STE WILLIAMS

Under Armour App Breach Exposes 150 Million Records

A breach in a database for MyFitnessPal exposes information on 150 million users.

Tracking your fitness goals is good for you. It can be worrying, though, if the information from your fitness tracker is exposed to criminals. That’s the state some fitness buffs find themselves in after a breach of 150 million user accounts from the MyFitnessPal app from Under Armour.

The company has said that they have seen no evidence that any accounts have been logged into by an unauthorized user or that any illicit login attempts have been made. In an email to those affected they suggest that all MyFitnessPal users immediately change their passwords, a step that will ultimately be required for all users.

According to a statement from the company, on March 25 Under Armour became aware that someone had gained access to the data in late February, with the ability to see usernames, email addresses, and hashed passwords. (Under Armour’s own notice says most of the passwords were hashed with bcrypt; the remainder were hashed with SHA-1, which is far cheaper to crack, so those users in particular should treat the password as exposed and change it anywhere it was reused.) Under Armour stated that no Social Security numbers were seen because it doesn’t collect them, and no payment card numbers were stolen because that information is stored in a separate system.

Under Armour says that they do not know the hacker’s identity, though they are continuing to work with law enforcement agencies on the investigation.


Article source: https://www.darkreading.com/endpoint/privacy/under-armour-app-breach-exposes-150-million-records/d/d-id/1331411?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

Except that March update didn’t fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.

Total Meltdown

Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s out-of-band update for CVE-2018-1038.

Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month’s updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008 R2.

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

Frisk told El Reg he only learned the OS-level bug was still present yesterday. When he went live with the flaw on his blog earlier this week, it was with the blessing of Microsoft’s security group on the belief the March update had addressed everything.

Needless to say, if you own or administer either a Windows 7 or Server 2008 R2 system, you will want to test and deploy this fix as soon as possible. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/29/microsoft_meltdown_out_of_band_patch/

MITRE Evaluates Tools for APT Detection

A new service from MITRE will evaluate products based on how well they detect advanced persistent threats.

What happens during a cybersecurity attack? How do you know if one is underway? Those are among the questions that MITRE answers with its ATT&CK (pronounced “attack”) knowledge base and a new product evaluation service based on the data.

With the new offering, MITRE will evaluate endpoint detection and response products for their ability to detect advanced threats. “There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principal cybersecurity engineer at MITRE. He explains that the methodology and knowledge base MITRE uses will allow those reading the results to understand what MITRE is evaluating, how it’s performing the evaluation, and what the results mean.

The knowledge base for ATT&CK (which stands for Adversarial Tactics, Techniques, and Common Knowledge) is seen as an asset by others, as well. In a tweet about ATT&CK, Microsoft Windows Defender security researcher Jessica Payne wrote, “If you have ever wondered ‘how does an APT do ___?’ or wanted to emulate an actual adversary in a Red Team, this database is a great start.”

Duff says the knowledge base originally was collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives. It has always been compiled from publicly available sources, he says, so there’s no “contamination” from internal MITRE information and no issue with sharing the resource back to the community.

It’s important, Duff says, to understand that MITRE is performing an evaluation, not a test. And to keep the evaluation manageable and meaningful against a huge data set, MITRE is very tightly focusing the first evaluation. The first round will be based on APT3/Gothic Panda and will evaluate the products’ ability to detect the threat.

Focusing on detection, Duff says, allows MITRE to perform a purely objective evaluation and provide objective results. In a statement, MITRE says that information it will provide from results includes “the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product’s ability to detect the emulated adversary behavior.”

Those results will be available to the public, Duff says, because it’s important both to be transparent and to contribute to the general community’s base of knowledge. And the general community has been asking for this kind of evaluation. Duff says that security vendors have been eager to map their capabilities to ATT&CK and their customers have approved, but those customers have also been reluctant to simply take the vendors’ word about how they perform. That’s where MITRE will step in.

The call for vendors to participate in the first round closes on April 13, 2018.


Article source: https://www.darkreading.com/perimeter/mitre-evaluates-tools-for-apt-detection/d/d-id/1331407?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why you shouldn’t trust a stranger’s VPN: Plenty leak your IP addresses

Virtual Private Networks, or VPNs, turn out to be less private than the name suggests, and not just because service providers may keep more records than they acknowledge.

Security researcher Paolo Stagno, also known as VoidSec, has found that 23 per cent (16 out of 70) of VPNs tested leak users’ IP address via WebRTC.

The privacy problem presented by WebRTC is not new. The issue has been known at least since 2015.

WebRTC is a popular free open-source project that has been implemented in web browsers to allow real-time communication via JavaScript APIs. It’s used to implement browser-based chat apps, for example.

The protocol is often employed with the ICE (Interactive Connectivity Establishment) framework and STUN (Session Traversal Utilities for NAT) servers, among other options.

A WebRTC client asks a STUN server to discover the public address that its NAT (or, when a VPN tunnel is in use, the VPN) presents to the internet, in much the same way that a home router acts as a network intermediary between local devices and the external internet. The privacy problem arises when the browser’s STUN traffic reveals the machine’s real ISP-assigned address or its local network addresses rather than the VPN’s exit address.


According to Stagno, WebRTC can be queried to return information that should remain private.

“WebRTC allows requests to be made to STUN servers which return the ‘hidden’ home IP-address as well as local network addresses for the system that is being used by the user,” he said in a post on Tuesday.

Such requests aren’t normally visible because they aren’t ordinary HTTP traffic (the browser itself sends the STUN requests over UDP, so they don’t appear alongside a page’s XMLHttpRequest calls), he explains, but they can be triggered from JavaScript. Stagno says the technique works in any browser that supports both WebRTC and JavaScript.

And in many browsers – Brave, Chrome (desktop and Android), Firefox, Samsung Internet Browser, Opera, Vivaldi – WebRTC and JavaScript are enabled by default.
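The probe Stagno describes is small enough to show in full. The following is an added example, not code from VoidSec or from the article: the browser-only part drives RTCPeerConnection at a STUN server (the Google STUN URL used here is an assumption; any STUN server works) exactly the way a leak-test page does, and the rest classifies what the candidates reveal so the result can be compared against the address your VPN is supposed to show. The candidate lines at the bottom are constructed for the demonstration, not captured from a real VPN; the mDNS (`.local`) handling covers a later browser change, in which Chrome and Firefox replace host-candidate IPs with throw-away names, that the 2018 article predates.

```javascript
// Parse one ICE "candidate:" attribute (RFC 8445 / RFC 5245 syntax), e.g.
//   candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  const c = { address: f[4], port: Number(f[5]), type: f[7], relatedAddress: null };
  const r = f.indexOf('raddr');            // srflx/relay candidates carry the pre-NAT address
  if (r !== -1 && f[r + 1]) c.relatedAddress = f[r + 1];
  return c;
}

// RFC 1918, link-local and loopback IPv4; link-local, ULA and loopback IPv6.
function isLocalAddress(a) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(a);
  if (m) {
    const o1 = Number(m[1]), o2 = Number(m[2]);
    return o1 === 10 || o1 === 127 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
           (o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254);
  }
  const v6 = a.toLowerCase();
  return v6 === '::1' || v6.startsWith('fe80:') || v6.startsWith('fc') || v6.startsWith('fd');
}

// Newer browsers hide host-candidate IPs behind a random <uuid>.local name,
// which reveals nothing about the machine, so those are not counted as leaks.
function isMdnsName(a) { return /\.local$/i.test(a); }

// Compare every address WebRTC is about to hand the page with the address the
// VPN is supposed to present. A LAN address is a local-network leak; any other
// public address is the real ISP address showing through the tunnel.
function leakReport(candidateLines, vpnExitIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const a of [c.address, c.relatedAddress]) {
      if (!a || isMdnsName(a)) continue;
      if (isLocalAddress(a)) leaks.push({ kind: 'local', address: a, via: c.type });
      else if (a !== vpnExitIp) leaks.push({ kind: 'public', address: a, via: c.type });
    }
  }
  return leaks;
}

// Browser-only: gather candidates the way a leak-test page does. Resolves with the
// raw candidate lines once ICE gathering ends (or after the timeout).
function probeWebRTC(stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      reject(new Error('RTCPeerConnection not available; run this in a browser'));
      return;
    }
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    const done = () => { pc.close(); resolve(lines); };
    pc.createDataChannel('probe');       // ICE only runs once there is something to negotiate
    pc.onicecandidate = (ev) => (ev.candidate ? lines.push(ev.candidate.candidate) : done());
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
    setTimeout(done, timeoutMs);
  });
}

// Constructed sample (not a capture): a LAN host candidate, a STUN-derived
// server-reflexive candidate exposing an ISP address, and an mDNS-obfuscated host.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
  'candidate:3 1 udp 2122194687 0c8b1f4e-1b3a-4d52-9d5e-2f1a3b4c5d6e.local 51235 typ host generation 0',
];

// In a browser, with the VPN connected:
//   probeWebRTC().then((lines) => console.table(leakReport(lines, '<your VPN exit IP>')));
```

A clean result is an empty report, or one whose only public address is the VPN exit. Disabling WebRTC in the browser (the fix the article goes on to recommend) makes `probeWebRTC` reject, which is the behaviour you want to see.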

The list of leaky VPNs is available on VoidSec’s website.

Stagno suggests disabling WebRTC, among other measures to protect privacy. In Chrome, that requires an extension, such as uBlock Origin. In other browsers, the fixes vary.

Those in the security industry tend to frown on commercial VPN providers on the basis that they don’t always act in their customers’ interests. Some log your activity, some track you to push ads your way, and some are just plain insecure. Free ones in particular should be avoided.

El Reg suggests, if you have the skills, roll your own using your mastery of network administration – and try OpenVPN, Trail of Bits’ Algo or Jigsaw’s Outline software. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/29/almost_a_quarter_of_vpns_tested_leak_ip_addresses/

Jaywalkers to be named, shamed and fined thanks to facial recognition

Facial recognition: so many uses!

The potential must make heads spin at police departments, pet-door manufacturing companies and municipal toilet paper requisition departments!

Because yes of course Chinese police got facial recognition glasses to find suspects in the massive human migration that is China’s annual Lunar New Year, Microsoft built a pet door that can unlock for Fluffy but not for whatever’s built a nest under the compost pile, London police’s system couldn’t even tell the difference between a young woman and a balding man at the recent Notting Hill Carnival, and Hey! Get lost, you! We already gave you 60cm of toilet paper!

Here’s a new application: automatically ticketing the scourge of society known as jaywalkers.

The New York Post reports that surveillance-happy China is on the path to being all the happier, given that jaywalkers are going to be publicly named, shamed and slapped with an instant fine sent via text.

The South China Morning Post reported on Tuesday that traffic police in the southern Chinese city of Shenzhen – they already enjoy a reputation for strict enforcement of road rules in the city of 12 million – are going to identify jaywalkers with the help of artificial intelligence (AI) and facial recognition technology.

There will be nothing subtle about this. There will be large LED screens placed at intersections to display the faces of jaywalkers. South China Morning Post says that an AI firm based in Shenzhen, Intellifusion, that already provides technology to the city’s police is now in talks with local mobile phone carriers and social media platforms such as WeChat and Sina Weibo to develop the instantaneous texted-fine system.

Some cities, including Beijing and Shanghai, have already used AI and facial recognition to regulate traffic and identify drivers who violate road rules. Shenzhen traffic police launched the jaywalker campaign when it began displaying their photos on the large LED screens at major intersections starting last April.

You may well ask what kind of database the city has, to be able to identify all jaywalkers in that huge city, including displaying their family names and part of their government identification numbers on the LED screens.

So far, Shenzhen traffic police announced last month, some 13,930 jaywalkers were recorded and displayed at just one busy intersection in the 10 months leading up to February. Well, that’s not all that much, considering: traffic police say that in 2016, 123,200 cases of jaywalkers were recorded in the city.

According to NextShark, the system works with a camera that’s triggered whenever somebody enters the crosswalk during a red light. Shenzhen Traffic Police Technology Department Chief officer Li Qiang told the publication that the camera captures a photo of the jaywalker’s face, then automatically sends it to the LED screen and to a police database for identification.

Wang Jun, Intellifusion’s director of marketing solutions, told South China Morning Post that the system will register how many times a repeat offender has violated traffic rules. After a point, Wang said, the offender’s social credit score will take a hit, which in turn may limit their ability to take out loans from banks.

So back to that database: South China Morning Post says that most people in Shenzhen, which has “one of the most transient populations in China,” aren’t in it. In fact, authorities can only identify 10 percent of offenders with their new AI facial recognition.

No problem, Wang said: that number will skyrocket after government departments merge their databases, which is set to happen soon.

It sounds, in other words, as if China is following the path that so many other law enforcement agencies in other countries have taken: they’ll smush databases together into monoliths mostly full of innocent people’s likenesses, prone to massive false identification rates.

Take the FBI, for example: during a US House oversight committee hearing on the FBI’s use of facial recognition, it emerged that 80% of the people in the FBI’s massive database don’t have any sort of arrest record. Yet the system’s recognition algorithm inaccurately identifies them during criminal searches 15% of the time.

That’s a lot of people wrongly identified as persons of interest to law enforcement, and it’s easy to see how China’s use of the technology could lead to a whole lot of people wrongly fined, wrongly tagged as scofflaws, and wrongly shamed on public media.

It’s not just the FBI that experiences these issues with the technology: in the UK, the Home Office’s database of 19m mugshots contains hundreds of thousands of facial images that belong to individuals who’ve never been charged with, let alone convicted of, an offense.

But hey. Surveillance cams. Catching jaywalkers in the act. Tracking all citizens. What police department can resist, particularly in China?

According to the BBC, with 170 million CCTV cameras already up, and another 400 million new ones set to be installed in the coming three years, China’s building what it calls “the world’s biggest camera surveillance network”.

Who will stand up for privacy and inaccurately identified, innocent people?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QXUbgvT7jHA/

Stop swearing on Skype! And don’t even think about sending that nude selfie…

No more potty mouth on Microsoft Services!

No more swearing on Skype, in Outlook.com emails, in Office 365 documents, or on Xbox, Microsoft has told customers.

As of May 1, a new Microsoft Services Agreement will ban offensive language. Oh, and bestiality, too, plus a slew of other unsavory content types.

Here’s the new code of conduct:

Don’t publicly display or use the Services to share inappropriate content or material (involving, for example, nudity, bestiality, pornography, offensive language, graphic violence, or criminal activity).

The new offenses, which can get you kicked from services or lose you your Microsoft account, join the garden-variety evil villain ones: transmitting viruses, stalking, posting terrorist content, communicating hate speech, advocating violence against others, copyright infringement, and manipulating services to increase play count, among others.

What you’re up against if you violate the new terms:

…we may stop providing Services to you or we may close your Microsoft account. We may also block delivery of a communication (like email, file sharing or instant message) to or from the Services in an effort to enforce these Terms or we may remove or refuse to publish Your Content for any reason. When investigating alleged violations of these Terms, Microsoft reserves the right to review Your Content in order to resolve the issue. However, we cannot monitor the entire Services and make no attempt to do so.

The list of covered services includes:

  • Skype
  • Windows Live Mail
  • Office 365
  • Bing
  • Cortana
  • OneDrive.com
  • OneDrive
  • OneNote.com
  • Outlook.com
  • Xbox Live

No swearing or offensive language on Xbox Live? Well, hallelujah and good luck to you on that, Microsoft. Very young voices pipe up with very rude injunctions on the gaming platform’s chat features. Bullying and harassment run amok: it seems like shock-value is a game unto itself. So OK, good for Microsoft: now it’s got a policy to justify kicking off the jerkiest jerks. Microsoft has this code of conduct to spell out how Xbox Live customers are expected to behave.

With regards to Microsoft censors listening in on our Skype conversations for blue language or photos sent via email that are just way too sexy – or illegal – the company assured The Register that it doesn’t listen to Skype calls, and it’s not actively poking its nose into our stuff…

…as long as nobody complains, that is. Microsoft clarified that if it receives a complaint about a potential breach of the code of conduct, be it in a Skype chat, an email or whatever, it may examine private files and conversations.

So while Microsoft says it’s not actively policing content, you could still start blipping on its radar if somebody were to complain about, say, an Office 365 email stuffed full of profanity, or a nude selfie you sent them via Outlook.com, or using the Bing search engine to enter strings that insult someone.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n5E9rEp-vtc/

Microsoft’s Windows 7 Meltdown patch created ‘worse’ flaw

Microsoft’s updates for the Meltdown microprocessor mega-flaw inadvertently left users running Windows 7 64-bit systems open to a “way worse” flaw, a researcher has claimed.

To recap, Meltdown (CVE-2017-5754; the Linux kernel’s countermeasure was briefly nicknamed F**CKWIT) is a hardware vulnerability, uncovered almost simultaneously by several groups of researchers and demonstrated with working proof-of-concept code, through which unprivileged code running as an ordinary application can read the contents of kernel memory (passwords and encryption keys, say) that it should never be able to see.

An extremely inviting target for any attacker, which is why Microsoft sprang into action to mitigate the vulnerability across different Windows versions in two rounds of updates in January and February (the firmware and microcode updates from hardware vendors addressed the related Spectre variants rather than Meltdown itself).

But according to Ulf Frisk, something went awry starting with the January update when applied to Windows 7 and Windows Server 2008 R2: it mis-set the access permissions on something called the Page Map Level 4 (PML4), the top-level page table.

This is a table used by Intel microprocessors to “translate the virtual addresses of a process into physical memory addresses in RAM.”

Set correctly, only the kernel can read or write this table. With the permission bit wrong, any user-mode code could read and write the page tables, and through them all of physical memory: an attacker aware of the flaw could break out of the application space and take over the system without needing any further bug.

All this from a simple software mistake:

No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!
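Both Meltdown-patch pieces on this page (the Register’s “Total Meltdown” item above and this one) describe the bug only in prose. As an added example, not Frisk’s code and not Microsoft’s, the following works the page-table arithmetic behind it and expresses the vulnerable condition as a check. It assumes, from Frisk’s public write-up rather than from this page, that Windows 7 x64 keeps the PML4 self-reference at index 0x1ED (later Windows versions randomise it); the PML4 contents below are constructed, and checking a live machine would need a physical-memory read of the kind Frisk’s own tooling performs.

```javascript
// x86-64 page-table entry bits (Intel SDM vol. 3A, "4-Level Paging").
const PTE_PRESENT  = 1n << 0n;
const PTE_WRITE    = 1n << 1n;
const PTE_USER     = 1n << 2n;          // U/S = 1: ring 3 may use this mapping
const PTE_PFN_MASK = 0x000FFFFFFFFFF000n;
const CANONICAL_HI = 0xFFFF000000000000n;

// Assumption taken from Frisk's write-up: Windows 7 x64 keeps the PML4
// self-reference in a fixed slot (Windows 10 randomises it).
const WIN7_SELFREF_INDEX = 0x1EDn;

function decodePte(entry) {
  return {
    present:  (entry & PTE_PRESENT) !== 0n,
    writable: (entry & PTE_WRITE) !== 0n,
    user:     (entry & PTE_USER) !== 0n,
    pfn:      (entry & PTE_PFN_MASK) >> 12n,
  };
}

// Sign-extend a 48-bit linear address into canonical 64-bit form.
function canonical(va) {
  return (va & (1n << 47n)) ? (va | CANONICAL_HI) : va;
}

// Linear address assembled from the four 9-bit table indices plus a page offset.
function buildVa(pml4i, pdpti, pdi, pti, offset = 0n) {
  return canonical((pml4i << 39n) | (pdpti << 30n) | (pdi << 21n) | (pti << 12n) | offset);
}

// Where the PML4 page itself appears in virtual memory when slot `idx` points
// back at the PML4: all four indices equal `idx`.
function selfrefPml4Va(idx) {
  return buildVa(idx, idx, idx, idx);
}

// Virtual address of the PTE that maps `va`, reached through the self-reference.
// Windows 7 mapped this region into every process, which is why, once the U/S
// bit was wrong, plain reads and writes here were the whole "exploit".
function pteVaFor(idx, va) {
  return canonical((idx << 39n) | ((va >> 9n) & 0x7FFFFFFFF8n));
}

// The Total Meltdown condition: the self-referencing PML4E is present, really
// points at the PML4's own frame, and is marked user-accessible.
function selfrefIsUserAccessible(pml4, pml4Pfn, idx = WIN7_SELFREF_INDEX) {
  const e = decodePte(pml4[Number(idx)]);
  return e.present && e.pfn === pml4Pfn && e.user;
}

// Constructed PML4 pages for the demonstration (not dumps of a real machine).
// broken = true models the January/February patch; false models a correct table.
function examplePml4(broken) {
  const pml4 = new Array(512).fill(0n);
  const pml4Pfn = 0x187n;                 // constructed: PML4 lives at physical 0x187000
  let flags = PTE_PRESENT | PTE_WRITE;    // supervisor-only is the correct setting
  if (broken) flags |= PTE_USER;
  pml4[Number(WIN7_SELFREF_INDEX)] = (pml4Pfn << 12n) | flags;
  return { pml4, pml4Pfn };
}
```

With index 0x1ED the arithmetic reproduces the addresses Windows 7 is known for: the PML4 maps itself at 0xFFFFF6FB7DBED000 and the PTE array starts at 0xFFFFF68000000000. Every process could see that range; the only thing standing between ring 3 and those entries was the supervisor bit the faulty patch cleared.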

How should Windows users react?

According to Frisk, Microsoft’s March update patched the problem, so if you are up to date then the newly-introduced PML4 bug has now been removed. As the Register piece earlier on this page reports, however, the March update turned out to be incomplete and Microsoft followed it with an out-of-band fix for CVE-2018-1038, so “up to date” means that update too.

Only Windows 7 x64 and Windows Server 2008 R2 systems that received the January and/or February updates were affected:

Other Windows versions – such as Windows 10 or 8.1 are completely secure with regards to this issue and have never been affected by it.

It’s not often that a security update makes a system more vulnerable than it was before its application, but that appears to be the bottom line with this one.

First came the mitigation for the flaw, which created a new and separate flaw, which required a new fix to patch the fix.

This brings home how difficult it can be to either mitigate or fully patch security flaws that have their origin in the way hardware was designed anything up to two decades ago.

These flaws exist at such a low level that even a small mistake can open another vulnerability.

Not to mention that emboldened researchers are now poking around at this level looking for new vulnerabilities and oversights, resulting in a trickle of new proofs of concept with a side-channel theme.

Pushing mitigations and patches that don’t slow down microprocessors or create new problems while fending off inquisitive researchers is putting Microsoft, Intel and other big vendors outside their comfort zone.

Baffled users look on and wonder what it all means.  As far as 2018 is concerned, the answer is most likely a lot more work and unpredictability.

For a definitive explanation of these vulnerabilities and why they matter, read our take on Meltdown and Spectre.

And make sure to apply the latest patches from Microsoft – like we always say, Patch Early, Patch Often.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/svYhubHs-2Q/

Firefox add-on limits Facebook’s tracking of you

Long gone are the days when Facebook was just a way to keep in touch with friends and family. Many of us don’t think twice about signing up or logging in to an app or retailer’s website through our Facebook account, and using Facebook to leave comments is so ubiquitous that it just seems like a normal part of the internet experience.

Long after we’ve closed that Facebook tab, our Facebook accounts continue to follow and monitor us everywhere we go online, all in the pursuit of mining us for marketing data and serving us targeted advertisements.

Most of us remember that it wasn’t always this way. Privacy advocates have long warned about overreach in how Facebook tracks user data, and there are certainly ways to curtail what Facebook knows about your internet activity (that is, if you must use Facebook at all) – clearing cookies frequently, disabling JavaScript, using ad and tracker blocker plugins and so on.

All of these methods chip away at the creeping moss of Facebook surveillance, a term that would have seemed absolutely laughable just a few years ago. But with the revelations about Facebook data misuse by Cambridge Analytica, more users are taking a hard look at what exactly they’ve tacitly consented to by using Facebook, and how much they really want to allow it to peek into more and more facets of their lives.

To make it easier for people to keep the Facebook experience precisely where one might expect it to be – within the browser tab where it is running, and nowhere else – Mozilla has released a new extension called Facebook Container for its Firefox browser. In Mozilla’s own words, the extension “prevents Facebook from tracking you around the web.” Essentially, it keeps all Facebook activity within the browser tab where you are actively looking at Facebook, and it slaps Facebook’s hand if it tries to do anything outside of that tab.

So much of what we’ve become used to as internet-ubiquitous in the past few years – commenting on a page with a Facebook account, logging in to a service with Facebook credentials, liking a page or a comment outside of Facebook – will no longer work (or will mostly not work) within Firefox if you have this extension installed.

As this runs in the browser, it doesn’t change Facebook’s behavior at the core. So if you use Facebook in a different browser, or in another Firefox profile that doesn’t have the extension, these protections won’t apply. And it certainly wouldn’t affect how Facebook’s mobile app tracks you or collects data on your activity.

(If you’re really concerned about the data Facebook is collecting on you but can’t quite get on the #DeleteFacebook train, using this browser extension and deleting the app from your phone is a good compromise.)

If you’re a Firefox user, here’s how to run the extension

As soon as you install the extension, it will log you out of Facebook, so don’t be surprised if you see the login screen the first time you go back after installing. (You won’t have to re-login every time to Facebook after this though.)

You’ll notice that when you browse Facebook, your tab will now have a blue line under the title. This applies to Facebook only and serves to highlight where you have a Facebook session active.

If you browse to another website in the same tab where you were running Facebook, the blue line goes away AND you won’t be able to hit the “back” button to navigate to Facebook again. Facebook won’t follow you after you leave the site, even if you use the same tab.

Most Facebook plugins outside of the Facebook site will no longer work, or work properly. This means things like leaving comments via your Facebook account on other sites won’t work, and logging in to services with your Facebook account might not work.

For example, I was not able to leave a comment on any site I knew of that used the Facebook comment plugin, but I was still able to authenticate to some services where I had signed up with my Facebook credentials, including Spotify.

(In the case above, hitting Log In to Post does send you back to Facebook, but the page is broken and your comment will not post.)

So, no, this plugin will not stop Facebook from functioning completely outside of facebook.com, but it will significantly slow it down. It’s a pretty decent speedbump at that – forcing people to be more aware of how Facebook collects data about them is a helpful exercise, especially after the Cambridge Analytica story came to light.

This extension is effective in its simplicity. There are certainly other extensions and even other browsers that will go further – again, provided that you won’t or can’t opt out of Facebook entirely – but this is a great option for many people who might not have known that they really can take action to control how they are tracked online, or how to use available technology to enable that kind of control.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QIQsHbpEZ_k/

Hackers hit 911 system, emergency dispatch affected

On Sunday, a hacked server forced Baltimore’s emergency service dispatchers to abandon automated dispatching and handle calls manually.

According to the Baltimore Sun, the breach was confirmed by Mayor Catherine Pugh’s office, the FBI (which is helping with the investigation), Baltimore Police Commissioner Darryl De Sousa, and CIO Frank Johnson from the Mayor’s Office of Information Technology.

James Bentley, a spokesman for Pugh, told the newspaper that the attack, which came around 8:30 am on Sunday morning, affected messaging functions within the computer-aided dispatch (CAD) system.

The CAD system supports the 911 emergency service and the 311 mayor’s hotline. Johnson called it a “limited breach.” Services that back up the two numbers “were temporarily transitioned to manual mode,” he said, and continued to operate without disruption.

The Baltimore Sun quoted Johnson:

This effectively means that instead of details of incoming callers seeking emergency support being relayed to dispatchers electronically, they were relayed by call center support staff manually.

After isolating the affected server and taking it offline, city workers did a “thorough investigation of all network systems,” Johnson said, and had the problem fixed and the server back online as of 2 am Monday.

Police Commissioner De Sousa said that police response time to crime reports didn’t slow down due to the attack.

There were no suspects as of Tuesday, and the motive for the hack was unknown. Nor is it known if this was the first such attack on Baltimore’s 911 system.

There are all sorts of motives that have been at the heart of similar attacks, though. As the Baltimore Sun reports, and as was confirmed by an association that represents 911 professionals across the country, there’s not much by way of personal or financial data on these systems.

The systems can, however, store some medical information and can give attackers access to cities’ important mapping systems. Taking them down also affects cities’ ability to quickly respond to disasters.

The newspaper quoted Brian Fontes, the CEO of the National Emergency Number Association (NENA):

If I’m a bad actor out there and I wanted to do some real harm beyond the 911 center, one of the main things I would want to do is bring down the 911 center.

If there were a concerted attack of some sort, you want to make sure that your 911 centers are up and running because they are your dispatch centers for emergency responses.

This isn’t the first time hackers have messed with 911 systems. In October, a 19-year-old hacker was sentenced to three years of probation for seriously disrupting Phoenix’s 911 system: a stunt he said he pulled in order to impress Apple.

He said he wanted to create a “non-harmful but annoying bug that he believed was ‘funny.’”

Go back to 2009, and you’ll find a 17-year-old hacker who ran a botnet with which to bombard the 911 system with hoax calls. He got nearly a year in juvenile detention.

Sooooooo not funny. Sooooo “we will lock you up” not funny.

Good luck with the investigation, Baltimore.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IbZRkOy-Bpc/

Football team pays $2.5 million to criminals in transfer fee scam

Football is a big-ticket news item all around the world, whichever flavour of the game you prefer.

Unsurprisingly, there are huge amounts of money at the top level in all codes of football – American, Australian, two different types of rugby, and the most widely-played variant, Association Football, variously known as the “world game”, the “beautiful game”, or soccer.

A lot of money, at least in European soccer, goes on transfer fees, paid when players switch between teams – sometimes between teams in the same league, but often in moves from country to country.

For example, Dutch player Stefan de Vrij moved from top-flight Dutch club Feyenoord to Italian football giants Lazio a few years ago.

We’re not sure what the total transfer fee was, but apparently the payments were done in installments, with the final payment, due in 2018, a cool €2,000,000 ($2.5 million).

Here’s the scary thing.

According to astonished football journalists the world over, Lazio apparently paid out that final $2.5m sum…

…to the wrong bank account, after being convinced to switch account numbers by an email scammer.

As one football writer quipped:

“There’s nothing more wonderful in the world than the spam folder […] – Lord knows how much utter nonsense lives there – but perhaps Lazio need better filters on their inbox…”

I chuckled at that remark, but the truth is almost certainly much more complex than just one piece of unfiltered spam.

Whaling – phishing on a grand scale

BEC, short for business email compromise, also known as “whaling” (because it’s phishing on a grand scale), is an increasingly common cybercrime in which the crooks take their time to build up trust first, before going for a single, giant sting at the end.

BEC gets its name because the crooks often take the trouble to hack one or more email passwords inside their target company along the way.

If they can get control of the email address of, say, your CFO or chief accountant, then they can send mail that doesn’t merely seem to come from one of your senior managers, but actually does come from them – or, more precisely, from their account.

Even a well-informed user who knows how to inspect email headers, and who is cautious enough to verify the sending server precisely, will find what they expect.

Worse still, crooks with full access to your email account can do much more than send email in your name, because they can also:

  • Look through your email history to learn the sort of phrases, greetings and sign-off remarks you tend to use.
  • Keep track of deals that you’re working on, and payments that are about to come due.
  • Make copies of official invoices and other documents for future reference when quoting details such as account numbers, payment amounts and due dates.
  • Delete fraudulent emails from the Sent folder so you won’t notice that your account has been hijacked to send unauthorised correspondence.
  • Delete incoming warning emails from colleagues, including the IT team, that might otherwise blow the lid on the scam.
  • Set up email rules to divert incoming messages to an email subfolder so the crooks get to see your emails first, and can read, reply to and delete them without you realising.

In other words, once the crooks control your email account, you can no longer trust your Inbox to contain everything you were supposed to see, and you can no longer trust your Sent folder to be a record of everything that went out from your account.
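A defender’s counterpart to the list above is to review mailbox rules for exactly these patterns. This is an added example for this article, not code from Naked Security or any mail product: it works over a constructed, simplified export of one user’s inbox rules (the field names are invented here) and flags rules that delete mail, divert it to rarely-checked folders, or forward it outside the company, then notes whether the rule also keys on payment wording, swallows mail from IT, or hides behind a blank name.

```python
import re

# Constructed inbox-rule export for one mailbox. The field names are invented for
# this example; real mail systems export rules differently.
SAMPLE_RULES = [
    {"name": "Newsletters", "if_from": ["news@vendor.example"], "if_subject": [],
     "move_to": "Newsletters", "delete": False, "forward_to": []},
    {"name": ".", "if_from": [], "if_subject": ["invoice", "payment", "transfer"],
     "move_to": "RSS Feeds", "delete": False, "forward_to": []},
    {"name": "Cleanup", "if_from": ["it-security@corp.example"], "if_subject": [],
     "move_to": "", "delete": True, "forward_to": []},
    {"name": "Backup", "if_from": [], "if_subject": [],
     "move_to": "", "delete": False, "forward_to": ["me@webmail.example"]},
]

# The article's point: deals, payments and due dates are what the crooks track.
PAYMENT_TERMS = re.compile(r"invoice|payment|transfer|bank|account|wire|due", re.I)
# Folders where a diverted message is unlikely to be noticed by the mailbox owner.
HIDDEN_FOLDERS = {"rss feeds", "archive", "deleted items", "junk email", "conversation history"}
WARNING_SENDERS = re.compile(r"\bit\b|security|helpdesk|abuse", re.I)


def assess_rule(rule, owner_domain):
    """Return the reasons a rule looks like BEC tooling; an empty list means benign."""
    reasons = []
    target = rule["move_to"].lower()
    if rule["delete"]:
        reasons.append("deletes incoming mail")
    if target in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely-checked folder '{target}'")
    # A live copy sent outside the company lets the crooks read replies first.
    for addr in rule["forward_to"]:
        if addr.rsplit("@", 1)[-1].lower() != owner_domain:
            reasons.append(f"forwards mail to external address {addr}")
    if not reasons:
        return reasons  # ordinary filing rules are not worth an alert
    # Context that raises the severity of an already-suspicious rule.
    if PAYMENT_TERMS.search(" ".join(rule["if_subject"])):
        reasons.append("triggers on payment-related wording")
    if WARNING_SENDERS.search(" ".join(rule["if_from"])):
        reasons.append("swallows mail from IT or security senders")
    if not rule["name"].strip(" ."):
        reasons.append("rule name is blank or a single dot")
    return reasons


def triage(rules, owner_domain):
    """Return (index, reasons) for every rule worth a human look."""
    flagged = ((i, assess_rule(r, owner_domain)) for i, r in enumerate(rules))
    return [(i, why) for i, why in flagged if why]
```

Run `triage(SAMPLE_RULES, "corp.example")` and the three rules an attacker would plant are returned with their reasons, while the ordinary newsletter filter is left alone.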

High value, low volume

Remember that BEC crooks aren’t like conventional low-value/high-volume phishers, who might hope to make $20 each from hundreds of thousands of compromised passwords.

Instead, “whalers” are aiming the other way around, such as $100,000 each from 20 companies, or even millions of dollars from one or two companies.

As a result, the crooks have plenty of time to build up their insider knowledge, their trustworthiness, and their confidence-trickster patter before they go for gold.

What to do?

  • Watch out for apparently innocent emails trying to make contact, such as, “Hey, are you in the office today?”, “I’m on the road this week, can you talk to IT for me?”, or “I left my phone in the airport so can you call me on this temporary SIM card I had to buy in [whichever country your boss is visiting this week, as mentioned on your company blog]?”
  • If in doubt, ask internally for help on how to double-check the truth of any message you just received. For example, if HR were to call your boss’s allegedly lost phone and your boss were to answer, you’d have knocked a scam on the head right there by exposing the fraudsters’ treachery.
  • Follow a strict, multi-person process for changing financial records for customers and suppliers. Even the CFO’s say-so (or apparent say-so), shouldn’t be enough on its own to change where business payments are made – insist upon a second pair of eyes. As carpenters like to say, “measure twice, cut once.”
  • Use two-factor authentication (2FA) for your business account logins whenever you can. 2FA, where you need a one-time code as well as your password every time you log in, isn’t perfect, but it makes attacks such as email account compromise much harder for the crooks.
  • If you see something, say something. Phishers and whalers don’t just try to trick one user and then give up – they’ll keep trying with other people inside the company until they get lucky. So, the sooner someone raises the alarm, the sooner your security team (even if that’s just you!) can let everyone know and you can close ranks against the crooks.

Let’s hope, for Lazio’s and Feyenoord’s sakes, that the money diverted in this scam gets halted by the banking system in time and can therefore be recovered…


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/X3hcZvVrFkQ/