8.7 C
London
Wednesday, September 20, 2017
Home Tags Digital Guardian

Tag: Digital Guardian

Firm wipes down password DB after hackers muscle in Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords. In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter.

The 1x0123 hacker crew later claimed that they planned to sell off the compromised database through underground markets. PayAsUGym apparently used the obsolete MD5 hashing technology, making it straightforward to work out the corresponding passwords using a brute force attack and dictionary lookups. Troy Hunt, the security researcher behind the haveibeenpwned breach notification website, warned over the weekend that “PayAsUGym data appears to be circulating with “more than 400k unique emails in there for UK customers”. Hunt reposted a notice that admitted email addresses and passwords might have been breached. PayAsUGym, which says that it doesn’t store credit card numbers, has reset user passwords. Password reuse is always a bad idea.

Those users who their PayAsUGym password at other sites are particularly exposed to so-called credential-stuffing attacks, where hackers try passwords exposed at one site at other sites. Luke Brown, VP and GM EMEA at Digital Guardian, said: “It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks. “This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts.
Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information,” he added. PayAsUGym offers flexible access to day passes, fitness classes and no-contract membership at over 2,200 UK gyms.

The firm is yet to respond to a request from El Reg to confirm the number of breached records. ® Sponsored: Next gen cybersecurity.
Visit The Register's security hub
Brazen hackers actually accepting credit card payments Hackers have unleashed a strain of scammer that activates on compromised computers when it encounters filenames containing strings that have been associated with child abuse clips and images. Ransoc kicks in when it finds potential "evidence" of child abuse material or media files downloaded via torrents on the targeted machine.

The malware will then customise the penalty notice threatening the victim with fake legal proceedings if he fails to pay the ransom, security firm Proofpoint reports. The malware scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information.

This info is used to put together a more convincing "pay up, or else" customised penalty notice featuring genuine information captured from Skype and social media profiles, including profile photos. Scammers threaten to expose the collected "evidence" publicly unless their extortionate demands are met. Unlike most ransomware variants, the target here is the victim's reputation rather than his or her files, which are not encrypted. Crooks behind the scam demand payment via credit card rather than harder-to-trace digital currency. "Credit card payment is almost unheard of in ransomware schemes," Proofpoint notes. "While it removes the hassle and confusion for many victims associated with Bitcoin processing, it also potentially allows law enforcement to trace activity back to the cybercriminal more easily. "This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement." Ransoc is better considered as more potent variant of earlier law enforcement notice lock-up scams, where victims were confronted with a false notice claiming that they had downloaded illegal content. Ransoc actively targets those it assesses may have actually downloaded abhorrent content. The Ransoc malware also includes code that may allow it to access a victim's webcam, according to Proofpoint, although it was unable to verify if this functionality worked in practice. Ransomware in general is one of the most potent internet security threats and biggest money spinners for crooks over the last three years or so.

As ransomware is so lucrative it is unsurprising that crooks have devised a different approach to bilking money from victims. Thomas Fischer, threat researcher at Digital Guardian, commented: "Ransomware authors are trying to find new ways to make their attacks more convincing and to ensure the target is more likely to pay the ransom.

The Ransoc variant is pushing the boundaries by going beyond the standard file encryption to incorporate social engineering techniques and targeting sensitive personal information.

