
Two Plead Guilty to Uber and Lynda.com Hacks

Two North American men have pleaded guilty to hacking and extorting Uber and LinkedIn’s Lynda.com business, compromising data on tens of millions of users in the process.

Brandon Charles Glover, 26, of Winter Springs, Florida, and Vasile Mereacre, 23, of Toronto, Canada, pleaded guilty to one charge each of conspiracy to commit extortion involving computers. They will likely face a five-year stretch in jail and a fine of $250,000 as a result.

The two are said to have used a custom-built GitHub account checker tool to try a number of already breached corporate credentials and see if they unlocked accounts on the developer site. After accessing several accounts belonging to Uber employees, they found AWS credentials which unlocked the online taxi firm’s AWS S3 data stores.

Using an encrypted ProtonMail address, they then contacted Uber’s CSO, claiming to have found a vulnerability in its systems and demanding payment in return for deletion of the compromised customer and driver data — which ran into 57 million records.

Uber eventually agreed, paying them the requested $100,000 in Bitcoin through its HackerOne account and then covering up the incident, until a new CEO decided to come clean in 2017.

Emboldened by their success, Glover and Mereacre then obtained access to 90,000 Lynda.com accounts via the online education firm’s AWS S3 account, and tried the same extortion trick, according to court documents.

However, this time the firm went public with the breach.

The two incidents almost read like a case study in the right and wrong ways to handle a breach-related extortion demand.

In the case of Uber, it ended up settling with the US government to the tune of $148m, whilst paying a £385,000 fine to the UK’s Information Commissioner’s Office (ICO). It’s lucky to have escaped the wrath of GDPR regulators, given that 2.7 million British customers and drivers were affected by the breach.

Source: Information Security Magazine

Twitter Bans Political Ads Ahead of Key UK Election

Twitter has announced a ban on political advertising ahead of crucial elections in the UK and US over the coming year, turning up the heat on Facebook to tackle micro-targeting campaigns on social media.

At Infosecurity Europe earlier this year, author Jamie Bartlett warned that elections will increasingly be fought online, with small groups of swing voters micro-targeted by personalized ads. This strategy threatens to undermine the legitimacy of results, he argued, and could be further tainted by dubious use of private data, as per the Cambridge Analytica scandal.

Across several posts on the social platform he co-founded, CEO Jack Dorsey explained that the firm’s final policy would be published on November 15 and enforced a week later.

“We’ve made the decision to stop all political advertising on Twitter globally. We believe political message reach should be earned, not bought. A political message earns reach when people decide to follow an account or retweet. Paying for reach removes that decision, forcing highly optimized and targeted political messages on people. We believe this decision should not be compromised by money,” he said.

“While internet advertising is incredibly powerful and very effective for commercial advertisers, that power brings significant risks to politics, where it can be used to influence votes to affect the lives of millions.”

Although tacitly admitting that the decision would probably have a minimal impact on the firm, given its relatively minor role in a much larger political advertising ecosystem, Dorsey couldn’t resist piling the pressure on Facebook.

“For instance, it’s not credible for us to say: ‘We’re working hard to stop people from gaming our systems to spread misleading info, buuut if someone pays us to target and force people to see their political ad…well…they can say whatever they want!’,” he argued.

Dorsey also called for “more forward-looking” political advertising regulation, although admitting this would be difficult to craft.

The news was welcomed by non-profit the Open Knowledge Foundation, which called on Facebook to follow suit.

“It will go a considerable way to preventing the spread of disinformation and fake news, and help to resuscitate the three foundations of tolerance, facts and ideas,” argued CEO, Catherine Stihler.

“It is imperative that we do not allow disinformation to blight this year’s UK General Election, forthcoming elections across Europe, and next year’s US Presidential election. Facebook must act on the growing demands for greater transparency.”

Socialbakers CEO Yuval Ben-Itzhak also praised the move as part of Twitter’s efforts to clean up its platform.

“By banning political advertising on the platform, Twitter's leadership is taking an important stance,” he added. 

“Validating each ad at scale is technically challenging to say the least, so by banning politically-motivated ads the platform stands a better chance of remaining digital pollution-free for its advertisers and users.”

However, Tom Gaffney, security consultant at F-Secure, argued that the real problem for Twitter is fake accounts which are used to amplify often extreme views and misinformation, and trolling, which can also be used to spread rumors.

“Since many fake and troll accounts are controlled at least partially by real people, it is very difficult to create algorithmic methods to detect them,” he concluded.

“Despite Twitter’s own efforts, it is clear that the platform is still burdened by the presence of fake accounts and that many manipulation tactics are still very viable. In order to build better detection methods, more research is needed to understand how the people behind these accounts operate.”

Source: Information Security Magazine

#BSidesBelfast: Threat Hunting Requires Curiosity and Culture

Building a threat hunting team requires finding people who are prepared to be inquisitive of data and keen to be the first to find a threat, and creating the right culture for them to work in.

Speaking at BSides Belfast 2019, Martin Lee, outreach manager and technical lead at Cisco Talos, said that the team at Talos “work on analyzing the intelligence we have got, spot what is different and understand it, and as there is no manual on how to manage and function a threat research and intelligence team, the research team has grown organically.”

He said that there is a common belief that threat hunting involves “putting data in and mixing it with tools using SIEM, and using procedures to find threats,” when threat hunting should be thought of as a “stack of technology” where you do not need a “secret store of data that only you can access.” 

Lee added: “We look for the most significant new threat on the internet, and see our role as to protect the entire internet. We want to hunt down and find the bad guys and be the first people to protect customers and inform the community.”

A lot of threat hunting “is classic engineering,” as if you put processes in at the beginning and follow them, you will come to a predictable end with a clean answer, and Lee called that “the holy grail” situation. In most cases, threat hunting involves looking through indicators of compromise and comparable data, and the resolution is affected by attackers using different domains, different IP addresses and different data.

Lee also said that when there is a successful effort at threat hunting, this can be turned into an automated process.

“We find bad guys, find them first and hunt them down on the internet,” he said. “We have a strong sense of mission and a high degree of success as people want to hunt and encourage each other to keep going, it is not a job, but a lifestyle.”

Lee also said that very little of threat hunting is the common perception of “get a SIEM and go on the dark web” as a SIEM shows the analyst one view, which makes it difficult to ask different and innovative questions of the data.

As for the dark web, he acknowledged that there is malicious activity in the dark web “as you can find bad guys discussing [things] before they happen,” but the set of things that happen versus things discussed on the dark web often means “a lot of it can just be noise and people discussing things that may not happen.”

He said that “more important than tooling is people with skills” who will thrive in the right culture as you “can kill people with tooling if you have the wrong culture.” Also, you need to have some idea of what you want to find, and if you have no idea what you are looking for, you will never find it. 

Lee recommended building a strategy on what you’re hoping to find and what you would like to find, and deciding what you would do with it and how to improve the goals of an organization. Also, use tools that allow you to ask questions of data easily, and hire people who are curious about things “and get to the root cause of what is going on.”

Source: Information Security Magazine

Major Cyber-Attack on APAC Ports Could Cost $110bn

A major cyber-attack on Asia’s ports could end up costing the global economy as much as $110bn due to business interruption and other knock-on impacts, according to a new report.

Backed by Lloyd’s of London, the University of Cambridge and other organizations, the report was developed by the Singapore-based Cyber Risk Management (CyRiM) project.

It paints a hypothetical picture of a computer virus, dubbed ‘Shen,’ which exploits a vulnerability in port management software from a major shipping management company. It’s not made clear whether the virus is ransomware, but the effect is to infect systems on-board ageing ships, and then to “scramble” key database records at major ports in the region.

“While cyber-attacks have impacted individual ports in the past, an attack on systematic vulnerabilities across ports on this scale has never been seen,” the report claimed. “However, the combination of ageing shipping infrastructure and global complex supply chains, makes the shipping industry vulnerable to extreme losses.”

In this scenario, not only port owners themselves, but a range of supply chain organizations including logistics companies, cargo owners, ship owners, ship management companies and port management system providers would be affected.

Every country which operates bilateral trade with the affected ports would suffer heavy losses, due to delayed delivery and the impact on perishable items waiting to be shipped. For example, port closures in Japan would directly affect the US, China, Taiwan, South Korea and Hong Kong, the report said.

The heaviest losses were predicted to affect the transport and aviation sectors, followed by manufacturing, retail and then real estate.

The cost of an attack affecting 15 Asian ports would range from $41bn to $110bn, the report claimed.

However, CyRiM warned that 92% of total economic costs are currently uninsured, leaving an insurance gap of $101bn.

“Cyber-risk is one of the most critical and complex challenges facing the Asia Pacific maritime industry today. As this risk grows with the increasing application of technology and automation in the industry, collaboration and future planning by insurers and risk managers is critical,” argued Lloyd’s Singapore country manager, Angela Kelly.

“With nine out of 10 of the world’s busiest container ports based in Asia, and high levels of underinsurance in the region, this exposure must be addressed.”

Source: Information Security Magazine

Facebook Removes Russian Networks Targeting African Users

Facebook has been forced to take action again to remove illegal Russian attempts to influence its users — this time in African countries.

The “coordinated inauthentic behavior” has been linked to notorious Russian financier Yevgeniy Prigozhin, already indicted by the US for funding the Kremlin-linked Internet Research Agency (IRA), which was involved in information warfare efforts ahead of the 2016 US Presidential election.

Facebook removed three separate networks originating in Russia and which targeted Madagascar, Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire, Cameroon, Sudan and Libya.

The first involved the take-down of 35 Facebook accounts, 53 Pages, seven Groups and five Instagram accounts focusing on users in Madagascar, the Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire and Cameroon.

At least one of the Pages accrued around 475,000 followers, and around $77,000 in advertising was spent.

The next campaign centered around 17 Facebook accounts, 18 Pages, three Groups and six Instagram accounts, accruing over 457,000 followers. They re-posted Sudanese state news and Russian propaganda from RT and Sputnik.

Finally, Facebook removed a network of 14 Facebook accounts, 12 Pages, one Group and one Instagram account that originated in Russia and focused on Libya.

As per the other campaigns, they often posted a mix of local and global news from local and Russian sources, on multiple sides of political debate, and from authentic and fake accounts. In this case, the accounts and Pages gained over 241,000 followers and around $10,000 was spent on ads.

“Although the people behind these networks attempted to conceal their identities and coordination, our investigation connected these campaigns to entities associated with Russian financier Yevgeniy Prigozhin, who was previously indicted by the US Justice Department,” said Facebook head of cybersecurity policy, Nathaniel Gleicher.

“We’re taking down these Pages, Groups and accounts based on their behavior, not the content they posted. In each of these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action.”

Source: Information Security Magazine

#BSidesBelfast: Focus More on Common Attacks, Less on Zero-Days

Security teams should spend less energy on advanced attacks and zero-days, since the attacks that succeed remain the same, and the industry needs to focus more on producing and enabling better professionals.

Speaking in the opening keynote at BSides Belfast 2019, BH Consulting CEO Brian Honan said that, as we mark the 50th anniversary of the internet, we have to realize that whilst we were once unconnected, we now have huge dependency on the internet and this has led to economies and democracies being under attack. With the Cambridge Analytica case still in the mind, and with a UK election likely for December, Honan suspected that we will see more online influence.

Looking at cyber-attacks, Honan said that data suggests that we are seeing “more of the same,” as in the 1980s we were talking about viruses as the main threat, “and that is the same now, but we call it ransomware” – and business email compromise and ransomware have been around for years.

“Criminals use the same techniques as they work, and the biggest risk is the common run of the mill cyber-attack that is known to work,” he argued. “Attackers are not using zero-days and advanced cyber-attacks, they are using email and phones to break into companies.”

This has led to a culture of repeating the same mistakes over and over again, and we are not learning from them. Honan called for an end to “victim blaming” as if we “keep making the same mistakes, then there is an insecure future ahead.” He also called for more transparency into incident response reports, as too often investigations are not revealed.

Drawing comparisons with the aviation industry, Honan highlighted the frequent checks and tests on planes, and the fact that pilots need to be qualified and trained to fly, and “rigorous procedures” are followed. “However, we don’t do that in IT, as we launch things on the internet and hope they will work and if they don't, we fix the problem in the next release. You cannot do that at 10,000 feet.”

Concluding, Honan called for better collaboration as “business people demand better security” now, as we now talk to boards “and not geeks.”

“Don’t stand alone, work outside industry and your community to fix problems, and make sure we embrace the business side and talk to them and continue hacking stuff to improve the systems we rely on,” he said.

Source: Information Security Magazine

North Korean Malware Found at Indian Nuke Plant

A malware infection at one of India’s nuclear power plants has been confirmed by its owner, with researchers speculating that it is North Korean in origin.

News began circulating on social media earlier this week that the Kudankulam Nuclear Power Plant (KNPP) may have been hit by an attack. A third party contacted cyber-intelligence analyst Pukhraj Singh who in turn notified the country’s National Cyber Security Coordinator on September 3, he said.

He added that the malware in question was later identified by Kaspersky as Dtrack.

Although initially KNPP officials said an attack on the plant was “not possible,” they changed their tune in a letter dated Wednesday.

The government-owned Nuclear Power Corporation of India (NPCIL) released a statement saying the original reports had been correct, and handled by CERT-In when the organization was notified on September 4.

“The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes,” it clarified. “This was isolated from the critical internal network. The networks are being continuously monitored. Investigation also confirms that the plant systems are not affected.”

Dtrack was first revealed in late September by Kaspersky as linked to the infamous Lazarus Group. It discovered over 180 samples of the malware, which is said to take advantage of weak network security, password management and a lack of traffic monitoring to deploy information stealing and remote access capabilities to victim systems.

It’s unclear what the attacker’s goals were in this raid — whether it was an accidental infection, a deliberately targeted multi-stage IP-stealing mission, or something more sinister still.

However, at the time of discovery, Singh tweeted about a casus belli (act of war) in Indian cyberspace. He later clarified this was a reference to a second, as-yet-unnamed, target.

“Actually, the other target scared the sh*t out of me. Scarier than KKNPP in some ways,” he said.

Source: Information Security Magazine

#ISC2Congress: IoT Devices Pose Off-Network Security Risk

Internet of Things (IoT) devices can still be a serious security threat even when they are off network.

Speaking on day three of the (ISC)² Security Congress in Orlando, Florida, 802 Secure CSO Michael Raggo shared research that demonstrated the risks posed by everyday IoT devices. 

In his talk titled "Cyber Physical Security: Addressing IoT Risks," Raggo cited examples of threat actors gaining access to data centers via WiFi thermostats and spying on conferences by hacking into smart TVs mounted on boardroom walls.

"The problem goes far above and beyond the potential breach of data or risks to that data. It also has an impact on safety, privacy, and the whole operation of your entire network, especially if it's an industrial IoT type of network," said Raggo.

"What that means in terms of your policies and how you approach the problem, is that this is more than just protecting data and avoiding data exfiltration. Now we are talking about the safety and the privacy of people and employees."

The impact of IoT security issues is far-reaching. According to Raggo, "roughly 50% of the new buildings being built in the United States have some kind of IoT functionality."

Raggo said that ensuring the reliability and security of the lighting, power, and HVAC systems of your home and your business is a real challenge if those systems aren't connected to your own network.

Although many people are familiar with Wi-Fi and Bluetooth, according to Raggo they often don't have a clear understanding of how IoT devices are configured and who can actually connect to them.   

