STE WILLIAMS

DHS, FBI Issue SamSam Advisory

Following last week’s indictment, the federal government issues pointers for how security pros can combat the SamSam ransomware.

The Department of Homeland Security (DHS) and the FBI issued an advisory yesterday for organizations looking to combat the SamSam ransomware.

The advisory comes on the heels of last week’s six-count indictment of two Iranian men that alleges they have collected more than $6 million in ransomware payments and have caused more than $30 million in losses to victims.

Jon DiMaggio, senior threat intelligence analyst at Symantec, says the security vendor has documented that out of 67 attacks in 2018, 56 were conducted in the United States. The federal indictment cites more than 200 victims, primarily in government, critical infrastructure, and healthcare.

The DHS/FBI advisory offers 14 tips for security pros, many of them standard best practices, such as keeping good off-site backups and enforcing strong passwords and account lockout policies to blunt brute-force attacks.

“Keep in mind that the attackers are basically doing what pen testers do: They are scanning for open ports,” DiMaggio explains.

Out of the list of 14 points, these three will do the most to keep the SamSam ransomware at bay, he says:

  • Keep all RDP ports behind the firewall. This is especially true for port 3389. The idea is for attackers not to have easy access to open ports. Companies can further strengthen their security by deploying two-factor authentication.
  • Segment the network. What happened in many of these cases was that the SamSam attackers got access to a network, and once they were in, they had access to all of the network’s resources. By segmenting the network, attackers will only have access to a portion of it should they gain access.
  • Restrict user privileges to only what they need and/or whitelisted apps. If attackers try to push malware out through Active Directory, it won’t execute if privileges have been restricted correctly.

“By taking these steps, security pros will force the attackers to change their tactics,” DiMaggio says. “By blocking off the publicly accessible endpoints, the attackers will have to go to a more sophisticated type of attack, like spear-phishing with a back door.”

The SamSam ransomware hit the city of Atlanta especially hard last spring, infecting five of the city’s 13 departments. As of now, the motive for the attacks has been financial, but no other details have been released.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/dhs-fbi-issue-samsam-advisory/d/d-id/1333396?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Quora Breach Exposes Information of 100 Million Users

The massive breach has exposed passwords for millions who didn’t remember having a Quora account.

Quora, a question-and-answer website, announced that its membership database has been breached, exposing information on approximately 100 million individuals to criminals.

According to the company’s disclosure, exposed information includes:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, and upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, and direct messages

Quora told affected users that the risk of long-term harm is low because the company collects no payment or deeply personal information from any account holder. Judging from Twitter activity around the breach, one of the most surprising facts for many account holders was the fact that they have an account on Quora; many had apparently signed on to answer a single question, then forgotten that they had the account at all.

Ryan Wilk, vice president of customer success for NuData Security, a Mastercard company, said in response to the breach, “Stolen information, such as names, email addresses and passwords, combined with other user data from other breaches and social media, builds a complete profile. Every hack has a snowball effect that far outlasts the initial breach.”

For those affected by the breach, the disclosure of their information could have an impact that extends far beyond Quora itself. Ben Johnson, co-founder and CTO of Obsidian Security, said, “The Quora breach is a powerful reminder about the perils of password reuse. Many of the compromised accounts belong to users who haven’t been active for years. Reusing the same password puts sensitive data across all accounts at risk if a single breach occurs — even if it’s a service they haven’t used in years.”

Among the facts not yet known is how regulators in the US and Europe will view the breach. The financial impact could be considerable, as Chris Olson, CEO of The Media Trust explains. “Now that [the EU General Data Protection Regulation] is in force, California’s Consumer Privacy Act has been passed, and a new federal consumer privacy bill has been proposed that threatens to imprison CEOs for inaccurate or incomplete reporting on data processes, companies must get to know all their third parties and ensure those third parties’ activities fall within company policies for data security and privacy. Most third parties operate under the radar, posing known and unknown threats to companies’ top and bottom lines.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/quora-breach-exposes-information-of-100-million-users/d/d-id/1333397?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Backdoors Up 44%, Ransomware Up 43% from 2017

Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.

Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report.

The Kaspersky Security Bulletin 2018 found malware should be among everyone’s top concerns as we head into the new year. Kaspersky Lab handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year.

Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million.

Trojans made up half of all new malicious files analyzed. Researchers point to banking malware and malicious programs for ATMs and point-of-sale terminals, as a threat to watch. This year, Kaspersky tools blocked attempts to deploy one or more money-stealing programs on 830,135 devices.

Of the 10 malware families most frequently used against banking users, the Zbot Trojan was the most common at 26.3% of attacks, and the Nymaim Trojan took second place with 19.8% of infections, followed by the SpyEye backdoor at 14.7%. Overall, seven of the top 10 banking malware families were Trojans and three were classified as backdoor, researchers found.

Crypto-ransomware proved a consistent threat as researchers observed 39,842 new modifications of encryptors and 11 new families. The monthly count of new modifications peaked in November 2017, at 15,462. More than 220,000 corporate users and 27,000 small and midsize business users were hit with encryptors, and September 2018 was the most active month for attacks, with 132,047 instances seen.

WannaCry was the most widespread ransomware family, at 29.3% of infections, followed by a “generic verdict” — the term researchers used for new and unknown samples — at 11.4%. Gandcrab ransomware fell in third place at 6.67%, followed by Cryakl (4.59%) and PolyRansom/Virlock (2.86%) in fourth and fifth place, respectively.

Most-Targeted Applications and Systems
This year will be remembered for the large number of targeted attacks leveraging zero-day exploits, researchers say.

Notable incidents included CVE-2018-4878 and CVE-2018-5002, which exploited Adobe Flash at the end of its life cycle. Acrobat Reader bug CVE-2018-4990 was abused for the first time in a long time. Researchers also saw vulnerabilities in the Windows VBScript engine, CVE-2018-8174 and CVE-2018-8373, and several flaws in the win32k.sys driver used by cybercriminals to escalate privileges in Windows and escape a sandbox (CVE-2018-8120, CVE-2018-8453, CVE-2018-8589).

That said, the researchers have noticed attacks on certain popular tools decrease.

“As in the previous year, the share of users attacked by exploits for vulnerabilities in Adobe Flash Player and Internet Explorer has decreased, even though some new zero-day publicly exploited vulnerabilities have been found in both products,” researchers point out. Further, the share of exploits for Android fell 9 percentage points to 18%, a sign that security is improving.

However, they add, there was a “significant increase” in the number of people attacked with Microsoft exploits — four times the average in 2017. This drove the share of Office exploits from 17.6% to 55%, driven by mass spam email campaigns spreading malicious documents with exploits for the CVE-2017-11882 and CVE-2018-0802 vulnerabilities.

“Exploits for these vulnerabilities have gained popularity among cybercriminals due to their stability and ease of use — all that’s required to create an exploit is to modify the exploit builder script published on a public resource,” they explain in the report.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/backdoors-up-44--ransomware-up-43--from-2017/d/d-id/1333399?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bleichenbacher’s CAT puts another scratch in TLS

Are the underpinnings of HTTPS security as foolproof as everyone assumes they are?

The answer should be a resounding ‘yes’ unless, that is, you happen to be one of a small group of researchers who spend their time formulating what have come to be known as Bleichenbacher or Vaudenay padding oracle attacks.

There has been a steady trickle of these since cryptographer Daniel Bleichenbacher described the first, and eponymous, attack on the RSA PKCS #1 v1.5 encryption scheme in 1998.

The latest, overlapping attacks were made public last week (affected parties were informed in August) in the paper The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations, co-authored by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir (who co-invented RSA!), David Wong and Yuval Yarom.

Padding cats

The fundamental problem with RSA key exchange is that although only a few percent of servers still rely on it, TLS implementations (on which HTTPS depends) keep supporting it for backwards compatibility, because that is how the internet’s security has always evolved.

This means that no matter how secure the later protocols are, attackers can keep scratching away at the theoretical weaknesses of the older parts of the system.

The new research revisits the PKCS #1 v1.5 scheme used by RSA key exchange, which defines how a short secret (in TLS, the 48-byte premaster secret from which the session keys are derived) is fitted into a larger (say 2048-bit) RSA block, with the difference made up by what is called padding.

A padding oracle attack lets an attacker recover that secret without the private key. The attacker sends many adaptively chosen variants of the captured ciphertext to the server (the “oracle”) and observes, for each one, whether the server treated the decrypted padding as valid. Every yes/no answer narrows the range in which the secret must lie, until only one value remains. Done naively, the server’s error messages give the answer away; the CAT attacks obtain the same bit from cache-timing side channels instead.
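To make the mechanism concrete, here is an added, self-contained simulation of Bleichenbacher’s 1998 attack in Python. It is not code from the paper or from Naked Security: the RSA key is a throwaway 128-bit key generated in the script (hypothetical, far too small for real use, chosen so the roughly 2^16 oracle queries finish in a second or two), the secret is a made-up three-byte string, and the oracle only reveals whether a decryption starts with the bytes 00 02, the weakest form of the leak a TLS stack must never expose.

```python
"""Simulation of Bleichenbacher's PKCS#1 v1.5 padding-oracle attack (added example)."""
import random
from math import gcd


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with bases drawn from rng; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_key(bits, seed):
    """Deterministic toy RSA key (n, e, d); hypothetical, never use keys this small."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def pkcs1_pad(msg, k, rng):
    """EME-PKCS1-v1_5: 00 02 <at least 8 nonzero random bytes> 00 <msg>."""
    pad = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    assert len(pad) >= 8, "message too long for this modulus"
    return b"\x00\x02" + pad + b"\x00" + msg


def pkcs1_unpad(m, k):
    raw = m.to_bytes(k, "big")
    assert raw[:2] == b"\x00\x02"
    return raw[raw.index(b"\x00", 2) + 1:]


class PaddingOracle:
    """The server-side leak: answers only whether a ciphertext decrypts to 00 02 ...
    (the most permissive oracle), and counts how often it was asked."""

    def __init__(self, n, d):
        self.n, self.d, self.k, self.queries = n, d, (n.bit_length() + 7) // 8, 0

    def __call__(self, c):
        self.queries += 1
        return pow(c, self.d, self.n).to_bytes(self.k, "big")[:2] == b"\x00\x02"


def ceil_div(a, b):
    return -(-a // b)


def merge(intervals):
    """Union of closed integer intervals."""
    intervals.sort()
    out = []
    for a, b in intervals:
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out


def bleichenbacher(c, n, e, oracle):
    """Recover m from c = m^e mod n using only yes/no padding answers (steps 2-4 of the 1998 paper)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))  # conforming plaintexts lie in [2B, 3B)

    def conforming(s):  # asks the oracle about (m * s) mod n, which the attacker can form without m
        return oracle(c * pow(s, e, n) % n)

    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(n, 3 * B)  # step 2a: first s >= n/3B whose product conforms
    while not conforming(s):
        s += 1
    while True:
        new = []  # step 3: narrow every candidate interval using the conforming s
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:  # step 4: a single value is left, that is m
            return M[0][0]
        if len(M) > 1:  # step 2b: several intervals, plain linear search for the next s
            s += 1
            while not conforming(s):
                s += 1
        else:  # step 2c: one interval, pick s so each answer roughly halves it
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), n)
            while True:
                lo, hi = ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                found = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                if found is not None:
                    s = found
                    break
                r += 1


def demo(seed=2018, secret=b"k3y"):
    """Encrypt a constructed secret, then recover it from the oracle alone; returns (secret, query count)."""
    n, e, d = make_key(128, seed)
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_pad(secret, k, random.Random(seed + 1)), "big")
    oracle = PaddingOracle(n, d)
    recovered = bleichenbacher(pow(m, e, n), n, e, oracle)
    return pkcs1_unpad(recovered, k), oracle.queries


if __name__ == "__main__":
    found, asked = demo()
    print(f"recovered {found!r} after {asked} oracle queries")
```

The query count printed at the end is the number a real attacker would have to get past a server, which is why the researchers care about spreading queries across several servers that share a key, and why an implementation must make valid and invalid padding indistinguishable in its error paths, timing and memory access pattern alike.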

Because the attack needs a large number of queries within a limited period (and rate limiting can cap how many a single server will answer), the researchers hit on a way to parallelise it by spreading queries across multiple servers that share the same public key.

The researchers list other building blocks, including cache-based side-channel inference (Flush+Reload, Prime+Probe), before adapting older techniques such as BEAST (Browser Exploit Against SSL/TLS) to see how easy it would be to target login tokens used by web browsers.

Importantly, the research once again showed that backwards compatibility and a slow upgrade cycle are the system’s Achilles’ heels. The security features of TLS 1.3 (which doesn’t support RSA key exchange) won’t help you if the server still accepts an older version with RSA key exchange and an attacker can force the connection down to it:

Supporting this small fraction of [RSA] users puts everyone at risk, as it allows the attacker to perform a downgrade attack by specifying RSA as the only public key algorithm supported by the server.

Of the nine TLS implementations tested by the team – OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL and BoringSSL – only the last two resisted the team’s new padding-oracle Cache ATtacks (CATs).

So, in summary, after 20 years of poking since Bleichenbacher, PKCS #1 v1.5 keeps being broken, including in implementations that were supposed to have mitigated its weaknesses.

Time to panic?

There are some caveats, the biggest of which is that the attacker described in the research needs to run code on the same physical host as the server (for example from a co-located virtual machine or process) in order to observe its cache, rather than attacking purely remotely.

Getting into that position would require some other compromise, including the ability to remain undetected in that environment. None of this is trivial, which is probably enough to convince most experts not to worry unduly that a real attack exploiting it will come to pass.

So, it’s more a demonstration of the old adage that “attacks only ever get better” than a new, panic-inducing vulnerability.

However, just to be on the safe side the researchers recommend:

The safest counter-measure is to deprecate the RSA key exchange and switch to (Elliptic Curve) Diffie-Hellman key exchanges.

The problem is that getting rid of RSA once and for all will be a function of time rather than an edict from on high.

As long as support for RSA continues in the real world, Bleichenbacher is a name that will keep cropping up.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VZZ10-Q879c/

He’s not cracked RSA-1024 encryption, he’s a very naughty Belarusian ransomware middleman

A ransomware decryption service has turned out to be – quelle surprise – a Belarusian middleman who simply pays the ransom and adds his own profit margin to the hapless victim’s bill.

Dr Shifro, a Russian-language organisation presenting itself online as a ransomware decryption agency, claims that it’s “the only company that specializes in decrypting files”, urging users: “Call – we will help!”

Following a sting operation by infosec research biz Check Point, however, it was revealed that Dr Shifro in fact “merely pays the ransomware’s creator themselves and passes on the cost to the victim – at a massive profit margin”. Check Point also said it found that Dr Shifro’s operator was happily emailing scans of their own passport and tax certificate to potential customers of their service.

Two Check Point researchers, Nikita Fokin and Alexey Bukhteyev, came across Dr Shifro while looking into the latest strains of the Dharma ransomware. The duo’s suspicions were instantly aroused by the company’s advertising, which, Check Point said, implied that an unheard-of Russian firm seemingly based in a Moscow back street was capable of breaking RSA-1024 encryption – that is, decrypting data the hard way without the private key.

Estimates vary, but most agree that doing such a thing with current hardware would take years, if not decades. Nonetheless, Check Point said it had “managed to get hold of” correspondence between Dr Shifro and a customer, which showed that Dr Shifro had decrypted ransomware-locked files within two hours of being sent them.

“Could it be possible that Dr Shifro… merely acts as a broker between ransomware operators and their victims for their own financial gain?” mused Fokin and Bukhteyev. “Such a quick response time could only mean that either Dr. Shifro has RSA private keys for this infection case or he instantly interacts with the ransomware’s operator to receive them.”

Setting a trap

The two set up a sting operation to find out, using the Dharma encryption algorithm and a freshly generated RSA-1024 public key to encrypt several files, as well as setting up an email address for a fake ransomware creator. They baited their trap by inserting that email address into the filename of the encrypted files before posing as a ransomware victim asking Dr Shifro for help.

Sure enough, they said, Dr Shifro “went silent for two days”. Then the fake ransomware creator received an email with the encrypted files attached, asking for help with decryption and offering payment in Bitcoin. Fokin and Bukhteyev emphasised that only they and Dr Shifro knew the fake ransomware creator’s email address, concluding that whoever had contacted them was behind the Russian decryption business.

Following some email exchanges between Dr Shifro and the fake ransomware creator, Check Point summarised the actor’s business model by explaining that “he is a mediator and regularly redeems keys for clients, sending Bitcoin without any questions”, adding: “He then asked for a discount on the 0.2 BTC we had requested to 0.15 BTC for the key. At this point we stopped communication.”

Just to be certain, Check Point then emailed Dr Shifro again, posing as the original victim, asking for a status update. The Russian company replied: “We managed to decrypt your files. Cost of the decryption tool is 150,000 rubles + visit by specialist 5000 rubles (the cost is for Moscow region).”

The firm “had added approximately $1,000 to the initial ransom price asked by our fake ‘Ransomware Operator’,” said Check Point.

And then it just gets strange

Unbelievably, Check Point was able to track down the real-world identity of Dr Shifro’s operator by simply asking for a copy of the contract that the firm offers to potential decryption clients, noting, poker-facedly: “The response we received contained a template of a civil contract and registration documents of the person behind Dr Shifro, including scans of his passport.”

Double-checking those details against Dr Shifro’s website, Check Point said it found the operator’s full name contained in a purported customer satisfaction letter published on the site. The name also checked out against Check Point’s own background research, which found that the pseudonymous email address he was using for Dr Shifro had been reused as a handle on enough social media sites for them to pinpoint a VKontakte profile with the person’s real name and mugshot.

His Bitcoin account showed a trade volume of just over 100 BTC over the past two years, which at current exchange rates is more than £300,000.

The Register has chosen not to name the man because while what he is doing may be unethical, it does not appear to be illegal. In addition, if he’s foolhardy enough to send scans of his passport, his Internal Revenue Service tax certificate and registration of residence to random strangers on the internet, karma will probably catch up with him sooner or later.

Check Point concluded: “Activities such as those carried out by Dr Shifro bring additional losses to ransomware victims due to the increased charges being demanded of them. Furthermore, these unethical activities merely encourage the popularity of ransomware as an attractive method for cyber criminals to use to extort money from the organizations and individuals they attack.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/04/ransomware_helper_was_middleman_dr_shifro/

5 Emerging Trends in Cybercrime

Organizations can start today to protect against 2019’s threats. Look out for crooks using AI “fuzzing” techniques, machine learning, and swarms.

To manage increasingly distributed and complex networks, organizations are adopting artificial intelligence (AI) and machine learning to automate tedious and time-consuming activities that normally require a high degree of human supervision and intervention. To address this transformation of the security ecosystem, the cybercriminal community has now clearly begun moving in the same direction.

My threat predictions, taken from Fortinet’s Threat Landscape Predictions for 2019, reveal five emerging malicious trends:

1. AI Fuzzing: Because zero-day exploits target vulnerabilities that no defender yet knows about, they are an especially effective cybercrime tactic. Fortunately, they are also rare, because of the time and expertise adversaries need to discover and weaponise them. One of the main techniques for discovering them is fuzzing.

Fuzzing is a sophisticated technique generally used in lab environments by professional threat researchers to discover vulnerabilities in hardware and software interfaces and applications. They do this by injecting invalid, unexpected, or semirandom data into an interface or program and then monitoring for events such as crashes, undocumented jumps to debug routines, failing code assertions, and potential memory leaks. Though using fuzzing to discover zero-day vulnerabilities has, so far, been beyond the scope of most cybercriminals, as AI and machine learning models are applied to this process it will become more efficient and effective. As a result, the rarity of zero-day exploits will change, which in turn will have a significant impact on securing network devices and systems.

2. Continual Zero-Days: While a large library of known exploits exists in the wild, our cyber adversaries are actually using less than 6% of them. However, to be effective, security tools need to be watching for all of them, as there is no way to know which 6% attackers will use. Also, as the volume of potential threats continues to grow, performance requirements will continue to escalate as the scope of the potential exploit landscape expands. To keep up, security tools will need to be increasingly intelligent about how and what they look for.

While there are some frameworks like zero-trust environments that may have a chance at defending against this reality, it is fair to say that most people are not prepared for the next generation of threats on the horizon — especially those that AI-based fuzzing techniques will soon begin to uncover. Traditional security approaches, such as patching or monitoring for known attacks, will become nearly obsolete as there will be little way to anticipate which aspect of a device can be potentially exploited. In an environment with the possibility of endless and highly commoditized zero-day attacks, even tools such as sandboxing, which were designed to detect unknown threats, would be quickly overwhelmed.

3. Swarms-as-a-Service: Advances in swarm-based intelligence technology are bringing us closer to a reality of swarm-based botnets that can operate collaboratively and autonomously to overwhelm existing defenses. These swarm networks will not only raise the bar in terms of the technologies needed to defend organizations, but, like zero-day mining, they will also have an impact on the underlying criminal business model, allowing them to expand their opportunity.

Currently, the criminal ecosystem is very people-driven. Professional hackers build custom exploits for a fee, and even newer offerings such as ransomware-as-a-service require black-hat engineers to stand up the various resources. But once autonomous, self-learning swarms are delivered as a service, the amount of direct interaction between a hacker-customer and a black-hat entrepreneur will drop dramatically, reducing risk for both while increasing profitability.

4. A la Carte Swarms: Dividing a swarm into multiple tasks to achieve a desired outcome is very similar to virtualization. In a virtualized network, virtual machines can be spun up or down as needed to address particular issues such as bandwidth. Likewise, resources in a swarm network could be allocated or reallocated to address specific challenges encountered in an attack chain. In a swarm-as-a-service environment, criminal entrepreneurs should be able to preprogram a swarm with a range of analysis tools and exploits, from compromise strategies to evasion and surreptitious data exfiltration, all offered on a criminal a la carte menu. And because swarms are by design self-learning and autonomous, they will need almost no interaction with or feedback from their swarm-master, nor a command-and-control centre, which is the Achilles’ heel of most attacks.

5. Poisoning Machine Learning: One of the most promising cybersecurity tools is machine learning. Devices and systems can be trained to perform specific tasks autonomously, such as baselining behavior, applying behavioral analytics to identify sophisticated threats, or taking effective countermeasures when facing a sophisticated threat. Tedious manual tasks, such as tracking and patching devices, can also be handed over to a properly trained system. However, this process can also be a two-edged sword. Machine learning has no conscience, so bad input is processed as readily as good. By targeting and poisoning the machine learning process, cybercriminals will be able to train devices or systems to not apply patches or updates to a particular device, to ignore specific types of applications or behaviors, or to not log specific traffic to better evade detection.
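The description of fuzzing under trend 1 above (feed a program invalid, unexpected or semi-random input and watch for crashes) is easiest to understand by running one. The following is an added example, not code from Fortinet or from this column: a small mutation fuzzer in Python aimed at a constructed, length-prefixed record parser that has a deliberate bounds-check bug, with a fixed version of the same parser alongside. The record format, the bug, the seed corpus and the mutation operators are all assumptions of the demo. The fuzzer treats the parser’s own ValueError as a clean rejection and anything else as a crash, then shrinks each crashing input with greedy byte deletion so the triggering case is readable.

```python
"""Mutation fuzzer over a toy length-prefixed record parser (added example)."""
import random


def parse_record(data: bytes) -> dict:
    """Record = [type][count][count payload bytes][checksum]. Deliberate bug: the
    declared count is trusted, so the checksum read overruns the buffer."""
    if len(data) < 3:
        raise ValueError("truncated record")
    rtype, count = data[0], data[1]
    payload = data[2:2 + count]
    checksum = data[2 + count]  # IndexError when count exceeds what was received
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, with the declared count validated against the buffer first."""
    if len(data) < 3:
        raise ValueError("truncated record")
    rtype, count = data[0], data[1]
    if len(data) < 3 + count:
        raise ValueError("count exceeds buffer")
    payload = data[2:2 + count]
    if sum(payload) % 256 != data[2 + count]:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One byte-level mutation: bit flip, byte overwrite, delete, insert, or duplicate a slice."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if not buf or op == 3:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        del buf[rng.randrange(len(buf))]
    else:
        i = rng.randrange(len(buf))
        j = rng.randrange(i, len(buf) + 1)
        buf[j:j] = buf[i:j]
    return bytes(buf)


def crash_type(target, data):
    """Exception class for an unexpected failure; None for success or a clean ValueError rejection."""
    try:
        target(data)
    except ValueError:
        return None
    except Exception as exc:  # anything else is a bug in the parser
        return type(exc)
    return None


def minimize(target, data, exc_type):
    """Greedy single-byte deletions for as long as the same crash class still reproduces."""
    progress = True
    while progress:
        progress = False
        for i in range(len(data)):
            cand = data[:i] + data[i + 1:]
            if crash_type(target, cand) is exc_type:
                data, progress = cand, True
                break
    return data


def fuzz(target, corpus, iterations=2000, seed=1):
    """Map exception name -> minimized crashing input, found by mutating the corpus."""
    rng = random.Random(seed)
    found = {}
    for _ in range(iterations):
        data = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):  # stack one to three mutations
            data = mutate(data, rng)
        exc = crash_type(target, data)
        if exc is not None and exc.__name__ not in found:
            found[exc.__name__] = minimize(target, data, exc)
    return found


# Constructed seed corpus: one valid record, type 1, payload "abc", checksum sum("abc") % 256 = 0x26.
SEED_CORPUS = [b"\x01\x03abc\x26"]

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_record, SEED_CORPUS))
    print("fixed parser:", fuzz(parse_record_fixed, SEED_CORPUS))
```

Against the buggy parser the fuzzer reports an IndexError and shrinks the trigger to a three-byte record whose count field overstates the payload; against the fixed parser it finds nothing. The AI angle in the column is about choosing mutations and seeds more cleverly than the uniform random choices made here, not about changing this basic loop.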

Preparing for Tomorrow’s Threats
Understanding the direction being taken by some of the most forward-thinking malicious actors requires organizations to rethink their current security strategy. Given the nature of today’s global threat landscape, organizations must react to threats at machine speed. Machine learning and AI can help in this fight. Integrating machine learning and AI across point products deployed throughout the distributed network, combined with automation and innovation, will significantly help fight increasingly aggressive cybercrime. It is just as important to remember, however, that these will soon be the same tools being leveraged against you, and to plan accordingly.
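Trend 5 above, and the closing warning that your own learning tools will be turned against you, can be shown in a few dozen lines. The following is an added example, not Fortinet’s code or a product: a baseline anomaly detector over hourly outbound traffic volume (mean plus three standard deviations), trained once on clean traffic and once on traffic an attacker has slowly ramped up during the learning window, so that a later exfiltration falls inside the poisoned baseline. All traffic figures are constructed, and the drift gate that compares new training data against a pinned reference model is one simple countermeasure, not a complete defence.

```python
"""Poisoning a behaviour-baselining anomaly detector (added example)."""
import random
import statistics


def clean_hours(n, rng, mean_mb=100.0, sd_mb=10.0):
    """Constructed baseline: n hourly outbound totals in MB, roughly normal."""
    return [max(0.0, rng.gauss(mean_mb, sd_mb)) for _ in range(n)]


def poison(samples, ramp_to_mb):
    """Boiling-frog poisoning: add a slowly rising amount of attacker traffic across
    the training window so the model learns that large transfers are normal."""
    n = len(samples)
    return [v + ramp_to_mb * i / (n - 1) for i, v in enumerate(samples)]


def train(samples, pinned=None, max_drift=0.5):
    """Fit a mean/sd model. With a pinned reference model, refuse training data whose
    mean has drifted more than max_drift (as a fraction) from it: a cheap poisoning gate."""
    model = {"mean": statistics.fmean(samples), "sd": statistics.pstdev(samples)}
    if pinned is not None and abs(model["mean"] - pinned["mean"]) > max_drift * pinned["mean"]:
        raise ValueError(
            f"training data drifted to {model['mean']:.0f} MB/h vs pinned {pinned['mean']:.0f} MB/h"
        )
    return model


def is_anomalous(model, value_mb, z=3.0):
    """Flag an hour whose volume exceeds mean + z standard deviations."""
    return value_mb > model["mean"] + z * model["sd"]


def demo(seed=7, training_hours=24 * 14, exfil_mb=600.0):
    """Returns (flagged by the clean model, flagged by the poisoned model) for one exfil hour."""
    rng = random.Random(seed)
    clean = clean_hours(training_hours, rng)
    clean_model = train(clean)
    poisoned_model = train(poison(clean, ramp_to_mb=500.0))
    return is_anomalous(clean_model, exfil_mb), is_anomalous(poisoned_model, exfil_mb)


def gate_blocks_poisoning(seed=7, training_hours=24 * 14):
    """True when a pinned clean model makes train() reject the poisoned window."""
    rng = random.Random(seed)
    clean = clean_hours(training_hours, rng)
    try:
        train(poison(clean, ramp_to_mb=500.0), pinned=train(clean))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    clean_flag, poisoned_flag = demo()
    print(f"600 MB/h exfil flagged: clean model={clean_flag}, poisoned model={poisoned_flag}")
    print(f"drift gate rejects poisoned training data: {gate_blocks_poisoning()}")
```

The clean model learns a threshold around 130 MB per hour and flags the 600 MB exfiltration; the poisoned model has absorbed the ramp, its mean and spread have grown to put the threshold near 780 MB, and the same hour passes unnoticed. Pinning a trusted baseline and refusing retraining data that drifts too far from it catches this particular ramp, which is the point of the column: any system that learns from observed behaviour needs its training inputs treated as attacker-influenced data.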

Related Content:
7 Real-Life Dangers That Threaten Cybersecurity
Rise of the ‘Hivenet’: Botnets That Think for Themselves
Defending Against an Automated Attack Chain: Are You Ready?

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy …

Article source: https://www.darkreading.com/endpoint/5-emerging-trends-in-cybercrime/a/d-id/1333363?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Jared, Kay Jewelers Web Vuln Exposes Shoppers’ Data

A Jared customer found he could access other orders by changing a link in his confirmation email.

Major jewelry retailers Jared and Kay Jewelers have patched a website vulnerability that exposed order information for their online customers, Krebs on Security reported this week.

The bug was discovered and reported by a Jared customer who learned he could access other shoppers’ orders by altering a link in his confirmation email and pasting the modified link into his browser. It was a small change, the report states, but it led him to orders containing people’s names, billing and shipping addresses, phone numbers, email addresses, items and amount purchased, delivery date, tracking link, and the last four digits of the credit card used.
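The pattern behind this bug is an insecure direct object reference: the confirmation link carries an order identifier, and the server hands back whatever order that identifier names. The following is an added example, not Signet’s code; the shop hostname, the order records and the server key are all made up for the demo. It shows the vulnerable lookup beside a hardened one that binds each link to its order with a keyed HMAC and, when the visitor is logged in, additionally checks that the order belongs to that account.

```python
"""Order-confirmation link lookup, vulnerable and hardened (added example)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample orders keyed by a sequential id, as most order tables are.
ORDERS = {
    1001: {"customer": "alice@example.net", "items": ["ring"], "card_last4": "4242"},
    1002: {"customer": "bob@example.net", "items": ["watch"], "card_last4": "0005"},
}
# Hypothetical per-deployment secret; in production load it from a secret store, never hard-code it.
SERVER_KEY = b"demo-only-key-load-from-secret-store"


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def lookup_vulnerable(url):
    """Serves whatever id the link names: edit order=1001 to 1002 and you get Bob's order."""
    return ORDERS.get(int(_query(url)["order"]))


def _tag(order_id):
    # 256-bit HMAC over the exact order id; without SERVER_KEY a tag cannot be forged or transplanted.
    return hmac.new(SERVER_KEY, f"order:{order_id}".encode(), hashlib.sha256).hexdigest()


def make_link(order_id):
    """Link to put in the confirmation email: the id stays readable, the tag makes it unguessable."""
    return f"https://shop.example/order?order={order_id}&t={_tag(order_id)}"


def lookup_hardened(url, session_user=None):
    """Serve the order only if the link carries a valid tag for that exact id and,
    when the visitor is logged in, only if the order belongs to that account."""
    q = _query(url)
    try:
        order_id = int(q.get("order", ""))
    except ValueError:
        return None
    if not hmac.compare_digest(q.get("t", ""), _tag(order_id)):  # constant-time comparison
        return None
    order = ORDERS.get(order_id)
    if order is None or (session_user is not None and session_user != order["customer"]):
        return None
    return order


if __name__ == "__main__":
    link = make_link(1001)
    tampered = link.replace("order=1001", "order=1002")
    print("vulnerable, tampered link:", lookup_vulnerable(tampered))
    print("hardened, tampered link:  ", lookup_hardened(tampered))
    print("hardened, genuine link:   ", lookup_hardened(link))
```

Sequential order numbers are not the problem in themselves; the problem is that the number alone was treated as authorization. A real deployment would also give the tag an expiry and log tag-mismatch lookups, since a burst of them is exactly what enumeration of other customers’ orders looks like.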

Recognizing the potential for criminals to abuse this data and concerned for the safety of his own, he reached out to Signet Jewelers, parent company of Jared and Kay Jewelers. Signet reports it fixed the problem for future orders; however, the shopper who found the problem claims the company didn’t address data exposure for past orders until he reported it to Krebs.

Signet states the issue was limited to online orders for both Jared and Kay, and the websites of its other companies (Zales and Piercing Pagoda among them) were not affected.

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/jared-kay-jewelers-web-vuln-exposes-shoppers-data/d/d-id/1333392?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Iceman’ hacker charged with running drone-smuggling ring from jail

Max Ray Vision, a computer security consultant turned hacker who is serving a 13-year prison sentence for hacking that was record-setting when he was sent away in 2010, has racked up more charges from behind bars.

The Daily Beast reported on Friday that Vision – formerly Max Ray Butler, who goes by the handle Iceman – allegedly used a contraband cellphone to loot debit card accounts and to then fund the delivery, via remote-controlled drone, of even more contraband dropped into a Louisiana prison yard.

Vision, 46, pleaded not guilty to the charges during an arraignment last month in Lake Charles, Louisiana, according to his case docket. A hearing in his case has been set for 20 December.

The Iceman pleaded guilty in February 2010 to two counts of wire fraud connected to the theft of 1.8 million credit card numbers and $86 million in fraudulent purchases.

This is a guy with a whole lot of hacking history, both on the right and the wrong side of the law. To give you a sense of his background, The Daily Beast’s Kevin Poulsen notes that he interviewed Vision for a book that wound up titled Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.

Vision wasn’t sated with the fruits of his ravenous payment card appetite. No, he went from there to not only starting a market for credit card thieves but also eating up competing cybercrime forums. From the Daily Beast:

Under the moniker “Iceman,” Vision operated an underground criminal marketplace called CardersMarket that brought hackers and identity thieves together to do business. The site achieved legendary status in 2006 when Vision hacked into competing cybercrime forums and merged them into his own site by force, a move that marked the computer underground’s first hostile takeover.

Vision is so infamous that CNBC featured him in an episode of American Greed: a true-crime series about the “dark side of the American dream,” where “some people will do ANYTHING for MONEY.”

The latest charges

The indictment, seen by Poulsen, centers on Vision’s time at the Federal Correctional Center in Oakdale, Louisiana. In October 2014, he allegedly got his hands on a myTouch T-Mobile Android phone that had been smuggled into the prison.

He allegedly used the phone for more than a year before he began using it to “access the internet and obtain stolen debit card numbers” in December 2015, according to the indictment.

Allegedly using ill-gotten payment card numbers, Vision then used Western Union and Moneygram mobile apps to send $300 cash payments to the jail accounts of fellow inmates. The indictment names five as co-defendants: what The Daily Beast describes as “a mixed crew of bank robbers and crack cocaine dealers serving sentences of as long as 15 years.”

One of them is said to be a former cellmate of Vision’s named Jason Dane Tidwell with a history of gun and drug charges who stayed in the area after his May 2015 release. Prosecutors say that Tidwell stayed in touch with Vision via an encrypted messaging app.

Vision allegedly told Tidwell to buy a remotely piloted drone with some of the debit card scam proceeds. In the spring of 2016, the indictment says that Tidwell, Vision and two other inmates planned their first drone delivery of more cell phones, tobacco and drugs. They screwed up the first attempt, so Tidwell found somebody with better flying skills. That did the trick: on 24 April 2016, at 1:19 in the morning, the drone flew over two layers of barbed-wire fences, then dropped a bag into the prison’s recreation yard.

A snitch ratted them out the next day, but guards never managed to find the contraband. One inmate, Phillip Tyler Hammons, confessed to picking up the contraband airdrop, and he fingered Vision as the mastermind behind the plan.

Why risk more time?

Vision is currently set for release in April 2019. Why would he jeopardize his long-awaited freedom?

According to court documents, he is planning to claim he was set up. In fact, he’s written in two federal lawsuits filed against Oakdale prison staff that Hammons falsely implicated him because he was miffed about a tiff over rules in a role-playing game. Here’s the Daily Beast again:

Vision claims that it was Hammons who was responsible for the drone, as well as everything done with the contraband cell phone. Hammons pointed the finger at Vision because he was fuming over a rules dispute between the two men during a recent game of Pathfinder, a Dungeons and Dragons-like role playing game.

What proof does the Bureau of Prisons (BOP) have that Vision masterminded the drone drops and payment card rip-offs? It doesn’t describe how Vision allegedly stole the debit card details, but its documents note that the myTouch smartphone showed evidence of “logons to hacker forums” made through Tor. That could have been anybody with knowledge of the anonymizing browser, but that description certainly fits Vision.

Regardless of whether the Iceman was behind the debit card rip-off/drone-delivery scheme or whether it was another inmate, something’s got to give. This is just another example of the crimes that criminals can still pull off while they’re incarcerated. Another recent example was that of a $560K sextortion scam run by inmates, in which they posted fake profiles of young women, sent nude photos to the service members who engaged in chats with the profiles, and then claimed to be fathers or police contacting them to let them know the “girls” were underage.

All that can be done via a mobile phone and a network of allies on the outside. So too can phones be used to call for hits on rivals and enemies.

Prisons have tried multiple ways to stop the smuggling of those phones, be it netting to catch the phones that get tossed over the fence or cell signal access filtering technology. The latter has proved successful, but prison administrators say it’s too expensive to implement widely.

Also, in June, the Federal Aviation Administration (FAA) established temporary no-fly zones around maximum security prisons for Unmanned Aircraft Systems (UASes). The BOP told the Daily Beast that it’s also drawing up plans to intercept and destroy drones that pose a “credible threat” to federal prisons.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5LfEt0HGX-o/

Zoom patches serious video conferencing bug

Zoom patched a bug this week that enabled people to hijack customer video conferences. Attackers with network access could have taken control of participating computers, researchers discovered.

Zoom sells video conferencing software for the business market and says that over 750,000 companies use its platform. This bug allowed attackers to spoof chat messages and kick attendees out of meetings.

David Wells, a researcher at Tenable Security, reported the bug and provided an analysis including a proof of concept demonstration video explaining how attackers could compromise the Zoom system.

The vulnerability, which affected the Windows, Mac and Linux versions of Zoom’s software, lay in the way the company queued and processed messages in its software, Wells said.

This vulnerability affects the following Zoom versions:

  • macOS 10.13, Zoom 4.1.33259.0925
  • Windows 10, Zoom 4.1.33259.0925
  • Ubuntu 14.04, Zoom 2.4.129780.0915

The internal mechanism that Zoom uses to send its network messages handles two kinds of network packet: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). While TCP would typically be used to control sessions, UDP is a simpler protocol often used to send session content.

UDP doesn’t have the kind of handshaking and packet-loss recovery overhead that you find in TCP, making it leaner and meaner. It’s perfect for the latency-sensitive network communications that you’d find in audio and video conferencing.

The messaging mechanism dispatches both kinds of packet to the same message handler. Wells worked out a way to craft a malformed UDP packet that the message handler interprets as a TCP message. The exploit works because the message handler doesn’t validate incoming messages, so it never spots the malformed packet, according to Tenable’s synopsis.

The message handler accepts the UDP packets even when encrypted sessions are enabled, meaning that attackers do not need to authenticate themselves on the system first. That makes it possible for attackers outside of rogue meeting attendees to hijack a meeting. An attacker can be on the local network, or even on a WAN connection, suggests Wells, by brute-forcing the port that the victim is using for their UDP session with the Zoom server.

An attacker could take control of a computer by targeting a remote attendee sharing their screen during a session, said Tenable’s analysis. They could then bypass screen control permissions and send keystrokes and mouse movements directly to that participant’s machine. In practice, though, they’d have to avoid packet loss, which is a common occurrence in UDP sessions, and which could cause their keystrokes to go amiss. They would also have to avoid the victim noticing what they’re doing and stopping them.
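The design weakness described above, a single handler that trusts the message type claimed in the payload rather than the transport the bytes actually arrived on, is easier to see in code. The following is an added illustration, not Zoom’s code or Tenable’s proof of concept; the message format, the type names (`chat`, `kick_attendee`, `remote_control`, `media_frame`) and the function names are assumptions. It puts a weak dispatcher beside a hardened one that binds each message type to a permitted transport and refuses control messages that arrive over the unauthenticated media path.

```python
from dataclasses import dataclass, field

# Constructed example: a simplified two-transport message dispatcher.
TCP = "tcp"
UDP = "udp"


@dataclass(frozen=True)
class Message:
    transport: str       # set by the socket layer from the socket the bytes came in on, never from the payload
    kind: str            # message type claimed in the payload header (attacker-controlled)
    authenticated: bool  # did the session layer verify the sender of this message?
    body: dict = field(default_factory=dict)


# Policy: the only transport each message type may arrive on (assumed names).
ALLOWED_TRANSPORT = {
    "chat": TCP,
    "kick_attendee": TCP,
    "remote_control": TCP,
    "media_frame": UDP,
}


def handle_chat(msg):
    return ("handled", "chat", msg.body.get("text", ""))


def handle_kick(msg):
    return ("handled", "kick_attendee", msg.body.get("target", ""))


def handle_remote_control(msg):
    return ("handled", "remote_control", msg.body.get("input", ""))


def handle_media(msg):
    return ("handled", "media_frame", len(msg.body.get("frame", b"")))


HANDLERS = {
    "chat": handle_chat,
    "kick_attendee": handle_kick,
    "remote_control": handle_remote_control,
    "media_frame": handle_media,
}


def weak_dispatch(msg):
    """Shared handler that trusts the claimed type alone: a media-path packet
    whose header says 'kick_attendee' is acted on as a real control message."""
    handler = HANDLERS.get(msg.kind)
    if handler is None:
        return ("dropped", "unknown type")
    return handler(msg)


def hardened_dispatch(msg):
    """Same handler table, but the message is checked against the transport it
    really arrived on and the session state before any handler runs."""
    expected = ALLOWED_TRANSPORT.get(msg.kind)
    if expected is None:
        return ("dropped", "unknown type")
    if msg.transport != expected:
        return ("dropped", f"{msg.kind} is not accepted over {msg.transport}")
    if expected == TCP and not msg.authenticated:
        return ("dropped", "control message from an unauthenticated session")
    return HANDLERS[msg.kind](msg)


# Constructed sample traffic: three legitimate messages and one media-path
# packet dressed up as a control message.
SAMPLE_MESSAGES = [
    Message(TCP, "chat", True, {"text": "hello"}),
    Message(UDP, "media_frame", True, {"frame": b"\x00" * 1200}),
    Message(TCP, "kick_attendee", True, {"target": "user-42"}),
    Message(UDP, "kick_attendee", False, {"target": "user-42"}),  # spoofed
]


def run(dispatch, messages=SAMPLE_MESSAGES):
    """Return the outcome of each message under the given dispatcher."""
    return [dispatch(m) for m in messages]


if __name__ == "__main__":
    for label, dispatch in (("weak", weak_dispatch), ("hardened", hardened_dispatch)):
        print(label)
        for outcome in run(dispatch):
            print("  ", outcome)
```

The point of the hardened version is that `transport` is a fact recorded by the receiving code, not a field a peer can write, so a packet cannot talk its way from the media path into the control path. Logging the `dropped` outcomes also gives a detection signal: control-type headers arriving over the media transport from an unauthenticated source have no legitimate cause.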

Tenable first gave Zoom the full details of this flaw on 11 October, and the video conferencing company released fixed versions for its Windows and Mac clients on 20 November, following up with a fix for the Linux client on 30 November.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/g0mqWT-QF-A/

AirDrop an unwanted nude pic and you could face stiff penalties

It has come to the attention of the New York City Council that there have been certain disclosures of – ahem – intimate images, conveyed via portable electronic pocket telephones, that have been inflicted upon strangers in order to harass, annoy or alarm.

If a bill introduced last week by the council makes it into law, legions of hands-down-the-pants photographers could be left holding stiff penalties.

The bill would make it a misdemeanor “for a person to send an unsolicited sexually explicit video or image to another person with intent to harass, annoy or alarm such other person.” Anybody who gets caught beaming their junk out could be looking at up to a year in jail, a fine of up to $1,000, or both.

It’s called cyber-flashing, and it’s a modern-day version of flashing that dispenses with the need for a trench coat and sneakers to make a quick get-away. The term refers to the practice of sending obscene photos to strangers through Apple’s AirDrop: an iOS file-sharing app that enables users to send photos, videos and documents instantly over a wireless connection to anyone within 30 feet who’s left the feature open to being contacted by everyone.

By default, AirDrop accepts content only from people in your contact list. Unfortunately, people often switch it to accept from anybody and everybody, and then forget to set it back to contacts-only.

That’s led to a growing number of incidents, such as what happened last year to a Huffington Post UK writer who reported that she’d been gang-flashed with 120 down-the-pants images while riding on the London Underground.

At the time – August 2017 – London police didn’t think that it amounted to an epidemic despite headlines about the “horrific public transport craze.”

However, the UK is ahead of New York on this one: sending indecent images is classified under section 66 of the Sexual Offences Act (2003), given that it’s the same as exposing genitals and intending that the recipient “see them and be caused alarm or distress”. The penalty for breaking the law is a prison term of up to two years.

One little problem: anonymity

Penalizing the propagandists of penises and other private parts is a satisfying notion, but there’s a bit of a hitch: AirDrop allows people to send images anonymously. It also keeps recipients anonymous: senders might never know who, within a 30-foot radius, has received their little package, since AirDrop only identifies nearby phones by their nicknames.

Be that as it may. Donovan J. Richards, a councilman from the New York borough of Queens and a co-sponsor of the bill, told the New York Times that the legislation is intended to raise awareness, and to lessen the sense of impunity that emboldens the creeps who send the pics:

If you do it, the message we are sending is that the repercussion is a fine or jail time.

AirDrop works via Wi-Fi and Bluetooth. A similar function has recently come to some Android devices in the form of a feature called AirDroid that offers wireless file transfer.

But what makes iOS devices particularly susceptible to cyber flashing is that AirDrop automatically shows an image preview when it asks a recipient to accept or decline a photo – thus, there’s no way of not seeing the fleshy missive if the feature is on and open to receiving content from one and all.

How to not see the fleshy missive

The way to avoid having your eyeballs assaulted is to either turn off AirDrop or set it for use only between phone contacts (Apple’s default setting).

Here’s how to keep the creeps off your phone:

  • In the main settings app, select General, and then AirDrop. Then select either Receiving Off or Contacts Only. The Everyone setting is what the creeps take advantage of.
  • On newer iPhones, you can also swipe up from any screen to bring up the control center. Press and hold the network settings card that contains the Bluetooth and Wi-Fi icons to open another menu where you’ll find an AirDrop icon. Tap it, and you’ll be presented with options for Receiving Off, Contacts Only and Everyone.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CBdBIEfwW_M/