Archive for 'Technology'

A new study by Maanak Gupta, doctoral candidate at The University of Texas at San Antonio, and Ravi Sandhu, Lutcher Brown Endowed Professor of computer science and founding executive director of the UTSA Institute for Cyber Security (ICS), examines the cybersecurity risks for new generations of smart vehicles, which include both autonomous and internet-connected cars.

“Driverless and connected cars are increasingly becoming a part of our world, where cybersecurity threats are already a reality,” Sandhu said. “It’s imperative that we support research that addresses these concerns and presents a strong, innovative solution.”

Cars with internet connectivity, also known as “connected cars,” offer potential for many conveniences and innovations. They could allow for real-time and location-sensitive communication between drivers or even pedestrians, which could help make the roads safer for both. The connectivity could also allow the cars to capture safety and environmental conditions around the vehicle, including road obstructions and accidents, which also enables real-time vehicle-to-vehicle interaction on the road.

“Connected cars have almost infinite possibilities for creative technological applications,” Gupta said. “Companies could even take advantage of the connectivity to implement location-based marketing tactics, providing drivers with nearby sales and offers.”

However, the researchers caution that as soon as cars are exposed to internet-supported functionality, they are also open to the same cybersecurity threats that loom over other electronic devices, such as computers and cell phones. For this reason, Gupta and Sandhu created an authorization framework for connected cars, which provides a conceptual overview of the various access control decision and enforcement points needed for dynamic and short-lived interactions in the smart car ecosystem.

“There are vulnerabilities in every machine,” said Gupta. “We’re working to make sure someone doesn’t take advantage of those vulnerabilities and turn them into threats. The questions of ‘who do I trust?’ and ‘how do I trust?’ are still to be answered in smart cars.”

Read More

Australia is a bloody long way from the rest of the world. Fly from Los Angeles to Sydney and you’ll be in the air for 13 hours. Tack on five more if you’re starting in New York. And if you’re coming from London, your feet won’t touch the ground for about a day.

The point being, by the time you land in Australia, you’ll be sick of traveling. You’ll want to get out of the airport and to the country’s excellent beaches as quickly as possible.

That’s why Australia’s Department of Home Affairs is at the forefront of smart border control technology. In 2007, the border agency introduced SmartGates, which read your passport, scan your face and verify who you are at the country’s eight major international airports. Built by Portugal’s Vision-Box, the gates get you out of the airport and into Australia with minimum fuss.

Australia wants to make that process even faster.

During May and June 2017, the country tested the world’s first “contactless” immigration technology at Canberra International Airport. The passport-free facial recognition system confirms a traveller’s identity by matching his or her face against stored data. A second trial is set to start in Canberra soon.

Biometrics aren’t just being used at border control. Sydney Airport has announced it’s teaming up with Qantas, Australia’s largest airline, to use facial recognition to simplify the departure process.

Under a new trial, passengers on select Qantas international flights can have their face and passport scanned at a kiosk when they check in. From then on, they won’t need to present their passport to Qantas staff — they’ll be able to simply scan their face at a kiosk when they drop off luggage, enter the lounge and board their flight at the gate. Travellers will still need to go through regular airport security and official immigration processing, but all of their dealings with Qantas can be handled with facial recognition.

Read More

Fingerprint sensors—once a rarity—are now fairly common on smartphones. South Korean researchers have now given the fingerprint scanner an upgrade.

This new scanner is a clear sensory array, meaning that it could be hidden underneath the display rather than accessed as a button. It can also check the temperature of the fingerprint pressing into it to add an extra layer of security, CNET reports.

So why would your phone need to detect your temperature? It’s not for your health. Instead, it helps ensure that someone else isn’t using a fake hand or some other form of artificial fingerprints to get access to your phone.

Researchers from the Samsung Display-UNIST Center at Ulsan National Institute of Science and Technology in South Korea published an article on Tuesday detailing how they developed the sensor.

“This fingerprint sensor array can be integrated with all transparent forms of tactile pressure sensors and skin temperature sensors, to enable the detection of a finger pressing on the display,” the researchers wrote.

The researchers also confirmed that the sensor does this at a resolution that satisfies the FBI’s criteria for extracting fingerprint patterns.

View Source

Not that they knew him personally, but Taylor Huddleston, a 27-year-old from Hot Springs, Arkansas, was for a time very popular among the world’s cyber criminals, thanks to a malicious piece of software he created called NanoCore RAT.

