More stories

  • Parents of teens who stole $1 million in Bitcoin sued by alleged victim

    The parents of two teenagers allegedly responsible for stealing $1 million in Bitcoin are being sued. 

    According to court documents obtained by Brian Krebs, Andrew Schober lost 16.4552 Bitcoin (BTC) in 2018 after his computer was infected with malware, allegedly created by two teenagers in the United Kingdom. The complaint (.PDF), filed in Colorado, accuses Benedict Thompson and Oliver Read, who were minors at the time, of writing clipboard malware.

    The malicious software, designed to monitor for cryptocurrency wallet addresses, was downloaded and unwittingly executed by Schober after he clicked a link posted to Reddit to install the Electrum Atom cryptocurrency application. During a transfer of Bitcoin from one account to another, the malware performed a man-in-the-middle (MitM) swap, apparently replacing the destination address with one controlled by the teenagers and thereby diverting the coins into their wallet.

    According to court documents, this amount represented 95% of the victim’s net wealth at the time of the theft. At today’s price, the stolen Bitcoin is worth approximately $777,000. “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family,” the complaint reads.

    The pair, tracked down during an investigation paid for by Schober, are now adults and are studying computer science at UK universities. The mothers and fathers of Thompson and Read are named in the complaint. Emails were sent to the parents before the complaint was filed, requesting that the teenagers return the stolen cryptocurrency to avoid legal action.

    The letter reads, in part: “As his parents, I am appealing to you to first give him the chance to make this right, without involving law enforcement. Your son is obviously a very intelligent young man. I do not wish for him to be robbed of his future.” However, the requests, sent in 2018 and 2019, were met with silence.

    Schober’s complaint claims that the parents “knew or reasonably should have known” what their children were up to, and that they also failed to take “reasonable steps” to prevent further harm. In response (.PDF), the defendants do not contest the allegations themselves, but have instead moved to dismiss on the basis of two- and three-year statutes of limitation. “Despite his knowledge of his injury and the general cause thereof, Plaintiff waited to file his lawsuit beyond the two and three years required of him by the applicable statutes of limitations,” court documents say. “For this reason, Plaintiff’s claims against Defendants should be dismissed.”

    However, Schober’s legal team has argued (.PDF) that the teenagers were not immediately traced, and that roughly a year passed between separately identifying Read and Thompson. Schober’s lawyers have asked that the motion to dismiss be denied.

  • Google: Here's how our $10bn investment will boost US cybersecurity

    Google has outlined its efforts to shape the US government’s zero-trust initiative, based on Biden’s May Executive Order on cybersecurity. Google’s $10 billion commitment to beefing up critical US infrastructure includes expanding zero-trust programs, helping to secure software supply chains, and enhancing open-source security.

    Its contributions will draw on initiatives that have been underway at Google for many years, spanning open-source fuzzing tools, funding Linux kernel developers to work on security, and pushing for the use of memory-safe languages in Linux. It comes after US president Joe Biden called on the chiefs of Apple, Google, Microsoft and JPMorgan Chase earlier this week to beef up the nation’s protection of critical infrastructure.

    Although Google was not among the 18 cybersecurity companies selected to work with the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) program, which will create zero-trust designs for federal agencies to implement, it is now collaborating with NIST to develop a framework, Google’s Eric Brewer and Dan Lorenc said in a blog post. Zero trust assumes that a network has already been breached and refocuses cybersecurity on apps, data and people, rather than on hardening the network perimeter.

    “Instead of being reactive to vulnerabilities, we should eliminate them proactively with secure languages, platforms, and frameworks that stop entire classes of bugs,” said Brewer and Lorenc.

    “Preventing problems before they leave the developer’s keyboard is safer and more cost-effective than trying to fix vulnerabilities and their fallout.”

    Biden appealed to the private sector at the White House cybersecurity summit on Wednesday, noting that the federal government alone could not meet the challenge of protecting critical infrastructure from cyberattacks. Google and Microsoft committed $10 billion and $20 billion, respectively, over five years to improve the US response to future threats, following recent high-profile cyber attacks including the Colonial Pipeline ransomware attack, the SolarWinds software supply chain attack and widespread exploitation of Microsoft Exchange server vulnerabilities.

    “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do,” Biden said, according to The Washington Post.

    In June, Brewer submitted four papers in response to Biden’s cybersecurity Executive Order 14028 on enhancing software supply chain security. One of the papers discusses the security problems inherent to coding in the C programming language and the emergence of Rust. “Secure languages and application frameworks can be used to impose a structure on software that enables high-confidence reasoning about its security, at scale,” Brewer wrote.


    “But ensuring that this requirement is actually fulfilled for real-world C code is challenging, and often requires difficult reasoning about heap memory structure. Similarly, it is difficult to ensure correct validation and escaping for all data that flows into a web application’s HTML markup, since data often passes through several components on its way from inputs to outputs, such as through a storage schema.”

    “In contrast, Rust has emerged as a practical alternative to C and C++ as a systems-development language, embodying a secure-by-construction stance on memory safety. Rust’s type system imposes an ownership discipline that ensures, for example, that freed memory cannot be accessed.”

    To that end, Google is backing a plan to get Rust into the Linux kernel as a second language alongside C. Lorenc and Brewer argue that software bugs should be prevented from the outset, rather than merely reacted to as new vulnerabilities appear. Microsoft and Amazon Web Services are also backing Rust as a memory-safe alternative to C and C++ for systems programming.

    Google advocates for software code testing, including using tools from Microsoft-owned GitHub such as Dependabot, a tool for keeping open source software packages or dependencies up to date. Google also offered its opinion on the idea of a software bill of materials (SBOM) as part of the official US response to software supply chain attacks. The Linux Foundation is contributing to this aspect of Biden’s order. It is a complex problem to solve in both open-source and proprietary software because of the vast number of library dependencies used in modern programs.

    “SBOMs need a reasonable signal-to-noise ratio: if they contain too much information, they won’t be useful, so we urge the NTIA [National Telecommunications and Information Administration] to establish both minimum and maximum requirements on granularity and depth for specific use-cases,” Google said.

  • US charges HeadSpin ex-CEO over fake $1bn valuation scheme

    The US Securities and Exchange Commission (SEC) has charged the former CEO of HeadSpin for allegedly defrauding investors.

    Founded in 2015 and based in Silicon Valley, HeadSpin markets itself as an AI testing, dev-ops, and mobile testing platform. The co-founder and former chief executive, Manish Lachwani, led the company until May 2020.

    According to the SEC and the US Department of Justice (DoJ), the 45-year-old allegedly defrauded investors out of $80 million “by falsely claiming that the company had achieved strong and consistent growth in acquiring customers and generating revenue.” For approximately two years, the executive allegedly pushed for a valuation beyond $1 billion by inflating key financial metrics, doctoring internal sales records, and overstating the value of deals still under discussion with potential clients, presenting them as secure, guaranteed revenue streams.

    The SEC says that through these methods, as well as the creation of fake, inflated customer invoices, Lachwani also “enriched himself” by selling $2.5 million of his own HeadSpin shares during a funding round. Monique Winkler, Associate Regional Director of the SEC’s San Francisco Regional Office, said these activities misled investors into believing the startup had achieved “unicorn” status, the term used for a privately-held startup that passes the $1 billion valuation threshold. However, his alleged actions did not go unnoticed, and an internal investigation by the firm’s board found issues with HeadSpin’s financial reporting.

    According to the US agencies, the probe resulted in the startup’s valuation being slashed from $1 billion to $300 million. The former CEO was then required to resign. Lachwani was arrested on Wednesday by US law enforcement. HeadSpin has not been charged and says it is cooperating with the US agencies.

    The SEC’s complaint, filed in the Northern District of California, charges Lachwani with violating US antitrust laws. The regulator is pursuing penalties, an injunction, and a court order barring the former CEO from acting as an officer or director in the future. Separately, the DoJ has filed one count of wire fraud and one count of securities fraud against the former executive. If convicted, Lachwani faces a maximum sentence of 20 years in prison for each charge, as well as fines of up to $250,000 and $5 million, respectively.

  • Ransomware: It's only a matter of time before a smart city falls victim, and we need to take action now

    Ransomware attacks are going to get worse, and one could eventually take out the infrastructure of an entire 5G-enabled smart city, a cybersecurity expert has warned.

    Cyber criminals deploying ransomware regularly target government services. Not only do public-sector IT budgets leave networks less secure against attacks, but those networks also provide vital services to the community. In some cases, local government agencies simply pay the ransom to decrypt the network and restore services, which makes them ideal targets for extortion.

    Urban infrastructure, including emergency services, transport, traffic light management, CCTV and more, is increasingly being connected to 5G Internet of Things (IoT) services and sensors in order to collect data and provide better, more efficient services. But while connected cities have the potential to improve urban services, any lack of security in IoT devices could make them a very appealing target for ransomware attacks, and, given the current ransomware climate, it is not a matter of if, but when.

