Timesdelhi.com

September 24, 2018
Category archive

cybercrime

Russian hackers slipped up in attempt to hack senator


Hackers that targeted a Democratic senator up for reelection this year may have left behind clues in their attack that further suggest Russian involvement.

The office of Claire McCaskill, a Missouri senator, was targeted in an apparent phishing attack from a fake Microsoft domain that the software giant later seized pursuant to a court order. The Daily Beast reported that a then-McCaskill staffer was the target of the attack, which was attributed to hackers linked to Russian intelligence — largely because the effort was similar to the phishing attack on Hillary Clinton’s campaign chair John Podesta, whose account was successfully breached and whose emails were shared with WikiLeaks.

Now, new research suggests that the phishing page used in the McCaskill attack contains language-specific code references that lend further credence to the claim that Russian hackers were involved.

When the hackers built the phishing page used to trick the McCaskill staffer, they scraped the code from a legitimate Microsoft login page that staff would use to log into their network. That code included a browser-generated link to the original web page that was scraped, the research said. That link had a language marker appended at the end, which varies depending on the country in which the user is located — such as “gb” for the UK, or “fr” for France.

In this case the language tag was “ru”, which researchers say shows that the code was likely scraped from a user in Russia.

Yonathan Klijnsma, threat researcher at RiskIQ, said that in many cases hackers won’t build a phishing page from scratch but will simply copy and save the page they’re trying to imitate. In doing so, any saved language tags embedded in the code “can be a crucial clue in connecting operators with their malicious campaigns.”

Klijnsma said these tags are often overlooked by the hackers. That resulted in a sloppy phishing page that was saved by RiskIQ’s vast internet crawling operation.
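The check described above can be run over any captured page. The following Python is an added example, not RiskIQ's tooling or code from the original article; the sample HTML, the example.com and example.net hosts, and the list of locale parameter names are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed query parameter names that often carry a locale (not from the article).
LOCALE_PARAMS = {"lang", "locale", "hl", "mkt", "ui_locales"}
# "ru", "ru-RU", "en_GB": two-letter language, optional region.
LOCALE_RE = re.compile(r"^[a-z]{2}(?:[-_][A-Za-z]{2})?$")
# Comment some browsers write at the top of a page saved to disk.
SAVED_FROM_RE = re.compile(r"saved from url=(?:\(\d+\))?(\S+)")

# Constructed sample of a copied login page; every host here is a placeholder.
SAMPLE_PAGE = """<!-- saved from url=(0059)https://login.example.com/signin?client_id=portal&mkt=ru-RU -->
<html lang="en">
<head><link rel="stylesheet" href="https://static.example.com/css/app.css"></head>
<body>
<form action="https://collector.example.net/post.php" method="post">
<a href="https://login.example.com/help/ru">Help</a>
</form></body></html>"""


def locale_markers(url):
    """Return locale markers found in a URL's query string or final path segment."""
    parts = urlsplit(url)
    found = [v for k, v in parse_qsl(parts.query)
             if k.lower() in LOCALE_PARAMS and LOCALE_RE.match(v)]
    # Heuristic: a trailing two-letter path segment is treated as a locale.
    # An analyst should review these hits, since short directory names also match.
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if LOCALE_RE.match(last):
        found.append(last)
    return found


class _ClueCollector(HTMLParser):
    """Walks the markup and records (source, language, url) for each marker."""

    def __init__(self):
        super().__init__()
        self.clues = []

    def _add(self, source, marker, url):
        language = re.split(r"[-_]", marker)[0].lower()
        self.clues.append((source, language, url))

    def handle_comment(self, data):
        match = SAVED_FROM_RE.search(data)
        if match:
            url = match.group(1)
            for marker in locale_markers(url):
                self._add("saved-from comment", marker, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "html" and name == "lang" and LOCALE_RE.match(value):
                self._add("<html lang>", value, "")
            elif name in ("href", "src", "action") and "://" in value:
                for marker in locale_markers(value):
                    self._add(f"<{tag} {name}>", marker, value)


def find_locale_clues(html):
    """Return every locale marker left in the page, in document order."""
    collector = _ClueCollector()
    collector.feed(html)
    return collector.clues


def unexpected_languages(clues, expected):
    """Languages present in the page that the impersonated audience would not use."""
    return sorted({lang for _, lang, _ in clues} - set(expected))


if __name__ == "__main__":
    clues = find_locale_clues(SAMPLE_PAGE)
    for source, lang, url in clues:
        print(f"{lang:>3}  {source:<20} {url}")
    print("unexpected:", unexpected_languages(clues, {"en"}))
```

A mismatch between the page's declared language and the markers left in copied links is a lead for an analyst to follow up, not attribution on its own.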

Although McCaskill, a vocal Russia critic, confirmed the “unsuccessful” attempted hack in a press release in July that she attributed to Russia, a spokesperson for McCaskill declined to comment further when reached Wednesday prior to publication.

In an additional twist, Klijnsma found that the same Russian hackers also targeted reporter Serhiy Drachuk, whose work has long been critical of the Russian regime. Code from the page that was used in the McCaskill phishing attempt contained leftover references to the journalist’s work email address, which was previously accessed by the hackers.

We reached out to Serhiy Drachuk for comment, but did not hear back by the time of writing.

It’s the latest in a long string of cyberattacks and phishing efforts to target US political institutions before and during the 2016 presidential election and later. Just this week, Democratic National Committee officials said they thwarted an attempt to access their voter database. It comes hot on the heels of Microsoft’s announcement that it prevented a Russian-backed advanced persistent threat group known as Fancy Bear (or APT28) from stealing data from political organizations.

News Source = techcrunch.com

What happens when hackers steal your SIM? You learn to keep your crypto offline


A year ago I felt a panic that still reverberates in me today. Hackers swapped my T-Mobile SIM card without my approval and methodically shut down access to most of my accounts and began reaching out to my Facebook friends asking to borrow crypto. Their social engineering tactics, to be clear, were laughable but they could have been catastrophic if my friends were less savvy.

Flash forward a year and the same thing happened to me again – my LTE coverage winked out at about 9pm and it appeared that my phone was disconnected from the network. Panicked, I rushed to my computer to try to salvage everything I could before more damage occurred. It was a false alarm but my pulse went up and I broke out in a cold sweat. I had dealt with this once before and didn’t want to deal with it again.

Sadly, I probably will. And you will, too. The SIM card swap hack is still alive and well and points to one and only one solution: keeping your crypto (and almost your entire life) offline.

Trust No Carrier

Stories about massive SIM-based hacks are all over. Most recently a crypto PR rep and investor, Michael Terpin, lost $24 million to hackers who swapped his AT&T SIM. Terpin is suing the carrier for $224 million. This move, which could set a frightening precedent for carriers, accuses AT&T of “fraud and gross negligence.”

From Krebs:

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

While we can wonder in disbelief at a crypto investor who keeps his cash in an online wallet secured by text message, how many other services do we use that depend on emails or text messages, two vectors easily hackable by SIM spoofing attacks? How many of us would be resistant to the techniques that nabbed Terpin?

Another crypto owner, Namek Zu’bi, lost access to his Coinbase account after hackers swapped his SIM, logged into his account, and changed his email while attempting direct debits to his bank account.

“When the hackers took over my account they attempted direct debits into the account. But because I blocked my bank accounts before they could it seems there are bank chargebacks on that account. So Coinbase is essentially telling me sorry you can’t recover your account and we can’t help you but if you do want to use the account you owe $3K in bank chargebacks,” he said.

Now Zu’bi is facing a different issue: Coinbase is accusing him of being $3,000 in arrears and will not give him access to his account because he cannot reply from the hacker’s email.

“I tried to work with coinbase hotline who is supposed to help with this but they were clueless even after I told them that the hacker changed email address on my original account and then created a new account with my email address. Since then I’ve been waiting for a ‘specialist’ to email me (was supposed to be 4 business days it’s been 8 days) and I’m still locked out of my account because Coinbase support can’t verify me,” he said.

It has been a frustrating ride.

“As an avid supporter and investor in crypto it baffles me how one of the market leaders who just supposedly launched institutional grade custody solutions can barely deal with a basic account take-over fraud,” Zu’bi said.

How do you protect yourself?

I’ve been using Trezor hardware wallets for a while, storing them in safe places outside of my home and maintaining a separate record of the seeds in another location. I have very little crypto but even for a fraction of a few BTC it just makes sense to practice safe storage. Ultimately, if you own crypto you are now your own bank. That you would trust anyone – including a fiat bank – to keep your digital currency safe is deeply delusional. Heck, I barely trust Trezor and they seem like the only solution for safe storage right now.

When I was first hacked I posted recommendations by crypto exchange Kraken. They are still applicable today:

Call your telco and:

  • Set a passcode/PIN on your account
    • Make sure it applies to ALL account changes
    • Make sure it applies to all numbers on the account
    • Ask them what happens if you forget the passcode
      • Ask them what happens if you lose that too
  • Institute a port freeze
  • Institute a SIM lock
  • Add a high-risk flag
  • Close your online web-based management account
  • Block future registration to online management system
  • Hack yo’ self
    • See what information they will leak
    • See what account changes you can make

They also recommend changing your telco email to something wildly inappropriate and using a burner phone or Google Voice number that is completely disconnected from your regular accounts as a sort of blind for your two factor texts and alerts.

Sadly, doing all of these things is quite difficult. Further, carriers don’t make it easy. In May a 27-year-old man named Paul Rosenzweig fell victim to a SIM-swapping hack even though he had SIM lock installed on his account. A rogue T-Mobile employee bypassed the security, resulting in the loss of a unique three character Twitter and Snapchat account.

Ultimately nothing is secure. The bottom line is simple: if you’re in crypto expect to be hacked and expect it to be painful and frustrating. What you do now – setting up real two-factor security, offloading your crypto onto physical hardware, making diligent backups, and protecting your keys – will make things far better for you in the long run. Ultimately, you don’t want to wake up one morning with your phone off and all of your crypto siphoned off into the pocket of a college kid like Joel Ortiz, a hacker who is now facing jail time for “13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.” Sadly, none of the crypto he stole has surfaced after his arrest.

News Source = techcrunch.com

Russian hackers already targeted a Missouri senator up for reelection in 2018


A Democratic senator seeking reelection this fall appears to be the first identifiable target of Russian hacking in the 2018 midterm race. In a new story on the Daily Beast, Andrew Desiderio and Kevin Poulsen reported that Democratic Missouri Senator Claire McCaskill was targeted in a campaign-related phishing attack. That clears up one unspecified target from last week’s statement by Microsoft’s Tom Burt that three midterm election candidates had been targeted by Russian phishing campaigns.

The report cites its own forensic research in determining the attacker is likely Fancy Bear, a hacking group believed to be affiliated with Russian military intelligence.

“We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” Burt said during the Aspen Security Forum. Microsoft removed the domain and noted that the attack was unsuccessful.

Sen. McCaskill confirmed in a press release that she was targeted by the attack, which appears to have taken place in August 2017:

Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable. While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.

TechCrunch has reached out to Sen. McCaskill’s office for additional details on the incident. McCaskill, a vocal Russia critic, will likely face Republican frontrunner and Trump pick Josh Hawley this fall.

News Source = techcrunch.com

Tall Poppy aims to make online harassment protection an employee benefit


For the nearly 20 percent of Americans who experience severe online harassment, there’s a new company launching in the latest batch of Y Combinator called Tall Poppy that’s giving them the tools to fight back.

Co-founded by Leigh Honeywell and Logan Dean, Tall Poppy grew out of the work that Honeywell, a security specialist, had been doing to hunt down trolls in online communities since at least 2008.

That was the year that Honeywell first went after a particularly noxious specimen who spent his time sending death threats to women in various Linux communities. Honeywell cooperated with law enforcement to try and track down the troll and eventually pushed the commenter into hiding after he was visited by investigators.

That early success led Honeywell to assume a not-so-secret identity as a security expert by day for companies like Microsoft, Salesforce, and Slack, and a defender against online harassment when she wasn’t at work.

“It was an accidental thing that I got into this work,” says Honeywell. “It’s sort of an occupational hazard of being an internet feminist.”

Honeywell started working one-on-one with victims of online harassment that would be referred to her directly.

“As people were coming forward with #metoo… I was working with a number of high profile folks to essentially batten down the hatches,” says Honeywell. “It’s been satisfying work helping people get back a sense of safety when they feel like they have lost it.”

As those referrals began to climb (eventually numbering in the low hundreds of cases), Honeywell began to think about ways to systematize her approach so it could reach the widest number of people possible.

“The reason we’re doing it that way is to help scale up,” says Honeywell. “As with everything in computer security it’s an arms race… As you learn to combat abuse the abusive people adopt technologies and learn new tactics and ways to get around it.”

Primarily, Tall Poppy will provide an educational toolkit to help people lock down their own presence and do incident response properly, says Honeywell. The company will work with customers to gain an understanding of how to protect themselves, but also to be aware of the laws in each state that they can use to protect themselves and punish their attackers.

The scope of the problem

Based on research conducted by the Pew Foundation, there are millions of people in the U.S. alone who could benefit from the type of service that Tall Poppy aims to provide.

According to a 2017 study, “nearly one-in-five Americans (18%) have been subjected to particularly severe forms of harassment online, such as physical threats, harassment over a sustained period, sexual harassment or stalking.”

The women and minorities that bear the brunt of these assaults (and, let’s be clear, it is primarily women and minorities who bear the brunt of these assaults), face very real consequences from these virtual assaults.

Take the case of the New York principal who lost her job when an ex-boyfriend sent stolen photographs of her to the New York Post and her boss. In a powerful piece for Jezebel she wrote about the consequences of her harassment.

As a result, city investigators escorted me out of my school pending an investigation. The subsequent investigation quickly showed that I was set up by my abuser. Still, Mayor Bill de Blasio’s administration demoted me from principal to teacher, slashed my pay in half, and sent me to a rubber room, the DOE’s notorious reassignment centers where hundreds of unwanted employees languish until they are fired or forgotten.

In 2016, I took a yearlong medical leave from the DOE to treat extreme post-traumatic stress and anxiety. Since the leave was almost entirely unpaid, I took loans against my pension to get by. I ran out of money in early 2017 and reported back to the department, where I was quickly sent to an administrative trial. There the city tried to terminate me. I was charged with eight counts of misconduct despite the conclusion by all parties that my ex-partner uploaded the photos to the computer and that there was no evidence to back up his salacious story. I was accused of bringing “widespread negative publicity, ridicule and notoriety” to the school system, as well as “failing to safeguard a Department of Education computer” from my abusive ex.

Her story isn’t unique. Victims regularly face serious consequences from online harassment.

According to a 2013 Science Daily study, cyber stalking victims routinely need to take time off from work, or change or quit their job or school. And the stalking costs the victims $1200 on average to even attempt to address the harassment, the study said.

“It’s this widespread problem and the platforms have in many ways dropped the ball on this,” Honeywell says.

Tall Poppy’s co-founders

Creating Tall Poppy

As Honeywell heard more and more stories of online intimidation and assault, she started laying the groundwork for the service that would eventually become Tall Poppy. Through a mutual friend she reached out to Dean, a talented coder who had been working at Ticketfly before its Eventbrite acquisition and was looking for a new opportunity.

That was in early 2015. But, afraid that striking out on her own would affect her citizenship status (Honeywell is Canadian), she and Dean waited before making the move to finally start the company.

What ultimately convinced them was the election of Donald Trump.

“After the election I had a heart-to-heart with myself… And I decided that I could move back to Canada, but I wanted to stay and fight,” Honeywell says.

Initially, Honeywell took on a year-long fellowship with the American Civil Liberties Union to pick up on work around privacy and security that had been handled by Chris Soghoian who had left to take a position with Senator Ron Wyden’s office.

But the idea for Tall Poppy remained, and once Honeywell received her green card, she was “chomping at the bit to start this company.”

A few months in, the company already has businesses that have signed up for the services and tools it provides to help companies protect their employees.

Some platforms have taken small steps against online harassment. Facebook, for instance, launched an initiative to get people to upload their nude pictures so that the social network can monitor when similar images are distributed online and contact a user to see if the distribution is consensual.

Meanwhile, Twitter has made a series of changes to its algorithm to combat online abuse.

“People were shocked and horrified that people were trying this,” Honeywell says. “[But] what is the way [harassers] can do the most damage? Sharing them to Facebook is one of the ways where they can do the most damage. It was a worthwhile experiment.”

To underscore how pervasive a problem online harassment is, out of the four companies where the company is doing business or could do business in the first month and a half there is already an issue that the company is addressing. 

“It is an important problem to work on,” says Honeywell. “My recurring realization is that the cavalry is not coming.”

News Source = techcrunch.com

Russian indictments show that the U.S. needs federal oversight of election security


President Trump’s Helsinki summit with Vladimir Putin, on the heels of twelve Russian intelligence officials indicted for hacking the 2016 election, made it clear that this administration has zero commitment to protect our elections from future Russian attacks.

These events should remind us of an alarming fact we can no longer afford to ignore: our elections are not secure.

As a nation, we underfund and neglect election security. So, much like our aging infrastructure, our election infrastructure is severely outdated and crumbling before our eyes.

Unfortunately, in today’s hyper-partisan environment, even concerns over election security are divided along party lines. Case in point: after his trip to Russia last week, Republican Senator Ron Johnson declared “It’s very difficult to really meddle in our elections. It just is.”

To effectively safeguard our elections, we need to consider yet another conservative taboo: the federal government should have more power in setting election security standards. Our current decentralized, disjointed state-based system is no longer adequate for protecting our elections against foreign interference in the 21st century.

TechCrunch/Bryce Durbin

Right now, the federal government plays a very limited role in the oversight of election security. The Election Assistance Commission and Department of Homeland Security offer optional resources and issue non-binding guidelines for best practices, and states are free to come up with their own standards as they please. The results, unsurprisingly, are abysmal.

In 2016, for example, over two-thirds of all counties in the U.S. used voting machines that were over a decade old. Many machines used outdated software and ran on absurdly old operating systems such as Windows 2000. Thirteen states still use machines that are completely electronic, which makes them prone to glitches, and with no paper trails, the results cannot be audited.

Many experts have pointed out that our current machines could be hacked in a matter of minutes. Recently, a 14 year-old participant at DefCon breached a voting machine in 90 minutes, and was able to change the vote tally in the machine remotely, from anywhere.

Besides the machines, there are other major vulnerabilities in many states’ election security standards that would make hacking our elections a breeze for the Russians. Our voter registration databases are outdated and prone to infiltration. Many states have no post-election auditing requirements at all, and those that do are often insufficient, severely undermining our ability to identify and correct an attack.

While federalizing election security has long been castigated as an infringement of state rights, politicians are beginning to acknowledge its necessity. Senator Ron Wyden, for instance, recently introduced The Protecting American Votes and Elections Act of 2018, which would require every state to use election machines with paper ballots and mandate risk-limiting post-election audits (the “gold standard” of election auditing).

As Wyden argues: “Americans don’t expect states, much less county officials, to fight America’s wars. The Russians have attacked our election infrastructure and leaving our defenses to states and local entities, in my view, is not an adequate response. Our country needs baseline, mandatory, federal election security standards.”


Rather than providing concrete solutions, this Republican Congress continues to pretend that all of our election security problems can be solved by tiny, poorly designed federal grant programs alone. In this year’s omnibus spending bill, a bipartisan compromise provided a meager, but much needed $380 million federal grant to states for strengthening election security ahead of the 2018 election. However, the effectiveness of this grant is questionable, given it was earmarked for broad purposes and allocated by a formula that is not competitive or need-based.

Worse still, since states are not required to spend the federal grant allocated to them, some states have not even applied to collect their shares. Several state governments are impeding the use of this grant through a combination of delayed action and inaction. For example, Florida’s Republican-led state legislature has refused to authorize their election officials to use the grant before the 2018 election, even when the state is in desperate need of more election security funding.

While inadequate funding is a serious concern that needs to be addressed — House Democrats estimated that we will need $1.4 billion over the next decade to bring our entire election system in line with best practices — increasing federal grants alone would not be enough to secure elections in every state. The Secure Elections Act, a bill currently with the most broad-based, bipartisan support, will provide much needed federal funding to make up for the current shortfall, but as with this year’s federal grant, there is no guarantee states would use the funding in a timely and effective fashion — or at all — given state participation will remain voluntary under this bill.

Our representative democracy cannot survive if we fail to preserve the fairness and integrity of our elections. While it’s too late to implement binding federal guidelines to secure the 2018 midterm, we should accept nothing less for the 2020 presidential election, as we can be certain the Russians will hack that election in order to help their preferred candidate, yet again.

Too many states have proven they are unwilling to take election security seriously. It’s time for the federal government to step in.

News Source = techcrunch.com
