FBI Paid Hackers To Help Unlock San Bernardino Shooter's iPhone

The professional hackers were paid a one-time fee by the FBI to help break into Syed Farook's iPhone. The FBI reportedly hired a group of professional hackers to help break into the San Bernardino shooter’s iPhone via a previously unknown software flaw in the device.

The information was used to develop hardware that helped the FBI unlock the iPhone’s four-digit password, the Washington Post reported. The method is only effective for a limited time. “The solution works only on iPhone 5Cs running the iOS 9 operating system,” said FBI Director James B. Comey.

Some security experts are requesting that the government disclose the issue to Apple so the company can patch the vulnerability. Last week, Comey said that “If the government shares data on the flaws with Apple, they’re going to fix it and then we’re back where we started from.” But he later said the agency is considering whether to disclose it or not. According to The Post, a process has been set up by the White House in which federal officials evaluate whether any security vulnerability is to be disclosed or not. Read the full story about the case in the Washington Post article.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


Securing the Weakest Link: Insiders

No longer is a hoodie-wearing malicious hacker the most obvious perpetrator of an inside cyber attack.

Massive, high-profile security breaches dominate today’s headlines and consumers are swamped with notifications from organizations entrusted with private and sensitive data. But, increasingly, I am convinced that security professionals and the majority of security vendors are too focused on the wrong things.

To many, it seems like the hoodie-wearing malicious hacker is the obvious enemy. We imagine that he (or she) has been waiting for the perfect opportunity to launch that magical zero-day exploit s/he’s been sitting on, just waiting for the perfect moment to strike. While this type of attack can happen, it isn’t the most common form of an attack that results in a breach; nor is it the biggest risk to your organization.

Let’s look at what defines an “insider.” An insider is any individual who has authorized access to corporate networks, systems or data. This may include employees, contractors, business partners, auditors or other personnel with a valid reason to access these systems.

Since we are increasingly operating in a connected fashion, businesses are more susceptible to insider threats than ever before. The volume of critical data in organizations is exploding, causing more information to be available to more staff. While this can boost productivity, it comes with inherent risks that need to be considered and mitigated, lest that privileged access be used against the organization.

Mitigating risk is all about identifying weak points in the security program. The weakest point in any security program is people; namely, the insider. Insider threats can be malicious; but more commonly, they are accidental. Insiders can have ill intent; they can also be manipulated or exploited, or they can simply make a mistake and email a spreadsheet full of client information to the wrong email address. They can lose laptops or mobile devices with confidential data, or misplace backup tapes.

These types of incidents are real and happen every day. They can lead to disastrous results on par with any major, external cyberattack. Traditionally, these threats are overlooked by most businesses because they are more concerned with the unknown malicious actor than the known staff member or business partner. Organizations are sometimes reluctant to take the steps necessary to mitigate these threats and share important data through a trusted relationship. They put little to no emphasis on implementing security controls for insiders.

Those of you who believe that you can count on employees as a line of defense in the organization, think again.

A recent SailPoint Technologies survey found that 27 percent of U.S. office workers at large companies would sell their work password to an outsider for as little as $1001. Many years ago (in a 2004 BBC News article), users were willing to trade passwords for chocolate bars. With employee engagement levels as low as 30 percent in some organizations, asking employees to be a part of the solution may be asking too much.

Given the current insider situation, attackers need not resort to elaborate attack methods to achieve their objectives. A 2016 Balabit survey indicates that the top two attacker techniques are social engineering (e.g., phishing) and compromised accounts from weak passwords.

There are a number of ways that insiders can cause damage. In some cases, they are coerced by an outsider to extract data. This is common when organized crime is involved. In other cases, legitimate user access is used to extract data, but the user’s real credentials have been compromised and don't trigger security alerts focused on malware, compliance policies and account brute-force attacks.

The good news is that organizations can do more now than ever before. Providers are responding with solutions that monitor email traffic, Web usage, network traffic and behavior-based pattern recognition to help detect who in the organization is trustworthy and who may be a risk. If a staff accountant is in the process of exporting customer data at 3 a.m., this behavior is flagged as anomalous and alerts security staff to a potential compromise. The employee that starts logging in later, leaving earlier and sending fewer emails to his manager may be disengaged or even disgruntled, and worth keeping an eye on. Although this is a murky area, HR can be a security advocate, identifying employees with discipline issues who could fit a risk profile.

