Image:Azlan Baharudin Special feature Cyberwar and the Future of Cybersecurity Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly. Read More A Chinese state-sponsored hacking group has been targeting Malaysian government officials, computer experts with […] More

The US Securities and Exchange Commission (SEC) has charged a former Amazon finance manager with insider trading. 

On Monday, the regulatory watchdog said that from at least January 2016 to July 2018, Laksha Bohra conducted securities trading based on confidential information she had access to as a member of the e-commerce giant’s tax department. 
The senior manager was involved in preparing and reviewing financial statements included in Amazon’s quarterly earnings. Bohra allegedly leveraged this knowledge to play the market in what is known as insider trading in order to reap “illicit profits,” according to SEC.
See also: Shopin founder charged by SEC for running $42 million scam cryptocurrency ICO
36-year-old Bohra not only played this game herself but also allegedly tipped off members of her family, including her father-in-law and husband. 
“Bohra disregarded quarterly reminders prohibiting her from passing material nonpublic information or recommending the purchase or sale of Amazon securities,” SEC’s complaint reads. 
If an individual has access to pre-release financial information, they may be able to buy or sell stocks and shares based on predictions of what will happen to a company’s share prices. For example, profits may send stock prices upward, whereas the disclosure of losses or lawsuits can cause a share price slump.
In total, over the course of roughly two years, the former manager and her family traded in 11 separate brokerage accounts, earning themselves roughly $1.4 million. Bohra’s father-in-law reportedly told one of the brokerage firms used that the accounts were treated as a “one family thing.”
“Amazon considered [..] pre-release financial information to be confidential, highly sensitive, material, and nonpublic,” the US agency says, adding in the complaint that Amazon has previously demonstrated a “zero tolerance” stance on insider trading. 
CNET: Universal Health Services slammed by massive cyberattack
Amazon suspended Bohra’s employment in October 2018, leading to Bohra’s resignation. However, the reason for the termination was not disclosed in the complaint.
Filed in Seattle federal court, the complaint (.PDF) lays out charges against all three family members for violating federal securities laws. 
TechRepublic: 5 more things to know about ransomware
According to SEC, all three have agreed to pay back $1,428,094, interest of $118,406, and additional penalties of $1,106,399.
“Employees with access to confidential, potentially market-moving corporate information may not use that information to enrich themselves, their friends, or their families,” commented Erin Schneider, Director of the SEC’s San Francisco Regional Office. 
ZDNet has reached out to Amazon and will update when we hear back. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Ransomware-as-a-Service (RaaS) ads on hacking forums
Image: ZDNet
Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.
RaaS portals work by providing a ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using options provided by the RaaS, and then deploy in real-world attacks via a method of their choosing.
These methods vary between RaaS affiliate and can include email spear-phishing attacks, en-masse indisciriminate email spam campaigns, the use of compromised RDP credentials to gain access to corporate networks, or the use of vulnerabilities in networking devices to gain access to internal enterprise networks.
Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, who keeps a small percentage and then forwards the rest to the affiliate.
RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.
The RaaS tiers
According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking scene.
While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.

But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.
Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, these operations had to be around for months, proven the viability of their code through a large number of attacks, and continued to operate despite public exposure.
This tier includes the likes of REvil, Netwalker, DopplePaymer, Egregor (Maze), and Ryuk.
With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.
These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers or compromised RDP credentials).
Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.
This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.

Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.
This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.

All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.
A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks. More

Image: Omar Al-Ghossen
When users are on the web they can opt out of a lot of tracking present, thanks to a combination of GDPR-induced prompts, ad and trackers blocks, and incognito modes — however, this is far from the case on mobile phones and apps. In an effort to close the gap, Apple believes efforts like its Identifier For Advertisers can help advertisers and preserve privacy. “Identifiers such as the Identifier For Advertisers (IDFA) and email address help identify a specific device across a network. They also allow advertisers to create a detailed profile of your activity across different apps or websites when they see your device identifier and associate your activity with it,” Apple says in an updated version of its A Day in the Life of your Data document. “The Identifier For Advertisers (IDFA) is a user-controllable identifier assigned by iOS to each device. As a software-based identifier rather than one that is tied to the hardware itself, the IDFA can be blocked for a particular app by the user via the App Tracking Transparency prompt. This gives the user control over IDFA-based tracking.” The updated document has added a pair of pages on advertising auctions and ad attribution, with Apple stating advertisers can track ad performance without tracking users. The mechanisms for this are its SKAdNetwork API and Private Click Measurement. Pointing to the way web browsers have clamped down on trackers on the web, Apple has dismissed concerns that clamping down on trackers in apps will force app creation to be less profitable. The tech giant believes advertisers will have to respond by providing users with a higher level of privacy and app makers will still be able to monetise from apps.

