STE WILLIAMS

Why you shouldn’t chip in to buy politicians’ browsing histories

A week ago, the Senate slapped a price tag on the rumps of internet users.

Just like ISPs had requested, Congress undid broadband privacy rules that kept ISPs from selling customers’ data without their consent.

As you sow, so shall you reap. Or, at least, that’s what a few GoFundMe campaigners would like us to believe – though you should most certainly dissect the premise before reaching for your wallet.

They’re promising to turn the tables, collecting funds to buy the browsing history of each and every politician who voted to do away with the privacy rules via joint resolution S.J. Res. 34.

The most recent initiative to go viral comes to us courtesy of privacy activist and net neutrality advocate Adam McElhaney. It’s called Search Internet History.

McElhaney says he plans to purchase the browsing records of “all legislators, congressmen, executives, and their families and make them easily searchable at searchinternethistory.com”. He says that will include…

Everything from their medical, pornographic, to their financial and infidelity.

Anything they have looked at, searched for, or visited on the internet will now be available for everyone to comb through.

Voters didn’t get the opportunity to vote on whether our private and personal browsing history should be bought and sold, he noted. So he decided to remind legislators of how a democracy works – by giving supporters the opportunity to vote on whose history will be purchased first.

The votes are in. The purchase and posting would be in this order (if individuals could actually make such purchases, which they can’t).

  1. Paul Ryan, Speaker of the House
  2. Marsha Blackburn, the congresswoman who authored the resolution and who’s reportedly racked up $693,000 in campaign donations from industry players including AT&T, Comcast and Verizon, according to the Center for Responsive Politics
  3. Mitch McConnell, Senate majority leader
  4. Ajit Pai, chairman of the FCC
  5. Brian Roberts, chairman and CEO of Comcast.
  6. Randall Stephenson, CEO of AT&T

This will be a pricey undertaking, McElhaney said. He says on the initiative’s site that he set a GoFundMe fundraising goal of $1m, though his GoFundMe page shows the goal as $10,000.

Do you think this will be a cheap endeavor? 50 Republicans were lobbied by Telecom and ISPs in an effort to kill your privacy. So they can make more money. If all it takes is a million dollars to buy legislators, let’s do it.

As of Friday, McElhaney had raised $189,738 and the total was ticking ever upward.

The poetic justice would be sweet, wouldn’t it? But before you hit that donate button, there are a few warning flags that are worthy of heeding.

First, the idea that individuals can waltz right in and purchase de-anonymized internet data on politicians, CEOs or anybody else is flat-out wrong. TechDirt published a good explanation of what really happens with internet browsing data, which boils down to aggregation and sales to ad marketers who bid on what ads they want to show to a given demographic of people whose names have been stripped out of the datasets.

An excerpt:

It may say that it has a page being viewed by a male from Texas, who was recently visiting webpages about boardgames and cow farming (to randomly choose some items). Then, from that marketplace, some advertisers’ computerized algorithms will more or less say “well, I’m selling boardgames about cows in Texas, and therefore, this person’s attention is worth 1/10th of a penny more to me than some other company that’s selling boardgames about moose”. And then the webpage will display the ad about cow boardgames. All this happens in a split second, before the page has fully loaded.

At no point does the ad exchange or any of the advertisers know that this is “Louis Gohmert, Congressional Rep.” Nor do they get any other info. They just know that if they are willing to spend the required amount to get the ad shown via the marketplace bidding mechanism, it will show up in front of someone who is somewhat more likely to be interested in the content.

Another thing to note is that McElhaney’s initiative isn’t unique. There’s a GoFundMe campaign from Misha Collins to do the same thing. As of Friday, that had hit $79,160 in its $500m goal.

Where will the money go when – not if – these initiatives fail?

Collins says the funds will go to the American Civil Liberties Union (ACLU), “to help fight to protect all Americans’ rights”. McElhaney urges supporters to fund ACLU, but he doesn’t actually say that the money he raises will be donated to any organization if his initiative fails. Which it will.

Save your money. It’s a compelling premise, but Paul Ryan, et al., can sleep well at night after voting to gut internet privacy.

Their individual data isn’t going to be shared with the likes of you and me.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PO3ylPZxG4U/

Text message scam from the Motor Registry – how not to get stung

As far as the crooks are concerned, yesterday’s “scam that knows where you live” attack was just not enough for people in the UK.

Today, they’re taking the name of the UK’s Motor Registry in vain.

Known colloquially as the DVLA (pronounced deevee-ellay), short for Driver and Vehicle Licensing Agency, it’s based in Swansea in Wales.

The city of Swansea, in turn, is metaphorically associated with things like speeding fines, penalty points, licence renewals… and, from time to time, refunds for overpaid vehicle tax.

Interestingly, the UK no longer issues tax discs to display on a car’s windscreen – there’s so much automated surveillance these days using Automatic Number Plate Recognition (ANPR) cameras that there’s little purpose in having a window sticker to “prove” you’ve paid.

Anyway, if you sell or scrap a car, any tax you paid in advance for the current year will be refunded automatically, so many people will be familiar with getting money back from Swansea.

Some people may very well have had trouble getting their refund, for example if there was a problem with the bank account from which they originally paid in the money, or if they aren’t at the address on record at the DVLA, causing the refund cheque to be returned undelivered.

So an SMS looking like this could easily pass muster:

But look carefully, and you’ll realise that even though the URL contains the sort of components you’d expect in the real thing, notably gov DOT uk, the end of the server name is actually a domain based in Palau (.PW).

Palau is a tiny Pacific island country of just 20,000 people that uses its short-and-sweet domain names as a source of global revenue. (PW is branded as standing for “Professional Web”, although this particular domain name is anything but.)

If you click through, you’ll see a web page that seems realistic enough at first sight, although the “facts” are bogus (you don’t get offered a refund and then claim it), and both the grammar and style are sub-standard for Her Majesty’s Government:

If you click [Get Started-], you’re straight into a phishing page that believably asks for sufficiently many personal details that the crooks could fleece you right away if you were to fill them in:

What to do?

  • Don’t rely on links to websites sent in emails, SMSs or other forms of electronic message.

Find the official website yourself – for the DVLA, for instance, look it up on an official document you’ve received in the past – and go there of your own accord. (Here’s a free hint for the DVLA: it wouldn’t do any harm to print the DVLA’s official URL somewhere on every UK driving licence, making an excellent and official way to find it.)

  • If you’re offered a financial refund, check the official website to find out how refunds really work.

For example, the DVLA issues refunds automatically in one of just two ways: by reversing a Direct Debit, if you have one set up; or by mailing a cheque to the address you have on record.

  • Don’t be misled by domain names because they start with the text you expect – it’s the right-hand end that counts.

For example, Sophos owns sophos.com, which means we can use any and all subdomain names that end with that text string, such as partners.sophos.com, nakedsecurity.sophos.com, and so on. Many browsers deliberately highlight the text at the right-hand end, to remind you to look there first.

  • If you’re asked for personal data like your address and credit card number on an unencrypted web page, don’t enter it.

Crooks can easily get certificates for HTTPS these days, so just the presence of a padlock in the address bar doesn’t confirm you are at the right site. But the absence of a padlock on a page that wants a credit card is always wrong, even if it’s the right site. (Why trust a company that clearly doesn’t take even the most basic precautions with your personal data?)

  • Report scams and dodgy SMSs like this to your mobile operator.

Having real reports and genuine complaints “from the wild” makes it possible for the regulator to take action against scammers who might otherwise get away with it. Some scams are on the grey edge of legality, and it’s community consensus that helps the regulators redefine the boundaries of acceptable text messaging behaviour.
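A small link checker that applies the two rules above (judge a host name by its right-hand end, and never send card details to a plain-http page), added here as an illustration; it is not Sophos code, and the trusted-domain list and the sample links are constructed for the example.

```python
"""Assess a link from an SMS or e-mail the way the article advises.

Added example, not code from the original article. TRUSTED_DOMAINS and the
sample links are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allowlist: domains looked up from an official document, not
# taken from the message itself. A real deployment would use its own list.
TRUSTED_DOMAINS = ("gov.uk", "sophos.com")


def _normalise(url: str) -> str:
    """SMS links often omit the scheme; assume plain http so urlsplit can parse them."""
    url = url.strip()
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """Lower-cased host name of the link without any trailing dot ('' if absent)."""
    return (urlsplit(_normalise(url)).hostname or "").rstrip(".")


def under_domain(host: str, domain: str) -> bool:
    """True if host is `domain` itself or a subdomain of it.

    Whole labels are compared from the right-hand end, so 'notsophos.com'
    does not match 'sophos.com', and neither does 'sophos.com.example.pw'."""
    h = host.lower().split(".")
    d = domain.lower().split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def trusted_domain_for(host: str):
    """The trusted domain the host sits under, or None."""
    for dom in TRUSTED_DOMAINS:
        if under_domain(host, dom):
            return dom
    return None


def assess_link(url: str, asks_for_card: bool = False) -> dict:
    """Assess one link. `asks_for_card` means the page behind it requests card
    or bank details. Returns the host, the trusted domain it belongs to (or
    None), the right-hand label and a list of warnings (empty means fine)."""
    parts = urlsplit(_normalise(url))
    host = host_of(url)
    warnings = []
    tld = host.rsplit(".", 1)[-1]
    dom = trusted_domain_for(host)
    if not host:
        warnings.append("link has no host name")
    elif dom is None:
        warnings.append(f"host ends in '.{tld}', which is not a domain we trust")
        # The article's case: a trusted name sits somewhere to the LEFT of the
        # real domain, e.g. 'gov.uk' inside '...gov.uk.refund-claim.pw'.
        for lookalike in TRUSTED_DOMAINS:
            if lookalike in host.lower():
                warnings.append(f"contains '{lookalike}' but is not under it (lookalike)")
    if asks_for_card and parts.scheme.lower() != "https":
        warnings.append("asks for card details over plain http (no padlock)")
    return {"host": host, "trusted_domain": dom, "tld": tld, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links of the kinds the article describes.
    for link, card in (
        ("https://www.dvla.gov.uk.refund-claim.pw/start", True),
        ("https://www.gov.uk/vehicle-tax-refund", False),
        ("partners.sophos.com/login", False),
        ("http://notsophos.com/pay", True),
    ):
        report = assess_link(link, asks_for_card=card)
        status = "OK " if not report["warnings"] else "BAD"
        print(f"{status} {report['host']:<40} {'; '.join(report['warnings'])}")
```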

Our parting shots

  • When faced with a web link: think before you click.
  • When faced with a web form: if in doubt, don’t give it out.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nEVF68qpbCQ/

Europe to push new laws to access encrypted apps data

Update: The European Commission will in June push for access to data stored in the cloud by encrypted apps, according to EU Justice Commissioner Věra Jourová.

Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline “three or four options” that range from voluntary agreements by business to strict legislation.

The EC’s goal is to provide the police with a “swift and reliable” way to discover what users of encrypted apps have been communicating with others.

“At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” Jourová said, according to EU policy site Euractiv.

Typically governments will use the threat of legislation to push companies into agreeing to offer what they want voluntarily. But Jourová clearly expects some significant pushback from the tech industry – particularly US corporations such as Facebook and Apple – and so argued that the voluntary, non-legislative approaches would only be provisional in order to get to “a quick solution,” with laws coming later.

The intended message is that the EC is not bluffing and although it will take a few years to pass such legislation, it is prepared to do so, and may do so regardless of what app-makers offer.

The announcement comes close on the heels of a number of aggressive pushes by European governments against social media companies.

Earlier this month, the German government proposed a €50m fine if companies like Facebook and Twitter do not remove “obvious” criminal content within 24 hours. A few days later, the EC said it was going to insist that social media companies change their terms and conditions to remove various efforts to insulate them legally from content issues – such as the requirement for anyone to sue them in a California court rather than in their home country.

And one day after the March 22 murderous attack in the heart of London, the UK government was publicly critical of the failure of companies like Google and Facebook to remove extremist content on the internet, arguing that they “can and must do more.”

That was followed shortly after by UK Home Secretary Amber Rudd specifically highlighting Facebook-owned chat app WhatsApp and arguing that the authorities must be given access to messages sent by the Westminster attacker over the service.

The debate over encryption has been going on for well over a year and until recently was dominated by fights in the United States, most notably between the FBI and Apple over access to an iPhone used by a shooter in San Bernardino, California.

At the heart of the matter though, nothing has changed: tech companies and security experts say that if crypto backdoors are created, it will be impossible to ensure that only the “good guys” can use this special access, and thus will undermine end-to-end encrypted systems and encrypted storage. Meanwhile politicians and law enforcement insist they don’t care how it’s done, they want to be able to access people’s private communications and stored data, particularly if they have a warrant regarding suspected criminal behavior. ®

Correction: updated to add

The original version of this article stated that the EC was looking to pass legislation providing it with backdoor access to encryption.

A spokesperson from the EC got in touch to say that Jourová’s words had been misinterpreted and there is no plan to introduce legislation covering encryption. The proposed laws will instead cover faster access to material held in the cloud in different jurisdictions. Material that, presumably, they expect to be unencrypted.

That clarification came on the same day that UK home secretary Amber Rudd also appeared to back away from her demand that law enforcement be given access to encrypted communications on apps such as WhatsApp.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/ec_push_encryption_backdoors/

Point-and-pwn tool for posers dumbs down ransomware spreading

Spreading ransomware has become a point-and-click exercise following the release of a file-scrambling malware interface for unskilled wannabe cybercrooks.

The malware generator enables attackers to customise the wares using a user-friendly interface. Strains of the resulting WYSIWYE (What You See Is What You Encrypt) nasties have been detected by Panda Security in companies across Europe, including Germany, Belgium, Sweden, and Spain.

The resulting malware is pushed on to corporate networks through exploitation of the Remote Desktop Protocol technology, as explained in a blog post by Panda Security here.

Once credentials are obtained through a brute-force attack on RDP, hackers are in a position to unleash their wares.

What You See Is What You Encrypt ransomware GUI [source: Panda Labs blog]

The GUI makes it easier to run bespoke attacks. “With this customised attack, it’s possible to hand-pick the network computers whose information the attacker would like to encrypt, choose files, self-delete upon completing the encryption, enter stealth mode, etc.,” Panda Security explains.

The Spanish security firm views the development as part of a broader Ransomware-as-a-Service trend, which involves hosting affiliate programs and more.

Luis Corrons, PandaLabs technical director, said crooks are demanding a minimum of €500 after each successful infection.

“The tool is targeting criminals with no qualms,” Corrons explained. “Expertise is not required, you don’t need an army of ransomware writers, just a bunch of them feeding the cybercriminal ecosystem.

“There are hundreds of thousands of computers waiting to be compromised, listening to the RDP port in the open internet,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/point_click_ransomware/

Kremlin-linked hacker crew’s tactics exposed

Security researchers have published more intel on the tactics of the infamous Russian government-linked hacker crew blamed for compromising the Democratic National Committee (DNC) during last year’s US presidential election.

A report by SecureWorks’ Counter Threat Unit offers an analysis of the connection between the APT 28 crew and Russia’s Main Intelligence Directorate (GRU) as well as a look at the comprehensive toolkits the cyberspies have put together.

APT 28 (AKA Fancy Bear) has moved beyond covert intelligence gathering using tactics such as email credential theft, exploit kits, the XAgent RAT (remote access trojan) and XTunnel backchannel tool, and an endpoint exploitation kit called Scaramouche.

SecureWorks’ report also documents attacks by APT 28 (which it nicknames Iron Twilight) on a wide range of targets ranging from individuals in Russia and former Soviet states, current and former military and government personnel and organisations in the US and Europe, as well as authors and journalists with an interest in Russia. Particularly high-profile attacks – against TV5Monde, the DNC, and the Dutch Safety Board following a report on the crash of Flight MH17 in Ukraine – are explored.

The DNC hack marked a departure in the crew’s operations that might be carried forward this year into interference against important French and German elections, SecureWorks warns.

In 2015 and 2016, the Russian government used Iron Twilight to target a variety of organisations. The threat group’s activity can be characterised by the theft of confidential information and its calculated release to influence global events. Characteristics of Iron Twilight’s activity suggest it is operated by the GRU. The threat group’s departure from purely military and regional affairs to broader political and strategic operations, evidenced by its US political operations, suggests the Kremlin views Iron Twilight’s role as supporting Russian ‘active measures’. These active measures correspond to the Soviet doctrine of manipulating popular opinion to align with Russian strategic interests, enabling other Russian threat groups to carry out traditional covert intelligence gathering operations.

If Iron Twilight’s ‘active measures’ operations in 2016 were intended to influence the US presidential elections, then CTU researchers expect similar operations against elections of strategic interest to the Russian government. These elections include the French presidential and German federal elections in 2017. The operations against TV5 Monde and the UK-based television network could indicate that the Russian government considers the disruption of foreign television broadcasts as a key capability.

Iron Twilight is opportunistic but less sophisticated than other Russian threat groups, according to SecureWorks. “By applying best practice security controls such as regular vulnerability scanning and patching, network monitoring, and user education, organisations can reduce their susceptibility to compromise,” SecureWorks advises, adding that rolling out two-factor authentication (2FA) controls on internal or third-party webmail platforms represents another sensible precaution. ®

Bootnote

APT 28 is variously known as Pawn Storm, Sofacy, Tsar Team, Strontium, Fancy Bear, and (now) Iron Twilight.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/apt_28_hacking_tactics/
