STE WILLIAMS

A British hacker who worked for a Russian crime syndicate has been sentenced to six years and five months in jail after a National Crime Agency (UK) investigation. Zain Qaiser was found to have received at least £700,000 (US$914,105) from his activities involving blackmail and malware, which began in 2012 and continued through 2018.

According to authorities, Qaiser would pose as a legitimate ad broker to buy online advertising unit from pornographic websites. He would then use the space to post ads that would direct victims to websites hosting malware, including the Angler Exploit Kit (AEK) and Reveton ransomware. Victims would pay blackmail and data ransoms using cryptocurrency that would then be laundered through a complex series of global transactions.

Authorities said Qaiser spent most of the funds he received on stays in high-end hotels, prostitutes, gambling, drugs, and luxury items.

Qaiser admitted to 11 offenses, including blackmail, fraud, money laundering, and computer misuse. He was jailed at Kingston Crown Court.

Read more here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/british-hacker-jailed-for-role-in-russian-crime-group/d/d-id/1334378?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

As security leaders, do we spend as much time trying to understand our businesses as we do trying to understand the threats we face? It seems that we focus intently on emerging threats, but what about emerging technology?

Successful adoption of emerging technology can lead to a competitive advantage. Yet we CISOs have a history of lambasting emerging technologies — cloud, mobile, machine learning, and now blockchain — discounting the value as “pure hype.” This practice of mocking new technology isn’t productive and can lead to career disadvantage.

Think about this scenario. A web application that is integral to a major new marketing campaign is about to launch and the security team is asked to assess it at the last minute. Sound familiar? As frustrating as this is, this scenario happens on a larger scale as a matter of course when it comes to emerging technology. Why?

A Digital Disconnect
As companies consider the role of emerging technology in their digital transformation journeys, security teams are often sitting on the sidelines. A lack of engagement with the business is a major contributing factor. Many security leaders still haven’t made the time to understand how the company operates, how it generates revenue, and how it plans to continue to grow. Also to blame is the security community’s kneejerk response is to bash and discredit emerging technologies. Blockchain is just the latest example. There are legitimate use cases for blockchain; supply chain management is just one.

One of the primary roles of security leaders is to understand and effectively communicate risk. Scoffing when another new technology emerges, prevents us from doing this. Instead, we need to better understand the benefits so that our revenue-generating business partners can safely utilize them.

Brace for Impact
Autonomous vehicles, consumer Internet of Things devices, 5G, 3-D printing, and drones are just a few of the new technologies highlighted at this year’s Consumer Electronics Show. They’re on the verge of going mainstream now and should already be on your radar if your business can take advantage of them in any way. For some technologies in earlier stages of development, check out Soonish: Ten Emerging Technologies That’ll Improve and/or Ruin Everything by Kelly and Zach Weinersmith. Think about the security implications associated with bioprinting or, even further out, brain computer interfaces.

In this “The World Is Flat” global environment, security leaders must understand that emerging technology can lead to first-mover and competitive advantage. How can CISOs prepare for the risks that new technologies can introduce to the organization? Here are five lessons I’ve learned that can help:

1. Don’t just focus on the adversary; focus on your business. Spend time talking to business leaders to truly understand how your company operates. Review marketing plans, technology road maps, financial reports, forecasts, and business development plans. Build a relationship with a board member to understand longer-term goals and pressures on the business. If you don’t understand your business model, you have little chance of building an effective threat model for your program.
2. Do more “homework” by talking to internal resources. Meet with the CTO and line-of-business CTOs periodically because those teams assess new technologies. If your business has an enterprise architecture team, try to get one of your resources regularly engaged with team members. Those teams are at the forefront of digital transformation initiatives, and security and privacy should be key components of those efforts. Many organizations start their annual planning in late summer, so use budget season to your advantage. Work with business leaders to understand the emerging technology they want to deploy and are including in their upcoming budgets.
3. Make a concerted effort to track emerging technology. Get on the road and start attending conferences focused on your industry and the new technologies and services that are becoming available to address challenges and create opportunities. Reading what industry analysts have to say about top emerging technologies to watch is a good way to know if you’ve covered your bases. You should also monitor early adopters in your space by looking at their Securities and Exchange Commission filings, annual reports, and press releases. You can use Google alerts to track them. Of course, if you’re learning from your competitors then chances are you’re already late to the game — but it’s better to know than not.
4. Start understanding the risks of emerging technology. Actually using a new technology is the best way to see how it may introduce risk to your organization. Get it into one of your labs or talk to the business engineers who already have it in their labs to leverage their knowledge and expertise. If you don’t have the skill set, resources, or time, then work with consultancies or security researchers to take advantage of their capabilities so you can get up to speed faster.
5. Finally, don’t believe the hype. Just because #INFOSEC Twitter makes fun of something doesn’t mean you should discount it. Don’t blindly buy into the negative hype around emerging technology. Ubiquitous vendor marketing also does us no favors as it predisposes us to cynicism. Skepticism is OK, just be objective as you evaluate the emerging technology.

