The consultative body aims to tackle cyber-attacks used to fund Pyongyang’s weapons development, including its nuclear program

Read More

The Flipper Zero is an incredibly versatile hacking device. Now it can be used to crash iPhones in its vicinity by sending them a never-ending stream of pop-ups.

These types of hacks have been possible for decades, but they require special equipment and a fair amount of expertise. The capabilities generally required expensive SDRs­—short for software-defined radios­—that, unlike traditional hardware-defined radios, use firmware and processors to digitally re-create radio signal transmissions and receptions. The $200 Flipper Zero isn’t an SDR in its own right, but as a software-controlled radio, it can do many of the same things at an affordable price and with a form factor that’s much more convenient than the previous generations of SDRs.

Read More

Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today’s Part II, we’ll examine clues about the real-life identity of “Fearless,” the nickname chosen by the proprietor of the SWAT USA Drops service.

Based in Russia, SWAT USA recruits people in the United States to reship packages containing pricey electronics that are purchased with stolen credit cards. As detailed in this Nov. 2 story, SWAT currently employs more than 1,200 U.S. residents, all of whom will be cut loose without a promised payday at the end of their first month reshipping stolen goods.

The current co-owner of SWAT, a cybercriminal who uses the nickname “Fearlless,” operates primarily on the cybercrime forum Verified. This Russian-language forum has tens of thousands of members, and it has suffered several hacks that exposed more than a decade’s worth of user data and direct messages.

January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. SWAT agreed to transfer the business in exchange for 30 percent of the net profit over the ensuing six months.

Cyber intelligence firm Intel 471 says Fearlless first registered on Verified in February 2013. The email address Fearlless used on Verified leads nowhere, but a review of Fearlless’ direct messages on Verified indicates this user originally registered on Verified a year earlier as a reshipping vendor, under the alias “Apathyp.”

There are two clues supporting the conclusion that Apathyp and Fearlless are the same person. First, the Verified administrators warned Apathyp he had violated the forum’s rules barring the use of multiple accounts by the same person, and that Verified’s automated systems had detected that Apathyp and Fearlless were logging in from the same device.  Second, in his earliest private messages on Verified, Fearlless told others to contact him on an instant messenger address that Apathyp had claimed as his.

Intel 471 says Apathyp registered on Verified using the email address triploo@mail.ru. A search on that email address at the breach intelligence service Constella Intelligence found that a password commonly associated with it was “niceone.” But the triploo@mail.ru account isn’t connected to much else that’s interesting except a now-deleted account at Vkontakte, the Russian answer to Facebook.

However, in Sept. 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card shop, saying his credentials no longer worked. Apathyp told the proprietor that his chosen password on the service was “12Apathy.”

A search on that password at Constella reveals it was used by just four different email addresses, two of which are particularly interesting: gezze@yandex.ru and gezze@mail.ru. Constella discovered that both of these addresses were previously associated with the same password as triploo@mail.ru — “niceone,” or some variation thereof.

Constella found that years ago gezze@mail.ru was used to create a Vkontakte account under the name Ivan Sherban (former password: “12niceone“) from Magnitogorsk, an industrial city in the southern region of Russia. That same email address is now tied to a Vkontakte account for an Ivan Sherban who lists his home as Saint Petersburg, Russia. Sherban’s profile photo shows a heavily tattooed, muscular and recently married individual with his beautiful new bride getting ready to drive off in a convertible sports car.

A pivotal clue for validating the research into Apathyp/Fearlless came from the identity intelligence firm myNetWatchman, which found that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”

Care to place a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten points if you answered August 18 (18081991).

Mr. Sherban did not respond to multiple requests for comment.

Read More

Here is an overview of the CIS Benchmarks that the Center for Internet Security updated or released for November 2023.

Read More

Many say it led to a subsequent data breach

Read More

“History repeatedly has demonstrated that inferior forces can win when leaders are armed with accurate intelligence.” – Central Intelligence Agency; Intelligence in War

In the ever-changing landscape of global cybersecurity, the boundaries between traditional military intelligence and cybersecurity are increasingly blurred. At the heart of this convergence lies the science of intelligence analysis—a process fundamental to both realms. Equally important is the recognition of target indicators, which serve as harbingers of impending activities, whether on a battlefield or within the complex circuits of cyberspace.

