Cybercrime Week in Review 31 October 2015
CISO’s Guide to Spear Phishing Defense Podcast (#PhishLabs)
Everyone’s talking about business email compromise, but what they aren’t talking enough about is what’s at the root of these attacks – spear phishing. Joseph Opacki of PhishLabs discusses how security leaders must respond to the threat.
Scammers up Their Game with New BEC Attacks (#PhishLabs)
BEC is an acronym for “business email compromise.” BEC refers to social engineering attacks used to convince those in charge of finances at an organization to send large payments to the scammers. These attacks are carried out over email conversations initiated by the scammer who spoofs the identity of an executive at the organization.
The Dridex botnet is running again (#CSO Online)
Spam emails containing the Dridex malware are being seen almost daily despite the arrest of one of its key operators in August.
CCTV cameras worldwide used in DDoS attacks (#ZDNet)
In the past year, we’ve seen refrigerators being hacked, Jeeps being remotely controlled by attackers while the driver is a helpless passenger, and everything from baby monitors to routers being criticized for poor security which can place not only our Internet of Things (IoT) devices at risk, but our personal privacy and security.
TalkTalk Hack: UK Police Bust Teenage Suspect (#Bank Info Security)
TalkTalk has warned that the hack may have resulted in personal data on up to 4 million subscribers being stolen. The company recently confirmed that it received a ransom demand from the alleged hacking group behind the attack.
Police nab 9 for allegedly spoofing bank employees in £60 million scam (#Naked Security)
UK police have busted nine people over allegedly spoofing phone calls from victims’ banks to drain them of a total of £60 million ($92 million).
Library of Congress Says It’s OK to Hack Your Car (#Wired)
Car hackers rejoice: today the Library of Congress approved copyright law exemptions that will allow you to modify the software on your car for purposes of security research, maintenance, or repair. The catch is that the exemptions don’t take effect for another year.
Australian Federal Police cast net over Xero phishers (#The Register)
The Australian Federal Police is investigating phishing attacks against accountants that, some say, have seen thousands lifted from bank accounts.
Biggest Free Hosting Company Hacked; 13.5 Million Plaintext Passwords Leaked (#The Hacker News)
The world’s most popular Free Web Hosting company 000Webhost has suffered a major data breach, exposing more than 13.5 Million of its customers’ personal records.
Second teenage boy arrested in connection with TalkTalk hack (#CNET)
Police arrested a second teenage boy in London on Thursday over a cyberattack on UK broadband provider TalkTalk.
Cybersecurity Information (Over)Sharing Act? (#KrebsOnSecurity)
The U.S. Senate is preparing to vote on cybersecurity legislation that proponents say is sorely needed to better help companies and the government share information about the latest Internet threats. Critics of the bill and its many proposed amendments charge that it will do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions that are ripe for privacy abuses. What follows is a breakdown of the arguments on both sides, and a personal analysis that seeks to add some important context to the debate.
In other Security News…
TalkTalk Receives Ransom, CISA Advances, Researcher Hacks Fitbit Tracker
UK-based telecommunications provider TalkTalk announced it was hit by a “significant and sustained cyber attack,” which may have led to the theft of personal and financial information from its four million customers. According to reports, a TalkTalk spokesperson said on Friday that the company had received a ransom demand from an unidentified party for the attack. Although investigations are ongoing, the firm stated it believed the financial information that was potentially accessed to be “materially lower than initially believed, and would on its own not enable a criminal to take money from [a customer’s account].” The incident marks the third time this year that the company has been targeted.
The U.S. Senate voted in favor of advancing the Cybersecurity Information Sharing Act (CISA), which could allow companies and the government to share information about hacking attacks amongst each other, without fear of lawsuits. Reuters reported the White House said in a statement that it supports the bill but wants the Department of Homeland Security to be charged with running the information-sharing system, and would “strongly oppose” any amendments to the bill to expand exceptions. Major tech companies, including Apple, Google, Facebook and Twitter, have shown strong disapproval of the bill, saying it fails to protect users’ privacy.
French Prime Minister Manuel Valls announced the launch of the country’s new digital security strategy, which it says will help establish a collaborative and coordinated effort to better protect its citizens and address cyber threats. The national strategy comprises five objectives covering, among other aspects, the country’s fundamental interests; defense and security of critical infrastructures; digital trust and privacy; and awareness and education.
A teenage hacker claimed to have broken into the personal email account of CIA Director John Brennan, which reportedly included sensitive documents, such as Social Security numbers and personal information of more than a dozen top American intelligence officials. The alleged hacker posted several screenshots of sensitive information on Twitter, including Brennan’s alleged contact list and cell phone bill. Federal law enforcement is investigating the issue.
A security researcher claimed to have found a way to exploit a vulnerability in Fitbit fitness trackers and subsequently deliver malware to a target device – such as a laptop or PC – in less than 10 seconds. Axelle Apvrille of Fortinet described the scenario, saying:
“An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near.”
Fitbit has disputed the findings, however, stating that users remain safe to use their devices.
Facebook said it will begin notifying users if it believes their accounts have been targeted or compromised by an attacker suspected of working on behalf of a nation-state. Alex Stamos, Facebook’s Chief Security Officer, announced the move in a post. “We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” said Stamos.
Notable news stories and security related happenings:
Facebook Appoints Self World Police, Promises State Attack Warnings. “Facebook’s heading into ticklish territory here because China’s recently made it abundantly clear that it is not at all happy at being fingered for attacks. If The Social Network TM starts pointing the finger, it may find itself being rather unhelpful in the wider context of US foreign policy and therefore less likely to be shopped as an exemplar of US ingenuity.” (Source: #The Register)
Security Professionals Agree Vulnerability Sharing Beneficial, Wary On Implementation. “While the majority of information security professionals agree on the benefits of sharing threat intelligence, most will share only amongst a trusted peer community (49.3 percent) and others only internally (34.3 percent) according to a new survey.” (Source: #Legal Tech News)
Kudos to Adobe. They Patched Flash Quicker Than They Promised. “In a security advisory, Adobe initially said that it hoped to issue a fix for the vulnerability this week (in other words, the week beginning Monday 19th October). However, it actually managed to push out the patch ahead of schedule on Friday 16th October instead.” (Source: #Graham Cluley’s Blog)
Is It Still Possible to Do Phone Phreaking? Yes, with Android on LTE. “Android won’t recognize that a data call is being made and show nothing on a smartphone’s screen. A video call could eat up the victim’s data allowance and potentially garner them a huge bill. The vulnerabilities on the operator side could also lead to some crippling attacks…” (Source: #CSO Online)
Want Some Nuclear Power Plant ‘Zero-Day’ Vulnerabilities? Yours For Just $8,000. “Whilst weaknesses in Apple’s iOS 9 can fetch up to $1 million, flaws in certain industrial control systems that run nuclear power and water plants – known widely as SCADA (Supervisory Control and Data Acquisition) boxes – can be bought for next to nothing, according to a Russian businessman who sells them.” (Source: #Forbes)
Don’t Overdo Biometrics, Expert Warns. “Biometric data such as fingerprint scans is being collected too widely and too casually, according to security company Protegrity USA. […] Meanwhile, FireEye researchers Tao Wei and Yulong Zhang demonstrated the ability to harvest fingerprints on a large scale from some mobile devices at the Black Hat conference this summer.” (Source: #CSO Online)
IBM Runs World’s Worst Spam-Hosting ISP? “Typically, the companies on the receiving end of this criticism are little-known Internet firms. But according to anti-spam activists, the title of the Internet’s most spam-friendly provider recently has passed to networks managed by IBM — one of the more recognizable and trusted names in technology and security.” (Source: #Krebs on Security)
Bump Into Someone and Lose Up to £30 from Your Contactless Card. “Furthermore, the contactless payment process is not supposed to transmit payment information more than about 10cm from a reader – although some researchers have claimed to intercept payment data from further distances.” (Source: #Graham Cluley’s Blog)
Researchers Reveal How Attackers Could Turn Back Internet Time. “NTP is so ubiquitous that most people who use computers rely on it without realizing it. It’s important because Web browsers such as Safari or Chrome rely on a system of certificates to verify that a website claiming to be Amazon.com, for instance, is actually Amazon.com. If those certificates are compromised, they can be revoked – but only until the certificate expires. Turning back the clock on users’ computers is effectively a way to convince computers that an expired – and possibly compromised – certificate is still valid.” (Source: #Christian Science Monitor)
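The clock dependence described in that item, as an added illustration that is not code from the article or from any browser: a certificate validity check that trusts the local clock unconditionally accepts an expired certificate once the clock is rolled back, while a check that also refuses implausible clock values (older than the validating software’s own build date, or a large backward jump since the last known-good time) does not. The certificate window, build-date floor and step limit are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a certificate's validity window (expired as of late October 2015).
SAMPLE_CERT = {
    "subject": "example.test",
    "not_before": datetime(2014, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2015, 6, 30, tzinfo=timezone.utc),
}

# Hypothetical lower bound on "now": the build date of the validating software.
# A clock reporting a time before this cannot be correct, so it is not trusted.
BUILD_TIME_FLOOR = datetime(2015, 10, 1, tzinfo=timezone.utc)

# Largest backward step accepted from a time source without operator review.
MAX_BACKWARD_STEP = timedelta(hours=1)


def cert_is_valid_at(cert, now):
    """Plain validity-period check, as a client performs it against its local clock."""
    return cert["not_before"] <= now <= cert["not_after"]


def clock_is_plausible(now, last_known_good, floor=BUILD_TIME_FLOOR,
                       max_step=MAX_BACKWARD_STEP):
    """Reject a clock older than the software itself or one that jumped back too far."""
    if now < floor:
        return False
    if last_known_good is not None and last_known_good - now > max_step:
        return False
    return True


def validate(cert, now, last_known_good=None):
    """Combine both checks; returns (accepted, reason)."""
    if not clock_is_plausible(now, last_known_good):
        return False, "untrusted clock"
    if not cert_is_valid_at(cert, now):
        return False, "outside validity period"
    return True, "ok"


if __name__ == "__main__":
    real_now = datetime(2015, 10, 31, tzinfo=timezone.utc)
    rolled_back = datetime(2015, 3, 1, tzinfo=timezone.utc)
    print("honest clock:", validate(SAMPLE_CERT, real_now))
    print("naive check, rolled-back clock:", cert_is_valid_at(SAMPLE_CERT, rolled_back))
    print("hardened check, rolled-back clock:", validate(SAMPLE_CERT, rolled_back, real_now))
```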
BlackBerry Promises Robust Security on Android-Based Priv. “BlackBerry is building security right into the handset with a manufacturing process dubbed Root of Trust, which involves injecting cryptographic keys into the device hardware, “providing a secure foundation for the entire platform,” he added. The handset then uses these embedded keys to check every part of the device — from the hardware to its operating system to apps — and ensure they haven’t been tampered with.” (Source: #PC Magazine – UK)
Employee Activities That Every Security Team Should Monitor. “As innocuous as a casual email exchange may seem, the person on the other end might actually be trying to lure employees to share credentials. And even if many work-oriented applications seem to pose no threat to IT, many apps, in fact, are infamous for collecting all kinds of data without an average user’s knowledge.” (Source: #Help Net Security)
CCTV Camera Botnets on the Rise. “The most common reason is that typically products are rushed to market so they can be first on the scene, and not much consideration is invested in giving the device security by design. As a result IoT botnets are now gaining popularity with hackers, with CCTV botnets reported to be among the most common.” (Source: #SC Magazine)
Privacy by Design Does Not Sacrifice Security. “‘You can’t have good privacy without strong security,’ Cavoukian said. ‘If you don’t lead with strong security, you will never have data privacy.’ It’s important to understand that privacy does not equal security, and privacy is not about having something to hide, she added.” (Source: #eSecurity Planet)
Tech-savvy Users are Actually the Worst Offenders. “Even as businesses and the federal government have made cybersecurity a high priority, 93% of office workers engage in some form of unsafe online habits that could jeopardise their employer or their customers, according to Intermedia.” (Source: #Help Net Security)