STE WILLIAMS

Trump seeks tales of social media bias – and your phone number

President Donald Trump has long railed against social media sites for what he says is their politically biased censoring of conservative voices, and now he’s looking for proof.

The White House on Wednesday released a tool that invites people who’ve been censored on social media and who suspect political bias as the cause to “share your story with President Trump.”

The first page says:

SOCIAL MEDIA PLATFORMS should advance FREEDOM OF SPEECH. Yet too many Americans have seen their accounts suspended, banned, or fraudulently reported for unclear ‘violations’ of user policies.

No matter your views, if you suspect political bias caused such an action to be taken against you, share your story with President Trump.

Read the fine print

Anyone thinking of using the tool should take a good, long look at the user agreement, which grants the US government – including, but not limited to, the president’s executive office – an irrevocable license to any content you submit on the site.

You grant the U.S. Government (including, but not limited to the Executive Office of the President) a license to any “Content” (including but not limited to the photographs, information, text, or otherwise) you post or submit on this site… The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media… You should not post any information that you do not wish to become public…

That means that whatever content curled somebody’s toes enough that a social media platform removed it will potentially see the bright light of day, as it uses your stuff in any way it likes:

This permission grants the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content (including edited, composite, or derivative works made therefrom).

The user agreement makes clear that “you understand this form is for information gathering only.”

The reporting form, hosted on Typeform, asks users to submit screenshots of and links to the banned content. It also provides a text field where users can describe the enforcement actions taken against them. Users can choose between Facebook, Twitter, Instagram, YouTube or “other” as the platform from which their content was taken down.

Long-simmering resentment

There’s a lot of context behind Wednesday’s rollout of this tool. For years, conservatives have been alleging that the big platforms – Facebook, Google, and Twitter – have been censoring them. When they ran the House, Republican lawmakers held multiple hearings on the matter.

Trump has in the past threatened regulation: last year, he suggested that the administration could take aim at the way Google displays its search results; in March, he again criticized the companies, accusing them of “collusion” and a “hatred they have for a certain group of people that happen to be in power, that happen to have won the election.”

Regardless of where your politics lie, the bigger picture is probably that, as soon as social media companies make themselves the arbiters of what’s acceptable and what’s not, they open themselves to accusations of bias. Even if they banned people at random, you’d be able to find a way to cut the data so that it looked biased against somebody.

The White House is now looking at capturing a whole lot of data. It remains to be seen how it will use the results.

Readers, if you plan to chime in with your own tale(s) of being silenced, feel free to share with us the details – including your thoughts on the form and how the government might use the data you submit with it…

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Jsq92YYbGBU/

Europol arrests end GozNym banking malware gang

Arrests in Europe and the US appear to have ended the cybercrime careers of the gang behind the GozNym banking malware.

According to Europol, which coordinated the pursuit of 10 people in Ukraine, Moldova, Georgia, Bulgaria, Germany and the US, GozNym stole $100 million by infecting 41,000 devices around the world – mainly business computers.

Among those picked up were the alleged network mastermind, arrested in Georgia, and another individual in Ukraine who unsuccessfully attempted to evade police by producing a firearm. Five unnamed Russians remain on the run.

The GozNym malware was created sometime around 2015 by combining the code of two older pieces of malware: the well-known banking trojan Gozi, which leaked in 2010, and the Nymaim dropper, a later malware most often used to unleash ransomware attacks.

The combination brought together the best of two slightly different worlds, turning up in attacks on customers of two dozen US and Canadian banks in 2016.

The attacks used a common technique – blasting out the malware in phishing campaigns, or via exploit kits planted on websites; capturing online banking credentials; accessing those accounts to steal money; and laundering the proceeds:

The GozNym network exemplified the concept of cybercrime as a service, with different criminal services such as bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support.

The gang behind it was highly specialised, with each member carrying out a different task, from coding and sending phishing emails to tending to the flow of money from victims.

Avalanche botnet

The breakthrough in collaring the people behind GozNym can be traced to Europol’s takedown of the Avalanche botnet in 2016. That had been used to host GozNym, which gave police several leads.

The operation stands out for the unusual way it was conducted, with simultaneous prosecution in four nations representing what Europol described as a “paradigm change.”

Normally, prosecutions progress haphazardly in different countries for reasons to do with the local laws and legal process.

Complicating this is the fact that an individual might be arrested in one country for crimes carried out in another that might or might not have mutual extradition agreements.

Said Scott Brady of the US Attorney’s Office for the Western District of Pennsylvania:

The law enforcement response must be equally broad and borderless. We believe this represents the new blueprint for how we attack cybercrime going forward.

This is good news – though sadly we suspect that there are plenty of cybercriminals and malware still to come…

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h02aRIYM6LE/

Hacking gang stole millions in cryptocurrency via SIM swaps

Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities.

On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan said that the six alleged hackers are part of a hacking gang called “The Community.” The gang allegedly carried out seven attacks that netted a cryptocurrency haul valued at more than US $2.4 million.

The unsealed indictment charges Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut, with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number …and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Prosecutors allege that The Community got control of victims’ mobile phone numbers and intercepted phone calls and text messages. They often purchased help by bribing an employee of a mobile phone provider. Other times, they used social engineering: contacting a mobile phone provider’s customer service; posing as the victim; and sweet-talking their way into having the victim’s phone number swapped to a SIM card in one of their own mobile devices.

Prosecutors also allege that The Community bribed the other three people charged in the indictment, who are all employees at mobile phone service companies – Jarratt White, 22, of Tucson, Arizona; Robert Jack, 22, of Tucson, Arizona; and Fendley Joseph, 28, of Murrietta, California. The three allegedly helped the hackers steal subscribers’ identities.

The indictment claims that once the gang had control of a victim’s phone number, they’d use it as a gateway to gain control of online services such as email, cloud storage, and cryptocurrency exchange accounts.

The Community gang members allegedly tried to hijack victims’ cryptocurrency wallets or online cryptocurrency exchange accounts so as to clean them out of funds. The indictment alleges that the defendants executed seven attacks that resulted in the theft of cryptocurrency valued at $2,416,352.

If convicted of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years, while the aggravated identity theft in support of wire fraud charge carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud. Maximum sentences are rarely handed out, however.

A rising trend

The past few years have seen many examples of fraudsters using SIM swaps to drain accounts.

A steady drip of them have been arrested for going after cryptocurrency in particular: in March, Joel Ortiz, a 20-year-old SIM-swap scammer accused of stealing $5 million in Bitcoin, copped a plea and was sentenced to 10 years in prison.

Over the last 18 months or so, we’ve also seen SIM swappers arrested for hijacking phone numbers and using them to access emails, social media accounts, and online Bitcoin wallets. In August 2018, 19-year-old Xzavyer Narvaez, known as being one of the “best” SIM swappers out there, was accused of stealing around $1 million in Bitcoin. He used the loot to buy fancy sports cars.

Nicholas Truglia, 21, was also accused of stealing millions in Bitcoin last year. Part of that was $1 million that a Silicon Valley dad had put aside for his daughter’s college fund.

Yet another 21-year-old, Joseph Harris, was arrested in September for allegedly stealing more than $14 million in cryptocurrency.

What to do?

Whether they’re breaking into regular old bank accounts or Bitcoin accounts, the crime is obviously extremely costly for the victims who watch helplessly as their accounts drain. The growing tide of incidents has given rise to a regrettable number of times that Naked Security has found itself handing out advice on how to protect yourself from these SIM hijacks.

The indictment announced on Thursday presents yet another one of those times.

So, once again, here are those tips:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
  • Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MwIpZcX1chc/

Google recalls Titan Bluetooth keys after finding security flaw

Google had egg on its face this week after it had to recall some of its Titan hardware security keys for being insecure.

Titan is Google’s name for its family of hardware security keys that provide two-factor authentication (2FA) for web users.

Launched in July 2018, they offer a level of physical authentication to complement website passwords. Google provides the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.

When you switch on hardware key support in a website, it asks you to present your Titan key along with your password before it will let you in. This stops thieves who steal your password from accessing your web account.

How do you present your Titan key? It comes in two flavours: a USB key that you plug into your computer, and a Bluetooth-based key that connects wirelessly to your device. This works with computers and with your smartphone, giving mobile users extra protection for their web accounts.

The problem lies with the Bluetooth key, and in particular with its implementation of Bluetooth Low Energy (BLE). This is the protocol it uses to communicate wirelessly with the device it’s authenticating to.

In normal operation, you’d first register your BLE-enabled Titan key with the web service you’re using, generating a secret that is stored on the key.

Whenever you want to access the web-based service, you enter your username and password as you would normally, but the site also asks you to use your hardware key. You press a button on your Titan key. The key uses BLE to connect with your computer or mobile device and send it the secret. The browser on your device then sends the secret on to the web service, which verifies that you’re legit.

So far, so good.

The problem, however, is that Google misconfigured the BLE implementation, so it was insecure. It allows a so-called Man in The Middle (MiTM) attack, in which someone could get between your Titan key and the device it’s communicating with. That person could then intercept communications from the key and use them to sign in as you.

Fortunately, the attack can’t be pulled off from the other side of the world: an attacker has to be within about 10 meters; has to launch their attack just as you press the button on your Titan key; and needs to know your username and password in advance.

But anyone else in the same coffee shop as you, for example, automatically satisfies the first two conditions, so that although this attack is tricky to pull off, it’s far from impossible.

The issue only affects the Bluetooth-enabled keys, not those that you plug into a USB port. To solve it, Google has recalled affected keys and offered a free replacement.

The company also argued that the security flaw still renders the Titan keys more secure than relying just on your password for access:

It is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device).

Google made its own Titan key rather than partner with key manufacturer Yubico, which created the U2F standard with Google in 2014. Yubico threw shade at Google’s Bluetooth choice last year arguing:

While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Google’s Bluetooth misstep bolsters Yubico’s point. It also won’t do any favours for the concept of hardware keys overall.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PbxPJx08sZ4/

Good heavens, is it time to patch Cisco kit again? Prime Infrastructure root privileges hole plugged

Among a bumper crop of 57 security issues Cisco divulged on Wednesday was a fix for a trio of vulns, one critical, in network management tool Prime Infrastructure.

The critical one potentially allows unauthenticated miscreants to execute arbitrary code with root privileges on PI devices.

CVE-2019-1821 “can be exploited by an unauthenticated attacker that has network access to the affected [web] administrative interface,” Cisco said in an advisory.

Two other related vulns, consecutively numbered CVE-2019-1822 and CVE-2019-1823, require credentials for the admin interface. They affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager releases prior to 3.0.1, the company said.

The vulns were reported to the firm by Steven Seeley of Source Incite.

“These vulnerabilities exist because the software improperly validates user-supplied input,” Switchzilla continued. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.”

So far Cisco’s PSIRT has said it is not aware of any proof-of-concepts or active exploits in the wild, but that’s no excuse not to get patching ASAP.

Full details, including how to determine what version of PI is running on your boxen and links to the patches themselves, are available on Cisco’s website.

The updates come just two days after the firm copped to a secure boot flaw in its routers that has been dubbed 😾😾😾 (pronounced Thrangrycat) by those who discovered it.