That malware allowed hackers to steal sensitive information from victims’ computers, including account numbers and passwords, and even allowed them to secretly activate the webcams of infected computers to spy on unsuspecting victims.

“Basically, the malicious software compromises victim computers and steals information,” said a special agent from the FBI’s Washington Field Office who investigated the case. “The NanoCore RAT has the ability to control a victim’s computer.”

This type of malware—a Remote Access Trojan (RAT)—is all the more insidious because in most cases victims have no idea their computers have been compromised. According to court documents, NanoCore RAT was used to infect and attempt to infect more than 100,000 computers.

RATs are not only a threat to individual users but to commercial enterprises as well. And if hackers decide to target U.S. infrastructure using this malware, the agent said, “there is a potential for national security implications.”

Huddleston had the skills to develop malicious software. “There are many cyber criminals out in the world,” the agent said. “Many are not sophisticated in terms of developing a new malware. Instead, they would rather purchase malware to carry out their crimes.”

Read More

The Supreme Court says police generally need a search warrant if they want to track criminal suspects’ movements by collecting information about where they’ve used their cellphones.

The justices’ 5-4 decision Friday is a victory for privacy in the digital age. Police collection of cellphone tower information has become an important tool in criminal investigations.

The outcome marks a big change in how police can obtain phone records. Authorities can go to the phone company and obtain information about the numbers dialed from a home telephone without presenting a warrant.

Chief Justice John Roberts wrote the majority opinion, joined by the court’s four liberals.

Roberts said the court’s decision is limited to cellphone tracking information and does not affect other business records, including those held by banks.

He also wrote that police still can respond to an emergency and obtain records without a warrant.

Justices Anthony Kennedy, Samuel Alito, Clarence Thomas and Neil Gorsuch dissented. Kennedy wrote that the court’s “new and uncharted course will inhibit law enforcement” and “keep defendants and judges guessing for years to come.”

The court ruled in the case of Timothy Carpenter, who was sentenced to 116 years in prison for his role in a string of robberies of Radio Shack and T-Mobile stores in Michigan and Ohio. Cell tower records that investigators got without a warrant bolstered the case against Carpenter.

Investigators obtained the cell tower records with a court order that requires a lower standard than the “probable cause” needed to obtain a warrant. “Probable cause” requires strong evidence that a person has committed a crime.

Read More

Apple is closing a security gap that allowed outsiders to pry personal information from locked iPhones without a password, a change that will thwart law enforcement agencies that have been exploiting the vulnerability to collect evidence in criminal investigations.

The loophole will be shut down in a forthcoming update to Apple’s iOS software, which powers iPhones.

Once fixed, iPhones will no longer be vulnerable to intrusion via the Lightning port used both to transfer data and to charge iPhones. The port will still function after the update, but will shut off data an hour after a phone is locked if the correct password isn’t entered.

The current flaw has provided a point of entry for authorities across the U.S. since the FBI paid an unidentified third party in 2016 to unlock an iPhone used by a killer in the San Bernardino, California, mass shooting a few months earlier. The FBI sought outside help after Apple rebuffed the agency’s efforts to make the company create a security backdoor into iPhone technology.

Apple’s refusal to cooperate with the FBI at the time became a political hot potato pitting the rights of its customers against the broader interests of public safety. While waging his successful 2016 campaign, President Donald Trump ripped Apple for denying FBI access to the San Bernardino killer’s locked iPhone.

In a Wednesday statement, Apple framed its decision to tighten iPhone security even further as part of its crusade to protect the highly personal information that its customers store on their phones.

CEO Tim Cook has hailed privacy as a “fundamental” right of people and skewered both Facebook and one of Apple’s biggest rivals, Google, for vacuuming up vast amounts of personal information about users of their free services to sell advertising based on their interests. During Apple’s 2016 battle with the FBI, he called the FBI’s effort to make the company alter its software a “dangerous precedent” in an open letter.

Read More

Today, federal authorities—including the Department of Justice and the FBI—announced a major coordinated law enforcement effort to disrupt international business e-mail compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals.

Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.

A number of cases charged in this operation involved international criminal organizations that defrauded small- to large-sized businesses, while others involved individual victims who transferred high-dollar amounts or sensitive records in the course of business. The devastating impacts these cases have on victims and victim companies affect not only the individual business but also the global economy. Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.

BEC, also known as cyber-enabled financial fraud, is a sophisticated scam that often targets employees with access to company finances and tricks them—using a variety of methods like social engineering and computer intrusions—into making wire transfers to bank accounts thought to belong to trusted partners but that are instead controlled by the criminals themselves. And these same criminal organizations that perpetrate BEC schemes also exploit individual victims—often real estate purchasers, the elderly, and others—by convincing them to make wire transfers to bank accounts controlled by the criminals.

Foreign citizens perpetrate many of these schemes, which originated in Nigeria but have spread throughout the world.

During Operation WireWire, U.S. law enforcement agents executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters. And local and state law enforcement partners on FBI task forces across the country, with the assistance of multiple district attorney’s offices, charged 15 alleged money mules for their roles in defrauding victims.

Read More

Palo Alto is turning to technology in hopes of preventing people from attempting to stand in front of or jump in front of trains traveling through the Peninsula city.

The city has installed thermal imaging-equipped video cameras designed to keep an eye out for people standing or hanging around the tracks at four railroad crossings within city limits.

While the video cameras have already been put in place, the city is still conducting rounds of testing before making the cameras fully operational later this month.

Palo Alto has hired a company to watch the camera feeds from an off-site location and call law enforcement if they spot anything unusual. Those monitoring the camera feeds can also speak via a public address system to alert someone on the tracks that help is on the way.

The Peninsula city has been paying security guards to scan the railroad crossings since about 2009 after a number of teenagers committed suicide on the tracks.

Unlike the human eye, the cameras are able to scan for movement roughly 1,000 feet away from where they are located along the tracks. The cameras can also capture movement when it’s dark, raining or foggy.

“We’re hoping that not only will this provide better monitoring, the ability to see much better down the tracks than the human eye, but also in the long run to provide faster notification to law enforcement and be more cost effective,” Claudia Keith with the city of Palo Alto said.

Read More

“Get down, this is a robbery!” That’s something no bank employee or patron wants to hear. In the past, bank robberies have resulted in thousands, even millions of dollars stolen in cash and gold (although the average yield for a bank robbery in the United States is only about $3,500, according to the FBI).

However, as money has become less physical and more digital, with credit cards and cryptocurrency rapidly replacing cash and coins, bank heists too have evolved from criminals physically breaching the walls of a bank with weapons and physical force, to hackers silently infiltrating the cyber infrastructure and funneling millions into their own accounts.

In one recent heist in Mexico, suspected to be a cyberattack, thieves stole as many as 300 million pesos ($15.4 million) through “phantom orders” to fake accounts, according to Reuters. This week, cybersecurity company Positive Technologies released a report describing how gangs execute sophisticated hacking campaigns against banks by taking advantage of social engineering and flawed security systems. The report also reveals the results of the company’s own penetration tests to show where these institutions may be falling short on protecting their networks and ultimately their funds.

This week I spoke with practice lead for governance, risk and compliance at TrustedSec, Alex Hamerstone, who works closely with large financial institutions doing cyber assessments and developing defense methods based on penetration test results, to gain more insight into bank vulnerabilities and security measures.

Read More

Latest Internet Crime Report Released

Beginning in 2015, the Internet Crime Complaint Center (IC3) forwarded multiple complaints to the FBI’s Houston Field Office regarding fraudulent offers of investment opportunities by perpetrators who impersonated U.S. bank officials and financial consultants over the Internet and telephone. Victims in various countries, including the U.S., were deceived into believing they would receive millions of dollars from joint ventures with certain U.S. banks if they paid up-front fees—ranging from tens of thousands to hundreds of thousands of dollars—to participate. According to court documents, victims lost more than $7 million collectively in this scam.

The complaints submitted by victims to the IC3 helped investigators uncover this elaborate international advance fee and money laundering scheme, and in February of this year, six individuals were federally charged in Houston in connection with the scam.

The IC3, which has received more than 4 million victim complaints from 2000 through 2017, routinely analyzes complaints like these and disseminates data to the appropriate law enforcement agencies at all levels for possible investigation. The IC3 also works to identify general trends related to current and emerging Internet-facilitated crimes, and it publicizes those findings through periodic alerts and an annual report.

And today, the IC3 is releasing its latest annual publication—the 2017 Internet Crime Report—which reveals that the center received more than 300,000 complaints last year with reported losses of more than $1.4 billion.

Read More