Among the 10 people targeted in the conspiracy were Brennan; then-Deputy FBI Director Mark Giuliano; National Intelligence Director James R.
Clapper; Greg Mecher, the husband of White House Communication Director Jen Psaki; and other government officials.
The group called itself Crackas with Attitude, and it was led by a co-conspirator going by the name of Cracka. "She talks mad shit abt snowden," Liverman said on December 10, 2015 in an online chat with Cracka, referring to a target who is believed to be Psaki, according to a statement of facts signed by Liverman and filed in US District Court for the Eastern District of Virginia. (The document refers to Mecher and Psaki as Victim 3 and the spouse of Victim 3 respectively.) "If you come across anything related to [Victim 3's spouse] let me know.
If you find her cell or home number omg gimme." Liverman went on to say he wanted to "phonebomb the shitt [sic] outta" Psaki. The statement of facts shows Liverman discussing other intrusions with Cracka.
After getting a cellphone number Cracka had unlawfully obtained from a breached online account belonging to Victim 2, Liverman dialed it to make sure it belonged to the government official, whose real-world identity couldn't be immediately confirmed by Ars. Liverman "then paid an online service to automatically dial Victim 2's phone number once an hour, for 30 days, and leave a threatening recorded message." "We will keep a close eye on your family" Liverman later sent text messages to the cellphone that read in part: "We will keep a close eye on your family, especially your son." The message included a photo of the son that had been unlawfully obtained from one of Victim 2's compromised accounts.
That same day, Liverman publicly posted the cellphone number to pseudonymous Facebook and Twitter accounts and wrote: "This line will be active for only 24hrs, so call/sms it if you want to talk to me ... i also accept sexy nudes lol." Two days later Liverman told Cracka: "if we could get [Victim 2] swatted that would be amazing." Swatting is the term for falsely reporting violent crimes in progress to emergency responders in an attempt to elicit a response from special weapons and tactics police officers. Cracka used Victim 2's official credentials to gain unauthorized access to the Law Enforcement Enterprise Portal, an online database that's supposed to be available only to law enforcement officials.
At Liverman's request, Cracka used his access to obtain a list of more than 80 police officers and law enforcement employees in the Miami area. On January 6, 2016, Liverman posted the list online. The group allegedly also published a 47-page security clearance questionnaire containing highly personal information, which Brennan completed to obtain his post.
Around the same time, the group published a separate spreadsheet containing the personal data of the 29,000 FBI and DHS employees.
A day later, a group member allegedly presented evidence showing it had hijacked accounts belonging to Clapper. According to an affidavit filed in September, the group didn't rely on computer hacking to break into restricted accounts.
Instead, members used social engineering in which they impersonated their targets and various IT support personnel purporting to help the victims. On October 11, 2015, one of the suspects allegedly accessed the account belonging to Brennan by posing as a technician from Verizon.
The suspect then tricked another Verizon employee into resetting the password for Brennan's Internet service. Prosecutors said the suspects went on to take over a Brennan AOL account. The group allegedly used similar techniques to access other accounts.
The affidavit said another group member appeared to gain access to a law enforcement database by calling an FBI help desk and asking that Giuliano's password be reset. Now, Liverman faces a maximum possible sentence of five years in prison at sentencing, which is scheduled for May 12. The statement of facts filed with Friday's guilty plea offers a window into the depravity and viciousness that motivates so many online intrusions.
The perpetrators often succeed not through any technical skill but rather by making fraudulent phone calls that carefully exploit weakness in various companies' customer support services.
It's not the first time social engineering has exacted such a high price, and sadly, it likely won't be the last.
When you can get a seriously full-featured, security-conscious password manager for free, what would entice you to pay? How about even more features, and no limits on existing features? LogMeOnce Password Management Suite Ultimate 5.2 pulls out all the stops, removing limits on the number of shares and beneficiaries, and adding advanced features that include anti-theft and an unusual selfie-based two-factor authentication system. A few quirks in its mobile editions are still being ironed out, but overall, it's a feature-packed password powerhouse.
At $39 per year, LogMeOnce Ultimate costs the same as Dashlane 4.0. Sticky Password goes for $29.99 per year, and LastPass for just $12. But this big, sprawling utility has a ton of features, including some I haven't seen in any competing product.
The free edition doesn't impose any limits on the number of saved passwords, or of synced devices. If you're interested in the product but not sure if you want to pay for it, go ahead and install the free edition, and familiarize yourself with its impressive capabilities. You can upgrade to Ultimate any time the free edition's limits begin to chafe.
The free LogMeOnce Password Management Suite Premium 5.2 is loaded with features, enough that it outperforms many competing products that aren't free. I'll summarize its capabilities here, or you can read my full review of the free edition for more details.
LogMeOnce runs strictly as a browser extension, so it's not limited to a specific platform. If your browser supports extensions, you can use it on Windows, macOS, or even Linux. There are also apps for Android and iOS.
Just about every password manager starts off by asking you to define a strong master password, something that you can remember but that nobody could guess. LogMeOnce now offers password-less authentication as its default. To set this up, you pair your smartphone or mobile device with your LogMeOnce account. Now when you log in on your desktop, you verify when prompted on the mobile device, using a PIN, a fingerprint, or what the company calls PhotoLogin.
Those who've upgraded to Ultimate get more information along with the request for PIN, fingerprint, or PhotoLogin. Swipe left to see the requester's email address, GPS location, IP address, and more, or swipe right to view the location on a map. If you get an unexpected login request, this data may help you figure out who's trolling you.
For PhotoLogin, LogMeOnce snaps a photo with the webcam and sends it to the device. You simply verify that the photo is what you expected. If the computer has no webcam, you can compare a visual one-time password that's sent along with the photo. It's also possible to use PhotoLogin on the mobile device itself, but this isn't quite as secure. It involves you verifying that you are seeing the photo you just snapped; it's a bit self-referential. When I mentioned this to the developers, they quickly modified on-device PhotoLogin to also require entering a PIN.
The free edition captures logins (which it calls applications) as you enter them, and offers to play back your saved credentials when you revisit the site. It also includes a catalog of almost 4,500 known websites. Choose one of these and you can be sure that LogMeOnce will handle it, even if it uses a non-standard login page. However, if you somehow manage to find an oddball login that's not in the catalog, you can't just capture all form fields the way you do with LastPass or Sticky Password Premium. Clicking the browser toolbar button displays all your saved websites. Clicking one of them navigates to the site and logs in.
The password generator defaults to creating 15-character passwords, using all character sets, which yields a very tough password. It also rates any password you type, estimating how long it would take to crack. By default, you must change your master password every three months, without re-using previous passwords. Those using Ultimate can change the password expiry time, in a range from one month to one year.
You can use Google Authenticator, or a workalike such as Duo Mobile or Twilio Authy, for two-factor authentication. Other options in the free edition include receiving a one-time passcode via email, SMS, or voice call. In an unusual move, LogMeOnce charges two credits for each SMS authentication and four credits for each voice call. Those using Ultimate get an allowance of 50 credits per month, with the option to purchase more, $10 for 1,000 credits. I'll cover the Ultimate edition's additional two-factor options below.
An interesting feature called Mugshot gives you a look at anyone who tries to log in on a lost or stolen phone. On any failed login attempt, it snaps photos with the front and rear cameras and sends them to your online dashboard, along with the device's GPS location and IP address. Using this information, you may be able to locate and recover the device. Upgrading to Ultimate gets you a more complete anti-theft system.
LogMeOnce stores personal, address, phone, and company data, for use in filling Web forms. You can save multiple instances of each data type. New since my last review, it also saves and fills credit card data. Like Dashlane, it helpfully displays the saved cards as images, using the color and bank name you specified. It doesn't have the flexibility of form-filling whiz RoboForm Everywhere 7, but it does the job.
