6 C
London
Tuesday, November 21, 2017
Home Tags Intelligence officers

Tag: Intelligence officers

DAILY VIDEO: DOJ Charges Russian intelligence officers in 2014 Yahoo hack; Third-party Twitter app hacked by Turkish activists to post messages; Intel now major player in driverless cars with Mobileye buy; and there's more.
The DOJ charges four, including three Russian nationals, in connection with the 2014 Yahoo breach of 500 million user accounts.
reader comments 28 Share this story In a move that stunned some security researchers, a top investigator at Russia's largest antivirus provider, Kaspersky Lab, has been arrested in an investigation into treason, a crime that upon conviction can carry severe sentences. Ruslan Stoyanov Kaspersky Lab Ruslan Stoyanov, the head of Kaspersky Lab's investigations unit, was arrested in December, Russian newspaper Kommersant reported Wednesday.

The paper said that Sergei Mikhailov, a division head of the Russian intelligence service FSB, was also arrested in the same probe.
Stoyanov joined the Moscow-based AV company in 2012 and was chiefly involved in investigating and responding to hacking-related crimes carried out in Russia. His LinkedIn profile shows he served as a major in the cybercrime unit of Russia's Ministry of Interior from 2000 to 2006. "The case against this employee does not involve Kaspersky Lab," company officials wrote in a statement issued following the report. "The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation.

The work of Kaspersky Lab's Computer Incidents Investigation Team is unaffected by these developments." In the past 15 months, Stoyanov wrote three posts for Kaspersky Lab's Securelist blog.

All three involved financially motivated crime conducted inside of Russia.
It's not clear what the maximum penalty is for treason in Russia.

The country has reportedly suspended executions, and the last one was in 1996. Word of the arrest almost immediately ignited a flurry of speculation and concerns of a possibly chilling effect the action might have among security researchers.

The charges were filed under Article 275 of Russia's criminal code, an extraordinarily broad statute that opens individuals to treason charges for providing financial, technical, advisory, or other assistance to a foreign state or international organization that's considered hostile to the Russian government.

As coverage from Forbes reported, such assistance could potentially be as simple as furnishing the FBI with information on a botnet. A much more chilling scenario, offered in this post from Lawfare Blog, is that Stoyanov was a source for US intelligence officers who ultimately concluded Russian-sponsored hacking attempted to interfere with the 2016 US presidential election.

That speculation is likely off base because it doesn't fit with Kaspersky's assertion Stoyanov is being investigated for activities that predated his employment or with this claim from a fellow Kaspersky Lab researcher that Stoyanov's research never involved advanced persistent threats, the term for hacking techniques used by government-sponsored spies. People advancing the theory seem to be basing it on the timing of the arrest, which roughly coincided with the classified release of specific details said to support the US intelligence community's claims the hacking was ordered by President Vladimir Putin. Whatever the specifics are behind the investigation into Stoyanov, security researchers said the arrest will likely cause colleagues in Russia and elsewhere to self-censor potentially sensitive findings. "For those living and working under oppressive regimes, keep up the good fight," Jake Williams, founder of security firm Rendition Software who previously worked for the Department of Defense, wrote in a blog post. "But also remember that no incident response report or conference talk is worth jail time (or worse)." In a message to Ars, he added: "I think that these charges will cause security researchers, particularly those in states with oppressive governments, to carefully consider the weight of reporting details of security incidents." Listing image by Kaspersky Lab
NEWS ANALYSIS: Ransomware is a significant problem for small and medium-size business.

But now there’s a new military-grade means of fighting back. You already know how ransomware works. Malware gets loaded on to a computer, and quietly encrypts everything of use. When it’s done, you see a message displayed on your screen demanding payment in Bitcoins, and you’re told that if you don’t pay up, you’ll never get your data back.For many companies, the only choice is to pay up, but that has two complications.

First, it costs you a lot of money.
Second, it labels you as being willing to pay the ransom, which means you can expect more ransomware attacks.However, successfully fighting off ransomware is tough. Ransomware varieties rapidly evolve and change almost daily.

The chances of your antivirus or your antimalware catching it aren’t very good.Since ransomware is spread through a variety of vectors, you can’t depend on some of the more traditional methods such as screening email or social network feeds to reliably bock attacks.

Even large companies with good security practices sometimes get stung by ransomware. But there is an anti-ransomware system for SMBs that was developed from an enterprise system that's already in place in the field.
It's called RansomFree, from security company Cybereason. Cybereason was organized by a group of former military intelligence officers using skills they acquired fighting the worst of bad guys.

This explains why they refer to their products as military-grade prevention.

The company uses techniques developed by the military to detect, deceive and kill ransomware.The company has been active in the enterprise security space for some time and its products have been widely adopted there.

But the software doesn’t lend itself to most SMB users because of the expense and the expertise required to use it.
So Cybereason’s developers created a version that small companies and individuals can implement and they are giving it away for free.Right now, RansomFree only works on Windows computers.

But once it’s installed, it does three things.

First it can detect the ransomware malware when it arrives on a computer if it has a signature it recognizes.

But because of ransomware families rapidly evolve, it also watches the activity of the ransomware looking for attempts to encrypt files.

Finally it deceives the ransomware into thinking its working, when in reality all that it’s doing is operating in a secure honey pot of a container.A honey pot is a simulated environment that looks normal to the malware, but which exists only as a place for the malware to execute, while the anti-ransomware software studies it. Once it’s done with that, the ransomware attack is stopped in its tracks and the malware is killed.
EnlargeВвласенко reader comments 3 Share this story Shadow Brokers, the mysterious group that gained international renown when it published hundreds of advanced hacking tools belonging to the National Security Agency, says it's going dark.

But before it does, it's lobbing a Molotov cocktail that's sure to further inflame the US intelligence community. In a farewell message posted Thursday morning, group members said they were deleting their accounts and making an exit after their offers to release their entire cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins (currently valued at more than $8.2 million) were rebuffed. While they said they would still make good on the offer should the sum be transferred into their electronic wallet, they said there would be no more communications. "Despite theories, it always being about bitcoins for TheShadowBrokers," Thursday's post, which wasn't available as this article was going live, stated. "Free dumps and bullshit political talk was being for marketing attention.

There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers." The post included 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers. While they all were detected by antivirus products from Kaspersky, which in 2015 published a detailed technical expose into the NSA-tied Equation Group, only one of them had previously been uploaded to the Virus Total malware scanning service.

And even then, Virus Total showed that the sample was detected by only 32 of 58 AV products even though it had been uploaded to the service in 2009.

After being loaded into Virus Total on Thursday, a second file included in the farewell post was detected by only 12 of the 58 products. Parting insult Malware experts are still analyzing the files, but early indications are that, as was the case with earlier Shadow Brokers dumps, they belonged to the Tailored Access Operations, the NSA's elite hacking unit responsible for breaking into the computers and networks of US adversaries.

And given evidence the files remained undetected by many of the world's most widely used malware defenses, Thursday's farewell message may have been little more than a parting insult, particularly if the group has origins in the Russian government, as members of the intelligence community have speculated. "This farewell message is kind of a burn-it-to-the-ground moment," Jake Williams, a malware expert and founder of Rendition Infosec, told Ars. Russian ties make sense Given the inauguration [of Donald Trump] happens in a short time [from now].
If that narrative is correct and Shadow Brokers is Russian, they wouldn't be able to release those tools after Trump takes office.
If you roll with that narrative, [the burn-it-to-the-ground theory] certainly works." Thursday's dump came several days after Shadow Brokers members published screenshots of what they claimed were NSA-developed exploits for Windows systems. While the absence of the actual files themselves made analysis impossible, the screenshots and the file names suggested the cache may have included a backdoor made possible by a currently unpatched vulnerability in the Windows implementation of the Server Message Block protocol. Other tools appeared to provide: bypasses for antivirus programs from at least a dozen providers, including Kaspersky, Symantec, McAfee, and Trend Micro a streamlined way to surgically remove entries from event logs used to forensically investigate breached computers and networks hacks for a Windows-based e-mail client known as WorldTouch capabilities for gaining administrator privileges or dumping passwords on Window machines. The full text of the post read: So long, farewell peoples.

TheShadowBrokers is going dark, making exit.

Continuing is being much risk and bullshit, not many bitcoins.

TheShadowBrokers is deleting accounts and moving on so don’t be trying communications.

Despite theories, it always being about bitcoins for TheShadowBrokers.

Free dumps and bullshit political talk was being for marketing attention.

There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers.

But TheShadowBrokers is leaving door open. You having TheShadowBrokers public bitcoin address 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK TheShadowBrokers offer is still being good, no expiration.
If TheShadowBrokers receiving 10,000 btc in bitcoin address then coming out of hiding and dumping password for Linux + Windows.

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files. Password is FuckTheWorld Is being final fuck you, you should have been believing TheShadowBrokers. Files included with the post carried the following names: DoubleFeatureDll.dll.unfinalized DuplicateToken_Implant.dll DuplicateToken_Lp.dll DXGHLP16.SYS EventLogEdit_Implant.dll EventLogEdit_Lp.dll GetAdmin_Implant.dll GetAdmin_Lp.dll kill_Implant9x.dll kill_Implant.dll LSADUMP_Implant.dll LSADUMP_Lp.dll modifyAudit_Implant.dll modifyAudit_Lp.dll modifyAuthentication_Implant.dll modifyAuthentication_Lp.dll ModifyGroup_Implant.dll ModifyGroup_Lp.dll ModifyPrivilege_Implant.dll ModifyPrivilege_Lp.dll msgkd.ex_ msgki.ex_ msgks.ex_ msgku.ex_ mssld.dll msslu.dll mstcp32.sys nethide_Implant.dll nethide_Lp.dll ntevt.sys ntevtx64.sys ntfltmgr.sys PassFreely_Implant.dll PassFreely_Lp.dll PC_Legacy_dll PC_Level3_dll PC_Level3_dll_x64 PC_Level3_flav_dll PC_Level3_flav_dll_x64 PC_Level3_http_dll PC_Level3_http_dll_x64 PC_Level3_http_flav_dll PC_Level3_http_flav_dll_x64 PC_Level4_flav_dll PC_Level4_flav_dll_x64 PC_Level4_flav_exe PC_Level4_http_flav_dll PC_Level4_http_flav_dll_x64 PortMap_Implant.dll PortMap_Lp.dll ProcessHide_Implant.dll ProcessHide_Lp.dll processinfo_Implant9x.dll processinfo_Implant.dll ProcessOptions_Implant.dll ProcessOptions_Lp.dll pwdump_Implant.dll pwdump_Lp.dll RunAsChild_Implant.dll RunAsChild_Lp.dll tdi6.sys Of interest to researchers looking for clues about the people behind Shadow Brokers, Images included with the file dump showed the files were included on a Drive D that was most likely a USB drive, given an accompanying icon.

The folder was titled DSZOPSDISK, a string that also matches a folder name a previous exploit dump.

The evidence "lends credibility to the argument the leak came from an insider who stole, and subsequently lost control of, a USB stick, rather than a direct hack of the NSA," said independent researcher Matt Tait, who posts under the Twitter handle Pwn All The Things, told Ars.

As Tait also observed, the computer the drive was attached to appeared to be running Kaspersky AV and VMware tools, had no connected network or sound card, and was configured to show dates in the dd/mm/yyyy format.

The files were signed by the same cryptographic key used to sign previous Shadow Broker dumps. Thursday's post comes five months after Shadow Brokers first appeared.

A day after the unprecedented leak, Kaspersky Lab researchers definitively tied the included exploits to the NSA-connected Equation Group.

A day after that, Cisco Systems confirmed that the leaked cache included a zero-day exploit that had secretly targeted one if its firewall products for years.
In October, Shadow Brokers published a document revealing hundreds of networks that were targeted by the NSA over more than a decade. Tracking bear prints One theory floated by intelligence officers and reported by The New York Times is that the Shadow Brokers leaks were carried out by Russian operatives as a warning to the US not to publicly escalate blame of President Vladimir Putin for hacks on the Democratic National Committee. NSA leaker Edward Snowden and a host of others have also speculated that Russia is behind the Shadow Brokers as well.

There's no definitive proof of Russian involvement, but the timing of Thursday's farewell and the potentially damaging leaks that accompanied it—coming eight days before the inauguration of President elect Donald Trump—give the unescapable impression of a link. "They may not be Russian," Williams said of the Shadow Brokers members. "But it is inexplicable they would release the dump without understanding the timing and how it would be read.

Anyone smart enough to steal these tools understands the conclusion that will be drawn by most."
EnlargeMustafa Al-Bassam reader comments 20 Share this story Shadow Brokers—the name used by a person or group that created seismic waves in August when it published some of the National Security Agency's most elite hacking tools—is back with a new leak that the group says reveals hundreds of organizations targeted by the NSA over more than a decade. "TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak.

Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks. Equation Group was originally a name researchers from Moscow-based Kaspersky Lab gave to an elite team of NSA-tied hackers who exploited some of the same then-unknown Windows flaws later targeted by the Stuxnet worm that attacked Iran's nuclear program.

The group operated undetected for more than 14 years until Kaspersky researchers brought it to light.

The researchers dubbed it "Equation Group," but there's no evidence that was the name anyone inside the group used.

The people penning posts accompanying the leaks that started in August then used the Equation Group name when identifying the elite team the data and tools allegedly belonged to. According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA.

The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010.

The addresses include 32 .edu domains and nine .gov domains.
In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.
Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. The dump also includes various other pieces of data.

Chief among them are configuration settings for an as-yet unknown toolkit used to hack servers running Unix operating systems.
If valid, the list could be used by various organizations to uncover a decade's worth of attacks that until recently were closely guarded secrets.

According to this spreadsheet, the servers were mostly running Solaris, an operating system from Sun Microsystems that was widely used in the early 2000s. Linux and FreeBSD are also shown. "If this data is believed then it may contain a list of computers which were targeted during this time period," the analysis provided by Hacker House, a firm that offers various security services, stated. "A brief Shodan scan of these hosts indicate that some of the affected hosts are still active and running the identified software.

These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures." The domains and IP addresses purportedly belong to organizations that were hacked by the NSA.

But according to Monday's Shadow Brokers post, once they were compromised, some of them may have been used to attack other NSA targets.
If true, the list could help other organizations determine who may have been behind suspicious interactions they had with the listed servers.