    “I look two years out and my prediction is a 5G smart city will be held for ransom. I don’t see anything happening right now that tells me that this prediction is not going to come true,” Theresa Payton, CEO of Fortalice Solutions and former CIO at The White House, said in an interview with ZDNet Security Update.

    There have been many cases of cities and public infrastructure being compromised by ransomware, and it can be extremely disruptive. When cyber criminals attack hospitals with ransomware, for example, the nature of the industry means that in many cases, though not all, health service providers feel as if they have no option but to pay.

    And the continued success of ransomware attacks means going after connected infrastructure is the logical next step for cyber criminals. “I just don’t see enough progress being made that we’re going to be able to eradicate ransomware – I see it getting a lot worse, unfortunately, before we really figure out how to tackle it and it gets better,” said Payton, adding that cyber criminals “really don’t care what the downstream impacts are, they’re just trying to make a buck”.

    However, measures can be applied across smart cities to help protect them against cyber attacks. Guidance on smart city security from the UK’s National Cyber Security Centre (NCSC) recommends that cities should only roll out devices from trusted vendors, and that no IoT device on the network should use the default username and password, as this makes them easy targets.

    Organisations should also regularly check whether credentials belonging to employees with high-level account privileges have been exposed in a data breach. If so, passwords, and perhaps even account names, should be changed in order to reduce the risk of them being abused by ransomware groups or other cyber criminals. “Look for those email accounts, look for those passwords, and think about actually abandoning email accounts that are in password data dumps that have access to core systems,” said Payton.

  • Home Affairs believes technological capability not there yet for cryptocurrency travel rule

    The Department of Home Affairs on Friday said it agrees with submissions from industry that government currently does not have the technological capability to implement a travel rule for cryptocurrencies. A travel rule, if ratified, would require financial institutions to pass certain information on to another financial institution to provide more transparency regarding cryptocurrency movement.

    The travel rule was recommended by the Financial Action Task Force (FATF) in May, as it believed the rule would help prevent terrorists and other criminals from having unfettered access to electronically-facilitated funds transfers for moving their funds, and would aid in detecting such misuse when it occurs.

    “I think it depends on the way that [the travel rule] is implemented so a technological solution that takes a lot of the legwork out of that would be a game changer. [But] we are not at the point where, globally, there is such a technological solution,” said Home Affairs assistant secretary Daniel Mossop, who appeared before the Senate Committee on Australia as a Technology and Financial Centre on Friday afternoon.

    Australian Transaction Reports and Analysis Centre (Austrac) national manager Bradley Brown shared a similar sentiment during the hearing, saying a solid technological basis for facilitating the travel rule would be required if the rule were to go live. Brown’s input to the committee is an update of Austrac’s view of the travel rule. Shortly after the FATF recommended the rule, Austrac CEO Nicole Rose said her agency was interested in regulating the exchanges that “turn cash into cryptocurrency” and would consider the merits of implementing the rule within Anti-Money Laundering and Counter-Terrorism Financing regulation.

    Later in the afternoon, the committee questioned Australian Securities and Investments Commission (ASIC) representatives about the scope of Australia’s regulatory powers in relation to crypto assets. Commissioner Cathie Armour said ASIC’s own powers are currently limited when it comes to crypto assets, clarifying that it can only regulate crypto assets if they are a financial product.

    Armour added that Australian regulation of crypto assets has primarily been an exercise in crime enforcement rather than financial regulation. Committee chair Senator Andrew Bragg then asked whether Parliament could enact custody arrangements for digital assets in the financial space that leverage existing rules. Armour explained that this would depend on how Australia wants to regulate crypto assets. “Is it as a separate category that they decide covers all digital assets? Or is it more an identification of which digital asset might fit into the existing categories of financial products better,” she said. “I think once your committee has considered what would be the best approach there, that could happen,” Armour said.

    The committee is currently in the last phase of its inquiry, which is focusing on removing more barriers to Australian growth as a technology and finance centre. The inquiry first kicked off in October 2019.

  • FBI releases alert about Hive ransomware after attack on hospital system in Ohio and West Virginia

    The FBI has released an alert about the Hive ransomware after the group took down Memorial Health System last week. The alert explains that Hive is an affiliate-operated ransomware first seen in June that deploys “multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol to move laterally once on the network.”

    “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks,’” the FBI explained. “Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension.”

    The alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department” that can be accessed through a Tor browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms. Most victims face a payment deadline of between two and six days, but others were able to extend their deadlines through negotiation. The group operates a leak site that it uses to pressure victims into paying. The FBI included indicators of compromise, a link to the leak site and a sample of a ransom note given to a victim.

    John Riggi, American Hospital Association senior advisor for cybersecurity, said the new Hive ransomware is of particular concern for healthcare organizations. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The non-profit runs a number of hospitals, clinics and healthcare sites across Ohio and West Virginia.

    CEO Scott Cantley said in a statement that staff at three hospitals (Marietta Memorial, Selby, and Sistersville General Hospital) were forced to use paper charts while their IT teams worked to restore their systems. All urgent surgical cases and radiology exams for Monday, August 16 were cancelled because of the attack. Memorial Health System Emergency Departments were forced to go on diversion, with Marietta Memorial Hospital agreeing only to keep taking patients suffering from strokes and trauma incidents. Anyone else in need of help had to be transported to other hospitals. The FBI, CISA and cybersecurity experts helped the hospital respond to the attack.

    In a statement three days later, Cantley said the hospital system “reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible.” He later admitted to The Marietta Times that the hospital paid a ransom to receive the decryption keys. “We have completed an agreement and received the keys to unlock our servers and begin to process recovery. The FBI has their suspicions of an Eastern European entity that is relatively new and sophisticated,” Cantley explained. “It’s good news for our staff to get our tools back. We have 800 servers and more than 3,000 personal devices that our physicians use to serve patients. We will keep services to essential and next week we should be back to typical services. We continue to serve our patients with great care in the face of adversity.”

    The hospital’s systems were brought back online by the weekend, and Cantley said there was no “indication that any patient or employee data has been publicly released or disclosed.” “It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Cantley said.

  • 21-year-old tells WSJ he was behind massive T-Mobile hack

    A 21-year-old Virginia native living in Turkey has admitted to being the main force behind the massive T-Mobile hack that exposed the sensitive information of more than 50 million people. John Binns was originally identified as the possible culprit by Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock.


    On Twitter earlier this month, Gal shared a message he said he received from Binns: “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019.” “We did it to harm US infrastructure,” Binns allegedly told Gal at the time.

    Binns has now spoken out publicly in an interview with the Wall Street Journal, telling the newspaper he was in fact behind the attack and conducted it from his home in Izmir, Turkey, where he lives with his mother. His father, who died when he was two, was American and his mother is Turkish. They moved back to Turkey when Binns was 18.

    Through Telegram, Binns provided evidence to the Wall Street Journal that he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July. According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington, where he could explore more than 100 of the company’s servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files.

    “I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.” He would not confirm whether the data he stole has already been sold or whether someone else paid him to hack into T-Mobile. While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help acquiring login credentials for databases inside T-Mobile’s systems. The Wall Street Journal story also noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said the carrier’s customer data was being marketed on the dark web.

    Binns repeated his assertion that the attack was carried out because he was angry about how he had been treated by US law enforcement agencies in recent years. Binns filed a lawsuit against the FBI, CIA and Justice Department in November in which he said he was being investigated for various cybercrimes, including participation in the Satori botnet conspiracy. In the lawsuit, he said he had been tortured and spied on for being an alleged member of the Islamic State militant group. He denied being a member of the group in his lawsuit. He repeated his claims that he had been abducted in both Germany and Turkey and unfairly placed in a mental institution against his will by US law enforcement agencies. “I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal.

    T-Mobile did not respond to requests for comment but released a statement last week confirming that the names, dates of birth, SSNs, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, SSNs and driver’s licenses leaked. More than 5 million “current postpaid customer accounts” also had information such as names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen, alongside a group of 850,000 active T-Mobile prepaid customers whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile. The telecom giant, which is the second largest in the US behind Verizon, is offering victims two years of free identity protection services with McAfee’s ID Theft Protection Service.

  • Chinese developers expose data belonging to Android gamers

    The Chinese developers of popular Android gaming apps exposed information belonging to users through an unsecured server.

    In a report shared with ZDNet, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134GB server that had been left exposed and publicly accessible online. EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.

    In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward, leaking user data collected on a seven-day rolling basis. The team says that the developers impose “aggressive and deeply troubling tracking, analytics, and permissions settings” when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require.

    The records included IP addresses and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted, game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data.

    vpnMentor suspects that up to, or more than, one million users may have had their information exposed. The unsecured server was discovered on July 5 and EskyFun was contacted two days later. However, after receiving no response, vpnMentor made a second attempt on July 27. After continued silence, the team also reached out to Hong Kong CERT, and the server was secured on July 28.

    “Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users,” the researchers commented. “Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse.”

    ZDNet has reached out to EskyFun and we will update when we hear back.