Home / Robin's Newsletter

Robins Newsletter #96

 Vol. 3  Iss. 16  19/04/2020, last updated 26/04/2020   Robin Oldham  ~6 Minutes

This week

Knowing your customer in the pandemic-age

This week the German state of North Rhine-Westphalia is reported to have lost between €30M - €100M through fraudulent COVID-19 support claims before closing a state aid website.

Cyber-criminals used phishing campaigns to drive residents to complete applications at fake websites they had established. The personal information was replayed against the official state aid website, but with the bank details changed to match the criminal’s bank accounts.

All this was possible because the website did not conduct a sufficient level of identity checks before paying out. Crucially all the identity information was correct, because it had been supplied by real, legitimate claimants.

The NRW government has now reinstated the website and will only pay-out claims to bank details on record that have previously been used to pay taxes.

These ‘know your customer’ checks - which you have probably encountered when being asked to provide physical copies of passports and utility bills when opening new bank accounts, or by uploading digital copies and selfie videos to challenger banks - are commonplace across financial services.

Their purpose is to help identify fraud as well as crack-down on individuals trying to avoid international sanctions. Organisations can face hefty fines from regulators for breaching these compliance requirements.

Almost 600 official complaints have been filed in relation to the scam while it’s believed that approximately 1% of the 380,000 claims for government support may have been fraudulent.

The FT picks up the compliance story in the UK, where anti-money laundering company SmartSearch has estimated that 30,000 retail financial services firms in the UK rely on manual identity checks.

As businesses adapt their business models to support remote working and more commerce moves online that compliance risk increases with poor cyber security hygiene.

Building identity and security checks into business services should be a priority. Hastily developed technology solutions may be open to replay attacks or not provide the same level of assurance as traditional approaches.

Strengthening identity checks is an obvious area of focus. Other preventative controls like CAPTCHA or detective controls like fingerprinting and logging, can be used to help reduce fraudulent transactions.

Significant state aid packages are an obvious point though other monetary transactions - such as government-backed loans - may increasingly become a target for fraudsters as controls around grants are tightened. zdnet.com, ft.com

Interesting stats

862 victims have lost over… £2.1M to coronavirus-related scams in the UK, according to figures from Action Fraud actionfraud.police.uk 3-4x increase in reports to the FBI’s Internet Crime Complaint Centre (IC3) zdnet.com

79% of people admit to sharing their passwords with someone outside their home, and 39% admit to using the same password for every service, according to a survey of 1,500 Americans by Zebra Insurance zdnet.com

Other newsy bits

GAO report finds DoD has lost track of cyber security goals

Government Accountability Office (GAO) report has found that the US Department of Defense has failed to keep track of dozens of cyber security goals it set to improve basic security hygiene.

The stand-out observation from the report for me was that seven out of seventeen goals are completely unknown because “no one has kept track of the progress.” As the old adage goes, ‘that which is measured, improves.’ If DoD weren’t tracking it to begin with, it may not have even been a priority (though I’m sure the goals were all sensible.)

‘Measure meaningful things’ is one of the mantras that Cydea (my company) focuses on and earlier this year we published seven principles that help create the right culture, based on insights from work with a private equity firm. Focus on the outcome was one of them.

Getting the basics right is hard and it starts with consistency and the culture created at the top. (Also you might not want to consider ‘military-grade’ security software for your next purchase :-)) wired.com, cydea.com

Digital risk intelligence services take a blow as Pastebin limits API access

So-called ‘paste sites’ provide a way to anonymously post snippets (or longer) pieces of code or other text information. They’re used by attackers to post manifestos and make announcements, control botnets and share lists of stolen passwords and personal data. Pastebin is one of the latest such sites and going through (scraping) all the public pastes made on their site informs a lot of open-source and digital risk intelligence services.

This week those services took a blow when Pastebin, at short notice, removed access to their API and published new terms prohibiting scraping of data from their site. Such intelligence typically gives organisation information about key employees or credentials that may have been compromised, for example. Often researchers also alert the site to harmful and unauthorised content so that it may be taken down.

The backlash from the infosec community is that by limit access Pastebin is protecting malware authors and cyber-criminals, while failing to tackle harmful content they host themselves. vice.com

In brief

Attacks, incidents & breaches

Threat intel

  • US offers $5M bounty for information on North Korean hackers amid renewed warning to Financial Services sector us-cert.gov
  • Fake Netflix, Disney+ pages being used to siphon personal data and scam users theguardian.com
  • FBI warns scientists working on Coronavirus are targets for cyber-espionage as nations seek intelligence on how other countries are responding cyberscoop.com
  • Patched that Pulse Secure VPN? You’d best change your domain passwords too zdnet.com, bleepingcomputer.com
  • April’s Patch Tuesday from Microsoft includes fixes for two critical vulnerabilities in font libraries that gives remote code execution bleepingcomputer.com
  • Nemty ransomware-as-a-service group ‘goes private’ to focus on targeted attacks zdnet.com
  • In-the-wild attack against fibre-optic routers to gain remote access theregister.co.uk
  • (Thwarted) Attacks on Airport, hospitals in Czech Republic reuters.com

Security engineering

  • Rapid7 launch ‘AttackerKB’ tool to crowd-source data on which vulnerabilities you should care about cyberscoop.com
  • ‘SkyWrapper’ tool helps to detect intrusions that are persisting by abusing AWS Security Token Service temporary tokens zdnet.com
  • Check if your Internet Service Provider ‘is BGP safe yet’ (spoiler: they’re probably not) and helping to prevent hijack attacks like those featured last week (vol. 3, iss. 15) wired.com, isbgpsafeyet.com
  • Clipboard hijacking malware found in 725 ruby libraries on RubyGems zdnet.com
  • Dell releases SafeBIOS Events & Indicators of Attack tool to detect modifications zdnet.com
  • Riot Games new anti-cheat is a case study on integrity and trustworthy computing arstechnica.com

ICS & Internet of Things

  • ‘Shakespearean’ PoetRAT group targeting government, energy sectors in Azerbaijan, interesting in SCADA and wind farms cyberscoop.com
  • ICEBUCKET Scammers are spoofing smart TVs to defraud advertisers cyberscoop.com

Privacy

  • Google and Apple’s talk about the privacy features of their contact tracing solution wired.com, while…
  • NHS denies draft memo exploring ‘de-anonymisation’ of contact tracing if ministers “judge that to be proportionate at some stage” theguardian.com

And finally

AiR-ViBeR technique bridges air-gapped systems using computer fans

There have been some brilliant proof-of-concepts in the last year at how variations in screen brightness, ultrasonic waves and even lasers can be used to bribe air gapped systems. This week it’s the turn of the humble computer fan, whirring away to keep your computer from over heating, and now hypothetically leaking sensitive information, to boot. zdnet.com