Tag: Data Protection

By now you’ve probably heard you should be using two-factor authentication, often called 2FA, to log in to your accounts. If you’re using 2FA, you need an additional code to access your email, Facebook or other accounts. This is often sent via SMS, which may not be the most secure.

For instance, if you request a texted code, it could be intercepted by someone snooping on your mobile network or a hacker who has convinced a mobile operator to redirect your phone number. Further, when you don’t have cell service, you can’t get the text.

YubiKey, created by Yubico, is one solution. The $18 key connects to a USB port on your computer and tells a service, like Gmail, that you are you.

You simply plug it into your computer, touch it and your identity is authenticated. It automatically creates a one-time-use password to log in to an account, and because it’s a physical key, data can’t be intercepted in transit.

Security researchers say YubiKey is the best method to protect yourself from phishing, a common tactic that tricks a person into thinking a malicious message was sent by someone they trust.

Usually phishing attacks are used to gain access to your personal information, like emails or bank accounts.

Facebook added support for the security key in January.

“We added support for U2F Security Keys because they offer the best possible account protection against the potential risk of phishing,” Facebook security engineer Brad Hill said in a statement to CNN Tech.

It takes just minutes to set it up with services like Facebook and Gmail, which let you add it under Security Settings.

“Security is the biggest issue on the internet,” Yubico CEO Stina Ehrensvard said. “For the internet to be secure … it should be the users who own and monitor and control what data they want to provide.”

Read More

“A Pennsylvania man who assumed the identity of a baby who died in Texas in 1972 has been arrested on charges of Social Security fraud and aggravated identity theft after the baby’s aunt discovered the ruse on Ancestry.com.

Jon Vincent, 44, was arrested in Lansdale, near Philadelphia, on Monday, but had also lived near Pittsburgh and York, Pennsylvania since 2003 — after first obtaining a Social Security card in the name Nathan Laskoski in 1996, federal prosecutors said. Vincent remained jailed Wednesday, when a federal magistrate ordered him to appear for arraignment May 2.

The real Nathan Laskoski died in December 1972, two months after he was born near Dallas. Vincent stole the dead child’s identity after escaping from a Texas halfway house in March 1996, and used the dead baby’s identity to start another life, prosecutors said. The Texas conviction was for indecency with a child, though the precise sentence Vincent was serving wasn’t immediately clear, said Michele Mucellin, a spokeswoman for the U.S. Attorney’s Office in Philadelphia.

Vincent also lived in Mississippi and Tennessee under his assumed name, holding jobs, getting drivers’ licenses and even getting married and divorced as Laskoski before the scheme unraveled late last year, according to online court records.

That’s when Laskoski’s aunt did a search on Ancestry.com, a genealogy website.

In researching her family tree, Nathan Laskoski’s name came up as a “green” leaf on the website, which led to public records suggesting he was alive. The aunt told Laskoski’s mother, who did more research and learned that someone had obtained a Social Security card under her son’s name in Texas, as well as finding public marriage and divorce records. Laskoski’s mother filed an identity theft complaint with the Social Security Administration.

An investigator from the SSA’s Office of Inspector General took it from there in January, court records show.”

Read More

“A Miami student was sentenced yesterday for cyberstalking on Facebook and Instagram.

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and George L. Piro, Special Agent in Charge, Federal Bureau of Investigation (FBI), Miami Field Office, made the announcement.

Kassandra Cruz, 23, of Miami, Florida, was sentenced by U.S. District Judge Frederico A. Moreno to 22 months in prison, followed by three years of supervised release, a $100 special assessment, and $2,178.32 in restitution, stemming from her conviction on one count of cyberstalking, in violation of Title 18, United States Code, Section 2261(A)(2)(B).

According to court documents, beginning in June 2015, victim “S.B.” received a “friend” request from Cruz on her Instagram and Facebook accounts. In an effort to gain “S.B.’s” friendship, Cruz created a false persona on her Instagram account wherein she portrayed herself as a male who was an active duty U.S. Marine. Under that ruse, “S.B.” accepted the friend request.

From late June 2015 until September 2015, Cruz, posing as Giovanni, “liked” and commented on pictures “S.B.” posted on both her Instagram and Facebook accounts. However, when “S.B.” noticed that Cruz had begun “following” and “liking” all of her friends’ pages and posts, she became suspicious and “blocked” and “unfollowed” Cruz from her social media accounts.

As a result, Cruz threatened that “S.B.” would face repercussions at her job and with her family if she did not comply, and specifically threatened to expose “S.B.’s” past via social media. The threats to “S.B.” persisted from Cruz on social media and later via text messaging, and Cruz ultimately demanded on multiple occasions $100,000 in exchange for no further contact, adding that she “knew where “S.B.’s” family lived and they should watch their backs because someone would be heading to…to deal with them.” In total, “S.B.” received over 900 unwanted calls and text messages since the beginning of 2016, and the extortionate and threatening messages continued until late April 2016. Ultimately, Cruz was arrested and taken into custody during a pre-arranged meeting in Miami.

Mr. Ferrer commended the investigative efforts of the FBI. This case is being prosecuted by Assistant U.S. Attorneys Jodi L. Anton and Francis Viamontes.”

View Source

“Alabama Attorney General Luther Strange, joined by Ozark Police Chief Marlos Walker and Baldwin County Sheriff’s Office representatives, announced the arrests of two individuals for their role in an apparent multi-state debit card skimming scheme that bilked unsuspecting victims in Alabama and surrounding states of thousands of dollars.

On Dec. 21, Reiner Perez Rives, 34, and Eunises Llorca Meneses, 30, both of the Orlando, Florida area, were apprehended by deputies of the Baldwin County Sheriff’s Office and investigators of the Attorney General’s Office.

Rives and Meneses face charges from the Baldwin County Sheriff’s Office for trafficking in stolen identities, identity theft and an illegally obtained or an illegally possessed credit card.

Rives also awaits 15 counts of identity theft to be served by the Ozark Police Department. Additional charges may be filed in both jurisdictions and in surrounding states pending further review of recovered evidence and the identification of other victims.

On Dec. 13, the Ozark Police Department contacted investigators of the Alabama Attorney General’s Office seeking assistance in solving approximately eight identity theft cases that had occurred within two days.

Investigators traced five of the thefts to a local gas station where a skimming device wrapped in electrical tape was bundled with wires inside a gas pump. The two suspects were later identified after one of the victim’s debit cards was traced to an unauthorized purchase at a Bristol, Virginia, gas station.

A surveillance video of the suspect’s license plate revealed a rental car linked to Rives. Attorney General investigators, working with the Ozark Police Department, tracked Rives and Meneses to Texas.

The suspects were apprehended as they traveled back through Alabama by the Baldwin County Sheriff’s Office which was alerted by the Attorney General’s Office.

The Baldwin County Sheriff’s Office and agents of the Attorney General’s Office seized from the suspects $6,490 in cash, 39 stolen debit card numbers with PINs and an additional 315 gift cards with an undetermined amount of personal information. Rives and Meneses are currently being held in the Baldwin County jail.”

Read More

“The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.”

Read More

Safe Online Surfing Internet Challenge

What do more than 870,000 students across the nation have in common?

Since 2012, they have all completed the FBI’s Safe Online Surfing (SOS) Internet Challenge. Available through a free website at https://sos.fbi.gov, this initiative promotes cyber citizenship by teaching students in third through eighth grades how to recognize and respond to online dangers through a series of fun, interactive activities.

Anyone can visit the website and learn all about cyber safety, but teachers must sign up their school to enable their students to take the exam and participate in the national competition. Once enrolled, teachers are given access to a secure webpage to enroll their students (anonymously, by numeric test keys) and request their test scores. E-mail customer support is also provided. Top-scoring schools each month are recognized by their local FBI field office when possible. All public, private, and home schools with at least five students are welcome to participate.

Now entering its fifth season, the FBI-SOS program has seen increased participation each year. From September 2015 through May 2016, nearly a half-million students nationwide finished the activities and took the exam. We look forward to even more young people completing the program in the school year ahead. The challenge begins September 1.

Read More

“Today, the FBI’s Internet Crime Complaint Center (IC3) is embarking on a campaign to increase awareness of the IC3 as a reliable and convenient reporting mechanism to submit information on suspected Internet-facilitated criminal activity to the FBI. As part of the campaign, digital billboards featuring the IC3’s contact information are being placed within the territories of a number of Bureau field offices around the country.

While the number of complaints being reported to the IC3 did increase in 2015 from the previous year, anecdotal evidence strongly suggests that there are many other instances of actual or suspected online frauds that are not being reported, perhaps because victims didn’t know about the IC3, were embarrassed that they fell victim to a scammer, or thought filing a complaint wouldn’t make a difference. But the bottom line is, the more complaints we receive, the more effective we can be in helping law enforcement gain a more accurate picture of the extent and nature of Internet-facilitated crimes—and in raising public awareness of these crimes.

The FBI field offices taking part in the billboard campaign include Albany, Buffalo, Kansas City, Knoxville, New Orleans, New York City, Phoenix, Oklahoma City, Salt Lake City, and San Diego. They were selected because they house multi-agency cyber task forces that participate in an IC3 initiative called Operation Wellspring. This initiative connects state and local law enforcement with federal cyber resources and helps them build their own cyber investigative capabilities, which is important because not all Internet fraud schemes rise to the level necessary to prosecute them federally. We hope to expand Operation Wellspring to other FBI offices in the future.”

Read More

Cyber criminals who have forced U.S. hospitals, schools and cities to pay hundreds of millions in blackmail or see their computer files destroyed are now targeting the unlikeliest group of victims — local police departments.

Eastern European hackers are hitting law enforcement agencies nationwide with so-called “ransomware” viruses that seize control of a computer system’s files and encrypt them. The hackers then hold the files hostage if the victims don’t pay a ransom online with untraceable digital currency known as Bitcoins. They try to maximize panic with the elements of a real-life hostage crisis, including ransom notes and countdown clocks.

If a ransom is paid, the victim gets an emailed “decryption key” that unlocks the system. If the victim won’t pay, the hackers threaten to delete the files, which they did last year to departments in Alabama and New Hampshire. That means evidence from open cases could be lost or altered, and violent criminals could go free.

Since 2013, hackers have hit departments in at least seven states. Last year, five police and sheriff’s departments in Maine were locked out of their records management systems by hackers demanding ransoms.

Ransomware crimes on all U.S. targets are soaring. In just the first three months of 2016, attacks increased tenfold over the total for the entire previous year, costing victims more than $200 million. Authorities stress that this number only represents known attacks. One federal law enforcement official told NBC News that the “large majority” of attacks go unreported.

The viruses – most of which come from Russia and Eastern Europe – are typically so impenetrable that even FBI agents have at times advised victims to just pay up and get their data back.

Read More

“Net scum have bashed florists with distributed denial of service attacks over Valentine’s Day in a bid to extract ransoms, security analysts say.

The attacks affected almost a dozen florists who were customers of security company Incapsula, and likely many others not monitored by the firm.

Security bods Ofer Gayer and Tim Matthews say one of their florist customers received a ransom note after a distributed denial of service attack.

“Of those sites (with inflated traffic), 23 per cent showed a sharp increase in attack traffic,” the pair say.

“There does not appear to be a trend in attacks against all online florists, but rather targeted attacks.”

Some sites received attacks that sent a flood of over 20,000 requests a second. In one instance the content distribution network provider counted the attack as legitimate traffic, bringing down the site “with a great loss of revenue”.

Attackers are in some instances attempting to exploit the Shellshock vulnerability against florists in a bid to breach the sites.

Distributed denial of service attacks are a common extortion tool in the lead up to big public events. Betting companies are understood to routinely pay off attackers who threaten to knock the sites offline during major sporting events.”

View More

Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is a way to shut down malicious servers and infrastructure without affecting innocent users.

Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other DNS malicious traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but not after some posturing in hearings on Capitol Hill, and debate over whether Microsoft was getting too heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is to get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.

View Source