For the modern organization, Security Information and Event Management (SIEM) systems serve as the nexus where the ancient art of intelligence gathering meets the contemporary needs of cybersecurity. This fusion is further enriched by dark web monitoring, a relatively new frontier in information gathering that equips analysts with a fuller understanding of the threat landscape in the darker recesses of the Internet where cybercriminals do their bidding.

Traditionally, military intelligence has been the linchpin of strategic and tactical decision-making. It involves complex processes for data collection, analysis, and interpretation.  In short, it turns ubiquitous data into actionable intelligence. The types of data used in intelligence analysis range from intercepted radio communications, satellite images, and even information gathered from troops on the ground. Analysts and applications sift through this plethora of information to extract actionable insights, scrutinizing for target indicators—clues that signal the enemy’s intent or location. For instance, an unusual accumulation of vehicles in a remote area could indicate the staging of troops, thereby serving as a target indicator. Recognizing such cues is crucial for informed decision-making.

Likewise, in cybersecurity, intelligence analysis serves as the backbone of protective strategies. Here, data collection is continuous and automated, thanks to SIEM systems and security correlation engines. These systems aggregate logs from various network endpoints, generating alerts based on defined rules that flag anomalies or known indicators of compromise. Just as military analysts look for signs like troop movement or weapons stockpiling, cybersecurity analysts review SIEM logs for target indicators such as repeated failed login attempts or abnormal data transfers, which might indicate a cyber-attack.

The enrichment of SIEM data sets through dark web monitoring brings a novel depth to cybersecurity. For the uninitiated, the dark web serves as a haven for cybercriminals, offering a marketplace for anything from hacking tools to stolen data. This space is often the first point of compromise, where stolen data may appear for sale or where impending cyber-attacks might be discussed.

Dark web monitoring involves the tracking of these criminal forums and marketplaces for specific keywords, threats, or data sets related to an organization. Information gleaned from the dark web provides that extra layer of intelligence, allowing for a more proactive cybersecurity posture. For example, a company might discover on the dark web that its stolen user credentials or company client lists are being sold. This type of information is a specific target indication that a company has experienced a data breach at some level.

The parallels between military intelligence and cybersecurity are not merely conceptual; they have practical implications. Military operations often employ real-time data analytics to generate quick situational reports, enabling rapid decision-making. In a similar vein, a well-configured SIEM system can offer real-time analysis of security alerts generated by hardware and software infrastructures. In both contexts, the speed and accuracy of the intelligence analysis are crucial for successful outcomes. 

Organizations that successfully implement both dark web monitoring and SIEM solutions stand to benefit in manifold ways. Apart from augmenting the data pool for analysis, it adds a proactive element to the generally reactive field of cybersecurity. It allows for the anticipation of attacks rather than just preparation for them, thereby offering the strategic advantage of time—often the most crucial factor in both military and cybersecurity operations.

In summary, the art of intelligence gathering and analysis, forged and refined through centuries of military strategy, finds a new battleground in the domain of cybersecurity. SIEM systems serve as the operational hubs where these time-tested strategies meet the unique challenges posed by the digital age. Further enriched by the advent of dark web monitoring, the modern SIEM system is a testament to the synergetic power of combining the old with the new. As we continue to navigate the evolving landscape of threats, both physical and digital, the integration of these diverse yet interrelated fields will be key to devising more robust, resilient defense mechanisms for the future.

AT&T provides a number of advanced cybersecurity products and solutions designed to help companies navigate the challenging landscape of today’s cyber threats.  AT&T’s Dark Web Monitoring provides an industry leading dark web monitoring solution to identify credentials, and other target indicators of a breach. Additionally, AT&T’s USM Anywhere, a centralized security monitoring solution, is essentially a SIEM on steroids.  By providing security events and alerts in a single pain of glass, USM Anywhere enables decision makers to make decisions based upon actionable intelligence. 

Read More

NCSC wants to ease transition to quantum safety

Read More