May 31 2017

FBI Releases Article on Protecting Business Email Systems

Original release date: May 31, 2017

The Federal Bureau of Investigation (FBI) has released an article on Building a Digital Defense with an Email Fortress. The FBI warns that scammers commonly target business email accounts with phishing and social engineering schemes. Strategies for preventing email compromises include avoiding the use of free web-based email accounts; using multi-factor authentication; and updating firewalls, antivirus programs, and spam filters.

US-CERT encourages users and administrators to review the FBI article for more information and refer to US-CERT Tips on Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Attacks.

May 31 2017

Defense contractor stored intelligence data in Amazon cloud unprotected

NGA headquarters. A trove of top secret data processed by NGA contractor Booz Allen Hamilton was left exposed on a public Amazon cloud instance. (credit: Trevor Paglen)

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The files, which were connected to the US National Geospatial-Intelligence Agency (NGA)—the US military's provider of battlefield satellite and drone surveillance imagery—were posted to an account linked to defense and intelligence contractor Booz Allen Hamilton. The data was classified at up to the Top Secret level.

Based on domain-registration data tied to the servers linked to the S3 "bucket," the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache were a Booz Allen Hamilton engineer's remote login (SSH) keys, as well as login credentials for at least one system in the company's data center.

Vickery immediately sent an e-mail to Booz Allen Hamilton's chief information security officer but received no response. The next morning, he contacted the NGA, and within nine minutes access to the storage bucket was cut off. At 8 PM Eastern time on May 25, Booz Allen Hamilton's security team finally responded and confirmed the breach.

May 31 2017

Bachosens: Highly-skilled petty cyber criminal with lofty ambitions targeting large organizations

Eastern Europe-based attacker’s advanced malware bears comparison with that used by nation-state actors, but basic missteps indicate a threat actor who is skilled but lacking in expertise.

May 30 2017

New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats

The mysterious group that over the past nine months has leaked millions of dollars' worth of advanced hacking tools developed by the National Security Agency said Tuesday it will release a new batch of tools to individuals who pay a $21,000 subscription fee. The plans, announced in a cryptographically signed post published Tuesday morning, are generating an intense moral dilemma for security professionals around the world.

On the one hand, the Shadow Brokers, as the person or group calls itself, has in the past released potent hacking tools into the wild, including two that were used to deliver the WCry ransomware worm that infected more than 200,000 computers in 150 countries. If the group releases similarly catastrophic exploits for Windows 10 or mainstream browsers, security professionals are arguably obligated to have access to them as soon as possible to ensure patches and exploit signatures are in place to prevent similar outbreaks. On the other hand, there's something highly unsavory and arguably unethical about whitehats paying blackhats with a track record as dark as that of the Shadow Brokers.

"It certainly creates a moral issue for me," Matthew Hickey, cofounder of security firm Hacker House, told Ars. "Endorsing criminal conduct by paying would be the wrong message to send. Equally, I think $21k is a small price to pay to avoid another WannaCry situation, and I am sure many of its victims would agree with that sentiment."
