STE WILLIAMS

Author of record-setting IoT botnets pleads guilty

A 21-year-old has pleaded guilty to operating the Satori botnet – made up of Internet of Things (IoT) devices – and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.

Satori did massive damage: it and its iterations would be unleashed in record-setting distributed denial-of-service (DDoS) attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.

The guilty plea was filed on behalf of Kenneth Currin Schuchman, from Vancouver, Wash., on Tuesday in federal court in Anchorage, Alaska. He was indicted a year ago on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with the prosecution, he pleaded guilty to just one of them.

Schuchman admitted that he and two co-conspirators – “Vamp” and “Drake,” both of whom are known to the law – operated the botnets Satori, Masuta and Okiru. Over time, they nurtured those botnets, fattening them on more and more devices to make them ever more powerful and complex.

The co-conspirators used their botnets to launch attacks, but their primary goal was to make money from renting them out.

These DDoS-for-hire services can be purchased from so-called “booter” websites.

Such websites sell high-bandwidth internet attack services under the guise of “stress testing.” One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service, an attack service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.

Of the trio, Schuchman specialized in finding vulnerabilities in IoT devices that could be exploited at scale. “Specialize” might be a bit too fancy a term: “run an online search” might be more like it. According to the plea agreement, the vulnerabilities often included default usernames and passwords, for example.

They’re all too easy to find, since researchers have found that the manufacturers of off-the-shelf IoT gadgets often post default passwords online in order to aid in quick device setup.

Using such default credential pairs, Schuchman and his buddies managed to compromise not only individual devices but entire categories of devices that shared the same vulnerability, as the plea agreement described.

From at least July 2017 until at least July 2018, Schuchman and his co-conspirators, who aren’t named in the indictment, rented out access to an evolving series of DDoS botnets. They were initially based on source code from Mirai – the botnet that was the subject of Schuchman’s previous prosecution in Alaska and which, in 2016, targeted security journalist Brian Krebs in what experts said at the time was the biggest DDoS attack in public internet history.

Over the course of that year, Vamp was the primary developer and coder, while Drake managed sales and customer support. Schuchman, besides researching new vulnerabilities, also helped out with botnet development.

In August 2018, the trio named one of their botnets Satori. That one built on Mirai by targeting devices with Telnet vulnerabilities. It also used an improved scanning system that was borrowed from another DDoS botnet, Remaiten. Mirai would go on to compromise 100,000 devices. The conspirators unleashed this version of Satori on a range of victims in the US, including a large ISP, popular online gaming services, prominent internet hosting companies, and hosting companies specializing in DDoS mitigation.

At the same time, Schuchman bragged about compromising another 32,000 devices belonging to a large Canadian ISP. He used the added might of those devices to attack targets with bandwidth of about 1TB per second. He also bragged about causing a dramatic increase to internet latency on a national level with a test attack.

In September or October 2017, the trio, along with other co-conspirators, made yet more improvements to Satori, which they rechristened “Okiru.” They used Okiru to compromise vulnerable devices, including exploiting flaws in customized versions of GoAhead web servers embedded in wireless surveillance cameras.

The next botnet version, which arrived in November 2017, was dubbed Masuta. It targeted vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices. That one infected up to 700,000 compromised nodes.

At the same time that Masuta was being launched in a large number of attacks, Schuchman was also operating his own, distinct DDoS botnet, which he used against IP addresses associated with ProxyPipe, a DDoS mitigation network.

He was quite busy at that point: he was also scanning for more vulnerable Telnet devices to suck up into the botnets. When he got complaints about the scanning, he’d respond using his father’s identity. That was part of his modus operandi: he frequently hid behind his father’s identity throughout his criminal career. According to his plea agreement, after he’d been indicted, he kept committing new crimes from his father’s apartment.

Around January 2018, Schuchman, Drake and others merged elements of Mirai with those of Satori to target devices largely based in Vietnam, and so expand the merged botnet further still. The refinement of the botnet continued: by March 2018, the improved botnet came to be called by the names Tsunami and Fbot. Mostly comprised of GoAhead cameras, the botnet infected up to 30,000 more devices and was used to attack gaming servers, including gaming server provider Nuclear Fallout.

During this time, Schuchman et al. also discovered vulnerabilities in about 650,000 High Silicon DVR systems. Schuchman managed to pwn at least 35,000 of the DVRs and dragged them into the Tsunami/Fbot botnet. He and his co-conspirators ran test attacks using about 10,000 of the hijacked DVR systems – attacks that attained estimated bandwidths of more than 100Gbps.

By April 2018, having moved on from Drake and Vamp to work with others, Schuchman developed another, unnamed DDoS botnet based on the Qbot financial malware. To create it, he exploited devices that included high-bandwidth GPON devices at the Mexican broadcast TV network Telemax.

By that point, Vamp had become a competitor: he and Schuchman were using the same credentials to go after the same universe of botnet nodes. They tried to block each other from getting at the infected nodes by changing configurations. Schuchman employed tactics including using the IPTables tool to kill all the open ports on the devices: a technique that, court documents say, is a good way to cause “substantial damage” to a victimized device.

Schuchman was first interviewed by the FBI in July 2018. He and Vamp were getting along again at that time, and they resumed working “in earnest” to keep buffing up their DDoS botnet iterations.

Schuchman, who was going by the aliases Nexus and Nexus-Zeta, was indicted on 21 August 2018, but that didn’t slow him down. Around October 2018, he created a new Qbot DDoS botnet variant – while he was on supervised release, and after he’d already been indicted for creating and deploying botnets.

Also in October, he used some of the data that turned up in legal discovery to figure out where Drake was located so that he could swat him. The swatting involved a fake 911 call about a purported hostage situation at Drake’s house, triggering a “substantial law enforcement response,” according to court documents.

Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. He’s facing a maximum penalty of 10 years in prison and $250,000 in fines, but he likely won’t see that much time: the recommended sentence agreed to by prosecutors calls for penalties “at the low end of the guideline range.”

According to The Daily Beast, Schuchman has Asperger’s syndrome, which might further affect his sentencing, set for November.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GTqVr4bD8sE/

Android gets September update as price of flaws soars

When is a security update not a security update? Well, it’s a trick question, but the answer is – when it’s patching flaws in a version of an OS nobody beyond developers is yet running.

That OS is the all-new Android 10, which this week has started appearing on a tiny number of smartphones, complete with its first ever security patches.

Reading the September Security Bulletin, there are two specific to 10 – the first a remote code execution (RCE) marked ‘critical’ in the Media Framework (CVE-2019-2108), and the second an elevation of privileges (EoP) marked ‘high’ priority (CVE-2019-9254) affecting the Framework.

Of course, if you’re among the vast throng who don’t yet have Android 10 (or will need to buy a new device to get it), you’ll first see these when you download the new OS, in which case they’ll just be part of the first incarnation of the software.

That means Google is officially patching security flaws before users have their hands on the software containing the vulnerabilities being fixed.

For everyone else, this month sees fixes for a routine collection of woes. The advisory mentions a single critical flaw affecting Android 8.x and 9.x, plus another 12 marked high priority affecting different mixes of versions between 7.x, 8.x and 9.x.

In addition, there are three high priority fixes for Nvidia components in devices using them (including one affecting ARM Trusted Firmware) plus 17 CVE-level flaws marked high affecting Qualcomm.

Qualcomm’s closed-source components add a final tranche of 14 flaws, two described as critical.

Android 10 updating

Of course, it can take a long time for monthly Android fixes to reach devices – anything from days for Google Pixels, to months for everything else.

On a positive note, Android 10 implements Project Mainline, an initiative through which at least some urgent security fixes in the Google-specific bits of Android can be applied as simple updates delivered from the Play Store (see our earlier coverage for details on which components will be part of this initiative).

Bigger bounties

It’s good timing because there is evidence that the commercial market for flaws in Android is experiencing a dangerous spot of price inflation.

‘Commercial market’ refers to the price that independent companies are willing to pay for researchers to tell them about exploitable flaws in software such as Android, Windows, iOS or macOS.

One such enterprise is Zerodium, which this week released a new price list attaching a bug bounty of up to $2.5 million for the best zero-day (unknown, unpatched) flaws.

That’s a big increase for Android zero-days from a year ago, beating the $2 million offered for equivalent vulnerabilities affecting iOS.

Even if (as some suspect), this is mostly clever marketing by Zerodium, it serves to remind us that not every serious flaw discovered by researchers gets sent to vendors to rustle up a fix.

Who exactly gets their hands on the flaws bought up by specialist companies is anyone’s guess but it’s likely that customer lists include governments and law enforcement.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xUkOcZUm9To/

Firefox won’t follow Chrome’s anti-ad-blocker changes, says Mozilla

Mozilla has told developers not to fret – it won’t follow Google in tweaking its browser to be unfriendly to ad blocking software.

The Foundation made its announcement on Tuesday in an FAQ updating developers on its plans for the WebExtensions application programming interface (API).

WebExtensions is a set of interfaces that browser vendors offer to the developers of extensions, which are programs that extend the browser’s functionality. The WebExtensions interface gives the extensions a way to exchange instructions and information with the browser.

WebExtensions is used in Chromium, the open-source browser project on which Chrome is based, but Mozilla decided to support it too back in August 2015. By supporting the same API as Chrome, Mozilla ensured that extensions written for Chrome could easily port to Firefox.

Last November, Google announced changes to the way that it would implement the WebExtensions API as part of Manifest, the system that restricts what extensions can do in Chrome. Manifest v3 would restrict the webRequest API, it said. This is the API that extensions use to intercept network requests from the browser. One use for this API is to analyze and block traffic sent to advertising networks, making it a popular tool among ad blocking software. Under the new proposals, extensions would instead use a different API called declarativeNetRequest, which restricts the rules available to the blocking process.

Google’s Chrome developers said that this was a change designed to make the browser more efficient and increase performance, but it landed them in hot water after extension developers – especially those of ad blocking software – criticised the move.

Developers also asked Mozilla how it would handle the WebExtensions API in forthcoming versions of Firefox, and it published an FAQ on Tuesday. The upshot? The existing content-blocking API stays. It said:

We have no immediate plans to remove blocking webRequest and are working with add-on developers to gain a better understanding of how they use the APIs in question to help determine how to best support them.

Mozilla said that it’s tracking the development of Manifest v3, which is still in the draft and design phase. Refining its own support for WebExtensions is, therefore, a little like hitting a moving target, because it wants to make Firefox extensions as compatible as possible with Chrome without crossing any red lines with its own extension developers. So later this year, it will begin experimenting with the changes that it thinks are most likely to make it into Manifest v3 “and that we think make sense for our users,” it said.

Once Google has finalized their v3 changes and Firefox has implemented the parts that make sense for our developers and users, we will provide ample time and documentation for extension developers to adapt.

It also won’t kill off the v2 API until developers have a “viable path” to migrate to v3, it added.

Aside from Safari, which is only available on macOS and iOS, Firefox is the only major browser that isn’t now based on Chromium. Here’s how other Chromium-based browsers plan to support WebExtensions…

Jon von Tetzchner, CEO of Vivaldi, was noncommittal. He told us:

We are working on alternative approaches of our own, but it is too early to say exactly what the final result will be like.

A spokesperson for Opera told us that it wasn’t an issue for that browser, as it had its own ad blocker.

All the Opera browsers, both on mobile and PC, come with a built-in ad blocker that users can choose to enable. This means that Opera users aren’t really exposed to these changes – unlike users of most other browsers. We might also consider keeping the referenced APIs working, even if Chrome doesn’t, but again, this is not really an issue for the more than 350 million people who have chosen Opera.

Like Opera, the privacy-focused browser Brave already includes an ad blocker in its product. 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m--la7sLG8k/

Scammers deepfake CEO’s voice to talk underling into $243,000 transfer

Any business in its right mind should be painfully aware of how much money they could bleed via skillful Business Email Compromise (BEC) scams, where fraudsters convincingly forge emails, invoices, contracts and letters to socially engineer the people who hold the purse strings.

And any human in their right mind should be at least a little freaked out by how easy it now is to churn out convincing deepfake videos – including, say, of you, cast in an adult movie, or of your CEO saying things that… well, they would simply never say.

Well, welcome to a hybrid version of those hoodwinks: deepfake audio, which was recently used in what’s considered to be the first known case of an AI-generated CEO voice being used to bilk a UK-based energy firm out of €220,000 (USD $243,000).

The Wall Street Journal reports that some time in March, the British CEO thought he had gotten a call from the CEO of his business’s parent company, which is based in Germany.

Whoever placed the call sounded legitimate. The voice had the hint of a German accent and the same “melody” that the UK CEO recognized in his boss’s voice, according to fraud expert Rüdiger Kirsch, who works with the company’s insurer, Euler Hermes Group SA. The insurer shared details of the crime with the WSJ, but it declined to identify the businesses involved.

The caller had an “urgent” request: he demanded that the British CEO transfer $243,000 to a Hungarian supplier within the hour. He complied and made the transfer.

Analysts told the WSJ that they believe that artificial intelligence (AI)-based software was used to create a convincing imitation of the German CEO’s voice. The transfer went through, and the money was subsequently funneled into accounts in other countries.

The scammers then called back for more: Kirsch told the WSJ that the imposter called the target company three times. The transfer went through after their first call, then the attacker called a second time to lie about the money having been reimbursed to the British company. Then, they called a third time, to ask for another payment, using the same fake voice.

The British CEO had grown skeptical by that time, given that the “reimbursement” never showed up. Plus, the third call was made with an Austrian phone number. Hence, he didn’t comply with the repeated demand for money.

Joe Rogan vs. Joe Fauxgan

If you aren’t familiar with how realistic AI-generated deepfake audio has become in recent months, you can listen to this sample, produced by the AI startup Dessa and released in May. The subject of the impersonation is the popular podcaster and comedian Joe Rogan.

You can decide for yourself how accurate the deepfake audio is, or you can take this quiz that Dessa released. I guessed right on 5 out of 8 samples, but some of those correct answers were pure guesses. It’s tough to tell the difference, in short, in my and others’ experience.

As Dessa pointed out at the time, there was plenty of material to work with when it comes to training AI. As of the time its team went to work to create a fake Rogan – that would be Joe Fauxgan, as Gizmodo quipped – Rogan had released close to 1,300 episodes of his podcast, with most of those episodes being 2-3 hours long.

That’s thousands of hours worth of audio to train from. Bafflingly, though, Dessa said that its team created the Rogan replica voice with a text-to-speech deep learning system they developed called RealTalk, which generates life-like speech using only text inputs.

What does this all mean? Well, it means that the floodgates have opened on deepfake audio, for one thing. Dessa’s Principal Machine Learning Architect Alex Krizhevsky:

Human-like speech synthesis is soon going to be a reality everywhere.

It also means that we can expect more cybercrooks to pull off convincing scams like the one with the faux German CEO.

As it is, a year ago, the voice interaction identity and security infrastructure company Pindrop released a report that found that the rate of voice fraud had climbed over 350% from 2013 through 2017, with no signs of slowing down. Pindrop attributed the surge to several causes, one of which was the development of new voice technology.

In a post on Medium, Dessa said that at this point, you have to have a good deal of “technical expertise, ingenuity, computing power and data” to make models like its RealTalk perform well.

So not just anyone can go out and do it. But in the next few years (or even sooner), we’ll see the technology advance to the point where only a few seconds of audio are needed to create a life-like replica of anyone’s voice on the planet.

Judging by the voice phishing (vishing) scam pulled off in March, it isn’t years off at all. We don’t have many details, but it sounds pretty much like it’s “now.”

What to do?

If this turns out to indeed be a deepfake audio scam, we can take a page from the advice given out to avoid BEC scams to avoid these, as well. After all, both scams are after the same thing – pretending to be a business’s known contacts so as to initiate fraudulent transfers. And in both types of scam, the crooks benefit from the fact that you can’t see them when they’re hiding behind a convincing email or a convincing-sounding phone call.

As the FBI notes with regards to BEC, no matter how sophisticated the fraud, there’s an easy way to thwart it: don’t rely on email alone. In this case, we can swap in “voice” for “email”.

FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

And by “directly,” make sure that you’re the one who places the call, as opposed to being the one who picks up the phone and potentially becomes a fraudster’s mark.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_coDs7IxGNM/

Raspberry Pi blasted into space, sends back video of Earth

Are you one of the 20 million people out there who own a Raspberry Pi?

Actually, let’s be careful with our numbers here, and ask if you own one or more of the 20 million Raspberry Pis out there. (Many people own more than one – they can be habit-forming.)

Ever wondered what sort of project to attempt with your Pi?

Here’s one example: we used our Pi Zero as a monitoring system for some light-hearted research into cryptojacking.

We set up a power-logging network where you could browse to various websites, and track live on a big screen the power consumption, fan speed and CPU temperature of your laptop when you hit a website that had cryptomining JavaScript on it. If you’ve ever wondered why browser-based cryptomining has mostly died out after arriving in a blaze of publicity, it might help to know that in a live demo in the Netherlands, we found that, at the cheapest Dutch electricity tariff we could find, we could potentially earn as much as EUR2.70 a year for a low, low, low annual running cost of just EUR84. We didn’t need a Raspberry Pi to work that out, but we used one anyway.

Well, a UK company called SSTL, short for Surrey Satellite Technology Limited, had a more ambitious goal.

Plan. Send a regular Raspberry Pi Zero into orbit, and make a video of Planet Earth with it.

Result. Success!

We’re not sure, but at the right hand side of the image, we can see what looks a bit like the proverbial ‘piece of string’ that every good project needs.

In a formal statement for the company’s press release, Sarah Parker, SSTL Managing Director, said:

I am delighted with the success of our new Core-DHS based avionics which will give our customers the benefits of our heritage avionics stack but in a lower form factor to deliver improved power consumption and lower launch costs. The success of the Raspberry Pi camera experiment is an added bonus which we can now evaluate for future missions…

As for the technical modifications that were needed, Engineering Director, Rob Goddard, put things less formally for the BBC:

We put it in a metal box.

That may sound like carelessly casual talk, but it isn’t.

As SSTL’s own website explains:

In the mid-1970s space was considered to be such a different environment to Earth that anything sent into the atmosphere needed to be specially designed and tested for the harsh conditions of space. Naturally, this made building satellites incredibly expensive and time-intensive.

In the late 1970s, a group of aerospace researchers working at the University of Surrey, including a young Martin Sweeting [now Sir Martin], decided to experiment by creating a satellite using commercial off-the-shelf (COTS) components. The idea was bold and audacious and the results were surprising.

To show how far off-the-shelf, you-and-I-can-buy-one-too technology has come in the past 40 years, SSTL published an image taken over the Mediterranean in 1981 on the company’s first mission, with a 2019 picture from the latest mission alongside it.

To be honest, we’re still pretty impressed with the pixellated bi-level image beamed back from space in the early 1980s, let alone with this year’s one.

But we’re not surprised that the Pi Zero was up to it.

The only question is, “What project to attempt with it next?”

Leave your ideas below! (Seriously. Our own Pi Zero is ready for its next deployment.)
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-LDElVMtVrM/

It’s Not Healthy to Confuse Compliance with Security

Healthcare organizations should be alarmed by the frequency and severity of cyberattacks. Don’t assume you’re safe from them just because you’re compliant with regulations.

Cyberattackers’ interest in healthcare organizations continues to increase. In 2018, there were 284 breaches reported on the US Department of Health and Human Services (HHS) breach portal and 27 so far in 2019. According to InfoSec Institute, “nearly 95 percent of all medical and health care institutions have been victims of some form of cyberattack.”

Most people think of healthcare and cyber-risk as related to the compromise of sensitive patient data. This is true, and it’s also a fact that healthcare data is valued significantly higher than credit card data. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a US credit card number. Protecting this data is critical, and this is at the core of the long-standing Health Insurance Portability and Accountability Act (HIPAA) regulations, including the HIPAA Security Rule.

A high percentage of healthcare organizations successfully check the HIPAA compliance box. However, it’s unhealthy to confuse being HIPAA compliant with being secure, especially as healthcare cyber threats today are broadening beyond data theft.

Cyber Threat Actors Have Been Expanding Their Scope
While plundering the troves of valuable healthcare data is still a high priority, cybercriminals have expanded their scope when it comes to attacking healthcare organizations. A once sole focus on data theft has expanded to include business disruption, extortion, and phishing scams targeting healthcare employees. 

Healthcare was one of the most targeted industries in 2019 and the top industry for ransomware incidents in 2018 according to the “Beazley 2019 Breach Briefing.” According to the report, the healthcare industry represented 34% of total ransomware incidents, more than double that of the next two industries — professional services and financial services. The proliferation of Internet-connected medical devices is also emerging as an area of growing concern. This is shown by the recent release of the Medical Device and Health IT Joint Security Plan.

The good news: This is all driving increased awareness of the need for a more focused and comprehensive approach on healthcare cybersecurity as opposed to healthcare compliance.

NIST Cybersecurity Framework and HICP
There is an increasing focus in healthcare on adopting the NIST Cybersecurity Framework to improve cybersecurity efforts, bolster defenses, and reduce risk. The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices to manage cyber-risk. The framework is based on a holistic approach to cybersecurity that includes these concepts: identify, protect, detect, respond, and recover.

There are two attractive attributes of the framework that healthcare organizations will find positive. First, it is very flexible and has applicability to organizations of all sizes, from small, three-person doctor’s offices to the largest hospital systems. Second, it’s voluntary!

The shift to the NIST Cybersecurity Framework will accelerate with Health and Human Services’ announcement of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HICP is also similar to the NIST Framework in that it is voluntary and very flexible. In fact, HICP does a great job segmenting best practices that are applicable to small organizations versus midsize and large organizations.

Three steps all healthcare organizations can take right now to improve their cyber posture:

1. Embrace and align cybersecurity efforts to NIST and HICP. The shift in healthcare cyber focus from being compliance- and data-centric is happening rapidly. If you haven’t started down the road of NIST and HICP, it’s time to get moving. First, measure yourself against the NIST Cybersecurity Framework, which provides an excellent general baseline. Once you’ve done that, become more intimate with HICP and align where your organization is relative to these healthcare-specific best practices. Keep in mind that it doesn’t matter as much where you are on this journey; what matters is that you’re on it.

2. Revisit basic cyber hygiene practices. Fortunately, for healthcare companies, the flood of attacks targeting state and local government organizations has taken the spotlight off of healthcare. However, it’s also exposed many organizations that continue to fall down on basics like vulnerability management, patching, and data backups. Revisit the basics and make sure you’re covered.

3. Increase your use of threat intelligence and information sharing more broadly. Threat intelligence has become a critical component of cyber defenses for all companies. As a first step, if you’re not consuming and sharing threat intelligence with healthcare peers via H-ISAC (Health Information Sharing and Analysis Center) you should. Importantly, because healthcare is heavily tied to other industries like financial services and government, you should explore whether you can participate in these communities and other cross-industry threat-sharing communities operated by those like Global Resilience Federation.  

The trend of cyberattack frequency and severity should be concerning to all healthcare organizations. As we have seen in other industries, being compliant is not the same as being secure. The expanding focus on cybersecurity frameworks like HICP and the NIST Cybersecurity Framework is a positive step toward improving cybersecurity health.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT.”

Todd Weller, Chief Strategy Officer at Bandura Cyber, works with large organizations in acting on their threat intelligence to prevent future attacks. He brings over 20 years of cybersecurity industry experience with a unique blend of operational and hands-on proficiency. He … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/its-not-healthy-to-confuse-compliance-with-security/a/d-id/1335669?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

419M Facebook User Phone Numbers Publicly Exposed

It’s still unclear who owned the server storing hundreds of millions of records online without a password.

An unsecured server exposed 419 million phone numbers belonging to Facebook users, whose information was stored in several databases without password protection, TechCrunch reports.

The records spanned Facebook account holders in countries including the US (133 million), UK (18 million), and Vietnam (50 million). Each record held an individual’s Facebook ID, which is a unique number connected to the account, and the person’s phone number. Some also held the user’s name, gender, and location. Affected databases were taken offline by the hosting provider.

User phone numbers have not been publicly available on Facebook since 2018, when the social media giant removed developers’ access to them. It’s believed whoever scraped the numbers did so before Facebook changed its policy allowing users to find friends using phone numbers. The identity of who scraped the information and why has yet to be confirmed, the report says.

Facebook has so far not seen any indication that user accounts have been compromised. Exposure of a phone number can leave victims susceptible to SIM swapping and spam calls.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/419m-facebook-user-phone-numbers-publicly-exposed/d/d-id/1335740?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Crimeware: How Criminals Built a Business to Target Businesses

A new report investigates the evolution of crimeware, how businesses underestimate the threat, and why they should be concerned.

As businesses large and small have shifted their security concerns from financially motivated cyberattacks to sophisticated targeted threats, criminals have been building a well-run crimeware organization. Operating as an enterprise of its own, it lets them develop, leverage, and distribute new infection methods.

Chronicle, the enterprise cybersecurity division under Alphabet and recent addition to Google Cloud, today published a report investigating the evolution of crimeware from 2013 to 2018. Researchers explain how crimeware, traditionally considered a “commodity threat,” has grown into a highly lucrative institution fueling sophistication of malware and attack strategies.

“These guys run straight businesses,” says Brandon Levene, head of applied intelligence at Chronicle and report author, explaining the services offered and analytics used. “Everything is well documented. The data is extraordinarily rich. … I think that has been a really big tell” for how organized these criminal organizations are.

Instances of crimeware have steadily grown each year, Levene says, and the prevalence and frequency of attacks have desensitized security teams. “Crimeware fatigue,” as he describes it, distracts targets from malicious activity that has become inexpensive and low effort for financially motivated criminals. Once attackers are on a corporate network, they know how to conduct reconnaissance, see what’s valuable to them, and where they sit in an organization.

“They are able to select their victims for maximum value,” he continues. Years of deploying massive, broad attacks have taught cybercriminals how to optimize for volume and speed; now, they leverage traditional workplace standards to generate profit. A shift to consolidation and “crimeware-as-a-service” showcases their ability to grow this business while finding new tactics.

All the while, as attackers have refined their techniques and profited off enterprise victims, law enforcement has lagged behind. Criminals model risk based on law enforcement’s efforts and adjust their tactics based on the funds they generate, Levene says. Unburdened by geography and other factors that limit law enforcement’s ability to find and arrest attackers, crimeware operators have had an advantage in building their capabilities to further outpace the good guys.

So, how did we get here? How have criminals adjusted their operations, and why are they leveraging their more advanced capabilities to target businesses instead of consumers?

A Snapshot of Crimeware’s Evolution
In 2012 and 2013, which marked the start of Levene’s research, there was a “pretty broad range” of people conducting malware operations. Over time, these parties began to consolidate, likely in response to the risks of running malware operations. Infrastructure hosting was consolidated, and malware began to consolidate as well, he explains. While we still see multiple malware families, it’s typically the same four to five names instead of the 20 to 30 seen in the past.

While crimeware is generally increasing, different attacks have seen different trends. Banker malware, for example, was “relatively flat” from 2013 to 2017, then spiked 1,130% in the second quarter of 2017. Ransomware’s growth track was more reliable, increasing in 13 of the 20 total quarters analyzed. Information stealers’ growth was stable from 2013 to 2018. Miners were pretty uncommon until they appeared in the transition from 2017 to 2018, Levene reports.

Emotet, which has recently been less active but historically has had a strong relationship with the criminal community, is one example of a threat that has adjusted its technique. Its operators have moved from a banking Trojan model to running “enormous” malware spam campaigns through which they gain, and subsequently sell, access to businesses. TrickBot has also stepped up its pace, Levene says. Emotet was used as a dropper for TrickBot, which can in turn launch ransomware attacks.

One of the biggest shifts in technique was the transition to the “as-a-service” model. In this environment, trusted affiliates could manage malware distribution, command and control, data collection, and payouts. More criminals owned “as-a-service” platforms or bought into them, eliminating the need for people to run their own malware operations. Attackers don’t need to share source code with customers, who can launch campaigns with less-advanced skills.

