More stories

  • DHS rejects Trump's fraud claims: 'Election was most secure in US history'

    Flying in the face of claims by President Donald Trump of voting fraud, the US Department of Homeland Security says the 2020 presidential election was in fact the most secure in US history. 
    In a statement, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said it is aware of “many unfounded claims” and “opportunities for misinformation” about the election process.

    “[But] we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too,” CISA said.
    “The November 3 election was the most secure in American history.”
    CISA said election officials are reviewing and double-checking the entire election process before finalizing the result.
    “When states have close elections, many will recount ballots. All the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors,” it said. 

    “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
    The DHS issued the statement following a report from Reuters that CISA director Chris Krebs said he expects to be fired by the White House. 
    Trump, who has yet to acknowledge Joe Biden’s victory, on Thursday tweeted without evidence that 2.7 million votes for him had been deleted, Associated Press reported.
    Krebs in a tweet today repeated the CISA line that, “We have confidence in the security of your vote, you should too.”
    In the days leading up to the election, Krebs released a message warning Americans not to overreact to bogus claims about election security.
    “The election experience is designed to ensure that technology is not a single point of failure and there are measures in place to ensure that you can vote and that your vote is counted correctly,” he said. 
    “You should have confidence in the integrity of the process and don’t overreact to claims that exaggerate the importance of insignificant events,” said Krebs.
    CISA noted that the US had implemented pre-election testing and state certification of voting equipment, while the US Election Assistance Commission had a certification process for vetting voting equipment. 
    “When you have questions, turn to elections officials as trusted voices as they administer elections,” the agency said. 

    CISA director Chris Krebs: “We have confidence in the security of your vote, you should too.”
    Image: CISA

  • Chainalysis launches program to manage cryptocurrency seized by law enforcement

    Chainalysis has launched a program designed to manage and store cryptocurrency seized during criminal investigations. 

    Announced on Thursday, the blockchain analysis firm said the “asset realization program” will handle, hold, and track seized assets, which could include cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), and alternative tokens. 
    While traditional bank accounts can be frozen when criminal conduct is suspected, cryptocurrencies represent more of a challenge. There is a gray area when it comes to virtual coins — usually stored in either hot wallets with online connectivity or cold wallets, offline — and how to both seize and secure funds until an investigation is complete. 
    This is the niche business opportunity that Chainalysis is attempting to enter. “When law enforcement discovers and investigates illicit cryptocurrency assets, they need to seize and store them until they can be legally forfeited,” the company says. “As such, government agencies and insolvency practitioners — licensed professionals who advise on insolvency matters — need a safe way to track, store, and ultimately sell seized cryptocurrency assets for fiat currency.”
    Chainalysis is also partnering with Asset Reality to develop advisory services for clients in how to sell seized funds, as well as provide training and education to officers in cryptocurrency matters. 

    “As cryptocurrencies become more mainstream, they will increasingly be used by good and bad actors alike,” said Jason Bonds, CRO of Chainalysis. “Chainalysis is dedicated to building trust in digital assets, and that means helping to detect and investigate illicit activity. As our government partners become more successful in rooting out bad actors, assisting them with asset recovery and realization is a natural next step.”
    The announcement was made a week after the US government announced the seizure of BTC worth $1 billion in the largest confiscation of digital coins recorded. The cryptocurrency was allegedly stolen by an unnamed threat actor from Ross Ulbricht, the operator of the underground Silk Road marketplace, prior to his arrest. 
    Operating from 2011 to 2013, Silk Road generated an estimated revenue of 9.5 million Bitcoin, together with 600,000 BTC in commission. 
    The US Department of Justice (DoJ) is seeking forfeiture of the seized cryptocurrency. Chainalysis says the company assisted law enforcement during this investigation, as well as in other recent probes into North Korean hacking activities and terrorism financing. 

  • Amazon files lawsuit against Instagram, TikTok influencers over 'dupe' sales scam

    Amazon has filed a lawsuit against Instagram and TikTok personalities for allegedly participating in a scheme to sell counterfeit luxury goods. 

    Filed in the United States District Court for the Western District of Washington and made public on Thursday, the complaint alleges that 13 individuals and businesses ran a scam to lure followers into buying fake luxury products — and deceive Amazon in the process. 
    The influencers, Kelly Fitzpatrick and Sabrina Kelly-Krejci, allegedly peddled counterfeit items listed on Amazon — but disguised — by sellers they conspired with. Amazon claims that Fitzpatrick and Kelly-Krejci used social media platforms, such as Instagram, Facebook, and TikTok — as well as their own websites — to advertise fake products. 
    According to the lawsuit, the influencers posted side-by-side photos of generic, unbranded items and a luxury — but counterfeit — product. The text “Order this/Get this” was posted alongside the photos, with “Order this” referring to a generic product listed on Amazon, and “Get this” referring to a fake luxury good, also referred to as a dupe. 
    As shown in the court filing example below, a generic black wallet would be listed on Amazon, but customers would receive a dupe of a branded product. The generic item, therefore, was nothing more than a placeholder. 

    Videos describing the “high quality” of the fake products were also published by the influencers. 

    “By posting only generic products on Amazon, Fitzpatrick and Kelly-Krejci — and the sellers they coordinated with — attempted to evade our anti-counterfeit protections while using social media to promote the true nature of these counterfeit products,” Amazon says. 
    Fitzpatrick, a former member of the Amazon Influencer Program, has now been booted out of the program. 
    Amazon says dupes are still being advertised on her personal website. At the time of writing, the domain is inaccessible, as is her Instagram profile, now made private. 
    The e-commerce giant says that Kelly-Krejci’s scheme was also “detected and blocked.”
    The social media influencer pool can be a valuable tool for marketers and legitimate, sponsored product placements, listings, and shout-outs do exist. However, as the lawsuit may show, social media platforms can also be abused to conduct fraud and to peddle counterfeit items. 
    Amazon has attempted to crack down on fake goods and dupes in recent years, investing over $500 million to combat such alleged scams in 2019 alone. In June this year, Amazon launched its Counterfeit Crimes Unit to investigate and launch legal action against “bad actors” involved in the sale of counterfeit goods. 
    Cristina Posa, Director of Amazon’s Counterfeit Crimes Unit, described the alleged scam and defendants as “brazen.” 
    “This case demonstrates the need for cross-industry collaboration in order to drive counterfeiters out of business,” Posa commented. “Amazon continues to invest tremendous resources to stop bad actors before they enter our store and social media sites must similarly vet, monitor, and take action on bad actors that are using their services to facilitate illegal behavior.”

  • BlackBerry discovers new hacker-for-hire mercenary group

    BlackBerry’s security team has published details today about a new hacker-for-hire mercenary group it discovered earlier this year, and which it has tied to attacks on victims all over the world.


    The group, which BlackBerry named CostaRicto, is the fifth hacker-for-hire group discovered this year after the likes of:
    BellTrox (aka Dark Basin) [1, 2, 3]
    DeathStalker (aka Deceptikons) [1, 2]
    Bahamut [1, 2]
    Unnamed group [1]
    CostaRicto’s discovery also retroactively confirms a Google report from May, in which the US tech giant highlighted the increasing number of hacker-for-hire mercenary groups, and especially those operating out of India.
    However, while BellTrox has been linked to an Indian entity and Bahamut is suspected of operating out of India as well, details about CostaRicto’s current origins and whereabouts still remain unknown.
    What is currently known is that the group has orchestrated attacks all over the globe across different countries in Europe, the Americas, Asia, Australia, and Africa.
    However, BlackBerry says the biggest concentration of victims appears to be in South Asia, and especially India, Bangladesh, and Singapore, suggesting that the threat actor could be based in the region, “but working on a wide range of commissions from diverse clients.”
    As for the nature of the targets, the BlackBerry Research and Intelligence Team said in a report today that “the victims’ profiles are diverse across several verticals, with a large portion being financial institutions.”

    Furthermore, BlackBerry says that “the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state” but suggests that they are “a mix of targets that could be explained by different assignments commissioned by disparate entities.”
    CostaRicto group linked to new sophisticated Sombra malware
    BlackBerry also adds that while the group is using custom-built and never-before-seen malware, they are not operating using any innovative techniques.
    Most of their attacks rely on stolen credentials or spear-phishing emails as the initial entry vector. These emails usually deliver a backdoor trojan that BlackBerry has named Sombra or SombRAT.
    The backdoor trojan allows CostaRicto operators to access infected hosts, search for sensitive files, and exfiltrate important documents.
    This data is usually sent back to CostaRicto command-and-control infrastructure, which BlackBerry says is usually hosted on the dark web and accessible only via Tor.
    Furthermore, the infected hosts usually connect to these servers via a layer of proxies and SSH tunnels, to hide the malicious traffic from the infected organizations.
    All in all, BlackBerry says these practices “reveal better-than-average operation security,” when compared to your usual hacking groups.
    All the CostaRicto malware samples that BlackBerry discovered have been traced back to as early as October 2019, but other clues in the gang’s servers suggest the group might have been active even earlier, as far back as 2017.
    Furthermore, researchers said they also discovered an overlap with past campaigns from APT28, one of Russia’s military hacking units, but BlackBerry believes the server overlap may have been accidental.
    Hacker-for-hire groups — the new landscape
    For many years, most hacking groups have operated as stand-alone groups, carrying out financially motivated attacks, stealing data, and selling it for their own profit.
    The public exposures of BellTrox, DeathStalker, Bahamut, and CostaRicto this year show a maturing hacker-for-hire scene, with more and more groups renting their services to multiple customers with different agendas, instead of operating as lone wolves.
    The next step in investigating these groups will need to look at who their clients are. Are they private corporations or foreign governments? Or are they both?

  • DNS cache poisoning poised for a comeback: Sad DNS

    Back in 2008, Domain Name System (DNS) server cache poisoning was a big deal. By redirecting the results from DNS with misleading Internet Protocol (IP) addresses, hackers could redirect your web browser from the safe site you wanted to a fake one loaded with malware. Fixes were discovered and DNS cache poisoning attacks became rare. Now, thanks to a discovery by the University of California at Riverside researchers, a new way has been found to exploit vulnerable DNS caches: Sad DNS.

    Here’s how it works: First, DNS is the internet’s master address list. With it, instead of writing out an IPv4 address like “173.245.48.1,” or an IPv6 address such as “2400:cb00:2048:1::c629:d7a2,” one of Cloudflare’s many addresses, you simply type in “http://www.cloudflare.com”; DNS finds the right IP address for you, and you’re on your way.
    With DNS cache poisoning, however, your DNS requests are intercepted and redirected to a poisoned DNS cache. This rogue cache gives your web browser or other internet application a malicious IP address. Instead of going to where you want to go, you’re sent to a fake site. That forged website can then upload ransomware to your PC or grab your user name, password, and account numbers. In a word: Ouch!
    Modern defense measures — such as randomizing both the DNS query ID and the DNS request source port, DNS-based Authentication of Named Entities (DANE), and Domain Name System Security Extensions (DNSSEC) — largely stopped DNS cache poisoning. These DNS security methods, however, have never been deployed widely enough, so DNS-based attacks still happen.
    Now, though, researchers have found a side-channel attack, SAD DNS, that can be used successfully against the most popular DNS software stacks. Vulnerable programs include the widely used BIND, Unbound, and dnsmasq running on top of Linux and other operating systems. The vulnerability arises when the DNS server’s operating system and network are configured to allow Internet Control Message Protocol (ICMP) error messages. 
    Here’s how it works: First, the attacker needs a device able to spoof IP addresses and a computer able to trigger a request out of a DNS forwarder or resolver. Forwarders and resolvers help work out where to send DNS requests. A forwarder can be attacked, for example, when the attacker is logged into a LAN managed by a wireless router, such as a school or library public wireless network. Public DNS resolvers, such as Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8, can also be attacked. 
    Next, the researchers used a network channel affiliated with, but outside of, the main channels used in the DNS requests. They then figured out the source port number by holding the channel open long enough to run 1,000 guesses per second until they hit the right one. With the source port derandomized, the group inserted a malicious IP address and successfully pulled off a DNS cache poisoning attack.

    In their study, they found just over 34% of the open resolver population on the internet is vulnerable. They found that 85% of the most popular free public DNS services are open to attacks. 
    You can check to see if you’re open to attack simply by going to this Sad DNS web page and following the instructions. I’ll add that I’m both very security and network conscious and my systems were vulnerable. 
    There are ways to stop these attacks. Indeed, we already have these methods. DNSSEC would help, but it’s still not deployed enough. Using the relatively new DNS cookies of RFC 7873 would help as well. 
    The simplest mitigation, though, is to disallow outgoing ICMP replies altogether. This comes at the potential cost of losing some network troubleshooting and diagnostic features. 
    Another easy fix is to set the timeout of DNS queries more aggressively. For example, you should set it so that it’s less than a second. This way the source port will be short-lived and disappear before the attacker can start injecting rogue responses. The downside, however, is the possibility of introducing more retransmitted queries and overall worse performance.
    Whichever method you use, one thing is clear. If you run a DNS server or forwarder, you must do something. This attack is too easy. It will soon be used by criminal hackers. And, while I certainly recommend the quick and easy fixes, would it really kill you to finally start using DNSSEC? It’s way past time for everyone to adopt it. 
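    The acceptance check that the two “how it works” passages above turn on, together with the short-timeout mitigation just described, as an added example that is not from the article or from the UC Riverside researchers’ work: a small Python model of the fields a caching resolver matches before it will accept a reply. The transaction ID and the ephemeral source port are each 16 bits, which is why a reply must hit both (and come from the right upstream address for the right question) to be cached, and why learning the port through a side channel removes half of that randomness. The helper names (build_query, build_answer, register_query, accept_response), the 0.8-second timeout and all addresses are constructed for the example.

```python
"""Model of what a caching resolver checks before accepting a DNS reply.

Added example (not from the article or any resolver's source): the constructed
query/reply pairs show that a reply is only accepted when transaction ID,
source port, question name and upstream address all match an outstanding,
unexpired query.  All names and addresses below are assumptions.
"""
import secrets
import struct

HEADER = struct.Struct("!HHHHHH")  # txid, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def decode_name(wire, pos=12):
    """Decode an uncompressed name starting at pos; return (name, next offset)."""
    labels = []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos


def build_query(name):
    """Build an A query with a fresh 16-bit txid and a fresh ephemeral source port."""
    txid = secrets.randbits(16)
    src_port = 1024 + secrets.randbelow(65536 - 1024)
    wire = HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    return txid, src_port, wire


def build_answer(txid, name, ipv4, ttl=300):
    """Build a minimal reply carrying one A record (constructed test data)."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def register_query(table, txid, src_port, name, upstream, now, timeout=0.8):
    """Record an outstanding query; it is valid only until now + timeout seconds."""
    table[(txid, src_port, name.lower())] = (upstream, now + timeout)


def accept_response(table, wire, from_addr, to_port, now):
    """Return True only if the reply matches an unexpired outstanding query on every field."""
    txid, flags = HEADER.unpack_from(wire)[:2]
    if not flags & 0x8000:  # QR bit clear: this is a query, not a reply
        return False
    name, _ = decode_name(wire)
    key = (txid, to_port, name.lower())  # hostnames compare case-insensitively
    entry = table.get(key)
    if entry is None:
        return False
    upstream, expires = entry
    if from_addr != upstream or now >= expires:  # wrong sender, or query already timed out
        return False
    del table[key]  # one reply per query; later duplicates are dropped
    return True


if __name__ == "__main__":
    table = {}
    txid, port, query = build_query("www.example.com")
    register_query(table, txid, port, "www.example.com", ("192.0.2.53", 53), now=0.0)
    wrong_txid = build_answer((txid + 1) & 0xFFFF, "www.example.com", "203.0.113.9")
    print("reply with wrong txid accepted:", accept_response(table, wrong_txid, ("192.0.2.53", 53), port, now=0.1))
    real = build_answer(txid, "www.example.com", "198.51.100.7")
    print("matching reply accepted:", accept_response(table, real, ("192.0.2.53", 53), port, now=0.1))
```

    The timeout argument is the mitigation from the paragraph above: once the outstanding entry expires, a reply that matches on every other field is still discarded, so the window in which the port is worth knowing closes with the query.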
    As for users, you must be more careful than ever that when you go to a commerce site like Amazon or your local bank that the site really is the one you think it is. If you don’t, you can kiss your online identity and a lot of money goodbye.

  • Comodo open-sources its EDR solution

    Cyber-security firm Comodo this week open-sourced its endpoint detection and response (EDR) solution, becoming the first major security vendor to take this route.

    Released as OpenEDR, the project’s source code was released this week on GitHub after Comodo touted the move to open source back in September [1, 2].
    EDRs are considered the next step in the evolution of antivirus software. Classic antivirus software is designed to block malware when it executes.
    EDRs are built differently, with a more proactive approach. They work by actively monitoring for suspicious behavior on endpoints and the local network and then sending alerts to a company’s IT staff to investigate.
    They don’t necessarily look for confirmed threats but, instead, can also look for indicators of suspicious activity that sometimes precedes actual malware infections or threat actor intrusions.
    “We are offering our EDR as open source because we feel strongly that as cyber-threats increase, every company should have access to this capability regardless of budget or ability to purchase it,” Alan Knepfer, President and Chief Revenue Officer at Comodo, said back in September.
    “Our competitors offer endpoint protection that falls short of protecting customers, and then charge additional for EDR capability. This kind of pricing strategy from cybersecurity vendors will weaken the cybersecurity resources available to enterprises.

    “The model of charging for multiple layers because they fail in protecting customers is not a healthy business model for the long term. We are putting an end to that by open sourcing the world’s most sophisticated EDR,” Knepfer added.
    Comodo’s OpenEDR will include all the basic functionality of an EDR. This will include the ability to roll out custom detection rules and IOCs, real-time monitoring of workstation filesystems, detection of fileless threats, a recommendation engine that advises on measures that need to be taken, a GUI, and a threat-vector investigation capability.
    A technical breakdown of OpenEDR is available here, while the project’s support forum is here.
    Besides OpenEDR, other open-source EDR and similar solutions also available today include the likes of: