IBM has claimed that sophisticated criminals are responsible for 80 percent of cyber attacks, and that kids and amateurs probably account for the remaining 20 percent.
The IBM X-Force Threat Intelligence Quarterly 4Q 2015 (PDF) described this 20 percent as “script kiddies”, claiming that their attacks reveal their amateurishness. The other 80 percent, however, are not messing about, and they are able to carry out some catastrophic and expensive hacktrocities.
“The script kiddies scour the internet for ‘low hanging fruit’, the servers that can be compromised quickly and easily, and they use them for a limited time to send spam and scan other servers on the internet,” said the report.
“Or they deface the website and move on to other targets once they are discovered. These script kiddies give little thought to covering their tracks.
“In contrast, stealthy attackers might gain access to a system by exploiting the same vulnerability as the script kiddies, but they use a far more sophisticated combination of commercial tools, malware/rootkits and backdoors to increase their access level on the client’s network and compromise additional systems over several weeks of expansion.”
There is plenty to worry about, naturally, and IBM has plenty of things to spook us with. The report starts by saying that 2015 has been the year of ransomware. The FBI has already reported that such attacks have netted criminals $18m over the period, and it expects the problem to extend into 2016.
Take a look around your office before you read alert number two. This is the insider danger. The report said that this trend has played out since 2014, and that 55 percent of all attacks in 2015 were down to insiders, or at least people with inside information.
Perhaps as a result of this – we are not data analysts – IBM has also seen an increase in boardroom involvement and spending. Some 88 percent of respondents to a survey said that their relevant budgets had increased over the period.
Swedish bank Swedbank has had its website taken offline by hackers after suffering a distributed denial of service (DDoS) attack on Friday.
Details remain thin on the ground, but the attack means that customers are unable to carry out online transactions or contact the bank through its website.
The site is still down, and the bank admitted to CBR that, while it probably knows who is behind the attack, “our method to cope with it hasn’t really succeeded yet”.
There’s no word as to when the website will be back up and running, but the bank has confirmed that its mobile applications are still working.
This isn’t the first time that Swedbank has fallen victim to hackers. The company admitted in a statement given to Reuters that this was the second attack in as many months, and – clearly not very confident in its own security – that it will probably happen again.
“The website was also hit by a hacker attack in October. It is not the first time and it will probably not be the last,” a spokesperson said.
News of the attack on Swedbank, which also operates in Estonia, Latvia and Lithuania, comes just hours after encrypted email company ProtonMail admitted that it had also been struck by a major DDoS attack.
ProtonMail said that, in a bid to get back to business, the company “grudgingly agreed” to pay the attackers 15 bitcoins, or about $6,000, to stop the attack.
However, after handing over the cash, ProtonMail said that the DDoS attack, which was “unprecedented in size and scope”, continued, although it appears to have now stopped.
ProtonMail warned that the costs involved in avoiding another such attack are crippling and could put the firm out of business.
The resumption of Dridex activity confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it is sometimes difficult to completely shut down their operations.
The U.S. Department of Justice said on Oct. 13 it was seeking the extradition of a 30-year-old Moldovan man, Andrey Ghinkul. Prosecutors allege he used Dridex malware to steal $10 million from U.S. companies and organizations.
Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts.
The U.S. and U.K. said the Dridex botnet — or the collection of computers infected with the malware — had been disrupted following their operations.
Two weeks before the DOJ’s announcement, Palo Alto Networks wrote that it noticed a drop in Dridex activity but that it resumed again around the start of October.
Often, those employing Dridex tricked people into downloading it by sending spam emails with malicious links or attachments, such as XML files and Microsoft Office documents.
Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog.
He wrote that there appear to be more files labeled as Dridex on VirusTotal, a repository of malware samples. Although some of the samples could be mislabeled, the trend backs up what Palo Alto noticed.
“Plenty of us are seeing Dridex malspam on a near-daily basis now,” Duncan wrote.
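The carriers named above (Office documents and XML files carrying a malicious payload, delivered as spam attachments) are the kind of thing a mail gateway can triage before a user ever opens them. The following is an added example, written for this page rather than taken from Palo Alto Networks, Rackspace or the Internet Storm Center, that applies three checks a practitioner would want: the OLE2 compound-file header of legacy .doc/.xls files, a `vbaProject.bin` part inside an OOXML zip (which marks a macro-enabled document even when the extension says .docx), and a base64-encoded OLE2 object inside a Word 2003 XML `w:binData` element. The sample attachments, file names and the specific heuristics are the editor's own constructions, not real Dridex samples.

```python
"""Triage e-mail attachments for the carriers used by Dridex-style malspam.

Added example, not code from the page or from any vendor cited on it.
Assumptions: attachments arrive as (filename, bytes) pairs; the checks
below are the editor's own heuristics, not a vendor's detection logic.
"""
import base64
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) is a zip
# Word 2003 XML stores binary parts as base64 inside <w:binData w:name="...">
BINDATA_RE = re.compile(rb"<w:binData[^>]*>(.*?)</w:binData>", re.S)
EXECUTABLE_EXTS = (".js", ".vbs", ".exe", ".scr", ".bat", ".cmd")


def _ooxml_has_macros(data: bytes) -> bool:
    """True if the zip carries a VBA project part (macro-enabled package)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def _xml_embeds_ole(data: bytes) -> bool:
    """True if any binData blob decodes to an OLE2 container (embedded object)."""
    for blob in BINDATA_RE.findall(data):
        try:
            decoded = base64.b64decode(b"".join(blob.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(OLE_MAGIC):
            return True
    return False


def triage_attachment(name: str, data: bytes) -> list:
    """Return the reasons this attachment deserves detonation; empty list = nothing seen."""
    reasons = []
    lower = name.lower()
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE2 Office container; may carry VBA macros")
    elif data.startswith(ZIP_MAGIC) and _ooxml_has_macros(data):
        reasons.append("OOXML package contains vbaProject.bin (macro-enabled)")
        if lower.endswith((".docx", ".xlsx", ".pptx")):
            reasons.append("macro-free extension hides a macro-bearing package")
    elif data.lstrip().startswith(b"<?xml") and _xml_embeds_ole(data):
        reasons.append("Word 2003 XML with embedded OLE2 object in binData")
    if lower.endswith(EXECUTABLE_EXTS):
        reasons.append("directly executable attachment type")
    return reasons


def triage_mailbox(attachments) -> dict:
    """Run triage over (name, bytes) pairs and return {name: reasons} for hits only."""
    hits = {}
    for name, data in attachments:
        reasons = triage_attachment(name, data)
        if reasons:
            hits[name] = reasons
    return hits


def _build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed samples standing in for real malspam attachments (not Dridex files).
SAMPLES = [
    ("invoice_4471.docx", _build_ooxml(with_macros=True)),
    ("quarterly_report.docx", _build_ooxml(with_macros=False)),
    ("remittance.doc", OLE_MAGIC + b"\x00" * 504),
    ("order.xml", b'<?xml version="1.0"?><w:wordDocument xmlns:w="urn:x">'
                  b'<w:docOleData><w:binData w:name="editdata.mso">'
                  + base64.b64encode(OLE_MAGIC + b"\x00" * 8)
                  + b"</w:binData></w:docOleData></w:wordDocument>"),
    ("notes.xml", b'<?xml version="1.0"?><note>nothing to see</note>'),
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The extension check matters as much as the magic bytes: Word will refuse to save macros into a .docx, so a .docx that contains `vbaProject.bin` was renamed on purpose. Anything flagged here is a candidate for a sandbox run, not a verdict; a clean result only means none of these three carriers was used.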
Data hacked from Experian is already on sale on the dark web and is available for grabbing by bad actors, phishers, malware writers and ID thieves.
Security firm Trustev is credited with the dark web discovery, although it is very possible that the underworld got to it first. Trustev and the internet are calling the dump a “fullz”, underground slang for a complete set of identity records (name, date of birth, address, Social Security number and the like) that is enough to open accounts in the victim’s name.
T-Mobile customers make up a chunk of the potentially affected 15 million victims. The firm’s CEO, John Legere, went ballistic about what happened.
“We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach,” he said in a statement.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously.”
Experian has also gone public on this with a statement on its website, and has, perhaps ironically, offered to help victims sort their credit lives out.
“Experian North America today announced that one of its business units, notably not its consumer credit bureau, experienced an unauthorised acquisition of information from a server that contained data on behalf of one of its clients, T-Mobile USA,” the statement said.
“The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from 1 September 2013 through 16 September 2015, based on Experian’s investigation to date. This incident did not impact Experian’s consumer credit database.”
The agency said that it acted quickly to fix the problem once it was discovered, and immediately told the authorities and began an investigation into the hows and the whys.
It is the crown jewels of data that has been lost. Experian fessed to a breach of “names, dates of birth, addresses and Social Security numbers and/or an alternative form of ID like a driver’s licence number, as well as additional information used in T-Mobile’s own credit assessment”.
Experian added that no payment card or banking information was lost to the hackers.
Affected punters are being contacted and will be offered credit services, including two years of credit monitoring (although this may have lost some of its shine), and some identity protection services through its own ProtectMyID service.
Experian recommended that these services are embraced. “Although there is no evidence to-date that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services,” the firm said.
Craig Boundy, CEO of Experian North America, took the opportunity to apologise and remind people that the company takes privacy very seriously.
The company confirmed that it suffered a security breach over a period of several months from late 2013 to early 2014, affecting approximately 4.6 million customers. But in a statement, Scottrade said it had no idea that the breach had occurred until law enforcement officials told them about it.
The FBI notified Scottrade of the breach in August but asked that the company hold off on disclosing the attack until it had wrapped up another part of its investigation. The company was cleared to disclose the breach at the end of last week and began informing customers last Friday.
To its credit, Scottrade said that it believes attackers obtained only clients’ names and street addresses, not the Social Security numbers, email addresses and other sensitive data stored in the compromised system. According to the company, the attackers didn’t compromise Scottrade’s trading platforms, and clients’ funds were untouched.
People who had a Scottrade account prior to February 2014 may have been affected by the breach. Those people who Scottrade knows were affected will be notified of that by email. The company isn’t suggesting that users change their passwords, since it believes that they remained encrypted during the attack. How much comfort that offers depends on how the credentials were protected: a properly salted hash is a different proposition from reversible encryption whose key sat on the same compromised system, and anyone who reused that password elsewhere loses nothing by rotating it.
As is expected in these sorts of cases, Scottrade is offering affected customers a free year of identity theft protection. It’s not clear how much good that will do, since the data was taken more than a year ago, but offering that sort of service is something consumers expect from a breach response at this point.
Looking forward, the company said that it has secured the intrusion point the attackers used to get into its systems, and conducted an internal investigation with the help of an unnamed computer security firm. The company also said that it has further secured its network.
The Hilton organization is reportedly trying to work out whether it has been hacked and, if so, what it should do about it.
We say reportedly as we have not been able to contact Hilton ourselves and can rely only on reports. They are pretty solid reports, however, and they concern a problem at the company that happened between 21 April and 27 July.
Brian Krebs, of KrebsOnSecurity, started this off with a report about a payment card breach. Krebs said that he had heard about the breach from various sources, and that Visa – the card provider – has mailed potentially affected parties with a warning, and the news that it is the fault of a bricks and mortar company.
Visa did not name the company, but affected parties, or banks to be more precise, have uttered it to Krebs. Its name is Hilton.
“Sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” he wrote.
“It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.”
Krebs has a statement from the Hilton organisation in which the firm defended its security practices, and revealed that it is aware of the potential problem and is looking into it. This is a common theme among the breached, and should soon become part of mission statements.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” said the company in the statement to Krebs.
“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
We have asked Visa and Hilton for their comments.
“Mimecast experienced malicious traffic from multiple IP addresses, targeting its U.S. network. This resulted in service disruption for U.S. customers,” Mimecast Chief Executive Peter Bauer said in a statement on Tuesday.
The statement said that service had returned to normal and that the attack appeared to be limited to disruption of email service for its clients.
The company declined comment when asked who was behind the attack or if law enforcement was investigating. An FBI spokeswoman said she had no immediate comment.
Mimecast’s customers include software maker NetSuite Inc, advertising and marketing giant Omnicom Group Inc, Bon Pan restaurant chain, the Boston Celtics basketball team and the Cleveland Indians baseball team.
Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company has disclosed.
The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.
The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.
Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.
The information was encrypted, but the attackers gained administrative privileges on the IT systems, which would have let them read it anyway, the company said on a website set up to provide information about the incident. Encryption at rest only protects data from someone without access to the running system and its keys; an attacker with administrative rights on that system generally has both.
No evidence has been found yet that the data was copied or misused by the attackers.
Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.
The company will not contact affected individuals via email or telephone, so any emails or phone calls claiming to be from the company in regard to this attack should be ignored as they are probably scams.
The incident comes after three other Blue Cross Blue Shield health insurers — Anthem, Premera and CareFirst — announced large data breaches this year as a result of cyberattacks.
Excellus said that it doesn’t have sufficient information about the Anthem, Premera and CareFirst investigations in order to comment about possible connections between those attacks and the one against its own systems.
For most users, the only option to get rid of the malware is to reset the phone to its factory settings, which unfortunately also deletes all the data on the device.
The malware calls itself “Porn Droid” and bills itself as a viewer for adult content. It has been seen only on third-party Android application marketplaces or forums for pirated software, wrote Lukas Stefanko, an ESET malware analyst.
But after it’s installed, users see a warning supposedly from the FBI that they’ve allegedly viewed “prohibited pornography.” It asks for a $500 fine to be paid within three days.
To change the device’s PIN, Porn Droid needs device administrator privileges on the phone, the same Android mechanism that legitimate mobile device management apps use to enforce lock screens and wipe devices. Stefanko wrote that the malware uses a new method to obtain that high level of access.
When Porn Droid runs, it asks people to click a button. “After clicking on the button, the user’s device is doomed,” Stefanko wrote. “The Trojan app has obtained administrator rights and now can lock the device. And even worse, it sets a new PIN for the lock screen.”
Other kinds of Android malware locked the screen by keeping the ransomware warning in the foreground using an infinite loop. But that could be remedied by using the Android Debug Bridge (adb) command-line tool, or by deactivating admin rights in Safe Mode, according to Stefanko.
In the case of Porn Droid, if someone tries to deactivate the admin privileges, the malware uses a call-back function to reactivate them, Stefanko wrote.
The malware is also coded to try to shut down three mobile antivirus products: Dr. Web, ESET’s Mobile Security and Avast.
More advanced users may be able to get rid of Porn Droid without resetting and erasing all data on their phone. It is possible to remove the malware if a user has root privileges to the device, and some security software can stop it, Stefanko wrote.
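The first question a responder asks about a locker like this is which package holds device administrator rights and what policies it was granted, because a PIN-changing locker needs both `force-lock` and `reset-password`. On a device with adb access that list comes from `adb shell dumpsys device_policy`. The following is an added example, not code from ESET or from the page, that parses such a dump and flags non-allowlisted admins holding that pair of policies. The dump text is constructed to approximate the real `dumpsys device_policy` layout (component name, then an indented `policies:` block), the package names are invented, and the allowlist of trusted MDM packages is an assumption a real deployment would fill in from its own inventory.

```python
"""Flag rogue Android device admins from a `dumpsys device_policy` dump.

Added example for this page, not ESET's or the page's own code.
Assumptions: the dump follows the indentation shape shown in SAMPLE_DUMP
(an approximation of real dumpsys output); package names are invented.
"""
import re

# A device-admin component line looks like "    com.pkg/.Receiver:" in the dump.
COMPONENT_RE = re.compile(r"^\s+(?P<pkg>[\w.]+)/(?P<cls>\S+):\s*$")
# The two policies a PIN-changing screen locker needs.
LOCKER_POLICIES = {"force-lock", "reset-password"}


def parse_device_admins(dump: str) -> dict:
    """Map 'pkg/cls' -> set of policy tags declared by each enabled admin."""
    admins = {}
    current = None
    in_policies = False
    policies_indent = 0
    for line in dump.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            current = f"{m['pkg']}/{m['cls']}"
            admins[current] = set()
            in_policies = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "policies:":
            in_policies = True
            policies_indent = indent
            continue
        if in_policies:
            if stripped and indent > policies_indent:
                admins[current].add(stripped)   # one policy tag per deeper line
            else:
                in_policies = False             # back out of the policies block
    return admins


def find_rogue_lockers(dump: str, trusted_packages) -> list:
    """Return [(component, sorted policies)] for admins that can lock and reset
    the PIN but are not on the organisation's MDM allowlist."""
    findings = []
    for component, policies in parse_device_admins(dump).items():
        pkg = component.split("/", 1)[0]
        if pkg in trusted_packages:
            continue
        if LOCKER_POLICIES <= policies:
            findings.append((component, sorted(policies)))
    return findings


# Constructed dump: shape approximates `adb shell dumpsys device_policy`.
SAMPLE_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.corp.mdm/.AdminReceiver:
      uid=10077
      policies:
        limit-password
        force-lock
        reset-password
        wipe-data
      passwordQuality=0x50000
    com.pornviewer.app/.LockerAdmin:
      uid=10184
      policies:
        force-lock
        reset-password
      passwordQuality=0x0
    com.example.mail/.EmailAdmin:
      uid=10031
      policies:
        limit-password
        watch-login
      passwordQuality=0x0
"""
TRUSTED_PACKAGES = {"com.example.corp.mdm"}   # assumed allowlist

if __name__ == "__main__":
    for component, policies in find_rogue_lockers(SAMPLE_DUMP, TRUSTED_PACKAGES):
        print(f"rogue device admin: {component} policies={policies}")
```

The corporate MDM in the sample holds the same two policies, which is why an allowlist is needed rather than a policy check alone. Identifying the admin does not remove it: as the article notes, this family re-activates itself when deactivation is attempted, so the finding tells you what to remove once you have root, Safe Mode or a factory reset, not a way around that step.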
NIST has funded a number of companies to make touchless fingerprint readers possible, and is creating a framework for evaluating possible technologies for widespread use.
Touchless fingerprint readers could be particularly useful for quickly identifying large numbers of people, such as a queue entering a controlled facility, NIST contends. Germaphobes would also appreciate the technology, as they would not have to touch potentially germy fingerprint readers to gain access to their computers.
In the past decade, NIST, which recommends specific standards across a wide range of industries, has been instrumental in establishing a technological baseline for standard fingerprint readers, which are now being increasingly used in computers and other devices requiring stringent techniques to identify users.
Now the agency wants to duplicate that success with contactless readers.
Companies such as 3M and MorphoTrak have developed prototype contactless readers with the help of NIST funding. NIST is also looking to fund additional companies to develop other models.
Contactless readers, in theory, would produce clearer images than those captured by mashing a human digit onto a fingerprinting surface, which distorts the friction ridges of a finger.
Capturing the fingerprint from a distance, however, requires a different set of technologies than those used by standard fingerprint readers. New sensing technologies must be developed as well as new algorithms to capture the fingerprints against varying levels of background light.
While the companies work on building the prototypes, NIST is developing metrics for evaluating how well they work.
Working with the FBI, NIST is developing a set of requirements for how the technology should work across different product lines. Such work will set the stage for certifying contactless fingerprint readers for U.S. government and military use.
Cyber thieves are using Yahoo’s advertising network to make money in a bad way. Today’s tinned food and bottled water warning is that the Yahoo system we have come to love, and let inform our purchasing decisions, has a sickness, and that sickness is ruddy people tinkering with its security.
People, specifically hackers, are abusing the Yahoo advertising system to serve a poison known as malvertizing, according to a blog post by security firm Malwarebytes.
Malvertizing, a portmanteau of malware and advertising, is what you would expect: malicious code smuggled into a legitimate ad network’s inventory, so that a booby-trapped advert loads on an otherwise trustworthy site and silently sends the browser on to an exploit kit.
Jérôme Segura, a senior security researcher at Malwarebytes, said that it is a rather significant threat, and a rather recent one.
“June and July have set new records for malvertizing attacks. We have just uncovered a large-scale attack abusing Yahoo’s own ad network,” he said.
“As soon as we detected the malicious activity, we notified Yahoo and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at this time.”
Segura said that the Yahoo network has a lot of traffic, quoting 6.9 billion visits a month, and that the threat presented to users is a sneaky and silent one.
“Malvertizing is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain,” he added.
“The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.”
Segura explained that the firm had worked closely with Yahoo on nixing the problem and Yahoo confirmed this in a statement.
“Yahoo is committed to ensuring that our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue,” it said.
“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience.”
The Social Security numbers and credit card information of up to 6,000 University of Connecticut students, faculty and others may have been stolen by cyberhackers from China, the university said on Friday.
Officials detected a potential breach of the School of Engineering’s network in March, and an investigation uncovered that hackers may have gained access to it as early as September 2013, spokesman Tom Breen said.
He said 6,000 students, faculty, alumni and research partners of the school were notified that their personal information may have been compromised.
“The breach is far more extensive, could impact many more accounts and started much earlier than we originally believed,” said Breen. “There is no way at the present time to determine the exact number of accounts hacked,” he added.
Breen said the hack has been traced to China “based on the type of cyber-attack that was launched, and the software used.” He added that the FBI and several state agencies have been notified. The university said it was also taking steps to secure its systems.
The National Security Agency has said that it will end its access to most bulk data collected under a controversial surveillance program in November, but keep records for litigation purposes.
The office of the Director of National Intelligence said in a statement that the bulk telephony data — the subject of leaks by former intelligence contractor Edward Snowden which shocked many in the US and abroad — would be destroyed “as soon as possible” to comply with a law passed by Congress in early June.
The statement said that during the 180-day transition period required under the USA Freedom Act, “analytic access to that historical metadata… will cease on November 29, 2015.”
But it added that “for data integrity purposes,” NSA will allow technical personnel to continue to have access to the metadata for an additional three months.
The NSA must preserve bulk telephony metadata collection “until civil litigation about the program is resolved, or the relevant courts relieve NSA of such duties.”
The data kept for litigation “will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata on expiration of its litigation preservation duties.”
Law enforcement agencies from 20 countries collaborated to cripple a major computer hacking forum, and U.S. officials filed criminal charges against a dozen people associated with the website, the U.S. Department of Justice announced.
Darkode.com is now displaying a message saying the site and domain had been seized by the FBI and other law enforcement agencies.
Darkode, a password-protected online forum for criminal hackers, represented one of the gravest threats to the integrity of data on computers across the world, according to David Hickton, U.S. attorney for the Western District of Pennsylvania. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”
Five of the defendants face charges in Hickton’s district.
Darkode allowed hackers and other cybercriminals to sell, trade and share information and tools related to illegal computer hacking, the law enforcement agencies alleged.
Before becoming a member of Darkode, prospective participants were allegedly vetted through a process that included an invitation by a member, the DOJ said in a press release. The prospective member then pitched the skill or products he or she could bring to the forum.
Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware, the DOJ said.
The takedown of the forum and the charges announced Wednesday came after the FBI’s infiltration of Darkode’s membership.
Congress must pass a new wiretap law that requires social media websites and operators of other Internet communication tools to share customers’ communications with law enforcement agencies the same way that telecom carriers do, Michael Steinbach, assistant director of the FBI’s Counterterrorism Division, said Wednesday.
Congress should use the Communications Assistance for Law Enforcement Act (CALEA) as a model for new rules focused on Internet-based communications, Steinbach told the U.S. House of Representatives’ Homeland Security Committee. His comments build upon the FBI’s call in recent months to expand CALEA to Internet communications tools. Agency Director James Comey first called for a CALEA rewrite to cover encrypted mobile phone data last October.
CALEA requires telecom carriers and equipment vendors to build wiretap capabilities into their products or networks, and critics have accused the FBI of wanting Congress to mandate encryption backdoors in technology products. But the FBI isn’t asking for backdoors, Steinbach said.
“We’re not talking about large-scale surveillance techniques,” he said. “We’re not looking at going through a backdoor or being nefarious; we’re talking about going to the company and asking for their assistance.”
Instead, the FBI wants access to stored or ongoing Internet communications after it shows evidence of criminal or terrorist activity and gets a court order, he said. The FBI needs help from Congress and from communications providers to make that happen, Steinbach said.
“We understand privacy,” he said. “Privacy above all other things, including safety and freedom from terrorism, is not where we want to go.”