
Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on. Privacy. That’s iPhone”.

Since Apple’s business model is based on selling phones and apps, it does not need to sell your data. I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched. One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of the industry, which makes money by selling your data. Source: The Hill.


Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn, and my email address and information were located by a low-level person at the CIA. See the first screenshot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in southwest Africa.

Next comes the scam – see the second screenshot below.

First, she knows that I am wealthy (I wish!). This nice person is warning me that arrests will commence on April 8th and that if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale. This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic. This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts. HOW MANY compromised accounts are out there? Source: The Hacker News.


Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video chat with each other while travelling – likely at some exorbitant cost. If you allow people to use their phones, they can FaceTime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether Big Brother is watching you while you sit there, maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant. For now, at least. Source: CNN.


Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a hard time getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most members of Congress are clueless when it comes to cyber, and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some members of Congress understand the risk that IoT represents, and after watering down the current IoT bill under consideration, it may actually get passed. So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples. The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement them. That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us. Source: Dark Reading.

How Would You Respond to a Ransom Demand?

Since we have been talking a lot about ransomware lately, here is a slightly different twist on it. A few weeks ago, hackers stole the whole upcoming season of Orange is the New Black and leaked 10 episodes on the Internet after the studio refused to pay their ransom. Likely this had a significant effect on advertising rates for the hit series and may affect the show’s viewership, as the most rabid fans probably viewed the pirated versions.

But now, Disney has admitted that real-life (cyber) pirates have stolen a copy of the new Pirates of the Caribbean movie that is due out next week and are demanding what Disney says is a huge ransom. They say that if they do not get the ransom, which Disney says it is not going to pay, they will release 20-minute segments until they do get paid. So far, they have not released anything. While this MAY not have much of an effect on the theatre revenue, since that comes with popcorn and a big-screen experience, it could impact DVD and PPV revenue, neither of which comes with popcorn.

In both of these cases, Pirates and OITNB, the content (and the number of movies and TV series stolen now comes to almost 40) was likely stolen from suppliers, not from the studios themselves.

This raises two questions.

First, how good is your third-party vendor risk management program? Do you know whether your vendors’ information security programs are up to dealing with a cyber attack?

And, second, what would you do if a hacker stole your intellectual property, possibly deleting or, worse yet, corrupting what was left behind? (Note that if the hackers know that you keep, say, 10 days of backups and wait until day 11 to tell you that they corrupted your data, you would not have a clean backup to restore from and likely would not know what they corrupted.) What if the hackers stole, say, NFL players’ Social Security numbers, credit cards and legal records, as happened after a breach at PIP Printing that went on for four months earlier this year? Or if hackers stole confidential client information from a law firm? Or all of the mortgage applications from a mortgage company?
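As an added example (not from the post), the following Python models the backup point made above: how a retention schedule interacts with an attacker who corrupts data and delays disclosure, plus a simple churn check a backup job could run to catch broad silent corruption early. The flat and grandfather-father-son schedules, the dwell times and the 20% churn threshold are constructed values.

```python
"""Backup retention versus attacker dwell time (constructed model).

Retention schedules are modelled as the set of snapshot ages, in days,
still on hand today. The post's scenario: keep 10 days of backups, and
an attacker who corrupted data 10 days ago discloses it on day 11.
"""

def flat_retention(days):
    """One snapshot per day for the last `days` days: ages 0 .. days-1."""
    return set(range(days))

def gfs_retention(daily=7, weekly=4, monthly=12):
    """Grandfather-father-son: recent dailies plus older weekly and monthly copies."""
    ages = set(range(daily))
    ages |= {7 * w for w in range(1, weekly + 1)}
    ages |= {30 * m for m in range(1, monthly + 1)}
    return ages

def clean_restore_points(retained_ages, dwell_days):
    """Ages of retained snapshots that predate the corruption.

    dwell_days is how many days ago the data was corrupted. A snapshot is
    clean only if it is strictly older than that; a same-day snapshot is
    treated as tainted because it may have run after the corruption.
    """
    return sorted(age for age in retained_ages if age > dwell_days)

def best_restore(retained_ages, dwell_days):
    """Youngest clean snapshot age (also the days of work lost), or None."""
    clean = clean_restore_points(retained_ages, dwell_days)
    return clean[0] if clean else None

def churn_alert(prev_manifest, cur_manifest, threshold=0.2):
    """Flag a backup run in which an abnormal share of files changed content.

    Manifests map path -> content hash, as a backup job can record them.
    Broad silent corruption shows up as churn far above the normal rate, so
    checking it at backup time shortens the window before disclosure.
    """
    common = prev_manifest.keys() & cur_manifest.keys()
    if not common:
        return False
    changed = sum(1 for p in common if prev_manifest[p] != cur_manifest[p])
    return changed / len(common) >= threshold
```

With a flat 10-day window and a 10-day dwell there is no clean restore point at all; the GFS schedule still has a 14-day-old copy, at the price of two weeks of lost work.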

Some hackers are figuring out that they can extract more money by stealing intellectual property than by stealing credit cards.

If you don’t pay the ransom and they do release the information, the legal fees, fines, lost customers, reputational damage and other costs could be very significant.

One question to ask is whether you have extortion insurance coverage for intellectual property extortion, but the bigger question is whether you are ready to deal with this situation. It could cost you lawsuits and lost clients, so it is a serious situation – one that should be planned for in advance.

Don’t hope that the bad guys are going to pass you over. For the most part, it is a crime of opportunity caused by an employee opening the wrong email or clicking on the wrong link. The hackers don’t, for the most part, care whose intellectual property they steal.

Now is the time to plan for the worst and hope for the best.


Information for this post came from NBC and Forbes.