More stories

    Academics find crypto bugs in 306 popular Android apps, none get patched

    A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they’re using cryptographic code in an unsafe way.
    Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019.
    Researchers say the tool, which checked for 26 basic cryptography rules (see table below), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.
    The top three most broken rules were:
    • Rule #18 – 1,775 apps – Don’t use an unsafe PRNG (pseudorandom number generator)
    • Rule #1 – 1,764 apps – Don’t use broken hash functions (SHA1, MD2, MD5, etc.)
    • Rule #4 – 1,076 apps – Don’t use the operation mode CBC (client/server scenarios)
    These are basic rules that any cryptographer knows very well, but rules that some app developers might not be aware of without having studied app security (AppSec) or advanced cryptography prior to entering the app development space.
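As an added illustration (not code from the CRYLOGGER paper or tool), the following Java snippet shows, for each of the three most-violated rules, the pattern a dynamic checker would flag next to a standard-library alternative. It uses only the Java Cryptography Architecture APIs that Android apps call; the choice of SHA-256 and AES/GCM as replacements is this example's assumption, not a recommendation from the paper, and the sample message is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class CryptoRulesDemo {

    // Rule #18: java.util.Random is a deterministic PRNG; with a fixed seed it
    // returns the same bytes on every run, so it must never produce keys, IVs or tokens.
    static byte[] weakRandomBytes(int n) {
        byte[] b = new byte[n];
        new Random(42L).nextBytes(b); // seeded and fully predictable
        return b;
    }

    static byte[] secureRandomBytes(int n) {
        byte[] b = new byte[n];
        new SecureRandom().nextBytes(b); // OS-backed CSPRNG
        return b;
    }

    // Rule #1: MD5 (and SHA-1) are broken for collision resistance.
    static byte[] weakDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    static byte[] strongDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Rule #4: CBC provides no integrity check, so a modified ciphertext still
    // decrypts to something. An AEAD mode such as GCM rejects tampered input.
    static byte[] weakEncrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); // 16-byte IV
        return c.doFinal(plaintext);
    }

    static byte[] gcmEncrypt(SecretKey key, byte[] nonce, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce)); // 12-byte nonce, 128-bit tag
        return c.doFinal(plaintext);
    }

    static byte[] gcmDecrypt(SecretKey key, byte[] nonce, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ciphertext); // throws AEADBadTagException on any modification
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input

        // Rule #18: the seeded generator repeats itself across calls/runs.
        System.out.println("Random(42) repeats: " + Arrays.equals(weakRandomBytes(16), weakRandomBytes(16)));
        System.out.println("SecureRandom repeats: " + Arrays.equals(secureRandomBytes(16), secureRandomBytes(16)));

        // Rule #1: same input, different digest algorithms (lengths 16 vs 32 bytes).
        System.out.println("MD5 length: " + weakDigest(msg).length + ", SHA-256 length: " + strongDigest(msg).length);

        // Rule #4: CBC encrypts silently with no integrity tag; GCM detects a flipped byte.
        weakEncrypt(key, secureRandomBytes(16), msg);
        byte[] nonce = secureRandomBytes(12);
        byte[] ct = gcmEncrypt(key, nonce, msg);
        ct[ct.length - 1] ^= 0x01; // simulate corruption in transit
        try {
            gcmDecrypt(key, nonce, ct);
            System.out.println("GCM accepted tampered ciphertext (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered ciphertext");
        }
    }
}
```

A dynamic tool like CRYLOGGER sees exactly these calls at runtime: the algorithm string passed to `getInstance`, the class of the random source feeding an IV or key, and the mode/padding of each `Cipher`. Each weak variant above is the kind of call the paper's rules are written to catch.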

    Image: Piccolboni et al.
    Only 18 of 306 app developers replied to the research team
    The Columbia University academics said that after they tested the apps, they also contacted all the developers of the 306 Android applications found to be vulnerable.
    “All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million,” the research team said. “Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings.”
    While some crypto bugs were in an application’s code, some common bugs were also being introduced as part of Java libraries used as part of the apps.
    The researchers say they also contacted the developers of 6 popular Android libraries, but just like before, they only received answers from 2 of them.
    Since none of the developers fixed their apps and libraries, researchers refrained from publishing the names of the vulnerable apps and libraries, citing possible exploitation attempts against the apps’ users.
    A complementary tool to CryptoGuard
    All in all, the research team believes they’ve built a powerful tool that can be reliably used by Android developers as a complementary utility to CryptoGuard.
    The two tools are complementary because CryptoGuard is a static analyzer (it analyzes source code before it is executed), while CRYLOGGER is a dynamic analysis tool (it analyzes code while it’s being executed). Since the two work on different levels, academics believe both could be used to detect cryptography-related bugs in Android apps before app code hits user devices.
    Just like CryptoGuard, CRYLOGGER’s code is also available on GitHub.
    Additional details about the team’s research are available in a pre-print named “CRYLOGGER: Detecting Crypto Misuses Dynamically,” set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.

    France, Japan, New Zealand warn of sudden spike in Emotet attacks

    Cyber-security agencies from France, Japan, and New Zealand have published security alerts over the past week warning about a large uptick in Emotet malware attacks targeting their respective countries.
    Emotet activity described in the alerts refers to email spam campaigns that originated from Emotet infrastructure and targeted companies and government agencies in the three countries.
    Victim organizations who received the emails, opened, and then ran the attached documents were at risk of getting infected with one of today’s most dangerous malware.
    Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet that the Emotet botnet has been particularly active in recent weeks, and especially active in the three countries.
    For example, Roosen said New Zealand had been heavily targeted by Emotet operators via emails originating from E3 (one of the three mini-botnets that make the larger Emotet infrastructure).
    On the other hand, while E3 was busy spamming New Zealand, Roosen said that all three mini-Emotet botnets (E1, E2, and E3) were targeting Japan. According to CERT Japan, these Emotet spam waves led to Emotet sightings tripling last week, prompting experts to sound the alarm.

    Image: CERT Japan
    But while Japan and New Zealand have been under heavy spam waves, things were lighter in France, where, Roosen said, Emotet spam waves haven’t been at the same levels as in the other two countries.
    Nonetheless, Emotet infected computers on the network of the Paris court system, turning heads, making headlines, and triggering a state of emergency among French officials.
    The French Interior Ministry reacted by blocking all Office documents (.doc) from being delivered via email, and France’s cyber-security agency ANSSI followed through with an official cyber-security alert on Monday, urging government agencies to pay attention to the emails they’re opening.

    Conversation hijacking
    According to all three alerts, the attacks appear to have been the same.
    Emotet operators used their old trick of infecting one victim and then stealing older email threads. The group would then revive these old conversations, add malicious files as attachments, and target new users with a legitimate-looking conversation.
    Users who were part of the conversations, or those added to them, would often open the malicious file attachments added to the email thread out of curiosity and get infected.
    In the recent campaigns that targeted France, Japan, and New Zealand, Emotet appears to have used Word documents (.doc) and password-protected ZIP archive files as the malicious email attachments, attacks that have been seen targeting companies in other countries as well.
    All three security alerts contain sound advice for anyone looking for ways to prevent or deal with Emotet infections, regardless of the country of origin.
    At one point or another, Emotet will switch targeting and go after other countries, as the botnet can send out spam in multiple languages, according to cyber-security firm Proofpoint.
    But the best Emotet advice ZDNet can give concerns systems that have already been found to be infected. In this case, companies should take down their entire networks and audit each system. This is because Emotet has features that allow it to spread laterally across the entire network, and Emotet is also often used to download other malware, including ransomware. Taking infected systems or the entire network offline while systems are scanned and re-imaged is the best way to avoid an even more costly security incident.

    Chilean bank shuts down all branches following ransomware attack

    BancoEstado, one of Chile’s three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend.
    “Our branches will not be operational and will remain closed today,” the bank said in a statement published on its Twitter account on Monday.

    Details about the attack have not been made public, but a source close to the investigation told ZDNet that the bank’s internal network was infected with the REvil (Sodinokibi) ransomware.
    The incident is currently being investigated as having originated from a malicious Office document received and opened by an employee. The malicious Office file is believed to have installed a backdoor on the bank’s network.
    Investigators believe that on the night between Friday and Saturday, hackers used this backdoor to access the bank’s network and install ransomware.
    Bank employees working weekend shifts discovered the attack when they couldn’t access their work files on Saturday.
    BancoEstado reported the incident to Chilean police, and on the same day, the Chilean government sent out a nationwide cyber-security alert warning about a ransomware campaign targeting the private sector.
    While the bank initially hoped to recover from the attack unnoticed, the damage was extensive, according to sources, with the ransomware encrypting the vast majority of internal servers and employee workstations.
    The bank initially disclosed the attack on Sunday, but as time went by, bank officials realized employees wouldn’t be able to work on Monday, and decided to keep branches closed while it recovers.
    Luckily, it appears the bank had done its job and properly segmented its internal network, which limited what the hackers could encrypt. The bank’s website, banking portal, mobile apps, and ATMs were untouched, according to multiple statements released by the bank, in order to reassure customers that their funds were safe.
    The REvil ransomware gang is one of the few groups that operate a leak site, where it leaks files from networks it breaches, in case the victim doesn’t want to pay. At the time of writing, BancoEstado’s name is not on the leak site, suggesting the bank has either paid the ransom demand, or is still negotiating with the hackers.
    This marks the second time hackers have targeted a Chilean bank. In June 2018, North Korean hackers deployed disk-wiping malware on the network of Banco de Chile, while attempting to hide a bank hack. A year later they also breached Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks, during an attempt to orchestrate an ATM cash-out scheme.

    Money from bank hacks rarely gets laundered through cryptocurrencies

    Image: SWIFT
    Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said in a report last week.
    “Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods,” said SWIFT, the organization that runs the SWIFT inter-bank messaging system used by almost all banks across the world to wire funds across borders.
    These traditional methods include the use of money mules, front companies, cash businesses, and investments back into other forms of crime, such as drug trade or human trafficking.
    Past cases of cryptocurrency use to launder stolen bank funds
    SWIFT said that incidents where hackers laundered money via cryptocurrencies have been few and far between.
    One example listed in the organization’s report is the case of a criminal gang who performed an ATM cashout attack. SWIFT says the gang converted the stolen cash funds into cryptocurrency rather than use money mules to buy and resell expensive products with the stolen cash, as most other similar groups tend to operate.
    Another example is an Eastern European gang who set up their own bitcoin farm in East Asia. The gang used funds stolen from banks to operate the farm, generate bitcoin, and then spent the minted bitcoin in Western Europe. When the gang was arrested, SWIFT said authorities found 15,000 bitcoins valued at USD$109 million, two sports cars and jewelry worth USD$557,000 at the house of the group leader.
    Another case where cryptocurrency was used to launder stolen bank funds includes Lazarus Group, a group of hackers operating for the benefit of the North Korean government. SWIFT said the group stole money from banks, converted it into cryptocurrency, moved the cryptocurrency assets across different exchanges to hide its origin, and then converted the crypto-assets back into fiat currency and had it sent to North Korea.
    But that’s not all. SWIFT also said it has seen “some cases” where hackers used stolen bank funds to buy and load prepaid cryptocurrency cards. These are real debit cards that can store cryptocurrency instead of real (fiat) money, and these cards can be used with special ATMs to withdraw cryptocurrency back into fiat currency, or they can be used for real-world card transactions.
    SWIFT said several financial platforms in Europe and the UK had been used to load prepaid cards with bitcoin, which were subsequently used to purchase jewelry, cars, and property with stolen funds.
    Use of cryptocurrency expected to rise
    But SWIFT says these are only edge cases when compared to the number of incidents and the volume of stolen funds that are being laundered through traditional methods.
    Nevertheless, SWIFT believes that the use of cryptocurrency for laundering stolen bank funds will rise in the future.
    Favorable factors include the growing number of altcoins (alternative cryptocurrencies) that have recently launched and which focus on providing full transaction anonymity.
    In addition, criminals are also increasingly seen using services like mixers and tumblers that obscure the source of cryptocurrency transactions by blending stolen/laundered funds with large amounts of other legitimate transactions.

    Further, SWIFT also warns about the emergence of online marketplaces where users can sign up with nothing but an email address — hiding their identities — and then purchase high-end products, land, and real-estate assets across the world, such as expensive watches, jewelry, gold bars, fine art, luxury penthouses, and tropical islands.
    These three factors provide criminal groups with a degree of anonymity that traditional methods like money mule gangs and front companies can never offer, which is why SWIFT believes more groups will eventually adopt cryptocurrencies to launder stolen bank funds.
    Traditional methods reign supreme
    Nonetheless, SWIFT says that, for the time being, most stolen bank funds are being laundered through tried and tested techniques.
    The stolen funds usually come from (1) attacks on a bank’s money transferring system, or (2) attacks against a bank’s ATM systems and related infrastructure.
    These funds are usually laundered using an assortment of techniques, such as money mules, front companies, cash businesses, cryptocurrencies, and investments back into other forms of crime. Some groups might rely on one technique, while others may combine multiple.

    Image: SWIFT
    Over time, these techniques have advanced. In its “Follow The Money” report [PDF] last week, SWIFT highlighted the ingenuity of some money laundering tactics that have been recently observed in the wild. Some of these techniques include:
    • The broad use of various categories of money mules. This includes money mules that willingly receive funds into their accounts and then forward them to a criminal, money mules who use fake IDs to open accounts on behalf of hacker groups, money mules who collect money from cashed-out ATMs, and money mules that re-ship items bought with the stolen funds.
    • Increased focus on recruiting money mules from the ranks of young adults seeking to fund higher education and adults recently out of work.
    • The use of legitimate job ads to recruit money mules, sometimes in western countries, with many of these individuals unwittingly working for fake companies set up by criminal gangs.
    • Some criminal gangs sell access to hacked bank accounts, which are then used to launder money without the owner’s knowledge.
    • In other cases, some gangs set up legitimate bank accounts to be used as recipients for stolen funds, sometimes months in advance of a hack to give the accounts more legitimacy.
    • Where banks employ a know-your-customer (KYC) policy and apply due diligence when setting up new accounts, some criminal groups recruit insiders at financial institutions to evade or undermine this process.
    • Some gangs also use front companies set up in foreign territories to avoid international sanctions.
    • Most front companies are set up in jurisdictions that are known for strong banking secrecy laws or for poor enforcement of money laundering regulations (such as the East Asia region).
    • Gangs who handle cash funds stolen from ATMs usually prefer dealing with cash businesses, where they can buy expensive products to be resold later.
    • Casinos are also emerging as an excellent medium for money laundering, as crooks buy betting chips with the stolen funds and then convert the chips back into fiat currency to obtain a cheque with the casino’s name on it, standing in for a legitimate transaction/source of the funds.
    These and more are detailed in the SWIFT report.
    “The aim of this report is to illuminate the techniques used by cyber criminals to ‘cash out’ so that SWIFT’s global community of over 11,000 financial institutions, market infrastructures and corporates can better protect themselves,” SWIFT said.

    Webmaster forum database exposed data of 800,000 users

    A database belonging to the Digital Point webmaster forum leaked the records of over 800,000 users. 

    San Diego, California-based Digital Point describes itself as the “largest webmaster community in the world,” bringing together freelancers, marketers, coders, and other creative professionals. 
    On July 1, the WebsitePlanet research team and cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak. 
    According to the team, names, email addresses, and internal user ID numbers were made publicly available. 
    In addition, internal records and user post details were stored in the open database. While examining the database to find out who the owner was, the researchers stumbled across sets of data relating to forum members who flagged posts and the reasons behind these reports — including allegations of “bad business dealings,” spam, and other reasons, some described as appearing to be “petty and personal.”

    Aside from the usual security ramifications of user data theft and phishing, the database could have become one of many to succumb to Meow Bot, an automated script that was responsible for the compromise of thousands of unsecured MongoDB and Elasticsearch databases in July. Once the script has been deployed, it overwrites data with numbers and the word “meow.”
    “One of the dangers of a non-password protected database is that it is a sitting target waiting to be stolen, encrypted, or deleted,” the team says. 
    Fowler sent a responsible disclosure notice to Digital Point on July 1, the same day the leak was discovered, by way of a suitable email address found within the database. The alert was taken seriously and access to the database was revoked within hours. 
    However, the forum did not communicate with the researchers or respond to follow-up requests. 
    ZDNet has reached out to Digital Point and will update when we hear back. 


    Service NSW reveals 738GB of customer data was stolen during email breach

    Service NSW has revealed that the personal information of 186,000 customers was stolen because of a cyber attack earlier this year on 47 staff email accounts.  
    Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, comprising 3.8 million documents, was stolen from the email accounts.
    The one-stop-shop agency assured, however, that there was no evidence that individual MyServiceNSW account data or Service NSW databases were compromised during the cyber attack.
    “This rigorous first step surfaced about 500,000 documents which referenced personal information,” Service NSW CEO Damon Rees said.
    “The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications.
    “Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.
    “We are sorry that customers’ information was taken in this way.”
    Service NSW said it would now progressively notify affected customers by sending personalised letters via registered post containing information about the data that was stolen and how they could access support, including access to an individual case manager to help with possibly replacing some documents. The agency expects to complete notifying customers in December.
    “Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach,” Rees said.
    Service NSW also revealed that NSW Police is currently carrying out an investigation into the incident, which has been labelled as a “criminal attack”. 
    A review by the NSW auditor-general into Service NSW’s cybersecurity defences, practices, systems, and education is also underway.
    Service NSW said that, in light of the incident, it has added security measures to protect against future attacks, such as partnering with IDCare, which will provide the agency with additional “cyber support”.
    “We have accelerated our cybersecurity plans and the modernisation of legacy business processes to keep customer information as safe as possible,” it said.  
    Last week, it was revealed information on thousands of New South Wales driver’s licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open. 
    Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.  
    In June, the New South Wales government committed AU$240 million to bolster the government’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce. 
    Alongside this, the state government announced intentions to stand up a sector-wide cybersecurity strategy and is calling for industry submissions to help shape it. 
    “The 2020 NSW Cyber Security Strategy will ensure the NSW government continues to provide secure, trusted, and resilient services in an ever-changing and developing environment,” Minister for Customer Service Victor Dominello said.
    “The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens.”

    Most cyber-security reports only focus on the cool threats


    The vast majority of reports published by the cyber-security industry focus on high-end economic espionage and state-sponsored hacking topics, ignoring threats to civil society and creating a distorted view of the actual cyber threat landscape that later influences policy-makers and academic work.
    In an article published in the Journal of Information Technology & Politics, a team of academics made up of some of today’s biggest names in cyber-security and internet research fields analyzed 700 cyber-security reports published over the last decade, between 2009 and 2019.
    “The reports we collected were derived from two types of sources: first, commercial threat intelligence vendors (629 reports), and second, independent research centers (71 reports),” academics said.
    In addition, the team also examined helpline data from AccessNow, a digital rights advocacy group, in order to understand the true digital threats, as reported by the end-users themselves.
    The research team — made up of eminent names in the cyber-security field such as Lennart Maschmeyer, Ronald J. Deibert, and Jon R. Lindsay — found that only 82 of the 629 commercial reports (13%) discussed a targeted threat to civil society.
    Of these 82, only 22 reports placed a threat to civil society at the center of their investigations, with the remaining 607 commercial reports focusing on cybercrime gangs and nation-state actors (APT groups).
    In contrast, most of the reports produced by independent research centers were focused on the threats to civil society.
    Cyber-security reports are driven by profits
    Maschmeyer, Deibert, and Lindsay believe this is because cyber-security firms are driven by their bottom lines, and the reports they put out serve “as much as advertising as [threat] intelligence.”
    “Commercial reporting is driven by specific business interests that determine what gets reported, and what does not,” the research trio said.
    Cyber-security firms — chasing large enterprise customers and government contracts — primarily focus on investigating cybercrime, economic espionage, and critical infrastructure sabotage, but ignore threats to individuals, minorities, or civil society as a whole.
    “High end threats to high-profile victims are prioritized in commercial reporting while threats to civil society organizations, which lack the resources to pay for high-end cyber defense, tend to be neglected or entirely bracketed,” the research team said.
    “This situation constitutes a market failure that leaves those most in need of accurate information about threats – vulnerable civil society actors – least well-informed,” they added.
    Since commercial cyber-security firms are behind most of today’s cyber-security reports, the research trio says this current state of affairs produces “a systematic bias in reporting” that is likely to “impact perception among both policy-makers and researchers” and end up affecting government policies, national state defense strategies, and academic work in the long run.
    Best example: 2016 US Presidential Election
    The best example of this theory, which researchers published back in June, is the 2016 US Presidential Election.
    US cyber-security agencies expected nation-state entities to hack campaigns, which did happen, but most of the actual damage was done through social media influence campaigns aimed at civil society.
    “This Russian influence campaign focusing on individuals and civil society caught most scholars and policy-makers off guard; it did not correspond to prevailing threat models focusing on critical infrastructure disruption and large-scale digital espionage,” Maschmeyer, Deibert, and Lindsay said.

    ADHA appoints former Services Australia interim head as its new CEO

    Following a 9-month search, the Australian Digital Health Agency (ADHA) has appointed Amanda Cattermole as its new CEO. 
    She will take over from Bettina McMahon, who stepped in as interim CEO at the start of February, following the resignation of Tim Kelsey. 
    Kelsey worked in the CEO role for three years before leaving the post. 
    Cattermole was most recently the COO of Services Australia. She was also previously the interim CEO of Services Australia and held deputy secretary roles at the agency when it was called the Department of Human Services. 
    “Amanda Cattermole is held in the highest regard across the public service and health sector and will bring a depth of knowledge and capability to the role of CEO at a time when digital health has never been more important,” ADHA board chair Dr Elizabeth Deveny said.
    During her time at Services Australia, the department kicked off a data-matching program of work that saw the automatic issuing of debt notices to those in receipt of welfare payments through the Centrelink scheme. 
    The program, colloquially known as robo-debt, automatically compared the income declared to the Australian Taxation Office against income declared to Centrelink, which resulted in debt notices and a 10% recovery fee being issued whenever a disparity in government data was detected.
    One large error in the system, however, was that it incorrectly calculated a recipient’s income, basing fortnightly pay on their annual salary rather than taking a cumulative 26-week snapshot of what an individual was paid.
    Since admitting to getting around 470,000 debts wrong, Services Australia estimated that it needed to refund around AU$721 million back to Australians.
    Cattermole will commence her new role on September 29.