probably have friends and family who might not be sure that’s a safe thing to do.

There’s something deeply unsettling about receiving threats to spread terrible stories about you – even if you never watch porn and know perfectly well that the threats are fake news, who knows how other people might react to falsehoods if they’re told a believable and salacious story about you?

What if the crooks don’t have the porn video but they do have malware on your computer?

If you’re visiting less tech-savvy friends and family this Christmas, why not show them the “What to do When…” videos on our brand new YouTube channel?

Let us help you set their minds at rest on a range of “who knows what to believe?” topics including romance scams, data breaches and sextortion.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9oxseBcWbcM/

Londoner who tried to blackmail Apple with 300m+ iCloud account resets was reusing stale old creds

A 22-year-old Londoner has been given 300 hours of community service and a State-enforced bedtime after trying to blackmail Apple with hundreds of millions of previously compromised login credentials.

Kerem Albayrak, 22, demanded Apple give him $75,000 in crypto-currency or a thousand $100 iTunes gift cards. If the maker of shiny white electronic stuff didn’t comply, Albayrak said he would factory-reset 319 million iCloud accounts and “dump his databases online if his demands were not met,” according to the National Crime Agency.

On 12 March 2017 Albayrak emailed Apple Security claiming to have iCloud account details which he planned to sell online on behalf of his “internet buddies.” A week later he filmed himself accessing two apparently random iCloud accounts, posting the video on YouTube and sending the link to Apple, as well as multiple media outlets.

Two days later the demand increased to $100,000 and a threat to factory-reset every iCloud account he had access to. Last year CNBC quoted analysts estimating that Apple hosted around 850 million iCloud accounts, meaning Albayrak was threatening more than a third (roughly 37 per cent) of all iCloud accounts in existence.

Apple contacted law enforcement in the UK and US and the NCA led the UK investigation. Later in March 2017, officers from the NCA’s National Cyber Crime Unit arrested Albayrak at his home in north London, helping themselves to his phone, computers and hard drive. Investigators found phone records showing Albayrak was the spokesman for a hacker group calling themselves the “Turkish Crime Family”.

The NCA investigation confirmed Apple’s findings that there were no signs of a network compromise. The data Albayrak claimed to have was actually from previously compromised third-party services which were mostly inactive.

When asked about some of his activities, Albayrak told NCA investigators: “Once you get sucked into [cyber crime], it just escalates and it makes it interesting when it’s illegal,” with the agency’s press statement quoting him as saying: “When you have power on the internet, it’s like fame and everyone respects you; and everyone is chasing that right now.”

At the start of this month Albayrak pleaded guilty to one count of blackmail, having already admitted two counts of unauthorised acts with intent to impair the operation of or prevent/hinder access to a computer. A judge at Southwark Crown Court sentenced him on Friday 20 December, and the Londoner was given a two-year suspended prison term, 300 hours of unpaid work and a six-month electronic curfew.

Anna Smith, a senior investigative officer for the NCA, said in a canned statement: “During the investigation, it became clear that Albayrak was seeking fame and fortune. But cyber-crime doesn’t pay. The NCA is committed to bringing cyber-criminals to justice. It is imperative victims report such compromises as soon as possible and retain all evidence.”

Computer Misuse Act sentences are relatively light. Last week a grudge-holding IT contractor who tried to wreck airline Jet2’s Active Directory domain was sent down for five months despite a Crown court judge declaring that the perp had committed a “deliberate act with a high level of sophistication and planning.” As an exclusive analysis by The Register revealed earlier this year, headline CMA sentences usually range from 6-9 months or 18-24 months.

Next year sees the formal launch of a campaign by some British infosec companies to reform the CMA. It is thought that the public sector, particularly the NCA, is also keen to redraw Britain’s main anti-hacker laws. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/24/kerem_albayrak_apple_icloud_blackmail_sentenced/

IoT Security: How Far We’ve Come, How Far We Have to Go

As organizations fear the proliferation of connected devices on enterprise networks, the private and public sectors come together to address IoT vulnerabilities.

