Hackers Steal Millions in Bitcoin Using Only A Phone Number

Just after midnight on August 11th, Jered Kenna in Medellín, Colombia was notified that two of his email accounts had their passwords reset.

He tried regaining control of the accounts by getting the services to send him a text, which he never received.

When he called his phone company (T-Mobile), they said that he didn’t have a phone with them; the number had been transferred to another phone company.

It turns out that it is relatively simple, using a fake ID and some social engineering, to steal someone’s phone account at a phone company.

Once you have control of someone’s phone number, you can reset account passwords since most websites will send you a text or email with a code or URL to reset your password.

After all, your phone is secure, right?

Not so much.

Within 7 minutes, his access to 30 accounts was lost.

Among the accounts that he lost control of were two bank accounts, a Paypal account, two Bitcoin services and his Windows account, which locked him out of his PC.  This is one reason why I tell people NEVER use a Microsoft Online account to log in to your PC at home, even though Microsoft actually makes it difficult for you not to use one (there is a trick to it).  The hacker can’t lock you out of your PC remotely if you do not use a Microsoft Online password.

Kenna was an early Bitcoin miner, having millions in Bitcoin.  For security, the Bitcoin had been stored offline, but for some stupid reason, a few weeks earlier he had brought the Bitcoin online to move them to a more secure service.

Apparently not.

Suffice it to say, he lost millions of dollars.

He says he now has only about 60 Bitcoin (worth something less than $60,000).

He still doesn’t have his phone number back.

In January 2016, there were over 2,000 Bitcoin theft reports filed with the FTC.  Remember that 99+% of the time, if you lose your Bitcoin, they are gone forever.  No way to get them back.  No insurance.  No recourse.

Coinbase, the highest volume cryptocurrency exchange, says the number of cryptocurrency fraud cases is on track to double between November and December.

It would seem that this attack was very specifically targeted at Kenna.

The fundamental problem here is that ALL service providers think customer service first, security second.

So when someone contacts your phone company pretending to be you, even though you (AKA they) violate all of the security protocols, the prime directive prevails – CUSTOMER SERVICE FIRST, SECURITY LAST.

In this case, it cost someone millions of dollars.

If you lost access to your phone number, then your email(s), then your bank accounts then:

  • What would you do?
  • What would the consequences be?

In the case of bank accounts, it is likely that you will be able to eventually get your money back.

In the case of other digital assets, the story is not so clear.  If someone gains access to say, your iTunes account, you MAY, EVENTUALLY, get it back, but the attacker likely still has all of your data.  If you recall the event called “The Fappening” a couple of years ago, a number of celebrities lost control of their iTunes accounts and thousands of nude photos appeared on the Internet.  Try to get that genie back in the bottle.

Many service providers from Facebook to banks offer an extra level of security called two factor authentication.  Only 10 percent, at most, of people use two factor authentication.  It is a little bit complicated and it is a little inconvenient.   But it is also a little inconvenient to lose all the money in your bank or brokerage account.

When convenience bumps up against security, in almost all cases, convenience wins.  Many banks use text messages as the second factor, but if you lose control of your phone number, that doesn’t help because the hacker gets the text messages.  The government (NIST) says that SMS text messages as the second factor are not sufficiently secure, and it wants people to stop using them and replace them with encrypted, data-based second factor authenticators.

Still, using SMS as the second factor is WAY more secure than not having a second factor.

In this case, it was millions of dollars of Bitcoin.

Who knows what the next case is.

So when Marissa Mayer, CEO of Yahoo (who seems to have lost control of 1.7 billion user accounts) says it is too inconvenient to put a password on her phone, I get it.  After all, compared to 1.7 billion accounts, what could she lose that is more valuable than that?

And remember, even though you MAY, EVENTUALLY, get control back of your email, your bank accounts, your phone number, it may take weeks and you may have to expend a LOT of time and money to do so.

So when you say “who would want to steal my stuff,” you might want to reconsider that statement.  I am sure that Jered Kenna wishes he had done some things differently.

And when it comes to corporate intellectual property, it is likely that you will never be able to undo the damage unless the crook is very stupid or you are very lucky.

Food for thought.

Information for this post came from Forbes.

Uber Spies on Customers, Including Celebs

One thing about data rich environments – you have to trust that the data keepers do what they say they are going to do.

As we all know, Uber collects a lot of data – even data that they don’t know what they will use it for – but surely they will need it in the future – for something.

Uber has said that it can’t access ride information for users, but a former Uber security expert says that is not the case.  He says that Uber employees stalked ex boyfriends and girlfriends and celebrities.

Spangenberg, who is now suing Uber for age discrimination, says that employees can track politicians, exes, celebrities and personal acquaintances of Uber employees.

A couple of years ago, the concept of “God View” became public – a feature in the Uber software that allowed employees to bypass privacy and security controls.

According to Spangenberg, even drivers’ Social Security numbers are at risk.

The only data, he says, that is not at risk, is credit card information.  That is not because they protect it but rather because they use a third party (Braintree) to process credit card transactions.

Spangenberg objected, he says, to reckless and illegal practices and Uber fired him.

Another ex-Uber employee, Michael Sierchio, a former senior security engineer, said that when he was at Uber, you could stalk an ex or look up anyone’s ride with the flimsiest of excuses.  There was no approval required.  He said that Uber was interested in growth at all costs, and he was told that they were not a security company.

Uber said that it fired fewer than 10 employees who abused the feature.  Of course, if you don’t look, you won’t find any problems, so that number is meaningless.  They claim to have hundreds of security and privacy experts working around the clock.

According to security experts, Uber’s policy is based on the honor system, which employees can abuse at any time.

While Uber has instituted some controls, Spangenberg says that if you know what you are doing you can get around them forever.

Personally, taxis work pretty well for me most of the time.  If you do use Uber, you should probably kill the app or reboot your phone after you get out of the car.

Information for this post came from Fox News.

What You Say Can Be Used Against You

The 5th Amendment to the U.S. Constitution guarantees that you cannot be forced to testify against yourself.

All that is about to change and I don’t mean that the Constitution is going to change.

Like the Apple-FBI fight earlier this year, Amazon is in a fight with the law and I don’t think it is going to come down the same way.

In Apple’s case, the Feds invoked a 200+ year old law to try and get Apple to develop new software to hack one of their phones.

In this case, police in Arkansas want Amazon to turn over the data from a defendant’s Amazon Echo that Amazon already has in its possession.  Amazon, so far, has refused to turn over the data.  Since the Echo doesn’t have a right against self incrimination or the incrimination of its owner, I am not clear what Amazon’s plans are.

They have already turned over purchase records and other account information – just not the data from the defendant’s Echo.

Amazon says that it will only turn over the data upon presentation of a proper warrant – one that is valid and legally binding, not overly broad or otherwise inappropriate – whatever that means – they are not explaining, but I am sure they will explain, eventually, to the court.

The case in question is a murder case.  A friend of the defendant’s was found floating in the defendant’s hot tub, somewhat worse for the wear – i.e. dead.

The police want to hear what he told his Echo and what his Echo told him.

The police already know, they say, how much hot water he used – due to a smart water meter.

I think, eventually, Amazon will turn over the data, whether the defendant asked his Echo “Hey Amazon, how do I kill my friend” or “Hey Echo, can I get bleach from Amazon today?”

But what is going to be true in the future is that there is an amazing amount of data about you that can be used against you.

Whether it is GPS data from your phone, location and other data from your car or information from your water meter, there is an amazing amount of data about you.

Your smart TV is listening. Maybe so is your baby monitor.

Consider that many people have Echos in their bedrooms.  Then consider what might be said in your bedroom.  Do you want to reconsider whether that Echo in your bedroom is a good idea?

Some people have webcams inside their house.  More amazingly, some people have webcams in their bedrooms (there was a recent story about a webcam in a Houston family’s kid’s bedroom that went viral on the Internet, no doubt with some inappropriate footage).

The framers of the Constitution never considered that there would be an Internet of Things and the implications thereof.

This case is a murder case and I am sure that Amazon is grandstanding to make sure that its customers understand that it takes privacy seriously, but I predict they will turn over the data.

You may recall a couple of months ago the Director of National Intelligence said that he didn’t care much about encrypted phones because there was so much other data available for them to hack.

Guess what he was talking about?  Yup, that is it.

And while the NSA has some of the best and the brightest in terms of hacking into devices, if recent news accounts of various IoT breaches are any indication, hacking many of these devices is like taking candy from a baby.

So while we do not know how the Amazon story will wind up, it is different than the Apple story because Amazon CAN turn over the data.

Here is an interesting question.  What if Amazon does not want to turn over the data because they are collecting more data than we think they are?  I know that borders on conspiracy theory, but ….

And, of course, subpoenaing your water heater is not limited to murder cases.  It certainly could apply to civil lawsuits as well.

Consider this.  Could your Amazon Echo testify against you in a divorce case?  Or your webcams?  Or any other appliance in your house.  Or even your car.  There is a lot of data in them there devices.

And, for those of you with legal expertise, ponder this.  In both criminal and civil cases, parties may have a “duty to preserve”, meaning that you are not allowed to destroy (read: delete) any evidence that may be relevant to the case.

How, exactly, do you preserve the data in your water heater?

Do you even know what data might exist in smart devices?

What if the data is stored in the cloud?  By a third party.  Do you even have the ABILITY to preserve it?  Who pays to preserve it?

There is NO legal precedent in this area of law.

Could you be held in contempt or lose a case because you didn’t preserve the data in your smart TV?  Seems far fetched, but I promise you, at some point, it WILL come up.

Just food for thought.

Information for this post came from International Business Times.

Law Firms Under Cyber Attack – Revisited

Some of you may be aware that earlier this year the FBI outed two major New York based law firms – Cravath, Swaine & Moore (500 attorneys) and Weil, Gotshal & Manges (1,000 attorneys) – as being hacked.  But they did not give a lot of details.  Now some of the details are coming out, but you have to connect the dots yourself.

The New York Law Journal reported today that three Chinese nationals have been charged with hacking into two unnamed law firms.

The three hacked into the law firms’ systems and stole information about pending deals.  They used that information to trade stocks in these pending deals and made about $4 million in profits.

According to the charges, one law firm, called Law Firm 1, advised Intel on their acquisition of Altera and the other law firm, called Law Firm 2, represented a company (unnamed) that was in deal talks with InterMune, which sold to Roche.

Roche’s press release on the InterMune acquisition said that Cravath was acting as legal counsel to InterMune.  The Law Journal article said that Weil represented Intel in their acquisition.

The Law Journal article concludes that Law Firm 1 and Law Firm 2 are Cravath and Weil.

U.S. Attorney Preet Bharara of the Southern District of New York said that the hackers attempted to hack at least 5 other law firms on over 100,000 occasions during 2015.

Once they got in, they watched email traffic as the deals came to an announcement so that they would know when to buy the company stock.

As I have said before, the theft of intellectual property is the prime target for many hackers for a couple of reasons.  First, unlike credit cards, the odds of getting caught the very first time you use stolen IP are almost zero.  It is not clear how many trades the $4 million in profits represented, but I am guessing several.

Secondly, if you are not greedy, the odds of ever getting caught are low.  If, instead of trying to make $4 million on these two deals, they had tried to make, say, $250,000, it likely would have flown under the radar.

Third, your ability to make a profit is often not dependent on the victims doing something or not doing something.  It depends on your own ability to time the trading, in this case of the stocks, and you can make a lot of money – or not.

Of course Bharara gets to stand up and claim that the problem is solved once he decides to charge someone.

Reality is a little different.

One defendant has been arrested in Hong Kong and is awaiting extradition.  Whether the Chinese will ever extradite him is unclear.  The second defendant is from Macau and the third from China.  Those two are at large.  I think it is unlikely that the Chinese will extradite these guys, but who knows.

So, of the millions of attacks a year, the U.S. Attorney caught one of them and does not have any of the defendants in custody.

THAT is why the legal system is more than a little bit challenged in dealing with cyber crimes.  For a crime that happened in 2014 and 2015, it is now almost 2017 and one person has been arrested, no one has been extradited, two people are at large, no one has been brought to trial and no one has been convicted.

It is a REALLY challenging problem.

From a law firm’s standpoint, their reputation is again being dragged through the mud and if any of these defendants ever come to trial, their reputation – and possibly their technical competence – will get dragged through the mud again.  And, the law firms really have very little ability to cut a deal and make this go away.  The defendants might plead to avoid a trial, but they might not.  If there is a trial, more dirty laundry will come out.

While I am sure (I hope) that Weil and Cravath have improved their cyber security practices, other firms probably have not.

This is why we tell clients that they need to ask their law firms some very pointed cyber security questions – preferably before engaging them – and they should not take arm waving as a replacement for clear answers.  Contact us if you need advice in this area.

Information for this post came from the New York Law Journal and Roche’s web site.

House Committee Recommends New Rules on Stingray Usage

The cell site simulator device known as a Stingray was originally designed for use by the military in order to create a small, local cell site bubble around our troops, but has been modified by its creator to be able to intercept cell communications in the United States.

While law enforcement – and Harris Corporation, which manufactures them – have attempted to keep the usage of Stingrays under the radar, that attempt seems to have failed.

Both Harris and the Department of Justice required local police departments to drop charges in any case where the police might be required to explain their use of Stingrays.

Some people have claimed that law enforcement agencies have bent the truth in their request for warrants to use Stingrays.

Until recently, federal agencies said that they did not need a warrant to use Stingrays, but the DoJ, DHS and IRS recently created rules that say that a warrant is required – at the “suggestion” of the House Oversight Committee.

Now the House Oversight and Government Reform Committee has spent a year looking at the issue and has released a report that says that the government needs to establish a clear nationwide framework to ensure that Americans are adequately protected.

The report says that many times state law enforcement agencies don’t even need probable cause to justify the use of a Stingray.

Since many local law enforcement agencies use federal government funds to buy Stingrays, the feds can make rules for their use and, of course, Congress can pass whatever laws it wants to.

The House Committee is also recommending that the non disclosure agreements in place that have, at least in some cases, obscured the truth to courts and judges be replaced by agreements that require clarity and candor to the court.

Of course, no matter what laws Congress passes, there is nothing to stop a renegade person from using Stingray-like devices in an inappropriate manner, but that seems like a less likely situation.

The issue with Stingrays is that they indiscriminately vacuum up all cell calls in the range of the Stingray.  The interception and possible blocking of cell calls for everyone in the vicinity of a Stingray is the issue here.  That vicinity could be a mile or two radius and represent hundreds of calls at once.  In theory, a Stingray will drop the call quickly if it doesn’t meet the appropriate warrant parameters, but it doesn’t always do that.

Stay tuned for what Congress decides to do next year, if anything.

Information for this post came from MSN.com.
Black Market Medical Record Prices Plunge; Hackers Move On

Until recently, the black market price of medical records was very high compared to stolen credit card records.  Stolen medical records are used to get health care for people who do not have insurance and to submit fraudulent insurance claims.

Medical records used to go for as much as $50 for one complete record.

However, due to over-supply of stolen records, the price has plummeted.

Earlier this summer, hackers were offering medical records for about $12.  Now that price has gone as low as $1.50.

While stolen medical records can generate as much as $20,000 in profits, there is a problem.  In 2015, about 120 million medical records were stolen, causing a glut in the market.  Basic economics.  Supply and demand.  There just aren’t enough crooks to buy all these records.  And the insurance companies are getting better at detecting fraud!

So what is a self-respecting hacker to do?  After all, you can’t pay for that Mercedes at $1.50 a record.

Move to ransomware, that’s what!

The great thing about ransomware is the instant gratification.  Unlike making false health insurance claims and hoping the insurance company doesn’t catch the fake claim, you send out a million malware-laced emails and a thousand people get infected (that is one tenth of one percent).  You tell them that if they don’t pay up in three days you are going to destroy the key.  If a quarter of those people pay the ransom to get their data back (studies say the number is more like 75% pay), and you charge 1 bitcoin for the encryption key, then 1,000 x 25% x 1 bitcoin, based on today’s prices, means the hacker would earn over a quarter million dollars.  Not a bad living.  And the hacker isn’t paying taxes, so his take-home is pretty good.

If it is 1.5 bitcoins instead and 50% pay, that number goes to around 700,000 bucks.  I could pay for my Mercedes with that.

And, unlike with healthcare fraud where there is a paper trail to use to get caught, there is no paper trail here, so the likelihood of getting caught is pretty low.

So, expect ransomware attacks to go up significantly in 2017 and be prepared so you don’t have to shell out Bitcoins.

On the bright side, healthcare fraud is going down.

Information for this post came from IT World.