May 17, 2018

May 16 – A federal jury today convicted a Latvian “non-citizen,” meaning a citizen of the former USSR who had been residing in Riga, Latvia, of three counts related to his operation of “Scan4you,” an online counter antivirus service that helped computer hackers to determine whether the computer viruses and other malicious software they created would be detected by antivirus software, announced Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division, Acting U.S. Attorney Tracey Doherty-McCormick of the Eastern District of Virginia and Special Agent in Charge Matthew J. DeSarno of the FBI Washington Field Office’s Criminal Division.

Ruslans Bondars, 37, was convicted after a five-day jury trial of one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting. Sentencing is scheduled for Sept. 21.

“Ruslans Bondars helped hackers test and improve the malware they then used to inflict hundreds of millions of dollars in losses on American companies and consumers,” said Acting Assistant Attorney General Cronan. “Today’s verdict should serve as a warning to those who aid and abet criminal hackers: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable—and we will work tirelessly to identify you, prosecute you, and seek stiff sentences that reflect the seriousness of your crimes.”

“Ruslan Bondars designed and operated a service that provided essential aid to some of the world’s most destructive hackers,” said Acting U.S. Attorney Doherty-McCormick. “This verdict demonstrates our commitment to holding such actors accountable. I commend the work of the agents and prosecutors, both in the United States and in Latvia, who worked together to bring him to justice.”

According to testimony at trial and court documents, from at least 2009 until 2016, Bondars operated Scan4you, which for a fee provided computer hackers with information they used to determine whether their malware would be detected by antivirus software, including and especially by antivirus software used to protect major U.S. retailers, financial institutions and government agencies from computer intrusions.

For example, one Scan4you customer used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.

Another Scan4you customer used the service to assist the development of “Citadel,” a widely used malware strain that was used to infect over 11 million computers worldwide, including in the United States, and resulted in over $500 million in fraud-related losses. The Citadel developer took advantage of a special feature of Scan4you that allowed its integration directly into the Citadel malware toolkit through an Application Programming Interface, or API. The API tool allowed Scan4you users the flexibility to scan malware without the need to directly submit the malware to Scan4you’s website.

At its height, Scan4you was one of the largest services of its kind and had at least thousands of users. Malware developed with the assistance of Scan4you included some of the most prolific malware known to the FBI and was used in major computer intrusions committed against American businesses.

Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community.

The FBI Washington Field Office investigated the case. Trial Attorneys C. Alden Pelker and Ryan Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Kellen Dwyer and Laura Fong of the Eastern District of Virginia are prosecuting the case. The Government of Latvia, including the Latvia State Police International Cooperation Department, the Latvia State Police Cybercrime Unit, and the General Prosecutor’s Office of the Republic of Latvia – International Cooperation Division, provided assistance and support during the investigation. Additional assistance was provided by the Criminal Division’s Office of International Affairs, the FBI’s Atlanta and Minneapolis Field Offices and the Operational Technology Division, and the U.S. Attorney’s Offices for the District of Minnesota and the Northern District of Georgia.

SOURCE U.S. Attorney’s Office, Eastern District of Virginia

May 14, 2018

Danny O’Brien and Gennie Gebhart write:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

Read more on EFF, who provide directions on how to disable plugins.

You can read more about the vulnerability here, on https://efail.de. And the full technical paper in draft form can be found here:

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft][PDF]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk.
27th USENIX Security Symposium, San Diego, August 2018.

Update: on Twitter, a spokesperson for Enigmail advised users not to believe all the hype.

He later added, “The flaw can be completely mitigated by watching for packets with missing or invalid MDCs and reacting appropriately. Most email clients already do this. If you’re one of them, you’re safe.”

You may wish to read the entire thread on Twitter, beginning with GNUPG’s statement.
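As an added example (not code from this post, Enigmail or the Efail authors), the first half of the mitigation quoted above: walking an OpenPGP message's packet headers and flagging an encrypted payload that carries no MDC at all, i.e. a tag 9 Symmetrically Encrypted Data packet instead of the tag 18 integrity-protected one. Checking that a present MDC is valid requires decrypting the packet, which this check does not do; the sample messages are constructed with dummy bodies.

```python
# Walk OpenPGP packet headers (RFC 4880 section 4.2, old/new format, partial body
# lengths) and flag a tag 9 "Symmetrically Encrypted Data" packet, which has no MDC.
TAG_SED = 9  # tag 18 (SEIPD) is the integrity-protected counterpart

def _new_format_body(data: bytes, pos: int):
    """Read a new-format body, joining partial-length chunks; return (body, pos)."""
    body = bytearray()
    while True:
        o, pos, partial = data[pos], pos + 1, False
        if o < 192:                     # one-octet length
            n = o
        elif o < 224:                   # two-octet length
            n, pos = ((o - 192) << 8) + data[pos] + 192, pos + 1
        elif o == 255:                  # five-octet length
            n, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        else:                           # 224..254: partial length, more chunks follow
            n, partial = 1 << (o & 0x1F), True
        body += data[pos:pos + n]
        pos += n
        if not partial:
            return bytes(body), pos

def parse_packets(data: bytes):
    """Yield (tag, body) for each top-level packet in an OpenPGP message."""
    pos = 0
    while pos < len(data):
        ptag, pos = data[pos], pos + 1
        if not ptag & 0x80:
            raise ValueError(f"bad packet tag byte 0x{ptag:02x} at offset {pos - 1}")
        if ptag & 0x40:                 # new format: 6-bit tag
            body, pos = _new_format_body(data, pos)
            yield ptag & 0x3F, body
        else:                           # old format: 4-bit tag, 2-bit length type
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:              # indeterminate length: body runs to end of input
                n = len(data) - pos
            else:
                width = (1, 2, 4)[ltype]
                n, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
            yield tag, data[pos:pos + n]
            pos += n

def lacks_mdc(message: bytes) -> bool:
    """True if the encrypted payload is a tag 9 packet, so no MDC exists to verify."""
    return any(tag == TAG_SED for tag, _ in parse_packets(message))

# Constructed samples (dummy bodies, not real ciphertext): a new-format tag 1 PKESK
# followed by a legacy tag 9 payload, or by a tag 18 payload (version byte + data).
PKESK = bytes([0xC1, 4]) + b"\x03KEY"
LEGACY_MSG = PKESK + bytes([0xC9, 8]) + b"A" * 8
MDC_MSG = PKESK + bytes([0xD2, 8]) + b"\x01" + b"B" * 7
```

A client applying the quoted advice would refuse to decrypt (or at least refuse to render) a message for which `lacks_mdc` returns True.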

Apr 18, 2018

Will Yakowicz reports:

For some entrepreneurs, getting customers is a matter of marketing. For Jobert Abma and Michiel Prins, it’s a matter of sniffing out security vulnerabilities and staving off cyber threats.

The two self-taught computer hackers today lead HackerOne, one of the largest white-hat hacking platforms in the world. With $74 million in venture funding from the likes of Benchmark and Dragoneer Investment Group, the San Francisco-based firm tasks 160,000 computer security experts around the world with finding bugs and cybersecurity vulnerabilities for companies like General Motors, Starbucks, Airbnb, and Twitter. It also works with government agencies, like the U.S. Department of Defense, and airlines like Lufthansa.

Read more on Inc.

Apr 18, 2018

David Bender writes:

Today, 34 global technology and security companies announced that they have signed a Cybersecurity Tech Accord, which publicly commits them “to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.”  The signatories include Cisco, Dell, Facebook, HP, Intuit, and Microsoft.

The text of the Accord references recent events that have put online security at risk, and sets forth four principles:

Read more on Covington & Burling Inside Privacy.

Mar 26, 2018

Joseph Cox and Lorenzo Franceschi-Bicchierai report:

In early March, Motherboard reported that a new, mysterious government-malware company called Grey Heron is advertising malware designed to steal data from Signal and Telegram messaging apps. The company seemingly came out of nowhere, suddenly advertising its wares at surveillance fairs over the last few months.

But Grey Heron does have a history: The company emerged from controversial spyware firm Hacking Team, despite Grey Heron not mentioning these links publicly, Motherboard has learned. The move, it appears, may be to distance Grey Heron from the notorious, and perhaps damaged, brand of Hacking Team.

Read more on Motherboard.