STE WILLIAMS

Security Expert Unmasks His Scammer

The young iPhone scammer in Ireland had no clue who he was dealing with when he tried to shake down the owner of a stolen iPhone 5 he had acquired after it was snatched from the owner’s coat pocket in a Dublin pub.

Turns out the iPhone belonged to security expert Ralph Logan, who was visiting Dublin in September on business and out for a pint or two one evening with a friend who was there as part of the roadie crew for former Pink Floyd band member Roger Waters’ “The Wall” tour. Logan didn’t realize his smartphone was missing until he and his fellow revelers were settled in at a second pub that night.

Logan’s iPhone was locked with “Find My iPhone” enabled, so he messaged the phone with his name and hotel information in hopes someone had found it and would return it. “I didn’t get any response,” says Logan, who is a partner at Logan Haile, LP. When he returned home to the States, he purchased a new iPhone 5S and “moved on.”

But on November 13, he received a message via Twitter from “Lee Cork,” asking if Logan had recently lost an iPhone 5 in Ireland. Logan confirmed that he lost his phone with a grey and orange case in Dublin, and gave Cork his Gmail address. (Cork had gleaned Logan’s email from the stolen iPhone).

Cork sent Logan this email message:


Lee Cork
Nov 13

Hi Ralph,
My name Lee and I work for a company in Belfast which specialise in mobile technician repairs replace etc. A few days ago a guy came in with what is believed to be your phone to get it unlocked or used as parts but upon opening the phone up we came across your name and have be trying to track you down. I would like to return the phone to you but I need to take verification steps can you please forward on the following information:
1- Apple ID and Password
2- A list of 5 contacts numbers you would have used prior to the phone been lost.
3- Your Full name, phone number and Full address.

Lee Cork,
RTP General Manager

That request is what gave “Lee” away. With Find My iPhone enabled, the iPhone 5 cannot be erased and reactivated without the owner’s Apple ID and password; that Activation Lock is exactly the feature that stops thieves from wiping stolen phones and using them as their own. A repair shop has no need for those credentials, while a thief stuck with a locked handset needs nothing else, so Lee was plainly neither a Good Samaritan nor a particularly sophisticated scammer. Logan decided it was time to root out whoever had his iPhone. “As soon as I got that email, I launched my black-box investigation,” he says.

Logan declined to share details of his investigation on the record, but he was able to dig up some key information on Lee, including his real name – Martin — his real email address, his girlfriend’s name, and his brother’s name. After “Lee” emailed him again for the iPhone credentials and information, Logan responded with an email sent to both Martin’s scammer and real email addresses.

The email, said, in part:

Nov 29, 2013

Martin,

Firstly, you can drop the idiotic pretense of being Lee Cork in Belfast. You are Martin XXXXXX in Dublin. Secondly, I know you acquired my stolen phone as I’ve been investigating you for weeks now. The bad news for you is worse than just being out of pocket some money. The bad news is that you acquired stolen property that is owned by a very capable and determined professional security investigator. It’s what I do for a living. I currently have enough evidence to roll up and remand you into custody anytime I want. However I’ve taken this a bit personally and don’t want to involve the Irish local authorities just yet.

Logan then dropped the first names of Martin’s girlfriend, brother, and mother in the message, and gave him an ultimatum:

Here’s what I’ve decided to do. I’m literally giving you until Wednesday, December 4th to take my phone and drop it with the receptionist at XXXXXX at the following address: xxxxxxxx, Dublin 2

You can tell the receptionist any story you like, but have her label the phone for XXXXXX. XXXXXX is the head of security at that location, who I happened to be visiting while in Dublin.
He’ll get it back to me.

The phone was delivered, undamaged, to Logan’s colleague’s office in Dublin on December 3. “I had him drop it off at a neutral site in Dublin,” he says. Turns out Martin had paid 300 euros to someone else who had either stolen or purchased the stolen phone.

Logan says the other method he had planned to use to name and shame the scammer was an email that could have traced its source IP address. “I would send him an HTML email with a link to an embedded one-pixel image that would GET from my Web server, which would reveal his source IP address,” he says.
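The tracking-pixel technique Logan describes, as an added example that is neither his code nor Dark Reading’s: a small Python server that hands out a 1x1 GIF and records the source address, a per-recipient token and the User-Agent for every fetch, together with the HTML that embeds it. The server address, the /pixel.gif path, the t= query parameter and the token value are assumptions for the demo, which fetches the pixel from localhost so it runs offline.

```python
"""Added example (not Logan's code): an e-mail tracking-pixel server.

The HTML body links to a 1x1 GIF on a server you control, with a per-recipient
token in the URL. Whatever fetches the image reveals its source address in the
request log. Hostname, port, path, parameter name and token are assumptions.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# The well-known 42-byte transparent 1x1 GIF89a, decoded from base64.
PIXEL_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

# Request log kept by the handler: (remote_ip, token, user_agent)
HITS = []


def parse_token(path):
    """Return the recipient token from /pixel.gif?t=<token>, or None."""
    parsed = urlparse(path)
    if parsed.path != "/pixel.gif":
        return None
    return parse_qs(parsed.query).get("t", [None])[0]


def build_email_html(base_url, token):
    """HTML body carrying the invisible pixel; base_url is the tracking server."""
    return (
        "<html><body><p>Thanks, I will send the details shortly.</p>"
        f'<img src="{base_url}/pixel.gif?t={token}" width="1" height="1" '
        'alt="" style="display:none"></body></html>'
    )


class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = parse_token(self.path)
        if token is None:
            self.send_error(404)
            return
        HITS.append((self.client_address[0], token,
                     self.headers.get("User-Agent", "")))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # re-opening the mail re-fetches
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):  # keep stdout quiet; HITS is the log
        pass


def serve_and_fetch_once(token="recipient-001"):
    """Demo: serve on an ephemeral localhost port, fetch the pixel the way a
    mail client rendering the HTML would, and return the recorded hit."""
    server = HTTPServer(("127.0.0.1", 0), PixelHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base_url = f"http://127.0.0.1:{server.server_port}"
        html = build_email_html(base_url, token)
        # Pull the image URL out of the HTML exactly as a client would.
        src = html.split('src="', 1)[1].split('"', 1)[0]
        with urlopen(src) as resp:
            body = resp.read()
        assert body == PIXEL_GIF
        return HITS[-1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    ip, tok, ua = serve_and_fetch_once()
    print(f"pixel fetched from {ip} with token {tok} (client: {ua})")
```

The token is what ties a fetch to one recipient, and Cache-Control: no-store makes a re-opened message fetch again. The caveat a practitioner should keep in mind is that the address recorded belongs to whatever fetched the image: webmail services that proxy remote images, and clients that block them until the reader opts in, will log the proxy’s address or nothing at all. This is the same mechanism marketing and phishing mail rely on, which is precisely why those defences exist.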


Article source: http://www.darkreading.com/attacks-breaches/security-expert-unmasks-his-scammer/240164721

Energy Department Breach Years In Making, Investigators Say

The July 2013 Department of Energy breach happened because of a series of managerial and technological failures, some of them stretching back years.

That’s the top-level takeaway from a 28-page report, released Wednesday, by Gregory H. Friedman, the inspector general (IG) of the Department of Energy. The IG’s report is a result of an investigation that was launched, in part at the request of the DOE’s CIO, after an attacker hacked into the DOE Employee Data Repository (aka DOEInfo), which is accessed via a gateway provided by the agency’s management information system (MIS).

The list of failures cataloged by the report is extensive, starting with a “lack of urgency” over information security matters. “While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease,” said Friedman. The attacker exploited a DOEInfo vulnerability for which attack code was publicly available on the Internet.



Article source: http://www.darkreading.com/attacks-breaches/energy-department-breach-years-in-making/240164751

Nude Carla Bruni pics masking Trojan lured G20 attendees to click

Hackers used nude photos of former French first lady Carla Bruni as bait to get dozens of G20 representatives to click on what turned out to be a Trojan-delivering email.

According to News.com.au, dozens of diplomats attending the 2011 sixth G20 summit in Cannes were snared.

The tempting message that masked the Trojan was sent to the finance ministers and central bank representatives who attend these summits.

All that was needed to get those high-value espionage targets to click were these nine words:

To see naked pictures of Carla Bruni click here

The nude photos were legitimate: Ms. Bruni, now using the name Carla Bruni-Sarkozy, is a pop singer and former supermodel who married the French President Nicolas Sarkozy in 2008. At the time of the phishing attack, she was France’s first lady.

While the victims eyeballed the nude photos, the malware silently infected their computers and forwarded copies of itself to other recipients.

Somebody the Daily Telegraph calls “a government source in Paris” told the news venue that just about everybody who got the message fell for it:

Almost everybody who received the email took the bait.

The purpose, target, effect and origin of the attack are still apparently unknown and under investigation.

It’s worrying that such a low-tech attack can still be effective, especially against those in the upper echelons of power. Sure, it can be hard for humans to block their most basic impulses, but there is a long, sordid and well-publicised history of attacks like this, and there can be no excuse for G20 attendees being so foolish and unprepared.

We trust that Naked Security readers will be more careful where they click!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JSP_mMCmj1Y/

Online bank thieves arrested with £80k and a grenade

Specialist explosives officers in the UK removed what they suspected was a live hand grenade in a Tuesday morning raid on what detectives believe is an organized ring of cyber-criminals.

Detectives from London’s Met cybercrime unit busted four people on suspicion that they were involved in planting malware that siphoned £1 million out of two UK banks.

According to The Guardian, besides the grenade, detectives seized £80,000 ($130,608) and a Range Rover following raids on addresses in the north London boroughs of Enfield and Islington.

They also seized computers, smartphones and other media devices, and luxury goods, including designer jewellery.

Two 31-year-old men, a 27-year-old woman and a 24-year-old woman were arrested on suspicion of conspiracy to defraud, conspiracy to launder money and possession of an explosive.

The raid, carried out by detectives from the Metropolitan Police’s new Cyber Crime Unit (MPCCU), followed an investigation into malware that a number of bank customers inadvertently downloaded by opening emails posing as communications from their banks.

Thieves drained bank customers’ accounts of £1 million, which was then transferred to a series of other accounts for money-laundering and eventual cash withdrawal.

The Guardian quoted DCI Jason Tunn of the MPCCU as saying that beyond the four suspects lies a more extensive criminal ring:

These arrests by the Met’s cybercrime unit follow an investigation into what we suspect is an international and organised crime targeting a number of bank customers in London and across the UK. The victims have been hoodwinked by malware-carrying emails purporting to be from their banks, and subsequently had money taken from their accounts.

As of Wednesday, the male suspects were in custody at a central-London police station. The women were free on bail and set to return on a date early next year.

Police have served restraint requests to several banks seeking to freeze a number of accounts linked to the investigation.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/O6cLzz7iSNQ/

Home Office clumsily LEAKS data of 1,598 immigrants, blames ‘transparency’


The Home Office has embarrassingly coughed to accidentally leaking the personal details of 1,598 immigrants.

Applicants in the “family returns” process had some of their personal data exposed online for nearly a fortnight, immigration minister Mark Harper admitted in a written statement to Parliament on Thursday.


He blamed the government’s transparency agenda for the error by, in effect, suggesting that such a data breach was a horrible side effect of Whitehall being more open with taxpayers about its policies.

Harper said:

Unfortunately between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was removed immediately.

The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status. It did not include personal addresses or financial information.

The minister added that the Home Office had confessed to the cockup by notifying the Information Commissioner’s Office of the breach. Harper claimed that measures had been implemented to prevent such a blunder recurring. Bods at Theresa May’s department have also scanned the HO site to check for any similar errors that may have previously taken place.

Fewer than 30 people visited the relevant website page during the period when the sensitive data was exposed, Harper claimed.

A spokesman at the ICO told The Register that the watchdog had been informed of the clumsy mistake.

“We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken,” he said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/13/data_breach_home_office_leaks_personal_details_of_1600_immigrants/

Cardslurping kingpin caged for 18 years over Carderplanet forum


A Ukrainian national who co-founded the infamous cybercrime marketplace CarderPlanet has been jailed for 18 years following a lengthy US legal process that ran for more than a decade.

Roman Vega, 49, eventually pleaded guilty in 2009 to conspiracy to commit money laundering and access device fraud offences – but he was only sentenced by a New York court on Thursday.


Vega, who went by various online pseudonyms including “Boa,” “Roman Stepanenko,” “Randy Riolta,” and “RioRita,” formed two online marketplaces for stolen credit card information. He started off with the Boa Factory in the late 90s, one of the earliest websites on the Internet to provide a forum for buyers and sellers of stolen credit card information.

In the early 2000s, he co-founded and became a high-ranking administrator of a second and more ambitious criminal website, CarderPlanet. This Russian-language site quickly became one of the busiest online marketplaces for the sale of stolen financial information, computer hacking services, and money laundering.

At its peak, CarderPlanet had more than 6,000 members. Its leadership structure borrowed titles and style from the mafia: CarderPlanet was headed by a “Godfather”, immediately below whom served various “Dons”, including Vega.

Two levels below the Dons was the “Consigliere”, who served as an advisor – think Tom Hagen as played by Robert Duvall in the Godfather films. Vega, using the name “RioRita,” also served as the Consigliere.

Vega is credited with instituting the quality-control system that drove CarderPlanet’s growth: anyone wanting to sell stolen card data on the site first had it vetted by a manager, so that buyers received usable data.

In addition, the website used cyber-currencies, such as WebMoney, to provide the participants with security and the cloak of anonymity. The end result was an “efficient and reliable online marketplace for the buyers and sellers of stolen financial information not unlike legitimate e-commerce sites”, a DoJ statement on the case explains.

As well as playing a key role in running CarderPlanet, Vega also sold stolen data on the marketplaces he founded and managed. “He directed cells of cybercriminals around the globe who hacked into financial institutions to steal credit card and other financial information that would in turn be sold on online marketplaces, including CarderPlanet,” the DoJ adds.

Some principals of CarderPlanet were alleged to have ties with ShadowCrew, a notorious US-founded clearinghouse for payment-card fraudsters, and the RBSWorldPay gang. A US Secret Service operation that led to the unravelling of both CarderPlanet and ShadowCrew resulted in 28 arrests in October 2004, by which time Vega had been in custody for over a year.

Vega was identified and arrested in Cyprus in February 2003 before his subsequent US extradition and prosecution. At the time of his arrest, Vega possessed over half a million stolen credit card numbers. Vega has been continuously incarcerated since 2003.

“Roman Vega and his cybercriminal associates emulated the mafia in organising their criminal operations,” stated United States Attorney Loretta Lynch. “Now, he shares the same fate as so many mafia bosses – a long term of imprisonment. This investigation spanned the globe and sends the unmistakable warning that when it comes to dismantling global cybercrime organisations, neither distance nor complexity will deter us and our partners in law enforcement.”

The US Secret Service, assisted by the US Postal Service, led the investigation into CarderPlanet. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/13/carderplanet_mastermind_sentencing/

Apple fanbois warned: No, Cupertino HASN’T built a Bitcoin mining function into Macs


The denizens of internet horror-forum 4chan have come up with a hoax designed to trick Mac fans into deleting all the files on their machines by running commands supposedly needed to turn on hidden Bitcoin mining features.

Apple’s so-called secret mining feature, which 4channers claim has been present in Macs since 2009, can be unlocked by opening a terminal and running the following command: sudo rm -rf /*, viral images falsely claim.

Do not try this at home – or anywhere else, come to that. In reality, rm -rf /* on a Unix system (including Mac OS X) tells your computer to delete everything it can reach: the shell expands /* into every top-level directory before rm even runs, and sudo gives rm the root privileges needed to remove them. Because the shell does the expansion, rm never sees the bare path /, so the safeguards some rm implementations apply to that path (GNU rm’s --preserve-root, for example) do nothing here.

The more tech-savvy folk on 4chan would take the bogus flier as the slightly twisted joke it’s probably intended to be. But, as with any in-joke, there’s a danger that less technically knowledgeable people might be taken in, warns veteran security researcher Graham Cluley.

“With many people intrigued by mainstream newspaper stories about Bitcoins, but lacking in knowledge about how to dip their toe into the waters of Bitcoin mining, there is a danger that some folks could take the advice seriously,” Cluley writes in a blog post featuring screenshots of the deliberately misleading flier.

“Most of the denizens of 4Chan are probably in on the joke, and will give an evil grin at the suggestion. But there’s always a danger that other wannabe Bitcoin miners will see the “advice” and follow it to the letter with data-destroying results.”

An article by the Daily Dot suggests the hoax has already claimed a number of victims.

It seems the inmates of 4chan’s random imageboard /b/ are following up on the recent Xbox One bricking hoax with a ruse designed to trick the less knowledgeable into auto-trashing all the files on their Apple computers.

Last weekend malicious /b/ pranksters pushed a fake advisory seeking to trick Xbox One owners into bricking their consoles by following a set of instructions that supposedly made the latest version of Microsoft’s gaming console backwards compatible with Xbox 360 games. Instead it made the console inoperable.

The Xbox wheeze was far more plausible – and created far more problems – than the latest rash of mischief. The Daily Dot adds that the Xbox hoax has even spawned secondary ruses involving supposed instructions to restore a bricked Xbox One console that, in reality, will result in a knackered PC to go with a borked gaming console.

This latter ruse surfaced in the image community 9gag and not /b/, which is notorious as the birthplace of Anonymous and much more besides. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/13/mac_bitcoin_mining_hoax/

Advancing The IT Security DNA Through Risk Management

If an IT security organization feels it’s in a maturity rut, perhaps stuck in the compliance-focused hamster wheel or lacking enough line-of-business support to make necessary security investments, one of the fast ways out of it is to take the spotlight away from security processes and technology and move it to business processes and business risks.

“Shifting the focus from technical things, from the bright, shiny security objects, to instead being about critical business processes, that shift is a big deal for risk management,” says Sam Curry, chief strategy officer and chief technologist for RSA, the security division of EMC.

In its work with members of its Security for Business Innovation Council (SBIC), RSA recently helped publish a report on how to transform information security, with highlighted recommendations from security executives at a selection of Global 1000 firms. Among the five major suggestions for future-proofing security processes, three of them revolved around reworking IT risk management so its activities are cast in the light of its relativity to the business.

According to leading CISOs and CSOs, in addition to shifting their focus from technical assets to critical business processes, they should also be instituting business estimates of cybersecurity risks in order to show the financial impact to the business when risks come to play, as well as establishing a business-centric risk assessment process.

Critical to all of it is meaningful collaboration — essentially folding in IT risk management decision-making into every business initiative of the company just as enterprise risk management is involved to calculate other business risks.

[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]

“A key aspect of risk management is having a process in place to ensure that for every initiative in your organization, a risk assessment is done at a very early stage in the lifecycle,” says one SBIC participant, Vishal Salvi, CISO for HDFC Bank Limited.

It’s why Dwayne Melancon of Tripwire recommends cross-functional teams to help establish a good hybrid perspective on IT risks.

“A number of organizations I work with have cross-functional teams that look at risk holistically to better understand dependencies, and these teams make recommendations about which risks the company should focus on from a business perspective,” says Melancon, CTO of Tripwire. “The discussion and agreement process makes it a lot easier to allocate scarce resources to the highest priorities for the whole business.”

Melancon says that focusing too much on technical risks instead of business risks is a common mistake of IT professionals working in isolation while conducting risk assessments.

“A top down, risk-based approach is best — it allows you to focus on the ‘so what?’ aspect of risk to the business, instead of going down a technical rat hole around a risk that doesn’t really impact the business in a significant way,” he says.

This last point is important in understanding how collaboration between IT security and line-of-business leaders should work; the teamwork shouldn’t be focused on making business people learn the intricacies of IT security technology. In fact, it means the opposite, Curry says.

“The security guys have to wake up and learn about business. It means the security people have to start carrying business books around and start talking to their peers and that will do more to advance the DNA of a company from a security perspective than the reverse,” Curry says. “And when you do that, you find the technical maturation happens more easily.”


Article source: http://www.darkreading.com/risk/advancing-the-it-security-dna-through-ri/240164739

Cryptolocker copycat ransomware emerges – but an antidote is possible


Hot on the tail of devilish Cryptolocker comes a copycat software nasty that holds victim’s files to ransom – but the newcomer’s encryption is potentially breakable, we’re told.

Security startup IntelCrawler claims a “large-scale distribution” of the new so-called Locker malware began earlier this month.


Locker, once it has infected a PC, copies and encrypts a victim’s documents, adding a “.perfect” extension, and then deletes the original data. The trojan also places a contact.txt file in each directory containing contact details of the malware author – usually a throwaway mobile phone number or an email address.

Victims are warned that if they harass or threaten the extortionist, the decryption key to unlock the files will be deleted, revealing the mindset of the scumbags behind the scam.

IntelCrawler contacted a crook listed in the contact file, and was told the victim would have to pay $150 to a Perfect Money or QIWI VISA Virtual Card number to receive the decryption key needed to restore the information on a Locker-infected machine.

In order to decrypt, you need to provide an identifying code written in the “contact.txt” file, as well as the hostname of the compromised computer.

“It seems to be the hackers just compare the list of infected IP addresses of the users together with their hostnames,” according to IntelCrawler.

Locker is a rank amateur effort compared to the CryptoLocker crew, who run their scam using a network of command-and-control servers and use a combination of 256-bit AES and 2048-bit RSA crypto to hold data to ransom (the master key being held in the crims’ servers).

But despite its less-advanced design, Locker has already managed to attack Windows-powered computers in the US, we’re told – including Washington DC, Texas and Missouri – plus PCs in the Netherlands, Turkey, Germany and Russia. Locker also, we’re told, avoids infecting machines running tools used by security researchers, a tactic undoubtedly aimed at ensuring the malware stays under the radar for as long as possible.

The software nasty spreads mostly by drive-by downloads from compromised websites. Executables disguised as MP3 files are another vector of infection.

The Locker malware uses the TurboPower LockBox library, a cryptographic toolkit for Delphi: specifically, it uses AES-CTR for encrypting the contents of files on infected devices. But shortcomings in the programming will apparently make it possible for researchers to develop skeleton keys capable of unscrambling files on compromised kit. IntelCrawler’s researchers are working on a universal antidote.

“We have found a decryption method and universal strings [keys] for decryption on any infected client,” Andrey Komarov, IntelCrawler’s chief exec, told El Reg.

Komarov added that detection of the malware by antivirus packages is low, with only Avira able to detect the pathogen as of Thursday evening. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/13/locker_ransomware/

US racketeering law enters the world of cybercrime

A Las Vegas court convicted a cybercriminal under the RICO (Racketeer Influenced and Corrupt Organizations) Act last week, in what may well turn out to be a landmark case.

The US RICO law allows for anyone found guilty of racketeering offences, if seen to be part of organized criminal activity, to be subject to extra-heavy jail terms and fines, and implicitly extends responsibility for crimes committed by any gang member to any other member of the same organisation.

Part of the aim of the RICO law is to enable the conviction of gang leaders who have ordered their subordinates to commit crimes but not taken part themselves.

In the past RICO law has generally been used against mafia-type gangsters and global drug cartels, and this is thought to be the first time it has been used to target online criminals. Other unusual areas where the law has been invoked include the Catholic Church, the LAPD and the Hell’s Angels.

The crook in question in this case, 22-year-old Arizonan David Ray Camez, was a relatively small-time fraudster already serving jail time on forgery charges. He was a member of cybercrime forum Carder.su, where he bought bank card data, fake identity documents and bespoke counterfeiting services.

Camez was tracked down after a parcel of fake credit cards was intercepted en route to a post box in Arizona, subsequently linked to Camez.

He later bought more counterfeit items on the forum, infiltrated by the same undercover FBI agent involved in other cybercrime forum cases such as DarkMarket.

The gang connection is the forum itself, which the US prosecutors successfully argued was equivalent to an organised crime ring, although others have compared it to a “criminal eBay”.

The Russian-run forum was a hub for all sorts of cybercriminal shenanigans, much more than the carding which gave it its name, with its own escrow system to keep the crooks honest. Estimates of the number of users seem to vary wildly, ranging from 5,500 to 7,900.

The Camez case and the history of Carder.su has been followed in depth by Wired.

A major part of the case for counting the forum as a criminal organisation as recognised under RICO law was that there was a vetting process for new members.

The precedent this sets will doubtless be a little worrying for many internet users operating on the fringes of legality – file sharers and underground marketplaces like the now-infamous Silk Road being prime examples.

Almost everything useful on the web has some sort of “vetting process” for new members, even if it’s only confirming that you have access to the email account you’ve provided.

How high the bar is set for accepting this as proof that a website’s users constitute a (potentially criminal) organisation seems likely to be contested in a lot of future cyber-RICO cases.

The racketeering activities covered by RICO are quite broad and varied, covering various kinds of counterfeiting and copyright infringement as well as the murder, kidnap and arson usually associated with violent organised crime.

Indeed the definition of racketeering under the RICO act seems to include everything from “white slave traffic” to “unauthorized fixation of and trafficking in sound recordings and music videos of live musical performances”.

So could YouTube users find themselves up on RICO charges? Unlikely perhaps, as there seems to be a requirement that racketeering activities make you some money.

With penalties even harsher than the already tough sentences available to US prosecutors, RICO means Mr Camez faces up to 40 years imprisonment for the two indictments required for the law to kick in.

Ostensibly, the main purpose of jail sentences is to punish and rehabilitate offenders, with scaring the hell out of other potential offenders so they avoid breaking laws a secondary byproduct.

It seems this dissuasion tactic is becoming an ever bigger weapon against cybercriminals.

Don’t do crimes, people.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s2RjdqEIFrA/