Cash-out Crew Manager Sentenced to 21 Months in Prison
Posted on October 28, 2014 by Kara Dunlap in Security
A Massachusetts man has been sentenced to 21 months in prison for using information hacked from customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies in a plot to steal $15 million.
Robert Dubuc, 41, of Malden, Mass., previously pleaded guilty to charges of wire fraud conspiracy and conspiracy to commit access device fraud and identity theft.
According to court documents, Dubuc and 50-year-old Oleg Pidtergerya of Brooklyn – who has also pleaded guilty – were asked by leaders of the conspiracy to participate in a “cash-out” scheme to help steal money from compromised bank accounts. Pidtergerya managed a cash-out crew in New York for the cyber-ring’s leaders while Dubuc controlled a cash-out crew in Massachusetts for the organization.
Authorities believe Oleksiy Sharapka, 34, of Kiev, Ukraine, directed the conspiracy with the help of Leonid Yanovitsky, 39, also of Kiev.
According to authorities, hackers gained unauthorized access to the bank accounts of customers of more than a dozen organizations ranging from Citibank to E-Trade to the U.S. Department of Defense. After obtaining access to the bank accounts, Sharapka and Yanovitsky allegedly diverted money to bank accounts and pre-paid debit cards they controlled. They then turned to the cash-out crews to withdraw the stolen funds, authorities said.
Both Sharapka and Yanovitsky are under indictment in the United States and remain at large, according to the U.S. Department of Justice.
In addition to the prison term, Judge Sheridan sentenced Dubuc to serve three years of supervised release and pay restitution in the amount of $338,685. Sentencing for Pidtergerya is scheduled for Dec. 22.
Hackers Demand Automakers Get Serious About Security
Posted on August 11, 2014 by Kara Dunlap in Security
A group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.
In an open letter to “Automotive CEOs” posted (PDF) on the I am the Cavalry website, a group of security researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard them from cyberattacks. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.
“The once distinct world of automobiles and cybersecurity have collided,” read the letter. “Now is the time for the automotive industry and the security community to connect and collaborate.”
Vehicles are “computers on wheels,” said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group that penned the open letter. The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.
Computers manage engines, brakes, navigation, air-conditioning, windshield wipers, entertainment systems, and other critical and non-critical components in modern cars. Security experts have warned that unless these systems are built with better security features, cyberattacks against cars could result in physical injury to the driver and any passengers. The five-star plan could conceivably be used by consumers, in Consumer Reports style, to understand which automakers are thinking about security, Corman said.
The first “star,” safety by design, simply means automakers should design and build automation features with security in mind. Engineers should be stopping to think about how the systems could be tampered with and then build in blocks to prevent such an attack. Automakers should also implement a secure software development program within their companies to encourage better coding and design.
Third-party collaboration asks automakers to establish a formal vulnerability disclosure program, stating clearly what their policies are and whom to contact. This doesn’t mean bug bounties, where companies pay for bugs, but rather a process that ensures bug reports and other information from third-party researchers reach the right engineers.
“Tesla already gets a star,” Corman said, noting the electric car maker recently established such a policy.
Evidence capture is the first technical piece in the Five Star program, and asks for forensics capabilities such as events logging in car systems.
“We have black boxes in airplanes,” Corman said, noting it’s currently impossible to collect any information on why something failed in car systems. Security updates mean the issues found and reported which have been fixed actually get pushed out to individual cars in a timely and effective manner. And the final star—and the last technical piece—is segmentation and isolation, referring to keeping critical systems separate from the rest of the car’s network.
“With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes,” said Corman.
Vehicles, transportation systems, industrial control systems, and medical devices represent some of the hottest areas of cyber research. At Black Hat this year, Charlie Miller, an engineer at Twitter, and Chris Valasek, director of vehicle security research at IOActive, demonstrated how they could remotely control vehicles by compromising non-critical systems. The talk built on last year’s research, which showed how they could take over the brakes and the car’s steering from the back seat of the car. There were sessions discussing medical device security, and a DEF CON presentation looked at how traffic control systems were not secure.
The security industry reaching out directly to the automobile industry was a good idea, said Andrew Ruffin, a former staffer for Sen. Jay Rockefeller (D-WV), a member of the Senate Commerce Committee. Ruffin attended the press conference at DEF CON 22 on Friday. “I’m encouraged by the letter and hope there’s a quick response,” said Ruffin. “I think this has some legs.”
Considering how technology has permeated practically all parts of modern life, the group wants manufacturers to think about security and start implementing security features in their designs and business processes. The goal is to start thinking about security and implementing safeguards before the major cyberattack happens, said Corman. To people who say these things take time and would require a lot of work, Corman had two words: “We know.” The time to start is now, so that in a few years, these efforts would actually show results, he said.
Along with releasing the open letter, the group participated in a closed-door session with automobile and medical device representatives in a private meeting in Las Vegas on Tuesday and plans to discuss automotive hacking at DEF CON on Sunday. There is also a change.org petition demanding automakers pay attention to car safety and cybersecurity.
“When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles,” the letter said.
Signatures and instructions for signing the petition can be found online.
Podcast: Car Hacking with Charlie Miller and Chris Valasek
Related: Car-hacking Researchers Hope to Wake up Auto Industry
Related: Forget Carjacking, What about Carhacking?
Hackers Steal User Data From Kickstarter
Posted on February 16, 2014 by Kara Dunlap in Security
Kickstarter, a web site that serves as a funding platform for creative projects, said on Saturday that malicious hackers gained unauthorized access to its systems and accessed user data.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” Yancey Strickler, Kickstarter’s CEO, wrote in a security notice. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”
According to Strickler, customer information accessed by the attacker(s) included usernames, email addresses, mailing addresses, phone numbers, and hashed passwords (which the notice referred to as “encrypted”).
“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler said.
The company said via Twitter that “old passwords used salted SHA1, digested multiple times. More recent passwords use bcrypt.”
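The two schemes Kickstarter described differ mainly in how much work each guess costs an attacker who holds the leaked records, which is exactly the caveat in Strickler’s statement. The Python below is an added illustration, not Kickstarter’s code; the company never published its exact construction, so the legacy scheme here is an assumed reading of “salted SHA1, digested multiple times” (SHA-1 over salt||password, re-digested 1,000 times), and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which needs the third-party `bcrypt` package. The wordlist, passwords and salts are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed iteration counts: the notice says only "digested multiple times".
LEGACY_ITERATIONS = 1000
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: bytes, iterations: int = LEGACY_ITERATIONS) -> bytes:
    """Salted SHA-1 digested `iterations` times (assumed construction).

    First round covers salt || password; every later round re-hashes the
    previous digest. Cheap per round, so iteration is the only cost knob.
    """
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Tunable-cost password hash; a stdlib stand-in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "legacy") -> dict:
    """Build a stored credential record: scheme, per-user salt, cost, hash."""
    salt = os.urandom(16)
    if scheme == "legacy":
        return {"scheme": scheme, "salt": salt, "cost": LEGACY_ITERATIONS,
                "hash": legacy_hash(password, salt, LEGACY_ITERATIONS)}
    if scheme == "pbkdf2":
        return {"scheme": scheme, "salt": salt, "cost": PBKDF2_ITERATIONS,
                "hash": pbkdf2_hash(password, salt, PBKDF2_ITERATIONS)}
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(password: str, record: dict) -> bool:
    """Recompute with the record's own salt and cost; compare in constant time."""
    fn = legacy_hash if record["scheme"] == "legacy" else pbkdf2_hash
    candidate = fn(password, record["salt"], record["cost"])
    return hmac.compare_digest(candidate, record["hash"])


def crack(record: dict, wordlist) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against one leaked record.

    This is what "a malicious person with enough computing power" does:
    each guess costs `record["cost"]` hash rounds, nothing more.
    Returns (recovered password or None, guesses tried).
    """
    for tried, guess in enumerate(wordlist, start=1):
        if verify(guess, record):
            return guess, tried
    return None, len(wordlist)


# Constructed sample wordlist for the demonstration.
WORDLIST = ["123456", "password", "qwerty", "kickstarter", "password123", "letmein"]


def demo() -> dict:
    weak = make_record("password123")            # a "weak or obvious" password
    strong = make_record("Ux7#pW!q2Lr9vA&s")      # not in any short wordlist
    return {
        "weak_recovered": crack(weak, WORDLIST)[0],
        "strong_recovered": crack(strong, WORDLIST)[0],
        # Attacker work per guess, in hash invocations, under each scheme.
        "legacy_cost_per_guess": weak["cost"],
        "pbkdf2_cost_per_guess": make_record("x", "pbkdf2")["cost"],
    }


if __name__ == "__main__":
    print(demo())
```

The salt prevents one precomputed table from covering every user, but it does not slow down guessing a single record; only the cost parameter does, and for the legacy scheme that parameter is fixed at build time, whereas bcrypt and PBKDF2 expose it so it can be raised as hardware gets faster. That asymmetry is why a weak password still falls quickly under the legacy scheme and why the advisory tells users to rotate any password reused elsewhere.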
Strickler said that no credit card data was accessed by the attackers, and that so far only two Kickstarter user accounts have seen evidence of unauthorized activity.
Kickstarter did not say how many user accounts were affected in the breach, but the company says that since launching in 2009, more than 5.6 million people have pledged $980 million, funding 56,000 creative projects through its platform.
“As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password,” the advisory suggested.
“We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come,” Strickler wrote. “We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”
*Updated with additional details on password encryption.