This week, how hard lessons learned in 1982 could be applied to 2015’s security breaches, hacking for hire goes big & a savage sentient car that needs better programming.
Plus some fantastic questions, a rocking round-up & much more!
— Show Notes: —
Cyber Security and the Tylenol Murders
- “When a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. The company focused on fixing weak points in their supply chain so that users could be sure that no one had interfered with the product before they purchased it.”
- “This story is taught in business schools as an example of how a company chose to be proactive to protect its users. The FDA also passed regulations requiring increased security and Congress ultimately passed an anti-tampering law. But the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.”
- If only we could learn from this example in the case of Internet security, or even just security in general.
- “To folks who understand computer security and networks, it’s plain that the key problems are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson’s supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and “poison” our information.”
- “So if we were to approach this as a safety problem, the way forward is clear: We need better incentives for companies who store our data to keep it secure. In fact, there is broad agreement that we can easily raise the bar against cyberthieves and spies. Known vulnerabilities frequently go unpatched. For instance, The New York Times reported that the J.P. Morgan hack occurred due to an un-updated server. Information is too often stored in the clear rather than in encrypted form and many devices like smart phones or tablets, that increasingly store our entire lives, don’t even allow for key security upgrades.”
- “Not only is Congress failing to address the need for increased computer and network security, key parts of the government are working to undermine our safety. The FBI continues to demonize strong cryptography, trying instead to sell the public on “technologically stupid” strategy that will make us all less safe. Equally outrageous, the recent Logjam vulnerabilities show that the NSA has been spending billions of our tax dollars to exploit weaknesses in our computer security—weaknesses caused by the government’s own ill-advised regulation of cryptography in the 1990s—rather than helping us strengthen our systems.”
- So how can we actually solve the problem?
- “We need to ensure that companies to whom we entrust our data have clear, enforceable obligations to keep it safe from bad guys. This includes those who handle it directly and those who build the tools we use to store or otherwise handle it ourselves. In the case of Johnson & Johnson, products liability law makes the company responsible for the harm that comes to us due to the behavior of others if safer designs are available, and the attack was foreseeable. Similarly, hotels and restaurants that open their doors to the public have obligations under the law of premises liability to take reasonable steps to keep us safe, even if the danger comes from others. People who hold your physical stuff for you—the law calls them bailees—also have a responsibility to take reasonable steps to protect it against external forces.”
- “Looking at the Congressional debate, it’s as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to “share” its customer lists with the government and with the folks over at Bayer aspirin. We wouldn’t have stood for such a wrongheaded response in 1982, and we shouldn’t do so now.”
- Additional Coverage: USNews — A cybersecurity bill with White House support may weaken both network security and privacy
- Additional Coverage: PBS — How the Tylenol Murders changed how we consume medication
IRS reports thieves stole tax data on over 100,000 people
- “Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.”
- They used the “Get Transcript” feature to steal the data
- The criminals already had most of the sensitive data about the users, including their SSN, Date of Birth, and Address
- This data was used to attempt to file fraudulent tax returns
- The IRS is careful to note that this was not a breach: the data was not stolen in a hack. Rather, criminals used sensitive data they had already collected to impersonate each of the 100,000 affected people and access their IRS accounts “legitimately”
- “The agency estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013”
- The thieves tried to access over 200,000 accounts, but were only successful in about half of the cases. The IRS will notify everyone whose account was targeted; where the attempts succeeded, the IRS will provide credit monitoring. People whose accounts were targeted but not compromised should also monitor their credit reports carefully, since the thieves most likely already had most of their sensitive data in order to make the attempts in the first place
- This attack may actually be a symptom of another breach, where this data was stolen in bulk from somewhere else, and then used against the IRS
- It will be interesting to see if there are any commonalities between all of the 200,000 victims
- It also suggests that the IRS’ online system doesn’t have a very good IDS (Intrusion Detection System): if a small set of IP addresses is attempting to access 200,000 accounts, this should set off alarms. Especially if half of the attempts are failures, but even if they are not.
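To make the IDS point concrete, here is an added example (not code from the show or from the IRS) of the kind of per-source profiling that would have raised an alarm: it parses constructed access-log lines in an assumed format (timestamp, source IP, masked account id, OK/FAIL), counts how many distinct accounts each source touches and how often its requests fail, and flags sources that look like account enumeration. The thresholds are assumptions scaled to the tiny sample; in production they would be tuned to the service’s normal traffic. Note that the second flagged source has no failures at all, which is the “even if they are not” case.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> <ip> acct=<masked-id> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) acct=(?P<acct>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log lines (not real data). Addresses are documentation ranges.
SAMPLE_LOG = """\
2015-05-20T10:01:03Z 203.0.113.7 acct=A1201 result=FAIL
2015-05-20T10:01:05Z 203.0.113.7 acct=A8832 result=OK
2015-05-20T10:01:06Z 203.0.113.7 acct=A4410 result=FAIL
2015-05-20T10:01:08Z 203.0.113.7 acct=A9021 result=OK
2015-05-20T10:01:09Z 203.0.113.7 acct=A3377 result=FAIL
2015-05-20T10:01:11Z 203.0.113.7 acct=A6655 result=FAIL
2015-05-20T10:02:00Z 198.51.100.20 acct=A1111 result=OK
2015-05-20T10:02:30Z 198.51.100.20 acct=A1111 result=OK
2015-05-20T10:03:00Z 198.51.100.21 acct=A2222 result=FAIL
2015-05-20T10:03:10Z 198.51.100.21 acct=A2222 result=OK
2015-05-20T10:04:00Z 192.0.2.50 acct=A5001 result=OK
2015-05-20T10:04:01Z 192.0.2.50 acct=A5002 result=OK
2015-05-20T10:04:02Z 192.0.2.50 acct=A5003 result=OK
2015-05-20T10:04:03Z 192.0.2.50 acct=A5004 result=OK
2015-05-20T10:04:04Z 192.0.2.50 acct=A5005 result=OK
2015-05-20T10:04:05Z 192.0.2.50 acct=A5006 result=OK
"""


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def profile_sources(text):
    """Aggregate per source IP: distinct accounts touched, total attempts, failures."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for rec in parse_lines(text):
        s = stats[rec["ip"]]
        s["accounts"].add(rec["acct"])
        s["attempts"] += 1
        if rec["result"] == "FAIL":
            s["failures"] += 1
    return stats


def flag_sources(text, max_accounts=5, min_attempts=4, max_fail_ratio=0.5):
    """Return {ip: [reasons]} for sources whose behaviour looks like account enumeration.

    Thresholds are assumptions for this example: a single legitimate user rarely
    touches many different accounts, and a high failure ratio on top of that is
    a second, independent signal.
    """
    flagged = {}
    for ip, s in profile_sources(text).items():
        reasons = []
        if len(s["accounts"]) >= max_accounts:
            reasons.append(f"{len(s['accounts'])} distinct accounts from one source")
        if s["attempts"] >= min_attempts and s["failures"] / s["attempts"] > max_fail_ratio:
            reasons.append(f"failure ratio {s['failures']}/{s['attempts']}")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the sample, 203.0.113.7 is flagged on both signals and 192.0.2.50 on account spread alone, while the two sources that only retried their own account are left alone. A real deployment would key the same counters by network range and by session as well as by IP, since an attacker with a large pool of addresses can keep each one under a per-IP threshold.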
CaaS: Crime as a Service — The cybercrime service economy
- “In 2013, a pair of private investigators in the Bay Area embarked on a fairly run-of-the-mill case surrounding poached employees. But according to a federal indictment unsealed in February, their tactics sounded less like a California noir and something more like sci-fi: To spy on the clients’ adversaries, prosecutors say, they hired a pair of hackers.”
- “Nathan Moser and Peter Siragusa were working on behalf of Internet marketing company ViSalus to investigate a competitor, which ViSalus had sued for poaching some of its former employees. Next, the government alleges, Moser and Siragusa—a retired, 29-year veteran of the San Francisco police department—recruited two hackers to break into the email and Skype accounts of the competing firm. To cover their tracks, they communicated by leaving messages in the draft folder of the Gmail account “krowten.a.lortnoc”—”control a network” in reverse, according to the indictment.”
- “The California case sheds light on a burgeoning cybercrime market, where freelance hackers, both on public forums and in black markets, cater to everyone from cheating students and jealous boyfriends to law firms and executives”
- Some call it Espionage as a Service (EaaS), but it is really just Crime as a Service.
- “While it is difficult to verify the legitimacy or the quality of the hacker postings on a half-dozen online exchanges that Fast Company examined, some sites boast eBay-like feedback mechanisms that let users vouch for reliable sellers and warn each other of scams. Carr describes a range of expertise, from amateur teenagers wielding off-the-shelf spyware who may charge up to $300 for a single operation, to sophisticated industrial espionage services that make tens of thousands of dollars or more smuggling intellectual property across international lines. “The threat landscape is very complex,” he says. “A hacker group will sell to whoever wants to pay.””
- “At Hackers List, for instance, hackers bid on projects in a manner similar to other contract-work marketplaces like Elance. Those in the market for hackers can post jobs for free, or pay extra to have their listings displayed more prominently. Hackers generally pay a $3 fee to bid on projects, and users are also charged for sending messages. The site provides an escrow mechanism to ensure vendors get paid only when the hacking’s done.”
- How much do you trust a site selling an illegal service?
- “In a report released in March, Europol, the European Union’s law enforcement arm, predicts online networking sites and anonymous cash-transfer mechanisms like cryptocurrencies will continue to contribute to the growth of “crime as a service” and to criminals who “work on a freelance basis . . . facilitated by social networking online with its ability to provide a relatively secure environment to easily and anonymously communicate.””
- “The environment isn’t always secure. Earlier this month, one security sleuth unmasked the apparent owner of Hackers List as Charles Tendell, a Denver-based security expert. Soon after, Stanford legal scholar Jonathan Mayer crawled the site’s data, revealing the identities of thousands of the site’s visitors and their requests for hacks.”
- “Mayer found only 21 satisfied requests, including “i need hack account facebook of my girlfriend,” completed for $90 in January, “need access to a g mail account,” finished for $350 in February, and “I need [a database hacked] because I need it for doxing,” done for $350 in April. A majority of requests on the service involve compromising Facebook (expressly referenced in 23% of projects) and Google (14%), and are sparked by a business dispute, jilted romance, or the desire to artificially improve grades, with targets including the University of California, UConn, and the City College of New York.”
- Dell Research: Chart
- It will be interesting to see what happens in this area, I expect the more serious hacking forums to go further underground, and the more obvious ones to be infiltrated by researchers and law enforcement. I also expect to see lots of scams.
- Additional Coverage: WebPolicy.org
Feedback:
Round Up:
- Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border
- Tests show robotic surgery is not that sensitive to Internet latency, so surgery from 1200 miles away becomes possible. 200ms: no problem; 300-500ms: gets harder; if it is just bursts of lag, surgeons just pause and wait for it to resolve. Only at 600ms did they become uncomfortable with continuing
- Bank of England accidentally emails top secret “brexit” plan to newspaper
- Linux systems with hwclock SUID root vulnerable, allows unprivileged users to execute arbitrary commands as root
- Official list of features that will be removed as you upgrade from Windows 7 or 8 to Windows 10
- Insurance company refuses to pay out after breach at Cottage Health, cites lax security practices
- Volvo self-parking car runs people over if owner doesn’t pay for extra “Pedestrian Detection” feature
- Funny email I got, that looked promising at first
- Researchers show how tor hidden services can easily be de-anonymized
- Intel releases its new “Kernel Guard Technology” — Installation instructions: curl | bash…
- New Russian billboard detects uniforms and insignias, and hides adverts for banned items
- x86 emulator for ARM extends support to older ARMv6 platforms including the original Raspberry Pi. Now both Pi and Pi2 can run unmodified x86 apps
- Is security really stuck in the dark ages?
- Researchers write a secure online voting system, only problem is, it is hard to use. Neither the vote device, nor your computer, can determine how you voted though. Paper
- GitHub Commit Crawler is a tool that looks for people’s public commits and parses those commits for keywords/regexes that may contain sensitive information
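The last round-up item describes the technique as keyword/regex matching over commits. As an added example (written for this page, not the Commit Crawler’s own code or rule set), here is the defensive version of that idea: a pre-push check that walks a unified diff, looks only at added lines, and reports anything matching a few illustrative secret patterns. The diff below is constructed for the example; the AWS key id in it is the well-known documentation example value, not a live credential.

```python
import re

# Illustrative patterns only; a real scanner carries many more rules and an
# entropy check for things like API tokens that have no fixed prefix.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}

# Unified-diff hunk header; we only need the starting line number on the new side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed diff for the example. The removed line shows the safe pattern being
# replaced by a hard-coded value, which is exactly what a scanner should catch.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET"]
 ALLOWED_HOSTS = ["example.com"]
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Service
+Set DB_PASSWORD in the environment; never commit it.
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+PLACEHOLDER-KEY-MATERIAL-NOT-A-REAL-KEY
"""


def scan_diff(diff_text, patterns=PATTERNS):
    """Return [(file, new_line_number, rule_name)] for every added line that matches a rule.

    Only '+' lines are examined: a secret that is being removed is not a new leak,
    and context lines were already in the repository.
    """
    findings = []
    current_file = None
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(line)
        if m:
            new_line = int(m.group(1))
            continue
        if line.startswith(("diff ", "index ", "-", "\\")):
            continue  # file headers, removed lines, "\ No newline" markers
        if line.startswith("+"):
            content = line[1:]
            for name, pat in patterns.items():
                if pat.search(content):
                    findings.append((current_file, new_line, name))
            new_line += 1
        elif line.startswith(" "):
            new_line += 1  # unchanged context line still advances the new-side counter
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: possible secret ({rule})")
```

Wired into a pre-push hook over `git diff origin/main...HEAD`, this blocks the push before the commit ever becomes public; once a secret has been pushed, rewriting history is not enough, because the crawler-style tools the item describes may already have a copy, and the credential has to be rotated.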