Botched Crypto Mugging Lands Three U.K. Men in Jail

Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence in order to settle scores and disputes with their rivals.

Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.

“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the Lincolnshire Police. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”

Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24, were all charged with possession of the weapons, and “with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”

KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.

Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.

“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”

The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.

Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.

“They had a list of people they wanted to hit consecutively as far as I know,” he said.

The foiled robbery is the latest example of how members of certain hacking communities are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.

Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.

Prosecutors say Patrick McGovern-Allen recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.

The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. Joseph James O’Connor, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.

Robert Lewis Barr, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017 while living with his mom, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.

In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.

Deadly Digital Dares: The Blackout Challenge on TikTok

The social network TikTok is chock-full of interesting, fun, laugh-out-loud videos shared by creators worldwide. Kids, as well as parents, can easily spend hours glued to the platform. But as with most popular platforms, the fun can eventually turn dark, even deadly, when viral challenges make their rounds.

The latest viral challenge, the “blackout challenge,” first became popular online in 2008 and made its unfortunate comeback in 2021. Before this second round, the CDC attributed nearly 80 deaths to the dangerous online game. In the past month, authorities have attributed the tragic, high-profile deaths of Archie Battersbee, 12, and Leon Brown, 14, to the challenge.

What is it? 

The blackout challenge is a choking game that involves intentionally trying to choke oneself or another to obtain a brief euphoric state or “high.” Death or serious injury can result if strangulation is prolonged. Those doing the challenge do it privately or broadcast their attempt to friends or followers. The CDC also found that most deaths occurred when a child engaged in the choking game alone and that most parents were unaware of the game before their child’s death.

What’s the appeal? 

It’s easy to look at a challenge like this and dismiss it thinking your child would never be involved in such a dangerous game. However, in a recent post from HealthyChildren.org on why kids participate in online dares, pediatricians point to the reality that the teen brain is still developing. The part of the brain that processes rational thought, the prefrontal cortex, is not fully developed until a person’s mid-20s. This physiological reality means teens are naturally impulsive and can do things without stopping to consider the consequences.  

Another lure that entices teens is that social media’s fast-moving, impulsive environment rewards outrageous behavior: the more outrageous the content, the bigger the bragging rights. The fear of missing out (FOMO) is natural for teens.

Signs to look for 

According to the CDC, signs that a child may be engaging in the blackout challenge include: 

They may talk about the game or use alternate terms such as “pass-out game,” “choking game,” or “space monkey.”
They may have bloodshot eyes 
You may see marks on their neck 
They might have severe headaches 
They could show signs of disorientation after spending time alone 
You might notice the presence of ropes, scarves, or belts tied to furniture or doorknobs 
They may have unexplained items like dog leashes, choke collars, or bungee cords in their room. 

5 talking points for families

Dig in and discuss hard stuff. Set time aside to talk about the viral challenges your child may or may not notice online. Discuss the dangers, the physiology of being impulsive, and how social network communities inherently reward reckless behavior with likes and shares.  
Make the consequences personal. Do your homework. Pull up the relevant headlines and discuss the implications of the blackout challenge (and others), such as lack of oxygen to the brain, seizures, long-term complications, and death.  
Talk about digital peer pressure. Coach your kids through the dangers they encounter online they may take for granted. Ask them how they feel when they see someone doing dangerous things online and ways to avoid or discourage it. Are your kids rallying around the challenges or sharing the content? Do they try to be funny to get attention online?  
Establish ground rules. As tragic as these challenges are, they allow parents to pause and refresh family ground rules for online behavior and media use. Your kids have changed over time, as have their online communities, and interests. Design ground rules and media use expectations to help shape a safe, balanced digital life that reflects their current online activity. 
Add extra protection. Just as we add security systems to our homes for additional protection from outside threats, it’s wise to add security to our family devices to encourage content filtering, monitoring, and time limits.

Viral challenges will continue to emerge and shock us. There’s no way to anticipate them or control them. However, staying informed about dangerous online trends and keeping the lines of communication with your child open and honest is a big step toward equipping them to live a safe, balanced digital life.  

The post Deadly Digital Dares: The Blackout Challenge on TikTok appeared first on McAfee Blog.

Massive Data Breach at Uber

It’s big:

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

It looks like a pretty basic phishing attack; someone gave the hacker their login credentials. And because Uber has lousy internal security, lots of people have access to everything. So once a hacker gains a foothold, they have access to everything.

This is the same thing that Mudge accuses Twitter of: too many employees have broad access within the company’s network.

More details. Slashdot thread.

Uber responding to “cybersecurity incident” following reports of significant data breach

Ride-hailing giant Uber has confirmed that it is responding to a cybersecurity incident as reports emerge that the firm has suffered a significant network data breach forcing it to shut down several internal communications and engineering systems.

Attacker announces Uber breach through compromised Slack account

In a statement on Twitter, Uber wrote “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” While details from the company were sparse at the time of writing, a report by the New York Times on Thursday claimed that a hacker was able to compromise an employee’s Slack account and used it to send a message to Uber employees announcing that the company had suffered a data breach.

Cybersecurity Snapshot: 6 Things That Matter Right Now

Topics that are top of mind for the week ending Sept. 16 | How cybersecurity excellence boosts business | CISOs on a vendor-consolidation campaign | A quick check on converged OT/IT cybersecurity | Guides to help developers beef up on security | And much more!

1. Top-notch cybersecurity yields business gains

Companies that excel at cybersecurity, consumer data protection and AI-based services enjoy stronger customer loyalty and generate higher revenue and profits.

That’s a key finding from a global survey on digital trust of more than 1,300 business leaders and 3,000 consumers conducted by management consulting firm McKinsey & Co.

(Source: McKinsey Global Survey on Digital Trust, Sept. 2022)

So how can a company earn a reputation for being digitally trustworthy and ethical, and for having outstanding data-protection practices?

Here are recommendations for joining the exclusive club of digital-trust leaders:

Set goals for digital-risk management, such as:

Improving operational performance via use of the most accurate AI models
Gaining a competitive edge through fast recovery from industry disruptions
Complying with regulations

Actively mitigate digital risks in areas like:

Cloud migration and configuration
Data retention, privacy and quality
AI modeling and transparency
Cybersecurity

Adopt best practices for data privacy, AI ethics and cybersecurity, including:

Have data-storage and data-access policies
Assess privacy risks when using external data
Outline clear standards for AI risk
Establish consistent processes to identify failures of AI models
Use automated cybersecurity tools to boost prevention, response and efficiency
Integrate security considerations when designing new technology

For more information, read the McKinsey & Co. article “Why digital trust truly matters” and view the accompanying infographic “Consumers value digital trust.”

2. Guides to help developers with cybersecurity

As security shifts left in the software development lifecycle, developers have become responsible for security tasks, checks and tests that traditionally fell outside their scope of work. As a result, many developers need security training and education. 

Hot off the press come a pair of guides from the Open Source Security Foundation (OpenSSF) aimed at helping developers sharpen their security knowledge. Here’s a sampling of tips from each guide:

Concise Guide for Developing More Secure Software

To prevent attackers from hijacking developer accounts – including those with commit or accept privileges – require them to use multifactor authentication (MFA) tokens. 
Take advantage of free courses about secure software development. 
Use a combination of tools in your CI (continuous integration) pipeline for vulnerability detection. 
Before selecting software as a direct dependency, evaluate it, only add it if needed and make sure you retrieve it from the correct repository.
Use package managers to automatically manage dependencies and enable rapid updates.

Concise Guide for Evaluating Open Source Software

Consider if you really need to add a new open source (OSS) dependency or if you can instead use an existing one.
Ensure you’re evaluating the right version of the OSS component and not a fork created by an attacker.
Check if the software is being actively maintained. If not, it’s likely to contain security issues.
Investigate whether the software component was created using secure coding best practices.
Find out if the software project provides instructions for reporting and disclosing vulnerabilities. 

For more information:

OpenSSF director warns over secure development (The Stack)
Can ‘shift left’ in DevOps pipelines go too far? (TechTarget)
How Security Leaders Can Become Dev and Ops Whisperers (Tenable)
How to Boost Shift-Left Security in the SDLC (DarkReading)
Shift left: Still a work in progress (Tenable)

3. A quick poll on converged IT/OT security

The cybersecurity of converged IT and OT systems used by critical infrastructure providers is very much in the spotlight, so we asked attendees at a recent Tenable webinar a couple of questions about this topic. Check out the responses to our admittedly unscientific poll.

For more information, check out these Tenable resources:

IT/OT Convergence: Now Is the Time to Act (blog)
Securing Critical Infrastructure: What We’ve Learned from Recent Incidents (blog)
How Can We Strengthen the Cybersecurity of Critical Infrastructure? (blog)
The State of OT Security, a Year Since Colonial Pipeline (podcast)
What is operational technology? (FAQ)
The Many Faces of OT Security (webinar)

4. Survey: CISOs firmly in the business inner circle

After raising their profile by helping their organizations deal with pandemic challenges, such as securing remote work, CISOs have retained their prominence and influence among CxOs and board members.

So says ClubCISO, a non-commercial group of about 600 cybersecurity leaders, in its annual “Information Security Maturity Report,” which was just released.

“CISOs are now being seen not just as a valuable asset, but as a business driver and solver of challenges,” wrote Stephen Khan, chairman of the ClubCISO Advisory Board.

Other good news for CISOs and their cybersecurity teams:

Half of CISOs surveyed report their organizations now have a “no blame policy,” up from 27% in 2021 – meaning that cyber incidents are viewed as an organizational problem, not as the exclusive fault of security leaders.
Two thirds of respondents reported that their budgets increased in 2022, with one-fifth saying it grew 50% or more compared with last year.
The percentage of respondents reporting that “no material cyber incident occurred” rose to 54% from 28% in 2021.
Faced with a tough recruitment environment, CISOs are casting a wider net to find good candidates outside of the traditional IT and cybersecurity fields, as this graphic shows:

(Source: “Information Security Maturity Report 2022” from ClubCISO, Sept. 2022)

And here are some not-so-encouraging findings:

75% of respondents believe industry challenges remain daunting, and are compounded by insufficient staff and the fast pace of business change.
Cloud security maturity continues to be a tough nut to crack.
Stress remains a problem for CISOs and their teams – only 11% of respondents believe their organizations are taking effective actions to combat stress.

For more information:

Here are what CISOs named as their 20 critical priorities for 2022 (SC Media)
CISOs say stress and burnout are their top personal risks (CNBC)
CXO of the Week: Robert Huber, Chief Security Officer, Tenable (CIOL)
The evolving CISO role: What success looks like (Korn Ferry)

5. Gartner: Sharp increase in organizations pursuing security vendor consolidation

Further proof that CISOs want to decrease the number of security vendors their organizations do business with comes from Gartner.

The percentage of organizations seeking to consolidate their security vendors has increased from 29% in 2020 to 75% this year, according to a Gartner press release that cites results from a recent survey.

“Security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack,” said John Watts, VP Analyst at Gartner. “As a result, they are consolidating the number of security vendors they use.”

The survey, which was conducted online during March and April 2022 among 418 respondents from North America, Asia Pacific and EMEA, found that already 57% of organizations are working with fewer than 10 vendors for their security needs. 

The main drivers of vendor consolidation efforts are a desire to reduce complexity and to improve risk posture – not to reduce spending nor improve procurement, according to Gartner.

For more information:

Most enterprises looking to consolidate security vendors (CSO Magazine)
Security leaders are increasingly consolidating vendors, says Gartner (ITWorld Canada)
Analyst: CISOs shifting from ‘best of breed’ products to platforms (Tenable)
Thanks to the economy, cybersecurity consolidation is coming (Protocol)

6. Quick takes

Here’s a roundup of recent patches, incidents and trends to have on your radar screen.

The White House this week released guidelines designed to ensure that U.S. government agencies use software that was built securely. As Federal Chief Information Security Officer Chris DeRusha said in a statement, the guidance “directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.” More from TechTarget, FCW, FedScoop, Roll Call and Bloomberg.

Microsoft addressed 62 CVEs in its September 2022 Patch Tuesday, including five critical flaws.

Trend Micro patched six vulnerabilities in its Apex One on-prem and SaaS products, one of which has been exploited in the wild.

A group of global cybersecurity agencies issued a joint advisory about Iranian-government sponsored threat actors that are exploiting vulnerabilities to enable ransomware attacks.

Apple fixed multiple vulnerabilities in its products, including an actively-exploited zero day bug. More from TechCrunch, the Center for Internet Security, The Register and Help Net Security.

Adobe patched a raft of vulnerabilities in products including Illustrator, Photoshop and InDesign.

Spending in cybersecurity insurance is expected to hit $32.6 billion in 2028, representing a compound annual growth rate of almost 19% between 2019 and 2028, according to Research and Markets.

The FBI is warning about the dangers of unpatched and outdated medical devices.