Apple said it would remove apps from its app store if a new way of fingerprinting was developed. Last month, Apple claimed in Australia that its store was not the most dominant app marketplace because the internet was an alternative. “Apple perceives and treats other distributors of apps, for platforms other than iOS, as significant competitors whose pricing and policies constrain Apple’s ability to exercise power over developers,” the iPhone maker said in a submission to the Australian Competition and Consumer Commission (ACCC).”Apple is not in a position to disregard the environment in which its app marketplace operates and does not accept the Commission’s characterisation of the Apple App Store as ‘the most dominant app marketplace by a large margin’.” Apple said it does not consider it has a substantial degree of power in any market relevant to the issues that are the subject of the ACCC’s current inquiry, nor does it agree there is a market failure that requires regulatory intervention or legal action. “Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third party apps and use them on their iOS devices) and outside iOS,” it said. “Even if a user only owns iOS-based devices, distribution is far from limited to the Apple App Store because developers have multiple alternative channels to reach that user. “The whole web is available to them, and iOS devices have unrestricted and uncontrolled access to it. One common approach is for users to purchase and consume digital content or services on a website.” Days earlier, Apple said it was surprised to hear that developers have legitimate concerns about their ability to engage with Apple in the app review process. Related Coverage More

Australia’s Communications Access Coordinator (CAC) is concerned by the level of understanding within the nation’s telcos about the risk that network virtualisation can introduce.
The CAC role was created under Australia’s Telecommunications Sector Security Reforms (TSSR) and is charged with assessing whether changes made by telcos to their networks expose them to unauthorised access or interference, and if that is the case, it issues recommendations for changes.
In the Telecommunications Sector Security Reforms — Report for 2019-20 tabled in Parliament on Tuesday, a number of Australian telcos notified the CAC that they were automating their network configurations.
“These changes featured high levels of technical complexity and equally complex supply chains. In several instances the CAC had concerns about the notifying carrier’s understanding and appreciation of the risks presented by the proposed change, particularly the risks associated with complex multi-vendor/subcontractor, multi-jurisdiction supply chains,” the report said.
“The CAC also had concerns in several instances with carriers misunderstanding the level of exposure they had in proposing to outsource or ‘hybridise’ their infrastructure environment.
“In each of these instances during the reporting period the CAC informed the relevant carriers of the concerns and suggested measures that they could implement to ensure they could continue to comply with their security obligation while proceeding with the change.”
The report also said the CAC received multiple notices of a carrier proposing to use a managed service provider, where the CAC thought the carrier would lose its ability to “maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier”.
The CAC was concerned by the lack of supervision over the provider’s activities, the lack of consideration over the location from where the provider would be serving the telco out of, and “limited assurance” the carrier had “effective control” over the network or facilities being provided. In these instances, the CAC recommended changes.
Over the course of the year to June 30, the CAC responded with 24 “some risk” notices to telcos, 6 “no risk” notices, and had two notices outstanding. The Minister for Home Affairs did not issue any directions over the year.
The TSSR laws were used in 2018 to ban Huawei and ZTE from Australia’s 5G networks.
“The Department [of Home Affairs] has continued to work closely with telecommunications operators to ensure they understand their TSSR obligations with respect to deploying and operating 5G networks and services,” the report said.
“The department has also worked with non-5G mobile network operators to understand and manage the potential sustainment risks associated with the United States’ export restrictions affecting certain telecommunications infrastructure vendors.”
The report said CAC would be able to respond quicker if telcos provided sufficient information.
The TSSR was passed by Parliament in September 2017, after the Parliamentary Joint Committee on Intelligence and Security recommended a number of changes, including an annual reporting mechanism to Parliament.
Also tabled on Tuesday was a report on the operation of the Critical Infrastructure Act for the year to June 30.
Passed in March 2018, the Act created a register of critical infrastructure assets which included asset ownership, access, and control.
Over the year, the nation’s electricity, water, gas, and port sectors reported 118 notifications to Home Affairs, which consisted of 109 changes, and nine new additions to the register.
None of the ministerial directions, information gathering powers, enforcement powers, nor any private declarations were issued.
The recent 2020 Cyber Security Strategy said the federal government was looking to impose an enforceable “positive security obligation” on designated critical infrastructure operators through amendments to the Act.
Related Coverage More