Category Archives: Hacking

FBI warns of criminals escalating SIM swap attacks to steal millions

The Federal Bureau of Investigation (FBI) says criminals have escalated SIM swap attacks to steal millions by hijacking victims’ phone numbers.

The number of complaints received from the US public since 2018 and reported losses have increased almost fivefold, according to reports received by the FBI through the Internet Crime Complaint Center (IC3) in 2021.

FBI’s warning comes after the US Federal Communications Commission (FCC) announced in October that it started working on rules that would pull the brake on SIM swapping attacks.
The FCC’s move is the result of numerous complaints received from consumers regarding significant distress and financial harm as a result of SIM swapping attacks and port-out fraud.

SIM swapping attacks behind millions in losses

SIM swap fraud (also known as SIM hijacking, SIM jacking, or SIM splitting) is a type of account takeover (ATO) fraud that allows scammers to take control of their victims’ phone numbers.

The crooks do this by tricking phone service providers into swapping a target’s phone number to attacker-controlled SIM cards either by using social engineering or with the help of one or more bribed employees.

After the SIM is ported, the criminals will receive the victims’ calls and messages, making it very simple to bypass SMS-based MFA, steal credentials, and take control of their victims’ online service accounts.

The vast majority of SIM swappers are financially motivated and usually target their victims’ online banking and cryptocurrency exchange accounts to steal money and virtual assets, as well as lock the victims out of their accounts by changing the passwords.

The FBI also shared tips on Tuesday regarding how individuals can protect themselves and how mobile carriers can defend their customers from such attacks, as well as info on how to report SIM swapping incidents.

If you haven’t added an account security PIN to your mobile service account yet, now would be a great time to do that!

Stopping Cyberattacks

The key to stopping cyberattacks? Understanding your own systems before the hackers strike

Organisations struggle to monitor their networks because they often don’t know what’s there. And that allows hackers to sneak in under the radar.

Cyberattacks targeting critical national infrastructure and other organisations could be stopped before they have any impact if the teams responsible for the security had a better understanding of their own networks.

That might sound like obvious advice, but in many cases, cyber-criminal and nation-state hackers have broken into corporate networks and remained there for a long time without being detected.

Some of these campaigns involve intrusions into critical infrastructure where malicious hackers could do damage that could have serious consequences.

But hackers have only been able to get into such a strong position because those responsible for defending networks don’t always have a full grasp on what they’re managing.

“That’s what people often misunderstand about attacks – they don’t happen at the speed of light, it often takes months or years to get the right level of access in a network and ultimately to be able to push the trigger and cause a destructive act,” says Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike.

That means deep knowledge of your network and being able to detect any suspicious or unexpected behaviour can go a long way to detecting and stopping intrusions.

“Defence can work if you have time. If you’re looking inside your systems, hunting for adversaries and applying intelligence, you’re able to discover them even if they get in, before they do any damage,” Alperovitch adds.

Knowing what’s on the network has become even more crucial in recent years, as industrial environments have become increasingly connected with Internet of Things sensors and monitors.

The devices are useful to infrastructure providers because they allow better monitoring of systems for efficiency, maintenance and repair, but if not properly managed, they could be weak points for attackers to access the network.

“We need to be pro-actively testing,” says Annessa McKenzie, VP of IT and CSO at Calpine, an American power generation company.

“We need to grow more of that capability to go in with that confidence so that before there’s a breach, we at least have a basic understanding of this environment,” McKenzie explains. “Because when we go in completely blind, what should take days to respond takes weeks, sometimes months – and we never really understand what happened.”

Organisations should also try to think like hackers; by thinking about the network and how an attack could exploit it, security teams could uncover unexpected means that hackers could use to exploit the network.

“A lot of companies put in segmentation, monitoring, anti-virus – they’re not bad things – but I think too little focuses on what the attack is going to look like,” says Rob Lee, CEO and co-founder, Dragos, the industrial security provider that hosted the online discussion on securing critical infrastructure.

“Let’s work backwards. What kind of response do we want to have? Do we want to get the plant back up and running? Then we’re going to have to understand root cause analysis”.

By examining the network like this, Lee says, organisations responsible for industrial control systems can understand the requirements the network needs to ensure security – and by doing this, those responsible for critical infrastructure can help everyone by detailing what they find to the government.

“The ICS community has the ability to look at this backwards and educate the government on what that’s going to look like. That’s when the government can be impactful,” Lee adds.

With the right tools and expertise available, government intervention could help boost cybersecurity across critical infrastructure by providing an environment for organisations to share information about attacks and best practices for protecting networks.

“They could create a platform for companies to come together and exchange best practices and assistance and maybe even host some sort of joint public private response capability. That would help propel things along,” says Michael Chertoff, former United States Secretary of Homeland Security and co-founder and executive chairman of The Chertoff Group, a security and risk advisory firm.

He also suggests that liability for security shouldn’t just lie with infrastructure providers and other organisations, but the companies that build the specialist systems and connected parts used in these environments should also hold some responsibility if they’re found to be inherently insecure or vulnerable to cyberattacks.

“Right now, one of the arguments for manufacturers is ‘it isn’t our problem, we just give you the stuff, it’s on you’,” Chertoff says.

Through a combination of this and a good knowledge about what the network looks like, infrastructure and utilities providers in particular can go a long way to preventing themselves from falling foul of hacking campaigns and cyberattacks. But in many cases, there’s a long way to go before this is the case.

“The greatest advantage defenders have is if they know their environment better than an adversary – that’s not always true, unfortunately, if the right tools and capabilities aren’t in the organisation,” says Alperovitch.

“But if they do, that’s when they have the high ground and detect an adversary and eject them before any damage is done”.

BREAKING NEWS: A little birdy got itself hacked. And boy was it an epic doozie!

#Twitter is currently recovering from one of the biggest breaches I have ever seen.

Nearly every major verified account was compromised and perhaps much more.

The criminals tweeted a clever scam from the accounts of very wealthy people like Bill Gates, asking for $1000 in #Bitcoin (CrimeCoin) and promising to give you back double: $2000 for nothing.

Many fell for this “TOO GOOD TO BE TRUE” scam even though well… red flag 🚩 🤦‍♂️

What we know so far is it was an insider breach. An employee was either paid off to help the attackers or they were tricked.

Sadly this is a case where strong passwords and two factor authentication will not help.

This is a policy and best practices issue. Lack of detection and alerts… lack of EDR… lack of user risk policies… many fails.

The aftermath of this will be huge. Stay tuned for more.

#cybersecurity #founditdata #riskmanagement

Holiday Scams to Watch for This Season

The holidays are roaring down on us, and we’re all looking to get the best deals as we shop online and explore cyber sales. Here at DSA Technologies, we want to help you avoid that “Nightmare Before Christmas” that could arise from a stolen card number or hacked personal data as a result of online shopping. We’ve all heard it. If it seems too good to be true, it probably is. There are many websites that offer as much as 60, 70, even 80% off during this time of year. Don’t be the one that enters your payment information to capture a quick special and find out days, weeks, possibly even months later that you’ve been phished. How can you make sure you’re as safe as possible? As we get ready for Cyber Monday specials and online shopping throughout the month of December, there are several tips we can offer for businesses and individuals alike.

The golden rule? Be careful what you click on
Make sure the site you are entering your personal information into uses HTTPS. It’s important to see the “S” after HTTP, but that still does not mean you’re out of the woods. According to research from Venafi, the number of typosquatting domains (bait-and-switch lookalike URLs) is 400% greater than the number of authentic retail domains. That’s right, the bad guys are registering “fake” domains that look like the real domains of vendors like Facebook, PayPal, Amazon, and many others. Be careful what you type, and make sure you see the correct URL when you’re going to a website.
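The lookalike-domain check above can be automated. The following is an added example, not code from DSA Technologies or Venafi: it normalises common look-alike character swaps, measures how close each host label is to a short brand watchlist (the brands named above; a real watchlist is an assumption) and also reports whether the link uses HTTPS.

```python
"""Lookalike-domain check for a shortlist of brands (constructed example)."""
from urllib.parse import urlsplit

# Brands named on the page; in practice this comes from an organisation's own watchlist.
KNOWN_BRANDS = ("amazon", "facebook", "paypal")

# Constructed subset of the character substitutions seen in lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Undo common lookalike substitutions so 'paypa1' compares as 'paypal'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_label(label: str):
    """Return (brand, reason) when one DNS label resembles a brand name, else None."""
    low, norm = label.lower(), normalize(label)
    for brand in KNOWN_BRANDS:
        if norm == brand and low != brand:
            return brand, "homoglyph"        # paypa1 -> paypal
        if brand in norm and norm != brand:
            return brand, "combosquat"       # facebook-login, amazon-deals
        if norm != brand and edit_distance(norm, brand) == 1:
            return brand, "typo"             # amazom, paypall
    return None


def check_url(url: str) -> dict:
    """Flag a URL whose host looks like a brand without being that brand's own domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.rstrip(".").split(".")
    result = {"https": parts.scheme == "https", "host": host,
              "suspected_brand": None, "reason": None}
    if len(labels) < 2:
        return result
    # Assumption: plain name.tld domains; public-suffix handling (co.uk etc.) is out of scope.
    registrable, subdomains = labels[-2], labels[:-2]
    if registrable.lower() in KNOWN_BRANDS:
        return result                        # the brand's own registrable domain
    hit = classify_label(registrable)
    if hit is None:
        # www.paypal.com.example.net: the brand name is only a subdomain of some other domain.
        for sub in subdomains:
            if normalize(sub) in KNOWN_BRANDS:
                hit = (normalize(sub), "brand_in_subdomain")
                break
    if hit is not None:
        result["suspected_brand"], result["reason"] = hit
    return result


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "https://paypa1.com/login",
              "http://amazom.com/deal", "https://faceb00k-login.net",
              "https://www.paypal.com.secure-billing.net/"):
        print(u, check_url(u))
```

A hit is a reason to stop and check, not proof of fraud: in a real deployment an allowlist of the brand’s own legitimate domains goes in front of this check.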

Bogus Shipping Notices
Households receive a deluge of packages as the holidays get closer. A message from UPS, FedEx, or Amazon that notifies you that there is a missing or delayed package can be easily glanced over and taken for granted. Most of the time the message will include a link for easy access. Don’t click on this link. It may take you to a bogus website or, worse, download a virus directly onto your computer. If you are expecting a package, go to the vendor’s website by typing in the correct URL and track your package from there.

Phishing Emails
This is getting to be one of the most common scamming attempts. It is any email with a link designed to get you to enter your personal information. You might see that this is a letter from Santa or a prize that you’ve won, encouraging you to click on a gift card offer or discount. Remember this saying: “just don’t click!”

Phone Scams
Phone scammers figure most people are going to be home over the holidays, and they double their efforts during this time. The short story is, they are trying to get your personal information over the phone. They can pretend to be any number of vendors, bank tellers, computer repair advisors, or support technicians. The solution is pretty simple: don’t give personal information to any caller you didn’t initiate a conversation with.

Relatives in Distress
This tactic is commonly known as “Virtual Kidnapping Ransom Scam.” It can begin with a phone call saying your family member is being held captive or in trouble with the law in another country. The caller might allege that a child or grandchild has been kidnapped with someone screaming or yelling in the background. They will typically provide instructions to ensure a safe return of the family member. They will ask you for money and give you directions on who and where to wire the money. If this happens to you, take a deep breath and realize this could be a scam. Ask to talk to your family members being held, and if they don’t let you speak to them, ask them to identify your family members. Attempt to call or text your family members. To prepare for an event like this, have code words that can be used so you know it actually is a real event. Call your local law enforcement as soon as possible.

Fake Charities

Possibly one of the most unfortunate scams out there, fake charity requests can be heartbreaking. This may be a fake GoFundMe account for what you think is a good cause, a social media thread, or an email chain. They may be impersonating someone you know or a friend of a friend. They might impersonate a legitimate charity on the phone. If you receive a phone call, the best thing to do is tell the caller you will call them back. Wherever you see the request, be sure to look up the correct charity and call them to see if they contacted you, or have outreach campaigns in progress. It may take you a little more time, but remember, it’s better to be safe than sorry. We hope these simple tips can ensure your holiday stays merry and bright!

WiFi Finder app exposes 2 million network passwords!

“WiFi Finder” is a popular hotspot finder app used to locate free Wi-Fi spots nearby. Unfortunately, the company stored information such as the Wi-Fi network name, its exact geolocation, its basic service set identifier (BSSID) and the network password in a database with minimal security, all in plain text. While the app developer claims the app only stores passwords for public hotspots, a review of the data found countless home Wi-Fi networks as well.

The biggest threat to free Wi-Fi security is the ability for the hacker to position himself between you and the connection point. So instead of talking directly with the hotspot, you’re sending your information to the hacker, who then relays it on. While working in this setup, the hacker has access to every piece of information you’re sending out on the Internet: important emails, credit card information and even security credentials to your business network. Once the hacker has that information, he can — at his leisure — access your systems as if he were you.

Using free Wi-Fi in public locations is a major security risk; however, there may come a time when your only option is an unsecured, free, public Wi-Fi hotspot and your work simply cannot wait. If you must use public Wi-Fi, there are a few steps you should take to stay safe (well, as safe as possible, because ideally you shouldn’t use public Wi-Fi at all).

What to do:

  1. Use a Virtual Private Network (VPN).
  2. Disable file sharing on your device.
  3. Log out of accounts when you are done.
  4. Only visit sites using HTTPS.
  5. Disable Wi-Fi auto-connect.
  6. Turn off Wi-Fi (and Bluetooth) when not in use.
  7. Only access websites that do not hold sensitive or personally identifiable information (e.g. don’t do your banking while waiting for your flight).

While not all Wi-Fi is a security risk, without the right protection your personal information could become public information.

Citrix admits attackers breached its network

.@NakedSecurity: Citrix admits attackers breached its network – what we know – On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network. According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, since when it had established that attackers had taken “business documents” […]

Those are NOT your grandchildren! FTC warns of new scam

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the Federal Trade Commission (FTC) warned on Monday.

The FTC says that its Consumer Sentinel Network has noticed a “striking” increase in the median dollar amount that people 70 and older report losing to fraud. When they started to peel back the layers, the Commission found a number of stories that involve people of that age group having mailed “huge” amounts of cash to people who pretended to be their grandchildren.

People from all age groups report having fallen for phoney family and friends: the reported median loss for individuals is about $2,000, which is more than four times the median loss of $462 reported for all fraud types.

But that’s nothing compared with how much money is being bled out of the elderly: those who send cash reported median losses of a whopping $9,000. About one in four of the ripped-off elderly who report that they lost money to a family or friend imposter say that they sent cash: a far higher rate than the 1 in 25 of people who sent cash for all other frauds.

CBS News talked to one man who got scammed in a way that the FTC says is a common ploy.

Slick scripts

It started with a phone call one morning in April, Franc Stratton told the station. The caller pretended to be a public defender from Austin, Texas, who was calling to tell Stratton that his grandson had been in a car wreck, had been driving under the influence, and was now in jail.

Don’t be afraid, the imposter told Stratton: you can bail out your grandson by sending $8,500 in cash via FedEx. It didn’t raise flags for a good reason: Stratton had done exactly that for another family member in the past.

The cherry on top: the “attorney” briefly put Stratton’s “grandson” on the phone. The fake kid sounded injured, so Stratton drove to the bank to get the cash.

Stratton went so far as to go to a local FedEx to overnight the money to an Austin address. But later that night, he said, he and his wife looked at each other and said, Scam!

Fortunately, they came to their senses in time to call FedEx to have the package returned. He got his money back, but Stratton is still frustrated. Of all people, he should know better, he says: he’s retired now, after a career spent working in intelligence, first for the Air Force and later as a cybersecurity programmer.

That’s how slick the scammers are, with their meticulously prepared scripts, and it shows that they know exactly how to put people into a panicked state, where they’re likely to make bad decisions. Stratton said he fell for it “because of the way that they scripted it.”

I’m the last person, I thought, would ever fall for a scam like this.

The FTC says that Americans have lost $41 million in the scam this year: nearly twice as much as the $26 million lost the year before.

Self-defense for grandparents

These scams are growing more sophisticated as fraudsters do their homework, looking you and/or your grandkids up on social media to lace their scripts with personal details that make them all the more convincing.

Grandparents, no matter how savvy you are, you’ve got an Achilles heel: your love for your grandchildren. The fakers know exactly how to milk that for all it’s worth.

The FTC warns that they’ll pressure you into sending money before you’ve had time to think it through. The Commission offers this advice to keep the shysters from wringing your heart and your wallet:

  • Stop. Breathe. Check it out before you send a dime. Look up your grandkid’s phone number yourself, or call another family member.
  • Don’t overshare. Whatever you share publicly on social media becomes a weapon in the arsenals of scammers. The more personal details they know about you, the more convincing they can sound. It’s one of many reasons to be careful about what you share on social media.
  • Pass the information on to a friend. Even if you haven’t been targeted yourself, you probably know somebody who’s either already gotten a call like this or who will.
  • Report it. The FTC asks us all to please report these scams. US residents can do so online to the FTC. If you’re in the UK, report scams to ActionFraud.

Please report these scams. Doing so helps the authorities nail these imposters before they can victimize others.

Employees Actively Seeking Ways to Bypass Corporate Security Protocols in 95 % of Enterprises

In today’s world, cyber incidents such as data theft, insider threats and malware attacks are significant security risks, and many of them are caused by a company’s own employees, whether intentionally or unknowingly. Around 95% of the threats and activities observed involve insiders with access to corporate endpoints, data, and applications.

Among the most alarming discoveries from these security assessments was that 95 percent of them revealed employees actively researching, installing or executing security or vulnerability testing tools in attempts to bypass corporate security.

Employees frequently use anonymity tools such as Tor and VPNs to hide who is trying to break corporate security.

Christy Wyatt, CEO at Dtex Systems, said, “Some of the year’s largest reported breaches are a direct result of malicious insiders or insider negligence.”

People are the weakest security link

A survey reported by Dtex Systems last year found that 60 percent of all attacks are carried out by insiders: 68 percent of all insider breaches are due to negligence, 22 percent come from malicious insiders and 10 percent are related to credential theft. The current trend also shows that the first and last two weeks of employment are critical, as 56 percent of organizations saw potential data theft from leaving or joining employees during those times.

Increased use of cloud services puts data at risk

64 percent of enterprises assessed found corporate information on the web that was publicly accessible, due in part to the increase in cloud applications and services.

To make matters worse, 87 percent of employees were using personal, web-based email on company devices. By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.

Inappropriate internet usage is driving risk

59 percent of organizations analyzed experienced instances of employees accessing pornographic websites during the work day.

43 percent had users who were engaged in online gambling activities over corporate networks, which included playing the lottery and using Bitcoin to bet on sporting events.

This type of user behavior is indicative of overall negligence and high-risk activities taking place.

Dtex Systems analyzed and prepared these risk assessments from 60 enterprises across North America, Europe and Asia with the industries like IT, Finance, Public Sector, Manufacturing, Pharmaceuticals and Media & Entertainment.

Please consider your cybersecurity posture when it comes to your employees; again, people are the leading cause of “risk”.

Vulnerable ship systems: Many left exposed to criminal hacking

Pen Test Partners’ Ken Munro and his colleagues – some of whom are former ship crew members who really understand bridge and propulsion systems – have been probing the security of ships’ IT systems for a while now and the results are depressing: satcom terminals exposed on the Internet, admin interfaces accessible via insecure protocols, no firmware signing, easy-to-guess default credentials, and so on.

“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” Pen Test Partners’ Ken Munro says, and points out that the advent of always-on satellite connections has exposed shipping to hacking attacks.

A lack of security hygiene

Potential attackers can take advantage of poor security hygiene on board, but also of the poor security of protocols and systems provided by maritime product vendors.

For example, the operational technology (OT) systems that are used to control the steering gear, engines, ballast pumps and so on, communicate using NMEA 0183 messages. But there is no message authentication, encryption or validation of these messages, and they are in plain text.

“All we need to do is man in the middle and modify the data. This isn’t GPS spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course,” Munro says.
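To see why the NMEA 0183 point matters, here is an added example (not Pen Test Partners’ code): the only integrity field in an NMEA sentence is an XOR checksum, which protects against line noise and nothing else, so a receiver needs its own plausibility checks. The block verifies checksums, parses GPRMC fixes and flags any fix whose implied speed from the previous fix exceeds the vessel’s envelope; the 30-knot limit and the sample feed are constructed assumptions.

```python
"""Checksum and plausibility checks for NMEA 0183 position sentences (constructed example).

The NMEA checksum is the XOR of every byte between '$' and '*'. It is not a MAC: whoever
can rewrite the sentence can recompute it, so it provides integrity against noise only.
"""
import math
from functools import reduce


def nmea_checksum(body: str) -> int:
    """XOR of every byte between the leading '$' and the '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def append_checksum(body: str) -> str:
    """Build a well-formed sentence from its body (used here to construct sample fixes)."""
    return f"${body}*{nmea_checksum(body):02X}"


def verify_checksum(sentence: str) -> bool:
    """True if the trailing *hh matches the XOR of the body."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    try:
        return nmea_checksum(body) == int(given[:2], 16)
    except ValueError:
        return False


def _to_degrees(field: str, hemi: str, deg_digits: int) -> float:
    """Convert ddmm.mmm / dddmm.mmm plus hemisphere into signed decimal degrees."""
    value = int(field[:deg_digits]) + float(field[deg_digits:]) / 60.0
    return -value if hemi in ("S", "W") else value


def parse_rmc(sentence: str):
    """Return (seconds_of_day, lat, lon) from a valid GPRMC sentence, else None."""
    if not verify_checksum(sentence):
        return None
    fields = sentence[1:].partition("*")[0].split(",")
    if fields[0][2:] != "RMC" or fields[2] != "A":   # 'A' = receiver says data valid
        return None
    hhmmss = fields[1]
    secs = int(hhmmss[:2]) * 3600 + int(hhmmss[2:4]) * 60 + float(hhmmss[4:])
    return secs, _to_degrees(fields[3], fields[4], 2), _to_degrees(fields[5], fields[6], 3)


def distance_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in nautical miles (haversine, Earth radius 3440.065 NM)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))


def implausible_fixes(sentences, max_speed_knots):
    """Indexes of fixes that fail the checksum or imply a speed above the vessel's limit.

    This catches sudden jumps. A slow drift that stays inside the speed envelope (the
    attack described on the page) passes here and needs an independent reference to spot.
    """
    flagged, prev = [], None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            flagged.append(i)
            continue
        if prev is not None:
            dt = fix[0] - prev[0]
            if dt <= 0:
                flagged.append(i)                  # time went backwards or repeated
            else:
                knots = distance_nm(prev[1], prev[2], fix[1], fix[2]) / (dt / 3600.0)
                if knots > max_speed_knots:
                    flagged.append(i)
        prev = fix
    return flagged


# Widely used GPRMC example sentence: 48°07.038'N, 011°31.000'E at 12:35:19 UTC.
SAMPLE = "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A"

# Constructed feed: the sample, a half-mile jump one second later, then a 0.001' nudge.
FEED = [
    SAMPLE,
    append_checksum("GPRMC,123520,A,4807.538,N,01131.000,E,022.4,084.4,230394,003.1,W"),
    append_checksum("GPRMC,123521,A,4807.539,N,01131.000,E,022.4,084.4,230394,003.1,W"),
]

if __name__ == "__main__":
    tampered = SAMPLE.replace("4807.038", "4807.039")        # body edited, old checksum kept
    print(verify_checksum(SAMPLE), verify_checksum(tampered))  # True False
    print(implausible_fixes(FEED, max_speed_knots=30))         # [1]: the jump, not the nudge
```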

They found other examples of poor security practices in a satellite communication terminal by Cobham SATCOM: things like admin interfaces accessible over telnet and HTTP, a lack of firmware signing and no rollback protection for the firmware, admin interface passwords embedded in the configuration (and hashed with unsalted MD5!), and the possibility to edit the entire web application running on the terminal.

They shared this with the public because all these flaws can be mitigated by setting a strong admin password, but they also found other issues that have to be fixed by the vendor (and so they disclosed them privately).

Electronic chart systems are full of flaws

ECDIS – electronic chart systems that are used for navigation – are also full of security flaws. They tested over 20 different ECDIS units and found things like old operating systems and poorly protected configuration interfaces. Attackers could ‘jump’ the boat by spoofing the position of the GPS receiver on the ship, or reconfigure the ECDIS to make the ship appear to be wider and longer than it is.

“This doesn’t sound bad, until you appreciate that the ECDIS often feeds the AIS [Automatic Identification System] transceiver – that’s the system that ships use to avoid colliding with each other,” Munro noted.

“It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain.”

Tracking vulnerable ships

Pen Test Partners also created a vulnerable ship tracker by combining Shodan’s ship tracker, which uses publicly available AIS data, and satcom terminal version details.

The tracker does not show other details except the ship’s name and real-time position because they don’t want to help hackers, but it shows just how many vulnerable ships are out there.

Hacking incidents in the shipping industry

Hacking incidents affecting firms in the shipping industry are more frequent than the general public could guess by perusing the news. Understandably, the companies are eager to keep them on the down-low, if they can, as they could negatively affect their business competitiveness, Munro recently told me.

Some attacks can’t be concealed, though. For example, when A.P. Møller-Mærsk fell victim to the NotPetya malware, operations got disrupted and estimated losses reached several hundred millions of dollars.

That particular attack thankfully did not result in the company losing control of its vessels, but future attacks might lead to shipping security incidents and be more disruptive to that aspect of companies’ activities.

“Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur,” he concluded.

Hack of DNA Website Exposes Data From 92 Million Accounts

Consumer genealogy website MyHeritage said that email addresses and password information linked to more than 92 million user accounts have been compromised in an apparent hacking incident.
MyHeritage said that its security officer had received a message from a researcher who unearthed a file named “myheritage” containing email addresses and encrypted passwords of 92,283,889 of its users on a private server outside the company.
“There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday.

MyHeritage lets users build family trees, search historical records and hunt for potential relatives. Founded in Israel in 2003, the site launched a service called MyHeritage DNA in 2016 that, like competitors Ancestry.com and 23andMe, lets users send in a saliva sample for genetic analysis. The website currently has 96 million users; 1.4 million users have taken the DNA test.

According to MyHeritage, the breach took place on Oct. 26, 2017, and affects users who signed up for an account through that date. The company said that it doesn’t store actual user passwords, but instead passwords encrypted with what’s called a one-way hash, with a different key required to access each customer’s data. So we ask: why did it take so long to declare a breach?

In some past breaches, however, hashed passwords have been successfully cracked and turned back into passwords. A hacker able to crack the hashed passwords exposed in the breach could access personal information visible when logging into someone’s account, such as the identity of family members. But even if hackers were able to get into a customer’s account, it’s unlikely they could easily access raw genetic information, since a step in the download process includes email confirmation.
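The difference between the unsalted MD5 found on the Cobham satcom terminal earlier on this page and the per-customer one-way hashing MyHeritage describes comes down to salt and work factor. The following added example (not code from either vendor; PBKDF2-HMAC-SHA256 and the iteration count are assumptions) shows that two users with the same password produce identical unsalted MD5 values, which a precomputed table recovers at once, while salted, iterated hashes differ per user and cannot be looked up.

```python
"""Unsalted MD5 versus per-user salted, iterated password hashing (constructed example)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumption for the example: PBKDF2-HMAC-SHA256 with an illustrative iteration count.
ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The scheme the page describes for the satcom terminal's admin password."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user random salt plus a slow KDF; the salt is stored beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def lookup_table(wordlist) -> dict:
    """Precomputed hash->word table: works on unsalted hashes, useless once salted."""
    return {md5_unsalted(w): w for w in wordlist}


# Constructed sample data: two users who chose the same weak password.
WORDLIST = ["admin", "password", "letmein"]
USERS = {"alice": "letmein", "bob": "letmein"}


def demo() -> dict:
    md5s = {u: md5_unsalted(p) for u, p in USERS.items()}
    records = {u: make_record(p) for u, p in USERS.items()}
    table = lookup_table(WORDLIST)
    return {
        "same_md5": md5s["alice"] == md5s["bob"],            # one crack exposes both
        "same_salted": records["alice"]["hash"] == records["bob"]["hash"],
        "md5_recovered": table.get(md5s["alice"]),           # instant table lookup
        "salted_in_table": records["alice"]["hash"] in table,
        "verify_ok": verify("letmein", records["alice"]),
        "verify_wrong": verify("admin", records["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```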
In its statement, the company emphasized that DNA data is stored “on segregated systems and are separate from those that store the email addresses, and they include added layers of security.”

MyHeritage has set up a 24/7 support team to assist customers affected by the breach. It plans to hire an independent cybersecurity firm to investigate the incident and potentially beef up security. In the meantime, users are advised to change their passwords.

Why would hackers (criminals) want to steal DNA data and then sell it back for ransom? They could threaten to revoke access or post the sensitive information online if not paid. The data could also be very valuable to insurance companies (medical and life) and mortgage companies, and then you ask why: in a world where data is posted online, it could be used to genetically discriminate against people, for example by denying mortgages or increasing insurance costs. (It doesn’t help that interpreting genetics is complicated and many people don’t understand the probabilities anyway.) This data could be sold on the down-low or monetized to insurance companies. You can imagine the consequences: one day, I might apply for a long-term loan and get rejected because deep in the corporate system there is data saying I am very likely to get Alzheimer’s and die before I would repay the loan. In the future, if genetic data becomes commonplace enough, people might be able to pay a fee and get access to someone’s genetic data, the way we can now access someone’s criminal background.

Case in point: Sacramento investigators tracked down East Area Rapist suspect Joseph James DeAngelo using genealogical websites that contained genetic information from a relative, the Sacramento County District Attorney’s Office confirmed Thursday.

The effort was part of a painstaking process that began by using DNA from one of the crime scenes from years ago and comparing it to genetic profiles available online through various websites that cater to individuals wanting to know more about their family backgrounds by accepting DNA samples, said Chief Deputy District Attorney Steve Grippi.