Raggo referenced experiments conducted in his own lab that had produced worrying results, exposing vulnerabilities in smartphones and surveillance cameras. In one test, he used a wireless thumb drive to access data on a hub.

"I simply plugged it into a USB port in the back of the hub and immediately videos started being recorded to my thumb drive. There was no authentication required," said Raggo.

One threat Raggo drew attention to was Bluetooth skimming, where threat actors steal money by breaching credit card details used in transactions. After being asked to investigate a fast-food restaurant that had suffered a breach, Raggo used readily available Bluetooth scanning tools to detect a long-range Bluetooth device placed under the cash register that had been used to skim data.

Source: Information Security Magazine

Facebook Finally Pays £500K Cambridge Analytica Fine

Facebook has finally reached an agreement with the UK’s privacy regulator to pay a £500,000 penalty related to the Cambridge Analytica scandal, a year after the fine was levied.

The social network had lodged an appeal against the Information Commissioner’s Office (ICO), and in June a tribunal agreed that the watchdog’s decision-making process should be scrutinized as part of the case, to investigate allegations of bias. The ICO appealed this judgement in September this year.

However, the two parties have now agreed to withdraw their respective appeals, which means Facebook will pay the £500,000 but accept no liability relating to the penalty notice. Both parties will pay their own legal costs.

“The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy,” argued deputy commissioner, James Dipple-Johnstone.

“We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case."

The original penalty notice alleged that Facebook had processed user information “unfairly” under the old Data Protection Act 1998. It did this by allowing developers to access the data without adequately “clear and informed consent,” and by allowing access to users who had not downloaded an app but were friends of those who had.

The social network was also accused of failing to check how this data was being secured or used by developers. That is said to have led to one developer, Aleksandr Kogan, harvesting info on 87 million users without their knowledge and subsequently sharing some of this with Cambridge Analytica parent SCL Group. It was then purportedly used to target wavering voters ahead of the 2016 US presidential election.

The ICO also claimed at the time that Facebook failed to take swift enough action to ensure this highly sensitive data was deleted when, in December 2015, it discovered what had happened. SCL Group wasn’t suspended until 2018.

The penalty issued was a rare maximum fine under the old data protection regime, although commissioner Elizabeth Denham said it could have been much greater had the incident happened during the GDPR era.

In the US, Facebook was fined $5bn by the FTC earlier this year.

Facebook associate general counsel, Harry Kinmonth, was quick to point out that the ICO had found no evidence that users in the EU had their data transferred by Kogan to Cambridge Analytica.

“As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015,” he added.

“We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information.”

Source: Information Security Magazine

Facebook Takes Spyware Firm NSO Group to Court

Facebook is taking spyware vendor NSO Group to court over allegations that the Israeli firm developed and helped to deploy malware that was used to target over 1000 WhatsApp users.

The threat in question was discovered back in May, targeting video call users without them even needing to pick up. Victims would receive a call while in the background a specially crafted series of SRTCP packets allowed the attacker to install the NSO Group’s Pegasus spyware on either iOS or Android devices.

Facebook rolled out a fix for the buffer overflow vulnerability in the WhatsApp VoIP stack, but did not release any further details at the time.

Now it is claiming the Israeli firm, which claims only to sell its wares to help legitimate law enforcement and government intelligence agencies, was directly behind the attacks on 1400 WhatsApp users.

It alleged that the “attackers used servers and internet-hosting services that were previously associated with NSO.”

Moreover, the attacks themselves were not used for legitimate policing efforts, but targeted journalists, human rights activists, political dissidents, and senior government officials — with the majority of victims located in Bahrain, the United Arab Emirates and Mexico, Facebook claimed.

“We agree with UN special rapporteur for Freedom of Expression David Kaye’s call for a moratorium on these attacks. There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world,” the firm noted in a lengthy statement.

“Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders. Working with research experts at the Citizen Lab, we believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse.”

WhatsApp alleges that NSO has violated US and California laws and its own Terms of Service, which prohibit such abuses.

Source: Information Security Magazine