A Look at Romanian ‘Hackerville’ Reveals Human Element of Cybercrime

“Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Cybercrime is often thought of as something that only happens within the generalized, invisible space of the internet. It is seen as virtual rather than physical, and those who commit cybercrime are thought of as anonymous individuals whose activities are all within the confines of the web. Run an image search for “hacker” or “cybercriminal” and you will see plenty of pictures of people with their faces hidden by hoods or masks, sitting alone in a dark room in front of a computer. But what if, instead of a hooded loner, the universal image of cybercrime was that of a group of neighbors in an impoverished part of the world, gathered together at a local cafe?

The latter is a new picture of cybercrime that researchers Jonathan Lusthaus and Federico Varese hope to make more people aware of in their recent paper “Offline and Local: The Hidden Face of Cybercrime.” The co-authors, working on the Human Cybercriminal Project out of the sociology department of the University of Oxford, traveled to Romania in 2014 and 2015 to study the oft-ignored real-world aspect of cybercrime in an area known to be a hub for one specific form of this crime—cyber fraud.

“Hackerville”

The town of Râmnicu Vâlcea, which has a population of around 100,000, has faced some economic setbacks in the last decade, including the loss of a major employer, a chemical plant; in addition, the average monthly salary in Romania as a whole (in 2014) was only €398 compared to €1,489 across the European Union. However, upon arriving in town, Lusthaus and Varese found themselves surrounded by luxury cars, “trendy” eateries, and shopping malls stocked with designer clothes and electronics. Though Râmnicu Vâlcea is poor “on paper,” the town seemed to be thriving, and interviews with Romanian law enforcement agents, prosecutors, cybersecurity professionals, a journalist, a hacker, and a former cybercriminal would soon give the researchers a clue as to why that might be.

“It was rumored that some 1,000 people (in Râmnicu Vâlcea) are involved almost full-time in internet fraud,” Varese told me, explaining why the town sometimes nicknamed “Hackerville” became a key target of their research (although the authors point out, in their paper, that the more accurate term would be “Fraudville,” as scams are focused more on the sale of fake goods than hacking or the spread of malware).

Varese said major findings from their interviews in Râmnicu Vâlcea as well as the Romanian cities of Bucharest and Alexandria were that cybercriminals knew each other and interacted with each other at local meeting spots offline, such as bars and cafes; that they operated in an organized fashion with different people filling different roles; that many in the town were aware of the organized crime but either didn’t say anything or sought to become involved themselves; and that there have been several cases throughout the years of corrupt officials, including police officers, who accepted bribes from the fraudsters and allowed them to perpetuate their schemes without interference.

“These are almost gangs,” Varese said. “They are not the individual, lonely, geeky guy in his bedroom that does the activities, but it’s a more organized operation that involves some people with technical skills and some people who are just basically thugs.”

The paper describes a culture of local complacency, often under threat of violence by a network of seasoned cybercriminals. This picture is far from that of the anonymous, faceless hacker many have come to envision, and instead reveals how internet crime can become embedded in specific populations.

“Most people think of cybercrime as being a global, international sort of liquid problem that could be anywhere and could come at you from anywhere,” Varese said. “In fact, the attacks—the cybercrime attacks or the cyber fraud—really come from very few places disproportionately. So cybercrime is not randomly distributed in the world. It’s located in hubs.”

Cultural and Human Factors

I asked Varese two major questions—why Romania and why cybercrime, as opposed to other forms of profitable crime? He responded that a look at the country’s history reveals why, instead of weapons or drugs, criminals in Romania might turn instead to their computers.

“Romania is a very special place. Mainly because, during the dictatorship of Nicolae Ceaușescu—that was the communist dictator that ruled Romania from the 60s to the 90s—he emphasized the importance of technical education, and especially IT,” Varese explained. “There was a very good technical basis among people. When the internet arrived, a lot of Romanians built up their own micro-networks. And so it turns out that when the regime fell, Romania turned out to be a country which was very, very well-connected.”

