Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For consumers

 

SHARED INTEL: Malware-ridden counterfeit phones place consumers, companies in harm’s way

By Byron V. Acohido

A faked Rolex or Prada handbag is easy enough to acquire on the street in certain cities, and you can certainly hunt one down online.

Now add high-end counterfeit smartphones to the list of luxury consumer items that are being aggressively marketed to bargain-hungry consumers.

Related: Most companies ignorant about rising mobile attacks

While it might be tempting to dismiss the potential revenue lost by Apple, Samsung, HTC and other suppliers of authentic phones, this counterfeit wave is particularly worrisome. The faked phones flooding  the market today are slicker than ever. And, increasingly, they come riddled with some of the most  invasive types of malware.

This is putting consumers and companies in harm’s way through yet another attack vector – one which gives professional hacking collectives another means to compromise online accounts and break into company networks.

“These devices are not safe to do anything on, and they impact everything they touch,” says Ronan Cremin, chief technology officer at Afilias Technologies, a Dublin-based tech vendor that has a unique view of mobile device usage patterns.

I visited with Cremin at Black Hat USA 2019. For a full drill down of our discussion, give a listen to the accompanying podcast.  My takeaways:

Cutting corners

Knock-off smartphones are a much bigger problem than most folks realize. An estimated 180 million counterfeit mobile phones are sold globally each year, representing a potential loss of $50 billion to device manufacturers, according to a study by the EU’s Intellectual Property Office.

Such phones have been around for a few ears, and the latest iterations are getting nearly impossible to distinguish from the genuine article, Cremin told me. Packaging is spot on: all expected accessories, including headphones, chargers, cables and user guides are typically included. Outwardly, the look-and-fell is amazing: fit and finish and the user interface are indistinguishable from the genuine article. The big clue that it’s a fake is the asking price, which is typically a tenth or less of what you’d expect to pay.

Ah, but on the inside, that is where all the corners get cut. A favorite sleigh-of-hand is to display bogus specs for the make, model, RAM, storage and CPU core. Under the covers, the main components typically will be several generations old. …more

MY TAKE: A primer on how ransomware arose to the become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related:  ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to have allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure,  Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently,  the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit  against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

MY TAKE: How state-backed cyber ops have placed the world in a constant-state ‘Cyber Pearl Harbor’

By Byron V. Acohido

Cyber espionage turned a corner this spring when Israeli fighter jets eradicated a building in the Gaza Strip believed to house Hamas cyber operatives carrying out attacks on Israel’s digital systems.

Related: The Golden Age of cyber spying is upon us.

That May 10th  air strike by the Israel Defense Force marked the first use of military force in direct retaliation for cyber spying. This development underscores that we’re in the midst of a new age of cyber espionage.

This comes as no surprise to anyone in the military or intelligence communities. State-sponsored cyber operations have been an integral part of global affairs for decades. And, in fact, cyber ops tradecraft has advanced in sophistication in lock step with our deepening reliance on the commercial Internet.

Here are a few things everyone should know about the current state of government-backed cyber ops.

Russia’s tradecraft

A lot of dots have been connected recently with respect to Russia’s cyber spying, initially thanks to Barack Obama’s leveling of sanctions on Russia for interfering in the 2016 U.S. presidential elections. Among more than two dozen Russians named as co-conspirators by the Obama sanctions were a pair of notorious cyber robbers, Evgeniy Bogachev of Russia and Alexsey Belan of Latvia.

At the time, both were well-known to the FBI as profit-motivated cyber thieves of the highest skill level. Bogachev led a band of criminals that used the Gamover Zeus banking Trojan to steal more than $100 million from banks and businesses worldwide. Then somewhere along the way, Bogachev commenced moonlighting as a cyber spy for the Russian government.

The Obama sanctions helped security analysts and the FBI piece together how Bogachev, around 2010, began running unusual searches on well-placed PCs he controlled, via Gameover Zeus infections. Bogachev’s searches explicitly sought out intelligence of direct strategic benefit to Russia – just prior to Russia making adversarial moves in the Republic of Georgia, the Ukraine and Turkey, respectively.

Meanwhile, details of Alexsey Belan’s Russian-backed escapades came to light in March 2017 when the FBI indicted Belan and three co-conspirators in connection with hacking Yahoo to pilfer more than 500 million email addresses and gain deep access to more than 30 million Yahoo accounts.

The Obama sanctions ultimately linked both Bogachev and Belan to the hack of the Democratic National Committee and several other organizations at the center of the 2016 U.S. presidential elections. The pair were not the first private-sector cybercriminals recruited to serve as Russian assets, and very likely won’t be the last, said Bryson Bort, CEO of security company SCYTHE, a supplier of attack simulation systems.

“Russia explicitly recruits folks already engaged in criminal activities, and once recruited, they are contracted and connected to military organizations for direction and oversight,” Bort told me. “Those activities have criminal end-goals of corporate espionage and theft, but to be clear, they are government-directed.”

Both Bogachev and Belan remain on the FBI’s most wanted cybercriminals list: Bogachev with a $3 million bounty and Belan with a $100,000 bounty. The assumption is that they both reside in Russia under the protection of the Russian government.

“We have not effectively deterred Russia, as a nation, from executing these operations,” Bort said. “So we can expect them to continue to recruit criminal hackers, grow their capabilities, and continue to use them.”

China’s tradecraft

It’s fully expected that Russia’s cyber spying will continue to revolve around spreading propaganda and influencing elections, as well as maneuvering for footholds, in critical infrastructure and financial systems, in order to put Russia into an improved position from which to manipulate global politics of the moment.