While this may be a little “big brother” sounding in nature, some organizations may find this to be an appropriate way to mitigate the risks that come from insiders. Organizations without big security budgets still have some old-school mitigations available to them such as employee awareness programs, employee background and reference checks, and exit interviews to gather information about attitudes toward the company and insights into working conditions.

The clear lesson here is that organizations must look past the perimeter and know what is happening inside the network, in addition to what is happening outside.

The most likely enemy won't fit the stereotype: beware that the threat could very well come from within.

Philip Casesa is one of the leading voices representing (ISC)², often commenting on high-profile cyberattacks, breaches and important cybersecurity topics. His expertise has been featured in Security Week, CIO, CSO, GovInfosecurity, Dark Reading, eSecurity Planet, Health ...

How To Monetize Stolen Payment Card Data

The carding value chain relies not only on carders and buyers, but also on individuals who don't even know they're involved.

Bosses of the operations that turn stolen payment card data into cash have been known to take home as much as $1 million of profit in one year. One of the reasons they're so profitable: They scam and stiff thousands of the people who make the operation work.

In a new report today, Hewlett Packard Enterprise Security Research outlined the process and the players in this value chain. To monetize stolen payment card data, organized criminals buy goods and then sell them for cash. According to HPE, in nearly all cases, card data was stolen from US accountholders, goods were bought in the US from online retailers in the US, and goods were shipped to Russia via intermediaries located in the US.

Beneath the bosses leading the operation is a network of administrators, "stuffers," and "drops," mostly managed via the Web. More specifically:

Admins notify "stuffers" about what goods need to be purchased and, sometimes, what retailers they should be purchased from. Walmart, BestBuy, AT&T, Sprint, and Verizon were popular choices.

Stuffers, located in the US, buy goods online -- a wide variety of products ranging from electronics, to nutrition products, to toys, to rifle scopes. Stuffers are paid a 25% to 40% cut, depending upon the item.

The stuffers have the goods shipped to "drops," located in the US.

Admins purchase labels from fraudulent shipping label services that forge labels for legitimate parcel delivery services like FedEx, UPS, and the US Postal Service.

Admins send the labels to drops.

Drops repackage goods with fraudulent labels and reship goods to Russia, using legitimate delivery services.

The drops do not know that the items were bought illegally or that the shipping labels are fraudulent. The drops were often "recruited" -- or, more accurately, scammed -- through social media advertising "work from home" opportunities that required no special skills but promised base salaries of as much as $2,500 per month. However, the drops are almost never paid at all, according to the report. In fact, the admin's workflow software includes a system for tracking when drops sign up, quit, and become "dangerous" -- meaning they're expected to quit soon when they realize they are never going to see a dime for their reshipping efforts.

Adding insult to injury, when drops sign up, they are convinced to submit a host of personal information -- including scans of government-issued IDs and proof of address -- as part of their "onboarding" process for the job. From the report:

Recruiters find it more cost effective to recruit new drops from those looking for a "work from home" opportunity than to actually maintain and pay drops on an ongoing basis. This practice has the added benefit of isolating the most exposed part of the operation from the rest of the organization. Drops are exposed to very little if any of the true organization. ... It's important to understand that drops are not a part of the organization; rather, they are as much a victim as others in the types of fraud schemes targeting human assets for exploitation.

Admins and stuffers, however, are key members of the organization.

Admins manage the day-to-day technical functions of the Web interface through which business is conducted -- including taking orders for the products Russian buyers want, notifying stuffers about what those products are, connecting stuffers with drops, and tracking packages. The operability and user interfaces of different re-shipper sites are so similar that researchers believe that these different operations must use the same software developers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Dark Reading Radio: Advancing Your Security Career

Join us for a fascinating discussion Wednesday on key trends and opportunities in the rapidly evolving world of cybersecurity.

Whether you're an experienced security professional in today's skills-starved market or a newbie looking for your first job, you have many options for improving your prospects -- from increasing your salary by improving your credentials, to finding a new position at another company, or becoming an independent bug bounty hunter who searches for security vulnerabilities and responsibly discloses them to a company's security team.

