Cybercrime

The Cost of a Connection
By Megan Gates | Cybersecurity | Published 2019-02-01
https://sm.asisonline.org/Pages/The-Cost-of-a-Connection.aspx

Kevin Patrick Mallory served in the U.S. military, worked as a special agent for the U.S. State Department Diplomatic Security Service, and later as a CIA case officer, often stationed around the world to work with defense contractors and on U.S. Army active duty deployments.

He had a Top Secret security clearance and was fluent in Mandarin. He was also convicted of espionage for passing information to an agent of the People's Republic of China (PRC).

How did Mallory and the agent initially connect? Via LinkedIn, when the operative—called Michael Yang—reached out to Mallory, posing as a representative of a PRC think tank—the Shanghai Academy of Social Sciences—and requested to meet with him.

Mallory ended up traveling to Shanghai with eight classified documents, which he gave to Yang and his supervisor during a meeting. When Mallory returned to the United States, he was detained by U.S. Customs and Border Protection (CBP) for a secondary search and interview.

During the interview, Mallory claimed he had traveled to Shanghai for business and met with an individual he knew through his church to consult on anti-bullying and family safety development. He also checked on a form from CBP that he was not carrying more than $10,000 in U.S. or foreign currency.

Upon a search of his belongings, however, CBP found $16,000 in Mallory's carry-on bags. The FBI later interviewed Mallory, who told agents that he had been contacted on social media by a Chinese recruiter, had phone interviews with that recruiter's client, and traveled to Shanghai on two occasions to meet with the recruiter's boss.

Mallory was ultimately arrested, charged, and convicted of conspiracy to deliver, attempted delivery, delivery of defense information to aid a foreign government, and making material false statements.

"This trial highlights a serious threat to U.S. national security," Nancy McNamara, the FBI's assistant director in charge of the Washington Field Office, said in a statement. "Foreign intelligence agents are targeting former U.S. government security clearance holders in order to recruit them and steal our secrets."

U.S. Director of the National Counterintelligence and Security Center William Evanina went on record in the summer of 2018 to discuss what he—and the U.S. intelligence community—had been seeing on LinkedIn.

In an interview with Reuters, Evanina explained that China was conducting a campaign to target thousands of LinkedIn members at a time to recruit Americans with access to government and commercial secrets.

Evanina declined to say how many of these recruitment accounts U.S. intelligence had discovered or how much success China has had in using them.

While individuals and organizations have been using social media to target users for government secrets or corporate intellectual property, LinkedIn is especially attractive for social engineering, says James Carnall, vice president, customer support group, at LookingGlass Cyber Solutions.

"When you look at what the levers are for social engineering, you're either appealing to authority, emotions, or logic," he explains. "This platform appeals to a lot of that in an emotional way. We want to connect to our boss because we want to feel important. When we talk about community, we want to collect people and be seen as smart and clever."

Nefarious actors can use LinkedIn for a honeypot attack, much as they might use a dating site, appealing to the target's wish to feel appreciated and to connect with someone, in order to obtain information about their business or level of access.

This is a tactic that Don Aviv, CPP, PCI, PSP, president at Interfor International—an investigation and corporate intelligence firm—says he sees others using against his corporate clients.

"When you break it down to its bare bones, utilizing LinkedIn is another attempt at using social media to engineer an attempt at fraud, theft of proprietary information, whatever the company does for a living," Aviv says. "We work for Fortune 500 companies that have been hit by these attacks…and the goal is to figure out who is reaching out and why."

Besides espionage, one of the most prevalent reasons malicious actors target individuals on LinkedIn is to learn more about a company's financial protocols and procedures so they can carry out CEO or CFO spoofing attacks.

For instance, a fraudster might look to connect with various individuals in a company's finance department to learn who is responsible for initiating wire transfers and when that individual might be traveling.

Aviv himself set up a test to teach Interfor employees and clients how this works. He created a fake profile for himself on LinkedIn, connected with other individuals, and shared his travel plans on the account.

Shortly after Aviv left on his fake trip, a fraudster sent an angry email that appeared to come from Aviv to Interfor's finance director. The email contained information about the company's vendors, an invoice requesting payment, and a modified wire transfer code to use for the transaction.

Aviv says he sees roughly six or seven requests per month from companies that received similar emails and are looking to find out who is perpetrating the fraud and how to prevent it.