“Executing a well-run operation from beginning to end is much easier,” Levene says, once a criminal is able to enter one of these operations or pay for a relationship to the operators. “A lot of these businesses are run on trust,” he notes, and many have been around for years.

Why Businesses Should Be Worried
Today’s organizations underestimate the threat of crimeware; instead, they’re worried about advanced persistent threats (APTs) and advanced attacks. “One of the misconceptions is that financially motivated threat actors are not as sophisticated as these targeted intruders, nation-state intruders,” he says.

APTs are low-prevalence, high-impact threats, Levene adds. Crimeware is high prevalence, high impact. Businesses that can’t stop high-prevalence intrusions have no chance of stopping an APT. “The competence of financially motivated threat actors has gotten to a point where they can disrupt an organization or an enterprise just as badly as an APT.”

There are two ways attackers normally try to break into a business environment. The first is sending emails laced with malicious links or attachments, which Levene calls “the bread and butter” of cybercriminals. “That accounts for the huge majority of targeting,” he points out. Unlike in 2013 or 2015, when criminals used exploit kits, they now rely on social engineering.

The second is Internet-facing remote access protocols and tools, including TeamViewer, VNC Viewer, and Windows Desktop. All offer public-facing remote access into an enterprise server but are often protected only with weak passwords. Criminals gain access to these environments and then launch tailored ransomware attacks. Levene notes that this tactic, which has become prevalent in the past two years, requires more labor, knowledge, interaction, and availability than distributing malware at volume.

He anticipates that ransomware and destructive malware will be a growing concern, especially as attackers tailor their access to chosen environments. Loaders will get smaller, droppers will improve, and recon tools will become more lightweight. Recon will become far more routine, and organizations will be forced to react quickly once they realize their data is at risk.

“I think it’s going to be a shock to them, when they realize how valuable their data is,” Levene says of small and large businesses alike. “This places the onus for defense on network defenders themselves, who may not be equipped to handle it.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/crimeware-how-criminals-built-a-business-to-target-businesses/d/d-id/1335742?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

S2 Ep7: iPhone attack, Twitter hack and Android bots – Naked Security Podcast

Episode 7 of the Naked Security Podcast is now live!

This week, host Anna Brading is joined by Mark Stockley, Paul Ducklin and Matt Boddy. Anna revisits her childhood limerick horror [1’06”], Duck talks iPhone zero days [3’49”], Matt discusses Android botnets [18’25”], and Mark finds out how the founder and CEO of Twitter had his account hijacked [31’07”].

A huge thank you to those of you who have rated and reviewed our podcast – reviews help us reach more people.

If you’ve got questions that you’d like us to answer on the show, please comment below or ask us on social media.

Listen now and tell us what you think!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EUMAta8PBoU/

Today’s data whoopsie is brought to you by CircleCI: Source safe, but look out for phishers

Software testing and delivery company CircleCI has apologised for exposing user data to the world and its dog.

The company blamed a third-party analytics provider for the leak, which it learned about at the end of August. CircleCI is a continuous integration/continuous delivery software pipeline for Microsoft, Linux, Docker and macOS developers.

In a statement, the outfit said: “On August 31st, we became aware of a security incident involving CircleCI and a third-party analytics vendor. An attacker was able to improperly access some user data in our vendor account, including usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user agent strings. The engineering and security teams at CircleCI immediately revoked the access of the compromised user and quickly launched an investigation.”

The company reassured users that no source code, build logs or other production data was at risk, and that no authentication or password data was lost. But the incident could affect any customers who used CircleCI’s platform between 30 July and 31 August; those users should have been informed by email.

CircleCI said its security team was still working with the unnamed vendor to upgrade security and had also engaged an external forensics firm to consider additional measures.

It warned customers to be extra vigilant about phishing attempts that may be using their leaked email addresses.

We’ve contacted the company but they’re based in San Francisco, so probably haven’t yet got up to drink their artisan coffee.

Anyone worried should keep an eye on this page of CircleCI’s website where further updates are promised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/05/circleci_security_incident/