Are you interested in WADA and USADA confidential documents?" Fancy Bears HT is the front for the hacking operation that spear-phished International Olympic Committee members to gain access to the systems of the World Anti-Doping Agency (WADA).
Those records were leaked—and in some cases, according to WADA officials, modified—in an effort to discredit the Olympics' drug-testing rules.
The leaks were seen by officials as retribution for the bans imposed on Russian athletes after widespread doctoring of drug tests by the Russians at multiple Olympic games was exposed by a WADA investigation. The hack of the United States Anti-Doping Agency (USADA) e-mails was first revealed in October.
A spokesperson for USADA told Ars that the e-mails were probably exposed during the Paralympic Games in Rio de Janeiro, possibly when a scientific advisor to USADA was using public Wi-Fi at the games. The Federal Bureau of Investigation and an outside information security firm are still investigating the breach.
But officials have indicated that, as in the WADA breach, the perpetrators are in some way tied to the group behind part of the network intrusion at the Democratic National Committee and the hacking of e-mail accounts of a number of political figures—including Hillary Clinton's campaign chairman, John Podesta. Those hacks were attributed by security researchers to a group designated by Crowdstrike as "Fancy Bear"—a name the hackers apparently liked so much that they adopted it for their Twitter account name and WADA/USADA leak site. On the other hand, whoever is behind the Fancy Bears Twitter account told Forbes' Thomas Fox-Brewster (who got a similar pitch by DM) that they were not the same Fancy Bear (aka APT28). Nothing in the e-mails leaked from USADA so far is particularly controversial.
The latest batch includes discussions with officials from a number of different countries' anti-doping agencies about contingency plans for what to do if Russian athletes were not banned from the Olympic games, as well as preparation for a lawsuit, never taken forward, that USADA and the Canadian Centre for Ethics in Sport planned to file against the International Olympic Committee.
The contents of the e-mails, USADA Communications Manager Ryan Madden told Ars, "just show us doing our jobs." And it's that mundane level of content—and the resulting lack of interest in continued press coverage—that may have prompted Fancy Bears to reach out to Ars and other outlets this morning.
The WADA/USADA leaks are apparently not getting the amount of attention that Fancy Bears feels they deserve, as it offered a lure to write more about them: A transcript of Ars' chat with some Fancy Bears.
Greenford, UK (December 8, 2016) In the wake of Brexit there seems to be an air of gloom hanging over British business – but not at Ultra Electronics.
Based in Greenford, London, the Group continues to supply its products to some of the world’s biggest and most technologically advanced organisations.
Gemini, the world’s first licensed Bitcoin and Ether exchange, chose Ultra’s Hardware Security Module (HSM) to protect its most valuable information despite competition from US and mainland Europe cyber security giants.
The coup for Ultra outlines the significant amount of respect the organisation commands in the world of cyber security.
Gemini, founded and managed by Olympic rowers the Winklevoss brothers, allows clients to trade Bitcoins to USD, Ether to USD and Bitcoins to Ether.
The company is the first of its kind to receive a license from a major regulatory body, receiving its accreditation from the New York State Department of Financial Services (NYSDFS) in 2015.
Cryptocurrencies are fast becoming a more widely respected form of payment, so much so that the city of Zug, a well-known financial hub in Switzerland, has started allowing residents to pay for public services with Bitcoins.
Ultra, Gemini and Bitcoin
For such a rapidly expanding business within a field where security is absolutely paramount, Gemini has ensured it recruits security professionals from some of the world’s most distinguished companies.
For a company that has invested so much in security personnel, the question is what exactly made it choose Ultra Electronics’ HSM.
According to Cem Paya, the CSO of Gemini:
“Information security is one of the most important parts of the Gemini business model and ensuring we utilise the most secure HSMs is vital.
There were a number of reasons as to why we chose to work with Ultra Electronics KeyperPlus. Not only did KeyperPlus have a superior key management system, comprehensive security options and Linux support but it also was without any severe vulnerabilities.”
The fact that Gemini chose Ultra Electronics is a positive sign.
Brexit or not – truly innovative companies who can offer unique product solutions will always be desired by the rest of the world. Rob Stubbs, Product Director at Ultra’s Communication & Integrated Systems business, outlines why he believes Gemini selected the KeyperPlus and how the Ultra team will continue to ensure it wins orders from market-leading businesses such as Gemini in the future.
“The success of Bitcoin is critically dependent on the security of exchanges such as Gemini. We have already seen the cyber-theft of Bitcoins from Mt. Gox, Bitfinex and others totalling over $500m.
Gemini’s decision to use KeyperPlus was based on its own detailed security evaluation as well as the product’s international certification and market reputation so as to provide the utmost security for its clients.
HSMs are an important cyber security tool, and can be used to enhance any security system. KeyperPlus is the only network-attached HSM to incorporate a cryptographic module validated to FIPS 140-2 Level 4 overall, one of the toughest security standards in the world. Ultra’s Keyper™ HSMs have successfully maintained this level for over 15 years, earning them a deserved reputation as the world’s most trusted HSMs.
For example, two generations of Keyper™ HSM have been used by ICANN to protect the security of the global Internet domain name system, upon which the whole world-wide-web ultimately depends.”
Ultra Electronics’ experience and expertise within the cyber-security sector is set to stand both the business and the security of its clients’ valuable information in good stead for the foreseeable future.
If you have any further questions regarding either Ultra Electronics cyber-security capabilities or this article please contact:
Morgan Sellars, Marketing Executive:
Office: 020 8813 4621 – Email - Morgan.Sellars@ultra-cis.com
It’s also important that we highlight the work conducted by our North American partners at Connect IT Solutions Inc.
Their skill and security expertise were invaluable during the design, sale and management phases of this project.
If you have any questions regarding Connect IT Solutions or its services then please contact:
Jasper Rose, Vice President, Cyber Security Division:
Office: 1- 888-246-6350 x 102 Email - email@example.com Web - www.citsus.com
There’s a “concerted effort” by cybercriminals to recruit health care industry insiders as accomplices in these thefts.
Efforts to recruit insiders are far from subtle and can include brazen online ads and offers sent through social media, according to a new study (PDF) by Intel Security. Intel Security researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information are all of potential interest to hackers turned industrial spies.
Confidential data is stored not only by pharmaceutical companies but with their partners and (sometimes) government regulators. Cybercriminals are taking advantage of the cybercrime-as-a-service market to execute their attacks on healthcare organizations through, for example, the purchase and rental of exploits and exploit kits in order to attack targeted organizations.

Doctored records

Away from the top end of the scale, there’s even a market for the health records of ordinary people.
Stolen medical records are available for sale from $0.03 to $2.42 per record, McAfee Labs reports.
Comparable stolen financial account records are available for around $14.00 to $25.00.
And credit and debit card account data is available for $4.00 to $5.00 per account record. Protected health information could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.
Easier-to-monetize credit card information commands a greater price on black markets, at least for the immediate future, as Intel Security explains: Upon stealing a cache of medical records, it is likely cybercriminals must analyze the data and perhaps cross-reference it with data from other sources before lucrative fraud, theft, extortion, or blackmail opportunities can be identified.
Financial data, therefore, still presents a faster, more attractive return-on-investment opportunity for cybercriminals.

“In one case, a relatively non-technically proficient cyber thief purchased tools to exploit a vulnerable organization, leveraged free technical support to orchestrate his attack, and then extracted more than 1,000 medical records that the service provider said could net him about $15,564,” Intel Security reports.

Raj Samani, Intel Security’s CTO in EMEA and author of the McAfee Labs’ Health Warning report, said: “Given the growing threat to the industry, breach costs ought to be evaluated ... in terms of time, money, and trust – where lost trust can inflict as much damage upon individuals and organizations as lost funds.”

“When a well-developed community of cybercriminals targets a less-prepared industry such as health care, organizations within that industry tend to play catch-up,” Samani continued. “Gaining the upper hand in cybersecurity requires a rejection of conventional paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information, industry players must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.”
Investigators discovered that recently published data from anti-doping testing at the 2016 Olympics in Rio de Janeiro had been altered by parties connected to a Russia-based hacking group behind the breach, according to a report issued by the World Anti-Doping Agency (WADA) yesterday. The International Olympic Committee (IOC) dump, released by a group calling itself "Fancy Bears," was found by WADA's incident response team to contain altered information. "WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects [Anti-Doping Administration and Management System (ADAMS)] data," a spokesperson for WADA wrote in a post on the investigation.
The attackers gained access by stealing ADAMS credentials through "spear phishing" e-mails sent to IOC officials who owned the accounts.
The attack was similar to the e-mails sent to DNC and Clinton campaign officials earlier this year. This fits into a pattern tied to recent hacks by "Fancy Bear" and other groups—organizations that researchers and government authorities believe are connected in some way to the Russian intelligence community—being used for misinformation.
Some of the data in the initial Democratic National Committee "dump" by the entity calling itself Guccifer 2.0 was revealed to have been altered, and leaked metadata indicated the files had been edited by someone who spoke Russian. While the latest "leak" from Guccifer 2.0, allegedly from the Clinton Foundation's network, contains no such smoking guns, the metadata does exist and suggests the data came from previous "Fancy Bear" breaches at the DNC and other organizations that used the DNC's network. Forensic examination of the Guccifer 2.0 Clinton files specifically suggests the files came from previous breaches of the DNC and Democratic Congressional Campaign Committee (DCCC). Payroll files, expense reports, receipts, and lease documents for Democratic party field offices—as well as scans of checks issued for payment for FOIA requests and vendors—all point to the DCCC, DNC, and some state Democratic Parties.
Files not from the DNC or affiliated organizations came from GMBB (an advertising firm that does work for the Democratic Party), the Federal Election Commission, and the House of Representatives. Some of the more controversial documents in the collection posted directly on the Guccifer 2.0 WordPress blog, including one titled "Master Spreadsheet PAC Contributions," may have been modified before posting.
That file was created and edited once in February 2009.
Based on file metadata, it was pulled off the DCCC server on May 23, 2016.
This hack facilitated access to the medical history of athletes that participated in the games. WADA’s technical and forensic team’s current assessment is that hackers illegally accessed the Rio 2016 ADAMS Account multiple times between 25 August 2016 and 12 September 2016, using credentials obtained through a spear phishing campaign. The broader ADAMS system was not compromised in the attack, according to WADA.
In response to the admitted breach, WADA has tightened its security controls, introduced increased logging, and hired FireEye Mandiant to handle incident response. Security watchers have warned of the possibility of hacking attacks that involve data manipulation for several years, and the only real surprise on that front is that the attack affected a sporting rather than a banking organisation. Jason Hart, CTO of data protection at Gemalto, commented: “As the news that data from the WADA hack may have been manipulated shows, business leaders need to realise they are no longer just at risk from data simply being stolen.
As well as exposing gaps in a company’s security, the next frontier for cyber-crime will be data manipulation.
Data is the new oil and the thing most valuable to hackers.”

“Businesses can make vital decisions based on incorrect or exaggerated information, or data that has been stolen can be altered to change public sentiment regarding a business or individual, which hackers can exploit for personal or financial gain,” Hart said, adding that the fact that a breach can take months to detect further exacerbates the problem.

Bootnote

*The TUE process allows athletes to obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition, such as asthma.
Dr.] Jim [Parkhurst] plays guitar, sings in a symphony chorus, loves to hike, does crossword puzzles, and is an avid reader. He enjoys spoiling his twin nephews on annual trips to our national parks in the west." -Post announcing Parkhurst's new job, January 2015

In 2013, federal agents investigating the child pornography collection of one David S. Engle—who was later sentenced in Washington state to 25 years in prison—came across a new set of eight images.
The pictures showed five boys, ranging in age from around seven to 15, urinating outdoors, shaving their pubic hair, and posing naked in bathtubs. According to an affidavit from Postal Inspector Maureen O'Sullivan, who helped investigate the images, the photo set was "emerging and being widely distributed and traded by child pornography collectors on a national and international scale." Being new and uncatalogued, the images were forwarded to the National Center for Missing and Exploited Children (NCMEC), which maintains a vast database on prohibited images for use in investigations and image blacklists. While law enforcement generally focuses on finding those who create and/or trade child pornography, a simultaneous effort is made to identify—and if necessary to secure—the victims.
At the federal level, this task is centralized within NCMEC at the Child Victim Identification Program (CVIP)—and this new image set wound up at CVIP accordingly.
The investigation of the pictures, which took three years to complete, opens a rare window into the world of digital detectives who specialize in tracing some of the world's most horrific imagery.

An Embassy Suites hotel room—but which one?

It turns out that federal agents largely run an investigation the way most of us would: on the public Internet. CVIP took the obvious first step and pulled all the Exchangeable Image File (EXIF) metadata from the photos.
Amazingly, this data had never been scrubbed (even Facebook scrubs EXIF metadata from uploaded photos for security and privacy reasons).
Though the images were not tagged with GPS locations, they did have dates attached.
This would become a crucial clue. Without names and dates, finding the photos' creator would be difficult.
Even if one could identify a particular hotel used in a photo, the huge number of possible dates would make guest check-in registries nearly worthless.
But with a date, identifying a particular hotel might solve the case immediately. To that end, CVIP agents looked through a subset of the pictures that had been taken in a hotel room on August 20, 2010.
Background items suggested a location in Colorado, while the décor of the room hinted at an Embassy Suites hotel.
To find out which hotel, CVIP "compared rooms in the images to online photos of hotel rooms in all of the Embassy Suites in the area." (This sounds like either a Google image search or a careful look at the Embassy Suites website.) The team decided that the location was the Embassy Suites in Denver. The information was sent back to the postal inspectors, who fired off a subpoena to Embassy Suites for everyone registered at a "small subset of the hotel's rooms" on the date in question. However, the registry turned up no clear leads.
The trail went cold.

Let me Google that for you

In February 2015, CVIP came back to the postal inspectors with new data. Unrelated investigations around the country had turned up additional images from the set, showing the same boys in Western locations, many of them outdoors.

Photo: James Parkhurst (credit: UMC).

EXIF data revealed that these photos were taken two days earlier than the others, and one additional boy was now pictured. More importantly, "a particular landmark" in the new photos offered a specific location: a cabin within the Antero Hot Springs cabins in Salida, Colorado. In March 2015, the owner of the cabins sent postal inspectors information on guest rentals from the time. On the day the photos there had been taken, the cabin in question had been rented to "James Parkhurst" and three guests.

Rather than delving into some super-secret law enforcement database, agents turned to Google and Facebook to ID Parkhurst. Quick searches revealed a 55-year-old man with the same name who lived in Portland and was working as the Executive Director of Camp and Retreat Ministries for the United Methodist Church's Oregon-Idaho Conference. A search of Facebook pages belonging to Parkhurst and his family members showed conversations about trips to national parks—along with names and (non-sexual) photos of the five boys in the prohibited image series. Three of the boys, it turned out, were sons of Parkhurst's cousin.
The other two were twins, both adopted from Vietnam by Parkhurst's brother.

The full Facebook

This discovery led to an August 2015 search warrant for the Facebook accounts of Parkhurst, the five boys, and their parents.
Cross-referencing the conversations and pictures returned by the social network with the prohibited images and their EXIF data, investigators sketched out specific dates and times during which Parkhurst appeared to be on trips alone with the boys in locations matching those in the prohibited photos. For instance, the earliest photos dated to August 2008, when Parkhurst allegedly took all five boys on a trip to Las Vegas, the Hoover Dam, and Yosemite National Park.
As part of that trip, the group stopped at Travertine Hot Springs and Buckeye Hot Springs.
Inspectors found references to both places on a public website devoted to naturism ("nudity is commonplace").
Another stop, at El Dorado Hot Springs, was listed on a separate site as one of the "best places for nude camping in Arizona." With another prohibited image, investigators used "public search engines" to identify a particular hotel in Mariposa, California.
As confirmation of the location, traveler pictures on a "hotel review website" matched the bathroom amenities and décor in the prohibited photo.
Still more images were identified based on "landmarks that are searchable on Google" or by matching one pond to "an online image of the Olympic Hot Springs in Olympic Park, Washington."

Photo: Travertine Hot Springs in California (credit: gastondog).

Revenge of the thumbnail

Several of the photos from the set were circulating among child pornography collectors in cropped versions, with the pictures usually altered to remove an adult or to focus attention on the genitals. But the crops didn't hide the original image completely.
Investigators found that several of the image files still held thumbnail versions of the original image. One of these smaller but un-cropped images showed, in O'Sullivan's words, "Parkhurst nude next to [one of the boys]."

Secret databases

Assembling the case against Parkhurst eventually moved beyond open source information. Law enforcement periodically busts allegedly "legitimate" businesses selling things like "naturist films from around the world" that are actually child pornography. When that happens, investigators seize and archive all sales records for future investigations. For instance, in 2006, postal inspectors and the Los Angeles police raided Insider Video Club, which dealt in "DVDs, VHS tapes, and still images of nude men and boys;" the company's database was then seized.
And in October 2010, Toronto police shut down Azov Films, which specialized in this material, and they sent a copy of the sales database to the US. As part of the Parkhurst investigation, postal inspectors ran his name against these kinds of sales databases—and found hits at both Azov and Insider Video Club. Parkhurst had allegedly ordered Swim Party for $24.95 back in 1997 and Boys in the Mud in 2005 for $45.95.
Each video showed nude young boys and contained "no meaningful dialogue or storyline." Each video had been sent directly to Parkhurst's address.

Photo: Federal Judge Youlee Yim You.

But it was a third "ping" against a sensitive database that appears to have kicked the investigation into urgent mode. Postal inspectors plugged away on the Parkhurst case all the way through to July 2016, when they realized that Parkhurst had ongoing contact with the boys in the images—he had another trip coming up. A law enforcement sensitive database revealed that Parkhurst had booked tickets for himself and one of the boys—a senior in high school living near Chicago—to Greece, Italy, and Sweden.
The trip would begin on August 3. On August 1, Postal Inspector O'Sullivan took a search warrant to Federal Judge Youlee Yim You in Portland, had it signed, and assembled her team.
They raided Parkhurst's home the next morning, one day before the trip. According to O'Sullivan, the search team found some of the prohibited images on "one or more" of Parkhurst's digital devices. Parkhurst then agreed to speak to investigators. He allegedly admitted that he had taken the photos, acknowledged masturbating to at least some of them, but denied that he engaged in sexual activity with the boys. Parkhurst also suggested that his collection of nude images would not "qualify as child pornography." (US child pornography law actually includes a clause banning "lascivious exhibition of the genitals or pubic area" as a way to short-circuit any "but I didn't actually touch them!" defense.) Parkhurst was arrested.
According to the Oregonian, he resigned from his job and surrendered his ministerial credentials a few days later. He was eventually transferred to Denver, where he will stand trial. He had his first court appearance there this week.

Creative searching

While the Internet has enabled an explosion in child pornography—an issue that was largely under control in the analog era, thanks to the difficulty and expense of finding, creating, printing, and distributing it—it at least makes investigations simpler, too. Even though law enforcement has access to expensive or secret databases, many of the Parkhurst investigation leads were based on EXIF data and publicly available Internet pages.
Google, Facebook, hotel review and naturist websites, online maps, and image searches—it's all grist for the mill. Once a hotel or cabin has been located, once a person has been ID'd on Facebook, once a trip is suspected, then it's time for the subpoena, the warrant, or the secret database. Still, with all of the tech, search, and monitoring tools available to authorities today, one of the most useful investigative skills remains the ability to use the public Internet creatively.
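The two metadata points the investigators leaned on, the EXIF date stamp and the un-cropped thumbnail that camera software stores inside the EXIF block and that a crop leaves untouched, can be checked on any JPEG with a few dozen lines of parsing. The following is an added example written for this page, not code from the article or from the investigators: it constructs a tiny JPEG in memory (the picture data is a dummy; only the metadata structure is real), reads DateTimeOriginal and the IFD1 thumbnail, shows that swapping the picture data while keeping the APP1 segment leaves the thumbnail in place, and strips the APP1 segment the way a scrubber such as the one Facebook applies on upload would. The tag numbers are from the EXIF/TIFF specification; the date, thumbnail bytes and image bytes are constructed sample values.

```python
"""Minimal EXIF reader/scrubber for JPEG files (added example, not from the article)."""
import struct

TAG_EXIF_IFD = 0x8769           # pointer from IFD0 to the Exif sub-IFD
TAG_DATETIME_ORIGINAL = 0x9003  # ASCII "YYYY:MM:DD HH:MM:SS"
TAG_THUMB_OFFSET = 0x0201       # JPEGInterchangeFormat, lives in IFD1
TAG_THUMB_LENGTH = 0x0202       # JPEGInterchangeFormatLength, lives in IFD1
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types
EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1


def _segments(jpeg):
    """Yield (position, marker, payload) for every marker segment before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length counts its own 2 bytes
        yield pos, marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, e):
    """Parse one IFD; returns ({tag: (type, count, raw_bytes)}, next_ifd_offset)."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack(e + "HHI", tiff[pos:pos + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                                   # value fits inline in the entry
            raw = tiff[pos + 8:pos + 8 + size]
        else:                                           # value lives at an offset in the TIFF blob
            (off,) = struct.unpack(e + "I", tiff[pos + 8:pos + 12])
            raw = tiff[off:off + size]
        entries[tag] = (typ, n, raw)
        pos += 12
    (next_ifd,) = struct.unpack(e + "I", tiff[pos:pos + 4])
    return entries, next_ifd


def _long(entries, tag, e):
    return struct.unpack(e + "I", entries[tag][2])[0] if tag in entries else None


def extract_exif(jpeg):
    """Return {'DateTimeOriginal': str|None, 'thumbnail': bytes|None} from the APP1 Exif segment."""
    result = {"DateTimeOriginal": None, "thumbnail": None}
    for _, marker, payload in _segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        e = "<" if tiff[:2] == b"II" else ">"            # "II" little-endian, "MM" big-endian
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0, ifd1_off = _read_ifd(tiff, ifd0_off, e)    # IFD0 chains to IFD1 (the thumbnail IFD)
        exif_off = _long(ifd0, TAG_EXIF_IFD, e)
        if exif_off:
            exif, _ = _read_ifd(tiff, exif_off, e)
            if TAG_DATETIME_ORIGINAL in exif:
                result["DateTimeOriginal"] = exif[TAG_DATETIME_ORIGINAL][2].rstrip(b"\x00").decode("ascii")
        if ifd1_off:
            ifd1, _ = _read_ifd(tiff, ifd1_off, e)
            off, ln = _long(ifd1, TAG_THUMB_OFFSET, e), _long(ifd1, TAG_THUMB_LENGTH, e)
            if off and ln:
                result["thumbnail"] = tiff[off:off + ln]  # embedded JPEG, not affected by any crop
        break
    return result


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; SOS onward is copied untouched."""
    out, last = bytearray(b"\xff\xd8"), 2
    for pos, marker, payload in _segments(jpeg):
        seg_end = pos + 4 + len(payload)
        if not (marker == APP1 and payload.startswith(b"Exif\x00\x00")):
            out += jpeg[pos:seg_end]
        last = seg_end
    return bytes(out + jpeg[last:])


def replace_image_data(jpeg, new_image_segment):
    """Swap everything from SOS onward (as a metadata-preserving crop would) and keep APP1 as-is."""
    last = 2
    for pos, _, payload in _segments(jpeg):
        last = pos + 4 + len(payload)
    return jpeg[:last] + new_image_segment


def build_sample_jpeg(date="2010:08:20 14:05:33", thumb=b"\xff\xd8THUMB\xff\xd9"):
    """Construct a tiny little-endian Exif JPEG: DateTimeOriginal in the Exif IFD, thumbnail in IFD1."""
    e = "<"
    date_b = date.encode("ascii") + b"\x00"
    ifd0_off = 8                                   # right after the 8-byte TIFF header
    exif_off = ifd0_off + 2 + 12 + 4               # IFD0: count + 1 entry + next pointer
    date_off = exif_off + 2 + 12 + 4               # Exif IFD: count + 1 entry + next pointer
    ifd1_off = date_off + len(date_b)
    thumb_off = ifd1_off + 2 + 2 * 12 + 4          # IFD1: count + 2 entries + next pointer
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_EXIF_IFD, 4, 1, exif_off) + struct.pack(e + "I", ifd1_off)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_DATETIME_ORIGINAL, 2, len(date_b), date_off) + struct.pack(e + "I", 0)
    tiff += date_b
    tiff += struct.pack(e + "H", 2) + struct.pack(e + "HHII", TAG_THUMB_OFFSET, 4, 1, thumb_off)
    tiff += struct.pack(e + "HHII", TAG_THUMB_LENGTH, 4, 1, len(thumb)) + struct.pack(e + "I", 0)
    tiff += thumb
    app1 = b"Exif\x00\x00" + tiff
    image = b"\xff\xda\x00\x02" + b"DUMMY-SCANLINES" + b"\xff\xd9"   # constructed stand-in for the picture
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + image


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(extract_exif(sample))                                    # date and thumbnail present
    print(extract_exif(replace_image_data(sample, b"\xff\xda\x00\x02CROP\xff\xd9")))  # thumbnail survives
    print(extract_exif(strip_exif(sample)))                        # both gone after scrubbing
```

The point for anyone publishing or redacting images is the third call: cropping or re-encoding the visible pixels is not redaction if the APP1 segment is carried over, because the thumbnail and timestamp ride along inside it. Stripping the segment (or re-saving through a tool known to drop metadata) is the control, and the reader above is a cheap way to verify that it actually happened.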
Some details—including files on gymnast Simone Biles, basketball star Elena Delle Donne, and tennis pros Serena and Venus Williams—have already been leaked to the public. "We'll keep on telling the world about doping in elite sports," the Fancy Bear website says. "Stay tuned for new leaks." "WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act," Director General Olivier Niggli said in a statement. "[We] condemn these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system." It appears the hackers were only after info about the Summer Games; no other data has been compromised, according to the agency, which is conducting internal and external security vulnerability checks. The attack comes only a month after Yuliya Stepanova's WADA database password was stolen and her account illegally accessed.
Stepanova was the key whistleblower who helped expose widespread doping among Russian athletes.
The country's track and field team was ultimately banned from the Rio Olympics, and all athletes were barred from the Paralympics. "Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency's independent McLaren Investigation Report," Niggli said. Fancy Bear was linked to the hack of the Democratic National Committee this summer.
Crowdstrike co-founder Dmitri Alperovitch said at the time that Fancy Bear has targeted defense organizations around the world, suggesting they are aligned with GRU, Russia's military intelligence service.