STE WILLIAMS

Kaspersky Lab Analysis Shines Light on DarkUniverse APT Group

Threat actor was active between 2009 and 2017, targeting military, government, and private organizations.

A threat campaign first spotted targeting Tibet and Uyghur activists in 2013 may have been much wider in scope than originally thought, a new analysis by Kaspersky Lab has revealed.

The security vendor made the discovery when trying to identify an advanced persistent group the US National Security Agency (NSA) had been quietly tracking when the ShadowBrokers outfit leaked many of the spy agency’s offensive tools in 2017.

One of the leaked tools had been used by the NSA to check for traces of malware and other artifacts tied to specific APT groups on compromised systems. Kaspersky Lab’s analysis of the tool revealed the NSA was using it to track 44 separate APT groups, many of them unknown and not publicly described at the time.

Researchers from the security firm decided to see what they could find about one of the APT groups the NSA was tracking, identified only as “framework #27” in the tool.

In a report Tuesday, Kaspersky Lab said its investigation showed the group — which it has dubbed “DarkUniverse” — targeted organizations in Middle Eastern and African countries, as well as entities in Russia and Belarus. 

Kaspersky Lab was able to identify at least 20 victims, including medical institutions, atomic energy bodies, telecommunications firms, and military organizations. DarkUniverse appears to have operated between 2009 and 2017 and then ceased activities altogether following the ShadowBrokers leak, Kaspersky Lab said.

“After the publication of [the ShadowBrokers] leak, no traces of this specific activity surfaced,” says Alexander Fedotov, malware analyst at Kaspersky Lab. “It is possible that the group is still active but now uses other instruments.”

DarkUniverse used spear-phishing emails to spread a malware tool designed to collect a wide range of information from infected systems, including keystrokes, emails, screenshots, and files from specific directories. The spear-phishing emails were customized for each target. Kaspersky Lab said its analysis showed the malware had been built from scratch and then constantly modified and updated, to the point where the samples the group used in 2017 were completely different from the 2009 samples.

“Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable,” Kaspersky Lab said in its report this week.

Sophisticated Threat Actor
Fedotov describes DarkUniverse’s malware as relatively sophisticated and involving at least one zero-day exploit, CVE-2013-0640, for a security issue in Adobe Reader. Some of the techniques the group employed, including its use of the WebDAV protocol to send stolen data to legitimate cloud services, were, in fact, adopted by other groups, he says.

“This report shows that there are actors with enough resources to develop a variety of similar-in-functionality and yet quite complex instruments at the same time and use them independently,” Fedotov says.

According to Fedotov, what makes DarkUniverse’s activity significant is the group’s apparent ties to the operators of ItaDuke, malware that first surfaced in multiple Uyghur- and Tibetan-themed attacks six years ago. Those attacks also involved the use of the same Adobe Reader 0-day exploit to drop ItaDuke on target systems. The attackers also used Twitter accounts to store command-and-control URLs.

Several unique code overlaps between the malware DarkUniverse developed and ItaDuke strongly suggest a link between the two.

“ItaDuke represented a very complex malware,” Fedotov says. “With this new discovery of a malware connected to ItaDuke and similar in its level of sophistication, we observed that the real scale of ItaDuke operation is much wider than it was previously considered.”

Fedotov wouldn’t speculate on whether DarkUniverse was likely nation-state-backed or which country it operated from, citing challenges associated with attributing threat activity to a specific actor or location.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What a Security Products Blacklist Means for End Users and Integrators.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/kaspersky-lab-analysis-shines-light-on-darkuniverse-apt-group/d/d-id/1336292?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Cold Truth about Cyber Insurance

There is no premium that will recover the millions of dollars your company spends on R&D if your intellectual property is hacked and stolen.

Cyber insurance policies are designed to cover the costs of security incidents and breaches such as system forensics, data recovery, and legal and customer reparations costs. Typical incident types that are covered include invoice fraud, cryptolocker recovery, and insider threats. While cyber insurance has its place in a holistic approach to security, its place is misunderstood.

To start, it is imperative that organizations understand their critical digital assets and risks since the planful adoption of a cyber insurance policy is vitally important for managing premium costs and ensuring appropriate coverage. But cyber insurance is a post-fail risk offset and it should never replace a proper security program. When businesses overinvest in cyber insurance and underinvest in security controls, they are showing that they expect to be breached and have their insurers solve the problem, even though they won’t. Yes, it is true that the frequency at which data breaches are reported is astounding, and hefty fines under data privacy laws are being issued more frequently. But the better approach for organizations is to pursue a proactive security strategy that is properly balanced with cyber insurance.

Cyber insurance is a relatively new and rapidly growing industry that did not really start catching on until 2005. A recent report by Adroit Market Research claims that the cyber insurance market will exponentially increase from approximately $4 billion in premiums around the globe in 2019 to a value of over $23 billion by 2025. Fueling this prediction is companies’ reaction to recently enacted data privacy regulations around the world, such as the European Union’s General Data Protection Regulation (GDPR) in May 2018.

Organizations legitimately fear the hefty fines and costs of reparations that suffering a breach can cause, such as the penalties levied upon British Airways and Marriott, and look to their insurers for plans that can help offset the costs associated with breach notifications and other recovery expenses. Yet overreliance on cyber insurance without investing in proper controls shows that an organization is prepared to suffer a data breach rather than effectively defend against it. While insurers can offset some costs, they cannot repair a company’s reputation after a security incident or regain lost intellectual property (IP). The unfortunate truth is that if a company spends millions on research and development (R&D) and that IP is stolen, there is no premium that can recover the costs of that investment.

The Cloud
Another factor contributing to the popularity of cyber insurance is the rapid adoption of the cloud. But too often, businesses use cyber insurance as a security blanket to cover their cloud migration and configuration mistakes, as opposed to developing a proactive security program that benchmarks and continuously tests the efficacy of its controls.

Organizations must also understand that cyber insurance providers are for-profit businesses that do not want to pay out claims for breaches that could have been avoided with a proper security program. Similar to how the long-term care insurance industry will deny coverage to applicants who fail a health assessment, it would not be surprising if insurers become more restrictive about claims and even deny coverage to companies that lack the proper controls. For example, an insurer may choose not to pay, or to reduce the amount paid on a claim, for a business that suffers an email compromise attack that could have been mitigated by multifactor authentication (MFA).

The FUD Factor
In today’s constantly changing data privacy climate, there is no shortage of fear, uncertainty, and doubt surrounding insurers’ policies and claims classifications. One of the most famous examples involved Sony’s cyber insurer, Zurich American Insurance Co., refusing to compensate the multinational conglomerate for an estimated $2 billion in losses from a 2011 data breach of 77 million users’ personally identifiable information. Even after Sony brought Zurich to court, Zurich maintained that Sony’s policy did not cover any third-party hacking incidents.

At the end of the day, cyber insurance cannot and should not be seen as a replacement for a properly developed cybersecurity program. Cyber insurance can help offset post-fail costs, but it will not cover the costs of losing IP and it will give no comfort if a security program is not properly designed. Not only will an effective security strategy help a business obtain cyber insurance in the first place, but choosing to test the efficacy of the controls will help organizations identify flaws before an attacker can find them. This method will also allow companies to improve the return on investment of their cybersecurity budgets by identifying and getting rid of overlapping controls while demonstrating to all stakeholders that they actually take security seriously.


Chris Kennedy is the chief information and security officer and vice president of customer success at AttackIQ. Kennedy joined AttackIQ from Bridgewater Associates where he was head of security for infrastructure technology and controls engineering. He brings more than 20 …

Article source: https://www.darkreading.com/risk/the-cold-truth-about-cyber-insurance/a/d-id/1336234?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft crams Office 365 docs into Edge-style sandboxes to thwart malware infections

Ignite Amid the flood of news from Microsoft’s Ignite conference in Florida this week, Redmond dropped word of several new features and additions to its cloud services aimed at protecting user data.

Office 365 will be getting additional security protections through Application Guard, the sandboxing tool Microsoft debuted with its Edge browser. The idea is that Application Guard will isolate documents, preventing malicious code from escaping the app and damaging the rest of the system. The feature is currently in limited preview.

“You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. View, print, edit, and save changes to untrusted Office documents—all while benefiting from that same hardware-level security,” said Microsoft Security corporate VP Rob Lefferts. “If the untrusted file is malicious, the attack is contained and the host machine untouched.”

Admins will also get additional tools to detect potential malware attacks and account theft in Office 365 with a new set of Advanced Threat Protection compromise alerts and automatic detection tools.


Advanced Threat Protection for Microsoft Defender will also get new alert options to help admins spot and remove cloud apps installed by users without administrator approval. Microsoft says the new features will be “single click,” allowing admins to easily zap unauthorized services.

Admins wanting a bit of extra help with their security will be offered an experts-on-demand service through ATP to help with security investigations and assessments. Microsoft also said it will be adding more planning and reporting options for the Secure Score assessment tool.

For Azure, Microsoft is kicking the Sentinel service into general availability. First debuted at RSA earlier this year as a security information and event management (SIEM) system for the cloud platform, Azure Sentinel allows admins to better spot potential attacks.

Even Mac users are being invited in on the security bonanza, as Redmond says later this month it will be rolling out a port of its Enterprise Detection service for Apple fanbois. For those wanting to stick with Windows, Microsoft said its line of firmware-protected secure core PCs are on track to hit the market this holiday season. ®

Sponsored:
How to get more from MicroStrategy by optimising your data stack

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/07/ignite_2019_security/

We’re almost into the third decade of the 21st century and we’re still grading security bugs out of 10 like kids. Why?

Disclosure The way we rate the severity of computer security vulnerabilities and bugs needs to change if people and businesses want to be better protected from malware and cyber-crime.

So says Marc Rogers, executive director of cybersecurity at Okta and head of security at the world’s biggest hacking conference DEF CON.

Speaking to The Register at Okta’s Disclosure conference in San Francisco this week, Rogers reckoned today’s methods of scoring and classifying security vulnerabilities reflect a dated system that doesn’t take into account the way modern attackers operate.

“The challenge is the whole vulnerability management space has been evolving,” Rogers said, “but it is being outpaced by the evolution of how we leverage attacks.”

In particular, Rogers said, approaches such as the CVSS scoring system led to an overemphasis on specific qualities of single vulnerabilities in isolation, and ignored the wider context, threat model, and potential for miscreants to exploit security weaknesses in a chain to cause unexpected damage. The old system of scoring security blunders from 0 (benign) to 10 (really bad) with various flags (eg, remotely or locally exploitable) just isn’t going to cut it, in other words.

For example, while a business would, ideally, swiftly patch a remote-code execution flaw that has a high CVSS score, lower-scored bugs, such as elevation-of-privilege and information-disclosure holes, might not be treated as a priority.

And yet hackers could, for instance, exploit a data-leak vulnerability to obtain enough information to log into a system, and then exploit the privilege escalation flaw to fully hijack that box. Thus, the two low-scoring bugs could wind up as bad if not worse than the scary remote-code execution flaw, and yet may not be seen as a priority due to their CVSS rating.

“It is complex, but there is nothing in the assessment process to deal with that,” Rogers said. “It has lulled us into a false sense of security where we look at the score, and so long as it is low we don’t allocate the resources.”

Then there is the context of a bug. Rogers noted that, for example, a vulnerability that lets an attacker print text on a screen would barely move the needle in terms of a CVSS score. If that bug were to be exploited on, say, an in-flight entertainment screen or police signage, a scumbag could spark panic and chaos on a par with any simple system takeover.


There are also cases where seemingly harmless or esoteric bugs become big headaches once hackers find creative uses for them. Rogers pointed to the Rowhammer attack, in which malware can alter data in memory that should be out of reach, as one such example. Flipping one or two bits in RAM doesn’t sound too destructive – until you flip just the right bits in kernel memory to gain root privileges.

“Just because a bug only allows you to do one small function, you don’t think about what the implications are,” Rogers said. “If you had assessed it based on just flipping bits, you would have thought it was just a physical vulnerability.”

While a solution will be hard to come by, Rogers believes the first step will be to take a wider view of how we classify vulnerabilities. Rather than simply look at the immediate results of an exploit, he sees the need to take into account what that exploit could mean for the rest of the system.

To do that, infosec staff will need to broaden their horizons and reach out to other communities.

“That kind of assessment requires intelligence from the system builder or operator to add that context,” Rogers explained. “We need to come up with a more dynamic process that takes in the CVSS score, but also factors in knowledge from the system.” ®
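Rogers’ argument, that two low-scoring bugs can chain into something as bad as a critical one and that the same bug can matter far more on a particular system, can be made concrete. The following is an added example, not code from the article or from Okta: a finding’s effective score is the higher of its published CVSS base score and the worst capability an attacker would lose on that host if only that finding were fixed, and an operator-supplied per-host context can raise the impact of an otherwise minor capability (the finding identifiers, capability names, impact values and hosts are all constructed for the demonstration).

```python
"""Chain-aware patch prioritisation layered on CVSS base scores (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str             # local identifier (constructed, not a CVE number)
    host: str
    cvss: float          # CVSS base score as published for the bug in isolation
    requires: frozenset  # capabilities an attacker must already hold to exploit it
    grants: frozenset    # capabilities a successful exploit yields


# Impact of holding each capability, on a 0-10 scale (constructed defaults).
DEFAULT_IMPACT = {
    "network": 0.0,         # starting position: can reach the host
    "user_session": 6.0,    # authenticated as an ordinary user
    "root": 9.5,            # full control of the host
    "screen_control": 3.0,  # can put arbitrary text on a display
}


def reachable(findings, start=frozenset({"network"})):
    """Capabilities an attacker can accumulate by chaining the given findings."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for f in findings:
            if f.requires <= have and not f.grants <= have:
                have |= f.grants
                changed = True
    return frozenset(have)


def effective_scores(findings, context=None):
    """Map each finding id to its chain- and context-aware score.

    context: {host: {capability: impact}} overrides, e.g. a display where
    screen_control is far worse than the default because of where it sits.
    """
    context = context or {}
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    scores = {}
    for host, host_findings in by_host.items():
        impact = {**DEFAULT_IMPACT, **context.get(host, {})}
        full = reachable(host_findings)
        for f in host_findings:
            # What does the attacker lose on this host if only f is patched?
            without = reachable([g for g in host_findings if g is not f])
            denied = full - without
            worst = max((impact.get(c, 0.0) for c in denied), default=0.0)
            scores[f.fid] = round(max(f.cvss, worst), 1)
    return scores


def prioritised(findings, context=None):
    """Findings ordered by effective score, highest first."""
    scores = effective_scores(findings, context)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample findings illustrating the article's two scenarios.
SAMPLE = [
    # Two low/medium bugs on one host that chain to root.
    Finding("leak-01", "app-01", 5.3, frozenset({"network"}), frozenset({"user_session"})),
    Finding("privesc-01", "app-01", 7.8, frozenset({"user_session"}), frozenset({"root"})),
    # A remote code execution bug on another host: already critical on its own.
    Finding("rce-01", "app-02", 9.8, frozenset({"network"}), frozenset({"root"})),
    # "Print text on a screen" on an in-flight entertainment display.
    Finding("text-01", "ife-01", 3.1, frozenset({"network"}), frozenset({"screen_control"})),
]

# Operator-supplied context: on this display, controlling the screen is serious.
SAMPLE_CONTEXT = {"ife-01": {"screen_control": 9.0}}


if __name__ == "__main__":
    for fid, score in prioritised(SAMPLE, SAMPLE_CONTEXT):
        base = next(f.cvss for f in SAMPLE if f.fid == fid)
        print(f"{fid:12} base {base:4.1f} -> effective {score:4.1f}")
```

With the sample data the 5.3 information leak and the 7.8 privilege escalation both come out at 9.5, because removing either one denies the attacker root on that host, and the 3.1 screen bug rises to 9.0 only on the host whose context says a controlled screen is dangerous; without that context it stays at 3.1. The capability model and impact numbers are the operator’s input, which is exactly the “knowledge from the system” the article says CVSS alone lacks.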


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/07/disclosure_marc_rogers/

Google joins Gang of Four to guard Play Store apps from malware, and maybe not fail so much

Google, after more than a decade of dealing with Android malware, has formed an alliance with three security companies to help it defend its mobile platform.

The Chocolate Factory on Wednesday announced the App Defense Alliance, by which partners ESET, Lookout, and Zimperium will be able to scan Android apps submitted to Google Play prior to approval and distribution.

In a blog post, Dave Kleidermacher, VP of Android Security and Privacy, said the partnership involves integrating Google Play Protect malware detection systems with the scanning engines of its three partners.

“This will generate new app risk intelligence as apps are being queued to publish,” said Kleidermacher. “Partners will analyze that dataset and act as another, vital set of eyes prior to an app going live on the Play Store.”

Asked why Google needs extra eyes, a company spokesperson said each partner has a unique approach that Google believes will complement its internal tech.

“Google scans each app multiple times before and after publish to the Play Store,” a company spokesperson told The Register in an email. “With the App Defense Alliance, we will now consider the union of all detection results, including our own when looking for red flags or bad behavior.”

More eyes may help, though Google’s efforts in recent years appear to be moving the needle in the right direction. In its 2018 Android Security Report, the company said less than 1 per cent of devices contained potentially harmful applications (PHAs) in 2014 and that figure remained more or less steady through 2018. But the installation rate of PHAs from Google Play declined 31 per cent in 2018 from the year before, if you exclude click-fraud apps which Google just started tracking last year.

PHAs – a polite term apparently designed to mitigate the risk of being sued for unjust disparagement – include trojans, spyware, phishing, and click-fraud apps. Unwanted software, which refers to apps that gather information without consent but aren’t necessarily harmful, is not part of the definition.


According to Google’s report, only 0.45 per cent of Android devices running Google Play Protect were found to have PHAs in 2018, down from 0.56 per cent in 2017. That’s a 20 per cent year-over-year improvement.

Such small percentages look larger when translated into actual device numbers. Google says there are over 2.5bn Android devices so 0.45 per cent of that amounts to more than 11 million PHA-afflicted devices.

The App Defense Alliance should help reduce malicious apps in the Google Play Store, but it doesn’t directly address Android apps installed from outside of the store, an area where Google nonetheless has been making some progress. Outside of Google Play, PHA installation attempts in 2018 declined by 20 per cent year-on-year, according to the report.

Even so, Christoph Hebeisen, director of security intelligence research at mobile security biz Lookout, suggests that access to Google Play app data will help mobile security for corporate customers, too.

“Google will be sharing app data with its partners, who will scan it and return its results to Google before app approval,” Hebeisen told The Register via email. “This early and unique access to app data will inform Lookout ML engines to detect and auto-convict malicious applications targeting the enterprise.”

Characteristically, Google remains focused on automated, scalable security measures rather than, say, hiring app reviewers or trying to weed out disreputable devs. The Register asked whether the App Defense Alliance will increase the scrutiny of individual developers for trustworthiness. Google’s spokesperson said, “We are not discussing the scope and format of signals shared within the Alliance at this time.”

We also inquired about whether the App Defense Alliance will help against code designed to play nice for a few months before going bad.

“All members of the alliance including Google Play Protect inspect app code as well as observed app behavior,” Google’s spokesperson said.

“While there are no 100 per cent guarantees that any given behavior will be observed when an app is run, but the combination of these techniques has proven powerful in order to find potential issues, whether they execute during testing or not.”

Perhaps most importantly, the Alliance does not remove the need for the mobile security software sold by Google’s partners. “The App Defense Alliance will help minimize app risks on Google Play, but a mobile threat defense solution is still needed to protect against other mobile risks, such as phishing, or device-based threats and network-based attacks,” said Hebeisen. ®

Sponsored:
Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/06/android_security_posse/

Ex-Twitter staff charged with spying for Saudi royals: Duo accused of leaking account records, including those of critics

Two now-ex Twitter employees have been charged with spying on behalf of Saudi Arabia – after they allegedly leaked internal records for accounts linked to critics of the Saudi royal family, including the assassinated journalist Jamal Khashoggi, while working for the social network.

A criminal complaint [PDF] filed in a US district court in California on Wednesday accuses Ali Alzabarah and Ahmad Abouammo of snooping for the Saudi government. Both men worked at Twitter’s headquarters in San Francisco from 2013 until 2015.

A third man, Ahmed Almutaiari, was also indicted, accused of acting as an intermediary between the Twitter workers and the Saudi royal family.

The trio were charged with acting as unregistered foreign agents on American soil, and Abouammo was additionally charged with falsifying evidence in a federal investigation. Alzabarah is a Saudi citizen, who came to the US in 2005 on a scholarship to study computer science and remained in the country. Almutaiari is also a Saudi citizen, and traveled to the San Francisco Bay Area in 2014 on a student visa. Abouammo is an American citizen.

Timeline: Abouammo

According to the Feds, it all kicked off in April 2014 when Abouammo, a media partnership manager at Twitter, was assigned the task of giving a Saudi news journalist a verified blue-tick on their profile. Through this effort, Abouammo wound up getting friendly with the personality’s PR firm, the Saudi Arabian embassy, and eventually Almutaiari, who claimed to represent the Saudi royal family, it is alleged.

Meanwhile, an unnamed Saudi foreign official was scheming to cultivate contact details of Twitter employees to coerce into handing over people’s personal information. This official, whose charity was connected to Almutaiari, managed to eventually get hold of Abouammo via email and calls, we’re told.

In December 2014, Abouammo was in London, England, for a Twitter conference where he also met the official and received what was likely a $20,000 watch as a gift, prosecutors claim. The next month, back in California, Abouammo tried to sell the timepiece on Craigslist, the Feds noted.

Crucially, by mid-December 2014, Abouammo was already using his partnership manager position to illicitly access the internal records of Twitter accounts and leak them to the foreign official, it is alleged. These records contained users’ personal information, such as email addresses and phone numbers. At least one of these leaked accounts belonged to a prominent critic of the Saudi ruling family, it is claimed.

Abouammo was, essentially, allegedly bribed by the official to extract email addresses and phone numbers from selected accounts and hand them over, up until the tech worker quit Twitter in May 2015. He subsequently moved to Seattle to join Amazon, and later quit the cloud giant to co-found a marketing startup in the area, we’re told.

Prosecutors noted that Abouammo was hired by Twitter to cover the Middle East and North Africa. He was told to manage the accounts of important people, from journalists to celebrities, and brands in the regions. The Feds also said a cash payment of $100,000 was wired to a bank account in Lebanon from which Abouammo would transfer funds to an account in the US.

When the FBI approached him at his home in Seattle, and questioned the transactions, Abouammo said he had earned it from a consulting contract. He produced an invoice for his supposed consulting work, which the FBI believed to be fake. He was subsequently cuffed by agents on Tuesday this week, and charged.

Timeline: Alzabarah

In February of 2015, the court documents state, Almutaiari spoke to Alzabarah – at the time a site reliability engineer at Twitter – via phone, they agreed to meet, and Alzabarah was dramatically whisked off to Washington DC to meet the shadowy foreign official – who by this point was the director of the private office of a member of the Saudi royal family.

Within a week of returning to the Bay Area from that mysterious visit, Alzabarah illicitly siphoned off the internal records of more than 6,000 Twitter accounts, 33 of which were previously flagged by Saudi Arabian law enforcement, and leaked them to the private office director, it is claimed.

One of the accounts, we’re told, belonged to Omar Abdulaziz, a political activist who was friends with Jamal Khashoggi, a columnist for the Washington Post and outspoken critic of the Saudi royals, who was murdered by Saudi agents last year. It’s understood Khashoggi, a permanent US resident, was assassinated under the orders of Saudi Crown Prince Mohammed bin Salman.

Alzabarah quit Twitter in December 2015, returned to Saudi Arabia, and worked for the royal family. He currently holds a B1/B2 US visa, but has not been back to America since.

Probe

“We would like to thank the FBI and the US Department of Justice for their support with this investigation,” a Twitter spokesperson told The Register. “We recognize the lengths bad actors will go to try and undermine our service. Our company limits access to sensitive account information to a limited group of trained and vetted employees.”

“We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable. We have tools in place to protect their privacy and their ability to do their vital work. We’re committed to protecting those who use our service to advocate for equality, individual freedoms, and human rights.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/07/twitter_employees_saudi_spy/

Accounting Scams Continue to Bilk Businesses

Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows – most often via e-mail – continue to enable big paydays.

In mid-October, the municipal offices of the city of Ocala, Florida, received a legitimate invoice from a construction company for nearly three-quarters of $1 million, a partial payment for construction of a new terminal at the Ocala International Airport. When the city paid the invoice, however, the money went into the coffers of criminals overseas. 

A massive bank hack? No. The criminals had impersonated the construction company nearly a month earlier and managed to convince a city employee to change the bank to which funds were paid, according to a report in the Ocala StarBanner. The $742,000 windfall for the criminals came after the legitimate company issued the invoice, and when the construction company notified the city five days later on Oct. 22, the money was gone.

“We take our city’s cyber security seriously and employees participate in mandatory trainings to arm them with the skills needed to identify and report these sophisticated campaigns,” Ashley Dobbs, Ocala’s marketing and communication manager, told the newspaper. “While we can’t change this outcome, we will continue to update and refine our cyber security systems and trainings to minimize future impacts.”

While ransomware continues to garner attention for its sheer disruptive power, businesses and government organizations continue to lose billions of dollars to impersonators who insert themselves into the victims’ financial workflow. Known most often as business e-mail compromise (BEC), the scam targets critical employees with phishing e-mails that specifically request they change the bank information for a particular vendor. When the company or organization pays future invoices, the funds are transferred to the fraudster’s bank account.

The number of attempts at e-mail impersonation has skyrocketed, jumping by 269%, according to messaging security firm Mimecast. In its quarterly E-mail Security Risk Report, the company found that only two-hundredths of a percent of e-mail messages involved impersonation, but that still amounted to more than 60,000 messages, more than double the number of messages with malware attached. In a previous survey, the company found that 85% of companies surveyed had experienced an impersonation attack in 2018.

“Businesses need to change their methodology and train users how to validate these e-mail messages,” says Josh Douglas, vice president of threat intelligence at Mimecast. “There really should be an additive layer to look for this malicious activity.”

The scheme has been lucrative for attackers. Nearly 180 countries and all 50 states have reported incidents of BEC, and reported losses have doubled in the past year, according to the FBI, which compiles statistics of compromises reported to the Internet Criminal Complaint Center (IC3). In the past three years, more than $26 billion in losses due to BEC have been reported internationally, the FBI said.

“Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds,” the agency said. “However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey.”

Ocala is just the most recent victim. 

In August, the city of Naples, also in Florida, paid about $700,000 to a scammer’s bank account after fraudsters changed the bank-routing information two months earlier, according to news reports. Two months later, the Japanese newspaper conglomerate Nikkei discovered that a New York City-based employee had been fooled into sending approximately ¥3.2 billion — about $29 million — on the order of what appeared to be a Nikkei executive. 

“Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong,” the company stated.

Companies need to make sure they are using multiple methods of verifying requests to change bank account information, Mimecast’s Douglas says. And improving security on large transactions is not enough, as the FBI noted that payroll transactions are also a big target.

“With CEO fraud a year ago, attackers were going large-scale and going after financials,” Douglas says. “We are seeing a lot more targeted e-mails at the financial and HR teams to get a single paycheck. That piles up quickly and does not raise as many alarms in the process.”


Article source: https://www.darkreading.com/threat-intelligence/accounting-scams-continue-to-bilk-businesses-/d/d-id/1336290?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Controversies aren’t Boeing away for aircraft maker amid claims of faulty oxygen systems and wobbling wings

Ailing Boeing has been hit with a double whammy of recent controversies alleging safety flaws with its 737 NG (not the fatally flawed Max) and the 787 Dreamliner.

Boeing whistleblower John Barnett claimed to the BBC this morning that up to 25 per cent of the emergency passenger oxygen systems aboard the 787 were defective and would not work when called upon.

In addition, Barnett alleged Boeing had lost track of defective parts in its North Charleston factory and some of those parts could have found their way aboard aircraft on the production line.

“Boeing South Carolina is strictly driven by schedule and cost,” he told the Beeb. Boeing denies his claims, telling the broadcaster: “Every passenger oxygen system installed on our airplanes is tested multiple times before delivery to ensure it is functioning properly, and must pass those tests to remain on the airplane.”

A US Federal Aviation Authority investigation from 2017 partly upheld Barnett’s claims about spare parts, with Boeing telling the BBC today that it had “fully resolved the FAA’s findings with regard to part traceability, and implemented corrective actions to prevent recurrence”.

Oh… NG!

The allegations could not come at a worse time for Boeing. Over the past few weeks, reports of cracks in the 737 Next Generation (NG)’s attachment between its wings and the fuselage surfaced. Reuters reported that 38 out of 810 jets inspected in accordance with Boeing instructions showed unexpected cracks in the so-called “pickle fork” assembly that joins the wing to the fuselage, a critical joint in the aircraft’s structure.

Already Boeing has been suffering financial problems as a result of the 737 Max grounding. The 737 NG design, comprising some of the most widely used models of the venerable 737 short-haul airliner, was supposed to be replaced by the Max. With the NG now potentially affected by a critical problem requiring expensive and time-consuming repairs that result in aircraft being grounded, Boeing’s last civilian airliner cash cow could now be wobbling.

Last quarter Boeing Commercial Airplanes, the company’s airliner division, posted a loss of $40m – as opposed to a profit in the year-ago quarter of more than $2bn.

While the results weren’t as bad as they could have been because the shrinking profit margin was “partially offset by a higher margin on the 787 program”, if the market is worried there are problems with the 787, then that last mainstay of Boeing’s commercial airliner business could also be at risk.

Although some airlines have grounded significant numbers of 737 NGs, including Australia’s Qantas, some are saying that it won’t be such a big problem as it appears to be on first glance.

Boeing’s share price appeared unaffected by this morning’s news, though the US stock markets had not yet opened by the time of writing. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/06/boeing/

Trend Micro: Our super-duper security software will keep you safe from everyone – except our staff who go rogue

Trend Micro today revealed one of its staff went rogue and illegally sold the personal information of roughly 120,000 of its customers.

The security software vendor said names, email addresses, ticket support numbers, and in some cases phone numbers, of around one per cent of Trend’s 12 million customers, were copied from an internal database by the worker and sold off to an outside scammer.

Payment card details are not believed to have been accessed, nor were any details from government or enterprise customer accounts, we’re told.

Trend said it caught wind of the scheme back in August, when customers began to report receiving suspicious calls from people claiming to be Trend Micro support staff. After learning that the scammers seemed to know detailed information about the clients and their accounts, Trend started probing.

“We immediately started investigating the situation and found that this was the result of a malicious insider threat,” Team Trend said in announcing the leak. “The suspect was a Trend Micro employee who improperly accessed the data with a clear criminal intent.

“Our investigation further shows that the criminals were only targeting English-speaking customers, and we have only seen data accessed in predominantly English-speaking countries.”

As you might imagine, the employee in question was immediately fired and the matter has been turned over to the cops.


Trend, which has offices all over the world, said it believes it has directly informed all of the customers whose information was stolen by the rogue insider, though the security specialist is still warning its consumer customers to be wary of any unsolicited calls claiming to be from Trend support staff.

“If you have purchased our consumer product, you should know that Trend Micro will never call you unexpectedly. If a support call is to be made, it will be scheduled in advance,” the vendor advised.

“If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support using our official contact details below.”

The leak is the latest in what has been a trying few weeks for Trend. Last month, the company’s flagship antivirus software was found to be harboring an embarrassing security flaw that could have been exploited to achieve remote-code execution. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/06/trend_micro_leak/

NSA to Congress: Our spy programs don’t work, aren’t used, or have gone wrong – now can you permanently reauthorize them?

The NSA was unable to give a single example of how one of its most controversial spying programs has been useful in the fight against terrorism in a Congressional hearing on Wednesday morning.

The repeated refusal by NSA senior official Susan Morgan to provide any detail whatsoever about how the program – which the NSA and FBI are formally asking Congress to permanently authorize – has proved useful, left senators on the Judiciary Committee shaking their heads in disbelief.

Among those expressing their frustration were the two senators, Patrick Leahy (D-VT) and Mike Lee (R-UT), who co-sponsored the USA Freedom Act that the intelligence services are asking be reauthorized before it expires on December 15.

In response to requests from, among others, Senator Dianne Feinstein (D-CA), Lindsey Graham (R-SC), Leahy and Lee, the NSA’s Morgan argued that it was only possible to give an answer to the question in a closed, classified session. The senators repeatedly rejected that position, with Feinstein stating bluntly: “That’s inadequate. If you can’t give us any indication of specific value, there is no reason for us to reauthorize it.”

That wasn’t the only source of tension: both Leahy and Lee expressed their frustration with the failure of the Director of National Intelligence (DNI) to answer letters they had sent to him about why the NSA had shut down the so-called Section 215 spying program which allows the agency to gather the phone records of millions of Americans.

We’ve killed it. Now let’s keep it alive

Back in June 2018, the NSA unexpectedly announced that it had unlawfully collected hundreds of millions of call details from American citizens. The spy agency said it was unable to separate legitimate data from unlawful data and so as a result it was deleting it all. Then, just four months later, the exact same thing happened again – but we only learnt about it in June this year, eight months later, when a document outlining the second deletion was provided to a civil rights organization as part of an ongoing legal case.

Two months before that release, the NSA announced that as a result of the repeat failures of the program, it would discontinue the mass collection of data. But, amazingly, it is still asking Congress to permanently reauthorize the program in case it proves useful in future.

The ridiculousness of the situation was not lost on the senators. “We are only a month away [from the USA Freedom Act reauthorization],” noted Leahy, “and we don’t know what caused the mass overcollection, what companies were responsible, or why NSA was not able to separate the unlawful material from the lawful material.”

He went on: “And it’s not as if Senator Lee and I have not tried to gather this information… Almost a year ago, we wrote a letter to the Director of National Intelligence and the Justice Dept – and failed to get a response. Seven months later, we wrote again, and we have yet to get a substantive response.”

Leahy then made it plain that unless Congress gets some answers “there is no reason for us to reauthorize [the program]” and he called the NSA’s request to be given the permanent right to run several of its programs just in case they become useful in future “not appropriate.”

“We are legislating in the dark,” he complained.

Same old game

The NSA has repeatedly failed to provide lawmakers with information they have requested over long periods of time, and then only provided basic information on the eve of legislative renewals, as a way of pushing through reauthorization of controversial programs.

Most notably, the DNI spent over a year telling Senator Ron Wyden (D-OH) that it was working on a way to provide him with metrics on how many US citizens were included in a different spying database. It then declared, just a month before the program’s reauthorization, that it hadn’t been possible to do so, causing Wyden to vent his fury.

Adding insult to injury, it later emerged that that response was a lie and the intelligence services did in fact possess the very information that Wyden was asking for.

In response to today’s hearing in the Judiciary Committee, Wyden and Senator Martin Heinrich (D-NM) have called for a similar hearing in their own Senate Intelligence Committee.

“The public deserves information about this controversial surveillance law which has impacted hundreds of millions of law-abiding Americans,” they said. “It is particularly important that whichever committee marks up reauthorization legislation first hold an open hearing so that its members can elicit public information that will form the basis for their votes.”

But back to today’s hearing: the NSA played the same game again. Deputy assistant attorney general of the DoJ, Brad Wiegmann, told the hearing that he apologized that they had not been able to respond to the letters from Leahy and Lee over what went wrong with the spy program, but that the delay was due to the Administration developing a position on the issue, something that was only achieved in August.

Drafty in here

To cries of exasperation and disbelief, Wiegmann then told the senators that he had hoped to bring a response with him to the hearing but that it was still in draft form. They would “have it this week,” he promised.

That response led chair Lindsey Graham to comment “well, that’s progress”, but Senator Lee remained incensed: “I think we may need monthly hearings – to stay in contact on this,” he threatened. Sensing that he wasn’t being taken seriously, he immediately followed up: “I’m dead serious. We are not messing around here. I don’t appreciate a one-year delay.”

Despite the fireworks and clearly stated frustrations of the senators, it’s not clear that Congress will act to cancel spying provisions within the USA Freedom Act. The intelligence services have proved extremely adept at playing the political game, and in this case they are seeking a permanent reauthorization of all their programs, meaning they would never again have to face Congress with the risk of losing their powers.


Wiegmann may have accidentally given away the intelligence services’ negotiating position, however, when – under repeated fire from the senators – he suggested that the program could again be reauthorized for a few years, rather than permanently.

He explained the rationale for permanent reauthorization as follows: “Since it has been reauthorized so many times [four], at some point Congress should be confident enough that it can approve them permanently.”

He then, somewhat implausibly, said that he “didn’t know” of any privacy concerns that would stop that permanent reauthorization.

As for why spying programs that have never been used, have failed to work properly, or remain highly controversial should be reauthorized at all, the representatives of the NSA, DoJ and FBI all had the same answer: they are valuable “tools in our toolbox”, and both the nature of terrorist organizations and technology continue to change over time, meaning that the intelligence agencies need the “agility” to evolve with them.

Based on events today in the Senate Judiciary Committee’s hearing room, that argument is not going to cut it. But then, as the NSA knows only too well, what senators say in public and what they end up doing when confronted with a decision are often not entirely consistent. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/06/nsa_spy_programs/