In our next Dark Reading Radio show, Wednesday, April 13 at 1:00 p.m. EDT/10:00 a.m. PDT, we’ll take a look at the range of opportunities in today’s hot cybersecurity market and discuss the variety of career options to consider based on your individual interests, skills, experience, and industry-specific talents. Our guests include:

Kymberlee Price, senior director of researcher operations, Bugcrowd, where she pioneered the first security researcher outreach program in the software industry. Prior to that, Kymberlee analyzed APTs at Microsoft, and spent four years investigating product vulnerabilities in BlackBerry's Security Response Team.

Levi Gundert, vice president, threat intelligence, Recorded Future. Before joining the startup Recorded Future, Levi was VP of cyber threat intelligence at Fidelity Investments and technical leader for Cisco's Threat, Research, Analysis and Communications (TRAC) team.

Owanate Bestman, a technical security recruiter in the cyber and information security division of Barclay Simpson, an international corporate governance recruitment firm.

In a broad-based discussion, our panel will share their own career stories, then discuss evolving trends in information security careers, from traditional roles in enterprise security to new titles and concentrations like cyber threat analyst, security software and infrastructure developers, cloud security specialists, and cybersecurity/IT auditors.

Other topics we’ll explore:

What are the most in-demand skills?
What are the hottest markets?
Startup versus established company?
Specialist or generalist?
How do you choose the best career path for your skills?
On the job training, certifications, or college degree?
What is the standard career path today, or is there one?
How do you develop a road map?
What soft skills and management experience will you need to advance in an organization?
What impact will new technologies like machine learning and big data have on the security job market?

I hope you'll join our show and bring your insights and opinions to the conversation. You can post your comments and questions below or take them with you to the Dark Reading Radio studio on Wednesday, where you can participate directly through online chat. Please note, you’ll need to register for the broadcast to participate. I look forward to seeing you there. But if you can't make it, please check out the broadcast and live chat from our Dark Reading Radio archives.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

'Panama Papers' Law Firm: We Were Hacked

Founding partner of Mossack Fonseca tells Reuters his firm was a victim of an external hacker who leaked its data.

In the latest twist in the historic "Panama Papers" data leak and scandal, the founding partner of the law firm whose files were dumped, exposing illicit offshore holdings of global political leaders, celebrities, and others, says his firm was hacked by an outsider.

Ramon Fonseca, founding partner of Panama-based Mossack Fonseca, yesterday reportedly denied any wrongdoing by his firm in the wake of the leak of the law firm's 11.5 million documents.

The International Consortium of Investigative Journalists (ICIJ) on Monday published a report based upon a yearlong study of some 2.6 TB of leaked data, mostly emails. The epic leak exposed illegal practices used to mask wealth and evade taxes, and has resulted in the resignation of Iceland's prime minister, while exposing dealings of friends and associates of Russian President Vladimir Putin, and associates and relatives of several other national leaders, including China's President Xi Jinping.

Fonseca said he has filed a complaint with the Attorney General, according to Reuters. He said his firm did nothing illegal and didn't destroy documents or aid in any tax evasion or money-laundering activity.

"We rule out an inside job. This is not a leak. This is a hack," Fonseca said. "We have a theory and we are following it," he told Reuters.

Fonseca says the emails "were taken out of context," and that the publicity surrounding the leak is basically sensationalized journalism.

"The only crime that has been proven is the hack," Fonseca said. "No one is talking about that. That is the story."

Meantime, speculation has run high over just how the breach occurred and why. See the full Reuters report for more details on Fonseca's claims.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Donald Trump's Hotel Chain Hacked Again: Report

Hotel chain reportedly faces yet another breach in less than a year.

US Republican presidential candidate and businessman Donald Trump's chain of luxury hotels may have suffered another data breach of its customer payment information, according to a KrebsOnSecurity report. Trump's organization is currently probing the claims.

“We are in the midst of a thorough investigation on this matter. We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly,” the organization said in a statement provided to KrebsOnSecurity.

According to the sources in the article, fraudulent patterns on customer credit cards indicate that hotel customers' credit card information had been breached at some and possibly all of Trump's hotel chain locations.

This is the second time Trump's luxury hotel properties have been hit by card breaches. In July of last year, KrebsOnSecurity reported a potential breach of the credit card information system at Trump properties, which the Trump Hotel Collection officially confirmed in October. Read the complete KrebsOnSecurity report here.


Hacker 'Guccifer' Extradited To US

Romanian man accused of breaching several high-profile online accounts, including those of two former US presidents, faces multiple hacking charges.

