The Home Office breached the GDPR 100 times in its handling of EU citizens’ data in the space of just five months, an inspector’s report has revealed.
Between March 30 and August 31, 2019, the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI).
The report is the second to focus on the controversial EU Settlement Scheme (EUSS), which EU citizens must apply to if they want to remain in the UK post-Brexit. The EUSS launched at the end of March.
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
Aside from the 23 documents misplaced by a postal company in July, the worst incident came in April, when 240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email.
That incident happened just days after a similar privacy snafu in which the Home Office exposed the details of 500 applicants to the Windrush compensation scheme — itself set up after the mistreatment of Commonwealth citizens by the Conservative government.
At the EUSS, important ID documents were misplaced inside the EUSS office on multiple occasions and sometimes returned to the wrong address, according to the report.
The Home Office claimed it is getting better at data protection.
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
A Chinese scientist convicted of stealing trade secrets worth $1bn from an Oklahoma petroleum company has been jailed in the United States.
Hongjin Tan was employed by the unnamed company in June 2017 to work in a group whose goal it was to develop next-generation battery technologies for stationary energy storage.
Vigilant coworkers caught the 36-year-old Chinese national and US legal permanent resident stealing hundreds of files containing proprietary information specifically related to flow batteries.
After being confronted with the theft, Tan admitted intentionally copying and downloading the research and development materials onto a thumb drive without authorization from his employer.
Realizing the jig was up, Tan turned in the thumb drive along with his resignation in December 2018. But when investigators examined the storage device, they found evidence that five documents that had been stored on it had since been deleted.
The missing files were later located on an external hard drive recovered during a search of Tan's premises. It transpired that Tan had swiped the files and squirreled them away at home, where they could be accessed, and potentially sold, at a later date.
On November 12, 2019, Tan pleaded guilty to theft of a trade secret, unauthorized transmission of a trade secret, and unauthorized possession of a trade secret.
Speaking at the time, Assistant Attorney General for National Security John C. Demers said: “Tan’s guilty plea continues to fill in the picture of China’s theft of American intellectual property.
"The Department launched its China Initiative to battle precisely the type of behavior reflected in today’s plea—illegal behavior that costs Americans their jobs—and we will continue to do so.”
Yesterday, US District Judge Gregory K. Frizzell sentenced Hongjin Tan to 24 months in federal prison and ordered him to pay $150,000 in restitution to his former employer. After completing his two-year prison sentence, Tan will spend a further three years on supervised release.
“The sentencing of Hongjin Tan underscores the FBI’s commitment to protecting our country's industries from adversaries who attempt to steal valuable proprietary information," said Melissa Godbold, special agent in charge of the FBI Oklahoma City Field Office.
"American companies invest heavily in advanced research and cutting-edge technology. Trade secret theft is detrimental to our national security and free-market economy. It takes profits away from companies and jobs away from hard working Americans."
The FBI has indicted a man suspected of being responsible for a hack that compromised the accounts of 127 million Ticketfly users.
Moulak O. Ishak allegedly hacked into Ticketfly's systems in 2018. Ticketfly punters who tried to purchase tickets for upcoming live gigs were greeted with a picture of the V for Vendetta character and the message "Ticketfly HacKeD By IsHaKdZ."
At the time of the attack, Ticketfly was owned by Eventbrite, which made the decision to temporarily take the platform offline in the wake of the breach. Eventbrite issued the online message, “Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident.”
Following the attack, Motherboard claimed that hacker IsHaKdZ told them via email that he had warned Ticketfly of a vulnerability that allowed him to take control of all the databases for Ticketfly and its website.
In what sounds a lot like a ransom demand, the hacker is purported to have told Motherboard that he offered to share details of the vulnerabilities with Ticketfly in exchange for 1 bitcoin but never received a reply from the platform's operators.
Following the hack, the personal details of six Ticketfly users were posted to a server as proof that IsHaKdZ's claims of being able to access the databases were real.
According to the indictment issued on February 18, the FBI believes that Ishak, using the pseudonym IsHaKdZ, attempted to extort money from Ticketfly over a five-day period.
Ishak has been indicted on one count of forfeiture and one felony count of extortion in relation to damage to a protected computer.
The alleged cyber-criminal has not been apprehended, though a warrant has been issued for his arrest. If caught and convicted of these charges, Ishak could face a fine of $250,000 and up to three years behind bars.
The indictment reads: "On or about 27 May 2018, and continuing to at least 31 May 2018, in the Northern District of California and elsewhere, the defendant, with intent to extort from Ticketfly money and other things of value, transmitted in interstate and foreign commerce a communication containing a demand and request for money and other things of value in relation to damage to a protected computer, to wit, Ticketfly’s servers, where such damage was caused to facilitate the extortion."
For the 2020 edition, however, many of the attack vectors presented weren't entirely new, as old threats resurfaced. Additionally of note, while the title of the session is about the top five new attacks, researchers outlined more than that at this particular event.
Command and Control (C2) Returns
Ed Skoudis, instructor at the SANS Institute, highlighted what he referred to as the "golden age of C2" as one of his top new threats. C2, which stands for command and control, is commonly associated with botnet activity that is controlled from a central command point.
Skoudis identified several ways that organizations can help protect themselves from C2 activity. Among his suggestions is for defenders to vigorously control outbound traffic and look for beacons and log anomalies. He also suggested that security professionals enforce application white-listing to limit what can run within the enterprise.
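One way to act on the "look for beacons" advice is to score outbound connections by how regular their timing is: a timer-driven implant checks in at near-constant intervals, while a person browsing does not. The following is an added example written for this article, not code from SANS or from Skoudis; the proxy log lines are constructed, the log format ("timestamp src dst bytes") is assumed, and the thresholds are illustrative starting points rather than recommended values.

```python
"""Beacon detection over constructed proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Format assumed: "timestamp src dst bytes".
# 203.0.113.10 is contacted every 60 seconds with near-identical payload sizes;
# 198.51.100.20 looks like ordinary, irregular browsing.
SAMPLE_LOG = """\
2020-02-27T09:00:00 10.0.0.5 203.0.113.10 412
2020-02-27T09:00:03 10.0.0.5 198.51.100.20 9130
2020-02-27T09:01:00 10.0.0.5 203.0.113.10 410
2020-02-27T09:02:00 10.0.0.5 203.0.113.10 415
2020-02-27T09:02:41 10.0.0.5 198.51.100.20 22010
2020-02-27T09:03:00 10.0.0.5 203.0.113.10 411
2020-02-27T09:04:00 10.0.0.5 203.0.113.10 409
2020-02-27T09:04:12 10.0.0.5 198.51.100.20 1260
2020-02-27T09:05:00 10.0.0.5 203.0.113.10 413
2020-02-27T09:09:30 10.0.0.5 198.51.100.20 88120
"""


def parse_log(text):
    """Group connections by (src, dst) into lists of (datetime, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose gaps between connections are near-constant.

    jitter = stdev(gaps) / mean(gaps). A value near 0 means the connections
    are spaced like a timer; human-driven traffic has jitter well above 0.1.
    Payload-size consistency is reported as a second, supporting signal.
    """
    suspects = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        sizes = [size for _, size in events]
        size_ratio = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter:
            suspects.append({
                "src": src,
                "dst": dst,
                "hits": len(events),
                "period_s": period,
                "jitter": jitter,
                "size_ratio": size_ratio,
            })
    return sorted(suspects, key=lambda s: s["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG, min_hits=4):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} hits, "
              f"period {hit['period_s']:.0f}s, jitter {hit['jitter']:.3f}, "
              f"size ratio {hit['size_ratio']:.3f}")
```

Real implants often add random sleep jitter and vary payload sizes, so in practice the thresholds need tuning against a baseline of the organization's own traffic, and a low-jitter hit is a lead to investigate (what process made the connection, is the destination known) rather than a verdict.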
Living Off the Land
Another trend that Skoudis identified is the concept of living off the land, which refers to attackers' making use of tools that are already present within an organization and then abusing them for malicious gain.
"If you're an attacker, what you could do is you could use the resources of the operating system itself to attack that machine, and to spread to other systems in the environment, so you're living off the land," he said.
The concept of living off the land is not entirely new either, having been reported on at least as far back as 2015.
There are several things that organizations can do to protect against living off the land attacks. One set of resources cited by Skoudis is the LOLBAS project, which provides tools to help identify and limit the risk of attacks.
With the threat of deep persistence, Skoudis warned that malware can now be embedded deep into devices in a way that wasn't happening before. For example, he noted that it is now possible to embed malware in a USB charging cable.
With the charging cable example, even if an organization is able to purge whatever malware gets installed on a given system, with deep persistence, the next time the cable is plugged in, it will reinfect the system all over again.
Skoudis said that it's important for individuals and companies to not just plug anything into their system and to make sure that cables and other peripherals are acquired from trusted sources.
Mobile Device Integrity
Heather Mahalik, senior instructor and director of digital intelligence at SANS Institute highlighted the risk of mobile devices as one of her top threats.
Given that mobile phones have become an essential part of daily life, she noted that if a phone falls into the wrong hands it could be catastrophic. She wasn't just talking about lost or stolen devices, but also about the risk of refurbished devices that have not been properly wiped of the previous owner's data.
She also mentioned the risk of the checkm8 vulnerability in Apple iOS devices, which is a silicon vulnerability that enables the checkra1n jailbreak.
How 2FA Can Hurt You
Two-Factor Authentication (2FA) is a recommended best practice to help improve user security, but it's not a panacea either. Mahalik noted that simply having a code that needs to be typed in for 2FA isn't enough.
She also warned that there are some apps that only require a phone number, which is a risk if a user gives up their phone number and the carrier then reissues that number to a new customer.
"You want a password and 2FA," she said. "If it's just one or the other, it's not a good scenario."
Mahalik suggested that when users get a new phone number they should make sure they go into every application that has 2FA and change to the new number.
Enterprise Perimeter Vulnerabilities
Johannes Ullrich, dean of research at SANS Institute, identified the risk of enterprise perimeter vulnerabilities as one of his top threats.
Over the past year there have been numerous publicly reported issues in widely deployed enterprise firewall and perimeter security devices.
Aside from patching, Ullrich suggests that users never expose an administrative interface on an enterprise perimeter device to the public internet.
The final emerging threats identified by Ullrich are localhost APIs that are embedded in enterprise applications that call out to third-party resources. While the intention for the APIs is to enable functionality such as tech agent support, they also open up enterprises to potential risk.
To help limit the risk, Ullrich suggests that users, where possible, identify what is listening on ports on a system and monitor how applications call out to external resources.
A data breach that exposed patients' personal health information (PHI) for almost three months went undetected for half a year at a Michigan healthcare group.
Hackers gained access to patient data placed in the safekeeping of Munson Healthcare Group by compromising the email accounts of at least two employees. Patient records were accessed from July 31, 2019, to October 22, 2019, but the breach went undetected until January 16, 2020.
What data was compromised in the prolonged attack varied from patient to patient, but information accessed by the hackers included financial account numbers, driver’s license numbers, dates of birth, and Social Security numbers.
Health information, including insurance details, treatments, and diagnostic data, was also exposed by the breach.
Exactly how many patients were affected by the breach has not been revealed by Munson Healthcare, but given the size of the group, the number could potentially be high. From its base in Traverse City, Munson Healthcare operates nine hospitals in 30 counties spread through Northern Michigan.
The group has 7,500 employees and covers an area of 11,177 square miles, which is roughly the size of Vermont and Delaware combined.
“This incident does not affect all patients of Munson Healthcare and not all information was included for all individuals. Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information,” a spokesperson for Munson Healthcare said.
The group went on to say that no evidence had been found to indicate that the information exposed in the breach had been acquired or misused by any third parties who accessed it. Given how long it took the group to detect that the breach had even occurred, this statement may come as cold comfort to Munson patients whose data was accessed by hackers.
"Patient privacy is a top priority and we take this matter very seriously,” said Lucas Otten, Munson Healthcare's director of information security.
“Munson regularly trains and educates all employees on cybersecurity awareness and risks, and we use a 24x7 staffed cybersecurity response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen."
Delivering a keynote talk at the RSA Conference in San Francisco, Mary T Barra, chairman and CEO of General Motors Company, said “all of you today are the best and strongest line of defense in this ongoing and even more complex fight.”
Barra had concluded the first part of her keynote talk by saying that “we know this is a marathon with no finish line” and stressed the need for more talent, citing the most recent (ISC)2 Cyber Workforce Survey, which estimated a shortage of four million skilled people by 2022. She said that “without the right people and the right tools” security risks will increase, “and endanger all of us.”
She added that for long term success of every business that exists in a digital ecosystem “we must fill the talent gap, and not just with anyone but with everyone.”
She highlighted the need to recruit more “women and minorities, who are under-represented in the engineering and IT fields.” To that end, GM has run outreach programs in schools focused on “rewarding careers,” encouraging students to pursue science, technology, engineering and mathematics (STEM) careers and to “help them see a path for themselves in this space.” Last year these programs reached 300,000 students and teachers across the United States, while General Motors has participated in nationwide careers programs and has encouraged its own engineers to do outreach to schools.
“If we want to cultivate young people of the future, we need to invest in theirs,” she said.
Free HTTPS tool Let’s Encrypt yesterday announced it has issued its billionth certificate, in what it claims to be a milestone for user privacy and security.
Backed by the non-profit Internet Security Research Group (ISRG), the initiative has good reason to make such claims, having made what was once a complex and expensive process — registering and managing TLS certificates — free and easy.
In a blog post from executive director, Josh Aas, and VP of comms, Sarah Gran, the two revealed how HTTPS page loads have risen from 58% of the global total in 2017 to 81%, and even higher (91%) in the US.
“When you combine ease of use with incentives, that’s when adoption really takes off. Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” they explained.
“When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”
However, there’s another side to the free encryption message: as well as making it easier for legitimate users to improve security, it has made it simpler for cyber-criminals to hide their activities online.
In 2016, for example, Trend Micro reported that malvertisers were using Let’s Encrypt to hide malicious advertising from network security tools.
A couple of years later, a flaw in Let’s Encrypt’s ACME protocol was found which could have allowed attackers to obtain certificates for domains they did not own.
However, the organization has also been improving its own security and authentication processes. Last week it launched a multi-perspective domain validation system to ensure certificate applicants control the domains they’re hoping to register a cert for.
A US TV star has lost nearly $400,000 in a classic email fraud scam after a fraudster persuaded her bookkeeper to wire funds to a new bank account.
Multi-millionaire Barbara Corcoran describes herself as an “NYC real estate queen” and is one of the investors on popular show Shark Tank. However, on Wednesday, she took to Twitter with the brief message, “Lesson learned: Be careful when you wire money!”
In fact, it was her bookkeeper that had been tricked into wiring the $388,000 funds into an Asian bank, according to reports.
A fraudster reportedly spoofed the email address of Corcoran’s assistant, telling the bookkeeper to wire the funds to a German company called FFH Concept.
It’s unclear whether this was a legitimate supplier or a new organization, but the scammer apparently responded to an initial query for more information with a detailed explanation about the invoice.
That indicates they put in plenty of work ahead of time researching Corcoran’s business.
This modus operandi is similar to the business email compromise (BEC) or CEO fraud scams that netted scammers a staggering $1.8bn last year, accounting for half of all reported cybercrime losses. That’s up from around $1.3bn in 2018, according to the FBI.
Peter Goldstein, CTO and co-founder of Valimail, argued that firms cannot rely on human intuition alone to stop such scams.
“The phishing scam impacting Corcoran’s company clearly debunks the myth that phishing emails are easy to spot. Many companies invest in employee security training to prevent this kind of attack, but as this incident proves, humans are not able to identify malicious emails reliably,” he added.
“Hackers leverage impersonation and heavily researched social engineering tactics to appear as trustworthy senders, and their fraudulent messages are often indistinguishable from legitimate ones.”
Goldstein recommended investing in technologies which validate and authenticate sender identity. It’s reported that the email address used by the hacker was almost identical to that of Corcoran’s assistant but missing a single 'o' — a common tactic to trick recipients.
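The single-character lookalike described above is one of the few parts of a BEC lure that software can catch mechanically. The following is an added example, not code from Valimail or from the article: it compares an inbound sender address against a directory of known contacts using edit distance, after folding a few common character substitutions, and labels the sender as known, lookalike or unknown. The contact addresses are constructed placeholders on a reserved example domain, and the homoglyph table and distance threshold are assumptions to tune per organization.

```python
"""Lookalike sender detection for BEC screening (added example)."""

# Constructed contact directory (placeholder addresses, not real ones).
KNOWN_CONTACTS = [
    "assistant@corcoran-office.example",
    "accounts@corcoran-office.example",
]

# Character substitutions that look alike in many fonts (assumed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def canonical(addr):
    """Fold visually similar characters so 'c0rcoran' compares as 'corcoran'."""
    for lookalike, plain in HOMOGLYPHS:
        addr = addr.replace(lookalike, plain)
    return addr


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender, known=KNOWN_CONTACTS, max_distance=2):
    """Return (verdict, closest_known_address, distance).

    verdict is "known" for an exact match, "lookalike" when the sender is
    within max_distance edits of a known contact after homoglyph folding
    (distance 0 here means only look-alike characters differ), else "unknown".
    """
    s = sender.strip().lower()
    for k in known:
        if k.lower() == s:
            return ("known", k, 0)
    best, best_d = None, None
    for k in known:
        d = edit_distance(canonical(s), canonical(k.lower()))
        if best is None or d < best_d:
            best, best_d = k, d
    if best_d <= max_distance:
        return ("lookalike", best, best_d)
    return ("unknown", best, best_d)


if __name__ == "__main__":
    for sender in ["assistant@corcoran-office.example",
                   "assistant@corcran-office.example",   # one 'o' missing
                   "Assistant@c0rcoran-office.example",  # zero for 'o'
                   "billing@vendor.example"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is the case to route for out-of-band confirmation before any payment instruction is acted on; it complements, rather than replaces, sender authentication such as SPF, DKIM and DMARC, which address spoofing of the genuine domain rather than registration of a similar one. The digit folding can produce false positives for legitimate addresses that contain digits, so the homoglyph table should be adjusted to the organization's own address conventions.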
Facebook has filed a lawsuit in California against a data analytics company it claims has illegally accessed user data.
New Jersey-based OneAudience allegedly paid app developers to install a malicious software development kit (SDK) in their apps. This was designed to harvest information including name, gender, email and username of users logging in to the apps with their Facebook credentials, the social network claimed.
“Security researchers first flagged OneAudience’s behavior to us as part of our data abuse bounty program. Facebook, and other affected companies, then took enforcement measures against OneAudience,” wrote the firm’s director of platform enforcement and litigation, Jessica Romera.
“Facebook’s measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate.”
The firm is said to have done the same to Twitter and Google users. Twitter claimed in a notice that the issue was down to “a lack of isolation between SDKs within an application.”
“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK,” it explained.
“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”
In a statement back in November, OneAudience said that it was shutting down the offending SDK.
“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used,” it said.
“We proactively updated our SDK to make sure that this information could not be collected on November 13 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.”
There has been a lot written in recent years about election security and ensuring the integrity of voting systems. While voting machines are important, so too are non-voting election technologies, which was the topic of a session at the RSA Conference in San Francisco.
Aaron Wilson, Senior Director of Election Security at the Center for Internet Security (CIS), explained that non-voting election systems include things that support elections. Those systems include electronic poll books, election night reporting systems, voter registration systems, and electronic ballot delivery.
"There is a lot to that attack surface, but there are not a lot of standards and regulations," Wilson said.
The Center for Internet Security has developed a guide to help secure those non-voting election systems that has 160 best practices to help reduce risk and improve confidence. The overall goal, according to Wilson, isn't necessarily that every election official will do all the steps, but rather they will have a guide that provides questions to ask vendors and IT staff.
There are three key areas that Wilson suggested election officials should look at. The first is dealing with Denial of Service (DoS) risks.
"Denial of Service is concerning because you know exactly when to wage the attack against an election system," he said. "If you can take a service down in a moment of critical need it can have significant impact."
Ransomware is also a risk that election officials need to defend against. Wilson said that both DoS and ransomware attacks are essentially about availability and denying access to assets.
The third key area is something Wilson referred to as unauthorized data modification. That's a critical area for non-voting election system integrity, as an unauthorized change can throw an election into doubt.
Among the key recommendations that Wilson provided to reduce the risk of unauthorized data modification are the following:
- Deployment of automated software patch management tools
- Using best practices for securely handling input and output
- Verifying data on backup media
- Deployment of application layer filtering
- Enforcement of access controls to data
Verifying Election Technology
Going a step beyond best practices, there is also an ongoing need to verify that systems are in fact operating as intended on a continuous basis. That's where the RABET-V: Rapid Architecture-Based Election Technology Verification framework comes into play.
"RABET-V is an election technology verification process that supports rapid product changes by design," Wilson said.
The RABET-V effort was launched in February 2020 as a pilot program and is available as an open source effort on GitHub.
"It provides a consistent basis from which approval authorities can draw information, resulting in quicker decisions and reduced, amortized overall cost," Wilson concluded.
The method, procedures, and practices used by cybersecurity professionals have relevance beyond just the technology sphere; they can also be used to hack society.
"This is the big idea: we here in our community have developed some very effective techniques to deal with code and technology," Schneier said. "Can our expertise in IT security transfer to broader social systems like the tax code, or the systems we use to choose our elected officials or the market economy?"
Schneier argued that the hacker mindset, that is, an approach to thinking about how things fail and how to make things fail, has broader implications than just computer security. He suggested that the cybersecurity procedural mindset is valuable in a broader context and can be used to help secure the systems that make up society.
"As the world looks more like a computer, our security skills become more applicable," he said.
That said, Schneier noted that he didn't want to imply that technology can fix everything, but rather there is perhaps a way to blend technology and policy in a new way that can improve human communities.
The Hacking Mindset
Using a hacking mindset to impact society isn't an entirely new idea. Schneier remarked that NSA whistleblower Edward Snowden wrote in his memoir that the US intelligence community hacked the Constitution in order to justify mass surveillance.
"We can argue whether that's true or not, but everyone here intuitively knows what he means by that," Schneier said.
Another example of how the hacking mindset is already in use is within the advertising industry. Schneier argued that advertising is a hack of humans' cognitive systems to help influence choices.
Political forces are already using hacking-type techniques for propaganda as well.
"Authoritarian regimes are vulnerable to information attacks that challenge their monopoly on common political knowledge, and that is why an open internet is so dangerous to an autocracy," Schneier said. "Democracies are vulnerable to information attacks that turn common political knowledge into contested political knowledge."
Schneier suggested that there are several ways modern cybersecurity practices can be used to hack society for good purposes.
In cybersecurity, having transparency and visibility is a foundational idea that is a useful concept for society in general.
"We have other solutions in our tech tool kit like defense in depth, compartmentalization, isolation, sandboxing, audit, incident response, and patching," he said. "We never actually solve a security problem, we iterate, so is there some way to iterate law to have extensible law, where we implement some rapid feedback in our laws and regulations?"
A key challenge that Schneier sees today is that we don't have policy institutions with footprints to match the technology that society uses. For example, he noted that Facebook is global, yet it's only regulated nationally by specific governments.
"Our problems tend to be social problems masquerading as tech problems and tech solutions masquerading as social solutions," Schneier said. "We need to better integrate tech and policy."
Speaking in a keynote talk at the RSA Conference in San Francisco, Mary T. Barra, chairman and CEO of General Motors Company, said that she acknowledged that “no one in this room needs convincing that there are virtually no industries today that are not vulnerable to cyber-attacks.”
She said that the auto industry is no exception, as it is bringing technologies and features to market, while users expect seamless integration with their devices, “and it is always our intention that customers and their data are always safe, secure, and private.”
GM built a “proactive cybersecurity organization” with hands-on engagement from the board, as it views cybersecurity “not just as a competitive advantage, but as a systemic concern for our industry.”
Barra said that the automotive industry remains competitive, but is an area “where we must, and rarely do, collaborate and share best practices,” and it works with the Auto-ISAC for information sharing, while it is focused on securing the automobile process at every stage.
Referring to the Cruise autonomous vehicle arm of GM, she said that human error is responsible for 9 out of 10 crashes, and GM was keen to provide “the safest products and strongest cybersecurity and giving them greater convenience, better accessibility, at an affordable cost.”
Barra said that around $100m is spent per year on cybersecurity, and the risk is looked at end-to-end with “no shortcuts” taken by the nearly 500 practitioners “developing in-depth defense, monitoring incident response capabilities that we continually test, rework, and refine.”
One partner GM has worked with is HackerOne, “to engage more closely with the research community and identify vulnerabilities before they become an issue.” She said this commitment showed GM’s determination to maintain best practices in cybersecurity, and that the company had re-engineered its development program to create the Vehicle Intelligent Program (VIP) to support safety systems, 5G networks, and over-the-air updates “and enhanced cybersecurity protections.”
She concluded by saying that “we know this is a marathon with no finish line” and stressed the need for more talent.
Criminals are using a combination of server exploitation, email, and voice calls to execute voice phishing attacks, often referred to as vishing.
In a session at the RSA Conference in San Francisco, John LaCour, founder and CTO at PhishLabs, and Davey Ware, Special Agent at the FBI, detailed the mechanics of how vishing attacks work to defraud victims of money, as well as how one group of criminals was found.
"Vishing attacks are phishing attacks that use the telephone network," LaCour said.
He explained that in vishing attacks the lure is delivered in one of several ways, including an email message with a call-back number, SMS via a telephone provider, and robocalls from an interactive voice response system (IVR). According to data cited by LaCour, over a one-year period more than 50% of vishing attacks targeted small banks and credit unions.
Vishing attacks are carried out in stages. Attackers first compromise a Windows server with some form of Remote Desktop Protocol (RDP) backdoor to gain access, then compromise IVR systems and create fake email accounts as well.
The FBI Investigation
The FBI is aware of vishing attacks and has been actively involved in tracking down criminals. Ware detailed one such investigation involving three vishing hackers from Romania who had exploited a small bank in South Carolina.
By going through the logs of the impacted bank the FBI identified a number of clues, including IP addresses from RDP sessions. With some basic internet searching, Ware said, the FBI was able to make a link to a Facebook account and then via legal processes was able to get additional information on the criminals.
The FBI then found further evidence in Facebook chats that tied three Romanian individuals to the vishing attack. Over a two-year period, Ware said, the FBI collected enough evidence that they felt they could go to the next step, connecting with law enforcement in Romania.
Arresting the Vishers
Romanian law enforcement, working with the FBI, raided the homes of all three suspects at the same time in 2014. Ware noted that one of the criminals threw his laptop and power cord out the window as soon as police showed up. Luckily, the laptop landed in the snow and all the data was still on it.
At the time of the raid, Ware noted, there was an active RDP session open on the laptop, with a text file including credit card numbers.
"They were literally doing the scheme when the search warrant was served," he said.
While the raid was conducted in 2014, the legal process takes time. All three suspects were indicted in 2017, extradited to the US in 2018 and, after pleading guilty, sentenced in 2019 to jail terms of approximately 8 years.
"Why we're talking about this case now is because it has been fully adjudicated, so we can talk about it," Ware said. "We want to present this because attackers are still using the same tactics now."
In a talk at the RSA Conference in San Francisco, Lexis Nexis Risk Solutions director of product management Daniel Ayoub and VP of product management Dean Weinert talked about the reality of which metrics and identifiers browsers release on users.
In a talk titled “Creepy Leaky Browsers,” Ayoub said that the classic cartoon caption “on the internet no one knows you’re a dog” was becoming less true, as there is so much more information available via a browser. A browser fingerprint is a combination of persistent and non-persistent identifiers gathered passively through application programming interfaces (APIs) built into modern web browsers.
Ayoub said these browser fingerprints are typically used for:
- Digital marketing
- Improving the user experience
- Return device recognition
- Fraud prevention
Weinert said that this all “began with cookies,” but tracking moved a step further once cookie use was limited, so identifiers came to be derived from a user’s network information, external IP address, screen resolution, and type of GPU. Ayoub said that many of these fingerprinting techniques were introduced in the late 2000s, before the EFF raised concerns about browser privacy in 2010.
“As time moved on, we saw more APIs added to browsers, and they offered details on what hardware was added, how much RAM was used, and which CPUs were now baked into the browser,” he said. This allows someone to know how a user interacts with a device, and “the key point is that real-world apps that benefit consumers take into account fingerprinting, and these are used every day in the background, and most people are unaware of it.”
Their research into different browsers showed that there were different details revealed; for example, Firefox doesn’t reveal the device memory, while Google Chrome OSX does, and some browsers support Bluetooth adapters, while some do not.
To better protect yourself while using the internet, Ayoub and Weinert recommended trying to “blend in” rather than stand out, “as more people don’t try to hide, and the best strategy is to use common operating systems and browsers.”
However, this causes an issue when trying to spot cyber-criminals, as Weinert said that the “bad guys look like regular users,” and as more browsers obfuscate, “if everything is vanilla it is harder to find the wolf among the sheep.”
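As an added example (not code from the talk or from LexisNexis), the following script shows which passive signals a fingerprint like the one described above is assembled from, how the absence of an API (Firefox not exposing device memory or a Bluetooth object) changes the result, and how “blending in” can be measured as the number of profiles that share the same id; the navigator and screen objects are constructed stand-ins for window.navigator and window.screen.

```javascript
// Added example (not from the talk or LexisNexis): which browser signals a
// fingerprint is built from and how a missing API changes the result.
// Node has no window, so the functions take navigator-like and screen-like
// objects; in a page you would pass window.navigator and window.screen.

// Read the commonly used passive signals. All of these are readable by any
// script on the page without a permission prompt.
function collectSignals(nav, scr) {
  return {
    userAgent: nav.userAgent,
    platform: nav.platform,
    language: nav.language,
    // Logical CPU cores; null when the browser does not expose the API.
    cores: nav.hardwareConcurrency !== undefined ? nav.hardwareConcurrency : null,
    // Approximate RAM in GiB (navigator.deviceMemory): Chrome exposes it,
    // Firefox does not, which is the difference the researchers observed.
    memoryGiB: nav.deviceMemory !== undefined ? nav.deviceMemory : null,
    // Whether a Web Bluetooth API object exists at all.
    bluetooth: nav.bluetooth !== undefined,
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
  };
}

// FNV-1a (32-bit) over the canonical JSON of the signals. A digest that is
// stable across visits is what "return device recognition" relies on.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function fingerprint(nav, scr) {
  const signals = collectSignals(nav, scr);
  return { signals, id: fnv1a(JSON.stringify(signals)) };
}

// Size of the crowd a device hides in: how many profiles in a population
// produce the same id. "Blending in" means making this number large.
function anonymitySetSize(population, id) {
  return population.filter((p) => fingerprint(p.nav, p.scr).id === id).length;
}

// Constructed sample profiles (not captured from real browsers).
const SCREEN = { width: 1920, height: 1080, colorDepth: 24 };
const CHROME_MAC = {
  userAgent: 'Mozilla/5.0 (Macintosh) Chrome/80.0', platform: 'MacIntel',
  language: 'en-US', hardwareConcurrency: 8, deviceMemory: 8, bluetooth: {},
};
const FIREFOX_WIN = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0) Firefox/73.0', platform: 'Win32',
  language: 'en-US', hardwareConcurrency: 8, // no deviceMemory, no bluetooth
};
const POPULATION = [
  { nav: CHROME_MAC, scr: SCREEN }, { nav: CHROME_MAC, scr: SCREEN },
  { nav: FIREFOX_WIN, scr: SCREEN },
];
```

Running fingerprint(CHROME_MAC, SCREEN) and fingerprint(FIREFOX_WIN, SCREEN) yields different ids even though both report the same screen, language and core count, because the Firefox profile simply lacks two of the signals.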
Weinert said that browser vendors realized that they had to put privacy first, and he urged vendors to collaborate better to a degree where standards can be determined. “Also do the right thing” when device profiles are offered in bulk resale.
For users, Ayoub recommended using current and latest versions of browsers, going to fingerprinting sites to see what they are comfortable with, and considering using browser tools that are designed for privacy.
“Also opt-out where appropriate,” he said, and recommended finding your Advertiser ID on your device and switching it off or resetting it.
Last year's data breach at the Desjardins Group will cost the co-operative far more than initially anticipated.
Original estimates by the Quebec-based financial institution set the cost of recovering from the breach at $70m. The co-operative has now said that the final breach bill is likely to be $108m.
The data breach was intentionally carried out by a malicious employee who had access to banking details such as loans and savings. As a result of their actions, the data of 4.2 million customers who bank with Desjardins in Quebec and Ontario was exposed.
Six months after the breach was announced, the incident was found to have also affected 1.8 million credit card holders who were not Desjardins members. The employee at the center of the breach has since been fired.
News of the breach came to light in June last year. From July onward, Desjardins introduced identity protection for all members who bank with the co-operative in Quebec and Ontario, free of charge.
In November, Desjardins issued an online statement that implied that data exposed in the breach had not been misused.
The statement said: "Desjardins would like to remind its members that there was no spike in fraud cases, either before or after the privacy breach was announced on June 20."
While the repair bill does not make suitable reading material for the faint-hearted, Desjardins president and chief executive officer Guy Cormier said that the financial impact of the breach represents less than 1% of the $18bn in revenue the institution earned in 2019.
According to Cormier, Desjardins has "ample capacity" to absorb the cost of the breach into its everyday operations.
Driving up the cost of recovery is the package of compensation measures Desjardins offered its members in the wake of the breach. Included in the package was five years of free credit monitoring from Equifax, which suffered its own catastrophic data breach in 2017 in which personal data of almost half the population of the United States of America was exposed.
Cormier said that no further increase in costs related to the data breach is expected.
Researchers at the University of Texas have found a way to bamboozle malicious hackers into giving away their secrets.
The DEEP-Dig (DEcEPtion DIGging) method tricks hackers onto a decoy site set up to record whatever sneaky tactics are thrown at it. This information is then fed into a computer, where it is analyzed to produce clues on how to identify and fend off future hacking attacks.
University of Texas at Dallas computer scientists presented papers on their wily new work at the annual Computer Security Applications Conference in December in Puerto Rico and at the Hawaii International Conference of System Sciences.
Furtively obtaining information from hackers that can later be used against them is a rapidly growing cybersecurity field known as deception technology. This cunning approach encourages those working in cybersecurity to view cyber-attacks in a whole new light.
“There are criminals trying to attack our networks all the time, and normally we view that as a negative thing,” said Dr Kevin Hamlen, Eugene McDermott Professor of Computer Science.
“Instead of blocking them, maybe what we could be doing is viewing these attackers as a source of free labor. They’re providing us data about what malicious attacks look like. It’s a free source of highly prized data.”
Privacy restrictions can make it difficult for researchers to obtain sufficient data on attackers' tactics to create effective defense strategies. DEEP-Dig functions like a spy in the attacking camp, gathering up valuable real-time information on how hackers strike.
Dr Gbadebo Ayoade, who presented the scientists' findings in Puerto Rico and Hawaii, said that having more data will make it easier to detect when an attack is under way.
“We’re using the data from hackers to train the machine to identify an attack,” said Ayoade. “We’re using deception to get better data.”
Dr Latifur Khan, professor of computer science at UT Dallas, said "attackers will feel they're successful" when they encounter the decoy site stocked with disinformation.
Mirroring the cyber-criminal’s domain-spoofing technique and using it against them to gain a window into their activity might appear like poetic justice; to Khan, it's simply another roll of the dice.
Describing the ongoing online battle between the lawless and the law-abiding, Khan said: "It's an endless game."
Traditional organized crime gangs are now making efforts to succeed in financial cybercrime in Latin America.
According to research by IntSights into cybercrime activity in Central and South America, persistent cyber-criminals are operating extensive schemes targeting banks, hospitality services, and retail businesses for their credentials and financial assets.
Although the attackers deliberately changed their tactics and infrastructure, they tended to reuse the same profiles, which allowed the IntSights research team to determine their locations. One attacker was based in Colombia but originally from Venezuela, having escaped poverty and government censorship to pursue cybercrime as a career.
Alongside economic struggles, political corruption, internet censorship, and the rise of organized crime, Latin America has seen cybercrime emerge, with attackers specifically focused on financial gain.
Speaking to Infosecurity at RSA Conference in San Francisco, IntSights’ cyber-threat intelligence advisor Charity Wright said that the intelligence team were initially tipped off by the appearance of multiple phishing sites “but what we found was that it was a single person and he was building a team.” He turned out to be called Charles or Carlos, who was the attacker originally from Venezuela, and “he found a way to make money by scamming people out of their credentials for their bank accounts.”
The research found that he was using fraudulent sponsored adverts on search engines and social media to lure people into giving up their details. “He mostly evangelises his tactics and techniques to other people in Latin America,” Wright said. “He teaches other people about what he does, and also targets American banks.”
Wright said that there are four major threat landscape factors that are contributing to the cybercrime emergence in Latin America:
- Economic instability
- Social factors like poverty
- Corruption and bribery
- Population growth and the use of technology
This all adds up to a need to make money, combined with a “new” user base of technology, and governments and law enforcement that either overlook the issue because they are dealing with larger crimes or turn a blind eye to smaller fraudulent crimes. “They are making millions of dollars now,” Wright added.
She also said that a lack of legislation is another factor, as while Brazil leads the way with over 40 different data privacy regulations in place, it is currently consolidating these into one overarching policy called Lei Geral de Proteção de Dados (LGPD), forecasted to be implemented in August 2020.
This law will be similar to GDPR and will focus on keeping companies accountable for their customers’ data, with non-compliance potentially resulting in a 2% annual revenue penalty, which Wright said would be crippling for retailers and banks that are already struggling to fight fraud and cybercrime.
“So all of the other factors considered, none of the enterprises are being held accountable for the protection of data of their users and employees,” she said. “There is a lot of skepticism, but I am advising businesses in the region to stay ahead of this because if they do not understand what is expected of them and how to plan for it and do it, they are going to face fines. They cannot afford to be non-compliant.”
In terms of cyber-criminal actions that verge on state-sponsored attacks and intelligence gathering, Wright said that there are some hacktivist-style groups, but these are not as prevalent as the low-level threat actors with some technical skill. “Those with technical skill are being recruited into cartels and organized crime groups, the rest of them are just really good at fraud.”
America's Democratic National Committee has warned its electoral candidates to be wary after a phony Bernie Sanders campaign staffer used a fake domain to contact other political campaigns.
The cyber-imposter attempted to set up conversations with at least two other campaigns using a spoofed domain registered outside the United States. Sanders campaign spokesperson Mike Casca said yesterday that he believed the domain to be registered in Russia.
Casca said that the detection of the imposter was an indication that the party's cybersecurity was working well.
“It’s clear the efforts and investments made by the DNC and all the campaigns to shore up our cybersecurity systems are working,” Casca told the Associated Press. “We will remain vigilant and continue to learn from each incident.”
DNC chief security officer Bob Lord emailed the party's presidential campaigns yesterday, urging them to be on the lookout for charlatans. Lord said that “adversaries will often try to impersonate real people on a campaign” to get people to “download suspicious files or click on a link to a phishing site.”
Campaigns were also instructed to question the plausibility of anyone attempting to arrange a call or meeting that could be recorded or published.
Though authorities have been notified about the fraudulent Sanders staffer, Lord expressed little hope that the impersonator would be identified, noting that "attribution is notoriously hard."
In an effort to sort the real domains from the fake, Lord wrote in his email to campaigns: "If you are using an alternate domain, please refrain from doing so and let us know if you are operating from a domain that others have not corresponded with before."
The CSO then instructed campaign staffers not to use their personal email accounts for official business.
If Lord's message sounds a trifle paranoid, it's worth remembering that a phishing attack on John Podesta, chairman of Hillary Clinton's 2016 presidential campaign, resulted in thousands of emails being hacked and leaked.
Podesta was deceived by an official-looking email sent to his Gmail account. Purporting to be from Google, the message warned Podesta that someone in Ukraine had accessed his personal Gmail password and had tried to log into his account. The email implored Podesta to immediately change his password, directing him to a malicious website to achieve this.
A former Microsoft engineer faces 20 years behind bars after being found guilty of attempting to defraud his ex-employer of $10m.
Ukrainian citizen Volodymyr Kvashuk, 25, from Renton, Washington, was initially a contractor for the tech giant before going full time there from August 2016 until he was fired in June 2018.
He was convicted on Tuesday of 18 federal felonies: five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns and one count each of mail fraud, access device fraud and access to a protected computer in furtherance of fraud.
According to court documents, Kvashuk worked on Microsoft’s online retail sales platform where he used his IT access to steal digital gift cards and other “currency stored value,” before selling them on the internet.
Although the amounts he stole started off relatively small, totalling around $12,000, they soon progressed into millions of dollars.
Kvashuk is said to have set up test email accounts under the names of Microsoft employees and used Bitcoin mixing services to hide his tracks and the source of the funds entering his bank accounts.
According to the Department of Justice (DoJ) over $2.8m in Bitcoin was transferred to his accounts over the seven months of the scheme. Kvashuk was also able to buy a $1.6m home and a $160,000 Tesla car.
“In addition to stealing from Microsoft, Volodymyr Kvashuk also stole from the government by concealing his fraudulent income and filing false tax returns,” said IRS-CI special agent in charge, Ryan Korner.
“Kvashuk’s grand scheme was thwarted by the hard work of IRS-CI’s Cyber Crimes Unit. Criminals who think they can avoid detection by using cryptocurrency and laundering through mixers are put on notice…you will be caught and you will be held accountable.”
A notorious group behind digital skimming attacks has upped its game recently, infecting at least 40 new websites, according to researchers.
Magecart Group 12, one of many collectives using techniques designed to harvest card details from e-commerce websites, continues to adapt its modus operandi, according to researcher Max Kersten.
The current campaign has been running for several months, with the first hacked site linking to a skimmer domain on September 30 2019 and the most recent infection date being February 19 2020, he explained.
“The skimmer, hosted on jquerycdn.su, changed four times during the campaign. In the four versions of the skimmer that were used in this campaign, the used obfuscation method is the same as in the other reported campaigns,” he continued.
“The first stage loads the actual skimmer script, which is polluted with garbage code. The skimmer itself is different, compared to the first versions. The skimmer grabs all fields from the page, rather than all forms. Although the approach and script are different, the general concept remains the same: obtaining credit card credentials.”
Of the 39 new sites hit by the group, 13 were still compromised at the time of writing, despite being contacted by Kersten. Most appear to be SME-sized retailers who perhaps don’t have many resources to devote to cybersecurity. Consumers are urged not to shop on these sites.
Last month, Kersten and fellow researcher Jacob Pimental revealed how Magecart 12 was targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020 tournaments. Although the domain was taken down, the group simply swapped it for another and continued, highlighting the resilience of the threat, according to RiskIQ.
Tarik Saleh, senior security engineer at DomainTools, urged companies to ensure their underlying operating systems and web frameworks are patched and up-to-date to prevent common exploits running.
“Secondly, it’s important to adjust your web application’s Content Security Policy (CSP) to allow scripts running on it to be from your specific whitelisted domains,” he added.
“Thirdly, I recommend deploying a File Integrity Monitoring (FIM) solution to your website’s directory containing the scripts used for the checkout or payment handling process. FIM solutions are great for monitoring when files have been tampered with or added to your website, and in this case it won’t prevent you from being compromised, but it will let you know if Magecart has been installed.”
It’s believed that Magecart groups had infected over two million websites, as of October 2019.