It has also been just a few months since a pile of patches addressed roughly similar problems, including a slack handful of remotely rootable vulns in Hyperflex. Over the years El Reg has written time and again about severe and critical problems with PI, including a SQL injection nasty and a method of obtaining root privs through a malformed HTTP POST request, among many others. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/17/cisco_prime_infrastructure_critical_vuln/

Freed whistleblower Chelsea Manning back in jail for refusing to testify before secret grand jury

After seven days of freedom, US Army whistleblower Chelsea Manning is back behind bars for refusing to testify before a secret federal grand jury investigating WikiLeaks.

District Court Judge Anthony Trenga ordered Manning back to prison, and said she will, in addition, be fined $500 a day for the first 30 days in the clink, and $1,000 a day after that, until she testifies. Manning previously served 63 days in the cooler for refusing to talk, 28 of which were in solitary confinement.

“We are of course disappointed with the outcome of today’s hearing, but I anticipate it will be exactly as coercive as the previous sanction — which is to say not at all,” her attorney Moira Meltzer-Cohen said in a statement on Thursday.

“In 2010 Chelsea made a principled decision to let the world see the true nature of modern asymmetric warfare. It is telling that the United States has always been more concerned with the disclosure of those documents than with the damning substance of the disclosures.”

The grand jury, which was kept secret until a typo revealed its existence, is researching the 2010 WikiLeaks publication of US State Department cables and the Collateral Murder video showing two journalists being killed in Iraq by US forces, as well as other documents relating to the ongoing wars in Iraq and Afghanistan.

Manning was arrested shortly after WikiLeaks published the cables and vid online. She was snared because the late and little lamented ex-hacker Adrian Lamo had befriended her online, and passed their chat logs, in which she took credit for leaking the secret material, onto the Pentagon. She was sentenced to 35 years in prison in August 2013, although 112 days were thoughtfully removed after the judge ruled that she had been tortured while being held in military prison.

After nearly seven years behind bars, Manning had her sentence commuted by President Obama, and was a free woman, for a while. Her refusal to testify in front of a secret grand jury on the grounds that they are undemocratic means she has now been taken into custody again until she changes her mind.

“Facing jail again, potentially today, doesn’t change my stance,” she said before today’s hearing.

“The prosecutors are deliberately placing me in an impossible position: go to jail and face the prospect of being held in contempt again or forgoing my principles and the strong positions that I hold dear. The latter is a far worse jail than the government can produce.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/17/chelsea_manning_prison_again/

The plane, it’s ‘splained, falls mainly without the brain: We chat to boffins who’ve found a way to disrupt landings using off-the-shelf radio kit

Aircraft instrument landing systems (ILS) are susceptible to radio signal spoofing using off-the-shelf equipment, boffins have found, calling into question the adequacy of aviation cybersecurity.

In a research paper titled “Wireless Attacks on Aircraft Instrument Landing Systems,” scheduled to be presented at the 28th USENIX Security Symposium in August, computer scientists Harshad Sathaye, Domien Schepers, Aanjhan Ranganathan, and Guevara Noubir demonstrate that it’s possible to interfere with ILS data in real-time, potentially causing aircraft to discontinue a landing approach (“go around”) or miss the landing area entirely in a low-visibility situation.

The researchers, based at Northeastern University in Boston, USA, are also scheduled to demonstrate some of their findings today at ACM WiSec 2019.

In a phone interview with The Register, Aanjhan Ranganathan, assistant professor in the Khoury College of Computer Sciences, said he was hesitant to characterize the attack techniques discussed in the paper as capable of causing a crash.

“If a human is completely out of the loop, then this is possible,” he told us today, adding that it could become more of an issue in the years to come if fully automated landings become common.

But the more immediate concern is that malicious individuals may use this technique to disrupt airport operations by tricking pilots into aborting landing attempts. “You can cause something like denial of service,” he said.

ILS helps pilots make an instrument approach when the landing strip is not visible. It provides both vertical and lateral guidance and defines three major categories, CAT I, CAT II and CAT III, based on the decision height at which missed approach maneuvers must be undertaken when the runway cannot be seen.