By contrast China takes a long view, as explicitly outlined in its Made in China 2025 manifesto. China has been taking methodical steps to transform itself from the source of low-end manufactured goods to the premier supplier of high-end products and services.

…more

NEW TECH: Early adopters find smart ‘Zero Trust’ access improves security without stifling innovation

By Byron V. Acohido

As we approach the close of the second decade of the 21st century, it’s stunning, though perhaps not terribly surprising, that abused logon credentials continue to fuel the never-ending escalation of cyber attacks.

Related: Third-party risks exacerbated by the ‘gig economy’

Dare we anticipate a slowing — and ultimately the reversal – of this trend? Yes, I believe that’s now in order.

I say this because tools that give companies the wherewithal to make granular decisions about any specific access request – and more importantly, to react in just the right measure — are starting to gain notable traction.

For the past four years or so, leading security vendors have been championing the so-called Zero Trust approach to network architectures. All of this evangelizing of a “never trust, always verify” posture has incrementally gained converts among early-adopter enterprises.

PortSys is a US-based supplier of advanced identity and access management (IAM) systems and has been a vocal proponent of Zero Trust.  I recently had the chance to visit with PortSys CEO Michael Oldham, and came away with a better grasp of how Zero Trust is playing out in the marketplace.

He also reinforced a notion espoused by other security vendors I’ve interviewed that Zero Trust is well on its way to being a game changer. Key takeaways from our discussion:

Entrenched challenges

It takes a cascade of logons to interconnect the on-premises and cloud-based systems that enterprises rely on to deliver digital commerce as we’ve come to know and love it. And it remains true that each digital handshake is prone to being maliciously manipulated by a threat actor, be it a criminal in possession of stolen credentials or a disgruntled insider with authorized access.

To be sure, advances have come along in IAM technologies over the past two decades. Yet, high-profile breaches persist. Some 78% of networks were breached in 2018, based on CyberEdge’s poll of IT pros in 17 countries. What’s more, an IBM/Ponemon study pegs the global average cost of a data breach at $3.86 million, and predicts a 28 percent likelihood of a victimized organization sustaining a recurring breach in the next two years.

This has to do with entrenched investments in legacy security systems, such as traditional firewalls and malware detection systems that were originally designed to protect on-premise systems. As remote access, mobile devices and cloud computing …more

MY TAKE: Let’s not lose sight of why Iran is pushing back with military, cyber strikes

By Byron V. Acohido

It is not often that I hear details about the cyber ops capabilities of the USA or UK discussed at the cybersecurity conferences I attend.

Related: We’re in the golden age of cyber spying

Despite the hush-hush nature of Western cyber ops, it is axiomatic in technology and intelligence circles that the USA and UK possess deep hacking and digital spying expertise – capabilities which we regularly deploy to optimize our respective positions in global affairs.

Last week, President Trump took an unheard of step: he flexed American cyber ops muscle out in the open. An offensive cyber strike by the U.S. reportedly knocked out computing systems controlling Iranian rocket and missile launchers, thus arresting global attention for several news cycles.

“The digital strike against Iran is a great example of using USCYBERCOM   as a special ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus,” observes Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based supplier of IoT and industrial control system security technologies.

Some context is in order. Trump’s cyber strike against Iran is the latest development in tensions that began in May 2018, when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past year steadily escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

Iran pushes back

This, of course, has pushed Iran into a corner, and forced Iran to push back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal.  Let’s not forget that a  hard-won stability was in place, prior to Trump choosing to stir the pot.

Today, Iran is scrambling for support from whatever quarter it can get it. It’s moves, wise or unwise, are quite clearly are calculated to compel European nations to weigh in on its behalf. However, many of Iran’s chess moves have also translated into fodder for Trump to stir animosity against Iran. …more

BEST PRACTICES: Do you know the last time you were socially engineered?

By Byron V. Acohido

This spring marked the 20th anniversary of the Melissa email virus, which spread around the globe, setting the stage for social engineering to become what it is today.

The Melissa malware arrived embedded in a Word doc attached to an email message that enticingly asserted, “Here’s the document you requested . . . don’t show anyone else;-).” Clicking on the Word doc activated a macro that silently executed instructions to send a copy of the email, including another infected attachment, to the first 50 people listed as Outlook contacts.

What’s happened since Melissa? Unfortunately, despite steady advances in malware detection and intrusion prevention systems – and much effort put into training employees – social engineering, most often in the form of phishing or spear phishing, remains the highly effective go-to trigger for many types of hacks.

Related: Defusing weaponized documents

Irrefutable evidence comes from Microsoft. Over the past 20 years, Microsoft’s flagship products, the Windows operating system and Office productivity suite, have been the prime target of cybercriminals. To its credit, the software giant has poured vast resources into beefing up security. And it has been a model corporate citizen when it comes to gathering and sharing invaluable intelligence about what the bad guys are up to.

Threat actors fully grasp that humans will forever remain the weak link in any digital network. Social engineering gives them a foot in the door, whether it’s to your smart home or the business network of the company that employs you.

Attack themes

A broad, general attack will look much like Melissa. The attacker will blast out waves of email with plausible subject lines, and also craft messages that make them look very much like they’re coming from someone you might have done business with, such as a shipping company, online retailer or even your bank.

Some common ones in regular rotation include: a court notice to appear; an IRS refund notice; a job offer from CareerBuilder; tracking notices from FedEx and UPS; a DropBox link notice; an Apple Store security alert; or a Facebook messaging notice.

…more