The high level of technical education, combined with a high level of poverty and a high level of corruption—as shown in the paper, which points out that Romania’s score on Transparency International’s 2016 Corruption Perceptions Index is only 48 out of a possible 100—created a perfect storm for a culture of cybercrime to grow, Varese said.

But Romania is not the only place where cybercrime is highly concentrated and where online activities are strongly tied to offline factors. Varese identifies Vietnam in Asia, Nigeria in Africa and Brazil in the Americas as three other cybercrime hubs. Varese and his coauthor also plan to take their future research to Eastern Europe, where “corruption and the technical and economic legacy of communism” have created “a highly conducive environment for cybercrime,” their paper states.

Varese hopes this sociological research will help authorities recognize and manage the human element of cybercrime that is often ignored in the fight against online threats.”

Read More

HACKERS SPY ON HOTEL GUESTS AND TARGET NORTH KOREAN ORGANIZATIONS

“A security firm linked a recent wave of hacked hotel Wi-Fi networks to one of the groups suspected of breaching the Democratic National Committee during the 2016 presidential election, according to Wired.

The group, known as Fancy Bear or APT28, used tools allegedly stolen from the National Security Agency to conduct widespread surveillance on higher-end hotels that were likely to attract corporate or other high-value targets, the cybersecurity firm FireEye reported. FireEye has “moderate confidence” Fancy Bear was behind such a surveillance campaign in 2016, and others in recent months at hotels in Europe and one Middle Eastern capital. The campaign’s target, however, is unclear.

FireEye said the hackers used phishing emails to spread attachments infected with the alleged NSA exploit EternalBlue. They eventually worked their way to corporate and guest Wi-Fi networks, where they could intercept guest information and collect credentials.

The Wired article suggested travelers should bring their own hotspots and avoid connecting to hotel networks.

Security Researchers: North Korea Hit with Malware Campaign

An unknown group has targeted North Korean organizations with malware that would allow repeated access to systems.

Security researchers say the latest campaign—after a July 3 intercontinental ballistic missile test—is at least the fifth attack in three years, Dark Reading reported. That campaign used a copy-pasted news article about the missile launch to trick recipients into launching the malware, the security firm Talos reported.

At first, the Konni malware used in the campaign only gathered information, but it later evolved to include the ability to remotely take control of some seized accounts, according to Talos and another security firm, Cylance. The malware is capable of logging keystrokes and capturing screens, and it uses advanced techniques to avoid detection, the firms reported.

“The motivation behind these campaigns is uncertain, however it does appear to be geared towards espionage against targets who would be interested in North Korean affairs,” Cylance researchers said.”

View Source

Sanford security company develops alarm system to prevent thefts

SEMINOLE COUNTY, Fla., July 29, 2017 - A Sanford security company said it has come up with a solution to stop thieves from trying to rip people off at the gas station with skimmers, devices used to steal credit and debit card numbers.

Chris Gilpin with SignalVault told Channel 9 anchor Jamie Holmes that he’s developed a device that will sound an alarm if a gas pump is opened.

The alarm alerts gas station owners when someone opens the door on a gas pump to install a skimmer device.

The system also sends out an alert through an app to let the gas station owner know that a particular pump has been compromised.

“The pump can be inspected immediately afterwards and the skimmer can be removed from the gas pump before any credit or debit card numbers are stolen,” Gilpin said.

State investigators announced Wednesday that they’ve seen an increase in the number of skimmers found at gas pumps. Nearly 300 devices have been found in Florida this year, but that number is deceiving, investigators said.

“That doesn’t really cover the scope of how bad it actually is because the gas pumps are only inspected every 12 – 16 months, so there are hundreds more skimmers,” Gilpin said.

Gilpin said the bigger problem is the law. Florida only requires gas station owners to put red tape around the pump access panel and the tape is hardly a real deterrent for a thief.

Gilpin said his device constantly monitors skimming activity and although he’s still in the testing phase, he hopes the state eventually does more to really pump the brakes on this crime.