The attacks described in the paper are of particular concern during CAT III operations, where the decision height is low, making it possibly too late to regain altitude and try to land again.

ILS, the paper explains, is the most common precision approach system used by commercial aircraft today. It’s not the only assistive landing system – there’s the Microwave Landing System (MLS), the Transponder Landing System (TLS), the Ground Based Augmentation Landing System (GLS), and the Joint Precision Approach and Landing System (JPALS). Nor is it the only source of navigation data. But its ability to resist cyberattacks is still a matter of significant concern.

“Given the heavy reliance on ILS and instruments in general, malfunctions and adversarial interference can be catastrophic especially in autonomous approaches and flights,” the paper says.

The Northeastern University eggheads have designed two wireless attacks on ILS. The first they call the “overshadow attack,” which involves sending specific ILS signals at a high power level to overpower legitimate ILS signals. The second they call a single-tone attack that interferes with a legitimate ILS signal through the transmission of a lower power frequency tone that alters the plane’s course deviation indicator needle.

The attacks were tested with commercially available software-defined radio equipment (USRP B210s), an attacker control unit (a laptop running Ubuntu Linux with four submodules, including a spoofing zone detector, offset correction algorithm, legitimate signal generator, and attacker signal generator), a commercial aviation grade handheld navigation receiver, and the X-Plane 11 flight simulator (to avoid injuries and remain within the law, which prohibits open air transmission of ILS signals).

That’s several thousand dollars in gear, but Ranganathan said the necessary tech could be had for six or seven hundred dollars. Generating a signal that’s powerful enough to affect avionics systems at 5,000 feet might be a problem, he said, but that’s easy enough to achieve with a few car batteries.

The effect of the attacks is to misdirect ILS, which could disrupt a landing attempt or even cause a crash if the pilot fails to recognize the plane is landing off the runway. The researchers have published a YouTube video that illustrates their attack techniques.

While encryption can help secure aviation systems, it’s not a complete fix. “Cryptography will prevent spoofing but won’t stop record-and-replay attacks,” Ranganathan said.

As far as mitigations go, systems like GPS can help, though GPS too has been shown to be vulnerable to spoofing. Ranganathan’s answer for now is that humans need to remain in the loop.

“It’s a very open problem and the only way to do this is two-way communication,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/16/airplane_landing_security/

Bank-account-raiding Goznym malware bust: Five suspects collared, five still on the run. $100m feared stolen

Ten people have been accused of masterminding the theft of roughly $100m from bank accounts using the Goznym malware. Five have been arrested, charged, and are facing prosecution, and five have been indicted and remain at large. An eleventh person linked to the software nasty is awaiting sentencing after admitting his crimes.

Goznym was a highly sophisticated piece of Windows malware that raided the online bank accounts of some 40,000 victims: it would lurk on PCs waiting for folks to log into their accounts, snatch those details, and pass them onto crooks who would then clean out the accounts. The Feds and cops made their move, smashing the crime ring by nabbing its suspected members, after dismantling the Avalanche server network, which was set up to spam out emails that tricked victims into downloading and installing software nasties like Goznym.

“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge Robert Jones on Thursday.

“Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively.”

Goznym surfaced in 2016, and was able to circumvent antivirus packages by encrypting its code and data. In order to develop this nasty, investigators claimed, the gang recruited technical specialists, who advertised their programming and cryptography skills on dark web forums, and pulled together the Goznym team: think Oceans 11 with extra scumminess.

The indictment [PDF] of all ten was announced today at Europol headquarters by crimebusters from the US, Georgia, Ukraine, Moldova, Germany, and Bulgaria.

Arrests

We’re told the alleged ringleader Alexander Konovolov, 35, of Tbilisi, Georgia, and his alleged technical assistant Marat Kazandjian, 31, of Kazakhstan and Tbilisi, Georgia, have been arrested and charged in that nation in connection with the banking malware, and are being prosecuted there.

Krasimir Nikolov, of Varna, Bulgaria, is accused of being a casher, a person who funnels victims’ funds into bank accounts controlled by the gang: he was arrested in 2016 by Bulgarian authorities, and extradited to the US. He pleaded guilty to banking fraud charges last month, and will be sentenced in August this year.

Gennady Kapkanov, 36, of Poltava, Ukraine, who allegedly ran the Avalanche server farm that spewed more than 20 strains of malware, was also arrested in 2016, in dramatic fashion. As the plod tried to storm his apartment, he held them off with an assault rifle, according to the US Department of Justice, but was cuffed and now faces multiple charges in his home country.

Alexander Van Hoof, 45, of Nikolaev, Ukraine, was also arrested and charged with banking offenses as he was also a suspected casher for the crew. Meanwhile, Moldovan cops swooped on Eduard Malanici, 32, of Balti, Moldova, who allegedly encrypted the malware, along with two unnamed associates, and faces prosecution in that nation.

At large

Five Russian members of the team named [PDF] in the indictment remain on the run. They include the suspected malware designer Vladimir Gorin, of Orenburg, Russia, and Konstantin Volchkov, 28, of Moscow, Russia, who is said to have designed the phishing emails to spread the malware. Viktor Eremenko, 30, of Stavropol, Russia, and Farkhad Manokhin, of Volgograd, Russia, are also accused of helping the gang drain cash out of victims’ compromised bank accounts. Manokhin was cuffed in Sri Lanka in 2017, at the request of US prosecutors, but managed to flee to Russia where he remains at large. Ruslan Katirkin, 31, of Kazan, Russia, is also accused of being a casher for the gang.

“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said US Attorney for Pennsylvania Scott Brady.

“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime. Cybercrime victimizes people all over the world. This prosecution represents an international cooperative effort to bring cybercriminals to justice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/16/goznym_grifters_indicted/

The Data Problem in Security

CISOs must consider reputation, resiliency, and regulatory impact to establish their organization’s guidelines around what data matters most.

Today’s CIOs are the stewards of company data, responsible for its health and performance as well as maintenance of the availability, speed, and resiliency their stakeholders expect. CISOs, however, sometimes serve as emergency room doctors for their company’s data. Their role is to think about worst-case scenarios, diagnose the severity of incidents, and jump in when incidents happen or are likely. Their first priority is to keep patients alive, but keeping them healthy is worth bonus points.

Like ER doctors, CISOs need rapid prioritization tied to the health of the business to effectively triage incidents. To establish each organization’s guidelines around what data matters most, every CISO must consider reputation, resiliency, and regulatory impact.

Defining and Solving the Data Problem
A CISO must focus on business protection, cybersecurity breaches, and the role of data in their organization:

● Reputation: Which data loss would hurt the business’ reputation and negatively impact a customer or investor’s confidence in the business?

● Resiliency: What data outage could cause business disruption, and could the business come back from the outage?

● Regulatory impact: What is the financial or legal liability?

With these themes in mind, the CISO’s data problem is twofold: which data most needs to be protected, and what data is needed to monitor and diagnose an incident when protection fails?

The first step is for the CISO to get their arms around all the data that matters. These days, data ownership is often federated, so CISOs must team up with peers to get access and manage the overlapping ownerships. For example, the security team may have access to one body of data, whereas application teams have another. Lines-of-business leads would own their business data in SAP, for example, while the CIO would manage the infrastructure’s operational data and maintain the health, performance, and security protection of SAP and the data it contains. Underscoring this business dynamic is the critical role that CISOs play: They need to ensure their peers have visibility into all business-critical data, and they need to ensure they have full access to this data and its supporting systems.

With the data in hand, the next step to solving their data problem is to examine tool sets and ensure they have maximum visibility. Today, environmental complexity is such that you may not know what it contains, making visibility difficult to achieve. Organizations have on-premises environments, workloads in multiple clouds, numerous purpose-built applications, Internet of Things devices, and more. When combined with organizational silos, shadow IT, rogue DevOps teams and business units driving “digital transformation” that put speed-to-market ahead of architectural elegance, efficiency, and application security, it becomes even clearer that the job of the CISO is getting harder every day.

Business Impact Analysis Best Practices
Forward-thinking CISOs lead their teams with the goal of protecting what matters most while maturing their security capabilities and posture. This begins with a business impact analysis that explores which applications and systems are most critical to provide the environmental visibility needed to enable effective data protection. In any organization, this task is daunting and time consuming; however, the larger the organization, the higher the risk and the reward. Both the CIO and CISO have much to gain by looking strategically at their organizations, aligning efforts, and improving the efficiency and effectiveness of their teams and technology.

With business impact in mind, CISOs can better drive security maturity and improve their cyber hygiene. This can start with simple but necessary activities like vulnerability identification and management, endpoint protection, or malware detection; even these activities can be prioritized by business impact and informed by a view of reputation, resiliency, and regulatory requirements.

Once CISOs have grasped the business impact of their data according to the three pillars — defined data boundaries, access, and tool sets in use across the organization — then it’s time to review tools’ effectiveness and return on investment. Most CISOs know not all their tools are effective or delivering as promised; what’s important is determining which tools are truly useful or necessary, and understanding the financial impact. This is also an opportunity for CIOs and CISOs to work together — there’s limited technology budget to go around. If CIOs and CISOs can leverage system synergies on top of common data sets, and then further align systems with critical business units, then there is a huge opportunity to optimize spending, operations, and protection.

Emergencies Are Preventable with Primary Care
The constant specter of a serious data breach keeps many CISOs up at night. CISOs know how to handle emergencies, but like their ER counterparts, they’d prefer they never happened in the first place. The modern CISO needs to start with primary care — understand business impact, the effect of security incidents on reputation, resiliency, and regulation, and then address these needs with a robust security program aimed at mature cyber hygiene.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Julian Waits has 30-plus years in senior leadership roles at technology companies, specializing in security, risk and threat detection. He serves on several industry Boards, including ICMCP and NICE, promoting development of the next generation of cyber security …

Article source: https://www.darkreading.com/careers-and-people/the-data-problem-in-security/a/d-id/1334660?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Charges Members of GozNym Cybercrime Gang

The FBI and counterparts from other nations say group infected over 41,000 computers with malware that steals banking credentials.

US law enforcement authorities and their counterparts from five other countries have announced charges against 10 members of an international cybercrime operation that attempted to steal an estimated $100 million from organizations in the US and elsewhere in 2016.

An indictment unsealed Thursday by the US Attorney’s Office for the Western District of Pennsylvania accused the individuals of committing bank fraud, wire fraud, and money laundering, in an operation of a sophisticated, international cybercrime network called GozNym.

Five of the indicted individuals are based in Russia and remain fugitives from justice, the US Department of Justice announced Thursday. The other individuals are based in Georgia, Ukraine, Moldova, and Bulgaria and face prosecutions in their respective countries.

An eleventh individual, Krasimir Nikolov, aka pablopicasso, was arrested in Bulgaria and extradited to the US in December 2016 on related charges. He has since pleaded guilty to participating in the GozNym operation. Nikolov is scheduled for sentencing in Pittsburgh federal court August 30, 2019, the DOJ said.

“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime,” US Attorney Scott Brady of the Western District of Pennsylvania said. “This prosecution represents an international cooperative effort to bring cybercriminals to justice.”

According to the indictment, the eleven individuals belonged to a gang that stole money from the bank accounts of businesses located mostly in the United States and Europe.

The group is alleged to have infected tens of thousands of computers with GozNym, malware for stealing online banking credentials from the infected systems. GozNym was designed to lurk on a system and wait until a user attempts to access their bank account online – then the malware steals their username and password and transmits them to a server controlled by the attackers.