Remember it is our job to understand and communicate the risk of emerging technologies. An approach like Gandalf the Gray screaming “you shall not pass to emerging technology” is not advisable. Your organization, and your career, are better served with something like, “you can pass; however, we need to make sure that you understand the risks associated with taking this path.”

Related Content:

• 7 Steps to Start Your Risk Assessment
• 7 Ways Blockchain Is Being Used for Security
• Transforming into a CISO Security Leader
• Ex-NSA Director Rogers: Insider Threat Prevention a ‘Contract’

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick … View Full Bio

Article source: https://www.darkreading.com/risk/stop-mocking-and-start-enabling-emerging-technologies-/a/d-id/1334300?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Yahoo has reached a $117.5 million settlement with victims whose personal data – email addresses, passwords, phone numbers, birthdates – was exposed in a breach of 3 billion accounts.

The massive breach affected every Yahoo user account in existence in August 2013, a disclosure that surfaced during the company’s integration into Verizon Communications. Yahoo has been criticized for its slow response to three security incidents affecting billions of people between 2013 and 2016, when the breach was reported. The full damage was unknown until October 2017.

In March 2018, Yahoo agreed to pay $80 million in a class-action securities litigation brought by shareholders who said the company purposely misled them about its security practices. It also agreed to pay a $35 million fine to the Securities and Exchange Commission for misleading investors. At the time, a separate class-action suit was being brought by victims of the 2013 breach.

In January 2019, US District Judge Lucy Koh rejected a version of this settlement because it didn’t specify the total value or amount victims could expect to receive as a result, Reuters reports. The $117.5 million settlement still requires Koh’s approval.

Read more here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/yahoo-reaches-$1175m-breach-accord-following-failed-settlement/d/d-id/1334379?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KASPERSKY SECURITY ANALYST SUMMIT – Singapore – Meet the next generation of carding and identity theft: a newly discovered, large online marketplace that sells not only stolen credentials but also the victims’ online fingerprints that allow criminals to dodge anti-fraud systems while using the pilfered online accounts.

A Kaspersky Lab researcher here today revealed his team’s discovery of the so-called Genesis darknet market that deals in these digital doppelgangers. Genesis sells more than 60,000 stolen, legitimate digital identities for anywhere from $5 to $200 each, using stolen information about the users’ online digital characteristics – such as their devices’ operating system, browser, GPU, DNS, and online behavior patterns – used by financial institutions’ anti-fraud systems to confirm online transactions are being conducted by account owners and not fraudsters.

These so-called digital masks, used together with the victim’s login and passwords for his or her online accounts, allow a criminal to pose as that very user: an evil online doppelganger that can then cheat anti-fraud systems. Genesis is a Russian-speaking operation that to date deals in mostly stolen US and Canadian consumer online accounts, as well as from Europe, said Sergey Lozhkin, a Kaspersky Lab security researcher who headed up the investigation of Genesis.

Lozhkin said this combination of stolen logins with the victim’s digital “mask” is not really a new cybercriminal technique – the capability was traded in small, private forums in the past – but Genesis represents the first large criminal enterprise to sell them commodity-style. “This is the first big operation coming from this … it’s the next generation of carding,” he said.

It’s difficult for fraud prevention systems to spot these digital doppelgangers because they pose so convincingly as the legitimate accountholder, including information on the victim’s online buying history, computer screen size, and other information from their browsers and cookies. Without that identifying information, fraudsters can’t consistently cash in on stolen payment cards.

“When a bad guy enters your credit card information, in most cases he won’t succeed because the anti-fraud [system] will find him out as he’s trying to enter multiple cards from one device,” Lozhkin said. That’s because a user’s browser typically contains a wide variety of parameters associated with him or her, data that’s used by anti-fraud systems to verify a user.

Genesis also includes in its digital doppelganger sale a plug-in for Chromium-based browsers that downloads and installs the victim’s identifying information into the browser. “This plug-in is widely configured: you can use a fingerprint, change a fingerprint, and generate a fingerprint. It’s all done in one click,” he said. It basically spoofs the victim’s user behavior online, along with the “fingerprint” information, and the criminal appears to the anti-fraud system as the legitimate user.

The tool lets criminals search for specific types of stolen accounts, such as eBay, Amazon, and Chase, and even from specific countries. Lozhkin said law enforcement has been alerted about Genesis, which has been operational for about a year.

