STE WILLIAMS

Parents slam “weirdo” fraudsters for using child’s Facebook pic for cash

Did you see that viral post showing an adorably glowering kid posing for his school portrait last week? He’s got his hands in the pockets of his pink pants in one photo, he’s sitting in front of a container full of fake grass in another, and he’s just staring balefully straight at the camera in a third.

So what’s with the sour face? Does he hate pink? Did he get teased?

No, said “El Prive,” there’s nothing wrong with his “son.” It’s just that he ate the last Pop-Tart, and the boy said he’d never smile again. And, of course, #poptartforeverfund #cashapp $bandobill.

#SimplyAdorbs! Within two days, the post was reportedly shared more than 156K times and had garnered well over 40K comments.

…And then the boy’s real parents weighed in. Last Monday, the lad’s mom put up a post saying – Hey, #ThatIsn’tYourSon and #Don’tUseOurSonForLikesOrMoney.

And thus was set off Pop-Tart-gate.

A woman named Tantarnea Arnold who goes by the name of LaShunta on Facebook posted about El Prive – who the Daily Mail identified as Bill Muhammad and whose Facebook page identifies as Bandobill™:

So Kari’s school pics from last year have gone viral. Nothing we can do about that part…it is what it is. There are a lot of posts/memes going around about him, and I must admit, some are hilarious. But it still doesn’t sit well with me that he’s being posted world wide. But like I said, it’s out there now and we can’t stop it. However, if you happen to see a post where someone is claiming him as their child, that is not funny…I don’t care if it is just a joke. Don’t be out here trying to use our son for likes or money. That’s lame and so disrespectful. Please, if yall continue to see people claiming him, claiming the pic as theirs, creating GoFundMe accounts and making money from my baby’s pics, please report it and let us know. Thanks!

At this point, given that we shouldn’t blindly trust anything we read on the internet, we should be questioning whether Ms. Arnold is, in fact, the true mother of the furrowed-brow tot, and for that matter, whether the kid in the photo is really somebody named Makari Arnold. But given that her Facebook profile and photos are publicly accessible, and that multiple photos on her page depict a (smiling!) child who looks like the child in the viral post, we can grant her the benefit of the doubt and assume that she’s on the up and up.

The boy’s father, Michael Arnold, also posted about the pictures, asking:

What type of weirdo claims somebody else son?
If yall see any go fund me accounts @ me or report.

Two days after Ms. Arnold aired her indignation, Bandobill™ claimed that he’d lost his job over the incident.

LOST my job over misunderstanding and numerous calls to my corporate office for accusations of fraud… and being on news…. mission accomplished people

Y’all so tight

It’s just a JOKE, people, he said, no harm intended, and many commenters agreed with him. Others said this was no “misunderstanding”… not given that he includes a Cash App request.

What’s the misunderstanding? You don’t post someone else’s kid without their permission. You def don’t put your cash app on that pic like you need money for the kid. That looks like fraud.

Cash App is a mobile payment app that lets users transfer money to each other using a mobile phone. Muhammad claimed that only $23.52 was raised and will go to a Kentucky homeless shelter, on top of another $200 from his own pocket.

Why were his photos publicly posted to begin with?

On Monday, Tantarnea Arnold said that the photos were taken last year at her son’s daycare center. She said that a cousin had posted the photos and that they subsequently went viral.

People like to share photos of their kids online. Even if they don’t, their friends and family are happy to step in and do it in their stead. Back in 2013, we asked readers whether they thought that posting photos of your kids online makes you a bad parent.

Nearly 72% said “No, but I am careful about what information I post about my children.”

That caution is encouraging, but we have to put it into perspective: people who read blogs about information security such as Naked Security would of course tend to be more informed than the general population about the potential harm of sharing photos.

What potential harm? Well, as the Arnolds can certainly attest, it doesn’t feel good to have your child’s photo used in somebody else’s joke, be it a non-malicious one or one that’s designed to rip people off. Also in the “that’s creepy” realm, we’ve seen online role players photo-nap kids and list them for “adoption.” Pedophiles, of course, photo-nap kids for their own use. And misery can also come from being teased by cyberbullies or being tormented over the images by schoolmates.

In spite of such potential dangers, we’re still sharing photos of children (and of others who are powerless to protest, such as the elderly or the unconscious, intubated or sedated) at a furious clip.

Experts say that on average, by the age of 13, parents have posted 1,300 photos and videos of their child to social media. According to a report published earlier this month by the UK’s Children’s Commissioner that looked into the collection and sharing of children’s data, the photo dump explodes when children themselves start posting online: on average, children post to social media 26 times per day for a total of nearly 70,000 posts by the time they reach the age of 18.

While we’re aware of the short-term dangers that can come from children’s photos falling into the wrong hands, it’s still too early to discern the dangers that can arise long-term, after a lifetime of children’s images and personal data being amassed from social media, smart toys and other connected devices, the Children’s Commissioner said:

This is not just about parents and children sharing information on social media, even though that is part of the issue. It is also increasingly about smart toys, speakers and other connected devices which are being brought into more and more homes. It is about the proliferation of monitoring equipment that parents can buy, from pedometers to location tracking watches. And it is about information that is given away when children use essential public services such as schools and GPs – something which they might have very little control over. Children are being “datafied” – not just via social media, but in many aspects of their lives.

Beyond stranger danger, will this lead to Big Data applications in the future? Will information about your 4-year-old somehow influence their future college application? Will their personal health data affect their ability to take out insurance in the future?

Time will tell.

In the meantime, Makari’s photos have had more than a year to spread far and wide, and there’s no way the Arnolds can ever get them back. What they can do: try to limit the audience for their photos and, thereby, (hopefully) stop other photos of their two children from being used in similarly offensive ways. Here’s how:

How to limit the audience of past Facebook posts

  1. Click the down arrow at the top right of any Facebook page and choose Settings
  2. Select Privacy from the menu on the left-hand side
  3. Under Your activity, click Limit the audience for posts you’ve shared with friends of friends or Public?
  4. Click Limit Past Posts

How to lock down the privacy of your future Facebook posts

  1. Click the down arrow at the top right of any Facebook page and choose Settings
  2. Select Privacy from the menu on the left-hand side
  3. Under Your activity, click Who can see your future posts?
  4. Here you can choose to limit the posts to Friends only, or a custom list of people you choose.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7eFuqf1JNFA/

Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM ‘playing up’

An NCC Group graduate trainee who emailed 300 coworkers to ask for help with what she deemed to be “unusual” behaviour from her Kali Linux VM; contacted the firm’s incident response team to complain about a faulty laptop; and said the machine had been “deliberately sabotaged”, has had her victimisation claim thrown out by an employment tribunal.

Nga Hoang, who joined NCC in June 2016 on its graduate trainee scheme, claimed to the London South Employment Tribunal that her litany of 13 protected disclosures and 17 “detriments”, as defined in employment law (here and here), began just 10 days after she started working for the infosec consultancy.

The tribunal took place in Croydon, south London, from 25 to 29 June this year, and the outcome was published this month.

Employment Judge Baron, sitting with two lay members, dismissed her entire case on 1 November (PDF), saying there was “no merit in any of the multiplicity of allegations” Hoang had made. She alleged her work laptop had been hacked from within the company network and that she was sacked for, among other things, revealing this to a laptop repair technician from Dell.

Hoang had had problems with her company-issued Dell laptop when she started on NCC’s six-month-long graduate trainee programme. According to Hoang’s written submission to the tribunal, her email to her line manager about her Windows 7 machine read as follows:

I have had odd things happening on my laptop since the first week. These would include the screen suddenly freezing up on one occasion, killing off multiple instances of an internal connection to a newly installed VM, over the past week my Kali VM instance would shut down by itself when I have been away from my laptop, intermittent issues with my wireless adapter, file shares that I have manually deleted open up again (this does not include after start-up which is done automatically), files mysteriously [being] deleted on my virtual machines – this is a specific folder on Kali that is used to store all my hacker tools – this is quite serious since I cannot imagine any scenario where I would have done this accidentally and this means I have to spend time going over previous work to reinstall software.

If it were just a one-off I wouldn’t mention it… but if I do notice it happening again it would be good to know what process I should follow.

Rather than accepting, as her line manager Colin Gillingham concluded, that the problems “could be caused by either faulty hardware, the unreliable installation of software, or software conflicts,” Hoang told her bosses that she was “concerned” about “unauthorised access to my laptop”.

Gillingham said in his evidence that the “very nature of the work of computer security meant that software conflicts were likely to arise between hacking tools deliberately installed for testing purposes and antivirus software which was designed to prevent hacking”.

NCC’s internal IT helpdesk diagnosed it as a motherboard problem and booked a Dell engineer to come and repair her laptop.

“At this time the Claimant made the first suggestion of working from home,” said the tribunal in its judgment, adding that Hoang had now started believing her laptop had been “deliberately sabotaged”, though it said: “There was no corroborating evidence to support that belief.”

Not long afterwards, Hoang asked to be posted from Basingstoke to Milton Keynes (which NCC agreed to, though she did not pursue the move) before making a formal complaint of “collective bullying behaviour” by her co-workers.

Hoang also emailed associate ops director Darren James to say her personal phone “may potentially have some kind of breach as it has been acting peculiarly,” telling the tribunal under cross-examination that “it was intuition” which led her to believe this.

As recounted in the judgment, Hoang spent her time in a group training session with “her laptop and two phones [used] to form a barrier” between her and others in the session, before walking out altogether “due to trying to get her laptop fixed”. The so-called DiSC session was organised so graduate trainees could “learn about their own personality types and how they interact and communicate” with others, with the tribunal describing her behaviour as “wholly inappropriate”.

After several meetings with managers and HR reps, Hoang decided to email NCC’s Cyber Incident Response Team complaining that her laptop had unlocked itself while she was away from it, having decided that the IT helpdesk’s suggestion of reinstalling Windows was not good enough. The CIRT is a customer-facing organisation set up to deal with corporate customers’ data breach fears, according to NCC’s website. She also emailed 300 co-workers, on three separate email lists, asking for more help with Kali Linux virtual machines and her laptop unlocking itself. She was later told: “It’s just a case of locking with ctrl-alt-delete in focus and better alternative is to use Windows key + L.”

In a meeting with James and HR rep Laura Kennedy-Gill, Hoang said she did not accept the internal investigation into her laptop troubles because the investigating team “was not independent”. Three months after starting at NCC, and halfway through the grad trainee scheme, Hoang told her assigned mentor: “There is not much point having a meeting as I’ve not made any progress” on a research project she had been assigned as part of her training scheme.

Gillingham eventually decided that Hoang was not capable of working as part of a team and she was dismissed by NCC in mid-October 2016 “due to a breakdown in the working relationship” on the grounds that she failed her probationary period, though the company later conceded in front of the tribunal that it was because of a lack of communication and soft skills.

In handing down its judgment, which was published on 7 November (PDF), the tribunal ruled: “We find that the Claimant did not make any protected disclosures, and so the claims of having suffered detriments on the ground of having made one or more protected disclosures necessarily fail.

“It must by now be the experience of most people that computers develop hardware faults, and also that there are often software issues causing unexpected things to happen. We have accepted that this was more likely than usual in the Claimant’s case because of the nature of the Respondent’s business.”

We have asked NCC Group to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/27/ncc_group_employment_tribunal_grad_trainee/

Uber fined £385k by ICO for THAT hack of 57m customers’ deets

The UK’s data watchdog has slapped a £385,000 penalty on app-not-driving-service baddie Uber for security weak spots that attackers exploited to expose the details of millions of customers.

Two fiends accessed the data after snatching login credentials for Uber’s AWS S3 data stores from the firm’s GitHub code repo.

The hack, which Uber ‘fessed up to in November 2017 but which actually happened 12 to 13 months earlier, saw ne’er-do-wells nab information on 57 million punters globally, including full names, email addresses and phone numbers.

The personal details of 2.7 million Brit punters were scooped up in the security skirmish, as were the records of roughly 82,000 drivers based in the UK that ranged from details of journeys made to payments taken.

Rather than admitting to the hack affecting tens of millions of passengers, Uber’s co-founder and former CEO Travis Kalanick decided it would be better to keep schtum and not go public with the mess. Instead, Uber paid off the hackers to the tune of $100,000 to destroy the downloaded data.

The latest CEO, Dara Khosrowshahi, installed in August 2017, questioned why customers caught up in the security snafu were not made aware of it earlier, and neither were US state or federal authorities.

ICO director of investigations Steve Eckersley, said:

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

“Paying attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” he added.

There was no legal duty to report the breach under the Data Protection Act (DPA) 1998, but that all changed when GDPR was introduced in May: now firms have 72 hours to inform the ICO or have a bloody good reason for not doing so.

The Dutch Data Protection Authority today imposed a fine of €600,000 on Uber B.V. and Uber Technologies for flouting the local DPA. The hack hit 174,000 Dutch citizens.

Uber was forced to pay $148m to US state authorities to settle the 2016 breach, the largest penalty handed out by multiple states. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/27/uber_fined_385k_by_ico_for_that_hack_of_57m_customers_deets/

Oz opposition caves, offers encryption backdoor compromise

Mark Dreyfus, the Labor opposition’s shadow Attorney General, has offered a compromise on Australia’s controversial encryption backdooring bill that could see it passed, but with its operation restricted to counter-terrorism agencies.

The request for urgency, Dreyfus said, was driven by the government’s “short term” concerns about counter terrorism.

“One of the options for the committee is to look at potentially an interim report, interim processing of part of the bill, in order that the government’s stated purpose of urgency can be served, while the committee continues to consider the remainder of the bill and tries to deal with the multitude of concerns that have been expressed”, he said.

Responding to the Australian government’s demand that its forced-decryption legislation be fast-tracked, the parliamentary committee scrutinising the bill had extra short-notice hearings yesterday.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) heard from spy agencies in private, before opening the hearing to the public.

ASIO director Duncan Lewis told the public hearing: “We are moving inexorably towards universal, ubiquitous encryption”, and called for the legislation to be passed as soon as possible.

“We are not going to a provider and saying ‘we want you to give us the keys to your encryption’,” he told the committee. Likening ASIO’s aims to a hotel raid, Lewis said the agency wants the key to one room, not the “master key of the hotel”.

Lewis also highlighted the indemnity the bill offers to companies that assist agencies like ASIO, a protection currently lacking. Industry has assisted law enforcement in the past, he said, but “The point is that there is no requirement for industry to assist,” and those companies that cooperate lack protections: “They would obviously require some form of immunity.”


“We’re trying to access the communication between individuals in the main… if that communication is encrypted, it is a real challenge to understand the nature of that. What we are asking is that individual telcos, individual companies, on-top providers… to give us their best assistance in understanding the nature and the content (where we have a warrant) of that communication”, Lewis continued.

Lewis was careful not to directly echo calls from prime minister Scott Morrison and home affairs minister Peter Dutton to rush the legislation through, emphasising that the timing of the laws is a “matter for the parliament and the government to decide.”

Lewis was backed by Australian Federal Police commissioner Andrew Colvin, who said the “operational urgency attached to that” is now becoming “urgent”. He also echoed Lewis’s statement that it’s “not about breaking encryption,” but rather getting access to what the AFP already has a “lawful power” to access.

Neil Paterson of Victoria Police said the issue isn’t criminals “going dark” – they “absolutely” are already dark.

However, PJCIS chair Andrew Hastie has kept the currently-scheduled hearings (the last of which is December 4) in place. That makes scheduling a headache for the government, since parliament rises for the year on December 6.

That urgency prompted shadow attorney-general Mark Dreyfus to offer a compromise: the PJCIS could send an interim report back to parliament, allowing parliament to consider the legislation, but restricting its use to anti-terrorism agencies.

Dreyfus did not, however, address questions of feasibility that have already been raised in the PJCIS inquiry – whether end-to-end encryption can be cracked without introducing backdoors that would place all internet communications at risk. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/27/oz_decryption_legislation/

Check your repos… Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)

A widely used Node.js code library listed in NPM’s warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers.

This vandalism is a stark reminder of the dangers of relying on deep and complex webs of dependencies in software: unless precautions are taken throughout the whole chain, any one component can be modified to break an app’s security. If your project uses event-stream in some way, you should check to make sure you didn’t fetch and install the dodgy version during testing or deployment.

Here’s how it all started: a developer identified on GitHub as “right9control” volunteered to take over event-stream, which had been built by another dev. The JavaScript was then briefly updated to include another module, flatmap-stream, which was later modified to include Bitcoin-siphoning malware – prompting alarm yet again that those pulling third-party packages into their apps have no idea what that code may be doing.

A timeline can be found here, but in short: on September 9, right9control added flatmap-stream as a dependency to event-stream, and then on September 16, removed the dependency by implementing the code themselves. However, this latter change was not automatically pushed out to the library’s users. On October 5, flatmap-stream was altered by a user called “hugeglass” to include obfuscated code that attempted to drain Bitcoins from wallets using the software.

Thus, anyone using event-stream and pulling in the cursed flatmap-stream, rather than the rewritten code, since October 5 would be potentially hit by the malicious script. The offending code has been removed from event-stream. If it’s any relief, the hidden malware is highly targeted, and not designed to attack every programmer or application using event-stream.

Flagged up

Ayrton Sparling, a computer science student at California State University, Fullerton (FallingSnow on GitHub), flagged the problem last week in a GitHub issues post. According to Sparling, a commit to the event-stream module added flatmap-stream as a dependency, which then included injection code targeting another package, ps-tree.

The malicious code in the compromised flatmap-stream package – apparently an attempt to steal coins from Dash Copay Bitcoin wallets – is hosted on GitHub and was distributed through the Node Package Manager (NPM) until it was removed from NPM’s listing on Monday this week.

In a statement emailed to The Register today, an NPM spokesperson said, “At 9:18 PT this morning, the sub dependency flatmap-stream was unpublished, and shortly after 9:30 PT this morning, NPM Inc. assumed control of the event-stream package.” NPM’s spokesperson said the matter is currently being investigated.

EventStream was created by Dominic Tarr, a New Zealand-based developer who stopped maintaining the code. According to Tarr, right9control emailed him to say that he wanted to take over maintenance of the project, and was granted access because Tarr no longer had any interest in looking after it.


The Register emailed right9control, based in Tokyo if the individual’s GitHub profile is accurate, but we’ve received no response. A server used for the attack is run by a service provider operating out of Kuala Lumpur, Malaysia. It may well be that right9control had no idea flatmap-stream would be tampered with to smuggle in wallet-raiding code when updating event-stream to use the module.

Some developers commenting via the GitHub issues post and elsewhere have criticized Tarr for failing to provide adequate notice to the code community about the change in event-stream’s ownership. Others argue that the software license specifically disclaims any responsibility and that developers have only themselves to blame for trusting code that comes with no guarantees.

In a phone interview with The Register, NPM director of security Adam Baldwin said, “Based on our current analysis, which is not complete yet, the early indications suggest it’s an extremely targeted attack on a Bitcoin platform.”

Baldwin said NPM has not yet gathered data on the number of individuals who downloaded the compromised code for their Node.js apps. He confirmed that version 3.3.6 of EventStream, which included the flatmap-stream dependency, was released on September 9, and the malicious version of flatmap-stream appeared on October 5.

“The payload only decrypts if being run in a certain environment,” he said. “It’s the most sophisticated payload we’ve seen to date.”

But because the attack is so targeted, Baldwin expects its impact will be minimal.

Repo depot

NPM and other code repositories like Python’s PyPI and Ruby’s RubyGems have been dealing with the problem of compromised package libraries for years. Despite the ongoing addition of defenses like automated vulnerability scanning and of reporting mechanisms, the risks are unlikely to go away while people have the freedom to publish unvetted code.

However, dependency pinning – in which a specific version rather than a range of versions is required – can help.
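The following is an added example, not code from the article or from the event-stream project: it audits a package.json for "^" and "~" ranges that let npm silently resolve to a newer release, which is how a project requesting event-stream could pick up 3.3.6 (the version that added flatmap-stream) with no change to its own manifest. The package.json below is constructed for the demo, and the semver handling assumes plain x.y.z versions without prerelease tags.

```javascript
// Added example (not the article's or event-stream's own code). Assumes plain
// x.y.z version strings; prerelease tags and compound ranges are not handled.

const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

function parseVersion(v) {
  if (!EXACT_VERSION.test(v)) throw new Error(`not a plain x.y.z version: ${v}`);
  return v.split('.').map(Number);
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound for "^x.y.z": the next release that changes the
// left-most non-zero component (npm's caret rule, including the 0.y.z cases).
function caretUpperBound(base) {
  if (base[0] > 0) return [base[0] + 1, 0, 0];
  if (base[1] > 0) return [0, base[1] + 1, 0];
  return [0, 0, base[2] + 1];
}

// Exclusive upper bound for "~x.y.z": patch updates only.
function tildeUpperBound(base) {
  return [base[0], base[1] + 1, 0];
}

// Would npm be allowed to install `version` for the manifest entry `spec`?
function rangeAdmits(spec, version) {
  const v = parseVersion(version);
  if (EXACT_VERSION.test(spec)) return compare(parseVersion(spec), v) === 0;
  const op = spec[0];
  const base = parseVersion(spec.slice(1));
  let upper;
  if (op === '^') upper = caretUpperBound(base);
  else if (op === '~') upper = tildeUpperBound(base);
  else throw new Error(`unsupported range syntax: ${spec}`);
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

// Every dependency whose spec is not an exact version, i.e. not pinned.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Constructed manifest for the demo. "^3.3.4" is the kind of range that would
// have resolved to event-stream 3.3.6 as soon as that release was published.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { 'event-stream': '^3.3.4', 'left-pad': '1.3.0' },
  devDependencies: { mocha: '~5.2.0' },
};

for (const dep of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`${dep.field}: ${dep.name}@${dep.spec} is not pinned`);
}
console.log('^3.3.4 admits 3.3.6:', rangeAdmits('^3.3.4', '3.3.6'));
```

Pinning direct dependencies this way does nothing for transitive ones such as flatmap-stream; committing package-lock.json and installing with `npm ci` freezes the whole resolved tree.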

Asked about how this situation might be avoided in the future, Baldwin acknowledged that both unmaintained code and transferring code ownership pose potential problems. He credited the NPM community for identifying the malicious code and said if the organization tightened things down so much that no one could publish code, it would harm the community.

“We have to give maintainers the ability to move on,” he said. “At the same time, the community is wonderful because there are lots of eyes on projects.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

Ransomware Attack Forced Ohio Hospital System to Divert ER Patients

Malware infection fallout sent ambulances away from East Ohio Regional Hospital and Ohio Valley Medical Center over the Thanksgiving weekend.

A ransomware attack that hit computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Center reportedly disrupted the hospitals’ emergency rooms.

The attack hit the evening of Friday, Nov. 23, leaving the hospitals unable to accept ER patients via emergency responders. Those patients were diverted to other area hospital emergency rooms, The Times Ledger newspaper reported. 

Karin Janiszewski, director of marketing and public relations for the hospitals, told the paper that the two hospitals hit by ransomware were able to handle walk-in ER patients, and that the IT team had hoped to have the attack “resolved” by Sunday, Nov. 25. “We have redundant security, so the attack was able to get through the first layer but not the second layer,” she said. “There has been no patient information breach.”


Article source: https://www.darkreading.com/vulnerabilities---threats/ransomware-attack-forced-ohio-hospital-system-to-divert-er-patients-/d/d-id/1333333?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

USPS Web Vuln Exposes Data of 60 Million

The US Postal Service recently fixed a security bug that allowed any USPS.com account holder to view or change other users’ data.

The United States Postal Service (USPS) last week patched a vulnerability in the API for a program called “Informed Visibility,” which enabled anyone with a USPS.com account to view and, in some cases, edit other users’ information, KrebsOnSecurity reports.

KrebsOnSecurity was alerted to the bug by an anonymous researcher who reportedly informed USPS of the problem more than a year ago and didn’t receive a response. In this case, the vulnerability was in the API of Informed Visibility, an online application designed to provide package tracking data to businesses, advertisers, and other organizations sending mail in bulk.

The bug exposed “near real-time data” about mail in transit from commercial users. It also let any USPS online account holder query its system for other users’ account details: usernames, phone numbers, and email and physical addresses. If multiple accounts shared a common trait, like a street address, searching for that one piece of data unearthed multiple user records.
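The following is an added example, not USPS code: a simplified account-lookup API modelled on the behaviour described above, with the unscoped query beside an ownership-scoped version, plus an access-log check that flags a session which pulled records belonging to more than one account. The record table and log lines are constructed for the demo.

```javascript
// Added example (not USPS code). ACCOUNTS and the log lines are constructed.

const ACCOUNTS = [
  { id: 1, username: 'alice', phone: '555-0101', email: 'alice@example.com', street: '1 Main St' },
  { id: 2, username: 'bob',   phone: '555-0102', email: 'bob@example.com',   street: '1 Main St' },
  { id: 3, username: 'carol', phone: '555-0103', email: 'carol@example.com', street: '9 Oak Ave' },
];

// Vulnerable pattern: authentication is checked, authorization is not. Any
// logged-in user may search the whole table by any attribute, so a shared
// value (two accounts at the same street) returns someone else's record.
function lookupVulnerable(requesterId, field, value) {
  if (!requesterId) throw new Error('unauthenticated');
  return ACCOUNTS.filter(a => a[field] === value);
}

// Hardened pattern: the result set is scoped to the caller's own records
// before the search attribute is applied, and only whitelisted fields may be
// searched (so internal columns cannot be probed by name).
const SEARCHABLE = new Set(['street', 'email', 'phone']);
function lookupFixed(requesterId, field, value) {
  if (!requesterId) throw new Error('unauthenticated');
  if (!SEARCHABLE.has(field)) throw new Error(`field not searchable: ${field}`);
  return ACCOUNTS.filter(a => a.id === requesterId && a[field] === value);
}

// Detection: an API access log where each line records which account made the
// call and which account's record was returned. Constructed format:
//   <timestamp> requester=<id> record=<id>
const SAMPLE_LOG = [
  '2018-11-20T10:00:01Z requester=1 record=1',
  '2018-11-20T10:00:02Z requester=1 record=2',
  '2018-11-20T10:00:03Z requester=3 record=3',
  '2018-11-20T10:00:04Z requester=2 record=2',
  '2018-11-20T10:00:05Z requester=1 record=3',
];

// Returns the requester ids that retrieved records they do not own, with the
// foreign record ids, which is the signature an object-level authorization
// bug leaves behind in a log like this.
function findCrossAccountReads(lines) {
  const re = /requester=(\d+) record=(\d+)/;
  const hits = new Map();
  for (const line of lines) {
    const m = re.exec(line);
    if (!m) continue;
    const requester = Number(m[1]);
    const record = Number(m[2]);
    if (requester === record) continue;
    if (!hits.has(requester)) hits.set(requester, []);
    hits.get(requester).push(record);
  }
  return hits;
}

console.log('unscoped search by street:', lookupVulnerable(1, 'street', '1 Main St').map(a => a.username));
console.log('scoped search by street:', lookupFixed(1, 'street', '1 Main St').map(a => a.username));
console.log('cross-account reads:', [...findCrossAccountReads(SAMPLE_LOG)]);
```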

Setu Kulkarni, vice president of strategy and business development at WhiteHat Security, points out that insecure APIs can prove dangerous for organizations. He advises companies to perform security tests against potential weak spots such as APIs, network connections, mobile apps, websites, and databases.

“APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security,” he explains. “APIs, when insecure, break down the very premise of uber connectivity they have helped establish.”

In a statement, USPS said it has no data indicating this bug was used to exploit user records.


Article source: https://www.darkreading.com/threat-intelligence/usps-web-vuln-exposes-data-of-60-million-/d/d-id/1333334?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Buckle Up: A Closer Look at Airline Security Breaches

Cyberattacks on airports and airlines are often unrelated to passenger safety – but that’s no reason to dismiss them, experts say.

Cathay Pacific. British Airways. Air Canada. Airlines and airports are hot targets for cyberattackers, whose motivations range from financial and identity theft to cyber espionage.

Those three recent incidents reflect a growing trend. It was late August 2018 when Air Canada alerted users to a mobile app breach affecting 20,000 people. British Airways admitted to a breach compromising 380,000 passengers in September; a month later, it learned 185,000 more were affected in a second attack. Cathay Pacific spooked us all when, a few days before Halloween, it disclosed a breach exposing the data of 9.4 million people — the largest of any airline to date.

For attackers hoping to cash in on sensitive data, the aviation industry is a gold mine.

“Nation states have targeted airlines for a long time to collect data on passengers, but we’ve seen an increase in targeting by cybercriminals,” explains Christopher Porter, chief intelligence strategist at FireEye.

“Because air travel is high-dollar and time-sensitive, criminals have realized they can extract payment data from customers, who will have valuable credit cards to commit fraud with, or use ransomware to extort the airline,” he adds. In the last two years, FireEye has seen an increase in the use of ransomware to disable ticketing and support processes for short periods of time.

Cyberattacks exploiting air travel are “gaining momentum,” he continues. In a recent report on threats to watch in 2019, FireEye researchers pointed to the aviation sector as a prime target. In addition to cyber espionage, airlines face threats like third-party ticket sellers profiting from illicit tickets on the Dark Web, and breaches designed to capture the valuable data they store.

Consider passports. “The airlines have one thing that virtually nobody else has, and that’s passport information,” says Randy Abrams, senior security analyst at Webroot. While more valuable on a nation-state level, passports can aid fraudsters in phishing attacks and identity theft. When you add them up, they can also earn quite a bit of money on the Dark Web.

There isn’t enough publicly available data to determine if passports are an objective in aviation cyberattacks, he adds; however, successful attackers will likely take passport data they find. It’s one of many types of information airlines hold, in addition to users’ names, home and email addresses, payment card numbers, phone numbers, and other personal data. Sure, payment information is handy for financial theft, but all the other info can be used for identity fraud.

“There’s a lot of people doing a lot of flying these days, and there’s a good chance of picking up a lot of personal information in one fell swoop,” says David Emm, principal security researcher at Kaspersky Lab. “We’re used to seeing attacks on individuals, but it’s easier if you can hit one target and grab all the data. Airlines are strategically placed from a criminal’s point of view.”

How They’re Breaking In

Emm explains how a common technique among modern attackers is capturing information as it’s entered online. Someone who breaches a provider to steal payment card data likely won’t access all the info they need (for example, the cards’ CVV numbers) because the company won’t store it. However, that data can be captured by a script sitting on a website.

A number of airlines, including British Airways and Cathay Pacific, have been targeted by injecting a script into one of the processors for handling online payments, he adds. It’s more fruitful for the attackers but makes breach remediation harder for organizations hit.

Emm, Porter, and Abrams all point to the dangers of the aviation supply chain, another common attack vector.

(Image: Peshkov - stock.adobe.com)

The risk of a security breach intensifies with the number of third-party vendors involved with a company’s processes. Airports work with many, and their operations demand constant exchange of data among governments, credit card companies, baggage handlers, maintenance, and a wealth of other organizations responsible for keeping the industry in business.

“Those are all good targets … all potential entry points for a cybercriminal,” says Porter. He calls the supply chain “a hidden risk” that airlines didn’t consider in their corporate risk planning but that is now top of mind.

If an airline is using a process developed by a third party — payments, for example — they’re putting security into the hands of the third party and giving attackers “a bit of an advantage,” Emm explains. “They know there’s an opportunity to slide between the cracks there,” he says of the attackers.

“If there’s not a good reason to be using a third-party script, well, don’t,” he notes. It’s like high-tech systems, he says: the simpler the equipment, the less of a problem you’re likely to have.

Buckle Up: Airline Security Tips and Challenges

It’s one of many pieces of advice for an industry challenged with a wave of cyberattacks.

Abrams advises airlines and airports to make sure their assets are well-protected and perform high-quality penetration testing, especially on Web-facing systems, which are “getting hit left and right.” He also suggests implementing third-party auditing for the supply chain and correlating data across geographical regions to detect threat patterns as they occur.

“If I’m seeing something anomalous on my site in New Jersey, and seeing the same anomaly on my sites in Hong Kong and Croatia, and I’m not correlating all these events, then that’s where I’m missing the big picture,” he explains.

Emm recommends developing scripts internally to maintain more control over security. For businesses relying on third-party providers, he strongly suggests evaluating external code with the same rigor they’d use to check code they built: give it a good and thorough test.
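One way to put Emm’s advice into practice is to inventory every script a payment page loads and flag the ones that warrant review: third-party origins without Subresource Integrity pinning, and inline scripts that cannot be pinned at all. This is an added example, not code from the article or from any vendor quoted in it; the first-party hostname and the checkout HTML are constructed.

```python
"""Inventory the scripts a checkout page loads and flag the ones to review.

Added example (not from the article). The first-party host is hypothetical
and the HTML sample is constructed, not a real airline checkout page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "checkout.example-airline.test"  # hypothetical first-party host

# Constructed sample: one first-party script, one unpinned third-party tag
# script, one SRI-pinned payment form script, and one inline script.
# The integrity value is a placeholder, not a real digest.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-tagvendor.test/analytics.js"></script>
<script src="https://cdn.example-payments.test/form.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect every <script> tag with its src and integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self._in_script = True
        self.scripts.append({
            "src": a.get("src"),
            "integrity": a.get("integrity"),
            "inline_text": "",
        })

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; keep them for review.
        if self._in_script and self.scripts and self.scripts[-1]["src"] is None:
            self.scripts[-1]["inline_text"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def review_scripts(html, first_party=FIRST_PARTY):
    """Return (src-or-'inline', finding) pairs for scripts that need review.

    First-party scripts (relative URLs or the first-party host) are not
    reported; every third-party or inline script is, with the reason.
    """
    parser = ScriptInventory()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append(("inline", "inline script: cannot be SRI-pinned; review its body"))
            continue
        host = urlparse(s["src"]).netloc  # "" for relative URLs
        if host and host != first_party:
            if s["integrity"]:
                findings.append((s["src"], "third-party script, SRI-pinned: confirm it is still needed"))
            else:
                findings.append((s["src"], "third-party script without integrity attribute"))
    return findings


if __name__ == "__main__":
    for src, why in review_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{why}: {src}")
```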

“Make sure all the processes have evolved and the handling of personal information is solid,” he adds.

Taking Control: Who’s Responsible for Cyber

Airports in the US are sometimes privately owned, owned by different municipalities, or have a mix of different stakeholders, which raises the question: who takes responsibility for infosec?

“Everyone gives a different answer on who’s responsible,” says Porter, noting that his team has asked airports and airlines about potential threats.

There’s room for improvement here, and it can be filled by getting stakeholders together and running security exercises: practicing a major cyber threat that disables operations, for example, or impairs a flight. It’s imperative airlines determine who is responsible for each element of response — something they don’t want to find out when an incident strikes.

“In the US, a bigger factor is that Congress and the executive branch have been growing more concerned about potential lethal risks from cyberattacks on aviation,” says Porter. To prove air travel is resilient to that, airlines and their partners have to re-examine their security posture. He says some airports, and the DHS, have begun doing these exercises, which is encouraging.

Can Cybercrime Bring Down A Plane? Probably Not.

While data breaches generally make for bad publicity, those against the aviation sector often cause concern among passengers who wonder if the effects of cybercrime can hit mid-flight. Experts say there’s little reason to be concerned here — most cyberattacks targeting the industry affect systems unrelated to fliers’ safety — but these attacks are still concerning.

While he’s not aware of an attack that would remotely bring down an aircraft, Porter points out how attacks like ransomware could disrupt flight operations. It may not affect passenger safety but could affect a pilot’s ability to take off if they can’t access a flight plan, for example.

FireEye doesn’t defend aircraft themselves, so Porter points to a 2017 US Department of Homeland Security study that found a threat to planes “was at least technically feasible.” He gives the world’s most skilled hacker groups the benefit of the doubt. “You have to be cognizant of worst-case scenario,” he says.

Security researchers have already shown it’s possible. Earlier this year, Ruben Santamarta, principal security consultant with IOActive, took the stage at Black Hat USA to demonstrate how he gained access to an in-flight aircraft and its on-board satellite communications devices from the ground. Equipment flaws including backdoors, insecure protocols, and network misconfigurations could affect hundreds of commercial planes from major carriers like Southwest, Norwegian, and Icelandair.

However, for the general public and policymakers, the most relevant threats affect their data and not the plane’s safety. Cyber espionage is a far more common threat to aviation security.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/buckle-up-a-closer-look-at-airline-security-breaches/d/d-id/1333336?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The phone went dark, then $1m was sucked out in SIM-swap crypto-heist

A SIM-swap robber allegedly lifted $1 million in crypto-coin from Robert Ross, who was saving to pay for his daughters’ college tuition.

According to the New York Post, Ross “watched helplessly” on 26 October as his phone went dark. Within seconds, $500,000 drained out of his Coinbase account, and another $500,000 was suctioned out of a Gemini account. That was his entire life savings, West said.

Erin West, the deputy district attorney for Santa Clara County in California, told reporters that 21-year-old Nicholas Truglia, of Manhattan, has agreed to be extradited. Santa Clara officials plan to pick him up in December. According to court documents, he’s been charged with 21 felony counts against six victims, including identity theft, fraud, embezzlement, crimes that “involve a pattern of related felony conduct,” and attempted grand theft.

Truglia allegedly hacked the phones of Silicon Valley executives from his cushy West 42nd Street high-rise apartment.

Ross was apparently Truglia’s one success, though officials allege that he went after a half dozen other Silicon Valley cryptocoin players, including Saswata Basu, CEO of the block-chain storage service 0Chain; Myles Danielsen, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.

Deputy DA West is part of the Santa Clara REACT task force, which pursues SIM-swapping cases nationwide. The team also includes federal agents. On 14 November, the team flew to New York with a search warrant. They arrested Truglia and searched his high-rise, managing to recover $300,000 from a hard drive.

The rest of the missing money might be harder to track down, though, due to the nature of the blockchain public ledger. Though it records transactions, it keeps senders and receivers anonymous.

CNBC quoted West:

In some ways, it’s helpful because we can see where the money is going – that’s the beauty of the blockchain. It’s public, but what we still can’t see is who holds those accounts.

In August, we wrote up what was reportedly the first time an alleged SIM-swap fraudster had ripped off cryptocurrency – in that case, $5 million in Bitcoin.

This won’t be the last time: West said that SIM-swap cryptocoin-heists are a “whole new wave of crime”.

It’s a new way of stealing of money: They target people that they believe to have cryptocurrency.

How SIM-swap scams work

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your identity.

That comes in handy when you lose your phone or get a new one: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number. But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

Control over your phone number means the robber also controls communication with your sensitive accounts, like bank accounts: it’s all under the control of a thief when you’ve been victimized by a fraudulent SIM swapper.

Banks have traditionally sent authorization codes needed when using 2FA or 2SV – that’s two-factor authentication or two-step verification – via SMS to complete a financial transaction. Fortunately, this is becoming less common: the United States National Institute of Standards and Technology (NIST) in 2016 published new guidelines forbidding SMS-based authentication in 2FA. Besides the security risks of mobile phone portability, problems with the security of SMS delivery have included malware that can redirect text messages and attacks against the mobile phone network such as the so-called SS7 hack.

By stealing your phone number, the crooks have also stolen access to your 2FA codes – at least, until you manage to convince your account providers that somebody else has hijacked your account.

Crooks have made the most of that window of opportunity to:

  • Change as many profile settings on your account as they can.
  • Add new payment recipient accounts belonging to accomplices.
  • Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.

By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.

And this is how that all feels when you’re the one being drained, West told reporters:

You’re sitting in your home, your phone is in front of you, and you suddenly become aware there is no service because the bad guy has taken control of your phone number.

Did he have accomplices?

Prosecutors believe that Truglia was working with a crew. Apparently, he’s also worked with “friends” who allegedly can’t keep their hands to themselves when it comes to cryptocoin. Prosecutors didn’t mention whether his alleged conspirators were the same guys who he claims tortured him a few months ago to get at a thumb drive with account data linked to $1.2 million in bitcoin, but that is indeed the first time Truglia’s name made it into the press.

According to the New York Post, in September, Truglia called the cops on four friends who, he claimed, tried to steal his bitcoin. He said that his friends demanded logins for his cryptocurrency accounts while “holding his head underwater in the bathtub, punching him in the stomach and throwing hot wax on him.”

Really? Well, maybe… The defense attorney for his “friends” claimed that it was all lies and that Truglia had since recanted. As of 6 November, they were still headed for a court date of 14 March, to find out whether they’ve been indicted.

What Truglia said at the time:

It’s pretty common for people to target people who have a lot of cryptocurrency.

If the charges stick, we’ll grant him a “nobody would know that better than you.” In the meantime, how do you protect yourself from a growing number of cryptocoin robbers?

What to do

What follows are some tips for dealing with the rising trend of fraudsters using SIM swaps to drain accounts. It doesn’t matter that they’re going after digital instead of nondigital currency: the precautions we can all take to avoid becoming victims stay the same.

Here they are:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
  • Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific webpages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone rather than just your phone number.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If in doubt, don’t give it out!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/w0a0GCXjj7Q/

That Black Mirror episode with the social ratings? It’s happening IRL

What do you get when you cross the worst aspects of social media, people’s actual lives and giant, centralized databases?

The outcomes are already playing out. Certain cities in China have been piloting the country’s social credit score system – a system that’s due to be fully up and running by 2020, according to a plan posted on the Beijing municipal government’s website on Monday (the plan is dated 18 July).

One of the many repercussions of such a system is that people get blacklisted for not paying off their debts when a court thinks they’re capable of doing so, regardless of what the debtor says.

The ID photos, names and numbers of blacklisted people are displayed on billboards throughout the city, and they’re then barred from booking flights or high-speed trains (considered “luxury” travel) and blocked from staying in hotels. By the end of May, people with bad credit in China had been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.

A permanent stigma?

The Indicator podcast on National Public Radio’s Planet Money has been covering China’s unfolding social credit system for the past few months. Last month, the podcast covered the story of Lao Duan, a 42-year-old coal broker, who told NPR that people’s attitude toward the blacklisted is one of suspicion. He can’t relax when socializing with anybody who isn’t also on the blacklist – which is the case with many of his former coal-dealing colleagues:

(Through a translator) The widespread attitude towards us is very resistant. People were saying, why are you cured being happy? Why do you still have time to be happy? Why do you not go out and make money to pay back your loan?

Unfortunately, as NPR reports, the stigma appears to be permanent. While in countries like the US, we can declare bankruptcy and then hopefully rebuild our credit, in China, the label of socially/financially unacceptable appears to be irreversible. Though it’s technically possible to get off the blacklist, it seems that nobody ever does.

A financial scarlet letter is only one aspect of China’s increasingly pervasive social credit system, which, according to Bloomberg, is designed to make it impossible for the “untrustworthy” to “move even a single step.”

Rewards and penalties

The pilot city of Rongcheng foreshadows how comprehensively China plans to judge each of its 1.3 billion people with its lifelong points program, which assigns each resident their own, personalized rating. The system is similar to the credit score system of the US, but it will also include ratings for behavior, including whether you squabble with your neighbors, clean up after your dog, or obey the traffic laws.

Xu Ranjan, a 32-year-old IT engineer, told NPR that it’s gotten a lot more peaceful in Rongcheng since it implemented the multifaceted penalties. It used to be that pedestrians risked their lives crossing the street. Now? The cars wait for you. If they don’t, their drivers will lose points. And that can be bad.

There’s a letter/grade system behind the points. Everybody starts at 1,000, though you can earn more by, say, giving to charity or donating blood. If you score 960 points or more, you’re an “A.” Between 850 and 959 points, you’re a “B.” You’re a “C” if you’re between 600 and 849. That’s considered a “warning” level. Below that, you’re a “D,” and you’re labelled untrustworthy.

Driving while intoxicated? Automatic downgrade to a B. You’re also docked 50 points for spreading rumors online.

A high score gets you discounts at local businesses, a lower heating bill, free cable channels (such as a kung fu channel and a soap opera channel), and special invitations to community events.

A low score not only costs you those goodies; it also means you might not be able to get a promotion at work, regardless of your great performance and productivity.

NPR reports that the government is keeping track of all of this with the help of designated “watchers.”

These are people who keep track of goings-on in their neighborhoods. And they keep track of neighbors’ behavior and update people’s scores.

‘Nosedive’

If you haven’t already watched the “Nosedive” episode of the TV show Black Mirror, perhaps you should, because it’s no longer fiction, at least in China. Somebody in the nation’s government must have interpreted it as a blueprint.

The system has some benefits. Xu Ranjan, who has a score of 1,000 and is living in Rongcheng’s pilot system now, says that it doesn’t feel creepy. He likes it. People are behaving, and they’re putting the needs of the community above their own selfishness, Ranjan said: a positive step in the evolution of society and people living together:

I feel people have become more friendly. I think in the history of human being developing towards, like, communities, if everybody can follow the rule, I’m sure it’s very good for, you know, every individual living in the city.

According to Beijing’s published plan, the capital city is on track to pool data from multiple databases and, by the end of 2020, will be rating some 22 million citizens based on their actions and reputations. To do so, they’ll rely on a range of services, with data flowing from agencies that deal with tourism, business regulators and transit authorities.

They’ve already got much of this in place: just a few examples include an enthusiastic embrace of facial recognition, such as when Chinese police got facial recognition glasses to find suspects in the massive human migration that is China’s annual Lunar New Year. Chinese authorities love facial recognition technology so much that they use it in at least one public park to thwart toilet paper thieves.

As Bloomberg points out, the move to online banking has also made tracking individuals via financial data easier:

Apps such as Tencent’s WeChat and Ant Financial’s Alipay [have become] a central node for making payments, getting loans and organizing transport. Accounts are generally linked to mobile phone numbers, which in turn require government IDs.

With pieces of such a vast system of surveillance already in place, it’s hard to imagine anybody can escape, and that means that the state can punish anybody it wants, with ease.

Political dissidents? Ethnic minorities? Jaywalkers? Toilet paper hoarders?

Check, check and check: vast databases, linked together, enable states to find them, name them, shame them, fine them, or to persecute them. That’s why it’s called Big Data: the oceans of data being linked together are wide and all-inclusive. The repercussions can be deep.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9wkDh1lWKSc/