Google launches open-source security key project, OpenSK

Interested in using hardware security keys to log into online services more securely? Well, now you can make your own from scratch, thanks to an open-source project that Google announced last week.

Google has released an open-source implementation called OpenSK. It’s firmware that you can flash onto a USB dongle of your own, turning it into a usable FIDO2/U2F security key.

FIDO is a standard for secure online access via a browser that goes beyond passwords. There are three modern flavours of it: Universal Second Factor (U2F), Universal Authentication Framework (UAF), and FIDO2.

UAF handles biometric authentication, while U2F lets people authenticate themselves using hardware keys that you can plug into a USB port or tap on a reader. That works as an extra layer on top of your regular password.

FIDO2 can do away with passwords altogether. The browser talks to the online service using the WebAuthn API and to the security key using the CTAP protocol: the service sends a challenge, the key signs it with a private key that never leaves the device, and a compatible service logs you straight in on the strength of that signature.

To date, Yubico (maker of the YubiKey) and Google have been the best-known suppliers of FIDO-compatible keys, but both use their own proprietary hardware and firmware. Google hopes that releasing an open-source FIDO implementation will accelerate broader adoption of the standard.

Google has designed the OpenSK firmware for a Nordic Semiconductor nRF52840 dongle, a small uncased board with a USB connector on it. The chip supports all the transports FIDO2 allows for: not just USB but also wireless ones like Bluetooth Low Energy (BLE) and near-field communication (NFC). That means a dongle flashed with OpenSK could, in principle, serve as a wireless security key.

As an open-source research project, OpenSK comes with caveats that make it more of a toy for board hackers than an official alternative to manufactured security keys. For one thing, Google has only tested the firmware on two Nordic boards: the nRF52840-DK and the nRF52840 dongle. There’s no reason you couldn’t try it on other boards, but there’s little certainty it’ll work. Also, while Google tested the firmware against CTAP 2.0, the FIDO2 protocol that a browser or operating system uses to talk to the security key, the FIDO Alliance hasn’t certified OpenSK, so the project can’t call itself FIDO Certified.

Finally, there’s the cryptography. Google hasn’t yet wired its firmware up to the hardware crypto core built into the chip. Instead, it wrote the cryptographic algorithms itself in Rust. It says:

Those implementations are research-quality code and haven’t been reviewed. They don’t provide constant-time guarantees and are not designed to be resistant against side-channel attacks.

Rust is a language known for memory safety. OpenSK runs as an application on top of Tock OS, an embedded operating system also written in Rust that isolates applications from the kernel, so a bug in the FIDO application shouldn’t compromise the kernel underneath it.

Strictly speaking, OpenSK is for hardware hackers to experiment with rather than for producing certified security keys, which is why Google was careful to use the term ‘developer key’ when it blogged about it. Still, we’re sure that won’t stop people from using it as one anyway. Google has even published 3D-printer files for a case that fits the Nordic dongle, for those so inclined.

This isn’t the only open-source FIDO hardware available. Somu, a tiny open-source security key with FIDO2 support, was successfully crowdfunded on Crowd Supply. There’s also another key called Solo. Both are designed for everyday use, while the Solo Hacker variant is for hackers and makers to tinker with.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ku-9LnVkKCo/

Fraudsters posed as art dealer, bilked museum for millions

“We got scammed!” said a London art dealer after business email compromise (BEC) scammers inserted themselves into a months-long conversation about the sale of a £2.4 million (USD $3.1 million) John Constable painting, spoofing their emails to make it look like the messages came from Simon C. Dickinson Ltd.

“No, we got scammed,” said the Dutch museum Rijksmuseum Twenthe, which now has the work by the 19th century English landscape painter and whose money got whisked away by fraudsters who transferred the funds to a Hong Kong account.

According to Claims Journal, lawyers for the two organizations have pointed fingers at each other’s clients, telling a London High Court that it was the other guy’s duty to maintain email security or to independently confirm that the bank details it received were legitimate.

That’s what BEC scammers do: they spoof emails to convince a target that they’re supplying product X in order to receive payment Y, so please make sure to send payment to bank account blah-blah-blah.

Rijksmuseum Twenthe, a museum based in Enschede, Netherlands, tried to file eight claims over the heist of its payment for the landscape painting, including that Dickinson owed it “a duty of care” to maintain reasonable email cybersecurity. Judge Mark Pelling dismissed the museum’s application but said it could seek an alternative way to claim for damages and try again to amend its claims against Dickinson.

Oh, puh-leeez, said Dickinson’s lawyer, Bobby Friedman, who told the court that the museum should have taken the basic step of independently confirming that the bank details received in an email were genuine.

How could the art dealer have known there was fraud afoot? It would have been horrified if it had known, he said. Claims Journal quoted Friedman’s written submissions:

Instead of accepting the reality of the situation, the museum has reacted by pursuing a series of hopeless claims against SCD, in the hope of pinning the blame for the museum’s mistake on SCD.

But Dickinson did know, according to the museum’s lawyer, Gideon Shirazi. Its negotiators were in on the email conversations but did nothing to point out that the emails were spoofed to look like they came from Dickinson, he told the court:

Silence would give rise to an implied representation. By saying nothing, they said everything.

Dickinson still hasn’t been paid. The museum still has the painting and won’t give it up, Friedman told the court. Thus, the dealer can’t sell the piece elsewhere, and it can’t pay the (undisclosed) owner, he said.

According to NL Times, the painting in question is A View of Hampstead Heath: Child’s Hill, Harrow in the Distance, a masterpiece of rolling hills and fleecy clouds that are as easy to put handcuffs onto as the hackers who got away with all that money.

Speaking of fleece …

How to keep from being fleeced

There are safeguards that businesses can take to protect against BEC, and then there are those that are good for both businesses and individuals.

As we noted when the FBI busted 74 people in a global BEC takedown in June 2018, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.

Cabarrus County, which fell for a BEC scam to the tune of $1,728,083, paid to a scammer posing as a building contractor, says it’s doing just that: it has hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes, and it says it has held training for staff and implemented external checks to validate data received by the county.

Don’t rely on email alone

As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. Rather, authenticate requests to send money with face-to-face or voice-to-voice communications.

FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

Also, here are more tips, for both individuals and businesses:

Watch out for typos
As we saw in the case of crooks who nabbed the proceeds from that $150K home sale, the fraudster did what fraudsters often do: they made an (albeit tiny) punctuation/English usage mistake. Namely, they omitted a possessive apostrophe.

As Naked Security’s Paul Ducklin noted in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.

Watch out for weird requests.
In that case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed as opposed to being sent via snail-mail. As Paul noted, that makes sense… for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.

Report it.
Law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vWiUkpnODiM/

FTC warns VoIP providers that help robocallers: we can and will sue

How many illegal robocalls do you get?

As in, those spoofed numbers made to look like a neighbor’s calling, calls coming in even though you’re on the National Do Not Call Registry, scammers trying to get you to cough up your personal information?

However many you get, it’s too much, since nearly all robocalls are illegal. And we already know that as of September 2019, the number of robocalls flooding US phones was 200 million per day.

Would it be any comfort at all to learn that the US Federal Trade Commission (FTC) has growled at the VoIP companies whose technology fuels this engine of misery?

Last week, the FTC sent letters reminding 19 of the Voice-over-IP (VoIP) companies that enable “fraudsters and abusive telemarketers to call consumers at a fraction of a penny per minute” that they could be held liable, with potential civil penalties of up to $43,280 for each and every one of the calls.

We’ve brought civil actions against companies for facilitating illegal telemarketing, and we can do it again, the FTC warned. The government agency has already taken these actions:

December 2019: the FTC sued a VoIP service provider in FTC v. Educare, where it alleged that defendant Globex Telecom Inc. facilitated a bunch of telemarketers allegedly selling sham credit card interest rate reduction services. You know the type: those “100% money back guarantee if the promised rate reduction fails to materialize!” scammers.

May 2018: in FTC v. James B. Christiano, the agency sued technology companies that knowingly provided software and servers used by a quartet of illegal robocallers, even though the technology companies didn’t contract directly with the illegal telemarketers. Three VoIP companies allegedly provided autodialers used to place billions of illegal robocalls, as well as allegedly supplying the technology used by robocallers in at least eight prior FTC cases.

The FTC also pointed out in its letters, which went to unnamed VoIP providers, that on Tuesday, the day before the letters were sent, the US Department of Justice (DOJ) brought civil actions against two VoIP companies and their owners. The DOJ alleges that the companies knowingly transmitted robocalls impersonating federal government agencies, meaning they allegedly committed, and conspired to commit, wire fraud.

The letters, signed by FTC associate director Lois C. Greisman, directed the VoIP service providers to guidance on how to stop aiding and abetting the crooks and thereby becoming crooks themselves.

On Thursday, FTC Bureau of Consumer Protection Director Andrew Smith said in a release that the companies can consider themselves on notice:

VoIP service providers play a unique role in the robocall ecosystem, allowing fraudsters and abusive telemarketers to call consumers at a fraction of a penny per minute. These warning letters put VoIP providers on notice that we will take action when they knowingly facilitate illegal robocalls.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WgDkr2jGNg4/

Apple proposes simple security upgrade for SMS 2FA codes

Apple engineers think they’ve come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction.

The concept proposed by the company’s Safari WebKit team is that apps such as mobile browsers will automatically process SMS text codes as they are received, submitting them to the correct website.

This dodges today’s hazard that phishing websites can first fool people into entering their password and username, before asking them to submit the correct 2FA code sent to their phone to the same bogus site.

But for the idea to be feasible, three problems must be overcome.

The first of these is that today’s codes are sent in a range of text formats that makes extracting the correct 2FA data and website domain difficult.

For example, PayPal’s 2FA codes look something like this:

Your security code is 123456. Your code expires in 5 minutes. Please don’t reply.

Or gaming platform Steam:

Your Steam verification code is AB1C2.

Or Facebook:

Use 123456 to login to Facebook.

And so on, with each system sending slightly different equivalents that even heuristic analysis technology struggles to interpret without making errors. The messages also rarely embed the domains to which the codes relate.

Apple’s suggestion is a lightweight text format designed to be “about as simple as it gets,” which would look like this:

747723 is your XYZ.com authentication code.
@XYZ.com #747723

The first line identifies the message to the recipient; the second is the part that apps would process, including the domain the code is bound to.

Users receiving one of the new 2FA texts wouldn’t have to do anything. The data would be automatically extracted by the app doing the authentication.
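As an added example, not Apple’s code or anything from the article, here is how a client could parse the second line of the proposed format and decide whether to hand the code to a page. The regular expression is this example’s own reading of the `@XYZ.com #747723` sample, the exact-host comparison is a deliberately conservative choice rather than part of Apple’s proposal, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Second line of the proposed format, as printed in the article:  @XYZ.com #747723
# This pattern is the example's own reading of that sample, not Apple's specification:
# one domain token after '@', one code token after '#', and nothing else on the line.
DOMAIN_BOUND_OTP = re.compile(
    r"^@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\s+#(?P<code>[A-Za-z0-9]{4,10})$"
)


def parse_bound_otp(sms_text):
    """Return (domain, code) from the last non-empty line of an SMS, or None when the
    message is not in the domain-bound format (legacy texts fall back to manual entry)."""
    lines = [ln.strip() for ln in sms_text.splitlines() if ln.strip()]
    if not lines:
        return None
    m = DOMAIN_BOUND_OTP.match(lines[-1])
    return (m.group("domain").lower(), m.group("code")) if m else None


def code_for_page(sms_text, page_url):
    """What a browser's autofill would do: release the code only to a page whose host is
    exactly the domain named in the SMS. Exact matching is this example's conservative
    choice; it means login.xyz.com would not receive a code bound to xyz.com."""
    parsed = parse_bound_otp(sms_text)
    if parsed is None:
        return None
    domain, code = parsed
    host = (urlsplit(page_url).hostname or "").lower()
    return code if host == domain else None


# Constructed sample messages, not captured provider traffic.
APPLE_STYLE = "747723 is your XYZ.com authentication code.\n@XYZ.com #747723"
LEGACY_STYLE = "Your security code is 123456. Your code expires in 5 minutes. Please don't reply."


def demo():
    """Genuine site gets the code; lookalike hosts and legacy texts get nothing."""
    return {
        "genuine": code_for_page(APPLE_STYLE, "https://xyz.com/login"),
        "subdomain_lookalike": code_for_page(APPLE_STYLE, "https://xyz.com.evil-login.net/"),
        "hyphen_lookalike": code_for_page(APPLE_STYLE, "http://xyz-com.net/"),
        "legacy_format": code_for_page(LEGACY_STYLE, "https://paypal.example/"),
    }
```

The point of the binding line is visible in the two lookalike cases: a phishing page at `xyz.com.evil-login.net` can relay the user’s password, but an autofill that compares the page’s host to the domain in the SMS never offers it the code, and a legacy-format text carries no domain at all, so it gets no automatic handling.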

On borrowed time

Now for the second problem – to become universal, this is something all the big names would need to sign up for. So far only Google seems interested while Mozilla and Microsoft have yet to make their positions clear.

But even if they jump aboard, a third problem lurks: the growing feeling that SMS text verification is an inherently insecure idea that companies need to stop using, period.

Bolting on improvements doesn’t address deeper worries such as SIM-swap fraud, where criminals receive the security codes after hijacking the victim’s mobile account.

A lot will depend on Google, which in recent times has promoted what it sees as more secure alternatives to receiving SMS codes such as authentication apps, the WebAuthn standard or hardware tokens.

More recently, however, it’s taken a more pragmatic approach and suggested improving SMS communication using initiatives such as Verified SMS for Messages, designed to authenticate organisations sending SMS messages including, in theory, their 2FA codes.

This looks like an acceptance that imperfect security channels such as SMS aren’t going away and that the world will continue to use them for a while yet. Better, then, to get on with improving their security while they last.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EmuD8lIFjiU/

WannaCry ransomware attack on NHS could have triggered NATO reaction, says German cybergeneral

FIC 2020 Western military alliance NATO could have reacted with force to the 2017 WannaCry ransomware outbreak that crippled a large part of Britain’s NHS, Germany’s top cybergeneral has said.

During a panel discussion about military computer security, Major General Juergen Setzer, the Bundeswehr’s chief information security officer, admitted that NATO’s secretary-general had floated the idea of a military response to the software nasty.

General Setzer said: “The secretary-general of NATO talked last year [about]… the WannaCry attack of 2017, [which] especially had consequences for hospitals in the UK, could also be a subject for the NATO.”

The German army officer said this supported the idea that military thresholds for responding to hacking attacks should be deliberately vague, adding that just because someone hacks you doesn’t restrict you to only hacking them as a response.

He said: “If we are talking about this special domain [of cyberspace], then if you go with military means, as an answer, the threshold doesn’t mean you have to answer in the same domain. It’s the risk of the opponent, what is your answer if you decide [an attack on a computer network] is above the threshold?”

The wider discussion focused on military cybersecurity challenges. Major General Rafael Garcia Hernandez, chief of Spain’s cyber defence command, said that his soldiers were meeting their French counterparts to learn from each other. He added the meeting was “not just the commanders. No, no, the technical people too… we are quickly learning what cooperation means.”

In the compartmentalised world of military network security, such meetings and idea-sharing sessions are relatively rare – especially when compared to the private sector. Some countries are nervous about revealing exactly how they get their information, as Captain William Wheeler, US Cyber Command’s director of plans and policy, explained.

Wheeler, formerly a US Navy pilot before joining the tech industry, said: “In the cyber world, many times we run up against challenges with sharing some of the information from an intelligence collection standpoint. But when you think about it, do I need all that information or do I just need the basis – pieces of information [from which I can] take action?”

The American also shed some extra light on US Cyber Command’s concept of “persistent engagement”, which he said was “defensive in nature” and consists in part of “continuously looking for those cyber actors trying to do harm”.

At the invitation of a host government, Capt Wheeler said, US military cyber teams “go out and work with them to operate on their networks, to look for this type of… malicious cyber activity.” Once they find something of interest, they “collect that malware, that information, and bring it back, be able to share that with commercial industry who can then get it out to everyone.”

As for the Huawei 5G kerfuffle in the UK and the EU earlier this week, the captain declined to be drawn on Chinese policy specifically but, in his upbeat southern US drawl, said: “I will tell ya this. The relationship that the European partners have with the US on the military side is absolutely outstanding. We realise we’ve got to work together and we’ll find a way.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/03/wannacry_could_have_triggered_nato_german_general_says/

Cover for ‘cyber’ attacks is risky, complex and people don’t trust us, moan insurers

FIC 2020 EU companies aren’t taking out insurance against attacks on online assets because the companies selling coverage aren’t organised enough – while Brits are more likely to pay off ransomware crooks than others.

Insurance that pays out if your company gets hit by an online attack is a tricky subject. While it is an obvious business area for the insurance industry to move into, a panel discussion at France’s Forum international de la cybersécurité last week heard there’s not enough public information on the risks to insurers of offering cyberattack policies.

Edward Samsom of the European Insurance and Occupational Pensions Authority, an EU body set up by a so-called “committee of wise men”* to regulate insurance companies across the political bloc, observed that even dipping a toe into the world of ransomware and hackers was a risk in itself.

He said: “There is an operational risk from the insurer’s perspective. From the security side, itself, an insurer is one of the most vulnerable companies, maybe, in the market when it comes to cybersecurity.”

Speaking alongside Samsom was Frederic Rousseau of the French arm of insurance firm Hiscox, who, through a translator, bemoaned his industry’s early “lack of consistency” revealing that “five or six years ago” potential customers “were faced with a market which didn’t speak with one same voice”. Potential customers, he argued, were less likely to pay for insurance products unless the EU market was able to explain precisely what it would and wouldn’t pay out on.

Avoiding payouts through lawsuits

The “what is covered” argument was sharply highlighted by a number of high-profile court cases brought by insurance companies against their own customers, in efforts to evade paying out in the aftermath of cyber incidents.

Pascal Steichen of Luxembourg trade association Security Made in Luxembourg agreed: “I think that people are aware that this market is immature.” But he said insurers lashing out against their own customers was putting off clients: “I don’t think they’re afraid of the [sort of] clause that says ‘in any case the insurance will not pay’” after a cyber attack.

Part of that nervousness about honouring insurance policies is because insurers offering these products aren’t sure how large their losses will be if they’re claimed against. Christophe Madec of French insurance broker Besse said, in translation: “In liability insurance damages, we know the price of a liability [for] car insurance. For cyber, it’s a little bit more vague.”

Samsom nodded, chipping in to say that one of “the most important goals” for insurers ought to be having “a prudent calculation of the premium” as well as “prudent reserves” for large payouts: “I can imagine there might be some risks that are very hard to cover.”

Other insurers have pondered whether they can squirm out of paying on policies by invoking clauses intended to rule out coverage if a war starts.

Later on, Rousseau observed: “British people would say it’s more [important] to pay the ransom because you’ve got to pick your cause. If you can’t deal with the subject in time, you won’t be able to provide the sanctions which would be strong enough to counteract the benefit of insurance. Some other parts of the market would say ‘No you should not pay the ransom’. Insurers have got different approaches.”

Madec closed the discussion by shrugging: “It’s true for any insurance matter; we’ve got to get more knowledgeable.” ®

Bootnote

* A somewhat dated term for ad hoc expert groups in policy-making, as seen on the EIOPA website’s about page: “The European Insurance and Occupational Pensions Authority (EIOPA) was established in consequence of the reforms to the structure of supervision of the financial sector in the European Union. The reform was initiated by the European Commission, following the recommendations of a committee of wise men, chaired by Mr [Jacques] de Larosière, and supported by the European Council and Parliament.”

We imagine beards, robes and knobbly sticks played a large part in this process.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/03/cyber_insurance_fic2020/

Flaws punched holes in Azure cloud, Apple patches pretty much everything, Eurocops cuff Maltese hackers, etc

Roundup It has been a busy week in infosec, but here are a few more security news bites to mull over.

Storm clouds approaching Azure

The bug-hunters at Check Point have laid claim to the discovery and reporting of two serious, and now patched, security flaws in Microsoft Azure.

According to Check Point, the vulnerabilities would have potentially allowed a malicious virtual machine to break out of the Azure hypervisor protections and access the VMs of other tenants. In the wrong hands, the bugs would have had serious consequences.

The vulnerabilities, one designated CVE-2019-1234 and another not given an official number in the write-up, have long since been patched after being privately disclosed to Microsoft. Still, the full story is an interesting read and a reminder that, just because your servers are hosted remotely, they are not free of potentially serious security vulnerabilities.

Wawa data spotted for sale

Back in December, US convenience store chain Wawa suffered a network intrusion that resulted in the loss of customer payment card data. Now, unfortunately, some of that data has been found for sale to fraudsters.

Researchers with Gemini Advisory say the pilfered card details are being put up for sale on a notorious cybercrime marketplace called Joker’s Stash.

There is some good news: the high profile of the Wawa attack, combined with the limited geographic reach of the locations hit, should limit some of the damage from fraudsters.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast have significant exposure. Notably, major breaches of this type often have low demand in the dark web,” the security firm explained.

“This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise.”

That said, anyone included in the Wawa breach should probably look into getting their payment cards replaced, just to be sure.

East Anglia uni pays students after data theft

Mark this one under “poor security will cost you.”

The University of East Anglia in the UK says that the fallout from an errant email has cost it six figures in payouts.

The BBC says that after a staffer accidentally sent out the private personal health records of 298 students back in 2017, it has had to cough up settlements totaling £142,512 to those who were exposed.

Apple posts fixes for iOS and Mac bugs

Anyone who uses an Apple product will likely be asked to update soon, as the Cupertino electronics giant has dropped a set of patches for nearly every piece of kit it sells.

Among the fixes are security updates for iOS and macOS, the two major operating systems from Cook and Co. While there aren’t any massive risks posed by the patched flaws (for example, none of the bugs are found in the WebKit browser engine), users and admins should look to get the patches in place before malware writers begin to take aim at them.

Maze ransomware operators dump data

The Maze ransomware has been in circulation for some time now, claiming some major infections, including one in Pensacola, Florida.

However, not everyone who was hit by the ransomware has paid the Bitcoin demands, and now the criminals behind the infection are dropping the data of companies that don’t meet their demands.

Expect further harm to follow from the leaked data.

Xbox opens bug bounty program

Microsoft has given security researchers yet another way to scare up some cash with the launch of an Xbox bug bounty program. Those who discover and report vulnerabilities in the Microsoft gaming platform will be able to get payouts as high as $20,000.

While bug bounty programs are not the be-all and end-all of corporate security, Microsoft has been better than most when it comes to handling reports and getting patches in place.

Malta bank hackers nabbed

The UK National Crime Agency says it has arrested three people in connection to a hacking attack on a Maltese bank last year.

In this case, the three men caught were suspected to have committed crimes including fraud, theft, and money laundering in connection with the attack. One of the trio was caught at Heathrow returning from a trip to China, while the other two were arrested in Belfast. Two others were arrested in connection with the case earlier in January.

Researcher finds DoD site running cryptocoin miner

The US Department of Defense has issued a rare shout-out to a private sector security researcher who spotted and reported an active attack on one of its sites.

Bug-hunter Nitesh Surana spotted a DoD site running a vulnerable version of Jenkins along with a suspicious script. On further inspection, it was found that someone had taken advantage of a code injection vulnerability to place a cryptocoin mining script on the government site.

The issue was reported in early January on HackerOne, and following a few weeks of investigation and cleanup, was disclosed to the public on January 31. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/03/security_roundup_jan_31/

Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped

Criminal charges have been dropped against two infosec professionals who were arrested during a sanctioned physical penetration test gone wrong.

On Thursday, the Des Moines Register – no relation – reported that a judge in Dallas County, Iowa, formally dismissed the third-degree burglary and possession of burglary tools allegations against Coalfire employees Gary DeMercurio and Justin Wynn.

Back in September, Coalfire had been hired by the judicial branch of the US state of Iowa to put its IT systems and physical security to the test. As such, DeMercurio and Wynn were tasked with sneaking into one of the state’s courthouses – in Dallas County – at night and accessing the building’s PCs to infiltrate its computer network.

During the attempted break-in, an alarm was tripped, county deputies arrived, and the men were detained. After the Coalfire pair – and Iowa officials in a phone call – explained the situation to the plod, Wynn and DeMercurio were about to be let go and sent on their way.

And that’s when things got stupid.

The Dallas County sheriff rolled up, and in a stunning display of state-versus-county pettiness, overruled the Iowa officials who said the test was allowed, and booked the pair on burglary charges despite it being clear there was no criminal activity. The sheriff was furious that a courthouse in his jurisdiction had been broken into by two guys authorized by the Midwest state’s bureaucrats. The charges were later reduced, and the men were released on bond.

The case, understandably, created a stir among security professionals, and led to a re-examination of security testing contracts and procedures.

Now, with the prosecution agreeing to drop the charges, and the legal red tape and bureaucratic posturing finally wrapped up, Coalfire is trying to be diplomatic about a situation it has every right to be furious over.

“We are pleased that all charges are dropped in the Iowa incident,” CEO Tom McAndrew said in a statement.

“With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement. We’re grateful to the global security community for their support throughout this experience.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/31/dumb_charges_dropped_in_iowa/

Name That Toon: Private (Button) Eye

Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.

A new month is upon us, and with it a new contest! Submit your caption for John Klossner’s latest cartoon (above) in the Comments here, and our editors will reward the winner with a $25 Amazon gift card. The contest ends Feb. 29 — you get an extra day, courtesy of leap year.

If you don’t want to enter a caption, help us pick a winner by voting on the submissions. Click thumbs-up for those you find funny; thumbs-down, not so. Editorial comments are encouraged and welcomed.

Article source: https://www.darkreading.com/edge/theedge/name-that-toon-private-(button)-eye/b/d-id/1336936?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ashley Madison Breach Returns with Extortion Campaign

The recent attack messages use new techniques to extort Bitcoin payments from Ashley Madison users hit in massive 2015 data breach.

Five years after a huge data breach at extramarital affair website Ashley Madison gave criminals access to the credentials of roughly 32 million users, some victims are being hit once again, this time with a highly personalized extortion attempt.

The extortion message includes detailed personal and financial information on the victim and demands a Bitcoin payment (the equivalent of $1,000 on up) to ensure that incriminating details won’t be shared with friends, family, and employers. The message includes two factors that are becoming more popular in criminal attacks: Details of the ransom payment are in an encrypted .PDF file attached to the email, and the .PDF includes a QR code at the top as a way to access payment information.

Both of these newer details are attempts to evade email filters that increasingly target criminal attack content. According to researchers at Vade Secure, which published a blog post on the new attack, the form of the attack is similar to other messages in a wave of “sextortion” attacks that have been ongoing since July 2018.

Article source: https://www.darkreading.com/attacks-breaches/ashley-madison-breach-returns-with-extortion-campaign/d/d-id/1336937?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple