The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.
The nine-count indictment names Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) as members of the PLA’s 54th Research Institute, a component of the Chinese military. They are each charged with three counts of conspiracy to commit computer fraud, economic espionage and wire fraud.
The government says the men disguised their hacking activity by routing attack traffic through 34 servers located in nearly 20 countries, using encrypted communications channels within Equifax’s network to blend in with normal network activity, and deleting log files daily to remove evidence of their meanderings through the company’s systems.
U.S. Attorney General Bill Barr said at a press conference today that the Justice Department doesn’t normally charge members of another country’s military with crimes (this is only the second time the agency has indicted Chinese military hackers). But in a carefully worded statement that seemed designed to deflect any criticism of past offensive cyber actions by the U.S. military against foreign targets, Barr said the DOJ did so in this case because the accused “indiscriminately” targeted American civilians on a massive scale.
“The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information,” Barr said. “But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens.”
FBI Deputy Director David Bowdich sought to address the criticism about the wisdom of indicting Chinese military officers for attacking U.S. commercial and government interests. Some security experts have charged that such indictments could both lessen the charges’ impact and leave American officials open to parallel criminal allegations from Chinese authorities.
“Some might wonder what good it does when these hackers are seemingly beyond our reach,” Bowdich said. “We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up, and when they do we’ll be there. We in law enforcement will not let hackers off the hook just because they’re halfway around the world.”
The attorney general said the attack on Equifax was just the latest in a long string of cyber espionage attacks that sought trade secrets and sensitive data from a broad range of industries, including managed service providers and their clients worldwide, as well as U.S. companies in the nuclear power, metals and solar products industries.
“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involved some connection with China,” he said.
The indictments come on the heels of a conference held by US government officials this week that detailed the breadth of hacking attacks involving the theft of intellectual property by Chinese entities.
“The FBI has about a thousand investigations involving China’s attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector,” FBI Director Christopher Wray reportedly told attendees at the gathering in Washington, D.C., dubbed the “China Initiative Conference.”
At a time when increasingly combative trade relations with China combined with public fears over the ongoing Coronavirus flu outbreak are stirring Sinophobia in some pockets of the U.S. and other countries, Bowdich was quick to clarify that the DOJ’s beef was with the Chinese government, not its citizenry.
“Our concern is not with the Chinese people or with the Chinese American,” he said. “It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn’t mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage. What it does mean is when China violates our criminal laws and international norms, we will hold them accountable for it.”
A copy of the indictment is available here.
DOJ officials praised Equifax for their “close collaboration” in sharing data that helped investigators piece together this whodunnit. Attorney General Barr noted that the accused not only stole personal and in some cases financial data on Americans, they also stole Equifax’s trade secrets, which he said were “embodied by the compiled data and complex database designs used to store personal information.”
While the DOJ’s announcement today portrays Equifax in a somewhat sympathetic light, it’s important to remember that Equifax repeatedly has proven itself an extremely poor steward of the highly sensitive information that it holds on most Americans.
Equifax’s actions immediately before and after its breach disclosure on Sept. 7, 2017 revealed a company so inept at managing its public response that one couldn’t help but wonder how it might have handled its internal affairs and security. Indeed, Equifax and its leadership careened from one feckless blunder to the next in a series of debacles that KrebsOnSecurity described at the time as a complete “dumpster fire” of a breach response.
For starters, the Web site that Equifax set up to let consumers check if they were affected by the breach consistently gave conflicting answers, and was initially flagged by some Web browsers as a potential phishing site.
Compounding the confusion, on Sept. 19, 2017, Equifax’s Twitter account told people looking for information about the breach to visit the wrong Web site, which also was blocked by multiple browsers as a phishing site.
And two weeks after its breach disclosure, Equifax began notifying consumers of their eligibility to enroll in free credit monitoring — but the messages did not come from Equifax’s domain and were in many other ways indistinguishable from a phishing attempt.
It soon emerged the intruders had gained access to Equifax’s systems by attacking a software vulnerability in an Internet-facing server that had been left unpatched for four months after security experts warned that the flaw was being broadly exploited. We also learned that the server in question was tied to an online dispute portal at Equifax, which the intruders quickly seeded with tools that allowed them to maintain access to the credit bureau’s systems.
This is especially notable because on Sept. 12, 2017 — just five days after Equifax went public with its breach — KrebsOnSecurity broke the news that the administrative account for a separate Equifax dispute resolution portal catering to consumers in Argentina was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
Perhaps we all should have seen this megabreach coming. In May 2017, KrebsOnSecurity detailed how countless employees at many major U.S. companies suffered tax refund fraud with the IRS thanks to a laughably insecure portal at Equifax’s TALX payroll division, which provides online payroll, HR and tax services to thousands of U.S. firms.
In October 2017, KrebsOnSecurity showed how easy it was to learn the complete salary history of a large portion of Americans simply by knowing someone’s Social Security number and date of birth, thanks to yet another Equifax portal.
Around that same time, we also learned that at least two Equifax executives sought to profit from the disaster through insider trading just days prior to the breach announcement. Jun Ying, Equifax’s former chief information officer, dumped all of his stock in the company in late August 2017, realizing a gain of $480,000 and avoiding a loss of more than $117,000 when news of the breach dinged Equifax’s stock price.
Sudhakar Reddy Bonthu, a former manager at Equifax who was contracted to help the company with its breach response, bought 86 “put” options in Equifax stock on Sept. 1, 2017 that allowed him to profit when the company’s share price dropped. Bonthu was later sentenced to eight months of home confinement; Ying got four months in prison and one year of supervised release. Both were fined and/or ordered to pay back their ill-gotten gains.
While Equifax’s stock price took a steep hit in the months following its breach disclosure, shares in the company [NYSE:EFX] gained a whopping 50.5% in 2019, according to data from S&P Global Market Intelligence.
KrebsOnSecurity has long maintained that the 2017 breach at Equifax was not the work of financially-motivated identity thieves, as there has been exactly zero evidence to date that anything close to the size of the data cache stolen from that incident has shown up for sale in the cybercrime underground.
However, readers should understand that there are countless other companies with access to SSN, DOB and other information crooks need to apply for credit in your name that get hacked all the time, and that this data on a great many Americans is already for sale across various cybercrime bazaars.
Readers also should know that while identity theft protection services of the kind offered by Equifax and other companies may alert you if crooks open a new line of credit in your name, these services generally do nothing to stop that identity theft from taking place. ID theft protection services are most useful in helping people recover from such crimes.
As such, KrebsOnSecurity continues to encourage readers to place a freeze on their credit files with Equifax and the other major credit bureaus. This process puts you in control over who gets to grant credit in your name. Placing a freeze is now free for all Americans and their dependents. For more information on how to do that and what to expect from a freeze, please see this primer.
The post U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack — Krebs on Security appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans The US has indicted Chinese military personnel today on charges of hacking into Equifax’s computer systems and stealing valuable trade secrets and the personal data of nearly 150 million Americans. A federal grand jury in Atlanta, Georgia, returned the indictment last week against four members of the Chinese […] View full post on AmIHackerProof.com
#hacking | Daily Inter Lake – Politics & Government, The big lesson from the Bezos hack: Anyone can be a target
PROVIDENCE, R.I. (AP) You may not think you’re in the same league as Jeff Bezos when it comes to being a hacking target. Probably not, but you and just about anyone else, potentially including senior U.S. government figures, could still be vulnerable to an attack similar to the one the Amazon founder and Washington Post owner apparently experienced.
Two U.N. experts this week called for the U.S. to investigate a likely hack of Bezos’ phone that could have involved Saudi Arabian Crown Prince Mohammed bin Salman. A commissioned forensic report found with medium to high confidence that Bezos’ iPhone X was compromised by a video MP4 file he received from the prince in May 2018.
Bezos later went public about the hack after the National Enquirer tabloid threatened to publish Bezos’ private photos if he didn’t call off a private investigation into the hacking of his phone. It’s not clear if those two events are related. The Saudis have denied any involvement in the purported hack.
The events could potentially affect U.S.-Saudi relations. On Friday, Sen. Ron Wyden, an Oregon Democrat, said he is asking the National Security Agency to look into the security of White House officials who may have messaged the crown prince, particularly on personal devices. Jared Kushner, a White House aide and President Donald Trump’s son-in-law, is known to have done so using WhatsApp.
Wyden called reports of the Bezos hack “extraordinarily ominous” and said they may have “startling repercussions for national security.”
But they could resonate at the personal level as well. As the cost of hacking falls while opportunities to dig into peoples’ online lives multiply, more and more people are likely to end up as targets, even if they’re not the richest individuals in the world.
Ultimately, that boils down to a simple lesson: Be careful who you talk to and what you’re using to chat with them.
“People need to get out of the mindset that nobody would hack them,” said Katie Moussouris, founder and CEO of Luta Security. “You don’t have to be a specific target or a big fish to find yourself at the mercy of an opportunistic attacker.”
WhatsApp, owned by Facebook, is generally considered a secure way of trading private online messages due to the fact that it scrambles messages and calls with encryption so that only senders and recipients can understand them. What many people may not have realized is that it, like almost any messaging service, can act as a conduit for malware.
That encryption, however, is no help if a trusted contact finds a way to use that connection to break into the phone’s operating system. In fact, an infected attachment can’t be detected by security software while it’s encrypted, and apps like WhatsApp don’t scan for malware even once files are decrypted.
WhatsApp users can disable the automatic downloading of photos, videos and other media, which happens by default unless the user takes action.
“Other messaging apps are likely also vulnerable. It just so happens that this one was a vulnerability in WhatsApp,” said JT Keating, of Texas-based security firm Zimperium. “It could have been in any one of any number of apps.”
Prince Mohammed exchanged numbers with Bezos during a U.S. trip in spring 2018. On the same visit, the prince also met with other tech executives, including the CEOs of Google, Apple and Palantir, as well as sports and entertainment celebrities and academic leaders. Virgin Group founder Richard Branson gave the Saudi delegation a tour of the Mojave Air and Space Port in the desert north of Los Angeles.
Google and Apple didn’t respond to emailed requests for comment this week on whether their executives shared personal contacts after that trip. Palantir Technologies confirmed that its CEO Alex Karp met with the prince but said they never shared personal messages. Virgin Group said it was looking into it.
UC Berkeley cybersecurity researcher Bill Marczak cautioned that there’s still no conclusive evidence that the Saudi video was malicious, adding that it might be premature to jump to broader conclusions about it. Many other security experts have also questioned the forensics report upon which U.N. officials are basing their conclusions.
But Marczak said it is generally good advice to “always be on the lookout for suspicious links or messages that sound too good to be true.”
Even caution about avoiding suspicious links might not be good enough to ward off spyware, especially for high-profile targets like dissidents, journalists and wealthy executives. Hackers-for-hire last year took advantage of a WhatsApp bug to remotely hijack dozens of phones and take control of their cameras and microphones without the user having to click anything to let them in.
In such cases, said Marczak, there doesn’t need to be any interaction on the part of the person being targeted.
What Mr. Pierson describes is low-hanging fruit — the kind of security flaws that can quickly be fixed with a little knowledge and attention to detail. Even then, he said, it takes time for the true nature of clients’ vulnerability to sink in. “They’re shocked when we give them their password and tell them where we found it, but it doesn’t hit as hard as when we tell them their entire home automation system has been potentially online and viewable for three or five or eight years,” he said.
When it comes to a Bezos-style breach — potentially at the hands of a nation-state’s intelligence service — high-profile targets would likely be even less prepared. As Mr. Bezos’s lengthy investigation into the 2018 attack shows, it’s difficult to get straight answers even when you have the money and resources to run full forensics.
Of course, it’s not just wealth that turns somebody into a person of interest for hackers. Journalists, government employees, workers at energy companies and utilities could all be targets for someone. Those who work for financial firms, airlines, hospitals, universities, Hollywood studios and tech firms are all potentially at risk. To mitigate that risk, there are plenty of things you can do. You can take steps to secure yourself from corporate data collection using privacy settings on your phone. And to protect yourself from cyberattacks there are helpful guides you can use that have been vetted by security professionals.
For most of us, the attack against Mr. Bezos isn’t the death of privacy, but a reminder of the risks of living a connected life. It should be a moment to think as critically about what you do online as you might in the real world. Invest in a password manager. Turn on dual factor authentication. Be skeptical of any communication that looks out of place.
For the ultrarich and influential, the Bezos hack should be a terrifying revelation that, as the former State Department employee and whistle-blower John Napier Tye told me last autumn, “For someone who’s truly a high-value target, there is no way to safely use a digital device.” The stakes are astronomically high. Not just personally, as Mr. Bezos found, but professionally. Company secrets, matters of national security, access to critical infrastructure and the safety of employees could all be compromised by lax security at the top.
The internet has long been thought of as a truly democratic tool, flattening and democratizing the ability to publish and communicate. It’s also the great privacy equalizer. Money can buy a lot of things. But on a dangerous internet full of exploits, flawed code, shady actors and absent-minded humans, total, foolproof security is not one of them.
Facebook in October reportedly derailed an investigation into an Islamic State terror suspect by European law enforcement and an Israeli intelligence firm by warning users that their phones had been hacked.
The company’s massively popular messaging platform, WhatsApp, notified some 1,400 users, including the suspect, that an “advanced cyber actor” had gained access to their devices. The suspect, who was believed to be planning a terror attack during the holiday season, disconnected shortly after.
The officials in the unnamed Western European country had hacked the suspect’s phone with software developed by Israel’s NSO group, which they secured with a government contract and the approval of a judge, according to a Wall Street Journal report.
The WhatsApp warning message to users said: “An advanced cyber actor exploited our video calling to install malware on user devices. There’s a possibility this phone number was impacted.”
The company was reportedly unaware of the security investigations.
A Western intelligence official told Channel 12 that the notification had been sent to both Islamic State and Al Qaeda suspects, calling the intelligence breach “a disturbing and dangerous fact,” according to a Sunday report.
The alert foiled investigations into some 20 cases, including into suspected terrorists and pedophiles, the official said.
Investigators breached suspects’ phones “surgically” using a loophole in the app, had been monitoring the suspects for a long time, and following the alert had to start the investigations anew, he said.
The investigation into the Islamic State suspect planning a holiday season attack had relied on the suspect’s phone for information on his activities and communications, and had only had access to the device for a few days — not enough time to complete the probe.
One European intelligence official said that the NSO technology had given his team information on a violent bank-robbing outfit and weapons dealers, which led to arrests. He said that officials in other countries in Western Europe had told him that over 10 investigations may have been thwarted by the WhatsApp message to users.
On October 29, the same day as the alert, WhatsApp sued NSO Group, accusing it of using the platform to conduct cyber-espionage on journalists, human rights activists and others.
The suit, filed in a California federal court, contended that NSO Group tried to infect approximately 1,400 “target devices” with malicious software to steal valuable information from those using the messaging app.
WhatsApp said NSO Group’s hacking was illegal and that it was acting to protect its users.
NSO Group told The Wall Street Journal that its tools were “only licensed, as a lawful solution, to government intelligence and law-enforcement agencies for the sole purpose of preventing and investigating terror and serious crime.”
Most of its clients are democracies in Europe that use its technology to fight crime and terror, NSO Group said.
NSO Group came to prominence in 2016 when researchers accused it of helping to spy on an activist in the United Arab Emirates.
Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target’s phone camera and microphone, and access data on it.
The firm has been adamant that it only licenses its software to governments for “fighting crime and terror,” and that it investigates credible allegations of misuse, but activists say the technology has been instead used for human rights abuses.
In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the […]
There were a bunch of big data hacks in 2019, and 2020 will likely be just as bad as the number of cyberattacks increases. (The average number of security breaches in the last year grew by 11% from 130 in 2017 to 145 in 2018, according to Accenture research.) Companies […]
Amazon’s voice assistant wisecracks her way through SQL injection attacks on serverless environments at Black Hat Europe
Developers in serverless environments must heed the threat posed to their applications by voice command inputs, an industry expert has warned.
Speaking at the Black Hat Europe conference in London last week, researcher Tal Melamed took control of vulnerable applications hosted on serverless environments using Alexa-guided SQL injection attacks.
‘Sounds like a dream’
Serverless architecture, which allows developers to build applications without provisioning a server, is becoming an increasingly popular choice among developers, said Melamed, who is leading the OWASP Serverless Top 10 project.
Code is executed only when needed and “you don’t pay for what you don’t use”, the researcher noted, adding that the approach is a boon for “experimentation and scaling up”.
Serverless application development “sounds like a dream,” he said. But if organizations are liberated from the burdens of server management, it does not follow that security concerns are fully outsourced to service providers like AWS, Azure, and Google Cloud Platform.
This is because serverless applications still execute code, said Melamed – and insecure code is vulnerable to application-level attacks.
Melamed, head of research at Protego Labs, told The Daily Swig that all too many developers are unaware that serverless environments demand a different security posture to their traditional counterparts.
Outsourcing the perimeter
Outsourcing server architecture might reduce workload, but it also tears down the security perimeter.
“Serverless is an event-driven architecture where code is triggered via different events in the cloud,” Melamed told The Daily Swig.
Unlike in monolithic applications, code is no longer triggered only through APIs.
“Code can now be executed due to an email that was received, a file that was uploaded or a database table that was changed. The ‘connection’ between those events to your code is transparent and is controlled by the cloud provider.”
All too many developers “are unaware of the adjustments” they need to make “to attend [to] those risks.”
Those adjustments include never trusting inputs, which should be validated before data is processed.
“However, [developers] need to get used to the fact that the input could come from unexpected sources, like Alexa voice commands,” added Melamed.
Alexa, what is my balance?
Melamed’s final demonstration, in which he stole data from a hypothetical user account, illustrated how a voice-command injection attack requires only “code [that’s] vulnerable to SQL injection, which accepts inputs from Alexa (or any other voice-enabled devices) and processes the input as part of the database queries without validating it first.”
Alexa translated his voice commands – such as “what is my balance?” – into code.
“I designed it so it would translate words of numbers into actual numbers,” he told attendees.
The voice-delivered code that cracked the user’s secret ID, unlocking the cash balance, was .
The lesson to “organizations that develop voice-enabled applications” is clear, Melamed told The Daily Swig: they “should consider voice-commands as [an] input to their application.”
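As an added example that is not Melamed’s demo code or anything from the Daily Swig article: a Python handler in the shape of a serverless function that looks up an account balance from an Alexa-style slot value, written first with the query assembled from the spoken input as the talk describes, then hardened by validating the slot and using a parameterised query. The SQLite database, the accounts table, its rows and the number-word mapping are all constructed here for the example.

```python
"""Voice-slot input flowing into a database query: vulnerable vs. hardened.

Added example, not from the article or Melamed's talk. Everything below
(table, rows, number-word mapping) is constructed for the demonstration.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data standing in for the application's account store.
_SEED_ROWS = [
    (1001, "alice", 250.00),
    (1002, "bob", 980.50),
    (1003, "carol", 42.00),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", _SEED_ROWS)
    return conn


# Spoken digits as a voice assistant might hand them to the function.
_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def words_to_digits(spoken: str) -> str:
    """Turn 'one zero zero one' into '1001'.

    If any token is not a number word the text is returned unchanged, which
    mirrors a slot that the voice layer already passes through verbatim.
    """
    tokens = spoken.split()
    if tokens and all(tok in _WORDS for tok in tokens):
        return "".join(_WORDS[tok] for tok in tokens)
    return spoken


def balance_vulnerable(conn: sqlite3.Connection, slot_value: str) -> List[Tuple]:
    """The pattern the talk warns about: the slot is pasted into the SQL."""
    account = words_to_digits(slot_value)
    sql = f"SELECT owner, balance FROM accounts WHERE id = {account}"
    # Whatever the slot contained is now part of the statement, so a spoken
    # value that is not a bare number changes the query, not just its input.
    return conn.execute(sql).fetchall()


class InvalidVoiceInput(ValueError):
    """Raised when a slot value is not an acceptable account id."""


_ACCOUNT_ID = re.compile(r"\d{1,10}")


def balance_hardened(conn: sqlite3.Connection, slot_value: str) -> Optional[Tuple]:
    """Validate the slot, then bind it as a parameter instead of concatenating."""
    account = words_to_digits(slot_value)
    # Validation first: an account id is digits only, regardless of whether
    # it arrived over HTTP, a queue, or a voice assistant.
    if not _ACCOUNT_ID.fullmatch(account):
        raise InvalidVoiceInput(f"rejected slot value: {slot_value!r}")
    # Parameterised query: the driver sends the value separately from the
    # statement, so it can never be parsed as SQL.
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE id = ?", (int(account),)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("spoken id, vulnerable :", balance_vulnerable(db, "one zero zero one"))
    # A slot that is not a bare number widens the vulnerable query to every row.
    print("bad slot, vulnerable  :", balance_vulnerable(db, "1001 OR 1=1"))
    print("spoken id, hardened   :", balance_hardened(db, "one zero zero one"))
    try:
        balance_hardened(db, "1001 OR 1=1")
    except InvalidVoiceInput as exc:
        print("bad slot, hardened    :", exc)
```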
Melamed also launched event injection attacks through a third-party app using a REST API, against cloud storage, and via email.
Melamed said his demos – coming soon to GitHub – evidenced the importance of shrinking “the attack surface by following the least-privilege principle: narrowing down the permissions of every serverless function as much as possible.”
Attendees were also urged to automate their defensive processes wherever possible.
Telling it like it is, Alexa clearly assigned blame for successful injection attacks: “In short, the problem isn’t the cloud – it’s you [the developer]”.
Today the Financial Times has published a news story about how the British Home Office’s app for EU citizens applying to live and work in the UK post-Brexit “could allow hackers to steal phone numbers, addresses and passport details.”
It certainly caught my attention. Just yesterday I used the EU Exit: ID Document Check app on my cleaning lady’s Android phone to help her apply for residency. And – to be honest – it was pretty easy to use, once I’d worked out how to change the language of her phone from Romanian to English.
Applicants scan their passport, take a selfie, and use their phone’s NFC feature to read the biometric chip embedded in their passport.
But, according to the FT, Norwegian cybersecurity researchers have discovered flaws in the Android version of the app (they didn’t test the iPhone version):
Promon, a Norwegian cybersecurity company, found major loopholes that allowed them to take control of the app and access any information that was entered into it, including the facial scans and images of passport pages.
They were also able to see information being typed into the app, such as usernames, passwords and other details, and were able to alter information being entered.
“The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge,” said Tom Lysemose Hansen, chief technology officer at Promon, who added that they had “experienced no resistance”.
OK… so it sounds scary that information could be surreptitiously stolen as it is entered into the app… but how would a hacker do this?
Mr Lysemose Hansen said Promon’s researchers had focused on copying and stealing or manipulating data while it was being actively entered into, or processed by, the app. But he added that it was possible to add malicious code to the app while it was inactive that would then help steal personal information when it was subsequently being used.
So what the researchers are saying is that if a hacker manages to compromise your smartphone or the app then it could do something malicious…
Err, isn’t that pretty much the case with all programs and computers? If a hacker already has control of the device or has already compromised the app then all bets are off…
Now, if the researchers had described a way in which an attacker might be able to remotely compromise the app or meddle with the phone then that would have been interesting. Or if it had been found that the app was sending sensitive data insecurely which could be intercepted then that would have certainly raised an eyebrow.
And yes, an app could always integrity check itself to see if it had been tampered with, but if someone is replacing your legitimate version of the app with a bogus compromised version there’s no reason why they couldn’t also tamper with the code which checks if it has been tampered with!
So, this doesn’t seem like a big deal to me.
The final word goes to the Financial Times again:
The app was tested for several months before being launched in March and there have been no reports of any security breaches. The app’s page on the Google Play Store states that it is “safe and secure” and that: “None of your personal identity information will be stored in the app or on the phone when you finish using it.”
#cybersecurity | #hackerspace | Analyst Discusses Reporting Hack Of Computer System At Indian Nuclear Reactor | Avast
This week a report of hackers gaining access to an Indian nuclear power plant’s computer network led to alarm, confusion, and denial before officials admitted the hack took place. The threat analyst who reported the issue experienced a unique vantage point in the middle of that […]