Information Technology

US Senator Bob Menendez and other lawmakers this week demanded the Internal Revenue Service (IRS) and ID.me contact taxpayers who have uploaded biometric information to the platform and inform them of their right to delete their selfie or photo account immediately after the service is available.In a letter to IRS Commissioner Charles Rettig, Menendez and Senators Cory Booker, Alex Padilla, and Catherine Cortez Masto called on the IRS to provide taxpayers with plain language instructions in multiple languages on how to complete the process of deleting their selfie. 

The IRS announced last week that it will no longer be using ID.me facial recognition software after signing an $86 million contract with the company, adding in a statement that it will “transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts.” The IRS had faced overwhelming backlash from civil rights groups and members of Congress from both parties, all of whom questioned how the IRS could begin the use of facial recognition without advance warning. But the announcement did little to quell outrage about the initial decision to use ID.me’s tools and senators on both sides of the aisle continue to raise concerns about what information ID.me gained access to. “Despite well-documented concerns with this technology — especially for individuals who have poor internet service at home, rely on computers in public libraries, use older phones, or for whom English is not their first language — the IRS required the use of this technology to access and review advanced child tax credit (CTC) payment information,” the senators added. “Nearly 35 million families received the advanced Child Tax Credit last year, including numerous Black, Hispanic, Asian, and Native American families, and many immigrant families using an Individual Taxpayer Identification Number.” 

Menendez said the IRS and ID.me need to clarify whether facial recognition will remain an option for verification during the 2022 filing season. “If it will remain an option, we request the IRS clarify how it will ensure taxpayers using ID.me — especially last-minute filers — are not forced to rely on facial recognition technology as their only practical option to avoid long wait times for live-video verification,” the letter said.

The senators demanded the IRS and ID.me send them a list of all federal, state, or local law enforcement agencies that would have been provided access to biometric data through the IRS’ ID.me verification system no later than Friday, February 25. “Congress has repeatedly expressed concern with the development of an unconstrained and pervasive surveillance infrastructure, fueled by systems like ID.me. The Project on Government Oversight (POGO), a leading oversight watchdog, has cautioned that the use of this type of technology often plays an outsized role in law enforcement investigations, despite serious flaws that can lead to wrongful arrests and civil rights violations,” the senators wrote.The letter also explains a range of concerns Congress has about how ID.me will manage the vast amount of government documents provided by American taxpayers since the IRS started using the platform last summer. “We are concerned about whether taxpayers will be offered a meaningful choice to protect their biometric data, whether ID.me will properly manage the vast amount of biometric data provided by taxpayers, and whether there has been substantial oversight of this facial recognition technology since the launch of ID.me verification at the IRS last summer,” the letter added.The senators’ letter comes as 46 civil rights organizations continue the push to stop other government agencies at the federal and state level from using ID.me for vital services. ID.me says it is used by agencies in 30 states as well as by the Veterans Affairs Administration and Social Security Administration. 

Led by EPIC in partnership with Algorithmic Justice League and Fight for the Future, the organizations’ letter demands that all federal and state government agencies immediately end their use of ID.me and any other facial verification tools. It also highlights the lack of assessments by federal and state agencies to determine whether face verification technology has a disproportionate impact on marginalized groups, and argues that “sensitive biometric data should not be used to access government services.” The letter also asserts that ID.me’s recent announcement about offering a non-facial verification option to all users doesn’t adequately address the massive privacy and security concerns created by ID.me’s tools, arguing that “the vast majority of people are not aware of the risks associated with handing over their sensitive biometric information, and making this tech ‘optional’ puts the onus on the individual to have the right information about those risks.”Evan Greer, director of Fight for the Future, said in addition to ending all contracts, a full scale investigation is needed to reveal how it came to be that US tax dollars were used “for such invasive and unsafe technology.””The revelations about ID.me exploiting its workers, lying about its facial recognition technology, and continuing to recklessly amass millions of people’s personal data all point to the same conclusion: it’s irresponsible and unacceptable to do business with a company as shady as ID.me, much less allow it anywhere near our most personal information,” Greer said.

Government More

The US Justice Department announced on Thursday that seasoned prosecutor Eun Young Choi has been chosen to lead the National Cryptocurrency Enforcement Team (NCET). Before working as senior counsel to Deputy Attorney General Lisa Monaco, Choi was an Assistant US Attorney for the Southern District of New York serving as the office’s Cybercrime Coordinator. She helped lead the investigations into a number of cybercrimes, including a hack involving J.P. Morgan Chase, while also prosecuting those connected to Coin.mx. 

The Harvard graduate previously argued in the appeal case of Silk Road founder Ross Ulbricht and participated in the only US prosecution brought in connection with the “Panama Papers.” Choi is starting work in her new position at NCET today. “The department has been at the forefront of investigating and prosecuting crimes involving digital currencies since their inception,” said Choi, who will serve as director of NCET. “The NCET will play a pivotal role in ensuring that as the technology surrounding digital assets grows and evolves, the department in turn accelerates and expands its efforts to combat their illicit abuse by criminals of all kinds. I am excited to lead the NCET’s incredible and talented team of attorneys, and to get to work on this important priority for the department.”  NCET was created last year to tackle “the criminal misuse of cryptocurrencies and digital assets,” with a focus on virtual currency exchanges, mixing and tumbling services, infrastructure providers, and other entities. Blockchain analytics company Chainalysis said last month that cybercriminals managed to launder at least $8.6 billion worth of cryptocurrency in 2021, a 30% increase compared to 2020. The company released another report this week highlighting the connections between cybercriminals and a vast crypto exchange infrastructure designed to launder stolen funds.  

The Justice Department is coming off of a streak of successes. A DOJ restraining order revealed that $30 million was seized from NetWalker ransomware affiliate Sebastien Vachon-Desjardins, who was sentenced to seven years in prison for hacking several companies. Two weeks ago, the Department of Justice announced the seizure of more than $3.6 billion in cryptocurrency that was stolen during an attack on the Bitfinex cryptocurrency exchange in August 2016. The DOJ arrested 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan for their role in attempting to launder 119,754 bitcoin that were stolen during the attack on the Hong Kong exchange. Deputy Attorney General Lisa Monaco called the seizure the “department’s largest financial seizure ever.”Assistant Attorney General Kenneth Polite Jr. said NCET will serve as the focal point for the department’s efforts to tackle the growth of crime involving cryptocurrency. He called Choi an “accomplished leader on cyber and cryptocurrency issues” and noted that the problem has emerged as one of the most important the office deals with. “With the rapid innovation of digital assets and distributed ledger technologies, we have seen a rise in their illicit use by criminals who exploit them to fuel cyberattacks and ransomware and extortion schemes; traffic in narcotics, hacking tools and illicit contraband online; commit thefts and scams; and launder the proceeds of their crimes,” Polite Jr. said.   More

Singapore is aiming to build a quantum-safe network that it hopes will showcase “crypto-agile connectivity” and facilitate trials with both public and private organisations. The initiative also includes a quantum security lab for vulnerability research. The three-year initiative is led by the Quantum Engineering Programme (QEP), with SG$8.5 million ($6.31 million) set aside to fund its deployment. Supported by the National Research Foundation (NRF), the project has roped in 15 partners from the public and private sectors including two local universities, ST Telemedia Global Data Centres, Cyber Security Agency, and Amazon Web Services (AWS). QEP was launched in 2018 to provide the research and ecosystem needed to drive the development of quantum technologies. Its work focuses on four key areas including quantum sensing, quantum communication and security, and the establishment of a national quantum fabless foundry. 

Its plans for a national quantum-safe network (NQSN) would facilitate trials of commercial technologies and in-depth evaluation of security systems. It also would develop guidelines to support companies in adopting such technologies, QEP said in a statement Thursday. It added that the nationwide trials of quantum-safe communication technologies aimed to provide robust network security for critical infrastructures and companies handling sensitive data. This was critical as public-key encryption was expected to be vulnerable to attacks by quantum computers in future. There was increasing urgency to address the cybersecurity threat as the technology advanced, QEP said.”Quantum-safe communication technologies are designed to counter the threat of quantum computing with specialised hardware and new cryptographic algorithms,” it said. “They could secure communication systems for governments, critical infrastructure such as energy grids, and companies handling sensitive data in areas such as healthcare and finance.”

Quantum-safe cryptography or post-quantum cryptography looks to establish algorithms that can combat attacks by both traditional and quantum computers. Hosted on National University of Singapore (NUS), the NQSN would provide quantum key distribution, which offered a hardware approach to quantum-safe communication. This involved the installation of devices to create and receive quantum signals, QEP explained. The network also would offer post-quantum cryptography, in which software was enhanced to run new cryptographic algorithms deemed to be resistant to attacks by quantum computers. The NQSN initially would comprise 10 network nodes to be rolled out across the city-state, connected to fibre. These would include two at NUS, two at Nanyang Technological University (NTU), and others on the premises of government and private organisations. Expected to be up within a year, the nodes would be connected to provide a public network that could serve as a living lab for companies looking to experience quantum-safe communication technologies. This would run separate from government and private networks trialling applications, according to QEP. Another experimental node at NUS would provide a free-space fibre connection to the public network. This could facilitate the development of technologies that could extend secure links to locations unable to connect to fibre, such as boats.A quantum security lab also would be set up to facilitate advanced quantum security vulnerability research and security design. NQSN’s co-coordinator and Fraunhofer Singapore’s department director for cyber and information security, Michael Kasper, said: “Quantum-safe communication can play a crucial role in long-term information security. With NQSN, we aim to demonstrate crypto-agile connectivity for our partners and support the deployment of quantum networks for broader use in industry and society.”Fraunhofer, along with NUS and NTU, would provide expertise, coordination, and locations for hardware needed in the initiative. Other partners such as NetLink Trust and ST Telemedia would provide access to Singapore fibre network and develop use cases, respectively. CSA would work with its Common Criteria testing labs T-Systems and UL on security certification of quantum-safe technologies, while DSO National Laboratories and Horizon Quantum Computing would partake in quantum network research projects.”Singapore can build on its heritage in quantum science, optics, and cybersecurity engineering to become a trusted global provider of quantum network technology and services, said Charles Lim, NQSN’s lead principal investigator and assistant professor with NUS’ Department of Electrical and Computer Engineering and Centre for Quantum Technologies. “In NQSN, we will bring quantum innovation to deployed optical networks, where we can study operational issues such as a quantum network’s reliability and resilience together with our industry partners,” Lim said. RELATED COVERAGE More

The number of ransomware attacks has more than doubled over the last year as cybercriminals continue their relentless campaigns to hold networks and data to ransom.According to an analysis by cybersecurity researchers at SonicWall, the volume of attempted ransomware attacks targeting their customers rose by 105% in 2021, to a total of 623.3 million attempted incidents throughout the year. The figure also represents more than triple the number of attempted ransomware attacks recorded in 2019.The biggest surge in ransomware attacks came between June and September 2021, a period that featured some of the most significant incidents of last year. These included the Colonial Pipeline ransomware attack, the JBS ransomware attack and the Kaseya ransomware attack.Both Colonial and JBS were among the ransomware victims who opted to pay cybercriminals millions of dollars in ransom demands in order to obtain a decryption key to restore their networks.Cybersecurity providers and law enforcement agencies recommend against giving in to ransom demands, as it shows criminals that ransomware attacks work. But in some cases, victims perceive it to be the most efficient way of restoring the network – although even with the correct decryption key, this can still take months of effort.Cybercriminals are also using the extra leverage provided by threatening to leak data stolen from compromised networks if they don’t receive a ransom payment.

SEE: A winning strategy for cybersecurity (ZDNet special report)According to SonicWall’s statistics, the United States was by far the largest target for ransomware attacks, but the volume of detected incidents more than doubled in many regions around the world including Europe and Asia.While action has been taken against some significant ransomware groups, such as the apparent takedown of REvil in January, the SonicWall report warns that this has been “largely ineffective” in stemming the tide of ransomware as a whole.”Due to the lucrative nature of ransomware, as soon as one group is taken down, new ones rise to fill the void,” says the paper. But despite the continuing scourge of ransomware, according to SolarWinds, there are relatively simple steps that organisations can take to prevent them from falling victim – such as practising better password hygiene and using multi-factor authentication.Cracking simple passwords is one of the easiest ways for cybercriminals to gain access to accounts and networks, particularly if they’re common passwords, or the username and password have previously been leaked in a breach. Using unique passwords on accounts can help prevent unauthorised access.In addition, applying multi-factor authentication across the network provides an extra barrier of protection against hackers attempting to breach an account.”The Colonial Pipeline breach could almost certainly have been prevented with the use of two-factor authentication,” said the paper.”While cyberdefense has become more sophisticated and specialized over time, in some cases the simplest prevention is still some of the best”.MORE ON CYBERSECURITY More

Microsoft has warned of new threats impacting blockchain technologies and Web3 including “ice phishing” campaigns. 

The blockchain, decentralized technologies, DeFi, smart contracts, the concept of a ‘metaverse’ and Web3 — the decentralized foundation built on top of cryptographic systems that underlay blockchain projects — all have the potential to produce radical changes in how we understand and experience connectivity today. Read on: What is Web3? Everything you need to know about the decentralized future of the internetHowever, with every technological innovation, there may also be new avenues created for cyberattackers and Web3 is no exception.  Today’s most common threats include mass spam and phishing conducted over email and social media platforms, social engineering, and vulnerability exploitation.  On February 16, the Microsoft 365 Defender Research Team said that phishing, in particular, has made its way over to the blockchain, custodial wallets, and smart contracts – “reaffirming the durability of these threats as well as the need for security fundamentals to be built into related future systems and frameworks.” Microsoft’s cybersecurity researchers say that phishing attacks focused on Web3 and the blockchain can take various forms. 