The Internet of Things is bringing every aspect of our lives online. Phones, watches, printers, thermostats, lightbulbs, cameras, and refrigerators are only a handful of devices connecting to home and enterprise networks. This web of products is seemingly intended to make everyday tasks more convenient; unfortunately, their weak security gives attackers an easy route in.

“[The IoT] is still a computer on a network, but it’s different,” says Joseph Carson, chief security scientist with Thycotic. Unlike traditional PCs, the functionality for IoT devices is very specific; further, they’re designed to be inexpensive and simple to deploy. As more employees bring devices into the workplace and connect them to Wi-Fi, the challenge to protect them escalates.

Enterprise devices not historically connected to the Internet are now part of the IoT, complicating the issue, adds Deral Heiland, IoT research lead at Rapid7. He points to multi-functional printers, which he says have long been a corporate security risk. Modern printers can control myriad functions, send data over the Internet, or print remotely via the cloud.

“One of the big things I run into at a lot of organizations is, ‘What really is the IoT?'” he says. “Things that weren’t on the IoT a decade ago, which have always been in the environment, have morphed into IoT technology.” As a result, many businesses don’t understand the full breadth of devices putting them at risk.

Routers, printers, and IP cameras are among the most prominently discussed devices in corporate IoT security. Cybercriminals are studying the IoT attack surface, figuring out what works and doesn’t work, and how they can profit from vulnerabilities in connected devices. A recent Trend Micro report sheds light on how attackers profit from the IoT: many sell access to hacked IoT devices built into botnets; others extort owners of connected industrial equipment.

In particular, security experts point to the Mirai botnet as a turning point for connected device security. Mirai and its variants “seem to be the big one these days,” says Jon Clay, Trend Micro’s director of global threat communications. The botnet has “stifled creativity” in the underground for this type of malware: it’s open-source and free, so attackers don’t have to work very hard.

“The attack surface is growing incrementally,” he says. “There are so many new devices coming online.” Criminals are narrowing their focus on IoT, evolving from ransomware or point-of-sale malware to specifically targeting connected devices.

Compounding the danger of IoT threats is the rise of nation-state attackers, who are targeting firmware at scale or leveraging connected devices in DDoS attacks. They don’t have to attack a major entity in order to have far-reaching effects, either: as NotPetya demonstrated, a nation-state actor could target one single component supplier to have devastating consequences.

Organizations’ attitude toward IoT security is similar to their approach to smartphones several years back, Heiland says. Now, they’re in the early stages of how they’ll improve their business model and put together processes to stay secure. At the same time, standards and regulations are emerging to inform manufacturers how to build security into these devices from the start.

Where Businesses and Manufacturers Fall Short

A combination of poor device security and higher interest among attackers is driving businesses to pay more attention to the IoT. “The attack surface they’re responsible for has grown so immensely,” says Mike Janke, CEO of DataTribe, where a group of advisory CISOs uses the term “shadow IoT” to refer to the smartwatches, headphones, and tablets appearing on networks.

“That’s a big pain because [the CISOs] are ultimately responsible,” he continues, noting most don’t have the budget, people, or resources to combat the problem. “It’s very frustrating.”

Many companies continue to struggle with patch management efforts, adds Clay, which adds to the challenge as IoT device manufacturers typically require users to apply updates. “A lot of these devices aren’t traditional PCs,” he explains. “Even though they have operating systems and applications inside, they aren’t treated like a server or a PC is in an organization.”

Carson advises organizations to consider the function of IoT devices before permitting them on a corporate network. Is it a data collector or aggregator? Can the rest of the network be accessed through the device? Does it introduce new threats? Who owns the device; can they view or download data? He suggests personal devices be required to access a guest network.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/iot-security-how-far-weve-come-how-far-we-have-to-go/d/d-id/1336673?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple