US Jails Chinese Scientist for Stealing $1bn of Trade Secrets

A Chinese scientist convicted of stealing trade secrets worth $1bn from an Oklahoma petroleum company has been jailed in the United States. 



Hongjin Tan was employed by the unnamed company in June 2017 to work in a group whose goal was to develop next-generation battery technologies for stationary energy storage. 



Vigilant coworkers caught the 36-year-old Chinese national and US legal permanent resident stealing hundreds of files containing proprietary information specifically related to flow batteries.



After being confronted with the theft, Tan admitted intentionally copying and downloading the research and development materials onto a thumb drive without authorization from his employer.



Realizing the jig was up, Tan turned in the thumb drive along with his resignation in December 2018. But when investigators examined the storage device, they found evidence that five documents that had been stored on it had since been deleted. 



The missing files were later located on an external hard drive recovered during a search of Tan’s premises. It transpired that Tan had swiped the files and squirreled them away at home, where they could be accessed, and potentially sold, at a later date. 



On November 12, 2019, Tan pleaded guilty to theft of a trade secret, unauthorized transmission of a trade secret, and unauthorized possession of a trade secret.



Speaking at the time, Assistant Attorney General for National Security John C. Demers said: “Tan’s guilty plea continues to fill in the picture of China’s theft of American intellectual property.



“The Department launched its China Initiative to battle precisely the type of behavior reflected in today’s plea—illegal behavior that costs Americans their jobs—and we will continue to do so.”  



Yesterday, US District Judge Gregory K. Frizzell sentenced Hongjin Tan to 24 months in federal prison and ordered him to pay $150,000 in restitution to his former employer. After completing his two-year prison sentence, Tan will spend a further three years on supervised release.



“The sentencing of Hongjin Tan underscores the FBI’s commitment to protecting our country’s industries from adversaries who attempt to steal valuable proprietary information,” said Melissa Godbold, special agent in charge of the FBI Oklahoma City Field Office.



“American companies invest heavily in advanced research and cutting-edge technology. Trade secret theft is detrimental to our national security and free-market economy. It takes profits away from companies and jobs away from hard working Americans.”


Source: Infosecurity

CVE-2020-9463

Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.
Source: NIST

FBI Indicts Alleged Ticketfly Hacker

The FBI has indicted a man suspected of being responsible for a hack that compromised the accounts of 127 million Ticketfly users.



Moulak O. Ishak allegedly hacked into Ticketfly’s systems in 2018. Ticketfly punters who tried to purchase tickets for upcoming live gigs were greeted with a picture of the V for Vendetta character and the message “Ticketfly HacKeD By IsHaKdZ.”



At the time of the attack, Ticketfly was owned by Eventbrite, which made the decision to temporarily take the platform offline in the wake of the breach. Eventbrite issued the online message, “Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident.”



Following the attack, Motherboard claimed that hacker IsHaKdZ told them via email that he had warned Ticketfly of a vulnerability that allowed him to take control of all the databases for Ticketfly and its website. 



In what sounds a lot like a ransom demand, the hacker is purported to have told Motherboard that he offered to share details of the vulnerabilities with Ticketfly in exchange for 1 bitcoin but never received a reply from the platform’s operators. 



Following the hack, the personal details of six Ticketfly users were posted to a server as proof that IsHaKdZ’s claims of being able to access the databases were real.



According to the indictment issued on February 18, the FBI believes that Ishak, using the pseudonym IsHaKdZ, attempted to extort money from Ticketfly over a five-day period. 



Ishak has been indicted on one count of forfeiture and one felony count of extortion in relation to damage to a protected computer.



The alleged cyber-criminal has not been apprehended, though a warrant has been issued for his arrest. If caught and convicted of these charges, Ishak could face a fine of $250,000 and up to three years behind bars. 



The indictment reads: “On or about 27 May 2018, and continuing to at least 31 May 2018, in the Northern District of California and elsewhere, the defendant, with intent to extort from Ticketfly money and other things of value, transmitted in interstate and foreign commerce a communication containing a demand and request for money and other things of value in relation to damage to a protected computer, to wit, Ticketfly’s servers, where such damage was caused to facilitate the extortion.”


Source: Infosecurity

#RSAC: The Five Most Dangerous New Attacks of 2020 Aren't All That New

A key highlight of any RSA Conference in San Francisco is the annual “Top 5 Most Dangerous New Attack Techniques and How to Counter Them” session led by experts from the SANS Institute.



For the 2020 edition, however, many of the attack vectors presented weren’t entirely new, as old threats resurfaced. Additionally of note, while the title of the session is about the top five new attacks, researchers outlined more than that at this particular event.



Command and Control (C2) Returns



Ed Skoudis, instructor at the SANS Institute, highlighted what he referred to as the “golden age of c2” as one of his top new threats. C2, which stands for command and control, is commonly associated with botnet activity that is controlled from a central command point.



Skoudis identified several ways that organizations can help protect themselves from C2 activity. Among his suggestions is for defenders to vigorously control outbound traffic and look for beacons and log anomalies. He also suggested that security professionals enforce application white-listing to limit what can run within the enterprise.



Living Off the Land



Another trend that Skoudis identified is the concept of living off the land, which refers to attackers making use of tools that are already present within an organization and then abusing them for malicious gain.



“If you’re an attacker, what you could do is you could use the resources of the operating system itself to attack that machine, and to spread to other systems in the environment, so you’re living off the land,” he said.



The concept of living off the land is not entirely new either, having been reported on at least as far back as 2015.



There are several things that organizations can do to protect against living off the land attacks. One set of resources cited by Skoudis is the LOLBAS project, which provides tools to help identify and limit the risk of attacks.




Deep Persistence



With the threat of deep persistence, Skoudis warned that malware can now be embedded deep into devices in a way that wasn’t happening before. For example, he noted that it is now possible to embed malware in a USB charging cable.



With the charging cable example, even if an organization is able to purge whatever malware gets installed on a given system, with deep persistence, the next time the cable is plugged in, it will reinfect the system all over again.



Skoudis said that it’s important for individuals and companies to not just plug anything into their system and to make sure that cables and other peripherals are acquired from trusted sources.




Mobile Device Integrity



Heather Mahalik, senior instructor and director of digital intelligence at SANS Institute, highlighted the risk of mobile devices as one of her top threats.



Given that mobile phones have become an essential part of daily life, she noted that if a phone falls into the wrong hands it could be catastrophic. She wasn’t just talking about lost or stolen devices, but also about the risk of refurbished devices that have not been properly wiped of the previous owner’s data.



She also mentioned the risk of the checkm8 vulnerability in Apple iOS devices, which is a silicon vulnerability that enables the checkra1n jailbreak.




How 2FA Can Hurt You



Two-Factor Authentication (2FA) is a recommended best practice to help improve user security, but it’s not a panacea either. Mahalik noted that simply having a code that needs to be typed in for 2FA isn’t enough.



She also warned that there are some apps that only require a phone number, which is a risk if a user gives up their phone number and the carrier then reissues that number to a new customer.



“You want a password and 2FA,” she said. “If it’s just one or the other, it’s not a good scenario.”



Mahalik suggested that when users get a new phone number they should make sure they go into every application that has 2FA and change to the new number.




Enterprise Perimeter Vulnerabilities



Johannes Ullrich, dean of research at SANS Institute, identified the risk of enterprise perimeter vulnerabilities as one of his top threats.



Over the past year there have been numerous publicly reported issues in widely deployed enterprise firewall and perimeter security devices.



Aside from patching, Ullrich suggests that users never expose an administrative interface on an enterprise perimeter device to the public internet.



Localhost APIs



The final emerging threats identified by Ullrich are localhost APIs that are embedded in enterprise applications that call out to third-party resources. While the intention for the APIs is to enable functionality such as tech agent support, they also open up enterprises to potential risk.



To help limit the risk, Ullrich suggests that users, where possible, identify what is listening on ports on a system and monitor how applications call out to external resources.


Source: Infosecurity

CVE-2020-5247

In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Source: NIST
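The mechanism behind the Puma advisory, as an added example that is not Puma's own code: a naive serializer shows how one untrusted header value carrying a CRLF becomes an extra header line on the wire, and a validation step of the kind the fix describes (reject any header name or value containing a line ending) stops it. The header hash and the injected value are constructed for the demonstration.

```ruby
# Serialise a Rack-style header hash into a raw HTTP header block the way a
# server with no validation would. Used only to make the splitting visible.
def serialize_headers_naive(headers)
  headers.map { |k, v| "#{k}: #{v}\r\n" }.join + "\r\n"
end

# Count the header lines a receiving client would actually parse from the raw
# block. More lines than keys in the hash means the response was split.
def header_line_count(raw)
  raw.split("\r\n").reject(&:empty?).size
end

# Hardened path: refuse any header name or value that contains CR or LF,
# which is the check the advisory says Puma 4.3.2 / 3.12.3 added.
class InvalidHeader < StandardError; end

def validate_headers!(headers)
  headers.each do |k, v|
    [k, v].each do |field|
      if field.to_s.match?(/[\r\n]/)
        raise InvalidHeader, "line ending in header #{k.inspect}"
      end
    end
  end
  headers
end

def serialize_headers_safe(headers)
  serialize_headers_naive(validate_headers!(headers))
end

# Constructed sample: a Location header built from untrusted input that
# carries an embedded CRLF followed by a second, injected header.
UNTRUSTED_LOCATION = "/home\r\nX-Injected: yes"
SAMPLE_HEADERS = {
  "Content-Type" => "text/html",
  "Location" => UNTRUSTED_LOCATION
}

if __FILE__ == $0
  raw = serialize_headers_naive(SAMPLE_HEADERS)
  puts "naive: #{header_line_count(raw)} header lines from #{SAMPLE_HEADERS.size} keys"
  begin
    serialize_headers_safe(SAMPLE_HEADERS)
  rescue InvalidHeader => e
    puts "safe: rejected (#{e.message})"
  end
end
```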

6 Truths About Disinformation Campaigns

Disinformation goes far beyond just influencing election outcomes. Here’s what security pros need to know.
Source: DarkReading

Michigan Healthcare Group Hack Went Undetected for Six Months

A data breach that exposed patients’ personal health information (PHI) for almost three months went undetected for half a year at a Michigan healthcare group.



Hackers gained access to patient data placed in the safekeeping of Munson Healthcare Group by compromising the email accounts of at least two employees. Patient records were accessed from July 31, 2019, to October 22, 2019, but the breach went undetected until January 16, 2020.



What data was compromised in the prolonged attack varied from patient to patient, but information accessed by the hackers included financial account numbers, driver’s license numbers, dates of birth, and Social Security numbers. 



Health information, including insurance details, treatments, and diagnostic data were also exposed by the breach. 



Exactly how many patients were affected by the breach has not been revealed by Munson Healthcare, but given the size of the group, the number could potentially be high. From its base in Traverse City, Munson Healthcare operates nine hospitals in 30 counties spread through Northern Michigan.



The group has 7,500 employees and covers an area of 11,177 square miles, which is roughly the size of Vermont and Delaware combined.



“This incident does not affect all patients of Munson Healthcare and not all information was included for all individuals. Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information,” a spokesperson for Munson Healthcare said.



The group went on to say that no evidence had been found to indicate that the information exposed in the breach had been acquired or misused by any third parties who accessed it. Given how long it took the group to detect that the breach had even occurred, this statement may come as cold comfort to Munson patients whose data was accessed by hackers.



“Patient privacy is a top priority and we take this matter very seriously,” said Lucas Otten, Munson Healthcare’s director of information security.



“Munson regularly trains and educates all employees on cybersecurity awareness and risks, and we use a 24×7 staffed cybersecurity response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen.”


Source: Infosecurity

Exploitation, Phishing Top Worries for Mobile Users

Reports find that mobile malware appears on the decline, but the exploitation of vulnerabilities along with phishing has led to a rise in compromises, experts say.
Source: DarkReading

CVE-2020-9447

The file-upload feature in GwtUpload 1.0.3 allows XSS via a crafted filename.
Source: NIST

#RSAC: GM CEO Stresses Need to Invest in Developing Next Generation of Cyber Engineers

Delivering a keynote talk at the RSA Conference in San Francisco, Mary T. Barra, chairman and CEO of General Motors Company, said “all of you today are the best and strongest line of defense in this ongoing and even more complex fight.”



Barra had concluded the first part of her keynote talk by saying that “we know this is a marathon with no finish line” and stressed the need for more talent, citing the most recent (ISC)2 Cyber Workforce Survey, which estimated a shortage of four million skilled people by 2022. She said that “without the right people and the right tools” security risks will increase, “and endanger all of us.”



She added that for long term success of every business that exists in a digital ecosystem “we must fill the talent gap, and not just with anyone but with everyone.”



She highlighted the need to recruit more “women and minorities, who are under-represented in the engineering and IT fields.” To that end, GM has run outreach programs in schools that focus on “rewarding careers,” encourage students to pursue science, technology, engineering and mathematics (STEM) careers, and “help them see a path for themselves in this space.” Last year these programs reached 300,000 students and teachers across the United States, while General Motors has participated in nationwide careers programs and has encouraged its own engineers to do outreach to schools.



“If we want to cultivate young people of the future, we need to invest in theirs,” she said.


Source: Infosecurity