More stories

  •

    Malicious npm package caught trying to steal sensitive Discord and browser files


    The npm security team has removed a malicious JavaScript library from the npm portal that was designed to steal sensitive files from an infected user’s browser and Discord application.
    The malicious package was a JavaScript library named “fallguys” that claimed to provide an interface to the “Fall Guys: Ultimate Knockout” game API.
    However, once a developer had downloaded the library and integrated it into a project, the malicious code also executed every time that developer ran the project.
    Per the npm security team, this code would attempt to access five local files, read their content, and then post the data to a Discord channel (via a Discord webhook).
    The five files the package would attempt to read are:
    /AppData/Local/Google/Chrome/User Data/Default/Local Storage/leveldb
    /AppData/Roaming/Opera Software/Opera Stable/Local Storage/leveldb
    /AppData/Local/Yandex/YandexBrowser/User Data/Default/Local Storage/leveldb
    /AppData/Local/BraveSoftware/Brave-Browser/User Data/Default/Local Storage/leveldb
    /AppData/Roaming/discord/Local Storage/leveldb
    The first four files are LevelDB databases specific to browsers like Chrome, Opera, Yandex Browser, and Brave. These files usually store information specific to a user’s browsing history.
    The last file is a similar LevelDB database, but for the Discord Windows client, which stores information on the channels a user has joined and other channel-specific content.
    Of note is that the malicious package did not steal other sensitive data from the infected developers’ computers, such as session cookies or the browser database that stores credentials.
    The malicious package appears to have been performing some sort of reconnaissance: gathering data on victims and trying to assess what sites the infected developers were accessing, before delivering more targeted code via a later update to the package.
    The npm security team advises that developers remove the malicious package from their projects.
    The malicious package was available on the site for two weeks, during which time it was downloaded nearly 300 times.
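As an added example (not code from npm, the advisory, or the package itself), here is a small scanner a defender can point at a project’s node_modules to flag files that reference the five LevelDB paths listed above or carry a Discord webhook URL, the exfiltration channel the advisory names. The sample JavaScript it checks is constructed for the demonstration, the webhook id and token in it are placeholders, and the file-type filter and path-normalisation rules are my own assumptions.

```python
import os
import re

# Indicator fragments taken from the five paths in the npm advisory, normalised to
# forward slashes, decoded spaces and lower case so one fragment matches any spelling.
LEVELDB_TARGETS = [
    "google/chrome/user data/default/local storage/leveldb",
    "opera software/opera stable/local storage/leveldb",
    "yandex/yandexbrowser/user data/default/local storage/leveldb",
    "bravesoftware/brave-browser/user data/default/local storage/leveldb",
    "discord/local storage/leveldb",
]
# The article names a Discord webhook as the exfiltration channel; this is the
# public URL shape of Discord's webhook API endpoints.
WEBHOOK_RE = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/\d+/", re.I)
SOURCE_SUFFIXES = (".js", ".cjs", ".mjs", ".ts", ".json")  # assumption: where such paths sit


def normalise(source: str) -> str:
    """Collapse the ways a script can spell the same Windows path: single or doubled
    backslashes become '/', and '%20' or the '\\x20' escape become a space."""
    text = re.sub(r"\\+", "/", source)   # '\\' and '\' both become '/'
    text = text.replace("/x20", " ")     # '\x20' became '/x20' on the line above (heuristic)
    text = text.replace("%20", " ")
    return text.lower()


def scan_source(source: str) -> dict:
    """Return the LevelDB targets a piece of source refers to, and whether it carries
    a Discord webhook URL. Either finding on its own is worth a human look."""
    text = normalise(source)
    return {
        "leveldb_paths": [t for t in LEVELDB_TARGETS if t in text],
        "discord_webhook": WEBHOOK_RE.search(source) is not None,
    }


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. node_modules) and collect files with any finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    result = scan_source(fh.read())
            except OSError:
                continue
            if result["leveldb_paths"] or result["discord_webhook"]:
                findings.append((path, result))
    return findings


# Constructed sample resembling what such a package might contain; the webhook id
# and token are placeholders, not real values.
SAMPLE_JS = r'''
const fs = require("fs");
const home = process.env.APPDATA;
const targets = [
  home + "\\Local\\Google\\Chrome\\User%20Data\\Default\\Local%20Storage\\leveldb",
  home + "/Roaming/discord/Local\x20Storage/leveldb",
];
const hook = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN";
'''

if __name__ == "__main__":
    print(scan_source(SAMPLE_JS))
    for path, result in scan_tree("node_modules"):
        print(path, result)
```

A hit only means the package names these locations; confirm by reading the code, since legitimate tooling (backup or migration utilities) can touch the same directories.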

  •

    It’s never the data breach — it’s always the cover-up

    The obstruction of justice and misprision of a felony charges levied against Joseph Sullivan, former Uber chief security officer (CSO), sent shock waves through the cybersecurity community. CSOs and chief information security officers (CISOs) rightfully wondered what these charges mean in terms of their own culpability for decisions made on the job.

    CSOs and CISOs handle sensitive data, make difficult decisions, and consider their responsibility to the company and its shareholders when making those decisions. Legal, regulatory, and privacy issues also feature heavily in these decisions. 
    The narrative in the charging documents (Note: This is not yet a criminal indictment) issued by the FBI against Uber’s former CSO (Sullivan) paints him as actively masterminding and executing a plan to cover up a major data breach, obstruct federal regulators, and conceal activity from senior executives. 
    The Case Against Uber 
    A data breach in 2014 exposed the records of 50,000 Uber drivers. In 2016, the Federal Trade Commission (FTC) investigated Uber for the 2014 data breach. Approximately 10 days after Sullivan provided sworn testimony to the FTC, he learned of a second data breach involving similar records but on a much larger scale. This time, the breach included millions of records. Uber and Sullivan cooperated with investigators, and the hackers were caught and charged. 
    According to the charging document, Sullivan, former Uber CEO Travis Kalanick, and others took the following steps after learning of the 2016 data breach: 

    They confirmed the data was real. 

    Sullivan modified an existing bug bounty program to pay a ransom to keep the hackers from exposing the data breach publicly. 

    The bounty amount paid was 10 times higher than the maximum of the existing bug bounty program, and the breach type and records were also not covered by the existing bug bounty program. 

    Sullivan required that the hackers sign a non-disclosure agreement (NDA), another change to the existing bounty program. 

    Sullivan did not mention the 2016 hack to the FTC. 

    Sullivan did not fully explain the data breach to the new Uber CEO in 2017.

    Note that Sullivan is not charged for the first four. Instead, these are being used as supporting evidence for the charges of obstruction of justice and misprision of a felony.

    The Other Side Of The Story 
    In November 2016, Uber learned of a data breach. Hackers threatened to expose the stolen data. Uber paid a ransom to the hackers under its bug bounty program and made the hackers sign NDAs to avoid the breach becoming public knowledge. 
    Sullivan did not inform the FTC during the sworn investigative hearing because he couldn’t have: Sullivan learned of the 2016 breach 10 days later. To inform the FTC, Sullivan would have needed to reach out and inform them about a separate, new, but similar breach. There’s also some confusion as to whether Sullivan was under any legal obligation to do so. 
    Sullivan briefed the new CEO in 2017 but did not provide the details necessary for the new executive. This is not necessarily surprising since communication between senior security leaders and senior executives remains a challenge. 
    This version of the facts matches the case laid out in the charging documents but does so by examining the decisions without viewing them as linked to criminal activity. If this case goes to trial, Sullivan’s attorneys will have a chance to offer their own version of events. 
    Sullivan is innocent until proven guilty. But regardless of the outcome, for CISOs, there’s a critical lesson here. You must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact. 
    What Should CISOs Take Away From The Charges? 
    Here’s what senior security leaders should know and understand about these events: 

    This is a warning to CSOs and CISOs: Remove all sense of impropriety in IR. Concealing a data breach is illegal. Every decision made during an incident might be used in litigation and will be scrutinized by investigators. In this case, it’s also led to criminal charges filed against a well-known security leader. If your actions seem to conceal rather than investigate and resolve a data breach, expect consequences. 

    Neither the ransom nor the bug bounty are at issue here. Paying the ransom through the bug bounty was alleged to help conceal the breach. Firms should develop a digital extortion policy, so that there are no allegations of impropriety should they choose to pay a ransom. In addition, the guidelines of your bug bounty program should not be altered on the fly to facilitate non-bug bounty program activities. 

    Work closely and openly with senior leadership on breaches and issues of ransom. Sullivan tried to get the hackers to sign non-disclosure agreements — a legal document between two legitimate entities effectively acknowledging the hackers as business entities — which allowed Uber to treat the hackers as third parties. Treating the ransom as a “cost of doing business” helped them conceal the payment from the management team as well. The charging documents state that only Sullivan and Kalanick were aware of the payment and the way it was routed through the bug bounty program. No other senior leaders were involved. 

    It’s the CISO’s job to make leadership understand the importance of cybersecurity. Often CISOs and other security and risk leaders will note that it’s hard to make board members and CEOs understand the technical points around cybersecurity and breaches. While that is most certainly true and understandable, it’s not a valid reason to allow for failures. If the board doesn’t understand, the CISO must make them understand, even if they have to whiteboard the issue. Make them understand. Failure is not an option. 

    The CISO job can be high risk, high reward; take steps to protect yourself. Burnout is a very real concern, while other risks can include legal liability on the job and becoming a scapegoat. If you have the ability to negotiate, consider a rider to the company’s corporate director and officer liability insurance policy, which offers you coverage, or have your CISO position added as an officer to the company’s bylaws, which offers you the same indemnification as other C-level officer positions. Ever hear of golden parachute clauses for executives? CISOs can have golden bullet clauses. 

    This post was written by Principal Analyst Jeff Pollard, and it originally appeared on the Forrester blog.

  •

    Surprise! Even Google's engineers don't understand its privacy controls

    Even they don’t get it.
    It’s an empty feeling.

    You discover that something you’ve always suspected to be true — even when denied by a tech company — turns out to be, oh, true.
    In some way, you almost feel guilty. You want to beat yourself about the head muttering “I knew it. I just knew it.”
    So here we are finally seeing that Google’s own engineers don’t even understand the company’s privacy controls.
    In court documents unsealed last week in Arizona, a (sadly unnamed) Google engineer offers this 2018 email about the company’s location tracking controls: “Location off should mean location off, not ‘except for this case or that case.’ The current UI feels like it is designed to make things possible, yet difficult enough that people won’t figure it out.”
    Who would ever believe a company that flouted privacy more enthusiastically and more often than a flasher could make privacy controls so impenetrable that even the company’s own large brains couldn’t figure them out?
    Those tech companies were run by such wily young people in days of yore. Ever since Facebook CEO Mark Zuckerberg insisted in 2010 that people didn’t want privacy, you had a feeling that you were never going to get any.
    You suspected that the likes of Facebook and Google would make untold billions from dealing your private information to the highest bidder on an hourly basis.
    Indeed, it was only when their transgressions became laughably obvious that such tech companies even introduced any privacy controls worth the name. Well, the name privacy something-or-other, not necessarily the name privacy control.
    In that same 2010, Facebook made its privacy controls simpler. Or, should I say, “simpler.” Real people, though, didn’t find them so simple. I fear they still don’t.
    As for Google, well, who felt unable to laugh when, during 2018 congressional hearings, CEO Sundar Pichai declared: “Our mission is to protect your privacy.”
    How odd, then, that during that very same year, another Google engineer offered bracing words, as revealed by the court documents.
    Wondering about location data and how Google kept it private, the engineer wrote: “I’d want to know which of these options (some? All? none?) enter me into the wrongful-arrest lottery. And I’d want that to be very clear to even the least technical people.”
    Clarity and tech companies go together like fish and trees. For too long, one of the secret joys of running a tech company lay in the sure knowledge that your users had no real idea what you were doing or how. And you didn’t feel compelled to enlighten them.
    Those least technical people had no hope of knowing what was going on. Of course, they contributed greatly by not caring enough or even at all. It was too exciting to post pictures of the cake you just baked, the bike you just bought, or the spouse you just married.
    Somewhere, though, there was the expectation of trust. Yes, oh tech company, you’re doing wizard work and making my life so much better and easier, but please try not to take (too much) advantage.
    How it must have felt for these Google engineers to see just how much advantage was taken.
    Of course, Google’s attitude is to say it’s working so very hard to improve privacy controls.
    Indeed, last year Google introduced an option by which users could ensure that location history data and even search history data could be auto-deleted.
    This may have been only because some in government are working so hard to enact stern legislation which may make tech companies’ lives a little harder.
    It may also have been because the likes of Google and Facebook have discovered all sorts of new ways to follow people around and monetize their every move and thought. Indeed, the Arizona lawsuit mentions that switching off location tracking won’t mean Google can’t target you. It merely means the company can’t target you quite as precisely as the fourth pavement slab outside number 83, Outofharms Way.
    And then there’s DoubleClick. If you want to address this ad service’s penchant for offering location-based ads, it seems you have to go to another little interface. (Disclosure: Google owns DoubleClick.)
    Should users have to work so hard to gain a little privacy? How many people do you know who consciously and regularly update their privacy settings on their devices and apps?
    Perhaps there’ll come an uplifting day when we can easily set all our social media and other online activities in far more precise ways. Perhaps we’ll be able to dictate, in some astoundingly easy way, precisely who gets to learn anything about us at all.
    Perhaps I’m dreaming and kidding at the same time.

  •

    Best home security systems in 2020: Ring, Nest, SimpliSafe, Abode, and more

    You don’t need to spend a fortune on making your home office secure, but thanks to mobile technology, our options are now far beyond a locked door and window fastenings. 
    Smart video doorbells that create and record both video and audio feeds in real-time when you have a visitor. Motion and sound sensors that can be used in and outside, digital door locks, cameras with excellent night vision — the range of products that leverage mobile connectivity, apps, and Internet of Things sensors are endless. 
    That is not to say that all smart home security products are created equal, and not every home needs to have bells and whistles on when it comes to security — sometimes, a few select pieces can create a home ecosystem that is enough to protect your home (and office) against intruders, as well as alert you when suspicious activity is detected. 
    ZDNet has created a list suiting a variety of budgets and setups to help homeowners and remote workers decide how best to protect their properties, ranging from full kits to useful window sensors and cameras suitable for use both in and outdoors. 

    Ring Video Doorbell Pro

    A smart video doorbell is one of those products that you didn’t realize could be a great addition to daily life until you invest in one. It may seem like overkill to go for a doorbell with Internet connectivity, video and audio feeds, and the ability to check-in remotely, but once you get used to the convenience of being able to chat to visitors and delivery staff no matter where you are, you can see their value. 
    Convenience, however, is just one benefit, as these types of products can be a useful security addition, too: you can clearly see visitors before opening the door, and deter potentially unwanted ‘visitors’ checking out your home.
    Currently on sale at $189.99, the Ring Video Doorbell Pro is one product for consideration. The hardwired doorbell is able to record 1080p HD footage with two-way talk, and also comes with infrared night vision, sensors, and customizable ‘zones’ for motion detection alerts. 
    Compatible with iOS, Android, Mac, and Windows 10, users can check in on their doorbell at any time. Live view is free, but continual recording requires a subscription.
    $189 at Amazon

    Ring home security system

    If the Ring ecosystem appeals to you, Ring also offers a full smart home security system that can be customized depending on the property and the user’s wishes when it comes to security. 
    You can create your own security system by combining elements including home alarms, motion sensors, window and door contact sensors, keypads, a smart doorbell, panic buttons, and both indoor and outdoor cameras. 
    Ranging in price from single $19.99 window sensors to a robust $649.99 security package, the Ring range considers every point of entry into a home, whether you live in a small condo or a large house with extensive grounds. 
    $159 at Amazon

    Nest Cam Indoor

    For do-it-yourself types who want a few security gadgets but not an entire setup, Google’s Nest Cams are worth considering. 
    Nest Cam Indoor products are standalone security cameras that plug into an outlet. Once connected to the Nest mobile app, users are sent alerts when motion is detected and it is also possible to tap into the camera at any time to see what is going on at home — not only useful as a security measure but also something that could be used to keep an eye on pets at home, for example. Built-in speakers and a microphone are included. 
    Event-based or continual recording is on offer, and for free, snapshots taken over a three-hour time period are saved and viewable. A subscription option for 24/7 recording and storage is also available. 
    Outdoor alternatives are on sale for $199.
    $129 at Amazon

    Nest Secure

    If your smart home is making use of the Nest ecosystem and already includes products such as Google Home, or Nest fire or CO2 alarms, the Secure package could be of interest to bolster home security.
    The $399 Nest Secure includes Nest Guard, an alarm, keypad, and motion sensor; two Nest Detect sensors suitable for use in monitoring doors, windows, or entire rooms, two open/close magnets for doors or windows, two Nest tags that are used to enable or disable alarms quickly, and mounting brackets.
    The Nest Detect sensors are able to detect motion and sound, and can also be set to chime when a door or window is opened — a useful feature if you have young children at home.
    A limited free option is available, alongside a feed monitoring and storage subscription. As Secure products are compatible with Google’s overall IoT ecosystem, users can ask their assistant to arm or disarm the Nest alarm remotely, and if the system thinks you have left home without arming, a reminder can be sent to your smartphone. 
    $399 at Best Buy

    SimpliSafe home security system

    For hunters of a full security system without a long-term subscription, SimpliSafe’s home security system should be considered. 
    SimpliSafe offers a $220 entry-level kit containing a motion sensor, entry sensor, panic button, and a key fob, which can be customized to include additional products such as a siren, video doorbell, glass break sensor, or smoke, water, and CO2 sensors.
    The Wi-Fi-connected system has a backup battery in case of a power outage, and the vendor maintains six monitoring centers to keep an eye on homes within the network — with operators alerting the police even if the devices are damaged by intruders. 
    SimpliSafe offers a variety of subscriptions and accounts for over three million users in the United States. 
    $220 at SimpliSafe

    Blink XT2 security camera

    Blink XT2 security cameras, suitable for indoor and outdoor use, should be considered as an alternative for Amazon Alexa voice assistant users. 
    These cameras are best suited for those who want versatility and do not want to deal with wires or installation, as each camera is powered by lithium-ion batteries. 
    Blink XT2 cameras contain motion detection sensors, two-way speakers and a microphone, and are able to take 1080p HD video through the day, as well as infrared-based footage at night.
    The cameras can be armed or disarmed through Alexa and free cloud storage for one year is on offer, with no need for a subscription or contract. 
    $284 at Amazon

    Honeywell smart home security starter kit

    Another popular option on the market is Honeywell’s home security kit. The $189 bundle contains a selection of motion sensors, key fobs, and a camera able to record visual and audio footage in 1080p HD video. Night vision is also included. 
    Honeywell’s security system can be set to automatically arm itself when you leave home, and if you forget to shut a window or door where a sensor is installed, for example, you can be sent alerts to this oversight. 
    A key selling point about this option is versatility, as the security system can be set up to operate in existing IoT setups offered by various vendors. Amazon’s Alexa voice assistant is inbuilt to accept commands.
    $189 at Amazon

    Abode Essentials starter kit

    Abode’s offering is a budget-friendly package that comes with an Abode hub, a motion sensor suitable for entryways or specific rooms, a small window or door sensor, and a keyfob for quickly arming or disarming the system. 
    Users can install the system themselves and connect the hub to their mobile device, as well as control their kit through Amazon Alexa, Google Assistant, or Apple HomeKit. 
    If you want to extend your security system further, additional Abode sensors and cameras can be added to the network. 
    A basic, free plan or more extensive subscription is available. 
    $199 at Amazon

    August Wi-Fi smart lock

    An additional component you might want to consider for your home security setup is a smart lock. An alternative to a traditional deadbolt, a lock such as the August Wi-Fi Smart lock, available in black and silver, connects to a user’s mobile device or Alexa assistant to monitor the lock status of a door.
    You do not need to replace your existing lock-and-key setup; instead, you attach the smart lock to a deadbolt. It is possible to set up the product to automatically detect when you come home and unlock the door, and in the same way, auto lock when the door closes. 
    If you want to grant others access to your home, “secure keys” can be sent to their mobile devices via the August app. 
    However, it is worth noting this smart lock requires a 2.4GHz Wi-Fi network. 
    The August Wi-Fi Smart lock is currently on sale for $238. 
    $238 at Amazon
    Buyer’s Guide:
    When ZDNet compiled this list, we wanted to consider as many security angles to protecting a home and home office as possible. Entry points including windows and doors can be protected through smart door locks, sensors, and cameras, and should an intruder manage to get into a property, monitoring systems that send alerts to homeowners can make all the difference between perpetrators being caught or getting away with their actions. 
    Unlike a business premise, however, homeowners and remote workers do not need to spend a fortune in order to adequately protect their assets. Instead, a few products that have been carefully selected and placed in weak or entry points — including a front porch, garden, or by ground floor windows — can be all they need. 
    A camera or two — preferably with night vision — sensors monitoring windows, and, perhaps, a video doorbell or smart lock to protect your front door. Larger properties can benefit from additional security components linked to the same network, but in either case, today’s smart home security products can give you peace of mind in or outside of the house.


  •

    Former engineer pleads guilty to Cisco network damage, causing Webex Teams account chaos

    A former Cisco engineer has admitted to illegally accessing Cisco’s network and wiping 456 virtual machines as well as causing disruption to over 16,000 Webex Teams accounts.

    Sudhish Kasaba Ramesh has taken a plea agreement in a federal court in San Jose after being accused of intentionally accessing a protected computer without authorization and recklessly causing damage, according to the US Department of Justice (DoJ). 
    The 30-year-old engineer resigned in April 2018, but chose to access Cisco’s Amazon Web Services (AWS) environment roughly five months after leaving the company in order to deploy code that deleted 456 virtual machines (VMs).
    On September 24, 2018, the code was launched from Ramesh’s Google Cloud Project account, obliterating the VMs. As a result of this action, over 16,000 Webex Teams accounts were deactivated for two weeks. 
    US prosecutors say that the tech giant needed to pay $1.4 million in additional employee time to restore and rectify the damage caused to the system, as well as issue refunds of approximately $1 million to customers impacted by the network issues. 
    “He admitted that he acted recklessly in deploying the code, and consciously disregarded the substantial risk that his conduct could harm to Cisco,” the DoJ says. 
    It is not believed that any customer information was compromised. 
    The engineer was formally charged on July 13, 2020, and is currently out on bail. Ramesh faces up to five years behind bars and a fine of up to $250,000. Sentencing has been set for December 9, 2020. 
    In a statement, Cisco said additional safeguards have been implemented and the company dealt with the damage as quickly as possible. 
    “We brought this issue directly to law enforcement and appreciate their partnership in bringing this person to justice,” Cisco said. “We are confident processes are in place to prevent a recurrence.”
    In related news, earlier this week, Cisco purchased BabbleLabs, a company that specializes in technology designed to reduce background noise. 
    Noise and environmental distractions can be extremely irritating, and in a time when many of us are working from home due to the coronavirus pandemic, remote teleconferencing tools have become crucial to keeping businesses running. 
    BabbleLabs’ technology will be integrated into the Cisco collaboration portfolio, including Webex Meetings.  


  •

    Academics bypass PINs for Visa contactless payments


    A team of academics from Switzerland has discovered a security bug that can be abused to bypass PIN codes for Visa contactless payments.
    This means that if criminals are ever in possession of a stolen Visa contactless card, they can use it to pay for expensive products, above the contactless transaction limit, and without needing to enter the card’s PIN code.
    The attack is extremely stealthy, academics said, and can be easily mistaken for a customer paying for products using a mobile/digital wallet installed on their smartphone.
    However, in reality, the attacker is actually paying with data received from a (stolen) Visa contactless card that is hidden on the attacker’s body.
    How the attack works
    According to the research team, a successful attack requires four components: (1+2) two Android smartphones, (3) a special Android app developed by the research team, and (4) a Visa contactless card.
    The Android app is installed on the two smartphones, which will work as a card emulator and a POS (Point-Of-Sale) emulator.

    Image: ETH Zurich
    The phone that emulates a POS device is put close to the stolen card, while the smartphone working as the card emulator is used to pay for goods.
    The entire idea behind the attack is that the POS emulator asks the card to make a payment, modifies transaction details, and then sends the modified data via WiFi to the second smartphone that makes a large payment without needing to provide a PIN (as the attacker has modified the transaction data to say that the PIN is not needed).
    “Our app does not require root privileges or any fancy hacks to Android and we have successfully used it on Pixel and Huawei devices,” researchers said.
    Attack caused by an issue with the Visa contactless protocol
    At the technical level, the researchers said the attack is possible because of what they describe as design flaws in the EMV standard and in Visa’s contactless protocol.
    These issues allow an attacker to alter data involved in a contactless transaction, including the fields that control transaction details and if the card owner has been verified.
    “The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” researchers said.
    “The attack consists in a modification of a card-sourced data object, the Card Transaction Qualifiers, before delivering it to the terminal,” they added.
    “The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer’s device (e.g., a smartphone).”
    These modifications are carried out on the smartphone running the POS emulator, before being sent to the second smartphone, and then relayed to the actual POS device, which wouldn’t be able to tell if the transaction data was modified.
    This security issue was discovered earlier this year by academics from the Swiss Federal Institute of Technology (ETH) in Zurich.
    ETH Zurich researchers said they tested their attack in the real world, in real stores, without facing any issues. The attack was successful at bypassing PINs on Visa Credit, Visa Electron, and VPay cards, they said.
    A Visa spokesperson did not return an email seeking comment on the research paper’s findings, which ZDNet sent on Thursday, but the ETH Zurich team said they notified Visa of their findings.
    Second attack discovered, also impacting Mastercard
    To discover this bug, the research team said they used a modified version of a tool called Tamarin, which was previously used to discover complex vulnerabilities in the TLS 1.3 cryptographic protocol and in the 5G authentication mechanism.
    Besides the PIN bypass on Visa contactless cards, the same tool also discovered a second security issue, this time impacting both Mastercard and Visa. Researchers explain:
    “Our symbolic analysis also reveals that, in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This enables criminals to trick the terminal into accepting an unauthentic offline transaction. Later on, when the acquirer submits the transaction data as part of the clearing record, the issuing bank will detect the wrong cryptogram, but the criminal is already long gone with the goods.”
    Unlike the first bug, the research team said it did not test this second attack in real-world setups for ethical reasons, as this would have defrauded the merchants.
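A toy model of the two authentication gaps described above (the Card Transaction Qualifiers sitting outside the authenticated data, and the terminal being unable to verify the Application Cryptogram itself), as an added example that is not the ETH Zurich team’s code, tooling, or a real EMV implementation: the AC is stood in for by an HMAC under a constructed key, the CTQ is reduced to two flags, and the amount, currency, contactless limit and ATC are constructed values. It shows why the issuer never notices a rewritten CTQ unless the cryptogram covers it, and that the terminal, holding no key, can only forward the cryptogram for the issuer to check later.

```python
import hashlib
import hmac
from copy import deepcopy

# Constructed demo key. In EMV the cryptogram key exists only on the card and at the
# issuer; the terminal never holds it, which is why it cannot verify the AC itself.
ISSUER_KEY = b"constructed-demo-key-not-a-real-emv-key"
CONTACTLESS_LIMIT = 80_00  # minor units; constructed value for the model


def encode_ctq(ctq: dict) -> bytes:
    """Pack the two CTQ flags this model tracks into one byte (constructed layout)."""
    return bytes([(1 if ctq["pin_required"] else 0) | (2 if ctq["verified_on_device"] else 0)])


def compute_ac(txn: dict, cover_ctq: bool) -> bytes:
    """Stand-in for the card's Application Cryptogram: an HMAC over transaction data.
    cover_ctq=False models the gap the article describes (CTQ not authenticated);
    cover_ctq=True models the fix of including the CTQ in the authenticated data."""
    msg = b"|".join([str(txn["amount"]).encode(), txn["currency"].encode(),
                     str(txn["atc"]).encode()])
    if cover_ctq:
        msg += b"|" + encode_ctq(txn["ctq"])
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


def card_respond(amount: int, atc: int, cover_ctq: bool) -> dict:
    """A genuine card answering a request above the limit: it asks for online PIN."""
    txn = {"amount": amount, "currency": "CHF", "atc": atc,
           "ctq": {"pin_required": True, "verified_on_device": False}}
    txn["ac"] = compute_ac(txn, cover_ctq)
    return txn


def tamper_ctq(txn: dict) -> dict:
    """The modification the article quotes: the CTQ is rewritten between card and
    terminal to claim 'no PIN needed, cardholder verified on the consumer device'."""
    forged = deepcopy(txn)
    forged["ctq"] = {"pin_required": False, "verified_on_device": True}
    return forged


def terminal_cvm(txn: dict) -> str:
    """Terminal selects the cardholder verification method from the CTQ it receives.
    It never inspects the AC (it cannot); it only forwards it in the clearing record."""
    if txn["amount"] <= CONTACTLESS_LIMIT:
        return "NONE"
    if txn["ctq"]["verified_on_device"] and not txn["ctq"]["pin_required"]:
        return "CDCVM"  # device verification claimed, so no PIN prompt
    return "ONLINE_PIN"


def issuer_verify(txn: dict, cover_ctq: bool) -> bool:
    """Issuer recomputes the AC from the forwarded data (including CTQ when covered)."""
    return hmac.compare_digest(compute_ac(txn, cover_ctq), txn["ac"])


def run_scenario(cover_ctq: bool) -> dict:
    """What the terminal decides, and whether the issuer later catches the tampering."""
    genuine = card_respond(amount=500_00, atc=17, cover_ctq=cover_ctq)
    forged = tamper_ctq(genuine)
    bogus = {**genuine, "ac": bytes(32)}  # the 'unauthentic offline transaction' case
    return {
        "cvm_genuine": terminal_cvm(genuine),
        "cvm_forged": terminal_cvm(forged),
        "issuer_accepts_forged_ctq": issuer_verify(forged, cover_ctq),
        "issuer_accepts_bogus_ac": issuer_verify(bogus, cover_ctq),
    }


if __name__ == "__main__":
    print("CTQ outside the cryptogram:", run_scenario(cover_ctq=False))
    print("CTQ covered by the cryptogram:", run_scenario(cover_ctq=True))
```

In both runs the terminal skips the PIN for the forged CTQ; only the covered variant lets the issuer reject the transaction at clearing, and the bogus-cryptogram case is rejected there in both variants, after the goods have already left the store.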
    Additional details about the team’s research can be found in a paper preprint entitled “The EMV Standard: Break, Fix, Verify.” Researchers are also scheduled to present their findings at the IEEE Symposium on Security and Privacy, next year, in May 2021.

    Elon Musk confirms Russian hacking plot targeted Tesla factory

    Earlier this week, US authorities arrested and charged a Russian national for traveling to the US to recruit and convince an employee of a Nevada company to install malware on their employer’s network in exchange for $1 million.
    While the indictment did not name the targeted company, several outlets covering the electric-vehicle industry speculated today that the attack had very likely targeted US carmaker Tesla, which operates a mega-factory in Sparks, a town near Reno, Nevada.
    Tesla had not returned requests for comment on the topic, but in a tweet earlier today, Tesla CEO Elon Musk confirmed that the hacking plot did, indeed, target his company.
    “Much appreciated. This was a serious attack,” Musk wrote, replying to one of the multiple news reports speculating that Tesla was the target.
    Employee went to the FBI early in the recruitment process
    The plot is a rare documented case of attackers recruiting a so-called “malicious insider,” the cyber-security industry’s term for an employee who turns against their employer.
    According to court documents, a 27-year-old Russian man named Egor Igorevich Kriuchkov reached out to one of Tesla’s employees via WhatsApp; the two had previously met in 2016.
    Kriuchkov said he was vacationing in the US and arranged for the two to meet, with the Russian hacker traveling to Reno for this purpose.
    Over multiple meetings, Kriuchkov told the Tesla employee that he was working with a Russia-based hacker group and proposed that the employee install a piece of custom-built malware on Tesla’s internal network.
    Kriuchkov said the malware, which the group spent $250,000 to build, would exfiltrate data from Tesla’s network, and upload it to a remote server. The plan was to steal sensitive Tesla files and then threaten to release the data unless Tesla paid a huge ransom demand.
    The employee, whom the FBI described as a Russian-speaking immigrant, notified Tesla and the FBI about the proposal after his first meeting with Kriuchkov.
    Subsequent meetings were recorded and documented in the indictment, including the employee negotiating his cut up from $500,000 to $1 million, and the gang postponing the Tesla operation until later in the fall because it was in the middle of breaching another company and needed to focus on that target.
    FBI agents arrested Kriuchkov as he tried to leave the US via Los Angeles over the weekend, and charged him on Monday. If found guilty, Kriuchkov could face up to five years in prison for his role in the scheme.

    New Zealand Stock Exchange suffers day four disruption following DDoS attacks

    The New Zealand Stock Exchange (NZX) is still suffering from the aftermath of distributed denial of service (DDoS) attacks that hit the exchange earlier this week.
    On Friday morning, the NZX said its markets would open as normal, following ongoing work to put in place additional measures to maintain system connectivity and address the severe DDoS attacks.
    Two hours later, however, the NZX said it was experiencing connectivity issues which appeared to be similar to those caused by the DDoS attacks from earlier this week.
    “Given the current issue, we have extended the pre-open for the NZX main board and Fonterra shareholders market. The NZX debt market was placed into a halt at 9:58am [NZST],” the exchange said. “The NZX derivatives market remains open.”
    See also: DDoS extortionists target NZX, Moneygram, Braintree, and other financial services
    The exchange was aiming for business as usual on Friday, after keeping the NZX main board, NZX debt market, and Fonterra shareholders market offline on Thursday and closing the NZX derivatives market at 11:00am NZST.
    The exchange’s website is currently offline.
    NZX was first hit by a DDoS attack on Tuesday, which resulted in the exchange halting trade in its cash markets from 3:57pm NZST.
    A joint statement made earlier this week by NZX and its network service provider Spark said the DDoS attack came from offshore, via Spark’s networks, to impact NZX system connectivity.
    The NZX has since been repeatedly targeted by the attacks.
    Earlier on Thursday, ZDNet reported the attacks were attributed to a criminal gang that has launched DDoS attacks against some of the world’s biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks.
    At the time, the NZX and Spark had been hopeful that markets would resume normal operations on Wednesday.
    NZX said it has been continuing to work with Spark, and with national and international cybersecurity partners, including the GCSB, to address the attacks.
    The exchange said it has been in close contact with market participants and that it “appreciates the support and level of understanding during the periods of disruption to trading”.