December 27, 2024

Former HHS Cybersecurity Director Convicted on Child Porn Charges

Posted on August 27, 2014 by in Security

Following a four-day trial, a federal jury in Nebraska convicted the former acting director of cybersecurity at the United States Department of Health and Human Services (HHS) for his involvement in a child pornography enterprise, the Department of Justice announced on Tuesday.

Timothy DeFoggi, aged 56, is the sixth individual to be convicted as a result of an FBI investigation dubbed “Operation Torpedo,” which has targeted three child pornography websites. The former director has been convicted on three charges: accessing a computer with intent to view child pornography, engaging in a child exploitation enterprise, and conspiracy to advertise and distribute child pornography.

DeFoggi, who will be sentenced on November 7, 2014, is said to have signed up for a membership on an illegal website on March 2, 2012, and was an active member until authorities took down the site in December of the same year. In addition to accessing and soliciting illegal content from other members of the website, investigators said the man also exchanged private messages with other users, expressing interest in raping and murdering children.

The website on which DeFoggi registered an account was one of the three Tor-based pedophile sites owned and operated by 31-year-old Aaron McGrath, of Bellevue, Nebraska, who has been sentenced to 20 years in prison.

Documents obtained by Wired show that the FBI tracked down McGrath after his IP address was provided to the agency by the Dutch national police’s high tech crime unit, which in August 2011 started cracking down on pedo websites.

Operation Torpedo has been controversial because the FBI didn’t immediately arrest McGrath. Instead, they monitored him for a year, time during which they planted malware on the illegal websites in an effort to identify members. The drive-by download method, which the FBI calls a “network investigative technique,” has helped the agency track down the IP addresses, MACs and hostnames of at least 25 individuals, with 14 of them facing trial.

The malware, designed only to identify the computers that had visited the illegal websites, was planted based on search warrants signed by a federal judge, who also allowed the agency to delay notifying the targeted individuals for a period of 30 days. Since some of the suspects learned only well after the 30-day period about the use of malware to identify them, defense lawyers asked the court to throw out the evidence, a motion rejected by the judge.

Christopher Soghoian of the American Civil Liberties Union (ACLU) has pointed out that while the use of malware might seem justified in the case of Operation Torpedo, because it’s unlikely for innocent people to be prosecuted, the technique could prove problematic in other cases, such as campaigns targeting terrorists, whose online resources might be accessed for research purposes by individuals who have nothing to do with terrorism.


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Philippines Hunts New Suspects in New ‘Sextortion’ Ring

Posted on August 24, 2014 by in Security

MANILA – Philippine police arrested eight suspects and are hunting more in connection with an Internet extortion racket that has victimized hundreds of people in Hong Kong, Singapore and Macau, an official said Saturday.

This is the second large-scale arrest of suspects allegedly for “sextortion” — using the Internet to lure foreigners into sending them compromising material which they can use for blackmail, said Jhoanna Fabro, spokeswoman of the national police anti-cybercrime division.

The eight suspects were arrested and five minors taken into custody following a raid on Thursday in towns just outside Manila, she said.

But Fabro warned that an undetermined number may have escaped before the raid.

“There are other targets but we weren’t able to get them,” she told AFP.

About 400 people from Hong Kong, Singapore and Macau were targeted by the group and the arrests were made due to complaints from victims, Fabro said.

The suspects operated from towns in Bulacan province, about 30 kilometres (17 miles) from Manila. They used social media websites such as Facebook to meet people overseas and then used video call services such as Skype to engage in “cybersex,” the police said.

“Unknown to the victim, these acts were recorded. Once the suspect captured sufficiently lewd video footages, he/she would stop the call instantly. Immediately, the victim would receive messages… from the suspect, threatening the victim that his lewd acts were video recorded with a video link to prove it,” the cybercrime division said in a statement.

The suspect would then demand the victim pay a huge amount or the footage would be made public on social media or even sent to the victim’s friends or relatives, the division said.

Each victim would usually be forced to pay about $30,000 but Fabro said she could not immediately give a figure for the total gained from the “sextortion”.

Initially, the group used women but later recruited five minors who were taught to lure other victims. The minors have since been turned over to social workers, said Fabro adding that the suspects would be charged with human trafficking along with extortion.

Fabro also said they were still investigating whether this new group was related to a larger but similar “sextortion” operation that was broken up by police in May.

In that case, dozens of people operating from industrial-sized call centers were arrested after allegedly blackmailing hundreds of people around the world, luring them on social media in order to get sexually explicit information or images.

One of their victims was a 17-year-old boy in Scotland who committed suicide last year.

This newest operation “is more mobile. If they have a strong enough Internet connection, they just do it from their homes,” Fabro said.

Interpol has warned that “sextortion” has emerged as a major concern in recent years as criminals take advantage of more people using social media and greater mobile Internet access via smartphones.

© AFP 2013


Cyber Attacks From Las Vegas Spiked During Black Hat, Defcon: Imperva

Posted on August 22, 2014 by in Security

The days when the Black Hat USA and Defcon conferences are ongoing are two times when surfing the Internet in Las Vegas can be a gamble all on its own.

According to Imperva, there was a spike in malicious activity emanating from Sin City two weeks ago when the conferences were under way.

“I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and a month prior to that in order to correlate to baseline,” blogged Barry Shteiman, Imperva’s director of security strategy. “In order to do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for Nevada state, and Las Vegas specifically, then we queried the Community Defense data set for all source IPs that were in the US. Finally, we summarized by date and where the city itself is Las Vegas.”

Here’s what the company found. Typically, it detects roughly 20 attacks originating from Las Vegas on a normal day. However, during the conferences that number peaked at 2,612. There was a significant drop off as Black Hat began winding down. On Aug. 6, the conference’s second to last day, there were just 20 detected attacks. The start of Defcon – which is also the final day of Black Hat – erased that decline however and the number of attacks shot back up to 1,916 on Aug. 7.
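The procedure Shteiman describes (filter events to one state and city, summarize by date, compare against a prior-month baseline) as an added example; this is not Imperva’s code or data, and the event records, dates and counts are constructed here:

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample events, not Community Defense data:
# (event_date, country, state, city). The New Mexico row shows why the
# filter must match the state as well as the city name "Las Vegas".
def make_events():
    events = []
    for day in range(1, 6):  # baseline period: about 20 Las Vegas events/day
        events += [(date(2014, 7, day), "US", "NV", "Las Vegas")] * 20
        events += [(date(2014, 7, day), "US", "NV", "Reno")] * 5
    events += [(date(2014, 8, 5), "US", "NV", "Las Vegas")] * 600  # conference day
    events += [(date(2014, 8, 6), "US", "NV", "Las Vegas")] * 20   # back to normal
    events += [(date(2014, 8, 5), "US", "NM", "Las Vegas")] * 50   # wrong Las Vegas
    return events


def count_by_date(events, country="US", state="NV", city="Las Vegas"):
    """Keep only events geolocated to the given country/state/city and
    count them per calendar day."""
    counts = Counter()
    for event_date, c, s, ci in events:
        if (c, s, ci) == (country, state, city):
            counts[event_date] += 1
    return dict(counts)


def baseline(counts, start, end):
    """Median daily count over the baseline window [start, end]."""
    values = [n for d, n in counts.items() if start <= d <= end]
    return float(median(values)) if values else 0.0


def spikes(counts, base, factor=5.0):
    """Days whose count exceeds `factor` times the baseline, sorted."""
    return sorted(d for d, n in counts.items() if n > factor * base)


if __name__ == "__main__":
    counts = count_by_date(make_events())
    base = baseline(counts, date(2014, 7, 1), date(2014, 7, 31))
    print("baseline/day:", base)
    for d in spikes(counts, base):
        print(d, counts[d], f"({counts[d] / base:.0f}x baseline)")
```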

On the final day of Defcon, Aug. 10, the number of detected attacks fell to 7.

Chart of Attacks Coming from Las Vegas

Imperva also noted a jump in attack volume during the NAACP conference in July, which indicates one of a few possibilities: either a large crowd in a conference-scale event causes a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there, Shteiman wrote. As for Black Hat and Defcon, they are not exactly typical conferences, he added.

“They have some of the brightest security/hacking minds in the world attending,” he blogged. “Those guys who read every link before they click, run custom operating systems in cases and are generally very aware of security and therefore are less likely to be drive-by victims of hacking – for that reason, seeing numbers that high is more substantial at a hacker conference than in other conferences.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


Imperva Names Former Coverity Chief as New CEO

Posted on August 19, 2014 by in Security

Redwood Shores, California-based Imperva announced on Monday that it has appointed Anthony J. Bettencourt as the company’s new president and chief executive officer. Bettencourt replaces Shlomo Kramer, Imperva founder and CEO, who will continue to serve as chairman of the company’s board and serve as Chief Strategy Officer.

Bettencourt came to Imperva from Coverity Inc., where he recently served as chief executive officer, leading the company through its acquisition by Synopsys for roughly $375 million in February 2014. Prior to Coverity, Bettencourt served as CEO of Verity, a provider of enterprise search solutions, leading the company through its acquisition by Autonomy Corp. in 2005.

Bettencourt currently serves on the boards of Proofpoint, Blinkx and Formation Data Systems.

“I am very pleased to be joining Imperva, and look forward to capitalizing on the opportunities at Imperva for Imperva shareholders, employees and partners,” Bettencourt said. “Imperva has established a strong leadership position in the data center security market and has a proven track record of success and innovation. I am excited to be working with the Imperva executive team, board of directors and employees to grow the company to its highest potential.”

“We are very excited to welcome Anthony to Imperva. He was chosen for his distinguished track record of executive leadership, as well as his ability to build highly effective organizations. Anthony has demonstrated an ability to drive shareholder value in competitive market segments and he brings experience driving technology excellence and global growth,” Kramer commented, “I look forward to working with Anthony and am confident that he is the right person to lead Imperva on the next stage of growth.”

Earlier this year, Imperva announced its plans to acquire two security firms and assets from another, in a move that will help extend its data center security strategy across the cloud.

In its most recent quarter, Imperva (IMPV) posted revenues of $38.40 million, up 22.7% year-over-year, beating analysts’ estimates by $3.98 million. Within services revenue, overall subscription revenue grew 110% to $5.3 million, compared to the second quarter of 2013. Combined product and subscriptions revenue was $21.8 million compared to $18.2 million in the second quarter of 2013. The company said that during the second quarter of 2014, it booked 88 deals with a value over $100,000 compared to 76 deals during the second quarter of last year.

As of July 31, the company said it has over 3,300 customers in more than 75 countries around the world.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


Android Trojan Krysanec Comes Disguised as Legitimate Apps

Posted on August 13, 2014 by in Security

Researchers at ESET have uncovered a new remote access Trojan (RAT) for Android that has been masked by cybercriminals as various popular applications.

The malware, detected by the security firm as Android/Spy.Krysanec, is capable of infiltrating both free and paid Android apps, and it has been distributed via a file sharing website, a Russian social network and other channels. It has been disguised as 3G Traffic Guard, a mobile banking app from Russia’s top lender Sberbank, and even ESET Mobile Security. However, unlike the legitimate programs, the trojanized versions are not signed with valid digital certificates.

According to ESET’s Robert Lipovsky, the malicious applications they have discovered actually contain the old multi-platform RAT known as Unrecom (previously known as Adwind). Trend Micro revealed back in April that the threat was upgraded to run on Android devices. At the time, the security firm also discovered that Unrecom worked as an APK binder, giving it the ability to trojanize legitimate applications.

Once it finds itself on a device, the threat can be used to download and execute additional components that enable cybercriminals to perform various activities, like recording audio through the microphone, taking pictures, accessing text messages, obtaining the current GPS location, and collecting information on installed apps, placed calls and visited webpages.

Researchers have found that some of the samples communicate with a command and control (C&C) server hosted on a domain belonging to No-IP, the dynamic DNS provider whose domains were seized recently by Microsoft as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets. The domains were later returned to the DNS company and the case was dropped after Microsoft determined that No-IP was not knowingly facilitating the distribution of malware. 

“It’s a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious capabilities, and re-build it as new,” Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an emailed statement. “The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward.”


Previous Columns by Eduard Kovacs:


Hackers Demand Automakers Get Serious About Security

Posted on August 11, 2014 by in Security

A group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.

In an open letter to “Automotive CEOs” posted (PDF) on the I am the Cavalry website, a group of security researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard them from cyberattacks. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.

“The once distinct worlds of automobiles and cybersecurity have collided,” read the letter. “Now is the time for the automotive industry and the security community to connect and collaborate.”

Vehicles are “computers on wheels,” said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group that penned the open letter. The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.

Computers manage engines, brakes, navigation, air-conditioning, windshield wipers, entertainment systems, and other critical and non-critical components in modern cars. Security experts have warned that unless the systems are built with better security features, cyberattacks against cars could result in physical injury to the driver and any passengers. The five star plan can conceivably be used by consumers, à la Consumer Reports, to understand which automakers are thinking about security, Corman said.

The first “star,” safety by design, simply means automakers should design and build automation features with security in mind. Engineers should be stopping to think about how the systems could be tampered with and then build in blocks to prevent such an attack. Automakers should also implement a secure software development program within their companies to encourage better coding and design.

Third party collaboration asks automakers to establish a formal vulnerability disclosure program, to clearly state what their policies are and who to contact. This doesn’t mean bug bounties—where companies would pay for bugs—but rather designing a process that ensures bug reports and other information from third-party researchers reach the right engineers.

“Tesla already gets a star,” Corman said, noting the electronic car maker recently established such a policy.

Evidence capture is the first technical piece in the Five Star program, and asks for forensics capabilities such as events logging in car systems.

“We have black boxes in airplanes,” Corman said, noting it’s currently impossible to collect any information on why something failed in car systems. Security updates mean the issues found and reported which have been fixed actually get pushed out to individual cars in a timely and effective manner. And the final star—and the last technical piece—is segmentation and isolation, referring to keeping critical systems separate from the rest of the car’s network.

“With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes,” said Corman.

Vehicles, transportation systems, industrial control systems, and medical devices represent some of the hottest areas of cyber research. At Black Hat this year, Charlie Miller, an engineer at Twitter, and Chris Valasek, director of vehicle security research at IOActive, demonstrated how they could remotely control vehicles by compromising non-critical systems. The panel built on last year’s research, which showed how they could take over the brakes and the car’s steering from the back seat of the car. There were sessions discussing medical device security, and a DEF CON presentation looked at how traffic control systems were not secure.

The security industry reaching out directly to the automobile industry was a good idea, said Andrew Ruffin, a former staffer for Sen. Jay Rockefeller (D-WV), a member of the Senate Commerce Committee. Ruffin attended the press conference at DEF CON 22 on Friday. “I’m encouraged by the letter and hope there’s a quick response,” said Ruffin. “I think this has some legs.”

Considering how technology has permeated practically all parts of modern life, the group wants manufacturers to think about security and start implementing security features in their designs and business processes. The goal is to start thinking about security and implementing safeguards before the major cyberattack happens, said Corman. To people who say these things take time and would require a lot of work, Corman had two words: “We know.” The time to start is now, so that in a few years, these efforts would actually show results, he said.

Along with releasing the open letter, the group participated in a closed-door session with automobile and medical device representatives in a private meeting in Las Vegas on Tuesday and plans to discuss automotive hacking at DEF CON on Sunday. There is also a change.org petition demanding automakers pay attention to car safety and cybersecurity.

“When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles,” the letter said.

Signatures and instructions for signing the petition can be found online.

Podcast: Car Hacking with Charlie Miller and Chris Valasek

Related: Car-hacking Researchers Hope to Wake up Auto Industry

Related: Forget Carjacking, What about Carhacking?

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.

Previous Columns by Fahmida Y. Rashid:


Russian Hackers Obtained 1.2 Billion Passwords: Report

Posted on August 5, 2014 by in Security

A Russian hacker group has obtained an estimated 1.2 billion Internet credentials collected from various websites around the world, Nicole Perlroth and David Gelles of the New York Times reported Tuesday.

According to data provided to the newspaper by Hold Security, the Times reported that user names and passwords were stolen from roughly 420,000 websites of all different sizes. According to the report, the hackers also gained access to 500 million email addresses.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, founder and chief information security officer of Hold Security, told the Times.

Most of the sites that the hackers pillaged are still vulnerable, Holden said. The Times said the group is based in a small city in south central Russia and includes fewer than a dozen men in their 20s “who know one another personally — not just virtually.”

“This issue reminds me of an iceberg, where 90 percent of it is actually underwater,” John Prisco, CEO of Triumfant, told SecurityWeek in an emailed statement. “That’s what is going on here with the news of 1.2 billion credentials exposed. So many cyber breaches today are not actually reported, often times because companies are losing information and they are not even aware of it.”

“Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected because there hasn’t been a concerted effort on the part of companies entrusted with this information to protect it,” Prisco continued.

An Urgent Call for Two-factor Authentication

Eric Cowperthwaite, vice president, advanced security & strategy at Core Security, explained that this is another example of the pressing need for users and companies to leverage two-factor authentication.

“Companies need to transition to two-factor authentication,” Cowperthwaite said. “Companies such as Facebook and Twitter have finally started offering two-factor authentication, but the bottom line is that most users aren’t taking advantage of it.”

“Banks, as a standard practice, should absolutely be using two-factor authentication,” Cowperthwaite added. “They have a certain amount of loss from fraud built into their operating model – they just accept that it will happen. This acceptance is a shame since there are many simple ways to reduce those costs significantly.”

Holden told the Times that his team has started to alert victimized companies of breaches, but had been unable to reach every website. He also said that Hold Security was working to develop an online tool that enables users to test and see if their personal information is in the database.

“Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible,” said Joshua Roback, Security Architect, SilverSky. “We should expect to see these accounts for sale on underground forums before the week is through.”

“Understanding why passwords are so valuable to hackers can both explain and prepare enterprises to deal with potential security vulnerabilities,” SecurityWeek columnist Gil Zimmermann noted in a December 2013 column. “There are potentially hundreds of uses for stolen passwords once they are obtained.”

While not close to the scope of this recently disclosed discovery, Germany’s Federal Office for Online Security (BSI) warned Internet users in January that cybercriminals had obtained a list of 16 million email addresses and passwords.

Related: Hackers Just Made Off with Two Million Passwords, Now What?

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


Mozilla Accidentally Dumps Info of 76,000 Developers to Public Web Server

Posted on August 3, 2014 by in Security

Mozilla Exposes Email Addresses of 76,000 Developers and 4,000 Password Hashes

Mozilla, the foundation behind the popular Firefox Web Browser, warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process.

The discovery was made around June 22 by one of Mozilla’s Web developers, Stormy Peter, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday.

“Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” Peter wrote.

While the data was exposed to the public, it doesn’t necessarily mean that anyone with malicious intentions had discovered it before it was cleaned up, and according to Peter, Mozilla hasn’t seen any malicious activity on the server, but noted they can’t rule it out.

According to Peter, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peter warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems. Peter further clarified in comments on the blog that the exposed passwords included salts that were unique to each user record.

Mozilla sent notices to those affected, and suggested that those who had both email and password information exposed change any similar passwords they may be using.

In typical breach disclosure fashion, Peter explained that Mozilla was examining how the “processes and principles that are in place” could be made better to reduce the likelihood that a similar incident could happen again.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:
