More stories

  • Tax identity theft: How to protect your credit and finances

    Tax-related identity theft is a persistent problem in the US. In fact, the IRS’s Criminal Investigation Division reported that it identified $2.3 billion in tax fraud in fiscal year 2020, with the fraud ranging from cyber crimes to tax-related identity theft.

    Have you fallen victim to tax identity theft and need help dealing with the financial ramifications? Or do you just want to learn ways to prevent it from happening to you? Either way, this guide can help.

    What is tax identity theft?

    Tax identity theft occurs when someone files a tax return using your Social Security Number (SSN). In some cases, thieves do this in order to claim a fraudulent tax refund. In others, they may have used your SSN to obtain employment. When this occurs, their employer will report all income to the IRS using that SSN. When you don’t report that same income on your own return, the IRS will flag it as suspicious and require you to pay taxes on that additional income. It may even lead to a tax audit.

    Victims of tax identity theft face serious financial ramifications. Not only are they unable to file their own returns (or claim their tax refund), but other financial vulnerabilities might be at work. Unauthorized loans, credit cards, and other accounts may have been opened using the victim’s identity. Victims are typically encouraged to freeze their credit when tax-related identity theft occurs. They may also need to work with creditors and credit reporting agencies to clear their name of any fraudulent activity.

    How does tax identity theft happen?

    Generally, tax identity theft — and all identity theft, for that matter — occurs after a person’s sensitive information has become public or fallen into the wrong hands. This often happens due to security breaches or digital data hacks.

    Tax identity theft often occurs in February and early March, as thieves must file the fraudulent returns before the real taxpayers file their legitimate ones.

    Fortunately, the IRS has taken steps to reduce identity theft from many angles. The agency has hired more employees dedicated to stopping fraud, implemented additional safeguards, and changed many of the standards used to file and authorize returns.

    Despite these efforts, tax identity fraud does still occur. It’s important everyday Americans are prepared should it happen.

    How to know if you’ve been victimized

    If you’ve fallen victim to tax identity theft, there are several ways you might learn of it. First, your legitimate tax return may be rejected. When you go to e-file your tax return, the IRS will reject it if a return has already been filed for your SSN. If you filed a paper return, you will get a rejection notice in the mail, alerting you that your return has already been filed.

    In the event the thief used your SSN to obtain a job, you likely won’t learn of the issue until your returns have been filed and processed. Once the IRS sees that your reported income does not match the income reported by employers to your SSN, they will send you a letter saying you failed to report income or that you owe additional taxes.

    It’s important to note that all communications from the IRS will come via mail. The IRS will not call, text, or email you regarding your returns or any suspicious activity. Do not provide sensitive information to anyone pretending to be an IRS agent via these methods, and report the issue to the U.S. Treasury Inspector General for Tax Administration.

    What to do next

    If you discover that you are the victim of tax identity theft, you’ll need to report it to both the IRS and the Federal Trade Commission.

    Specifically, you’ll need to:

      • Fill out Letter 5071C, if you’ve received it. The IRS may send you Letter 5071C if it flags your return as suspicious or suspects fraud has been committed. This form requires you to verify your identity and breaks down the steps for doing so. Follow these directions exactly, and take any additional recommended steps once your identity has been confirmed.
      • Use Form 14039 to alert the IRS of the issue. Fill out the form and mail it, along with a copy of your Social Security card and driver’s license, to Internal Revenue Service, P.O. Box 9039, Andover, MA, 01810-0939. Make sure to send the letter by certified mail to ensure it arrives safely. If you received a notice in the mail, include this with your letter as well.
      • Apply for an Identity Protection PIN. These are six-digit numbers that the IRS will use to confirm your identity on all future returns and filings. (Please note that this service will be unavailable until January 2022 for planned maintenance.)
      • Notify the Federal Trade Commission. File an identity theft report at IdentityTheft.gov in order to alert the FTC. This website can also help you create a plan of action for responding to identity theft.
      • Contact your state tax agency. There may be additional steps your state requires when identity theft occurs.

    If you tried to e-file and got rejected, you should go ahead and file your paper return and pay any taxes you owe via mail. If at any point you need help in the process, call the IRS Identity Protection Specialized Unit at 1-800-908-4490 for assistance. An agent can walk you through the appropriate steps to both report and respond to the theft.

    The road ahead: Rebuilding your credit and finances

    The IRS says it typically takes 120 days or less to address cases of identity theft, but due to “extenuating circumstances” caused by the COVID-19 pandemic, the IRS’s identity theft inventories have increased dramatically. It’s taking them 260 days on average to resolve identity theft cases.

    This doesn’t even include the time and resources needed to address other consequences of identity theft, such as unauthorized loans, credit cards, and purchases. Depending on how deep the theft goes and how available your personal information was, the financial ramifications can often last months or even years.

    The important thing to do is to remain vigilant. This means:

      • Pulling your credit report and monitoring for suspicious financial activity. Look at your credit report and make sure there are no unauthorized accounts or loans in your name. Contact the creditors and close these if necessary. You should also check with your banks and lenders to ensure there is no suspicious activity. If there is, dispute the charges and follow the steps to have those waived from your accounts.
      • Placing a fraud alert on your credit profile. Contact one of the three major credit reporting bureaus (Experian, TransUnion, or Equifax) and ask that a fraud alert be placed on your record. This can prevent thieves from opening up new credit cards or loans in your name. You can also request a total credit freeze if you want to be extra safe.
      • Considering credit monitoring. Though these services come at a fee, they can help you keep tabs on your credit profile — as well as any changes that occur.
      • Working with the Social Security Administration. Report the identity theft and take any additional steps recommended. In severe cases, you may need to apply for a new Social Security Number.
      • Continuing to work with the IRS and FTC as necessary. Respond quickly to any FTC or IRS request. Any delays will slow the resolution of your case and the delivery of your refund.

    In some cases, you may want to involve a lawyer — especially if your investments, retirement accounts, mortgage, or other major financial products have been affected. They can help you traverse the legal issues that crop up with creditors, lenders, and financial institutions along the way.

    Your options for financial recovery

    Many victims of tax identity theft experience cash flow issues or must deal with additional debt as a result of the experience. They also may be unable to take out traditional loans or credit accounts due to the impact the theft has had on their credit score and profile.

    When this occurs, victims have five options:

      • Tax Refund Advance Loan: A Tax Refund Advance Loan gives you an advance on your projected refund. While sometimes helpful, these aren’t the best idea if your refund is small. They can also impact your credit score and often require a significant chunk of your refund to secure.
      • A personal loan: Personal loans can offer access to more cash, as well as more lenient (and longer) repayment terms. These can be especially helpful for victims hit hard by their identity theft.
      • Credit-builder loans: These loans are beneficial if your credit score was severely impacted by the theft. Typically offered through community banks and credit unions, they help you improve your score by reporting your consistent payments to credit bureaus.
      • Secured credit cards: If the identity theft required you to close your credit accounts, a secured credit card can be a good option. These require you to deposit money up front as collateral. They then function like traditional credit cards, while also helping you establish good credit standing (as long as you pay on time, every time).
      • Help from loved ones: In many cases, family members, friends, and other loved ones are willing to provide financial help. They might offer no-interest loans or even gifts to help you get through your rough patch.

    There’s always the option to wait it out, too. If the damage was minimal or you weren’t relying on your refund for financial stability, you may be able to await the IRS’ resolution of your case.

    Reducing your risk

    If you aren’t already the victim of tax-related identity theft, you should take action to ensure you never become one. This means protecting your personal information, shredding sensitive documents, and using strong passwords on all online accounts.

    You can also:

      • Lock your mailbox.
      • Use a secure computer on a secure network when e-filing.
      • Check your credit report annually for suspicious activity.
      • Install a firewall and antivirus software on your computer.
      • Learn how to recognize phishing emails and fraudulent requests for information.
      • Keep sensitive documents (like your Social Security card) in a safety deposit box.
      • Only provide your Social Security Number when absolutely necessary.

    You should also file your returns as early as possible. A fraud cannot file a return using your Social Security Number if one has already been filed. Make it a point to file your taxes as soon as you have the information necessary to do so.

    [This article was originally published on the Simple Dollar in February, 2019. It was updated in December, 2021.]

  • Second Log4j vulnerability discovered, patch already released

    A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228.

    The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.” “This could allow attackers… to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DoS) attack,” the CVE description says.

    Apache has already released a patch, Log4j 2.16.0, for this issue. The CVE says Log4j 2.16.0 fixes the problem by removing support for message lookup patterns and disabling JNDI functionality by default. It notes that the issue can be mitigated in prior releases by removing the JndiLookup class from the classpath.

