Tag: security

Russian hackers steal $10 million from ATMs through bank networks

The recent rash of bank system hacks goes deeper than you might have thought -- it also includes stealing cash directly from ATMs. Researchers at Group-IB have published details of MoneyTaker, a group of Russian hackers that has stolen close to $10 million from American and Russian ATMs over the past 18 months. The attacks, which targeted 18 banks (15 of which were American), compromised interbank transfer systems to hijack payment orders -- "money mules" would then withdraw the funds at machines.

The first known attack was in the spring of 2016, when MoneyTaker hit First Data's STAR network (the largest transfer messaging system for ATMs in the US). They also compromised Russia's AW CRB network, and swiped documents for OceanSystems' Fed Link system used by roughly 200 banks across the Americas. And in some cases, the group stuck around after the initial heist -- at least one US bank's documents were stolen twice, while the perpetrators kept spying on Russian bank networks.

While it's not clear who's behind MoneyTaker, you're only hearing about them now because they're particularly clever. They've repeatedly switched their tools and methods to bypass software, and have taken care to erase their tracks. For instance, they've 'borrowed' security certificates from the US federal government, Bank of America, Microsoft and Yahoo. One Russian bank did manage to spot an attack and return some of the ill-gotten gains.

This particular hack didn't directly affect users, since it was more about intercepting bank-to-bank transfers than emptying personal accounts. However, it illustrates both the sophistication of modern bank hacks and the vulnerability of the banks themselves. While it would be difficult to completely prevent hacks, it's clear that attackers are having a relatively easy time making off with funds and sensitive data.

Via: Reuters

Source: Group-IB (reg. required)


All the cool gifts are made for spying on you

It's the gift-giving season, and high-tech gadgets are more exciting than ever. Alexa, Siri, Cortana, and even "Okay Google" are ready to come over for holiday ham, ready to help you turn on a light or play you some Spotify. Those always-on microphones, cameras, and WI-FI connected devices are cheaper, cooler, and more convenient than ever.

Yet, you still feel a little weird about their, you know, baser functions. Google and Amazon only record what they need to. Plus, you've read 1984, watched Big Brother (and thought the contestants were nuts for being watched 24-7), and you think spying on people's everyday lives is generally bad.

And yet, look at us. We're marinating in surveillance tech. We carry an always-on combination tracker and eavesdropping device everywhere we go (a smartphone). We agonize over picking out the best smart home microphone-speaker combination. We snarf up the latest in connected appliances. We say "yes" to all the apps, and surf the web looking for deals like it's the pre-condom era of porn.

We know the connected devices, no matter how big the company they come from, are all bug-infested, insecure, preyed upon, and riddled with shady backroom data deals. And yet.


And yet.

The trend toward in-home surveillance devices is only continuing, with this year's gift-giving aspirations. Here at Engadget, we're modeling the trend: decrying privacy invasions, yet playing with privacy fire, indulging our lust for convenience and futurism with all the sexy gadgets on our 2017 best-of gift list.

We want the Echo, the Google Home, a Sonos One, and all the privacy-devouring spy tech we can cram into our voice-activated games console. I'm with you! Yet I know better than to let companies spy on me! Give me a new MacBook, a Chromebook, an iPad or a Surface, damn the easily-hackable onboard cameras and microphones, full speed ahead. I'd push grandpa into a mall fountain and jam his walker into Best Buy's revolving doors to get my hands on the hottest new tracking devices, the iPhone, a Pixel, a Galaxy.

And that's the thing: We all know the risks these days. It's not like ten years ago when some of us were trying to raise the alarm about webcam hacking and data dealing, and everyone thought we were fringey conspiracy weirdos in tinfoil bras doing Flickr updates from our freaky internet-connected phones.

If anything, security and surveillance are even bigger concerns. Just in October, a woman's new webcam was taken over practically the minute she plugged it in. In a Facebook post, she described the incident, going on to film the camera's complete hijacking while in progress. But here's the thing: The story didn't surprise anyone, and didn't compete with any headlines. We're all like, yeah, that's a thing that happens now, while in our heads we silently practice what we'll do when it happens to us.


I know what you were thinking when your eyes traveled the wishlist above, with the Echos and the Homes, and the highly desirable appliances that make Inspector Gadget's kit look like unimaginative stupidity. You're thinking, "but Amazon will protect me from unlawful requests" and "Google Home wouldn't do that on purpose, it would harm consumer trust."

And in the instances we know of, you'd be right. When a man was murdered in November 2015, Amazon initially refused to hand over its Alexa data from the scene of the crime when prosecutors demanded the records. The company said that Alexa's questions and answers are protected by the first amendment and Amazon "seeks to protect the privacy rights of its customers." Amazon later relented and shared the data when the defendant, the Echo's owner, gave permission. The fact that a hacker had fun turning an Echo into a wiretap did nothing to reassure anyone.

And that whole thing where Google Home was recording everything just this last October, well that was a "bug." Never mind that "bug" is Facebook's perennial catch-all term/excuse for getting caught doing something people don't like (and that's not a good look for anyone). Google said its little smart home speaker was having an "issue" that caused it "to behave incorrectly." That probably wasn't reassuring for journalist Artem Russakovskii, who discovered he was being recorded 24-7.

What can we do, but take Google and Amazon at their word? No one trusts these companies or their interests in serving us better ads or suggestions. They say they'll protect us, they're big companies and can afford to properly test everything, and they fix their mistakes when we find them.

Haven't we learned anything from dystopian books and films? How is this now aspirational? Or is it just that we're so miserable from politics that a little convenience-at-a-cost is our only salve to soothe our tortured souls?

Don't feel bad. Everyone's doing it, the gleeful self-surveillance. Even hackers, who know better than anyone: I can tell you that they're shopping for the same things and going home to strip down and roll in piles of connected crap like they hate privacy, too. We're all going to privacy hell together.

I'm sure it'll be fine. As long as we remember that it pays to be paranoid because we're all so depressed and angry at the state of the state that we deserve a little fluff, a little fun, a little convenience.

Facebook may be insidious, Apple might've conditioned us, and everyone with a stake in the surveillance pie has tried to soothe us. But we still need to cover our webcams, turn off geotagging, drill into settings to fight the data creeping, and stay awake and alert to the ways that companies make us targets.

Take my advice for the holidays: Shop like no one's watching, but never forget that someone might be listening.

Images: Brendan McDermid/Reuters (Amazon Echo); Shutterstock (Security camera).


Kaspersky Lab is closing its Washington, DC office

Kaspersky Lab Inc. has had a rough time with the US government this year and now Bloomberg reports that the company will be closing its Washington, DC office. However, while its government business seems to be dead in the water, Kaspersky still plans to sell to non-federal US customers and will be opening offices in Chicago and Los Angeles next year.

In July, the Trump administration removed Kaspersky from its list of approved IT vendors and in August reports surfaced that the FBI was trying to convince companies to ditch Kaspersky's products. These moves were a result of US government suspicions that Kaspersky funnels information from its customers to the Russian government. Best Buy pulled Kaspersky products from its shelves shortly thereafter and the US government ultimately banned federal agencies from using the company's security software in September.

While the UK's cybersecurity authority, the National Cyber Security Centre, also advised government agencies against using Kaspersky software, the company's vice president, Anton Shingarev said in a recent interview, "We are in talks with NCSC and are trying to figure out what's needed to deserve an opposite recommendation. In general, they support the idea of opening the source code of our software for independent audit." He also said that Europe's regulators are "fact-driven" while the US ban was based on "emotions" and "speculations." Kaspersky has repeatedly maintained that it does not share its information with the Russian government.

To quell concerns about the company, Kaspersky announced in October that it would open up its source code to third-party review. That's set to begin early next year.

Via: Bloomberg


Researchers find another smart toy that’s easy to hack

A team of security researchers that has warned of the dangers of smart toys has found another that can be used to spy on your children. Pen Test Partners examined the Teksta Toucan, finding that it's easy to hack the device's microphone and speaker. According to The Register, the device is built by Genesis Industries, makers of the iQue and My Friend Cayla, two devices that are already feeling the heat from regulators. Both are currently being looked at in the US and Europe, while the latter has been withdrawn from sale in Germany.

The Toucan had two ways of being accessed, the first of which was simply by connecting to the device's built-in Bluetooth speaker. Crucially, however, the microphone was also accessible, so sufficiently local and motivated attackers could snoop on what you, or your kids, were saying. The second method required breaching the device's OS and replacing its library of MP3 files with something less suitable. To demonstrate the hack, Pen Test filmed the Toucan turning the air blue, which you can see in this NSFW clip below.

Parents are advised to steer clear of all three devices, and return them if they've snagged them as a gift for the holidays. Pen Test is also sharing its findings with regulators in the hope of ensuring that the device is banned.

Via: The Register

Source: Pen Test Partners


iOS HomeKit bug exposed smart locks to unauthorized access

Apple has another security issue to deal with. As 9to5Mac reports today, Apple's HomeKit framework has a vulnerability that allows unauthorized access to connected smart devices like locks and garage door openers. Apple has already put in a server-side fix that rectifies the issue, but the fix also disables remote access to shared users. Apple says that the reduced functionality will be restored with an iOS 11.2 update next week.

While 9to5Mac didn't share the details of the vulnerability, the flaw also reportedly opened up smart lights, thermostats and plugs to unauthorized control. This issue follows a High Sierra bug discovered last month that allowed users to gain admin access without a password.

Because the server-side fix has already been implemented, users do not need to take any additional steps to secure their smart products. Just be sure to install the iOS update when it's released in order to regain the reduced functionality.

Source: 9to5Mac


Cryptocurrency mining marketplace loses $64 million to hackers

A cryptocurrency marketplace called NiceHash has suffered a security breach that left its bitcoin wallet tens of millions of dollars lighter. Slovenia-based NiceHash connects miners, or people selling their hashing/computer power, with people willing to pay for that power. Andrej P. Škraba, the marketplace's head of marketing, told Reuters that the company was targeted by "a highly professional attack" that involved "sophisticated social engineering." He also revealed that the infiltrators got away with 4,700 bitcoins -- or around $64 million.

Before Škraba talked to Reuters, NiceHash posted an announcement on Reddit and on its website that it's pausing all operations for the next 24 hours to investigate the incident. The post said the company's payment system was compromised, and that it's working with authorities on top of conducting its own investigation.

Unfortunately, Škraba didn't reveal more details than that, but the company is advising users to change their passwords on NiceHash and other services -- good advice now that bitcoin looks more alluring to hackers than ever. It has soared past $15,000 in value, just hours after it broke past the $14,000 mark. Authorities in some countries are cracking down on cryptocurrency, however, in hopes of gaining greater control over the virtual currency.

Source: Reuters, Reddit


Uber paid off a 20-year-old Florida man to destroy hacked data

More details are coming to light about Uber's huge data breach. Reuters is reporting that a 20-year-old Florida man was behind the 2016 extortion-oriented cyberattack and was paid through the firm's bug bounty program. We know that the individual, whose identity Uber refuses to disclose, received $100,000 for destroying the info, which exposed the personal data of roughly 57 million customers and drivers. The ride-hailing firm then kept quiet about the breach for more than a year. You can bet Congress and the five states investigating Uber will be paying close attention to any new nuggets of info.

Bug bounties (where compensation is offered to hackers who find vulnerabilities) are commonplace within tech circles -- everyone from Apple to Samsung utilizes them. And, while highly-publicized rewards of up to $200,000 are the norm, it's rare that the largest sum is dispensed to any one person. That makes Uber's $100,000 silent payout an all-time record for HackerOne, the firm that hosts Uber's bug bounty program, according to a former exec who spoke to Reuters.

The Florida hacker, described in the report as "living with his mom," reportedly paid a second individual for help accessing GitHub's resources to procure credentials for Uber data stored elsewhere.

Upon divulging the breach last month, the company fired chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for covering up the breach. But Reuters sources claim the coverup went straight to the top of the food chain to former CEO Travis Kalanick. Both Uber and Kalanick refused to comment.

Source: Reuters


ProtonMail Bridge offers encryption for your go-to email client

ProtonMail's encrypted email app went live for everyone a year or so ago. The company offered a free VPN service just this past June and an encrypted contacts system just before Thanksgiving of this year. Now ProtonMail is enabling mainstream email app users to safely send and receive email, too.

Called ProtonMail Bridge, the application runs in the background on your computer and encrypts and decrypts email on the fly. It integrates your ProtonMail account with any email program that supports IMAP and SMTP, like Microsoft Outlook, Apple Mail and Mozilla Thunderbird. Setup takes a bit of effort, but ProtonMail has pictorial guides to help you through it for each email app. Using Bridge with your standard email client allows you to perform full-text searches, use multiple accounts and run mass backups -- things you're not able to do with the original ProtonMail itself.

Source: ProtonMail


SEC Cyber Unit’s first charges target cryptocurrency fraud

The Securities and Exchange Commission's new Cyber Unit has filed its first charges since being formed in September. The unit's case is being brought against a company called PlexCorps, its founder Dominic Lacroix and his partner Sabrina Paradis-Royer and the SEC claims that Lacroix and Paradis-Royer were actively defrauding investors. PlexCorps was engaged in an initial coin offering (ICO) -- which was selling securities called PlexCoin -- that had already raised around $15 million since August and it was fraudulently promising that investors would see a 13-fold profit in just under one month. The SEC obtained an emergency asset freeze to halt the ICO.

The SEC's charges seek permanent injunctions, a release of all funds collected so far as well as interest and penalties. In a statement, Robert Cohen, head of the Cyber Unit, said, "This first Cyber Unit case hits all of the characteristics of a full-fledged cyber scam and is exactly the kind of misconduct the unit will be pursuing. We acted quickly to protect retail investors from this initial coin offering's false promises."

Via: Reuters

Source: SEC


Android will flag snooping apps that don’t warn users

Google, a company known to keep uncomfortably close tabs on users, is taking new measures to ensure that other Android apps don't do the same without proper warning. The company's Safe Browsing team has unveiled stricter enforcement of its "unwanted software policy," warning users off apps that collect your personal data without consent. Google's search engine will even scare users away from websites that offer up apps violating its policies.

Google will flag bad apps with warnings on Play via Google Play Protect, or with the dreaded red boxes that discourage Search users from proceeding to bad sites. To avoid ending up on its naughty list, apps that use personal user data like your phone number, email or location data "will be required to prompt users and to provide their own privacy policy in the app," Google says. You must also provide consent each time an app transmits personal info "unrelated to the functionality of the app."

The search giant is cracking down hard on privacy issues, having recently banned apps that display ads in your lock screen, for instance. That's a noble effort, but Google itself has been conspicuous lately for violating user trust. It was found to have been tracking users' cellphone tower positions and relaying the data back to its servers, ostensibly to improve messaging speed.

It has since halted the practice, but this was happening regardless of whether you had opted in, even if you switched off your cellular service. Since it was neither informing users nor respecting their intentions, Google itself would have been in violation of its new privacy policy.

Source: Google Security Blog