STE WILLIAMS

Learning from the Disqus data breach

I’m a fan of Troy Hunt’s Have I Been Pwned? (HIBP) data breach project but being contacted by it three times in a month is unnerving.

In early September, HIBP sent me news that an email address used by me was among 711m found sitting on a server used to fuel the Onliner Spambot operation.

Given Onliner’s vast size, perhaps that wasn’t surprising, but last weekend I received two more unwanted emails from HIBP, this time relating to a previously unknown breach of 17.5m users of the Disqus comment system that happened in 2012, and a disclosed incident from 2014 affecting 9m users of URL shortener Bitly.

Clearly, the Disqus breach is the most serious of these because it wasn’t previously disclosed. But before delving into this, let’s remind ourselves why HIBP emails on disclosed breaches are also important.

A company announcing a data breach is often telling its users only that it has been infiltrated and that their account data may have been accessed (because detecting an intrusion is one thing but figuring out what’s been stolen is something else again).

So an organisation might struggle to tell users if their data has actually been stolen and, even if it can do that, it can’t tell them what happened to the data after that.

HIBP alerts inform registered users that breached data has been detected in public, which confirms that it was stolen and may now be being traded and exploited. This part of the story tends to be ignored but it’s where the action really starts.

But what of Disqus?

Just like me, it seems to have learned about the breach from HIBP. The good news is that having been informed, Disqus disclosed it to users within hours and reset affected users’ passwords, an unusually swift response. The bare facts:

  • 17.5m accounts from 2007 to July 2012 are affected
  • Anyone joining Disqus after July 2012 is not affected
  • One third of passwords were exposed as salted SHA-1 hashes
  • There “isn’t any evidence of unauthorized logins”

(Naked Security’s sister site Sophos News used Disqus from July 2013 to April 2017, a period after the breach.)

It’s disconcerting that Disqus has only just learned of a serious data breach from a third party, more than five years after it happened.

On the other hand, it would be far worse had it known for some of this time and not told anyone (see Equifax et al), or known but not properly assessed its size (see Yahoo’s expanding revelations).

The next question is what has Disqus done since 2012 that might improve security. On that score the company says:

At the end of 2012 we changed our password hashing algorithm from SHA‑1 to bcrypt.

That’s good because while SHA-1 hashes are better than passwords stored in plain text, they aren’t nearly as good as algorithms like bcrypt or scrypt (to find out why, read Paul Ducklin’s primer on how to store your users’ passwords safely).

LinkedIn infamously used unsalted SHA-1 at the time of its massive 2012 data breach with the end result that a large percentage were subsequently reported to have been cracked.

Disqus’s hashes won’t be as vulnerable as this because they were salted, which rules out old-style rainbow table cracking, but salting offers no guarantees.

It’s intriguing that Disqus only moved to bcrypt, one of several “slow” hashing techniques that date back nearly two decades, in 2012. Why wasn’t this more secure scheme adopted in the first place? Perhaps because while its slowness is an impediment to dictionary attacks, it also adds latency to the login process. Or maybe password security just didn’t look all that important in 2007.
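To make the salted-SHA-1 versus slow-hash point concrete, here is an added Python example (not code from the article or from Disqus): it stores the same password as a salted SHA-1 hash and as an scrypt hash, which stands in for bcrypt because bcrypt is not in the Python standard library, then runs the same small constructed wordlist against both records. The salt stops precomputed tables being reused across users but does not slow per-hash guessing; only the slow algorithm does that.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for a cracker's dictionary (not real breach data).
WORDLIST = ["password", "123456", "qwerty", "letmein", "disqus2012", "hunter2"]

# scrypt parameters: n is the CPU/memory cost, r the block size, p the parallelism.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(scheme: str, password: str, salt: bytes) -> bytes:
    """Hash one password under the given scheme with the given per-user salt."""
    if scheme == "sha1":
        # Salted SHA-1: one cheap pass, the scheme Disqus used until the end of 2012.
        return hashlib.sha1(salt + password.encode("utf-8")).digest()
    if scheme == "scrypt":
        # Deliberately slow, memory-hard KDF; used here as a stand-in for bcrypt.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    raise ValueError(f"unknown scheme {scheme!r}")


def make_record(scheme: str, password: str) -> dict:
    """Create a stored credential record: scheme, random 16-byte salt, hash."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt,
            "hash": hash_password(scheme, password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt; compare_digest avoids leaking the hash via timing."""
    computed = hash_password(record["scheme"], candidate, record["salt"])
    return hmac.compare_digest(record["hash"], computed)


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Offline guessing against one leaked record, to show what the defender faces.

    The salt is stored next to the hash, so it does not slow this down; it only
    stops precomputed (rainbow) tables from being shared across users.
    Returns (recovered password or None, number of guesses, seconds per guess).
    """
    start = time.perf_counter()
    guesses, found = 0, None
    for word in wordlist:
        guesses += 1
        if verify(record, word):
            found = word
            break
    return found, guesses, (time.perf_counter() - start) / guesses


def slowdown_factor(password: str, wordlist) -> float:
    """How many times more expensive each guess is against scrypt than salted SHA-1."""
    _, _, sha1_cost = dictionary_attack(make_record("sha1", password), wordlist)
    _, _, scrypt_cost = dictionary_attack(make_record("scrypt", password), wordlist)
    return scrypt_cost / sha1_cost


if __name__ == "__main__":
    for scheme in ("sha1", "scrypt"):
        rec = make_record(scheme, "letmein")
        found, guesses, per_guess = dictionary_attack(rec, WORDLIST)
        print(f"{scheme:6s} recovered={found!r} guesses={guesses} "
              f"per_guess={per_guess * 1e6:.1f} us")
    print(f"scrypt makes each guess roughly "
          f"{slowdown_factor('letmein', WORDLIST):.0f}x more expensive")
```

Both schemes fall to the same four guesses; the difference is that each guess against the scrypt record costs thousands of times more CPU time, which is what turns a billion-guess job into an impractical one.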

However, perhaps fretting about passwords and accounts misses the important fact that, even without passwords, criminals have access to 17.5m email addresses they can use to set up phishing attacks and send spam to. This seems the most likely consequence of the Disqus breach.

It’s not one I’ll be worrying about too much given that HIBP tells me my email address has already been breached on four other occasions – my address has been out there for years.

My deeper anxiety regards the following statement by Hunt:

I still have multiple other data breaches from the same set that Disqus came in and totalling tens of millions of records.

Disqus, it seems, is not the end of it.

Sometimes it can seem as if nobody much cares about data breaches any more. I, for one, am pleased that Hunt and HIBP are not among them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PXIiSLtA6es/

Why it’s time to stop calling users “n00bs” and “1d10ts”

This is a guest post by Sophos security expert James Burchell.
James has appeared on Naked Security and Sophos News before, live in person in videos and podcasts. This is his first written article – we’re looking forward to his next!

October is National Cybersecurity Awareness Month (NCSAM) and this week’s theme is “Cybersecurity in the workplace is everyone’s business”.

Naked Security asked me what I’d do to make cybersecurity into a company-wide deal, rather than just relying on programmers and IT gurus to keep us all safe.

After all, even if we were able to write bug-free code and deploy it perfectly, cybersecurity would still be a massive problem, because one of the biggest risks to any organisation is a biological one – humans!

If you’re a techie or on the IT staff inside your company, you’ll know what I mean: you love users, yet you hate them; you call them n00bs; you deal with 1d10t errors on a daily basis.

Nevertheless, you also have to acknowledge that they’re inside every network, amongst some of your organisation’s most closely guarded secrets.

So, here’s how I see the problem.

In today’s world, every organisation can be considered a high-tech business.

Modern technology enables your business to reach more customers, and allows your humans to be more productive, though sometimes in a less controlled way than you might like.

The same technology, unfortunately, allows the Bad Guys to reach your business in a myriad of different ways, too.

Believe it or not, most of the actions performed by your humans are not done with malicious intent.

Alice didn’t mean to lose her laptop, Bob didn’t realise that he was sending that email to the wrong person and Charlie genuinely thought he received a parcel delivery notification from his courier.

Yet, after nearly 30 years of trying and billions of pounds in investment, we are still struggling with cybersecurity because we often fail to recognise that the issue is more than just a technical problem.

The human firewall

So rather than looking at your humans and wondering about what PEBKAC [*] issues you’ll have to deal with next, instead look at them as having the potential to be individual human firewalls.

Weaponise them with enough knowledge to recognise a potential attack on their human emotions, and instil trust in them that they won’t be cast to the lions if they accidentally click on a link suggested by a hoodie-wearing hacker who’s sitting on the other side of the world.

Do that, and you will have one of the best detection and remediation systems that money can buy.

Create awareness

Create awareness around the office.

Get buy-in from a senior member of the organisation and consider having a dedicated area on the intranet where people can ask questions or as a place where you can post useful hints and tips, such as where to find great free security tools for personal use. (Sophos Home would be a good suggestion!)

Once you’ve created awareness, the natural progression is to measure who within your organisation is susceptible to phishing attacks – this is something that a phishing simulation toolkit can help you to identify.

If staff fail your phishing tests, don’t call them out or embarrass them – give them personal counselling to help them improve, to reduce the chance they’ll fall for phishing tricks again, and to get them on your side so they are ready to report potential security problems in the future rather than to sweep them under the carpet and hope no one notices.

Don’t ignore a particular department or person just because they are too busy or seem too important – those are great reasons for a cybercriminal to target them specifically, so make sure they’re included in your awareness activities.

Don’t be grumpy and mean

You’ll also win friends and influence people if you take care to show that not everyone in IT is there to be grumpy and mean.

Why not find a way to reward people for identifying potential security issues, all the way from keeping an eye out for tailgaters trying to slip into the building, to reporting dodgy emails with suspicious links and attachments?

Consider something as simple as having a jar of sweets or chocolate in the IT area so that people want to come and talk about security.

Or enter everyone who contacts you with a concern or reports a potential security issue into a monthly raffle for a prize such as a gift voucher.

Build a security team of everyone

Just think of the malware scare when Charlie clicked on that phishing email, and the position you found yourself in running around to figure out what happened.

Is it better for Charlie to hide what he’s done, fearing reprisal or ridicule from the IT team, or for him to approach you quickly and warn you about what just happened?

The latter would certainly put you in a better position to respond…

…so putting humans into your threat and risk assessments and creating a culture of security will put you and your business in a great position to face whatever comes next.

At the end of the day, every employee should be a part of the security team.

[*] PEBKAC = Problem Exists Between Keyboard And Chair.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z3X1CY3J-R4/

Hackers in Arab world collaborate more than hoodie-clad Westerners

Cybercriminals in the Arab states are some of the most co-operative in the world, according to a new report by Trend Micro.

The study, titled Digital Souks: A glimpse into the Middle Eastern and North African underground (PDF), identifies the most popular kinds of hacking tools and commodities, and the most active countries in the region.

Hacktivism, DDoS attacks and website defacements are a staple in the Middle East. These tactics are often carried out by actors who harbour ideological mistrust towards the West as well as local governments. Major primary product categories are malware (27 per cent), fake documents (27 per cent), stolen data (20 per cent), crimeware (13 per cent), weapons (10 per cent), and narcotics (3 per cent).

Items sold on the underground in the region are entirely different to other parts of the world, where drug sales dominate the scene.

Crimeware sold includes a variety of cryptors, malware and hacking tools. Typical prices include worms at $1-$12, keyloggers for free up to $19, known ransomware for $30-$50, malware builders for free up to $500, citadel (FUD) for $150, ninja RAT (FUD) for $100, and Havij 1.8 (cracked) for free.

Similar to the Russian-speaking underground, cashout services also abound. These are platforms from which physical items, usually stolen, are converted into cash. These services are paid in bankcards, Bitcoin (BTC) or via direct cash transactions.

In the Middle East underground, DDoS services can be purchased by hacktivists and threat actors to further their ideology. The average is $45 per hour, with three-hour packages at $275, and involves the deployment of tools such as Low Orbit Ion Cannon (LOIC) or Lizard Stresser.

Malware-as-a-Service (MaaS) typically includes a purveyor, a malware developer selling a single binary or a combination of a binary and builder marketed as fully undetectable (FUD). Average prices are $20 for a binary, and $30–$110 for a binary with CC infrastructure. A binary-builder package costs around $150–$400.

Forums

Stolen identities are sold in forums across the region. The Arabic forum hack-int in Egypt sells stolen identities for $18. The demand for personally identifiable documents is influenced by geopolitical tensions – their buyers might want to flee active war zones, for instance. Cybercriminals can also purchase fake documents to perpetrate fraud or worse.

Virtual private networks (VPNs) are a mainstay of cybercriminal activity and are purchased due to the anonymity they provide. VPNs offered here are purportedly secure, don’t store logs, and have multiple hop points. Cybercriminals typically use these servers as either part of a botnet, or as a jumping-off platform for further attacks.

Hosting providers make significant profit by selling regionalised hosting spaces, which allows for local language and time settings in addition to faster connection speeds. A single IP connection and 50GB of hard disk space, for instance, are sold for $50. Smaller plans exist, and start as low as $3.

Hackers commonly share malware and insights with each other for free and for the common good, making it a fertile ground for the creation of collaborative groups. By contrast hackers in Western Europe and North America are more likely to work independently.

When malware and hacking tools are sold rather than shared, prices in the region are high. For example, a keylogger in the North American underground costs between $1-$4 but the same item in a cybercrime souk in the Middle East would cost up to $19. The willingness of members to share content for a mutual cause helps balance out the price differences.

In other marketplaces, like North America or Russia, purveyors mostly focus on selling their wares to forum participants and seldom band together to plan cyber attacks. Hacking as a service is unique to the Middle East and North African underground due to the ideology that drives its trade, Trend Micro said.

Trend Micro has seen that regional marketplaces closely reflect the societies in which they operate. Brotherhood and religious alliance transcend the illicit transactions that occur through digital marketplaces in the region, spawning a “spirit of sharing” mindset.

“The prevalence of giving services and malware away for free is interesting,” said Ihab Moawad, Trend Micro’s VP for Mediterranean, Middle East Africa. “Other underground marketplaces provide support to members, but the extent and willingness in this region is unique.

“The region is not at par in terms of scale and scope when compared to other regions, but the products and services available remain common and sophisticated.”

For the purposes of its research, Trend Micro defined the MENA underground as marketplaces, websites, and forums hosted within the regions. Arabic is the prevalent language, although some sites are in Turkish, Farsi, English, and occasionally French. While criminals sell commodities to and from the Middle East and North Africa, they are also operating globally.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/middle_east_cybercrime_markets/

Unstructured Data: The Threat You Cannot See

Why security teams need to take a cognitive approach to the increasing volumes of data flowing from sources they don’t control.

Every day, IT security teams are inundated with data — security events, network flows, configuration information, and so on — which then must be collected and analyzed for potential vulnerabilities. Your team probably has a solid, established approach or even a documented strategy for doing this. If so, great. But is that enough?

The data collected by most security tools, such as firewalls and antivirus software, is structured — that is, organized in an easily searchable, relational database. Structured data, however, amounts to only a small portion of a larger, more complicated puzzle. It’s the remaining unstructured data that security teams struggle most to collect, analyze, and act upon — and the amount of unstructured data only continues to increase.

Think of how much security data flows from sources you don’t control, including the massive swaths of unstructured data living on the Deep Web — from blogs, forums, or bookmarking sites. This unorganized, often text-heavy data accounts for a majority of the Internet’s data. IDG believes unstructured data is growing at the rate of 62% per year, and that by 2022, 93% of all data will be unstructured. How can IT teams keep pace? The answer could lie in cognitive security — the use of big data platforms, data mining, AI, and machine learning to analyze raw data, whether structured or unstructured.

But first, let’s examine the problem.

Why It Matters
Understanding the magnitude of this issue requires examining the foundation of current security measures. Traditional security focuses on mitigating external threats — perimeter defenses to ward off the bad guys. As such, we often focus our security strategies on firewalls, antivirus software, and secure passwords.

Security innovation has almost always had this perimeter philosophy at its core. However, a myopic focus on perimeter protection severely limits the overall security strategy, potentially rendering it ineffective without complementary, proactive measures in place.

Consider the average IT organization’s reaction to the hundreds of thousands of daily security events. The process for today’s security teams involves analyzing data from antivirus software and firewalls, and then correlating that data to create a story, which in turn helps inform a solution.

In the process, security professionals are left with mountains of events to analyze manually and act upon. Meanwhile, while they’re busy responding to old threats, new threats continue to arise undetected. Consequently, the entire team finds itself fighting fires instead of solving or preventing problems. That doesn’t leave much bandwidth for data aggregation and analysis.

Unstructured, Untold, Unknown
Next, let’s think about how we, as IT professionals, share and consume security information, particularly during a major crisis. The current norm for security professionals is to update websites and social channels to explain how they’ve addressed a particular security issue and simply hope it reaches all relevant and necessary parties. Take, for example, this year’s WannaCry attack.

The first real solution offered to organizations affected by WannaCry was explained via Twitter, by a user known as MalwareTech. Although certainly helpful, social is by no means a perfect means of circulating widely sought, urgent information to security teams around the world. Merely posting online assumes that in the middle of a major crisis, frantically busy security professionals are manually scouring the Internet for the information you’re providing — something few people have time for in calmer times, let alone when the proverbial sky is falling.

Information sharing is critical to IT security — not only within individual organizations, but in the security industry as a whole. We rely on one another to share information about new and known threats, and often benefit from each other’s knowledge and experience. Unfortunately, the majority of information generated and shared by security professionals about breaches, threats, malware, etc., is unstructured, and thus much more difficult to unearth and apply in real time, particularly during critical security events that require immediate action.

How much time is lost and how much damage done, simply because we lack access to or awareness of viable solutions provided by our industry peers? Or because we lack a strategy for gathering and analyzing the flood of unstructured data at our disposal? This is where cognitive security offers vital, immediate benefits.

Welcome to the Cognitive World
A cognitive approach uses AI, data mining, and machine learning technologies to parse through thousands of security feeds and data sources — including the low-key, often invisible world of white- (and black-) hat bloggers and discussion forums — to aggregate and analyze unstructured and structured security data. Meanwhile, a security professional works to perform predictive data analysis, ultimately training the system on best practices, organizational policies, and more.

Over time, the system begins to learn on its own, including how to prioritize events and recommend responses. While cognitive security cannot replace existing security tools — antivirus software, for instance, or intrusion prevention systems — the data generated can be plugged into traditional perimeter defenses. As a result, IT pros gain a better understanding of their data’s meaning and how to convert insights into action.

Beyond the Perimeter
Unstructured data will only continue to proliferate. It’s time to get ahead of it so that security teams can better locate, analyze and respond to threats. That requires thinking beyond the perimeter and embracing security technologies that will bolster traditional defenses and provide a more proactive, intelligent security strategy.


Charles Fullwood has more than 15 years of industry experience. He directs software sales engineering at Force 3, a federal IT solutions company, where he is responsible for developing and leading a team of software sales and delivery engineers. Before joining Force 3, …

Article source: https://www.darkreading.com/analytics/security-monitoring/unstructured-data-the-threat-you-cannot-see--/a/d-id/1330070?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FDIC Incurs 54 Confirmed and Suspected Breaches in 2 Years

Office of Inspector General takes the Federal Deposit Insurance Corporation to task for its response to breaches.

Cyber attackers waged 54 suspected and confirmed breaches on the Federal Deposit Insurance Corporation (FDIC) from 2015 to 2016, but the agency took an average of more than nine months to notify the estimated 113,000 individuals who were potentially affected, according to a recently released report by the FDIC Office of Inspector General.

The Chairman of the Senate Committee on Banking, Housing, and Urban Affairs called for the FDIC audit out of concerns raised by the data breaches that occurred between January 2015 and December 2016.

In conducting the sample audit, which reviewed 18 of the 54 suspected and confirmed breaches, the Office of Inspector General delved into the FDIC’s processes for evaluating potential risk to individuals’ personally identifiable information following the breaches, its notification processes, and the services that it provided to individuals post-breach.

“The implementation of these processes was not adequate,” the report states. The Office of Inspector General found the FDIC failed to complete key breach investigation steps, adequately document key assessments and decisions, and track and report key breach response metrics, according to the report.

Read more about the FDIC report here.


Article source: https://www.darkreading.com/attacks-breaches/fdic-incurs-54-confirmed-and-suspected-breaches-in-2-years/d/d-id/1330086?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patches Windows Zero-Day Flaws Tied to DNSSEC

Security experts advise ‘immediate’ patching of critical DNS client vulnerabilities in Windows 8, 10, and other affected systems.

Microsoft today issued patches for three critical vulnerabilities in the Windows DNS client in Windows 8, Windows 10, and Windows Server 2012 and 2016 that ironically came via a security feature.

The heap buffer-overflow flaws discovered by researchers at Bishop Fox – and fixed via the new CVE-2017-11779 security update amid Microsoft’s October Patch Tuesday batch – could allow an attacker to wrest away full control of the targeted Windows machine without the victim taking any action at all. The bugs were found specifically in Microsoft’s implementation of one of the data record features used in the secure Domain Name System protocol, DNSSEC.

DNSSEC is a security layer for DNS that digitally signs DNS records and validates those signatures, so that responses can’t be spoofed.

Nick Freeman, the Bishop Fox researcher who discovered the vulnerabilities, says Microsoft’s implementation of the NSEC3 (Next Secure Record version 3) feature for DNSSEC is the culprit. It’s not surprising to find such a flaw, he says, because whenever a new security technology is added to software, it opens the door for implementation weaknesses. “Microsoft’s implementation was poor” due to improper vetting of the format of the DNSSEC messages, says Freeman, who is a senior security associate with Bishop Fox.

“It wouldn’t surprise me at all if other [vendors’ DNSSEC] implementations” had vulnerabilities as well, he says.

For an attacker to exploit the DNSSEC vulnerabilities in Windows, he or she would need to be sitting on the same physical network as the targeted machine: that means a malicious insider, or an outsider who sets up a man-in-the-middle attack to intercept DNS requests from the victim’s machine. DNS requests are generated by anything from browsing the Internet or checking email to the machine performing its own lookups for software updates.

The attacker could then respond to the Windows DNS requests with malicious data that would trigger the vulnerabilities and corrupt the memory of the DNS client. That would allow him or her to control the DNS flow, and ultimately gain control of the victim machine. “If someone was using a corporate laptop at a coffee shop and on WiFi, or hacked your cable router and you got hit … giving the attacker an entry point into the [corporate] network,” Freeman says. “They could then launch this attack against other systems on that network.”

The best protections from such an attack: steer clear of public WiFi or use a VPN while connected to it.

DNS security is typically an afterthought at most organizations, mainly because DNS is a relatively invisible network function behind the scenes that’s taken for granted. A recent survey found that three out of 10 companies have been hit with cyberattacks on their DNS infrastructure: and that’s only the organizations that actually are aware of these attacks.

It’s been nearly one year since the massive DDoS attack on Domain Name Service (DNS) provider Dyn that disrupted major websites including Amazon, CNN, Netflix, Okta, Pinterest, Reddit, and Twitter.

Bishop Fox researchers, meanwhile, say they haven’t seen signs of the Windows DNS flaws being abused by attackers yet. They recommend “immediate” patching of vulnerable Windows machines to protect against such attacks, and released a detailed technical report on the findings.

“This is a very traditional vulnerability, so it’s reasonable” for most attackers to be able to exploit it, Freeman says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-patches-windows-zero-day-flaws-tied-to-dnssec/d/d-id/1330084?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Busted! Founder sells $51m website, hacks it, tries to sell site its own data

What’s worse than Dracula sucking out your lifeblood? Dracula sucking out your lifeblood, bottling it and trying to sell it back to you.

The cyberbloodsucker in this case is David W. Kent, the man who in 2000 founded a recruitment and networking website, Rigzone, for professionals in the oil and gas industry. Ten years later, he sold it for a gushing geyser’s worth of money: DHI Group bought Rigzone off Kent for $51 million.

Four years after the sale of Rigzone, Kent slipped back into the site with an eye on a second windfall, using a number of cyber doors he’d left open during his tenure.

According to court documents (PDF), Kent also set up at least one employee to work at scraping all the member data from Rigzone. Next, he used the ripped-off Rigzone members’ details to plump up membership for his new site, Oilpro.com, which was in the same gas and oil business.

It gets better: next, Kent tried to entice DHI into buying the ripped-off members he’d stolen from them, offering to sell Oilpro to Rigzone.

Kent emailed the Rigzone CEO in October 2015. His sales pitch was classic marketing brag: Oilpro’s membership of 540,000 was grown by “LinkedIn style growth hacks” – in other words, Oilpro asked its members to upload their LinkedIn contacts and invite them to join Oilpro. In November, he told Rigzone that Oilpro had “a half dozen strategies that work well and are repeatable”. Plus, he later said, Oilpro was advertising on another site, Indeed.com.

In his conversations with Rigzone, Kent somehow neglected to mention his most effective strategy of all: waltzing into Rigzone’s database and sucking it dry. For this bundle of ripped-off members, Kent was looking for something like a $20m payoff. At least, that’s what he claimed that Oilpro had been valued at.

Michael Durney, president and CEO of DHI Group, said that the company smelled a rat – detecting unauthorized access to proprietary Rigzone information in early 2014.

According to the complaint, the tip-off was a Rigzone member who called customer support, asking why they’d received an email solicitation to use Oilpro’s services, even though they’d never provided any information to Oilpro.

Rigzone set up a honeypot to figure out who got into its members database. Namely, it set up two fake accounts in the database. Neither had a public-facing profile; all they had were names and email addresses that were only available through Rigzone’s members database.

Well, what do you know: in spite of not appearing anywhere publicly, both the fake accounts were solicited, via email, to join Oilpro.com. As the criminal complaint describes, the access came from IP addresses registered to Oilpro and to Kent’s home address. Between 2013 and 2016, Kent and at least one of his Oilpro employees accessed Rigzone’s data multiple times without authorization, slurping up details from more than 700,000 customer accounts.
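The canary-account technique Rigzone used is worth keeping in the toolbox, so here is an added Python example (not Rigzone’s code, and the domains and messages are constructed placeholders): it plants canary members whose addresses exist only in the database, scans inbound mail for anything sent to them, and reports which sender domains reached every canary, since a sender that hits addresses with no public profile must be working from the database itself.

```python
import secrets
from collections import defaultdict


class CanaryRegistry:
    """Canary accounts planted in a members database and never published anywhere."""

    def __init__(self, domain: str):
        self.domain = domain
        self._canaries = {}  # lowercase address -> label

    def plant(self, label: str) -> str:
        """Create a canary address that cannot be guessed from a public profile."""
        address = f"{label}.{secrets.token_hex(6)}@{self.domain}".lower()
        self._canaries[address] = label
        return address

    def is_canary(self, address: str) -> bool:
        return address.strip().lower() in self._canaries

    def label(self, address: str) -> str:
        return self._canaries[address.strip().lower()]


def find_solicitations(registry: CanaryRegistry, messages: list) -> dict:
    """Scan inbound mail records for anything addressed to a canary.

    messages: iterable of dicts with 'to', 'from' and 'subject' keys.
    Returns {canary_label: [sender domains]} so hits can be tied to whoever is
    using the data; canaries should otherwise never receive mail at all.
    """
    hits = defaultdict(list)
    for msg in messages:
        if registry.is_canary(msg["to"]):
            sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
            hits[registry.label(msg["to"])].append(sender_domain)
    return dict(hits)


def senders_using_leaked_data(hits: dict) -> set:
    """Sender domains that reached every canary that got mail: the strongest signal."""
    if not hits:
        return set()
    return set.intersection(*(set(domains) for domains in hits.values()))


def run_demo() -> tuple:
    """Plant two canaries and scan a constructed batch of inbound mail."""
    registry = CanaryRegistry("members.example")  # placeholder member-mail domain
    first = registry.plant("canary1")
    second = registry.plant("canary2")
    # Constructed sample messages; "rival.example" stands in for a site using the data.
    inbound = [
        {"to": first, "from": "invite@rival.example", "subject": "Join our network"},
        {"to": second.upper(), "from": "invite@rival.example", "subject": "Join our network"},
        {"to": "real.member@members.example", "from": "invite@rival.example",
         "subject": "Join our network"},
        {"to": first, "from": "news@newsletter.example", "subject": "Weekly digest"},
    ]
    hits = find_solicitations(registry, inbound)
    return hits, senders_using_leaked_data(hits)


if __name__ == "__main__":
    hits, culprits = run_demo()
    print("canary hits:", hits)
    print("sender domains that reached every canary:", culprits)
```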

The first round of hacks took place sometime between 17 October 2013 and 15 April 2014.

The rate at which the Rigzone site received requests “suggests very strongly that they were sent using an automated computer program,” FBI Special Agent Evelina Aslanyan wrote in the complaint. They used a command to access resumes that had been “crafted to exploit a piece of source code unique to [Rigzone]”: one that was known only to a few individuals, including Rigzone’s founder, David Kent.

The Register quotes a transcript of Kent’s acknowledgement of his wrongdoing, in which he explained to the judge that he didn’t abuse anyone’s password:

The web pages I accessed didn’t necessarily have a log-in feature but I do believe I accessed those web pages without authorization.

The FBI arrested Kent in March 2016.

On Friday, Acting Manhattan U.S. Attorney Joon H. Kim said that Kent has been sentenced in Manhattan federal court to one year and one day in prison for intentionally accessing a protected computer without authorization.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/v8jECDLwhuY/

Real Mad-quid: Murky cryptojacking menace that smacked Ronaldo site grows

Cryptojacking is well on its way to becoming a new menace to internet hygiene.

In some cases internet publishers are making money by using the spare processor cycles of visiting surfers to mine cryptocurrency, but in other incidents hackers have planted JavaScript that covertly hijacks visitors’ machines for the same purpose – a practice that has become known as cryptojacking.

Dodgy code capable of running the trick surfaced on TV channel Showtime.com late last month before it appeared on the official website of Portugal and Real Madrid football star Cristiano Ronaldo last week.

The script that was on his website has since been removed, said security researcher Troy Mursch.

Both incidents were associated with code called Coinhive, which was mining a digital currency called Monero. The Pirate Bay deliberately planted mining code on its site before owning up to the “test” some time later. In other cases, the mining was either the byproduct of malicious adverts or run via legitimate but compromised websites, as in both the Showtime and Cristiano Ronaldo cases.

Only several days of diligent nagging of the developers behind the Ronaldo site by security researcher Mursch (@bad_packets) secured the admission that the script wasn’t put there by them, along with the suggestion to talk to CR7’s management company.

Ronaldo’s people have yet to respond directly to The Register’s repeated requests for comment. “Since the code on @Cristiano’s was unthrottled, it was probably miscreants,” Mursch told El Reg.

The amount criminals can make is normally quite small, perhaps into the thousands of dollars. High-traffic sites would be able to generate a lot more through legitimate advertising.

For miscreants, cryptojacking offers a number of advantages even though it’s less lucrative than serving up malicious ads that sling either malware or tech support scams.

Although some experts argue that covert crypto mining is a form of theft, it has the advantage of being much less likely to generate complaints. The technology exists in a grey area made more obscure by the difficulty of knowing whether the code is there with the website owner’s permission. The presence of the code on a site does not affect its core functionality.

Coinhive touts itself as a way for website owners to quickly set up mining by using their JavaScript API. The technology is already being widely abused, as explained in a blog post by Malwarebytes here.
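
Because the miner is loaded through an ordinary script tag and started by a short inline call, a defender can find it the same way Mursch did: pull the page, list its scripts, and look at how the miner was configured. The scanner below is an added example for this page, not Mursch’s tooling or Coinhive’s own code. The host list is an assumption (coinhive.com served Coinhive’s library; crypto-loot.com is taken to be the host of the CryptoLoot miner mentioned below), the three sample pages are constructed, and the `new CoinHive.Anonymous(siteKey, {throttle: ...})` shape follows Coinhive’s public library as documented in 2017. It reports the throttle setting because, as Mursch notes above, an unthrottled miner is the tell that the code was injected rather than placed by an owner trying to monetise quietly.

```python
"""Scan HTML for in-browser mining scripts such as Coinhive, written as an example.

Reports script tags loaded from known miner hosts, inline miner constructor
calls, and whether the miner is throttled. An unthrottled miner is the signal
Mursch used to judge the Ronaldo injection as the work of miscreants rather
than the site's owners. The host list is an assumption and the sample pages
are constructed; the CoinHive.Anonymous(siteKey, {throttle}) shape follows
Coinhive's public library as documented in 2017.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "crypto-loot.com"}  # assumed list; extend as needed
CTOR_RE = re.compile(r'\bCoinHive\.(Anonymous|User|Token)\s*\(')
THROTTLE_RE = re.compile(r'\bthrottle\s*:\s*([0-9]*\.?[0-9]+)')


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host(src):
    """Hostname of a script src; protocol-relative (//host/...) URLs included."""
    return (urlparse(src if "//" in src else "//" + src).hostname or "").lower()


def scan_html(html):
    """Return a dict of miner indicators for one page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    hosts = [h for h in map(_host, p.srcs)
             if any(h == m or h.endswith("." + m) for m in MINER_HOSTS)]
    ctors, throttle = [], None
    for body in p.inline:
        c = CTOR_RE.search(body)
        if c:
            ctors.append(c.group(0).rstrip("( ").strip())
            t = THROTTLE_RE.search(body)
            if t:
                throttle = float(t.group(1))
    return {
        "mining": bool(hosts or ctors),
        "miner_hosts": hosts,
        "constructors": ctors,
        "throttle": throttle,
        # Started with no throttle option, or throttle 0: every spare cycle goes
        # to the miner, which is what made the Ronaldo code look injected.
        "unthrottled": bool(ctors) and not throttle,
    }


# Constructed pages: an owner monetising openly (throttled), an injection in
# the footer like the Ronaldo case (unthrottled), and a clean page.
PAGE_THROTTLED = """<html><body><p>Welcome</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY_EXAMPLE', {throttle: 0.5}); miner.start();</script>
</body></html>"""
PAGE_INJECTED = """<html><body><p>Fan site</p><script src="/js/app.js"></script>
<footer><script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('SITEKEY_EXAMPLE').start();</script></footer></body></html>"""
PAGE_CLEAN = """<html><body><script src="/js/app.js"></script>
<script>console.log('hello');</script></body></html>"""

if __name__ == "__main__":
    for name, page in [("throttled", PAGE_THROTTLED), ("injected", PAGE_INJECTED), ("clean", PAGE_CLEAN)]:
        print(name, scan_html(page))
```

Run this against the served HTML rather than the files on disk: an injection placed through a compromised CMS or a tampered third-party include only shows up in what the browser actually receives. A site whose owner has knowingly added a throttled miner still shows `mining: True`, which is the correct answer; the throttle value is what separates the grey-area monetisation the article describes from a drive-by hijack.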

A list of sites running Coinhive can be found here. Another scripting nasty, dubbed CryptoLootMiner, has surfaced in other incidents. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/cryptojacking/

Overdraft-fiddling hackers cost banks in Eastern Europe $100m

Hybrid cyber attacks on banks in former Soviet states have already resulted in estimated losses of $100m.

Security researchers at Trustwave report that cybercriminals are using mules to open accounts with counterfeit documents while hackers compromise the bank’s systems to obtain unauthorised privileged access and break into the network of third-party processors.

The hackers ultimately target privileged access to card management systems, then activate overdraft facilities and lower the risk ratings associated with the counterfeit bank accounts. At that point the mules can withdraw funds from cash machines, running up huge debts.

The crooks use a combination of opportunistic phishing, social engineering, and Windows exploits to gain entry into the banking systems. Trustwave reports that key loggers are planted on compromised networks to snaffle login credentials of bank employees authorised to approve overdrafts. Although the attacks originated in Eastern Europe/Russia, Trustwave believes that there is a very high probability that this technique will spread globally.

The multiple stages of a hybrid bank attack [source: Trustwave]

The SpiderLabs team at Trustwave found linked scams after it was asked to investigate a series of bank breaches originating in ex-Soviet countries during mid-to-late 2017. The actual amount of money stolen was different in each case, with the average amount around $5m (in cash), ranging from $3m to $10m.

The investigations revealed that multiple attacks shared a number of common features, such as large losses from what initially appeared to be legitimate customer accounts. In all cases, the theft took place using normal withdrawals from various cash terminals outside the bank’s originating country.

In some cases, the banks didn’t realise a breach had taken place and a significant amount of money was stolen well after the attack was completed. In a few cases, the malicious activity was reported to the banks by third-party firms responsible for processing the bank’s debit and credit card transactions. The common tie between all the scams was that money was stolen using legitimate cards provided by each bank. ®
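
The pattern Trustwave lays out is unusually well suited to a correlation rule, because each stage leaves a record in a different system: the mule's account opening, the privileged changes in card management (overdraft enabled, risk rating lowered), and the ATM withdrawals seen by the card processor. The rule below is an added example written for this page, not Trustwave’s detection logic or any bank’s. Its event schema, account and staff identifiers, country codes and amounts are all constructed; `HOME_COUNTRY` is a placeholder for the issuing bank’s country. It flags an account when overdraft and risk-rating changes are followed, within a window, by foreign cash withdrawals that exceed everything the account ever received, and it reports the staff identity under which the changes were made, since the article notes those credentials were captured by keyloggers.

```python
"""Correlation rule for the hybrid overdraft fraud Trustwave describes, written
as an example. It joins card-management changes (overdraft enabled, risk
rating lowered) with subsequent ATM withdrawals and flags accounts where
foreign cash withdrawals exceed the money ever deposited. All accounts,
staff identifiers, countries and events are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "XX"  # assumed placeholder for the issuing bank's country code

# Constructed event stream: (timestamp, account, event type, details).
# ACC-100 is an ordinary customer. ACC-101 is a mule account: overdraft
# switched on and risk rating dropped under one staff login within two
# minutes, then cashed out abroad far above anything ever deposited.
EVENTS = [
    ("2017-08-01T09:00", "ACC-100", "open", {"deposit": 200}),
    ("2017-08-01T09:05", "ACC-101", "open", {"deposit": 150}),
    ("2017-08-20T10:00", "ACC-100", "deposit", {"amount": 1500}),
    ("2017-09-02T01:14", "ACC-101", "overdraft_set", {"limit": 250000, "by": "emp-4471"}),
    ("2017-09-02T01:15", "ACC-101", "risk_rating", {"old": 4, "new": 1, "by": "emp-4471"}),
    ("2017-09-02T03:40", "ACC-101", "atm_withdrawal", {"amount": 60000, "country": "YY"}),
    ("2017-09-02T03:52", "ACC-101", "atm_withdrawal", {"amount": 60000, "country": "YY"}),
    ("2017-09-02T04:10", "ACC-101", "atm_withdrawal", {"amount": 60000, "country": "ZZ"}),
    ("2017-09-03T12:00", "ACC-100", "atm_withdrawal", {"amount": 300, "country": "XX"}),
]


def find_hybrid_fraud(events, home_country=HOME_COUNTRY, change_window=timedelta(hours=72)):
    """Return {account: finding} for accounts matching the pattern.

    Pattern: overdraft enabled AND risk rating lowered (privileged changes),
    followed within change_window by foreign ATM withdrawals whose total
    exceeds all deposits the account ever received.
    """
    by_acct = defaultdict(list)
    for ts, acct, kind, detail in events:
        by_acct[acct].append((datetime.fromisoformat(ts), kind, detail))

    findings = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e[0])
        deposits = sum(d.get("deposit", 0) + d.get("amount", 0)
                       for _, k, d in evs if k in ("open", "deposit"))
        overdrafts = [(t, d) for t, k, d in evs
                      if k == "overdraft_set" and d.get("limit", 0) > 0]
        downgrades = [(t, d) for t, k, d in evs
                      if k == "risk_rating" and d["new"] < d["old"]]
        if not overdrafts or not downgrades:
            continue  # both privileged changes are required for this pattern

        first_change = min(overdrafts[0][0], downgrades[0][0])
        foreign = [(t, d) for t, k, d in evs
                   if k == "atm_withdrawal" and d["country"] != home_country
                   and first_change <= t <= first_change + change_window]
        cashed_out = sum(d["amount"] for _, d in foreign)
        if cashed_out > deposits:
            findings[acct] = {
                "deposits": deposits,
                "foreign_cash_out": cashed_out,
                "countries": sorted({d["country"] for _, d in foreign}),
                # Staff logins that made the changes: candidates for stolen
                # credentials, to be reviewed alongside the account itself.
                "changed_by": sorted({d["by"] for _, d in overdrafts + downgrades}),
                "first_change": first_change.isoformat(),
            }
    return findings


if __name__ == "__main__":
    for acct, finding in find_hybrid_fraud(EVENTS).items():
        print(acct, finding)
```

The rule is intentionally strict (both privileged changes, foreign withdrawals, and cash-out above lifetime deposits) so that a genuine customer who travels and uses an agreed overdraft does not trip it. The same logic is more valuable at the card processor than at the bank: the article notes it was often the processor, seeing the withdrawals, that told the bank a breach had happened.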

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/hybrid_bank_cyber_robbery/

Key New Security Features in Android Oreo

Android 8.0 Oreo marks a major revamp of Google’s mobile operating system, putting in a number of new security-hardening measures.

Google is serving up a number of new security features in its new Android 8.0 Oreo – one of which is expected to put it on par with Apple’s iOS when it comes to delivering software updates, say security researchers.

Android devices, which are notorious for falling behind on operating system (OS) updates and patches, should have a speedier path to the latest version of the OS under Oreo’s so-called Project Treble feature.

“Enterprises will be able to maintain a more up to date fleet of devices that are patched against vulnerabilities that can lead to the loss of data,” says Andrew Blaich, security researcher at Lookout.

The downside, however, is that existing devices that are not capable of supporting Android’s Project Treble are likely to be left behind. As a result, Blaich adds, enterprises that fall into that camp will need to shell out more money on newer devices to take advantage of the new security features.

Oreo, which launched in August, is available on Google’s Pixel and Nexus mobile devices. It will be rolled out in phases by the end of the year to other Android device manufacturers such as Samsung, Motorola, LG and HTC, according to Google’s developers blog.

Most phone vendors are actively porting the Project Treble abstraction layer over to their platforms, says Brian Chappell, senior director of enterprise and solutions architecture for BeyondTrust.

Even so, not all older Android devices that are updated to Oreo will gain Project Treble support, Blaich cautions.

Here are seven of the hottest new security features in Android Oreo, including Project Treble: 

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/endpoint/key-new-security-features-in-android-oreo/d/d-id/1330075?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple