Tech Crunch

New Orleans declares state of emergency following ransomware attack

Tech Crunch Security - 2 hours 12 min ago

New Orleans declared a state of emergency and shut down its computers after a cyber security event, the latest in a string of city and state governments to be attacked by hackers.

Suspicious activity was spotted around 5 a.m. Friday morning. By 8 a.m., there was an uptick in that activity, which included evidence of phishing attempts and ransomware, Kim LaGrue, the city’s head of IT, said in a press conference. Once the city confirmed it was under attack, servers and computers were shut down.

“While ransomware was detected, there are no requests made to the city of New Orleans at this time, but that is very much a part of our investigation,” New Orleans Mayor LaToya Cantrell said during a press conference.

Numerous local and state governments have been plagued by ransomware, a file-encrypting malware that demands money for the decryption key. Pensacola, Florida, and Jackson County, Georgia, are just a few examples of the near-constant stream of ransomware attacks over the past year. Louisiana state government was attacked in November, prompting officials to deactivate government websites and other digital services and causing the governor to declare a state of emergency. It was the state’s second declaration related to a ransomware attack in less than six months.

Governments and local authorities are particularly vulnerable as they’re often underfunded and unresourced, and unable to protect their systems from some of the major threats.

New Orleans, it appears, was somewhat prepared, which officials said was the result of training and its ability to operate without internet. The investigation is in its early stages, but for now it appears that city employees didn’t interact with or provide credentials or any information to possible attackers, according to officials.

“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” said Collin Arnold, director of Homeland Security, adding that they’ve gone back to pen and paper for now.

Police, fire and EMS are prepared to work outside of the city’s internet network. Emergency communications are not affected by the cybersecurity incident, according to city officials. However, other services such as scheduling building inspections are being handled manually.

“New Orleans’s Real-Time Crime Center does work off the city network, however the cameras throughout the city record independently, so right now all of those cameras are still recording regardless of connectivity to the city’s network,” Arnold added.

A declaration of a state of emergency has been filed with the Civil District Court in connection with today’s cyber security event. pic.twitter.com/OQXDGv7JS4

— The City Of New Orleans (@CityOfNOLA) December 13, 2019

Federal, state and local officials are now involved in an investigation into the security incident.


Categories: Tech Crunch

FBI secretly demands a ton of consumer data from credit agencies. Now lawmakers want answers

Tech Crunch Security - 6 hours 12 min ago

Recently released documents revealed the FBI has for years secretly demanded vast amounts of Americans’ consumer and financial information from the largest U.S. credit agencies.

The FBI regularly uses these legal powers — known as national security letters — to compel credit giants to turn over non-content information, such as records of purchases and locations, that the agency deems necessary in national security investigations. But these letters have no judicial oversight and are typically filed with a gag order, preventing the recipient from disclosing the demand to anyone else — including the target of the letter.

Only a few tech companies, including Facebook, Google, and Microsoft, have disclosed that they have ever received one or more national security letters. Since the law changed in 2015 in the wake of the Edward Snowden disclosures that revealed the scope of the U.S. government’s surveillance operations, recipients have been allowed to petition the FBI to be cut loose from the gag provisions and publish the letters with redactions.

Tech companies have used “transparency reports” to inform their users of government demands for their data. But other major data collectors, like credit agencies, have failed to publish their figures altogether.

Three lawmakers — Democratic senators Ron Wyden and Elizabeth Warren, and Republican senator Rand Paul — have sent letters to Equifax, Experian, and TransUnion, expressing their “alarm” as to why the credit giants have failed to disclose the number of government demands for consumer data they receive.

“Because your company holds so much potentially sensitive data on so many Americans and collects this information without obtaining consent from these individuals, you have a responsibility to be transparent about how you handle that data,” the letters said. “Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI.”

Spokespeople for Equifax, Experian, and TransUnion did not respond to a request for comment outside business hours.

It’s not known how many national security letters were issued to the credit agencies since the legal powers were signed into law in 2001. The New York Times said the national security letters to credit agencies were a “small but telling fraction” of the overall half-million FBI-issued demands made to date.

Other banks and financial institutions, as well as universities, cell service and internet providers, were targets of national security letters, the documents revealed.

The senators have given the agencies until December 27 to disclose the number of demands each has received.


Many smart home device makers still won’t say if they give your data to the government

Tech Crunch Security - Wed, 12/11/2019 - 3:00pm

A year ago, we asked some of the most prominent smart home device makers if they have given customer data to governments. The results were mixed.

The big three smart home device makers — Amazon, Facebook and Google (which includes Nest) — all disclosed in their transparency reports if and when governments demand customer data. Apple said it didn’t need a report, as the data it collects was anonymized.

As for the rest, none had published their government data-demand figures.

In the year that has passed, the smart home market has grown rapidly, but the remaining device makers have made little to no progress on disclosing their figures. And in some cases, it got worse.

Smart home and other internet-connected devices may be convenient and accessible, but they collect vast amounts of information on you and your home. Smart locks know when someone enters your house, and smart doorbells can capture their face. Smart TVs know which programs you watch and some smart speakers know what you’re interested in. Many smart devices collect data when they’re not in use — and some collect data points you may not even think about, like your wireless network information, for example — and send them back to the manufacturers, ostensibly to make the gadgets — and your home — smarter.

Because the data is stored in the cloud by the device manufacturers, law enforcement and government agencies can demand those companies turn over that data to solve crimes.

But as the amount of data collection increases, companies are not being transparent about the data demands they receive. All we have are anecdotal reports — and there are plenty: Police obtained Amazon Echo data to help solve a murder; Fitbit turned over data that was used to charge a man with murder; Samsung helped catch a sex predator who watched child abuse imagery; Nest gave up surveillance footage to help jail gang members; and recent reporting on Amazon-owned Ring shows close links between the smart home device maker and law enforcement.

Here’s what we found.

Smart lock and doorbell maker August gave the exact same statement as last year, that it “does not currently have a transparency report and we have never received any National Security Letters or orders for user content or non-content information under the Foreign Intelligence Surveillance Act (FISA).” But August spokesperson Stephanie Ng would not comment on the number of non-national security requests — subpoenas, warrants and court orders — that the company has received, only that it complies with “all laws” when it receives a legal demand.

Roomba maker iRobot said, as it did last year, that it has “not received” any government demands for data. “iRobot does not plan to issue a transparency report at this time,” but it may consider publishing a report “should iRobot receive a government request for customer data.”

Arlo, a former Netgear smart home division that spun out in 2018, did not respond to a request for comment. Netgear, which still has some smart home technology, said it does “not publicly disclose a transparency report.”

Amazon-owned Ring, whose cooperation with law enforcement has drawn ire from lawmakers and faced questions over its ability to protect users’ privacy, said last year it planned to release a transparency report in the future, but did not say when. This time around, Ring spokesperson Yassi Shahmiri would not comment and stopped responding to repeated follow-up emails.

Honeywell spokesperson Megan McGovern would not comment and referred questions to Resideo, the smart home division Honeywell spun out a year ago. Resideo’s Bruce Anderson did not comment.

And just as last year, Samsung, a maker of smart devices and internet-connected televisions and other appliances, also did not respond to a request for comment.

On the whole, the companies’ responses were largely the same as last year.

But smart switch and sensor maker Ecobee, which last year promised to publish a transparency report “at the end of 2018,” did not follow through with its promise. When we asked why, Ecobee spokesperson Kristen Johnson did not respond to repeated requests for comment.

Based on the best available data, August, iRobot, Ring and the rest of the smart home device makers have hundreds of millions of users and customers around the world, with the potential to give governments vast troves of data — and users and customers are none the wiser.

Transparency reports may not be perfect, and some are less transparent than others. But if big companies — even after bruising headlines and claims of co-operation with surveillance states — disclose their figures, there’s little excuse for the smaller companies.

This time around, some companies fared better than their rivals. But for anyone mindful of their privacy, you can — and should — expect better.


ACLU sues Homeland Security over ‘stingray’ cell phone surveillance

Tech Crunch Security - Wed, 12/11/2019 - 11:00am

One of the largest civil liberties groups in the U.S. is suing two Homeland Security agencies for failing to turn over documents it requested as part of a public records request about a controversial cell phone surveillance technology.

The American Civil Liberties Union filed suit against Customs & Border Protection (CBP) and Immigration & Customs Enforcement (ICE) in federal court on Wednesday after the organization claimed the agencies “failed to produce records” relating to cell site simulators — or “stingrays.”

Stingrays impersonate cell towers to trick cell phones into connecting to them, allowing their operator to collect unique identifiers from a device and determine its location. The devices are used for surveillance, but also ensnare all other devices in their range. It’s believed newer, more advanced devices can intercept all the phone calls and text messages in range.

A government oversight report in 2016 said both CBP and ICE collectively spent $13 million on buying dozens of stingrays, which the agencies used to “locate people for arrest and prosecution,” the ACLU said.

But little else is known about stingray technology because the cell phone snooping technology is sold exclusively to police departments and federal agencies under strict non-disclosure agreements with the device manufacturer.

The ACLU filed a Freedom of Information Act request in 2017 to learn more about the technology and how it’s used, but both agencies failed to turn over any documents, it said.

The civil liberties organization said there is evidence to suggest that records exist, but has “exhausted all administrative remedies” to obtain the documents. Now it wants the courts to compel the agencies to turn over the records, “not only to shine a light on the government’s use of powerful surveillance technology in the immigration context, but also to assess whether its use of this technology complies with constitutional and legal requirements and is subject to appropriate oversight and control,” the filing said.

The group wants the agencies’ training materials and guidance documents, and records to show where and when stingrays were deployed across the United States.

CBP spokesperson Nathan Peeters said the agency does not comment on pending litigation as a matter of policy. A spokesperson for ICE did not comment.


Accel and Index back Tines, as the cybersecurity startup adds another $11M to its Series A

Tech Crunch Security - Wed, 12/11/2019 - 4:00am

It was just a couple of months ago that Tines, the cybersecurity automation startup, raised $4.1 million in Series A funding led by Blossom Capital, and now the Dublin-based company is disclosing an $11 million extension to the round.

This additional Series A funding is led by venture capital firm Accel, with participation from Index Ventures and previous backer Blossom Capital. The extra cash will be used to continue developing its cybersecurity automation platform and for further expansion into the U.S. and Europe.

Founded in February 2018 by ex-eBay, PayPal and DocuSign security engineer Eoin Hinchy, and subsequently joined by former eBay and DocuSign colleague Thomas Kinsella, Tines automates many of the repetitive manual tasks faced by security analysts so they can focus on other high-priority work. The pair had bootstrapped the company as recently as October.

“It was while I was at DocuSign that I felt there was a need for a platform like Tines,” explained Hinchy at the time of the initial Series A. “We had a team of really talented engineers in charge of incident response and forensics but they weren’t developers. I found they were doing the same tasks over and over again so I began looking for a platform to automate these repetitive tasks and didn’t find anything. Certainly nothing that did what we needed it to, so I came up with the idea to plug this gap in the market.”

To remedy this, Tines lets companies automate parts of their manual security processes with the help of six software “agents,” with each acting as a multipurpose building block. The idea is that, regardless of the process being automated, it only requires combinations of these six agent types configured in different ways to replicate a particular workflow.

In addition, the platform doesn’t rely on pre-built integrations to interact with external systems. Instead, Tines is able to plug in to any system that has an API. “This means integration with commercial, off-the-shelf products, or existing in-house tools is quick and simple, with most security teams automating stories (workflows) within the first 24 hours,” says the startup. Its software is also starting to find utility beyond cybersecurity processes, with several Tines customers using it in IT, DevOps, and HR.

“We heard that Eoin, a senior member of the security team at DocuSign (another Accel portfolio company), had recently left to start Tines, so we got in touch,” Accel’s Seth Pierrepont tells TechCrunch. “They were in the final stages of closing their Series A. However, we were so convinced by the founders, their product approach, and the market timing, that we asked them to extend the round”.

Pierrepont also points out that a unique aspect of the Dublin ecosystem is that many of the world’s largest tech companies have their European headquarters in the country (often attracted by relatively low corporation tax), “so it’s an incredibly rich talent pool despite being a relatively small city”.

Asked whether Accel views Tines as a cybersecurity automation company or a more general automation play that puts automation in the hands of non-technical employees for a multitude of possible use cases, Pierrepont says, given Hinchy and Kinsella’s backgrounds, the cybersecurity automation sector should be the primary focus for the company in the short term. However, longer term it is likely that Tines will be adopted across other functions as well.

“From our investment in Demisto (which was acquired by Palo Alto Networks earlier this year), we know the security automation or SOAR category (as Gartner defines it) very well,” he says. “Demisto pioneered the category and was definitively the market leader when it was acquired. However, we think the category is just getting started and that there is still a ton of whitespace for Tines to go after”.

Meanwhile, in less than a year, Tines says it has on-boarded 10 enterprise customers across a variety of industries, including Box, Auth0 and McKesson, with companies automating on average 100 thousand actions per day.


An iOS bug in AirDrop let anyone temporarily lock-up nearby iPhones

Tech Crunch Security - Tue, 12/10/2019 - 1:31pm

Apple has fixed a bug in iOS 13.3, out today, which let anyone temporarily lock users out of their iPhones and iPads by forcing their devices into an inescapable loop.

Kishan Bagaria found a bug in AirDrop, which lets users share files from one iOS device to another. He found the bug let him repeatedly send files to all devices able to accept files within wireless range of an attacker.

When a file is received, iOS blocks the display until the file is accepted or rejected. But because iOS didn’t limit the number of file requests a device can accept, an attacker can simply keep sending files again and again, repeatedly displaying the file accept box, causing the device to get stuck in a loop.

Using an open source tool, Bagaria could repeatedly send files again and again to not only a specific target in range, but every device set to accept files in wireless range.

A demonstration of an ‘AirDoS’ attack. (Image: Kishan Bagaria/supplied)

Bagaria calls the bug “AirDoS”; the latter part is short for “denial-of-service,” since the bug effectively denies a user access to their device.

Devices that had their AirDrop setting set to receive files from “Everyone” were mostly at risk. Turning off Bluetooth would effectively prevent the attack. But Bagaria said that the file accept box is so persistent it’s near-impossible to turn off Bluetooth when an attack is under way.

The only other way to stop an attack? “Simply run away,” he said. Once a user is out of wireless range of the attacker, they can turn off Bluetooth.

“I’m not sure how well this’d work in an airplane,” he joked.

Apple fixed the bug by adding a rate-limit, preventing a barrage of requests over a short period of time. Because the bug wasn’t strictly a security vulnerability, Apple said it would not issue a Common Vulnerabilities and Exposures (CVE) identifier, typically associated with security-related issues, but would “publicly acknowledge” his findings in the security advisory.


Is your startup protected against insider threats?

Tech Crunch Security - Tue, 12/10/2019 - 1:31pm

We’ve talked about securing your startup, the need to understand phishing risks and how not to handle a data breach. But we haven’t yet discussed one of the more damaging threats that all businesses large and small face: the insider threat.

The insider threat is exactly as it sounds — someone within your organization who has malicious intent. Your employees will be one of your biggest assets, but human beings are the weakest link in the security chain. Your staff are already in a privileged position — in the sense that they are in a place where they have access to far more than they would as an outsider. That means taking data, either maliciously or inadvertently, is easier for staff than it might be for a hacker.

“Organizations need to understand that the threats coming from inside their organizations are as critical as, if not more dangerous than, the threats coming from the outside,” said Stephanie Carruthers, a social engineering expert who serves as chief people hacker at IBM X-Force Red, a division of Big Blue that looks for breaches in IoT devices before — and after — they go to market.

Insider risks can become active threats for many reasons. Some individuals may become disgruntled, some want to blow the whistle on wrongdoing and others can be approached (or even manipulated) by career criminals over debts or other matters in their private life.

There are plenty of examples, many not too far back in recent history.


‘Plundervolt’ attack breaches chip security with a shock to the system

Tech Crunch Security - Tue, 12/10/2019 - 1:01pm

Today’s devices have been secured against innumerable software attacks, but a new exploit called Plundervolt uses distinctly physical means to compromise a chip’s security. By fiddling with the actual amount of electricity being fed to the chip, an attacker can trick it into giving up its innermost secrets.

It should be noted at the outset that while this is not a flaw on the scale of Meltdown or Spectre, it is a powerful and unique one and may lead to changes in how chips are designed.

There are two important things to know in order to understand how Plundervolt works.

The first is simply that chips these days have very precise and complex rules as to how much power they draw at any given time. They don’t just run at full power 24/7; that would drain your battery and produce a lot of heat. So part of designing an efficient chip is making sure that for a given task, the processor is given exactly the amount of power it needs — no more, no less.

The second is that Intel’s chips, like many others now, have what’s called a secure enclave, a special quarantined area of the chip where important things like cryptographic processes take place. The enclave (here called SGX) is inaccessible to normal processes, so even if the computer is thoroughly hacked, the attacker can’t access the data inside.


The creators of Plundervolt were intrigued by recent work by curious security researchers who had, through reverse engineering, discovered the hidden channels by which Intel chips manage their own power.

Hidden, but not inaccessible, it turns out. If you have control over the operating system, which many attacks exist to provide, you can get at these “Model-Specific Registers,” which control chip voltage, and can tweak them to your heart’s content.

Modern processors are so carefully tuned, however, that such a tweak will generally just cause the chip to malfunction. The trick is to tweak it just enough to cause the exact kind of malfunction you expect. And because the entire process takes place within the chip itself, protections against outside influence are ineffective.

The Plundervolt attack does just this, using the hidden registers to very slightly change the voltage going to the chip at the exact moment that the secure enclave is executing an important task. By doing so they can induce predictable faults inside SGX, and by means of these carefully controlled failures cause it and related processes to expose privileged information. It can even be performed remotely, though of course full access to the OS is a prerequisite.

In a way it’s a very primitive attack, essentially giving the chip a whack at the right time to make it spit out something good, like it’s a gumball machine. But of course it’s actually quite sophisticated, since the whack is an electrical manipulation on the scale of millivolts, which needs to be applied at exactly the right microsecond.

The researchers explain that this can be mitigated by Intel, but only through updates at the BIOS and microcode level — the kind of thing that many users will never bother to go through with. Fortunately for important systems there will be a way to verify that the exploit has been patched when establishing a trusted connection with another device.

Intel, for its part, downplayed the seriousness of the attack. “We are aware of publications by various academic researchers that have come up with some interesting names for this class of issues, including ‘VoltJockey’ and ‘Plundervolt,’” it wrote in a blog post acknowledging the existence of the exploit. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”

Plundervolt is one of a variety of attacks that have emerged recently taking advantage of the ways that computing hardware has evolved over the last few years. Increased efficiency usually means increased complexity, which means increased surface area for non-traditional attacks like this.

The researchers who discovered and documented Plundervolt hail from the UK’s University of Birmingham, Graz University of Technology in Austria, and KU Leuven in Belgium. They are presenting their paper at IEEE S&P 2020.


Over 750,000 applications for US birth certificate copies exposed online

Tech Crunch Security - Mon, 12/09/2019 - 1:00pm

An online company that allows users to obtain a copy of their birth and death certificates from U.S. state governments has exposed a massive cache of applications — including their personal information.

More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket. (The bucket also had 90,400 death certificate applications but these could not be accessed or downloaded.)

The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.

Each application process differed by state, but performed the same task: allowing customers to apply to their state’s record-keeping authority — usually a state’s department of health — to obtain a copy of their historical records. The applications we reviewed contained the applicant’s name, date-of-birth, current home address, email address, phone number, and historical personal information, including past addresses, names of family members, and the reason for the application — such as applying for a passport or researching family history.

The applications for copies of birth certificates from many U.S. states — including California, New York, and Texas — were left online. (Image: TechCrunch)

The applications dated back to late 2017 and the bucket was updating daily. In one week, the company added about 9,000 applications to the bucket.

U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records.

Fidus and TechCrunch sent several emails prior to publication to warn of the exposed data, but we received only automated emails and no action was taken. We are not naming the company. When reached, Amazon would not intervene but said it would inform the customer.

We also reached out to the local data protection authority to warn of the security lapse, but it did not immediately comment.


RaySecur, a mailroom security startup, raises $3M in seed funding

Tech Crunch Security - Sun, 12/08/2019 - 5:23am

RaySecur says at least ten times a day someone sends a suspicious package containing powder, liquid, or some other kind of hazard.

The Boston, Mass.-based startup says its desktop-sized 3D real-time scanning technology, dubbed MailSecur, can intercept and detect threats in the mailroom before they ever make it onto the office floor.

Mailroom security may not seem fancy or interesting, but mailrooms are a common gateway into a corporate environment. They’re a huge attack vector for attackers — both physical and cyber. Earlier this year we wrote about warshipping, a “Trojan horse”-type attack that can be used as a way for hackers to ship hardware exploits into a business, break into the Wi-Fi, and pivot onto the corporate network to steal data.

Now, the company has raised $3 million in seed-round funding led by One Way Ventures, with participation from Junson Capital, Launchpad Venture Group, and also Dreamit Ventures, a Philadelphia-based early stage investor and accelerator, which last year announced it would move into the early-stage security space.

RaySecur’s proprietary millimeter-wave scanner, MailSecur. (Image: supplied)

RaySecur uses millimeter-wave technology — similar to the scanners you find at airport security — to examine suspicious letters, flat envelopes, and small parcels. Its technology can detect powders as small as 2% of a teaspoon or a single drop of liquid, the company claims.

The startup said the funding will help expand its customer base. Although still in its infancy, the company has about ten Fortune 500 customers using its MailSecur scanner.

Since it was founded in 2018, the company has scanned more than 9.2 million packages.

Semyon Dukach, managing partner at One Way Ventures, said the funding will help “bring this compelling technology to an even broader market.”


Reddit links UK-US trade talk leak to Russian influence campaign

Tech Crunch Security - Sat, 12/07/2019 - 5:59am

Reddit has linked account activity involving the leak and amplification of sensitive UK-US trade talks on its platform during the ongoing UK election campaign to a suspected Russian political influence operation.

Or, to put it more plainly, the social network suspects that Russian operatives are behind the leak of sensitive trade data — likely with the intention of impacting the UK’s General Election campaign.

The country goes to the polls next week, on December 12.

The UK has been politically deadlocked since mid 2016 over how to implement the result of the referendum to leave the European Union. The minority Conservative government has struggled to negotiate a Brexit deal that parliament backs. Another hung parliament or minority government would likely result in continued uncertainty.

In a post discussing the “Suspected campaign from Russia”, Reddit writes:

We were recently made aware of a post on Reddit that included leaked documents from the UK. We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.

Earlier this year Facebook discovered a Russian campaign on its platform, which was further analyzed by the Atlantic Council and dubbed “Secondary Infektion.” Suspect accounts on Reddit were recently reported to us, along with indicators from law enforcement, and we were able to confirm that they did indeed show a pattern of coordination. We were then able to use these accounts to identify additional suspect accounts that were part of the campaign on Reddit. This group provides us with important attribution for the recent posting of the leaked UK documents, as well as insights into how adversaries are adapting their tactics.

Reddit says that an account, called gregoratior, originally posted the leaked trade talks document. Later a second account, ostermaxnn, reposted it. The platform also found a “pocket of accounts” that worked together to manipulate votes on the original post in an attempt to amplify it. Fairly fruitlessly, as it turned out: the leak gained little attention on Reddit, per the company.

As a result of the investigation Reddit says it has banned 1 subreddit and 61 accounts — under policies against vote manipulation and misuse of its platform.

The story doesn’t end there, though, because whoever was behind the trade talk leak appears to have resorted to additional tactics to draw attention to it — including emailing campaign groups and political activists directly.

This activity did bear fruit this month when the opposition Labour party got hold of the leak and made it into a major campaign issue, claiming the 451-page document shows the Conservative party, led by Boris Johnson, is plotting to sell off the country’s free-at-the-point-of-use National Health Service (NHS) to US private health insurance firms and drug companies.

Labour party leader, Jeremy Corbyn, showed a heavily redacted version of the document during a TV leaders debate earlier this month, later calling a press conference to reveal a fully un-redacted version of the data — arguing the document proves the NHS is in grave danger if the Conservatives are re-elected.

Johnson has denied Labour’s accusation that the NHS will be carved up as the price of a Trump trade deal. But the leaked document itself is genuine.

It details preliminary meetings between UK and US trade negotiators, which took place between July 2017 and July 2019, in which discussion of the NHS does take place, in addition to other issues such as food standards.

The document does not, however, confirm what position the UK might seek to adopt in any future trade talks with the US.

The source of the heavily redacted version of the document appears to be a Freedom of Information (FOI) request by campaigning organisation, Global Justice Now — which told Vice it made an FOI request to the UK’s Department for International Trade around 18 months ago.

The group said it was subsequently emailed a fully unredacted version of the document by an unknown source which also appears to have sent the data directly to the Labour party. So while the influence operation looks to have originated on Reddit, the agents behind it seem to have resorted to more direct means of data dissemination in order for the leak to gain the required attention to become an election-influencing issue.

Experts in online influence operations had already suggested similarities between the trade talks leak and an earlier Russian operation, dubbed Secondary Infektion, which involved the leak of fake documents on multiple online platforms. Facebook identified and took down that operation in May.

In a report analysing the most recent leak, social network mapping and analysis firm Graphika says the key question is how the trade document came to be disseminated online a few weeks before the election.

“The mysterious [Reddit] user seemingly originated the leak of a diplomatic document by posting it around online, just six weeks before the UK elections. This raises the question of how the user got hold of the document in the first place,” it writes. “This is the single most pressing question that arises from this report.”

Graphika’s analysis concludes that the manner of leaking and amplifying the trade talks data “closely resembles” the known Russian information operation, Secondary Infektion.

“The similarities to Secondary Infektion are not enough to provide conclusive attribution but are too close to be simply a coincidence. They could indicate a return of the actors behind Secondary Infektion or a sophisticated attempt by unknown actors to mimic it,” it adds.

Internet-enabled Russian influence operations that feature hacking and strategically timed data dumps of confidential/sensitive information, as well as the seeding and amplification of political disinformation which is intended to polarize, confuse and/or disengage voters, have become a regular feature of Western elections in recent years.

The most high profile example of Russian election interference remains the 2016 hack of documents and emails from Hillary Clinton’s presidential campaign and Democratic National Committee — which went on to be confirmed by US investigators as an operation by Russia’s GRU intelligence agency.

In 2017 emails were also leaked from French president Emmanuel Macron’s campaign shortly before his election — although with apparently minimal impact in that case. (Attribution is also less clear-cut.)

Russian activity targeting UK elections and referendums remains a matter of intense interest and investigation — and had been raised publicly as a concern by former prime minister, Theresa May, in 2017.

Her government, however, failed to act on recommendations to strengthen UK election and data laws to respond to the risks posed by Internet-enabled interference. She also did nothing to investigate questions over the extent of foreign interference in the 2016 brexit referendum.

May was finally unseated by the ongoing political turmoil around brexit this summer, when Johnson took over as prime minister. But he has also turned a wilfully blind eye to the risks around foreign election interference — while fully availing himself of data-fuelled digital campaign methods whose ethics have been questioned by multiple UK oversight bodies.

A report into Russian interference in UK politics which was compiled by the UK’s intelligence and security parliamentary committee — and had been due to be published ahead of the general election — was also personally blocked from publication by the prime minister.

Voters won’t now get to see that information until after the election. Or, well, barring another strategic leak…

After criticism, Homeland Security drops plans to expand airport face recognition scans to US citizens

Tech Crunch Security - Thu, 12/05/2019 - 1:27pm

Homeland Security has confirmed it will not expand face recognition scans to U.S. citizens arriving and departing the country, days after it emerged the agency proposed making the scans for citizens mandatory.

The department, whose responsibility is border protection and immigration checks, said in a government filing that it wanted to “amend the regulations to provide that all travelers, including U.S. citizens, may be required to be photographed upon entry and/or departure.”

The American Civil Liberties Union criticized the move, saying it had “profound privacy concerns” despite promises from the government that it had no plans to expand the face recognition checks to Americans.

Currently, U.S. citizens are allowed to opt out of face recognition scans at the airport, but foreign nationals and visitors are required to have their faces scanned when arriving or leaving the U.S., where the systems are installed.

Homeland Security says the scans are to help crack down on illegal immigration and visa overstays.

A spokesperson for Customs & Border Protection, which filed the proposal, said the agency has “no current plans to require U.S. citizens to provide photographs upon entry and exit from the United States,” and that it “intends to have the planned regulatory action regarding U.S. citizens removed from the unified agenda next time it is published.”

The agency spokesperson said CBP “initially considered” including U.S. citizens in its face recognition checks at airports and other ports of entry “because having separate processes for foreign nationals and U.S. citizens at ports of entry creates logistical and operational challenges that impact security, wait times and the traveler experience.”

“Upon consultation with Congress and privacy experts, however, CBP determined that the best course of action is to continue to allow U.S. citizens to voluntarily participate in the biometric entry-exit program,” the spokesperson noted.

Just yesterday, CBP said it met with privacy experts and that it was “committed to keeping the public informed about our use of facial comparison technology,” said CBP’s John Wagner.

A source with knowledge of the meeting said privacy advocates warned the government against expanding face recognition scans for U.S. citizens, citing privacy risks.

Apple says its ultra wideband technology is why newer iPhones appear to share location data, even when the setting is disabled

Tech Crunch Security - Thu, 12/05/2019 - 12:30pm

This week, security reporter Brian Krebs asked why the newest iPhone 11 Pro appeared to be sending out a user’s location even when the user disabled Location Services in their phone’s settings, in conflict with Apple’s privacy policy and the express wishes of the user.

Apple told Krebs it was “expected behavior” and that there were no security implications, but failed to assuage fears of a location-leaking bug.

Krebs came to a logical conclusion. “It seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services,” he wrote.

He wasn’t wrong. The technology giant now has an explanation — two days after Krebs’ article went up and more than half a day after the company declined to comment on the matter.

Newer iPhones — including the iPhone 11 Pro which Krebs used — come with ultra wideband technology, which Apple says gives its newer handsets “spatial awareness” to understand where other ultra wideband devices are located. Apple only advertises one such use for this technology — users wirelessly sharing files over AirDrop — but it’s believed it may become part of the company’s highly anticipated upcoming “tag”-locating feature, which has yet to be announced.

“Ultra wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” an Apple spokesperson told TechCrunch. “iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable ultra wideband and comply with regulations.”

“The management of ultra wideband compliance and its use of location data is done entirely on the device and Apple is not collecting user location data,” the spokesperson said.

That seems to back up what experts have discerned so far. Will Strafach, chief executive at Guardian Firewall and iOS security expert, said in a tweet that his analysis showed there was “no evidence” that any location data is sent to a remote server.

Apple said it will provide a new dedicated toggle option for the feature in an upcoming iOS update.

But Strafach, like many others, questioned why Apple hadn’t explained the situation better to begin with.

Apple could have said something days ago, immediately squashing rumors with a simple explanation. But it didn’t. That absence of explanation only welcomed speculation. Credit to Krebs for reporting the matter. But Apple’s delayed response made this a far bigger issue than it ever had to be.

Justice Dept. charges Russian hacker behind the Dridex malware

Tech Crunch Security - Thu, 12/05/2019 - 10:29am

U.S. prosecutors have brought computer hacking and fraud charges against a Russian citizen, Maksim Yakubets, who is accused of developing and distributing Dridex, a notorious banking malware used to allegedly steal more than $100 million from hundreds of banks over a multi-year operation.

Per the unsealed 10-count indictment, Yakubets is accused of leading and overseeing Evil Corp, a Russian-based cybercriminal network that oversaw the creation of Dridex. The malware is often spread by email and infects computers, silently siphoning off banking logins. The malware has also been known to be used as a delivery mechanism for ransomware, as was the case with the April cyberattack on drinks giant Arizona Beverages.

The Russian hacker is also alleged to have used the Zeus malware to successfully steal more than $70 million from victims’ bank accounts. Prosecutors said the Zeus scheme was “one of the most outrageous cybercrimes in history.”

Justice Department officials, speaking in Washington DC with their international partners from the U.K.’s National Crime Agency, said Yakubets also provided “direct assistance” to the Russian government in his role working for the FSB (formerly KGB) from 2017 to work on projects involving the theft of confidential documents through cyberattacks.

Prosecutors said Evil Corp was to blame for an “unimaginable” amount of cybercrime during the past decade, with a primary focus on attacking financial organizations in the U.S. and the U.K.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Brian Benczkowski, assistant attorney general in the Justice Department’s criminal division, in remarks.

The State Department announced a $5 million reward for information related to the capture of Yakubets, who remains at large.

In a separate statement, Treasury secretary Steven Mnuchin said the department issued sanctions against Evil Corp for the group’s role in international cyber crime, including two other hackers associated with the group — Igor Turashev and Denis Gusev — as well as seven Russian companies with connections to Evil Corp.

“This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” said Mnuchin.

Most of the largest US voting districts are vulnerable to email spoofing

Tech Crunch Security - Thu, 12/05/2019 - 7:00am

Only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks, seen as a key attack method by hackers who officials say want to disrupt the upcoming presidential election.

The findings come less than a year before millions of Americans are set to go to the polls to vote for the next U.S. commander-in-chief, amid fears that Russia is preparing to disrupt the upcoming presidential election with tactics to manipulate voters as the U.S. intelligence community found in 2016. U.S. officials aren’t only concerned about the spread of foreign-led disinformation — or “fake news” — to try to alter the outcome of the tally, but also threats facing election infrastructure, like hackers breaking into election websites to dissuade or disenfranchise voters from casting their ballot — or even stealing voter data.

Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects fraudulent or spoofed emails.

DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending to spam or bouncing it from the target’s inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know.

But the research found that although DMARC is enabled on many domains, it’s not properly enforced, rendering its filtering efforts largely ineffective.

The researchers said 66% of the district election-related domains had no DMARC record at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether.
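The three buckets the survey uses (no record, valid record without enforcement, invalid record) fall out of the DMARC TXT record itself. The following classifier is an added example, not Valimail’s tooling or TechCrunch’s code: it takes whatever TXT strings were found at `_dmarc.<domain>` (an empty list when nothing is published) and sorts the domain into the survey’s categories. The domain names and records in `SAMPLE_ZONES` are constructed for illustration, and the decision to count `pct=0` as “not enforced” is this example’s own choice rather than something the article states.

```python
"""Added example: bucket DMARC records the way the survey in the article does.

Input is the list of TXT strings found at _dmarc.<domain> (empty list = nothing
published). All domain names and records below are constructed sample data.
"""
from collections import Counter
from enum import Enum


class DmarcStatus(Enum):
    MISSING = "no DMARC record"
    INVALID = "invalid DMARC record"
    NOT_ENFORCED = "valid record, no enforcement"
    ENFORCED = "valid record, enforcement (quarantine or reject)"


def parse_dmarc_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raise ValueError on a malformed tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: list) -> DmarcStatus:
    """Classify the TXT strings found at _dmarc.<domain>."""
    # Only strings that start with the version tag count as DMARC records.
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcStatus.MISSING
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: more than one record and receivers apply none of them.
        return DmarcStatus.INVALID
    try:
        tags = parse_dmarc_tags(dmarc[0])
    except ValueError:
        return DmarcStatus.INVALID
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcStatus.INVALID  # 'p' is mandatory and must be one of the three
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return DmarcStatus.INVALID
    if not 0 <= pct <= 100:
        return DmarcStatus.INVALID
    if policy == "none" or pct == 0:
        # p=none only asks for reports; pct=0 applies quarantine/reject to no mail.
        # Counting pct=0 as "not enforced" is a choice made in this example.
        return DmarcStatus.NOT_ENFORCED
    return DmarcStatus.ENFORCED


# Constructed sample data: what a TXT lookup at _dmarc.<domain> might return.
SAMPLE_ZONES = {
    "county-a.example": [],                                      # nothing published
    "county-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county-b.example"],
    "county-c.example": ["v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"],
    "county-d.example": ["v=DMARC1; p=quarantine; pct=0"],      # enforcement for 0% of mail
    "county-e.example": ["v=DMARC1; rua=mailto:dmarc@county-e.example"],  # no 'p' tag
    "county-f.example": ["some unrelated TXT string"],            # not a DMARC record
    "county-g.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],        # duplicate records
    "county-h.example": ["v=DMARC1; p=bogus"],                   # unknown policy value
}


def summarize(zones: dict) -> Counter:
    """Count how many domains fall into each DmarcStatus bucket."""
    return Counter(classify_dmarc(records) for records in zones.values())


if __name__ == "__main__":
    for domain, records in SAMPLE_ZONES.items():
        print(f"{domain:20s} {classify_dmarc(records).value}")
    print(dict(summarize(SAMPLE_ZONES)))
```

In real use the `SAMPLE_ZONES` values would come from a DNS TXT query for `_dmarc.<domain>`; the classifier itself needs no network access, so it can be run over an exported list of records. Note that the "no enforcement" bucket here covers both `p=none` and a percentage of zero, which is the state the article describes as enabled but not properly enforced.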

That could be a problem for six swing states — Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin — where their largest districts are not protected from impersonation attacks. These states are critical to both Democrats and Republicans, as their historically razor-thin majorities have allowed either party’s candidates to win.

The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data, or delete it altogether, a move that would potentially disrupt the democratic process.

“It does not require a stretch to imagine attackers impersonating election officials via spoofed domains in order to spread disinformation, conduct voter misdirection or voter-suppression campaigns, or even to inject malware into government networks,” said Valimail’s Seth Blank, who authored the research.

“DMARC at enforcement is a crucial best practice for stopping the largest attack vector into any organization,” said Blank.

“It’s time to get it done,” he said.

A Sprint contractor left thousands of US cell phone bills on the internet by mistake

Tech Crunch Security - Wed, 12/04/2019 - 5:29pm

A contractor working for cell giant Sprint stored on an unprotected cloud server hundreds of thousands of cell phone bills of AT&T, Verizon and T-Mobile subscribers.

The storage bucket had more than 261,300 documents, the vast majority of which were phone bills belonging to cell subscribers dating as far back as 2015. But the bucket, hosted on Amazon Web Services (AWS), was not protected with a password, allowing anyone to access the data inside.

It’s not known how long the bucket was exposed.

The bills — which contained names, addresses and phone numbers, and many included call histories — were collected as part of an offer to allow cell subscribers to switch to Sprint, according to Sprint-branded documents found on the server. The documents explained how the cell giant would pay for the subscriber’s early termination fee to break their current cell service contract, a common sales tactic used by cell providers.

In some cases we found other sensitive documents, such as a bank statement, and a screenshot of a web page that had subscribers’ online usernames, passwords and account PINs — which in combination could allow access to a customer’s account.

U.K.-based penetration testing company Fidus Information Security found the exposed data, but it wasn’t immediately clear who owned the bucket. Fidus disclosed the security lapse to Amazon, which informed the customer of the exposure — without naming them. The bucket was subsequently shut down.

A Verizon and AT&T phone bill from two customers. (Image: supplied)

A T-Mobile bill found on the exposed servers. A handful of Sprint bills were also found. (Image: supplied)

After a brief review of the cache, we found one document that said, simply, “TEST.” When we ran the file through a metadata checker, it revealed the name of the person who created the document — an account executive at Deardorff Communications, the marketing agency tasked with the Sprint promotion.

When reached, Jeff Deardorff, president of Deardorff Communications, confirmed his company owned the bucket and that access was restricted earlier on Wednesday.

“I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again,” he told TechCrunch in an email.

Given the exposed information involved customers of the big four cell giants, we contacted each company. AT&T did not comment, and T-Mobile did not respond to a request for comment. Verizon spokesperson Richard Young said the company was “currently reviewing” the matter and would have details “as soon as it’s available.” (TechCrunch is owned by Verizon.)

When reached, a spokesperson for Sprint would not disclose the nature of its relationship with Deardorff nor would they comment on the record at the time of writing.

It’s not known why the data was exposed in the first place. It’s not uncommon for AWS storage buckets to be misconfigured by being set to “public” and not “private.”

“The uptrend we’re seeing in sensitive data being publicly accessible is concerning, despite Amazon releasing tools to help combat this,” said Harriet Lester, director of research and development at Fidus. “This scenario was slightly different to usual as it was tricky to identify the owner of the bucket, but thankfully the security team at AWS were able to pass the report on to the owner within hours and public access was shut down soon after.”

We asked Deardorff if his company plans to inform those whose information was exposed by the security lapse. We did not immediately receive a response.

DHS wants to expand airport face recognition scans to include US citizens

Tech Crunch Security - Mon, 12/02/2019 - 3:26pm

Homeland Security wants to expand facial recognition checks for travelers arriving and departing the U.S. to also include citizens, who had previously been exempt from the mandatory checks.

In a filing, the department has proposed that all travelers, and not just foreign nationals or visitors, will have to complete a facial recognition check before they are allowed to enter the U.S., but also to leave the country.

Facial recognition for departing flights has increased in recent years as part of Homeland Security’s efforts to catch visitors and travelers who overstay their visas. The department, whose responsibility is to protect the border and control immigration, has a deadline of 2021 to roll out facial recognition scanners to the largest 20 airports in the United States, despite facing a rash of technical challenges.

But although there may not always be a clear way to opt out of facial recognition at the airport, U.S. citizens and lawful permanent residents — also known as green card holders — have been exempt from these checks, the existing rules say.

Now, the proposed rule change to include citizens has drawn ire from one of the largest civil liberties groups in the country.

“Time and again, the government told the public and members of Congress that U.S. citizens would not be required to submit to this intrusive surveillance technology as a condition of traveling,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union.

“This new notice suggests that the government is reneging on what was already an insufficient promise,” he said.

“Travelers, including U.S. citizens, should not have to submit to invasive biometric scans simply as a condition of exercising their constitutional right to travel. The government’s insistence on hurtling forward with a large-scale deployment of this powerful surveillance technology raises profound privacy concerns,” he said.

Citing a data breach of close to 100,000 license plate and traveler images in June as well as concerns about a lack of sufficient safeguards to protect the data, Stanley said the government “cannot be trusted” with this technology and that lawmakers should intervene.

When reached, spokespeople for Homeland Security and Customs & Border Protection did not immediately have comment.

Tuft & Needle exposed thousands of customer shipping labels

Tech Crunch Security - Mon, 12/02/2019 - 1:51pm

Mattress and bedding giant Tuft & Needle left on an unprotected cloud server hundreds of thousands of FedEx shipping labels containing customer names, addresses and phone numbers.

More than 236,400 shipping labels were found on an Amazon Web Services (AWS) storage bucket without a password, allowing anyone who knew the easy-to-guess web address access to the customer data. Often, these AWS storage buckets are misconfigured by the owner by being set to “public” and not “private.”

The exposed labels were created between 2014 and 2017 during the company’s early years. Tuft & Needle was founded in 2012 in Arizona. But some labels were printed as recently as 2018.

It’s not known for how long the storage bucket was left open.

Two customer shipping labels of the hundreds of thousands exposed. We have redacted the shipping labels to protect the customers’ privacy. (Screenshot: TechCrunch)

U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records.

We contacted Tuft & Needle about the data exposure on Monday. The storage bucket was quickly shut down.

“We’ve secured any potential exposure and are investigating the matter further,” said spokesperson Brooke Figlo in an email.

Tuft & Needle said it would “comply” with any applicable state data breach notification laws, but did not explicitly say if the company would inform customers of the security lapse.

Top Israeli VC talks cybersecurity, diversity and ‘no go’ investments

Tech Crunch Security - Mon, 12/02/2019 - 12:18pm

It’s no secret that Israel is second only to the U.S. for its leading cybersecurity acumen, talent, startups and successful exits.

Israel is a powerhouse in both offensive and defensive cyber operations, with cybersecurity giants CyberArk, Check Point, Radware, and Illusive Networks all founded in the country in recent years. For more than two decades behind the scenes and powering some of the country’s largest cybersecurity startups was Jerusalem Venture Partners (JVP), a major venture capital firm in the region with more than $1.4 billion raised to date.

Now, the firm is pushing further into the early stage cybersecurity space. With a $220 million fund dedicated to early stage and pre-seed companies, the venture capital firm has expanded to New York.

Erel Margalit, JVP’s founder and executive chairman, spoke to Extra Crunch about why New York is a prime location for early-stage cybersecurity startups and how Israel became an incubator for some of the world’s biggest cybersecurity companies.

We also discussed why diversity is critical to his firm, how he separates fact from fiction in the security world, ethical investing, and which kinds of companies he would never invest in.

This interview has been edited for clarity and length.

TechCrunch: Tell me a little about your firm and your current work on early-stage investments.

Erel Margalit: I established JVP 25 years ago. A lot of what we were doing in the beginning was taking defense-related technologies, like wireless and fiber optics and large data systems, and transforming them through the communications world into the commercial world. Now we have 14 companies — some of which have been very successful. We’re now at a different stage where we’ve partnered with New York City to create the biggest hub in the city for the next generation of companies — the sorts that are scaling up with solutions that are not necessarily the big solution today.

Israel as a cybersecurity powerhouse

You’ve seen three or four really successful exits in the last few years from former startups you’ve helped to build out. What does the formula look like that results in these successful exits?

One of the things that we’re trying to do with second-generation entrepreneurs is we’re saying, instead of building a company to be sold for $250 million, why don’t we build a sales organization that would reach $250 million in a few years and instead build a very significant robust sales and marketing organization?

Israel has big ideas, but we’re a small country. That’s why North America — especially the U.S. — is a key first go-to market. But it’s not always easy to get it right when you’re trying to get into the U.S. and scale in a big way. However, if you are successful, a lot of Israeli companies are also able to sell into European countries and Asian countries. And so what you get is what I call a “mini-multinational,” which is a small organization that’s able to get its first customers in a bunch of places around the world. So — go forward, and then build a sales and marketing organization that is just as strong as your research and your development organization.

Israel has a conscripted military — one that invests heavily in both cybersecurity and offensive cyber capabilities. That’s one way Israel got a considerable amount of cyber talent in one place. But what else contributes to Israel’s ability to create so many strong cybersecurity startups?

Israel needs to be as strong as the seven countries around it. And the only way to do it was through technology. Cybersecurity today is one of the main means of technologically understanding what’s going on. There are state-backed cyberattacks happening all the time — they’re attacking utilities, they’re attacking the banks, but what’s going on now is they’re also attacking democracy and the individual’s rights for something that’s becoming a national issue. The British didn’t have a fair election on Brexit. The same thing happened in the United States.

I think that a lot of us understand that from just protecting large organizations and countries. Now we’re moving to protecting individual democracies and our free way of living. Everything is online. Everything now is penetrable. And if you don’t have the next generation of strategies, you’re not going to be able to continue to operate.

On the New York hub

The cybersecurity hub in New York clearly means a lot to you. Why did you choose to build a hub in New York and not somewhere else in North America?

A bug in Microsoft’s login system put users at risk of account hijacks

Tech Crunch Security - Mon, 12/02/2019 - 10:00am

Microsoft has fixed a vulnerability in its login system, which security researchers say could have been used to trick unsuspecting victims into giving over complete access to their online accounts.

The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords.

Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could’ve been used to siphon off these account tokens used to access that victim’s account — potentially without ever alerting the user.

CyberArk’s latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user.

With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen.

In some cases, the researchers said, this could be done in a “zero-click” way, which as the name suggests requires almost no user interaction at all. A malicious website hiding an embedded webpage could silently trigger the same request as a link in a malicious email to steal a user’s account token.

Luckily, the researchers registered as many of the subdomains as they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.

The security flaw was reported to Microsoft in late October and was fixed three weeks later.

“We resolved the issue with the applications mentioned in this report in November and customers remain protected,” said a Microsoft spokesperson.

It’s not the first time Microsoft has acted to fix a bug in its login system. Almost exactly a year ago, the software and services giant fixed a similar vulnerability in which researchers were allowed to alter the records of an improperly configured Microsoft subdomain and steal Office account tokens.