Certain members of the GozNym crew then used the stolen credentials to access the victim’s bank account, to steal money from it, and launder the funds via US and foreign bank accounts controlled by the gang.

An April 2016 IBM blog described GozNym as a hybrid malware tool that combines the best features of two earlier banking Trojans—Nymaim and Gozi. At the time, IBM said the malware was being actively used in attacks against customers of more than two-dozen banks in the US and Canada and had resulted in the theft of millions of dollars.

Limor Kessem, global executive security advisor of the X-Force team at IBM, says GozNym-facilitated fraud attacks amounted to over $4 million in losses within just the first few days of its activity. “[GozNym] was unique because the malware authors had created a double-headed monster,” Kessem says.

GozNym combined the Nymaim dropper’s stealth and persistence and Gozi’s capabilities to facilitate wire fraud on infected user devices, she notes. “[It made] for a powerful combination like nothing else in the cybercriminal toolkit arena at the time,” Kessem says.

The alleged leader of the GozNym operation was Alexander Konovolov, 35, a Tbilisi, Georgia native who often used the online handles NoNe and none_1, when carrying out his criminal activities. Konovolov is alleged to have controlled some 41,000 computers infected with GozNym malware.

Sophisticated Criminal Team

According to the indictment, Konovolov assembled the GozNym team by recruiting members via underground Russian-language speaking online forums. Many of the members that Konovolov recruited were individuals who advertised their specialized technical skills and availability on these forums.

Among them was Marat Kazandjian, 31, of Kazakhstan and Tbilisi, Georgia. The indictment against Kazandjian describes him as being Konovolov’s primary assistant and technical administrator. Both Konovolov and Kazandjian are being prosecuted in Georgia.

Most of the other indicted members of the GozNym gang had specific and separate roles within the operation. 

Gennady Kapkanov, 36, of Ukraine is charged with operating the Avalanche network, a so-called bulletproof hosting service on which the GozNym malware was hosted and from where it was distributed worldwide. Kapkanov is alleged to have offered similar malware hosting services for at least 200 other cybercriminals. Ukrainian authorities arrested Kapkanov in November 2016 after he shot at law enforcement officers conducting a search of his facilities. He is being prosecuted in Ukraine for his role in the GozNym campaign.

Moldova-national Eduard Malanici, 32, is accused of helping encrypt GozNym malware so it could evade detection by anti-malware tools and other security controls on victims. Malanici, along with two other unnamed accomplices, will stand trial in Moldova.

Vladimir Gorin, one of the five indicted individuals that currently remain free in Russia, is charged with developing, leasing, and managing GozNym. Another Russian national, Ruslan Katirkin, was an account-takeover specialist who used the credentials obtained by the GozNym malware to break into victim accounts and steal money from them.

Three other indicted individuals—Alexander Van Hoof of Ukraine, Viktor Eremenko, of Russia, and Farkhad Manokhin also of Russia—are accused of operating bank accounts for receiving and laundering funds stolen from the victims of the GozNym campaign. Katirkin, Eremenko, and Manokhin currently remain at large in Russia. Manokhin was actually arrested in 2017 in Sri Lanka and was awaiting extradition to the US when he managed to flee from the country and escape to Russia.

Nikolov, the only member of the gang that is facing prosecution in the US so far, was a “casher” or account-takeover specialist. Like Katirkin, his role in the GozNym operation was to use stolen credentials to break into bank accounts and steal money from them.

Though five of the indicted individuals remain free, they run the risk of capture and extradition if they set foot in a country with an extradition agreement with the US.

“If there’s anything that discourages crime, it is seeing that it doesn’t pay,” Kessem says. The persistence of law enforcement in tracking down the alleged perpetrators over three years is also a win for cybercrime victims, especially organizations that can lose millions to such fraud attacks, Kessem says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-charges-members-of-goznym-cybercrime-gang/d/d-id/1334737?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple