STE WILLIAMS

Intel ME controller chip has secret kill switch

Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

If compromised, it becomes a backdoor, giving an attacker control over the affected device.

That possibility set off alarms in May, with the disclosure of a vulnerability in Intel’s Active Management Technology, a firmware application that runs on the Intel ME.

The revelation prompted calls for a way to disable the poorly understood hardware. At the time, the Electronic Frontier Foundation called it a security hazard. The tech advocacy group demanded a way to disable “the undocumented master controller inside our Intel chips” and details about how the technology works.

An unofficial workaround called ME Cleaner can partially hobble the technology, but cannot fully eliminate it. “Intel ME is an irremovable environment with an obscure signed proprietary firmware, with full network and memory access, which poses a serious security threat,” the project explains.

On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.

HAP stands for high assurance platform. It’s an IT security framework developed by the US National Security Agency, an organization that might want a way to disable a feature on Intel chips that presents a security risk.
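As an added illustration that is not part of the article or of Positive Technologies' work: the HAP bit sits in the PCH soft straps of the SPI flash descriptor, and the Python below reads a firmware image, reports whether that bit is already set, and can produce a patched copy with only that bit changed. The descriptor offsets it uses (signature at 0x10, FLMAP1 at 0x18, PCH strap base encoded in FLMAP1 bits 16-23, HAP as bit 16 of PCHSTRP0 on ME 11) are assumptions taken from public descriptions of the descriptor layout, as is the constructed test image; verify them against your platform documentation before relying on the result.

```python
import struct

# Assumed descriptor layout (public descriptions of the Intel flash descriptor,
# as used by tools such as me_cleaner); not from the article. Verify per platform.
FD_SIGNATURE = 0x0FF0A55A   # descriptor signature dword at image offset 0x10
FD_SIG_OFFSET = 0x10
FLMAP1_OFFSET = 0x18
HAP_BIT = 1 << 16           # bit 16 of PCHSTRP0 is the HAP bit on ME 11


def _pchstrp0_offset(image: bytes) -> int:
    """Locate PCHSTRP0: FLMAP1 bits 16-23 hold the PCH strap base in 16-byte units."""
    if len(image) < FLMAP1_OFFSET + 4:
        raise ValueError("image too short to contain a flash descriptor")
    sig, = struct.unpack_from("<I", image, FD_SIG_OFFSET)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap1, = struct.unpack_from("<I", image, FLMAP1_OFFSET)
    fpsba = ((flmap1 >> 16) & 0xFF) << 4
    if fpsba + 4 > len(image):
        raise ValueError("PCH strap base points outside the image")
    return fpsba


def hap_bit_set(image: bytes) -> bool:
    """Report whether the HAP bit is set in PCHSTRP0 of this image."""
    off = _pchstrp0_offset(image)
    pchstrp0, = struct.unpack_from("<I", image, off)
    return bool(pchstrp0 & HAP_BIT)


def with_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with the HAP bit set; no other byte is touched."""
    off = _pchstrp0_offset(image)
    buf = bytearray(image)
    pchstrp0, = struct.unpack_from("<I", buf, off)
    struct.pack_into("<I", buf, off, pchstrp0 | HAP_BIT)
    return bytes(buf)


def make_test_image(fpsba: int = 0x100, pchstrp0: int = 0) -> bytes:
    """Constructed 4 KiB descriptor region for demonstration only (not a real dump)."""
    buf = bytearray(0x1000)
    struct.pack_into("<I", buf, FD_SIG_OFFSET, FD_SIGNATURE)
    struct.pack_into("<I", buf, FLMAP1_OFFSET, ((fpsba >> 4) & 0xFF) << 16)
    struct.pack_into("<I", buf, fpsba, pchstrp0)
    return bytes(buf)


if __name__ == "__main__":
    img = make_test_image()
    print("HAP bit set before:", hap_bit_set(img))
    patched = with_hap_bit(img)
    print("HAP bit set after: ", hap_bit_set(patched))
    print("bytes changed:", [i for i in range(len(img)) if img[i] != patched[i]])
```

On a real dump, the descriptor region normally begins at offset 0 of the SPI image, so the same functions apply to the raw file; the signature check guards against pointing the script at a bare ME region or a non-Intel image.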

The Register asked Intel about this and received the same emailed statement that was provided to Positive Technologies.

“In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features,” Intel’s spokesperson said. “In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s ‘High Assurance Platform’ program. These modifications underwent a limited validation cycle and are not an officially supported configuration.”

Positive Technologies in its blog post acknowledged that it would be typical for government agencies to want to reduce the possibility of unauthorized access. It noted that HAP’s effect on Boot Guard, Intel’s boot process verification system, remains unknown, though it hopes to answer that question soon. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

Tech firms take down WireX Android botnet

A coalition of tech firms has taken down the WireX botnet, a malware network run predominantly off Android phones running subverted apps.

The botnet first popped up on security researchers’ radars on August 2 in a small way, and within weeks the number of infected nodes had reached the tens of thousands. It appears that the botnet’s infection software was being hosted in Google’s own Play Store, hidden in seemingly innocuous apps like media players and ringtones.

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” Google said in a statement. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users everywhere.”

Estimates of the total botnet’s size vary, because infected nodes only ping in when the phone they are on is active – but it’s thought to be in the low six figures. The botnet was used to launch distributed denial of service attacks by spamming out HTTP GET requests until website connections crumbled under the load.

By August 17 the botnet had grown and spread over users in 100 countries, and the DDoS attacks were getting serious. Researchers found the rogue code and determined that it was possibly advertising click-fraud software that had been repurposed for DDoS attacks.

Infected apps were still running the advertised functions as normal, but were hiding other system processes under names like Device Analysis, Data Storage and Package Manager. The Android store has now been cleaned up and the researchers say the attack vector has been patched by Google.
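The defensive side of the GET flood described above, as an added example that is not part of the article or of the researchers' tooling: a botnet of this shape produces many low-rate sources rather than one noisy client, so per-IP rate limits miss it. The Python below parses combined-format web server log lines, buckets GET requests into fixed windows, and flags windows whose aggregate request count is high while the traffic is spread across many sources. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format, e.g.
# 198.51.100.7 - - [17/Aug/2017:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def detect_get_flood(lines, window_s=10, rate_threshold=50, min_sources=20):
    """Bucket GET requests into fixed windows and flag windows above the rate threshold.

    Each alert records how many distinct sources were involved and the share of the
    busiest one, so a distributed flood (many sources, tiny top share) can be told
    apart from a single misbehaving client."""
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> Counter of source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1

    alerts = []
    for start, ips in sorted(buckets.items()):
        total = sum(ips.values())
        if total < rate_threshold:
            continue
        _, top_n = ips.most_common(1)[0]
        alerts.append({
            "window_start": start,
            "requests": total,
            "distinct_sources": len(ips),
            "top_source_share": round(top_n / total, 2),
            "distributed": len(ips) >= min_sources,
        })
    return alerts


def sample_log():
    """Constructed sample: a quiet window, then a flood from 100 sources at two requests each."""
    fmt = '{ip} - - [17/Aug/2017:10:00:{sec:02d} +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip=f"192.0.2.{i % 3 + 1}", sec=i) for i in range(5)]
    for n in range(100):
        for k in range(2):
            lines.append(fmt.format(ip=f"198.51.100.{n + 1}", sec=10 + (n + k) % 10))
    return lines


if __name__ == "__main__":
    for alert in detect_get_flood(sample_log()):
        print(alert)
```

In production the window counts would come from a streaming log pipeline rather than a list, and the threshold would be set from the site's own baseline; the useful signal is the combination of a jump in aggregate rate with a low top-source share, which is exactly what a phone-based botnet of tens of thousands of nodes looks like from the server.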

Different pieces of the puzzle

“These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms,” Akamai said in a blog post. “Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”

The case also highlights yet another failure of Google’s Bouncer machine learning system, which is supposed to find and block malware-laden apps from the Play Store. While third-party Android app stores are routinely packed with infected apps, Bouncer has been touted by the Chocolate Factory as a way to ensure that its Play Store is clean.

But as we’ve seen with depressing regularity, Bouncer has been opening the door to many apps that have it fooled. It’s likely that developers are using the Bouncer system as a method to check new ways of hiding malware in normal-looking apps and refining their techniques to beat the system.

While malware does occasionally make its way into the Apple App Store, it’s relatively rare. That Google, with all its resources, can’t do the same isn’t very impressive and will only help the popularity of iOS. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/28/tech_firms_take_down_wirex_android_botnet/

WannaCrypt NHS victim Lanarkshire infected by malware again

One of the UK National Health Service boards hit by WannaCrypt earlier this year has again been infected by malware.

The Lanarkshire board manages the Hairmyres Hospital, Monklands Hospital, and Wishaw General Hospital in Scotland, and on Friday had to warn patients that it was only handling emergency cases.

Lanarkshire was one of the many NHS districts hit by the WannaCrypt ransomware attack earlier this year.

The latest infection took out the hospital’s staff rostering and telephone systems, and on Saturday morning NHS Lanarkshire posted this brief statement on its Facebook page:

“Due to NHS Lanarkshire IT issues, the staff bank system and telephone are offline and currently unavailable” (“staff bank” refers not to a financial service, but the system that tracks available staff – El Reg).

At the time, NHS Lanarkshire expected a 72 hour outage, and CEO Calum Campbell attributed the outage to malware, with systems taken offline to contain the outbreak with help from its IT provider.

A couple of hours later on Saturday morning, it posted an update requesting that people avoid visiting emergency departments unless absolutely necessary.

By Sunday, Campbell posted that staff had “worked overnight to secure and reinstate our IT systems”, adding that affected systems “are in the process of being fixed”.

Campbell apologised to patients affected by the outage and promised that their appointments would be re-scheduled.

In an unrelated report, security outfit Proofpoint last Thursday said it had spotted a ransomware it dubbed “Defray” targeting hospitals, via Word files entitled “Patient Report”, in the US and UK. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/28/wannacrypt_nhs_victim_lanarkshire_infected_by_malware_again/

Judge scales back data demand on inauguration riot-related web host

The US government really, really wants to know about the people who planned protests on the day of Donald Trump’s inauguration as president in January. Now, after a legal tug-of-war and dialing back its demands, it has won a victory, though the judge’s go-ahead has shaved its demands back further still.

On July 17, the government had served the far-reaching search warrant (PDF) on DreamHost. That’s the hosting company used by disruptj20.org: a site that helped co-ordinate the Inauguration Day protest.

This week, for reasons it didn’t make clear, the government sharply dialed down its demands. DreamHost in essence said, “Well, that’s what we were after from the get-go,” (though it still has First and Fourth Amendment problems with the warrant), and a Washington DC judge on Thursday approved the warrant…

…with yet more restrictions on the data demand, mind you. As Reuters reports, Chief Judge Robert Morin, who will oversee review of the data, said the government has to specify what protocols will be put in place to keep prosecutors from seizing the data of “innocent users”.

As we reported last week, DreamHost initially refused to comply with the warrant — compliance that, it said, would involve handing over the IP addresses of 1.3m visitors to the site, their contact information, their email content, and photos of thousands of people, all “in an effort to determine who simply visited the website”.

In its opposition motion (PDF), DreamHost said the warrant’s breadth violated the Fourth Amendment because it failed to describe with “particularity” the items to be seized. Asking for “all records or other information” pertaining to the site, including “all files, databases and database records” is far too broad, the company said. Complying with the warrant would also have First Amendment implications, given that it would give the government information on protesters and thus might lead to a chilling of free speech and association, DreamHost argued.

On Inauguration day, some rioters were armed with hammers, crow bars, wooden sticks and other weapons. Says the government, they

… moved as a cohesive unit for approximately thirty (30) minutes, traveling more than a dozen city blocks, as individual participants engaged in violence and destruction that caused hundreds of thousands of dollars’ worth of property damage and left civilians and officers injured.

According to the Washington Post, the cost of damage was actually in the tens of thousands. Six police officers were injured. More to the point, it was violent, people got hurt, and, understandably, the government wants to find those responsible.

Nineteen guilty pleas have resulted from the ongoing criminal investigation, and 200 charges are pending.

Well, we don’t know precisely what coffee the Department of Justice woke up and smelled, but on Tuesday, it filed a reply brief in response to DreamHost’s challenge to the search warrant, in which it walked back its information demand.

In its reply, the government said that yes, of course it respects Americans’ First Amendment rights to protest – peacefully – and to read “protected” political expression online. Online expression that the First Amendment doesn’t protect:

  1. Obscenity
  2. Fighting words
  3. Defamation (including libel and slander)
  4. Child pornography
  5. Perjury
  6. Blackmail
  7. Incitement to imminent lawless action
  8. True threats
  9. Solicitations to commit crimes

The warrant is specifically looking to sniff out evidence of incitement to break the law or solicitations to commit the crime of rioting, the DOJ said in the reply brief.

The Warrant is focused on evidence of the planning, coordination and participation in a criminal act, that is, a premeditated riot. The First Amendment does not protect violent, criminal conduct such as this.

The DOJ insisted that there was nothing wrong with the warrant, which covered emails between the site’s organizers and people interested in attending the protests, any deleted messages and files, subscriber information including names and addresses, and even unpublished photos and blog posts.

Without giving detail, the DOJ said that since the warrant was issued in July, it’s come into possession of new facts. It still wants pretty much all the information it initially requested with the search warrant, but in the reply brief, it promised to carve out and set aside information outside of the warrant, to seal it, and to leave it be, barring any future court order to the contrary.

It’s not going to identify political dissidents. Nor is it going to use the DreamHost data to chill free association or speech, the DOJ says, taking a jab at how vociferous DreamHost has been about its refusal to comply:

The Warrant… is singularly focused on criminal activity…

The government has no interest in records relating to the 1.3m IP addresses that are mentioned in DreamHost’s numerous press releases and Opposition brief.

The government submitted an amended list of what it wants to seize. Basically, it still wants everything, it said: it just planned to ignore whatever’s not related to criminal rioting. That means excluding the following from its original records request:

  • Any unpublished media, including both text and photographs that may appear in blog posts that were drafted but never made public.
  • Any HTTP access and error logs, meaning that “visitors’ IP addresses are largely safe,” DreamHost said on Tuesday.

At a hearing on Thursday, Morin acknowledged the tension between free speech rights and law enforcement’s need to search digital records for evidence. His order granting the government’s request for information therefore contains more safeguards than those the government had suggested. Besides requiring details on the protocols to protect innocent disruptj20 visitors, he also curtailed the time frame for records to those generated from October to Inauguration Day. The original scope of records demanded was from July 1 2016 to Inauguration Day on January 20.

Morin also instructed the prosecutors to explain exactly why anything they want to seize is relevant to the investigation.

After the government’s reply brief had scaled back data demands earlier in the week, DreamHost said that it saw the narrowing of scope as a “huge win” for internet privacy.

We absolutely appreciate the DOJ’s willingness to look at and reconsider both the scope and the depth of their original request for records. That’s all we asked them to do in the first place, honestly.

It may be a huge win, but it’s not a perfect win. DreamHost planned to submit filings to address outstanding First and Fourth Amendment issues at the Thursday hearing.

Reuters quoted Raymond Aghaian, DreamHost’s lawyer, following Morin’s addition of more privacy safeguards:

It’s a tremendous step in terms of further limiting what the government can do.

It’s not all sunshine and roses yet, though, Aghaian said: the company still has concerns about the chilling effect of data being turned over for government review and is considering an appeal, Reuters reports.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4ZE6oyXYWB0/

News in brief: ‘GoldSun’ arrested at LAX; update bricks smart TVs; Facebook ‘shuts 1m accounts a day’

Your daily round-up of some of the other stories in the news

Airport arrest for alleged hacker

A Chinese man has been arrested in the US in connection with allegations that he conspired with hackers to breach a group of US companies’ computer networks.

Yu Pingan was arrested at Los Angeles airport shortly after arriving on a flight there, according to the BBC. The FBI alleges that Yu provided hackers with malware including the Sakula trojan, which has been linked to the breach at health insurance firm Anthem, when nearly 80m records were exposed, and the 2014 breach at the US Office of Personnel Management.

The charges allege that Yu, also known as “GoldSun”, was a key member of the gang that attacked US companies in California, Massachusetts and Arizona between 2011 and 2014. Yu conspired with two unnamed hackers to carry out the attacks, claims the FBI.

Samsung TVs bricked by update

You have to feel for Samsung: just days after the well-received launch of the Galaxy Note 8, which the Korean manufacturer hopes will erase memories of the battery issues that resulted in it withdrawing the Galaxy Note 7 last year, buyers of its high-end smart TVs are complaining that an update has bricked their devices.

The Guardian reported that “thousands” of recently bought TVs had been bricked, with owners of three models – the UE50MU6100K, the UE49MU7070 and the MU6409 – saying that the devices wouldn’t change channel or even boot beyond the splash screen after being turned on.

Samsung responded that “a small number” of TVs in the UK – fewer than 200 – had been affected by the firmware update that had been pushed out, adding: “Once this issue was identified, the update was switched off and we’re now working with each customer to resolve the issue.”

What’s unfortunate is that these are new and definitely not cheap TVs: one upset customer, reported the Guardian, had only bought the £1,400 TV two weeks ago. On Friday evening (BST), the support forum thread was 10 pages long, with some customers complaining that they were having to wait until next week for a visit from an engineer to fix the problem.

Facebook closes 1m accounts a day

Facebook shuts down more than 1m accounts every day because of spam, fraud and hate speech, CNBC reported on Thursday.

Alex Stamos, chief security officer, pushed back at an event in San Francisco against suggestions that there were too many false positives among the accounts it shuts. “It’s not just a bunch of white guys” deciding what to take down, he told free-speech advocates.

Eva Galperin of the Electronic Frontier Foundation said at the event that “the work of takedown teams is not transparent. The rules are not enforced across the board. They reflect biases.”

Stamos pointed out that Facebook has to work within the law of more than 100 countries, with widely varying provisions on free speech, and added: “When you turn up the volume on hate speech, you’ll get more false positives and catch people who are just talking about it rather than promoting it.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SE_hvvrTsh0/

Brazilians waxed: Uni’s Tor relay node booted after harvesting .onions

A university research project in Brazil has had its Tor relay node banned after it was caught harvesting the .onion addresses of visitors.

Marcus Rodrigues, a junior researcher with the University of Campinas in São Paulo, claims he and others were working to create a tool that could tell malicious hidden services from benign ones when they decided to begin poking .onion addresses and fetching their webpages in bulk.

“My research in particular is about malicious hidden services. I’m developing a method to automatically categorize a malicious hidden service by its content (eg, drug traffic website, malware propagation),” Rodrigues told The Register.

“We would then publish an academic paper containing up-to-date statistics regarding what kind of malicious websites there are on the dark web. We were also going to develop a platform on which the user could verify if a certain .onion website is trustworthy or malicious before entering it.”

To do this, Rodrigues says, he modified the node to collect specific data about the hidden services, though he notes nothing was collected that could de-anonymize the user or the specific service.

“That would provide information about the Hidden Services running at the time, such as their .onion addresses, their popularity and some technical data – none of which would allow me to deanonymize or harm the hidden service in any way,” he explained.

In a Tor mailing list post on Thursday, Rodrigues described the system in more detail:

My relay was harvesting .onion addresses and I apologize if that breaks any rule or ethical guideline.

We were conducting some research on malicious Hidden Services to study their behavior and how we could design a tool that could tell malicious and benign Hidden Services apart.

Because we focus mainly on web pages, we use a crawler to get almost all of the data we need. However, there are some statistics (such as the size of the Tor network, how many HSs run HTTP(s) protocol, how many run other protocols and which protocols do they run, etc) which cannot be obtained through a crawler. That’s why we were harvesting .onion addresses.

We would run a simple portscan and download the index page, in case it was running a web server, on a few random addresses we collected. We would also try and determine the average longevity of those few HSs. However, after collecting the data we needed for statistical purposes, the .onion addresses we collected would be deleted and under no circumstances we would disclose the information we collected on a specific .onion address we harvested. In addition, we would never target specific harvested HS, but only a random sample.

Unfortunately, as Tor administrators pointed out, harvesting addresses is a violation of the Tor Project’s ethical guidelines and, once caught, the university’s node was banned.

The moral of the story: always read the rules.

Now, Rodrigues says, his group is unable to bring its Tor relay node back online, and so far nobody from the project has given them any indication that the ban will ever be removed. Still, he says, the research will continue.

“I can use other methods to discover the Hidden Services,” he explains, “but none is as informative or as efficient.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/25/brazilians_waxed_for_slurping_tor_addresses/

NSA ramps up PR campaign to keep its mass spying powers

The NSA has begun what is likely to be a determined PR campaign to retain mass spying laws as they head toward expiration at the end of the year.

In a post on its website titled “Section 702 Saves Lives, Protects the Nation and Allies,” America’s surveillance nerve center argues it “relies” on the controversial part of the Foreign Intelligence Surveillance Act (FISA) to “uncover the identities or plans of terrorists.”

The law has “played both a unique and decisive role in national defense,” it goes on, adding that it also “informs” the intelligence community’s “cybersecurity efforts.”

The post then goes on to claim that the NSA’s interpretation of Section 702 enabled it to reveal the identities of “overseas terrorists” responsible for an unspecified attack that resulted in the death of more than 20 people last year, and claims it enabled them to “refute the terrorist organization’s denial of any involvement.”

It claims that in that case, the extra intel enabled the US government to launch operations against the unnamed group in question and that its “contribution to the fight probably hadn’t been factored into the adversaries’ schemes.”

The argument is a textbook example of how the intelligence services make their case for continued extraordinary powers even after it’s shown they abused those same powers.

The details are sufficiently vague and limited to prevent any independent analysis while also allowing the snoops to claim necessary operational security. The case is also referenced as if it were but a single example of many times that the NSA’s powers have been used to provide additional national security, but we have no way of knowing whether this was literally one case or one of many, as the NSA and associated services refuse to provide broader context or statistics.

Trade-off

This approach of pointing only to the value of such extraordinary powers obscures the larger question of whether the same information could have been revealed by a different method, and ignores whether the resources and trade-offs with privacy and civil rights are sufficiently valuable to be worth continuing them.

However, when it comes to Section 702, the single case provided in this post does not address the biggest problem with the legislation: that, despite its name, the Foreign Intelligence Surveillance Act has increasingly been used to spy on Americans.

Under the NSA’s highly questionable interpretation of Section 702, the agency has gathered huge amounts of data on an unknown number of US citizens by claiming that it can grab and store information on anyone connected to a foreign target.

How many American citizens? The NSA refuses to say, and has refused for years. Having provided excuse after excuse for why it is unable to produce such a figure, in June the spy nerds gave up any pretense that it was going to do so.

That led to a fiery exchange between Senator Ron Wyden (D-OR), who has acted as a watchdog on the intelligence services’ powers in his position as a member of the US Senate’s Intelligence Committee, and director of national intelligence Daniel Coats back in June.

“You promised that you would provide a ‘relevant metric’ for the number of law-abiding Americans who are swept up in the FISA 702 searches,” Wyden barked at Coats. “This morning you went back on that promise.”

Coats responded: “What I pledged to you is I would make every effort to try to find out why we were not able to come to a specific number of collection of US persons… There were extensive efforts on the part of the NSA to get you an appropriate answer – they were not able to do that…”

Wyden angrily interjected: “Respectfully, that’s not what you said. You said: ‘We are working to produce a relevant metric…'”

“But we were not able to do it. Working to do it is different from doing it,” retorted Coats.

Database

It’s not just the storing of information on US citizens – a situation that goes directly against the actual wording of the FISA – that worries lawmakers and privacy groups. Over time it has emerged that the NSA allows the FBI to access that database without limit and to use search terms related to US citizens, including their names, email addresses and telephone numbers, to search for possible incriminating evidence in domestic crimes.

Under significant political pressure, the NSA vowed that it would stop gathering information on anyone and everyone that even mentions a foreign target but it has not said it will reduce its existing database of information or limit its access by other government agencies. There is also nothing to stop the NSA from changing its mind at a later date unless specific changes are made to the law itself.

And that is ultimately what this unusual NSA public post is about: pushing back against efforts to rewrite the law to exclude the NSA from doing many of the things it has bent Section 702’s wording to accommodate.

With Congress required to reauthorize FISA at the end of the year and with lawmakers due to hold hearings in its next session starting in September on what should be done, the NSA is pushing back against a growing consensus that radical changes need to be made to the law to prevent it from being abused.

Tech firms have already proposed five very specific changes to the law – the first of which is to make an explicit ban on the broader targeting of anyone connected to a foreign target a permanent part of the law.

They also want: agencies like the FBI to get a warrant before searching the 702 database; the wording tightened up so the intelligence services have to specifically identify individuals rather than insist on access to all data within which they will search for individuals; better oversight of the process; and increased transparency over the number and type of requests made under this section of the law.

Unhappy

Recent investigations into declassified documents have also shown that the NSA and FBI routinely violated civil liberties laws during the Obama Administration by carrying out improper searches, sharing raw intelligence data and failing to delete unauthorized intercepts.

In the lead up to the new session of Congress where the future of Section 702 will be decided, a number of organizations have actively opposed the law.

The Electronic Frontier Foundation wants the Supreme Court to explicitly rule that the gathering of intelligence on US citizens through FISA is illegal – bypassing Congressional wheeler dealing altogether.

Even security policy wonk publication Just Security has lambasted the misleading arguments put forward by Section 702 advocates who oppose reform.

We have checked with the Senate and House Judiciary Committees and so far there are no scheduled hearings on the reauthorization of FISA and Section 702, but they are indisputably coming, and this week’s post by the NSA is almost certainly just the first shot in a pitched battle that will be fought between now and the end of 2017. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/25/nsa_pr_campaign/

New Targeted Ransomware Hits Healthcare, Manufacturing

A new ransomware strain, Defray, that focuses on certain verticals in narrow and select attacks is making the rounds in the healthcare, education, manufacturing, and technology sectors.

A highly targeted ransomware strain emerged this month, with attackers focusing on specific industry verticals in small attacks, Proofpoint researchers stated this week.

The Defray ransomware attacks have hit the healthcare, education, manufacturing, and technology industries by distributing emails containing a Microsoft Word document embedded with an executable OLE packager shell object, according to Proofpoint, which discovered Defray.

The small campaigns usually only contain several messages in each effort and demand a ransom of $5,000. An Aug. 15 campaign against the manufacturing and technology sectors used a bogus email from a representative of a UK-based aquarium with offices across the globe as bait. That was followed up with a similar campaign against the healthcare and education industries on Aug. 22 from a purported director of information management and technology at a hospital.

Once the victim clicks on the attachment, the ransomware is activated and encryption takes place. Defray may also disable startup recovery and delete shadow copy volumes, according to Proofpoint. The researchers suspect Defray is not for sale like other ransomware strains and instead is being used by certain threat actors for their personal use.
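The delivery mechanism above (a Word document with an embedded OLE Packager object wrapping an executable), which the same Defray campaign is also described under in the NHS Lanarkshire item earlier on this page, can be triaged on the mail gateway or in a sandbox before anyone opens the file. The Python below is an added example, not Proofpoint's or the page's own code: it opens a .docx as the zip it is, lists OLEObject ProgIDs declared in the document XML, and inspects any embedded object for the compound-file header and for a PE DOS-stub string. The sample document it builds is constructed in memory with a harmless stand-in for the executable; the ProgID and header values are standard Office/OLE constants.

```python
import io
import re
import zipfile

# Office declares embedded objects in document.xml as <o:OLEObject ... ProgID="...">;
# the OLE Packager object, which can wrap an arbitrary file such as an .exe, uses "Package".
OLE_PROGID_RE = re.compile(r'<o:OLEObject\b[^>]*\bProgID="([^"]+)"')
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
PE_MARKERS = (b"This program cannot be run in DOS mode",)  # DOS stub text in every PE


def triage_docx(data: bytes) -> dict:
    """Inspect a .docx for OLE Packager objects and embedded executables."""
    findings = {"progids": [], "embeddings": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for part in names:
            if part.startswith("word/") and part.endswith(".xml"):
                xml = z.read(part).decode("utf-8", "replace")
                findings["progids"].extend(OLE_PROGID_RE.findall(xml))
        for part in names:
            if part.startswith("word/embeddings/"):
                blob = z.read(part)
                findings["embeddings"].append({
                    "name": part,
                    "is_ole": blob.startswith(CFB_MAGIC),
                    "has_pe_marker": any(m in blob for m in PE_MARKERS),
                })
    packager = any(p.lower().startswith("package") for p in findings["progids"])
    pe_inside = any(e["has_pe_marker"] for e in findings["embeddings"])
    findings["suspicious"] = packager or pe_inside
    return findings


def build_sample_docx(with_package: bool = True) -> bytes:
    """Constructed minimal .docx; with_package adds a Packager object around a fake PE stub."""
    ole_xml = (
        '<w:object><o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" '
        'DrawAspect="Icon" ObjectID="_1" r:id="rId4"/></w:object>'
    ) if with_package else ""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f'<w:body><w:p><w:r>{ole_xml}</w:r></w:p></w:body></w:document>'
    )
    # Stand-in for the packaged payload: CFB header, then an MZ header and DOS stub text.
    fake_ole = CFB_MAGIC + b"\x00" * 504 + b"MZ\x90\x00" + b"\x00" * 60 \
        + b"!This program cannot be run in DOS mode.\r\n$"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        if with_package:
            z.writestr("word/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
    print(triage_docx(build_sample_docx(with_package=False)))
```

A "Package" ProgID in a document arriving from outside the organisation is reason enough to quarantine it; the DOS-stub check catches payloads that are renamed or wrapped in a less obvious ProgID, and a fuller triage would walk the compound file's streams rather than scanning the raw bytes.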

Read more about Defray here.


Article source: https://www.darkreading.com/application-security/new-targeted-ransomware-hits-healthcare-manufacturing-/d/d-id/1329725?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese National with Possible Links to OPM Breach Arrested

Charging documents reveal sophistication – and a surprising degree of sloppiness.

The arrest of an individual believed connected to the massive data breach at the US Office of Personnel Management (OPM) in 2014 has revealed both the sophistication of the operation and the suspect’s almost surprising sloppiness in protecting his identity.

The FBI on Thursday arrested Chinese national Yu Pingan on charges of distributing and using a variety of malware tools including the Sakula malware associated with the OPM attack. The same tool was also used in the attack on health insurer Anthem that resulted in the breach of 80 million records containing highly sensitive data.

Yu is accused of working with two unnamed and as yet uncharged co-conspirators in China to install malware on the networks of at least four organizations, identified in the charging papers as merely Companies A, B, C, and D. He was arrested in Los Angeles after apparently arriving there to attend a conference.

Details provided in the government’s complaint show that between May 2012 and January 2013, Yu and his associates deployed as many as five Internet Explorer zero-days on a server hosting a website that was used in watering hole attacks (CVE-2012-4969, CVE-2012-4792, CVE-2014-0322, and CVE-2012-84792).

The website distributed a variety of malware tools, including Sakula and variants such as mediacenter.exe, to more than 370 unique IP addresses in the United States.

The Sakula variants that Yu and his associates are accused of installing were configured to beacon to a legitimate Microsoft domain in Korea that was used to download software updates for Microsoft products. The government believes that Yu and one of the unnamed co-conspirators broke into Microsoft’s legitimate domain in Korea and modified it to point to malicious IP addresses that they controlled.

The breach at OPM continues to be one of the largest, and easily one of the most impactful, ever suffered by any US government entity. In two separate intrusions, threat actors believed to be operating out of China stole personnel records belonging to over 20 million current and former government employees. In addition to the Social Security Numbers, birthdates and other personal data usually associated with such breaches, the incidents at OPM also resulted in the theft of data connected to employee background investigations, such as health, financial, criminal history, and fingerprint data.

Marcus Christian, an attorney at Mayer Brown and a former prosecutor at the US Attorney’s Office for the Southern District of Florida, says the arrest is very significant not just for the charges that have been filed but what are yet to come. “One noteworthy aspect of the charging documents is that they indicate that the government is working with at least two alleged co-conspirators and may have secured the cooperation of others,” which could result in more charges, he said.

The case is the latest in a growing series of prosecutions that demonstrate the federal government’s increasing focus on cybercrime. “Investigators are routinely reaching into jurisdictions around the globe to build cases and, when necessary, they are patiently waiting in friendly jurisdictions to make arrests,” Christian said.

Interestingly, the charging papers show that Yu did little to conceal his true identity when conspiring with his associates.

His communications with one of them, for instance, tie him directly to Sakula. Other seized communications tie him to the exploits for the zero-days used in the watering hole attacks. The key used to decrypt an encrypted Sakula variant directly referenced the name “Goldsun,” a handle that Yu regularly used and even acknowledged using in communications with one of his associates.

On more than one occasion his associates warned Yu about tipping off the FBI about his activities, but he appears to have done little to conceal his tracks.

“Many of the takeaways from this arrest are lessons for criminals in how not to get caught,” including not using your real name in association with criminal activity, says John Bambanek, threat systems manager at Fidelis Cybersecurity. “The biggest lesson of all is that if you are going to participate in espionage against the United States, it’s probably best you don’t step foot in our country,” he says.

“What I take away from this is that their level of sloppiness indicates a complacency that they don’t have to protect themselves because they won’t get caught,” he says.

Rick Holland, vice president of strategy at Digital Shadows, adds that the arrest highlights why operational security is critical. “First, adversaries – even nation-state actors – aren’t infallible. They make mistakes and leave breadcrumbs that can be used in an investigation.”

Yu Pingan made mistakes and associated his personal information with his operations. “Security researchers, threat intel analysts, and incident responders who investigate intrusions need to keep this in mind. Given the #LeakTheAnalyst campaign, personal OPSEC is critical,” Holland says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/chinese-national-with-possible-links-to-opm-breach-arrested/d/d-id/1329731?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Celebgate 3.0: Miley Cyrus among victims of photo thieves

Here we go again: it’s Celebgate 3.0, and that means a new round of stolen intimate photos of celebrities and tee-hee’ing jerks.

This time around, photos have been gang-grabbed from Miley Cyrus (pictured), Stella Maxwell, Kristen Stewart, Tiger Woods, Lindsey Vonn and Katharine McPhee.

The celebrity leak sites that posted the stolen content don’t merit whatever traffic they might get if we shared their names. Suffice it to say that one of them considers itself a “satirical website” that publishes rumors, speculation, assumptions, opinions, fiction, and what it calls facts… And, obviously, illegal stolen content.

According to Fossbytes, McPhee is taking legal action against the sites that published her content. Ditto for Woods and for Kristen Stewart and her girlfriend, Stella Maxwell, said TMZ.

Vonn, an Olympic skier and Woods’ former girlfriend, called the theft “a despicable invasion of privacy”. The photos were stolen from her cell phone a few years ago. Her spokesman told People that she’s lawyering up:

Lindsey will take all necessary and appropriate legal action to protect and enforce her rights and interests. She believes the individuals responsible for hacking her private photos as well as the websites that encourage this detestable conduct should be prosecuted to the fullest extent under the law.

Celebs suffered through this type of mugging in 2015 with Celebgate 1.0. In v1, thieves and many equally scumbaggy photo-sharers trampled over the privacy of Jennifer Lawrence, Kate Upton, Kirsten Dunst, Selena Gomez, Kim Kardashian, Vanessa Hudgens, Lea Michele, Winona Ryder, Hulk Hogan’s son and Hilary Duff, among dozens of other women celebrities.

The photos in this latest round were still up as of Thursday evening.

We’ve seen multiple men convicted and given jail time over prying open the Gmail and iCloud accounts of Hollywood glitterati, but that sure didn’t stop Celebgate 2.0: in May, we saw the intimate photos of Emma Watson and Amanda Seyfried stolen and posted.

How to trip up the thieves

According to the FBI, the original Celebgate thefts were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

These guys’ pawing was persistent: the IP address of one of the Celebgate suspects, Emilio Herrera, was allegedly used to access about 572 unique iCloud accounts. The IP address went after some of those accounts numerous times: in total, somebody using it allegedly tried to access 572 iCloud accounts 3,263 times. Somebody at that IP address also allegedly tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.
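That pattern, one source address touching hundreds of accounts and triggering many password resets, is exactly what a service provider’s abuse detection should flag. As an added example that is not part of the article, the Python below runs such a check over constructed auth log lines in an assumed “timestamp ip action account” format, with illustrative thresholds.

```python
from collections import defaultdict

# Constructed sample auth log lines (not real data); assumed format: <timestamp> <ip> <action> <account>
SAMPLE_LOG = """\
2017-08-24T10:00:01 203.0.113.7 login celeb01@example.com
2017-08-24T10:00:05 203.0.113.7 reset celeb02@example.com
2017-08-24T10:00:09 203.0.113.7 reset celeb03@example.com
2017-08-24T10:00:12 203.0.113.7 login celeb03@example.com
2017-08-24T10:00:20 203.0.113.7 reset celeb04@example.com
2017-08-24T10:01:02 198.51.100.9 login alice@example.com
2017-08-24T10:01:40 198.51.100.9 reset alice@example.com
2017-08-24T10:02:15 192.0.2.33 login bob@example.com
"""

def parse_log(text):
    """Yield (ip, action, account); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, ip, action, account = parts
            yield ip, action, account

def per_ip_stats(records):
    """Per source IP: total attempts, distinct accounts, reset count."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "resets": 0})
    for ip, action, account in records:
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        s["resets"] += 1 if action == "reset" else 0
    return stats

def flag_account_sprayers(text, max_accounts=3, max_resets=2):
    """Return {ip: [reasons]} for IPs touching more than max_accounts
    distinct accounts or issuing more than max_resets password resets.
    Thresholds are illustrative; tune per population and time window."""
    flagged = {}
    for ip, s in per_ip_stats(parse_log(text)).items():
        reasons = []
        if len(s["accounts"]) > max_accounts:
            reasons.append(f"{len(s['accounts'])} distinct accounts")
        if s["resets"] > max_resets:
            reasons.append(f"{s['resets']} password resets")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, why in flag_account_sprayers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Only the address that sprays across several accounts is reported; a single user resetting their own password once is left alone.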

Some of the suspects used a password breaker tool to crack the accounts: a tool that doesn’t require special tech skills to use. In fact, anybody can purchase one of them online and use it to download a victim’s iCloud account if they know his or her login credentials.

To get those credentials, crooks break into a target’s iCloud account by phishing, be it by email, text message or iMessage.

All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Anybody who owns an email account and a body they don’t want to see parading around the internet without their permission should be on the lookout, though telling the difference between legitimate and illegitimate messages can be tough.

Here are some ways to keep your private images from winding up in the thieves’ sweaty palms:

  • Don’t click on links in email and thus get your login credentials phished away. If you really think your ISP, for example, might be trying to contact you, instead of clicking on the email link, get in touch by typing in the URL for its website and contacting it via a phone number or email you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t friend people you haven’t met on Facebook, and don’t share photos with people you don’t know and trust. For that matter, be careful of those who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9idObu-SMLA/