Pete Recommends – Weekly highlights on cyber security issues, January 3, 2021

Subject: “Evil mobile emulator farms” used to steal millions from US and EU banks
Source: Ars Technica

Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days.The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices, as shown in the following image: Enlarge image from IBM Trusteer.

The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.

To bypass protections banks use to block such attacks, the crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases, the fraudsters gave the appearance that they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.

The researchers believe that bank accounts were compromised using either malware or phishing attacks. The IBM Trusteer report doesn’t explain how the crooks managed to steal SMS messages and device IDs. The banks were located in the US and Europe.

The operation raises the usual security advice about using strong passwords, learning how to spot phishing scams, and keeping devices free of malware. It would be nice if banks provided multi factor authentication through a medium other than SMS, but few financial institutions do. People should review their bank statements at least once a month to look for fraudulent transactions.

Subject: Zoom scam alert: Never click on this kind of invite
Source: Fast Company

Zoom phishing scams are the latest conduit for planting malware, designed to leave victims with stolen identities, destroyed credit histories, compromised passwords, and empty bank accounts.

The bait is decorated with the Zoom logo and sent via text, email, or social media message to say that your account has been suspended (but can be reactivated by clicking on the attached link), that you missed a meeting (but can click on the link to find out the details and schedule), or that Zoom is welcoming you (but you need to click on the link to activate your account), according to the Better Business Bureau. Of course, the link does none of those things and instead downloads malware to your computer or mobile device or takes you to login page where you need to enter your login and password, which lets the thieves gain access to other accounts with similar combinations.

According to the IT security company Check Point Software Technologies, 16,004 Zoom-related domains were registered between late April and today. Con artists are impersonating Microsoft Teams and Google Meet, too.

Getting a message from the videoconferencing platform makes sense when so much of socializing and business happens there every day. That’s the open door for phishing scams. Overall, phishing attacks have skyrocketed since the pandemic began. According to the Anti-Phishing Working Group, an international consortium of industry, government, and law enforcement, the number of phishing sites went from around 75,000 to an estimated 200,000 between March and September and unique email subjects jumped from less than 50,000 to about 125,000 in the same period.

“We recommend users report all phishing emails to the U.S. Anti-Phishing Working Group at [email protected].”

Subject: The SolarWinds Breach Reinforces Why Boards And Audit Committees Need More Tech Expertise
Source: Forbes

Audit questions

Major audit firms are asking the same questions and, accordingly, have further upped client IT controls scrutiny. Given this shift away from arcane accounting inspections, boards can no longer construct audit committees with only financial experts. They need to add tech leaders, with CIOs consulted regularly in oversight decisions and audit planning.

Without adequate compliance and control, no strategy can succeed. As supply chains in every industry rely more and more heavily on software, the SolarWinds hack shows that cyber risk can lurk in vendors’ inadequate controls. Even the most well-intentioned, non-tech independent directors are unlikely to be suitably prepared to address complex IT issues that are now central to operations, data security and audits.

Boards can no longer afford to take an approach that cybersecurity is not a problem until it’s a problem. PwC’s 2020 Annual Corporate Directors’ Survey found that two-thirds of respondents agreed that a cyber breach would reflect poorly on their board. Yet only 37% said they knew their company’s crisis management plan “very” well. Even fewer (32%) said they deeply understand cybersecurity.

Here are five meaningful actions that boards, audit committees and executives should take to best prepare and protect their enterprises…

Subject: Company Gives Workers a Painful Phishing Test
Source: Copper Courier via Newser

(Newser) – The timing was about right, and the sentiment seemed genuine. Hundreds of GoDaddy employees received an email on Dec. 14 saying, “2020 has been a record year for GoDaddy, thanks to you,” the Copper Courier of Arizona reports. “Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” Just click on the links below to provide a few details to ensure the bonus arrived quickly, the email said. The Scottsdale company did have record growth during this pandemic year, per Gizmodo, though it had layoffs. A small gesture might have seemed appropriate, but that was never the plan. Instead, about 500 workers were told two days later that they’d failed a phishing test. There were no bonuses….

The exercise inspired the Verge to create the Most Evil Company Email Of The Year Award and make GoDaddy the first winner. There’s no bonus with the honor.