The end goal is still the same – to use as many tactics as possible to try to obtain money from the target." ® Sponsored: Customer Identity and Access Management
Entire country gets to enjoy life without the web thanks to huge DDoS attack The West African country of Liberia was knocked offline this week. Early indications are that hackers used the same techniques against the country's rudimentary net infrastructure using the same method that rendered hundreds of the world's most popular websites inaccessible at the end of October. Once again the Mirai IoT botnet has been implicated in the assault. Simon Moffatt, senior product manager at ForgeRock, commented: "It's safe to say that these IoT-based attacks will become more frequent and individuals and manufacturers need to be aware of the basic attack vectors that exist. In a typical DDoS or botnet-style attack, the victim is often not the owner and, in fact, they may not even be aware their device has been exploited by cyber criminals. Yet, as we saw with Dyn and now the attack on Liberia, the consequences can be extensive." Thomas Fischer, threat researcher and security advocate at Digital Guardian, added: "The IP cameras and similar devices enrolled into the Mirai botnet are alluring to hackers because they usually provide two points of access. Firstly, a web browser or command line interface on the device itself and secondly a cloud-based portal or web page. This provides the attacker with multiple ways to gain control of the camera. The fact that it is always-on and always-connected is a strong factor, but the real attraction is the lack of built-in security." ® Sponsored: Customer Identity and Access Management
Famed capture-the-packet contest technology will become part of DoD training as well. The Defense Department for the second year in a row sent one of its top directors to DEF CON in Las Vegas this month, but it wasn’t for recruiting purposes. So what was Frank DiGiovanni, director of force training in DoD’s Office of the Assistant Secretary of Defense for Readiness, doing at DEF CON? “My purpose was to really learn from people who come to DEF CON … Who are they? How do I understand who they are? What motivates them? What sort of attributes” are valuable to the field, the former Air Force officer and pilot who heads overall training policy for the military, says. DiGiovanni interviewed more than 20 different security industry experts and executives during DEF CON. His main question:  “If you’re going to hire someone to either replace you or eventually be your next cyber Jedi, what are you looking for?” The DEF CON research is part of DiGiovanni’s mission to develop a state-of-the-art cyber training program that ultimately helps staff the military as well as private industry with the best possible cybersecurity experts and to fill the infamous cybersecurity skills gap today.

The program likely will employ a sort of ROTC-style model where DoD trains the students and they then owe the military a certain number of years of employment. With the help of DEF CON founder Jeff Moss, DiGiovanni over the the past year has met and then picked the brains of, seasoned hackers and the people who hire them about the types of skills, characteristics, and know-how needed for defending organizations from today’s attackers. DiGiovanni, who is also responsible for helping shape retention and recruitment policy efforts in the DoD, has chatted with CEOs of firms that conduct penetration testing, as well as pen testers and other security experts themselves, to get a clearer picture of the types of skills DoD should be teaching, testing, and encouraging, for future cybersecurity warriors and civilians. This is the second phase of the development of a prototype cyber training course he spearheads for DoD at Fort McNair: the intensive six-month prototype program currently consists of 30 students from all branches of the military as well as from the US Department of Homeland Security.
It’s all about training a new generation of cybersecurity experts. The big takeaway from DiGiovanni’s DEF CON research: STEM, aka science, technology, engineering, and mathematics, was not one of the top skills organizations look for in their cyber-Jedis. “Almost no one talked about technical capabilities or technical chops,” he says. “That was the biggest revelation for me.” DiGiovanni compiled a list of attributes for the cyber-Jedi archetype based on his interviews.

The ultimate hacker/security expert, he found, has skillsets such as creativity and curiosity, resourcefulness, persistence, and teamwork, for example. A training exercise spinoff of DEF CON’s famed capture-the-packet (CTP) contest also will become part of the DoD training program.

DiGiovanni recruited DEF CON CTP and Wall of Sheep mastermind Brian Markus to repurpose his capture-the-packet technology as a training exercise module. “In October, he will submit to the government a repackaged capture-the-packet training capability for DoD, which is huge,” DiGiovanni says.

Also on tap is a capture-the-flag competition, DoD-style, he says. One of the security experts DiGiovanni met with at DEF CON this year was Patrick Upatham, global director of advanced cybersecurity at Digital Guardian. “I was a little apprehensive at first,” Upatham says. “After learning what they are doing and the approach that they are taking, it totally made sense.” “He [Frank] is looking for a completely different mindset and background, and [to] then train that person with the technical detail” to do the job, Upatham says. “They are looking for folks who are more resourceful and persistent, and creative in their mindset.” DoD’s training program is about being more proactive in building out its cybersecurity workforce.

That’s how it has to work now, given that more than 200,000 cybersecurity jobs were left unfilled last year overall.

DoD’s Cyber Mission Force is calling for some 6,200 positions to be filled. The goal is to train that workforce in both offensive and defensive security skills.

That means drilling down on the appropriate problem-based learning, for example.

The current prototype training program doesn’t require a four-year degree, and it’s more of a “journeyman apprentice” learning model, DiGiovanni says. About 80% or so is hands-on keyboard training, he says, with the rest is lecture-based. “A lot of the lectures are by the students themselves, with a learn-by-teaching model,” he says. From 'Cable Dog' To Hax0r DiGiovanni gave an example of one student in the DoD training program who came in knowing nothing about security.

The young man was a self-professed  “cable dog” at Fort Meade, a reference to his job of pulling cable through pipes.

But when he finished the six-month DoD course, he was reverse-engineering malware. “When he came to the course, he didn’t know what a ‘right-click’” of a mouse was, nor did he have any software technology experience, DiGiovanni recalls. “To me, that’s a heck of a success story.” The next step is determining how to scale the DoD training program so that it can attract and train enough cyber warriors for the future.

The goal is to hand off the training program to a partner organization to run it and carry it forward, possibly as early as this fall, he says. Meantime, DiGiovanni says the DEF CON hacker community is a key resource and potential partner. “The security of our nation is at stake.
I think it’s imperative for DoD to embrace the DEF CON community because of the unique skill they bring to the table,” he says. “They want to serve and contribute, and the nation needs them.” Related Content: Kelly Jackson Higgins is Executive Editor at DarkReading.com.
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
View Full Bio More Insights
The Olympic Games in Rio de Janeiro will attract more than just athletes and tourists this year. Hackers from across the world will also be on the prowl, trying to exploit the international event.   That means visitors to the Olympics and even people watching from home should be careful.

Cyberthreats related to the games will probably escalate over the coming weeks and could creep into your inbox or the websites you visit. Don't click if it's too good to be true The Olympics have become a beacon for cyber criminals, said Samir Kapuria, senior vice president with security firm Symantec.

A great deal of money is spent on the international event, so hackers naturally want a slice of the pie, he added. During past major sporting events, hackers have come up with fake ticketing and betting services to commit fraud on unsuspecting users.

They'll also use phishing emails and social media posts to spread malware. Computer users will see these messages and links, expecting to view a video on a record-breaking Javelin throw or a bargain on great seats to the event.

But in reality, they'll end up downloading ransomware that can take their data hostage, Kapuria warned. "Think before you click, especially if something looks too good to be true," he said. Thomas Fischer, a security researcher at Digital Guardian, has already been noticing an increase in phishing scams trying to take advantage of the Olympics. Typically, a user will receive an email loaded with an attachment that invites them to an Olympics ticket lottery.
Inside the attachment, however, is malicious code that will download the Locky ransomware and begin encrypting all the user's files. Hackers are already blanketing email addresses with this kind of attack.

They'll also pretend to be an organization like an Olympics committee, he added. "Anyone can receive these emails," Fischer said. "They usually come in English." Brazilian hackers like to target banking data Visitors who actually make the trip to Rio de Janeiro will be entering a country well known for online banking fraud, according to security firms.
It doesn't help that local laws there might not be strong enough to fight cybercrime. Trend Micro has been following the cyber crime scene in Brazil and noted in a report that hackers there "exhibit a blatant disregard for the law." "They will abuse social media and talk about their criminal enterprise, without fear of prosecution," said Ed Cabrera, the company's vice president of cybersecurity. Many of these Brazilian hackers are developing Trojans that pretend to be legitimate banking software, but in actuality can steal the victim's payment information. However, much of this Brazilian malware is focused on targeting local users, and not necessarily foreign tourists, Cabrera said. Tourists should still be careful, however.

Any banking Trojan can still be dangerous because the malware can spy on computer users, said Dmitry Bestuzhev, the head of global research for security firm Kaspersky Lab. He's warning visitors to be wary of ATM and point-of-sale machines in the country.

They often can be infected with malicious code that can secretly steal payment data once a banking card is swiped. "The attacker has the capability to intercept the data and then to clone the card," he added. Another danger is public Wi-Fi spots in Brazil, which often times are insecure.

A hacker can use them to eavesdrop on victims and steal their passwords, Bestuzhev said. He recommends users buy a VPN service to encrypt their Internet communications. Hacktivists and cyber terrorists could be lurking The other big threat that could disrupt the games is hacktivists, said Robert Muggah, a security specialist at Brazilian think tank the Igarapé Institute. Anonymous, for instance, is targeting the event and could end up embarrassing the local government.

The hacking group has already managed to temporarily shut down the official Rio Olympics website on May 11, and then Brazil's Ministry of Sports site on the following day, Muggah said. "Analysts are also concerned with Islamic terrorists," he added.

The extremist group ISIS has been trying to use the encrypted messaging app Telegram to attract sympathizers in Brazil. Local authorities, however, are bolstering their cybersecurity defenses, and the country is no stranger to holding major events, Muggah said.
In 2014, the country was the site of the World Cup. In the run-up to the Olympics, the U.S. government has launched a multimedia campaign pointing out the possible cyberthreats travelers may encounter in foreign countries.
In extreme cases, U.S. tourists could even be the targets of espionage, the campaign warns. At the very least, visitors heading to Rio de Janeiro should watch out for smartphone theft. Muggah said thefts are quite high in the country because the devices are so expensive. New iPhones, for example, have been known to cost about $1,000 in Brazil due to the local import tariffs and taxes.
I travel all over the world for my job, and for my hobbies. Although there are still plenty of places I haven't been, I've visited enough foreign countries that I don't deny it when someone calls me a world traveler. Over the years, I've experienced my fair share of foreign spying. I know what it's like to be snooped on. I'm no longer surprised when I suddenly get gobs of spam from a country I've visited. My best guess is that someone in the country intercepted my email and recorded my email address. I still get porn spam in Arabic and ads for weight loss products in Mandarin. I've had my laptop and USB keys searched at countless borders. An eye-opening moment: On one trip to an Asia-Pacific country, while I was taking a shower in my hotel room, I saw someone insert a USB key into my unlocked laptop. I yelled and jumped out of the shower, and the intruder ran out of the room, leaving his USB key behind. On it was a remote backdoor Trojan. That someone believed I was significant enough to spy on made me feel pretty important. It also taught me to be much more careful with my laptop. Besides keeping your eyes and ears open, what else can you do to protect your privacy and data when traveling? After discussing the topic recently with Salo Fajer, CTO of cybersecurity firm Digital Guardian, I put together the list below. After spending just a brief time with Fajer, I realized we shared a lot of the same ideas on protecting our data from foreign adversaries, but he had a few I hadn't thought of. #1. Know your rights before you go First, and foremost, know your rights and laws before you go to a foreign country. Just as you must know the currency and exchange rate and when to tip, you need to know the legal rights that a particular country might have to your data. It might surprise you to learn that your normal privacy rights, not to mention your Constitutionally protected rights as a U.S. citizen, go away at the border. Border crossings are a legal no-man's land, where each country's laws often do not apply. One of my Canadian co-workers, who traveled to the United States dozens of times a year, was once asked at the border to turn on his laptop, provide his encryption key, and let the border authorities copy his laptop's digital contents. He initially refused because his laptop contained private customer data that he legally could not provide ... or so he thought. The border guards told him that if he did not provide the data he would be immediately prevented from entering our country for five years. He called our company's lawyers and they recommended that he provide the encryption key and give the border guards access to the data. One little tip I gained from that experience is to double encrypt my data. I use a full disk encryption