All posts by rocco

What CISOs can learn about insider threats from Iran’s human espionage tactics


Over the last few months, there has been an uptick in espionage revelations concerning Iran and its interest in collecting information on regional adversaries as well as on Iranian expatriates whose views diverge from those of the current regime. It is important for CISOs to understand the human side of Iran's offensive efforts to gather information of interest.

Iran recruits eyes within Israel

In mid-January Israel’s Shin Bet (internal security service) revealed four Israeli women had been arrested for espionage, having been successfully recruited by Iranian intelligence via Facebook. The women, all of Iranian descent, were contacted by an individual who identified himself as Rambod Namdar, who claimed to be a Jewish man living in Iran. The modus operandi is one that has been seen many times before: Establish contact via a social network and then daisy-chain the contact to a seemingly more secure communication medium, in this case, WhatsApp.

BadUSB explained: How rogue USBs threaten your organization

In January 2022, the FBI issued a public warning over a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed “BadUSB,” and the FIN7 hacker organization has been named as the culprit. Here is what you need to know about BadUSB and mitigating the risks of this USB attack.

BadUSB definition

“The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim’s system, such as promising a gift card as a thank you or invoices that need to be processed,” explains Karl Sigler, senior security research manager at Trustwave SpiderLabs. His malware research team initially discovered the campaign in 2020 while examining a malicious thumb drive as part of a forensic investigation for a U.S. hospitality provider.

Red Cross: Supply Chain Data Breach Hit 500K People

The International Committee of the Red Cross (ICRC) has revealed a major data breach that compromised the personal details of over 515,000 “highly vulnerable” victims.

It was stolen from a Swiss contractor that stores the data on behalf of the global humanitarian organization headquartered in Geneva.

The ICRC claimed it originated from at least 60 Red Cross and Red Crescent National Societies worldwide.

Some of the most vulnerable members of society are affected, including individuals separated from their families due to conflict, migration and disaster, missing persons and their families and people in detention, it added.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, the ICRC’s director-general.

“This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”

There’s no indication the information has been shared publicly yet, but that’s no guarantee it won’t be in the future. That’s why Mardini pleaded with the threat actors not to leak or sell the spoils of their attack.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” he said.

“The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

Given financially motivated cyber-criminals have targeted hospitals with ransomware in the past, there’s certainly no guarantee that Mardini’s words will be heard. Nor is it clear whether it was a criminal rather than a state-sponsored attack.

As a result of the attack, the ICRC said it had been forced to shut down its Restoring Family Links service, which it claims reunites 12 missing people on average with their families every day.

INTERPOL and Nigerian Police bust business email compromise ring, arrest 11

INTERPOL and the Nigerian Federal Police today announced the arrests of 11 business email compromise (BEC) actors in Nigeria as part of an international operation to disrupt and tackle sophisticated BEC cybercrime. Many of the suspects are thought to be members of SilverTerrier, a network known for BEC scams that have impacted thousands of companies globally. The results are the latest example of industry and law enforcement efforts to thwart BEC activity, the most common and costly cyberthreat facing organizations.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Researchers Hack Olympic Games App

Cybersecurity researchers in Canada have found a “devastating flaw” in the MY2022 app, designed for use by attendees of this year’s Winter Olympic Games in Beijing.

The vulnerability was discovered by the Citizen Lab – an academic research laboratory based at the Munk School of Global Affairs at the University of Toronto.

In findings published Tuesday, researchers said that the flaw allows encryption that protects users’ voice audio and file transfers to be “trivially sidestepped.”

Researchers warned: “Health customs forms which transmit passport details, demographic information and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.”

The Citizen Lab reported its findings to the app’s vendor, but the vendor did not respond.

“While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress,” stated researchers. 

The German Olympic Sports Confederation (DOSB) said that downloading the app has been mandated for travelers seeking entry to the People’s Republic of China to attend the 2022 Winter Olympic Games.

“Without My 2022 there is no immigration into China according to the Beijing playbooks,” said the DOSB.

The confederation shared some cybersecurity advice it had received from the German Federal Institute of Information Security (BSI) regarding the MY2022 app.

“Our athletes are being equipped with a smartphone from IOC partner Samsung in Beijing. BSI recommends using MY2022 on these devices in China and deinstalling it at home,” it said. 

The International Olympic Committee (IOC) stated that MY2022 users could configure the app to disable access to features including files, media, calendar, camera, contacts, microphone and location data. 

Many countries have planned a diplomatic boycott of the Beijing Olympics over China’s record of human rights violations, including the systemic abuse of the Uyghur and other minority ethnic communities.

Boycotts have been planned by the UK, United States, Lithuania, New Zealand, Scotland, Australia, Canada, Latvia, Estonia, Belgium, Austria, Japan, Netherlands, Denmark and Sweden.

Ransomware Attack on Moncler

Cyber-criminals have stolen data from Italian luxury fashion brand Moncler and published it on the dark web.

The maker of down jackets confirmed Tuesday that it had suffered a data breach after being attacked by the AlphV/BlackCat ransomware operation in December. 

Attackers hit Moncler in the final week of 2021, causing a temporary outage of its IT services which delayed shipments of goods ordered online.

Some data stolen in the incident was published online on Tuesday after Moncler refused to pay a ransom to its attackers. 

Data compromised in the security incident relates to Moncler employees, former employees, suppliers, consultants, business partners and some customers registered on the company’s website.

Moncler said in a statement: “While the investigation related to the attack is still ongoing, Moncler confirms that the stolen information refers to its employees and former employees, some suppliers, consultants and business partners, as well as customers registered in its database.

“With regard to information linked to customers, the company informs that no data relating to credit cards or other means of payment have been exfiltrated, as the company does not store such data on its systems.”

The fashion brand said that the brief interruption to the logistical side of its operation had not put a major dent in its profits. 

“Data breaches are part of the web attack lifecycle and continue to fuel Account Takeover (ATO) and credential stuffing attacks. Therefore, we need to protect the apps that power our daily lives by disrupting the web attack lifecycle,” commented Kim DeCarlis, CMO at cybersecurity company PerimeterX.

They added: “This includes stopping the theft, validation and fraudulent use of account and identity information everywhere along the digital journey.” 

Trevor Morgan, product manager with data security specialists comforte AG, said that data-dependent businesses need to assume that they are a target for cyber-criminals.

“Squirreling sensitive data away behind protected perimeters won’t cut it anymore as a defensive measure,” said Morgan. 

He added: “Only robust data-centric security, such as tokenization or format-preserving encryption applied directly to sensitive data elements, can help mitigate the situation if the wrong hands get ahold of your data.”

Drupal core – Moderately critical – Cross site scripting – SA-CORE-2022-002

Project:
Date: 2022-January-19
Vulnerability: Cross site scripting
Description:

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-2022-001, further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:

CVE-2021-41182: XSS in the altField option of the Datepicker widget
CVE-2021-41183: XSS in *Text options of the Datepicker widget

Furthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the jQuery Update module:

CVE-2016-7103: XSS in closeText option of Dialog
CVE-2010-5312: XSS in the title option of Dialog (applicable only to the jQuery UI version included in D7 core)

It is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Important note regarding the jQuery Update contrib module

These backported fixes in D7 have also been tested against the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2), and the fixes were confirmed to work there. Therefore, there is no accompanying security release for jQuery Update.

However, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.

Please check the jQuery Update project page for more details, and for announcements when the changes are made to supported releases.

Solution: 

Install the latest version:

If you are using Drupal 7, update to Drupal 7.86

Reported By: 
Fixed By: 
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Lauri Eskola

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2022-001

Project:
Date: 2022-January-19
Vulnerability: Cross Site Scripting
Description:

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

CVE-2021-41184: XSS in the `of` option of the `.position()` util

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issue, without making any of the other changes to the jQuery UI version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.3.
If you are using Drupal 9.2, update to Drupal 9.2.11.
If you are using Drupal 7, update to Drupal 7.86.

All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
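The two jQuery UI advisories above (SA-CORE-2022-001 and SA-CORE-2022-002) share one bug class: a widget option such as Dialog's `title` or `closeText` is inserted into the page as markup, so a string that originated from an untrusted source (a node title, a query parameter) can carry script. The following is an added example, not code from Drupal or jQuery UI, that models that class with a minimal dialog-title renderer and shows the two defensive positions a site owner has: the widget treating the option as text, and the call site escaping markup-bearing options before they reach a widget that cannot be upgraded yet. The option list, function names and the sample title are all constructed for this example; jQuery UI itself is not loaded.

```javascript
// Added example (not Drupal's or jQuery UI's code). Models an XSS sink of the
// kind named in SA-CORE-2022-001/002: a widget option rendered as HTML.

// Minimal HTML escaping for text that must be inserted via innerHTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Widget options that the advisories describe as being interpreted as markup.
// Constructed for this example; adjust to the widgets actually in use.
const MARKUP_OPTIONS = new Set(['title', 'closeText', 'prevText', 'nextText', 'currentText']);

// Legacy-style rendering: the option value is concatenated into markup verbatim.
// This is the vulnerable shape; it is kept here only to contrast with the fix.
function renderDialogTitleLegacy(options) {
  return `<span class="ui-dialog-title">${options.title}</span>`;
}

// Hardened rendering: the same option is treated as text, never as markup.
function renderDialogTitleSafe(options) {
  return `<span class="ui-dialog-title">${escapeHtml(options.title)}</span>`;
}

// Caller-side defence for a widget you cannot upgrade yet (for instance a
// contrib module that still bundles an older jQuery UI): escape the
// markup-bearing options before they are handed to the widget constructor.
function sanitizeWidgetOptions(options, markupOptions = MARKUP_OPTIONS) {
  const clean = {};
  for (const [key, value] of Object.entries(options)) {
    clean[key] = markupOptions.has(key) && typeof value === 'string' ? escapeHtml(value) : value;
  }
  return clean;
}

// Review/log-scan helper: does a value contain something that would be parsed
// as a tag or an inline event-handler attribute once inserted as HTML?
function looksLikeMarkup(value) {
  const s = String(value);
  return /<\s*\/?\s*[a-z!]/i.test(s) || /\bon[a-z]+\s*=/i.test(s);
}

// Constructed untrusted input: a dialog title supplied by a content editor.
const untrustedTitle = 'Quarterly report <img src=x onerror=alert(1)>';

console.log('legacy :', renderDialogTitleLegacy({ title: untrustedTitle }));
console.log('safe   :', renderDialogTitleSafe({ title: untrustedTitle }));
console.log('flagged:', looksLikeMarkup(untrustedTitle));
```

The escaping is deliberately done at the boundary where text becomes HTML; escaping earlier (at storage time) leads to double-encoded output and still leaves any other HTML sink unprotected. The `looksLikeMarkup` check is a triage aid for reviewing stored values or request logs, not a substitute for the escaping.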

Reported By: 
Fixed By: 
Lauri Eskola
Chris of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Ben Mullins
xjm of the Drupal Security Team
Théodore Biadala

IRS Will Soon Require Selfies for Online Access

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.