ATM Fraud , Fraud

ATM Attacks: Why We Must Remain Vigilant Fraudsters Are Increasingly Turning to Explosives to Steal ATM Cash John Buzzard • November 3, 2016     John Buzzard's photo of damaged ATM

My recent business trip to San Francisco netted a startling discovery when I spotted a flame-kissed ATM in the city during my morning walk to work. I photographed the ATM and took particular note that the card acceptor was seriously melted and burned by some sort of accelerant-soaked fabric or paper that had been laid against it. The accelerant alone rendered a decent amount of damage.

See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short

This incident is an example of increasing threats to ATMs in both the United States and abroad, as criminals attempt to blow up ATMs in a quest for speedy cash.

I discovered the damaged ATM shortly after I had finished reading BankInfoSecurity's article, Attackers 'Hack' ATM Security with Explosives, which outlined the destruction reported by the European ATM Security Team - 492 explosive attacks have been reported in Europe since the beginning of 2016.

All of these attacks involved solid explosives and/or explosive gases. You simply can't make this stuff up unless you are a professional script writer pitching your next big action adventure drama to a studio.

Explosives are scary, and I am concerned from a security and safety perspective. Situational awareness is key here. Cardholders, vendors and employees could easily be at risk if exposed to an explosive attack, but I take comfort in the fact that the majority of these vandals do their work during non-peak hours, so the risk of harming an employee or customer would be rare.

I recently had the pleasure of speaking with a credit union colleague in North Carolina who immediately shared my concern over the dangerous and dramatic methods that criminals are using today to gain entry into our ATMs. She pointed out that the industry has seen a shift from physical ATM security threats, such as ram raids and card skimming, to more serious criminal destruction from explosives. Her exact comment was: "The days of only worrying about someone wrapping a chain around your ATM and dragging it off are over."

Criminals today are bold, technologically savvy and, in some cases, armed with explosives. I don't think that we will ever see all of our physical risks shift entirely to the threat of accelerants and explosives. But clearly we have to add this to our threat matrix and prepare to at least properly identify the trend as it emerges in the marketplace. Let's not forget other risks:

ATM Ram Raids

These attacks are still incredibly popular in Europe and Australia, but they show up regularly in the U.S. as well. The ATM Industry Association has often pointed out that ram raids are the one the leading threats to ATMs worldwide, second only to card skimming.

Jackpotting

Criminals have been quietly testing their ability to physically manipulate and re-program ATMs in Europe, Mexico and the U.S. in recent years. This is how a "jackpotting" attack is waged. Once reprogrammed, ATMs can be controlled by hackers and instructed to spit out cash on-demand or at specific times of day.

Chip Skimming Prototypes

The emergence of periscope skimmers, which are undetectable on the surface, is another concerning trend. These skimmers are installed inside the ATM, usually by accessing the device's enclosure with a universal or stolen key, to capture card numbers after cards are inserted into the ATM's reader. And card-reading "shimmers," which have been found to defeat EMV chip technology designed to prevent skimming, prove criminals are progressively experimenting with technology as a weapon.

In a shimming attack, a shimmer is placed inside the ATM's card reader to intercept communications between the chip card and the chip reader. Information that can be intercepted includes personal account number and expiration date. ATM security experts have pointed out, however, that card information compromised via a shimming attack only pays off for fraudsters if issuing banks fail to appropriately authorize their card transactions. Because EMV chip cards can't be skimmed, if a fraudster tries to duplicate a card with an EMV chip and use it for purchases, the bank should catch it.

My advice to banks is to be observant, educate your employees and, by all means, report unusual instances of extreme ATM damage and attempted robbery to the appropriate authorities in your area. We cannot prevent every attack. But we can be savvier and more prepared with our defense battle plans.

Anti-Malware , Cybersecurity , DDoS

10 Hot Sessions at Black Hat Europe 2016 Top-Flight Information Security Conference Decamps to London Mathew J. Schwartz (euroinfosec) • November 2, 2016     Black Hat Europe comes to London's Business Design Center. Photo: Mathew Schwartz/ISMG

The annual Black Hat Europe information security conference gets underway again this week.

See Also: Secure Access in a Hybrid IT World

Seeking more space, the conference - now in its 16th year - decamps from Amsterdam to London for the first time, setting up shop at the city's Business Design Center.

Organizers are expecting more than 1,500 attendees and have booked more than 65 speakers to present 40 research-based briefings, as selected by the Black Hat Review Board, composed of 23 leading information security experts.

Topics to be covered range from ransomware and threat intelligence to targeted attacks and how to hack secure boot.

Another 30 briefings are also scheduled for the Business Hall, wherein vendors will be delivering everything from a deep dive into the Cerber ransomware-as-a-service gang and threat hunting to using machine learning and the growth of commoditized malware.

Where to begin? Here are 10 especially good-looking briefings:

Day 1

Detecting Mobile-Targeting Ransomware (Thursday, 10:00): Only 10 ransomware families currently target mobile devices, say researchers Federico Maggi of Trend Micro and Stefano Zanero of Politecnico di Milano. They promise to detail new techniques for how related attack code can be spotted. Mobile Espionage Malware (Thursday, 12:30): Lookout Mobile Security researchers Max Bazaliy, Seth Hardy and Andrew Blaich will offer a technical teardown of Pegasys "lawful intercept" spyware to detail its technical features as well as "how this espionage software utilizes remote jailbreaks and backdoors to embed itself into the device," plus related defensive recommendations. More Qualcomm Chipset Flaws (Thursday, 16:00): Adam Donenfeld of Check Point Software Technologies will detail multiple brand-new, zero-day, privilege escalation vulnerabilities in Qualcomm chipsets, dubbed "Qualaroot," following on the heels of his firm's previous Quadrooter vulnerability research. Waging "Offensive Cyber Defense" (Thursday, 16:00): Microsoft's Tal Be'ery and Itai Grady argue that defenders need to adopt more of the techniques being used against them by attackers, including wielding Kerberos error injection as a defense against certain types of attacks and using internal network reconnaissance against attackers to identify them.

Day 2

Unraveling "Ego Markets" (Friday, 9:30): Click farms and Gameover Zeus botnets are being used to supply fake followers. GoSecure researchers Masarah Paquet-Clouston and Olivier Bilodeau will detail new insights into how one such large-scale botnet, known as Linux/Moose 2.0, supports this "criminal market for social media fraud," as well as just what that market entails. Suborning Belkin Home Automation Devices (Friday, 9:30): Joe Tanen and Scott Tenaglia of Invincea Labs found flaws in Belkin IoT devices - and related Android apps - that could be used to root devices, run arbitrary code on paired smartphones as well as use the devices to launch distributed denial-of-service attacks without having to first root the device. OAuth 2.0 Mayhem (Friday, 12:00): Ronghai Yang and Wing Cheong Lau - both hailing from the Chinese University of Hong Kong - say they have discovered a brand-new flaw in how OAuth 2.0 - for single sign-on - is being used by nearly half of all mobile apps they tested, which could allow attackers to sign into a victim's account without any user interaction. Billions of apps are reportedly at risk. Quantum-Proof Crypto (Friday, 14:00): Cryptographers continue to double down on quantum-resistant cryptography. Jennifer Fernick, a cryptography and security researcher at the Institute for Quantum Computing and the Center for Applied Cryptographic Research at Canada's University of Waterloo, promises to round up related issues as well as to "demonstrate the world's first open-source library offering a full range of secure implementations of quantum-safe cryptographic algorithms." Top Web Attack Payloads (Friday, 15:30): When attackers exploit vulnerabilities such as Shellshock and ImageTragick, they typically do so to launch exploit-code payloads at targets. But which types of payloads are most prevalent? John Graham-Cumming of CloudFlare will share payload-related information that's been spotted by his DDoS defense firm. Black Hat Locknote (Friday, 16:15): The annual and always insightful closing keynote presentation features Black Hat founder Jeff Moss, as well as three members of the Black Hat Review Board. This year, Sharon Conheady, Daniel Cuthbert and Chris Wysopal join Moss to discuss key takeaways from the conference.

With everything on offer this year, the above is just my starting point. What are your top picks?

Breach Response , Cybersecurity , Data Breach

Trump-Russia Conspiracy? Nope, Just Regular DNS Lookups Report's Supposed Technical Evidence Doesn't Add Up, Security Experts Say Jeremy Kirk (jeremy_kirk) • November 2, 2016    

It's the story several media outlets were pursuing, but highly cautious about publishing: Was there secret communication between Donald Trump's camp and a Russian bank?

See Also: Avoid Theft of Your Privileged Credentials

In a U.S. presidential election where hacking - for the first time ever - has tremendously shaped the campaign, it was an alluring tip. With the U.S. vowing revenge for what it claims are Russian-led cyber operations, it is a potentially explosive story that could have thrown another last-minute hurdle before Election Day next Tuesday (see Clinton, Trump: Head-to-Head Over Purported Russian Hacks).