This type of fraud is also more prevalent in the Asia and Pacific regions, as opposed to the United States and Europe, where Aviv said there is more awareness of CEO and CFO spoofing.

"It has become much more publicized—a lot of the compliance departments are catching on," Aviv says. "In Asia, there's a demographic difference. A lower-level employee will be much more reluctant to not follow that transaction order."

Security Management reached out to LinkedIn to discuss the matter, but the company declined an interview. Instead, spokesperson Anne Trapasso sent over three blog posts by the company on cultivating trust, fake account detection, and reporting spam, inappropriate posts, and abusive content.

"When you're on LinkedIn, you want to know that you're talking to real people, you feel safe, and you're engaging with professionally relevant content," wrote Madhu Gupta, director of product management, trust, and security for LinkedIn, in a post after Evanina's statements. "One of the most important ways we do this is by empowering you to control your LinkedIn experience. From deciding whether to accept a connection request to displaying contact information on your profile, you control your interactions on LinkedIn."

This control includes deciding how to present yourself on LinkedIn—the content of your profile, the posts you make, and who can see this information—and vetting your community of connections, Gupta explained.

"Examples of these features include filters for who you can receive messages from and invitation controls that allow you to accept, deny, or ignore a connection request," she wrote.

Mark Folmer, CPP, vice president, security industry, TrackTik, is a robust social media and LinkedIn user who joined the network roughly 10 years ago.

He does not share a lot of personal information in his profile but does have his phone number and main business email posted. Folmer also regularly receives what he would call "fishy" connection requests from other LinkedIn users.

"It happens all the time—the standard no personalized message, just an invite from x, y, or z, with one connection or no connections in common," Folmer says.

Other signs that a profile might be fake are connection requests from someone based in a country TrackTik does not do business in, an incomplete profile, titles that do not seem to line up with the general business market, or someone whose employment record jumps around.

"If it's too good to be true, someone who sounds like they would be the perfect connection—why are they writing to me from Romania?" Folmer says. "Why are they interested in connecting with me?"

Instead, Folmer says he will likely connect with those who are in the same industry, have connections in common, are ASIS International members, or include a personalized message in their connection request.

"When I reach out to someone—especially someone I haven't met yet—I try to put some context into the invite, such as, 'Hey, these are the people we have in common, certification, or I've seen you write about this and I'd like to meet,'" Folmer explains. "It's my way of saying I'm a real person and I'm not going to sell you something or try to skim something off of you."

These are good rules to follow, and both Carnall and Aviv say employers should discuss best practices for LinkedIn hygiene with employees to help prevent them—and the company—from being targeted by malicious actors.

For example, Carnall suggests creating guidelines that prohibit discussing secret projects on social media or posting about budgetary amounts.

"Looking from a criminal perspective, that provides too much information for people to socially engineer," he says.

And if an employee is posting information online that could make the company vulnerable, Carnall says security and human resources should speak with the employee and use it as a teaching moment.

"HR should incorporate a conversation about social media as part of any onboarding for any new employee," he adds. "It's important for the organization to work with the employee; there's a balance of promoting themselves as an individual to be proud of themselves and advertise to others the work they and the company are doing."

LinkedIn has a process for reporting suspicious activity and fake user accounts, which Carnall says works well if you are able to establish that a malicious user is posing as a real user.

He also recommends that visible people, such as executives, create legitimate accounts on social media services in their own name to claim that name and "because it's much easier to have a site take action" if you are a user.

And approach all connection requests with a certain level of skepticism, Aviv says.

"Look at their profile and ask why they are reaching out to you—and be willing to ask them via the message function," he adds. "When you challenge it, they may go away. And the people who talk to you, you'll be able to figure out if they're up to no good."

More in Cybercrime
- Book Review: Digital investigations (2019-02-01): https://sm.asisonline.org/Pages/Book-Review-Digital-investigations.aspx
- Book Review: One False Click (2019-01-01): https://sm.asisonline.org/Pages/Book-Review-One-False-Click.aspx
- Avoiding Breaches (2018-12-01): https://sm.asisonline.org/Pages/Avoiding-Breaches.aspx
- Book Review: IT Policies (2018-12-01): https://sm.asisonline.org/Pages/Book-Review-IT-Policies.aspx
- Cyberthreats, Innovation, And The Future Of AI (2018-12-01): https://sm.asisonline.org/Pages/Cyberthreats-Innovation-and-the-Future-of-AI.aspx
- Top Five Challenges for Managing Cybersecurity Risk (2018-12-01): https://sm.asisonline.org/Pages/Top-Five-Challenges-for-Managing-Cybersecurity-Risk.aspx
- Release the Robots (2018-11-01): https://sm.asisonline.org/Pages/Release-the-Robots.aspx
- Book Review: Credit Card Fraud (2018-07-01): https://sm.asisonline.org/Pages/Book-Review---Credit-Card-Fraud.aspx
- Artificial Adversaries (2018-06-01): https://sm.asisonline.org/Pages/Artificial-Adversaries.aspx
- Cyber as Statecraft (2018-05-01): https://sm.asisonline.org/Pages/Cyber-as-Statecraft.aspx
- The Problem with Bots (2018-04-01): https://sm.asisonline.org/Pages/The-Problem-with-Bots.aspx
- Global Cyber Awareness (2018-01-01): https://sm.asisonline.org/Pages/Global-Cyber-Awareness.aspx
- Held Hostage (2017-12-01): https://sm.asisonline.org/Pages/Held-Hostage-.aspx
- An Identity Crisis (2017-12-01): https://sm.asisonline.org/Pages/An-Identity-Crisis.aspx
- Cutting-Edge Criminals (2017-12-01): https://sm.asisonline.org/Pages/Cutting-Edge-Criminals.aspx
- Driving the Business (2017-10-01): https://sm.asisonline.org/Pages/Driving-the-Business.aspx
- Klososky Opines on the Future of Technology (2017-09-27): https://sm.asisonline.org/Pages/Klososky-Opines-on-the-Future-of-Technology.aspx
- Hackers Hit Equifax, Compromising 143 Million Americans' Data (2017-09-08): https://sm.asisonline.org/Pages/Hackers-Hit-Equifax,-Compromising-143-Million-Americans’-Data.aspx
- Data Breach Trends (2017-08-01): https://sm.asisonline.org/Pages/Data-Breach-Trends.aspx
- Book Review: Data Hiding (2017-08-01): https://sm.asisonline.org/Pages/Book-Review---Data-Hiding.aspx

You May Also Like...
Book Review: Emergency Planning for Nuclear Power Plants
National Security
https://sm.asisonline.org/Pages/Book-Review---Emergency-Planning-for-Nuclear-Power-Plants-.aspx

Published by Routledge; crcpress.com; 362 pages; $105.

Starting with a sound historical platform, Emergency Planning for Nuclear Power Plants prepares the reader to understand the complex nature and evolution of emergency preparedness requirements for nuclear power plants. The author focuses on the technical basis for nuclear emergency planning and gives the reader a good understanding of issues and risks from a radiological dose perspective. He also leaves room to apply emergency management principles, such as fire and security, that also play a role in response planning.

The book explains how certain directions taken by the U.S. Nuclear Regulatory Commission have helped shape the industry abroad. A key example is a discussion of reactor consequence analysis and the probabilistic risk assessment that is used widely across the industry. The author's focus is on U.S. regulations, although one could argue that differences in regulation across countries today are not significant, which increases the relevance of the book to industry emergency managers around the world.

The discussion centers on emergency planning considerations that address the issues associated with two reactor types—pressurized water reactors and boiling water reactors—that are prevalent in the United States. Some risks attributed to other reactor types are not fully addressed in the book.

By effectively deploying mitigation strategies developed since the Fukushima nuclear accident in 2011, the expected radiological dose from large-scale nuclear accidents can be significantly reduced. The author provides good explanations of all aspects of emergency planning. However, too much detail in some sections might confuse the reader. Still, this book is a must-read for all nuclear industry emergency planning managers.

Reviewer: Dan McArthur has more than 30 years of experience in the nuclear industry and now serves as senior strategist at Bruce Power, where he focuses on regulatory and government affairs pertaining to emergency management policy. He is a member of the Canadian Standards Association, providing technical input and guidance on emergency preparedness requirements for nuclear power plants in Canada.
Space Jam
National Security
https://sm.asisonline.org/Pages/Space-Jam.aspx

Much of the western United States was put on notice earlier this year when the U.S. Air Force announced that it would be blocking GPS signals on its base south of Las Vegas, Nevada. The tactic—which occurred during an annual month-long military training exercise—could cause air traffic disruption and potentially require flight rerouting due to inconsistent GPS, the notice stated. While the Air Force would not confirm that the GPS disruption was a part of its yearly exercises, experts believe that the military is training its pilots to fly in conditions where GPS signals are inaccurate or nonexistent—a scenario that has become increasingly common.

