US Customs and Border Protection reportedly suspends subcontractor over cyberattack

The US Customs and Border Protection has reportedly suspended a subcontractor following a “malicious cyberattack” in May that caused it to lose photos of travelers into and out of the country. Perceptics, which makes license plate scanners and other surveillance equipment for CBP, has been suspended from contracting with the federal government, The Washington Post reported Tuesday.

On June 12, CBP had confirmed that in violation of its policies, a subcontractor had “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.” The subcontractor’s network was then compromised by a cyberattack that affected under 100,000 people who entered and exited the US in a vehicle through several specific lanes at one land border during a 1.5-month period.

Federal records showed CBP officials citing “evidence of conduct indicating a lack of business honesty or integrity,” Washington Post reported.

Passports and travel document photos weren’t taken in the cyberattack, but it was reported later in June that the hackers stole sensitive CBP data from Perceptics, including government agency contracts, budget spreadsheets and even PowerPoint presentations.

Read More

Cellebrite Cracks All iOS Devices, Company Announces

The “arms race” of mobile forensics – ever-tougher encryption and the breakneck operations to crack it – has become more of a public tug-of-war than ever before.

Cellebrite, the largest player in the mobile-forensics industry, unveiled its UFED Premium last Friday. Along with the announcement came the bombshell: that it can now get into any Apple iOS device, and many of the high-end Android devices.

“An exclusive solution for law enforcement to unlock and extract data from all iOS and Android devices,” the company said in a tweet.

Those devices have historically been the toughest to crack, and Cellebrite’s newfound ability to perform a full file-system extraction on any iOS device in particular would allow law enforcement “to get much more data than what is possible through logical extractions and other conventional means.”

“Our certified forensic experts can also help you gain access to sensitive mobile evidence from several locked, encrypted or damaged iOS and Android devices using advanced in-lab only techniques,” the company added in its Friday announcement.

The latest tool works on Apple devices running anything from iOS 7 to iOS 12.3, according to the company. Among the Android devices covered are the Samsung S6, S7, S8, and S9. Also supported are the most popular models of Motorola, Huawei, LG and Xiaomi.

The announcement follows the highly publicized breakthrough of the GrayKey devices made by Grayshift more than a year ago. The GrayKey tool had exploited a low-power loophole in some iOS systems, one expert explained to Forensic Magazine. But Apple shipped a fix late last year that cuts off data connections through the Lightning port once the phone has been locked for a while, so the device has to be unlocked before a newly attached computer or accessory can talk to it. Since then, GrayKey has made some inroads on some Apple devices, but not all of them, according to experts.

Read More

Fake Microsoft employee scams $25k from couple in remote access heist

Computer hackers pretending to be from a giant tech company are calling consumers, and gaining access to their bank accounts. One hacker even swindled nearly $25,000 from one local couple.

“They’re so savvy that they can get into your computers and figure out passwords just by the click of the keys,” said Nancy Isdale.

Isdale and her husband George say they thought they were getting money from Microsoft until they were swindled out of $24,600. The hacker, who told the couple his name was Sean, made it seem like he was a tech support expert and that he was refunding the couple $400 on behalf of Microsoft, but instead he was fooling them into giving him remote access to their computer.

“Once they get into the computer you can see the mouse going around so they are into your computer,” explained George.

The couple said the scammer then got at their money by offering to help them set up online access for all of their bank accounts, which handed him control of those accounts.

“So that’s what they did, they took the money out of my savings, [and] put it in his checking account,” said Nancy.

Without them knowing, “Sean” took $25,000 from Nancy’s savings account and transferred it to George’s checking. Then the scammer said he mistakenly gave George a $25,000 Microsoft credit instead of that $400 credit, and that George needed to send $24,600 back.

“He was like crazy, he was like ‘oh my god this isn’t your money this is Microsoft’s money you need to get to the bank right away and wire transfer this’,” said Nancy.

What they ended up doing was sending their own hard-earned money to that scammer in Bangkok, Thailand.

“You know I was nervous, I didn’t want to be responsible for $25,000 dollars to Microsoft so, you know, we went to the bank,” explained Nancy.

Just when they thought it was the end of it, the thief called them back a few days later demanding even more money.

“He wanted us to send $40,000 to Bangkok Thailand again,” explained Nancy.

Read More

An $80 Million Cyber Crime in 1999 Foreshadowed Modern Threats

Two decades ago, computer viruses—and public awareness of the tricks used to unleash them—were still relatively new notions to many Americans.

One attack would change that in a significant way.

In late March 1999, a programmer named David Lee Smith hijacked an America Online (AOL) account and used it to post a file on an Internet newsgroup named “alt.sex.” The posting promised dozens of free passwords to fee-based websites with adult content. When users took the bait, downloading the document and then opening it with Microsoft Word, a virus was unleashed on their computers.

On March 26, it began spreading like wildfire across the Internet.

The Melissa virus, reportedly named by Smith for a stripper in Florida, started by taking over victims’ Microsoft Word program. It then used a macro to hijack their Microsoft Outlook email system and send messages to the first 50 addresses in their mailing lists. Those messages, in turn, tempted recipients to open a virus-laden attachment by giving it such names as “sexxxy.jpg” or “naked wife” or by deceitfully asserting, “Here is the document you requested … don’t show anyone else ;-) .” With the help of some devious social engineering, the virus operated like a sinister, automated chain letter.

The virus was not intended to steal money or information, but it wreaked plenty of havoc nonetheless. Email servers at more than 300 corporations and government agencies worldwide became overloaded, and some had to be shut down entirely, including at Microsoft. Approximately one million email accounts were disrupted, and Internet traffic in some locations slowed to a crawl.

Within a few days, cybersecurity experts had mostly contained the spread of the virus and restored the functionality of their networks, although it took some time to remove the infections entirely. Along with its investigative role, the FBI sent out warnings about the virus and its effects, helping to alert the public and reduce the destructive impacts of the attack. Still, the collective damage was enormous: an estimated $80 million for the cleanup and repair of affected computer systems.

Finding the culprit didn’t take long, thanks to a tip from a representative of AOL and nearly seamless cooperation between the FBI, New Jersey law enforcement, and other partners. Authorities traced the electronic fingerprints of the virus to Smith, who was arrested in northeastern New Jersey on April 1, 1999. Smith pleaded guilty in December 1999, and in May 2002, he was sentenced to 20 months in federal prison and fined $5,000. He also agreed to cooperate with federal and state authorities.

The Melissa virus, considered the fastest spreading infection at the time, was a rude awakening to the dark side of the web for many Americans. Awareness of the danger of opening unsolicited email attachments began to grow, along with the reality of online viruses and the damage they can do.

Read More

Members of APT 10 Group Targeted Intellectual Property and Confidential Information

Two Chinese men have been charged in a massive, years-long hacking campaign that stole personal and proprietary information from companies around the world, the FBI and the Justice Department announced at a press conference today in Washington, D.C.

The men, Zhu Hua and Zhang Shilong, are part of a group known as Advanced Persistent Threat 10, or APT 10, a hacking group associated with the Chinese government. A New York grand jury indicted the pair for conspiracy to commit computer intrusion, conspiracy to commit wire fraud, and aggravated identity theft. The indictment was unsealed today.

According to the indictment, from around 2006 to 2018, APT 10 conducted extensive hacking campaigns, stealing information from more than 45 victim organizations, including American companies. Hundreds of gigabytes of sensitive data were secretly taken from companies in a diverse range of industries, such as health care, biotechnology, finance, manufacturing, and oil and gas.

FBI Director Christopher Wray described the list of companies, not named in the indictment, as a “Who’s Who” of the global economy. Even government agencies like NASA and the Department of Energy were among the victims. The hack is part of China’s ongoing efforts to steal intellectual property from other countries.

“Healthy competition is good for the global economy. Criminal conduct is not. Rampant theft is not. Cheating is not,” Wray said at the press conference.

APT 10 used “spear phishing” techniques to introduce malware onto targeted computers. The hackers sent emails that appeared to be from legitimate addresses but contained attachments that installed a program to secretly record all keystrokes on the machine, including user names and passwords. The group also targeted managed service providers (MSPs), companies that remotely manage their clients’ servers and networks. MSP hacks allowed APT 10 members to indirectly gain access to confidential data of numerous companies who were the clients of the MSPs.

Read More

State-Sponsored Cyber Theft

Nine Iranian citizens—working at the behest of the government of Iran—have been charged in a massive computer hacking campaign that compromised U.S. and foreign universities, private companies, and U.S. government entities, including the Department of Labor and the Federal Energy Regulatory Commission.

The hackers were affiliated with the Mabna Institute, an Iran-based company created in 2013 for the express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions. Members of the institute were contracted by the Islamic Revolutionary Guard Corps—one of several entities within the Iranian government responsible for gathering intelligence—as well as other Iranian government clients.

During a more than four-year campaign, these state-sponsored hackers “compromised approximately 144 U.S.-based universities and 176 foreign universities in 21 countries,” said FBI Deputy Director David Bowdich during a press conference today at the Department of Justice in Washington to announce the indictments. When the FBI learned of the attacks, he said, “we notified the victims so they could take action to minimize the impact. And then we took action to find and stop these hackers.”

Initially, the cyber criminals used an elaborate spearphishing campaign to target the e-mail accounts and computer systems of their victims, which in addition to the universities included nearly 50 domestic and foreign private-sector companies, the states of Hawaii and Indiana, and the United Nations.

According to the indictments unsealed today in a Manhattan federal court, the hackers stole more than 30 terabytes of academic data and intellectual property—roughly three times the amount of data contained in the print collection of the Library of Congress.

“Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on,” said a special agent who investigated the case from the FBI’s New York Division. “That information included access to library databases, white papers, journals, research, and electronic books. All that information and intellectual property was provided to the Iranian government,” he added.

Read More

FBI agrees to help Arkansas prosecutors open iPhone after hack

The FBI has agreed to help prosecutors gain access to an iPhone 6 and an iPod that might hold evidence in an Arkansas murder trial, just days after the agency managed to hack an iPhone linked to the San Bernardino terror attacks, a local prosecutor said Wednesday.

Cody Hiland, prosecuting attorney for Arkansas’ 20th Judicial District, said that the FBI’s Little Rock field office had agreed to help his office gain access to a pair of locked devices owned by two of the suspects in the slayings of Robert and Patricia Cogdell.

It was not immediately clear whether the FBI planned to use the same method it used to access data on Syed Rizwan Farook’s phone. Calls to the FBI’s Little Rock field office were not immediately returned. An FBI spokesman in Washington declined to comment.

The couple were killed in their home just outside Little Rock in July, according to the Associated Press. Four suspects, ages 14 to 18, have been charged in the killings, Hiland said.

Prosecutors asked for a delay in the trial of 18-year-old Hunter Drexler on Tuesday, less than 24 hours after the FBI said it had successfully gained access to an iPhone 5c that Farook used.

Farook and his wife, Tashfeen Malik, carried out the deadly attacks at the Inland Regional Center on Dec. 2, leaving 14 dead and many more wounded. Federal prosecutors went to court to force Apple to help them unlock Farook’s phone, but the historic court battle was staved off earlier this week when a third party helped the FBI gain access to the device.

Read More

PASSWORDS AREN’T THE PROBLEM. YOU ARE.

When you start your first day at Quartz, you get peppered with passwords.

There’s a password to log into your new Mac, which you are immediately prompted to change once you’re up and running. The new password lets you log into your email. Once there, you are invited to join our password-protected CMS, which also requires two-step authentication. It’s not much of an exaggeration to say your first Quartz workday consists largely of password management.

I had that in mind as I helped a new hire settle in on Monday. So I urged him, repeatedly, to take a moment and sign up for a password client that I had used to help me beat my own long-standing struggle with password amnesia: LastPass. For months, the service, which essentially creates an encrypted vault of all your passwords and protects it with a master password, had made my life much better.

Until Tuesday morning. That’s when I received and opened an email from LastPass indicating that the service had been compromised and that some sensitive information, including email addresses and password reminders, had been taken. For its part, LastPass says its “vaults,” where users keep their passwords to various sites and applications, were not compromised.

“So no data stored in your vault is at risk,” officials said. But I still had to explain this to the guy I had convinced to use it less than 24 hours before.

A recent survey commissioned by Telesign—a company that sells two-step verification technology—found that roughly 70% of 2,000 people in the UK and US they surveyed don’t trust that their password will protect them. They shouldn’t. After all, it’s abundantly clear that we are living in an era of profound data insecurity.

I mean, Russian hackers read President Obama’s unclassified email. And just to review, over the last few months alone we’ve learned that hackers have breached not only the White House but also the IRS and the federal government’s Office of Personnel Management, where they perused, among other things, the form people fill out when they apply for security clearances.

What’s more, today we learned that the FBI is investigating front office officials from the St. Louis Cardinals in connection with hacking into the Houston Astros’ “baseball operations database.” The New York Times reports:

Investigators believe Cardinals officials, concerned that [former Cardinals executive, and current Astros general manager Jeff] Luhnow had taken their idea[s] and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

There’s a reason why hackers, whether they are associated with Red China or the St. Louis red birds, aim for passwords. Long ago, we reached the human limits of our ability to remember them. The human mind has pretty strict limitations on remembering long sequences of numbers and letters (essentially about seven items, plus or minus two), and they’re best remembered in familiar chunks, you know, like letters in words. This is why consumers have an average of 24 online accounts but only about six unique passwords, according to the Telesign study.

In other words, passwords aren’t the problem. We are.

And humans will remain the problem until we get to the post-password era.

Over the next few years we’ll increasingly be authenticating ourselves not with passwords but with our fingerprints, faces, irises, retinas, palm prints and speech patterns. But humanity still presents a profound engineering problem.

“Passwords or tokens are easy to change when compromised. But biometric traits are inherent and fixed forever; that is, the biometric data is irrevocable,” wrote academics in a paper published in April.

If you think resetting your password is a pain, try resetting your fingerprint.

Engineers are addressing the problem, coming up with technologies that enable cancelable cryptographic versions of our biometric data that can be reset. But I can’t help but be overcome by the suspicion that the digital world might just work a lot better if it didn’t have to put up with all these people.

View Source

OPM HACK: WHY EMAIL NOTIFICATION MAKES A BAD SITUATION EVEN WORSE

Last week, millions of government employees were probably quite nervous to hear their personal data had been stolen by hackers (likely from China), who gained access to a trove of data from the Office of Personnel Management.

This week, the same office is opening up even more government employees to more risk, based on its response to the breach. OPM announced it will notify all impacted individuals by email, which makes not only the affected individuals, but also anyone else who is worried they might be affected now a ripe target for a phishing attack.

In its announcement, OPM said, “The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach.”

OPM is using a third party, CSID, to manage this communication, and has now, in essence, provided phishers with a blueprint for creating an attack. Of note, CSID does at least publish a DMARC policy, which lets receiving mail servers check that a message claiming to come from csid.com passes SPF or DKIM for that domain, and which sends CSID reports on who is spoofing it. DMARC covers only the exact domain, though; it does nothing against look-alike domains that an attacker registers.

Imagine you have had any kind of interaction with the OPM in the past five years or so. You may be wondering “was I one of the ones compromised?” Soon enough, an email shows up in your inbox, notifying you that you have indeed been breached, and offering credit monitoring and identity protection services. It directs you to a website, where you provide some basic information, including your name, email address, mailing address (and maybe more) and promises the credit and ID monitoring services will start immediately.

But what if you didn’t read the email closely enough? What if it came from opmcio@cdis.com, or from opmcio@cssid.com? What if you never saw the announcement to know exactly what email address you should be looking for?

Now each of these employees has willingly handed over this information to a second group of hackers (this time, through the phishing attack), who likely have different ambitions than China. These hackers can easily keep you placated by sending you false credit report info (hey, your credit still looks great, nothing to worry about here) while destroying your actual credit.
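The look-alike addresses above are exactly the kind of thing a mail filter can catch before a human has to read closely. The following is an added example, not part of the original article and not something OPM or CSID deployed: it compares a From: header against the one sender address OPM announced and reports a look-alike when the real address appears only in the display name, when the domain matches after common character swaps (1 for l, rn for m), when the expected label is embedded in a longer domain, or when the domain is within two edits of csid.com (cdis.com, cssid.com). The sample headers are constructed for the example.

```python
"""Classify a From: header against the single sender address OPM announced.

Added example; not part of the original article or of OPM's or CSID's
process. The expected address is the one quoted in OPM's announcement;
the sample headers at the bottom are constructed for illustration.
"""

EXPECTED_SENDER = "opmcio@csid.com"

# Character swaps that survive a quick glance; applied before comparing.
_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def split_header(from_header: str) -> tuple[str, str]:
    """Return (display_text, address). The address is whatever sits inside
    the last <...>; without angle brackets the whole header is the address.
    Deliberately not email.utils.parseaddr, whose handling of an '@' in
    the display name differs between Python versions."""
    h = from_header.strip()
    if "<" in h and h.endswith(">"):
        display, _, addr = h.rpartition("<")
        return display.strip().strip('"'), addr[:-1].strip().lower()
    return "", h.lower()


def normalize_domain(domain: str) -> str:
    d = domain.lower().rstrip(".")
    for src, dst in _SWAPS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, expected: str = EXPECTED_SENDER) -> str:
    """Return 'expected', 'lookalike' or 'unrelated' for one From: header."""
    display, addr = split_header(from_header)
    if addr == expected:
        return "expected"
    _, _, domain = addr.rpartition("@")
    if not domain:
        return "unrelated"
    exp_domain = expected.rpartition("@")[2]
    # 1. The genuine address is shown in the display name, the real one differs.
    if expected in display.lower():
        return "lookalike"
    nd, ne = normalize_domain(domain), normalize_domain(exp_domain)
    exp_label = ne.split(".")[0]            # "csid"
    # 2. Same domain after homoglyph swaps (cs1d.com), or a different local
    #    part at the right domain, or csid embedded in a longer domain
    #    (csid.com.example.net, csid-alerts.com).
    if nd == ne or exp_label in nd:
        return "lookalike"
    # 3. Registered label within two edits of the real one (cdis, cssid).
    if levenshtein(nd.split(".")[0], exp_label) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed sample headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "opmcio@csid.com",
    "OPM CIO <opmcio@csid.com>",
    "opmcio@cdis.com",
    "opmcio@cssid.com",
    '"opmcio@csid.com" <help@notifications.example>',
    "OPM CIO <opmcio@csid.com.example.net>",
    "OPM CIO <opmcio@cs1d.com>",
    "newsletter@weather.example",
]


def triage(headers: list[str]) -> dict[str, str]:
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:10} {header}")
```

The edit-distance rule is a heuristic and will occasionally flag an unrelated short domain; for a notification that is supposed to come from exactly one address, treating every near miss as suspicious is the right trade-off.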

OPM is in a difficult situation, and is trying to respond as quickly and cost effectively as possible to a massive breach affecting millions of government employees. But it must take a step back and make sure it does not cause greater harm to these employees with its follow-on actions.

Instead, OPM should send notifications via physical mail, or secured Intranet communication. OPM should also provide education to all employees on the risk of phishing attacks.

And finally, OPM should conduct thorough penetration testing of the third-party provider, CSID, to ensure that by handing this project off to another party, it’s not opening up its employees to yet another attack.

View Source

WHITE HOUSE ORDERS ALL FEDERAL SITES GO HTTPS BY THE END OF 2016

In a bid to close potential vulnerabilities in the government’s Web presence, the White House is mandating every public federal website switch to a more secure Internet connection standard within about a year and a half.

The connection technology, Hypertext Transfer Protocol Secure, gives site visitors more privacy and more confidence that they are looking at official government websites. The secure protocol also keeps anyone on the network path from reading or tampering with the pages a user requests.

Come Dec. 31, 2016, every public federal site must be protected with HTTPS.

Today, most of the federal government’s roughly 1,200 websites use HTTP technology, which exposes website content, browser format, search terms and other user information to eavesdroppers.

Anyone observing the network, including an employer or Internet service provider, can see what topics a computer user is interested in. Or instead of just watching traffic, the interloper could redirect the user to fraudulent content.

HTTPS cannot protect Web servers and other networking systems from being hacked, however. For example, HTTPS would not have stopped self-described Syrian government backers from defacing the official website of the U.S. Army earlier Monday. In that instance, Syrian Electronic Army hacktivists broke into a military contractor’s system and posted a message reading, “YOUR COMMANDERS ADMIT THEY ARE TRAINING THE PEOPLE THEY HAVE SENT YOU TO DIE FIGHTING.”

The White House rule will eliminate the burden of deciding what Web content is sensitive enough to merit HTTPS protection and ensure stronger privacy governmentwide, federal Chief Information Officer Tony Scott said in a blog post.

“With this new action, we are driving faster Internetwide adoption of HTTPS and promoting better privacy standards for the entire browsing public,” he said.

The transition to the new format will take elbow grease and money, officials acknowledged. Manual work often is required to transition sites whose pages still pull in external images, scripts and fonts over plain HTTP, for example.
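Most of that manual work is hunting for mixed content: images, scripts, stylesheets, fonts and frames that an otherwise HTTPS page still references over http://, which browsers block outright (scripts, styles, fonts, frames) or, for images and media, load insecurely. The following is an added example, not part of the original article or of the Pulse tooling: it scans one HTML document offline for such references, including font URLs inside inline CSS, and resolves scheme-relative (//host/...) and relative references against the page URL so that only genuine http:// loads are reported. The page URL and HTML are constructed for the example.

```python
"""Find subresources that a page served over HTTPS would still load over HTTP.

Added example; not part of the original article or of any government tool.
The sample page and URL below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in external resources.
_URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "embed": ("src",),
}
# <link> only fetches something for these rel values; canonical etc. do not.
_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}
# Images and media are "optionally blockable" in the Mixed Content spec;
# everything else (scripts, styles, fonts, frames, plugins) is blocked.
_OPTIONALLY_BLOCKABLE = {"img", "audio", "video", "source"}
_CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list[dict] = []
        self._style_chunks: list[str] | None = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._style_chunks = []          # collect inline CSS until </style>
            return
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & _LINK_RELS:
                return
        for name in _URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":             # "url descriptor, url descriptor"
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for raw in urls:
                self._check(tag, name, raw)

    def handle_data(self, data):
        if self._style_chunks is not None:
            self._style_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_chunks is not None:
            for url in _CSS_URL.findall("".join(self._style_chunks)):
                self._check("style", "css-url", url)   # fonts, background images
            self._style_chunks = None

    def _check(self, tag, attr, raw):
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append({
                "tag": tag, "attr": attr, "url": absolute,
                "severity": "insecure" if tag in _OPTIONALLY_BLOCKABLE else "blocked",
            })


def find_mixed_content(html: str, page_url: str) -> list[dict]:
    """Return every http:// resource the page at page_url would try to load."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a page that has moved to HTTPS but was never cleaned up.
SAMPLE_PAGE_URL = "https://agency.example.gov/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://agency.example.gov/">
<script src="//cdn.example/lib.js"></script>
<script src="http://analytics.example/track.js"></script>
<style>@font-face { font-family: f; src: url(http://fonts.example/f.woff2); }</style>
</head><body>
<img src="/img/seal.png">
<img src="http://images.example/banner.jpg"
     srcset="http://images.example/b1.jpg 1x, https://images.example/b2.jpg 2x">
<iframe src="https://video.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{f['severity']:8} <{f['tag']} {f['attr']}> {f['url']}")
```

On the sample page the canonical link, the scheme-relative script, the relative image and the HTTPS frame are all fine; the stylesheet, tracking script and web font are the loads a browser would refuse, and the two image URLs are the ones it would fetch in the clear. External stylesheets need the same url() pass once fetched, which this offline scan does not do.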

The public can see which dot-gov websites are protected with HTTPS by checking an official government website, Pulse, that launched last week. CIA.gov, FTC.gov and HealthCare.gov were early converts to HTTPS. To date, about 160 government sites default to the secure protocol.

There also is a HTTPS help website for federal web managers.

HTTP sites “will not keep pace with privacy and security practices used by commercial organizations,” the HTTPS regulation states. “This leaves Americans vulnerable to known threats, and may reduce their confidence in their government.”

The White House Office of Management and Budget in March first proposed HTTPS requirements.

View Source