Half of the Largest Companies: Threat Vulnerable

October 24, 2016

Compromised Credentials, a research report by Digital Shadows reveals that around 1,000 companies comprising of Forbes Global 2000 are at risk as credentials of their employees are leaked or compromised.

As reported by Channel EMEA in Digital Shadows Global Study Reveals UAE Tops List in Middle East for…

The report found that 97 percent of those 1000 of the Forbes Global 2000 companies, spanning all businesses sectors and geographical regions, had leaked credentials publicly available online, many of them from third-party breaches.

Owing to large-scale data breaches in recent times, credentials of 5.5 million employees are available in public domain for anyone to see. Social networks like LinkedINMySpace and Tumblr were the affliction points of these breaches, the report states.

Analyzed geographically, companies in Middle-East seem to be the most affected:

The report revealed that the most affected country in the Middle East – with over 15,000 leaked credentials was the UAE. Saudi Arabia (3360), Kuwait (203) followed by Qatar (99) made up the rest of the list. This figure is relatively small as compared to the global figure due to the lower percentage of organizations that reside in the Middle East.

Affected organizations may not be able to contain the damages by simply resetting the passwords of the employees. It also needs to be seen if the information available is contemporary, not reposted and is unique. Moreover, mere password resetting can cause lot of friction within the IT departments of the organizations.

Without proper analysis, it will be difficult for the affected companies to gauge the extent of the damage. But considering the PR nightmare it leads to, will these companies come forward and acknowledge the breaches?

Vishal Ingole, October 24, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Twitter: A Security Breach

October 21, 2016

Several years ago, the Beyond Search Twitter account was compromised. I received emails about tweets relating to a pop singer named Miley Cyrus. We knew the Twitter CTO at the time and it took about 10 days to fix the issue. At that time, I knew that Twitter had an issue.

I read “Passwords for 32 Million Twitter Accounts May Have Been Hacked and Leaked.” I learned:

the data comes from a Twitter hack in which 32 million Twitter accounts may have been compromised. The incident and the news comes from a rather unusual source that lets you download such data and even lets you remove yourself from the listing for free.

No word about how many days will be consumed addressing affected accounts.

Stephen E Arnold, October 21, 2016

Multiple Vendors Form Alliance to Share Threat Intelligence

October 20, 2016

In order to tackle increasing instances of digital security threats, multiple intelligence threat vendors have formed an alliance that will share the intelligence gathered by each of them.

An article that appeared on Network World titled Recorded Future aligns with other threat intelligence vendors states that stated:

With the Omni Intelligence Partner Network, businesses that are customers of both Recorded Future and participating partners can import threat intelligence gathered by the partners and display it within Intelligence Cards that are one interface within Recorded Future’s platform

Apart from any intelligence, the consortium will also share IP addresses that may be origin point of any potential threat. Led by Recorded Future, the other members of the alliance include FireEye iSIGHTResilient Systems and Palo Alto Networks

We had earlier suggested about formation inter-governmental alliance that could be utilized for sharing incident reporting in a seamless manner. The premise was:

Intelligence gathered from unstructured data on the Internet such as security blogs that might shed light on threats that haven’t been caught yet in structured-data feeds

Advent of Internet of Things (IoT) will exacerbate the problems for the connected world. Will Omni Intelligence Partner Network succeed in preempting those threats?

Vishal IngoleOctober 20, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph


What Lurks in the Dark Web?

October 20, 2016

Organizations concerned about cyber security can effectively thwart any threats conditionally they know a threat is lurking in the dark. An Israeli SaaS-based startup claims it can bridge this gap by offering real-time analysis of data on Dark Web.

TechCrunch in an article Sixgill claims to crawl the Dark Web to detect future cybercrime says:

Sixgill has developed proprietary algorithms and tech to connect the Dark Web’s dots by analyzing so-called “big data” to create profiles and patterns of Dark Web users and their hidden social networks. It’s via the automatic crunching of this data that the company claims to be able to identify and track potential hackers who may be planning malicious and illegal activity.

By analyzing the data, Sixgill claims that it can identify illegal marketplaces, data leaks and also physical attacks on organizations using its proprietary algorithms. However, there are multiple loopholes in this type of setup.

First, some Dark Web actors can easily insert red herrings across the communication channels to divert attention from real threats. Second, the Dark Web was created by individuals who wished to keep their communications cloaked. Mining data, crunching it through algorithms would not be sufficient enough to keep organizations safe. Moreover, AI can only process data that has been mined by algorithms, which is many cases can be false. TOR is undergoing changes to increase the safeguards in place for its users. What’s beginning is a Dark Web arms race. A pattern of compromise will be followed by hardening. Then compromise will occur and the Hegelian cycle repeats.

Vishal Ingole, October 20, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

NSA Aftermath in Germany

October 19, 2016

When it was revealed not too long ago that the United States was actively spying on Germany, the country decided it was time to investigate.  Netzpolitik wrote an update on Germany’s investigation in “Snowden’s Legacy: Hearing In The Parliament Committee.”  The German parliament launched a committee to head the investigation, which included many hearings.  At recent hearing in Germany, five USA experts spoke to the committee, including ACLU technologist Charles Soghoian, Watson Institute’s Timothy H. Edgar, ACLU attorney Ashley Gorski, Open Society Foundation senior advisor Morton H. Halperin, and US Access Now policy manager Amie Stepanovich.

The experts met with the committee as a way to ease tensions between the US and Germany, but also share their knowledge about legal issues related to surveillance and individual’s privacy rights.  The overall agreement was that current legal framework for handling these issues is outdated and needs to be revamped.  There should not be a difference between technical and legal protection when it comes to privacy.  As for surveillance and anonymity, there currently is not a legal checks and balances system to rein in intelligence organizations’ power.  The bigger problem is not governmental spying, but how the tools are used:

Nevertheless, Christopher Soghoian noted that the real scandal was not that government agencies were spying on their people, but that technology was so poorly secured that it could have been exploited. Historically, encryption and security have had a very low priority for big Internet companies like Google. Snowden turned the discussion upside-down, his disclosures radicalised the very people who design the software the NSA had privately exploited. Therefore, the most important post-Snowden changes were not made in Government hallways but in the technological community, according to Soghoian.

German surveillance technology manufacturers Gamma Group and Trovicor were also mentioned.  As the committee was investigating how the NSA violated Germany’s civil rights, of course, a reference was made to the World Wars.  What we can pull from this meeting is we need change and technology needs to beef up its security capabilities.

Whitney Grace, October 19, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Pattern of Life Analysis to Help Decrypt Dark Web Actors

October 18, 2016

Google funded Recorded Future plans to use technologies like natural language processing, social network analysis and temporal pattern analysis to track Dark Web actors. This, in turn, will help security professionals to detect patterns and thwart security breaches well in advance.

An article Decrypting The Dark Web: Patterns Inside Hacker Forum Activity that appeared on DarkReading points out:

Most companies conducting threat intelligence employ experts who navigate the Dark Web and untangle threats. However, it’s possible to perform data analysis without requiring workers to analyze individual messages and posts.

Recorded Future which deploys around 500-700 servers across the globe monitors Dark Web forums to identify and categorize participants based on their language and geography. Using advanced algorithms, it then identifies individuals and their aliases who are involved in various fraudulent activities online. This is a type of automation where AI is deployed rather than relying on human intelligence.

The major flaw in this method is that bad actors do not necessarily use same or even similar aliases or handles across different Dark Web forums. Christopher Ahlberg, CEO of Recorded Future who is leading the project says:

A process called mathematical clustering can address this issue. By observing handle activity over time, researchers can determine if two handles belong to the same person without running into many complications.

Again, researchers and not AI or intelligent algorithms will have to play a crucial role in identifying the bad actors. What’s interesting is to note that Google, which pretty much dominates the information on Open Web is trying to make inroads into Dark Web through many of its fronts. The question is – will it succeed?

Vishal Ingole, October 18, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Demand for British Passports Surge on Dark Web Post Brexit

October 17, 2016

Freedom of Information Act request submitted by British general insurer Esure reveals that 270,000 British passports have been reported missing so far in 2016. A tiny percentage of these passports are for sale on Dark Web for a premium.

In an article by Jennifer Baker titled Dark Web awash with pricey British passports after UK vote for Brexitstates:

The value of a fake British passport has increased by six percent since the vote in favor of Brexit, and is predicted to rise further if rules on European Union freedom of movement change

Each passport is being sold for around $3,360 and upwards in Bitcoin or its equivalent. Restriction of movement across borders from the European Union to the United Kingdom is considered to be the primary reason for the surge in demand for British passports.

While the asking price for smaller EU nation passports remains tepid on Dark Web, experts are warning that instances of British passport thefts will increase by 20 percent next year.

The offline and online black market for British passports is estimated to be around $57 million a year. According to Ms Baker:

The most common hotspots for passport theft included bars and restaurants (14 percent), the beach (14 percent), busy streets (14 percent) and hotel rooms (13 percent). However, it isn’t just overseas as one in five (19 percent) of people reported a passport being stolen from their own homes.

A stolen passport can be used without any hassles till it is reported lost or stolen, and Brexit rules come into force. Even after being reported, the passport can still be used for identity theft and other online scams. Can there be a better way to curb this practice of identity theft, Brexit or not?

Vishal Ingole, October 17, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Malware with Community on the Dark Web

October 14, 2016

While Mac malware is perhaps less common than attacks designed for PC, it is not entirely absent. The Register covers this in a recent article, EasyDoc malware adds Tor backdoor to Macs for botnet control. The malware is disguised as a software application called EasyDoc Converter which is supposed to be a file converter but does not actually perform that function. Instead, it allows hackers to control the hacked mac via Tor. The details of the software are explained as follows,

The malware, dubbed Backdoor.MAC.Eleanor, sets up a hidden Tor service and PHP-capable web server on the infected computer, generating a .onion domain that the attacker can use to connect to the Mac and control it. Once installed, the malware grants full access to the file system and can run scripts given to it by its masters. Eleanor’s controllers also uses the open-source tool wacaw to take control of the infected computer’s camera. That would allow them to not only spy on the victim but also take photographs of them, opening up the possibility of blackmail.

A Computer World article on EasyDoc expands on an additional aspect of this enabled by the Dark Web. Namely, there is a Pastebin agent which takes the infected system’s .onion URL, encrypts it with an RSA public key and posts it on Pastebin where attackers can find it and use it. This certainly seems to point to the strengthening of hacking culture and community, as counterintuitive of a form of community, it may be to those on the outside.

Megan Feil, October 14, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph


Pindrop: Will It Make Burner Phones Less Attractive to Bad Actors

October 12, 2016

I read “Lloyds to Use Pindrop Tech to Identify Fraudulent Calls.” The company has technology which fingerprints a voice call. The approach considers such factors as “‘location, background noise, number history and call type, among others.” The “others” includes about 140 other items of information the system can extract or generate. The idea is that a fraudulent call can be flagged and appropriate action taken. The company, like Recorded Future, is partially funded by Alphabet Google.

The company was founded in 2011 and uses smart software to provide an early warning system when an in bound call is potentially fraudulent. Each monitored call receives an “audio fingerprint”; that is, a numerical identifier which allows calls to be analyzed. Terbium Labs uses a fingerprinting technique to identify certain types of content on Dark Web and other online sites.

The idea is that a customer service representative can be alerted when a back actor calls to transfer money or request a new credit card.

Can the system identify fraudulent calls from burner phones. These are devices which place calls and use one time SIM cards? What other applications will Pindrop bring to market? What happens if the technology is applied to Google’s new voice actuated home devices?

For more information about Pindrop, navigate to the company’s About page. Presumably Pindrop’s stakeholders can hear a pin drop and may more.

Stephen E Arnold, October 12, 2016

Hacking Federal Agencies Now a Childs Play

October 12, 2016

A potentially dangerous malware called GovRat that is effective in cyber-espionage is available on Dark Web for as low as $1,000.

IBTimes recently published an article Malware used to target US Government and military being sold on Dark Web in which the author states –

The evolved version of GovRat, which builds on a piece of malware first exposed in November last year, can be used by hackers to infiltrate a victim’s computer, remotely steal files, upload malware or compromised usernames and passwords.

The second version of this malware has already caused significant damage. Along with it, the seller is also willing to give away credentials to access US government servers and military groups.

Though the exact identity of the creator of GovRat 2.0 is unknown, the article states:

Several of these individuals are known as professional hackers for hire,” Komarovexplained. He cited one name as ROR [RG] – a notorious hacker who previously targeted Ashley Madison, AdultFriendFinder and the Turkish General Directorate of Security (EGM).

Data of large numbers of federal employees are already compromised and details like email, home address, login IDs and hashed passwords are available for anyone who can pay the price.

InfoArmor a cybersecurity and identity protection firm while scanning the Dark Web forums unearthed this information and has already passed on the details to relevant affected parties. The extent of the damage is unknown, the stolen information can be used to cause further damage.

Vishal Ingole, October 12, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Next Page »