Good guys win: International Criminal Sentenced to 13 Years For Identity Theft Scheme

The news is so full of the security failures and problems that it is worthwhile to pause and see the good. Ngo built a marketplace and sold identifying information about regular people – in packages that contained everything for an identity theft. He was caught and a number of his ‘customers’ in the U.S. were captured.

Details and full links below – if you were breached, consider the breach response task list from How Not To Be Hacked.

Ngo, 25, will serve 13 years in prison for hacking into U.S. business computers and stealing the information of approximately 200 million US citizens to sell to other people as so-called ‘fullz’, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Acting U.S. Attorney Donald Feith of the District of New Hampshire and Director Joseph P. Clancy of the U.S. Secret Service announced.

The IRS confirmed 13,673 U.S. citizens had their information sold on Ngo’s websites, with $65 million in fraudulent individual income tax returns filed thanks to his services.

source: Massive International Hacker Sentenced to 13 Years For Identity Theft Scheme | Hacked.

Best,

James

Copying access control cards is easier w/ $10 device being released at BlackHat 2015

Proximity access cards are no more secure than a standard key, and are easily replicated with a $10 (to be released) tool. This was shared on ZDNet and with Motherboard. I have highlighted 2 key sections below; for those interested in greater detail, definitely check out the article. If you are lucky enough to see the presentation live at BlackHat, that will surely be better.

While RFID technology can help secure enterprise offices in this way, the ease with which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.

Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards. The team says the release of the tool is “valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks.” – ZDNet Article

I would raise the point that, now that these attacks can be carried out so easily, can the “control” of physical access control still be fully trusted from a third-party assurance perspective, an industry perspective such as PCI, or a risk management perspective? One could argue that cameras support this protection, but those are only reviewed after damage has been discovered and are insufficient for all of the stakeholders involved.

“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key.” – Motherboard, Baseggio

The difference, though, with a ‘standard key’ is that it takes some crafty spy work to make a copy without the owner being aware. To copy a HID card would take only seconds – at a gym, lanyards left at a desk, etc …

Glad the research cycle is exposing these risks and looking forward to creative approaches to counter it.

James

p.s. My new book – How not to be hacked is available and is PERFECT for your family and friends who keep getting smashed by online criminals, malware, and account hijacks!

Hacking Drones Close to Being Drawn up by Boeing and Hacking Team

A high schooler could have done this, but these 2 didn’t get it done because of an NDA!? Sad, and it shows that sometimes progress can be derailed by the smallest of things. Passion is finicky, and when pursuing the development of new ideas it needs to be nurtured within and between organizations.

The technology already exists, and I’d bet for less than $2k it could be made operational. Perhaps we’ll see these at DefCon just to show how feasible and fun they can be in real life?

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu revealed that drones carrying malware to infect targeted computers via Wi-Fi by flying over their proximity is close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team from ‘teaming up’ together in order to create the malware infesting drone.

via Hacking Drones Close to Being Drawn up by Boeing and Hacking Team.

P.s. I wrote a book to help Information Security professionals share tips with the other 3.1 billion people in the world struggling to stay secure and safe online. I’d love for you to share the news and benefit from the book – How not to be hacked

Mobile ad fraud costs advertisers $1 billion a year, study says

Mobile devices are easy targets, and the more they depend on wifi, the easier fraud is to execute without detection. I am also thinking it would be pretty easy to execute such advertising fraud, as described in the article, by installing similar tech onto all of the unsecured/unpatched Internet of Things devices on the internet. Imagine this fraud with all of the consumer internet routers!

Details from the Fortune article:

The firm said that it tracked down more than 5,000 apps that were exhibiting suspicious behavior. It found the apps by using the real-time tracking data that it gets from the various mobile ad networks that it is integrated with, which allowed it to look for the kind of rapid ad-loading and background functions that most malicious apps exhibit…

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms.

Over a period of 10 days, Forensiq says it observed more than 12 million unique devices with installed apps that exhibited fraudulent behavior: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia.

Mobile ad fraud costs advertisers $1 billion a year, study says.

… My comments on this report (not posted on Fortune due to the requirement to link a social media account):

It’d be valuable to know how those Apps identified for fraud were ranked in the ‘App stores’. This way we could identify the popularity and likely spread of these apps. The 12 million figure is large, but out of a possible 1.3 billion devices it is hard to understand the sampling effect.

I’d love more intelligence on the ‘what’, so that regular readers of the article and users of the devices could clean out these Apps off their devices.

Gotta love Blackhat and DefCon week! All the research docs are released.

James

Russians used non-public exploits to hack governments; Debunking: skill vs. budget


Organizations being hacked is not always the result of a superior adversary, but more often than not (I think the figure is closer to 85% defender mistakes vs. 15% “very skilled”) the result of poor defenses. The recent Russian hacking highlights against the White House website (note that GAO rated MOST Federal agencies as failing with regards to their information security postures) were noted as skilled because they used not-yet-known vulnerabilities. This is a generous leap in conclusion.

Their sophistication is not a factor here; rather, they have the budget to buy such vulnerabilities off the open market. These are easily available, and a successful attack could be orchestrated with less than $10k. According to public sources, the very expensive vulnerabilities cost around $100k. Easily within the reach of any financed attack group.

As we enter the week of RSA, and likely a slew of discoveries that are released this week, let’s be pragmatic about their impacts and the defender’s role.

They’ve determined that APT28, a politically-motivated Russian hacking group, used unpatched exploits in Flash Player and Windows in a series of assaults against a “specific foreign government organization” on April 13th. Patches for both flaws are either ready or on the way, but the vulnerabilities reinforce beliefs that APT28 is very skilled — less experienced groups would use off-the-shelf code.

via Russians are using undiscovered exploits to hack governments.

See you at RSA!

James @jdeluccia

How did China weaponize every citizen’s browser to DDoS censored content topics at GitHub


A Nation State modified its users’ web traffic to overload the deployed servers of a Silicon Valley start-up. The business, GitHub, allows businesses to store files online.

Why this matters…

This was done to take offline content that was against their censorship policies. Such an attack is possible against any business, service, or organization. It could be used for something as harmless as taking any website on the planet offline, but could also be applied to any critical infrastructure sensor and set of systems – think Internet of Things, nuclear power plants, 911 phone systems, etc ..

Cisco IoT graphic (link in article)

The business and nation state security implications are quite severe here. The reason for the attack was 2 types of content – the New York Times (banned in China) and information on bypassing the Chinese censorship firewall. Clearly these are not aligned with China’s leadership.

This attack was executed in the following manner: 

the attack was due to HTTP hijacking, and “a certain device at the border of China’s inner network and the Internet has hijacked the HTTP connections went into China, replaced some javascript files from Baidu with malicious ones that would load every two seconds.” Block code execution was also apparently used to prevent looping.

via GitHub suffers ‘largest DDoS’ attack in site’s history | ZDNet.
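An added example, not code from the original post, GitHub or ZDNet: a small Python detector that flags clients re-fetching one path at a near-constant interval, which is the traffic shape the injected two-second script described above would produce at the target. The log lines, paths and IP addresses are constructed for the example.

```python
# Added example (not from the original post): flag clients that fetch one path
# at a near-constant interval, the traffic shape the injected script above
# would produce. Log lines below are constructed, in combined log format.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2015:10:00:00 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2015:10:00:00 +0000] "GET /user/repo HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:10:00:01 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Mar/2015:10:00:02 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:10:00:03 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Mar/2015:10:00:04 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2015:10:00:05 +0000] "GET /user/repo HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:10:00:05 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Mar/2015:10:00:06 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:10:00:07 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2015:10:00:40 +0000] "GET /user/repo HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2015:10:01:10 +0000] "GET /user/repo HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ip, [timestamp], "METHOD path PROTO" from a combined-format access log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, path) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_periodic_clients(log_text, period=2.0, tolerance=0.5, min_hits=4):
    """Map (ip, path) -> mean gap in seconds for clients whose requests to one
    path all arrive within `tolerance` of `period` (at least `min_hits` hits).
    Normal browsing (irregular gaps, as for 192.0.2.9) is not flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, t, path = parsed
            hits[(ip, path)].append(t)
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged[key] = round(sum(gaps) / len(gaps), 2)
    return flagged
```

Calling `find_periodic_clients(SAMPLE_LOG)` flags the two clients polling `/greatfire/` every 2 seconds and leaves the ordinary browser alone; on real logs, feed the function the file contents and tune `period` to the interval observed in the injected script.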

Despite a good deal of articles, the mainstream media (WSJ, Bloomberg, etc.) and political response has been lacking compared to the response and support provided to Sony.

My true concern here is that this minor attack (only a few citizens of China are unknowingly having their traffic used to attack a small technology company) is an excellent BETA TEST for a full scale modification of all 1.4B Chinese citizens’ traffic against critical infrastructure (46% of the population was used for GitHub).

Other thoughts?

James

Bored w/ Security warnings? MRIs show our brains shutting down when we see security prompts

Ever find yourself just click click clicking through every message box that pops up? Most people click through a warning (which in the land of Web Browsers usually means STOP DON’T GO THERE!!) in less than 2 seconds. This seems to be due to habituation – basically, you are used to clicking, and now we have the brain scans to prove it!

What does this mean for you? Well, specifically, you won’t be able to re-wire your brain, but perhaps you can turn up the settings on your web browser so it does not allow you to connect to a site that has the issues your web browser is warning against. Simple – let the browser deal with it and take away one nuisance.

From the study:

The MRI images show a “precipitous drop” in visual processing after even one repeated exposure to a standard security warning and a “large overall drop” after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.

via MRIs show our brains shutting down when we see security prompts | Ars Technica. (photo credit Anderson, et al)

Don’t forget to check out – www.facebook.com/hntbh if you are looking for quick reminders. The book is coming along and chapter releases are (finally) coming in April!