WIRED on the devastating jackpotting ATM hack phenomenon finally starting to spread throughout the United States:

ATM hackers in Taiwan raked in more than $2 million using a new type of malware attack that manipulated machines into spitting out tons of cash. The method, dubbed “jackpotting,” quickly spread across parts of Asia, Europe, and Central America, resulting in tens of millions of dollars of stolen cash. By November 2016, the FBI issued a warning that “well-resourced and organized malicious cyber actors have intentions to target the US financial sector” using this approach. But it took a year for the attack to arrive stateside.

This week, the Secret Service began warning financial institutions about a rash of jackpotting attacks across the US, and the threat that more could be coming. In a jackpotting attack, hackers—often dressed as technicians to deflect suspicion—penetrate an ATM’s physical and digital security, install malware, establish remote access, and set it up to display an out-of-order screen. With those hardware and software modifications in place, another attacker can approach the compromised ATM and stand with a bag while co-conspirators remotely instruct it to dispense cash. In past incidents, law enforcement observed a cashflow rate of 40 bills every 23 seconds.

Diebold Nixdorf has to be one of the worst companies on the planet. This is the same company from years ago that had a host of issues with their voting machines and failed to take the appropriate action to fix their vulnerabilities.

The NL Times reports on some extraordinarily shocking cyber security news:

Two Dutch intelligence services uncovered substantial evidence detailing how a Russian-backed hacking group infiltrated the Barack Obama White House, the U.S. Department of State, and the Democratic National Committee, according to a groundbreaking report from broadcaster NOS and newspaper Volkskrant. The evidence was uncovered by a Dutch cyber defense team that gained access to the “Cozy Bear” hacker group’s systems, including a hallway security camera that allowed the Dutch team to maintain visual surveillance of the hackers.

Information collected by the Dutch Joint Sigint Cyber Unit (JSCU) was turned over to the NSA, CIA, and FBI, and helped form the basis for the U.S. special counsel investigation examining claims of Russian meddling during the 2016 presidential election campaign battle between current U.S. President Donald Trump and former Secretary of State Hillary Clinton. The JSCU, comprised of members from the AIVD and MIVD intelligence agencies, kept watch over Cozy Bear from anywhere between 12 to 30 months.

It started in the summer of 2014 “most likely before” the crash of Malaysia Airlines flight MH17, the Volkskrant reported. The flight, which originated in Amsterdam, was shot out of the sky over the Ukraine. The incident was suspected to be the act of Russian-backed separatists or Russian military.

The Dutch owned the owners – they had not only been able to acquire access to Russian-backed Cozy Bear networks, but even physical security cameras in the building where the team performed their operations. This is tremendous news, and a highly interesting revelation that likely nobody expected.

Business Insider reports on a jailed hacker claiming to have breached the DNC as part of a Russian-led intelligence operation:

A Russian hacker believed to be a member of a hacking collective called Lurk said in court over the summer that he was ordered by Russia’s security services, known as the FSB, to hack the Democratic National Committee.

The hacker, Konstantin Kozlovsky, told a Moscow court in August of this year that his nine-member hacking group – which has been accused of stealing over $17 million from Russia’s largest financial institutions since 2013 – has been cooperating with the FSB for several years, according to the independent Russian news outlet The Bell. Part of that cooperation included hacking the DNC, he said.

Kozlovsky said during a hearing on August 15 that he “performed various tasks under the supervision of FSB officers,” including a DNC hack and cyberattacks on “very serious military enterprises of the United States and other organizations.”

Doubtful this is legit, but even if it is not, I think it is safe to say the Russians are responsible for the DNC breach and other recent similar attacks.

Russian criminals are leveraging cyber to steal money from banks from Moscow to Utah:

A previously unknown ring of Russian-language hackers has stolen as much as $10 million from U.S. and Russian banks in the last 18 months, according to a Moscow-based cyber-security firm that runs the largest computer forensics laboratory in eastern Europe.

The hackers, who also breached a U.K. software and service provider, are now probing institutions in Latin America and may be trying to compromise the Swift international bank messaging service, according to the security firm, whose clients range from Russia’s biggest lender Sberbank PJSC to Raiffeisen Bank International AG. “Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone.

Since its first successful breach in May 2016, MoneyTaker has stolen from banks in New York, California, Utah and Moscow, primarily targeting smaller institutions with limited cyber defenses, Group-IB found.

The average haul from U.S. banks was about $500,000, and it stole over $3 million from three Russian lenders.

Group-IB said the U.S. banks were targeted by gaining access to their card-processing system and then opening accounts at the compromised institutions.

Russia is all over the internet, using it for everything from stealing money, to geopolitical operations, to stealing intellectual property, and more. Do not expect the Russians to cease anytime soon considering how lucrative and inexpensive it is to use cyber for these attacks.

I am always intrigued by stories about the esoteric NSA and its cyber expertise. On the one hand, NSA appears to be extremely talented. On the other, there appear to be a lot of internal shortcomings when it comes to preventing insider attacks. Certainly it is important to trust employees who hold TS/SCI clearances. However, there is a point when too much trust becomes an unacceptable risk. NSA seems to have not yet been able to find the right balance.

It is with great interest that the Shadow Brokers breach continues to confuse the NSA and has it reeling to determine the exact cause:

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both.

There is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013. Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach.

“Is NSA chasing shadowses?” the Shadow Brokers asked in a post on Oct. 16, mocking the agency’s inability to understand the leaks and announcing a price cut for subscriptions to its “Monthly dump service” of stolen N.S.A. tools.

There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.

N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.

The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found.

Watching how Russia has been leveraging cyber security for its geopolitical ambitions has been educational, but the successful attacks on the NSA are the most intriguing. It will be interesting to see how things play out over the coming months and years, and if there will ever be a story confirming exactly how the Shadow Brokers were able to compromise such a huge treasure trove of the most dangerous cyber weapons on the planet.

CNET on what potential security incidents to expect in the next year:

If you’ll permit me to be Debbie Downer for a moment, our security situation is likely to get worse, not better in 2018.

In the WannaCry attack, hackers used NSA hacking tools that leaked into the criminal underworld, repurposing them to launch ransomware at regular computer users.

That’s because hackers are coming up with ransomware attacks that are harder for consumer security products to detect.

The passwords you and I use daily are a terrible security tool that we only rely on because nothing better has come along.

Password manager LastPass patched a big security flaw, and OneLogin got hacked.

Security software will continue to be a target for hackers, who would love to trick you into downloading a malicious tool with high-level access to your computer or phone.

One recommendation: use a password manager, and use 1Password. I have been using them for the better part of seven years, and the product is both the safest and the best on the market.

This detailed article explaining how the Shadow Brokers acquired some of the most coveted and sophisticated cyber attack weapons ever developed is quite interesting:

The Justice Department Friday announced that Nghia Hoang Pho, a 67-year-old from Ellicott City, Maryland, has admitted to willful retention of national defense information.

Pho illegally mishandled classified information in spite of being an agent in the NSA’s elite Tailored Access Operations foreign hacking group from 2006 to 2016.

Though it’s somewhat astonishing that someone with his position and training would cause such a basic breach, Pho brought classified data and paper documents to his home between 2010 and 2015.

“In connection with his employment, Pho held various security clearances and had access to national defense and classified information. Pho also worked on highly classified, specialized projects,” the DoJ said in a statement on Friday.

Pho stands out among recent NSA leak culprits in that he specifically worked as a developer for TAO, which would have brought him into contact with a diverse array of sensitive NSA data, systems, and materials.

The case documents don’t give much indication of what types of data and materials Pho took and left on his personal computer.

The frantic investigation into valuable NSA tools stolen by Russian spies indicates that Pho may have exposed more than just resume materials.

This story is about the NSA employee who had installed Kaspersky anti-virus on their home computer, which was then allegedly compromised by Russian operatives.

In a number of presentations I have given about the NSA TAO tools stolen by the Shadow Brokers, I hypothesized the agency was hesitant to publicly comment on the Kaspersky link because of the embarrassment it would cause the NSA. Why one of the NSA’s top TAO operatives thought it was safe to use Kaspersky anti-virus, a product created by a Russian company, is extremely curious. It really makes me wonder what he knows that the rest of us do not.

Disclaimer: I work for McAfee, a Kaspersky competitor.

There were a lot of security incidents in 2017 leading towards more awareness of the dangers and risk. But now that this knowledge is being presented in mainstream media, what comes next?

The National Cyber Security Alliance, where Kaiser serves as executive director, helped create the awareness campaign in 2004, but nothing has been more effective than the hacks of 2017 at making security a household word.

“It was my job to be responsible for things like raising awareness of cybersecurity risk,” said Reitinger, CEO of the Global Cyber Alliance and a former cybersecurity director at the Department of Homeland Security.

Yahoo gave the public 3 billion reasons to worry about security.

“Pretty much everybody was affected. That’s what brought security into the mainstream lexicon.”

Remember, Equifax was completely aware of its security flaws, but it didn’t fix them.

There are just so many moving parts to the security equation, it is an exceedingly difficult problem to solve. I do not know we will ever reach security enlightenment; there will always be security issues to tackle. What we can do is collectively lower the risk by being more cognizant of the dangers involved in using online tools.

Senator Bill Nelson, ranking Democrat on the Commerce Committee, has revived the Data Security and Breach Notification Act, a bill calling for jail time for corporate executives who conceal data breaches:

If it becomes law, then it would overrule the many statewide laws regulating breach notifications by establishing a nationwide standard.

There’s a requirement for companies to notify customers within 30 days, along with the potential criminal penalties.

It also directs the FTC to develop standards businesses must follow if they collect customer information, like naming a person in charge of information security, establishing a process to identify vulnerabilities, have a process for the disposal of information, and other items in that vein.

In a statement, Nelson said “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”

In 2015 Nelson’s bill was one of several introduced to deal with the issue of protecting customers from these leaks and it’s likely that it will again have company.

It is doubtful the bill goes anywhere, and this is likely all just for show for Nelson’s constituents. The bill is a pipe dream and will almost certainly never become law.

Malicious actors – whether of the criminal, hacktivist, or nation state variety – will use any avenue possible to attack their intended targets. Some evil folks have turned to leveraging MailChimp as a means of spreading malware:

The “View Invoice” button leads to a .zip file, which, according to scans on malware analysis site Virus Total, is malicious.

Companies and websites sometimes outsource their newsletter distribution to another company, to handle the infrastructure and headaches of firing out tens or hundreds of thousands of emails at a time. In this case, that was MailChimp, according to another apparent email from Business News Australia.

“This morning our MailChimp subscriber database was hacked and a fake invoice (Inoice 00317) [sic] was sent to our list,” the email reads, according to a screenshot tweeted by Hunt.

Why is a Hewlett Packard Enterprise Services contractor carrying a laptop with sensitive information on 130,000+ current and former U.S. Navy sailors? Just another in a series of embarrassing NMCI blunders for HPE:

Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy said on Wednesday.

It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.

There is no valid reason for an HPE Services employee to be running around with this type of data stored locally on a laptop. Why does a contractor even have access to PII data of this nature?

It should come as no surprise to see yet another web site with terrible security get hacked and a massive amount of user account data leaked online:

Adult dating service company Friend Finder Network has reportedly been hacked, with over 412 million accounts, e-mail addresses and passwords from their websites made available on criminal marketplaces. Notably, the database does not include more detailed personal information, but could still be used to confirm whether a person was a user of the service.

Breach notification site LeakedSource first reported the attack, indicating that over 300 million AdultFriendFinder accounts were affected, as well as over 60 million accounts from Cams.com. Other company holdings, such as Penthouse, Stripshow, and iCams were also breached, for a total of 412,214,295 affected users.

The hack also revealed that the company had kept information on 15 million accounts that users had deleted, as well as information on users for assets it no longer owned, such as Penthouse. By comparison, the Ashley Madison hack that took place in July 2015 revealed 32 million accounts, although that attack was also accompanied by a more aggressive extortion campaign.

Staggering number of exposed accounts. Web properties like Adult Friend Finder need to take security seriously before these embarrassing breaches.

The financial industry has shown time and time again they cannot be trusted, and hiding cyber attacks seems to be par for the course. This time the Federal Deposit Insurance Corporation was hacked by China and covered up by the CIO:

The FDIC failed at the time of the “advanced persistent threat” attacks to report the incidents. Then-Inspector General at FDIC, Jon Rymer, lambasted FDIC officials for failing to follow their own policies on breach reporting. Further investigation into those breaches led the committee to conclude that former FDIC CIO Russ Pittman misled auditors about the extent of those breaches, and told employees not to talk about the breaches by a foreign government so as not to ruin FDIC Chairman Martin Gruenberg’s chances of confirmation.

The cascade of bad news began with an FDIC Office of the Inspector General (OIG) investigation into the October “Florida incident.” On October 23, 2015, a member of the Federal Deposit Insurance Corporation’s Information Security and Privacy Staff (ISPS) discovered evidence in the FDIC’s data loss prevention system of a significant breach of sensitive data—over 1,200 documents, including Social Security numbers from bank data for over 44,000 individuals and 30,715 banks, were copied to a USB drive by a former employee of FDIC’s Risk Management Supervision field office in Gainesville, Florida. The employee had copied the files prior to leaving his position at FDIC. Despite intercepting the employee, the actual data was not recovered from him until March 25, 2016. The former employee provided a sworn statement that he had not disseminated the information, and the matter was dropped.

Sure, successful breaches are embarrassing, but it is always better to get out ahead of these incidents rather than allowing them to drive the story themselves.

Security experts are dissecting the speech from yesterday by FBI Director James Comey, and pretty much everyone agrees Hillary Clinton’s personal email server was likely hacked. That is, everyone but Clinton herself:

Mr. Comey described, in fairly blistering terms, a set of email practices that left Mrs. Clinton’s systems wide open to Russian and Chinese hackers, and an array of others. She had no full-time cybersecurity professional monitoring her system. She took her BlackBerry everywhere she went, “sending and receiving work-related emails in the territory of sophisticated adversaries.” Her use of “a personal email domain was both known by a large number of people and readily apparent.”

In the end, the risks created by Mrs. Clinton’s insistence on keeping her communications on a private server may prove to be a larger issue than the relatively small amount of classified data investigators said they found on her system. But the central mystery — who got into the system, if anyone — may never be resolved.

“Reading between the lines and following Comey’s logic, it does sound as if the F.B.I. believes a compromise of Clinton’s email is more likely than not,” said Adam Segal, the author of “Hacked World Order,” who studies cyberissues at the Council on Foreign Relations. “Sophisticated attackers would have known of the existence of the account, would have targeted it and would not have been seen.”

It does not take a rocket scientist to come to the same conclusion. Especially in recent years, it is a given. The US DoD even went so far as to develop a cyber security strategy around the idea that the agency must operate under the assumption of compromise.

I found the following passage the most interesting part of the article:

Mrs. Clinton’s best defense, and one she cannot utter in public, is that whatever the risks of keeping her own email server, that server was certainly no more vulnerable than the State Department’s. Had she held an unclassified account in the State Department’s official system, as the rules required, she certainly would have been hacked.

Russian intruders were thoroughly inside that system for years — since at least 2007 — before the State Department shut its system down several times to perform a digital exorcism in late 2014, nearly two years after Mrs. Clinton left office.

Either out of embarrassment or to protect its sources of intelligence, the Obama administration has never publicly blamed Russia for stealing data from the unclassified systems at the State Department and the White House, just as it has never publicly identified China as the culprit in the theft of security-clearance information on nearly 22 million Americans stored by the Office of Personnel Management.

Mrs. Clinton’s campaign has insisted that the server did have some cyber protection software, but they have not said what kind.

I find it interesting The New York Times purports the State Department unclassified email was breached by Russian attackers between 2007 and 2014. While I know about some of the compromises, this makes it appear as if DoS is utterly incompetent.

Lastly, sure Clinton’s personal email server had cyber protection. Likely it was some anti-virus software and probably not much else, if anything at all. There most certainly was no standard suite of email security software, such as an email gateway, firewall, sandboxing for file attachments, and other similar technology.

Clinton did not care. All she wanted was email on her Blackberry, at all costs.

The question is this: will it cost her the Presidency?

This is quite humorous:

Isis[sic] sites have been moving onto the dark web in an attempt not to be discovered. But a hacking group called Ghost Sec, which is related to Anonymous, took the site down and replaced it with a message telling readers that there was “Too Much ISIS”.

“Enhance your calm,” the full message read. “Too many people are into this ISIS-stuff. Please gaze upon this lovely ad so we can upgrade our infrastructure to give you ISIS content you all so desperately crave.”

The ad — which linked to an online pharmacy where payments can be made in bitcoin, and which appears to be hosted by the hacking group — would allow people to click through to buy online prescription drugs, including Prozac and Viagra.

Not that I condone this type of behavior, nor that I believe this will have any lasting effects on ISIS, but it is funny nonetheless.