Los Angeles partnership launches platform to help people catch phishes | Nonprofit LA Cyber Lab launches app to help small businesses spot phishing, malware.

  • By: arstechnica.com

The relentless march of ransomware, business email compromises, and other attacks against small private and public organizations over the past few years has demonstrated the hazard of operating below the information security poverty line—the point at which local governments, small and midsize businesses, and other institutions lack the expertise and budget required to implement basic computer and network security best practices needed to protect the organizations against cybercrime.

So on September 17, a Los Angeles-based cybersecurity nonprofit organization unveiled a new effort to help end that cycle, at least locally. Partnering with IBM Security and enterprise intelligence management provider TruStar, LA Cyber Lab has launched two initiatives to help organizations spot and stop malware and phishing attacks—a Web portal for sharing threat data and a mobile application targeted at helping small businesses detect and avoid email-based attacks like spear phishing.

LA Cyber Lab, a 501(c) nonprofit organization, received $3 million in funding from the US Department of Homeland Security in 2017. The organization is a "private-public partnership," LA Cyber Lab executive director Joshua Belk told Ars, "which works with the City of Los Angeles and the business committee of the Greater Los Angeles area." The lab's mission is helping Los Angeles area organizations "protect themselves and be more aware of cyberattacks and just different things that are happening in that realm," Belk explained.

The daily feed

Up until now, LA Cyber Lab's intelligence sharing has taken two forms: a daily threat report distributed by email and a regularly shared comma-separated value (CSV) file containing "indicators of compromise" (IOCs)—fingerprints for known attacks that businesses can use to detect attacks. But this week, LA Cyber Lab announced that the organization was moving to provide automated access to current threat data through its new Threat Intelligence Sharing Platform (TSIP) Web portal. Businesses that sign up as members will be able to connect their existing tools to the data as well through a Web application programming interface (API).

The threat data LA Cyber Lab distributes currently comes from over 25 data sources, including IBM X-Force IRIS's threat data, information collected from partner organizations, and open-source threat feeds (including those from the Department of Homeland Security's US-CERT). The IBM data comes from IBM X-Force Exchange, an 800 terabyte set of threat activity data that includes information on over 17 million spam and phishing attacks, real-time reports of live attacks, and reputation data on nearly one million malicious IP addresses.

"The partners are a group of companies around Los Angeles, both public and private sector, who are sharing whatever they want to in terms of IOCs," Belk said. They currently include the City of Los Angeles, City National Bank, AT&T, and IBM. Other companies in the region are in the process of being enrolled as well. "We're asking partners to share only vetted information so that we're not receiving false positives and a lot of noise," Belk explained.

"What we're doing on the back-end," said Wendi Whitmore, Global Lead for IBM X-Force Security Services, "is feeding in IBM X-Force IRIS threat intelligence—and in particular, premium threat intelligence which is more of our human analyzed, curated intelligence—into the submissions, and ensuring that we're leveraging that when the analysis is being conducted." TruStar was brought in to build the portal and provide "all the connectors between the different organizations," she added.

Belk said organizations that become members of the LA Cyber Lab information sharing network "have the opportunity to interact with some of the threat data…they can take it back to their environment, look through their network's logs and see if there's anything in the past, a breach that might've already happened that they weren't aware of, or they can look forward and they can block it at the edge of their security network and blacklist or put rules in place to allow different activities to happen when they see some of those indicators come through."

Partner organizations submitting data will also get the benefit of extra eyes on their data—and alerts back from IBM X-Force. "If we're finding things that are of high risk—maybe they're new, perhaps not zero-day, but a new tactic or a new way to leverage a certain tactic—then we're going to provide that information back to the organizations that submitted as well as to the group," Whitmore explained.

There’s an app for that

This type of data isn't something that small businesses can typically act on, which leads to LA Cyber Lab's second new tool. The LA Cyber Lab mobile app, which is now available on both the Google Play and Apple iOS app stores, will allow anyone to push suspicious emails to LA Cyber Lab for automated evaluation based on threat data. Users can also vet malicious links or content using analysis provided by IBM X-Force IRIS, based on data from the threat platform's feeds.

When users create an account with the application, they get an email address to forward suspicious messages to. "They're able to send in emails to our platform," Belk explained, which then processes the message using analysis tools provided by IBM X-Force IRIS. A response indicating whether the email was malicious or not is sent back through the mobile application to the email addresses used to enroll in the application.

The platform backing the application reviews the email and extracts headers, links, attachments, and other data. "We're analyzing if there's an actionable link, like a hash or IP address, or domains that are bad," Belk explained. "We've got a list of roughly 15 different indicators of compromise that we're utilizing in the first beta release that get pulled from the email and then bounced against the known sets of phishing indicators." Any malicious indicators found in the email are then added to the LA Cyber Lab threat data feed.

"There's no action taken on the information," Belk said. "The user has to decide what they want to do because it's theirs. They're just sending it in to say, 'Hey, I think this is bad, is it bad?' And to the best of our ability we are providing them an answer and a ranking. When they get that back, it comes back as either 'guarded' or 'critical' and it gives them some steps of things that they might consider based on whatever was seen or not seen." The application also includes access to trending data to give users an idea of what's happening in a wider context—in theory helping organizations become more aware of other, similar threats that they may face in the near future.
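As an added illustration (not LA Cyber Lab's, IBM's or TruStar's code), the following Python routine sketches the triage flow the preceding paragraphs describe: it takes a forwarded message, pulls the sender and link domains, relay IP addresses and attachment hashes out of it, matches them against a type,value indicator CSV of the kind the lab had been distributing, and returns one of the article's two ranks. The indicator feed, the sample message, the "clean" no-match label and the thresholds that separate "guarded" from "critical" are constructed for this example.

```python
import csv
import hashlib
import io
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed attachment bytes; its SHA-256 goes into the sample feed so the hash-matching path runs.
ATTACHMENT_BYTES = b"constructed sample attachment, not a real executable"
# Constructed indicator feed in the type,value CSV shape the article describes.
SAMPLE_IOC_CSV = ("type,value\ndomain,login-verify.example\nip,203.0.113.45\n"
                  f"sha256,{hashlib.sha256(ATTACHMENT_BYTES).hexdigest()}\n")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_email() -> str:
    """Constructed phishing-style message: lookalike sender, link, attachment."""
    msg = EmailMessage()
    msg["From"] = "IT Support <helpdesk@login-verify.example>"
    msg["Received"] = "from mail.login-verify.example ([203.0.113.45])"
    msg.set_content("Reset your password: http://login-verify.example/reset?u=owner\n")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_string()


def load_feed(csv_text: str) -> dict:
    """Index the feed as {indicator type: set of lower-cased values}."""
    feed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        feed.setdefault(row["type"], set()).add(row["value"].lower())
    return feed


def extract_indicators(raw: str) -> dict:
    """Pull sender/link domains, relay IPs and attachment hashes from a message."""
    msg = message_from_string(raw, policy=policy.default)
    found = {"domain": set(), "ip": set(), "sha256": set()}
    sender = str(msg.get("From", ""))
    if "@" in sender:  # sender domain, e.g. helpdesk@login-verify.example
        found["domain"].add(sender.rsplit("@", 1)[1].rstrip(">").lower())
    for received in msg.get_all("Received", []):  # relay addresses
        found["ip"].update(IPV4_RE.findall(str(received)))
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            found["sha256"].add(hashlib.sha256(part.get_content()).hexdigest())
        elif part.get_content_type() == "text/plain":  # link hosts in the body
            found["domain"].update(h.lower() for h in URL_HOST_RE.findall(part.get_content()))
    return found


def score_email(raw: str, feed: dict) -> tuple:
    """Return (verdict, matched indicators by type) for one forwarded message."""
    hits = {k: v & feed.get(k, set()) for k, v in extract_indicators(raw).items()}
    hits = {k: v for k, v in hits.items() if v}
    # "guarded"/"critical" are the article's levels; thresholds and "clean" are this example's choices.
    if "sha256" in hits or len(hits) > 1:
        return "critical", hits
    return ("guarded" if hits else "clean"), hits
```

A real deployment would also normalise encoded headers, expand shortened or redirecting links before extracting hosts, and hash every attachment part rather than only those marked as attachments.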

Belk sees LA Cyber Lab's platform as a model that can be reproduced in other regions across the country. But the success of the platform will be driven largely by adoption—and by whether organizations, large or small, will be willing to both share and act on the data.

Advanced hackers are infecting IT providers in hopes of hitting their customers

A previously undocumented attack group with advanced hacking skills has compromised 11 IT service providers, most likely with the end goal of gaining access to their customers' networks, researchers from security firm Symantec said on Wednesday.

The group, dubbed Tortoiseshell, has been active since at least July 2018 and has struck as recently as July of this year, researchers with the Symantec Attack Investigation Team said in a post. In a testament to Tortoiseshell’s skill, the new group used both custom and off-the-shelf hacking tools. At least two of the 11 compromises successfully gained domain admin level access to the IT providers’ networks, a feat that gave the group control over all connected machines.

Tortoiseshell's planning and implementation of the attacks was also notable. By definition, a supply chain attack is hacking that compromises trusted software, hardware, or services used by targets of interest. These types of attacks require more coordination and work. Taken together, the elements suggest that Tortoiseshell is likely a skilled group.

“The most advanced part of this campaign is the planning and the implementation of the attacks themselves,” a member of Symantec’s research team wrote in an email. “The attacker had to have multiple objectives achieved in an operational fashion in order to compromise the true targets which would have relationships with the IT provider.”

The researcher continued: “The use of custom, unique malware developed for an advanced campaign such as this shows the attacker has resources and capabilities that most low to mid level adversaries simply do not have. Putting all these pieces together built a bigger picture, which matched the profile of an advanced well-resourced attacker.”

Blown cover

The campaign, which primarily infected IT providers in Saudi Arabia, was by no means perfect. A custom backdoor used by Tortoiseshell had a “kill me” command that allowed attackers to uninstall the malware and remove all traces of infection. The presence of this feature suggested that stealth was a key objective in the campaign. But two of the compromised networks had several hundred connected computers infected with malware. The unusually large number was likely the result of the attackers having to infect many machines before finding the ones of interest. Whatever the cause, the large number of infections made it easier to detect the campaign.

“Compromising hundreds of hosts in this type of attack takes away from the impressiveness of the campaign,” the Symantec researcher wrote in the email. “Specifically, having a smaller attack footprint (smaller number of infected hosts), the less likely defenders are to identify and mitigate the threat. So by having to infect many hosts, the attacker put themselves at a disadvantage and increased their risk of being caught.”

One unexplained piece of the puzzle was the installation of a malicious tool, dubbed Poison Frog, about a month before the Tortoiseshell tools were deployed. Several security providers have linked Poison Frog to an Iranian-government sponsored attack group known as APT34, or alternately OilRig. In April, an unknown person or group started publishing secret data, tools, and alleged member identities belonging to OilRig.

In early 2018, OilRig also experienced a hostile take-over of its servers by Turla, another attack group that multiple researchers over the years have linked to the Russian government. Wednesday’s report from Symantec said it’s not clear if the same person installed both Poison Frog and the Tortoiseshell tools. Given the gap of time between the infections, the researchers are assuming they’re unrelated, but without more evidence, there’s no way to be sure.

Symantec has yet to figure out how Tortoiseshell infected the 11 networks. A Web shell—which is a script that’s uploaded to a Web server to provide remote administration of the machine—was the first indication of infection for one of the targets. Its presence suggests that Tortoiseshell members likely compromised a Web server and then used this to deploy malware onto the network.

Wednesday’s report contains IP addresses of Tortoiseshell control servers and cryptographic hashes of the software that the group used. Security people can use these indicators of compromise to tell if networks they defend have experienced the same infections.

More evidence points to Iranian cruise missiles, drones in attack on Saudi oilfield

Debris gathered from the drones and missiles used to attack an oil field and refinery in eastern Saudi Arabia increasingly lends credence to US and Saudi accusations that Iran was in some way behind the attacks. Other evidence presented thus far also suggests that the attacks may have been launched from Iran rather than Yemen, as the leadership of the Houthi militia fighting Saudi Arabia there has claimed.

A total of 25 drones and missiles were used in the attack. The missiles appear to have been identical to the Quds-1 cruise missile revealed by Ansar Allah (the Houthi militia) in a weapons display on July 7. The drones were delta-winged, propeller-driven unmanned aircraft with stabilizer fins at the tips of each wing.

Quds it be?

An Ansar Allah video of the unveiling of the Quds-1 cruise missile and other Houthi drones and weapons on July 7, 2019.

The Quds-1 is a smaller missile than the Soumar—Iran's clone of a Soviet-era cruise missile obtained from Ukraine in 2001—and its latest iteration, the Hoveyzeh. The Quds-1 uses what appears to be a Czech-built turbojet engine, the PBS Aerospace TJ100 (which PBS advertises as "especially suitable for unmanned aerial vehicles") stuck onto its upper fuselage for propulsion.

Based on analysis of photographs and other evidence, Fabian Hinz of the James Martin Center for Nonproliferation Studies and others have posited that the Quds-1 was used in the September 14 attacks. A TJ100 engine was found in the wreckage, and the missile had a smaller diameter than the Soumar, with rounded control fins identical to those in photos of the Quds.

This doesn't get Iran off the hook for the attack. Drones displayed by Iran have had TJ100 turbojets (or engines that are nearly identical knockoffs). And the Houthi Ansar Allah, while having some technical capabilities, would be hard-pressed to produce turbojet engines—let alone an entire cruise missile with terrain following systems and satellite navigation.

There's a possibility of an even more direct Iranian connection: while the Soumar would have plenty of range to be launched from Yemen and strike northeastern Saudi Arabia, the TJ100 has significantly less thrust and is less fuel efficient than the engine used in the bigger missile. In order to reach its target, it would more likely have had to be launched from southwestern Iran. While Iran has not publicly displayed the Quds-1 under any name, it is likely that it is a simplified weapon built specifically for Iran's proxies, just as Iran has done with some drone weapons.

The tempest

The drone wreckage from the attack introduces another set of questions. The "suicide" uncrewed aerial vehicles, or "loitering munitions" as they are referred to in the UAV industry, were similar in design—but not identical—to a drone Iran has referred to in the past as the Toofan ("Tempest").

Saudi Ministry of Defense officials identified the drones as "Iranian Delta Wave UAVs." It's doubtful that these were actually Toofan drones. Instead, it's more likely that they were an updated design based on the same delta-wing, "low observable" shape. According to a 2013 report in Iran's Mehr News, the Toofan's top speed is 250 kilometers per hour (155 miles per hour), and it can fly for "over an hour."

That would not give the drone the endurance to reach the targets in Saudi Arabia. Furthermore, the Toofan is optically guided—"a front-facing camera in the nosecone transmits live images until the moment of impact, to increase homing accuracy." That does not appear to be the case with the drones used in the September 14 attacks. However, the drones were small (roughly 2 meters or 7 feet long) and probably only had a range of about 400 kilometers.

Again, given that it is about 1,250 kilometers from Yemen to the target zone of the attacks, it's highly unlikely that these drones were launched by Houthi forces there. It's more likely that, as in similar attacks earlier this year, the drones were launched by Iran-backed militia from Southern Iraq.

Iraq's government has denied that the attacks were launched from Iraqi territory, but a drone was spotted flying through Kuwaiti airspace on the night of the attack.

Listing image by Bloomberg, via Getty Images

AT&T considers getting rid of DirecTV as TV business tanks, WSJ reports

AT&T is considering whether to "part ways" with DirecTV, just four years after buying the satellite company, the Wall Street Journal reported today. The Journal report doesn't use the word "sale" to describe what AT&T is considering, but the end result could be AT&T no longer owning DirecTV.

"The telecom giant has considered various options, including a spinoff of DirecTV into a separate public company and a combination of DirecTV's assets with Dish Network, its satellite-TV rival," the Journal report said, citing "people familiar with the matter."

It's still early in the process, so AT&T could end up sticking with DirecTV. "AT&T may ultimately decide to keep DirecTV in the fold. Despite the satellite service's struggles, as consumers drop their TV connections, it still contributes a sizable volume of cash flow and customer accounts to its parent," the Journal reported.

The cash generated by DirecTV is helping fuel other investments at AT&T and is helping the company pay down its "towering net debt load, which stood at more than $160 billion earlier this year," the Journal report said. AT&T's $49 billion purchase of DirecTV contributed to that debt load.

A spinoff of DirecTV likely would not happen "until mid-2020 at the earliest" for tax reasons, the Journal report said.

We contacted AT&T and will update this story if we get a response.

TV business in rapid decline

AT&T completed the purchase of DirecTV in July 2015, with high hopes of dominating the pay-TV business using both DirecTV satellite and a new online service based on DirecTV. But AT&T's total number of video subscribers dropped from 25.4 million in Q2 2018 to 22.9 million in Q2 2019, and AT&T told investors last week that it expects to lose another 1.1 million TV customers in the third quarter.

Since April, AT&T has been facing a class-action lawsuit alleging that it lied to investors in order to hide the failure of its DirecTV Now streaming TV service. Last week, the lawsuit was updated to include allegations that AT&T supervisors encouraged sales reps to create fake DirecTV Now accounts and sign AT&T customers up for DirecTV Now "without the customer knowing."

AT&T's TV strategy was criticized in an open letter last week by activist investor Elliott Management Corp., which has a $3.2 billion stake in AT&T. Elliott urged AT&T to consider divesting DirecTV, which may have contributed to AT&T examining whether to offload the TV division.

AT&T also bought Time Warner Inc. in 2018 and is hoping to get a big chunk of the streaming business with next year's launch of HBO Max. But Elliott said that "AT&T has yet to articulate a clear strategic rationale for why AT&T needs to own Time Warner."