Subject: DHS issues warning on risks of businesses using data services from China-association firms
Source: Homeland Preparedness News

The Department of Homeland Security issued a business advisory warning to American businesses about the risks of using data services and equipment from firms associated with China.This advisory cites the increasing risk of government-sponsored data theft due to newly enacted laws in China that can compel Chinese businesses and citizens to collect, transmit, and store data in ways that run counter to the U.S. and international law and policy. For example, the laws require companies to store data within Chinese borders and turn over routine data to the government under the pretense of national security. The advisory also highlights China’s history of manipulation, misuse, and exploitation of that data.

Subject: DHS Modernizes Critical Identification Requirements after Congress Passes REAL ID Modernization Act
Source: Homeland Security

Release Date: December 28, 2020 – As a result of extensive state, industry, and government collaboration, Congress has passed the bipartisan REAL ID Modernization Act. The Act modernizes REAL ID requirements originally set more than 15 years ago.

“This new law marks another important step toward meeting the 9/11 Commission’s recommendations to close dangerous vulnerabilities to terrorist travel and fraud,” said Acting Secretary of Homeland Security Chad F. Wolf. “With this authority, the Department can help states better streamline the identity document issuance process before the October 1, 2021 enforcement deadline.”

After DHS issues implementing regulations as necessary, states may:

  • Accept the identity and lawful status information from individuals using electronic transmission methods; and
  • Reuse existing photographs, under certain conditions, taken by states and used to issue applicants current driver’s license or identification card and stored as part of their official state record.

The Act also helps lay the groundwork for future REAL ID-compliant mobile/digital driver’s licenses to individuals holding a valid REAL ID compliant physical DL/ID. The Act also provides some immediate relief by allowing applicants to provide their social security number without having to bring in a separate document containing the social security number during the application process. Finally, to further publicize upcoming REAL ID requirements, aircraft operators and third-party reservation entities must begin notifying airline travelers of REAL ID enforcement starting 90 days before the enforcement deadline.

Subject: Top 5 ways to protect MFA codes
Source: TechRepublic SMS for multi-factor authentication is helpful, but not always secure or reliable. What if you lose your phone? Tom Merrittlists five additional ways to receive MFA codes, without SMS.Someone wrote in, after seeing my Top 5 about avoiding using SMS for multi-factor authentication, and asked, “Do you have any suggestions on how to protect myself from getting locked out of my accounts if my phone disappears or dies?” Great question. One advantage of SMS multi-factor authntication (MFA) is that when you get your phone number on a new phone all the factors will get texted to you there. That’s also how people can steal your second factor. Which is one reason you might not want to use SMS. What if you’re not using SMS and you lose your phone? Here are five ways to protect MFA codes if you lose your phone, without resorting to SMS.

Subject: How your digital trails wind up in the hands of the police
Source: WIRED via ARS Technica via beSpacific

Ars Technica – Phone calls. Web searches. Location tracks. Smart speaker requests. “…Data collected for one purpose can always be used for another. Search history data, for example, is collected to refine recommendation algorithms or build online profiles, not to catch criminals. Usually. Smart devices like speakers, TVs, and wearables keep such precise details of our lives that they’ve been used both as incriminating and exonerating evidence in murder cases. Speakers don’t have to overhear crimes or confessions to be useful to investigators. They keep time-stamped logs of all requests, alongside details of their location and identity. Investigators can access these logs and use them to verify a suspect’s whereabouts or even catch them in a lie. It isn’t just speakers or wearables. In a year where some in Big Tech pledged support for the activists demanding police reform, they still sold devices and furnished apps that allow government access to far more intimate data from far more people than traditional warrants and police methods would allow…”WIRED topics


Subject: She didn’t know her kidnapper. But he was using Google Maps — and that cracked the case.
Source: NBC News via Yahoo

Law enforcement authorities say geofence warrants are legal because Google users agree to have their location tracked. Both police and Google say they take steps in the geofence warrant process to protect people’s privacy, by first using anonymized data showing devices near a crime scene, and then getting more specific for devices that police believe belong to a suspect.

But the increasing use of geofence warrants has spurred pushback from defense attorneys, privacy advocates and some judges, who say such widely drawn dragnets are not necessary — and may violate people’s Fourth Amendment protections against unreasonable searches. The warrants could be used to track people going to church, an abortion clinic or political activities or protests — and mistakenly lead police to identify an innocent person as a suspect, the critics say.

This summer, a federal magistrate judge in Chicago rejected federal authorities’ requests for a geofence warrant in an investigation into stolen pharmaceutical drugs, citing the danger to “our collective sense of privacy and trust in law enforcement officials.”

In New York, state lawmakers have proposed a bill that would make it illegal for police to use geofence warrants.

Albert Fox Cahn, executive director of the New York-based Surveillance Technology Oversight Project, said that geofence warrants might sometimes solve a case, but at a steep cost. Some judges don’t even realize how many people’s information is scooped up in the searches, he said.

Subject: A Black man spent 10 days in jail after he was misidentified by facial recognition, a new lawsuit says
Source: Business Insider via Yahoo! News

  • A Black man is suing a New Jersey police department after he says he was misidentified by facial-recognition software and wrongly spent 10 days in jail.
  • The man, Nijeer Parks, said he had “never been” to the site of a shoplifting incident but was arrested after contacting the police to clear his name.
  • About a year after the incident, New Jersey’s attorney general, Gurbir Grewal, ordered the police to stop using facial-recognition technology.

According to NJ Advance Media, Parks fought the charges and ultimately got them dismissed. Parks’ attorney says the police and prosecutors pursued his client based only on evidence provided through facial-recognition technology.

The incident wouldn’t be the only case of mistaken identity via facial-recognition technology, which experts have said has a racial bias and can be less accurate with nonwhite skin tones.

In Parks’ lawsuit, his attorney reportedly accused the police of excessive force, false imprisonment, and cruel and unusual punishment and is seeking compensation for physical and emotional suffering.

Subject: Bill to help local governments thwart cyberthreats signed into law
Source: Homeland Preparedness News

A provision to encourage local governments to adopt the .gov domain for websites and email accounts was signed into law as a part of the year-end omnibus funding bill.The provision was originally introduced as the DOTGOV Online Trust in Government Act. It directs the Department of Homeland of Security (DHS) to provide resources and assistance to local governments to adopt .gov web addresses. The bill was introduced by Sens. Gary Peters (D-MI), Ron Johnson (R-WI), Amy Klobuchar (D-MN), and James Lankford (R-OK).

While federal and state government agencies typically use the .gov domain, it is not widely used for local government entities. This trusted domain increases resilience to hackers that target local government systems.

Specifically, the DOTGOV Online Trust in Government Act directs the Cybersecurity and Infrastructure Security Agency (CISA), a component of DHS, to work with local governments to help them transition to .gov domains. It also directs DHS to develop an outreach strategy and resources to help local government offices take advantage of .gov security features. Further, the changes are an allowable expense under the DHS Homeland Security Grant Program.

Subject: 11 healthcare malware, ransomware and phishing incidents in December
Source: Becker’s Health IT

Subject: CISA updates SolarWinds guidance, tells US govt agencies to update right away
Source: ZDNet

[h/t Sabrina] The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack. In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year.

Agencies that can’t update by that deadline are to take all Orion systems offline, per CISA’s original guidance, first issued on December 18. The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday.

Tracked as CVE-2020-10148, this vulnerability is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident. Orion update verified by the NSA.

Subject: The Most Dangerous People on the Internet in 2020
Source: WIRED via beSpacific
Wired: “For many of us, 2020 has been a very dangerous year. Alongside the usual headline grabbers like wars, violent crime, and terrorism, we also faced more insidious, creeping threats: a pandemic that has claimed more than 300,000 American lives, and the lives of 1.5 million people worldwide, thanks in part to waves of viral lies dismissing Covid-19’s deathly serious effects. Hackers who have spied on, attacked, and extorted countless companies and government institutions—including even hospitals—during a global health crisis. And a US president who has sought to fundamentally undermine both the response to the Covid-19 pandemic and democracy itself with nakedly self-serving, corrosive misinformation. In a locked-down and socially distanced year that for many of us was spent more online than off, the presence of those dangers on the internet has never felt more real. Digital threats and information warfare were, in 2020, some of the most harmful forces in our society. Every year, WIRED assembles a list of the most dangerous people on the internet. In some respects, the actions of this year’s candidates resemble those of years past, from destructive hacking to sowing disinformation. But in a year where human society seemed more fragile than ever, the consequences of those actions have never been more grave…”
Posted in: AI, Computer Security, Cybercrime, Cyberlaw, Cybersecurity, Disaster Planning, E-Government, Economy, Email Security, Financial System, Government Contracts, Healthcare, Privacy, Search Engines