Like LastPass and Dashlane, LogMeOnce can display a list of all your passwords, with a strength rating for each, and a flag for any duplicates. In addition, its report page offers several other views on your security, some of which aren't functional in the free edition. If you find you've got weak or duplicate passwords, just click the link next to each one to go change it. For many popular websites, LogMeOnce can even automate the password change process, something few competing products manage.
LogMeOnce includes the ability to securely share passwords with other users. You can choose whether the recipient gets to see the shared password, or just to use it for logging in. There's also an option to define a beneficiary who will receive either your whole account or a specific password in the event of your death. The free edition allows one whole-account beneficiary, five password beneficiaries, and five shared passwords. In the Ultimate edition, there are no such limits.
A productivity dock along the bottom of the screen displays a baker's dozen of live icons that expand when you mouse over them. You can use these icons to quickly reach important features like mugshot or security scorecard. That is, you can if you've paid for the product. Those using the free edition just get a reminder that the productivity dock is only for paid users.
Selfie Two-Factor Authentication
Upgrading to Ultimate unlocks several additional options for two-factor authentication, the most unusual of which is Selfie-2FA. It works like this. You log in to the browser extension, either with the default password-less authentication or a master password. LogMeOnce snaps a webcam photo and sends it to the mobile device you've specified for Selfie-2FA. If the received photo matches what you expected, you simply tap to authorize. MasterCard is exploring a similar type of selfie-based authentication.
What if you're using a desktop device with no webcam? In this case, LogMeOnce sends a generic image with a visual one-time password at the bottom. If the OTP on your mobile device matches the one on your browser, you simply tap to authorize. It's less tech-sexy than using a selfie, but it totally works.
My LogMeOnce contact pointed out that you can make it even harder for an attacker to beat this system by being unpredictable. Just keep changing which of your devices is the one authorized to respond to Selfie-2FA.
Those who've paid for the program can prepare a USB flash drive for use as a physical second authentication factor. There's also an option to add an X.509 Certificate as an authentication factor, but this is more logical in a business setting.
You can enable as many of the two-factor options as you wish, and log in using whichever is logical at the time. For example, if you logging in on a mobile device with no socket for your USB authentication key, you could opt to receive a code via SMS or email, or get a code from Google Authenticator. True Key by Intel Security also offers multiple authentication options, but goes further by letting you require more than just two of them for authentication.
Device Management and Anti-Theft
The free edition receives the GPS location of any failed login attempt, but the paid edition lets you check device location whenever you like. The Device Map page in the Security section displays the location of all your registered devices. Clicking on a device gets you more information, along with a button that remotely logs out of any active LogMeOnce session on the device.
The separate Device Management page lists all the devices you've configured for use with LogMeOnce. If you've lost or replaced a device, you can remove it from the list, thereby disconnecting it from your account. You can flip a switch to define whether each mobile device can accept password-less login requests.
When you select a device from the list, other actions become available. You can send a request to locate a mobile device. A Details tab displays a huge amount of information for iOS devices, quite a bit less for Android devices. However, for Android devices only, you can view a list of installed apps.
The Commands tab appears for both Android and iOS devices, but the available commands differ. You can remotely cause an Android smartphone to ring at top volume, handy in case you've simply misplaced it, and you can lock it remotely using the system lockscreen. You can even change the lockscreen password remotely before locking it down.
On both Android and iOS, you can send a message, perhaps something like, "I've seen your mugshot, phone thief, and I'm coming for you!" But don't get too excited about this feature. Unless you've enabled viewing notifications on the device's lockscreen, the only way a phone thief could read the message would be by logging in to LogMeOnce, which shouldn't be possible.
That brings me to the final command, available on iOS and Android, the Kill-Pill. This dramatically named feature simply wipes all personal LogMeOnce data. I sent the Kill-Pill command to my Apple iPad Air and watched as LogMeOnce reverted to the initial setup screen, with no sign of my email address or any other configuration data. Oddly, sending the same command to my Nexus 9 never worked; it timed out repeatedly in my testing. My company contact confirmed that while the feature works on most Android devices, it doesn't yet work on a Nexus 9. Gotta love Android fragmentation!
Using a trusted mobile device as part of the authentication process is becoming more and more common. Like LogMeOnce in password-less mode, oneID skips the master password in favor of device-based authentication. You can configure True Key to use other forms of authentication, including a trusted device, in place of a master password. But LogMeOnce is the only product I've seen that adds anti-theft features to protect the security of that trusted device. It's a smart move.
Even the free edition of LogMeOnce lists all your passwords ordered by strength, rates your total security status, and displays what it calls a hybrid identity score. If you've paid, you also get an overall password strength rating, with a breakdown of statistics such as the number of passwords of at least 15 characters, and the number that contain at least one of each character type.
The Live PasswordTracker chart is another paid-only feature. It takes two weeks to get a baseline for reporting, so I didn't see its full capabilities. For starters, it charts a solid line that's your overall password strength each day. If you're using the product correctly, that line should only go up. It also charts what the company calls a heartbeat line. Solid line segments represent days that you used LogMeOnce, dotted segments days that you did not. The line's height above the axis is based on the strength of the passwords you used on that day. The purpose of the chart is to encourage you in proper password hygiene, replacing weak passwords with strong ones and always relying on the password manager to keep track.
A Few Oddities
In testing the free edition, I glossed over the few little quirks I ran into, given the fantastic features that you get for free. Running into those same quirks—and a few new ones—in the paid edition, I'm slightly less forgiving.
LogMeOnce is a work in progress, in a good way. While working on this review, I confused the PhotoLogin feature with what was then called Photo-2FA. Overnight, the developers renamed it to Selfie-2FA, to avoid confusion. Because I mused about the possibility of an unauthorized person picking up a phone that was left unlocked, they changed the local-only PhotoLogin to also require PIN entry. This is an agile team, indeed.
On the other hand, I also ran into some oddities that aren't yet fixed. I couldn't make the Kill-Pill personal data erasure work on my Android device. To use Selfie-2FA from my all-in-one desktop PC, I had to crank the webcam brightness to the max, so high that Skype images appeared washed out. On an iPad, the iOS edition runs in the dated 2x mode, just a blown-up version of the iPhone edition. And even though a paid account should be ad-free, the "Go ad-free" link still appears, and I saw ads on some mobile screens. Pending updates for the Android and iOS apps should fix at least some of these oddities. Overall, though, this utility's breadth of features and its inclusion of innovative, security-focused features overshadows these few quirks.
LogMeOnce Password Management Suite Ultimate takes the vast feature set of the free LogMeOnce password manager and kicks it up to the next level. I haven't seen another product offering selfie-based two-factor authentication, or a built in anti-theft system. It lacks the ability to manage password for applications, but it checks just about every other box. On the flip side, you get almost all of these features in the free edition, and for some the vast array of features may prove off-putting.
LastPass Premium comes the closest to matching LogMeOnce's breadth of functionality, though with the latest edition LogMeOnce has taken a significant lead. For those who are more into simplicity and ease than a prodigious number of features, Dashlane 4 does everything you could want, with flair. LogMeOnce joins these two as an Editors' Choice for commercial password managers.
To expedite the sale, Gautreaux had documents already approving him for a loan for the vehicle stored on his smartphone, and claims the salesman asked to show the device to his manager. The phone was out of the couple's sight for about five minutes, they say, but when the pastor got it back he saw that an image was on the top screen – one of a couple of sexy snaps he'd taken of his wife as she was getting into and out of the bath. Subsequent investigation showed that the pictures had been emailed to an account at a website for swingers, the couple claims, and they called the police. Matthew Luke Thomas, the dealership's sales director, was arrested last month and charged with allegedly breaching a computer's security, a class B misdemeanor. Thomas is out on bail. Meanwhile, the Gautreauxs have now hired high-powered human rights lawyer Gloria Allred and are suing Thomas, Texas Toyota of Grapevine and Toyota Motor North America, claiming [PDF] breach of contract, intrusion, negligence and public disclosure of private facts.
The couple took their case to the Dallas County court on December 1, claiming the photos were swiped in January 2015, and have asked for more than a million bucks in relief. "Undoubtable this is not the first time that this has happened," Allred claimed during a news conference on Thursday, the Dallas Morning News reports. "But we hope the public awareness will help to put a stop to it." ® Sponsored: Customer Identity and Access Management
This time around, we’ve chosen to focus on attribution in APT research, its methods and complications, and how intermediate-to-advanced attackers are already manipulating attribution indicators in an attempt to mislead researchers and squander limited incident response resources.
False flags and deception tactics have always been discussed as possibilities in this space, but we wanted to put out a wealth of examples to advance the conversation. Our hope is that we can further the dialogue regarding attribution to involve more nuanced and daunting questions that have yet to be conclusively addressed. When reading some of the examples, keep in mind that this was written back in February to submit to the VirusBulletin call for papers.
At the time, deception techniques were a topic discussed in private between researchers, but never publicly substantiated.
Since then, events over the summer have made this topic commonplace to the infosec community, if still a matter of contention and skepticism.
The paper is extensive (but not exhaustive) and we hope that those of you interested in the subject will take some time to go through the reasoning and examples.
The following are some takeaways we hope will pique your interest and get a dialogue going regarding the nuances of attribution as it’s currently being done: There’s nothing straightforward about ‘whodunnit’ From the perspective of threat intelligence producers, there exist complications regarding attribution and its practical purpose.
As any honest anti-malware company should admit, no institution has complete or perfect visibility into the activities of any threat actor.
Different companies see different fragments; different types of service providers compliment that visibility with other types of data.
This is a research space rewarded by cooperation and data exchanges.
As such, when attempting to describe the activities of a threat actor, it’s difficult to suggest that a single threat intelligence product can stand as the exhaustive final chapter on any of the threat actors we investigate. Much less, provide a definitive picture of their identity, activities, and resources. The true value of a threat intelligence product is its actionable potential, its ability to help detect and mitigate attacks, to provide clear avenues for proactive defense and improved defensive posture against a persistent and shadowy adversary, and to provide understanding to institutions and individuals outmatched and outwitted by the topdogs of the cyber espionage space.
And even then, we have to consider that when it comes to wide dissemination of this information for the benefit of the public, it’s not just victims that are reading threat intelligence products.
As our paper sets out to demonstrate, attackers too are keenly consuming threat intelligence research, learning from researcher methods as well as other APT groups and incorporating that information to better their own operations. What can attribution do for you? Threat Intelligence has come a long way in the last five years or so, and with that, more and more attribution is being done publicly by companies selling this as a product.
Before that, attribution was only really done within governments and kept private or classified.
These days, journalists and commentators are after the ‘sexy’ part of the story and are heavily focused on the “who” and not the “why”. While we are not arguing for or against companies performing attribution and publicly sharing their discoveries, we do pose some questions around how deep attribution really needs to go based on the role of the organization defended and its ability to take action.
For governments, the most fidelity is justifiably needed, especially when the outcome of the attribution results in diplomatic sanctions, offensive operations, or demarches.
But for a private company consuming threat intelligence is that level of attribution really needed to protect that organization against these attacks? We hope the paper proves thought-provoking to threat intelligence producers and consumers alike, aligning needs and expectations, and preparing the infosec community for increasingly deceptive and manipulative interactions with our adversaries.