
Tag: Labour

Crims turn to phishing-as-a-service to slash costs and max profits

So says Imperva after trolling the dark web

Prefab phishing campaigns cost less to run and are twice as profitable as traditional phishing attacks, according to a new study by security vendor Imperva. Cybercriminals are lowering the cost and increasing the effectiveness of email phishing by buying complete packages of compromised servers and all the other components necessary to run a campaign of phishing attacks.

These so-called phishing-as-a-service (PhaaS) bundles are cheaper than trying to cobble together an email campaign from scratch.

That probably seems obvious to you, but it's useful to see some research confirming it. For one thing, the tactic is driving an across-the-board increase in phishing attacks. Phishing is the starting point for most network and data breaches.
Imperva researchers began their study by going through listings on dark-web marketplaces. This allowed them to estimate the cost of phishing campaigns and gave them a clearer picture of the business model behind these all-too-commonplace scams.

Based on the costs of the studied campaign – which used phishing pages, a spam server, an email list of 100,000 email addresses and access to compromised servers – the overall estimated expense of an unmanaged phishing scam is about $27.65, Imperva estimates. In addition, they saw that hackers were easily able to hijack compromised webservers for their campaign, which further lowered up-front costs.

Based on the researchers' analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which tends to be more labour intensive.

Lowering the costs and technology barriers associated with phishing will almost certainly lead to an increase in phishing campaigns, and in the number of people falling victim to these cybercrime operations. The ease of purchase and low cost of PhaaS campaigns is highly likely to make frauds that rely on tricking marks into handing over login credentials for sensitive websites even more commonplace, Imperva concludes.

“The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman, cofounder and CTO of Imperva. “It's no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts, because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability.”

Imperva researchers deconstructed a phishing campaign initiated in mid-June 2016.

The researchers found that people are most likely to take the email phishing bait while at work, rather than at home.

Around a third (35 per cent) of successful phishing attacks were activated between 0900 and noon while victims were at work, busy writing and replying to emails.

The researchers also found that victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email before filling in a web form with their login credentials.

Imperva researchers were able to link the campaign to an Indonesian hacking group that began its “career” with a series of web defacement attacks against targets in the US, Australia and Indonesia. In late 2015, the group graduated to money-making hack attacks against online shops that use the Magento e‑commerce system. Two-thirds (68 per cent) of the victim credentials harvested by the group did not exist in previously known public breaches (one-third had been breached in the past).

Imperva's latest Hacker Intelligence Initiative report, Phishing made easy: Time to rethink your prevention strategy?, can be found here [PDF].

An Infographic summarising the main findings of the study is here [PDF]. ®

'Snoopers' Charter' Set To Become Law In UK

Surveillance bill goes through British Parliament and awaits only the Royal assent to become law before the year ends.

The 'Snoopers' Charter,' officially known as the Investigatory Powers Bill, is all set to become law before the year ends after it was passed by the British Parliament and awaits the Queen's stamp of approval, The Register reports.

The bill, which is widely regarded as being the most stringent of its kind, had its first draft published in November 2015 and was passed by both Houses of Parliament with the Labour Party abstaining. Under the new legislation, Internet service providers will have to store a back-up of the browsing activities of their users for 12 months and make it available to authorities whenever needed. It will also legalize offensive hacking and bulk collection of personal data by the authorities, despite concerns that this could lead to flaws being exploited to reveal more data than required.

This law will legalize what the British government had secretly been doing all along, Prime Minister Theresa May conceded when publishing the first draft.

Appointments on hold as (computer) virus wreaks havoc with NHS trust...

Major medical issues diverted to neighbouring hospitals

An NHS trust shut down all of its IT systems today and has all but ground to a halt in general after a virus compromised them on Sunday. In a bright-red warning labelled "Major incident" on the website for Northern Lincolnshire & Goole NHS Foundation Trust, patients are warned that their appointments have been cancelled due to a virus infecting electronic systems.

The trust announced that it has "taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it". A major incident has been called and all planned operations, outpatient appointments and diagnostic procedures have been cancelled for today and tomorrow.

All adult patients (over 18) should presume their appointment/procedure has been cancelled unless they are contacted.

Those who turn up will be turned away. The nature of the virus has not been disclosed, but the infection comes after NHS Digital committed to expanding the range of cybersecurity services available to UK hospitals and clinics.

Almost half (47 per cent) of NHS trusts have been subject to a ransomware attack in the past year, according to figures from a freedom of information (FOI) request published last month. NCC Group's FOI is based on requests to 60 trusts, 28 of which confirmed they had been victims of ransomware.

Hands-on work will continue, with inpatients continuing to be cared for and discharged as soon as they're medically fit. Major trauma cases are being diverted to neighbouring hospitals, as are high-risk women in labour. The trust said it is "reviewing the situation on an hourly basis. Our clinicians will continue to see, treat and operate on those patients who would be at significant clinical risk should their treatment be delayed." ®

Court: Uber drivers are company employees not self-employed contractors

Uber drivers have the same employment rights as other full-time employees in Britain, a court has ruled in a landmark decision which looks likely to send shockwaves through the nation's so-called "gig economy." The ruling means that drivers are now entitled to earn the national minimum wage, holiday pay, sick pay, and other benefits, after the San Francisco-based taxi firm lost a case brought against them by two drivers backed by the GMB union.

Uber had argued that it was a tech firm rather than a transport one, and that as its drivers were self-employed contractors it was not obliged to provide the kinds of statutory employment rights full-time workers would expect.

According to the GMB, the Central London Employment Tribunal's decision will have ramifications in other industries which rely on casualised labour, and that "similar contracts masquerading as bogus self employment will all be reviewed." The union's legal director Maria Ludkin said the case represented "a monumental victory" and claimed it would "have a hugely positive impact" for Uber's drivers, of whom there are around 40,000 in Britain:

Uber drivers and other directed workers do have legal rights at work. The question for them now is how those rights are enforced in practice. The clear answer is that the workforce must combine into the GMB union to force the company to recognise these rights and to negotiate fair terms and conditions for the drivers.

For its part, Uber is sticking to its self-employment argument, and its UK general manager Jo Bertram has vowed to appeal the court's decision. She said:

Tens of thousands of people in London drive with Uber precisely because they want to be self-employed and their own boss. The overwhelming majority of drivers who use the Uber app want to keep the freedom and flexibility of being able to drive when and where they want. While the decision of this preliminary hearing only affects two people we will be appealing it.

Uber's UK manager, Jo Bertram. Leon Neal/AFP/Getty Images

In the court's ruling, however, the judges insisted that “the notion that Uber in London is a mosaic of 30,000 small businesses linked by a common ‘platform’ is to our minds faintly ridiculous. Drivers do not and cannot negotiate with passengers… They are offered and accept trips strictly on Uber's terms.” The tribunal panel reserved hefty criticism for the firm, claiming that it had used "fictions," "twisted language," and "brand new terminology" to hoodwink drivers and passengers alike.

The GMB meanwhile denied that the majority of Uber drivers enjoyed the "flexibility" of their current contracts. Ludkin said: “This judgement in no way affects driver flexibility, it merely guarantees them basic employment rights. Uber's decision to appeal that is purely related to protecting their ample profits and nothing to do with protecting the drivers.”

Many tech firms rely on casual labour and the UK's lax self-employment laws, but this ruling has opened the doors to more tribunals, including at courier firms such as CitySprint, Addison Lee, eCourier, and Excel. Deliveroo, meanwhile, embroiled in a labour dispute of its own for similar reasons, may also find itself in trouble.

As well as its appeal, Uber is currently also trying to persuade its drivers that the decision only affects the two drivers who went before the tribunal. In an e-mail sent to drivers on Friday night, Bertram wrote:

As you may be aware, earlier this year a small number of London partner-drivers brought a claim to challenge their self-employed status with Uber. Although we have today heard that this challenge has been successful at this first stage, it's very important to note that today's decision only affects two individuals and Uber will be appealing it. There will be no change to your partnership with Uber in light of this decision and we will continue to support the overwhelming majority of drivers who tell us that they use the Uber app to be their own boss and choose when and where to drive.

Ludkin responded: “Even after the judge found Ms Bertram's evidence lacked credibility and described her as ‘grimly loyal,’ she continues to try and advance a misleading and false set of facts. The Uber judgment applies to 40,000 UK drivers, not two. Ms Bertram might be wise to think how this judgment reflects on her before she issues any more statements.”

This post originated on Ars Technica UK

Assange’s Internet “intentionally severed by state party”

WikiLeaks founder Julian Assange prepares to speak from the balcony of the Ecuadorian embassy on February 5, 2016 in London, England. Today, he can't get online. Photo by Carl Court/Getty Images

WikiLeaks announced via its Twitter account this morning that WikiLeaks founder Julian Assange's Internet connection had been cut off, blaming a "state party" for the outage.

Assange, who has been ensconced in the Ecuadorian embassy in London since he sought asylum there over four years ago to avoid extradition, has been "detained in absentia" by the Swedish government for questioning on allegations of rape. Other lesser allegations have been dropped because they have passed the time allowed by Sweden's statute of limitations. The announcement comes after the postponement of an interview of Assange by Swedish authorities at the Ecuadorian embassy by Ecuador's Attorney General's office.

The interview, which was to take place today, was pushed back by Ecuador until November 17 "to make it possible for Assange's lawyer to attend." WikiLeaks also announced that it had "activated the appropriate contingency plans" in response to the communication outage.

That plan may be related to other posts made from the WikiLeaks account overnight referring to three "precommitments"—one regarding the UK's Foreign & Commonwealth Office (UK FOS), one labeled "John Kerry," and one labeled "Ecuador." The posts included long alphanumeric strings that may have been encryption keys for files already prepositioned on the Internet.

"Precommitment" is a term often associated with the concept of a "dead man's switch"—an automated response to an attack that would otherwise leave the target unable to respond, usually intended as a deterrent. It's possible that Assange made arrangements for a "dead man's switch" release of content about the UK Foreign Office, Ecuador and Secretary of State John Kerry that were intended to prevent them from taking action against him at the embassy. If the codes associated with the three "precommitments" are in fact cryptographic keys, then that "dead man's switch" has been activated by WikiLeaks.

In addition to the recent leaks of e-mails from the Gmail account of John Podesta, a high-ranking official within Hillary Clinton's presidential campaign, and the publishing of files obtained from the Democratic National Committee breach, WikiLeaks has issued "bounties" for leaks from the UK's Labour Party leadership. Both leaks have been alleged by US officials to have been executed at the direction of the Russian government.

"Precommitment" posts from WikiLeaks.

Coincidentally, the Russian government-funded news organization RT, operated by TV-Novosti, published a report that RT's accounts in the United Kingdom had been "blocked." That report included a redacted image of a letter from Royal Bank of Scotland unit NatWest stating, "We have recently undertaken a review of your banking arrangements with us and reached the conclusion that we will no longer provide these facilities. You will therefore need to make banking arrangements outside of The Royal Bank of Scotland Group." The letter said that accounts would be shut down by December. RT has broadcast a show by Assange in the past and has faced sanctions for violation of UK and European broadcast standards, particularly for its coverage of the shoot-down of Malaysia Airlines flight MH17.

Ars will update this story as more details become available.

iPhone passcode bypassed with NAND mirroring attack

Passcodes on iPhones can be hacked using store-bought electronic components worth less than $100 (£77), according to one Cambridge computer scientist. Sergei Skorobogatov has demonstrated that NAND mirroring—the technique dismissed by James Comey, the director of the FBI, as unworkable—is actually a viable means of bypassing passcode entry limits on an Apple iPhone 5C.

What's more, the technique, which involves soldering off the phone's flash memory chip, can be used on any model of iPhone up to the iPhone 6 Plus, which use the same type of LGA60 NAND chip. Later models, however, will require "more sophisticated equipment and FPGA test boards."

In a paper he wrote on the subject, Skorobogatov, a Russian senior research associate at the Cambridge Computer Laboratory's security group, confirmed that "any attacker with sufficient technical skills could repeat the experiment," and while the technique he used is quite fiddly, it should not present too much of an obstacle for a well-resourced branch of law enforcement.

The attack works by cloning the iPhone's flash memory chip. iPhones generally allow users six attempts to guess a passcode before locking them out for incrementally longer periods of time; by the complex process of taking the phone apart, removing its memory chip, and then cloning it, an attacker is able to have as many clusters of six tries as they have the patience to make fresh clones. Skorobogatov estimates that each run of six attempts would take about 45 seconds, meaning that it would take around 20 hours to do a full cycle of all 10,000 passcode permutations.

For a six-digit passcode, this would grow to about three months—which he says might still be acceptable for national security. He demonstrated the fruits of his labour in a YouTube video, which clearly shows him making more than the regulation number of passcode entries by switching a fresh, identical chip into a physical port he'd attached to the phone he was attacking. "Because I can create as many clones as I want, I can repeat the process many many times until the passcode is found," he explained in the video.

NAND mirroring attack.

Apple doesn't readily release the part numbers or wiring diagrams for the chips and circuits inside each iPhone, but the information is easy to find online (see the recent iPhone 7 teardown).

This information can be used to cleanly open the handset up and identify the location of the flash memory chip on its main board.

And while NAND flash memory manufacturers have so far managed to prevent the release of any documentation on how they actually work, it's possible to eavesdrop on their protocols and commands with an oscilloscope or a logic analyser. NAND memory is usually preferred to NOR memory on small devices due to its higher density and faster data-transfer rate, though it can only withstand tens of thousands of rewrites rather than hundreds of thousands for NOR, which complicates the hacking process. Despite the strength of the solder and epoxy which affixes the memory to the board, it proved relatively easy to separate the phone's NAND chip, provided a certain amount of care was taken.

From there, Skorobogatov attached an external connector for fresh chips, forcing him to painstakingly rewire the board to get the balance of voltages right once the components were in a different configuration. He then listened to the way the memory chip communicated with the rest of the device and spoofed the commands on a PC, "to support reading, erasing, and rewriting of the flash memory in a separate setup controlled... via a serial port."

With this basis and a little refinement, it is possible for a determined hacker to use the technique to brute-force the re-engineered iPhone's passcode, giving full access without the possibility of overwriting the memory too much and changing vital information within. According to Skorobogatov, "the process does not require any expensive and sophisticated equipment." His paper concludes:

By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts.

This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5C.

Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection.

Also some reliability issues related to the NAND memory allocation in iPhone 5C are revealed.

The demonstration should also please the FBI, which earlier this year tried and failed to persuade Apple to build backdoors for law enforcement into future versions of iOS, following a deadly shooting in San Bernardino, California, last December.

The FBI had wanted to access a phone taken from one of the killers, which was protected by a passcode; in March, Director Comey insisted that NAND mirroring "doesn't work." Eventually, the FBI paid a reported $1.3 million (£1 million) to a private security contractor to get into the phone—itself an iPhone 5C.

iPhone models since the release of iPhone 6 Plus come with upgraded NAND memory chips, which Skorobogatov told Ars would require "an advanced team of researchers" to properly analyse:

We don't know for sure if this attack will work for iPhone 7 therefore we're going to investigate this. However, due to more advanced NAND m-PCIe interface being used starting from iPhone 6S, more sophisticated equipment will be required to decode the protocol and talk to NAND. In order to analyse iPhone 7 for any threats an advanced team of researchers will be necessary, this of course requires substantial funding.

Meanwhile, he said, "iPads use very similar hardware, hence models which are based on A6 SoC or previous generations should be possible to attack," though "newer versions will require further testing." And because Android phones are "normally based on standard NAND products, reading them and cloning should be easier because standard off-the-shelf programmes can be used." However, he added that it "all depends on particular implementations," as "NAND mirroring can be defeated." He included suggestions on how to defeat NAND mirroring in his paper.

This post originated on Ars Technica UK

UK Labour man Owen Smith: If you wanna be a leader,...

'Net pics last forever, login details ... send

The campaign for a leadership candidate for the UK's Labour party, Owen Smith, accidentally tweeted a photo that showed the login details for the campaign's phone bank system over the weekend. Security experts have chided the Labour leadership candidate for the cockup, which follows similar mistakes by organisers of the World Cup in Brazil and the Duke of Cambridge's former RAF base.

“Tweeting a photo of security credentials – no matter what they are for – is a stupid mistake and it indicates a lack of thought about even the most basic security needs,” said Ed Macnair, chief exec of CensorNet. “It's a perennial problem and we need to do better at educating the nation on the dangers. While this incident might have evoked laughs, the next time may not be quite so funny.”

“There's going to be some red faces in the Owen Smith campaign office. Clearly no harm was done, but it's a perfect example of people being a huge security risk,” he added. ®