“We can’t stop these criminals from installing gas station skimmers. However, we can stop those skimmers from stealing credit and debit card numbers,” Gilpin said.

Gilpin will meet with state agriculture officials in a couple of weeks to show off his product.

He’s been on the ABC show “Shark Tank,” and has a similar consumer protection product used by 500,000 people worldwide.

View Source

GLOBAL POLICE SPRING A TRAP ON THOUSANDS OF DARK WEB USERS

“WHEN ALPHABAY, THE world’s largest dark web bazaar, went offline two weeks ago, it threw the darknet into chaos as its buyers and sellers scrambled to find new venues. What those dark web users didn’t—and couldn’t—know: That chaos was planned. Dutch authorities had already seized Hansa, another major dark web market, the previous month.

For weeks, they operated it as usual, quietly logging the user names, passwords, and activities of its visitors—including a massive influx of AlphaBay refugees.

On Thursday, Europol and the US Department of Justice jointly announced the fruits of the largest-ever sting operation against the dark web’s black markets, including the seizure of AlphaBay, a market Europol estimates generated more than a billion dollars in sales of drugs, stolen data, and other illegal goods over its three years online. While AlphaBay’s closure had previously been reported as an FBI operation, the agency has now confirmed that takedown, while Europol also revealed details of its tightly coordinated Hansa takeover.

With Hansa also shuttered as of Thursday, the dark web looks substantially diminished from just a few short weeks ago—and its denizens shaken by law enforcement’s deep intrusion into their underground economy.

“This is likely one of the most important criminal cases of the year,” attorney general Jeff Sessions said in a press conference Thursday morning. “Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe. You cannot hide. We will find you, dismantle your organization and network. And we will prosecute you.”

The Sting

So far, neither Europol nor the Department of Justice has named any of the administrators, sellers, or customers from either Hansa or AlphaBay that they plan to indict. The FBI and DEA had sought the extradition from Thailand of one AlphaBay administrator, Canadian Alexandre Cazes, after identifying him in an operation they called Bayonet. But Cazes was found hanged in a Bangkok jail cell last week in an apparent suicide.

Still, expect plenty of prosecutions to emerge from the double takedown of Hansa and AlphaBay, given the amount of information Dutch police could have swept up in the period after AlphaBay’s closure.

“They flocked to Hansa in their droves,” said Interpol director Rob Wainwright. “We recorded an eight-times increase in the number of new users on Hansa immediately following the takedown of Alphabay.” The influx was so large, in fact, that Hansa put up a notice just last week that it was no longer accepting new registrations, a mysterious development given that Dutch police controlled it at the time.

That surveillance means that law enforcement likely now has identifying details on an untold number of dark web sellers—and particularly buyers. Europol claims that it gathered 10,000 postal addresses of Hansa customers, and tens of thousands of their messages, from the operation, at least some of which were likely AlphaBay customers who had migrated to the site in recent weeks.

Though customers on dark web sites are advised to encrypt their addresses so that only the seller of the purchased contraband can read them, many don’t, creating a short trail of breadcrumbs to their homes for law enforcement when they seize the sites’ servers.”

Read More

This $18 key can protect you from hackers

By now you’ve probably heard you should be using two-factor authentication, often called 2FA, to log in to your accounts. If you’re using 2FA, you need an additional code to access your email, Facebook or other accounts. This is often sent via SMS, which may not be the most secure.

For instance, if you request a texted code, it could be intercepted by someone snooping on your mobile network or a hacker who has convinced a mobile operator to redirect your phone number. Further, when you don’t have cell service, you can’t get the text.

YubiKey, created by Yubico, is one solution. The $18 key connects to a USB port on your computer and tells a service, like Gmail, that you are you.

You simply plug it into your computer, touch it and your identity is authenticated. It automatically creates a one-time-use password to log in to an account, and because it’s a physical key, data can’t be intercepted in transit.

Security researchers say Yubikey is the best method to protect yourself from phishing, a common tactic that tricks a person into thinking a malicious message was sent by someone they trust.

Usually phishing attacks are used to gain access to your personal information, like emails or bank accounts.

Facebook added support for the security key in January.

“We added support for U2F Security Keys because they offer the best possible account protection against the potential risk of phishing,” Facebook security engineer Brad Hill said in a statement to CNN Tech.

It takes just minutes to set it up with services like Facebook and Gmail, which let you add it under Security Settings.

“Security is the biggest issue on the internet,” Yubico CEO Stina Ehrensvard said. “For the internet to be secure … it should be the users who own and monitor and control what data they want to provide.”

Read More

DHS Workers Left Unsecured Laptops and Passwords on Their Desks

Homeland Security Department offices are dropping the ball on information security controls, according to a pair of audits released last week.

Auditors with the firm KPMG walked through offices and cubicles of staff for the DHS chief information officer and chief financial officer after work hours and found unsecured laptops and mobile devices and written down passwords, according to one of the audits.

The inspectors also found unsecured documents marked “for official use only” and documents that contained employees’ or citizens’ personal information, according to the audit, which was performed during the 2016 fiscal year.

The unsecured information was found in three out of 69 workspaces the auditors visited, KPMG said.

The audit also found password configurations used by those officers that didn’t meet departmentwide standards and a plan for configuring access controls for sensitive data that was still in draft form.

A separate audit released Tuesday for DHS’ main cyber division, the National Protection and Programs Directorate, found deficiencies that “limited NPPD’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure their confidentiality, integrity, and availability.”

NPPD couldn’t produce a complete and accurate list of all contractors that stopped serving the division during the 2016 fiscal year, according to the audit.

The division also didn’t have sufficient controls to monitor when employee and contractor digital accounts were closed or recertified or when a user’s privileges were elevated, the audit found.

The audit also found weaknesses in ways the division scanned its systems for digital vulnerabilities and found NPPD didn’t fully comply with rules concerning database passwords and elevating user privileges.

View Source

Smile! Your face is changing how you move through the airport

After years of using passports and boarding passes to check bags or board a flight, travelers in Boston and Minneapolis are trying something new: facial recognition identification systems.

This week, Delta is launching a pilot program in Minneapolis-St. Paul where some passengers will check their bags automatically through kiosks that use facial recognition software to identify ticketed passengers.

Meanwhile, JetBlue is boarding some flights in Boston with the passenger identities being confirmed by a facial recognition system before they board the plane.

“We see a future where your face is your passport for travel. Where you can show up in an airport and your face checks you in, your face allows you to drop a bag, and your face allows you to go through the TSA checkpoint and ultimately board a flight,” said Joanna Geraghty, JetBlue executive vice president, customer experience.

The goal is an admirable one: move passengers through airports quicker and with less hassle. For the airlines there is the extra benefit of freeing up gate workers and those staffing ticket counters to focus on passengers who need more attention.

“It frees up the personnel that we have, to be able to deal with customers when they really need that human heart to empathize and understand,” said Gareth Joyce, senior vice president of airport customer service at Delta.

How do the new facial recognition systems work?

At Delta’s hub in the Twin Cities, passengers use self-serve kiosks to check in, get a luggage tag and tag their bag. After that, they take it to a self bag check terminal, scan their boarding pass and look into the camera screen to confirm their identity. If everything matches, they put their bag on the carousel and it will head on its way to the plane, while passengers walk to the security checkpoint.

JetBlue’s facial recognition system is used at the gate where passengers board a flight to Aruba.

Read More

How To Know Which NIST Framework To Use

“One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion.

When President Donald Trump signed the executive order in May, it included the requirement that federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework, which all federal agencies have been required to follow since its 2010 introduction.

To put it succinctly, they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.

NIST CSF Overview

The NIST CSF was released in February 2014 in response to a 2013 executive order that called for a voluntary framework of industry standards and best practices to help organizations manage cybersecurity risk.

The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

The heart of the NIST CSF is the Framework Core, which consists of five functions: identify, protect, detect, respond and recover. The functions and their components aren’t a checklist of actions to be performed in order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk.”

Read More

Texas school police to use drones to keep campuses safe

“School district police officers here completed a months-long drone training program at Sanchez Elementary on Friday.

This spring, Drone Pilot Inc., a Central Texas training firm, trained four officers from the McAllen Independent School District Police Department in the use of drones. The 100-hour training, which began in February, went through various real-life scenarios.

Friday, the officers had their final exam, completing would-be scenarios of search and rescue. Their drone skills were tested on finding a missing child or endangered adult and identifying an unknown object, a skill that could help defuse a bomb scare. Another mission involved hazardous materials, such as an ammonia leak from a car.

Gene Robinson, vice president, co-founder and flight team director of Drone Pilot, said the officers learned to problem solve and worked together in their missions.

“They (officers) will use the skills that we taught them, go out and try to solve,” Robinson said.

The drones will be used for faster response times and for investigative purposes: aerial views of parking lots, reconstructing collisions, looking for evidence at crime scenes, assessing structural damage to buildings after a natural disaster or arson and, most commonly, locating intruders in and around campuses.

“This training will be good for the public to keep them safe,” McAllen ISD Police Sgt. Charles Eric Treviño said. “When you look at it at ground level, it doesn’t look the same when you take it at aerial photographs. It’s different.”

“It’ll take minutes versus possible hours bringing an agency to check it out,” Treviño added about response times.

The drone training was divided into three phases. The introductory section covered legal issues and copyright information. Section two covered the proper usage of equipment and regulations for recording and documenting the missions in logbooks. The final section was team cooperation and following proper procedures before beginning a mission.

Government use of aerial drones became much easier when the Federal Aviation Administration flipped the switch on new regulations last year, prompting some law enforcement agencies to adopt the technology.

The San Marcos Police Department has purchased a drone that will be used for investigations into vehicle crashes involving serious injury or death.

Before the FAA created new regulations last summer, the Austin Fire Department had already been operating drones to monitor and respond to wildfires for more than a year under a rare exemption that made it one of the first public safety agencies in the country allowed to use drones.”

View Source

Congress votes to wipe out landmark internet privacy protections

Congress sent proposed legislation to President Donald Trump on Tuesday that wipes away landmark online privacy protections, the first salvo in what is likely to become a significant reworking of the rules governing internet access in an era of Republican dominance.

In a party-line vote, House Republicans freed internet service providers such as Verizon, AT&T and Comcast of protections approved just last year that had sought to limit what companies could do with information such as customer browsing habits, app usage history, location data and Social Security numbers. The rules had also required providers to strengthen safeguards for customer data against hackers and thieves.

The Senate has already voted to nullify those measures, which were set to take effect at the end of this year. If Trump signs the legislation, as expected, providers will be able to monitor their customers’ behavior online and, without their permission, use their personal and financial information to sell highly targeted ads — making them rivals to Google and Facebook in the $83 billion online advertising market.

The providers could also sell their users’ information directly to marketers, financial firms and other companies that mine personal data — all of whom could use the data without consumers’ consent. In addition, the Federal Communications Commission, which initially drafted the protections, will be forbidden from issuing similar rules in the future.

Search engines and streaming video sites already collect usage data on consumers. But consumer activists claim that internet providers may know much more about a person’s activities because they can see all of the sites a customer visits.

And while consumers can easily abandon sites whose privacy practices they don’t agree with, it is far more difficult to choose a different internet provider, the activists said. Many Americans have a choice of only one or two broadband companies in their area, according to federal statistics.

Advocates for tough privacy protections online called Tuesday’s vote “a tremendous setback for America.”

“Today’s vote means that Americans will never be safe online from having their most personal details stealthily scrutinized and sold to the highest bidder,” said Jeffrey Chester, executive director of the Center for Digital Democracy.

Read More