Slate's Franklin Foer took the leap, publishing a lengthy piece that detailed an odd discovery noticed by researchers with access to Domain Name System logs. DNS is the system that translates domain names into IP addresses. It underpins all internet activity, from email to loading web pages.

The researchers analyzed what are known as passive DNS logs, which record DNS lookups by hosts on the internet. Passive DNS is extremely useful, and many security companies have large visibility into DNS. For example, researchers use it to figure out which servers malicious software programs are trying to reach, which can lend further clues to where stolen data may be stashed.

Earlier this year, the Russian financial institution Alfa Bank began querying DNS hundreds of times for a host name registered to the Trump Organization. The pattern of DNS lookups suggested people within the organizations were communicating, Slate contends.

"The logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence," Foer writes.

It's tantalizing information, particularly since Trump encouraged Russia to find Hillary Clinton's missing emails, part of the long-running controversy over her use of a private email server. But since Foer's story was published, there are wide doubts as to whether that data has been accurately interpreted to the exclusion of more plausible explanations.

Alfa Bank has also strongly dismissed the Slate report and its allegations. "Alfa Bank wishes to make clear that there is no connection between Alfa Bank and Donald Trump, the Trump campaign, or the Trump organization," the bank says in a Nov. 1 statement. "Any suggestion to the contrary by this article is false."

Secret Communication, Anonymous Sources

Foer's piece does not lack for sourcing and includes Paul Vixie, a widely regarded computer scientist. But the core research came from someone nicknamed Tea Leaves, who runs a cybersecurity company, and two unnamed others. Foer goes to lengths to assure readers that Tea Leaves is an authoritative person and that the other two didn't want to be named due to their positions in industry and law enforcement.

The Intercept writes that it and other media outlets were passed an academic-style white paper, an analysis of that paper and a dossier on Alfa Bank. None of the authors of any of the documents have been identified, and it doesn't appear that material has been publicly released. But Alfa Bank says the information was given to reporters "by an anonymous cyber group."

The Trump server in question, mail1.trump-email.com, was set up for marketing purposes but didn't handle much traffic. The DNS lookups from Alfa Bank, which began earlier this year, spiked at key points during the campaign and during the Democratic and Republican conventions, which further raised eyebrows.

After The New York Times queried the Trump campaign in mid-September, the host was shut down. Four days later, a new host name was created, trump1.contact-client.com, which Alfa Bank reportedly tried to resolve. Vixie is quoted as saying someone would have had to inform Alfa Bank of the new host name for that to happen.

Several Investigations

Because the research has been circulating for a while privately, the FBI - on heightened alert over Russian hacking - investigated. But The New York Times reported Oct. 31 that the FBI "ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts."

While this was unfolding, Alfa Bank hired FireEye's computer forensics unit Mandiant to investigate. The bank allowed Mandiant access to systems in Moscow and gave investigators a scanned copy of a printed log showing 2,800 DNS lookups over three months earlier this year, which were provided to the bank by the media.

Anti-spam or other security software can generate such DNS lookups contained in the log, Mandiant says. "Nothing we have or have found alters our view as described above that there isn't evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization," according to a statement provided to ISMG.

Experts See 'Non-Scandal'

Robert Graham, CEO of Errata Security, has dismissed Slate's story as nonsense. He writes that the trump-email.com is registered to the Trump Organization but is actually administered by a company called Cendyn, which does marketing for hotels. DNS records show that Cendyn has set up many similar host names for its other marketing clients.

The system set up for Trump was probably sending marketing emails to Alfa Bank, which then did reverse DNS queries to figure out where the email was coming from.

"I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for 'mail1.trump-email.com' from all over the world, especially from tools like FireEye that process lots of spam email," Graham writes on his blog.

Graham's opinions on computer security are polarizing at times, but his analysis received praise from other experts who often spar with him.

"I rarely agree with @erratarob, but his analysis of the 'trump email server' non-scandal is spot on," writes Christopher Soghoian, principal technologist and a senior policy analyst with the ACLU Speech, Privacy, and Technology Project.

Thomas H. Ptacek, a principal with Latacora and founder of Matasano Security, humorously writes: "I rarely agree with @csoghoian and actively avoid agreeing with Rob Graham, but: yes. This is some shameful shit."

Beware Journalism Errors

The situation serves a cautionary tale when interpreting highly technical data and casting it in support of an unsubstantiated theory. It's not an uncommon problem in publishing: a journalist whose determination to publish a scoop clouds their otherwise objective, critical view of the facts.

The body of Foer's piece centers on establishing that these two servers communicated, which is indisputable, and that we should then believe:

This is strange because many experts say so; This means there is something else going on.

But the "something else" is never justified with facts, leaving a gaping hole that attempts to be filled with endless background on U.S.-Russian cyber tension.

For the reader, reaching the end of the piece might induce a chin-stroking moment and interpretation that tilts toward impropriety by Trump's people. But Foer hedges heavily in the second-to-last paragraph, warning that the evidence is no smoking gun and there could be alternative explanations. By then, however, perhaps it's too late.

Anti-Malware , DDoS , Technology

Are Attacks a Test Run for a Larger One to Come? Jeremy Kirk (jeremy_kirk) • November 4, 2016    

The small west African country of Liberia recently became an unlikely target for the Mirai botnet, the vast army of poorly secured internet-connected devices that security experts worry may continue to cause distributed denial-of-service attack problems for service providers.

See Also: Secure Access in a Hybrid IT World

The DDoS attacks against targets in Liberia went on for at least a week, says Kevin Beaumont, a security architect based in Liverpool, England. By late Nov. 3, the attacks stopped. But at one point, they reached 500 gigabits per second, an intensity unheard of until recently.

The country apparently was struck by the same botnet that last month hit networking company Dyn, which supplies DNS services to Twitter and Spotify and many other popular websites, Beaumont says. The attack on Dyn underscored how a focused electronic assault on just one company could be amplified for maximum effect (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

DDoS attacks blast streams of unwanted data traffic to websites, online gaming companies, ISPs and other entities, aiming to make their services unresponsive. Organizations hit with DDoS attacks can't actually stop them but rather have to put in place expensive mitigations that filter the attack traffic.

The strikes have reached a new level of intensity since mid-September. Security experts say hackers have taken control of millions of internet of things devices, such as CCTV cameras, digital video recorders and baby monitors, and infected them with DDoS attack code.

The targeting of Liberia, which has a population of 4.2 million and experienced a bloody 14-year civil war that ended in 2003, is puzzling.

"I suspect they were using Liberia for testing because nobody would notice," Beaumont tells Information Security Media Group.

Evolution of DDoS Attacks

Experts are closely watching the evolution of the attacks. That's done, in part, by setting up "honeypots," or traps consisting of IoT devices that researchers know will become immediately infected by DDoS malware. Studying the honeypots gives insight into targets as well as the command-and-control servers used to send attack instructions to the bots.

The researchers known as @MalwareTechBlog and @2sec4u have set up an automated Twitter feed, @miraiattacks, that provides real-time information on IP addresses that Mirai is targeting and the type of DDoS attacks conducted. Since the Twitter feed was launched on Oct. 23, it has posted updates on 28 Mirai botnets. Each number represents a different command-and-control server.

Mirai botnet #14 is the dry name given to the group of devices that attacked Liberia. "The botnet is huge," Beaumont says. The attacks against Liberian operators were short but made up of large bursts of traffic, he adds.

The attacks in Liberia likely would not have drawn much attention if it weren't for Beaumont, who began investigating where Mirai traffic was aimed. He wrote a blog post on Nov. 3, which subsequently drew media attention.

Liberia's internet connectivity is served, in part, by a submarine fiber optic cable activated in December 2012. The Africa Coast to Europe cable winds from Europe to the southern part of the continent along the west coast. Its total capacity is 12.8 Tbps, according to operator Orange.

The landing point in the country is managed by the Cable Consortium of Liberia, which involves the country's Telecommunication Authority and private operators. Efforts to reach operators weren't immediately successful.

Unknown Attackers

Although DDoS attacks have been a nuisance for more than two decades, the intensity of the latest IoT attacks has been surprising. DDoS attacks are typically between 1 Gbps and 15 Gbps, but at least two over the last two months have reached between 500 Gbps and 1 Tbps.

In September, computer security journalist Brian Krebs saw his website hit with a 665 Gbps attack, and French hosting provider OVH saw Mirai-powered attack traffic peak at 800 Gbps.

Those attacks received attention in computer security circles, but it was the later Dyn attack, which hampered access to Amazon, PayPal, Spotify, Twitter and many other popular websites, that brought the problems around hacked internet-connected devices to mainstream attention.

Large DDoS attacks are noisy and tend to draw attention. Shortly after the Dyn attacks, the White House said the Department of Homeland Security was investigating. But those behind the attacks remain unknown.