Romanian cybercriminal Marcel Lehel Lazăr, 44, aka Guccifer, who was indicted for unauthorized access to protected computers, identity theft, and various cyberattacks, has been extradited from Romania to the US.

“Mr. Lazar violated the privacy of his victims and thought he could hide behind the anonymity of the Internet,” said US Attorney Dana J. Boente of the Eastern District of Virginia. “No matter where they are in the world, those who commit crimes against US citizens will be held accountable for their actions, pursued by our investigators and prosecutors and brought to justice.”

Guccifer faces charges for nine US cases: three of wire fraud, three of unauthorized access to protected computers, and one each in identity theft, cyberstalking, and obstruction of justice.

According to the accusation, from December 2012 to January 2014, Lazăr broke into the online accounts of high-profile victims, including former members of US government and their families, and publicly released their personal information and photographs. He is also accused of impersonating a victim after compromising the victim’s account in July and August of 2013.

The FBI’s Washington Field Office, the DSS, and the US Secret Service, in association with the Romanian National Police, are probing this case. For more information on the case, read this DOJ release.


In Brief: The Unusual Suspects — DeMystifying Attack Groups

Sponsored: Colin McKinty, vice president of cybersecurity strategy, Americas, for BAE Systems joins Brian Gillooly at the RSA Conference to talk about how knowledge of your adversary -- and knowing that they are, after all, just fallible human beings ...

New Portal Launched For ICS/SCADA Threat Intelligence-Sharing Among Nations

The East-West Institute teamed up with the US ICS-ISAC to create a platform for critical infrastructure operators worldwide to share threat data.

In the aftermath of the unprecedented cyberattack that led to a blackout in Ukraine last December, members of the US ICS-CERT team flew to Kiev to get debriefed by their Ukrainian counterparts. It was both a crucial information-gathering trip and a reality-check for US critical infrastructure operators, according to US Department of Homeland Security officials, that such an attack could be pointed at power grids anywhere in the world.

The Ukraine power grid attack--although obviously targeted--“punctuated” the global nature of cyber threats in the ICS/SCADA community, says Chris Blask, chair of the ICS-ISAC, the US-based industrial control system/SCADA threat intelligence-sharing group.

Connecting power utilities and other critical infrastructure operators all over the world is the latest weapon in protecting these systems: a new portal launched this week by the ICS-ISAC and the nonprofit East West Institute (EWI) lets the critical infrastructure sector share and gather information from their counterparts in other nations.

The EWI Information Sharing Community portal is based on the Facebook At Work collaboration platform, and initially is being used for sharing threat information, best practices, lessons learned, and other information. It ultimately will be built out to share more sensitive threat intel including indicators of compromise such as malware markers or malicious IP addresses associated with an attack suffered by a power plant, for example.

“It’s [about] global situational awareness,” Blask says. “If something happens, you have a space where you can reach out and have people help ... as opposed to Google [searches] and a phone call.”

Blask says while groups such as the ICS-ISAC are open to international members, it’s still a US-based entity, so the new portal backed by EWI provides a more global connection for ICS/SCADA operators and interests.

“They are using this platform for building [online] groups and communities,” he says, and ultimately, it will be built out for real-time, machine-readable threat intel feeds via the STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) protocols, he says.

A few hundred users have signed up so far, and the portal includes public and private areas, much like other threat intel-sharing portals. Among the early adopters are law enforcement groups, ICS vendors and ICS operators, and research and academic institutions, from around the world.

“We started with the premise that we might have a better chance at securing critical infrastructure individually if we looked at it globally,” says Tom Patterson, chair of a group on strengthening critical infrastructure resilience and preparedness that launched the initiative. “We got great response from all over the world ... It encouraged us to create a global information exchange in a trusted forum. It’s a way for them to share information among themselves on threats and counter-measures.”

Patterson, who is vice president and global security leader for Unisys, says the EWI Information Sharing Community is not technically a global ISAC or ISAO for ICS/SCADA, but more of a place for public and private sector operators of critical infrastructure, different nations' ISACs, and government agencies to collaborate.

Kenya’s ICT Secretary at its Ministry of Information Communication and Technology said in a statement that her nation plans to participate. "Kenya is taking an active role in addressing cybersecurity risks. We welcome this opportunity to share lessons learned with others in the global critical infrastructure community,” ICT secretary Katherine Getao said.

The ICS-ISAC has set up a registration page for the new portal.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...