Login
If the past couple of months have taught us anything, itβs that partnerships matter in times of crisis. Weβre better, stronger and more resilient when we work together. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia and law enforcement to offer its expertise.
We are again delighted to be working with long-time partner INTERPOL over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from a deluge of COVID-19 threats.
The new normal
All over the world, organizations have been forced to rapidly adjust to the new normal: social distancing, government lockdowns and mass remote working. While most have responded superbly to the challenge, thereβs no denying that IT security teams and remote access infrastructure are being stretched to the limit. There are understandable concerns that home workers may be more distracted, and therefore likely to click on phishing links, and that their PCs and devices may not be as well protected as corporate equivalents.
At the same time, the bad guys have also reacted quickly to take advantage of the pandemic. Phishing campaigns using COVID as a lure have surged, spoofing health authorities, government departments and corporate senders. BEC attacks try to leverage the fact that home workers may not have colleagues around to check wire transfer requests. And remote infrastructure like RDP endpoints and VPNs are being targeted by ransomware attackers β even healthcare organizations that are simultaneously trying to treat critical patients infected with the virus.
Getting the basics right
Thatβs why Trend Micro has been pushing out regular updates β not only on the latest scams and threats weβre picking up around the globe, but also with advice on how to secure the newly distributed workforce. Things like improved password security, 2FA for work accounts, automatic software updates, regular back-ups, remote user training, and restricted use of VPNs can all help. Weβre also offering six months free use of our flagship Trend Micro Maximum Security product to home workers.
Yet thereβs always more to do. Getting the message across as far and wide as possible is where organizations like INTERPOL come in. Thatβs why weβre delighted to be teaming up with the global policing organization to run a new public awareness campaign throughout May. It builds on highly successful previous recent campaigns weβve collaborated on, to tackle BEC and crypto-jacking.
This time, weβll be resharing some key resources on social media to alert users to the range of threats out there, and what businesses and home workers can do to stay safe. And weβll help to develop infographics and other new messages on how to combat ransomware, online scams, phishing and other threats.
Weβre all doing what we can during these difficult days. But if some good can come from a truly terrible event like this, then itβs that we show our strength in the face of adversity. And by following best practices, we can make life much tougher for the cybercriminals looking to profitΒ from tragedy.
The post Teaming up with INTERPOL to combat COVID-19 threats appeared first on .
ns-1200-logo-podcast-with-mic-and-rodent-emoji
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.
Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administrationβs intelligence sharing portal.
On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.
KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response.
βDEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,β the agency said in a statement shared via email.
According to this page at the Justice Department website, LEIA βprovides federated search capabilities for both EPIC and external database repositories,β including data classified as βlaw enforcement sensitiveβ and βmission sensitiveβ to the DEA.
A document published by the Obama administration in May 2016 (PDF) says the DEAβs El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.
EPIC and LEIA also have access to the DEAβs National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).
βThe EPIC System Portal (ESP) enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,β the 2016 White House document reads. βLaw Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.β
The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.
Claims about the purloined DEA access were shared with this author by βKT,β the current administrator of the Doxbin β a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.
As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of LAPSUS$, a data extortion group that hacked into some of the worldβs largest tech companies this year β including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.
That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested canβt wait for a warrant because it relates to an urgent matter of life and death.
From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.
Weaver said itβs clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.
βI donβt think these [people] realize what they got, how much money the cartels would pay for access to this,β Weaver said. βEspecially because as a cartel you donβt search for yourself you search for your enemies, so that even if itβs discovered there is no loss to you of putting things ONTO the DEAβs radar.β
The DEAβs EPIC portal login page.
The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a βPersonal Identity Verificationβ or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each userβs appropriate security level.
However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.
Itβs not clear why there are still sensitive government databases being protected by nothing more than a username and password, but Iβm willing to bet big money that this DEA portal is not only offender here. The DEA portal esp.usdoj.gov is listed on Page 87Β of a Justice Department βdata inventory,β which catalogs all of the data repositories that correspond to DOJ agencies.
There are 3,330 results. Granted, only some of those results are login portals, but thatβs just within the Department of Justice.
If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.
Iβll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level β preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.
I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). Itβs not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.
But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations β all because someone stole, found or bought a username and password β itβs time for drastic measures.
Related tags
FreshRSS