Chinese State Hackers are Actively Recruiting Corporate Insiders

The F.B.I. began October 2018 by putting out a plea to U.S. companies: work with us to stop malicious insiders from stealing your secrets and sending them to foreign competitors. To be more specific, stop China from infiltrating your company and stealing your secrets. “It’s no surprise to anyone…that China, in particular, seeks our information, our technology, and our military secrets.” According to F.B.I. Director Christopher Wray, “Every company is a target. Every single bit of information, every system, and every network is a target. Every link in the chain is a potential vulnerability.”

China’s not really making any pretense about being innocent. Their last 5-year plan openly states that it wants to “make breakthroughs in key technologies such as core chips, basic software, key components, and major machinery systems.” And they will do this any way they can, even if it means infiltrating company networks around the world to reach these goals. Sectors that need to be especially on guard include any involved in high tech development, agriculture, healthcare, transportation, manufacturing and communication. Since this includes the constellation of companies that surround all of these sectors, basically nothing is safe.

Wray further elaborates on how the Chinese will use any tactic to get to the information they need. We’re not only talking about cyber attacks here. In one case, the Chinese set up a legitimate-looking company to lure victims to leave a target company. They offered them cash incentives and high paying positions. What did they want? Information on something called syntactic foam. This may seem strange until you realize that such foam is a key component in stealth bombers and ship construction. The compromised employees used their connections with friends in their former company to get the information the Chinese needed.

At times, the Chinese recruitment efforts have not been altogether subtle. In August, LinkedIn announced that it was working with U.S. law enforcement agencies to weed out fraudulent accounts that were being used to recruit some of its members. According to one source, China was using information on the 22 million government workers it stole during the infamous Office of Personnel Management hack of 2014-15 to target LinkedIn members.

Kevin Mallory was one such person. He was recruited through LinkedIn, promised wealth and fame for a few secrets, and is now serving prison time. Here is the profile through which he was recruited.

[Image: LinkedIn profile used to recruit Mallory]

It is not known precisely who contacted Mallory, but the Chinese have a penchant for using attractive women in LinkedIn profile pictures. Here is an example. The photo used can be found on a number of fashion sites. Although she purportedly works in the shipbuilding industry, the most she probably knows about ships is that they are supposed to float.

[Image: LinkedIn profile (Zhu)]

China is also using less obvious ways of getting access to insider information. They are apparently trying to buy it through deep web portals.

Such sites are notoriously hard to find and change their addresses frequently for security reasons. Often, individuals will post on forums either claiming that they have important information for sale or are willing to buy it. One site that I found gives advice to people who want to work for them by selling inside information. Potential insiders will be vetted because the value of information varies, and some may have little use to buyers. They, then, suggest a number of ways to get this valuable information.

Here are some of their suggestions.

Try to get a job in a large company. You can begin by getting an education in a potentially lucrative field, which would be anything connected to technology. Getting into such a large company may give you access to its network and potentially valuable/saleable information. If you are in a large company but do not have such access, try to befriend people who do. “Be genuine and build a rapport. People love to share their successes and failures with their friends. It can be as simple as a quick conversation during a lunch meeting between two well-connected friends. Sometimes, you don’t even need to ask them. One day, they’ll tell you. Just keep your ears and eyes open.”

They suggest attending company events. “Company parties are awesome occasions where the best information is being shared.” This is because, “attendees begin to loosen up as the night goes on and the people love to brag. Reach out to these folks and talk to them when the time is right. It’s easier than you might think. There are many talkative people who will tell you anything about the company.”

And here’s another clever trick the insider spy can use. “You can ‘accidentally forget’ your cell phone in the conference room at the right time.” In other words, you can record what is going on in an important meeting by, in a sense, bugging the room. If caught, you can always say you were recording a meeting you were at and forgot to turn off the recorder. Have them delete anything you recorded to protect yourself.

This website, which I don’t want to advertise any more than I just have, claims they will pay $100,000 a year for a good flow of information. That will certainly make a disgruntled employee consider the risk.

It is no surprise that recruiters, spies, and malicious insiders will go to where the action is. In the U.S., that means Silicon Valley. According to a recent article in Politico, “there’s a full-on epidemic of espionage on the West Coast right now. And even more worrisome, many of its targets are unprepared to deal with the growing threat.” The article quotes a member of the intelligence community who claimed that spies “are very much part of the everyday environment”.

Chinese government officials, or others associated with the Chinese government, are known to pressure Chinese students or Chinese employees of U.S. firms to gather information for them. They may use anything from financial incentives to threats to achieve compliance. They are also known to pressure U.S. citizens of Chinese descent to help them reach their goals. They do this by threatening, either implicitly or explicitly, family members who still reside in China. “You get into situations where you have really good, really bright, conscientious people, twisted by their home government,” commented one chief security officer of a Silicon Valley firm.

As a result of such maneuvers, many Silicon Valley firms claim to be caught in an ethical dilemma. On the one hand, they want to be seen as embracing diversity by hiring Chinese or ethnic Chinese employees, while, on the other, the very diversity they embrace may result in the destruction of their company. Some companies will not allow Chinese or ethnic Chinese employees to work on certain sensitive projects, but, in so doing, they worry about facing charges of racism.

It has long been known that the Chinese government maintains control over Chinese students in the U.S. It is unlikely that they would give up this control when the students graduate and enter U.S. firms. The Chinese are well-aware of the liberal views on diversity prevalent in California universities and Silicon Valley in particular and leverage these views whenever they feel it benefits them. In addition, they have considerable power in influencing government officials and have infiltrated the region’s government at many levels. This linking of political influence and social leverage is a potent combination. If you don’t believe this, remember that San Francisco senator, Dianne Feinstein, had a Chinese spy working as her driver and office director for over 20 years. Remember that Dianne Feinstein is the head of the Senate Intelligence Committee. Need I say more?

So, expect the U.S. intelligence community’s cybersecurity focus to shift from Russia to China. Expect to see more high profile arrests, like the recent arrest of Yanjun Xu, the Chinese intelligence officer who has been extradited to the U.S. for stealing company secrets. The main problem for U.S. intelligence agents, however, is to convince companies, firstly, that a problem exists and, secondly, that embracing diversity could lead to embracing disaster. The entanglement of cybersecurity, politics, and social issues may thwart any attempt at achieving a malicious-insider free workplace. Be advised.

Magecart Malware Steals Credit Card Data from Legitimate Online Payment Forms

Traditional credit card skimmers are physical devices attached to or overlain on ATMs or other credit card terminals. These are still around and some, like the overlay skimmer below which was reported on by Brian Krebs, are quite sophisticated.

[Image: card skimmer]

Once the criminals get your credit card data and your PIN through the skimmer, they can produce a card that can be used to clean out your bank account at, ironically, an ATM.

But skimmers have evolved from the analogue to the digital. Now, criminals can wait for you to fill out a legitimate online shopping payment form and then have the data sent directly to them. In other words, you believe you have had a normal online shopping experience on an https protected site, but, unbeknownst to you, someone, in addition to the company you’re buying from, has received all of your personal information and credit card data. Here is a diagram from Symantec which shows the basic idea behind these attacks, which are sometimes referred to as formjacking.

[Image: formjacking diagram]

These attacks are very effective, and cybersecurity experts have been seeing them increase at a remarkable rate. Within the last few months alone, the Magecart threat group has gleaned the data from hundreds of thousands, perhaps even millions, of credit cards through attacks on Ticketmaster, British Airways, and Newegg. There are, no doubt, other ecommerce sites that are currently leaking customer data without the site owners even knowing it, because the attack vector is so well-disguised.

So how, you may rightly ask, is all of this possible? How can they take control of legitimate payment forms? Well, first of all, they would have to compromise an ecommerce website, which is not necessarily easy. They would have to get access to the site by getting the webmaster’s password or by tricking someone who has it, through a phishing email, to give it to them. The attackers could also find vulnerabilities in plug-ins and leverage them to get control of a site. In any event, once on the site, they could alter the code to make the site perform in the way they want it to.

The organization of such an attack, however, takes a lot of time and it does not come with a guarantee of success. Large sites are often well-protected. Ticketmaster, for example, was not attacked directly but by compromising a third party supplier, Inbenta, a company that designs, among other things, shopping cart code for various ecommerce sites. If Inbenta had access to the Ticketmaster website, an attacker could use this access to alter the code on that site. Once the main Ticketmaster site was breached, the attackers could extend their attack to other points on its worldwide network, which, according to the RiskIQ report on this breach, they probably did.

However, there is an easier way to gain access to a variety of websites, especially if you speak Russian. This is an underground Russian website called MagBo that sells access to over 3000 compromised websites. The price varies with the importance of the site compromised.

[Image: MagBo]

You can see, from the graph supplied by Flashpoint, that the site specializes in selling access to ecommerce sites.

[Image: MagBo graph]

Since the site gives a menu to buyers on how much access they are buying and what vulnerabilities are available, potential attackers can choose which site best suits their hacking methods and goals. The Magecart attack group looks for sites that give them the ability to alter the code on the page that supplies the form that shoppers fill out to get their merchandise.

Without going into technical detail, the injected script would send the information from the form to a site that is made to look like it is connected to the breached site. In the Newegg breach, the information was sent to a site named neweggstats.com. This site was officially registered on August 13th in preparation for the attack. The group also purchased an SSL certificate for the site to make it look more valid (give it an https address). The actual attack began three days later and continued until September 18th.

For those interested, the actual code for this attack is shown below.

[Image: Magecart code]

An important point to note occurs in the second line which shows that the code targeted both computers (mouseup) and mobile devices (touchend). Newegg has released no information as to how many customers were compromised, but since Newegg has an estimated 50 million visitors a month, if we assume only 2% were buyers (a modest estimate), it is not a stretch to assume that over a million customer credit card details were stolen.
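A defensive check for the pattern described above, in which checkout data leaves for a lookalike host such as neweggstats.com: the added example below (not code from the original post or from Newegg) triages Content-Security-Policy violation reports and ranks brand-lookalike destinations first. The allowlist, the payment-provider domain psp.example, the page paths and the sample reports are constructed assumptions.

```javascript
'use strict';

// Assumptions (not from the article): the shop's own registrable domain and one
// constructed payment-provider domain are the only expected destinations.
const CONFIG = {
  allowedDomains: new Set(['newegg.com', 'psp.example']),
  brandLabels: ['newegg'],
  // Directives whose violations can indicate data leaving the page.
  directives: new Set(['connect-src', 'form-action', 'img-src', 'script-src']),
};

// Hostname of a blocked-uri, or null for keywords such as "inline" or "eval".
function hostOf(uri) {
  try {
    return new URL(uri).hostname.toLowerCase() || null;
  } catch (e) {
    return null;
  }
}

// Simplification: last two labels. A production check would use the Public Suffix List.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Levenshtein distance, used to catch one- or two-character typo domains.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// 'allowed' | 'lookalike' (embeds or nearly spells the brand) | 'unknown'.
function classifyHost(host, cfg) {
  if (cfg.allowedDomains.has(registrableDomain(host))) return 'allowed';
  for (const label of host.split('.')) {
    for (const brand of cfg.brandLabels) {
      if (label.includes(brand) || editDistance(label, brand) <= 2) return 'lookalike';
    }
  }
  return 'unknown';
}

// Group legacy report-uri bodies by blocked host; lookalikes sort to the top.
function triage(bodies, cfg = CONFIG) {
  const byHost = new Map();
  for (const body of bodies) {
    const r = body['csp-report'];
    if (!r) continue;
    const directive = (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
    if (!cfg.directives.has(directive)) continue;
    const host = hostOf(r['blocked-uri'] || '');
    if (!host) continue;
    const verdict = classifyHost(host, cfg);
    if (verdict === 'allowed') continue;
    let page = '(unknown)';
    try { page = new URL(r['document-uri']).pathname; } catch (e) { /* keep default */ }
    const entry = byHost.get(host) ||
      { host, verdict, count: 0, directives: new Set(), pages: new Set() };
    entry.count += 1;
    entry.directives.add(directive);
    entry.pages.add(page);
    byHost.set(host, entry);
  }
  const rank = { lookalike: 0, unknown: 1 };
  return [...byHost.values()]
    .map(e => ({ ...e, directives: [...e.directives].sort(), pages: [...e.pages].sort() }))
    .sort((a, b) => rank[a.verdict] - rank[b.verdict] || b.count - a.count);
}

// Constructed sample reports in the legacy report-uri JSON shape.
const report = (page, directive, blocked) => ({
  'csp-report': {
    'document-uri': 'https://www.newegg.com' + page,
    'effective-directive': directive,
    'blocked-uri': blocked,
  },
});
const SAMPLE_REPORTS = [
  report('/checkout', 'connect-src', 'https://neweggstats.com'),
  report('/checkout', 'form-action', 'https://neweggstats.com'),
  report('/checkout', 'script-src', 'inline'),
  report('/checkout', 'img-src', 'https://tracker.adnet.example'),
  report('/checkout', 'connect-src', 'https://api.psp.example'),
];

console.log(triage(SAMPLE_REPORTS));
```

Run in report-only mode first, so the policy can be tuned from these reports before it is enforced on the payment page.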

Needless to say, if you visited Newegg during the mid-August to mid-September period, keep an eye on your credit card transactions or take other preventive action such as applying for a new credit card. For that matter, if you have had earlier dealings with Ticketmaster or British Airways, be sure to review all of your transactions. Symantec has noted a large increase in Magecart attacks on a variety of large and small ecommerce sites, so buying online has become a lot more risky. This site lists URLs that may be connected to Magecart, and there are a lot of them. As a shopper, you can be easily fooled because, unlike most scams, the problem is not with your computer or device but hidden on the ecommerce site itself. In addition, it can be so well-disguised that you will likely not see that anything is wrong. Your order will even go through. Unfortunately, a duplicate order will go to the attackers and they can then use your card information and personal information in whatever way they want. They can use it themselves or sell it on the deep web.

To summarize, there is little you, as a buyer, can do. The Magecart attack group continues to upgrade its attacks and makes each harder to detect than the one before. We are certain to hear of more of these attacks over the next few months as the attackers gear up for the biggest online shopping season of all, Christmas, though, if the past is any indication of the future, these attacks won’t be discovered until the beginning of next year.


Review Bombing: New Extortion Scam Threatens Businesses with Negative Reviews

If you’re like most people, you probably read the reviews of a hotel or restaurant before you visit it for the first time. After all, you don’t want to spend your money on an experience you may be disappointed with, right? But let’s face it, bad reviews seem to carry more weight than good reviews. The way I look at it, good reviews can always come from friends of the owner while bad reviews often come from true bad experiences, even if those experiences may have been a one-off. It is well-known that you can buy good reviews, but few people would ever consider buying bad ones.

In fact, negative reviews can be so costly that there are companies dedicated to getting them removed. “We eliminates negative search results permanently form popular search engine within 48 hrs by ensuring the truth appears first. Our technologist lets you control your online appearance”, claims one such firm, though the grammar makes me wonder about their professionalism. According to experts, 86% of people will hesitate to buy from a business that has negative reviews. In some ways this is unfortunate as even Shakespeare has bad reviews on Amazon. “My first shakespeare.. honestly I’m not impressed. The plots are dull, the only interesting thing is the language choices.”

Positive reviews are also for sale by certain illicit firms. However, most of the sites that sell these seem to be built by nonnative English speakers. “Do you think too and focus yourself or your products as mostly sold to the people?” Yeah, I would have some doubts on how well-written the reviews would be. There is also a risk of your fake good reviews being caught by a review filter. If Yelp suspects you of posting fake reviews, you will be publicly shamed.

[Image: Yelp filter]

This all goes a long way towards proving my point that negative reviews hold more power and, if this is the case, businesses will do whatever they can to stop them.

That’s why a new scam making the rounds may prove to be effective. This is a scam that threatens businesses with bad online reviews unless they pay a certain amount of money. Oddly, this is similar to the hitman scam, where a purported hitman contacts you and says that, although he has been hired to kill you or a family member, he doesn’t really want to and will not if you pay him some money. “I am very sorry for you, is a pity that this is how your life is going to end as soon as you don’t comply. As you can see there is no need of introducing myself to you because I don’t have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.”

The negative review bomber has a similar approach. In a threat to a San Francisco restaurant, the scammer claims they were hired by a competitor and will give a negative review and “awful photos of the food containing hair and insects.” Of course, the scammer doesn’t want to do this, “I don’t want to hurt your restaurant reputation therefore I offer you to have a deal. I’ll refuse to fulfill this order if you compensate me the amount that I’ll lose in case of failure to fulfill order.” The scammer also threatens to release negative information to the press. However, if you pay them, they will even write a good review for you.

On the surface, this seems like something you could just ignore and relegate to the spam folder, assuming it wasn’t already there. The bad English alone should be a giveaway. However, there’s a new wrinkle that’s been put on this scam that makes it far more dangerous. Several restaurants in Washington State have started to get numerous one-star reviews with complaints of bad food, terrible service, and even food poisoning. In one case, business fell by 40% and the owner was even forced to lay off staff. Then the extortion message arrived. Pay $900 and we will remove the bad reviews. Here is the email outlining the details for payment.

[Image: review extortion email]

The restaurant reported the extortion attempt to the police who traced it to a source in Romania, which meant that there was little they could do. One of the police investigators claimed that, “we are seeing extortion cases like this on a daily basis right now”, which seems to suggest that some of these extortion attempts have been successful; otherwise, they wouldn’t be on the rise.

The truth is that review extortion has been around for quite a while. Sellers on Amazon often complain that they are contacted by buyers who want to keep a product for free or they will give the seller a bad review. Amazon says it is impossible to delete bad reviews because they cannot prove whether they are valid or not. However, recent news reports claim that malicious insiders at Amazon have offered to remove bad reviews for a price.

Similarly, online sites that specialize in publishing bad reviews are often criticized for being organized for purposes of extortion. This is because they allow for the posting of anonymous reviews. If this was all that they did, there would be no problem. However, sites like Ripoff Report will remove bad reviews if you join their specialized management program (Corporate Advocacy Program). The costs are hidden on the site but are reported to be between hundreds and tens of thousands of dollars, depending on the case. But Ripoff Report is not alone in profiting from negative review management.

Some businesses are more vulnerable to reputation attacks than others, but none are immune. Doctors, dentists, celebrities, and politicians have all been victimized. Would you trust a doctor who someone claimed had botched a surgery? Wouldn’t it just be easier for the doctor to pay a little extortion money? The scammers are hoping this is the case.

Restaurants and hotels are most susceptible to review bombing extortion threats, but the entire travel industry is vulnerable. Recently, CheapAir was hit with a $10,000 extortion attempt. Airbnb participants claim they are frequently asked for refunds by customers or face getting a negative review. The smaller the establishment, the more likely they will be hurt by a bad review.

Knowing the power of bad reviews, some online travel sites are taking extraordinary precautions when dealing with them. TripAdvisor, for example, automatically flags all potentially damaging reviews and then assesses their validity using a team of 300 trained employees. Remember that not all bad reviews are extortion attempts and many have merit. I have written numerous reviews and some of them have been negative. For example, I once had a meal in Corfu, Greece that deserved a bad review. While waiting for the main meal to arrive, the waiter put a small plate of bread on the table. We hadn’t ordered bread, but we figured that was part of the service. Only later, did we find that the bread was priced at about $10 on the bill. I complained about this but only received a derisive smile. I asked to speak to the manager but was told that there was no manager. I informed the waiter that I would write a bad review of the restaurant, but he just shrugged it off. So I wrote what I thought was a well-deserved bad review so that others would not fall for this scam.

Businesses should not respond to extortion attempts. They can ask sites to take bad reviews down, but they should also realize that large social network platforms, such as Facebook, take a long time to respond to complaints of a fake review. In the case of Facebook, it may be better to simply turn off the ‘Show Review’ option until Facebook removes the fake negative review, if they ever do. Online reputation management firms advise businesses to respond to negative reviews if they appear to be valid.
CheapAir responded to their attack via Twitter. They warned people that they were a victim of a review extortion scam, which seems to have helped get the word out and preserved their reputation.

Customers can help by looking more closely at negative reviews. They should look for details about why the negative review was posted. Beware of reviews that appear to be written in bad English or just give general information. The Washington restaurant that was targeted received a fake review connected to a fake Facebook page, to make it look legitimate. In this case, a visit to the reviewer’s Facebook page may show that it is fake. There will be little information on it as it exists only as a front for the scam.

[Image: fake review]

So, if you have a business that depends on reviews to get customers, you could be the target of review bombing. If you note a sudden increase in negative reviews, prepare yourself for an extortion attempt. You may be tempted to pay the ransom; however, this will probably flag you as an easy mark and you can expect another attack in the future. If the site will not remove a fake negative review, respond to it in a calm and understanding way. If you receive an extortion email, publicize it so that customers will realize what is happening. I’d like to say that law enforcement would help you, but, to be honest, there’s probably not much they can do.


Would You Pay $800,000 for Virtual Land? Someone Did

For some, the harsh reality of daily life becomes too much. Some choose to leave this world to go to a better place. That place is called Decentraland. This is a land where “you can create unique experiences unlike anything in existence”. And the good news is, you don’t have to die to go there.

Decentraland is a virtual world where you are free to develop your life in any way you see fit, as long as you are willing to pay a price. There is, currently, a land rush to Decentraland and some people are paying more for virtual land than they would for land in the real world. Once you buy your plot, you can develop it in whatever way you like. You could build a casino, a church, a movie theater, a store, or just a mansion. It’s all up to you. Take a look at their brief promo video.

But before you start reaching for your wallet, even your Bitcoin wallet, there are a few things to consider. First of all, you can only pay for these plots with a virtual currency called MANA, which is a currency unique to Decentraland. MANA uses the Ethereum blockchain so you’ll have to purchase Ethereum currency first so that you can exchange it for MANA and buy a plot of virtual land. I’m not going to go into details on how to do this, but, for those interested, you can find information here. You’ll have to read another guide for exchanging your Ethereum currency for MANA.

Assuming you now have your MANA, you can go to the Decentraland Marketplace to choose your plot of land. Here’s what you will see when you go there.

[Image: Decentraland Marketplace]

The land for sale by a particular owner is shown by a red square. The blue squares are also plots that can be purchased. The prices given are in MANA. At the time of this writing, the plot listed on the left is selling for around $3,900. I have seen prices in prime locations selling for nearly $800,000. Why? Location, location, location. Prime plots, like the one shown below, are located in the middle of Genesis City and on the main square (Genesis Plaza). The cheapest land is located on small roads far from the city center. They are now selling for just over $500. There are a limited number of parcels available (90,000) so that speculation can operate. Each parcel is a 10m x 10m square (33ft x 33ft).

[Image: Decentraland prime plot]

Okay, so let’s assume you’ve bought a parcel of virtual land in Decentraland. Now what? Well, now it’s time to build something. However, for the moment, most people seem to be buying these plots for speculation. They have no intention of building anything. However, the people paying big money for land in Decentraland are probably large companies that want to position themselves just in case this idea takes off. These companies probably have the resources and technical know-how to build a retail outlet on this platform. But, in order for a profit-making business to work, they need visitors to the platform, and that may be a problem.

In order to build anything on your parcel, you’ll have to install the Decentraland SDK (software development kit) and be able to write code in a language called TypeScript, which is related to JavaScript. If you do not possess these skills, you probably will not build anything on your land. For those who think the interface will be something like that of SimCity, think again. There are some tutorials available with pre-written code but the results may not prove so satisfying. Here is one of the more complex codes that will produce a scene with dogs.

[Image: Decentraland dog scene]

Yeah, don’t expect much realism here. Expect the realism of retro games but in 3D. The platform is expected to launch by the end of this year. At that time, interested people should be able to explore Decentraland and interact with what is available there, which probably won’t be much.

Some may feel this is simply a VR version of Second Life. There is some truth to this. The only real difference at this point is that Second Life would not allow someone to own land. They can only rent a space. Actually, they pay an initial purchase price then pay ‘maintenance fees’ thereafter. My problems with Second Life were having a slow internet connection, getting trapped inside buildings, and meeting unsavory people. I expect Decentraland will have many of the same problems unless some regulations are put in place.

For example, Second Life relied on income from its virtual casinos. However, government agencies claimed that such gambling violated laws in some locations and most of the casinos were forced to close. I expect the same problems to surface with regard to Decentraland. Although the developers claim that, “no one can limit what you build”, they probably can.

I’ll have to wait for the online appearance of Decentraland before I can predict its future. There is no doubt that a virtual world with 360 degree reality is a saleable idea. The movement towards creating such a world has been set in place and nothing is going to stop it. I feel that Decentraland is a sort of intermediate platform on the way to that world and, unless they develop it themselves, some other virtual world with more realistic experiences and a less complicated interface will replace it.

For now, Decentraland is nothing more than a virtual land speculation program. You can spend $800,000 on the belief that what you bought is real land. If other people share this belief, fine; otherwise, you may be left with nothing more than a line of computer code.

If I had a plot on this platform, I would sell it today and hope I made a little money. Second Life is far more developed and, as one reviewer put it, “Second Life is more of a social world and not recommended to make substantial income online.” Yes, some people make money by selling cyber goods or skins, such as those seen below. But that’s the exception.

[Image: Second Life skins]

The hope that Second Life will become a true virtual world with university lectures and philosophical debates has all but vanished. As Motherboard noted in a 2016 post, “if you let users make whatever they want, they’ll make a lot of sex stuff.” Indeed, that is where Second Life makes most of its income. If you visit Second Life, you’ll find a virtual ghost town. The only activity is taking place on an adults only island that it created. In fact, if you look at all virtual worlds that have been created, they have eventually evolved into adult only areas. This may say more about human nature than anything else.

A true virtual world would have to mimic the real world. It would have to develop from the ground up. This is the SimCity or Age of Empires model. Developers could create a ‘canvas’ for development and colonists or settlers would have to use natural resources to build dwellings and communities. There would have to be an intuitive user interface with easy to use tools that give realistic-looking results. Commerce would develop naturally. Communities would have to develop laws and law enforcement as well as governments. It all may sound a little boring but real businesses will only invest in a stable platform that attracts real participants willing to spend real money.

Decentraland has no developmental philosophy other than ‘buy land and do what you want’. It’s a model that has never really worked in the past. People may initially come here out of curiosity, but I would expect Decentraland to soon go the way of Second Life. In short, Decentraland is a step on the way to a true virtual world, but, for now, it is more of a misstep.

Forget the One-Day Exploit, Beware the One-Hour Exploit

A recent report by the United States Government Accountability Office (GAO) details how one of the largest personal information hacks in history was designed. The hack described was the one on Equifax, a credit reporting agency (CRA) that exposed the PII (personally identifiable information) of more than half of all adult Americans. Why should you care? Well, if you have a business or organization of any size, you could be vulnerable to the same type of hack that brought down Equifax. It is a hack that could have been performed by anyone with a rudimentary knowledge of hacking.

The report explains how a few small oversights left the company vulnerable. These are mistakes that numerous firms and organizations make every day. Here’s how it happened.

When Cisco found a serious vulnerability in the Apache Struts web application framework, they notified their customers. In a blog post, they emphasized that “it is highly recommended that you upgrade immediately.” But, apparently, almost as soon as they announced the vulnerability, it was being exploited. What this meant was that any enterprise that did not update its servers at once was in danger of being attacked. The quick use of a newly announced vulnerability is often termed a one-day exploit; however, this one could have been measured in hours.

When Equifax received the news of the security flaw and the recommendation to update their system, they sent out notices to all system server administrators, just like they were supposed to do. Unfortunately, the list of system administrators was out of date. It did not include the address for the system administrator for its dispute portal servers. Thus, this administrator did not get the notice and the update was not installed. This left the servers for this department vulnerable to attacks.

Two days later, “unidentified individuals” discovered the unpatched server. Using software designed to make use of this vulnerability, the hackers accessed the server and tested their software. No data was taken. It wasn’t until May that the actual attack on the server began. Maybe the attackers just needed time to develop an attack framework based on their initial reconnaissance. In any event, when they re-entered the system, they were able to hide their activities as they worked their way around the Equifax network, stole data, and methodically sent it back to their C&C (command and control center). By making their actions on the network look like normal network traffic, they were able to remain undetected for 76 days (May 13, 2017 to July 29, 2017). Here is a diagram of the breach from the report.

[Image: Equifax breach diagram]

Why didn’t Equifax discover this breach sooner? Normally, security architecture would be alerted if it saw encrypted traffic running through its network. Unfortunately, such detection software did not work because the certificate it needed to operate had expired 10 months before the attack. The attackers, therefore, were more or less free to do whatever they wanted because they would not be detected. It is unclear whether they realized this before they began the attack. The dispute portal servers were taken offline as soon as the breach was discovered.

For enterprises who want to protect themselves from such attacks, it is important to mention two more lapses that made the attack so successful. According to the report, the databases should have been segmented. This means that the databases were in some way connected so that the attackers with access to one database could access others. Another blunder was that Equifax kept usernames and passwords to these databases in an unencrypted file. Imagine the excitement on the part of the hackers when they discovered this.

Equifax has subsequently updated its security architecture in predictable ways. Some of its improvements seem more cosmetic than anything else; for example, creating a new position, Chief Information Security Officer, which will, purportedly, improve communication between IT and management. Yeah, ok.

It took a while for Equifax to figure out how many people were affected by the hack, but they finally settled on 145.5 million. They then set up a website where people could find out if they were among those affected. Those interested in finding out whether they were victims of the hack can go to this page and click the “Am I impacted” button.

[Image: Equifax impact]

You will need to give your name and the last 6 digits of your social security number. If you live outside the U.S., you will need to use a VPN. Interestingly, Equifax accidentally sent people to the wrong site, an approach often associated with phishing attacks.

[Image: Equifax phish]

The repercussions of this breach went beyond Equifax. For example, both the IRS and SSA had to take actions to guard against a possible increase in identity fraud. These and other government agencies used Equifax to validate certain transactions. Surprisingly, no government agencies were made aware of the attack until it was publicly announced, making them vulnerable to a variety of attacks in the interim. Equifax refused any help from the Department of Homeland Security.

After the hack, the company’s share prices fell 33%. They have since recovered most of these losses. In fact, the company is expected to make record profits next year. As of this writing, Equifax has faced no penalties for the breach although one lawsuit is pending. Some evidence of this hack has purportedly been found on the deep web. Most of the data taken has probably been combined with other available personal information troves to make ‘fullz’, a term that refers to full information and, at a minimum, includes “the victim’s full name and billing address; credit card number, expiration date and card security code; as well as their Social Security number and birth date.” Fullz simply sell at a higher price on the deep web.

Although Equifax may seem to have escaped relatively unscathed by the breach, politicians are pushing for more penalties to be paid by companies that are breached due to their own ineptitude. However, ineptitude is not easy to delineate. For example, in a large organization, it is often very difficult to perform all updates as soon as information on a vulnerability is released. Sometimes, this is because of practical considerations, such as the update interfering with normal workflow. At other times, updates simply take a long time because of the size of the network.

Hackers have been known to begin their attacks on holidays or weekends when they believe that most of the IT staff will be away. Can this be classified as ineptitude on the part of the company? It’s not a question with an easy answer. However, with these points in mind, I would suggest that most small to medium-sized enterprises would be more vulnerable on weekends and holidays, while large companies and organizations would be more vulnerable during peak working hours.

So what can companies and organizations learn from the Equifax hack? First of all, don’t wait to perform important security updates because the hackers certainly won’t. Implement a certificate checking program that alerts administrators when a certificate is about to expire. Keep important databases separate and encrypt all stored usernames and passwords.
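Two of the lapses described in this post, the out-of-date administrator list and the expired monitoring certificate, are the kind of thing a scheduled inventory audit catches. The following is an added example, not taken from the GAO report or from Equifax: the inventory entries, the 30-day threshold and the function names are constructed assumptions, and the date strings use the `notAfter` format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumed alert window; set it to your renewal lead time

# Constructed inventory for illustration only. Asset names, owners and
# dates are made up; "not_after" uses the getpeercert() 'notAfter' format.
INVENTORY = [
    {"asset": "traffic-inspection-device", "owner": "netsec@example.com",
     "not_after": "Jul 15 00:00:00 2016 GMT"},
    {"asset": "dispute-portal", "owner": "",
     "not_after": "Jun  1 00:00:00 2017 GMT"},
    {"asset": "intranet-wiki", "owner": "it@example.com",
     "not_after": "Jan 10 00:00:00 2019 GMT"},
    {"asset": "legacy-app", "owner": "apps@example.com",
     "not_after": "not recorded"},
]


def parse_not_after(text):
    """Convert a getpeercert()-style notAfter string to an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(text)  # raises ValueError on bad input
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def audit(inventory, now, warn_days=WARN_DAYS):
    """Return (asset, code, days) findings; days is None when not applicable."""
    findings = []
    for item in inventory:
        asset = item["asset"]
        # A blank owner means a patch or renewal notice has nowhere to go.
        if not item.get("owner", "").strip():
            findings.append((asset, "NO_OWNER", None))
        try:
            expires = parse_not_after(item["not_after"])
        except (KeyError, ValueError):
            # An unknown expiry date cannot be monitored, so report it.
            findings.append((asset, "EXPIRY_UNKNOWN", None))
            continue
        if expires <= now:
            findings.append((asset, "EXPIRED", (now - expires).days))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((asset, "EXPIRING", (expires - now).days))
    return findings


if __name__ == "__main__":
    # Constructed audit date so the output is reproducible.
    audit_time = datetime(2017, 5, 13, tzinfo=timezone.utc)
    for asset, code, days in audit(INVENTORY, audit_time):
        detail = "" if days is None else f" ({days} days)"
        print(f"{code:15} {asset}{detail}")
```

In production the audit would run on a schedule with the current time, and its findings would go to a monitored channel rather than to the asset owners alone, since a missing owner is one of the things it reports.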

Several executives, including CEO Richard Smith, ‘resigned’ after the breach. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said as he sadly pocketed a $90 million goodbye package. A number of states took action against Equifax which resulted in Equifax promising to implement security measures that it had already put in place. In the end, Equifax paid out about $250 million in security updates that they would have paid for anyway. In fact, the whole breach could be looked at like one, giant, well-designed penetration test. As such, it was a bargain for everyone except those who lost all of their personal data.


Gmail Confidential Really Isn’t, But It Has Its Uses

Many of you reading this have had your Gmail account updated. The update contains a few extra features and a new look, but I would like to focus on one feature that may have escaped your attention. This is the confidential option available when sending an email. This option allows you to control how the email you sent is used.

 For years, I have thought that such a feature should exist. There simply seem to be times when you reluctantly have to email a copy of an important document to someone you may not know. For example, if you are applying for some job overseas, you may have to send a copy of your passport information page. I’m always uncomfortable doing this because I have no idea how the recipient will guard my privacy. Will they leave the document open on their computer? Will they make and distribute a copy of it? Will they forward it to other people? With each of their actions, I risk being compromised.

 But Gmail has come up with a solution to this problem. Using their confidential option, you can make a sensitive document self-destruct at a designated time. It will also prevent downloads, copying, printing and forwarding of such emails and their attachments. There are positive and negative aspects to this, but before discussing them, here is some basic information about using this feature.

 First of all, you have to know where to find this feature. To be honest, I didn’t even notice where it was. For me, the icon associated with this feature does not clearly relate to its purpose. Here is where to find this feature when you compose an email.

[Image: Google confidential]

 Clicking on the icon brings up this interface.

[Image: Google confidential details]

 You can see that you can choose to send a code by SMS if you know the person’s phone number. The recipient will receive an email that looks like this.

[Image: Google confidential recipient]

They will then be sent to a page where they can read the email and which will give information as to when the email will expire. If you change your mind about allowing access to a confidential email, you can remove the recipient’s access at any time, even before the email gets opened. To do this, open your ‘Sent’ folder, open the confidential message and click the ‘Remove Access’ button. The recipient will no longer be able to read the email. This could be a good tool to use for those impulsive, angry emails you may send and then later regret. You can also renew access in the same way.

 The tool does offer some good features, but Google admits that anyone can take a screenshot of the email or attachment. It is true that the copy function is disabled; however, I found that going into developer tools to access the page code enabled me to find and copy the message. In the following example, I sent the message, “This is only a test.” You can see it here. It can then be copied.

[Image: Google confidential code]

 One positive aspect of the confidential feature is that you can set the expiration date from one day to five years. This will come in handy if the recipient’s email is hacked and the hackers harvest all available sensitive data and any documents that have been sitting around for years. People often allow old emails and attachments to build up in their folders so this tool gets around that. Setting an expiration date removes old emails that could harm the sender or the sender’s company if they happen to be stolen.

 Some members of the cybersecurity community have criticized Google for using the term, ‘confidential mode’. They feel this is a misnomer because this mode does not offer true confidentiality. True confidentiality can only exist in some form of end-to-end encryption.

 Besides the security shortcomings mentioned above, using the confidential mode also does not mean that Google cannot save copies of your email and attachments. They can still use the information you supply in such emails to target you for ads or sell this information to internet marketing firms. If you decide to send the recipient an SMS code, you are also supplying information on your recipient, their phone number, which Google can monetize or otherwise use.

 Such criticisms aside, the confidentiality feature at least gives the sender more control over a message or document than they previously had. Sure, a recipient can subvert this using a number of techniques, but I’m not sure many would actually consider this. Most would simply retrieve the information that was sent during the allowed access time and that would be the end of it. The exception to this would be attachments. Google gives you the right to preview the attachment, but you cannot save or print it. Yes, right clicking on the attachment will show a print option, but printing will give you nothing. In such cases, the recipient would be inclined to make a screenshot and save that.

 In the end, don’t expect true secrecy when sending anything in this mode. Using it will alert the recipient that something important has been sent and may, thereby, prompt quick action on the recipient’s part. On the other hand, if you are sending something like a job application and the recipient doesn’t open the email quickly enough, they may never be able to access your application. In other words, make sure you give the recipient enough time to open your email when you set the expiration date. Also, expect that any attachments, like a resume/cv, will not be printable or savable, which makes it inconvenient for the recipient. In some cases, such an inconvenience could make them ignore your email.

Remember also that some recipients may take the fact that you sent them a self-destructing email as a sign of distrust. It may imply that you don’t expect them to handle your sensitive documents with care. What would this say about your character if they were to consider you as a future employee or business partner? In these cases, some sort of explanation or apology may be necessary in the cover letter. On the positive side, it could show that you are interested in maintaining security and at least have a passing knowledge of what that entails.

In the end, the Gmail confidentiality feature should be considered as a useful tool. If you want real safety you’ll need to send an encrypted email. You could also password protect a document. These methods, however, take more time to organize and can create problems for both sender and receiver. If, for example, you send a password protected document, you’ll need some way to inform the recipient of the password. If you know the recipient, you can give them a phone call or reference a shared association, e.g. the town we met in last year. If you have no association with a person, such as when applying for a job and attaching your resume/cv, you probably don’t want to make things too difficult for the recipient. In such cases, the Gmail confidentiality feature may be your best choice. So use it, but keep in mind its limitations.

 

 

 


The Recent DNC Hack that Wasn’t… Or Was It?

Penetration testing, or pentesting, can be a useful strategy for an enterprise to use to tighten security on its network. Paying an ethical hacker to find holes in a company’s cybersecurity architecture can help a company avoid a major breach. Of course, this comes with some risks. What if the pentester is not so ethical and uses the vulnerabilities found to hack the corporate network they are hired to protect? What if they sell this information to unethical hackers? In other words, a company or organization must be careful who it allows into its network.

This is why there are organizations that certify pentesters. However, many so-called pentesters aren’t certified. Let’s call them, ‘unsolicited pentesters’. These are people who may test a company’s cybersecurity on their own initiative, find a vulnerability, and then ask the company to pay them for their work. It’s a hit or miss scenario. The company may just give the unsolicited pentester a pat on the back and nothing more. Other companies offer official payments for those who find bugs in their networks or products. They offer clearly defined bug bounties to bug bounty hunters. For the most part, any unsolicited individual who hacks into an enterprise’s network must be considered a hacker unless they clearly state that they want no money or other compensation for what they find.

That’s what makes the recent cybersecurity incident at the DNC so interesting. It was initially reported that the DNC thwarted a cyber attack designed to get login information from spearphished employees. Someone had made a fake sign-in page that emulated NGP VAN’s Votebuilder, a database used by the Democratic Party. The DNC’s chief security officer, Bob Lord, wasted no time contacting the FBI and CNN to report the “sophisticated attempt to hack into our voter file”. In his report to CNN, Lord tried to make political hay of the attempt by claiming that “we need the (Trump) administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks.” There were clear insinuations in the CNN story that Russia may have been behind the attack.

However, just as this incident was to become a major news story, it was found that the hack wasn’t a hack at all. According to the DNC, the Michigan Democratic Party had asked NGP VAN to do a “simulated phishing test” on the DNC and no one thought it might be a good idea to tell the DNC about it. But, according to a statement given to CNN by Brandon Dillon, the chair of the Michigan Democratic Party, it was all Donald Trump’s fault. “We have taken heightened steps to fortify our cybersecurity — especially as the Trump Administration refuses to crack down on foreign interference in our elections.” Dillon referred to the blunder as “a misstep”.

Misstep or not, this qualifies as a hack, since the DNC did not authorize itself to be pentested. However, it is not clear what the Michigan Democratic Party wanted with Votebuilder login information even if they got it. Did they simply want to learn which people in the DNC would be stupid enough to fall for a phishing attack? Wouldn’t this be the job of the DNC security team? Did they want access to part of the database they did not normally have access to? I’m perplexed. In fact, the Washington Post reported that it may not have been the Michigan Democratic Party at all, but an unidentified “web contractor” hired by them. This group was identified by the Wall Street Journal as the recently formed DigiDems, a largely volunteer group of tech people with a strongly left wing agenda: “DigiDems is a team of innovators passionately committed to supporting the progressive movement through the use of technology.”

This is not the first time that NGP VAN has caused trouble for the DNC. Back in December of 2015, NGP VAN temporarily left its database open which allowed members of the Bernie Sanders campaign to access Hillary Clinton’s strategy. This resulted in the firing of one member of Bernie Sanders’ IT team, Josh Uretsky, and the banning of the Sanders’ campaign from accessing the Votebuilder database. Why NGP VAN agreed to go along with this is still open to debate, since it occurred just before the New Hampshire primary and banning the Sanders campaign from using the database would tilt the primary in Clinton’s favor. Sanders subsequently sued the DNC.

The whole incident spawned a number of conspiracy theories. The cybersecurity firm, CrowdStrike, was asked to look into the Sanders’ breach and, after studying the situation for four months, concluded, in April, 2016, that the Sanders team really didn’t do much with the information they accessed. Sanders subsequently dropped his lawsuit. However, just as CrowdStrike was finalizing its findings, the DNC discovered that they had been hacked. Coincidentally, CrowdStrike was still on board and they were experts in Russian hacking. Coincidentally, they found, within minutes, that Russia had hacked the DNC. Interestingly, they found no indication of this while they had had access to the servers for four months. This has led conspiracy theorists to conclude that “the Russian hacking that’s caused so much division and turmoil at home and abroad never really happened. It was all a ruse concocted by CrowdStrike.” This is not a minor accusation as the entire Robert Mueller investigation of the Trump campaign’s involvement with Russia hinges on CrowdStrike’s conclusions.

The problem here is that the Russians don’t need to hack the DNC to get voter records. Voter registration records are available to anyone, free of charge. Each state also maintains voter records that are openly available. Some are free and searchable online while others must be purchased. Firms like NGP VAN simply compile these databases and organize them to make them searchable by various criteria. As such, they would be a tempting target for certain hackers as they contain a wealth of personal information. Here is a list of the information available in these databases (from Wikipedia).

[Image: voter information]

The problem with this list is that it doesn’t go far enough. NGP VAN boasts, “before, only Facebook, Twitter, and LinkedIn profiles were matched to an individual’s contact record. Now, 97 different social networks are matched daily (highlight NGP VAN), and also provide social media biographies to be integrated into a contact record. Additionally, an individual’s photo will be automatically synced from their profiles when available. You can find your supporters with a particular network with our updated search functionality, and when on that contact’s record, you’ll see a lot more information.” NGP VAN gives the following example to show just what they can do.

[Image: NGP voter]

In other words, being able to hack into this organized database would be any hacker’s dream, Russian or not.

I’m not saying this happened, but if I were a Russian hacker (or any bad actor) I would certainly consider setting up a fake login page to NGP VAN, just like the contractor for the Michigan Democratic Party purportedly did. In fact, if I were a hacker employed by the Russian government, I would probably volunteer for a firm like DigiDems and use their connection with NGP VAN and Votebuilder. I would then send spearphishing emails to key DNC employees, telling them, for whatever reason, to sign into NGP VAN. I would have a link for them to follow to the spoofed login page and hope they would not look too closely at the URL address. Once they entered their login information I would have access to the full NGP VAN Votebuilder database and, with such access, I really could influence the outcome of any election.

I’m not really sure what the Michigan Democratic Party was up to and maybe they didn’t really know what their overly enthusiastic contractor, DigiDems, was doing. I’m not really sure why CSO Bob Lord was so quick to contact the FBI, unless he was overly paranoid about Russian meddling. For the same reason, or for pushing a political agenda, he may have contacted CNN. This would give the DNC, with CNN’s help, ammunition to use against the Russians that could substantiate the current investigations into their supposed meddling in the 2016 election. In the end, such an angle could damage the Republicans and Trump in particular.

This strategy may have worked if the scenario didn’t fall apart the next day. In the end, Lord threw a punch which ended up with the DNC getting a black eye.

DNC Chairman, Tom Perez, tried to put a positive spin on the blunder in a quote he gave to CNN.

“We are at war right now — it’s a cyberwar and unfortunately the commander in chief of the cyberwar is asleep at the switch because he benefits and has benefited from the cyberwar. We’re not waiting for help, we’re not waiting for the cavalry from the White House. We’re working with our partners in the cyber-ecosystem and that is in part how we were able to address this, what turned out to be a false alarm.”

Well, you obviously didn’t work that closely with your partners or you would have been informed that they were performing a pentest or hack on your organization. Yes, the DNC could use the angle that it was being proactive in quickly reporting a suspected breach. Then again, they could also be accused of desperately grasping at straws in order to connect all suspected breaches with Russia.

There is something just not right here. Bob Lord stated that this ‘test’ “was not authorized by the DNC, VoteBuilder nor any of our vendors.” So are you saying NGP VAN did not agree to have DigiDems make a fake copy of its Votebuilder login page? You can’t have it both ways.

My problem is with DigiDems. It’s a newly formed enterprise with a poorly designed web page. I’ve seen many fake websites in my days, and this certainly looks like one. You’d think an organization that prided itself on its technical expertise would come up with something better than this pre-packaged web design. For example, the photograph used on its homepage is taken from one used on a number of websites. Ok, I understand. The organization just formed in March and they had to put something together quickly before the 2018 midterms.

So why would the Michigan Democratic Party allow a fly-by-night organization to undertake a pentest of the Democratic National Party? Why would they trust them with such a sensitive task? My guess is that they didn’t. My guess is that they knew nothing at all about what someone on DigiDems was doing. They only found out when the hack was traced back to them. That’s when damage control kicked in.

What do you do when it looks like you dropped the ball? You act as if it was planned all along. An actual hack on the DNC, especially by Russians, would make them look pretty inept. The DNC was reluctant to report the 2016 hack because they feared it would negatively impact donations. People don’t want to give personal details to an organization that can’t protect them. This could be a similar case of damage control and the damage was done by Lord when he publicly reported the breach without considering the implications. When the possible financial repercussions of reporting yet another DNC hack were realized, they tried to back off the report by claiming it to be a planned attack.

I would have to agree with the observation by Joseph Carson, chief security scientist at Thycotic, in his statement to Security Week. “I would actually handle this incident as an attempted cyberattack since the DNC has confirmed it was not authorized or approved so therefore a full incident and digital forensics process should be carried out even though it was a so-called test.” As I stated previously, an unauthorized pentest is a hack and should be investigated as one. My prediction is that we will never hear anything about this attack again and, in the near future, Bob Lord will be replaced as DNC CSO.

 