Another similar tool available to carders outside of Genesis is the Tenebris browser that comes with a built-in generator of unique user behavior fingerprints, he said. This allows a criminal to launch online fraud from the browser.

The main defense from your digital doppelganger? Multi-factor authentication, which thwarts any abuse of stolen credentials and digital masks, according to Lozhkin.  

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/digital-doppelganger-underground-takes-payment-card-theft-to-the-next-level/d/d-id/1334374?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Jackson Cosko, a former Senate staff member, has pled guilty to five federal crimes: two counts of making public restricted personal information, one count of computer fraud, one count of witness tampering, and one count of obstruction of justice.

According to evidence, federal authorities were alerted to the data theft when the Wikipedia pages of three US senators were edited to include home addresses and personal phone numbers, information that is considered restricted. The information breach is known as “doxxing,” defined in the government announcement as ” … the act of gathering, by licit and illicit means, and posting on the Internet personal identifying information (PII) and other sensitive information about an individual.”

Cosko who has admitted to being angry about losing his job at a computer administrator’s office earlier that year, broke into his former employer’s office at least four times and stole information, which was then made public in a possible attempt to influence the senators around the time of a nomination to the US Supreme Court. Cosko was arrested after a witness saw him in the office and confronted him.

Cosko could be sentenced to between 30 and 57 months in prison. Sentencing is scheduled for June 13, 2019.

Read more here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/guilty-plea-in-senate-data-theft/d/d-id/1334373?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Credential stuffing — where attackers use e-mail addresses and passwords stolen from one site to attempt to access other sites — took off in 2018, with nearly 30 billion documented attempts recorded by Internet infrastructure firm Akamai, according to its new report.

The attacks are enabled by easy-to-use software and widespread botnets that can take lists of usernames and passwords and try to log into a variety of sites. On average, Akamai saw more than 115 million attempts to use stolen credentials per day, and three times during the year the attacks spiked to more than 250 million attempts per day.

The widespread attempts to log into a variety of services mean that companies need to be on watch, says Martin McKeay, a security researcher and editorial director at Akamai.

“This is not something that just happens to someone else,” he says. “This is not something that you can ignore. It is a constant problem.”

Attacks that attempt to access sites using stolen or easy-to-guess credentials have become increasingly popular. In March, for example, the FBI warned management-software firm Citrix that attackers had breached the company’s network using a low-volume credential-stuffing attack — known as credential spraying — where an attacker sends a relatively low number of attempts to each targeted server. Indoing so, the attacker can avoid triggering hard limits on the number of log-in attempts.

In its recent report, security firm Rapid7 also found that credential stuffing attacks had taken off, ostensibly because so many username-password pairs have been stolen from compromised sites.

“There are now upward of 1.5 billion credentials floating in the wild ready for use by malicious miscreants at an exposed service near your data,” the company stated.

Akamai found that attackers most often targeted retail sites, video-streaming services, and entertainment companies. Because the company defined a credential-stuffing attack as a log-in attempt using an e-mail address, financial firms did not show up often in the data set, as most financial firms do not allow customer to log in with an e-mail address.

Online groups are after all sorts of credentials, McKeay says.

“They are looking at getting your streaming credentials, and they are looking for your gaming credentials — there is a large market for these things,” he says. “If they can go and prove that what they have is a valid set of credentials, there is money to be made there.”

The popularity of credential-stuffing attacks is also driven by easy-to-use software, the Akamai report stated. A tool named SNIPR is a popular entry-level program for targeting the simplest targets, such as gaming networks and video-streaming services. Another tool, known as STORM, allows for custom configurations that are traded and sold on the Dark Web, according to Akamai. 

Other tools are designed to test stolen credentials’ validity. Credentials proved to be valid have a much higher value in online black markets. In January, security researchers found a collection of 773 million e-mail addresses and 21 million passwords for sale on the Dark Web. 

Intuit warned users of TurboTax in February that the reuse of usernames and passwords had allowed attackers to compromise an unknown number of accounts. 

“Based on our investigation, it appears that an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source,” the company stated in a letter sent to consumers. 

Akamai urged companies to continue to educate users on the reasons for using unique passwords paired with a password manager. And users should request two-factor authentication whenever a service offers the security measure.

“When discussing [attack takeover] and [all-in-one] scripts, criminals often complain about the use of multifactor authentication, which is a particularly effective method of stopping most of their attacks,” the company stated in its report.

Related Content

• Attackers Continue to Focus on Users, Well-Worn Techniques
• Citrix Breach Underscores Password Perils
• Credential Compromises by the Numbers
• Inside the Two Types of Account Takeover Attacks
• 773 Million Email Addresses, 21 Million Passwords For Sale on Hacker Forum

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/credential-stuffing-attacks-behind-30-billion-login-attempts-in-2018/d/d-id/1334371?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple