More stories

  • New York State fixes vulnerability in COVID-19 passport app that allowed storage of fake vaccine credentials

    New York state has fixed an issue with the Excelsior Pass Wallet that allows users to acquire and store COVID-19 vaccine credentials.The issue — discovered by researchers at the NCC Group — allows someone “to create and store fake vaccine credentials in their NYS Excelsior Pass Wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine.” The researchers found that the application did not validate vaccine credentials added to it, allowing forged credentials to be stored by users.New York State was notified of the issue on April 30 but spent months ignoring messages from the NCC Group. It was only until the researchers contacted NYS ITS Cyber command center in July that they got a response from the state about the problem.A patch solving the issue was released on August 20. New York State officials did not respond to requests for comment from ZDNet. Siddarth Adukia, technical director at NCC Group, told ZDNet that the widespread rollout of vaccine credential passport applications and their inherent security and privacy implications make them a natural area of interest for security research. “At NCC Group, we’ve been looking into a number of these apps recently. We wanted to gauge the extent to which a user (or venue) should trust these systems, and how the privacy of someone using such systems would be affected,” Adukia said. 

    “We started with the NYS Excelsior Pass applications as they were one of the first to roll out in the US, and we had consultants who live in New York State, including myself, who were personally vested in assuring the security and privacy of the system. We found the issue after threat modeling possible attack and abuse vectors against the application and the system in general.” Adukia said his team reverse-engineered the mobile application and intercepted network traffic, allowing them to examine the application for possible problems such as information leaks, weak cryptography and other common application security issues. Adukia explained that the application allows users to scan a QR code to add a credential to the wallet or add one through the device’s photo gallery. “The issue we found allowed fake credentials to be stored in the wallet. Both vectors allowed even non-technical users to scan a fake credential (created by themselves or via a website), and store it as a digital vaccine credential in the NYS Excelsior Wallet application,” Adukia added. “Users could then present the credential through the official app to venues, and attempt to gain physical access. A lot of venues don’t use the scanner app or ignore the verification results and trust the seemingly legitimate data on a user’s device, allowing bypass of credential checking.” The current version of the app available in stores is not susceptible to this issue, Adukia noted, but users who may not have updated to the latest version of the app can still upload forged vaccine credentials today. In a technical advisory from NCC Group, researchers included screenshots of forged credentials that can be scanned by the Wallet app and added as a legitimate pass.

    [Image: a screenshot of the fake credentials. Source: NCC Group]

    Adukia said NCC Group researchers are currently analyzing and discussing issues in other state-run COVID-19 apps and plan to follow the routine disclosure processes with any vendors. Millions of people have found ways to acquire fake vaccine cards or other verifications allowing them to pretend they received one of the many free COVID-19 vaccines available in the US. A variety of COVID-19 vaccine verifications are being sold at increasingly low prices on the dark web, according to a report in August from Check Point Research. Researchers found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100. Check Point Research’s study found the fake vaccine verifications being advertised in groups with more than 450,000 members. In March, a previous report from the company found that the price for fake vaccine passports was around $250 on the dark web and that advertisements for the scams were reaching new levels. The researchers can now find fake certificates being sold by groups and individuals in the US, UK, Germany, Greece, Netherlands, Italy, France, Switzerland, Pakistan and Indonesia. The spike in demand for fake vaccine passports and cards comes as hundreds of companies are forcing employees and customers to show evidence of COVID-19 vaccination before coming into offices or businesses.
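The flaw described above is a wallet that stores whatever credential it is handed without checking who issued it. The Go program below is an added example, not code from NCC Group or New York State, and its credential format, the issuer name "nys" and the key pairs are constructed for the illustration: AddPassUnchecked stores anything that parses, while AddPass stores a credential only after its Ed25519 signature verifies under an issuer key the wallet already trusts, which is the check both a wallet and a venue's scanner need to make before treating a pass as genuine.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is a constructed vaccine-credential payload for this example,
// standing in for whatever a real pass QR code encodes.
type Credential struct {
	Issuer     string `json:"iss"`
	Subject    string `json:"sub"`
	Vaccinated bool   `json:"vaccinated"`
}

var ErrMalformed = errors.New("malformed pass")
var ErrUntrustedIssuer = errors.New("issuer not in wallet trust list")
var ErrBadSignature = errors.New("credential signature does not verify")
var b64 = base64.RawURLEncoding

// IssuePass encodes a credential as base64url(json) "." base64url(Ed25519 signature).
func IssuePass(cred Credential, priv ed25519.PrivateKey) string {
	payload, _ := json.Marshal(cred) // a struct of strings and bools always marshals
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// Wallet stores credentials and knows which issuer public keys it trusts.
type Wallet struct {
	TrustedIssuers map[string]ed25519.PublicKey
	Stored         []Credential
}

// parsePass splits and decodes a pass without deciding whether to trust it.
func parsePass(pass string) ([]byte, []byte, Credential, error) {
	var cred Credential
	i := strings.IndexByte(pass, '.')
	if i < 0 {
		return nil, nil, cred, ErrMalformed
	}
	payload, err1 := b64.DecodeString(pass[:i])
	sig, err2 := b64.DecodeString(pass[i+1:])
	if err1 != nil || err2 != nil || json.Unmarshal(payload, &cred) != nil {
		return nil, nil, cred, ErrMalformed
	}
	return payload, sig, cred, nil
}

// AddPassUnchecked mirrors the reported flaw: anything that parses is stored.
func (w *Wallet) AddPassUnchecked(pass string) error {
	_, _, cred, err := parsePass(pass)
	if err == nil {
		w.Stored = append(w.Stored, cred)
	}
	return err
}

// AddPass is the hardened path: a credential is stored only if its signature
// verifies under the public key of an issuer the wallet already trusts.
func (w *Wallet) AddPass(pass string) error {
	payload, sig, cred, err := parsePass(pass)
	if err != nil {
		return err
	}
	pub, ok := w.TrustedIssuers[cred.Issuer]
	if !ok {
		return ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	w.Stored = append(w.Stored, cred)
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil) // constructed issuer key pair
	_, forgerPriv, _ := ed25519.GenerateKey(nil)         // a forger's own key pair
	w := &Wallet{TrustedIssuers: map[string]ed25519.PublicKey{"nys": issuerPub}}
	forged := IssuePass(Credential{Issuer: "nys", Subject: "mallory", Vaccinated: true}, forgerPriv)
	genuine := IssuePass(Credential{Issuer: "nys", Subject: "alice", Vaccinated: true}, issuerPriv)
	fmt.Println("unchecked forged:", w.AddPassUnchecked(forged)) // <nil>: forgery stored
	fmt.Println("checked forged:", w.AddPass(forged), "| genuine:", w.AddPass(genuine))
}
```

The same verification belongs in the venue-side scanner: a pass that only looks right on a phone screen proves nothing unless the signature is checked against a published issuer key.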

  • Fujitsu confirms stolen data not connected to cyberattack on its systems

    Fujitsu has confirmed that data being marketed by cybercriminals is not related to any cyberattack on its systems. Criminal marketplace Marketo claimed to have 4GB of data from Fujitsu last month and began marketing it widely. At the time, Fujitsu said it was investigating a potential breach and told ZDNet that “details of the source of this information, including whether it comes from our systems or environment, are unknown.” Marketo claimed to have confidential customer information, company data, budget data, reports and other company documents, including project information. But now both sides have confirmed that the stolen data is not connected to Fujitsu and is instead related to one of the company’s partners in Japan. Fujitsu spokesperson Andrew Kane sent an update to ZDNet confirming that an investigation revealed the stolen data was not from the company’s systems, and he noted that even Marketo has since changed how it is marketing the stolen data. “While Fujitsu is aware that Marketo claims that it has uploaded data pertaining to the commercial relationship between Fujitsu and a customer in Japan, we have conducted a thorough review of this incident, and to date there are no indications that this data comes from Fujitsu systems or environments,” Kane said.

    “As for the authenticity and origins of the data, we’re not in a position to speculate and will refrain from further comment for the time being.” Marketo has also changed its tune, now writing that the stolen data is entirely from Japanese manufacturing giant Toray Industries. Toray Industries did not respond to requests for comment. Ivan Righi, a cyber threat intelligence analyst with Digital Shadows, said in August that the 24.5MB ‘evidence package’ initially provided on Marketo had screenshots of data relating to Toray. But many thought the data came from Fujitsu and not Toray Industries. Marketo is still using the Fujitsu logo to market the stolen data but has changed the description under the photo to focus on Toray Industries. While security experts have previously said the data on Marketo is generally accurate, the changes and revelations are yet another example of how unreliable criminal marketplaces like Marketo can be.

  • Turbocharge your IT career with this cybersecurity training that is on sale for just $30

    Cybersecurity is one of the highest-paid careers in the tech industry, probably because those skills were cited as most in demand by over a third of IT professionals surveyed around the globe. So if you’ve reached even an intermediate level of experience in a tech position, you can turbocharge your career into one of the hottest jobs on the market by training at your own pace with the very affordable Ultimate 2021 Cyber Security Survival Training Bundle. The Cisco 210-260 IINS: Implementing Cisco Network Security course covers the technologies used by the company in its security infrastructure, so it’s perfect for anyone who specifically wants to work for one of the most successful tech companies in the world. All of the other courses are vendor-neutral. The Certified Information Systems Auditor (CISA) course is good for anyone from entry-level to mid-career IT professionals. It covers everything you need to gain skills that will qualify you for positions that require you to monitor, assess, audit, and control a company’s business and IT systems. With so much of today’s technology residing in the cloud, the Cloud Computing Security Knowledge (CCSK) course can qualify you for a certification that will really polish up a resume. It teaches the fundamentals of how to keep data secure in the cloud and provides a foundation for more advanced cloud credentials. Anyone looking to level up to a management position will probably find the Certified Information Security Manager (CISM) class extremely helpful. It covers program development and management as well as incident and risk management. Those who already have a couple of years of experience in security-related IT administration would benefit from the CompTIA Security+ SY0-501 class. You’ll learn all about secure installation and configuration of devices, networks, and applications, as well as threat analysis, risk mitigation, and much more. ITU Online Training has specialized in technical skills for almost a decade, using video modules created by highly qualified instructors. All of the courses include practice exams, a note-taking function, and progress trackers. So it’s no wonder the company has over 650 000 satisfied students, as well as numerous awards such as Cybersecurity Excellence and Best in Biz.

    Don’t pass up this opportunity to train for a highly paid tech career. Grab The Ultimate 2021 Cyber Security Survival Training Bundle today while it’s on sale for just $29.99.


  • Healthcare orgs in California, Arizona send out breach letters for nearly 150 000 after SSNs accessed during ransomware attacks

    Two healthcare organizations have begun sending out breach notification letters to thousands of people in California and Arizona after both revealed that sensitive information — including Social Security numbers, treatment information and diagnosis data — was accessed during recent cyberattacks. LifeLong Medical Care, a California health center, is sending letters to about 115 000 people about a ransomware attack that took place on November 24, 2020. The letter does not say which ransomware group was involved but said Netgain, a third-party vendor that provides services to LifeLong Medical Care, “discovered anomalous network activity” and only determined it was a ransomware attack by February 25, 2021. It took until August 9, 2021, for Netgain and LifeLong Medical Care to complete their investigation, and the companies eventually found that full names, Social Security numbers, dates of birth, patient cardholder numbers, treatment and diagnosis information were “accessed and/or acquired” during the attacks. LifeLong Medical Care urged those affected to enroll in credit monitoring services, place fraud alerts or security freezes on credit files, obtain credit reports and “remain vigilant” when it comes to “financial account statements, credit reports and explanation of benefits statements for fraudulent or irregular activity.” A toll-free response line at (855) 851-1278 has been created for anyone with questions. Arizona-based Desert Wells Family Medicine was forced to send out a similar letter to 35 000 patients after it too was hit by a ransomware attack that exposed sensitive patient information.

    Desert Wells Family Medicine discovered it was suffering from a ransomware incident on May 21 and immediately hired an incident response team to help with recovery. Law enforcement was also notified of the attack. Still, the healthcare facility found that the ransomware group “corrupted the data and patient electronic health records in Desert Wells’ possession prior to May 21.” The data held by the healthcare facility and its backups were unrecoverable after the threat actors accessed them. “This information in the involved patient electronic health records may have included patients’ names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information,” Desert Wells Family Medicine said in its letter. The organization said it is still in the process of rebuilding its patient electronic health record system and said it would also offer victims “complimentary credit monitoring and identity theft protection services.” “Patients also are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see any medical services they did not receive,” the letter added. Ransomware groups have shown no signs of slowing down in their attacks on healthcare facilities during the COVID-19 pandemic. With the Delta variant of the virus causing hospitals to fill up with patients, ransomware actors have stepped up their attacks, knowing that the urgency of the situation will force hospitals to pay ransoms. Sascha Fahrbach, cybersecurity evangelist at Fudo Security, said these latest attacks show that the healthcare industry, with its valuable personal information, continues to be a tempting and lucrative target for hackers and insiders.

    “There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data,” Fahrbach said. “In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk.” The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that the group typically corrupts backups as well. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. “Unfortunately, many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Memorial Health System CEO Scott Cantley said.

  • Google debuts new Private Compute features in ramp up of Android security

    Google has introduced new features to Android’s Private Compute Core, a secure environment currently in the beta stages of development.

    On Thursday, Suzanne Frey, VP, Product, Android & Play Security and Privacy, said in a blog post that the new suite will “provide a privacy-preserving bridge between Private Compute Core and the cloud.” Currently in Android 12 Beta, Private Compute Core is an open source platform that aims to isolate itself from other apps and the main operating system on an Android device to improve privacy and security. The new features are:

    • Live Caption: Captions added to media using on-device speech recognition
    • Now Playing: Machine learning (ML) algorithms able to recognize music playing nearby
    • Smart Reply: Suggests relevant responses based on the messaging and active conversations

    While these features, in themselves, aren’t privacy-based, Google says that new functionality will be implemented with each Android release — and each one brings the sandboxed Android area closer to completion. Each feature uses ML, and to keep the data they gather private and secure — including speech records, environmental noise detection, and the context of conversations, should users enable it — that data will be processed in the Private Compute Core and will not be shared with other apps unless expressly permitted by the handset owner. Frey added that the core will “let your device use the cloud (to download new song catalogs or speech-recognition models [for example]) without compromising your privacy.”

    Google intends to publish the source code of Private Compute Services to allow third-party researchers the opportunity to perform audits. “We’re enthusiastic about the potential for machine learning to power more helpful features inside Android, and Android’s Private Compute Core will help users benefit from these features while strengthening privacy protections via the new Private Compute Services,” Frey commented. Google outlined plans to improve Android security in February. A particular focus for the tech giant is to tackle memory safety problems — such as corruption and buffer overflows — as over half of vulnerabilities impacting the operating system are related to this area. In addition, media, Bluetooth, and NFC are also on the radar for hardening. The firm is encouraging developers to take advantage of programming languages including Java and Rust, and Google is also working on ways to improve the security of C and C++ applications.

  • IT leaders facing backlash from remote workers over cybersecurity measures: HP study

    A new study from HP has highlighted the precarious — and often contentious — situations IT teams are facing when trying to improve cybersecurity for remote workers. The new Rebellions & Rejections report from HP Wolf Security surveyed 1100 IT decision-makers and also gleaned insights from a YouGov online survey of 8443 office workers who now work from home. The study found that IT workers often feel like they have no choice but to compromise cybersecurity in order to appease workers who complain about how certain measures slow down business processes. Some remote workers — particularly those aged 24 and younger — outright reject cybersecurity measures they believe “get in the way” of their deadlines. More than 75% of IT teams said cybersecurity took a “backseat to business continuity during the pandemic,” and 91% reported feeling pressured into compromising security for business practices. Nearly half of all office workers under the age of 24 said cybersecurity tools were “a hindrance”, and 31% admitted to outright bypassing certain corporate security policies to get work done. Unfortunately, almost half of the office workers of all ages believe cybersecurity measures waste their time, and the figure increases to 64% among those under the age of 24. The survey found that 54% of 18-24-year-olds cared more about their deadlines than causing a data breach. Researchers found that 39% of respondents did not fully know what their organization’s security policies are, causing 83% of all IT workers surveyed to call remote work a “ticking time bomb” for data breaches.

    Ian Pratt, global head of security for personal systems at HP, said the fact that workers are actively circumventing security should be a worry for any CISO. “This is how breaches can be born,” Pratt said. “If security is too cumbersome and weighs people down, then people will find a way around it. Instead, security should fit as much as possible into existing working patterns and flows with unobtrusive, secure-by-design and user-intuitive technology. Ultimately, we need to make it as easy to work securely as it is to work insecurely, and we can do this by building security into systems from the ground up.” IT leaders have had to take certain measures to deal with recalcitrant remote workers, including updating security policies and restricting access to certain websites and applications. But these practices are causing resentment among workers, 37% of whom say the policies are “often too restrictive.” The survey of IT leaders found that 90% have received pushback because of security controls, and 67% said they get weekly complaints about it. More than 80% of IT workers said, “trying to set and enforce corporate policies around cybersecurity is impossible now that the lines between personal and professional lives are so blurred”, and the same number of respondents said security had become a “thankless task.” Nearly 70% said they were viewed as “the bad guys” because of the restrictions they impose to protect workers. “CISOs are dealing with increasing volume, velocity and severity of attacks. Their teams are having to work around the clock to keep the business safe while facilitating mass digital transformation with reduced visibility,” said Joanna Burkey, HP’s CISO. “Cybersecurity teams should no longer be burdened with the weight of securing the business solely on their shoulders; cybersecurity is an end-to-end discipline in which everyone needs to engage.” Burkey added that IT teams need to engage and educate employees on the growing cybersecurity risks while understanding how security impacts workflows and productivity. Cybersecurity experts like YouAttest CEO Garret Grajek said every new access method, user pool and technology adds attack vectors and vulnerabilities for hackers. “We just saw that even the best WFH plans might be vulnerable w/ over 500k of Fortinet VPN users being exposed,” Grajek noted. “As with the other attack vectors, enterprises have to assume they will be breached and then ensure that rogue users’ access and actions are mitigated or limited.”

  • US military reservist lands himself prison sentence for operating romance scams

    A former US Army reservist has been charged and sent behind bars for scams that targeted the lonely, the elderly, and businesses. 

    US prosecutors said this week that Joseph Iorhemba Asan Jr. will spend 46 months — or over three-and-a-half years — in prison for conducting both romance and Business Email Compromise (BEC) scams. According to the US Department of Justice (DoJ), from around February 2018 until October 2019, the former serviceman worked with a co-conspirator, named as Charles Ifeanyi Ogozy — another member of the US Army Reserves — to commit fraud “against dozens of victims across the United States, defrauded banks, and laundered millions of dollars in fraud proceeds to co-conspirators based in Nigeria.” The 24-year-old, based in Daytona Beach, Florida, worked with Ogozy to operate romance scams that focused on older men and women. Fake profiles were used to rope in these victims, who believed they were genuinely talking to love interests — and once trust was established, the requests for money began. BEC scams were also conducted by the pair. These forms of attack are usually based on phishing and social engineering, and they target businesses with fake correspondence requesting payment for invoices and services. The more sophisticated BEC groups out there may also compromise email communication streams between employees and tamper with the bank details used to pay supplier invoices, directing funds instead to accounts they control. “Notably, one of the victims of the defendants’ business email compromise scheme included a US Marine Corps veteran’s organization,” prosecutors say. Money fraudulently obtained through these schemes was sent to bank accounts controlled by Asan, Ogozy, and other criminal participants. At least 10 accounts were set up in eight banks, all of which were in the names of non-existent businesses including Uxbridge Capital LLC and Renegade Logistics LLC.

    In total, the DoJ says the scam artists transferred and received at least $1.8 million, a large proportion of which was withdrawn in cash and cannot be traced. Asan was arrested on October 31, 2019. He pled guilty to charges of conspiracy to commit bank fraud and wire fraud on December 23, 2020. After serving his prison sentence, Asan must also submit to three years of supervised release. There is a financial penalty, too. The scam artist has been ordered to forfeit $184,723 to the United States government and must pay his victims damages of $1,792,015. “Among the many victims of the internet scams facilitated by Joseph Asan were elderly women and men who were callously fooled into believing they were engaging online with potential romantic interests,” commented US Attorney Audrey Strauss. “[…] Asan’s crimes have indeed led to his own reversal of his fortune, as this former defender of this country now becomes a federal prisoner.” In July, Houston, Texas resident Akhabue “David Harrison” Ehis Onoimoimilin was issued a prison sentence of over seven years and was ordered to pay over $865,000 for conducting both romance and BEC scams. Onoimoimilin netted over $2.2 million by scamming his targets. The US Federal Trade Commission (FTC) estimates that in 2020, romance scams cost the average victim $2,500, with the overall loss of reported cases alone reaching $304 million in the United States.

  • Ukrainian man extradited to the US to face botnet, data theft charges

    A Ukrainian man was arrested in Poland and extradited to the US to face charges as an alleged botnet operator. 

    The US Department of Justice (DoJ) said this week that Glib Oleksandr Ivanov-Tolpintsev was taken into custody in Korczowa, Poland, on October 3 last year. As the US and Poland have an extradition treaty, the 28-year-old was then sent to the US to face charges that could land him up to 17 years in federal prison, if found guilty. Originally from Chernivtsi, Ukraine, Ivanov-Tolpintsev is suspected of being the operator of a botnet that was able to enslave devices infected with malware and automatically perform brute-force attacks against other internet-facing systems. If there is no protection in place to stop them, brute-force attacks try out username and password combinations in the hope of finding the right one. Once obtained, these login details can be used to access the target system — or, as in Ivanov-Tolpintsev’s case — can be sold on to other cyberattackers. According to the indictment, Ivanov-Tolpintsev, also known as “Sergios” and “Mars” online, was using an e-commerce front called “The Marketplace” to sell on the information stolen by his botnet. The alleged botnet operator claimed that his creation was capable of stealing up to 2,000 sets of credentials each week. Cyberscoop reports that investigators were able to track him down with the help of an email address used by the suspect to purchase vape products. The receipt it contained listed his home address and linked him to a phone number and passport. Prosecutors were also able to find other email addresses and a Gmail account connected to online retailers and his conversations with individuals on the dark web.

    Two other co-conspirators, allegedly the operators of The Marketplace, have also been charged but are yet to be named. Ivanov-Tolpintsev was presented to US Magistrate Julie Sneed on September 7 and has been detained ahead of his trial date. He faces charges of conspiracy, trafficking in unauthorized access devices, and trafficking in computer passwords, according to the DoJ. Alongside a potentially hefty prison sentence, if found guilty, US prosecutors also intend to pursue forfeiture of $82,648, the amount that could be traced as allegedly linked to the sale of data stolen by the suspect.