STE WILLIAMS

Suspect in Yahoo Breach Pleads Not Guilty

Karim Baratov enters his plea in US Courts today, after waiving his extradition hearing in Canada last week.

A 22-year-old defendant charged for his alleged role in the infamous Yahoo data breach pleaded not guilty today to a 47-count indictment before a federal district court judge in San Francisco, according to media reports.

Karim Baratov is one of four defendants charged with computer intrusion, economic espionage, and conspiracy relating to the Yahoo cyberattack, according to a report in The Daily Beast. The other three defendants are Russian nationals and remain at large: Igor Sushchin, an undercover Russian Federal Security Service (FSB) agent; Dmitry Dokuchaev, a former FSB officer who was arrested by the FSB for treason; and Alexsey Belan, a well-known Russian hacker, the report said.

On Friday, Baratov, a Canadian and Kazakh national, was in Canada where he waived his extradition hearing in a move to get his case heard quickly in US courts. During his US court appearance, another hearing was set for Tuesday, according to Reuters.

Last March, Baratov was arrested in Canada for his role in the 2014 Yahoo data breach, which affected approximately 500 million Yahoo accounts. He allegedly was asked by FSB representatives to target 80 individuals with spearphishing campaigns if their emails were not among the hundreds in the Yahoo batch, and deliver the non-Yahoo email account passwords to Russian handlers, according to The Daily Beast.

Article source: https://www.darkreading.com/application-security/suspect-in-yahoo-breach-pleads-not-guilty/d/d-id/1329711?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Accused! Yahoo! hacker! pleads! not! guilty! in! US! court!

One of four men accused of carrying out the megahack of 500 million Yahoo! email accounts has pleaded not guilty in a San Francisco district court.

Karim Baratov, 22, was extradited from his Canadian home last weekend after waiving his right to fight going to America for the court case. He denied 47 separate charges of computer hacking, identity theft, wire fraud and industrial espionage.

According to court documents [PDF], Baratov and criminal hacker Alexsey Belan, 29, were hired by two Russian FSB officers – Dmitry Dokuchaev and his boss Igor Sushchin – in October 2014 to hack into Yahoo!’s servers. Over the next 18 months the two hackers ran riot through the poorly secured servers of the portal, accessing email accounts of journalists, business people, and politicians around the world.

The US government alleges that the two used highly targeted emails to get access to Yahoo! personnel, and then used internal company software to generate cookies to access webmail accounts without all that tricky password-stealing business.

In all, the government claims that the two accessed over 6,500 webmail accounts, going initially for Russian journalists, businessfolk and politicians. But then they widened their net to carry out industrial espionage against selected Western targets, it’s claimed.

Belan is also accused of hijacking Yahoo!’s search engine results for profit, according to the charges. If a visitor searched for the term “erectile dysfunction,” they were redirected to an online pharmacy that was paying Belan a commission for hits, according to the Feds.

He is also accused of trawling through people’s email accounts looking for credit card information, online gift cards, and using his cookie-making skills to run a spam campaign against 30 million Yahoo! users.

The charge sheet also states that Baratov was directed to try similar hacking tricks with Gmail users. Up to 50 Google accounts were illegally accessed, the government states, including those of senior Russian politicians and business leaders. The hacking continued until December 2016.

It’s likely that Baratov is going to be the only one of the four to face a trial. Belan is living in Russia and is unlikely to leave, in part because the FBI has put a $100,000 bounty on his head.

Meanwhile Sushchin is still working for the FSB in Russia and is presumably being very careful about which countries he travels to – only those with no extradition treaty with the US or who won’t hand him over anyway. Dokuchaev, on the other hand, has legal issues of his own and has been charged with treason by the Russian authorities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/24/accused_yahoo_hacker_pleads_not_guilty/

DMARC anti-phishing standard adoption is lagging even in big firms

Big-name companies are still leaving themselves and their customers open to phishing because they haven’t implemented the DMARC message validation standard.

In this year’s DMARC adoption report [PDF], phishing prevention specialist Agari reckons two-thirds of the Fortune 500 are yet to implement Domain-based Message Authentication, Reporting and Conformance (DMARC).

Specified in RFC 7489 to combine Sender Policy Framework and DomainKeys Identified Mail techniques, DMARC’s aim is to defeat e-mail spoofing. It was originally put forward by Google, Microsoft, AOL, Facebook, Yahoo!, PayPal and others.

Agari’s data-gathering was straightforward: it analysed the DNS records of its targets – which also included companies on the Financial Times Stock Exchange 100 and the Australian Securities Exchange 100 – using its own DMARC record tool.

The FTSE 100 had the same non-adoption rate of 67 per cent, while Australian companies care even less, with 73 per cent having no DMARC policy record.

Even among those who are aware of DMARC, hardly any are using it for anything more than monitoring (25 per cent of the Fortune 500, 26 per cent of the FTSE 100, and 23 per cent of the ASX 100).

“Quarantine” or “reject” only appeared in eight per cent of Fortune 500 companies, 7 per cent of FTSE 100 companies, and four per cent of ASX 100 companies.

Agari reckons that’s an open door to e-mail spoofing, since the point of DMARC is that it both confirms a message came from the server it purports to come from, and creates a register of email systems used by spammers and scammers. To help things along, back in 2012 Agari made its Receiver Program free to try and encourage adoption.

The IT industry and telcos in particular can hang their heads in shame: apart from 21 per cent of US tech companies using DMARC, and a mere one per cent of US telcos, adoption is zero elsewhere (people, even Twitter thinks it’s a good idea).

“Deploying a DMARC policy where p=none is simple, but it is only the first step. Organisations must Quarantine, Reject and maintain strong email governance to reap the benefits of DMARC”, the report concludes. ®
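The tiers the report counts (no record, p=none monitoring, quarantine or reject) can be read straight from the TXT record published at `_dmarc.<domain>`. The Python below is an added example, not Agari's tool and not code from the article: it classifies TXT strings using the record rules in RFC 7489, and every domain and record in it is constructed for illustration.

```python
from collections import Counter
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Return the tag dict for one TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    # RFC 7489: a record that does not begin with v=DMARC1 is discarded.
    first_name, _, first_value = parts[0].partition("=")
    if first_name.strip().lower() != "v" or first_value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            continue  # malformed tag without "=": ignored
        tags.setdefault(name.strip().lower(), value.strip())
    return tags


def classify(txt_records: list) -> str:
    """Classify the TXT strings found at _dmarc.<domain> into a survey tier."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no_record"
    if len(records) > 1:
        return "invalid"  # several DMARC records: receivers apply no policy
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Missing or unknown p: treated as p=none only if reports are requested.
        return "monitor_only" if tags.get("rua") else "invalid"
    if policy == "none":
        return "monitor_only"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct falls back to the default
    if not 0 <= pct <= 100:
        pct = 100
    # pct < 100 means only a sample of failing mail is quarantined or rejected.
    return "enforcing" if pct == 100 else "partial_enforcement"


def survey(txt_by_domain: dict) -> Counter:
    """Tally tiers across a set of domains, as an adoption report would."""
    return Counter(classify(txts) for txts in txt_by_domain.values())


# Constructed sample data: TXT strings as they would be returned for
# _dmarc.<domain>. None of these are real organisations' records.
SAMPLE_TXT = {
    "a.example": ["v=spf1 include:_spf.a.example -all"],   # not a DMARC record
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@c.example"],
    "d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "e.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicates
    "f.example": [],                                          # nothing published
    "g.example": ["p=reject; v=DMARC1"],                      # v= is not first
}

if __name__ == "__main__":
    for domain, txts in SAMPLE_TXT.items():
        print(f"{domain:10} {classify(txts)}")
    print(dict(survey(SAMPLE_TXT)))
```

Only the `enforcing` tier stops spoofed mail outright; `monitor_only` and low-`pct` records still let failing messages through to the inbox.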

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/24/dmarc_adoption_lagging_even_in_big_firms/

Cybersecurity world faces ‘chronic shortage’ of qualified staff

The number one issue facing cybersecurity firms is a “chronic shortage” of qualified staff.

That’s according to the founder of market analyst Cybersecurity Ventures, Steve Morgan. “The single biggest trend, globally, is that there are chronic work shortages of qualified cyber security staff. It’s an absolute epidemic,” Morgan told supply-chain blog Channelnomics.

Morgan’s company in 2016 gathered feedback from executives listed highest on the company’s list of 500 top cybersecurity firms, many of whom pointed to the same problem.

“We are one of the few industries globally experiencing zero-percent unemployment,” said Robert Herjavec, CEO of cybersecurity outfit Herjavec Group. “Unfortunately the pipeline of security talent isn’t where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyberexperts receive, we will continue to be outpaced by the Black Hats.”

John McAfee has also weighed in on the issue, saying that cybersecurity is “the least populated of any field of technology,” and noting that there are two job openings for every qualified applicant.

On Sunday, Cybersecurity Ventures predicted that by 2021 there will be 3.5 million vacant cybersecurity jobs due to the lack of a “pipeline of security talent” combined with ever-expanding cybercrime.

For some time

The problem is not new. Two years ago, another widely cited report from consulting firm Frost & Sullivan warned that there would be a 1.5-million worker shortfall by 2020, and then increased it soon after to 1.8 million.

Despite record spending on security – and healthy salaries – nearly half of hiring managers say they are struggling to find cybersecurity staff for open positions, and 62 per cent of them have reported a shortage of information security professionals.

So what is the solution?

There are a number of organizations, including the Cybersecurity Workforce Alliance (CWA), that are actively trying to recruit more people into the field. The CWA was set up by the financial industry, based around New York, to close the skills gap given the importance of cybersecurity to money flows.

The new head of the Securities and Exchange Commission, Jay Clayton, is also using his platform to encourage coordination between companies and regulators to share threats as a way of limiting their impact.

Morgan argues that the limited degree of specialized education in information technology and computer science around the world is a major factor in the shortage. He highlighted Kevin Mitnick’s KnowBe4 company as an example of training up IT staff to understand cyber threats.

It trains existing staff to recognize early warning signs on a network. “This lack of basic knowledge is plaguing the industry,” Morgan argues. “For instance, some software developers don’t understand IT security, and vice versa. Every corporation must be providing their staff with that kind of training.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/24/chronic_shortage_qualified_cybersecurity_bods/

The .fish website that caught visitors in a phishing net

From the look of it, the discovery of the first phishing site hosted on a .fish domain is putting more people at risk of suffering from bad puns than anything else.

Read a few news accounts about it and you will have to wade (sorry) through descriptions of victims being, “baited … hooked … reeled in … left to sharks … losing their hard-earned clams”, along with speculation about whether the site had been compromised or created specifically for the “porpoise of phishing”, and whether you needed to be a “brain sturgeon” to figure it out, etc.

There’s more – lots and lots more – but you get the idea. The less humorous reality is that the threat was real – was, as in, no longer. Netcraft web tester Paul Mutton reported Monday in a blog post that the company had found and blocked the site “parser.fish”.

But before that, if anyone had been lured (sorry again) to the site, “a cheeky 99-char meta redirect sent them off to a separate phishing site hosted in Vietnam. This then attempted to steal online banking credentials by impersonating the French banking cooperative, BRED.”

As threats go, however, massive damage from this one seems highly improbable. Netcraft said it doesn’t know how many visitors there were to the site, but the victim pool (sorry yet again) was likely quite small.

This was the first phishing site it had found that was hosted on the homepage of a .fish generic top-level domain (gTLD). Even legitimate sites using those domains are very rare. Netcraft said within its top million websites are only one .fish and one .fishing. Among the 1.8bn in its site survey are fewer than 6,000 that use .fish or .fishing. As a percentage, that’s a decimal with five zeros after it.

And, a very small audience means a very small phish market (OK, enough).

The site might not have been created with malicious intent either. While it had been registered through Tucows’s Contact Domain privacy service, to keep its owner secret, Netcraft said “the fact that the phishing content has also already been removed from its homepage suggests that the site may simply have been compromised”.

But, while this specific site might only have been a small problem, phishing itself is a very large problem – one that affects all domains. Numerous surveys have found that phishing is the top delivery vehicle – up to 95% of targeted attacks begin with an email – for ransomware and other malware. And nearly a third of phishing emails still get opened by unsuspecting workers, according to the 2016 Verizon Data Breach Investigations report.

That is something to take seriously, no matter how many puns are involved.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ReNTrqtd6Nk/

News in brief: Google pulls 500 apps from Play; lottery boss sentenced; drone owners told to update

Your daily round-up of some of the other stories in the news

Google pulls 500 apps from Play Store

Less than 24 hours after the launch of Android Oreo, Google has had to pull some 500 apps from its Play Store, which together had been downloaded more than 100m times.

The apps, which ranged from games targeted at teens – one of which had more than 50m downloads – to weather apps, internet radio apps, photo editing apps and travel apps, all used a software development kit (SDK) called Igexin. In a blog post, the researchers from Lookout said that the Igexin SDK could have introduced the ability to spy on victims “through otherwise benign apps by downloading malicious plugins”.

Advertising SDKs make it easy for app developers to tap into advertising networks and deliver ads to their users.

Lookout said that the apps themselves aren’t malicious and “it is likely that many app developers were not aware of the personal information that could be exfiltrated from their customers’ devices as a result of embedding Igexin’s ad SDK” and stressed that “not all versions of the Igexin ad SDK deliver malicious functionality”.

Google told Ars Technica that it had “taken action on these apps in Play, and automatically secured previously downloaded versions of them as well”.

Lottery boss sentenced over $14.3m scam

Remember Eddie Tipton, the lottery sysadmin who scammed $14.3m from the Multi-State Lottery Association (MUSL) back in 2010? He’s been sentenced to up to 25 years in prison in Iowa for rigging drawing jackpots in Iowa, Wisconsin and two other states.

Tipton, 54, was head of security for the MUSL. With his co-conspirators, who included his brother, Tommy, he installed a rootkit to create numbers that he could predict. As an employee, he was banned from buying lottery tickets, but was caught when he was identified on CCTV footage from a gas station where he had bought his winning ticket.

Tipton still faces further sentencing in Wisconsin next month. The sentencing judge in Polk County, Brad McCall, told him: “It is indeed unfortunate that you did not use that intelligence to prosper by legal means. Instead you chose an illegal path.”

DJI Spark owners told to update or see their craft grounded

If you’re the owner of a DJI Spark drone, be warned: unless you apply a mandatory firmware update by September 1, your aircraft will be grounded.

In a blogpost, DJI said it had decided on the mandatory update “in order to maximise flight safety and product reliability which we consider as top priorities”.

However, drone enthusiasts were not happy with the manufacturer’s “ability to brick other people’s property if required”, said Gary Mortimer writing for SUAS News. “The ‘Kill Switch’ option is already causing consternation in user groups”, he added.

There has been concern about the safety of consumer drones, with reports of them getting uncomfortably close to commercial aircraft and, most recently, of a drone landing on the deck of a new Royal Navy warship. And just last week DJI said it was stepping up security after the US Army banned its troops from using them, citing security concerns.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Kh0NcuNdLm4/

Apple iCloud Keychain easily slurped by cops, ElcomSoft claims

ElcomSoft, the Russia-based maker of forensic software, has managed to find a way for crime investigators to access the data stored in Apple’s iCloud Keychain, if Apple ID account credentials are available.

Apple’s iCloud Keychain is a remote copy of the password vault that’s optionally available to users of iOS and macOS devices.

If enabled, it can store copies of credentials for Safari websites, for services like Facebook, Twitter and LinkedIn, and for applications like Calendar, Contacts, and Mail, along with credit card numbers and Wi-Fi network data.

It serves to replicate the contents of the device-specific Keychain database, which is exposed as an app to macOS users and as an API to developers on iOS devices. It also assists with two-factor authentication.

ElcomSoft’s Phone Breaker 7.0 has gained the ability to access and decrypt iCloud Keychain data, under certain circumstances.

Users of Apple devices who have not enabled two-factor authentication and have not set up an iCloud Security code do not have an iCloud Keychain stored with Apple. Otherwise, the database exists in iCloud accounts, and can be accessed with an Apple ID, password, and – if the device is protected by two-factor authentication – a one-time security code.

In an email to The Register, CEO Vladimir Katalov said this capability is not the consequence of any vulnerability. Rather, it’s intended for forensic investigators and law enforcement, given that an Apple ID and a trusted device are necessary.

Katalov said this is not an exploitation of a vulnerability and there’s nothing Apple can patch. Rather, ElcomSoft is exposing functions that Apple has not made available – Apple does not provide any means of accessing iCloud Keychain.

Katalov said the technique works with beta releases of iOS 11 and macOS High Sierra, which Apple is expected to introduce in a month or two.

There’s no security risk for Apple customers yet, according to Katalov. However, ElcomSoft is planning to implement the ability to access the iCloud Keychain with the help of an authentication token pulled from a PC or Mac.

“That way, that will be able to get just a couple of files from suspect’s computer, and get all passwords and credit card numbers with no need to have anything else (credentials, trusted device etc), and with no traces left,” he said.

ElcomSoft in February found that it was able to recover deleted Safari browsing history data from iCloud. In November 2016, the data harvesting biz discovered Apple’s iCloud Drive was storing iPhone call logs without consent.

Apple’s iCloud Keychain has elicited interest from security researchers because it’s such a tempting target. In March, Apple fixed an iCloud Keychain vulnerability (CVE-2017-2448) that had been disclosed to the company by Alex Radocea, cofounder of Longterm Security, two months earlier.

Radocea elaborated on his findings in May and presented a more detailed account of his work at the Black Hat conference earlier this month.

An Apple spokesperson said the company was looking into ElcomSoft’s claim, but did not respond further. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/22/apple_icloud_keychain_easily_slurped/

US prosecutors drop demand for 1.3m IP addresses of folks who visited anti-Trump site

The US Department of Justice has eased up in its legal fight against hosting company DreamHost, saying it no longer wants all IP logs associated with a Trump protest site.

Following a hearing earlier this week in which DreamHost argued that the expansive request for information related to the disruptj20.org site was too broad and broke the First and Fourth Amendments, government lawyers claim they had no idea that the information requested was so broad.

“The government values and respects the First Amendment right of all Americans to participate in peaceful political protests and to read protected political expression online,” it states [PDF].

“This Warrant has nothing to do with that right. The Warrant is focused on evidence of the planning, coordination and participation in a criminal act – that is, a premeditated riot. The First Amendment does not protect violent, criminal conduct such as this.”

DreamHost went public with its concerns last week, noting that handing over the amount of information requested – basically anyone who visited the site – was tantamount to political persecution. “The Search Warrant not only aims to identify the political dissidents of the current administration, but attempts to identify and understand what content each of these dissidents viewed on the website,” it argued.

The DoJ’s response paints DreamHost’s stance as borderline hysterical. It argues that it had no idea of the extent of the information and that DreamHost did not make it clear to the government what it held.

In particular, DreamHost noted publicly that it had 1.3 million IP addresses of visitors, emails associated with people who used the site for legal advice, membership lists, draft blog posts and several thousand images, some published and some not.

Oooh, that’s a lot

“These additional facts were unknown to the government at the time it applied for and obtained the Warrant,” the DoJ filing states. “Consequently, the government could not exclude from the scope of the Warrant what it did not know existed.”

It is not interested in any information that is not relevant to ongoing criminal investigations against protestors, the DoJ claims. “The government is focused on the use of the Website to organize, to plan, and to effect a criminal act – that is, a riot. The government has no interest in seizing data from the Website that does not relate to this limited purpose.” And that includes “their political views” and the “lawful activities of peaceful protesters.”

The DoJ also explains why it served the search warrant following a more precise one that had been served six months earlier:

The website was not just a means to publicly disseminate information (as many websites are designed to do), but was also used to coordinate and to privately communicate among a focused group of people whose intent included planned violence. For example, as shown in the affidavit, the site was even used to verify the identity of people in closely held meetings that were not open to the media or public, where organizers required attendees to log into the website to prove their credentials.

That is a reasonable motive to want additional information from DreamHost. And it is fair to assume that despite unprecedented recent efforts by the White House to impose itself on the Department of Justice’s traditional autonomy, we have yet to reach the point where the DoJ is using its extraordinary powers to gather political intelligence on the Trump Administration’s political opponents.

However, the DoJ’s search warrant was inexcusably broad and DreamHost has greeted the response as “a huge win for internet privacy.”

That is not the end of the matter, however. The DoJ still wants records related to what it suspects was the planned coordination of illegal acts. It has slightly limited the request to a six-month window ending on the day of the protest itself, to “subscribers” of the site as opposed to simple visitors, and it has said it does not want draft blog posts or images.

In other words, it doesn’t want to potentially unmask more than a million netizens via their IP addresses, but it still wants details on folks who used the website to organize.

Hammers

In its filing, the DoJ notes: “The rioters – some of them armed with hammers, crow bars, wooden sticks and other weapons – moved as a cohesive unit for approximately thirty minutes, traveling more than a dozen city blocks, as individual participants engaged in violence and destruction that caused hundreds of thousands of dollars’ worth of property damage and left civilians and officers injured.”

While the DoJ has narrowed its request for information, it still wants the search warrant carried out and will keep pushing through the courts to get it. DreamHost is happy with a narrowed request but notes that “there are still a few issues that we consider to be problematic for a number of reasons.”

It doesn’t state exactly what those issues are, but does say it is preparing another filing “to address the remaining First and Fourth Amendment issues raised by this warrant.” Another hearing on the matter is scheduled for Thursday in Washington DC. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/doj_narrows_protest_website_info_grab/

VoIP bods Fuze defuse triple whammy of portal security vulnerabilities

Messaging provider Fuze has resolved a trio of vulnerabilities in its TPN Handset Portal.

The access controls and authentication flaws, discovered by security tools firm Rapid7, created a means for hackers to obtain personal data about Fuze users ranging from phone numbers to email addresses and access credentials.

Once seized through brute-force attacks, this sensitive data could then be transmitted in cleartext, without encryption, or stored by cybercriminals.

The first flaw, which involved improper access control, allowed attackers to enumerate through MAC addresses associated with registered handsets of Fuze users. Another flaw involved improper restriction of excessive authentication attempts, clearing the way for brute-force attacks.

The last of the three flaws involved prompts for passwords pushed over an unencrypted HTTP connection.

Fuze offers enterprises a multi-platform voice, messaging, and collaboration service. The company had fixed all three issues in early May, meaning Rapid7 could go public with its discoveries in a blog post this week.

Chris Conry, CIO of Fuze, thanked Rapid7 for its responsible disclosure of security problems, adding that it has no evidence of hackers using the flaws.

“As users of the entire Fuze platform, Rapid7’s team identified security weaknesses and responsibly disclosed them to the Fuze security team,” Conry said.

“In this case, while the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/fuze_plugs_security_flaws/

AccuWeather: Our app slurped your phone’s location via Wi-Fi but we like totally didn’t use it

A day after a security researcher criticized AccuWeather for collecting people’s location data – even if its users refused to grant permission to do so – the weather forecasting company and its ad tech partner Reveal Mobile denied violating permission settings while also revising the app’s info-grabbing code.

In a post on Monday, Will Strafach, CEO of the Sudo Security Group, said the AccuWeather iOS app sends users’ Wi-Fi router names and BSSIDs to Reveal Mobile, even if users refuse to grant the app access to GPS location data.

The BSSID (basic service set identifier) is the MAC address of a wireless access point and is often enough to determine a user’s location, though perhaps less accurately than device GPS coordinates. Companies such as Skyhook offer this service, as do various public databases.

The Register asked AccuWeather to comment and a company spokesperson pointed to a statement published on Tuesday.

AccuWeather and Reveal Mobile, which makes the advertising SDK responsible for the app’s behavior, issued a joint statement disavowing any attempt to infer location data for devices that have disabled location services.

“Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user,” the two companies said. “Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.”

Despite insisting it was unaware such data was available and thus went unexploited, AccuWeather said it would remove the Reveal Mobile SDK from its iOS app until it takes privacy seriously. A spokesperson for the weather biz told us a new version of the iOS app with the SDK removed is not out yet, though, as it is awaiting approval from Apple.

On Monday, version 10.5.2 of the iOS AccuWeather app was released, but that was unrelated to the privacy kerfuffle. On Tuesday, Reveal Mobile updated its SDK to “cease collection of all device data if location sharing [is] disabled by [the] end user.”

Reveal in an update to the joint statement insisted, “We do not attempt to reverse engineer a device’s location based upon other data signals when location services are disabled.” And the company said it complies with all app store guidelines and ad industry best practices.

Despite such assurances, the incident highlights the absence of transparency and accountability in current app design practices and lack of clear disclosure about the information gathered by apps, how that information gets distributed, and how all the companies involved in the data flow use the information.

Google’s recent decision to remove more than 500 apps from Google Play offers a glimpse at the scope of the problem. Its mass app execution followed a report by Lookout, a mobile security firm, that found hundreds of apps were built with an SDK that was communicating with an IP address associated with malware.

App developers may have no idea what third-party libraries do. And they don’t appear to be interested in finding out, until security researchers start poking around with network analysis tools. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/accuweather_says_ignorance_of_location_data_precludes_misuse/