The possibility that some of hacked servers were used to attack other sites were raised by the discussion of a tool called pitchimpair, which the authors claimed is a "redirector." Typically, redirectors are used to surreptitiously direct someone from one domain to another. Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, AND STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
EnlargeRestrictedData reader comments 47 Share this story In the final filing before a second custody hearing in a week, prosecutors said Thursday afternoon that a former National Security Agency contractor accused of removing massive amounts of secret data and documents should remain in custody. Among that trove of data, investigators say they found “numerous names of intelligence officers of the United States” who are serving abroad. When Martin was arrested in August, investigators seized 50TB worth of data and many other printed and classified documents from Martin’s home in suburban Maryland. If all of this data was indeed classified, it would be the largest such heist from the NSA, far larger than what former contractor Edward Snowden took. “Although still undergoing review, it is estimated that a substantial portion of the 50 terabytes of digital information seized from the Defendant contains highly classified information,” Harvey Eisenberg, and other prosecutors wrote in an explanation of what Top Secret/Sensitive Compartmented Information (TS/SCI) intelligence is, underscoring that it is considered to be “irreplaceable once compromised.” As Eisenberg continued: As an example, information stolen by the Defendant includes numerous names of intelligence officers of the United States. These officers operate under cover outside the United States, and putting the secrecy of their identities at risk by removing information about those identities from appropriate, secure storage not only endangers the lives and safety of those officers and the individuals with whom they work, but also risks exposure of American intelligence operations. Additionally, numerous intelligence sources and methods for highly sensitive intelligence operations would be rendered nearly useless should they fall into the wrong hands. Last week, US Magistrate Judge A. David Copperthite ruled that Harold Martin was a flight risk and should remain behind bars pending trial. Earlier this week, Martin’s defense attorneys asked a more senior judge, US District Judge Richard D. Bennett, to overrule that decision. Judge Bennett will hold a hearing on the matter later on Friday, October 28, at 2:30pm ET in federal court in Baltimore.
The U.S. National Counterintelligence and Security Center will soon provide classified supply chain threat reports to critical U.S. telecommunications, energy and financial businesses. The effort is designed to reduce threats against a vast private supply chain of equipment and services that could result in the theft of vital data or disrupt operations in critical systems.
Supply chain threats are not well understood by security professionals, yet the supply chain is relatively easy to manipulate by foreign governments like Russia and China, as well as criminal gangs, hackers and even disgruntled workers, according to NCSC officials. The Office of the Director of National Intelligence described the threats to private sector supply chains in a press release on Thursday and released a video on supply chain risk management.
The video urges companies to include a member of the company’s acquisition division in planning sessions to defend against cyberattacks.
It also urges companies to know their suppliers and whether they are associated with adversaries of the U.S,. and from which vendors those companies purchase parts. The NCSC, in the statement, said it will provide “threat briefings to government partners and eventually to industry.” NCSC officials could not be reached for more details, but the statement referred to a Bloomberg interview that said the threat reports would begin in about two months through secure channels and would include the context behind hacking attacks, such as whether another country is responsible. Threat reports against a company’s supply chain will likely be welcomed by many U.S. companies, considering the variety and number of attacks that can occur. One company, Verizon, said on Friday it has long recognized the importance of keeping its supply chain reliable and secure. “We devote considerable attention to that effort,” said David Samsung, a Verizon spokesman, via email. “We welcome the government’s efforts to share timely and actionable information about threats to supply chain security.” Duke Energy’s Managing Director of Cybersecurity Hafid Elabdellaoui said the utility welcomes the “opportunity for intelligence sharing, especially when the information comes from government agencies who have extensive knowledge of threats and potential threats within U.S. borders and around the world.” Gartner analyst Avivah Litan called the government’s plan to share supply-chain threat reports “a really important initiative.” “This is one area that the federal government pays attention to while private industry generally does not,” she added. “Many of the threats to the U.S. supply chain are perpetrated by nation-states like China and Russia who use weaknesses and vulnerabilities in the supply chain to infiltrate U.S. infrastructure and systems.” She said private companies typically focus on preventing and detecting known attacks that started long ago, but not on pre-empting them. “It’s a very good thing for U.S. intelligence agencies to bring information that can pre-empt attacks.

This is probably one of the most useful activities our government can engage in to help protect U.S. infrastructure.” Litan said only a handful of security companies focus on pre-empting attacks by finding criminal perpetrators and then uncovering how they act well before they strike. “This is the first initiative I have heard of that specifically targets U.S. supply chains across the board with the same intent,” she added. U.S. intelligence officials are likely using data-mining tools to discover threats against supply chains in the darknet.

By contrast, most threat intelligence companies don’t look for perpetrators and instead look for key words or IP addresses, malware or URLs that provide signatures, or they contribute to blacklists that can help private companies prevent attacks already started in another industry or another part of the world. U.S. intelligence officers are also likely to use electronic surveillance techniques to focus on suspicious groups, then monitor what individuals in the groups are chatting, emailing or talking about, Litan said. “U.S. intelligence is more focused on the people and finding out the bad guys and government actors and accomplices, then seeing what they talk about and the traces they leave behind.

They might be talking about infiltrating routers or polluting a manufacturing process.” This story, "U.S. intelligence to share supply chain threat reports with industry" was originally published by Computerworld.
U.S.

Assistant Attorney General John Carlin's statement finds support in FireEye report of a 90% fall in China-based hacking. Cyber-espionage activities coming out of China appear to have dropped after September talks in which the country said it would stop supporting the hacking of US trade secrets, Reuters says quoting US Assistant Attorney General John Carlin. This statement finds support in a recent report from security firm FireEye, which witnessed a dramatic 90% drop in breaches by China-based groups in the last two years. Speaking at the Center for Strategic and International Studies think tank in Washington, Carlin said last year’s talks with China and Group of 20 nations were vital to a uniform cyber law. However, he says it remained to be seen how long this reduction in hacking activities would last.

Carlin added that private sector and US intelligence officers were "better positioned to assess hacking trends." For details, click here. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.
View Full Bio More Insights