More stories

  • T-Mobile CEO apologizes for massive hack, announces cybersecurity deal with Mandiant

    T-Mobile’s CEO has finally spoken out about the massive hack that exposed millions of customers’ sensitive information, apologizing for the leak and announcing a cybersecurity pact with Mandiant. CEO Mike Sievert on one hand sought to downplay the incident — which led to the leak of nearly 48 million social security numbers alongside other information from a total of 50 million people — by touting the fact that no financial information was lost. He also implied that the leak of social security numbers, driver’s licenses and ID information was “like so many breaches before,” but admitted that the company had failed to keep its customers’ data safe.

    “The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them,” Sievert said. “We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.”

    Sievert explained that the company hired Mandiant to conduct an investigation into the incident and said it has since closed the server entry points that gave the hacker, allegedly 21-year-old John Binns, access to T-Mobile data. He would not provide more information about the breach because the company is “actively coordinating with law enforcement on a criminal investigation.” On Thursday, Binns openly took credit for the hack in an interview with the Wall Street Journal while mocking T-Mobile’s lackluster cybersecurity.

    “I was panicking because I had access to something big. Their security is awful,” Binns said, adding that he launched the attack because of his anger at US law enforcement agencies for allegedly torturing him in Germany and Turkey.

    Binns initially claimed he had access to the information of about 100 million customers, but T-Mobile later confirmed that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked. More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.

    Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

    “In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said. “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised.”

    T-Mobile will also put a banner on the MyT-Mobile.com account login page of others letting them know if they were not affected by the attack. Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.” The company will also be offering “Account Takeover Protection” to postpaid customers, which it said will make it more difficult for customer accounts to be fraudulently ported out and stolen. It urged customers to reset all passwords and PINs as well.

    Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLP to beef up its cybersecurity and give the telecommunications giant the “firepower” needed to improve its ability to protect customers from cybercriminals.

    “As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added. “They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.”

    Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future. T-Mobile did not respond to requests for further comment from ZDNet.

    The telecom giant, which is the second largest in the US behind Verizon, has a terrible cybersecurity track record. Before the attack two weeks ago, the company had announced four data breaches in the last three years.

  • Azure Cosmos DB alert: This critical vulnerability puts users at risk

    If you’re running NoSQL databases on Microsoft’s Azure cloud, chances are you’re running Cosmos DB. And, if that’s you, you’re in trouble. Even Microsoft has admitted that this newly discovered critical vulnerability, ChaosDB, enables intruders to read, change or even delete all your databases.

    Ouch! According to the Microsoft email describing the problem to affected customers, “Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.”

    That’s a good thing because according to the cloud security firm WIZ, which uncovered the ChaosDB security hole, it “gives any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment and impacts thousands of organizations, including numerous Fortune 500 companies.”

    How trivial is the exploit? Very. According to WIZ, all an attacker needs to do is exploit an easy-to-follow chain of vulnerabilities in Cosmos DB’s Jupyter Notebook. Jupyter Notebook is an open-source web application that is directly integrated with your Azure portal and Cosmos DB accounts. It allows you to create and share documents that contain live code, equations, visualizations, and narrative text. If that sounds like a lot of access to give to a web application, you’re right, it is. As bad as that is, once you have access to the Jupyter Notebook, you can obtain the target Cosmos DB account credentials, including the databases’ Primary Key. Armed with these credentials, an attacker can view, modify, and delete data in the target Cosmos DB account in multiple ways.

    To patch this hole, you must regenerate and rotate your primary read-write Cosmos DB keys for each of the impacted Azure Cosmos DB accounts. That’s easy enough. And, Microsoft claims, while this vulnerability is bad news, you don’t have to worry that much about it. Microsoft states:

    “We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent [the] risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.”

    WIZ isn’t so optimistic. While agreeing that Microsoft’s security team took immediate action to fix the problem and disabled the vulnerable feature within 48 hours of being told about ChaosDB, the researchers point out that “the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed.” I agree. It’s far better to be safe than sorry when dealing with a security hole of this size and magnitude.

  • Parents of teens who stole $1 million in Bitcoin sued by alleged victim

    The parents of two teenagers allegedly responsible for stealing $1 million in Bitcoin are being sued. 

    According to court documents obtained by Brian Krebs, Andrew Schober lost 16.4552 Bitcoin (BTC) in 2018 after his computer was infected with malware, allegedly the creation of two teenagers in the United Kingdom. The complaint (.PDF), filed in Colorado, accuses Benedict Thompson and Oliver Read, who were minors at the time, of creating clipboard malware. The malicious software, designed to monitor cryptocurrency wallet addresses, was downloaded and unwittingly executed by Schober after he clicked on a link, posted to Reddit, to install the Electrum Atom cryptocurrency application. During a transfer of Bitcoin from one account to another, the malware triggered a man-in-the-middle (MitM) attack, apparently replacing the address with one controlled by the teenagers and thereby diverting the coins into their wallets. According to court documents, this amount represented 95% of the victim’s net wealth at the time of the theft. At today’s price, the stolen Bitcoin is worth approximately $777,000. “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family,” the complaint reads.
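    Clipboard-swapping malware of the kind described above works because the victim pastes the attacker’s address without noticing that it differs from the one they copied. As an added example, not part of the complaint or of this article, the Python below shows the defender-side check a wallet (or a careful user) can run before signing: it verifies that the pasted string is a well-formed Base58Check address and, more importantly, that it equals the destination the user actually intended, for instance one held in the wallet’s address book. The Base58 helpers are written out here rather than taken from a library, and the two addresses are constructed for the demo, not real ones.

```python
# Added example (not from the complaint or the article): a pre-send check so that a
# clipboard-swapped destination is caught before the transaction is signed. Uses
# Base58Check, the encoding of legacy Bitcoin addresses; addresses are constructed.
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw):
    """Base58 encode bytes, mapping each leading zero byte to a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58decode(text):
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        if ch not in B58_ALPHABET:
            raise ValueError("not a base58 string")
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def make_address(version, payload20):
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    body = bytes([version]) + payload20
    return b58encode(body + _double_sha256(body)[:4])


def is_valid_base58check(addr):
    """True if addr decodes to 25 bytes whose trailing 4-byte checksum verifies."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return _double_sha256(raw[:-4])[:4] == raw[-4:]


def check_destination(intended, pasted):
    """Decide whether the pasted address is safe to send to.

    A clipboard hijacker substitutes a well-formed address of its own, so a
    checksum alone proves nothing: the pasted value must also equal the
    address the user meant to use (e.g. one stored in the wallet's address book).
    """
    valid = is_valid_base58check(pasted)
    matches = pasted == intended
    return {"valid": valid, "matches_intended": matches, "safe_to_send": valid and matches}


# Constructed demo addresses: the sender's real destination and an attacker's.
INTENDED = make_address(0x00, bytes(range(1, 21)))
SWAPPED = make_address(0x00, bytes(range(21, 41)))

if __name__ == "__main__":
    print("same address:   ", check_destination(INTENDED, INTENDED))
    print("swapped address:", check_destination(INTENDED, SWAPPED))
```

    The point the second call makes is that a swapped address passes the checksum just as well as the real one; only a comparison against an independently stored destination catches the substitution, which is why the sensible mitigation is an address book or a visual comparison of the full string rather than trust in the clipboard.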

    The pair, tracked down during an investigation paid for by Schober, are now adults and are studying computer science at UK universities. The mothers and fathers of Thompson and Read are named in the complaint. Emails were sent to the parents prior to the complaint requesting that the teenagers return the stolen cryptocurrency to prevent legal action from being taken. The letter reads, in part: “As his parents, I am appealing to you to first give him the chance to make this right, without involving law enforcement. Your son is obviously a very intelligent young man. I do not wish for him to be robbed of his future.” However, the requests, sent in 2018 and 2019, were met with silence.

    Schober’s complaint claims that the parents “knew or reasonably should have known” what their children were up to, and that they also failed to take “reasonable steps” to prevent further harm. In response (.PDF), the defendants do not contest the charge, but rather have filed a motion to dismiss based on two- and three-year statutes of limitation. “Despite his knowledge of his injury and the general cause thereof, Plaintiff waited to file his lawsuit beyond the two and three years required of him by the applicable statutes of limitations,” court documents say. “For this reason, Plaintiff’s claims against Defendants should be dismissed.” However, Schober’s legal team has argued (.PDF) that the teenagers were not immediately traced, and roughly a year passed between separately identifying Read and Thompson. Schober’s lawyers have requested that the motion to dismiss be denied.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Google: Here's how our $10bn investment will boost US cybersecurity

    Google has outlined its efforts to shape the US government’s zero-trust initiative, based on Biden’s May Executive Order on cybersecurity. Google’s $10 billion commitment to beefing up critical US infrastructure includes expanding zero-trust programs, helping to secure software supply chains, and enhancing open-source security. Its contributions will see the company leverage initiatives that have been underway at Google for many years, spanning open-source fuzzing tools, funding Linux kernel developers to work on security, and pushing for the use of memory-safe languages in Linux.

    It comes after US president Joe Biden called on the chiefs of Apple, Google, Microsoft and JPMorgan Chase earlier this week to beef up the nation’s protection of critical infrastructure. Although Google was not among the 18 cybersecurity companies selected to work with the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) program — which will establish Zero Trust designs for federal agencies to implement — it is now collaborating with NIST to develop a framework, Google’s Eric Brewer and Dan Lorenc said in a blog post. Zero Trust assumes that a network has been breached and refocuses cybersecurity on apps, data and people, rather than hardening the network perimeter.

    “Instead of being reactive to vulnerabilities, we should eliminate them proactively with secure languages, platforms, and frameworks that stop entire classes of bugs,” said Brewer and Lorenc.

    “Preventing problems before they leave the developer’s keyboard is safer and more cost-effective than trying to fix vulnerabilities and their fallout.”

    Biden appealed to the private sector at the White House cybersecurity summit on Wednesday, noting that the federal government alone couldn’t meet the challenge of protecting critical infrastructure from cyberattacks. Google and Microsoft committed $10 billion and $20 billion, respectively, over five years to improve the US response to future threats, following recent high-profile cyber attacks including the Colonial Pipeline ransomware attack, the SolarWinds software supply chain attack and widespread hacking of Microsoft Exchange server vulnerabilities.

    “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do,” Biden said, according to The Washington Post.

    In June, Brewer submitted four papers in response to Biden’s cybersecurity Executive Order 14028 on enhancing software supply chain security. One of the papers discusses the security problems inherent to coding in the C programming language and the emergence of Rust. “Secure languages and application frameworks can be used to impose a structure on software that enables high-confidence reasoning about its security, at scale,” Brewer wrote.

    “But ensuring that this requirement is actually fulfilled for real-world C code is challenging, and often requires difficult reasoning about heap memory structure. Similarly, it is difficult to ensure correct validation and escaping for all data that flows into a web application’s HTML markup, since data often passes through several components on its way from inputs to outputs, such as through a storage schema.”

    “In contrast, Rust has emerged as a practical alternative to C and C++ as a systems-development language, embodying a secure-by-construction stance on memory safety. Rust’s type system imposes an ownership discipline that ensures, for example, that freed memory cannot be accessed.”

    To that end, Google is backing a plan to get Rust into the Linux kernel as a second language to C. Lorenc and Brewer argue that software bugs should be limited from the outset, rather than just reacting to new vulnerabilities. Microsoft and Amazon Web Services are also backing Rust as a memory-safe alternative to C and C++ for systems programming.

    Google advocates for software code testing, including using tools from Microsoft-owned GitHub, such as Dependabot — a tool for keeping open-source software packages or dependencies up to date. Google also offered its opinion on the idea of software bills of materials (SBOMs) as part of the official US response to software supply chain attacks. The Linux Foundation is contributing to this aspect of Biden’s order. It’s a complex problem to solve in both open-source and proprietary software due to the vast number of library dependencies used in modern programs. “SBOMs need a reasonable signal-to-noise ratio: if they contain too much information, they won’t be useful, so we urge the NTIA [National Telecommunications and Information Administration] to establish both minimum and maximum requirements on granularity and depth for specific use-cases,” Google said.

  • US charges HeadSpin ex-CEO over fake $1bn valuation scheme

    The US Securities and Exchange Commission (SEC) has charged the former CEO of HeadSpin for allegedly defrauding investors.

    Founded in 2015 and based in Silicon Valley, HeadSpin markets itself as an AI testing, dev-ops, and mobile testing platform. The co-founder and former chief executive, Manish Lachwani, led the company until May 2020. According to the SEC and the US Department of Justice (DoJ), the 45-year-old allegedly defrauded investors out of $80 million “by falsely claiming that the company had achieved strong and consistent growth in acquiring customers and generating revenue.” For approximately two years, the executive allegedly pushed for a valuation beyond $1 billion by inflating key financial metrics, doctoring internal sales records, and falsely increasing the value of deals still under discussion with potential clients, presenting them as secure, guaranteed revenue streams. The SEC says that through these methods, as well as the creation of fake, inflated customer invoices, Lachwani also “enriched himself” by selling $2.5 million of his own HeadSpin shares during a funding round. Monique Winkler, Associate Regional Director of the SEC’s San Francisco Regional Office, said these activities misled investors into believing the startup had achieved “unicorn” status, the term used for a privately-held startup that passes the $1 billion valuation threshold. However, his alleged actions did not go unnoticed, and an internal investigation by the firm’s board found issues with HeadSpin’s financial reporting.

    According to the US agencies, the probe resulted in the startup’s valuation being slashed from $1 billion to $300 million. The former CEO was then required to resign. Lachwani was arrested on Wednesday by US law enforcement. HeadSpin has not been charged and says it is cooperating with the US agencies. The SEC’s complaint, filed in the Northern District of California, charges Lachwani with violating US antitrust laws. The regulator is pursuing penalties, an injunction, and a court order to prevent the former CEO from acting as an officer or director in the future. Separately, the DoJ has filed one count of wire fraud and one count of securities fraud against the former executive. If convicted, Lachwani faces a maximum sentence of 20 years in prison for each charge, as well as fines of up to $250,000 and $5 million, respectively.

  • Ransomware: It's only a matter of time before a smart city falls victim, and we need to take action now

    Ransomware attacks are going to get worse – and one could eventually take out the infrastructure of an entire 5G-enabled smart city, a cybersecurity expert has warned. Cyber criminals deploying ransomware regularly target government services. Not only do public sector IT budgets mean networks are less secure against attacks, but those networks are also used to provide vital services to the community. In some cases, local government agencies simply pay the ransom to decrypt the network and restore services, making them ideal targets for extortion.

    Urban infrastructure, including emergency services, transport, traffic light management, CCTV and more, is increasingly becoming connected to 5G Internet of Things (IoT) services and sensors in order to collect data and provide better, more efficient services. But while connected cities have the potential to improve urban services, any lack of security in IoT devices could make them a very appealing target for ransomware attacks – and, given the current ransomware climate, it’s not a matter of if, but when.

    “I look two years out and my prediction is a 5G smart city will be held for ransom. I don’t see anything happening right now that tells me that this prediction is not going to come true,” Theresa Payton, CEO of Fortalice Solutions and former CIO at The White House, said in an interview with ZDNet Security Update. There have been many cases of cities and public infrastructure being compromised by ransomware – and it can be extremely disruptive. When cyber criminals attack hospitals with ransomware, for example, the nature of the industry means that in many cases – but not all – health service providers feel as if they have no option but to pay.

    And the continued success of ransomware attacks means going after connected infrastructure is the logical next step for cyber criminals. “I just don’t see enough progress being made that we’re going to be able to eradicate ransomware – I see it getting a lot worse, unfortunately, before we really figure out how to tackle it and it gets better,” said Payton, adding that cyber criminals “really don’t care what the downstream impacts are, they’re just trying to make a buck”.

    However, measures can be applied across smart cities to help protect them against cyber attacks. Guidance on smart city security from the UK’s National Cyber Security Centre (NCSC) recommends that cities should only roll out devices from trusted vendors, and that no IoT device on the network should use the default username and password, as this makes them easy targets. Organisations should also regularly check to see whether credentials belonging to employees with high-level account privileges have been exposed in a data breach. If so, passwords – and perhaps even account names – should be changed in order to reduce the risk of them being abused by ransomware groups or other cyber criminals. “Look for those email accounts, look for those passwords, and think about actually abandoning email accounts that are in password data dumps that have access to core systems,” said Payton.

  • Home Affairs believes technological capability not there yet for cryptocurrency travel rule

    The Department of Home Affairs on Friday said it agrees with submissions from industry that government currently does not have the technological capability for implementing a travel rule for cryptocurrencies. A travel rule, if ratified, would require financial institutions to pass certain information on to another financial institution to provide more transparency regarding cryptocurrency movement. The travel rule was recommended by the Financial Action Task Force (FATF) in May, as it believed the rule would aid in preventing terrorists and other criminals from having unfettered access to electronically-facilitated funds transfers for moving their funds, and in detecting such misuse when it occurs.

    “I think it depends on the way that [the travel rule] is implemented, so a technological solution that takes a lot of the legwork out of that would be a game changer. [But] we are not at the point where, globally, there is such a technological solution,” said Home Affairs assistant secretary Daniel Mossop, who appeared before the Senate Committee on Australia as a Technology and Financial Centre on Friday afternoon.

    Australian Transaction Reports and Analysis Centre (Austrac) national manager Bradley Brown shared a similar sentiment during the hearing, saying a solid basis for a technological solution for facilitating the travel rule would be required if the travel rule were to go live. Brown’s input to the committee is an update of Austrac’s view of the travel rule. Shortly after the FATF recommended the rule, Austrac CEO Nicole Rose said her agency was interested in regulating the exchanges that “turn cash into cryptocurrency” and would consider the merits of implementing the rule within Anti-Money Laundering and Counter-Terrorism Financing regulation.

    Later in the afternoon, the committee questioned Australian Securities and Investments Commission (ASIC) representatives about the scope of Australia’s regulatory powers in relation to crypto assets. Commissioner Cathie Armour said ASIC’s own powers are currently limited when regulating crypto assets, clarifying that it can only regulate crypto assets if they are a financial product.

    Armour added that Australian regulation of crypto assets has primarily been an exercise of crime enforcement rather than financial regulation. Committee chair Senator Andrew Bragg then asked whether Parliament could enact custody arrangements for digital assets in the financial space that leverage existing rules. Armour explained that this would depend on how Australia wants to regulate crypto assets. “Is it as a separate category that they decide covers all digital assets? Or is it more an identification of which digital asset might fit into the existing categories of financial products better?” she said. “I think once your committee has considered what would be the best approach there, that could happen,” Armour said. The committee is currently in the last phase of its inquiry, which is focusing on removing more barriers to Australian growth as a technology and finance centre. The inquiry first kicked off in October 2019.

  • FBI releases alert about Hive ransomware after attack on hospital system in Ohio and West Virginia

    The FBI has released an alert about the Hive ransomware after the group took down Memorial Health System last week. The alert explains that Hive is an affiliate-operated ransomware first seen in June that deploys “multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol to move laterally once on the network.”

    “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks’,” the FBI explained. “Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension.”

    The alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department” that can be accessed through a Tor browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms. Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation. The group operates a leak site that it uses to threaten victims into paying. The FBI included indicators of compromise, a link to the leak site and a sample of a ransom note given to a victim.

    John Riggi, American Hospital Association senior advisor for cybersecurity, said the new Hive ransomware is of particular concern for healthcare organizations. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The non-profit runs a number of hospitals, clinics and healthcare sites across Ohio and West Virginia.

    CEO Scott Cantley said in a statement that staff at three hospitals — Marietta Memorial, Selby, and Sistersville General Hospital — were forced to use paper charts while their IT teams worked to restore their systems. All urgent surgical cases and radiology exams for Monday, August 16 were cancelled because of the attack. Memorial Health System Emergency Departments were forced to go on diversion due to the attack, with Marietta Memorial Hospital agreeing only to keep taking patients suffering from strokes and trauma incidents. Anyone else in need of help simply had to be transported to other hospitals. The FBI, CISA and cybersecurity experts helped the hospital respond to the attack.

    In a statement three days later, Cantley said the hospital system “reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible.” He later admitted to The Marietta Times that the hospital paid a ransom to receive the decryption keys. “We have completed an agreement and received the keys to unlock our servers and begin to process recovery. The FBI has their suspicions of an Eastern European entity that is relatively new and sophisticated,” Cantley explained. “It’s good news for our staff to get our tools back. We have 800 servers and more than 3,000 personal devices that our physicians use to serve patients. We will keep services to essential and next week we should be back to typical services. We continue to serve our patients with great care in the face of adversity.”

    The hospital’s systems were brought back online by the weekend and Cantley said there was no “indication that any patient or employee data has been publicly released or disclosed.”

    “It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Cantley said.
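    The behaviours the alert lists (termination of backup and anti-malware processes, files renamed to a .hive extension, a ransom note dropped in each affected directory) are exactly the kind of events endpoint telemetry can be correlated on, and the combination is far more telling than any one of them alone. As an added example, not part of the FBI alert or this article, the Python below runs a toy version of that correlation over constructed JSON event lines from a single host. The process-name hints and the ransom-note filename are assumptions chosen for the demo, not indicators taken from the alert.

```python
# Added example (not from the FBI alert or the article): toy detection logic for
# the Hive behaviours the alert describes, run over constructed endpoint events.
import json
from collections import Counter

# Process-name fragments standing in for the categories the alert says Hive
# terminates before encrypting. Constructed hints for the demo, not an IoC list.
SENSITIVE_PROCESS_HINTS = {
    "backup": ("backup", "vss", "shadow"),
    "anti-malware": ("antivirus", "antispyware", "avservice"),
    "file-copy": ("filecopy", "robocopy"),
}
ENCRYPTED_EXT = ".hive"              # extension the alert says encrypted files carry
RANSOM_NOTE_HINT = "HOW_TO_DECRYPT"  # constructed stand-in for the note's filename


def classify_terminated(process_name):
    """Map a terminated process name to one of the sensitive categories, or None."""
    name = process_name.lower()
    for category, hints in SENSITIVE_PROCESS_HINTS.items():
        if any(h in name for h in hints):
            return category
    return None


def analyse_events(lines, min_renames=5, min_note_dirs=3):
    """Summarise Hive-like activity in a list of JSON event lines from one host.

    Flags the host when a backup or anti-malware process was terminated AND
    either a burst of renames to .hive or ransom notes in several directories
    is also present; either signal on its own is left as context, not an alert.
    """
    kills = Counter()
    hive_renames = 0
    note_dirs = set()
    for line in lines:
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "process_terminate":
            category = classify_terminated(ev["target"])
            if category:
                kills[category] += 1
        elif kind == "file_rename" and ev["new_path"].lower().endswith(ENCRYPTED_EXT):
            hive_renames += 1
        elif kind == "file_create" and RANSOM_NOTE_HINT in ev["path"].upper():
            # keep only the directory, whichever separator the path uses
            note_dirs.add(ev["path"].replace("\\", "/").rsplit("/", 1)[0])
    defence_killed = kills["backup"] + kills["anti-malware"] > 0
    encryption_signs = hive_renames >= min_renames or len(note_dirs) >= min_note_dirs
    return {
        "kills": dict(kills),
        "hive_renames": hive_renames,
        "note_dirs": len(note_dirs),
        "alert": defence_killed and encryption_signs,
    }


# Constructed sample telemetry for one host (not real logs).
_sample = [
    {"type": "process_terminate", "target": "backup-agent.exe"},
    {"type": "process_terminate", "target": "AvService.exe"},
    {"type": "process_terminate", "target": "notepad.exe"},
    {"type": "file_create", "path": "C:/Users/alice/Documents/HOW_TO_DECRYPT.txt"},
    {"type": "file_create", "path": "C:/Shares/finance/HOW_TO_DECRYPT.txt"},
    {"type": "file_create", "path": "C:/Shares/hr/HOW_TO_DECRYPT.txt"},
] + [
    {"type": "file_rename", "old_path": f"C:/Shares/finance/q{i}.xlsx",
     "new_path": f"C:/Shares/finance/q{i}.xlsx.hive"} for i in range(6)
]
SAMPLE_HIVE_LINES = [json.dumps(e) for e in _sample]

# A quiet host: one unrelated process exit and ordinary file activity.
SAMPLE_BENIGN_LINES = [json.dumps(e) for e in [
    {"type": "process_terminate", "target": "notepad.exe"},
    {"type": "file_rename", "old_path": "C:/tmp/a.txt", "new_path": "C:/tmp/b.txt"},
]]

if __name__ == "__main__":
    print("hive-like host:", analyse_events(SAMPLE_HIVE_LINES))
    print("quiet host:    ", analyse_events(SAMPLE_BENIGN_LINES))
```

    The thresholds are deliberately low for the demo; in production the useful tuning knobs are the rename burst size and the number of distinct directories receiving a note, since a single renamed file or one stray note is noise, while a kill of the backup agent followed by dozens of renames within minutes is the sequence worth paging on.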