STE WILLIAMS

Find out how to manage detection and response for better cyber security

Webcast While a prevention layer around your network is important, don’t forget you need detection and response practices to deal with threats once they’re in your systems – and to mitigate their effects quickly and thoroughly.

Basically, an old-school firewall just isn’t going to cut it, though we all know that.

With such a heavy focus on detection and response now, it makes huge sense to start thinking about how to oversee these operations, especially in increasingly complex cloud and hybrid cloud environments.

That’s where managed detection and response (MDR) comes in. As an approach, MDR layers a provider’s monitoring and analysis on top of the tools you already run, so threats can be tracked across your systems without ripping out your existing estate of security products.

With an emphasis on tracking specific security events and applying analytics to them, managed detection and response is a good way to complement your security team’s existing skills with those of a managed provider that can go deep in the areas where you need it.

On March 25, 2020 at 4pm GMT / 9am PT, a webcast, brought to you by Open Systems, will discuss MDR: Open Systems’ Dave Martin will tell The Reg’s Tim Phillips why your organization needs it, how you can get your corporate stakeholders on board, and how best to implement it once you decide to bring it in.

Integrating disconnected products, optimizing automation in threat detection, improving response time and quality, and making the best use of your existing security skills – no matter how scarce – are the main topics of conversation.

Sign up for the webcast: Why you need managed detection and response.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/cyber_security_webcast_open_systems/

Blacklists Miss 21% of Phishing Attacks, Internet Traffic Reveals

Visibility into phishing attacks by content delivery networks and security firms shows many domains fail to be classified as malicious.

More than 20% of the sites used for phishing are not detected by current blacklists as malicious, even days after the start of an attack, according to new research published by internet-services firm Akamai.

The result is that at least 2.4 million visitors to those websites have encountered a potentially malicious attack in a four-month period starting last October, including a spike around Black Friday of nearly 400,000 victims, Akamai concluded. The phishing pages mimicked the legitimate sites of more than 20 different brands using graphics and resources stolen from those sites, the company said.

That the infrastructure of a fifth of phishing attacks is not detected for some time underscores the dangers that phishing continues to pose, says Or Katz, a security researcher at Akamai.

“The fact that we are still seeing a lot of phishing attacks, and we don’t see coverage for those 20% of those malicious URLs, limits our ability to defend against phishing,” he says. “At the end of the day, a lot of these scams are highly effective.”

Phishing continues to be a popular — and effective — technique for attackers. In 2019, nearly a third of all breaches involved a phishing attack, making it the top threat action used in successful breaches, according to Verizon’s “2019 Data Breach Investigations Report” (DBIR). While that report showed click rates on links in simulated phishing attacks have declined significantly — down to 3% in 2018, from nearly 25% in 2012 — the incidence of phishing remains high.

Phishing e-mail messages, for example, accounted for almost 90% of all high-risk e-mail blocked by security firm Trend Micro, and 44% of those phishing attacks attempted to convince users to part with their credentials, up from only 9% in 2018, the company said in its “Cloud App Security 2019 Report,” published on March 10.

The reason is clear: Attackers are attempting to escape detection and collect credentials to use against other cloud services, the company said.

“Perhaps the simplest possible reason for this increase is that threat actors have been busy updating their phishing websites to reflect a new set of links to avoid detection by antivirus software,” the company stated. “It’s also possible that a number of new groups have begun launching campaigns with their own batch of URLs, hence the massive increase in the detection of unknown URLs.”

The most convincing phishing attacks use content stolen from branded sites as camouflage to fool the victim. More than 1,300 URLs were used for phishing in the four months Akamai collected data, Akamai stated in its analysis.

The majority of the victims of the attacks appear to be from South America, while 28% were from South Asia, Akamai stated. While the company tallied at least 2.4 million potential victims based on visitors requesting resources from its network, that is a conservative estimate and is likely much higher, Akamai stated.

Akamai detected phishing domains and URLs by watching for sites that request resources from known legitimate websites, such as images, cascading style sheets (CSS), or legitimate libraries and services. After gathering information from a victim, many phishing sites will send the user back to the legitimate site to assuage suspicions. 

“This works when criminals create a website that looks similar, or identical, to the brand being abused, giving victims a false sense of security,” the company said. “With that sense of security and trust established, victims often end up giving away personal or sensitive information.”
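The detection idea described above, a look-alike page hot-linking the real brand’s images and stylesheets, can be reproduced from ordinary CDN access logs. The following is an added example and is not Akamai’s code: the brand hostnames, the log lines (Combined Log Format with a Referer field, as a CDN edge would write them) and the “at least two distinct assets” threshold are all assumptions made for the example.

```python
"""Referer-based detection of look-alike phishing pages.

Added illustrative example, not Akamai's code. The log lines below are
constructed; the brand hostnames are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames the brand legitimately serves pages from. A Referer
# from any other host means a third-party page is embedding brand assets.
BRAND_ORIGINS = {"www.example-bank.test", "login.example-bank.test"}

# Resource types a look-alike page typically hot-links from the real site.
ASSET_EXT = (".png", ".jpg", ".svg", ".css", ".js", ".woff2")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log from the brand's asset host. A genuine login page,
# a look-alike at example-bank-secure-login.test visited by two people, a
# direct hit with no Referer, and a partner article embedding the logo once.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2019:10:01:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.test/login" "Mozilla/5.0"
203.0.113.9 - - [29/Nov/2019:10:01:05 +0000] "GET /static/site.css HTTP/1.1" 200 8800 "https://www.example-bank.test/login" "Mozilla/5.0"
198.51.100.7 - - [29/Nov/2019:10:02:11 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "http://example-bank-secure-login.test/verify.php" "Mozilla/5.0"
198.51.100.7 - - [29/Nov/2019:10:02:11 +0000] "GET /static/site.css HTTP/1.1" 200 8800 "http://example-bank-secure-login.test/verify.php" "Mozilla/5.0"
198.51.100.8 - - [29/Nov/2019:10:03:40 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "http://example-bank-secure-login.test/verify.php" "Mozilla/5.0"
198.51.100.8 - - [29/Nov/2019:10:03:41 +0000] "GET /static/site.css HTTP/1.1" 200 8800 "http://example-bank-secure-login.test/verify.php" "Mozilla/5.0"
192.0.2.33 - - [29/Nov/2019:10:05:00 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "" "Mozilla/5.0"
192.0.2.44 - - [29/Nov/2019:10:06:00 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://news.example-partner.test/article" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one Combined Log Format line; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ref_host"] = urlsplit(rec["referer"]).hostname or ""
    return rec


def find_lookalike_referers(log_text, brand_origins=BRAND_ORIGINS, min_assets=2):
    """Return {referer_host: {"assets", "victims", "first_seen"}} for third-party
    hosts whose pages hot-link at least `min_assets` distinct brand assets.
    Empty Referers (bookmarks, privacy extensions) are ignored, and a single
    embedded logo on a partner site does not reach the threshold."""
    seen = defaultdict(lambda: {"assets": set(), "victims": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(ASSET_EXT):
            continue
        host = rec["ref_host"]
        if not host or host in brand_origins:
            continue
        entry = seen[host]
        entry["assets"].add(rec["path"])
        entry["victims"].add(rec["ip"])        # distinct visitors = potential victims
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return {h: e for h, e in seen.items() if len(e["assets"]) >= min_assets}


if __name__ == "__main__":
    for host, e in find_lookalike_referers(SAMPLE_LOG).items():
        print(f"{host}: {len(e['assets'])} brand assets hot-linked, "
              f"{len(e['victims'])} distinct visitors, first seen {e['first_seen']}")
```

The first-seen timestamp is the useful output here: it is the moment the look-alike page went live with real traffic, which can be compared against when (or whether) the host later appears on a blacklist.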

The Akamai data did not indicate whether the victims were mobile users, but the Verizon 2019 DBIR found that an increasing number of those who click on phishing links — 18% in 2018 — were mobile users. Mobile devices have less capability to convey information that could tip users off to malicious sites, Verizon stated in the report.

“[O]n the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions,” the Verizon report stated.


Article source: https://www.darkreading.com/threat-intelligence/blacklists-miss-21--of-phishing-attacks-internet-traffic-reveals/d/d-id/1337289?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Gender Equality in Cybersecurity Could Drive Economic Boost

If the number of women in cybersecurity equaled the number of men, the US would see an economic gain up to $30.4 billion, research shows.

The global cybersecurity workforce must grow by 145% to meet demand, (ISC)² reports; more than 4 million jobs will be left unfilled if it doesn’t. A new study finds closing the gender and skills gaps could boost the US and UK economies by $30.4 billion and £12.6 billion, respectively.

In a new study, Tessian researchers worked with the Centre for Economics and Business Research (Cebr), and polled and interviewed female cybersecurity practitioners, to analyze the economic effects of the gender gap and skills gap. They learned that if both were minimized and the number of women in cybersecurity equaled the number of men, the total contribution of the cybersecurity industry could grow to reach $138.1 billion and £41.3 billion in the US and UK economies, respectively.

Addressing the wage gap between women and men could also drive an economic boost. If women in the industry earned as much as men, a change that 28% of women say could encourage more female talent to enter the industry, it could bring billions more. Women in the US earn 17% less than men; in the UK, the gender pay gap is 19%. If the salaries were equal, researchers say, the US economy would grow by $12.7 billion; the UK economy by £4.4 billion.

Two-thirds of women agree there is a gender gap in cybersecurity, but it isn’t the only challenge they face. Other hurdles include lack of industry awareness, as reported by 43% of women on average, as well as lack of clear career paths (43%), lack of requisite skills (33%), and lack of role models (23%). Women in larger organizations (500+ employees) are nearly three times as likely to cite lack of gender balance as a challenge they’ve faced, researchers report.


Article source: https://www.darkreading.com/risk/gender-equality-in-cybersecurity-could-drive-economic-boost-/d/d-id/1337290?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How the Rise of IoT Is Changing the CISO Role

Prepare for the future by adopting a risk-based approach. Following these five steps can help.

The role of the CISO is rapidly changing to include managing safety risks as well as protecting sensitive information, according to a recent Gartner report. This shift is being driven by the deployment of cyber-physical systems (CPS) such as Internet of Things (IoT) devices used in building management systems and healthcare facilities, as well as operational technology (OT) devices used in manufacturing plants, oil and gas facilities, energy and water utilities, transportation, mining, and other critical industrial infrastructure.

Because CPSs encompass both the digital and physical worlds, they are prime targets for adversaries seeking to cause major safety and environmental incidents and/or operational disruption. Examples include the TRITON attack on safety systems in a petrochemical facility, the Ukrainian grid attacks, NotPetya, and the Norsk Hydro ransomware attacks.

In addition, last August Microsoft reported that it observed a Russian state-sponsored threat group using IoT smart devices as entry points into corporate networks, from which they attempted to elevate privileges to launch further attacks. More recently, we’ve also seen attackers compromising IoT building access control systems to pivot deeper into corporate networks.

Industry analysts estimate that some 50 billion IoT devices will soon be deployed worldwide, dramatically increasing the attack surface. Because these embedded devices can’t be protected by agent-based technologies — and are often unpatched or misconfigured — CISOs need new strategies to mitigate IoT security risk. Otherwise, it’s not hard to imagine that regulators and corporate liability lawyers will soon hold C-level executives negligent — and even personally liable — for failing to implement safety-related security controls.

Five Steps Toward Mitigating CPS and IoT Risk
Idaho National Laboratory (INL) has developed a methodology for addressing CPS and IoT/OT risk called consequence-driven cyber-informed engineering (CCE). Based on this INL approach, here are five steps that all organizations should consider prioritizing in the near future:

  1. Identify crown jewel processes: You can’t protect everything all the time, but you can protect the most important things most of the time. Therefore, ruthless prioritization of the functions whose failure would result in major safety or environmental incidents, or operational disruption, is key. Through conversations with business owners, infrastructure managers, and OT personnel, identify the things you most need to protect upfront.

  2. Map the digital terrain: Identify and categorize all connected assets in the organization, regardless of whether they’re considered IT, IoT, building management systems (BMS), OT, or smart personal devices, such as Alexa and gaming systems. This includes understanding how information moves through your network and who touches the equipment, including third-party vendors and maintenance contractors with remote access connections.

  3. Illuminate the most likely attack paths: Analyze risks and vulnerabilities in your network to determine the most likely attack vectors to your crown jewel assets and processes. This can be done using automated threat modeling as well as by using red-team exercises to identify other entry points, such as social engineering and physical access to your facilities.

  4. Mitigate and protect: Once you have an idea of the most likely attack paths, develop a prioritized approach for mitigating risk. This can include steps such as reducing the number of Internet-accessible entry points, using zero-trust micro-segmentation policies to segregate IoT and OT devices from other networks, and patching critical vulnerabilities that sit on the most likely attack paths. The main ongoing compensating control is continuous, agentless network security monitoring that flags suspicious or unauthorized behavior as soon as it appears — such as a CCTV camera browsing Active Directory.

  5. Remove silos between IT, OT, IoT, and CPS: As the CISO, securing the enterprise means being accountable for all digital security — whether it’s IT, OT, IoT, or CPS. Creating unified security monitoring and governance requires a holistic approach to people, processes, and technology. Technical aspects include forwarding all IoT/OT security alerts to the security operations center and leveraging existing security information and event management (SIEM), security orchestration automation and response (SOAR), and prevention mechanisms (firewalls and network access control systems) to rapidly respond to IoT/OT incidents, such as rapidly quarantining devices that have been detected as sources of malicious traffic.
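Steps 2, 4 and 5 above fit together in one piece of detection logic: an asset inventory says what each device is, a segmentation policy says where it may talk, and flow records from a network tap are checked against both, with the result emitted as JSON for the SIEM and a quarantine list for NAC. The following is an added example, not CyberX’s or INL’s code; the inventory, the flow records and the site layout (cameras and badge readers on 10.20.0.0/16, IT including the domain controllers on 10.1.0.0/16) are constructed assumptions.

```python
"""Agentless detection of IoT/OT assets stepping outside their role.

Added illustrative example tying together steps 2, 4 and 5 above; it is not
CyberX's or INL's code. The asset inventory, the flow records and the site
layout are all constructed assumptions.
"""
import csv
import io
import ipaddress
import json

# Step 2, map the digital terrain: a constructed inventory of connected assets.
INVENTORY_CSV = """\
ip,category,description
10.1.0.10,IT,dc01 (Active Directory domain controller)
10.1.0.11,IT,dc02 (Active Directory domain controller)
10.1.5.23,IT,helpdesk workstation
10.20.0.2,OT,building management head end (NVR and access control)
10.20.1.5,IoT,CCTV camera (lobby)
10.20.1.6,IoT,CCTV camera (loading dock)
10.20.2.9,IoT,badge reader (east entrance)
"""

# Directory services a camera or badge reader never needs; port -> name.
DIRECTORY_PORTS = {88: "kerberos", 135: "msrpc", 389: "ldap", 445: "smb", 636: "ldaps"}

# Step 4, segmentation policy expressed as allowed destinations per category.
# Assumption: IoT devices only talk to the head end on the OT management subnet;
# OT systems stay inside the OT/IoT range. Anything else is out of policy.
ALLOWED_DESTINATIONS = {
    "IoT": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
}

# Constructed flow records, Zeek conn.log-style (tab separated): normal RTSP and
# OPC UA traffic, a workstation doing LDAP, then a lobby camera hitting LDAP and
# SMB on dc01 and a dock camera reaching an IT workstation.
FLOWS_TSV = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state
1583884800.1\t10.20.1.5\t10.20.0.2\t554\ttcp\tSF
1583884801.4\t10.20.2.9\t10.20.0.2\t4840\ttcp\tSF
1583884803.0\t10.1.5.23\t10.1.0.10\t389\ttcp\tSF
1583884805.2\t10.20.1.5\t10.1.0.10\t389\ttcp\tSF
1583884805.9\t10.20.1.5\t10.1.0.10\t445\ttcp\tS0
1583884807.3\t10.20.1.6\t10.1.5.23\t80\ttcp\tSF
1583884809.0\t10.20.0.2\t10.20.1.5\t80\ttcp\tSF
"""


def load_inventory(text):
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def detect(flows_tsv, inventory):
    """Return SIEM-ready alert dicts (step 5) for flows in which an IoT/OT
    asset reaches a directory service, or any destination outside its policy.
    IT sources and unknown devices are left to other rules."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flows_tsv), delimiter="\t"):
        asset = inventory.get(row["id.orig_h"])
        if asset is None or asset["category"] not in ALLOWED_DESTINATIONS:
            continue
        dst = ipaddress.ip_address(row["id.resp_h"])
        port = int(row["id.resp_p"])
        in_policy = any(dst in net for net in ALLOWED_DESTINATIONS[asset["category"]])
        if port in DIRECTORY_PORTS:          # "a CCTV camera browsing Active Directory"
            rule, severity = "iot_ot_directory_access", "high"
        elif not in_policy:
            rule, severity = "iot_ot_out_of_policy_destination", "medium"
        else:
            continue
        alerts.append({
            "ts": float(row["ts"]), "rule": rule, "severity": severity,
            "src": row["id.orig_h"], "src_asset": asset["description"],
            "dst": row["id.resp_h"],
            "dst_asset": inventory.get(row["id.resp_h"], {}).get("description", "unknown"),
            "service": DIRECTORY_PORTS.get(port, f"tcp/{port}"),
            "conn_state": row["conn_state"],   # S0 = attempted, not completed
        })
    return alerts


def quarantine_candidates(alerts):
    """Sources worth handing to NAC for isolation: high-severity hits only, so
    that a single out-of-policy HTTP request does not knock a camera offline."""
    return sorted({a["src"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    found = detect(FLOWS_TSV, inv)
    for alert in found:
        print(json.dumps(alert))             # one JSON line per alert for the SIEM
    print("quarantine:", quarantine_candidates(found))
```

Note that the SMB attempt is reported even though its connection state is S0 (never completed): for a device that should never speak SMB at all, the attempt is the signal, and waiting for a successful session would only delay the alert.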

Proactively Preparing for the Future
Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are motivated, determined, and highly capable of causing disruption and destruction.

Industry experts agree that determined attackers will eventually find a way into your network, so a better strategy is to deploy monitoring to spot them in the early reconnaissance stages of the kill chain, in order to mitigate attacks before they can cause significant damage. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversaries were inside the network for several years before being discovered, and then only because a bug in their malware inadvertently shut down the plant for a week.

It is imperative for boards and management teams to recognize the new safety and security risks posed by IoT and CPS systems — and proactively prepare for them using a risk-based approach.


Phil Neray is VP of IoT Industrial Cybersecurity for CyberX, a Boston-based security firm founded by blue-team experts with a track record of defending critical national infrastructure. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, … View Full Bio

Article source: https://www.darkreading.com/risk/how-the-rise-of-iot-is-changing-the-ciso-role/a/d-id/1337231?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

I Want to Work in Industrial IoT Security. What Lingo Do I Need to Know?

Should you happen to be in a meeting with an ICS vendor, here are some terms you will need to know so as to not be laughed out of the room.


Question: I want to work in industrial IoT security. What lingo do I need to know?

Tanner Johnson, senior cybersecurity analyst at Omdia: The industrial IoT (IIoT) is a market in a state of major expansion. The adoption of IoT technology, and its incorporation into areas of manufacturing and critical infrastructure, introduces both significant challenges and opportunities. Should you happen to be in a meeting with an industrial control system (ICS) vendor, here are some terms you will need to know so as to not be laughed out of the room:

DCS: A Distributed Control System is a digital operations mechanism composed of controllers distributed throughout the facility, and it is configured using various physical components to measure and control a specific process (known as a control loop). This design instructs the various system tasks to be performed in a sequential manner, allowing for greater automation by focusing on the execution of specific processes. These controllers can be a single, discrete component or a part of a larger complex function, such as a SCADA system.

SCADA: Supervisory Control and Data Acquisition is an operations mechanism designed for higher-level data collection, aggregation, and collation. While a DCS is driven by preprogrammed and automated sequential processes, SCADA systems are driven only by events, which in turn are programmed to trigger additional actions within the facility. This helps to reduce the load of information that needs to be managed by the host computer. Additionally, these systems can be deployed over long distances and cover large-scale processes at multiple locations. The various SCADA control actions are executed by RTUs or PLCs.

RTU: Remote Terminal Units are electronic devices designed to provide a means of interfacing various objects in the physical world with the digital components of a DCS or SCADA system. RTUs transmit telemetric information on the status and behaviors of connected objects within the facility to the control system. In turn, they are instructed on how to interact with the connected objects.

PLC: Programmable Logic Controllers are usually small digital computers designed for various configurations that offer both digital and analog inputs. Additionally, these devices can be hardened against harsh environmental factors like temperature and electrical interference. Their high level of reliability, interoperability, and simplicity of programming make them desirable for large-scale environments.

These components comprise the foundation of our IIoT ecosystem, which is essential for an efficiently functioning critical infrastructure. As a result, it is essential that each of these components be protected from compromise. The disruption of services for the industrial market is not only costly, but under certain circumstances it can pose substantial risks to national security.


Article source: https://www.darkreading.com/edge/theedge/i-want-to-work-in-industrial-iot-security-what-lingo-do-i-need-to-know/b/d-id/1337292?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Brave browser to block web fingerprinting with randomisation

As privacy experts constantly remind everyone, when it comes to tracking using web fingerprinting, users can run, but they simply can’t hide.

Most people assume third-party cookies are the main way they’re tracked from website to website and across different web sessions, and to a large extent that’s still true.

More recently, however, browsers and adblockers have started clamping down on this way of profiling users, which is why a second technique dating back a decade has come to the fore. It’s called browser fingerprinting, aka the ‘cookieless monster’.

It works by analysing dozens of characteristics of a user’s software and hardware setup, which taken together form a unique pattern or fingerprint.

Having created this, advertisers track users as they browse by noticing every time that pattern pops up on sites across the web.

Even settings meant to protect privacy, such as the failed Do Not Track (DNT) request header, can be used to aid fingerprinting collection.

It sounds almost impossible to stop, but not according to the makers of the Brave browser, which is using its latest developer build to test a new defence against fingerprinting: confusing fingerprinting collection algorithms by randomising some of the data they collect. As Brave explains it:

By making your browser constantly appear different when browsing, websites are unable to link your browsing behaviour, and are thus unable to track you on the web.

The main targets of this are the numerous Web APIs such as WebGL, the Canvas API and AudioContext that make it easy for developers to add graphical and other media features to websites.

But these can also be exploited invisibly by fingerprinting collection. For example, in canvas fingerprinting a website uses the HTML5 Canvas API to draw hidden text and shapes, reads the resulting pixels back, and hashes them. Because font rendering, anti-aliasing and GPU drivers differ minutely from machine to machine, the hash is stable for one machine but different across machines.

Brave tries to “poison” this value by randomising some of the data sent back to the website, in principle generating a different value every time it is accessed.
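What “poisoning” the value means in practice, as an added simulation that is not Brave’s code: there is no real canvas here, so a deterministic stand-in “render” plays the part of the machine-specific pixels a browser would produce, the tracker is modelled as “hash the pixels”, and the perturbation is driven by a keystream derived from a per-session key and the site name. That seed derivation, the 1-in-32 flip rate and the machine identifier are assumptions made for the example; the page does not describe Brave’s actual scheme.

```python
"""Canvas-fingerprint poisoning, simulated end to end.

Added illustrative example, not Brave's code. The "render" is a stand-in for
what a real font/GPU stack would draw; the per-session, per-site keystream is
an assumption for the example.
"""
import hashlib
import hmac
import os

WIDTH, HEIGHT = 64, 16  # a tiny hidden RGBA canvas


def render_machine_specific(machine_id: bytes) -> bytes:
    """Stand-in for drawing hidden text. Each machine renders slightly
    differently (fonts, anti-aliasing, GPU driver); that is modelled here by
    deriving the pixels from a machine identifier. Constructed, not real drawing."""
    px = bytearray()
    for y in range(HEIGHT):
        row = hashlib.sha256(machine_id + bytes([y])).digest()
        for x in range(WIDTH):
            px += bytes((row[x % 32], row[(x + 7) % 32], row[(x + 13) % 32], 255))
    return bytes(px)


def fingerprint(pixels: bytes) -> str:
    """What the tracking script does with the result of getImageData()."""
    return hashlib.sha256(pixels).hexdigest()


def _keystream(session_key: bytes, site: str, nbytes: int) -> bytes:
    """Keyed pseudorandom bytes (HMAC in counter mode) so the perturbation is
    reproducible for one (session, site) pair and unpredictable to the site."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        msg = site.encode() + counter.to_bytes(4, "big")
        out += hmac.new(session_key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def farble(pixels: bytes, session_key: bytes, site: str) -> bytes:
    """Flip the least-significant bit of roughly 1 in 32 colour channels,
    chosen by the keystream. A one-step colour change is invisible to a person
    but changes every bit of the hash a tracker computes."""
    ks = _keystream(session_key, site, len(pixels))
    out = bytearray(pixels)
    for idx, r in enumerate(ks):
        if idx % 4 == 3:       # never touch alpha
            continue
        if r < 8:
            out[idx] ^= 1
    return bytes(out)


def reported_fingerprint(machine_id: bytes, session_key: bytes, site: str) -> str:
    """The value a farbling browser hands back to a given site."""
    return fingerprint(farble(render_machine_specific(machine_id), session_key, site))


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change; 1 means the poisoning is not perceptible."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    machine = b"laptop-with-nvidia-and-dejavu-fonts"   # constructed identifier
    site = "tracker.example"
    print("unprotected:", fingerprint(render_machine_specific(machine)))
    for _ in range(2):                                   # two browser sessions
        session_key = os.urandom(32)
        print("farbled    :", reported_fingerprint(machine, session_key, site))
```

Keying the keystream on the site as well as the session is what stops a tracker from correlating the value it sees on one domain with the value a different domain sees, while keeping the value stable enough within a session that a site which genuinely depends on the canvas does not see it change between page loads.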

Although fingerprinting has a lot of possible APIs and network IDs to utilise, Brave’s concept is that it is only necessary to disrupt a few to confuse surveillance.

The company offers a demo site which users can visit to see how their fingerprint value remains constant between visits, even when browser data and cookies are deleted, or when using incognito mode. When repeated with Brave’s developer version, by contrast, each value should be different.

Why not just block the APIs outright? Because that might break a lot of websites users value.

The downside of blocking fingerprinting is that the technique is also used for legitimate reasons, for example by banks to detect account takeover (the criminal’s browser not being the same as the legitimate account holder’s).

The interesting aspect of Brave’s anti-fingerprinting is that the company seems determined to compete head-on with Mozilla’s Firefox, which from version 72 has blocked fingerprinting by blocking third-party requests from companies known to use the technique.

This is unlikely to be as effective as Brave’s technique. Not coincidentally, Mozilla said in January that:

The path forward in the fight against fingerprinting will likely involve both script blocking and API-level protections.

Which sounds as if the same technique now adopted by Brave will eventually turn up in Firefox at some point.

Brave hasn’t said when the feature will be rolled out. But after the slow-motion emergence of cookie control, it looks as if browser makers might finally be about to get serious about tackling fingerprinting.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1gp7dDOSQzo/

Trial for accused CIA leaker ends in hung jury

A Manhattan federal judge on Monday declared a mistrial in the case against ex-CIA employee Joshua Adam Schulte, who was accused of stealing a huge cache of classified hacking tools – dubbed Vault 7 – from the US Central Intelligence Agency and leaking it to WikiLeaks.

WikiLeaks called the initial document dump – published on 28 February 2017 and containing 8,761 documents and files – “Year Zero”. It included documents and files from an isolated, high-security network inside CIA headquarters in Langley, Virginia.

On 7 March 2017, WikiLeaks launched a new series of leaks, which it claimed would be the largest dump of confidential documents on the CIA in history.

Year Zero painted an intimate picture of the US’s cyber-espionage efforts: Vault 7 included cyberattack tools including malware, viruses, Trojans and weaponized zero-day exploits, including those that target a wide range of big tech companies’ most popular products: iPhones, Wi-Fi routers, Android devices, and IoT gadgets. In fact, the dump made one thing clear: the CIA can use the Internet of Things (IoT) to hack anything, anywhere.

Schulte was working at the CIA’s Engineering Development Group at the time of the code theft. He was charged with 13 counts in connection with the alleged theft of national defense information from the CIA; giving the huge cache to WikiLeaks; criminal copyright infringement; and receiving, possessing and transporting about 10,000 child abuse images and videos.

The FBI claimed to have found an “encrypted container” with child abuse imagery files tucked beneath three layers of password protection on Schulte’s PC. The FBI accused Schulte of maintaining lousy security, saying that each layer was unlocked using passwords Schulte previously used on one of his cellphones. FBI agents also claimed to have identified internet chat logs in which Schulte and others discussed distributing child abuse imagery as well as a series of Google searches for such imagery that Schulte allegedly conducted.

Schulte pleaded not guilty to the charges, claiming that the images were on a server he’d maintained for years in order to share movies and other digital files. He argued that between 50 and 100 people had access to that server, and any one of them could have been responsible for the illegal content.

The jury found Schulte guilty of lying to the FBI and of contempt of court. But when it came to the far more serious charges of turning over the spy tools to WikiLeaks, the jury couldn’t reach consensus. Schulte, 31, still faces up to five years on the lesser counts.

On Monday, after US District Judge Paul Crotty declared a mistrial, he ordered both sides back to court on 26 March 2020, when the government is expected to push for a new trial.

The mistrial is embarrassing: prosecutors spent years pulling the case together, and they devoted four weeks of testimony in an effort to portray Schulte as a vindictive and disgruntled employee who put US security at risk by leaking information on how the CIA spied on foreign adversaries.

Prosecutors portrayed the Vault 7 leak as a well-planned theft orchestrated by Schulte, whom they claim gave hackers access to the CIA’s top-secret hacking tools.

According to The Register, the CIA has had a rough time proving that it was Schulte who stole the tools from a secure server in the heart of CIA headquarters. The agency has come up with a convoluted explanation for how he might have pulled off the heist by saving a backup to a thumb drive and then reverting the system to a previous state to cover his tracks, but in the end, all it has is circumstantial evidence. The government hasn’t been able to show any direct proof that Schulte sent the files to WikiLeaks.

The CIA has tried to fill in the gaps by pointing to how Schulte has acted before and after the confidential documents were stolen, including that he downloaded Wikileaks’ cover-your-tracks software. Also, while in prison, Schulte had a contraband phone with which he opened a Twitter account – named @freejasonbourne, referring to the fictional CIA operative played by the actor Matt Damon – so that he could, as the prosecutors put it, launch an “information war” against the US.

Schulte’s defense lawyers have argued that the CIA’s computer network not only had crappy passwords – 123ABCdef and mysweetsummer among the main ones – but that those weak passwords were also published on the department’s intranet. The defense also argued that the network had widely known security vulnerabilities, the New York Times reports. Thus, it’s possible that other CIA employees, or foreign adversaries, could have breached the system.

On Monday, the jurors deadlocked on eight counts, including illegal gathering and transmission of national defense information. It’s no wonder they’ve been unable to reach agreement on Schulte’s guilt or innocence – the “there’s more here than meets the eye” is strong with this one.

The Times’ description of the “scramble” inside CIA headquarters following the discovery of the leak includes this scene:

Sean Roche, a top CIA official at the time, said he got a call from another CIA director who was out of breath. ‘It was the equivalent of a digital Pearl Harbor,’ he testified.

Schulte’s defense called their client an easy scapegoat: somebody who, having filed complaints about prank-playing, Nerf gun shooting colleagues, just didn’t quite fit in. “He had antagonized virtually all of his co-workers at the CIA,” the Times succinctly puts it.

The Register has yet more details about another suspicious character: one of Schulte’s colleagues, identified only as “Michael,” who was found to have a screen capture of “the very server the Vault 7 tools were stolen from at the time that they were allegedly being stolen.”

Hmm… that’s unusual, the government has admitted. Michael didn’t say he was actively monitoring the server at the time, and the screengrab only showed up months later in a forensic deep dive by the Feds, the Register reports.

When asked about it, Michael refused to cooperate, and the next day the CIA suspended him.

No wonder the jury was hung. This case is murky, which is most particularly dismaying given the high stakes involved.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n2-3QuBUhw0/

FBI arrests alleged owner of Deer.io, top market for stolen accounts

The FBI on Saturday arrested the alleged owner of Deer.io: a Russia-based marketplace for buying and selling credentials for hacked accounts siphoned off of malware-infected computers, victims’ personally identifiable information (PII), as well as financial and corporate data.

According to the arrest warrant, the suspect, Kirill Victorovich Firsov, was arrested at the John F. Kennedy Airport, in New York.

The unsealed indictment claims that Deer.io started up around October 2013 and claims to host over 24,000 active shops. They’re doing brisk business, with sales exceeding $17 million to date, selling hacked accounts for video streaming services like Netflix and Hulu and social media platforms such as Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook). It also sells phony social media accounts, which are popular for crooks running online dating scams.

Court documents claim that Firsov is a Russian hacker and allegedly the administrator of Deer.io. He not only managed the platform, the indictment alleges; he also advertised it on other cyber forums that catered to hackers.

Out of all the shops on Deer.io, the FBI still hasn’t found a single legitimate business advertising its services and/or products, and it’s been looking. The Bureau reviewed about 250 storefronts and found thousands of compromised accounts posted for sale, including gamer accounts, along with files containing user names, passwords, US taxpayer IDs, dates of birth, and addresses for victims, who are largely located in Europe and the US.

Deer.io offers a “turnkey” online storefront design and hosting platform on Russian servers that are beyond the reach of US law enforcement, according to court papers. Besides helping cybercrooks to advertise and sell their products, much like an underworld Shopify or Squarespace, Deer.io also offers services, such as help with criminal hacking.

Buying a storefront to peddle your criminal products and services is quite cheap at around 800 Russian Rubles (USD $11) per month, and Deer.io guides the seller through an automated set-up to upload their wares and to configure cryptocurrency wallets to collect payments.

A criminal who wants to purchase from stores on the Deer.io platform can just use a web browser – there’s no fussing with tools to get to Dark Web hidden sites. The site even contains a search function, so buyers can search for hacked accounts from specific companies or PII from specific countries.

Earlier this month, the FBI went shopping. It bought approximately 1,100 compromised gamer accounts from a Deer.io store for under $20 in Bitcoin. That got it user names and passwords – which would be enough to enable someone to make purchases from those accounts at the expense of their real owners.

For about $170 in Bitcoin, the FBI also picked up about 999 individual PII accounts. On the same day, it bought another 2,650 accounts for about $522 in Bitcoin. That got the agents names, dates of birth and US Social Security numbers: all the data needed to commit identity theft and pull off financial fraud. All of these purchases confirmed that Deer.io shops are selling the real deal: it was all authentic information, as opposed to fake data.

As of Tuesday morning, this was what some of the Deer.io storefronts were offering for sale:

Stolen accounts listed for sale in Deer.io shops. IMAGE: Google Translate of Deer.io screen capture

According to ZDNet, Deer.io first came to light in a now-removed Digital Shadows report published in June 2016. Its first claim to fame came when a well-known hacker – Tessa88 – used a Deer.io shop to sell user data hacked from MySpace and LinkedIn.

According to ZDNet’s Catalin Cimpanu, he got a message from the Deer.io admin – believed to have been Firsov – back in 2016. The admin ducked Cimpanu’s question about selling hacked data, but they did claim that the site was working within Russian law. From that email:

deer.io works according to the laws of the Russian Federation.

Our clients can create shops that do not violate the laws of the Russian Federation. We block shops that sell drugs/stolen bank accounts. We will also block any shop if requested by Roskomnadzor or the competent authorities of the Russian Federation.

(Roskomnadzor, also known as the Federal Service for Supervision of Communications, Information Technology and Mass Media, is the Russian federal executive body responsible for censorship in media and telecommunications.)

The Feds haven’t outlined what led them to finger Firsov as the alleged admin of Deer.io, but security journalist Brian Krebs has traced a line of clues, starting with a Twitter profile that says he’s a security researcher and developer who currently lives in Moscow.

That account includes tweets about Firsov having discovered a number of serious security flaws in the Telegram messaging app, as well as references to winning multiple “capture the flag” hacking competitions.

Krebs goes on to note that the admin for a popular online crime forum posted on Tuesday about Firsov being a 28-year-old from Krasnodar, Russia who studied at the Moscow Border Institute – a division of the Russian Federal Security Service (FSB).

Firsov is slated to be arraigned later this week. He’ll be facing two felony counts: aiding and abetting of trafficking, and trafficking of stolen information.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nGKS79mvCJI/

The Reg produces exhibit A1: A UK court IT system running Windows XP

Exclusive A critical crown court IT system and thousands of laptops used by the UK’s Ministry of Justice run on Microsoft’s obsolete and unsupported Windows XP operating system, The Register can reveal.

As recently as March 2019, the ministry was paying hundreds of thousands of pounds for a VPN to support 2,000 Windows XP laptop users – news that comes as the department admits that a critical court IT system is also running on XP boxen.

Rumours began circulating on Twitter last week after a barrister wondered whether the criminal courts’ DARTS audio recording system was running on Windows XP.

Ben Rowe wondered aloud whether something he was told in court about the use of XP, the obsolete Microsoft operating system for which all updates ended years ago, was true.

The Register asked the MoJ whether this rumour, as well as a similar one about the XHIBIT court listings system, was true. We also asked whether the ministry is paying Microsoft for an extended support licence. Such a licence would mean that even though general updates – including critical security patches – for Windows XP ended years ago, the MoJ was still receiving upgrades for the elderly OS.

Yet when looking at public MoJ spending data for the first half of 2019, El Reg was only able to find a £600,000 payment to Vodafone described as “cost of providing secure Virtual Private Network to 2,000 Windows XP laptop users” made in March last year. There were no entries in spreadsheets examined by The Register for payments directly to Microsoft.

A ministry spokesman would only say: “We are in the process of upgrading our courts’ computer systems. We have robust security in place as well as a specialist team constantly checking for threats.”

He did, however, tell El Reg that while the MoJ wasn’t going to discuss specifics, one of the two court systems was running on Windows 10 machines – and the other is said to not be internet-facing. XHIBIT is used to generate public court listings data to show which cases are being heard in crown courts every day.

Apart from the obvious, what does this mean?

Twitter personality CrimBarrister, a practising criminal lawyer, explained for El Reg what a hack against either DARTS or XHIBIT would mean. DARTS was first introduced in the late 2000s to replace human stenographers; the last stenography contract ended in March 2012.

“On a very basic level if DARTS isn’t functioning at all – say it’s down due to a [denial-of-service] hack – then that court room can’t sit unless they brought in a manual stenographer,” explained the barrister.

CrimBarrister continued: “If someone hacked into DARTS for content, then potentially evidence or legal argument which was for some reason being given in private could be published when it shouldn’t be, or evidence being given in court could be passed to a witness who shouldn’t get to know in advance what another witness had said, or to, for example, criminal associates.”

Crown courts in particular are full of legal arguments about whether evidence gathered by police should be revealed to juries. A criminal wanting to disrupt an ongoing trial could access DARTS and publish a recording about a piece of evidence which was ruled out by the judge. If the jury heard that argument, the entire trial would have to be abandoned.

The barrister concluded: “Like many of the issues facing the crown courts these days, it seems the technical security and integrity of important systems like the recording of trial evidence as it is being given is being left wide open to hacking and interference simply due to a lack of funds to make simple updates to the system.”

Jonathan Black, a past president of the London Criminal Court Solicitors’ Association, told The Register: “It is bizarre that the MoJ and HMCTS have at best taken their eye off this ball,” adding: “Too often we receive communications from the CPS asking us to delete information containing personal information that were served unintentionally, yet vulnerable individuals unknowingly have their sensitive details available online.”

Last year The Register revealed that a core plank of the MoJ’s Common Platform Programme, intended to introduce sweeping new IT-based reforms to the courts, had been shelved. Before that the National Audit Office had given the MoJ a thorough dressing-down for its plans, which were based in part on making thousands of redundancies to save money. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/windows_xp_ministry_justice_vpn_workaround/

Secret-sharing app Whisper shared secrets like last known location and actual password tokens in exposed database

Whisper, a mobile app for sharing those thoughts you’d rather not make public, turns out to be better at sharing secrets than keeping them, spilling a whopping 90 metadata fields associated with users in an exposed database.

The app, launched in 2012, is intended as a way for people to “share real thoughts and feelings, forge relationships and engage in conversations on an endless variety of topics – without identities or profiles.”

But as reported by The Washington Post, security researchers found 900 million user records publicly accessible online, exposing both deliberately public and private metadata that could serve to identify supposedly anonymous users of the app.

That 5TB, 75-node database, which has been locked away since Monday, when the company and law enforcement were notified, presents a risk that some app users could be identified and linked to supposedly anonymous posts and potentially sensitive associations, such as membership in fetish groups, hate groups and suicide support groups.

It’s not clear how long the data has been exposed or whether anyone copied the exposed info before it was secured. The data did not include usernames, but did include fields like age, gender, nickname, country, interested_in, IP address and timezone. User-submitted images and videos were available as well, but hosted elsewhere in cloud storage buckets.

In a phone interview with The Register, Dan Ehrlich, security consultant with Twelve Security, said colleague Matt Porter had spotted the unprotected Whisper ElasticSearch database.

List of Whisper metadata fields in exposed database

Ehrlich observed that while Whisper makes maybe five fields of metadata public in posts, the posts available in the ElasticSearch database have about 90 metadata fields (see above) associated with them, including last known geolocation and the actual password token – usable for logging in as that user.

Using the command line tool cURL, the researchers were able to do just that by sending a Base64-encoded key and token to the message API endpoint. “It is possible to log in as any user anywhere,” according to Ehrlich.
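The two findings above, an internet-reachable index and a schema that mixes public post metadata with geolocation and live credentials, are the sort of thing a data-classification pass over an index mapping catches before a researcher does. The script below is an added example, not Whisper's or Twelve Security's code: it walks a constructed Elasticsearch mapping (the field names echo those the article lists, but the schema itself is made up), flags leaf fields whose name or type indicates credentials, location or identity data, and reports whether any credential fields are present, since that is what turns a deanonymisation risk into an account-takeover risk. The name patterns and category labels are assumptions a reviewer would tune to their own schema.

```python
"""Audit an Elasticsearch index mapping for fields that should never sit in an
internet-reachable index. Added example; the mapping below is constructed and
is not Whisper's real schema."""
import re
from typing import Dict, Iterator, List, Tuple

# Name patterns a reviewer would treat as sensitive (assumed, not from the article).
SENSITIVE_NAME_PATTERNS: Dict[str, "re.Pattern"] = {
    "credential": re.compile(r"token|password|secret|api_key|session", re.I),
    "location": re.compile(r"geo|latitude|longitude|location|ip_addr|^ip$", re.I),
    "identity": re.compile(r"dob|birth|^age$|gender|nickname|email|phone", re.I),
}
# Field types that carry sensitive data regardless of how the field is named.
SENSITIVE_TYPES: Dict[str, str] = {
    "geo_point": "location",
    "geo_shape": "location",
    "ip": "location",
}

# Constructed sample mapping: public-looking post metadata alongside a nested
# credential that has no business being in a searchable index.
SAMPLE_MAPPING = {
    "whispers": {
        "mappings": {
            "properties": {
                "text": {"type": "text"},
                "nickname": {"type": "keyword"},
                "age": {"type": "integer"},
                "gender": {"type": "keyword"},
                "country": {"type": "keyword"},
                "interested_in": {"type": "keyword"},
                "ip": {"type": "ip"},
                "timezone": {"type": "keyword"},
                "last_location": {"type": "geo_point"},
                "predator_probability": {"type": "float"},
                "auth": {"properties": {"password_token": {"type": "keyword"}}},
            }
        }
    }
}


def walk_fields(properties: dict, prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted path, type) for every leaf field, recursing into objects."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: descend, do not report it
            yield from walk_fields(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "unknown")


def classify(path: str, ftype: str) -> List[str]:
    """Return the sensitivity categories a field falls into (empty if none)."""
    leaf = path.rsplit(".", 1)[-1]
    cats = {cat for cat, pat in SENSITIVE_NAME_PATTERNS.items() if pat.search(leaf)}
    if ftype in SENSITIVE_TYPES:
        cats.add(SENSITIVE_TYPES[ftype])
    return sorted(cats)


def audit_mapping(mapping: dict) -> List[Tuple[str, str, str, str]]:
    """Return (index, path, type, categories) for every sensitive leaf field."""
    findings = []
    for index, body in mapping.items():
        props = body.get("mappings", {}).get("properties", {})
        for path, ftype in walk_fields(props):
            cats = classify(path, ftype)
            if cats:
                findings.append((index, path, ftype, ",".join(cats)))
    return findings


def has_credentials(findings: List[Tuple[str, str, str, str]]) -> bool:
    """True if any flagged field is a credential: exposure of that index then
    permits account takeover, not just deanonymisation."""
    return any("credential" in f[3] for f in findings)


if __name__ == "__main__":
    results = audit_mapping(SAMPLE_MAPPING)
    for index, path, ftype, cats in results:
        print(f"{index}.{path:<25} {ftype:<10} {cats}")
    print("credential fields present:", has_credentials(results))
```

Run against a live cluster, the input would be the body of `GET /_mapping` (the real Elasticsearch endpoint) rather than the constructed dictionary; the audit itself is the same walk over `mappings.properties`.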

Among the records was a list of international military bases intended, as the Post tells it, for a never-realized suicide study. Those records, in conjunction with geolocation data, might provide a way to infer membership in the military. Given Whisper’s financial ties to Tencent, which invested in the company in 2014, and reports that Chinese companies like Tencent work with Chinese government entities, Ehrlich said there was reason to be concerned.

According to Ehrlich, the database contains a significant amount of information associated with millions of minors who use the app, despite the fact that the app is only supposed to be available to those 17 or older.

Collecting and keeping

He also points out that Whisper appears to have kept data since 2012 without deleting it. “It is not clear if all records have been kept, but a very overwhelming majority of them certainly have,” he explained, pointing to an associated Amazon S3 bucket called “whisper-deleted.s3.amazonaws.com” and the presence of record types that store groups from which users have unsubscribed and previous usernames.

The Whisper app also scores users on their likelihood to be a sexual predator, in the predator_probability data field. Some 9,000 users had a probability assessment of 100 per cent and another 10,000 were rated at 50 per cent, according to data provided by Ehrlich.

The Register asked Whisper’s parent company, Media Lab, to explain how it makes that calculation. We also sought comment from Whisper. We’ve not heard back.

In a statement provided to the Post, a company spokesperson insisted it doesn’t track users and that its internal database (a different one, presumably) is not publicly accessible.

In 2014, The Guardian reported that Whisper was tracking the location of its users, even those who declined to be tracked. Whisper’s editor-in-chief at the time claimed The Guardian was lying, prompting the paper to defend the accuracy of its reporting. Whisper received a letter inquiring about the report from then US Senator Jay Rockefeller (D-W.Va.), leading to a response (PDF) from CEO Michael Heyward and the firing of Whisper’s editorial team.

Ehrlich believes Whisper’s representations at the time did not accurately portray its data collection practices. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/secret_sharing_app_whisper_shared_secrets_in_exposed_database/