We round up reporting and research from across the web about the latest security news and developments. This month: police success against cyber villains, the value of personal data, IoT security, a new ransomware strain, a new security framework and Gmail goes for 2FA.
Police forces scored three big wins against various cybercrime operations recently. In late April, authorities took down WebStresser.org, one of the world’s most popular marketplaces for launching DDoS attacks. Reuters reported that WebStresser was behind attacks on seven of Britain’s largest banks last November. The service is also alleged to have been responsible for four million attacks since 2015 against governments, police services, and businesses.
The Dutch Politie and the UK’s National Crime Agency led ‘Operation Power Off’, supported by Europol and a dozen other law enforcement agencies. They arrested alleged WebStresser administrators in four countries, seized infrastructure, and took unspecified “further measures” against some of its top users.
Before police pulled the plug, WebStresser had amassed 136,000 registered users. Threatpost aptly described WebStresser as a “criminal fantasy dream site”. It reported that there are 6.5 million DDoS attacks per year on average, earning attackers $13 million in revenue.
In separate operations, a coalition of eight countries led by Belgium took down propaganda broadcasting infrastructure of the Islamic State. Authorities targeted web assets of Amaq News Agency, an online media outlet which authorities called “the main mouthpiece of IS”. The same action also took down other IS-branded media outlets.
Completing the hat-trick, cybercrime teams from Dutch police seized the Anon-IB forum in an investigation relating to criminal offences. Vice Motherboard described Anon-IB as “possibly the most infamous site focused on revenge porn – explicit or intimate images of people shared without their consent”.
We’re always pleased to see law enforcement prevail in the fight against cybercrime. BH Consulting has been a partner of Europol for years. In 2013, our CEO Brian Honan was appointed as a special advisor on internet security to Europol’s CyberCrime Centre (EC3).
If data is the new oil, there’s no shortage of ways that criminals can refine it for profit. As this post from Dark Reading makes clear, stolen data has many purposes that security teams need to know about. The crimes range from theft of intellectual property to fraudulent tax rebate claims to straightforward schemes for stealing money, Steve Zurier wrote. Once hackers hold an inventory of stolen data, they package up and sell personal information such as names, addresses, phone numbers, and email addresses. They usually sell this data in bulk to maximise their profits. The more recent the records, the more value they fetch on the black market, Zurier said.
The question of what our data is worth in the digital economy is especially resonant and relevant in light of the recent Facebook/Cambridge Analytica scandal. Not to mention a certain four-letter privacy regulation. On Medium, Rik Ferguson of Trend Micro wrote a thoughtful post that considers the value of our personal information in the online economy. Data, he wrote, “unlike oil … is not burned up when used, but can be sold and resold, mined and reused”.
There’s plenty to chew on for privacy and security professionals. Rik wrote: “Our data is cataloged and combined with the traces we leave behind in the physical world, correlated and mined to reach conclusions far beyond those we might perhaps be comfortable with publicising, and then sold as a commodity or a subscription-based service to any interested party. It is an industry based on our ignorance and our nonchalance.”
ENISA has developed a free interactive tool based on its baseline security recommendations for the Internet of Things. This lets anyone working on IoT projects search and identify good practices. The tool is available to download here, and this page also includes a help guide. It’s based on the agency’s original study on IoT security which it published last year. The new tool is timely, as criminals have apparently begun exploiting IoT as another way to profit from cryptocurrency mining. Trend Micro researchers identified malware that hijacks the processing power of IoT devices and smartphones to mine for cryptocurrency. As Lesley Carhart of Dragos jokingly tweeted: “Your router and your IOT thermostat should really beep like your smoke detector when it’s missing a critical security patch.”
Researchers are warning of criminals taking a new approach to ransomware infections. Sophos analysed the SamSam variant and found criminals carefully choose target organisations. They then launch thousands of copies of SamSam onto that organisation’s computers all at once. Once the infection has hit, the criminals offer victims a volume discount to clean all machines. This differs from the usual spam-like scattergun approach, in which one copy of the malware is sent to as many potential targets as possible. “The cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP)”, the researchers wrote. Here’s ThreatPost’s write-up of the research. Sophos’ own blog describes the findings, and here’s a link to the technical paper.
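As an added illustration (not part of the original roundup or of Sophos’ research), the detection logic below looks for the RDP brute-force pattern the researchers describe. It parses constructed, simplified failed-logon records modelled on Windows Security event 4625 with logon type 10 (RemoteInteractive, i.e. RDP) and raises an alert for any source address that exceeds a failure threshold inside a sliding time window, listing the accounts tried.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified record format constructed for this example (not real Windows output):
# <ISO timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d+)\s+(?P<ltype>\d+)\s+(?P<user>\S+)\s+(?P<ip>[\d.]+)$"
)

# Constructed sample: 203.0.113.7 fails six times against several accounts in 20 seconds
# (brute force / spraying); 198.51.100.12 is a user mistyping twice, then logging on (4624).
SAMPLE_LOG = """\
2018-04-10T02:00:01Z 4625 10 administrator 203.0.113.7
2018-04-10T02:00:04Z 4625 10 admin 203.0.113.7
2018-04-10T02:00:08Z 4625 10 backup 203.0.113.7
2018-04-10T02:00:11Z 4625 10 administrator 203.0.113.7
2018-04-10T02:00:15Z 4625 10 sqlsvc 203.0.113.7
2018-04-10T02:00:20Z 4625 10 administrator 203.0.113.7
2018-04-10T02:05:00Z 4625 10 jsmith 198.51.100.12
2018-04-10T02:05:30Z 4625 10 jsmith 198.51.100.12
2018-04-10T02:07:00Z 4624 10 jsmith 198.51.100.12
"""

def parse_failed_rdp_logons(text):
    """Yield (timestamp, user, ip) for failed RDP logons: event 4625 with logon type 10."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "4625" or m["ltype"] != "10":
            continue  # successful logons, other event types and non-RDP logon types are ignored
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["ip"]

def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "users": [...]}} for every source address that
    produced at least `threshold` failed RDP logons inside any `window`-long span."""
    events = defaultdict(list)
    for ts, user, ip in parse_failed_rdp_logons(text):
        events[ip].append((ts, user))
    alerts = {}
    for ip, rows in events.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):  # sliding window over time-ordered failures
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                users = sorted({u for _, u in rows[start:end + 1]})
                alerts[ip] = {"failures": count, "users": users}
    return alerts
```

The `users` list distinguishes a single account being hammered from many accounts being sprayed with a few guesses each; the threshold and window are tuning knobs, and the same logic applies to real 4625 exports once the field extraction is adapted.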
The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. This updates the original version 1.0, which proved popular on its release in February 2014. Version 1.1’s updated guidelines cover authentication and identity, cybersecurity risk self-assessment, supply chain security management, and vulnerability disclosure. NIST programme manager Matt Barrett said the framework is flexible enough to meet an individual organisation’s business or mission needs. It applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things. Later this year, NIST will release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity. NIST’s press release is here and the framework is available free in PDF at this link.
Two-factor authentication got a shot in the arm after Google added this security feature for its Gmail app last month. Also called two-step verification, this sends a prompt to a user’s phone when they access their Gmail account on another computer. Naked Security said this is more secure than sending an SMS code to the phone, which can be vulnerable to fraud. It also pointed out that ease of use will encourage more people to use it, as take-up of 2FA to date has been low. Why does this matter? Gmail has 1.2 billion users worldwide. Google has more details on its blog. If you or your users still prefer passwords, here’s our advice from last year on how to choose better ones.