STE WILLIAMS

Some Democrats Lead Trump in Campaign Domain-Security Efforts

Sanders and Trump campaigns lack proper DMARC security enforcement, study finds.

The 2020 Democratic presidential race remains wide open as all eyes are on New Hampshire this week, but some candidates have an edge when it comes to securing their campaigns from phishing and other attacks: About half of them have fully deployed technology to prevent the spoofing of their Internet domains.

Democratic presidential hopefuls Joe Biden (joebiden.com), Mike Bloomberg (mikebloomberg.com), Pete Buttigieg (peteforamerica.com), Tulsi Gabbard (tulsi2020.com), Amy Klobuchar (amyklobuchar.com), Tom Steyer (tomsteyer.com), Elizabeth Warren (elizabethwarren.com), and Andrew Yang (yang2020.com) all have implemented DMARC, the Domain-based Message Authentication, Reporting and Conformance protocol that protects organizations from domain-spoofing abuse.

Meanwhile, John Delaney (johndelaney.com), Deval Patrick (devalpatrick2020.com), and Bernie Sanders (berniesanders.com) — as well as President Donald Trump (donaldjtrump.com), the lone Republican candidate — each have adopted DMARC for their domains but only have it running in monitor-only mode, which could allow attackers to deliver emails spoofing the campaign’s domain, a new study shows.

Campaigns with no DMARC protection for their domains at all are those of Democratic candidates Michael Bennet (michaelbennet.com) and Bill Weld (weld2020.com) and the former Republican challenger to Trump, Joe Walsh (joewalsh.org), who recently suspended his campaign, leaving their domains wide open for spoofing and abuse, according to security experts.

DMARC, which allows domain owners to control which senders can send emails via their domain, is on the rise. According to Valimail, 80% of email inboxes worldwide perform authentication checks on the sender domain, and the majority of consumer email accounts recognize the DMARC protocol, which currently is in the works as an Internet Engineering Task Force (IETF) standard. DMARC specifies and enforces which servers can send messages from a domain, and uses a digital signature validation process to ensure an email is legitimate.

On the recipient side of the equation, the receiving mail server gets that information along with instructions on what to do with any email that fails the check. Microsoft Office 365, Google Gmail, and Yahoo all perform DMARC checks on incoming mail.

Seth Blank, director of industry initiatives at anti-phishing vendor Valimail, says email is the first likely step in an attack on election-related systems. “It’s easy and effective,” he says. “But the good news is that it looks like major presidential campaigns have started to get that message.”

In May 2019, Valimail found that just three of 25 presidential campaigns had adopted DMARC. Blank says it’s likely the result of raised awareness in the wake of the 2016 presidential election, where breaches of the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and of course, the personal email of John Podesta, former chair of then-Democratic presidential candidate Hillary Clinton’s campaign, served as a wake-up call for election security.

No DMARC Easy Button
Properly deploying DMARC is not exactly plug and play, however. It requires identifying who uses which services in an organization, which can be difficult in an ever-changing campaign staff scenario where hiring fluctuates. “DMARC can be hard,” Blank says. “Campaigns are turning up email resources all the time,” he adds, so setting the email security policy can be challenging for them.

Even DMARC-active domains can have configuration issues: take that of Michael Bloomberg. “The DMARC record for mikebloomberg.com is configured with an enforcement policy, but there is a problem with the underlying SPF record that could cause problems with security, visibility, and deliverability: It exceeds the limit of 10 DNS lookups specified in the SPF standard,” Dylan Tweney, vice president of research and communications for Valimail, explained in a blog post today about Valimail’s findings.
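To make the two conditions discussed in this article concrete (a DMARC record in monitor-only mode, and an SPF record that exceeds the 10 DNS-lookup limit), here is an added Python checker; it is not code from Valimail or from any campaign. The domain names and TXT records are constructed, and the checker reads them from an inline table rather than querying DNS.

```python
"""Offline checker for two email-authentication weaknesses: DMARC in monitor-only
mode (p=none) and SPF records that need more than 10 DNS lookups (constructed example)."""
import re
from typing import Dict, FrozenSet, List

# Constructed TXT records for hypothetical domains, keyed by the name that would be
# queried. These are example data, not real DNS lookups.
TXT_RECORDS: Dict[str, str] = {
    "_dmarc.enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "enforced.example": "v=spf1 include:_spf.mailer-a.example include:_spf.mailer-b.example mx -all",
    "_spf.mailer-a.example": "v=spf1 include:_spf.mailer-a-2.example a mx ~all",
    "_spf.mailer-a-2.example": "v=spf1 a a a a ~all",
    "_spf.mailer-b.example": "v=spf1 ip4:192.0.2.0/24 mx a ptr ~all",
    "monitor.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

SPF_LOOKUP_LIMIT = 10
# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=](.*))?$", re.I)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; returns {} if this is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_status(domain: str, txt: Dict[str, str] = TXT_RECORDS) -> str:
    """Classify a domain as missing / invalid / monitor-only / partial-enforcement / enforced."""
    record = txt.get(f"_dmarc.{domain}")
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"          # reports only; spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            return "invalid"
        return "enforced" if pct == 100 else "partial-enforcement"
    return "invalid"


def spf_lookup_count(domain: str, txt: Dict[str, str] = TXT_RECORDS,
                     ancestors: FrozenSet[str] = frozenset()) -> int:
    """Count DNS-lookup terms in a domain's SPF record, following include: and redirect=.
    Duplicate includes are counted each time (as receivers do); only cycles are cut."""
    if domain in ancestors:
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.split("/")[0].lstrip("+-~?")   # drop CIDR suffix and qualifier
        match = TERM_RE.match(term)
        if not match:
            continue
        mechanism, arg = match.group(1).lower(), match.group(2)
        if mechanism not in LOOKUP_MECHANISMS:
            continue
        count += 1
        if mechanism in ("include", "redirect") and arg:
            count += spf_lookup_count(arg, txt, ancestors | {domain})
    return count


def check_domain(domain: str, txt: Dict[str, str] = TXT_RECORDS) -> Dict[str, object]:
    """Return the DMARC status, SPF lookup count and a list of findings for a domain."""
    status = dmarc_status(domain, txt)
    lookups = spf_lookup_count(domain, txt)
    findings: List[str] = []
    if status != "enforced":
        findings.append(f"DMARC {status}: mail spoofing {domain} is not quarantined or rejected")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of {SPF_LOOKUP_LIMIT}; "
                        "receivers treat the record as a permanent error")
    return {"domain": domain, "dmarc": status, "spf_lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for name in ("enforced.example", "monitor.example"):
        print(check_domain(name))
```

In the constructed data, enforced.example has a reject policy but its SPF chain resolves to 13 lookups, the same shape of problem the article describes for mikebloomberg.com, while monitor.example has a clean SPF record but p=none.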

And while the federal government recently mandated DMARC for all nonmilitary agencies, campaigns are not required by law or regulation to adopt DMARC. “Frankly, it needs to be a minimum standard. It’s a known [attack] vector, and you can close it off,” Blank notes.

But DMARC handles just one piece of email security. It’s designed to thwart phishing that uses spoofed domains, which accounts for half to two-thirds of phishing attacks, Blank says. DMARC does not, however, detect a compromised user email account, nor a malicious insider.

The Mobile, Messaging, and Malware Anti-Abuse Working Group (M3AAWG) advises election officials to not only adopt DMARC but also multifactor authentication for user accounts. “MFA should also be deployed across personal social and communications accounts to ensure that a compromise of a personal account could not be used in a social engineering effort to dupe a colleague in hopes of gaining further access to more sensitive and protected systems,” M3AAWG’s advisory says. Email messages also should be digitally signed and encrypted in transit, the organization says.

In October, Awake Security found that most of the Democratic candidates, as well as Trump’s campaign, had not yet enabled DNSSEC, the protocol for protecting domains from DNS cache-poisoning and hijacking attacks.

Election Disruption Concerns
Blank worries most about a ransomware attack taking down a voter registration or other system this year “at the absolute worst time,” hampering voting or transmitting results, he says.

Even the organizers of the famed DEF CON Voting Village have said they’re more concerned about managing the risk to the election infrastructure: ensuring there’s an audit trail with paper ballots; employing risk-limiting audits (manually checking paper ballots against electronic machine results); and proper security hygiene in voting equipment, systems, and applications.

Christopher Krebs, director of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), told Dark Reading in an interview at DEF CON in August that he worried about the threat of disruptive attacks on the 2020 election that could shake trust in the election system. “We need to have resilience in place,” he said.

Even a small attack or disruption — or even appearance of one — could shake the confidence of the electorate.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Is a Privileged Access Workstation (PAW)?”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/risk/some-democrats-lead-trump-in-campaign-domain-security-efforts/d/d-id/1337012?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How North Korea’s Senior Leaders Harness the Internet

Researchers learn how North Korea is expanding its Internet use in order to generate revenue and bypass international sanctions.

A new report sheds light on how North Korea’s senior leadership is changing how it uses the Internet, which has evolved into a professional tool its leaders use to generate revenue and evade international sanctions and controls meant to block certain technologies and operations.

Recorded Future researchers have seen a 300% increase in the volume of activity to and from North Korean networks since 2017. They attribute the spike to multiple drivers: greater use of the Russian-routed TransTelekom infrastructure, use of previously unresolved North Korean IP space, and new mail servers, FTP servers, and DNS name servers to maintain higher traffic flow.

Few people in North Korea are permitted direct access to the global Internet. This research is focused on the activities of these few people, primarily government leaders and the ruling elite. It’s believed the observed changes in network administration over the past six months are likely in response to higher Internet demand from North Korean users both at home and abroad. An Internet-enabled mail server, for example, indicates a need for people to remotely access email.

It’s clear, the researchers report, that the Internet has shifted from a “fascination” or “leisure activity” to a serious revenue-generation tool. Weekdays are now the most popular time for Internet use, compared with weekends and evenings in 2017. This, combined with the 300% increase in activity and higher bandwidth, denotes greater focus on harnessing the Internet.

The regime has tried to hide its increased Internet use with operational security technologies like virtual private networks, virtual private servers, transport layer security, and the Tor browser, among others. In 2019 it introduced DNS tunneling and demonstrated just how tech-savvy North Korea’s leaders are. Researchers expect they’re using DNS tunneling to hide data exfiltration from target networks, and/or to evade government security controls and limits.

There are three key ways North Korea uses the Internet to bypass sanctions and generate revenue: online bank theft, cryptomining, and low-level IT and financial crime. The UN reports North Korean cyber activities have targeted financial organizations and cryptocurrency exchanges in at least 35 countries, generating up to $2 billion for the regime. Attackers have also used illegal access to the SWIFT banking network; after they gain initial entry, they execute fraudulent transactions and transfer stolen funds to dummy accounts under their control.

“We assess that these banking operations are well researched and resourced by the North Koreans,” Recorded Future’s Insikt group explains in a writeup of their findings. “Attackers likely spent anywhere from nine to 18 months inside of a target network conducting further reconnaissance, moving laterally, escalating privileges, studying each organization’s specific SWIFT instance, and disabling security procedures.”

Researchers have consistently observed small-scale Bitcoin mining as of November 2019. Monero mining, however, has increased tenfold since October 2018, when it reflected activity similar to Bitcoin’s. Unlike Bitcoin, they say, Monero is truly anonymous and all transactions are encrypted so only the sender or receiver involved can find the other.

“We assess that cryptocurrencies are a valuable tool for North Korea as an independent, loosely regulated source of revenue generation, but also as a means for moving and using illicitly obtained funds,” researchers say.

Learning Prohibited Skills Abroad
People who have defected from North Korea have described a process in which operators and programmers overseas earn money and send it back to the regime. Some have created counterfeit video games and developed bots to steal digital items (weapons, gear, etc.) and resell them for profit. Some sell vulnerabilities in gaming software or target online casinos. One defector said these operators were required to earn nearly $100,000 per year, with 80% sent back to North Korea.

Many defectors have also shared how North Korea exploits other countries to train and host its state-sponsored operators. People are sent to countries including China, Russia, and India so they can gain advanced cyber training. Researchers say this activity is growing harder to track as North Koreans, and all Internet users, place a greater focus on cybersecurity.

“At its most basic, North Korea has developed a model that leverages the internet as a mechanism for sanctions circumvention that is distinctive but not exceptional,” researchers write. These techniques for gaining blocked knowledge and generating revenue can be repeated, driving concern that the regime could serve as an example to other financially isolated countries eager to bypass their own sanctions.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/how-north-koreas-senior-leaders-harness-the-internet/d/d-id/1337013?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US govt accuses four Chinese army soldiers of hacking Equifax and siphoning 145m Americans’ personal info

The United States has announced criminal charges against four Chinese Army soldiers who, it is claimed, are the hackers who stole 145 million Americans’ personal data from credit scorer Equifax.

Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei are all said to have been members of the People’s Liberation Army (PLA)’s 54th Research Institute hacking team, and are accused of illegally accessing Equifax’s customer databases. They were named by the US Department of Justice today as Attorney General William Barr condemned a “disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens.”

“The PLA hackers obtained names, birth dates, and social security numbers for the 145 million American victims, in addition to driver’s license numbers for at least 10 million Americans stored on Equifax’s databases,” said the indictment, adding that another 200,000 credit card numbers were also stolen.

It continued: “Accordingly, in a single breach, the PLA obtained sensitive personally identifiable information for nearly half of all American citizens”.

Barr said in a statement: “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”

According to court documents [PDF] the hackers exploited vulnerabilities in Equifax’s online dispute portal, which ran the Apache Struts Web Framework. It is understood patches were available to address security flaws in the software, yet Equifax’s installation remained unpatched. After gaining access to the server, the four are said to have installed web shells and run SQL commands on the databases using credentials they found on the server itself. Full details were in a US Congress report issued in late 2018.

Prosecutors allege the four used “two China-based IP addresses that connected directly to Equifax’s network” to access the servers at first, before downloading their illicitly-obtained data by using around 34 servers in “nearly twenty countries” connected over a variety of secure shell software and even old-fashioned remote desktop connections.


As they rampaged through Equifax’s databases the four allegedly wiped logs daily on the rented infrastructure that was used for the hack, so as to hide their tracks.

A million Brits and Canadians also had their data stolen by the Chinese.

The American Federal Trade Commission, a regulator, promised that affected people could claim $125 each as a result of the breach. In reality it has allowed Equifax to erect ever greater hurdles in order to discourage claims and reduce the total size of the payout. ®

Bootnote

A grand jury is a bizarre American legal process in which a group of around 20 citizens picked at random are locked in a room with prosecutors and are not allowed to leave until at least half of them vote to allow some third party to be put on trial for alleged criminal offences.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/10/china_hacked_equifax_charges/

Day in the Life of a Bot

A typical workday for a bot, from its own point of view.

Back to the grind — time to review what needs to get done today. As a botnet, I have a very interesting job in some ways, but in others, it feels like the movie Groundhog Day. I originally was built by a criminal organization to conduct distributed denial-of-service (DDoS) attacks and then demand “protection” money to make sure it didn’t happen again. Not a very innovative business model, but why fix what isn’t broken?!   

I’m fortunate in that my owners have kept my code on the cutting edge, so I can be used for newer attacks like credential stuffing, brute-force password cracking, cryptomining, and even as a ticket bot to scoop up the best seats for resale. Some of my friends work as aggregators, spam bots, web scrapers, or search engines, and while we all do similar functions, I’m doing the truly exciting stuff. 

Over time, both the systems I’m made of and the types of criminal business models I’m used for have changed. Today, some of my network of hacked computers are part of the Internet of Things, such as home video surveillance cameras. As long as they have good computing power and connectivity, I’m an equal opportunity employer. 

Before I get too deep into what I must get done today, I want to address the big picture. While my organization is outstanding at what it does, I think of myself as part of a larger ecosystem. Other organizations pay me for my stolen information, such as access to someone’s bank account. They also pay me for my ability to cause an impact, such as conducting a DDoS attack on a company’s main web page. That is one thing I do like about the Dark Web — it’s in a state of constant innovation around repurposing malware and business models.

Enough big picture: Let’s talk about the fun part of my day — attacking stuff! Generally, the process I follow is the same as a military unit attacking an objective. I start with reconnaissance, then execute the attack to gain access. Next comes capturing the objective, or in cyber terminology, exploitation. This consists of stealing data to sell it.  

Let’s cover what I do by looking at a sample task, like credential stuffing. To start with, I require actionable intelligence, or information, so I must make sure my reconnaissance results in the discovery of a vulnerable part of the network. This means I have to determine what kind of defenses exist so I can tailor my attack to bypass them. How well my day goes really does depend on what the company I’m targeting has done to improve its security posture. 

If it has a web application firewall (WAF) with fraud and bot mitigation capabilities, it’s a real headache. If it blocks the country my bots are coming from (called a geolocation block), I need to change the source of the attack to an unblocked location. If it blocks based on the rate and volume of my attempts, then I must slow down the attack to stay under the radar. If it uses CAPTCHA or browser validation, then I must use more advanced techniques to defeat its defenses. Some companies are even looking at the network logs to determine if there is really a person on the other end of the connection, by looking at behavior. But for each defense, my research team comes up with a counter.

After I establish how to gain access to the right login sites for the victim, I also need to have access to the latest ammunition for my attacks — be that updated malware, new social engineering techniques for phishing emails, or a set of compromised usernames and passwords (often called credentials). For today, I’m going after accessing accounts to take them over, which means I need lots of credentials. This technique is called credential stuffing and is used to get access to customers’ accounts. If someone uses the same user credentials for multiple online accounts, then when one account is compromised the cybercriminals can use these credentials to gain access to all their other accounts. To make this scale, I have automated the process to try multiple compromised credentials against the company, hoping some of them have been reused. It works about 1% to 2% of the time, but if I have a million sets of credentials I’m looking at, that’s a good return on investment.

Once I get access to an account, I need to make sure I can sell it. I will often change the contact info so if the company detects an issue, it’ll reach out to me to confirm that everything is OK. Next, I will offer the account for sale to someone who can either transfer money through something as simple as buying gift cards or buying products that are shipped to members of the buyer’s money-laundering operations (called mules).

There are a number of variations to how the process works, depending on if someone on the Dark Web contracts for my services. So, that’s a typical day in my life. What I wish I could do is become part of a university research network. Those guys have it made — weekends off and meaningful work. That said, I do get to interact with a lot of interesting sites!


Steve Winterfeld is the Advisory CISO at Akamai. Steve is focused on being the voice of the customer for Akamai’s security vision and helping CISOs solve their most pressing issues. He brings experience with Zero Trust Security Architectures, and integrating multiple tools …

Article source: https://www.darkreading.com/attacks-breaches/day-in-the-life-of-a-bot/a/d-id/1336954?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


Unlocked S3 Bucket Lets 36,077 Jail Files Escape

The leaky repository belongs to JailCore, a cloud management and compliance platform used in several states’ correctional facilities.

Researchers found a misconfigured Amazon S3 bucket leaking sensitive data belonging to inmates of correctional facilities in Florida, Kentucky, Missouri, Tennessee, and West Virginia. Investigators are working to determine the status of other potentially affected state jails.

The leaky repository, discovered by vpnMentor’s research team on January 3, belongs to JailCore, a cloud-based management and compliance platform commonly used in US correctional facilities. It contained 36,077 records of sensitive inmate data including full names, mugshots, inmate IDs, booking numbers, activity logs, and a host of personal health information. The bucket was sealed by January 16, following disclosure to JailCore on January 5 and the Pentagon on January 15.

Data exposed in this incident includes medical records, which specify the drugs inmates are prescribed and taking during their incarceration. The bucket contained medicine names, dosages, and whether the patient accepted the drug. Full names of drug administrators and signatures of correctional officers were also compromised in the leak. While some state jails’ inmate data, such as current inmate rosters, is made publicly accessible, medical data and other personally identifiable information is not.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/unlocked-s3-bucket-lets-36077-jail-files-escape/d/d-id/1337008?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

China’s Military Behind 2017 Equifax Breach: DoJ

Four members of China’s People’s Liberation Army hacked the information broker, leading to the theft of sensitive data on approximately 145 million citizens.

The US Department of Justice has charged four members of China’s People’s Liberation Army with the massive May 2017 breach of information broker Equifax, making it purportedly the largest theft of sensitive personal information attributed to a state-sponsored group to date.

During the breach, hackers used a known vulnerability in the Apache Struts Web framework to compromise Equifax’s network and steal the names, addresses, birthdates, Social Security numbers, and other sensitive information on more than 145 million US adults from the company’s database. The breach has become the focus of multiple lawsuits, reportedly led to significant identity fraud, and will cost Equifax at least $1.4 billion in settlement and future security expenditures. 

With the indictment, the DoJ and FBI continue their efforts to hold other nations accountable for the hacking of US companies, FBI deputy director David Bowdich said during a press briefing on Monday.

“This [hack] is about more than targeting just an American business,” he said. “It is about the brazen theft of sensitive personal information of nearly 150 million Americans. This is the largest theft of sensitive PII [personally identifiable information] by state-sponsored hackers ever recorded. This indictment is also a reminder that — with their attacks on our economy, cyber-infrastructure, and our citizens — China is one of the most significant threats to our national security today.”

China has had a long history of using cyber espionage to steal intellectual property from US companies. More than a decade ago, Chinese operatives, later dubbed Elderwood and APT1, infiltrated Google and dozens of other companies in a series of attacks

China is not alone, of course. The US has issued indictments against nation-state hackers and intelligence operatives in Russia, Iran, and North Korea, and in many cases has linked economic sanctions against the countries and individuals for their hacking activity. Of course, the US has been caught a number of times using cyber operations against other countries, perhaps the most significant incident involving the Stuxnet attack that hobbled Iran’s nuclear processing capabilities.

“Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” said Attorney General William P. Barr in a statement announcing the indictment. “Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

During the press briefing, DoJ officials warned US citizens not to become inured to the steady drumbeat of breaches. While the perpetrators are unlikely to see the inside of a US courtroom, the investigation and indictment are necessary to pursue criminal acts, the FBI’s Bowdich said.

“We have seen so many breaches since 2017 … and we almost, as a country, have become immune to these breaches,” he said, adding that “we cannot think like that in this country. American businesses cannot be complacent about protecting their data and their intellectual property from our adversaries.”

Equifax cooperated extensively with the FBI, according to officials, who thanked the company. During the investigation, the FBI found that the attacker ran more than 9,000 queries against the company’s database to first locate and then download sensitive data over an encrypted channel.

“I cannot overstate the importance of the victim company working closely with us after an intrusion like this,” the FBI’s Bowdich said. “This investigation started with minimal evidence — no more than 40 IP addresses for servers located throughout the world and a handful of malicious computer programs. The hackers tried to hide the origin and the location of the Internet traffic using servers around the world to infiltrate Equifax’s network. But their attempts to cover their tracks failed.”

Investigators were able to link the attack to the four Chinese intelligence agents by analyzing network logs and forensic images of hard drives and reverse-engineering the malware used. In addition, the FBI “obtained legal process to create a digital footprint linking the hackers to the intrusion.” 

Despite the fact that the investigation took almost three years to come to completion and the FBI will likely never apprehend the operatives behind the attacks, Bowdich said investigating and taking action are necessary.

“We in law enforcement will not let hackers off the hook just because they are halfway around the world,” he said. “That’s why we are here today, years after this investigation began in 2017, calling out the Chinese government for its illegal activity.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/chinas-military-behind-2017-equifax-breach-doj/d/d-id/1337009?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Frustrated author cybersquats novelist’s website

If you visit the website of renowned Canadian novelist Patrick deWitt today, you’ll see a surprising message. “THIS IS NOT PATRICK DEWITT”, it says.

That’s because the domain has been taken over by a cybersquatter. Not just any cybersquatter, mind – this one has literary ambitions.

The unpublished writer apparently noticed that deWitt had let the domain lapse, and decided to register it for themselves. Clicking on the page takes you to an about section, which announces:

Patrick deWitt is an award-winning author who has written 4 best-selling novels.

This is not his site.

I have not made any films. I have not written any award-winning books.

If you want to do something that is singularly unrewarding, write a novel.

Anyway, Patrick deWitt wasn’t using this site, so rather than waste your time with a blank page, I thought I would join you here and we could share a moment.

As if that wasn’t cheeky enough, the sneaky scribe has also posted their own manuscript on the site. Called In God’s Silence, Them Devils Sang, the author describes it as an acid western.

The news hit the internet last week, but this has been going on for a while. The first instance of the cybersquatter’s site shows up on the Wayback Machine (a site that archives snapshots of web pages) on 10 November 2018. Let’s Encrypt issued an SSL certificate for the domain on 11 July 2019, although the mysterious cybersquatter doesn’t seem to be using it as yet. As of today, the site was still using plain old HTTP.

The cybersquatter also seems to have toned down the cockiness following the online attention. As recently as 12 January this year, the site contained a slightly longer message, adding the following to the about section:

PS. Mr deWitt, If you want the site back, just let me know. I’m not trying to blackmail you, your producers, the publishing house or your literary agent. I just want y’all to read my manuscript.

Oh f[*]ck, I just realized that’s the dictionary definition of blackmail. Sorry, I guess I just meant I don’t really give a f[*]ck about money.

As of yesterday, the current version of the site also features a different piece of writing altogether: a first-person account of life as a captive orca. From acid western to Free Willy.

deWitt is a self-proclaimed internet hermit, not because he’s sniffy about popular culture in any way, but rather because he finds it too addictive. In a 2015 Buzzfeed interview, he said that he loves distracting media so much that he had to turn his back on it so that he could concentrate. That apparently included letting his domain go.

His legitimate site last showed up on the Wayback Machine on 24 November 2014, publicising his novel The Sisters Brothers. By 17 December 2014 it had been replaced with an error message explaining that the site couldn’t be displayed. That message stuck around for years, interspersed with the occasional parked site page.

Things could have been a lot worse for deWitt. Having your site cybersquatted isn’t ideal, but at least the perp is being upfront about it and not trying to pass himself off as the award-winning author. Even if you don’t plan on maintaining a website that has carried your image or work at some point in time, it pays to keep the domain registered to protect your reputation (not to mention any email addresses that may have been associated with it, which whoever holds the domain can receive).


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kJgrSESCUjo/

FBI director warns of sustained Russian disinformation threat

Russia is still using social media in a sustained campaign to dabble in US affairs, according to FBI director Chris Wray.

Wray, speaking at a House Judiciary Hearing on FBI Oversight on Wednesday 5 February, said that Russia is still engaged in an “information warfare” campaign against the US, according to a report by the Associated Press.

Wray singled out disinformation campaigns as a particular threat to the US in his testimony, warning:

The goal of these foreign influence operations directed against the United States is to spread disinformation, sow discord, push foreign nations’ policy agendas, and ultimately undermine confidence in our democratic institutions and values.

The FBI has a three-pillar approach, Wray said, beginning with an open investigation into foreign influence activities spanning field offices around the country. Second, it works with international partners and US intelligence agencies to share information. Finally, it regularly meets with social media companies to brief them on the latest threats, sharing specific account information, he said.

Social media had injected “steroids” into Russia’s disinformation efforts, Wray reportedly said, adding that Russia seized on issues that Americans felt passionately about to pit people against each other. It combined this with attempts to weaken confidence in US elections.

There is no evidence that Russia is targeting election infrastructure this year, though, he admitted.

A Senate report released last July also documented a concerted campaign by Russia to target election systems across all 50 states in the run-up to the 2016 election. It gained access to at least some, including Illinois, where it had the ability to alter and delete voter data. There is no evidence it did so.

That doesn’t mean the threat isn’t there. In fact, Shelby Pierson, the election security threats executive for the Office of the Director of National Intelligence, warned last month of 2020 election threats that are “frankly, more sophisticated”, including nation-states beyond Russia.

While attacks on election infrastructure become a concern every four years, Wray pointed out that the disinformation threat applies outside election season too:

This is not just an election-cycle threat. Our adversaries are continuously trying to undermine our country, whether it is election season or not.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KHa-fKvAVcA/

Facebook encrypted messaging will ‘create hiding places for child abuse’

Last year, Facebook announced that it would stitch the technical infrastructure of all of its chat apps – Messenger, WhatsApp and Instagram – together so that users of each app can talk to each other more easily.

The plan includes slathering the end-to-end encryption of WhatsApp – which keeps anyone, including law enforcement and even Facebook itself, from reading the content of messages – onto Messenger and Instagram. At this point, Facebook Messenger supports end-to-end encryption only in “secret conversations” mode: a mode that’s off by default and has to be enabled for every chat. Instagram has no end-to-end encryption on its chats at all.

“As you would expect, there is a lot of discussion and debate as we begin the long process of figuring out all the details of how this will work,” Facebook has said – including, of course, the fact that law enforcement would be shut out of viewing messages on yet more chat apps.

That discussion now includes an open letter, signed by 129 child protection organizations around the world and sent to CEO Mark Zuckerberg on Thursday. The groups, led by the UK’s National Society for the Prevention of Cruelty to Children (NSPCC), are urging the company to stop its plans until “sufficient safeguards” are in place.

According to news outlets that have seen the letter, it says that Facebook could be building on “years of sophisticated efforts” to protect children online, but is instead “inclined to blindfold itself.”

More from the letter:

We urge you to recognize and accept that an increased risk of child abuse being facilitated on or by Facebook is not a reasonable trade-off to make. Children should not be put in harm’s way either as a result of commercial decisions or design choices.

The NSPCC said in December 2019 that police in the UK recorded over 4,000 instances – an average of 11 per day – where Facebook apps were used in child abuse image and online child sexual offenses during the prior year.

The group warned that end-to-end encryption on all of its messaging apps will allow child abuse to go undetected, unless Facebook first puts clear safeguards in place, saying that encrypted messaging creates “hiding places” for child abuse.

The platform will no longer be able to see and report illegal content to law enforcement, so police will be left working in the dark.

More serious child abuse will likely take place on Facebook-owned apps as abusers won’t have to move their victims off the platform to other encrypted ones to groom them.

Government pushback against encryption

While some digital rights groups have applauded Facebook’s move to stronger encryption, some governments – those of the US, Britain and Australia – have not. In December 2019, the US Congress told Facebook and Apple that they had better put backdoors into their end-to-end encryption, or laws would be passed that force tech companies to do so.

In their open letter, the child protection groups told Facebook that they recognize users’ legitimate interest in ensuring that their data is protected, but that doesn’t negate the platform’s responsibility to help in investigations:

However, as you yourself have stated, Facebook has a responsibility to work with law enforcement and to prevent the use of your sites and services for sexual abuse.

In January, the UK’s Information Commissioner’s Office (ICO) published a code to ensure that online companies protect kids from harm, be it showing kids suicidal content, grooming by predators, illegal collection of and profiteering from children’s data, or all the “smart” toys and gadgets that enable children’s locations to be tracked and creeps to eavesdrop on them.

In Thursday’s open letter to Facebook, child protection groups urged Facebook to back off of its encryption plans until safeguards for children’s safety are in place.

Facebook’s response

David Miles, Facebook’s head of safety for Europe, the Middle East and Africa, said in a statement that encryption does, in fact, protect people:

Strong encryption is critically important to keep everyone safe from hackers and criminals.

…and that Facebook will work on protecting children online as part of the long slog to getting end-to-end encryption everywhere:

The rollout of end-to-end encryption is a long-term project; protecting children online is critically important to this effort and we are committed to building strong safety measures into our plans.

Miles said that Facebook is already working with law enforcement, government and tech companies to keep children safe online.

Not the first letter Facebook’s received

In October 2019, three governments warned Facebook that it had better end – or at least pause – its “encryption on everything” plan.

US Attorney General William Barr and law enforcement chiefs of the UK and Australia signed an open letter calling on Facebook to pause until it figures out a way to give law enforcement officials backdoor access so they can read messages.

“No,” Facebook said – with all due respect to law enforcement and its need to keep people safe.

Facebook responded by releasing its own open letter, penned in response to Barr.

In the letter, WhatsApp and Messenger heads Will Cathcart and Stan Chudnovsky said that any backdoor access into Facebook’s products created for law enforcement would weaken security and let in bad actors who would exploit the access. That’s why Facebook has no intention of complying with Barr’s request that the company make its products more accessible, they said:

The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ns3LDtnKrEc/