One of the threats to watch out for is an attacker trying to obtain the private, cryptographic keys to access a wallet containing digital assets. While emailed phishing attempts do occur, social media scams are rife. For example, scam artists may send direct messages to users publicly asking for help from a cryptocurrency service — and while pretending to be from a support team, they ask for the key.  Another tactic is by launching fake airdrops for free tokens on social media sites, and when users try to access their new assets, they are redirected to malicious domains that either try to steal credentials or execute cryptojacking malware payloads on a victim’s machine.  In addition, cybercriminals are known to conduct typo-squatting to impersonate legitimate blockchain and cryptocurrency services. They register website domains containing small errors or changes — such as cryptocurency.com rather than cryptocurrency.com — and set up phishing websites to steal keys directly.  Ice phishing is different and ignores private keys entirely. This attack method attempts to dupe a victim into signing a transaction that hands over the approval of a user’s tokens to a criminal.  Such transactions can be used in DeFi environments and smart contracts to permit a token swap to take place, for example.
Microsoft
“Once the approval transaction has been signed, submitted, and mined, the spender can access the funds,” Microsoft noted. “In case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all victim’s wallets quickly.”The most high-profile example of ice phishing is last year’s BadgerDAO compromise. Attackers were able to compromise the front-end of BadgerDAO to obtain access to a Cloudflare API key, and malicious scripts were then injected — and removed — from the Badger smart contract.  Customers with high balances were selected and they were asked to sign fraudulent transaction approvals. BadgerDAO said in a post-mortem of the phishing attack that “the script intercepted Web3 transactions and prompted users to allow a foreign address approval to operate on ERC-20 tokens in their wallet.” “After phishing a number of approvals, a funding account sent 8 ETH to the exploiter’s account to fuel a series of transferFrom calls on the users’ approved tokens,” BadgerDAO said. “This allowed the attacker to move funds on behalf of the users to other accounts, which then liquidated the funds and exited via the Badger Bridge to BTC.” Approximately $121 million was stolen. An audit and recovery plan is underway.  “The Badger DAO attack highlights the need to build security into Web3 while it is in its early stages of evolution and adoption,” Microsoft says. “At a high level, we recommend that software developers increase security usability of Web3. In the meantime, end-users need to explicitly verify information through additional resources, such as reviewing the project’s documentation and external reputation/informational websites.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Trickbot malware is a thorn in the side of cybersecurity professionals and is now targeting the customers of 60 major institutions in phishing attacks and through web injections. 

Trickbot began its journey as a relatively simple Banking Trojan alongside the likes of Zeus, Agent Tesla, Dridex, and DanaBot. However, after the Dyre botnet was retired in 2016 and the infrastructure supporting the prolific Emotet botnet was disrupted by Europol and the FBI last year, more attention has been paid to Trickbot activities. The malware is modular, which means that users can adopt the software to conduct a wide range of attacks – and these assaults can be tailored depending on the desired victims. On February 16, Check Point Research (CPR) published a new study on Trickbot, noting that the malware is now being used in targeted attacks against customers of 60 “high profile” organizations, many of whom are located in the United States.  The companies themselves are not the victims of the malware. Instead, TrickBot operators are leveraging the brands’ reputations and names in numerous attacks.  According to CPR, the brands being abused by TrickBot include the Bank of America, Wells Fargo, Microsoft, Amazon, PayPal, American Express, Robinhood, Blockchain.com, and the Navy Federal Credit Union, among others.  Financial organizations, cryptocurrency exchanges, and technology firms are all on the list. 

The researchers have also provided technical details on three key modules – out of roughly 20 that Trickbot can use – used in attacks and to prevent analysis or reverse-engineering.  The first, injectDll, is a web injection module that can compromise a browser session. This module can inject JavaScript code into a browser to perform banking data and account credential theft, such as by diverting victims to malicious pages that appear to be owned by one of the legitimate companies mentioned above.  In addition, the module’s web inject format uses a tiny payload that is obfuscated to prevent detection.    TabDLL uses five steps to steal information. The malicious code opens up LSASS application memory to store stolen data, injects code into explorer.exe, and then forces the victim to enter login credentials before locking them out of their session. The credentials are then stolen and exfiltrated from LSASS using Mimikatz, before being whisked away to the attacker’s command-and-control (C2) server.  Furthermore, this module is also able to use the EternalRomance exploit to spread Trickbot across SMBv1 networks.  The third module of note is pwgrabc, designed to steal credentials from applications including the Chrome, Edge, Firefox and Internet Explorer browsers; Microsoft Outlook, FileZilla, TeamViewer, Git, and OpenSSH.  “Trickbot remains a dangerous threat that we will continue to monitor, along with other malware families,” the researchers say. “No matter what awaits TrickBot botnet, the thorough efforts put into the development of sophisticated TrickBot code will likely not be lost and the code would find its usage in the future.” In a separate research study published by IBM Trusteer in January, variants of Trickbot have been discovered that contain new features designed to hamper researchers trying to analyze the malware through reverse-engineering.  Alongside server-side injections and HTTPS C2 communication, Trickbot will throw itself in a loop if ‘code beautifying’ is detected – the automatic clean-up of code to make it more readable and easier to analyze. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A businessman has pleaded guilty to charges laid against him for selling and using surveillance tools and malware in Mexico and the United States. 

On February 15, the US Department of Justice (DoJ) said that Carlos Guerrero, a resident of Chula Vista, California and Tijuana, Mexico, admitted to “conspiring to sell and use hacking tools manufactured by private companies in Italy, Israel and elsewhere.”The 48-year-old appeared in a San Diego federal court, where prosecutors alleged that Guerrero owned a number of companies registered in the US and Mexico that were used as sales brokers for “interception and surveillance tools.” According to the DoJ, the firms worked with Mexican government clientele, commercial, and private customers.  In 2014 and 2015, Guerrero worked with an Italian company that developed tools for hacking devices and tracking victim locations.  Over time, the businessman expanded his reach and secured further brokerage deals with other surveillance software developers located in Israel and elsewhere.  By 2016 – 2017, Guerrero was brokering the sales of hardware able to jam signals, kits designed to intercept and eavesdrop on Wi-Fi connections, IMSI catchers, and software able to compromise the WhatsApp messaging system. 

“Guerrero admitted to knowing that, in some cases, his Mexican government clients intended to use the interception equipment for political purposes, rather than for legitimate law enforcement purposes,” prosecutors say.  In one example, Guerrero “knowingly” arranged for a mayor in Mexico to use the brokered technologies to break into a rival’s iCloud, Hotmail, and Twitter accounts. In another, a Florida-based sales representative was targeted for their phone and email records in exchange for a $25,000 payment.  Guerrero is yet to be sentenced. He faces a maximum penalty of five years in prison and a $250,000 fine.  “The world we live in is increasingly interconnected by technology meant to improve our lives, but as seen in this case, this same technology can be acquired by bad actors with harmful intentions,” commented Chad Plantz, Special Agent in Charge for HSI San Diego. “HSI and our law enforcement partners will remain committed to bringing to justice those who attempt to manipulate these platforms for nefarious purposes.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The State of Missouri will not prosecute a journalist branded a “hacker” for viewing website source code and reporting a serious security leak. 

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud published a story documenting the exposure of Social Security numbers belonging to teachers, administrators, and counselors caused by security flaws in the Missouri Department of Elementary and Secondary Education’s website. Over 100,000 SSNs were reportedly exposed.  Renaud discovered the issue in a search function on the website and all it took to find SSNs was to press F12 and view the website’s HTML through the developer console.  The news outlet did not go ahead with the story until the department took the impacted pages down and remove the search tool.  St. Louis Post-Dispatch reported the flaw, that allowed anyone with a browser to view this sensitive data, privately to DESE prior to publication. However, Missouri Governor Mike Parson took a dim view of the responsible disclosure.  On Twitter, Parson alleged that the journalist “took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.”

Parson said: “This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.” Locke Thompson, a Cole County Prosecutor, has declined to press charges. In a statement last week (.PDF), Thompson thanked the governor for his concerns and while “there is an argument to be made that there was a violation of law,” the “issues at the heart of the investigation have been resolved through non-legal means.” “As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case,” the prosecutor said.  The Cole County Prosecutor’s Office will not comment further on the case. After the threat of prosecution was dissolved, Post-Dispatch Publisher Ian Caso said that the “accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes.” Renaud said the decision was a “relief” but does not “repair the harm done to me and my family.” In an interview with St. Louis on the Air, the journalist added that the governor has missed an opportunity to “change the public discourse” and “to change the way the politics are done in the state.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More