product that is readily apparent to anyone who turns on my computer. But I use a second encryption product to encrypt my most critical data a second time. I have changed the directory path, icon, and executable names so that they look like they belong to a common, run-of-the-mill program. Turns out that if the border guards don't know something is double encrypted, they don't ask for the second set of encryption keys. It's a cryptographer's variation of “Don't ask, don't tell.” #2. Protect copied data I'm a big fan of data encryption schemes like Microsoft's Active Directory Rights Management Service that encrypt the data from unauthorized eyes no matter where it is copied. So even if the border guards or spies get to your data, they are unlikely to be able to review it later on. #3. Leave the data home Better yet, leave the data at home. These days, all my data is stored in the cloud. Before traveling, I just delete the local copy after disabling the sync feature, so that there is no data on my laptop in the first place. I do all my updates and edits on cloud-based copies when I'm away, and then re-enable the local cache when I return home. Or I use the same method, but take another device that never had the data on it in the first place. #4. Always choose the most secure network option Whether you're traveling foreign or domestic, you should always choose the most secure network option available. Be wary of all free Wi-Fi and Bluetooth connections. Make sure you're connecting only to official Wi-Fi offerings and not fake hacker Wi-Fi access points. Better yet, if you can't be sure you're using the right open Wi-Fi network, use your cell phone's tethering feature. #5. HTTPS is your friend Make sure all of your web surfing, or at least your surfing to the websites you use authentication with, is protected by TLS-enabled HTTPS. You don't want bad guys sniffing your connections. Make sure that any wireless connections you use don't try to place fake digital certificates on your computer in an attempt to man-in-the-middle the connections. It's more common these days than ever. Also, it's important to remember that your 2FA (two-factor authentication) methods may not work, especially if your 2FA option uses your cell phone or messaging and your cell phone's voice or data service doesn't work. #6. Use a VPN Use your corporate VPN whenever possible. If your VPN connection uses split-tunneling, understand which traffic is secure and which is not secure. Fajer uses his own personal VPN router when traveling to make sure all connections are protected. Personally, I'm a big fan of Anonabox. #7. Use privacy screens I'm very old school. When I travel I always make sure I have a good privacy screen over my laptop display to keep prying eyes from reading what I'm reading or typing. 3M makes some of the most versatile and secure privacy screens you'll find. #8. Use throwaway accounts I try not to use other people's computers, but there are times when using other computers is necessary or at least very useful. When I use those computers, I often use temporary, throwaway email and cloud storage accounts when I travel. For example, I send my airline tickets to print to a throwaway account so I can pick up and print the tickets on hotel computer equipment. Hotel computers are obvious targets for malware and keystroke recording equipment. If you print that ticket from a throwaway account that you'll never use again, who cares if someone can access it after you leave? #9. Lock your device It goes without saying that you should lock your computing devices anytime you aren't using them -- even in your own hotel room when you're using the shower. #10. Make sure your device is secure Don't take your regular device along on trips if you don't have to. But regardless of whether the computer is your normal device or just a travel one, you want it as secure as possible. It should be securely configured, have all security patches applied, and have a host-based firewall, and host intrusion prevention software, as well. He also said to make sure that you turn off any file or network sharing features. #11. Don't broadcast your current location Lastly, while this isn't exactly a travel tip, don't share your current location with the world. This happens all the time when people use social media. Maybe it's the paranoia gripping me, but I've never understood my friends letting everyone know when they are out of the country, advertising that either their house is empty or that their spouse or kids are home alone. I love to share my pictures and adventures on social media, but I wait until I'm home and able to protect my assets and loved ones. If you travel, whether halfway around the world or halfway across the state, you must take special care to make sure your data and devices stay secure. If you don't take precautions, it's only a matter of time before you get burned.