Iran (?) Attacks Saudi Central Bank and Other Saudi Agencies

Starting in mid-November, someone, possibly Iran, wiped many computers at a number of Saudi government agencies, including the Saudi Civil Aviation Agency.  A total of 6 agencies were attacked; 4 were compromised; 2 agencies repelled the attack.

The attack was made to look identical to an attack attributed to Iran in 2012 where tens of thousands of computers at the Saudi Aramco oil company were destroyed.

How “destroyed” is also unclear.  In the case of the Aramco attack, the oil company chose to be ultra cautious and replaced the disk drives in those 35,000 computers, causing a spike on the global market for disk drives.  We don’t know what they plan to do regarding this attack or how many computers were affected.

This is kind of similar to the attack on Sony, attributed to North Korea, and the less successful attack 6 months before Sony on Sheldon Adelson’s Sands Hotel chain.

Since the Aramco attack is pretty public, someone wanting to cast a shadow of guilt on Iran (such as the CIA, KGB or Mossad) could have certainly planted the malware to stir up trouble.  We just don’t know.

For the soon-to-be-president Trump, this could get messy.  If he decides that it was Iran and that the U.S. needs to retaliate (big IF), then this escalates things.  It is pretty clear that the Iranians and their allies could certainly attack U.S. infrastructure – whether it is the San Francisco Metro or Gorilla Glue, if all they want to do is cause mischief, there are certainly plenty of soft targets.  If they want to get ugly, they could try for a critical infrastructure attack like the Russians did in Ukraine last year.  That could really get ugly.

The Saudis have not released much information about the attack; likely more will leak out over time, but how much and when is unknown.

Was it the Iranians?  Were they testing Trump?  Who knows, but get some buttered popcorn and stay tuned for the show.

Information for this post came from Bloomberg.

 


Protecting Classified Information

While we focused during the election on possibly classified emails on Hillary Clinton’s mail server, in Europe they have their own version.

Shodan, the IoT search engine, turned up an Internet-connected disk drive that was not password protected.  While Trump says that Clinton should be thrown in jail, in Europe they said it was the result of an “absent minded European Union police officer”.

In this case, Mr. Absent Minded took 700 pages of documents on Europol investigations without permission and stored them on an unprotected Internet connected disk drive.

While the information was old, it was “packed” with personally identifiable information on terrorism suspects and also details on a number of Europol investigations on terror attacks such as the 2004 Madrid train bombing and other terrorism incidents.

The disk drive is a Lenovo Iomega drive.

As is common in the computer hardware and software industry, Lenovo says that security is the responsibility of the owner.  Said differently, don’t sue us, read the license agreement, we are not responsible.

What this seems to indicate is that until computer vendors have at least some skin in the game, they are going to ignore security and vulnerabilities, since, after all, protecting your information is not their problem.  What this does mean is that you have to be responsible for both the vendor and yourself.

Getting back to the Europol police officer, the data taken was for personal use and in violation of policy, but as we all know, easy to do.  99% of the time,  we don’t hear about these incidents as they are swept under the rug – or not even detected.

For all organizations, you can replace classified with proprietary with the same results.  Employees often take data and rarely do organizations find out about it.  If they do find out about it, they often don’t prosecute because they want to avoid the bad PR.

This is not a case of someone making a mistake or of security which is too hard to follow.  Instead, this is a case of someone intentionally taking information which they did not have authority to take.  Unfortunately, this happens all too often and oftentimes is not even detected.

Information for this post came from SC Magazine.

 

The (Not So) High Price of Crime

Ever wonder how much a hacker charges to hack someone’s email for you?  Wonder no more.

Dell Secureworks, now a separate publicly traded company, publishes an annual report on the cost of crime.  They look at both Russian speaking and English speaking underground markets.

So here it is.  Place your orders soon 🙂

  • $129 – cost to hack your GMail or similar account
  • $500 – to hack your corporate email
  • $65 to $103 – to hack popular Russian email accounts
  • $129 – to hack into Ukrainian email accounts
  • $90 – to hack the IP address of your computer
  • $129 – to hack your Facebook or other social media account
  • $194 – to hack into a Russian social media account
  • $173 – fake U.S., U.K., German or Israeli driver’s license
  • $140 to $250 – fake physical social security card
  • $3,000 to $10,000 – fake physical U.S. passport
  • $7 to $15 – fake Visa card
  • $30 – Premium Visa, Amex or Discover card
  • $5 to $10 – remote access trojan software
  • $80 to $440 – encryption malware
  • $20 to $40 – hacking tutorials
  • $350 – for instructions on how to hack a website
  • $40 to $80 – A U.S. bank account with $1,000 to $2,000 in it

The report goes on, but you get the idea.

What surprises me is how cheap this seems to be.  Either they think it is pretty easy or they don’t value their labor very much.  My guess is that it is pretty easy.

The only number that does not surprise me is the cost of a fake U.S. passport.  With the chips and encryption in them now, that is probably hard.

The hackers have definitely turned this into a volume industry and I suspect that they make a lot of money.

Just food for thought.

Information for this post came from Digital Trends.

IRS Going After Bitcoin Users

It is common mythology that Bitcoin users are thieves, hackers and tax cheats.  The IRS doesn’t like tax cheats.

The IRS is asking a court for a “John Doe” summons asking Coinbase, a Bitcoin exchange, to turn over information on any customers that match certain criteria.

The summons applies as long as the government can’t get the information elsewhere and has “a reasonable basis for believing that such person or group or class of persons may fail or may have failed to comply with any provision of the tax laws.”

The group that the IRS is asking for information on is every customer of Coinbase between 2013 and 2015 in the U.S.  Suffice it to say that this is not a small list.

The reasonable basis?  “a public perception that tax evasion is possible with virtual currency.”  The IRS’s proof for this is limited to a Huffington Post article.

Where did this article appear?  A pretty staid publication called American Banker.  Granted, the banking community has a dog in this fight.  The IRS could ask banks for a list of all of their customers between, say, 2013 and 2015 who deposited or withdrew cash, since cash is used to pay for drugs.  That might upset some customers.

American Banker says that this is a fishing expedition and Coinbase complies with regulations and cooperates with law enforcement on a regular basis, so why attack them?

I think, although my evidence is about as strong as that HuffPo article, that there could be a different reason.

It is likely that smart crooks are not going to use a U.S. bitcoin exchange.  After all, it seems likely that some government agency might ask questions.  That means that, at best, the IRS will only catch dumb crooks.

Since there are plenty of offshore exchanges in places like Switzerland, Malta, The Netherlands, China, India, Bulgaria, Belize and other places, why not use an offshore exchange?

Of course, you don’t need to use a Bitcoin exchange at all.  In fact, the smart crooks will do transfers that are less demanding of ID such as LocalBitcoins or Bitcoin ATMs.  These methods allow you to use cash and many do not require IDs, since cash, as long as it is not counterfeit, is a pretty safe trade.

The downside of some of these methods is that the buyer and seller have to meet or, in the case of ATMs, you have to visit the ATM.  For many people, one of these methods is perfectly satisfactory.  After all, we visit ATMs to get cash all the time, so why not get Bitcoin instead?

Given that the feds don’t like cash transactions, I can only imagine how they feel about Bitcoin transactions.  Conspiracy theorists might say that the IRS is trying to spook people who are using Bitcoin.  I don’t know, but I certainly would not rule that out.  However, since Bitcoin is basically fancy arithmetic stored in a (digital) ledger, it will be hard to outlaw.  That doesn’t mean that people won’t try.

As of a few hours ago, the court granted the summons.  This is only the first step in a potentially long battle.  Coinbase said they expected this and will begin fighting it when they are served with the order.

The order is asking:

For any customer between 12/31/13 and 12/31/15 with a U.S. address, phone number, email domain or bank account, the following information.

User profiles, preferences, security settings, history, payment methods and funding sources.

Also, all records of activity including date, amount, type of transaction, name, transfer instructions and correspondence.

Given that Bitcoin seems to maintain a lot of documentation, I would think that only stupid people would use it for tax evasion given there are many other much more secretive ways to deal with this, but who knows.

Stay tuned for the cat and dog fight.

Information for this post came from Forbes.