
Americans lost over $4.2 billion to cybercriminals and scammers in 2020, according to FBI figures based on complaints it received. Over the year, the FBI's Internet Crime Complaint Center (IC3) received 791,790 complaints of suspected internet crime, about 300,000 more than in 2019, when the agency recorded estimated losses of more than $3.5 billion.
“In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree,” the FBI says in its Internet Crime Report 2020.

Once again, business email compromise (BEC) or email account compromise (EAC) were by far the biggest sources of reported losses, totaling $1.8 billion across 19,369 complaints. That's up slightly from $1.77 billion in reported losses from 23,775 BEC complaints in 2019. Last year saw a steep rise in BEC complaints stemming from identity theft and funds being converted into cryptocurrency. The identity theft frequently occurred after a victim provided a form of ID to a tech support scammer or a romance scammer. The stolen ID would then be used to set up a bank account to receive stolen BEC funds and convert them into a less traceable cryptocurrency, according to IC3.
The technique and the switch to cryptocurrency differ from previous years, when a senior executive's email address would typically be spoofed and used to instruct a subordinate to wire funds to the fraudster's bank account.

The FBI report notes that tech support fraud continues to be a growing problem, but recently victims have complained about criminals posing as customer support for banks, utility companies or virtual currency exchanges. While the pandemic caused a brief lull in this type of fraud, losses in this category grew to $146 million, 171% more than the losses from 2019. IC3 received 15,421 complaints from victims in 60 countries.

Ransomware is the other threat that won't go away. The IC3 received 2,474 complaints and reported losses of $29.1 million. The report, however, notes that this is an underestimate, as it doesn't account for victim reports made directly to FBI field offices and agents.

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered,” the FBI stresses in the report.

The most common type of internet crime reported to IC3 was phishing (including vishing, smishing, and pharming), with 241,342 complaints. This was more than twice the number of phishing complaints IC3 received in 2019.
Notable rises in reported losses from specific crime types when comparing 2019 with 2020 included: confidence fraud/romance ($475 million versus $600 million); corporate data breach ($53 million versus $129 million); investment fraud ($222 million versus $336 million); personal data breach ($120 million versus $194 million); ransomware ($8.8 million versus $29 million); and tech support ($54 million versus $146 million).

Security researchers at Armis have detailed a trio of vulnerabilities in the Smart-UPS devices sold by Schneider Electric subsidiary APC that allow for unnoticed remote code execution, replacement of the firmware, and potentially burning out the entire unit. Naturally, in 2022, the flaws stem from a combination of a flawed TLS implementation and newer devices being controllable through a cloud-based system.

“Since the TLS attack vector can originate from the internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall,” Armis said. “They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”

When a TLS connection hits an error, rather than closing the connection as the authors of the Mocana nanoSSL library recommend, APC's firmware ignores some of the errors, which leaves the connection open and the library in a state it was not built to handle.

“Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state,” Armis said. “When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device.”

Additionally, all Smart-UPS devices use the same symmetric key for encryption and decryption, and that key can be extracted from the devices. As a bonus, the devices do not check whether firmware is signed, allowing attackers to persist on the device. In the words of the Bloodhound Gang: We don't need no water.
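The error-handling flaw described above, as an added illustration that is not Armis's, APC's or nanoSSL's code: a toy model in which the UPS-side TLS client either aborts on a certificate error (the behaviour the library authors expect) or swallows it, so that the still-zeroed key buffer ends up in the resumption cache and anyone who knows the session identifier can talk to the UPS under an all-zero key. The class and function names (UpsTlsClient, attacker_forges_firmware_update) and the HMAC "command tag" standing in for TLS record protection are assumptions made for the example; the page gives no protocol details beyond the quotes above.

```python
"""Toy model of the TLS state-confusion bug described above.

Added example, not Armis or APC/nanoSSL code. UpsTlsClient stands in for
the UPS firmware's TLS client; the HMAC "command tag" stands in for the
record protection a resumed TLS session would provide. Both are
simplifications chosen for this illustration.
"""
import hashlib
import hmac
import os

KEY_LEN = 32
ZERO_KEY = bytes(KEY_LEN)   # models the never-initialised key buffer


class TlsError(Exception):
    """A handshake step failed; the library expects the caller to close."""


def mac(key, message):
    """Authentication tag a resumed session would put on a record."""
    return hmac.new(key, message, hashlib.sha256).digest()


class UpsTlsClient:
    """UPS side of the connection to the vendor cloud.

    strict=True  : errors abort the handshake before anything is cached
                   (what the nanoSSL authors recommend).
    strict=False : errors are swallowed, the connection stays open and the
                   zeroed key lands in the resumption cache (the APC bug).
    """

    def __init__(self, strict):
        self.strict = strict
        self.cache = {}          # session_id -> session key

    def full_handshake(self, session_id, server_cert_ok, shared_secret):
        key = ZERO_KEY           # key buffer before any derivation
        try:
            if not server_cert_ok:
                raise TlsError("server certificate did not verify")
            key = hashlib.sha256(b"master" + shared_secret).digest()
        except TlsError:
            if self.strict:
                raise            # close the connection, cache nothing
            # vulnerable path: ignore the error and carry on
        self.cache[session_id] = key
        return key

    def resume(self, session_id):
        """Fetch the cached key for session resumption."""
        if session_id not in self.cache:
            raise TlsError("unknown session, full handshake required")
        return self.cache[session_id]

    def accept_command(self, session_id, command, tag):
        """True if the tag verifies under the resumed session's key."""
        key = self.resume(session_id)
        return hmac.compare_digest(mac(key, command), tag)


def attacker_forges_firmware_update(client):
    """Attacker poses as the cloud: bad certificate, then a 'resumed' session.

    Returns True if the UPS accepts a firmware-upgrade command tagged with
    the all-zero key, i.e. if the state confusion is exploitable.
    """
    session_id = os.urandom(16)
    try:
        client.full_handshake(session_id, server_cert_ok=False, shared_secret=None)
    except TlsError:
        return False             # strict client closed the connection
    command = b"FIRMWARE_UPGRADE"
    try:
        return client.accept_command(session_id, command, mac(ZERO_KEY, command))
    except TlsError:
        return False


if __name__ == "__main__":
    print("vulnerable client accepts forged update:",
          attacker_forges_firmware_update(UpsTlsClient(strict=False)))
    print("strict client accepts forged update:",
          attacker_forges_firmware_update(UpsTlsClient(strict=True)))
```

The point of the model is where the cache write sits relative to the error check: in the vulnerable path the key material is cached after an error that should have ended the connection, so the "resumed" session is authenticated with a value the attacker can predict. The fix is not a stronger MAC but refusing to carry state forward once the handshake has failed.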
On the extreme physical end of the equation, replacing the firmware allows an attacker to bypass software-based physical protections, such as a short-circuit alert turning off the UPS. “By using our RCE vulnerability we were able to bypass the software protection and let the current spike periods run over and over until the DC link capacitor heated up to ~150 degrees celsius (~300F), which caused the capacitor to burst and brick the UPS in a cloud of electrolyte gas, causing collateral damage to the device,” the researchers state in a white paper [PDF]. “The exploitation risk is no longer limited to the IT world — an attacker can turn the UPS to a physical weapon. From a cyber security point of view, these kinds of systems must be handled as a flammable substance that sits in the heart of an organization.”

Armis recommends that users install the patches from Schneider Electric, use access control lists to restrict communication with the UPS to management devices and the Schneider Electric cloud, and ensure that this communication is encrypted. If the device has a network management card, Armis recommends changing the default password from “apc” to something else and installing a publicly-signed certificate to prevent password sniffing. The security company said it believes 80% of organisations have a vulnerable device, with healthcare organisations at over 92% and retail just behind at 89%.

Updated at 3:52pm AEST, 9 March 2022: Clarified technical information.
Cisco has been ordered by a US District judge to pay over $1.9 billion to a Virginian security company for infringing upon four cybersecurity patents.
Senior District Judge Henry Morgan made the decision following a month-long trial over video conference, saying it was “clear and not a close call”. The trial did not use a jury due to the coronavirus pandemic.
The Virginian company, Centripetal Networks, made the allegations at the start of 2018 after it claimed Cisco’s network devices used its solutions and patents.
According to Morgan, virtually all of Cisco’s exhibits, technical documents, and demonstratives for the trial focused on its old technology rather than the accused products.
“Their demonstratives of the functionality of Cisco’s accused products were not based upon their own current technical documents, but rather upon inaccurate animations produced post facto for use in the litigation which served to confuse the issues, rather than inform the court,” Morgan said.
“Most of Cisco’s challenges amounted to no more than conclusory statements by its experts without evidentiary support.”
The $1.9 billion owed to Centripetal Networks comprises $1.89 billion in damages and $13.7 million in interest.
While the actual damages suffered by Centripetal Networks amounted to around $755 million, the court multiplied that figure by 2.5 times to reflect Cisco’s wilful and egregious conduct in infringing upon the cybersecurity patents.
In addition, the court ordered a running royalty of 10% on the apportioned sales of the Cisco products that infringed upon Centripetal Networks' patents. These royalties will apply for a period of three years, followed by a second three-year term at a running royalty of 5%.
Cisco said it was disappointed with the decision and would make an appeal at the US Court of Appeals for the Federal Circuit.
“We are disappointed with the trial court’s decision given the substantial evidence of non-infringement, invalidity and that Cisco’s innovations predate the patents by many years,” Cisco said in a statement.
A quick scan through ZDNET's list of the best phones, and two names usually top the list: Samsung and Apple. That's no exception with our most recent picks, as the Galaxy S25 Ultra and the iPhone 16 Pro Max take the top two spots. That list will likely be changing soon, though, as Apple is expected to unveil a successor, the iPhone 17 Pro Max.

Both the 16 Pro Max and the S25 Ultra are their brand's most impressive phones to date, with each handset packed with premium features and high-end specs, and both being the largest of their lineups. They also feature a whole lot of AI, like it or not.

If you're already locked into a specific ecosystem, the choice here is simple. But if you're on the fence or you're considering switching sides, you have a decision to make. Fortunately, there's enough of a difference between these two devices that you can make a choice. Here's what you need to know.

Specifications (Samsung Galaxy S25 Ultra | iPhone 16 Pro Max)
Display: 6.9" QHD AMOLED, 120Hz, 2600 nits peak | 6.8" AMOLED, 120Hz, 2000 nits peak
Weight: 218 grams | 227 grams
Processor: Snapdragon 8 Elite | A18 Pro
Dimensions: 77.6 x 162.8 x 8.2mm | 77.6 x 163 x 8.25mm
RAM/Storage: 12GB with 256GB, 512GB, 1TB | 8GB with 256GB, 512GB, 1TB
Battery: 5000 mAh | 4685 mAh
Camera: 200MP wide / 50MP telephoto (5x) / 10MP telephoto (3x) / 50MP ultrawide / 12MP front | 48MP Fusion / 48MP Ultra Wide / 12MP telephoto (5x) / 12MP front
Price: $1,299 | $1,199

You should buy the Samsung Galaxy S25 Ultra if…

Cybersecurity staff are feeling burnt out and stressed to the extent that many are considering leaving their jobs. According to research by VMware, 47% of cybersecurity incident responders say they've experienced burnout or extreme stress over the past 12 months. While […]