Archive for the News Category

Cyber-Criminal Impersonates Bernie Sanders Staffer

America's Democratic National Committee has warned its electoral candidates to be wary after a phony Bernie Sanders campaign staffer used a fake domain to contact other political campaigns. 

The cyber-imposter attempted to set up conversations with at least two other campaigns using a spoofed domain registered outside the United States. Sanders campaign spokesperson Mike Casca said yesterday that he believed the domain to be registered in Russia. 

Casca said that the detection of the imposter was an indication that the party's cybersecurity was working well.

“It’s clear the efforts and investments made by the DNC and all the campaigns to shore up our cybersecurity systems are working,” Casca told the Associated Press. “We will remain vigilant and continue to learn from each incident.”

DNC chief security officer Bob Lord emailed the party's presidential campaigns yesterday, urging them to be on the lookout for charlatans. Lord said that “adversaries will often try to impersonate real people on a campaign” to get people to “download suspicious files or click on a link to a phishing site.” 

Campaigns were also instructed to question the plausibility of anyone attempting to arrange a call or meeting that could be recorded or published. 

Though authorities have been notified about the fraudulent Sanders staffer, Lord expressed little hope that the impersonator would be identified, noting that "attribution is notoriously hard." 

In an effort to sort the real domains from the fake, Lord wrote in his email to campaigns: "If you are using an alternate domain, please refrain from doing so and let us know if you are operating from a domain that others have not corresponded with before."

The CSO then instructed campaign staffers not to use their personal email accounts for official business. 

If Lord's message sounds a trifle paranoid, it's worth remembering that a phishing attack on John Podesta, chairman of Hillary Clinton's 2016 presidential campaign, resulted in thousands of emails being hacked and leaked.

Podesta was deceived by an official-looking email sent to his Gmail account. Purporting to be from Google, the message warned Podesta that someone in Ukraine had accessed his personal Gmail password and had tried to log into his account. The email implored Podesta to immediately change his password, directing him to a malicious website to achieve this.

Source: Information Security Magazine

Microsoft Engineer Pleads Guilty to $10m Fraud Scheme

A former Microsoft engineer faces 20 years behind bars after being found guilty of attempting to defraud his ex-employer of $10m.

Ukrainian citizen Volodymyr Kvashuk, 25, from Renton, Washington, was initially a contractor for the tech giant before going full time there from August 2016 until he was fired in June 2018.

He was convicted on Tuesday of 18 federal felonies: five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns and one count each of mail fraud, access device fraud and access to a protected computer in furtherance of fraud.

According to court documents, Kvashuk worked on Microsoft’s online retail sales platform where he used his IT access to steal digital gift cards and other “currency stored value,” before selling them on the internet.

Although the amounts he stole started off relatively small, totalling around $12,000, they soon progressed into millions of dollars.

Kvashuk is said to have set up test email accounts under the names of Microsoft employees and used Bitcoin mixing services to hide his tracks and the source of the funds entering his bank accounts.

According to the Department of Justice (DoJ) over $2.8m in Bitcoin was transferred to his accounts over the seven months of the scheme. Kvashuk was also able to buy a $1.6m home and a $160,000 Tesla car.

“In addition to stealing from Microsoft, Volodymyr Kvashuk also stole from the government by concealing his fraudulent income and filing false tax returns,” said IRS-CI special agent in charge, Ryan Korner.

“Kvashuk’s grand scheme was thwarted by the hard work of IRS-CI’s Cyber Crimes Unit. Criminals who think they can avoid detection by using cryptocurrency and laundering through mixers are put on notice…you will be caught and you will be held accountable.”

Source: Information Security Magazine

Web Owners Ignore Alerts as Magecart Hits 40 More Sites

A notorious group behind digital skimming attacks has upped its game recently, infecting at least 40 new websites, according to researchers.

Magecart Group 12, one of many collectives using techniques designed to harvest card details from e-commerce websites, continues to adapt its modus operandi, according to researcher Max Kersten.

The current campaign has been running for several months, with the first hacked site linking to a skimmer domain on September 30 2019 and the most recent infection date being February 19 2020, he explained.

“The skimmer, hosted on jquerycdn.su, changed four times during the campaign. In the four versions of the skimmer that were used in this campaign, the used obfuscation method is the same as in the other reported campaigns,” he continued.

“The first stage loads the actual skimmer script, which is polluted with garbage code. The skimmer itself is different, compared to the first versions. The skimmer grabs all fields from the page, rather than all forms. Although the approach and script are different, the general concept remains the same: obtaining credit card credentials.”

Of the 39 new sites hit by the group, 13 were still compromised at the time of writing, despite being contacted by Kersten. Most appear to be SME-sized retailers who perhaps don’t have many resources to devote to cybersecurity. Consumers are urged not to shop on these sites.

Last month, Kersten and fellow researcher Jacob Pimental revealed how Magecart 12 was targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020 tournaments. Although the domain was taken down, the group simply swapped it for another and continued, highlighting the resilience of the threat, according to RiskIQ.

Tarik Saleh, senior security engineer at DomainTools, urged companies to ensure their underlying operating systems and web frameworks are patched and up-to-date to prevent common exploits running.

“Secondly, it’s important to adjust your web application’s Content Security Policy (CSP) to allow scripts running on it to be from your specific whitelisted domains,” he added.

“Thirdly, I recommend deploying a File Integrity Monitoring (FIM) solution to your website’s directory containing the scripts used for the checkout or payment handling process. FIM solutions are great for monitoring when files have been tampered with or added to your website, and in this case it won’t prevent you from being compromised, but it will let you know if Magecart has been installed.”

It’s believed that Magecart groups had infected over two million websites, as of October 2019.
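
The two controls recommended above (a script-source allowlist and file integrity monitoring of the checkout directory) can be combined in one check. The following is an added example, not code from the article or from anyone quoted in it: it hashes a directory, reports changed or new files, and flags any `<script src>` host that is not on the allowlist. The host `cdn.shop.example` and the file names are assumptions; `jquerycdn.su` is the skimmer host named in the article, and the tampering in `demo()` is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the hosts this shop intentionally loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.shop.example"}

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Report files added, removed or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def foreign_script_hosts(markup, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts referenced by <script src=...> that are not on the allowlist.

    Relative URLs have no host and count as same-origin.
    """
    hosts = {urlparse(src).hostname for src in SCRIPT_SRC.findall(markup)}
    return sorted(h for h in hosts if h and h not in allowed)


def csp_header(allowed=ALLOWED_SCRIPT_HOSTS):
    """Build a script-src policy restricted to same-origin plus the allowlist."""
    sources = " ".join(f"https://{h}" for h in sorted(allowed))
    return f"Content-Security-Policy: script-src 'self' {sources}"


def audit(root, baseline):
    """Re-hash the directory; inspect only changed or new files for foreign hosts."""
    root = Path(root)
    changes = diff_snapshots(baseline, snapshot(root))
    findings = {}
    for name in changes["added"] + changes["modified"]:
        text = (root / name).read_text(errors="replace")
        hosts = foreign_script_hosts(text)
        if hosts:
            findings[name] = hosts
    return changes, findings


def demo():
    """Constructed scenario: a checkout page gains a script tag for an unlisted host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        page = root / "checkout.html"
        (root / "js").mkdir()
        (root / "js" / "pay.js").write_text("function pay() {}\n")
        page.write_text('<script src="/js/pay.js"></script>\n'
                        '<script src="https://cdn.shop.example/lib.js"></script>\n')
        baseline = snapshot(root)
        # Simulated tampering, using the skimmer host named in the article.
        page.write_text(page.read_text() + '<script src="//jquerycdn.su/lib.js"></script>\n')
        (root / "js" / "extra.js").write_text("// unexpected file\n")
        return audit(root, baseline)


if __name__ == "__main__":
    changes, findings = demo()
    print(changes)
    print(findings)
    print(csp_header())
```

As the quote notes, the integrity check only detects tampering after the fact; the header built by `csp_header()` is the preventive half, since a browser enforcing it would refuse to load a script from a host outside the list.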

Source: Information Security Magazine

Facial Recognition Biz Clearview AI Suffers Data Breach

A controversial facial recognition company has just informed its customers of a data breach in which its entire client list was stolen.

Clearview AI leapt to fame in January when a New York Times report claimed that the start-up had scraped up to three billion images from social media sites to add to its database.

That makes it a useful resource for its law enforcement clients, which can query images they capture against the trove. The FBI’s own database is said to contain little more than 600 million images.

Now those clients have been exposed after an unauthorized intruder managed to access Clearview AI’s entire customer list, the number of user accounts those companies have set up, and the number of searches they’ve carried out. However, they apparently didn’t get hold of client search histories.

Interestingly, the firm claimed that its own servers, systems and network weren’t compromised.

In a statement sent to The Daily Beast, company attorney, Tor Ekeland, claimed that security is the firm’s top priority.

“Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security,” he added.

Clearview AI is coming under increasing pressure from privacy activists and social media companies.

The latter have reportedly demanded the firm “cease and desist” from its web scraping activity as it breaches their terms of service, although the firm claims it is a First Amendment right to collect publicly available photos.

The firm has also been forced to deny rumors that consumers could also use its service to find out personal information including address details of people whose images they possess.

Tim Mackey, principal security strategist within the Synopsys CyRC (Cybersecurity Research Center), argued that cyber-criminals will now view compromise of Clearview AI’s systems as a priority.

“I would encourage Clearview AI to provide a detailed report covering the timeline and nature of the attack. While it may well be that the attack method is patched, it also is equally likely that the attack pattern is not unique and can point to a class of attack others should be protecting against,” he added.

“Clearview AI possesses a target for cyber-criminals on many levels, and is often the case digital privacy laws lag technology innovation. This attack now presents an opportunity for Clearview AI to become a leader in digital privacy as it pursues its business model based on facial recognition technologies.”

Source: Information Security Magazine

#RSAC: Review Your GDPR State, Biometric Collections and Cyber Insurance

Now is the time to review your exposure to GDPR and CCPA-related lawsuits, and review contracts related to penetration testing.

In a talk at RSA Conference in San Francisco exploring recent cyber-related court cases, Julia Bowen, senior vice-president, general counsel and corporate secretary, The MITRE Corp and Professor Rick Aldrich, cybersecurity policy and compliance analyst, Booz Allen Hamilton, reviewed a number of issues relating to border control, surveillance and online page removals.

“If you are under the GDPR or the CCPA, make sure you’re doing that correctly,” Aldrich said, referencing cases where page takedowns were disputed by search engines over local laws.

He also recommended checking if you are collecting biometric data, and the legality of doing that, referencing a recent case where the Illinois Supreme Court dismissed a case that would have pared back a state law limiting the use of facial recognition and other biometrics. “If you are doing worldwide business that involves people in Illinois, you may want to check that,” Aldrich advised.

He also recommended reviewing your penetration testing laws, considering the recent case of the Coalfire employees being arrested whilst on an exercise in Iowa.

In the coming months, Aldrich recommended taking actions to update your organization’s policies to minimize risk with regards to personal information, cloud providers and cross-border data transportation. Aldrich and Bowen listed a number of issues related to these cases, including where personal devices are seized and owners are ordered to unlock them.

“If you travel internationally, you may be asked to surrender equipment and risk giving up information to the government,” he said. “If they seize equipment, you may not have it anymore.”

Finally, Aldrich recommended taking actions to update your organization’s policies to minimize risk with regards to insurance providers, especially where payouts were not made due to what was determined to be an act of war. “Some people are now saying that they don’t have an exclusion for an act of war, so be very careful to check that they will pay out,” he said. “There are a lot of companies that are not expecting to pay out $50m when NotPetya occurs.”

Source: Information Security Magazine

#RSAC: It's Time to Disable Parental Controls to Enable the Next Generation

It’s time to get rid of parental controls and let younger people make their own decisions.

Speaking in the opening keynotes at the RSA Conference in San Francisco, Wendy Nather, head of advisory CISOs, Duo Security at Cisco, said that parental controls need to be disabled as “we need to teach them to make good security choices for themselves because they need to learn this from a young age.”

As part of her keynote, Nather said that she does not use parental controls at home, but her teenage daughter asked for them to be turned on “to help enforce her study time,” so they were set up for her time, and Wendy controls the password.

“We have to teach them to make good security decisions, as we keep making the same mistakes year after year,” she said, saying this was done with web servers, mobile, and IoT, and this is because of the demographic. “We have to teach everybody, so it doesn’t matter who comes in with new technology, they know how to apply the security controls.”

She concluded by saying that it has to be about “security of, by, and for the people as we’re the ones who have been working on this for decades.”

Source: Information Security Magazine

#RSAC: Methodologies and Methods to Improve IoT Security

Speaking at the RSA Conference in San Francisco on how to build a comprehensive Internet of Things (IoT) security testing methodology, Rapid7 IoT research lead Deral Heiland said that it is currently hard to determine what IoT is, so he built a testing model to determine the traits of IoT so they can be better detected and secured.

He said that he often asks companies if they have got any IoT technology, so he created a methodology to define the traits of IoT, which is based on four key areas:

  • Management control—to control and manipulate data
  • Cloud service APIs and storage
  • Capability to be moved to the cloud
  • Embedded technology

He said that you have the ability to better defend your ecosystem if you know the traits of IoT, and can build a methodology to build and test IoT:

  • Functionality
  • Reconnaissance
  • Testing
  • Analysis

This is about finding information and gathering knowledge, as “there is no way to test your IoT ecosystem if you don’t know how it works.”

Heiland said that once you have done a functional evaluation, you can do a larger reconnaissance to look at what is going on, use open source intelligence to see what frequency the communication is running at and what components it was running, and if they had any notable vulnerabilities and exploits in the past.

The next stage is testing, including web-based penetration tests, scans, and more manual tests of the build, including looking at physical ports. Looking at the firmware, Heiland recommended analysis testing to look for hardcoded keys, passwords, undocumented command structures, IP addresses, and hardcoded URLs of interest. He also recommended doing radio frequency (RF) testing, as most IoT “have some form of this.” This can also determine if the communications are encrypted and effective, and find RF protocols. He also recommended looking at pairing and over-the-air updates.

Heiland admitted that one test does not work for all IoT, and elements will need to be changed for different products, as “you find new things every time and new ways of doing things.”

In one case study, he presented an analysis of a smart door lock. The idea of it is to provide short-term access via email, so he set up a Man in the Middle attack using Burp Suite to create a certificate, “as the mobile app didn’t have SSL, so it was simple to create a certificate and gain Man in the Middle access and see communications flowing back and forth.”

He said that he was able to see the communications, such as how the API returned control keys to all users, which was written to the developer debug log and available via a file on the phone. “We didn’t need to root the device as all of the data was in there, this had a session token so in theory you could control the lock forever.”

He explained that this issue has now been patched, and he declined to reveal the vendor name.

In terms of who can do this sort of testing, he said he would expect a person to be a “seasoned tester at a bare minimum” as well as have hardware skills, budget for kit, and “an endless desire to learn.”

Heiland said there are three elements needed in order to get to a better stage of IoT security. The first is for manufacturers to implement a product security testing program and test before a product goes to market, and, for products that are already available, to bring them back in-house and test them.

Also, enterprise consumers should ask questions of the vendor, inventory their IoT, define what IoT is to their organization, and assign ownership.

The final element is for IoT researchers and testers to follow Heiland’s methodology and improve their own skill sets.

Source: Information Security Magazine

#RSAC: Time to Take Action on AI-Enabled Electoral Vote Influencing

In a talk at the RSA Conference in San Francisco, students and researchers from University of California, Berkeley presented a theoretical method on how voters could be influenced using technical and automated methods.

Talking about “How AI Inference Threats Might Influence the Outcome of 2020 Election,” the three presented their own research, which included aggregating data to show how misinformation can be spread. Karel Baloun, software architect and entrepreneur at UC Berkeley, said these types of attacks can be nefarious as “attacks on democracy” are often not seen and it can be denied that they took place.

Pointing at the 2016 US presidential election, Baloun said that the hacking of the Democrats’ emails by Russia and passing of them to WikiLeaks “set the narrative for the election” and there is proof that this effort was able to “suppress over 100,000 votes.” He said that there are four examples of elections that have been influenced in history:

  • The 2016 Ukraine Election
  • The 2016 UK Brexit vote on EU Membership
  • The 2019 Hong Kong Anti-Extradition Law Protests
  • The 2020 Taiwan Presidential Election

Ken Chang, cybersecurity researcher at University of California, Berkeley, said that when someone registers to vote, that information should be trusted to be held securely, as all information that is collected is “a critical piece of information.”

With voter registration data, Chang said that the potential of a data breach is obvious, so the conversation needs to be centered on how to protect information, and not on how a data broker can collect and distribute information without the person knowing.

Baloun said that with the experiment it was able to build user voter databases and aggregate this into social media data, advertising, and messaging to influence people. Citing the case of Cambridge Analytica, Baloun said that it was able to use Facebook data that was open, and personal information that is freely obtained and available in the form of credit scores and credit card data.

Saying that it is only a matter of time before AI can do the whole process, as currently Machine Learning is used on Big Data sets, and AI can generate texts and emails and write news, Baloun said that the “technology is well advanced.”

“If you suck the firehose you only get what you’re provided,” Baloun said, pointing out that it could be easy for an attacker to impersonate an influential friend or family member.

Looking at steps to take, Baloun encouraged taking more action when friends and family share such information, and thinking about what you consume. He also called for the Secretary of State with responsibility for voter records to mandate a disclosure requirement. He also called for a ban by the FFC on creating “personal profiles” pretending to be voters.

“Each one can make a big difference, as the system depends on easily available rich voter profiles, and targeting with messaging,” he said. “To protect democracy we need to make things more expensive and less effective and let humans intervene, as they don’t know it is happening.”

Source: Information Security Magazine

#RSAC: Deterrence in Cyberspace Is About More Than Just Attribution

How can the US deter other nations from executing cyber-attacks? According to a panel of US government officials speaking at the RSA Conference in San Francisco, there is a range of legal, diplomatic, and even military options that can be considered.

Adam Hickey, Deputy Assistant Attorney General, National Security Division at the US Department of Justice (DOJ), commented that there is a lot that can be done to deter nation-states from conducting cyber-attacks.

"Law enforcement is one tool of federal power and should be used to deter threat actors," Hickey said.

Hickey noted that he knows in many cases even if a state threat actor is charged in a legal indictment, an arrest won't be made. That's why the DOJ is using other legal instruments that can disrupt operations, including court orders to seize infrastructure.

That infrastructure, however, can be anywhere in the world, which is a challenge that Steven Kelly, Chief of Cyber Policy, Cyber Division for the Federal Bureau of Investigation (FBI), brought up. Kelly noted that because of the complexity of cyber-attack infrastructure, attribution is often complex.

"Some people might scoff at the idea that we can deter nation-state cyber-attack activity, because the attacks keep happening, but we're working on it," Kelly said.

Kelly added that multiple agencies have been working together to get faster at identifying who is behind an attack and then working together to impose consequences more rapidly. He emphasized that it takes a lot of cooperation within the US government and with other law enforcement groups around the world to get all the facts that enable the FBI to identify threat actors behind an attack.

"Nations and the individuals that are working on their behalf can no longer assume that they can operate with anonymity," Kelly said.

Secret Information and Public Indictments

Among the assets that the US government has engaged to help deter nation-state cyber-attacks is the intelligence community, though much of their work still needs to remain secret, commented Thomas Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy at the US Department of Defense (DOD).

Wingfield noted that while the DOD can't reveal everything about its operations, it can and does help other agencies to keep the country safe.

Information from the public is also a key part in helping with deterrence. Hickey commented that in recent years, as companies have matured in their own cybersecurity process, attacked companies have disclosed information to the government that is critical to helping with attribution.

In the final analysis, Wingfield emphasized that deterrence isn't just about lawsuits or projecting power in some way with a retaliatory action. Rather, in his view deterrence is about influencing would-be attackers to make a different decision.

"At the end of the day, deterrence is meant to work in one place, and that is inside the human element, inside of the brain of the adversary decision maker," Wingfield said.

Source: Information Security Magazine

#RSAC: How Medical Device Cybersecurity Could Improve

Cyberattacks can impact individuals and companies in different ways, but few if any industries have the same life-or-death impact as medical devices.

In recent years, medical devices and hospitals have come under increasing attack from different threat actors, which has not escaped the notice of regulators in the United States. At the RSA Conference in San Francisco, the safety implications of medical devices were detailed, along with direction on how things could well be set to improve in the years ahead.

Penny Chase, Information Technology & Cyber Security Integrator at MITRE, commented that with any device connected to a network there can be vulnerabilities.

"If those vulnerabilities aren't taken care of, devices can potentially be exploited, and that can result in patient harm or serve as a pivot point to get into a hospital network."

The risk to medical infrastructure is far from a theoretical threat. In 2017, the WannaCry Ransomware attack had devastating consequences in the UK, shutting down NHS operations and hospitals. There have also been publicly reported flaws in medical devices that vendors have been slow to fix. Perhaps the most well-known example occurred with Abbott Laboratories and its St Jude cardiac pacemakers.

Chase added that even when patches are available for known issues, patching medical devices is often far from routine, with many hospitals unaware that they are vulnerable.

How Medical Device Security Will Get Better

The US Food and Drug Administration (FDA), together with MITRE and other stakeholders, has been engaged in multiple efforts to improve the state of medical device security. Chase noted that in 2018 the Medical Device Safety Action Plan was published by the FDA, which includes a number of action items for device manufacturers. Among the primary items is a requirement that firms build capabilities to update and patch device security into a product's design. The plan also requires that device manufacturers have coordinated disclosure policies in place in the event of a vulnerability.

Margie Zuk, Senior Principal Cybersecurity Engineer at MITRE, commented that a key challenge with medical device cybersecurity is making sure that the vulnerabilities are understood with the right amount of detail. To that end, MITRE has been developing a Medical Device Rubric for Common Vulnerability Scoring System (CVSS) that has been submitted to the FDA.

Another current effort is to help hospitals build out their preparedness for cybersecurity incidents like WannaCry. Zuk noted that with WannaCry, for example, there was a lot of confusion between hospitals and manufacturers about risk. To help with that type of situation in the future, MITRE has developed a playbook to help hospitals with incident response.

A key challenge for understanding the risk is related to testing under different scenarios. That's where Zuk said that the Medical Device Cybersecurity Sandbox effort comes into play as an effort to help validate vulnerabilities in clinical scenarios.

Software Bill of Materials (SBOM) Will Help

One of the key efforts under way in 2020 is a multi-stakeholder effort led by NTIA for a Software Bill of Materials (SBOM). With SBOM, software in medical and other devices would need to have a list of constituent components that are included.

"SBOM is really critical to understand if you have a vulnerability in your system," Zuk said. "Hospitals need to know what the attack surface is and what's at risk."

Fundamentally, the key to improving medical device cybersecurity is reducing risk and understanding the potential for exploitation.

"It's a shift in thinking about how a device is supposed to be used, to how a device can be exploited by a malicious adversary that is trying to abuse the device," Chase concluded.

Source: Information Security Magazine