Thirty-one satellites currently orbiting the earth transmit signals to civilian and military terrestrial receivers, essentially using time signals to run location-based devices and activities and to sync networks around the world. The satellites—called the GPS constellation—are owned by the United States and operated by the Air Force. Since 1978, the satellites have provided location, navigation, and timing capabilities to the military, and an unencrypted version became available for public use in the 1980s. Over the years, the signals from the GPS constellation have become critical for a variety of applications, including communications, precise time measurements, and critical infrastructure technologies—in addition to their military uses of navigation, target tracking, and missile guidance.

However, the signal—which is inherently weak—is susceptible to outside interference. Anything from space weather to malfunctioning machinery to malicious actors can cause problems with GPS, including blocking the signal—called jamming—and sending false signals, known as spoofing. Even small interferences can cause big headaches.

[Image: /ASIS SM Callout Images/0518 NS Chart.jpg]

For example, a man who drove a company car purchased a GPS jammer to keep his boss from knowing his whereabouts, but when he passed near Newark airport in New Jersey, the jammer blocked signals from reaching the air traffic controller system. Although the sale and use of jammers is illegal in the United States, they can be purchased online for less than $50 and can successfully hide a vehicle's location.

In January 2016, a routine equipment switch caused a series of 13-microsecond timing errors in half of the GPS constellation satellites, which triggered about 12 hours of confusion for computers, networks, and timing devices around the world.

The U.S. government has referred to GPS as a single point of failure for critical infrastructure and, in 2004, called for the U.S. Department of Transportation to acquire a backup capability for GPS. However, an alternative has never come to fruition.

U.S. President Donald Trump reemphasized the need for redundancy by including a section in the 2018 National Defense Authorization Act that requires the U.S. Departments of Defense, Transportation, and Homeland Security to demonstrate a GPS backup capability within the next 18 months.

"We were concerned that the federal government was not doing all of the things it said it would do in order to protect GPS signals, which are being interfered with on a regular basis," says Dana Goward, the president of the Resilient Navigation and Timing Foundation (RNTF). He established the nonprofit in 2013 to protect, toughen, and augment GPS signals. "Since we started, over the last five years, GPS has been interfered with more and more," he notes.

Goward and other members of RNTF are also members of the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board, which has existed since the call for a GPS backup capability was issued in 2004.

It's hard to tell exactly how big an impact a widespread GPS outage would have on critical infrastructure sectors around the world, but Goward notes that glitches such as the January 2016 blip can foreshadow what systems might be affected. "The implementation and use of GPS signals is so widely spread for so many different things it was never intended to be used for that it's really impossible to outline all the bad things that would happen and the sequence in which they would occur," he says. "But there are some things we do know."

Say a terrorist plants a high-powered GPS jammer hidden in a suitcase in the middle of a city. Transportation will probably be the first system visibly affected, which could quickly impact an entire metropolitan area, Goward says. Traffic lights will become desynchronized and GPS-based apps will no longer function, creating distracted and dangerous driving conditions. Airplanes and other forms of mass transportation will have to slow down or alter routes to stay in contact with people who can keep them on course. Package delivery routes as well as land, sea, and air-based supply chain operations will be disrupted. "All forms of transportation will be forced to carry less capacity in the area," Goward notes.

Countless systems that rely on GPS's perfectly synchronized timing—including data networks, financial activities, the electric grid, and other utilities—will slowly drift out of sync, causing system failures.

"When the networks start to fall apart, it's hard to tell how much of a cascading failure you're going to see," Goward notes. "Networks depend on each other. It's really such a vast and hyper complex system, the structures of which are not known and may not be knowable."

Preventing GPS glitches is a multifaceted challenge. The GPS satellites themselves are fairly resilient—they are replaced on a rotating basis depending on their estimated operational life. Still, mechanical glitches like the one that caused the January 2016 blip are possible. The signals transmitted from the satellites are even weaker than cosmic background noise, and Goward notes that even upgraded equipment won't substantially change the strength.

"The basic problem is fundamental physics," Goward says. "Satellites are 12,500 miles up in space and powered by solar panels and transmitting all the time—unlike other satellites that can store up their solar power, GPS satellites have to transmit all the time. They will always be really weak and easy to interfere with."

An inherent area of weakness is the equipment used to receive the GPS signal sent by the satellites—anything from cell phones to networks to military ground stations that encrypt the signal.

"Most GPS receivers in use right now are very vulnerable to jamming and spoofing," Goward notes. "The technology in terms of antennas and software is available to make them much less susceptible to jamming and spoofing, but it costs a little extra and users don't feel motivated to incorporate anti-jamming and spoofing technology into their receivers and systems, even when they involve and support critical infrastructure like phone and IT networks."

RNTF is working with the government to establish guidance or best practices to improve GPS receiver security. While a fix is relatively simple, Goward says he doubts most companies will make the upgrade unless they are told to do so or they experience a GPS-induced crisis. "We think that for critical infrastructure applications there's a government role there to advocate for, encourage, and perhaps require users to have the latest anti-jamming and spoofing technology."

Military-level encrypted GPS signals aren't exempt from jamming or spoofing, either. While the use of a secured ground system to control the broadcast of an encrypted signal, along with military-grade receivers, provides an inherent level of protection, it's not foolproof—and it only works when it's used properly.

"Because of the encryption, that makes military receivers as a practical matter more difficult to use, so we had seen any number of photographs of military folks in the field with GPS receivers they bought at Walmart strapped to their arms and using them instead of military receivers," Goward notes. Encrypted equipment tends to be stored under lock and key—and is usually unwieldy—making it more cumbersome to use.

It's suspected that the infamous straying of a U.S. naval ship into Iranian waters in 2016 was a result of the sailors using unencrypted receivers, which allowed Iran to spoof the signal and direct them into the country's territory. And headlines were made when the movements of U.S. military personnel at several overseas bases could be tracked via a GPS-based fitness app—no jamming or spoofing required.

The U.S. Department of Defense (DoD) is in the middle of upgrading the military ground systems and replacing the current GPS constellation—which is near the end of its intended operational life—but the efforts have faced a series of setbacks. The new generation of satellites, called GPS III, is expected to provide a stronger signal that is more resistant to spoofing and jamming and will permit interoperability with other global navigation systems. But, according to the U.S. Government Accountability Office (GAO), the acquisition and timeline for deploying the new satellites has run into several roadblocks, delaying the launch of the new equipment.

For example, the first GPS III satellite built, which is slated to become operational in 2019, includes energy storage devices that had not been appropriately tested by the subcontractor. When the Air Force discovered the failure to test the equipment, it made the subcontractor remove the devices from the second and third satellites currently being built, but "decided to accept the first satellite and launch it 'as is' with the questionable capacitors installed," the GAO reports. The rest of the GPS III satellites are expected to be launched and operational—replacing the current devices—by 2021.

Three components of the upgrade—the new ground control systems, GPS III satellites, and contingency operations programs—are expected to face "numerous challenges" over the next 18 months, GAO notes. "If any of the three programs cannot resolve their challenges, the operation of the first GPS III satellite—and constellation sustainment—may be delayed."

Meanwhile, Goward and the RNTF are continuing to encourage the government to promote more secure GPS receiver technology and build a backup capability for when—not if—the GPS signal fails.

"We are concerned that the federal government does not have a central point of accountability for protecting GPS," Goward explains. "It's possible that this lack of responsibility and governance will mean that nothing is going to happen until the nation has suffered substantial damage because of the failure to protect, toughen, and augment GPS."
Book Review: Hacked Again
Cybersecurity
https://sm.asisonline.org/Pages/Hacked-Again.aspx

ScottSchober.com Publishing; ScottSchober.com; 202 pages; $34.95.

If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, Hacked Again is a good resource to have in your library.

Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.

Another important concept is having systems in place to enable information access both as the data breach is occurring and afterwards. Most companies' IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.

The abundance of personal information on social media is another concern of the author's. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we're never completely protected from a cyberattack.

Many cybersecurity books are more advanced, but Schober's style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.

Reviewer: Kevin Cassidy is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. He is a member of ASIS.