How Hackers Hijacked a
Bank’s Entire Online Operation
… Researchers at the security firm Kaspersky
on Tuesday described an unprecedented case of wholesale bank fraud, one that
essentially hijacked a bank’s entire internet footprint. At 1 pm on
October 22 of last year, the researchers say, hackers changed the Domain Name
System registrations of all 36 of the bank’s online
properties, commandeering the bank’s desktop and mobile website
domains to take users to phishing sites. In practice, that meant the
hackers could steal login credentials at sites hosted at the bank’s legitimate
web addresses. Kaspersky researchers believe the hackers may have even
simultaneously redirected all transactions at ATMs or point-of-sale systems to
their own servers, collecting the credit card details of anyone who used their
card that Saturday afternoon.
… Kaspersky believes the attackers
compromised the bank’s account at Registro.br. That’s the domain
registration service of NIC.br, the registrar for sites ending in the Brazilian
.br top-level domain, which they say also managed the DNS for the bank.
With that access, the researchers believe, the attackers were able to
change the registration simultaneously for all of the bank’s domains,
redirecting them to servers the attackers had set up on Google’s Cloud
Platform.2
With that domain hijacking in place, anyone visiting the
bank’s website URLs were redirected to lookalike sites. And those sites
even had valid HTTPS certificates issued in the name of the bank, so that visitors’
browsers would show a green lock and the bank’s name, just as they would with
the real sites. Kaspersky found that the certificates had been issued six
months earlier by Let’s Encrypt, the non-profit certificate authority that’s made obtaining
an HTTPS certificate easier in the hopes of increasing HTTPS adoption.
… Ultimately, the hijack was so complete that
the bank wasn’t even able to send email. “They couldn’t even communicate
with customers to send them an alert,” Bestuzhev says. “If your DNS is
under the control of cybercriminals, you’re basically screwed.”
They record the IP address of anyone who clicks on their
video. If someone had spammed that link as “cute puppies,” could they
tell?
Joseph Cox reports:
Last year, Motherboard found Australian authorities had unmasked Tor
users in the US as part of a child pornography investigation. Judging by
court documents, Australian authorities sent targets a hyperlink to a video
that, when clicked, would give their real IP address to investigators.
Now, it has emerged the hacking
operation was broader in scope, with authorities placing a booby-trapped video
not only in messages to individual targets, but on a more widely accessible
forum, allowing investigators to identify hundreds of suspects around the
world. The case highlights the growing
trend of law enforcement agencies using hacking tools and malware to identify
criminals located outside of their immediate jurisdiction.
Read more on Motherboard.
[From the Motherboard
article:
… investigators would have had no way of
knowing where the people clicking the video would have been located; that is
the very problem authorities face when dealing with suspects on the dark web.
However, that also means law enforcement agencies may be searching
computers across international borders and beyond their legal remit. Task
Force Argos has repeatedly declined to answer questions from Motherboard on
whether the unit obtained a warrant to unmask suspects in this operation.
This won’t succeed, will it?
The government is
demanding to know who this Trump critic is. Twitter is suing to keep it a
secret.
Twitter filed a lawsuit Thursday to block an order from
the Department of Homeland Security that seeks to reveal the user of an account
who has been critical of the Trump administration's immigration policies.
Tweets from the account -- @ALT_uscis -- indicate that it
is run by someone who is an employee of the U.S. Citizenship and Immigration
Services division of Homeland Security.
Free speech advocates said the DHS order appeared to be
the first time the government has attempted to use its powers to expose an
anonymous critic -- a development that, if successful, would have a "grave
chilling effect on the speech of that account" as well as other accounts
critical of the U.S. government, Twitter said.
… the Homeland Security case struck free
speech advocates as more remarkable because the information request was about
the identity of a government critic, rather than public safety.
"Twitter has a pretty strong argument," said
Andrew Crocker, a staff attorney for the Electronic Frontier Foundation.
"It does look and smell like the government is going after a critic.
There's nothing in the summons that CBP [Customs and Border Protection]
sent to Twitter that authorizes this request under the power that they have."
… As of the time of the court filing, the
account had been active for two months and amassed more than 32,000 followers.
By 8:15 p.m., that figure had grown to more than 86,000. [A bit of a Streisand Effect there… Bob]
Since I have no social media accounts, I must be
invisible.
Companies want to sell, and they want to sell to you.
The best way for them to turn you into a loyal customer is to gather as
much information as possible about who you are, where you go, and what you
like.
Enter your social media profiles.
Even just your basic information — such as your gender,
name, and age — is ideal for targeted advertising. Add a few public
images, some geo-linked Instagram posts, and an opinionated Twitter feed, and
companies hit a goldmine of opportunity.
Do I copyright my data? How can I protect my data
if I share it?
Data Clash Heats Up
Between Banks and New York Stock Exchange -- Update
Several of the biggest firms on Wall Street are balking
at a contract that the New York Stock Exchange is requiring them to sign to
keep trading on its markets, people familiar with the dispute said.
… The behind-the-scenes spat over the
contract, called the NYSE Master User Agreement, is the latest flashpoint in a
long-running battle over the market data that exchanges sell to their
customers.
Such data are crucial for banks and other financial
heavyweights that use computerized trading strategies. It has been a
growing source of revenue for stock exchanges in recent years, prompting
complaints from Wall Street firms that they are being overcharged.
At the heart of the dispute is legal language about who
owns the data that brokers submit to the exchange when they buy and sell
stocks. The contract implies that NYSE owns the data. Brokers and
big trading firms say the data are rightfully theirs.
The agreement, a seven-page document available on NYSE's
website, differs from similar contracts from the Big Board's competitors,
lawyers say.
Of course it could happen here.
So, Bad News: Now
Militants Are Using Drones as Projectiles
Background.
The Four Flavors of
Automated License Plate Reader Technology
by Sabrina I.
Pacifici on Apr 6, 2017
EFF – “Automated License Plate Readers (ALPRs) may be the most
common mass surveillance technology in use by local law enforcement around the
country—but they’re not always used in the same way. Typically, ALPR
systems are comprised of high-speed cameras connected to computers that
photograph every license plate that passes. The photo is converted to
letters and numbers, which are attached to a time and location stamp, then
uploaded to a central server. This allows police to identify and record
the locations of vehicles in real time and also identify where those vehicles
have been in the past. Using this information, police could establish
driving patterns for individual cars. The type of data ALPRs collect,
analyze, and access often depends on what kind of systems they use and how they
combine the data. Whether you’re a policymaker, journalist, or a citizen
watchdog, it is important to note the specifics about how these technologies
are used…”
Spinning the story for her next run?
Hillary Clinton Says
Russia Used Hacking ‘to Great Effect’ in Her Defeat
Hillary Clinton
left no doubt on Thursday that she believes Russia contributed to her defeat by
interfering in the election, condemning what she called Moscow’s “weaponization
of information.”
“I didn’t fully understand how impactful that was,” Mrs.
Clinton said at a women’s conference in New York.
I wonder if this would help you learn a language if you
found someone (in Japan for example) that wanted to learn English?
Skype’s real-time voice
translation tool now works in Japanese
Microsoft is expanding its real-time Skype translation tool for spoken
word into Japanese, its tenth language.
The software giant first introduced Skype Translator in English and Spanish back in 2014, and it has since expanded
into a number of additional languages, including Mandarin, Italian, Russian, and Arabic.
No comments:
Post a Comment