80% of Drivers Don’t Remove Personal Information Before Selling Their Car

Four in five drivers don’t remove their personal information before selling their car, a new survey from Which? reveals. Between December 2019 and February 2020, the consumer advisory group surveyed more than 14,000 individuals who had sold their car in the previous two years, exposing concerning behavior.

More than 50% of drivers admit to having synced their smartphones to their cars, allowing the transfer of their contact list, text messages and Wi-Fi information to the onboard system. While this alone is not enough to raise an alarm, most drivers ignore instructions on how to delete their data or perform a factory reset before selling their car.

This implies that drivers are freely handing over sensitive information, including their phonebooks, home addresses and home Wi-Fi, to complete strangers. If the system is not properly wiped before selling your vehicle, the new owner can easily view this information.

Modern cars even provide apps that can be installed on the owner’s phone. These apps allow drivers to track the car’s location, activate the lights or horn, lock and unlock the doors, and even stop the engine.

The survey found that 1,893 car owners who had sold a car in the previous two years also downloaded the associated app. However, 50% failed to unpair or delete the associated app, creating new possibilities for stalking and other crimes.

“If cars are not treated the same as a smartphone, tablet or other connected devices when it comes to data security, motorists risk giving away a treasure trove of information about themselves when they decide to sell their car,” said Harry Rose, editor of Which? Magazine. “Manufacturers must do much more to prioritise customers’ personal privacy so that drivers fully understand how much data their vehicle could be harbouring and how to delete this information in order to eradicate these risks.”

If you are thinking of selling or buying a second-hand car, do some homework. As a seller, you should always delete any personal information that could be stored in the vehicle’s infotainment system. If you are also using a dedicated app, unpair and delete the software from your smartphone. If you are browsing the market for a used car, ask for evidence that any previous data was wiped and the access rights were revoked.

DDoSecrets thrown off Twitter after distributing 269GB BlueLeaks data dump

The activist group Distributed Denial of Secrets, perhaps better known by their shorter but clumsy moniker DDoSecrets, has been permanently banned from Twitter.

The self-declared “transparency collective”, which published leaked and hacked data it claimed was of public interest, earned its banishment from Twitter after it distributed a gigantic collection of sensitive documents related to police and law enforcement across the United States.

As we previously reported, the 270GB data dump (dubbed “BlueLeaks”) contains many years’ worth of information from over 200 US police departments, FBI reports, and other law enforcement agencies.

As investigative journalist Brian Krebs reports, the data appears to have been exfiltrated following a security breach at web development firm Netsential.

The publication of the data appears to have been deliberately timed by DDoSecrets to coincide with “Juneteenth”, the United States’s national day of commemoration of the ending of slavery, June 19th.

Unfortunately, the group’s haste to release the data in time appears to have overtaken any desire to redact details which could put innocent parties at risk: such as images of suspects in police investigations, banking details, and other personally identifiable information (PII).

There are additionally concerns that the breach could endanger ongoing police investigations, and the lives of law enforcement officers.

And as the dumped data contains information reaching back as far as perhaps the mid-1990s, there is additionally the risk that information may be completely out-of-date.

Speaking to Wired, DDOSecrets founder Emma Best admitted that the group had probably failed to redact all information related to crime victims, children, and unrelated private businesses:

“Due to the size of the dataset, we probably missed things. I wish we could have done more, but I’m pleased with what we did and that we continue to learn.”

That’s a startling admission of failure. Clearly more could have been done, but from the sound of things DDoSecrets and its supporters were working to too tight a deadline.

And clearly Twitter was not impressed to see the dissemination of the hacked data, which is in conflict with its policies.

Having been criticised in the past for its tardy response in banning other hacking groups, such as The Dark Overlord, DC Leaks, and Guccifer 2.0, Twitter clearly felt it couldn’t stand silent while the BlueLeaks data leak was being so overtly disseminated on its platform.

Such a ban, however, may not silence DDoSecrets permanently. Don’t be surprised if they pop up again, in a new guise, to share stolen secrets on Twitter.

Adobe to Remove Flash Download Links, Recommends People Uninstall It Now

Adobe is taking further steps in its Flash-dismantling process scheduled to take place by the end of 2020, and said users should uninstall it long before the end-of-life date.

Removing Flash from online content is a long and complicated process that has taken years, but the end is finally approaching for this piece of software. It’s been a cornerstone for websites for so many years, but that journey will be over at the end of 2020.

The implementation of HTML5, WebGL, and WebAssembly made Flash obsolete, but it was so widespread that pulling the plug quickly would have been impossible. The official announcement came way back in July 2017, and you can still find Flash-powered websites today. It’s very likely that some websites will continue to use Flash after the December 31 deadline, but browsers won’t allow users to view them.

Adobe added some information to the Flash Player EOL information page, letting people know what exactly will happen after the EOL date.

“Adobe will be removing Flash Player download pages from its site and Flash-based content will be blocked from running in Adobe Flash Player after the EOL Date,” reads the website.

“We recommend that all users uninstall Flash Player before the EOL. Users will be prompted by Adobe to uninstall Flash Player on their machines later this year and Flash-based content will be blocked from running in Adobe Flash Player after the EOL Date.”

Even with all the warnings, many users will likely continue to keep Flash and its components installed for a long time, leaving them open to possible exploits. Hopefully, developers and webmasters will migrate their content, hastening the end of Flash and its glorious era.

Data Breach: Hacker Sells Over 1.3 Million User Records of Popular Stalker Online MMO Game on Dark Web Marketplace

This week, Cyber News researchers announced that cyber thieves are offering for sale more than 1.3 million user records from the free-to-play Stalker Online MMO game on dark web marketplaces.

The data leak was discovered by the team overseeing the dark web-monitoring project implemented by the independent cybersecurity research publication, and contains personally identifiable information such as email addresses, usernames, passwords (MD5 hashed and salted), phone numbers and IP addresses.

Apparently, two separate data dumps were on sale. The first contains over 1.2 million user records, while the second includes over 136,000 user records from Stalker Online forums.

To verify the validity of the data, researchers purchased the database from the attacker, and after a thorough analysis, determined that the data samples and email addresses were indeed genuine.

According to an announcement by the researchers, the trove of data was found on May 5, after the attacker opened a Stalker Online database thread on a dark web forum.

As proof of his successful server compromise, the hacker also posted a link that directs users to a page on the official Stalker Online website containing the intruder’s message.

“The security of this web server has been compromised and all of your files and userdata are now in our possession,” the message reads. “Contact us on [redacted] for assistance in securing your web server. If not reach within 24 hours – data gathered will be posted for all to download.”

Researchers contacted the game developers and parent company on May 8, but no reply or comment was received. However, the team managed to get in touch with the e-commerce platform Shoppy.gg, where the attacker was storing the exfiltrated data. On May 29, the database was removed from the platform.

“Both databases were hosted on Shoppy.gg and were available for anyone to download for several hundred euros worth of Bitcoin,” the report said. “It’s currently unknown if anyone else bought and downloaded the databases, but we assume that anyone who had money to spare and knew where to look could have accessed the databases during the exposure period.”

The game has an extensive reach in Russia and Eastern Europe, and gamers are advised to immediately change the password to their online account. Converting MD5 salted passwords to plain text is possible, and combined with the email address, users are exposed to account takeover attacks.

Zoom to Implement End-to-End Encryption for All Users, Not Just Paid

Zoom announced that end-to-end encryption (E2EE) will be available to all users, free and premium, marking a shift in strategy at the US

One of the more controversial measures announced by Zoom a few weeks ago was related to their end-to-end encryption (E2EE) option and the company’s decision to only offer the feature to paying customers. The main reason pertained to security, as the implementation of E2EE would make it difficult to identify Zoom bombers and other similar infractions.

Their decision wasn’t received with open arms, and the company continued to look for a solution, helped by civil liberties organizations, child safety advocates, encryption experts, and others. Finally, it looks like a resolution was reached, allowing them to offer E2EE to all tiers of users.

“Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” said Eric S. Yuan, Zoom’s CEO.

“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse,” he continued.

It will take a while until this feature is available for everyone. Testing for E2EE will start in July 2020, in a Beta version. Until E2EE becomes the norm, other users will have to settle for the existing AES 256 GCM transport encryption.

Moreover, it will be up to hosts to toggle E2EE for each meeting. Zoom says that this encryption technology limits some of the app’s functionalities, such as the inclusion of traditional PSTN phone lines or SIP/H.323 hardware conference room systems.

BlueLeaks: Activist Group Publishes More Than 1 Million Police and Federal Agency Documents Online

On June 19, an activist group called Distributed Denial of Secrets (DDoSecrets) published a 270-gigabyte collection of sensitive documents exfiltrated from 200 police departments, law enforcement agencies and fusion centers across the United States.

DDoSecrets claims that the leaked data was received from the infamous Anonymous hacktivist group, saying that, “we provide a stable platform for the public to access data and an anonymity shield for sources to share it, but are uninvolved in the exfiltration of data.”

The sensitive data can be perused on an online platform, dubbed BlueLeaks, and contains more than 1 million files, including police and FBI reports, security bulletins, law enforcement guides, scanned documents, videos, emails, and audio files.

BlueLeaks database screenshot

“Ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more,” DDoSecrets said in a recent Tweet.

According to KrebsOnSecurity, the National Fusion Center Association (NFCA) has confirmed the validity of the data leak. Fusion centers are state-owned associations that act as intermediaries between local and state law enforcement and federal government agencies across the US, providing training, alerts, guides and instructions between various law enforcement bodies.

“Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports,” reads the NFCA alert.

The leaked cache of data raises a high degree of concern for law enforcement agencies across the nation, as cyber criminals might seek to leverage the sensitive data in cyber campaigns.

Moreover, the BlueLeaks data sets may endanger ongoing investigations and the lives of law enforcement agents.

“With this volume of material, there are bound to be compromises of sensitive operations and maybe even human sources or undercover police, so I fear it will put lives at risk,” said Stewart Baker, the former assistant secretary of policy at the U.S. Department of Homeland Security.

“Every organized crime operation in the country will likely have searched for their own names before law enforcement knows what’s in the files, so the damage could be done quickly,” he said. “I’d also be surprised if the files produce much scandal or evidence of police misconduct. That’s not the kind of work the fusion centers do.”

Man Accused of Selling Personal Information of 65,000 UPMC Employees Arrested in Michigan

Last week, the Department of Justice (DOJ) announced that the individual who allegedly breached the human resource database of University of Pittsburgh Medical Center (UPMC) in 2014 was arrested in Michigan.

In a press release, the DOJ accuses Justin Sean Johnson of stealing personally identifiable information of more than 65,000 UPMC employees, and selling the treasure trove of information on dark web forums “for use by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII.”

According to the indictment, in December 2013, Johnson infiltrated UPMC’s HR database managed by PeopleSoft, and performed a ‘test query’ for PII belonging to 23,500 employees. Between January and February 2014, the culprit remotely accessed the HR database, viewing and exfiltrating additional PII of UPMC employees.

Example of dark web marketplace posting from the indictment

The 29-year-old, aka ‘TDS’ or ‘DS,’ was highly active on the dark web for about 3 years, his fraudulent schemes ultimately resulting in $1.7 million in unauthorized federal tax returns.

The fake tax returns were converted into Amazon gift cards, and used to purchase goods that were shipped to Venezuela through multiple reshipping services in Miami.

“Approximately $885,578 in electronic merchandise such as Samsung and Apple cell phones, gaming devices and other electronics was ordered using the Amazon.com gift cards,” the May 20 indictment reads.

“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” U.S. Attorney Brady said. “After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in a massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud. Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.”

Johnson is charged in a 43-count indictment with conspiracy, wire fraud, and aggravated identity theft. If found guilty, the accused faces a maximum sentence of five years in prison and a fine of $250,000 for conspiracy to defraud the United States, 20 years in prison and a fine of $250,000 for each count of wire fraud, and 24 months in prison along with a fine of $250,000 for each count of aggravated identity theft.

Woman who deliberately deleted firm’s Dropbox is sentenced

58-year-old Danielle Bulley may not look like your typical cybercriminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

As North Yorkshire police report, Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

Once upon a time, Bulley was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon.

At some point things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

Unable to continue to operate, the business was forced to close down.

When specialist police from North Yorkshire Police’s Cyber Crime Unit investigated, they discovered that the Dropbox account had been remotely accessed from an IP address associated with Danielle Bulley.

Under questioning, Bulley admitted that she had deleted the files, claiming that she believed she was entitled to do so, but knowing that it would cause chaos for the business.

Detective Constable Steven Harris of the Cyber Crime Unit warned other companies of the threat which can be posed by former employees:

“Bulley’s actions had dire consequences for people’s livelihood. During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic for the victim. It dealt the new business a blow from which it never recovered.”

“Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.”

Sentencing Bulley to an 18-month community order with 80 hours’ unpaid work, Judge Simon Hickey said: “It was done in revenge. She was a respectable woman, but had lost her good character.”

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.

And if you believe you have been wronged by a former employer do not make the mistake of thinking your anger should be directed towards them through some criminal action. You may feel that you have not been fairly treated, but you will feel much worse if you end up with a criminal conviction.

European and North American Countries are Least Exposed to Cyberattacks, New Study Reveals

A new report from PasswordManagers.co highlights the exposure of countries worldwide to the growing wave of cyberattacks. In its Cybersecurity Exposure Index (CEI) 2020, the company analyzed and rated 108 countries based on exposure to malicious attacks including trojans, ransomware, cryptocurrency mining and phishing.

Finland was the least exposed to cybercrime, according to the report, followed by Denmark, Luxembourg, Australia and Estonia. The most exposed country for cyberattacks was Afghanistan, but countries such as Myanmar, Ethiopia, Palestine and Venezuela were close behind.

The survey also assessed the level of commitment in each country by using the 2018 Global Cybersecurity Index, which classifies countries’ approach to cybersecurity issues and cybercrime based on legal, technical, organizational, capacity-building and cooperation measures.

“Where risk is the probability (i.e. the chance that an event or situation will happen), exposure is the extent to which risk can have an effect,” researchers said. “With exposure defined as the fact of experiencing or being affected by something, we chose to research the frequency of malicious attacks alongside the level of cybersecurity commitment to accurately assess each country’s exposure to cybercrime.”

Measuring the exposure score of each state with a rating system from 0 to 1, nearly 71% of European countries classify in the low or very low exposure groups, with a score of 0.329. North America received the second-lowest exposure score, of 0.462, with 66.67% of countries classified in the moderate, low, and very low exposure groups.

40% of South American countries classified in the high and very high exposure groups, with Venezuela, Bolivia, Ecuador, Peru and Colombia scoring between 0.590 and 0.807. In the Asia-Pacific region, Australia was named the least exposed country, followed by Japan, New Zealand, Singapore and Qatar. However, on a global scale, countries in Asia-Pacific account for 40% of high and very high exposure groups.

The report shows that 75% of African countries are classified in the high and very high exposure groups, accounting for 36.67% of all high exposure countries globally.

Ransomware Attack Confirmed by Australia-Based Beverage Manufacturer

On June 9, Australian beverage giant Lion announced it had fallen victim to a cyberattack that forced the company to shut down its IT systems, limiting its manufacturing and order placement.

No signs of a ransomware attack were confirmed at first. On June 12th, however, the company confirmed the worst case scenario.

“Our investigations to date have shown that a system outage has been caused by ransomware. The ransomware targeted our computer systems. In response, we immediately shut down key systems as a precaution,” company officials said in an update on their website. “Our IT teams and expert cyber advisors are working around the clock, investigating the issue and assessing how long the impacts will continue”.

It appears that the attackers are now threatening to publish or auction confidential company information unless a ransom of $1 million is paid. Proof of stolen confidential files was posted on the dark web along with a ransom note:

“You have 5 days to contact us and pay, otherwise all your financial, personal information your clients and other important confidential (sic) documents will be published or put up for auction,” the attackers said.

According to Australian media reports, Lion CEO Stuart Irvine told employees that the company was hit by a second attack, and that their focus is on restoring internal systems and improving their defenses.

After the ransom note, company representatives continued to update their cyber incident thread. “There have been reports of Lion document lists posted online in recent days”, said the latest update posted on June 19. “Given this development, our expert teams are doing all they can to investigate whether any data has been removed from our system. Unfortunately, based on the experience of others in this situation, it is possible this may have occurred.”

Stakeholders and employees are advised to be on the lookout for any phishing attempts via SMS, email or social media, and change their online account passwords regularly, enabling a form of multi-factor authentication and installing a local security solution.