    John Bambenek, principal threat hunter at Netenrich, told ZDNet the solution is to disable JNDI functionality entirely (which is the default behavior in the latest version). “At least a dozen groups are using these vulnerabilities so immediate action should be taken to either patch, remove JNDI, or take it out of the classpath (preferably all of the above),” Bambenek said.

    The original flaw in Log4j, a Java library for logging error messages in applications, has dominated headlines since last week. Exploits started on December 1, according to Cloudflare, and an initial alert by CERT New Zealand sparked others by CISA and the UK’s National Cyber Security Centre.

    The Dutch National Cyber Security Center released a lengthy list of software that is affected by the vulnerability.

    International security company ESET released a map showing where Log4j exploitation attempts have been made, with the highest volume occurring in the US, UK, Turkey, Germany, and the Netherlands.

    “The volume of our detections confirms it’s a large-scale problem that won’t go away anytime soon,” Roman Kováč, Chief Research Officer at ESET, said.

    Many companies are already experiencing attacks leveraging the vulnerability; security platform Armis told ZDNet that it detected log4shell attack attempts in over a third of its clients (35%). Attackers are targeting physical servers, virtual servers, IP cameras, manufacturing devices, and attendance systems.

  • Microsoft December 2021 Patch Tuesday: Zero-day exploited to spread Emotet malware

    Microsoft has released 67 security fixes for software including seven critical issues and a zero-day flaw being actively exploited by cybercriminals.

    In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems in software including Remote Code Execution (RCE) vulnerabilities, privilege escalation security flaws, spoofing bugs, and denial-of-service issues.

    Products impacted by Microsoft’s December security update include Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.

    Some of the most severe vulnerabilities resolved in this update are a total of six zero-days, although only one is known to be actively exploited in the wild:

      • CVE-2021-43890: This Windows AppX Installer Spoofing zero-day vulnerability, issued a CVSS severity score of 7.1 and rated important, is publicly known and under exploitation. Microsoft says that it is “aware of attacks that attempt to exploit this vulnerability by using specially crafted packages” and that the bug is being weaponized to spread the Emotet/Trickbot/Bazaloader malware families.
      • CVE-2021-41333: Issued a CVSS score of 7.8, this Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity.
      • CVE-2021-43880: This security flaw is described as a Windows Mobile Device Management Elevation of Privilege (EoP) vulnerability that allows local attackers to delete targeted files on a system.
      • CVE-2021-43893: James Forshaw of Google Project Zero reported this issue (CVSS 7.5), which is described by Microsoft as an EoP in the Windows Encrypting File System (EFS).
      • CVE-2021-43240: Issued a CVSS score of 7.8, Microsoft says this flaw, an NTFS Set Short Name elevation of privilege bug, has proof-of-concept exploit code available and is known publicly.
      • CVE-2021-43883: The final zero-day flaw impacts Windows Installer. This issue, assigned a CVSS score of 7.8, can permit unauthorized privilege escalation.

    An additional 16 CVEs in the Chromium-based Edge browser were patched earlier this month.

    According to the Zero Day Initiative (ZDI), 887 CVE-assigned vulnerabilities have been patched by Microsoft this year. While this figure may seem high, the team notes this is a 29% decrease from 2020 (not including Chromium-based Edge).

    Last month, Microsoft resolved 55 bugs in the November batch of security fixes. In total, six were assigned critical ratings and 15 were remote code execution issues. Zero-day vulnerabilities, too, were resolved by the tech giant.

    A month prior, the tech giant tackled 71 vulnerabilities during the October Patch Tuesday. This included four zero-day flaws, one of which was being actively exploited in the wild.

    In other Microsoft security news, the company recently warned that a patched Exchange Server post-authentication flaw, tracked as CVE-2021-42321, is being weaponized in new attacks — adding to the last year’s woes surrounding four zero-days in the server platform.

    The company also recently published research on Iranian threat actors and their ranking in the cybercriminal space. Microsoft says that there has been a massive surge in Iran state-sponsored attacks this year against IT services, despite being close to non-existent in 2020.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.

  • Microsoft releases end-to-end encryption for Teams calls

    Microsoft announced today that it is rolling out end-to-end encryption (E2EE) for one-to-one Teams calls. According to Microsoft’s blog post announcing general availability, admins will have the option to enable and control this feature for their organizations once they receive the update.

    By default, E2EE won’t be available to all users within a tenant. Once IT configures the policy and enables it for selected users, those users will still need to turn this feature on in Teams settings. IT will be able to disable this feature when needed.

    Microsoft officials warned that when using E2EE for Teams one-to-one calls, some features will be unavailable. This includes recording; live captions and transcription; and adding participants to make a call a group call. If any of the unavailable features is required, users will need to turn E2EE off.

    As Microsoft noted in a blog post in October, real-time video and voice data is protected by E2EE. But it doesn’t secure chat or file-sharing, which are both protected at rest and in-transit by other encryption protocols, like HTTPS, for secure connections between a device and a website.

    The E2EE Teams call feature is available on the latest version of the Teams desktop client for Windows or Mac, officials said.

    In other recent Teams news, Microsoft will be introducing a new “Teams Phone with Calling Plan” product on January 1, 2022. This new plan combines Microsoft 365 Business Voice with enterprise capabilities in Teams Calling Essentials. These two products will be discontinued once the new plan is released, officials said.

    With Teams Phone with Calling Plan — which will be available to Microsoft 365 and Office 365 business users who have subscriptions including Teams — users will get 3,000 minutes for domestic calls in the US and Canada. Users will only get 2,300 minutes for domestic calls in other markets, and calls outside users’ domestic zones will require an add-on calling plan. Teams Phone with Calling Plan will cost $15 per user per month. Teams Phone alone costs $8 per user per month, and a domestic calling plan costs another $12 per user per month.

  • LogMeIn announces plan to spin off LastPass into its own company

    LogMeIn announced on Tuesday that it is spinning off password manager LastPass into its own company.

    The cloud-based solutions company explained that the move allows LastPass to invest heavily in “customer experience, go-to-market functions and engineering” as a way to improve its “organic growth in password management,” Single Sign-On (SSO) and multi-factor authentication (MFA).

    The separation will also help speed up the changes moving forward, with LastPass expecting customers to see the changes in 2022. LogMeIn said LastPass currently has more than 30 million users and 85,000 business customers across the world. LastPass has grown significantly in recent years, with more than 50% revenue CAGR over the last three years. LogMeIn CEO Bill Wagner said the scale, growth, and market position of LastPass make it “a perfect candidate to seize new opportunities as its own standalone company.” “Today’s announcement also reflects our strategic priority to strengthen and invest in our flexible work enablement portfolio across unified communications and collaboration and IT management and support,” Wagner added. LogMeIn owns several other products, including GoToConnect, GoToMeeting and Rescue. 

    Investor Andrew Kowal, a partner at Francisco Partners, noted that LogMeIn saw an opportunity to “unlock the full potential” of LastPass and improve the service’s offerings to customers. In a message to users, LastPass reiterated that it could “strategically increase investment and support” in its mission as an independent company. “You will start to see an enhanced LastPass, on an accelerated timeline. We are working on faster, seamless save and fill, a delightful mobile experience, and even more third-party integrations for businesses, among many other updates,” LastPass told users. “This is the same great product, now with even more focus on keeping your data safe.”


  • Billion-dollar natural gas supplier Superior Plus hit with ransomware

    Major natural gas supplier Superior Plus announced on Tuesday that it is suffering from a ransomware attack. The billion-dollar propane seller said the incident started on December 12 but did not answer questions about which ransomware group was behind the attack or which systems were affected.

    “Superior has temporarily disabled certain computer systems and applications as it investigates this incident and is in the process of bringing these systems back online,” the company said, adding that it “took steps to secure its systems and mitigate the impact to the Corporation’s data and operations.”

    The company said it is still figuring out the scope of the impact on its operations and asked customers for “patience” as it responds to the attack. According to the company’s statement, a cybersecurity company was hired to help deal with the attack.

    Superior brought in more than $1.8 billion in revenue last year and has about 4,300 employees. It provides propane and related services to 780,000 customer locations across the US and Canada. The company also provides natural gas to Canadian customers and is heavily involved in the speciality chemicals industry.

    Superior is the latest oil and gas company to suffer a ransomware incident this year, following the headline-grabbing attack on Colonial Pipeline.

    The May attack on Colonial Pipeline caused brief gas shortages along the east coast of the US and sparked a more concerted effort by the federal government to address ransomware incidents, which have been plaguing companies and government institutions for years.

    Colonial Pipeline CEO Joseph Blount said the company ended up paying the DarkSide ransomware group $5 million in ransom to get its systems back online after the incident forced it to shutter its operations and freeze IT systems to isolate the infection.

    After that attack, the White House pushed a whole-of-government effort to take on ransomware, kickstarting a number of task forces designed to make the government more resilient while going after the people organizing ransomware gangs.

    The Department of Justice eventually announced that it managed to recover some of the ransom that was paid by Colonial Pipeline to the DarkSide ransomware group. Deputy Attorney General Lisa Monaco said during a press conference that the Justice Department and FBI seized 63.7 Bitcoins of the 75 Bitcoins that Colonial Pipeline admitted to paying.

  • Log4j flaw: Nearly half of corporate networks have been targeted by attackers trying to use this vulnerability

    The number of attacks aiming to take advantage of the recently disclosed security flaw in the Log4j2 Java logging library continues to grow. The vulnerability (CVE-2021-44228) was publicly disclosed on December 9 and enables remote code execution and access to servers. What makes it such a major issue is that Log4j is widely used in commonly deployed enterprise systems.

    In some cases, organisations may not even be aware that the Java logging library forms part of the applications they’re using, meaning they could be vulnerable without knowing it. Online attackers have been quick to take advantage of the vulnerability – also known as Log4Shell – as soon as they can.

    There was evidence of attackers scanning for vulnerable systems and dropping malware just hours after Log4j was publicly disclosed. At that point, it was reported that there were over 100 attempts to exploit the vulnerability every minute.

    “Since we started to implement our protection we prevented over 1,272,000 attempts to allocate the vulnerability, over 46% of those attempts were made by known malicious groups,” said cybersecurity company Check Point.

    And according to Check Point, attackers have now attempted to exploit the flaw on over 40 percent of global networks.

    The number of successful exploits is likely to be much lower, but the figure shows that there are those out there who are looking to try their luck against a new – and potentially difficult to patch – vulnerability.

    “Unlike other major cyber-attacks that involve one or a limited number of software, Log4j is basically embedded in every Java based product or web service. It is very difficult to manually remediate it,” Check Point said in a blog post.

    Some of the attacks launched by exploiting the Log4j vulnerability include delivering cryptomining malware, along with delivering Cobalt Strike, a legitimate penetration testing tool which cyber criminals have been known to use to steal usernames and passwords to gain further access to networks.

    National cybersecurity bodies around the world have been quick to issue warnings as to how dangerous Log4j could be.

    Jen Easterly, director of CISA, described the Log4j vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

    Meanwhile, the UK’s National Cyber Security Centre (NCSC) has urged organisations to install the latest updates wherever Log4j is known to be used.

    “The key step for organisations is to patch enterprise software quickly, and for developers using Log4j to update and distribute their software as soon as possible,” said an NCSC spokesperson in an email to ZDNet. “For the public it’s important to keep updating devices as developers’ understanding of the vulnerability grows,” they added.

  • Log4j flaw could be a problem for industrial networks 'for years to come'

    Industrial networks are among those which are vulnerable to the recently disclosed zero-day in the Log4j2 Java logging library, security researchers have warned. The vulnerability (CVE-2021-44228) was disclosed on December 9 and allows remote code execution and access to servers. Log4j is used in a wide range of commonly used enterprise systems, raising fears that there’s ample opportunity for the vulnerability to be exploited. Within hours of the vulnerability being publicly disclosed, cyber attackers were already making hundreds of thousands of attempts to exploit the critical Log4j vulnerability to spread malware and access networks. Each day on from its disclosure, more is being learned about the flaw and now cybersecurity researchers have warned that it could have significant implications for operational technology (OT) networks which control industrial systems – and for a long time. “Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come,” said a blog post by cybersecurity researchers at Dragos. And given how easy it is to exploit the vulnerability, combined with the potentially large number of affected applications, researchers recommend an “assume-breach mentality” and active hunting for post-exploitation activity. Dragos says that it has seen attempted and successful exploitation of the Log4j flaw – and has already coordinated a takedown of one of the malicious domains used in these attacks.

    Several cybersecurity researchers have already noted that some attackers are exploiting Log4j to remotely run Cobalt Strike – a penetration testing tool that’s often used in ransomware attacks.

    Many industrial organisations struggle with visibility into their networks due to their complex nature, but it’s important for those running operational technology to know what their network looks like and counter the possibility of attacks attempting to exploit the vulnerability as a matter of urgency.

    “It’s important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors,” he added.

    Researchers suggest that applying the Log4j patch can help prevent attackers from taking advantage of the vulnerability – although the ubiquitous nature of Log4j means that in some cases, network operators might not even be aware that it’s something in their environment which they have to think about.