Category Archives: Industry News

French authorities take down ‘Black Hand’ dark web forum selling narcotics, weapons, stolen banking data

The French Minister of Public Action has announced the dismantling of the “Black Hand” forum, a marketplace on the French dark web selling drugs, weapons, stolen credit cards and other illicit goods and services.

On June 12, the National Directorate of Intelligence and Customs Investigations (DNRED) reportedly started raiding key locations in the country where authorities believed they might find the forum’s operators.

Authorities arrested the site’s administrator and several others also seemingly tied to the illegal marketplace. Investigators seized the server on which the forum was hosted as well as additional computer equipment, fake identification documents, 4,000 euros in cash and another 25,000 euros in digital currency (Bitcoin).

After gaining access to the forum’s contents, investigators confirmed that more than 3,000 registered users were selling or buying illegal products and services, including weapons, narcotics, false papers and stolen banking data, through the service.

After 48 hours of custody, the suspects were brought before the magistrates of the Interregional Specialized Court of Lille, where they were charged as follows:

“Criminal conspiracy for the preparation of crime (putting into circulation counterfeit or falsified currency legal tender in France), offenses punishable by 10 years imprisonment (drug trafficking) and offenses punishable by five years’ imprisonment (false administrative documents, scams).”

According to the press release issued by the Ministry of Public Action on Saturday, “this is the end of one of the most important illegal market places for the French dark web.”

Extortionists demand millions from Liberty; threaten to release ‘sensitive data’ of ‘top clients’

Ransomware and extortion aren’t going away in 2018. A group of hackers has threatened financial services provider Liberty with the leak of “top client” data if it refuses to pay a ransom.

Parent company Liberty Holdings posted a notice on Saturday regretfully announcing it had been subjected to “unauthorized access to its IT infrastructure.”

“An external party claims to have seized data from us, has alerted us to potential vulnerabilities in our systems and has requested compensation for this,” the firm said.

Liberty says it took immediate steps to contain the situation and that it is actively investigating, adding that it will “endeavour to keep all stakeholders fully informed as appropriate.”

The notice reveals Liberty refused to pay the extortionists, and has called upon law enforcement authorities to get to the bottom of the situation.

“We are at an advance stage of investigating the extent of the data breach, which at this stage seems to be largely emails and attachments. At this point there is no evidence that any customer has suffered any financial loss,” the notice says.

Liberty promises to inform any customer that may have been impacted, if such evidence is eventually uncovered.

A report in the Sunday Times says the hackers were sitting on “sensitive data” about “top clients” and were threatening to release it if Liberty doesn’t pay the extortion money. According to the report, the hackers demanded millions from Liberty.


HOTforSecurity: Banco de Chile admits losing $10 million in disk-wiping malware attack

Banco de Chile, the second largest bank in the country, released a public statement confirming a major malware attack that breached its computer systems on May 24, shutting down bank operations. The attackers used disk-wiping malware to cause the outage and distract attention from their real target: the SWIFT money transfer system.

Although branch operations were suspended, internet portals, mobile applications and ATMs were not affected and remained safe to use. Some 9,000 terminals and 500 servers across multiple branches were compromised by the malware.

According to the bank’s CEO Eduardo Ebensperger, $10 million was stolen and traced to accounts based in Hong Kong.

“We found some strange transactions on the Swift system, and that’s when we realized that the virus wasn’t all of it, but fraud was being attempted,” he confirmed in an interview last week (translation).

Analyzing images posted by bank employees, Bleeping Computer deduced the malware “was affecting hard drives’ Master Boot Records (MBRs) a-la NotPetya.” It was identified as possibly KillMBR, a wiper previously used in attacks meant to destroy data at financial institutions.

Financial institutions remain a top target for hackers in 2018. In 2015 and 2016, millions of dollars were stolen by hackers who manipulated the SWIFT banking network. Known as Lazarus Group, they have been directly associated with North Korea and are responsible for cyberattacks on 12 banks in Southeast Asia and Sony Pictures Entertainment.



HOTforSecurity


Apple to terminate developers who collect, sell user data without consent

Apple has updated the Legal section of its App Store Review Guidelines to include new rules for members of the iOS Developer Program. Developers who collect or sell personal data to a third party without clear, express consent from their users will be expelled from the Apple Developer Program and, by extension, from the App Store.

Apple’s new legal terms come on the heels of the EU’s General Data Protection Regulation, which took effect last month and applies to any business, wherever it is based, that collects or processes the personal data of people in the EU.

The GDPR’s data minimization principle, together with its push for anonymization and pseudonymization and the so-called Right to Be Forgotten (right to erasure), obliges companies to collect no more personally identifiable information (PII) than the service or app needs to work, and to delete it when the user asks.

In that respect, Apple is now demanding that developers adhere to a new set of data collection guidelines. Some highlights:

  • All apps must include a link to their privacy policy in an easily accessible manner
  • Explicitly identify what data, if any, the app/service collects, how it collects it, and all the uses of that data
  • Confirm that any third party with whom an app shares user data provides equal protection of user data as stated in the app’s privacy policy
  • Describe how a user can revoke consent and/or request deletion of the user’s data
  • Apps that collect user or usage data must secure user consent for the collection
  • Ensure the purpose strings clearly and completely describe the use of the data
  • Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access (e.g. don’t ask for microphone access if the app only wants to post to social media)
  • Don’t ask the user to sign up / sign in if the app doesn’t include significant account-based functionality
  • The app must include a way to revoke social network credentials and disable data access between the app and social network from within the app
  • Unless otherwise permitted by law, developers may not use, transmit, or share someone’s personal data without first obtaining their permission
  • Apps should not attempt to surreptitiously build a user profile based on collected data
  • Developers must not use information from Contacts, Photos, or other APIs that access user data to build a contact database for their own use or for sale/distribution to third parties

These are just some of the key new requirements for iOS developers doing business in the App Store. The guidelines also clarify that developers who use their apps to surreptitiously discover passwords or other private data will be removed from the Developer Program. The same goes for app sellers who share user data with third parties without obtaining clear, express consent from end users.

Vermont librarian scores symbolic $600 win against Equifax in small claims lawsuit

In the Equifax breach last year, more than 143 million people had their personal and financial information exposed to hackers. For one 49-year-old librarian in Vermont, simply watching the company’s image get tarnished would not suffice.

Jessamyn West lives in a tiny town in Vermont, USA. She was one of the many Americans affected by the massive Equifax data breach disclosed in September 2017. Days after the credit reporting agency reported the embarrassing incident, West filed a claim with the local Orange County courthouse seeking $5,000 in damages.

West admits she was driven by frustration. Her mother had died recently, and she was struggling to sort out a lot of family paperwork, including many financial documents for herself and her sister, with whom she runs a business.

“There is no way for me to tell if these or many other similar financial services hassles are due to the breach, but they have become more prevalent since last summer. I was on hold with Equifax’s understaffed support lines for hours. I tried to load their constantly-crashing websites for days. I am eternally vigilant about any change to my bank accounts, credit scores or even incoming postal junk mail. It’s exhausting,” she wrote in a post on Medium describing her ordeal.

The judge eventually sided with her, but awarded West only $690, of which $90 covered court costs.

“The small claims case was a lot more about raising awareness,” West told security heavyweight Brian Krebs in an interview. “I just wanted to change the conversation I was having with all my neighbors who were like, ‘Ugh, computers are hard, what can you do?’ to ‘Hey, here are some things you can do’,” she said. “A lot of people don’t feel they have agency around privacy and technology in general. This case was about having your own agency when companies don’t behave how they’re supposed to with our private information.”

She said she was surprised more people weren’t joining the fight, knowing the scale of the incident as well as Equifax’s annual turnover ($3.4 billion as of last year). However, she hopes to inspire others to do the same by sharing her story. West reportedly plans to donate the $600 to the Vermont chapter of the American Civil Liberties Union (ACLU).

Around the time Equifax reported the breach, law firm Geragos & Geragos said it was seeking up to $70 billion in damages in a class action suit. If successful, the law firm said, the class action settlement would be the biggest in the history of the United States.

FBI arrests 74 alleged scammers in international financial fraud operation

The Nigerian prince scam is back, this time going after smaller businesses rather than large corporations. On Monday, the FBI announced the arrest of 74 alleged email scammers across seven countries, including 15 alleged money mules and 42 arrests in the US alone.

The elaborate scam had been targeting employees from medium-sized businesses that had access to finances or wire transfer payments. Once scammers gained access to an employee’s email account, they posed as that person or as a business partner.

The campaign was a typical BEC (Business Email Compromise) scheme, also known as “cyber-enabled financial fraud”; it started in Nigeria and rapidly spread to other countries. Email scams can also target individuals, seeking to trick them into making payments for real estate or to help someone in need, and even tech giants such as Google and Facebook have lost millions to such schemes.

Dubbed “Operation WireWire,” the investigation took six months and involved a joint effort of local law enforcement overseas and US federal authorities including the Department of Homeland Security, the Department of the Treasury and the U.S. Postal Inspection Service. It led to a significant number of arrests in just two weeks in the US, Canada, Nigeria, Mauritius and Poland. Authorities blocked wire transfers to recover some $14 million, and seized a further $2.4 million.

“A number of cases charged in this operation involved international criminal organizations that defrauded small- to large-sized businesses, while others involved individual victims who transferred high-dollar amounts or sensitive records in the course of business,” said the FBI.

“The devastating impacts these cases have on victims and victim companies affect not only the individual business but also the global economy. Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.”

Dixons Carphone data breach – millions put at risk of fraud

Once again a large company has suffered a huge data breach, putting millions of innocent customers at risk.

Customers of the popular British high street stores Currys PC World, Carphone Warehouse and Dixons Travel have been warned of a huge data breach involving 5.9 million payment cards and the personal data records of 1.2 million individuals.

Parent company Dixons Carphone said in a statement that a review of its internal systems uncovered a security breach at one of the processing systems used by Currys PC World and Dixons Travel stores.

According to reports, the breach – which has only just been made public – could have occurred as far back as 2016.

What makes the breach particularly serious is that often hacking incidents will involve the exposure of users’ personal information (such as names, email addresses, or even passwords) but *not* their payment information.

With the Dixons Carphone hack, however, things are different – with almost six million payment card details ending up in the hands of hackers.

The only silver lining is that Dixons Carphone says the majority of the breached cards have chip and PIN protection:

5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

However, the firm admits that approximately 105,000 non-EU payment card details were not protected with chip and pin protection – potentially putting those consumers at greater risk of fraud.

Even if consumers’ credit card details are not at risk of being exploited, there are still dangers associated with the security breach.

For instance, Dixons Carphone has admitted that hackers also gained access to 1.2 million personal records containing non-financial information (such as names, addresses, and email addresses).

Past incidents have proven that criminals can be quick to exploit such information in follow-up attacks, perhaps pretending to be communications from the hacked company in an attempt to trick customers into handing over even more personal details that can then be used for the purposes of identity theft.

It’s easy to imagine, for instance, that customers may have found themselves on the receiving end of malicious spam or phishing attacks in the wake of the hack.

If all of this sounds somewhat familiar then you’re not wrong.

Three years ago, in 2015, Carphone Warehouse (which was then a separate company) warned that approximately three million customers had been put at risk after its IT systems had been breached by hackers.

That incident cost Carphone Warehouse £400,000 in the form of a fine from the Information Commissioner’s Office (ICO).

In the ICO’s report on that incident, Carphone Warehouse was criticised for its “multiple inadequacies” when it came to security and its failure to take adequate steps to protect customers’ personal information.

Little has been made public so far about precisely which security failings allowed the hackers to gain access to the sensitive information in this latest breach.

But questions will now no doubt be asked as to whether the merged companies learned enough from the earlier hack and were taking appropriate steps to ensure that data security would be maintained.

Dixons Carphone Chief Executive, Alex Baldock, says the company is “extremely disappointed and sorry for any upset [the hack] may cause,” and shares in the company have dropped 3% today.

Bitcoin drops 10% after hack of South Korean exchange service

CoinRail, a small cryptocurrency exchange based in South Korea, reported on Sunday that it had fallen victim to a cyberattack, confirming it publicly on Twitter. In the aftermath, bitcoin prices fell by 10 percent to their lowest since April.

“The price of bitcoin dropped $500 in a single hour Sunday to hit a two-month low below $6,700,” wrote CoinDesk.

In the hack, CoinRail lost some 30 percent of the tokens it held, namely Pundi X (NPXS), NPER (NPER) and Aston (ATX). Local media estimated the loss at $37.28 million. CoinRail’s website has been in maintenance mode since the hack was identified. The site said most of the cryptocurrency had been moved to offline wallets but gave no detail about the actual financial loss.

“At present, 70% of your coin rail total coin / token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage,” reads their website (according to Google translate). “Two-thirds of the coins confirmed to have been leaked are covered by freezing / recalling through consultation with each coach and related exchanges. The remaining one-third of coins are being investigated with investigators, relevant exchanges and coin developers.”

CoinRail is working with an external forensics firm to investigate the breach and recover from the damage. Together with the projects behind the affected tokens, it is trying to freeze the stolen coins.

As South Korea is a major cryptocurrency trading hub, this is not the first time one of its exchanges has been attacked. Youbit shut down in December after being hacked twice.

Tens of thousands of Android devices are leaving their debug port exposed

Countless Android devices are open to attack after being shipped with a critical debugging interface left exposed.

Android Debug Bridge (ADB) is a developer facility for communicating with an Android device, executing commands on it and, if necessary, taking full control. It is normally used over USB, but the on-device daemon can also be told to listen on a TCP port.

As its name suggests, the facility is tremendously useful when it comes to debugging a device and ironing out bugs. If it is left enabled on shipping devices, however, it is open to abuse by criminals.

Security researcher Kevin Beaumont highlighted the danger in a blog post late last week:

It is completely unauthenticated, meaning anybody can connect to a device running ADB to execute commands. However, to enable it — in theory — you have to physically connect to a device using USB and first enable the Debug Bridge.

Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.

In a nutshell, anyone can remotely open a shell on a vulnerable device (on many such builds the debug daemon runs as “root”), silently install software and execute malicious code, without any need for a password.

According to Beaumont, vulnerable devices have included DVRs, mobile phones, Android smart TVs and even tankers.

And, according to other researchers, the threat is not theoretical: a network worm called ADB.Miner has been seen scanning the internet for devices with TCP port 5555 (used by ADB) left open, in an attempt to build a cryptomining botnet.

Although it’s difficult to calculate a precise number of devices that may be open for potential attack, Beaumont says “it is safe to say ‘a lot’.”

A guide on the HackTabs website provides a tutorial on how users can check to see if ADB has been enabled on their devices, as well as a means of disabling the feature.
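The unauthenticated handshake Beaumont describes can be checked directly from the network side. The following is an added example, not code from the article, from Beaumont’s post or from the HackTabs guide: it builds the ADB transport protocol’s opening CNXN message, parses the reply, and distinguishes a daemon that hands back its device banner with no authentication step from one that answers AUTH and will not proceed without a signed token. The `probe` function needs network access to a host you are authorised to test; the sample replies, and the device name in them, are constructed.

```python
"""Probe whether a TCP-exposed ADB daemon accepts connections without
authentication, by speaking the first step of the ADB transport protocol.

Added example, not code from the article or from Kevin Beaumont's post.
The sample replies below are constructed, not captured from real devices.
"""
from __future__ import annotations

import socket
import struct

# ADB transport commands are four ASCII bytes read as a little-endian uint32.
A_CNXN = 0x4E584E43  # b"CNXN": connection / banner exchange
A_AUTH = 0x48545541  # b"AUTH": device demands RSA key authentication
ADB_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")  # command, arg0, arg1, length, checksum, magic


def encode_message(command: int, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Serialise one ADB message: 24-byte header followed by the payload."""
    checksum = sum(payload) & 0xFFFFFFFF  # protocol's simple byte-sum check
    magic = command ^ 0xFFFFFFFF          # bitwise NOT of the command word
    return HEADER.pack(command, arg0, arg1, len(payload), checksum, magic) + payload


def decode_message(raw: bytes) -> tuple[dict, bytes]:
    """Parse one ADB message, rejecting anything that is not well-formed ADB."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, checksum, magic = HEADER.unpack_from(raw)
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not an ADB message")
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if (sum(payload) & 0xFFFFFFFF) != checksum:
        raise ValueError("checksum mismatch")
    return {"command": command, "arg0": arg0, "arg1": arg1}, payload


def build_cnxn() -> bytes:
    """The client's opening CNXN message, with the same banner adb itself uses."""
    return encode_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, b"host::\x00")


def classify(response: bytes) -> str:
    """Interpret the device's first reply to our CNXN."""
    try:
        header, _ = decode_message(response)
    except ValueError:
        return "not-adb"
    if header["command"] == A_AUTH:
        return "auth-required"  # hardened case: a signed token is needed first
    if header["command"] == A_CNXN:
        return "open"           # banner straight back: no authentication at all
    return "unexpected"


def device_banner(response: bytes) -> dict[str, str]:
    """Split a CNXN payload like b'device::ro.product.model=X;...' into fields."""
    _, payload = decode_message(response)
    _, _, props = payload.rstrip(b"\x00").decode(errors="replace").partition("::")
    return dict(p.split("=", 1) for p in props.split(";") if "=" in p)


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one ADB message: the header, then the advertised payload."""
    raw = b""
    while len(raw) < HEADER.size:
        chunk = sock.recv(HEADER.size - len(raw))
        if not chunk:
            return raw
        raw += chunk
    length = HEADER.unpack_from(raw)[3]
    while len(raw) < HEADER.size + length:
        chunk = sock.recv(HEADER.size + length - len(raw))
        if not chunk:
            break
        raw += chunk
    return raw


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Connect to a real host you are authorised to test and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        return classify(recv_message(sock))


# Constructed sample replies (hypothetical device, not a real capture).
OPEN_DEVICE_REPLY = encode_message(
    A_CNXN, ADB_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=example;ro.product.model=ExampleBox;"
    b"ro.product.device=box;features=shell_v2,cmd\x00")
LOCKED_DEVICE_REPLY = encode_message(A_AUTH, 1, 0, bytes(20))  # arg0 1 = TOKEN

if __name__ == "__main__":
    print(classify(OPEN_DEVICE_REPLY), device_banner(OPEN_DEVICE_REPLY))
    print(classify(LOCKED_DEVICE_REPLY))
```

A production build answers AUTH and will not run commands until an RSA-signed token is accepted; a daemon that replies CNXN straight away is the case the article describes. On a device you own, `adb shell getprop service.adb.tcp.port` shows whether the daemon is configured to listen on TCP, and `adb usb` returns it to USB-only mode.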

Hack of US Navy Contractor Nets China 614 Gigabytes of Classified Information

China allegedly exfiltrated classified information pertaining to US Navy projects after a successful cyberattack on an unnamed Navy contractor. The 614 gigabytes taken reportedly include sensor data, cryptographic information, material on submarine electronic warfare, and details of a classified project known as Sea Dragon.

The contractor, believed to work for the Naval Undersea Warfare Center, allegedly stored the sensitive information on an unclassified network. The Sea Dragon project seems to be a Pentagon initiative aimed at bringing “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.”

The trove of data allegedly also includes information about a supersonic anti-ship missile that is to be fitted to US submarines by 2020, increasing the strategic military value of the theft. Officials believe the Chinese government is behind the attack, as this type of military intelligence is exactly what China needs to close the technology gap between its navy and that of the United States.

“So anything that degrades our comparative advantage in undersea warfare is of extreme significance if we ever had to execute our war plans for dealing with China,” said James Stavridis, dean of the Fletcher School of Law and Diplomacy at Tufts University and a retired admiral who served as supreme allied commander at NATO.

This is not the first time the US has blamed China for breaches of government contractors that cost it sensitive military research and information; in this case the attack has been attributed to the Chinese Ministry of State Security, a civilian agency tasked with counterintelligence.

“We treat the broader issue of cyber-intrusion against our contractors very seriously,” said Cmdr. Bill Speaks, a Navy spokesman. “If such an intrusion were to occur, the appropriate parties would be looking at the specific incident, taking measures to protect current information, and mitigating the impacts that might result from any information that might have been compromised.”

MyHeritage breach leaks 92 million emails, hashed passwords

Genealogy and DNA testing service MyHeritage has announced that it fell victim to a data breach. A security researcher found, on a private server outside the company, a file containing the email addresses and hashed passwords of more than 92 million users, taken by an unknown attacker.

Once MyHeritage received the report, the company immediately assembled an Information Security Incident Response Team to investigate, and confirmed that the data was genuine. The researcher did not say how he obtained the file, so MyHeritage is now investigating how the breach actually occurred.

The internal investigation also found that only accounts created up to October 26, 2017 were affected, and that there is no evidence so far of the stolen information being used against those accounts. MyHeritage stored a one-way hash of each password rather than the password itself, which limits what an attacker can do with the dump; hashes can still be attacked offline by guessing, however, so the company has started a reset for all accounts.

“Although no passwords leaked but only hashed versions of the passwords, we encouraged our users to change their password, and many already did so,” MyHeritage said. “However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage. This process will take place over the next few days.”
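“Only hashed passwords leaked” is reassuring only if the hashing was salted and deliberately slow, and the page does not say which scheme MyHeritage used. The following added example (not the company’s code) shows why that distinction matters: a constructed three-user dump stored as unsalted SHA-1 falls to a five-word dictionary with five hash computations in total, while the same dump stored with per-user salts and PBKDF2 forces one slow derivation per user per guess. All accounts, passwords, the wordlist and both storage formats are constructed for illustration.

```python
"""Why 'only hashed passwords leaked' is not the end of the story: an offline
guessing attack against fast, unsalted hashes versus per-user-salted PBKDF2.

Added example; the page does not say which hash MyHeritage used, so both
schemes here are hypothetical. Users, passwords and the wordlist are constructed.
"""
from __future__ import annotations

import hashlib
import secrets

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "genealogy2017"]

# Constructed accounts; "c@" chose a passphrase that is not in the wordlist.
USERS = {"a@example.com": "123456", "b@example.com": "letmein", "c@example.com": "Tr0ub4dor&3"}


def weak_hash(password: str) -> str:
    """Unsalted SHA-1: identical passwords give identical hashes for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Hash each guess once and look it up against all users at the same time."""
    table = {weak_hash(w): w for w in wordlist}  # len(wordlist) hashes in total
    found = {email: table[h] for email, h in leaked.items() if h in table}
    return found, len(wordlist)


ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def strong_hash(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Salts defeat the shared lookup table: every (user, guess) pair costs a full KDF run."""
    found: dict[str, str] = {}
    work = 0
    for email, stored in leaked.items():
        for guess in wordlist:
            work += 1
            if verify_strong(guess, stored):
                found[email] = guess
                break
    return found, work


# The two hypothetical "leaked" tables, one per storage scheme.
LEAKED_UNSALTED = {e: weak_hash(p) for e, p in USERS.items()}
LEAKED_SALTED = {e: strong_hash(p) for e, p in USERS.items()}

if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-1: cracked {len(found)}/{len(USERS)} with {work} hashes")
    found, work = crack_salted(LEAKED_SALTED, WORDLIST)
    print(f"salted PBKDF2:  cracked {len(found)}/{len(USERS)} "
          f"with {work} derivations of {ITERATIONS} iterations each")
```

Salting and a slow KDF do not rescue users who chose a word in the attacker’s list; they multiply the attacker’s cost per account, which is why a forced reset after a hash leak is the right call even when the hashing was done well.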

MyHeritage’s systems do not store credit card information either, because payments are handled by third-party providers. Family trees and DNA data have not been affected as they are kept on segregated systems.

“We believe the intrusion is limited to the user email addresses,” reads the company blog. “Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security.”

MyHeritage announced the immediate addition of two-factor authentication for extra account safety. Authorities will also be informed, as the GDPR requires, and users are advised to check their accounts.

Patch your Flash Player now! Zero-day actively exploited in the wild

Adobe has released patches for all users running Flash Player 29.0.0.171 and earlier, addressing critical flaws in its trouble-plagued platform.

Whether you are running the software on Windows, macOS, Linux or Chrome OS, the Flash Player creators urge you to install the newest version immediately!

“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email,” the company says in its advisory.

Affected installations of Flash include Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Exploitation of the flaw can lead to arbitrary code execution, says Adobe.

Users of Flash Player Desktop Runtime should update to version 30.0.0.113 via the update mechanism within the product, whatever their OS. The next release of Google Chrome will include Flash Player 30.0.0.113 by default, as will the Flash plugins in Microsoft Edge and Internet Explorer 11 for Windows 10.

The downloadable patches can be found at the Adobe Flash Player Download Center.

HOTforSecurity: US Lawmakers Propose ‘Hack Back’ Law to Allow Cyber Retaliation Without Permission of Third-Party Country

US legislators are proposing new legislation that would empower US cyber defenses to hack back at cyber aggressors, even if they’re using a third-party country’s infrastructure, without the explicit consent of the respective country.

The National Defense Authorization Act would also create a new cyber body with the technology and skills to strike back at aggressors, namely China and Russia, that seek to disrupt US critical infrastructure or weaken its cyber resilience. If approved, the bill would not only let the US military “hack back” at aggressors but also create a “Cyberspace Solarium Commission” whose purpose is to propose and implement strategic cyber defenses that strengthen the United States’ resilience to cyberattacks.

“The committee recommends a provision that would authorize the National Command Authority to direct the Commander, U.S. Cyber Command (CYBERCOM), to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace,” reads the proposed bill. “The provision would also authorize the Secretary of Defense to conduct, through the Commander, U.S. Cyber Command, surveillance in networks outside the United States of personnel and organizations engaged at the behest or in support of the Russian Federation…”

The Cyberspace Solarium Commission, which would comprise 13 people with expertise in both national security and cyber security, would also be tasked with evaluating adversaries’ strategies and the allocation of resources for defending against them.

“The Commission would weigh the benefits and costs of various strategic frameworks (e.g., deterrence, norms-based regimes, and cyber persistence), evaluate the sufficiency of the current allocation of resources in cyberspace, and consider potential realignments in governmental structure and authorities,” reads the proposed bill. “The Commission would have broad authorities to hold hearings, request information from government entities, subpoena witnesses, and contract out taskings.”




HR software PageUp breached, faces class action in Australia

Australian HR software provider PageUp is facing a class action after a major data breach that exposed users’ personal information, Australian law firm Centennial Lawyers announced. Fearing their personal data may have been exposed, some users who applied for jobs through PageUp are taking legal action against the company because they feel they haven’t received enough details about the breach: only a brief, general email was sent out, with little explanation.

“If any personal data has been affected it could include information such as name and contact details. It could also include identification and authentication data e.g. usernames and passwords which are encrypted (hashed and salted),” the company said in a statement.

PageUp reported “unusual activity” on May 23, CEO and co-founder Karen Cariss wrote on the company website, and a forensic investigation immediately followed after malware was identified. Thousands of job applicants may have been affected by the breach and could fall victim to identity fraud.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used,” Cariss wrote. “All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.”

Some of Australia’s top companies, including Wesfarmers (Coles, Target, Kmart, Officeworks), NAB, Telstra, Commonwealth Bank, Lindt, Aldi, Linfox, Reserve Bank of Australia, Australia Post, Medibank, ABC, Australian Red Cross, University of Tasmania, AGL and Jetstar, used the software provided by PageUp in their online recruitment process.

PageUp claims to have some 2 million active users in 190 countries.

Bug bounty payouts double in 2018; India reports the most bugs while U.S. wins highest payouts

Some of the biggest players in various industries have turned to the crowdsourced security model – white hat-driven bug bounty programs – in a race to identify emerging vulnerabilities before the black hats do.

The crowdsourced security model brings the brightest ethical hackers together. Bug bounty and vulnerability disclosure programs uncover seven times more high-priority vulnerabilities than traditional assessment methods, and the smart companies are turning to crowdsourced security to cope with a complex threat landscape, according to Bugcrowd.

The industries most eager to adopt the crowdsourced security model include Computer Hardware, Software & Networking, IT Services, eCommerce / Retail, Financial Services, and Telecom / Communication Services, the company said.

In its fourth iteration, the 2018 Bugcrowd State of Bug Bounty Report reveals a spike across the board in the number and severity of vulnerabilities, as well as an increase in payouts to ethical hackers.

The total number of vulnerabilities submitted via the company’s platform rose 21 percent in the last 12 months, year-over-year, to more than 37,000. Significantly, the average payout across all programs and industries doubled.

The Top 5 vulnerabilities submitted this past year were: Cross-Site Scripting (XSS) Reflected; Cross-Site Scripting (XSS) Stored Admin; Broken Authentication and Session Management Failure to Invalidate Session; Broken Authentication and Session Management Weak Login Function Over HTTP; and Server Security Misconfiguration No Rate Limiting on Form.

Bugcrowd’s legion of white hat hackers has grown 71 percent in the past year, with representatives from more than 100 countries. One standout from the report is India, responsible for an impressive 30 percent of vulnerability submissions. However, the largest payment amount went to the United States, suggesting Americans have more of a knack for high-profile bugs.

(This post on the Microsoft Developer blog explains, rather comically, how the P1, P2, P3… priority system works in the bug bounty world).

The report also notes a 40 percent increase in the number of bug bounty programs opened during the past year. A 33 percent increase was also recorded among private programs. In another key finding, 75 percent of all P1 vulnerability payouts were above $1,200, up from $926 last year. And more than 91 percent of all vulnerability submissions were web vulnerabilities.

Australia’s Commonwealth Bank leaks data of 10,000 customers over domain misspelling

Just last month, Australia’s Commonwealth Bank admitted losing the financial history of some 20 million customers. Now, the financial institution drops the ball again, this time mistakenly sending the data of some 10,000 customers to the wrong email address, the bank confirmed on Friday.

During the last financial year, the simple misspelling of the domain, forgetting to include “.au” after the domain name “cba.com,” sent 651 internal emails to the wrong domain. After an internal investigation of the domain ownership, it was revealed it belonged to a US-based cybersecurity company and, prior to that, it was owned by a US financial services company.

CBA purchased the domain in April 2017 and, as of January 2017, emails sent to cba.com were blocked.

CBA assures its customers their data has not been compromised, and anyone involved in the error will be contacted immediately.

“We want our customers to know that we are committed to being more transparent about data security and privacy matters,” said Angus Sullivan, CBA’s acting group executive for retail banking services.

“Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”

The emails were deleted by the domain owner’s system and permanently discarded from the servers. The investigation confirmed the data in the emails was not used in any way.
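A check of the kind that catches the mistake described above, added here as an example (not CBA’s own tooling): an outbound-mail rule that flags recipient domains which are a truncated or near-miss spelling of an internal domain. The internal domain comes from the article; the recipient list is constructed.

```python
from typing import Optional

# From the incident above: mail meant for the bank's own domain went to the
# same name with the ".au" suffix dropped.
INTERNAL_DOMAINS = {"cba.com.au"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of_internal(domain: str, internal: set, max_edits: int = 2) -> Optional[str]:
    """Return the internal domain that `domain` resembles, or None when it is
    either an exact internal domain or a genuinely unrelated external one."""
    domain = domain.lower().rstrip(".")
    if domain in internal:
        return None
    for trusted in internal:
        # Truncated suffix: "cba.com" is "cba.com.au" with its last label missing.
        if trusted.startswith(domain + "."):
            return trusted
        # Near miss: a typo or one-character swap, e.g. "cba.con.au".
        if edit_distance(domain, trusted) <= max_edits:
            return trusted
    return None


def check_outbound(recipients: list, internal: set = INTERNAL_DOMAINS) -> list:
    """Flag recipients whose domain resembles an internal one. In practice a mail
    gateway rule would hold or block the message instead of just reporting it."""
    flagged = []
    for addr in recipients:
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        hit = lookalike_of_internal(domain, internal)
        if hit:
            flagged.append((addr, hit))
    return flagged


# Constructed sample recipients for the demonstration.
SAMPLE_RECIPIENTS = [
    "alice@cba.com.au",   # correct internal address
    "bob@cba.com",        # the misspelling from the incident: ".au" dropped
    "carol@cba.con.au",   # one-character typo
    "dan@example.com",    # genuine external recipient, must not be flagged
]

if __name__ == "__main__":
    for addr, resembles in check_outbound(SAMPLE_RECIPIENTS):
        print(f"HOLD {addr}: recipient domain resembles internal {resembles}")
```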

HOTforSecurity: Australia to force tech companies to allow government access to encrypted messages

The Australian government has drafted laws to gain access to encrypted messages from messaging apps, but tech companies fear this would create backdoors that would lead to encryption exploits and jeopardize security, writes The Guardian.

The government sees these measures as a partnership with telecom and tech companies “to modernize” interception legislation and keep a closer eye on alleged criminals and terrorists. Officials say backdoors are out of the question, as other decryption methods will be used. As expected, Facebook and Google are key actors involved due to the massive amounts of personal data they collect from users.

Australian Cyber Security Minister Angus Taylor gave no clear explanation of the technology and methods behind getting access to encrypted messages, or whether surveillance code would be installed on mobile devices. Despite his reluctance to offer details, one thing is certain: the law will take effect in the coming months, and companies that don’t comply will be fined.

“The key point here is that we need to modernize our laws and get access to information for holding criminals and terrorists to account for investigations and gathering evidence,” Taylor said in an interview.

“Those laws were developed during an analogue era decades ago and they are now out of date. Much data and information is transferred through messaging apps and it’s digital not analogue. There’ve been very substantial changes in the technology and we need to update the powers.”


Facebook exposed users’ personal data in data-sharing partnership

“Every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it,” said Mark Zuckerberg in front of Congress a couple of months ago. But his company may not be taking privacy protection as seriously as he claimed during the Congress hearings.

For the past 10 years, Facebook has been in a data-sharing partnership with over 60 computer, tablet and smartphone manufacturers, including Amazon, Apple, Samsung, Microsoft, HTC and Blackberry, exposing users to privacy and security risks, accuses The New York Times in an investigative report.

The newspaper says the partnership might violate a 2011 agreement with the Federal Trade Commission that states Facebook needs explicit user consent to provide third parties with their data. Facebook facilitated access to users’ personal data and to the data of their friends, breaching its own privacy policies.

The social network disagrees with the accusations in the New York Times and claims the decision concerned device-integrated APIs to “recreate Facebook-like experiences” on mobile devices, reads a blog post written by Ime Archibong, VP of Product Partnerships at Facebook. The company confirms some of the partners stored the data on their servers.

“Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built,” Archibong writes.

“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”

We need you! Join the Bitdefender 2019 BETA and test the future of cybersecurity!

We’re just a month away from launching our brand new Bitdefender 2019 series of security products, and we’re happy to announce that the next generation is ready for a public debut.

We are looking for 150 forward thinkers to lend us a helping hand in creating the world’s best security solution. If you fit the bill and minor glitches don’t give you headache, then welcome aboard!

The beta testing campaign for Bitdefender Total Security 2019 starts in mid-June. Once you’re enrolled and accepted, we’ll send you a welcome e-mail with a download link to get you started.

Our way of giving back

Not only will you be the first to get the next awesome products to come out of the Bitdefender Labs, but we’re throwing in some extra goodies such as Bitdefender products and Amazon vouchers as well. Watch this space for future announcements about brand-new features in the product!

Ready to join the beta? Start here!

Malware in the age of IoT

Malware that impacts IoT systems, however, operates a bit differently than traditional malware.

Now that technology providers are bringing connectivity to a whole host of different items and appliances, the full force of the Internet of Things is beginning to be felt by businesses and consumers alike. From simple items like home routers to more complex, machine-to-machine systems, the IoT is a powerful, revolutionary tech concept.

As connected systems and devices continue to bring benefits to the enterprise and consumer sectors, everyone has taken notice, including hackers. Similar to every other intelligent solution that's made an impact in the marketplace, connected IoT devices are attractive to hackers, as well as white hat users.

Malware that impacts IoT systems, however, operates a bit differently than traditional malware. What's more, because IoT platforms and appliances don't have the same computing power or security – and because these types of threats have seen a considerable uptick recently – it's worth taking a closer look at the infections that can impact connectivity-enabled devices.

How far is the reach of the IoT?

Significant statistics have surrounded the IoT since its inception, demonstrating the potential impact that a system of connected items could have. Consider these up-to-date numbers from Statista:

  • Researchers forecasted more than $284 billion in spending on IoT services in 2017, and predict that consumer spending will reach $1,494 billion by 2020.
  • The overall IoT retail market will surpass a value of $5 billion over the next two years.
  • The number of installed consumer IoT sensors and devices will reach 12.86 billion by 2020.
  • The global market for RFID tags will reach a value of $24.5 billion by 2020.
  • More than 37 million IoT-enabled road traffic management systems will be installed in the next two years.
  • There will be over 830 million wearables and 20.8 billion smart home automated systems installed in the consumer sector by 2020.

With such an expansive reach in the consumer, retail and civil sectors, it's no wonder why malicious actors are beginning to take advantage of connected sensors and devices for black hat purposes.

The IoT is set to grow steadily over the next few years.

How does IoT malware work?

IoT endpoints are considerably different than the traditional PCs and computing systems many users – and hackers – are used to. While these devices are equipped with wireless connectivity, some don't have the type of classic user interface or computing power.

However, some of the factors that set IoT devices apart from other technological platforms are just the types of things that hackers seek out.

"While IoT devices have far less power than even the most basic PC, they come with the benefit – for the attackers at least – that they often lack proper cyber security controls and that users frequently install the device and more or less forget about it," ZDNet contributor Danny Palmer wrote.

The use of default passwords and users not treating IoT endpoints in the same way that they would treat a traditional endpoint creates protection weaknesses that open the door for infection.

That being said, there are some similarities between recent malware strains infecting PCs and servers and the attacks launched on IoT systems. As Palmer explains, many IoT malware samples look to leverage devices for cryptocurrency mining, creating a botnet capable of generating a profit of untraceable, digital currency. Although some tech and security experts are unconvinced that hackers could create any kind of sizeable income from IoT cryptocurrency mining schemes, these instances should be considered a threat.

"While profit from infected IoT devices might be small – for now at least – it still represents a worry for users because ultimately the device is infected with malware," Palmer noted. "While cryptojacking arguably isn't as damaging as the likes of ransomware or trojans, the device has still been compromised."

IoT malware: Mirai variant targets IoT devices

One instance of an infection that specifically targets IoT endpoints is a variant of the Mirai malware sample, named OMG and identified as ELF_MIRAI.AUSX by Trend Micro researchers. This variant leverages the same distributed denial-of-service style attack capabilities as the original Mirai sample. The OMG variant also comes with certain code additions and omissions in an effort to infect IoT endpoints, including home routers, in particular.

"The main point of a Mirai attack is to allow cybercriminal authors to use privately-owned routers in their malicious activities without the knowledge of the owner," Trend Micro researchers explained. "Such attacks can have dire consequences for their victims, which could also include enterprises. Businesses could deal with business disruptions, monetary loss, and even damaged brand reputations."

Reaper: Building on the capabilities of Mirai

The OMG Mirai variant was one of the first notable IoT-targeting infections, but it surely wasn't the last. In late 2017, WIRED contributor Andy Greenberg reported on the Reaper IoT Botnet, which at the time of that writing, had already infected a total of one million networks.

Default passwords and weak security are opening the door for malicious IoT-targeted activity.

While Mirai and the OMG variant exploited weak security credentials or unchanged default passwords, the Reaper botnet – also known as IoT Troop – uses a more focused approach. This threat uses more active hacking techniques to pinpoint and infect IoT endpoints, establishing a far-reaching botnet with considerable computing power.

"It's the difference between checking for open doors and actively picking locks," Greenberg explained, comparing Mirai to Reaper. "Instead of merely guessing the passwords of the devices it infects, [Reaper] uses known security flaws in the code of these insecure machines hacking in with an array of compromise tools and then spreading itself further."

Safeguarding IoT endpoints: Enterprise best practices

The Reaper botnet threat shows that malicious actors are becoming increasingly savvy with their IoT-targeted infections, and chances are good that attacks on connected devices will only become more complex. As enterprises continue to take advantage of all that the IoT can offer, it's also important to ensure that these sensors and endpoints are properly protected:

  • Select reliable IoT products: It's important to deploy only routers and IoT appliances that include robust security protections. For instance, Trend Micro researchers recommend avoiding routers that include internet service packages, and to never use used routers, as these can have incorrect and insecure configurations.
  • Use strong authentication credentials: Most IoT devices come with pre-installed, default passwords. These represent an open door to hackers, making a breach and an infection a simple process for malicious actors. For this reason, it's imperative to change default passwords to something stronger and not easily guessed upon device deployment.
  • Ensure devices are updated: Businesses and consumers should also make sure that the firmware supporting router operations is up-to-date, including the OS, drivers, management programs and configurations.

To find out more about the latest news involving the IoT, connect with the security experts at Trend Micro today.

Jail for the man who helped Russia hack Yahoo’s email accounts

Remember when Yahoo seemed to have been beset by hack after hack after hack?

In September 2016, Yahoo revealed that the personal data of over 500 million users had been stolen by hackers in 2014.

As if that wasn’t bad enough, three months later the firm revealed that an even larger hack had occurred – a massive security breach had seen hackers access data belonging to up to billions of Yahoo user accounts.

That mega-hack took place in August 2013, with the attackers creating forged cookies that could permit access to users’ accounts without needing any passwords whatsoever. But Yahoo didn’t go public about the breach until December 2016, advising users to be cautious of unsolicited communications and to ensure that they were not using the same passwords and security questions/answers on any other online accounts.

The timing for the company couldn’t have been worse, as it was in the process of trying to sell itself to Verizon.

But it was hard to feel too sorry for Yahoo, as it was revealed that some of its staff had known since 2014 that its systems had been compromised by what it believed to be a “state-sponsored attacker”.

And it’s also hard to feel too much sympathy for Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, both officers in Russia’s FSB, who the FBI believes directed and paid the hackers involved in the 500 million user account heist.

Nor does my heart cry out for another Russian, Alexsey Alexseyevich Belan (also known as “Magg”), who the US Department of Justice claimed had gained access to the Yahoo User Database (UDB) and details of how to create account authentication web browser cookies.

According to US authorities, the fourth member of the gang was Karim Baratov, a resident of Canada who was extradited to the United States, and pleaded guilty to conspiracy to commit computer fraud and identity theft.

According to prosecutors, Baratov was paid by FSB officer Dokuchaev to hack into at least 80 webmail accounts, including at least 50 belonging to Google users. Baratov had been compromising webmail accounts, charging customers $100 per hack, since he was a teenager. Specifically, Kazakhstan-born Baratov advertised his services to Russian language speakers across the globe.

In all, Baratov is believed to have made more than US $1.1 million through his hacks, using his illegal income to purchase a house and expensive cars such as a Lamborghini, Porsche, Aston Martin, Mercedes, and BMW.

This week Baratov has been sentenced to five years in prison, avoiding the 94-month sentence that prosecutors asked for because US district judge Vince Chhabria accepted that Baratov had not been one of the gang’s ringleaders.

“The last 14 months have been a very humbling and eye-opening experience,” Baratov told the court. “There is no excuse for my action…all I can do is promise to be a better man.”

And as for Dokuchaev, Sushchin, and Belan? The three other men the United States would like to question about the Yahoo hack? They’re not expected to see the inside of a US court any day soon.

Cryptocurrency Mining: Abuse of system resources

Cryptocurrency mining can result in the unauthorized use of computing resources for profit.

Recent advances including digital currencies and the associated public transaction record blockchain have paved the way for an array of new financial activities. Cryptocurrencies like Bitcoin are beginning to be accepted as payment by major retailers, creating more concrete use cases and capabilities.

At the same time, though – and similar to a range of other legitimate technological processes that have been twisted into nefarious pursuits by black hats – hackers and other malicious actors have unsurprisingly begun leveraging cryptocurrency for their own purposes.

Cryptocurrency mining attacks have begun to take hold, and experts predict that they won't stall anytime soon – on the other hand, cybercriminals may only increase this abuse of resources. And unlike traditional attacks that involve breaches, data theft and malware, cryptocurrency mining impacts underlying system resources, gobbling up computing power that should be devoted to critical operational tasks.

Today, we'll take a closer look at cryptocurrency mining, the rise of these attacks within the threat environment, and why businesses should be concerned. 

How does cryptocurrency mining work?

As ITPro contributors Adam Shepherd and Keumars Afifi-Sabet point out, cryptocurrency mining relies upon the use of blockchain. Transactions are grouped together into blocks, which are verified by ensuring that the coins used in each transaction haven't expanded in value again before the transaction has been cleared. If the input and output totals tally equally, the block is verified, and the next sequential transaction block can be created and connected to the previous block.

Because blockchain is a publicly accessible record, there is no central authority – like a bank or other financial institution – and the system requires network nodes to support the process of gathering transactions together to create the next block in the chain. The nodes themselves are known as "miners." Each miner must go through and resolve a complex mathematical algorithm or "proof of work" before the miner can create the next block. This effectively slows the devaluation of the cryptocurrency by making it more difficult for network node miners to create new blocks.

As Shepherd and Afifi-Sabet explain, the completion of the proof of work isn't the only requirement to create a new block – and the benefit for doing so is the reward of cryptocurrency units.

"Winning miners receive 12.5 Bitcoins – or over $100,000 – for creating a single block."

"In order to successfully create a block, it must be accompanied by a cryptographic hash that fulfills certain requirements," Shepherd and Afifi-Sabet noted. "The only feasible way to arrive at a hash matching the correct criteria is to simply calculate as many as possible and wait until you get a matching hash. When the right hash is found, a new block is formed and the miner that found it is awarded with units of cryptocurrency."

According to Benzinga staff writer Shanthi Rexaline, winning miners receive 12.5 Bitcoins for creating a single block. This equates to over $100,000, creating considerable motivation to engage in cryptocurrency mining.
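A minimal working model of the proof of work described above, added here as an illustration (not code from the ITPro article or from any real miner): the header fields are constructed, JSON serialization stands in for Bitcoin’s actual block format, and the “requirements” the hash must fulfil are modelled as a number of leading zero bits. It makes visible the two properties the passage relies on: every extra bit of difficulty doubles the expected number of hashes to find a block, while checking a claimed solution costs a single hash.

```python
import hashlib
import json
import time

# Constructed block header for the demonstration. Field names mirror Bitcoin's,
# but the JSON serialization below is a simplification, not the real wire format.
SAMPLE_HEADER = {
    "version": 1,
    "prev_hash": "00" * 32,      # constructed: genesis-like predecessor
    "merkle_root": "ab" * 32,    # constructed: placeholder transaction root
    "timestamp": 1528000000,     # constructed: fixed so results are repeatable
}


def block_hash(header: dict, nonce: int) -> bytes:
    """Hash the header plus a candidate nonce (double SHA-256, as Bitcoin does)."""
    payload = json.dumps({**header, "nonce": nonce}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The proof of work is satisfied when the hash, read as a 256-bit integer, is
    below 2**(256 - difficulty_bits), i.e. its top difficulty_bits bits are zero."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: dict, difficulty_bits: int, max_attempts: int = 1 << 24):
    """Try nonces 0, 1, 2, ... until one satisfies the target: the 'calculate as
    many as possible' loop from the quote. Returns (nonce, digest_hex, attempts),
    or None if max_attempts is exhausted."""
    for nonce in range(max_attempts):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header: dict, nonce: int, difficulty_bits: int) -> bool:
    """Anyone can check a claimed solution with one hash. That asymmetry (many
    hashes to find, one to verify) is what lets the network accept new blocks."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Each attempt succeeds with probability 2**-difficulty_bits, so on average
    2**difficulty_bits hashes are needed; each additional bit doubles the work."""
    return 1 << difficulty_bits


def hashes_per_second(header: dict, samples: int = 20000) -> float:
    """Measure this machine's hash rate so the cost of a difficulty can be estimated."""
    start = time.perf_counter()
    for nonce in range(samples):
        block_hash(header, nonce)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, digest_hex, attempts = mine(SAMPLE_HEADER, bits)
        assert verify(SAMPLE_HEADER, nonce, bits)
        print(f"{bits:2d} bits: nonce={nonce:6d} attempts={attempts:6d} "
              f"(expected ~{expected_attempts(bits)}) hash={digest_hex[:16]}...")
    rate = hashes_per_second(SAMPLE_HEADER)
    # 40 bits is an illustrative figure, far below a real network target, yet it
    # already shows why one PC is not a viable miner and why attackers want other
    # people's CPUs instead of buying hardware.
    hours = expected_attempts(40) / rate / 3600
    print(f"~{rate:,.0f} hashes/s on this machine; 40 bits would take ~{hours:,.1f} hours")
```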

Enabling mining with stolen computing resources

When the concept of cryptocurrency mining first emerged, users were able to utilize their own standard PC to support the process. Now, however, much more computing power is required to facilitate a matching hash and creation of a new block. As Shepherd and Afifi-Sabet indicate, it would cost a typical individual more than £1,000 – or over $1,300 – to purchase the hardware necessary to successfully mine cryptocurrency.

For these reasons, hackers are forgoing the up-front investment and simply stealing the computing resources of legitimate systems to do their mining for them. And although the network nodes and underlying resources belong to a victim organization, it is the hacker orchestrating the attack that walks away with the coveted cryptocurrency profit.

According to Trend Micro's report, "A Look Into the Most Noteworthy Home Network Security Threats of 2017," there was a huge leap in the number of cryptocurrency mining events during the second half of last year. Although the first and second quarters of 2017 saw almost no activity in this realm, nearly 25 million cryptocurrency mining events took place in Q3, while more than 20 million were recorded in Q4, making it the most detected network event of the year.

Trend Micro researchers found much of this has to do with rising valuations: The Bitcoin market has surpassed the $100 billion mark, "prompting investors to jump in on the seeming cryptocurrency craze."

Overall, Trend Micro discovered that more than 14,000 home computers, 981 smartphones, 573 IP cameras and 358 tablets were leveraged for cryptocurrency mining. However, it's impossible to tell whether these activities were undertaken by device owners or if devices were hijacked by unauthorized users.

In addition to endpoints like computers, routers and mobile devices, some organizations have begun monetizing their websites by including cryptocurrency mining scripts within the site code. This enables the site to leverage visitors' CPU power for mining.

"Think of it as an alternative revenue stream to intrusive online advertising, without user consent," the report states. "Many websites have been reported to be cryptojacking visitors, i.e., surreptitiously stealing resources from visitors' computers to mine for cryptocurrencies."

Bitcoin mining has become big business for unauthorized users hijacking the resources of legitimate systems for profit.

This kind of unauthorized use of resources for mining has led to the use of blockers that can disable mining scripts and browser extensions used on monetized websites. However, hackers have found other workarounds, including cryptocurrency-mining malware. These samples are markedly different from traditional malware, though.

"Unlike ransomware, which needs to actually engage the victim for the attack to pay off, unauthorized cryptocurrency mining is almost unnoticeable," per Trend Micro's report. "Unsuspecting users will not detect any visible indicators of suspicious activities in their devices, especially those with low user interaction like IP cameras, unless users take time to inspect their systems in case of a hike in electricity usage or frequent system crashes."

Why cryptocurrency mining is concerning for enterprises 

As explained, cryptocurrency mining can take resources away from legitimate pursuits and lead to system performance issues and considerably high utility costs due to the heightened demands stemming from mining activity. And while Trend Micro's report focused around home devices, hackers are turning to more powerful enterprise systems to support their mining profits as well.

Security industry expert Gad Naveh relays that, while it's impossible to guess what hackers will do next, chances are good that abuse of resources for these pursuits won't stop anytime soon. 

"What I can say is that for now, we continue to see a steady rise in the volume of these attacks, and new crypto-mining attack campaigns every few days," Naveh told SC Magazine. "Our gateways are reporting more and more companies being targeted – 200 additional companies in the past couple of weeks. If I were to guess, then I'd say this growth trend is going to continue in the near future."

To find out more about how cryptocurrency mining can impact network systems, and how organizations can guard against this type of unauthorized use of resources, check out this piece from Trend Micro researchers Jon Oliver and Menard Oseña.

How connected devices put health care at risk

When crucial health care systems and devices are exposed and accessible through the internet, it puts daily operations and patient care at risk.

The health care industry is one of the most attractive sectors to hackers. Not only do hospitals, doctor offices and other facilities store and have access to an array of patients' personal information, but many organizations also have financial details on file to facilitate billing processes.

One of the most damaging attacks on the health care sector took place just last year when the now-infamous WannaCry outbreak impacted organizations across more than 100 countries.

According to Trend Micro's Securing Connected Hospitals report, this ransomware infected National Health Service systems, preventing facilities from accessing patient records. The attack created scenarios in which infected hospitals were forced to reroute ambulances to other facilities. Doctors even had to cancel appointments and reschedule surgeries, all thanks to WannaCry.

This is by no means the first time the health care industry has been impacted by a far-reaching attack, and it likely won't be the last.

"As hospitals and other health care facilities adopt new technology, add new devices, and embrace new partnerships, patients get better and more efficient services – but the digital attack surface expands as well," Trend Micro's report states. "The more connected they get, the more attractive they become as lucrative targets to threat actors."


Top cyber security risk areas

As the WannaCry outbreak demonstrated, an infection-based attack can have a significant impact on a health care facility and its patients. The three most at-risk areas in terms of malicious cyber activity in the health care industry include:

  • Daily hospital operations: Staff scheduling, paging systems, building controls, tube transport systems, inventory, payroll and administration operations could all be severely threatened by a cyber attack. As more of these critical daily functions are automated and shifted to digital platforms, this risk grows.
  • PII privacy: One of the most compelling elements of the health care industry to hackers is the personally identifiable information (PII) that facilities have associated with patients, including financial details, diagnosis and treatment information, and other confidential information.
  • Patient health: An interruption in normal daily functions or compromised PII data can considerably affect a hospital's ability to provide care to support patient health and well-being.
Connected devices help bolster patient care, but exposed devices could put hospital operations and patient data at risk.

Exposed connected devices

The above-described areas of hospital operations and patient data are put at risk by a number of different factors. However, as the report shows, one of the most persistent issues is exposed connected devices, which provide an entryway for hackers and other malicious actors.

Modern health care facilities include more connected health information systems than ever before, encompassing settings and elements like:

  • Admission area and nurses' stations: Email, payroll, electronic health record (EHR) and other office systems.
  • Patient rooms: HVAC controls, EHR access, monitoring equipment and inventory system access.
  • Emergency and operating rooms: Diagnostic, surgical, monitoring and imaging equipment.
  • Pathology labs: EHR and pathology equipment.
  • Conference rooms: Video conferencing, VoIP and other office and communication applications.
  • Pharmacy: Inventory and EHR systems.

However, when these devices are exposed and accessible through the internet, it puts daily operations and patient care at risk. Some of the instances and situations that can cause connected health care devices to be exposed include:

  • Direct device and system access through incorrectly configured network infrastructure systems. This extends to issues like the use of default passwords that make it easy for malicious actors to access network infrastructure and supported platforms.
  • Connectivity requirements to enable the regular function of a system or device. Nearly all connected devices need an internet connection to support their functionality, but this can also create an opening for hackers. 
  • Remote-enabled access to ensure troubleshooting capabilities or access for remote workers.

As the Trend Micro research indicates, just because a device is exposed doesn't necessarily mean it is compromised. An exposed device simply means the endpoint is connected to the internet and, therefore, discoverable and accessible through a public connection.

The threat of Shodan

Another factor to take into account here is Shodan. As a search engine that enables users to discover internet-connected devices, it represents a beneficial solution for organizations to identify unpatched vulnerabilities and exposed assets within their systems.

At the same time, though, Shodan also offers advantages for hackers, who could leverage Shodan to surveil and gather intelligence about a target organization's connected devices and systems to support malicious activity.

"[This] is why Shodan has been called the World's Most Dangerous Search Engine," Trend Micro's study notes.

Problem with exposed ports

Although the inherent connectivity of today's advanced applications and devices are critical to their functionality, it is this connectedness that also puts them at risk.

A notable issue identified by Trend Micro is the problem of exposed ports. Researchers identified a number of different exposed and viewable ports within the current health care industry, including these identified ports that could create the greatest risks:

  • Network Time Protocol (NTP): One of the oldest protocols still in use. Because connections between NTP servers and clients are almost never authenticated or encrypted, hackers in a position to intercept the traffic can mount man-in-the-middle attacks that feed systems a false time or prevent their clocks from updating correctly, which in turn affects anything that depends on an accurate clock, from certificate validity checks to log timestamps.
  • Teletype Network (Telnet): Another connection that is rarely encrypted: every byte, including the username and password, is transmitted in clear text, an ideal opportunity for packet-sniffing attacks.
  • File Transfer Protocol (FTP): This standard network protocol is enabled by default on many web servers and, like Telnet, sends credentials in clear text. Exploiting it lets hackers compromise connected servers, gaining access to all the sensitive files those servers hold and the ability to upload malicious files to further the attack.
Health care and IT administrators must ensure that network activity is encrypted and ports aren't left exposed.
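The check a practitioner would want here, both for the Shodan point above (find your own exposed assets before someone else does) and for the three protocols just listed, is a small audit that confirms whether those services actually answer on a host. The script below is an added example, not code from Trend Micro's report: it connects to the clear-text TCP services (FTP on 21, Telnet on 23), records whatever greeting they send, and fires a minimal NTP client packet at UDP 123 to see whether a time source replies to unauthenticated queries. The fake services at the bottom are constructed stand-ins on 127.0.0.1 so it runs offline; the port labels are this example's own wording. Run it only against assets you are responsible for.

```python
"""Audit hosts for the exposed legacy services named in the report.

Added example, not code from the Trend Micro report. Probes TCP 21 (FTP)
and 23 (Telnet), grabbing whatever banner the service sends, and sends a
minimal NTP client request to UDP 123 to see whether a time source answers.
The fake services at the bottom are constructed stand-ins so the script runs
offline; point audit_host/ntp_responds at your own assets only.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two clear-text TCP services the report singles out. Labels are ours.
DEFAULT_RISKY_TCP: Dict[int, str] = {
    21: "FTP: credentials and files cross the wire in clear text",
    23: "Telnet: the whole session, login included, is clear text",
}


@dataclass
class Finding:
    host: str
    port: int
    reason: str
    banner: str  # first bytes the service volunteered, '' if it stayed silent


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect and return the service's greeting ('' if it is silent),
    or None when the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                return ""
            return data.decode("ascii", errors="replace").strip()
    except OSError:
        return None


def audit_host(host: str, risky_ports: Optional[Dict[int, str]] = None,
               timeout: float = 1.0) -> List[Finding]:
    """Return one Finding per risky TCP port that accepts a connection."""
    ports = DEFAULT_RISKY_TCP if risky_ports is None else risky_ports
    findings = []
    for port, reason in sorted(ports.items()):
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            findings.append(Finding(host, port, reason, banner))
    return findings


def ntp_responds(host: str, port: int = 123, timeout: float = 1.0) -> bool:
    """Send a 48-byte NTPv3 client packet (LI=0, VN=3, mode 3) and report
    whether a server-mode (mode 4) reply came back. A reply means the time
    source answers unauthenticated queries from wherever this runs."""
    request = bytes([0x1B]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout or ICMP port-unreachable
            return False
    return len(data) >= 48 and (data[0] & 0x07) == 4


# --- constructed stand-ins so the example runs without touching real hosts ---

def start_fake_tcp_service(banner: bytes) -> int:
    """Listen on an ephemeral 127.0.0.1 port and send `banner` to every
    client. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_fake_ntp_service() -> int:
    """Answer any mode-3 NTP request with a mode-4 reply (no real timestamp)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(512)
            if len(data) == 48 and (data[0] & 0x07) == 3:
                srv.sendto(bytes([0x1C]) + bytes(47), peer)  # LI=0, VN=3, mode 4

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ftp = start_fake_tcp_service(b"220 imaging-archive FTP server ready\r\n")
    telnet = start_fake_tcp_service(b"\xff\xfd\x18login: ")
    ports = {ftp: DEFAULT_RISKY_TCP[21], telnet: DEFAULT_RISKY_TCP[23]}
    for f in audit_host("127.0.0.1", ports):
        print(f"{f.host}:{f.port} exposed -> {f.reason} (banner: {f.banner!r})")
    print("NTP answers:", ntp_responds("127.0.0.1", start_fake_ntp_service()))
```

A real run would pass the hospital's address ranges and the default port map; a banner such as "220 ... FTP server ready" or a Telnet "login:" prompt reachable from outside the facility is exactly the exposure the report describes. The NTP probe only tells you the service answers; whether the clock can be tampered with depends on where the attacker can sit on the path, which is why the fix is to keep these services off public connections rather than to rely on nobody noticing them.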

Other exposed areas to monitor

As Trend Micro's research shows, exposed ports and hackers' ability to exploit certain protocols aren't the only issues to be aware of – items like exposed databases and industrial controllers can pose a threat to health care operations as well.

“Databases are also treasure troves of critical/sensitive/important data, which makes them lucrative targets for hackers,” Trend Micro's report states. “Compromising exposed building automation controls can allow a hacker to 'turn off the lights' inside the hospital. Doomsday scenarios like these are unfortunately not unrealistic, and extreme care should be taken to ensure building automation controllers are never exposed on the public internet.”

Safeguarding health care devices

As Trend Micro's research clearly demonstrates, any exposed endpoint – from diagnostic and surgical equipment to electronic health record systems and exploitable protocols – can provide the window malicious actors need to interrupt operations and prevent quality patient care.

For these reasons, hospital administrators and IT stakeholders must ensure that sensitive equipment and devices have the proper protection in place, and that the necessary network connectivity doesn't result in these devices being exposed via public connections.

To find out more about connected devices in the health care industry, read Trend Micro's article and full report.


Cast your vote for Hotforsecurity at the European Security Bloggers Awards

Every year, the world’s best security blogs compete in the European Security Bloggers Awards, an event that is part of London’s Infosec Europe. This year, we are honored to be among the finalists for the Grand Prix Prize for the Best Overall Security Blog, but it is our readers who will decide which of the nominated blogs get to take the award home.

Alongside Hotforsecurity, Bitdefender’s Business Insights Blog is nominated in two categories, namely Best Corporate Security Blog and Best European Corporate Security Blog.

We believe that educating readers is fundamental to staying safe online, and for more than 10 years we have made Hotforsecurity one of the strongest voices in the cyber-security industry. If you feel that our work has made and continues to make a difference, please do cast your vote for Bitdefender Hotforsecurity and Bitdefender Business Insights.

Cast your vote for Hotforsecurity

Voting closes at midnight GMT on Friday, June 1st 2018, so act fast! After casting your vote, please help us spread the word about the nomination on social media: “I voted for Hotforsecurity at the European Security Blogger Awards 2018”.

The winning blogs will be announced at the Security Bloggers Meetup on Tuesday, June 5th, at The Crown & Sceptre Pub, 34 Holland Road, London W14 starting at 18:00. Thanks for your support!

The University of Greenwich fined by ICO for leaking 20,000 records

The University of Greenwich was fined $160,000 under the Data Protection Act 1998 by the Information Commissioner’s Office for leaking the personal data of almost 20,000 staff, alumni and students, writes the BBC.

The exposed information included names, addresses, birthdates, phone numbers, study progress, email conversations between students and staff and some 3,500 health records with detailed information about physical and mental issues.

It appears the data was placed online on a microsite for a conference in 2004, which was left active and unsecured after the event ended. The site was hacked in both 2013 and 2016 by a number of cybercriminals who took advantage of its vulnerabilities to infiltrate the web server.

The security breach was detected by a university student who reported it to the BBC and the ICO.

“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the ICO.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The University of Greenwich accepted the decision and claims to have taken serious measures to secure its data and infrastructure.

“We acknowledge the ICO’s findings and apologize again to all those who may have been affected,” said University Secretary Peter Garrod.

“No organization can say it will be immune to unauthorized access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made. We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.”

Kid monitoring app TeenSafe exposes user data

Phone application TeenSafe allegedly leaked thousands of passwords that were kept on a vulnerable Amazon server, found Robert Wiggins, a security researcher based in the UK.

The application was created for parents to keep track of their children’s online activity such as messages on various social media sites, internet searches, call history and applications downloaded to their phone. It is available for both Android and iOS devices.

It all started with a security vulnerability in one of the data servers the company hosts on Amazon’s cloud services. Because device names, Apple ID email addresses and plaintext passwords were stored unencrypted on a server that was not even protected by a password, over 10,000 accounts of parents and their children were exposed. To make matters worse, the application required two-factor authentication to be disabled on the Apple ID, so anyone holding a leaked email address and password could log straight into the account.

“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a company spokesperson told ZDNet.

TeenSafe collects a large amount of data from its users, so the recent data breach and invasion of privacy are raising questions about the company’s overall strategy to ensure user online safety. In-app content such as photos, GPS data or messages were not kept on company servers so this data was not affected.

The company claims to have over 1 million users in the US.

Suspected Syrian Electronic Army hackers indicted for conspiracy and identity theft

Two men have been indicted for their alleged involvement in hacking campaigns that targeted critics of Bashar al-Assad’s regime in Syria.

The men – Ahmad Umar Agha (also known by his online handle of “The Pro”) and Firas Dardar (“The Shadow”) – have been named in charges by a Virginia federal grand jury on counts of conspiracy and aggravated identity theft.

Agha and Dardar are both Syrian nationals, and their alleged attacks were perpetrated under the banner of the notorious “Syrian Electronic Army”.

In one of the most notorious hacks conducted by the Syrian Electronic Army, the group broke into the Associated Press’s Twitter account in 2013 and posted a message claiming that there had been an explosion in the White House, and President Barack Obama had been injured.

That bogus news alert caused the stock market to temporarily plummet, wiping $136 billion off the Dow Jones.

Other high profile victims of the Syrian Electronic Army include Forbes, Microsoft, Facebook, CNN, The Guardian, The Telegraph, and the Washington Post, amongst many others.

Although many of the Syrian Electronic Army’s social media hacks appeared to be designed more to be attention-seeking pranks than more dangerous data breaches, that’s not to say that all of their activities were entirely benign.

For instance, the Syrian Electronic Army did not shirk from hacking into the computer systems of international companies to steal information, and – in some cases – extort large sums of money.

In a typical Syrian Electronic Army attack a user at an organisation would be targeted with a carefully-crafted phishing email, with the intention of stealing login credentials.

If the theft of a user’s credentials was successful, the hackers would then use the username and password to login to an organisation, whereupon they could compromise social media accounts, deface websites, meddle with DNS records, or launch further phishing attacks.

Ahmad Umar Agha and Firas Dardar are no strangers to being persons of interest to the FBI, having previously been charged in 2014 and put on the FBI’s Cyber Most Wanted list in 2016, when a $100,000 bounty was offered for information resulting in their arrest.

But don’t imagine that the two suspected hackers will be defending themselves in a US court anytime soon. Both are thought not to be in custody, and residing in Syria.

For now, at least, they seem to be beyond the reach of the US authorities.

If you are responsible for security at your company, ensure that staff who have remote access to email or your website’s CMS are using two-factor authentication to reduce the chances of them being a victim of the type of attack typically perpetrated by the Syrian Electronic Army.

The Dark Overlord: Suspected hacking group member arrested in Serbia

Are The Dark Overlord’s days numbered?

Serbian police have arrested a man suspected of being a member of the notorious and high profile hacking and extortion group.

The Dark Overlord has made quite a name for itself in recent years by not just stealing sensitive information from compromised computer networks, but also demanding a ransom be paid.

What happens if you choose not to pay the ransom? Well, The Dark Overlord threatens to release the stolen data to the media, or simply publish it openly on the internet. And that’s the kind of attention that few organisations are wanting.

Past victims of The Dark Overlord “hack-then-extort” group include Hollywood studios, investment banks, Gorilla Glue, a celebrity plastic surgery clinic, and healthcare organisations.

The hacking group is thought to have made hundreds of thousands of dollars through its extortion attempts.

The 38-year-old man, who the authorities have not named other than by his initials (“S.S”), was arrested by police in Belgrade as part of a joint operation with the FBI.

Of course, with the information made available so far it’s very difficult to say if this is the end of the line for The Dark Overlord’s operations. We simply do not know how many people are involved in the hacking gang, or what position the arrested man is thought to have had within the group.

As a consequence it’s quite possible that we may continue to see other hacks (and extortion attempts) carried out under the banner of “The Dark Overlord”, whether it be the same group or by copycats trying to take advantage of the gang’s notoriety.

Sure enough, Joseph Cox at Motherboard reports that since the arrest of “S.S” he has been contacted by someone who has access to The Dark Overlord’s email account with a simple stark message:

“We’re still here”

But one thing is certain: other members of The Dark Overlord hacking collective must be having some sleepless nights right now, wondering if they might be the next to get a surprise visit from the authorities.

For now, my advice to businesses remains the same. Educate your staff about phishing scams, put strong authentication in place, patch against vulnerabilities and adopt a layered approach to security to reduce the risk that your company will be hacked, and the privacy of your customers put at risk.


ZipperDown Programming Vulnerability Could Let Hackers Execute Code in iOS Apps

A recently discovered vulnerability in iOS applications could allow hackers to execute code within affected apps, provided the device is connected to an attacker-controlled Wi-Fi network. The number of potentially vulnerable applications is estimated at around 10 percent of iOS applications, and the programming error has been validated by an Apple security researcher.

The jailbreaking team that reported the vulnerability, Pangu Team, has not yet released any technical details about how the programming glitch can be exploited, but they did release a proof-of-concept video.

“While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected Apps,” reads the ZipperDown website. “Surprisingly, we found that round 10% iOS Apps might be affected by the same or similar issues.”

Speculation that the programming vulnerability might lie in the commonly used utility named ZipArchive has not yet been confirmed by the Pangu Team, which says it is keeping mum about it to prevent hackers from exploiting it in the wild. However, the team did post a list of potentially affected iOS applications, ranging from Instagram and Pandora to Dropbox and Amazon.

“Due to the large amount of potentially affected apps, we cannot verify all the results precisely. To protect the end-users, the detail of ZipperDown is not available to the public for now.”

Since the premise for the attack to work involves users connecting their vulnerable applications – and devices, of course – to attacker controlled networks, developers are theoretically tasked with fixing their apps. However, Apple has yet to officially confirm the vulnerability and publish guidelines on what developers need to do to fix it.

The same researchers also noted that Android applications might be affected as well, as they have already confirmed that a number popular Android apps share the same programming vulnerability.

Russian hacker faces up to 35 years in prison for running counter-AV service

A citizen of the former USSR who had been living in Riga, Latvia, faces three charges related to his operation of “Scan4you,” an online counter-antivirus service that helped hackers dodge anti-malware solutions, the US Department of Justice has announced.

Court records reveal that, between 2009 and 2016, 37-year-old Ruslans Bondars operated Scan4you, a service that allowed malware developers to scan their malicious code against known AV solutions protecting millions of systems owned by major U.S. retailers, financial institutions and government agencies.

For instance, Scan4you helped the author of a credit card heist who made off with approximately 40 million credit and debit card numbers, as well as some 70 million addresses, phone numbers and other personal data of U.S. citizens. One retailer, particularly badly hit by the operation, suffered damages of $290 million.

The bad actors behind Citadel, a malware strain used to infect over 11 million computers worldwide, also leveraged Scan4you to hide their tracks. The developers of Citadel have caused their victims around $500 million in fraud-related damages.

“The Citadel developer took advantage of a special feature of Scan4you that allowed its integration directly into the Citadel malware toolkit through an Application Programming Interface, or API. The API tool allowed Scan4you users the flexibility to scan malware without the need to directly submit the malware to Scan4you’s website,” reads the DOJ press release.

Unlike legitimate scanning services, Scan4you was designed to diagnose malware fed to it anonymously – without sharing information about the uploaded files with the AV community.


Rail Europe data breach lasted almost three months

Travel website Rail Europe has informed customers that their lifelong dream to see the sights of Europe by train may have turned into a nightmare.

Rail Europe North America Inc (RENA) is writing to customers to inform them that it has discovered evidence that hackers gained unauthorised access to its ecommerce website used to book tickets, and might have stolen a significant amount of sensitive data.

According to the company, personal information put at risk by the data breach includes:

  • Customers’ names
  • Customers’ gender
  • Customers’ delivery address
  • Customers’ invoicing address
  • Customers’ telephone number
  • Customers’ email address
  • Customers’ credit/debit card number
  • Payment card expiration date and CVV

In addition, in some cases, usernames and passwords of registered users may also have been grabbed. As a consequence it obviously makes sense to change your Rail Europe password, and, if you have made the mistake of using the same password anywhere else on the internet, to change those as well.

Now that would be bad news at the best of times, but what makes this data breach even worse is that it is believed that hackers had access to RENA’s systems for almost three months.

RENA first realised that it might have a problem with its Rail Europe website when it was contacted by one of its banks on February 16 2018. The company says it “immediately cut off from the internet all compromised servers” upon realising that personal information of customers’ may have been compromised, and discovered that its problems had begun on November 29, 2017.

RENA says it has since “replaced and rebuilt” the Rail Europe website, changed passwords, renewed certificates, and hardened its IT security.

In addition, in a letter filed with the California Attorney General, the company is offering identity theft protection to affected customers, in case any users suffer from identity theft as a result of the breach.

Although the number of customers affected by the data breach has not been made public by the company, the breadth of personal data which has been put at risk and the fact that hackers appear to have had access to Rail Europe’s payment systems for such a long time, underline the seriousness of the threat.

What currently remains a mystery, to the general public at least, is just how the hackers managed to breach Rail Europe’s infrastructure. One very real possibility is that the failure may have been down to poor authentication – if a hacker had been able to grab a careless IT worker’s password for a server, they might have ended up with free rein to do what they liked.

All businesses need to recognise the most critical parts of their infrastructure and protect them with a layered defence, forcing users to authenticate they are who they claim to be. In this modern age, a simple username and password is not enough.

Another theory is that Rail Europe’s website may have been poorly maintained, allowing a remote hacker to crowbar their way in by exploiting an unpatched vulnerability or incorrect configuration.

My advice to other companies? Test your defences. Adopt a hacking mindset and try to find your company’s weaknesses before a hacker finds and exploits them for their own gain.

HOTforSecurity: Rail Europe data breach lasted almost three months

Travel website Rail Europe has informed customers that their lifelong dream to see the sights of Europe by train may have turned into a nightmare.

Real Europe North America Inc (RENA) is writing to customers to inform them that it has discovered evidence that hackers gained unauthorised access to its ecommerce website used to book tickets, and might have stolen a significant amount of sensitive data.

According to the company, personal information put at risk by the data breach includes:

  • Customers’ names
  • Customers’ gender
  • Customers’ delivery address
  • Customers’ invoicing address
  • Customers’ telephone number
  • Customers’ email address
  • Customers’ credit/debit card number
  • Payment card expiration date and CVV

In addition, in some cases, usernames and passwords of registered users may also have been grabbed. As a consequence it obviously makes sense to change your Rail Europe password, and, if you have made the mistake of using the same password anywhere else on the internet, to change those as well.

Now that would be bad news at the best of times, but what makes this data breach even worse is that it is believed that hackers had access to RENA’s systems for almost three months.

RENA first realised that it might have a problem with its Rail Europe website when it was contacted by one of its banks on February 16 2018. The company says it “immediately cut off from the internet all compromised servers” upon realising that personal information of customers’ may have been compromised, and discovered that its problems had begun on November 29, 2017.

RENA says it has since “replaced and rebuilt” the Rail Europe website, changed passwords, renewed certificates, and hardened its IT security.

In addition, in a letter filed with the California Attorney General, the company is offer identity theft protection to affected customers, in case any users suffer from identity theft as a result of the breach.

Although the number of customers affected by the data breach has not been made public by the company, the breadth of personal data which has been put at risk and the fact that hackers appear to have had access to Rail Europe’s payment systems for such a long time underline the seriousness of the threat.

What currently remains a mystery, to the general public at least, is just how the hackers managed to breach Rail Europe’s infrastructure. One very real possibility is that the failure may have been down to poor authentication – if a hacker had been able to grab a careless IT worker’s password for a server, they might have ended up with free rein to do whatever they liked.

All businesses need to recognise the most critical parts of their infrastructure and protect them with a layered defence, forcing users to authenticate they are who they claim to be. In this modern age, a simple username and password is not enough.

Another theory is that Rail Europe’s website may have been poorly maintained, allowing a remote hacker to crowbar their way in by exploiting an unpatched vulnerability or incorrect configuration.

My advice to other companies? Test your defences. Adopt a hacking mindset and try to find your company’s weaknesses before a hacker finds and exploits them for their own gain.

Former CIA engineer allegedly leaked Vault 7 hacking tools

Former CIA employee Joshua Adam Schulte has been identified as a top suspect behind the leak last year of the Vault 7 secret computer hacking tools used by the agency in espionage operations, although the FBI had previously suspected contractors, writes The Washington Post. The document Wikileaks received allegedly contained over 8,000 pages of documented techniques.

Although the man’s apartment has been searched and a number of notes, notebooks and items of computer equipment were retrieved, the evidence was not strong enough to indict him. His attorney claims “those search warrants haven’t yielded anything that is consistent with [Schulte’s] involvement in that disclosure.”

Schulte was part of the CIA’s Engineering Development Group responsible for writing code used in cyberespionage. He is currently in prison in Manhattan on child pornography charges issued in August 2017. He has pleaded not guilty to the pornography charges.

The US government has not brought charges against him despite months of investigations. The Vault 7 investigation is advancing and Schulte “remains a target of that investigation,” the prosecutor said.

Some argue the Vault 7 leak could cause more harm than Edward Snowden’s revelations, because these are the actual tools the CIA used to hack messaging apps and electronic devices such as routers, computers, phones and TVs to exfiltrate data. The CIA hacking tools could also be used against US national security.

Before the CIA, Schulte worked for the NSA, and claims he was “the only one to have recently departed [the CIA engineering group] on poor terms,” after reporting “incompetent management and bureaucracy.”

The CIA refused to comment.

Chili’s hit by malware, payment card data stolen

Chili’s customers may have fallen victim to a malware attack that affected a number of credit and debit cards used in several restaurants, confirmed parent company Brinker International on Saturday. The malware allegedly collected not only payment card details, but also customers’ names. Because Chili’s does not collect Social Security numbers, full dates of birth or federal ID data, these were not compromised.

Brinker brought in an external forensic team to investigate the incident, but so far it is believed the attack took place between March and April. Also, the company said, simply because customers used their cards in the affected facilities does not mean their data was exposed. The investigation will determine who is responsible and how the incident actually took place.

“On May 11, 2018, we learned that some of our Guests’ payment card information was compromised at certain Chili’s restaurants as the result of a data incident,” said Brinker International in a press release. “Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident. We deeply value our relationships with our Guests and sincerely apologize to those who may have been affected.”

As the breach was detected on Friday, customers are strongly advised to check their bank statements for illegal transactions and to immediately contact their bank if fraud is suspected. Brinker offers free credit monitoring and fraud resolution for customers whose payment card data was stolen.

It seems hackers have made a habit of going after popular restaurants, shops and hotel chains, as Sears, Kmart, Whole Foods, Under Armour, Home Depot and Target have also suffered security breaches recently. So far there’s no evidence to suggest the data stolen from Chili’s has been put on sale on the dark web.

16-year-old arrested after phishing scheme against teachers to change grades

A 16-year-old high school student from California was arrested on Wednesday on 14 felony counts associated with a phishing scheme he allegedly launched against teachers in his school district. The investigation that led to the arrest was a joint effort by local law enforcement, Contra Costa County task force and the Secret Service, according to KTVU.

David Rotaro, a student at Ygnacio Valley High School in the Bay Area, is accused of sending manipulative emails to teachers to trick them into clicking on a link that redirected them to a fake page he had created to mimic the school’s official teacher portal.

It was enough for one teacher to unwittingly log in to the fake website with credentials. Rotaro allegedly stole the teacher’s information and used it to access the school’s grade system to change his grades and those of other students. In some cases the grades were lowered, while in others they were raised.

Teachers reported the suspicious campaign about two weeks ago. The police traced the IP address to the boy’s house and used a special K-9 unit to detect hidden electronics. The dog found a flash drive hidden in a tissue box.

“We wrote numerous search warrants to get the IP addresses of the possible phishing site email. We got it and we did good old-fashioned police detective work and we narrowed it down to an address,” said Sgt. Carl Cruz, the Concord Police Financial Crimes Supervisor. “We believe 10-15 students’ grades were changed, but we’re still investigating.”

David Rotaro was released to his parents and is awaiting a court date.

US senators demand FTC investigate Google’s GPS data collection

Two US senators from the Democratic Party urged the US Federal Trade Commission to thoroughly investigate Google and the way its Location History collects user data on Android smartphones. Once the application is turned on, it is apparently enabled on all signed-in devices.

Google has been collecting massive amounts of data and tracking user location since 2009. Google was asked to comment on this matter and its privacy policies in an official letter in December 2017, but Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) were not convinced by the company’s detailed answers, so they wrote a letter to Federal Trade Commission (FTC) Chairman Joseph Simons asking him to take a closer look at the company’s practices.

“Google has an intimate understanding of personal lives as they watch their users seek the support of reproductive health services, engage in civic activities or attend places of religious worship,” reads the request.

The two argue that users cannot opt out of the service even though they think they can. Blumenthal and Markey believe Google is taking advantage of consumers’ lack of proper knowledge of how data collection works, which has driven them to make uninformed decisions about what they share.

They “found that the consent process frequently mischaracterizes the service and degrades the functionality of products in order to push users into providing permission.”

In the fall of 2017, Quartz investigated Google and found that, even though the GPS service was disabled, Android would still collect location information from cellular towers and share it with Google, violating user privacy.

Signal App Delivers Timely Patch for Code Injection Vulnerability that Allows Remote Code Execution

A recent vulnerability in the Signal messaging application, which provides encrypted communication between parties, could have enabled attackers to remotely execute arbitrary code on the victim’s device without any user interaction.

Security researchers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo accidentally triggered the vulnerability while exchanging URLs that contained various XSS (cross-site scripting) payloads. Combined with iframes, attackers could leverage the vulnerability to execute arbitrary code on the victim’s device.

“We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack,” wrote Iván Ariel Barrera Oro on his blog. “Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP.”

Hours after the vulnerability was disclosed to the Signal team on May 15, a patch was released. Interestingly, researchers noted that the regex function used to validate URLs existed in previous versions of the Signal desktop app, but might have been accidentally removed in an April 10 build.

“However, the patch caught my attention: it was a big regex and I was surprised how fast they wrote it. So I decided to check on the file’s history to observe since when it has been vulnerable and I found this wonderful mistake: the applied “patch” already existed, but was (accidentally?) removed in a commit on April 10th to fix an issue with linking (I guess the issue is back). I’m still not convinced about that regex and I’m afraid someone might exploit it, especially those resourceful three-letter agencies…”

Everyone is strongly encouraged to use the latest Signal build to make sure threat actors can’t exploit the vulnerability.

Security experts say government regulation is a lousy option – but may still be the best

A survey of over 500 security professionals has revealed, rather disconcertingly, that most believe governments should regulate the way social networks handle our data, and even install encryption backdoors to that end. At the same time, most experts also berate governments for their lax understanding of social media and digital privacy.

Deeply contrasting results were revealed by the survey conducted by Venafi at RSA Conference 2018, with the help of 512 industry professionals willing to answer questions about the current state of affairs in cyber security.

The survey’s authors wanted to learn how industry experts view the increasingly blurry lines between cyber security, privacy threats and government regulation. So they asked participants: should governments regulate the collection of personal data by social media companies?

Some 70% of respondents said governments should indeed regulate social media companies’ collection of personal data to protect user privacy. Meanwhile, 72% said bureaucrats don’t understand current digital privacy threats. Worse yet, participants couldn’t articulate exactly what governments should do to protect our privacy online.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, believes the results are “disturbing”.

“While security professionals agree that government officials do not understand the nuances of social media and digital privacy,” he said, “they’re still looking to them to regulate the technology that permeates our daily lives.”

45% of the respondents went as far as to say that governments should be able to impose encryption backdoors on private companies – in other words, to allow the government to obtain anyone’s personal data whenever it wants.

Bocek believes this would motivate bad actors to pour all their resources into stealing such backdoors and then sell them to the highest bidders on the underground web.

The survey did reveal some positive numbers as well: 64% of respondents say their personal encryption usage has increased due to recent geopolitical changes, up from 45% in a similar survey conducted last year.

The smarter the student, the stronger the password – study

A consulting director at Asia Pacific College (APC) in the Philippines decided to match student GPAs against the strength of their passwords. The findings suggest there is some degree of correlation between smarts and good password hygiene.

JV Roig, who is also a software developer in addition to dispensing his consulting expertise, compared the password hashes from APC’s 1,252 students to the database of leaked passwords maintained by the handy Have I Been Pwned? site created by security researcher Troy Hunt. The database holds a whopping 320 million exposed password hashes resulting from various data breaches over the years. The weakest passwords, and implicitly the most common ones, are found there.

Of the 1,252 students, 215 had a match in the database. Roig then looked at the students’ grade point average (GPA) and found that the lower the student’s GPA, the weaker the password and the greater the chance of it being found in Hunt’s database.

“If we only take into account students with a GPA of at least 3.5, only 12.82 per cent of them use compromised passwords, which compares favorably to the population average of 17.17 per cent,” Roig wrote. “Looking at students with a minimum GPA of 3.0 results in 15.29 per cent compromised passwords, which is significantly closer to the population average.”

Roig thus determined that students with a higher GPA knew better than to use a weak password, versus students with a low GPA. However, he admitted the disparities were small, and the sample group not very large either.

“This shouldn’t be taken as the end-all or be-all of whether smarter people have better passwords, but merely one interesting data point in what could be an interesting series of further experiments,” he said.

It’s also worth noting that the single student who had a lower than 1.5 GPA also happened to use an unsafe password.

Text bombs and “Black Dots of Death” plague WhatsApp and iMessage users

If you believed all the headlines you would think the problem is more serious than it really is.

“Beware the ‘Black Dot of Death’ that will obliterate your iPhone with one text message”, reads The Metro newspaper. “Warnings about WhatsApp ‘text bomb’ that could destroy your phone.” says the Liverpool Echo. And “This WhatsApp ‘text bomb’ is destroying recipient’s phones” claims the Birmingham Mail.

Yes, it is true that so-called “text bomb” vulnerabilities are capable of crashing normal operations on your Android or iPhone, but to claim that your phone is “destroyed”? Well, that’s crazy.

The problem first emerged six days ago, when a Reddit user claimed that a specially-crafted text message could crash a number of messaging apps including WhatsApp.

At first sight that message looks fairly harmless – a sentence followed by a laugh-until-you-cry emoji, surrounded by quotation marks. But secretly hidden between the emoji and the final quote mark are thousands of hidden characters that don’t get displayed.

Unfortunately, apps like WhatsApp fail to handle the hidden character shenanigans gracefully, get their knickers in a twist, and fall over – causing the app to crash, and in some cases other instabilities on the device.

The payload, the text bomb’s creator said, was more dramatic in its impact on Android devices than iOS.

Now, that’s not the kind of news that Apple devotees want to take lying down. So it was only a matter of a day or two before a similar “text bomb” was reported specifically causing crashes on Apple devices.

The so-called “Black Dot of Death” is a message you might receive which contains an emoji of a medium-sized black circle, perhaps accompanied by an emoji of a pointed finger urging you to click on the ominous black hole.

The “Black dot” itself appears to be harmless, but once again hidden inside the message are many invisible Unicode characters that simply overload the phone, ultimately causing your iMessage app to crash in unpredictable ways.
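As an added illustration (not code from the original article or from any of the messaging apps named), the following Python heuristic counts the code points in a message that render as nothing on screen and flags or strips messages padded with them, which is the pattern described above for both the WhatsApp and the iMessage variants. The thresholds and the sample messages are constructed for this example.

```python
import unicodedata

# General categories that produce no visible glyph: format characters (Cf,
# e.g. ZERO WIDTH SPACE U+200B and the bidi marks), other controls (Cc) and
# unassigned code points (Cn). Ordinary whitespace controls are exempted so
# that multi-line messages are not penalised.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Cn"}
ALLOWED_CONTROLS = {"\n", "\r", "\t"}


def count_invisible(text):
    """Return how many code points in text would not be displayed."""
    return sum(
        1
        for ch in text
        if ch not in ALLOWED_CONTROLS
        and unicodedata.category(ch) in INVISIBLE_CATEGORIES
    )


def is_text_bomb(text, max_invisible=64, max_ratio=0.25):
    """Flag a message whose invisible code points exceed an absolute cap or a
    fraction of its total length.

    The thresholds are assumptions for this example; a real client would tune
    them against its own traffic. This is a heuristic for padding with format
    and control characters only; it does not model rendering bugs triggered by
    specific visible glyph sequences.
    """
    hidden = count_invisible(text)
    if hidden > max_invisible:
        return True
    return len(text) > 0 and hidden / len(text) > max_ratio


def strip_invisible(text):
    """Defang a flagged message by dropping the invisible code points while
    keeping the visible text, punctuation and emoji intact."""
    return "".join(
        ch
        for ch in text
        if ch in ALLOWED_CONTROLS
        or unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )


# Constructed sample messages, not the payloads that actually circulated:
# a harmless chat line, and the same shape of message with 3,000 zero-width
# spaces tucked between the emoji and the closing quotation mark.
NORMAL_MESSAGE = "See you at the station at 9 \U0001F602"
PADDED_MESSAGE = '"This is very interesting \U0001F602' + "\u200b" * 3000 + '"'


if __name__ == "__main__":
    for msg in (NORMAL_MESSAGE, PADDED_MESSAGE):
        print(len(msg), count_invisible(msg), is_text_bomb(msg))
    print(repr(strip_invisible(PADDED_MESSAGE)))
```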

The bug reportedly affects the current version of iOS (11.3), as well as the iOS 11.4 beta.

CNET offers advice on how affected iOS users can recover their systems, while they wait for a proper patch from Apple. In short, your phone is not destroyed.

In February, Apple fixed a similar ‘killer text bomb’ vulnerability after pranksters started sending boobytrapped messages containing a Unicode symbol representing a letter from the South Indian language of Telugu.

The fact that a similar ‘text bomb’, known as the “chaiOS bug”, was messing up users’ Macs, iPhones, and iPads in January suggests that this continues to be an ongoing problem for Apple.

I’m confident that Apple will roll out a patch for the “black dot of death” bug soon enough, but I find it hard to have any confidence that this will be the last time they find their devices vulnerable to this type of denial-of-service attack.

And I would like to think this should go without saying, but just in case – please don’t be tempted to try any of these text bomb attacks out on anyone else, even as a prank. It’s simply not funny.

IBM bans all staff from using USB drives out of security concern

IBM is banning all removable storage, company-wide, in a new policy that seeks to avoid financial and reputational damage stemming from a misplaced or misused USB drive.

IBM global Chief Information Security Officer Shamla Naidoo told staff in an internal e-mail that the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”

Although some departments already had this policy in place for a while, “over the next few weeks we are implementing this policy worldwide,” Naidoo said, according to The Register.

The reason for the radical new policy is simple and well justified in a world laden with data breaches: “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimized,” the CISO clarified.

Avid readers will remember that Stuxnet was written to “hop” from terminal to terminal through USB drives moving between them as attack vectors. Some of the networks it targeted were air-gapped, meaning they had no direct access to the outside world. For those who fear such an event in their respective networks, Bitdefender’s USB Immunizer prevents malware from setting itself up on USB drives.

Drupe app removed from Google Play store after photos and messages leaked publicly

Repeat after me.

If you’re still arguing about which is the better smartphone operating system for security – iOS or Android – you’re having the wrong debate.

The big data security issue with smartphones is not so much with what operating system you are running (although obviously it’s imperative to keep that up-to-date with patches) but instead with the third-party apps that you choose to install.

That threat is brought home loud and clear by the discovery that a popular Android app called Drupe, downloaded over 10 million times, has been leaving users’ selfie snapshots, audio messages, and other sensitive data exposed for anybody to see.

The Drupe communications app was supposed to make it more intuitive for Android users to contact each other with easy options to quickly call, SMS, email your buddies or start a Google Hangouts or Skype conversation.

However, as Motherboard reports, Drupe’s developers made a colossal blunder.

Because some of the data that Drupe was collecting from its users was being uploaded to unprotected Amazon AWS buckets, making the information accessible to anybody on the internet… no password required.

Security researcher Simone Margaritelli discovered the problem this weekend, and estimated that billions of pictures and audio messages from Drupe were lying around online for anyone to access if they knew where to look.

Fortunately Margaritelli acted responsibly, and after being informed of the problem Drupe configured the Amazon AWS buckets so they were no longer publicly accessible.

In a blog post Drupe played down the threat, claiming that only a small proportion of Drupe users – including those who had used the “Walkie Talkie” feature – had had their data exposed.

Separately, the company disputed Margaritelli’s claims that billions of records might have been put at risk.

Whether there were billions of records exposed or not is missing the point in my opinion. What happened was clearly reckless behaviour on the part of app developers who simply had not prioritised the security and privacy of user data.

It’s not as though there haven’t been endless headlines of Amazon storage buckets leaking very sensitive information through sheer sloppiness on the part of companies.

And concerns just rise further when you see that Drupe requests such a wide and unnecessary range of access permissions when Android users install its app.

At the time of writing Drupe is not available in the Google Play store. Google is reportedly in contact with Drupe to discuss “the app’s handling of user data.”

The app is also available from the Apple iOS store, although it is unclear whether it suffers from the same or similar security concerns.

Always remember that when you give an app access to your data, you are putting your trust in the hands of third-party developers. Do they have your best interests at heart? Do they even know how to keep your data secure and private?

It’s hard to write a good smartphone app. It’s even harder to create an app that properly looks after users’ data and leaves them secure.

Two Romanians extradited to Atlanta to face cyber-fraud charges

Two Romanians have been extradited to Atlanta, Georgia to face federal charges of wire fraud conspiracy, wire fraud, computer fraud and abuse, and aggravated identity theft, the Northern District of Georgia said in a press release.

From October 2011 until February 2014, Teodor Laurentiu Costea, 41, and Robert Codrut Dumitrescu, 40, are accused of conducting elaborate phishing schemes that stole banking information from targeted Atlanta residents.

The duo allegedly identified vulnerable computers in the U.S. and installed interactive voice response (IVR) software that would automatically interact with call recipients. IVR technology allows a computer to interact with people over the phone through the use of voice and dual-tone multi-frequency (DTMF) input via a keypad.

The defendants allegedly installed software on infected machines to initiate thousands of automated telephone calls and text messages to victims. The messages, made to look as though they were from a financial institution, directed victims to call a number due to a problem with their account. When victims called the number, they were prompted by the IVR to enter their bank account numbers, PINs, and full or partial Social Security numbers.

The stolen information was stored on the compromised computers themselves and accessed by the perpetrators at the time of their choosing. Financial losses from the scheme are estimated at over $18 million, according to the U.S. Department of Justice.

A third alleged co-conspirator, Cosmin Draghici, 28, is accused in the press release of selling or using the fraudulently obtained information for the group’s personal gain. It isn’t clear if Draghici himself has been, or will be, extradited to the U.S.

The DoJ, however, clarifies that the indictment only contains charges, and that the defendants are presumed innocent unless the government can produce solid evidence that they are indeed guilty.

Cisco rolls out new wave of must-install WebEx patches

Cisco has released several patches for users of WebEx clients and its Access Control System, all of which are mandatory if users want to keep using the products safely. The release comes two weeks after the networking giant issued critical patches for an array of WebEx products.

Advisory CVE-2018-0264 says the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files suffers from a vulnerability that, if exploited, “could allow an unauthenticated, remote attacker to execute arbitrary code on the system of a targeted user.”

Various organizations use the players to play back WebEx meeting recordings. If your installation comes as part of Cisco WebEx Business Suite, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and the Cisco WebEx ARF Player, install the patch ASAP, as there are no workarounds for the flaw. To patch, users must perform a simple software update.

CVE-2018-0253 is about a weakness in the ACS Report component of Cisco Secure Access Control System (ACS) that could allow a remote attacker to take hold of the system without having to authenticate as a valid user.

“Commands executed by the attacker are processed at the targeted user’s privilege level,” Cisco says. “The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device.”

Finally, according to CVE-2018-0258, a vulnerability in the Cisco Prime File Upload servlet used by several Cisco products could allow a remote attacker to upload malicious files to a vulnerable device and execute them. Users must update the servlet to patch the vulnerability.

Quite a number of Cisco products, in fact, do not suffer from this particular flaw. All of those unaffected products are listed in the advisory.

Australia’s largest bank lost its customers’ financial history and forgot to mention it

Australia’s Commonwealth Bank admitted losing years’ worth of backup data containing the financial details of some 12 million customers. When the breach occurred in 2016, the bank informed the Office of the Australian Information Commissioner, yet chose not to notify its customers. As a consequence, the CBA is facing further investigations.

BuzzFeed News revealed that the backup contained banking statements collected between 2004 and 2014, while News.com.au claims the loss affects data of almost 20 million customers, collected between 2000 and 2016.

The bank data was kept on magnetic tape drives, some of which subcontractor Fuji Xerox accidentally destroyed; that data was never retrieved, and the bank is now investigating what happened and why a destruction certificate was not found.

The CBA assures its customers that no sensitive information, such as PIN codes and passwords, was leaked, nor was suspicious activity detected. The tapes contained names, addresses, account numbers and transaction details.

“We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologize for any concern the incident may cause,” said Angus Sullivan, acting group executive.

“We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.”

One possible scenario, as initially concluded by a forensic team hired to investigate the privacy breach, is that “the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction.”

Anti-theft LoJack supposedly manipulated by Russian hackers to hijack computers

Security researchers from Arbor Networks’ ASERT lab have found that the laptop recovery software LoJack appears to have been used in a sophisticated, yet subtle, Russian state-sponsored attack scheme involving remote code execution. The tool was created as an anti-theft program to remotely protect corporate information should computers be stolen.

Security solutions don’t flag the malware hidden in the installation as malware activity, which makes it easy for attackers to intercept the communication and get inside the computer.

Anyone with administrator privilege can use the software to locate and encrypt stolen computers, and delete information. Some devices have the tool by default.

“This is basically giving the attacker a foothold in an agency,” Richard Hummel, manager of threat research at NETSCOUT Arbor’s ASERT, said in an interview with Dark Reading. “There’s no LoJack execution of files, but they could launch additional software at a later date.”

According to the report published on Tuesday, the Fancy Bear hacking group was manipulating the software to hack into a company’s network. Fancy Bear servers appear to have been communicating with a number of LoJack executables; “LoJack agents containing command and control (C2) domains likely associated with Fancy Bear operations,” reads the report.

“If they’re on a critical system or the user is someone with high privileges, then they have a direct line into the enterprise,” Hummel added, “with the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims’ machines.”

It’s not yet clear how the malware payloads spread, but researchers believe the hackers used phishing techniques.

Fancy Bear has been widely covered in the news due to its strong association with Russian military intelligence and the attacks against the Democratic National Committee in the US.

Twitter Plain Text Password Bug Prompts Users for Immediate Password Change

Twitter has warned its 330 million users to immediately change their passwords, as a result of a bug that caused passwords to be logged in plaintext before being hashed. Although Twitter says passwords are stored using the bcrypt hashing algorithm, it seems they were inadvertently placed in an internal log before being hashed.

“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” reads the Twitter blog post. “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

The vulnerability does not appear to have been misused by cyber criminals nor have Twitter’s systems been breached or misused to access these plaintext passwords. However, because the blog post seems to encourage all Twitter users to change their passwords, it is believed that the number of potentially affected accounts is significant, and the vulnerability may have been present for months before it was detected.
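As an added example (not Twitter’s code), the following Python shows the defect the blog post describes, a request written to a log before the password is hashed, next to a hardened handler that hashes first and redacts secret fields before logging. PBKDF2 from the standard library stands in for bcrypt, and the field names and the sample request are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, so the
# example runs without third-party packages. The logging mistake and its fix
# are identical whichever slow password hash is used.
PBKDF2_ROUNDS = 100_000

# Request fields that must never reach a log line. These names are assumed
# for the example, not taken from Twitter's systems.
SECRET_FIELDS = {"password", "new_password", "current_password"}


def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; a fresh random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def redact(record):
    """Return a copy of the record with secret-bearing fields masked."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in record.items()}


def log_line(event, record):
    # Stands in for a structured logging call; returns the text that would be
    # written so the caller (and the test) can inspect it.
    return json.dumps({"event": event, **record}, sort_keys=True)


def change_password_vulnerable(request):
    """The defect described above: the whole request, password included, is
    logged before hashing, so the plaintext lands in the log store."""
    line = log_line("password_change", request)  # BUG: leaks request["new_password"]
    return hash_password(request["new_password"]), line


def change_password_fixed(request):
    """Hash first, then log only a redacted copy of the request."""
    stored = hash_password(request["new_password"])
    line = log_line("password_change", redact(request))
    return stored, line


def line_leaks(line, secret):
    """Detection check a log pipeline can run on its own output: does the
    emitted line contain a value that should have been masked?"""
    return secret in line


# Constructed sample request; the user name and password value are made up.
SAMPLE_REQUEST = {"user": "alice", "new_password": "correct-horse-battery-staple-2018"}


if __name__ == "__main__":
    _, bad_line = change_password_vulnerable(SAMPLE_REQUEST)
    stored, good_line = change_password_fixed(SAMPLE_REQUEST)
    print("vulnerable log line:", bad_line)
    print("fixed log line:     ", good_line)
    print("verify:", verify_password(SAMPLE_REQUEST["new_password"], stored))
```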

“Out of an abundance of caution,” the social network strongly advises users to immediately change their account passwords, while also enabling two-factor authentication for additional security. Twitter also emphasizes that the vulnerability has been addressed, while apologizing for the incident.

“We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” reads the blog post. “We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

Twitter is the second company this week to reveal the existence of a “bug” in its password management systems, with GitHub announcing a similar vulnerability just days ago. From their description and warning to users, the two companies seem to have experienced the same type of password security issue.

89% of top travel websites fail to protect your security

Researchers have put big-name travel and booking sites to the test to see how their security practices fare against other online services. If the results are anything to go by, we should all take extra precautions to secure our personal data when booking a flight and a hotel room, or renting a car.

Analyzing the data for its first Travel Website Password Power Rankings report, password manager developer Dashlane found that 89% of booking sites leave users’ accounts dangerously exposed to bad actors due to unsafe password practices.

The company tested each website on five critical criteria, and ranked each site’s performance on a five-star scoring system. The results were not good, as the chart above shows.

Notably, 96% of travel sites tested did not provide 2FA (two-factor authentication), where the system asks users to validate their identity on a second platform, such as their phone, or service, such as their email.

Most big-name booking and travel agencies, including Booking.com, Hertz, American Airlines and InterContinental Group, scored poorly in areas like two-factor-authentication (2FA), and in assessing password strength when accounts are created.

And cruise company Norwegian Cruise Line flunked on all points of security best practices, receiving zero stars. At the other end of the spectrum lay hospitality service Airbnb, with 5 out of 5 stars.

“When compared to results of Dashlane’s 2017 rankings of leading consumer websites, and the more recent 2018 rankings comparing the cryptocurrency exchanges, travel sites performed especially poorly,” reads the report. “In the consumer rankings, which examined sites such as Apple, Facebook, and PayPal, only 36% received a failing score. That is in extremely stark contrast to the 89% of sites that failed Dashlane’s 2018 travel examination.”

Users are encouraged to employ a unique password for every online account they create. That password should be at least eight characters long with a mix of upper- and lowercase letters, numbers and special symbols.

But if other studies are any indication, convenience usually wins. That, perhaps, is at least part of the reason almost every big-name travel agency avoids turning their service into a cyber-security hassle.

ProtonMail warns all users to beware of phishing scam

ProtonMail is sending a warning urging all users of the end-to-end encrypted email service to be on the lookout for phishing scams impersonating ProtonMail.

“Dear ProtonMail user, over the last few days we have noticed an unusually high number of phishing attempts targeting ProtonMail accounts. To help keep your account safe, we want to remind you of a few security tips,” reads the warning.

Users are told to look for the “star” that indicates the email is from the provider, to avoid clicking on links or attachments if the email looks or feels suspicious in any way, and more (full text body in the embedded tweet below, courtesy of Catalin Cimpanu).

The company says phishing is the most common attack vector employed by cybercrooks, and urges users to watch out for any suspicious correspondence hitting their inbox.

ProtonMail is an end-to-end encrypted email service founded in 2014 at the CERN research facility. It uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers, unlike the more common email services out there.

The service uses a combination of public-key cryptography and symmetric encryption protocols to achieve end-to-end encryption, and includes the option to log in with a “two-password mode” that requires a login password and a password for the mailbox. The service is also secured by the industry-standard two-factor-authentication (2FA) protocol.

Since ProtonMail stores decryption keys only in their encrypted form, bad actors can’t retrieve user emails nor reset user mailbox passwords. Thus, the only way (or at least one of the few ways) they can get their hands on a ProtonMail account is through a phishing campaign that tricks users into inputting their credentials.

Critical Vulnerability in Docker Tool for Windows Allows RCE; Patch Available

A recent vulnerability in the Windows Host Compute Service Shim (hcsshim) library that allows users to import Docker container images in Docker for Windows could have enabled remote code execution on the Windows host.

The open source hcsshim library was developed by Microsoft as a wrapper for use with its Host Compute Service (HCS).

The vulnerability exists because the hcsshim library, as used by a container management service, does not properly validate input when a container image is imported, which can lead to the execution of malicious code on the targeted machine.

“Docker for Windows uses the Windows Host Compute Service Shim published and maintained by Microsoft,” wrote software developer Michael Hanselmann who reported the vulnerability. “Its use of Go’s filepath.Join function with unsanitized input allowed to create, remove and replace files in the host file system, leading to remote code execution. Importing a Docker container image or pulling one from a remote registry isn’t commonly expected to make modifications to the host file system outside of the Docker-internal data structures.”
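The pattern Hanselmann describes is a path traversal: `filepath.Join` cleans the joined path but never checks that the result stays inside the intended directory, so a `..` component in an untrusted entry name can land a file elsewhere on the host. The following is an added illustration, not hcsshim's code or Microsoft's fix: `NaiveJoin` mirrors the unsafe pattern, and `SafeJoin` is a generic hardening that rejects any entry resolving outside the destination (the destination path and entry names are constructed samples).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when an entry name would resolve outside base.
var ErrOutsideBase = errors.New("entry path escapes destination directory")

// NaiveJoin mirrors the unsafe pattern described above: the entry name taken
// from the image is joined onto the destination directory with no validation.
// filepath.Join cleans the result, so "../" components are resolved, not rejected.
func NaiveJoin(base, name string) string {
	return filepath.Join(base, name)
}

// SafeJoin joins name onto base and rejects any result that does not stay
// inside base. Hypothetical hardening for illustration, not hcsshim's fix.
func SafeJoin(base, name string) (string, error) {
	cleanBase := filepath.Clean(base)
	target := filepath.Join(cleanBase, name)
	rel, err := filepath.Rel(cleanBase, target)
	if err != nil {
		return "", err
	}
	// A relative path equal to ".." or starting with "../" means target left base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

func main() {
	base := "/var/lib/docker/layers/abc" // constructed sample destination
	for _, name := range []string{"etc/config", "../../../../some/host/file"} {
		fmt.Println("naive:", NaiveJoin(base, name))
		if p, err := SafeJoin(base, name); err != nil {
			fmt.Println("safe: rejected:", err)
		} else {
			fmt.Println("safe:", p)
		}
	}
}
```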

Tagged as CVE-2018-8115, the vulnerability has been rated critical by Microsoft, although the chances of it being exploited in the wild are considered very low.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” reads the advisory. “An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”

While full technical details of the vulnerability have yet to be made available, Hanselmann did receive approval from Microsoft to release a proof-of-concept along with technical details on May 9.

The vulnerability has already been fixed with the release of hcsshim 0.6.10 and everyone using Docker for Windows is urged to get this latest version of the library.

59% of people use the same password everywhere, poll finds

Despite an increasingly dangerous threat landscape and heightened global awareness of hacking and data breaches, password hygiene leaves a lot to be desired. 91 percent of people know that password recycling poses huge security risks, yet 59 percent still use the same password everywhere.

Users’ behavior in creating and managing secret login data lags behind the rapid evolution of cyber threats, according to statistics compiled by password management experts at LogMeIn. This holds true both in people’s personal lives and at work.

The firm polled 2,000 users across the United States, Australia, France, Germany and the United Kingdom, and found that people are more aware of security best practices, but don’t necessarily apply them.

For example, the number one reason for password reuse is fear of forgetfulness.

“Not only do most respondents (59 percent) use the same password for multiple accounts, but many continue to use that password as long as possible — until required by IT to update or if impacted by a security incident. The fear of forgetfulness was the number one reason for reuse (61 percent), followed by wanting to know and be in control of all of their passwords (50 percent),” according to the report.

Businesses should pay closer attention to staffers’ password hygiene, with nearly 47 percent of respondents saying there is no difference in the passwords they create for personal and work accounts. 79 percent have between one and 20 online accounts for work and personal use. Only 19 percent are more careful with their work login details, and 38 percent never use the same password for work and personal accounts. Unfortunately, the other 62 percent do.

The survey even found distinct differences in the psychology of users who are diligent with their online credentials versus those who are less meticulous.

“Bad password behavior in Type A personalities stems from their need to be in control, whereas Type B personalities have a casual, laid-back attitude toward password security,” researchers found. “Respondents who identify as Type A personalities are more likely than Type B personalities to stay on top of password security: 77 percent put a lot of thought into password creation, compared to 67 percent of Type B. And Type A users consider themselves informed about password best practices (76 percent) over Type B users (68 percent).”

Lastly, 72 percent feel well informed on password best practices, but 64 percent of those also prefer a password that’s easy to remember, and they admitted they always choose convenience over security. And while 91 percent are aware of the risks of password recycling, 58 percent mostly or always use the same password or a similar variation of that password for most of their online accounts.

It’s important to give your passwords a refresh every once in a while, as you never know what data breach caused your personal data to leak onto the dark web, where bad actors can use that data for extortion, phishing scams, ransomware, or fraud.

And while a trusted AV solution limits the attack surface for cybercrooks, it’s still your duty – and your duty only – to keep your login credentials safe from prying eyes.

Blockchain-powered e-commerce startup leaks personal information of 25,000 early investors

A misconfigured MongoDB database has led to the leak of names, email and physical addresses, wallet information, encrypted passwords, and driver’s license and passport numbers of 25,000 early investors in Bezop. The leak deals a second security-related blow in months to the e-commerce startup, which hopes to give retail giant Amazon a run for its money by fashioning its business around digital currency.

Bezop is a decentralized blockchain-powered commerce platform, similar in some ways to Amazon, that hopes to be “the future of global trade,” according to its creators.

“No monthly fees, Build professional amazon-like stores and start accepting cryptocurrency in minutes,” reads a marketing tagline on the firm’s website.

The business is based on its own Bezop cryptocurrency, which trades under the name BEZ. Users are promised several sure-fire ways to generate profits, not just by selling goods in exchange for crypto coins, but also by participating in “mining” programs for an extra incentive.

However, things went awry for Bezop when researchers at Kromtech (a developer of popular macOS utilities) found a misconfigured MongoDB database that was showing the personal information of 25,000 Bezop investors in plain text – publicly, for anyone with access to the Internet to see.

When alerted to the breach in March, Bezop fixed the problem but made no public admission that it messed up so badly – if there’s one thing a startup needs like air, it’s the trust of its early backers.

Sadly for Bezop, it’s not the first time the company has made headlines for insecure handling of user data. As reported by hackread.com, only a few months ago the company sent usernames and passwords in cleartext format.

John McAfee (the founder of the security firm with the same name) sits on Bezop’s board of directors, but his expertise has apparently yet to rub off on the company he is backing.

After failing to jailbreak friend, Washtenaw County hacker gets seven years in prison

27-year-old Konrads Voits, convicted of hacking Washtenaw County computer systems to try to get a friend out of prison early, now faces prison time himself. Voits has been sentenced to seven years and three months behind bars – and his laptop and phones have been taken away.

Voits last year tried to get a friend out of prison early by hacking government systems. The hacker used typical phishing schemes to steal login credentials from government employees and gain access to County systems, the Department of Justice (DoJ) reported in December.

Once in, Voits modified his friend’s release date. However, an employee discovered suspicious activity and alerted the IT department, and an investigation into the hack was commissioned. Soon after, all signs pointed to one Konrads Voits.

“The FBI is deeply committed to the aggressive pursuit of all cybercrime and in bringing to justice those who commit such acts,” said Timothy R. Slater, Special Agent in Charge, Detroit FBI. “Today’s sentencing of Mr. Voits is an example that cybercriminals should no longer expect the Internet to provide them a veil of anonymity towards carrying out their illegal activities. The FBI will continue to vigorously investigate these high-tech crimes through strong law enforcement partnerships.”

Judge Robert H. Cleland gave Voits an 87-month sentence. As part of the sentencing, the DoJ says authorities confiscated several of Voits’ possessions, including a laptop, an integrated circuit component, several cellular phones, and several hundred dollars’ worth of Bitcoin.

Washtenaw County said the investigation into Voits’ hack cost them almost a quarter million dollars.