Operation #LeakTheAnalyst hits security firms by hitting employees.
An attack on an individual, legitimate security analyst, came to light early Monday. A Mandiant analyst's personal accounts were breached, with doxing to Pastebin by a person or persons calling themselves "the 31337 Hackers." (Leetspeak for "eleet," that is, "elite.") The doxing was part of Operation #LeakTheAnalyst. The hackers also claim to have breached Mandiant systems in 2016, but no documents posted so far suggest this is anything but gasconade (Security Week).
Mandiant is a unit of FireEye, which says it's found no evidence that its systems or networks were compromised. An investigation is in progress. The company did say that some information on two customers was exposed in the doxing; they're working with those customers to contain any problems (Infosecurity Magazine). FireEye reported strong results this week, and said that their investigation of the hack revealed that not only had corporate networks not been breached, but that the affected employee had suffered compromise of a couple of online accounts, not his personal systems. The company said it found the timing of the attack "interesting" for unspecified reasons (CRN).
As far as declared motivation, the 31337 Hackers say they've long resented legitimate security analysts and have decided to target them as individuals. The communiques that accompanied their Pastebin doxing aren't quite written in ShadowBrokerese, but there are some similarities. One of the ShadowBrokers' linguistic stigmata is a mangled plural, as in their use of "peoples." There are signs of this in what the 31337 Hackers have to say. "This documents describes some of the key events of the past two months related to cyber espionage," is a representative sample. Not quite as mannered and contrived as the ShadowBrokers—indeed, it's within the range of what one might see in an undergraduate's term paper—but still, Operation #LeakTheAnalyst" will bear watching (CSO).
Winter is coming (but you knew that).
HBO was hacked this past week, with scripts for Game of Thrones leaked along with other properties (Ars Technica). The hackers' take is thought to be very large, with some putting it at seven times the size of Sony's hack. More than show scripts and episodes may have been taken: the company and its stakeholders are bracing for release of emails and other material that may have been compromised (Vanity Fair).
In an unrelated third-party incident, HBO distribution partner Star India said Friday that an unaired Game of Thrones episode had leaked online (Reuters).
NotPetya sequelae.
Merck has warned that its manufacturing operations were severely impeded by NotPeyta, that the incident will have material effect on their earnings, and that they haven't yet fully recovered (Threatpost). Merck will not be the last. Beiersdorf, which manufactures Nivea cosmetics, continues investigating and recovering from NotPetya, but the company has reported that €35 million in sales will be delayed into the next quarter. The company's CFO said, "There is a cost and there will be a cost associated with this. We are still working our way through it. Our focus so far has been on recovery." Six major international corporations (four in Europe, two in Russia) who've disclosed NotPetya infestations will report results this month (Reuters).
Corporations and their stakeholders are understandably skittish. BASF experienced network outages at its Ludwigshafen plant this week, and the chemical manufacturer has hastened to reassure all that it doesn't believe the incident was a cyber attack (Reuters via US News & World Report).
The plaintiff's bar has taken note. A Ukrainian law firm, Juscutum Attorneys Association, is assembling injured companies to join in a lawsuit against Intellect-Service LLC, the company whose M.E.Doc accounting software was the patient zero of the NotPetya pandemic (Bleeping Computer).
Cryptocurrencies attract digital Willie Suttons.
Bitcoin executed its expected hard fork Tuesday. There are now two successor currencies: Bitcoin and Bitcoin Cash. The fork, from a Bitcoin owner's point-of-view, is analogous to a stock split (Ars Technica).
The hackers behind WannaCry this week quietly emptied their not-particularly overflowing Bitcoin wallets and transferred funds to Monero, thought by some to offer more anonymity than other cryptocurrencies (International Business Times).
Cerber ransomware has picked up some new functionality: it now raids Bitcoin wallets (TrendLabs Security Intelligence Blog).
WannaCry's "inadvertent hero" not so heroic in the Feds' eyes.
Marcus Hutchins, 23, a researcher for security firm Kronos Logic, gained fame when he registered a domain specified in WannaCry's code, thereby tripping the malware's kill switch and halting its spread (Guardian). But Wednesday the US FBI arrested him in Las Vegas (he'd been attending DEF CON) on a warrant alleging his responsibility for creating and distributing the Kronos banking Trojan. A second individual whose identity has been redacted from charging documents is also named in the indictment (Motherboard). Prosecutors say Hutchins admitted to investigators that he sold Kronos, but Hutchins intends to plead not guilty (ITV). Bail was set Friday at $30,000, and Hutchins remains in custody (BBC).
The case may be an important one, since the indictment alleges violation of an infrequently used anti-wiretapping law. That law, 18 United States Code Section 2512, makes it a crime to make, sell, or advertise “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.” The Government's theory holds that devising and selling the malware count as purveying such a wiretapping device, and doing so with guilty knowledge that it will be used in a prohibited way. Some experts characterize the Government's theory of the case as an "aggressive" one (Washington Post) and worry about its implications for legitimate security research (The Hill). Investigators, security researchers fear, may lack an understanding of "context"(WIRED).
Protection for white hats and other bug hunters.
Security researchers have long been leery of their exposure to prosecution or civil litigation under two US Federal laws, the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. The US Government took two steps this week to mitigate those concerns. First, the US Department of Justice issued a guidance document establishing a framework for responsible disclosure. The guidelines would help companies set up bug bounty programs, and they would also limit the exposure of researchers to legal action that might be taken under current laws (Help Net Security).
Second, a bipartisan bill was introduced into the US Senate that would incentivize companies developing and selling Internet-of-things (IoT) devices by limiting US Government purchases of IoT equipment to products that met certain requirements (Scribd). The core provisions of the Internet of Things Cybersecurity Improvement Act of 2017 would require vendors to ensure their devices can be patched, that they use industry-standard protocols, and that they contain neither hard-coded passwords nor known vulnerabilities. One of the sponsors, Senator Wyden of Oregon, sees the bill as a corrective to what he calls the "overly broad" provisions of the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act (KrebsOnSecurity).
Spearphishing with nothing but a subject as hook, line, and sinker.
German researchers warn of a new, unusually lean form of speaphishing. The victim gets an email, apparently from a colleague. It contains neither links nor attachments, the usual malware vectors in phishing emails. In this case the attackers are counting on the victim Googling the subject. The search results will lead the victim to a malicious site (Zeit).
Hybrid war gets hotter; US-Russian relations turn colder.
US President Trump has signed a bill sanctioning Russia for a range of objectionable behavior. Leaders of both major US political parties (for example, President Trump and Minority Leader Pelosi) have called the bill "flawed," but hope it will help deter not only Russia, but other bad actors as well (Military Times).
Russia has taken a very dim view of US plans to arm Ukraine (such assistance will include cyber capabilities), warning that this will, first, not work, and second, that the policy will prompt responses from Russia well outside Ukraine (Defense News).
Election hacking: investigation, signaling, and the real thing.
Venezuela appears to be giving the world a spectacularly large, barefaced example of what election fraud looks like. The government seems to have installed its "temporary parliament" attended by voting in which at least a million ballots were invented out of thin air. The company whose voting devices were manipulated has denounced the fraud (Times).
Germany will hold its elections next month. The conventional wisdom holds, probably correctly, that "of course" Russia will try to hack the vote, but that in the end its efforts to determine the results will fail, in part because the element of surprise is gone, and the propaganda is already factored into public opinion (Foreign Policy).
A member of the US House of Representatives wants the Department of Homeland Security's Election Assistance Commission to train political campaign staffers (described in press reports as "political operatives") in defense against hacking. Representative Terry Sewell (Alabama) introduced the E-Security Fellows Act on July 28. She also introduced the Securing and Heightening the Integrity of our Elections and Lawful Democracy Act, which would direct the Department of Homeland Security to coordinate cybersecurity efforts directly with political campaigns. She reasons that "Campaign staff are our first line of defense against cyberattacks targeting our elections." Her goal appears to be establishment of what would in effect amount to an ISAO for campaign organizations (FCW).
Crypto wars update, with notes on inspiration.
British Home Secretary Amber Rudd visited Silicon Valley on a mission to convert pro-encryption tech firms to the anti-encryption side. "Real people," she argues, don't need strong crypto. The only people who do are terrorists, in the Home Secretary's view (Computing). Observers are sympathetic to the wish to prevent terrorism and reduce radicalization, the two linked causes most commonly cited by Home Secretary Rudd's side in the crypto wars, but most see moves against encryption as weakening security for everyone. This view is widespread in Silicon Valley: Google, Apple, WhatsApp, Microsoft and other tech firms have been strongly on the pro-encryption side (Naked Security).
The British Government is coming under criticism at home as civil servants decline to release an unusually large number of documents. HM Government has long been famously secrecy-prone, but watchdogs are saying it's becoming even more so (Times).
The Islamic State and other jihadist groups continue to mount alternatively devout or repellent inspiration campaigns, but observers see these as yielding diminishing returns. Their audience has grown bored, some think (Foreign Policy). Russian security firm Group-IB has unmasked the identities of the ISIS-sympathizing skids who do business loosely organized as the United Islamic Cyber Force (UICF). Interpol has been informed (Security Week).
Internet control advances.
On the other hand, where you stand on matters like privacy and encryption can depend on where you do business. Last month Apple decided to comply with Chinese authorities' orders to block virtual private network (VPN) providers. Apple has defended its compliance as an instance of respect for legitimate local law, but that explanation has played poorly with both privacy advocates and political realists (ZDNet). But Apple's hardly alone: such compliance with state control has been, observers say, the industry pattern (WIRED).
On July 29th Russia's President Putin signed a ban on proxy services, including VPNs. Activists (including not just Amnesty International, but the increasingly quixotic Edward Snowden, still residing in Russia) denounced the law as a blow to free exchange of information on the Internet, which of course is exactly the point (Radio Free Europe | Radio Liberty).
Big Brother thinks you might be interested in buying a copy of Big Data for Dummies.
Chris Inglis, former deputy director of the US NSA, told symposiasts in Australia this week that, to be sure we need to constrain data collection by the state, but that people should really worry more about what corporations collect on them. "The private sector is running unchecked in this regard," Inglis said (NewsComAu). (It's all right there in that EULA you clicked through.)
More from Vault7: the Dumbo project.
WikiLeaks' latest dump from Vault7 includes material that allegedly describes CIA's "Dumbo" project, an effort to compromise webcams and microphones. Dumbo is interesting in that it appears designed to facilitate (and conceal) physical access rather than to serve primarily as a set of collection tools (Hack Read). Some put it into context by describing the leaks as a kind of how-to manual for Hollywood-spy-capers (Hacker News).
Investigation into where WikiLeaks gets its material continues, as do deliberations about how to organize intelligence services to reduce the likelihood of such leaks. The US Government Accountability Office (GAO) said this week that its study of the matter has concluded that splitting NSA from US Cyber Command would make it less likely that offensive cyber tools would leak (Nextgov).
The ShadowBrokers have been relatively quiet this week. US investigators are still rumored to be looking for a "disgruntled" insider or former insider as the source of the Brokers' material (International Business Times).
Regulatory direct effects and side effects.
Among the effects of GDPR is expected to be increased attention to clarity about roles and responsibilities within enterprises (CSO). And, Brexit Schmexit: a UK data protection bill essentially incorporating all of GDPR is expected in September (Infosecurity Magazine).
DDoS: not the right way to exercise a right to be forgotten.
A Seattle man is in jail facing US Federal hacking charges. The FBI says the defendant, Kamyar Jahanrakhshan, undertook a distributed denial-of-service campaign against Leagle[dot]com in January 2015. He identified himself as "Anonymous" and told the legal services website he would shut them down if they didn't remove case citations concerning his prior criminal conduct (Ars Technica).
Patch news.
No one seems sad to see Adobe announce the 2020 retirement of Flash Player, but some gamers may feel a twinge of regret (Forbes). Microsoft fixed three Outlook vulnerabilities. Redmond also reissued some broken (now fixed) Office patches from June (Threatpost). Microsoft won't immediately patch the recently discovered SMBLoris vulnerability. The company regards it as a bug, not a security issue, and it will address it in an unspecified future update (Bleeping Computer). Cisco has fixed fifteen vulnerabilities, including an authentication bypass bug and a flaw that could result in a denial-of-service condition (Threatpost). IBM has patched cross-site scripting issued in Worklight and MobileFirst (Threatpost).
Industry notes.
Symantec has sold its web security business to DigiCert for a reported $950 million (CRN). Those interested in successful transition from government-funded science and technology to the market will take note of the Department of Homeland Security's S&T Directorate and its most recent Transition to Practice success story: start-up Deterministic Security has spun off the REnigma malicious software analysis program from the Johns Hopkins University's Applied Physics Laboratory (SIGNAL). GuardiCore announced that it's raised $15 million in a Series B round (eSecurity Planet). BlueteamGlobal launched Thursday, with a $125 million funding round (PRNewswire). McAfee, which Intel has sold to TPG Capital, is undergoing a round of layoffs (CRN).
