STE WILLIAMS

Republican Committee Email Hacked During Midterms

The National Republican Congressional Committee detected the compromise of four staffers’ email accounts in April.

Email accounts of four senior aides at the National Republican Congressional Committee (NRCC) were compromised by cyberattackers during the 2018 midterm election campaigns, according to party officials.

The incident was discovered in April, party officials told Politico. The NRCC asked security firm CrowdStrike to investigate; CrowdStrike had already been contracted to secure the committee’s internal networks, which reportedly were not compromised in this attack.

Investigation showed that attackers had complete credentialed access to the aides’ accounts and had been surveilling them for months. Thousands of email messages were exposed during this time.

Article source: https://www.darkreading.com/attacks-breaches/republican-committee-email-hacked-during-midterms-/d/d-id/1333406?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Cloud Security Command Center Now in Beta

The beta release of Google Cloud SCC will include broader coverage across the cloud platform and more granular access controls, among other features.

Google today released its Cloud Security Command Center (Cloud SCC) in beta mode to Google Cloud Platform (GCP) users.

Cloud SCC was first announced and deployed in alpha mode back in March. Google’s idea behind the tool was to give admins a single platform to view assets, vulnerabilities, and threats across the organization. Now, as part of the beta release, the team is adding new features.

For those who haven’t tried it, Cloud SCC takes inventory of cloud assets, alerts to unwanted changes in those assets, and detects risky areas throughout the environment. Its findings are collected in a dashboard and data platform so admins have a clear look at their cloud security.

The beta release comes with coverage across a broader range of services: Cloud Datastore, Cloud DNS, Cloud Load Balancing, Cloud Spanner, Container Registry, Kubernetes Engine, and Virtual Private Cloud. Google has also added 13 identity and access management roles for more granular access control across Cloud SCC, and expanded client libraries like Java, Node, and Go.

Cloud SCC now also includes additional examples of how to create notifications when changes occur or trigger Cloud Functions from a Cloud SCC query, Google officials explain in a blog post on the news. Admins can view and search for new and deleted assets over a specific time period, better manage asset discovery, and self-serve onboarding with the GCP Marketplace.

GCP admins can use the beta release of Cloud SCC to evaluate security risks and vulnerabilities – for example, which cloud storage buckets are publicly accessible, which virtual machines have public addresses, and which firewall rules should have tighter permissions. Admins can also see whether users outside of their designated domain can access corporate resources, they note.
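To make the kinds of finding listed above concrete, here is an added example (not Google’s code and not part of the original article) that runs the same four checks offline: buckets readable by allUsers or allAuthenticatedUsers, IAM members outside the corporate domain, enabled ingress firewall rules open to the whole internet, and instances with external addresses. The inventory records are constructed to mimic the JSON shape of `gcloud compute firewall-rules list --format=json`, `gcloud compute instances list --format=json` and a bucket IAM policy; `example.com` is an assumed corporate domain.

```python
"""Cloud-posture checks of the kind Cloud SCC surfaces, run over constructed sample data."""
import ipaddress
from typing import Dict, List

CORP_DOMAIN = "example.com"  # assumed: identities outside this domain count as external
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed inventory, modelled on gcloud JSON output (only the fields used here).
BUCKET_POLICIES = {
    "acme-public-assets": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "acme-finance": {"bindings": [{"role": "roles/storage.admin",
                                   "members": ["user:cfo@example.com", "user:contractor@gmail.com"]}]},
}
FIREWALL_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]
INSTANCES = [
    {"name": "web-1", "networkInterfaces": [{"networkIP": "10.0.0.2",
                                             "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "networkInterfaces": [{"networkIP": "10.0.0.3"}]},
]


def public_buckets(policies: Dict[str, dict]) -> List[str]:
    """Buckets whose IAM policy grants any role to allUsers or allAuthenticatedUsers."""
    return sorted(name for name, pol in policies.items()
                  if any(PUBLIC_PRINCIPALS & set(b.get("members", []))
                         for b in pol.get("bindings", [])))


def external_members(policies: Dict[str, dict]) -> List[str]:
    """User/group identities granted access whose address is outside the corporate domain."""
    found = set()
    for pol in policies.values():
        for binding in pol.get("bindings", []):
            for member in binding.get("members", []):
                kind, _, ident = member.partition(":")
                if kind in ("user", "group") and not ident.endswith("@" + CORP_DOMAIN):
                    found.add(member)
    return sorted(found)


def open_ingress_rules(rules: List[dict]) -> List[str]:
    """Enabled ingress rules whose source range is the entire internet (0.0.0.0/0 or ::/0)."""
    def is_world(cidr: str) -> bool:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    return sorted(r["name"] for r in rules
                  if r.get("direction") == "INGRESS" and not r.get("disabled")
                  and any(is_world(c) for c in r.get("sourceRanges", [])))


def instances_with_public_ip(instances: List[dict]) -> List[str]:
    """Instances with at least one interface that has an external (NAT) address."""
    return sorted(i["name"] for i in instances
                  if any(ac.get("natIP")
                         for nic in i.get("networkInterfaces", [])
                         for ac in nic.get("accessConfigs", [])))


def findings() -> Dict[str, List[str]]:
    return {"public_buckets": public_buckets(BUCKET_POLICIES),
            "external_members": external_members(BUCKET_POLICIES),
            "open_ingress_rules": open_ingress_rules(FIREWALL_RULES),
            "instances_with_public_ip": instances_with_public_ip(INSTANCES)}


if __name__ == "__main__":
    for category, items in findings().items():
        print(f"{category}: {items}")
```

Against the constructed inventory this flags one public bucket, one external member, the one enabled world-open SSH rule (the disabled RDP rule is skipped) and one instance with an external IP; in practice the same functions would be fed the real `gcloud` JSON.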

Asset inventory lets admins view resources for their entire GCP organization or limit their scope to specific projects and view new, deleted, and total assets for a particular time frame.

As part of this update, Cloud SCC integrates with Google’s cloud security services (Data Loss Prevention API, Forseti, Cloud Security Scanner, and Google anomaly detection). It also connects with third-party cloud tools from Cavirin, Chef, and Redlock.

(Discovering non-org owners with access to cloud resources in Cloud SCC. Image: Google)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/google-cloud-security-command-center-now-in-beta/d/d-id/1333409?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Could adult content ban spell the end for Tumblr?

Tumblr is banning adult content in an effort to be safer, better, “more positive”.

The ban takes effect on 17 December and comes mere weeks after Apple kicked Tumblr out of the App Store due to discovering child abuse images on the service.

At the time, Tumblr blamed an “industry database” that didn’t include, and thereby didn’t filter out, the explicit images in question. It said that a routine audit turned up the content:

Every image uploaded to Tumblr is scanned against an industry database of known child sexual abuse material, and images that are detected never reach the platform. A routine audit discovered content on our platform that had not yet been included in the industry database. We immediately removed this content.

Child abuse images – specifically, anything about minors that’s sexually suggestive or violent – have always been forbidden on Tumblr. But the ban on adult content is a big new change. According to the new community guidelines, the ban includes anything that even suggests genitals or female nipples, though if it’s “artistic, educational, newsworthy, or political,” that’s OK:

Adult Content. Don’t upload images, videos, or GIFs that show real-life human genitals or female-presenting nipples – this includes content that is so photorealistic that it could be mistaken for featuring real-life humans (nice try, though). Certain types of artistic, educational, newsworthy, or political content featuring nudity are fine. Don’t upload any content, including images, videos, GIFs, or illustrations, that depicts sex acts.

And thus does Tumblr enter the land of “good luck!”, as it takes on the task of sussing out what’s artistic or educational vs. what’s smut. Tumblr CEO Jeff D’Onofrio said in a post on Monday that telling adult content apart from, say, a photo of Michelangelo’s David in his birthday suit isn’t easy at the scale of Tumblr’s content. This is going to take a lot of automated tools, he said, along with help from their human overlords:

Filtering this type of content versus say, a political protest with nudity or the statue of David, is not simple at scale. We’re relying on automated tools to identify adult content and humans to help train and keep our systems in check. We know there will be mistakes, but we’ve done our best to create and enforce a policy that acknowledges the breadth of expression we see in the community.

The change is going to be complicated, and it’s not going to happen overnight, D’Onofrio said. Tumblr will start to enforce the new policy on 17 December. Users with adult content will get a heads-up in advance before it is removed, along with guidelines on how to appeal the decision or preserve their content outside of Tumblr.

Sexual content fans aren’t taking this lying down

An online backlash has erupted over the ban, with adult content aficionados declaring that Tumblr is now toast, with the hashtag #TumblrIsDead popping up on Twitter. Users are furious that the site – a “major public service for art and individual self expression” – is forcing a “mass migration” that could make things even worse for individuals and networks.

Plus, how are male nipples as pure as the driven snow, while the “female-presenting nipples” are now anathema?

Times have certainly changed at Tumblr since 2013 when it first turned on “safe” mode by default to hide adult content from public view. Back then, Tumblr insisted that its view on the topic of NSFW content hadn’t changed: “empowering creativity” was then still “the most important thing in the world to us.” But so too was making sure people’s eyeballs didn’t explode when they accidentally stumbled on offensive content.

Two years later, it went on an anti-piracy blitz, blocking adult content, along with anything torrent-related, from turning up in searches. The same filter that was used to block words such as “penis” or “gay” (the latter of which was being used to spam the site with porn, Tumblr said) was put to use to block the word “torrent”. Unfortunately, as happens with filtering, it struggled to tell the good from the bad: content designed to help people stay safe was tossed out with the dirty bath water.

Most recently, in August 2018, after Motherboard found 70 Tumblr blogs dedicated to sharing creepshots – also known as “why is there a hand holding a camera phone sticking out from under that clothing rack and pointing up my skirt” shots – the micro-blogging platform banned creepshots and, keeping up with advances in creep technology, deepfakes.

Within a day after the ban was announced, stories were already surfacing about the filters not working, as they busily went to work flagging everything from masterworks to drawings of dragons to cookie decorating to Tumblr’s own post.

But filters don’t work 100% of the time, and they never will, as the App Store incident showed last month. What’s more concerning is how Tumblr’s move will affect marginalized communities, including sex workers and LGBT+ content creators.

Whether Tumblr is now “dead” remains to be seen. At the very least, it’s admitted that it’s taken on a difficult task. Let’s hope that as it learns how to tell smut from healthy, wholesome, safe, supportive content and artistic expression, it will learn to listen to the content creators and community builders it’s now in the process of exiling.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GGqoqAG-s6o/

Those are NOT your grandchildren! FTC warns of new scam

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the Federal Trade Commission (FTC) warned on Monday.

The FTC says that its Consumer Sentinel Network has noticed a “striking” increase in the median dollar amount that people 70 and older report losing to fraud. When they started to peel back the layers, the Commission found a number of stories that involve people of that age group having mailed “huge” amounts of cash to people who pretended to be their grandchildren.

People from all age groups report having fallen for phoney family and friends: the reported median loss for individuals is about $2,000, which is more than four times the median loss of $462 reported for all fraud types.

But that’s nothing compared with how much money is being bled out of the elderly: those who send cash reported median losses of a whopping $9,000. About one in four of the ripped-off elderly who report that they lost money to a family or friend imposter say that they sent cash: a far higher rate than the 1 in 25 of people who sent cash for all other frauds.

CBS News talked to one man who got scammed in a way that the FTC says is a common ploy.

Slick scripts

It started with a phone call one morning in April, Franc Stratton told the station. The caller pretended to be a public defender from Austin, Texas, who was calling to tell Stratton that his grandson had been in a car wreck, had been driving under the influence, and was now in jail.

Don’t be afraid, the imposter told Stratton: you can bail out your grandson by sending $8,500 in cash via FedEx. It didn’t raise flags for a good reason: Stratton had done exactly that for another family member in the past.

The cherry on top: the “attorney” briefly put Stratton’s “grandson” on the phone. The fake kid sounded injured, so Stratton drove to the bank to get the cash.

I wrote a check out, and they gave me $8,500 cash in hundreds.

Stratton went so far as to go to a local FedEx to overnight the money to an Austin address. But later that night, he said, he and his wife looked at each other and said, Scam!

Fortunately, they came to their senses in time to call FedEx to have the package returned. He got his money back, but Stratton is still frustrated. Of all people, he should know better, he says: he’s retired now, after a career spent working in intelligence, first for the Air Force and later as a cybersecurity programmer.

That’s how slick the scammers are, with their meticulously prepared scripts, and it shows that they know exactly how to put people into a panicked state, where they’re likely to make bad decisions. Stratton said he fell for it “because of the way that they scripted it.”

I’m the last person, I thought, would ever fall for a scam like this.

The FTC’s Monica Vaca:

A lot of people think they won’t fall for it and a lot of people don’t fall for it. But the fact of the matter is that when you get one of these calls, they sound really real. Scammers are very, very good at making you believe that you’ve got an emergency situation on your hands and they have a really powerful way of getting you to act on that.

The FTC says that Americans have lost $41 million in the scam this year: nearly twice as much as the $26 million lost the year before.

Self-defense for grandparents

These scams are growing more sophisticated as fraudsters do their homework, looking you and/or your grandkids up on social media to lace their scripts with personal details that make them all the more convincing.

Grandparents, no matter how savvy you are, you’ve got an Achilles heel: your love for your grandchildren. The fakers know exactly how to milk that for all it’s worth.

The FTC warns that they’ll pressure you into sending money before you’ve had time to think it through. The Commission offers this advice to keep the shysters from wringing your heart and your wallet:

  • Stop. Breathe. Check it out before you send a dime. Look up your grandkid’s phone number yourself, or call another family member.
  • Don’t overshare. Whatever you share publicly on social media becomes a weapon in the arsenals of scammers. The more personal details they know about you, the more convincing they can sound. It’s one of many reasons to be careful about what you share on social media.
  • Pass the information on to a friend. Even if you haven’t been targeted yourself, you probably know somebody who’s either already gotten a call like this or who will.
  • Report it. The FTC asks us all to please report these scams. US residents can do so online to the FTC. If you’re in the UK, report scams to ActionFraud.

Please do report these scams. Doing so helps the authorities nail these imposters before they can victimize others.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P4aNmk09rNk/

Kubernetes cloud computing bug could rain data for attackers

Kubernetes, a tool that powers much modern cloud-native infrastructure, just got its first critical-severity security bug – and it’s a mammoth one. The flaw could give an attacker unfettered access to the software applications that rely on the tool to operate.

Kubernetes is a software tool that manages large numbers of containers. These are similar to the virtual machines that run multiple operating systems on the same physical computer, but they have a key difference. Instead of housing a complete operating system, containers house only what’s needed for a particular application to run (such as software dependencies, system libraries etc), while sharing a host operating system with other containers.

Containers are small, nimble operating environments that are designed to run the same way across multiple computing environments, removing “but it worked when we tested it!” issues. Companies can run tens or even hundreds of thousands of containers, and that can make deploying, updating and managing them all a serious challenge. That’s where Kubernetes comes in. It manages containers in groups called pods.

The program, which originally started as an open-source project from Google and is now managed by the Linux Foundation’s Cloud Native Computing Foundation (CNCF), sprang its first serious leak with the flaw, which gives an attacker deep access to a Kubernetes installation: a specially crafted request lets the attacker open a connection through the API server to one of its backend servers and then send arbitrary requests of their own over it.

The Kubernetes team announced the flaw as CVE-2018-1002105. The vulnerability lies with the Kubernetes API server – the component through which users and cluster components send instructions to the cluster over an HTTP API (Application Programming Interface) – and the way that API server proxies certain connections on to backend servers, namely the kubelet on each node and any aggregated API servers.

The API server authenticates each caller (by client certificate, bearer token and so on) and authorizes the request, typically with RBAC. Some operations, however, are not answered by the API server itself: exec, attach and port-forward are proxied to the kubelet on the node, and requests for aggregated APIs are proxied to a separate aggregated API server. For these the API server sends an HTTP upgrade request to the backend, authenticating with its own highly privileged TLS client certificate, and then copies bytes between the two connections. The flaw is that if the backend answered the upgrade with anything other than 101 Switching Protocols – for instance an error triggered by a deliberately malformed request – the API server did not close the connection. It left the line to the backend open and simply passed subsequent requests on that connection straight through, with no further authentication or authorization and with the API server’s own identity. This effectively escalates the user’s privileges.

In the kubelet variant, a user who is allowed to exec into a single pod gains the kubelet API for the whole node: exec (very high privileged) access to any container on that node, including those running with read/write access to the host filesystem, and with it all running workloads there and all the data flowing between them. In the aggregated API variant, anyone who can reach the API server gains full access to the aggregated API server.

Attackers could use this flaw to steal data, bring applications grinding to a halt, or run their own malicious commands.

There are two variants of the exploit. One goes through Kubernetes’ aggregated API servers and needs only the discovery permission that, in a default configuration, every user – including unauthenticated ones – holds. The other uses a call to the pod exec, attach or port-forward API, which is typically only available to users with the admin or edit roles.
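The control flow just described is easier to see in code. The following is an added example, a simulation written for this page and not Kubernetes source: a toy backend standing in for a kubelet or aggregated API server, and an API-server proxy whose vulnerable mode switches to pass-through without checking for a 101 response, beside the patched behaviour. The path prefix, the identity labels and the simplified RBAC rule are assumptions for illustration, and a single backend stands in for both variants.

```python
"""Toy model of the upgrade-proxy logic behind CVE-2018-1002105 (constructed, not Kubernetes code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

APISERVER_IDENTITY = "system:apiserver"       # assumed label for the API server's own TLS client cert
AGGREGATED_PREFIX = "/apis/metrics.k8s.io/"   # assumed aggregated API; discovery is open to all by default


@dataclass
class Backend:
    """Stand-in for a kubelet or aggregated API server. It trusts the caller's TLS identity."""
    served: List[str] = field(default_factory=list)

    def handle(self, req: Dict) -> Dict:
        if req.get("upgrade"):
            if not req.get("well_formed"):
                return {"status": 400, "body": "bad upgrade request"}  # not 101 Switching Protocols
            return {"status": 101, "body": ""}
        self.served.append(f"{req['identity']} {req['path']}")
        return {"status": 200, "body": f"ok {req['path']}"}


class ApiServerProxy:
    def __init__(self, backend: Backend, patched: bool):
        self.backend, self.patched = backend, patched
        self.passthrough: Set[str] = set()   # client connections handed off to raw byte copying

    def authorize(self, client: str, path: str) -> bool:
        """Simplified RBAC: anyone may reach the aggregated API; only admin may exec into pods."""
        if path.startswith(AGGREGATED_PREFIX):
            return True
        return client == "admin" and path.endswith("/exec")

    def request(self, client: str, req: Dict) -> Dict:
        if client in self.passthrough:
            # Connection already handed off: bytes go straight to the backend, no authn/authz,
            # and the backend sees the API server's identity, not the client's.
            return self.backend.handle({**req, "identity": APISERVER_IDENTITY})
        if not self.authorize(client, req["path"]):
            return {"status": 403, "body": "forbidden"}
        resp = self.backend.handle({**req, "identity": APISERVER_IDENTITY})
        if req.get("upgrade") and (resp["status"] == 101 or not self.patched):
            # Vulnerable code switched to pass-through without checking for 101;
            # the fix only does so on 101 and otherwise closes the connection.
            self.passthrough.add(client)
        return resp


def escalate(patched: bool) -> Dict:
    """Aggregated-API variant: malformed upgrade, then a privileged request on the same connection."""
    backend = Backend()
    proxy = ApiServerProxy(backend, patched=patched)
    first = proxy.request("anonymous", {"path": AGGREGATED_PREFIX + "v1beta1/nodes",
                                         "upgrade": True, "well_formed": False})
    second = proxy.request("anonymous", {"path": "/api/v1/namespaces/kube-system/pods/etcd-0/exec"})
    return {"first": first["status"], "second": second["status"],
            "backend_served": list(backend.served)}


if __name__ == "__main__":
    print("vulnerable:", escalate(patched=False))
    print("patched:   ", escalate(patched=True))
```

In vulnerable mode the anonymous client’s malformed upgrade is rejected with a 400, yet the follow-up exec request reaches the backend under the API server’s identity; in patched mode the same follow-up is authorized afresh and refused.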

Red Hat provided more detail about how the flaw affects the 3.x releases of OpenShift, its own container platform that uses Kubernetes as a core component.

Kubernetes has already patched the flaw (in v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1), and users of managed services that patch automatically should already be protected. Everyone else needs to upgrade their Kubernetes installations pronto. Where an immediate upgrade isn’t possible, the Kubernetes advisory’s mitigations are to remove the default discovery permissions from unauthenticated users, to suspend use of aggregated API servers, and to limit who holds exec, attach and port-forward rights.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/78nvnpH9boY/

Quora.com admits data breach affecting 100 million accounts

Hackers have compromised data from the accounts of 100 million users of question and answer site, Quora.com.

The bad news arrived in emails sent to the affected users – half its estimated 200 million account base – and through a public announcement made on Monday on its website.

The company discovered the breach on 30 November, finding that “data was compromised by a third party who gained unauthorized access to our systems,” wrote Quora CEO, Adam D’Angelo.

Data accessed included private information such as name, email address and encrypted (hashed) passwords, and any data imported from linked networks as authorised by account holders.

Also taken was “Non-public content and actions, e.g. answer requests, downvotes, direct messages,” however the company believes only a low percentage of users had such data in their accounts.

In addition, the hackers got hold of any questions, answers and upvotes posted by users, although these would also have been publicly available on the site itself.

Anyone who posted anonymously to the site over the years is not affected as Quora does not store data from these users, the company said.

What to do

If you’re one of the 100 million, the company will log you out of your account and ask you to reset the password the next time you try to log in.

Even if you’re a Quora user who isn’t asked to change their password, it’s a good idea to do this anyway – even if you’re one of the sizeable number of people who might have forgotten they signed up on the site at some long-forgotten moment in the past.

What is Quora doing to stop something similar happening in future?

We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.

Passwords matter

As with any data breach, the lurking issue is what hackers might do with the data they stole last week.

The worry isn’t simply the compromised Quora accounts themselves but that some of the passwords used to secure them might have been re-used on other websites. A lot here depends on how long ago the hackers accessed the data before it was discovered.

Quora says the passwords were “encrypted”. We hope that means the data had been run through a password hashing function and that the company just chose a word people are more likely to recognise as ‘secure’.

What the company hasn’t told us is what hashing function it used, nor the salting and iteration count it used with it. Those details could make all the difference.

If the company used obsolete, unsalted MD5 or SHA-1 hashes to protect passwords, that’s not good news. If it used something like bcrypt or scrypt with a per-user salt and adequate stretching, that would be more reassuring because it means cracking users’ passwords will be many orders of magnitude slower and more costly.
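To show the difference in practice, here is an added example (not Quora’s code) that stores the same constructed set of passwords once with unsalted MD5 and once with salted scrypt from Python’s standard library, then runs the same small dictionary attack against both. With unsalted MD5 one hash per word is enough to test every user at once and two users with the same password expose each other; with salted scrypt every (word, user) pair costs a separate memory-hard computation. The user records and wordlist are constructed.

```python
"""Unsalted MD5 versus salted scrypt under a dictionary attack (constructed sample data)."""
import hashlib
import os
import time
from typing import Dict, Iterable, Optional, Tuple

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # memory-hard: about 16 MiB per guess

# Constructed sample: two users share a weak password, one has a password not in the wordlist.
PLAINTEXTS = {"alice": "letmein123", "bob": "letmein123", "carol": "Tr0ub4dor&3 unlisted"}
WORDLIST = ["password", "123456", "letmein123", "qwerty"]


def md5_record(password: str) -> Tuple[str, bytes]:
    """Obsolete scheme: one fast, unsalted hash. Equal passwords give equal hashes."""
    return "md5", hashlib.md5(password.encode()).digest()


def scrypt_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Salted, memory-hard scheme; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt", salt + digest


def verify(record: Tuple[str, bytes], guess: str) -> bool:
    scheme, blob = record
    if scheme == "md5":
        return hashlib.md5(guess.encode()).digest() == blob
    salt, digest = blob[:16], blob[16:]
    return hashlib.scrypt(guess.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS) == digest


def crack(records: Dict[str, Tuple[str, bytes]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack returning (cracked passwords, number of hash evaluations).
    Unsalted MD5 needs one evaluation per word for ALL users; salted hashes need one per (word, user)."""
    cracked: Dict[str, str] = {}
    evaluations = 0
    unsalted = {u: r for u, r in records.items() if r[0] == "md5"}
    salted = {u: r for u, r in records.items() if r[0] != "md5"}
    for word in wordlist:
        if unsalted:
            evaluations += 1
            h = hashlib.md5(word.encode()).digest()
            for user, (_, blob) in unsalted.items():
                if h == blob:
                    cracked[user] = word
        for user, record in salted.items():
            if user in cracked:
                continue
            evaluations += 1
            if verify(record, word):
                cracked[user] = word
    return cracked, evaluations


def demo() -> Dict[str, object]:
    md5_db = {u: md5_record(p) for u, p in PLAINTEXTS.items()}
    scrypt_db = {u: scrypt_record(p) for u, p in PLAINTEXTS.items()}
    md5_cracked, md5_evals = crack(md5_db, WORDLIST)
    start = time.perf_counter()
    scrypt_cracked, scrypt_evals = crack(scrypt_db, WORDLIST)
    return {"md5_alice_equals_bob": md5_db["alice"] == md5_db["bob"],
            "scrypt_alice_equals_bob": scrypt_db["alice"] == scrypt_db["bob"],
            "md5_cracked": md5_cracked, "md5_evaluations": md5_evals,
            "scrypt_cracked": scrypt_cracked, "scrypt_evaluations": scrypt_evals,
            "scrypt_seconds": round(time.perf_counter() - start, 3)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up the weak shared password to a four-word list, but MD5 does so in four hash evaluations that also reveal alice and bob share a password, while scrypt needs ten separate memory-hard evaluations and keeps the two records distinct; scale the wordlist to billions of guesses and that cost gap is what decides whether a leaked database is crackable.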

For an illustration of the difference it makes, take a look at what happened when researchers tried to crack the passwords exposed by the Ashley Madison breach.

Quora’s data breach announcement makes it the third big brand to fall to the hackers in a week, after Marriott (which affected 500 million accounts), and Dell (the size of which is as yet unknown).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jA-_klU3My0/

Now you, too, can snoop on mobe users from 3G to 5G with a Raspberry Pi and €1,100 of gizmos

A protocol meant to protect smartphone users’ privacy is vulnerable to fake base station attacks all the way from 3G to 5G, according to a group of international researchers. All the baddies need is a little over €1,100 worth of kit and a laptop.

The “Authentication and Key Agreement” protocol (aka AKA, hehe) is meant to provide security between mobile users and base stations, and its past problems lay behind the creation of law enforcement surveillance devices such as the StingRay.

In research published at the International Association for Cryptologic Research, boffins from ETH Zurich, Berlin Technical University and Norwegian research institute SINTEF Digital claimed they had found “a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do”.

It is severe because it is a logical vulnerability in the protocol – which means it’s not specific to one implementation of AKA, and is why it reaches all the way back to 3G implementations.

“AKA is a challenge-response protocol mainly based on symmetric cryptography and a sequence number (SQN) to verify freshness of challenges, preventing replay attacks,” the boffins wrote.

Because of previous vulnerabilities, particularly mobile phones’ susceptibility to IMSI-catchers (that is, fake base stations like StingRay), the body in charge of mobile phone standards, 3GPP, improved AKA for the 5G era with randomised asymmetric encryption to protect user identifiers sent during the pre-encryption handshake.

However, the new version still uses SQNs, and the paper said that’s what the researchers attacked. They discovered that a lack of randomness in the resynchronisation step and AKA’s use of XOR to conceal the sequence number allowed them to defeat the SQN protection mechanism.

“We show that partly learning SQN leads to a new class of privacy attacks,” the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue “even when subscribers move away from the attack area”.

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location and so on – the researchers believe it’s worse than previous fake-base-station attacks such as IMSI catching, because those are only effective while the user is within reach of the fake base station.

“Even when [user equipment] are using mobile services outside the attack area, part of this activity may be leaked to some adversary using our attack the next time the UE enters again the attack area,” the paper read. “Intuitively, this is because, independently of its location, the UE’s activity has an effect on the counter SQN stored in the HN that will be leaked when the UE is (actively) under attack.”

The vulnerability arises because an attacker can replay a captured authentication challenge to the UE at different times and collect the resynchronisation responses, each of which carries the current SQN masked only by a value that depends on the replayed challenge; “by cleverly choosing several timestamps, the attacker is able to exploit [SQN] values… to break the confidentiality of SQN”.
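The exchange above, as an added simulation that is not the researchers’ code: a toy home network and USIM that run a cut-down AKA, with HMAC standing in for the MILENAGE functions f1, f5, f1* and f5*, a 48-bit SQN advanced by one per successful authentication (real networks manage SQN as SEQ||IND with an acceptance window, simplified here), and a fake base station that only replays one captured challenge. Because the resynchronisation token AUTS masks SQN_MS with AK* = f5*(K, RAND), replaying the same RAND twice yields two tokens whose XOR is exactly SQN_before XOR SQN_after, which is what leaks the subscriber’s activity in between. The key and all values are constructed.

```python
"""Toy AKA with replayed challenges showing the SQN leak through AUTS (constructed simulation)."""
import hashlib
import hmac
import os
from typing import Tuple

SQN_MASK = (1 << 48) - 1


def prf(k: bytes, label: bytes, rand: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 stands in for the MILENAGE functions; the label selects f1/f5/f1*/f5*."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:nbytes]


def f5_star(k: bytes, rand: bytes) -> int:
    """Anonymity key AK* used in resynchronisation. It depends only on K and RAND."""
    return int.from_bytes(prf(k, b"f5*", rand, 6), "big")


class HomeNetwork:
    def __init__(self, k: bytes):
        self.k, self.sqn_hn = k, 0

    def challenge(self) -> Tuple[bytes, bytes]:
        """Fresh challenge: RAND and AUTN = (SQN xor AK) || MAC (AMF omitted)."""
        self.sqn_hn += 1
        rand = os.urandom(16)
        ak = int.from_bytes(prf(self.k, b"f5", rand, 6), "big")
        conc = (self.sqn_hn ^ ak).to_bytes(6, "big")
        mac = prf(self.k, b"f1" + conc, rand, 8)
        return rand, conc + mac


class USIM:
    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0

    def authenticate(self, rand: bytes, autn: bytes) -> Tuple[str, bytes]:
        conc, mac = autn[:6], autn[6:]
        if mac != prf(self.k, b"f1" + conc, rand, 8):
            return "MAC_FAILURE", b""
        sqn = int.from_bytes(conc, "big") ^ int.from_bytes(prf(self.k, b"f5", rand, 6), "big")
        if sqn <= self.sqn_ms:
            # Replayed or stale challenge: answer with AUTS = (SQN_MS xor AK*) || MAC-S.
            auts = ((self.sqn_ms ^ f5_star(self.k, rand)) & SQN_MASK).to_bytes(6, "big")
            return "SYNC_FAILURE", auts + prf(self.k, b"f1*" + auts, rand, 8)
        self.sqn_ms = sqn
        return "OK", b""


def leaked_xor(auts_a: bytes, auts_b: bytes) -> int:
    """Two AUTS built with the same RAND share the same AK*, so their XOR is SQN_a xor SQN_b."""
    return int.from_bytes(auts_a[:6], "big") ^ int.from_bytes(auts_b[:6], "big")


def run_attack(activity_between: int) -> Tuple[int, int]:
    """Return (what the attacker computes, the true SQN_before xor SQN_after)."""
    k = os.urandom(16)
    hn, ue = HomeNetwork(k), USIM(k)
    rand, autn = hn.challenge()                     # genuine challenge, sniffed by the attacker
    assert ue.authenticate(rand, autn)[0] == "OK"
    status, auts1 = ue.authenticate(rand, autn)     # fake base station replays it: first AUTS
    assert status == "SYNC_FAILURE"
    sqn_before = ue.sqn_ms
    for _ in range(activity_between):               # subscriber uses the real network elsewhere
        ue.authenticate(*hn.challenge())
    status, auts2 = ue.authenticate(rand, autn)     # subscriber is back in range: second AUTS
    assert status == "SYNC_FAILURE"
    return leaked_xor(auts1, auts2), sqn_before ^ ue.sqn_ms


if __name__ == "__main__":
    for n in (0, 1, 4, 37):
        print(f"{n} authentications in between -> attacker learns SQN xor delta {run_attack(n)[0]}")
```

A zero result means no activity since the last replay; a non-zero one bounds how far the counter moved, and the paper shows how several well-timed replays turn these partial values into the full SQN. The attacker never needs K: AK* cancels out because the replayed RAND is the same both times.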

The researchers’ proof of concept needed a laptop, a universal software radio peripheral, a smartcard reader, and the OpenLTE software. Excluding the laptop, they said the kit cost €1,140 (they note that the laptop could easily be replaced with a Raspberry Pi).

The authors – Ravishankar Borgaonkar of SINTEF Digital, Lucca Hirschi of ETH Zurich, and Shinjo Park and Altaf Shaik of the Technical University of Berlin – said they have notified 3GPP, the GSM Association; vendors Huawei, Nokia and Ericsson; and carriers Deutsche Telekom and Vodafone UK.

They said the GSMA and 3GPP told them remediation will be undertaken for future generations. However, the early implementations of 5G will probably suffer from the vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/05/mobile_users_can_be_tracked_with_cheap_kit_aka_protocol/

GOPwned: Republicans fall victim to email hack

The National Republican Congressional Committee, the Republican Party’s campaigning arm, has confirmed it has fallen victim to a major compromise of its email system.

Following an early report from Politico, the committee confirmed to multiple outlets that someone had been surveilling its messages for months.

The NRCC did not respond to a Register request for comment.

The breach is said to have been found by a security vendor working with the NRCC back in April. The intruder reportedly had access to the email accounts of at least four NRCC aides and, by the time the breach was discovered, had likely been collecting thousands of sent and received emails over the course of several months.

According to Politico’s account of the matter, much of the GOP leadership, including Speaker Paul Ryan (R-WI) and Majority Leader Kevin McCarthy (R-CA) was left in the dark about the matter as the NRCC sought to investigate the breach on its own. The committee has notified the FBI, however.

No other personal information or donor details were believed to have been stolen.

The April breach came ahead of an extremely difficult 2018 mid-term election for the Republican Party, particularly in the House where the GOP lost 40 seats and gave up majority control to the Democrats.

The attack is reminiscent of the breach that occurred with the DNC in the summer prior to the 2016 election. Much like the NRCC breach, that attack involved breaking into staff email accounts and harvesting thousands of emails. Those emails were released in the lead-up to the election in what the DNC believes was an attempt to sway the outcome in favor of Donald Trump.

Russian intelligence was soon named as the prime suspect in that incident; in July 2018 US prosecutors indicted 12 officers of the GRU, Russia’s military intelligence agency, for the intrusion. The Kremlin has claimed that if it were responsible, it would be protected from legal action. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/04/republicans_email_hack/

‘London Blue’ BEC Cybercrime Gang Unmasked

Security firm turned the tables on attackers targeting its chief financial officer in an email-borne financial scam.

BLACK HAT EUROPE 2018 – London – Call it karma or just poor OpSec, but a prolific global cybercrime organization recently blew its cover after inadvertently targeting executives at a security firm.

The infamous Nigerian/UK group behind a rash of business email compromise (BEC) scams found itself on the other side of its own social-engineering scam when it posed as Agari CEO Ravi Khatod in an Aug. 7 email sent to Raymond Lim, chief financial officer at Agari, an email security company.

Agari today disclosed details of both its unmasking of the group – which it has dubbed “London Blue” – as well as its inner workings. Security researchers at Agari flipped the equation on the attackers in an email exchange by posing as Lim’s assistant and drawing out enough details to drill down into the particulars of the group as well as the physical location of its operators in London.

“Our email filter caught [the BEC email],” says Crane Hassold, senior director of threat research at Agari and a former FBI investigator. Hassold’s team was ultimately able to extract the information, coupled with its own intel-gathering, to identify the two top execs of the gang, who live in and operate out of London.

The most striking finding, Hassold says, was that the operation used at least two legitimate lead-generation services that gave them more filtered intel for targeting C-level execs around the world, rather than having to cast a wide-net phishing campaign.

The lead-generation tools let them filter possible victims by role, location, and company size, for example, he says. The group purchased subscriptions to the tools, he says, which saved them time and labor. Among one list of 306 target victims that London Blue acquired in November 2017 was Agari CFO Lim, as well as California-based CFOs from a top private university, an enterprise data storage vendor, a well-known guitar manufacturer, casinos, hotels, and some small and midsize businesses.

Overall, the group has targeted some 50,000 CFOs worldwide across 82 countries, but mostly in the US, Agari found.

Like many of today’s BEC emails, the attackers didn’t bother to spoof the real email domain of the target; instead, they merely displayed the name “Ravi Khatod” in the email header. And there’s no malware required with BEC: It’s mainly a social engineering exploit.
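Display-name spoofing of this sort is exactly what an inbound filter can catch, because the visible name and the actual address disagree. The following is an added example, not Agari’s filter: it parses a raw message, compares the From display name against an assumed executive directory, and flags the mismatch, an external sender domain, a Reply-To that diverges from From, and payment or urgency language combined with an impersonated executive. The corporate domain `example.com`, the directory, and the three sample messages (the first reuses the lure wording quoted in the article, with a reserved `.example` domain) are constructed.

```python
"""Display-name impersonation check for BEC lures (constructed directory and samples)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

CORP_DOMAIN = "example.com"                                   # assumed corporate domain
EXECUTIVES = {"ravi khatod": "ravi@example.com",              # assumed directory: name -> real address
              "raymond lim": "raymond@example.com"}
MONEY_WORDS = re.compile(r"\b(transfer|wire|payment|invoice|gift cards?|urgent|today)\b", re.I)

BEC_LURE = """From: "Ravi Khatod" <ravi.khatod.ceo@webmail-lookalike.example>
To: raymond@example.com
Subject: transfer

Ray, we need to make a transfer today. Let me know if you can process now and I will send info. Thanks Ravi Khatod.
"""
LEGIT_EXEC = """From: "Ravi Khatod" <ravi@example.com>
To: raymond@example.com
Subject: board deck

Ray, can you send me the Q3 numbers for the board deck? Thanks.
"""
VENDOR_INVOICE = """From: "Accounts Receivable" <ar@supplier.example>
To: raymond@example.com
Subject: invoice 4471

Hi Raymond, please find attached invoice 4471 for payment.
"""


def normalise(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so 'R. Khatod,' style names compare."""
    return " ".join(re.sub(r"[.,]", " ", name).lower().split())


def assess(raw_message: str) -> List[str]:
    """Return the reasons to flag a message; an empty list means no BEC indicators were found."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons: List[str] = []

    impersonated = EXECUTIVES.get(normalise(display))
    spoofed = bool(impersonated) and addr != impersonated
    if spoofed:
        reasons.append(f"display name '{display}' matches executive {impersonated} but From is {addr}")
        if not addr.endswith("@" + CORP_DOMAIN):
            reasons.append("sender domain is external to the organisation")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    if spoofed and not msg.is_multipart():
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
        if MONEY_WORDS.search(body):
            reasons.append("impersonated executive combined with payment/urgency language")
    return reasons


if __name__ == "__main__":
    for label, sample in (("lure", BEC_LURE), ("legit", LEGIT_EXEC), ("vendor", VENDOR_INVOICE)):
        print(label, assess(sample) or "clean")
```

The lure trips three rules while the genuine executive mail and the unrelated vendor invoice pass, even though the invoice mentions payment: the executive-name match is what turns money language into a signal, which keeps the rule from drowning finance teams in false positives.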

Their initial email read:

Ray, we need to make a transfer today. Let me know if you can process now and I will send info. Thanks Ravi Khatod.

That’s when the cat-and-mouse operation began. Agari researchers, posing as Lim’s assistant Alicia, responded:

Ravi, Raymond is out this week and I will help you with the transfer. Would you please provide me with the transfer details? Also just a reminder, as you may know, all payments go out on Wednesday, which is tomorrow. So if you need to make another transfer or payment, please inform me so that I could take care of them together before tomorrow’s cut-off passes. Best Regards, Alicia

The email exchange went from there, with Agari gathering more money-mule account information.

Hassold says the group’s makeup of 20 to 25 individuals includes some 17 money mules spread around the US and Western Europe, and likely some members in Nigeria. At least three of the money mules have criminal records (including two sex offenders).

One transaction spotted by Agari was a $20,000 cashier’s check obtained by a money mule from a large US bank. While the transaction initially triggered a potential fraud alert at a local branch, the money mule social-engineered the bank’s fraud prevention group into approving it.

BEC as a Business

London Blue’s operation includes the lead generation, lead assignments/sales, the BEC emails and social engineering, and then the movement of the pilfered funds. “This is organized like a business,” Hassold says. “These cybercrime gangs are not just loosely affiliated low-level scammers.”

BEC is becoming one of the most popular – and successful – cybercrime attacks. According to the FBI Internet Crime Complaint Center, BEC scams total some $12 billion in losses. Agari says a BEC scam typically nets four victims out of every 100 tries via email, and the average payment query is $35,000.

Agari has been working with law enforcement in the UK and US to identify the actors in London Blue, including the two top execs, who have not yet been apprehended. “If they get arrested, that will take this group down,” Hassold says.

London Blue is an “average”-size BEC group, he says, among the 10 or more different Nigerian BEC groups Agari is tracking.

How did Agari convince the attackers they were falling for the scam? “They may have had a red flag during our interactions, but their financial motivation was so strong that it overrides [their hesitation],” he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/privacy/london-blue-bec-cybercrime-gang-unmasked/d/d-id/1333391?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 Lessons Die Hard Teaches About Combating Cyber Villains

With proper planning, modern approaches, and tools, we can all be heroes in the epic battle against the cyber threat.

This year marked the 30th anniversary of Die Hard’s release. Often considered a holiday movie, it set a standard for action films — a lot of high-energy, edge-of-your-seat action scenes, an intense plot (punctuated with humor), a protagonist who saves the day, and possibly one of the greatest cinematic villains of all time.

For those of us in the cybersecurity field, the movie offers uncanny, familiar parallels between the villain’s attempted mission and the kinds of cyber threats we see today.

Parallel #1: The “Exceptional Thief” Continues to Evolve

“I am an exceptional thief, Mrs. McClane.” — Hans Gruber

Hans Gruber (played by the late Alan Rickman) is a well-organized villain who stays one step ahead of John McClane (played by Bruce Willis) by adjusting his tactics throughout the movie, although he doesn’t remain so lucky in the end. While other movie villains fail when the protagonist thwarts their plans, Hans pivots and evolves. 

The evolving tactics reflect centuries of actual criminal history. For example, Butch Cassidy was considered an exceptional thief in the late 19th century, going from town to town, robbing banks, trains, and mine stations for 10 years until he was caught in South America by mounted soldiers. Alan Golder was considered a “Master Thief” under the Genovese crime family who robbed celebrities of their jewels and sold them on the black market.

Exceptional thievery has evolved over time. Like modern-day businesses, thieves have undergone a digital transformation of their own. For example, today’s cyber attackers are well organized, patient, and able to work from home. They are exceptional at stealing and monetizing data and information, and even at engaging in espionage and sabotage.

Parallel #2: Blend in to Breach the Perimeter
What made Die Hard’s Gruber stand out was how well organized he was. Gruber had a determined mission, a strategy to execute, and contingency plans in place. One example is when he came face to face with McClane and impersonated a hostage to prevent getting caught.

His behavior was not unlike any well-organized attacker. In fact, one of the most effective tactics used by attackers is blending in with normal day-to-day activity, most often through the use of stolen, valid credentials, which can make it difficult to detect an attacker in the network and applications.

The 2017 Verizon Data Breach Report reported that 81% of breaches are due to compromised or stolen credentials. These days, there are a multitude of ways an attacker can penetrate the enterprise and establish a foothold using stolen credentials. They don’t even have to orchestrate the complexities of an initial spearphishing attack. Attackers can guess credentials, socially engineer them, obtain them from the Dark Web, or harvest them with malware. Once they have valid credentials, they gain access, escalate privileges, and move laterally within the network among applications and sensitive data until their mission is complete.

To thwart these attacks, organizations are moving beyond passwords and basic two-factor authentication methods. If an attacker has valid credentials — or even a spoofed phone number to receive a second-factor one-time passcode — adaptive authentication and risk analysis could identify a suspicious login attempt from other factors. Those factors include the location of the login, the device being used, or determining whether the IP address is suspicious or malicious. It essentially renders stolen credentials useless.
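The risk analysis described above, as an added example that is not part of the original article: a toy adaptive-authentication scorer that weighs the contextual factors the paragraph lists (source IP reputation, device familiarity, and travel speed since the last login) so that a correct password and one-time passcode alone do not guarantee access. All names, weights, thresholds and sample data are hypothetical and constructed here.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed "threat feed" of flagged source IPs (documentation range, not real IoCs).
FLAGGED_IPS = {"203.0.113.7"}
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins = impossible travel

@dataclass
class Login:          # one authentication attempt, as a risk engine would see it
    device_id: str
    ip: str
    lat: float
    lon: float
    ts: float         # seconds since epoch
    password_ok: bool
    otp_ok: bool

@dataclass
class Profile:        # what we already know about the account's normal behaviour
    known_devices: set
    last_lat: float
    last_lon: float
    last_ts: float

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two logins, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(login: Login, profile: Profile) -> tuple[int, list[str]]:
    """Add up the contextual risk factors and report which ones fired."""
    hours = max((login.ts - profile.last_ts) / 3600.0, 1e-6)
    km = distance_km(profile.last_lat, profile.last_lon, login.lat, login.lon)
    checks = [  # (condition, weight, reason) - weights are illustrative
        (login.ip in FLAGGED_IPS, 60, "source IP on threat feed"),
        (login.device_id not in profile.known_devices, 25, "unrecognised device"),
        (km / hours > MAX_PLAUSIBLE_KMH, 50, "impossible travel since last login"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    reasons = [r for hit, _, r in checks if hit]
    return score, reasons

def decide(login: Login, profile: Profile) -> str:
    """Valid password and OTP are necessary but not sufficient: context can still deny."""
    if not (login.password_ok and login.otp_ok):
        return "deny"
    score, _ = risk_score(login, profile)
    return "deny" if score >= 50 else "step-up" if score >= 25 else "allow"
```

A login with a stolen password and intercepted OTP from a new device, a flagged IP, and a location unreachable since the last session scores on all three factors and is denied; a new device alone only triggers a step-up challenge.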

Parallel #3: Think Like an Attacker
Gruber had clear motives. He wasn’t looking for worldwide domination; he sought monetary gain. He wanted to be “sitting on a beach earning 20%,” with the Nakatomi Corporation vault his primary target. With good plans and all the resources he needed, he wouldn’t make mistakes.

McClane had to outthink and outmaneuver him, just as IT security teams do against cyber threats. They have to think like an attacker in order to understand and reduce the threat surface. Assessments need to be conducted to consider how their organization is a target, what data and sensitive information is stored, how attackers move around the environment, what they would do with that stolen information, which employees or end users are vulnerable, and how attackers could exploit these, and so on.

Conducting risk assessments is a best practice, similar to thinking like an attacker. With advanced penetration testing skills and tools, real-world attack scenarios can be created proactively to test IT infrastructures and uncover risks and vulnerabilities that could lead to an attacker completing their mission. From penetration testing reports, security teams can proceed to actions beginning with patches, to prioritization and remediation plans, leading ultimately to a more secure enterprise.

Parallel #4: Keep Emergency Lines (or the SOC) Clear

Emergency Responder System in Die Hard: “This channel is reserved for emergency calls only.”

John McClane: “No kidding, does it sound like I’m ordering a pizza?”

This scene is reminiscent of the security operations center (SOC) of an enterprise. Many of the hundreds and thousands of alerts flooding the SOC lack context around how identities are being misused. This can best be described as looking for multiple moving needles in a barn full of haystacks.

IT security teams are already overwhelmed. They’re sifting through too much information to find meaningful data on failed login attempts for remediation, what needs urgent attention, and what constitutes a threat. The M-Trends 2018 report revealed the global dwell time for an attacker is just over 100 days. That’s 100 days of presence on a victim’s network before even being detected. Interestingly, the first 20 minutes of Die Hard are also action-free.

Today, SOCs are able to laser through floods of information and speed up identification and remediation with advanced threat-detection services. Threat detection is important in providing visibility into activities on the network and endpoint devices that otherwise would go undetected in the noise.

Modern threat-detection services integrate multiple different providers of threat intelligence and threat information to provide greater coverage and protection. Beyond typical IP reputation feeds, effective threat services give the SOC actionable intelligence on a given threat (e.g., actor type, malware family, etc.). IT teams can use this information to aid SOC staff and incident responders alike, so they know what to focus on during an investigation.

Parallel #4: We Can All Be John McClane
McClane went on to win (incident responding?!) against the bad guys in four sequels (with another on the way!). We, too, will continue to face many cyber threats. But with the proper planning, modern approaches and tools in place, each of us can protect, detect, and prevent the threats from the Grubers of the world, ensuring our people, data, and information remain safe and secure.

Keith Graham is the chief technology officer at SecureAuth. With 17 years in security, product management, product development and consulting, Graham is recognized as an industry leader in developing adaptive identity security and access control solutions. Today as CTO, he …

Article source: https://www.darkreading.com/perimeter/4-lessons-die-hard-teaches-about-combating-cyber-villains/a/d-id/1333389?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple