After Yet Another Equifax Hack, IRS Suspends Contract Worth $7.5M

Equifax just can’t seem to get out of its own way.

Not long ago, the company suffered a massive data breach which saw the sensitive information of more than 145 million consumers exposed.

As a result, congressional hearings were convened, and the CEO resigned in disgrace. Amazingly, though, despite these events, the IRS opted to award the company a contract worth $7.5 million for its help and expertise in verifying taxpayer identification to prevent identity theft.

The irony did not escape the notice of security professionals around the world, who wrote literally hundreds of op-ed and protest pieces.

Then, Equifax got hacked again. The company’s website was found to have been hacked, redirecting users to a malicious site that sent them to download adware.

Almost as soon as the issue was discovered, Equifax took the page down, insisting that this latest hack was due to a third-party contractor and did not constitute another breach of their network. However, that explanation was insufficient for the IRS, which suspended the recently awarded contract in response.

The decision has a real and immediate impact on the nation’s taxpayers because it will prevent them from creating new accounts through the IRS’s “Secure Access” program, which provides taxpayer access to transcripts and other records. If you already have an account set up, you will not be impacted.

The decision to pull the contract was seen as a positive development by the congressional committee convened to hold hearings on the matter, which concluded that, given the company’s recent track record, there was no real way to argue that this somehow increased user security.

On the other hand, as was pointed out by IRS Commissioner John Koskinen, the move would prevent literally thousands of recent hurricane victims from accessing their tax information.

Both points are true, but it’s hard to see how it could be argued that pulling the contract was the wrong move, even if it temporarily inconveniences a small percentage of taxpayers.

Windows 10 Gets New Set Of Recommended Security Standards

Microsoft has introduced a new set of standards designed to make computers running Windows 10 more secure.

Obviously, these standards are not industry requirements, and most of the off-the-shelf PCs you can buy will struggle to meet all of these requirements. In time, of course, that could change, but as things stand now, if you’re interested in making your computer as safe and secure as it possibly can be, this is a road you’ll have to go down on your own and make the necessary mods and additions to your existing equipment. Here’s the summary, in a nutshell:

• 7th generation AMD or Intel Processors, because these contain MBEC (Mode-Based Execution Control)
• 64-bit processor architecture to take advantage of VBS (Virtualization-Based Security)
• Support for AMD-Vi, Intel VT-d, or ARM64 SMMUs (this, to take advantage of Input-Output Memory Management Unit device virtualization)
• Purchase a Trusted Platform Module, if one is not already built into your existing chipset
• Make use of Platform Boot Verification to prevent the loading of firmware that was not designed by the manufacturer of your system
• A minimum of 8GB of RAM
• Use a system that implements UEFI (Unified Extensible Firmware Interface) 2.4 or above
• Systems should also support the Windows UEFI Firmware Capsule Update specification
• All drivers used should be Hypervisor-based Code Integrity compliant

At first blush, this list seems a bit daunting, but the cost requirements to better secure the Windows 10 PCs on your network are really not as bad as they first appear. In fact, it is possible to find a few off-the-shelf PCs that meet the newly published security standards, so if you’re ready to replace some of your network equipment, you do have at least a few options that don’t require you to custom build.

In any case, although it’s true that the new standards aren’t a magic bullet, they will certainly go a long way toward making your network as a whole more secure, making them a welcome addition indeed.
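
One way to audit a fleet against the checklist above, added here as an example (it is not Microsoft's code and not part of the original article). It assumes each machine's inventory was exported to JSON in a hypothetical layout: a DeviceGuard object holding the fields of the Win32_DeviceGuard WMI class, plus TpmPresent, AddressWidth and TotalPhysicalMemory; the two records are constructed. The UEFI version, Firmware Capsule Update and Platform Boot Verification items are not exposed by these fields and are not checked.

```python
import json

# Codes reported by the Win32_DeviceGuard WMI class.
AVAILABLE = {2: "Secure Boot", 3: "DMA protection (IOMMU)", 7: "MBEC"}
HVCI_RUNNING = 2   # entry in SecurityServicesRunning when HVCI is active
VBS_RUNNING = 2    # VirtualizationBasedSecurityStatus: 0 off, 1 enabled, 2 running
# An "8GB" machine reports slightly less usable memory, so allow some slack.
MIN_RAM_BYTES = int(7.5 * 1024**3)


def as_list(value):
    """The JSON export may hold a scalar, a list or null; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit(record):
    """Return the checklist items a machine record fails (empty list = pass)."""
    dg = record.get("DeviceGuard") or {}
    findings = []
    available = set(as_list(dg.get("AvailableSecurityProperties")))
    for code, name in AVAILABLE.items():
        if code not in available:
            findings.append(f"{name} not available")
    if dg.get("VirtualizationBasedSecurityStatus") != VBS_RUNNING:
        findings.append("VBS not running")
    if HVCI_RUNNING not in as_list(dg.get("SecurityServicesRunning")):
        findings.append("HVCI not running")
    if not record.get("TpmPresent"):
        findings.append("no TPM")
    if record.get("AddressWidth") != 64:
        findings.append("not a 64-bit processor")
    if (record.get("TotalPhysicalMemory") or 0) < MIN_RAM_BYTES:
        findings.append("less than 8GB RAM")
    return findings


# Constructed inventory records (hypothetical export layout, not real machines).
INVENTORY = json.loads("""
[
  {"Host": "WS-001", "AddressWidth": 64, "TotalPhysicalMemory": 8467226624,
   "TpmPresent": true,
   "DeviceGuard": {"AvailableSecurityProperties": [1, 2, 3, 5, 7],
                   "SecurityServicesRunning": [1, 2],
                   "VirtualizationBasedSecurityStatus": 2}},
  {"Host": "WS-002", "AddressWidth": 64, "TotalPhysicalMemory": 4211081216,
   "TpmPresent": false,
   "DeviceGuard": {"AvailableSecurityProperties": [1, 2],
                   "SecurityServicesRunning": 0,
                   "VirtualizationBasedSecurityStatus": 0}}
]
""")

if __name__ == "__main__":
    for machine in INVENTORY:
        print(machine["Host"], audit(machine) or "meets the checked items")
```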

Hard Drives Susceptible To Sound Waves, Can Double As Microphones

File this one away under “obscure and terrifying.”

Recently, a security researcher named Alfredo Ortega, speaking at a security conference in Buenos Aires, unveiled research revealing that the hard drive in your computer can be, with a bit of work, turned into a rudimentary microphone and used to spy on you.

It should be noted that this hack only works on HDDs and takes advantage of the way they are designed. Understand that this isn’t a flaw; it’s simply the way the technology works.

An HDD cannot be read or written to if it is subject to vibration. Your machine has to wait for the oscillation to stop before it can perform an action. Modern OSs come with built-in tools that measure HDD operations to the nanosecond, and herein lies the secret of Ortega’s discovery.

The louder the sound, the more intense the vibration, and the longer the resulting delay in the read-write function of the drive.

Knowing this, Ortega figured that it would be possible to work backwards and reconstruct the sound that caused the vibration on the HDD platters.

He was at least partially correct. While his reverse engineering technology is not yet sufficiently developed to pick up conversations, he notes that there is research that can recover voice data from very low-quality signals using pattern recognition. He figures that it’s just a matter of time before someone applies it to his research.

Per Mr. Ortega: “I didn’t have time to replicate the pattern-recognition portion of that research into mine. However, it’s certainly applicable. For that reason, I would not discard that additional data like voice could be recovered in the future.”

It’s not something to be worried about immediately, but the day’s coming when your own hard drive could be used against you.

Apple’s New Face ID May Have Been Compromised

Tech companies of all shapes and sizes have been on the hunt for the “Holy Grail” of security features since before the rise of the internet. So far, a number of strategies have been developed, but none have proved to be successful. Hackers have found ways around each and every one to date.

Apple recently made another attempt when they released their new iPhone X, complete with a new “ultra-secure” Face ID security feature, which was touted during the new phone’s September launch event. During that event, Apple’s Senior VP of Worldwide Marketing, Phil Schiller, had this to say about the new feature:

“Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID.”

Unfortunately, the new feature has proved to be somewhat less “ultra-secure” than was originally advertised. Just one week after Apple’s announcement, the Vietnamese security firm Bkav was able to unlock the iPhone X using a mask.

It cost the company roughly $150 to create the mask, which was built using a combination of 2D images, a bit of makeup and a few 3D-printed components, with special attention paid to the areas around the eyes, cheeks and nose (which was printed on a 3D printer).

A spokesman for Bkav had this to say about their efforts:

“Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means that the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

All that to say, don’t put too much faith in the new “ultra-secure” Face ID feature. It’s far from the bullet-proof security feature the company touted it as being.

PayPal-Owned Company Sees Breach Of 1.6 Million Customers

TIO Networks, a cloud-based, multi-channel bill payment platform purchased by PayPal for $233 million in 2017, was breached earlier this year, exposing PII (Personally Identifiable Information) for an estimated 1.6 million of the service’s users.

TIO Networks primarily does payment processing and accounts receivables for cable, utility, wireless and telecom companies in North America. If you do business with TIO, it’s possible that your company or personal information may have been compromised.

So far, neither PayPal nor TIO Networks has released any significant details about the breach, so we do not yet have any indication of how it happened, who was responsible or exactly which of their customers had their information exposed. PayPal did release a brief statement concerning the incident, which said, in part:

“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.”

The statement went on to say that as soon as PayPal identified the breach, they took action by “initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO’s bill payment platform.”

For their part, TIO Networks has suspended all operations until the investigation into the matter has been completed, and has begun notifying impacted customers. In addition to that, as is common with situations like these, they’re also working with Experian to provide a year’s worth of free credit monitoring for people who were affected.

A part of TIO’s statement about the incident reads as follows: “At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills…. We sincerely apologize for any inconvenience caused to you by the disruption of TIO’s service.”

Apple Is On Track To Become A Trillion Dollar Company

Recently, Apple’s stock closed at $175.88, giving it a market valuation slightly above $900 billion. A Drexel Hamilton analyst named Brian White predicts that over the course of the next twelve months, the company’s stock could be trading as high as $235 per share, and at that price, Apple’s market valuation would be over one trillion dollars, making it the only trillion-dollar company on the planet.

“With a market cap of over $900 billion, we believe Apple is on its way to becoming a ‘trillion dollar baby’ as reflected in our price target. We were the first on Wall Street to project that Apple would reach a $1 trillion market cap as reflected by a price target; our current price target of $235 equates to approximately a $1.2 trillion market cap.”

Mr. White is not alone. Another analyst, Amit Daryanani, working for RBC Capital Markets, has made a similar prediction, stating:

“In our view, Apple’s quarterly results will be less important this summer as investors are focused on the iPhone 8 this fall, along with the company’s raised capital distribution initiative, depressed valuation and potential new innovations. We believe Apple remains among the most underappreciated stocks in the world.”

If you don’t yet own stock in the company, now would probably be a great time to buy. As Apple edges closer to the one trillion-dollar threshold, it’s sure to generate an increasing number of headlines, which will increase interest in the company and push the stock price higher still, hastening the day when it hits the mark.

If you already own a stake in the company, hold onto it, and if you concur with Daryanani’s assessment, add to it as you’re able. You could soon be the proud owner of a tiny slice of investment history.

Ransomware Continues To Evolve On Android Devices

Hackers around the world are continuing to innovate at a terrifying, relentless pace, and that truth is reflected in the latest form of ransomware to be found in the wild.

Dubbed “DoubleLocker,” this new strain targets Android devices. It uses and abuses the platform’s Accessibility Service, reactivating itself every time the user presses the phone’s “Home” button.

Initial forensic analysis of the code base reveals this new threat to be based on Svpeng, which is a nasty form of malware that has a rather infamous reputation among Android users. It is one of the best-known banking trojans on the platform, used to steal money from people’s bank accounts, change PINs, brick devices and demand ransoms to return them to operability.

Although DoubleLocker does not contain Svpeng’s banking hack features, it is a very advanced, highly sophisticated piece of code.

As with so many other malicious programs, it gains an initial foothold on the user’s machine by disguising itself as some other, perfectly legitimate program (most often, Flash Player). Once installed, if the user grants the app access, Android’s Accessibility service allows the app to mimic user screen taps and swipes, allowing it to navigate around on the user’s phone.

It immediately locks the user’s PIN with a ransom PIN code and encrypts all files on the device.

This is the most significant development, because prior to the discovery of DoubleLocker in the wild, most other Android ransomware worked by simply locking the user’s phone. This one takes cues from PC-based ransomware and takes the added step of encrypting the files themselves.

Another intriguing difference is that while most ransomware is configured to send the user an unlock code once the ransom is paid, no such code is sent to a user infected by DoubleLocker. Instead, the hackers unlock the phone remotely, upon receiving payment.

For users impacted by DoubleLocker, the following advice has been offered by ESET:

“The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.

For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work the device needed to be in the debugging mode before the ransomware got activated.

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device admin rights for the malware and uninstall it. In some cases, a reboot is needed. As for data stored on the device, there is no way to recover it, as mentioned earlier.”

Ransomware Attackers Are Increasing Their Attacks On Businesses

The ransomware ecosystem is maturing. Strains are divided into “families” and the number of new families that have been discovered in 2017 is half what it was in 2016. Even so, the total number of attacks targeting businesses has risen by 26 percent over last year’s totals, according to the latest statistics released by Kaspersky Lab.

Rather than inventing wholly new software strains, hackers around the world seem content to modify existing strains, with the number of modifications growing from 54,000 to an astonishing 96,000 this year.

The modifications are having impacts that extend far beyond simply allowing them to slip past a company’s defenses. Last year, 29 percent of companies impacted by a ransomware attack claimed that the incident took a week or longer to recover from. This year, that percentage rose to 34 percent.

According to one of Kaspersky’s senior malware analysts, Fedor Sinitsyn, “The headline attacks of 2017 are an extreme example of growing criminal interest in corporate targets. We spotted this trend in 2016, it has accelerated throughout 2017, and shows no signs of slowing down.

Business victims are remarkably vulnerable, can be charged a higher ransom than individuals and are often willing to pay up in order to keep the business operational. New business-focused infection vectors, such as through remote desktop systems, are not surprisingly on the rise.”

In addition to the total number of such attacks increasing, we’ve seen several large-scale attacks this year, and there’s no reason to believe that we won’t see more of that in the months and years ahead.

This represents a fundamental shift in strategy as compared to years past and is a clear indication that hacking groups around the world are increasingly coordinating their efforts and learning from one another. That’s bad news for IT security professionals everywhere.

Top Subject People Fall Victim To Is – Data Breach Notification

For hackers around the world, success breeds more success, it seems.

A company called KnowBe4 has released a report entitled “Top Ten Global Phishing Email Subject Lines For Q3 2017.” To prepare it, they analyzed email subject lines from simulated phishing tests to determine what the most effective approach was.

Their findings were that “Official Data Breach Notification” was the hands-down winner, generating far more click-throughs than any other.

Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, had this to say about the report:

“Phishing attacks are responsible for more than 90% of successful cyber-attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats.

We see urgency and fear of a breach as the drivers. We have over 1400 templates and a concentration of themes so we know what is highly effective. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders, and their clients to prevent phishing schemes.”

Wise words, and the first step on the path to prevention is knowing what triggers are the most effective, which makes the KnowBe4 report especially valuable to data security teams, regardless of what business your company is in.

The irony, however, is inescapable.

The reason that “Official Data Breach Notification” is such a devastatingly effective phishing headline is simply that the hackers have been devastatingly effective. Barely a day goes by that we are not greeted by some grim headline and a news story recounting the woes of yet another company suffering from yet another massive breach resulting in hundreds of thousands, millions, or more consumer data files stolen.

They are, in a very real sense, leveraging the power of their own success to become even more successful, and that’s sadly not likely to change anytime soon.

Black Friday Brings Major Increase In Fraud

Retailers are gearing up for the year’s busiest shopping weekend, which runs from Black Friday to Cyber Monday, but another group is also gearing up.

Scammers.

Security experts are warning that retailers should brace for impact because the best estimates are that there could be as many as fifty million fraud-based attacks between those spectacularly busy shopping days.

The estimate is higher than it’s ever been, and is driven in large part by the sheer number of high-profile data breaches that have occurred over the last twelve months.

Account data for hundreds of millions of users flooded the Dark Web on the heels of those attacks. The scammers happily stocked up on them and are more than ready for the holiday season.

According to details provided by ThreatMetrix, the attack will shake out something like this:

• In advance of Black Friday, the scammers will use bots to test the stolen credentials they’ve purchased, tossing the ones that no longer work, and keeping the ones that are still active.

• Once they’ve culled their lists, they’ll spend a bit of time conducting a few million test attacks.

• After they successfully test their software with the valid IDs, they’ll launch large-scale fraud attacks with new user account registrations and attempted fraudulent payments.
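
The credential-testing stage described in the first step leaves a recognizable trace in login logs: one source trying many different accounts in a short span, mostly failing. The detector below is an added example, not ThreatMetrix's method or part of the original article; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<UTC timestamp> ip=<addr> user=<name> result=ok|fail"
LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse(lines):
    """Yield (timestamp, ip, user, succeeded) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than abort the scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "ok"


def find_credential_testing(lines, window=timedelta(minutes=5),
                            min_users=5, min_fail_ratio=0.5):
    """Map each flagged source IP to the accounts it logged in to successfully.

    A source is flagged when, inside a sliding time window, it tried at least
    min_users distinct accounts and at least min_fail_ratio of attempts failed.
    The returned accounts are the ones whose stolen credentials still work.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            chunk = events[start:end + 1]
            users = {user for _, user, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                hits = flagged.setdefault(ip, set())
                hits.update(user for _, user, ok in chunk if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}


# Constructed sample: one source cycling through accounts, one forgetful customer.
SAMPLE_LOG = """\
2017-11-20T02:14:01Z ip=203.0.113.7 user=alice result=fail
2017-11-20T02:14:03Z ip=203.0.113.7 user=bob result=fail
2017-11-20T02:14:05Z ip=203.0.113.7 user=carol result=fail
2017-11-20T02:14:07Z ip=203.0.113.7 user=dana result=ok
2017-11-20T02:14:09Z ip=203.0.113.7 user=eve result=fail
2017-11-20T02:14:11Z ip=203.0.113.7 user=frank result=fail
2017-11-20T09:30:00Z ip=198.51.100.20 user=erin result=fail
2017-11-20T09:30:20Z ip=198.51.100.20 user=erin result=fail
2017-11-20T09:31:02Z ip=198.51.100.20 user=erin result=ok
""".splitlines()

if __name__ == "__main__":
    print(find_credential_testing(SAMPLE_LOG))
```

Accounts returned for a flagged source are candidates for a forced password reset. Grouping by source IP alone misses testing spread across many addresses, so treat this as one signal among several.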

According to security researcher Vanita Pandey:

“Many e-commerce merchants choose to accept a greater degree of risk on these key days in order to accept more transactions and reduce the chance that good customers experience friction when placing orders…. fraudsters see peak shopping days as the opportunity to make larger purchases/attempt to redeem bigger basket sizes, which are less likely to be flagged as suspicious in among the sea of other high value purchases being made by good customers.”

The long and the short of it is that if you expect to see a spike in sales during the Black Friday – Cyber Monday shopping weekend, brace for a big spike in fraud attempts, too.