Monthly Archives: August 2016

As the Greek philosopher Heraclitus famously noted, “the only constant is change”. This statement was as accurate 2,500 years ago as it is now. The world around us changes constantly, oftentimes at a somewhat frenetic pace. The field of information security is no different. Both the organizations we support and the threat landscape we face are changing and evolving constantly.

One unfortunate side effect of continual change can be what I colloquially call “shiny object syndrome” (SOS). As you might imagine, some organizations, and indeed some people, seem to run continually from one “shiny object” to another. In other words, rather than approach security strategically, adjusting the plan in a calculated manner to account for changes to the risks and threats the organization faces, many organizations repeatedly chase after the fad of the day.

Rather than discuss why this occurs, I’d like to focus on what organizations can do to avoid falling victim to shiny object syndrome. Hype, buzz, and trends change constantly, but the fundamentals of a good security program stay the same.

Signs: Change is Constant

While this is certainly not an exhaustive list, here are my top five ways that organizations can stay grounded and focused amidst a sea of distractions:

1. Stick to the plan: As I and many others have previously noted, if you don’t already have an incident response plan, you should. If you do already have a plan, then you are already one step ahead of the game. The trick is to stick to the plan, even when the temperature gets a little hot in the kitchen. If you’ve done your homework properly, or worked with qualified professionals who have helped you do it properly, you will pull through. Just as long as you don’t succumb to the near constant temptation of distraction and the knee-jerk reactions it causes.

2. Focus on risk: The best security organizations use a variety of techniques to understand the unique threat landscape they face. Those same organizations use this knowledge to help them prioritize the risks and threats that they wish to mitigate. In addition to helping these organizations prioritize spending and mitigate risk more effectively, this approach helps them stay focused and avoid running astray in pursuit of shiny objects. When the temptation to run in a particular direction arises, the organization can evaluate this new direction against its prioritized list of risks and threats. This helps the organization understand how this potential new direction impacts the organization, specifically regarding any additional risk that it may or may not introduce. In this sense, it is fairly easy to identify distractions by understanding their lack of relevance to the risk mitigation goals of the organization.

3. Prioritize holes to plug: In the security world, new techniques for intruding into organizations appear fairly frequently. Some of them grab big headlines, which of course can increase attention and pressure on security types from non-security types in leadership or executive positions within our respective organizations. But how firm of a grasp do we have on the primary ways in which we are being attacked and owned, as well as broader patterns and trends across the industry? It is far too easy to divert important resources away from their strategically prioritized day-to-day work and onto the hack du jour. But if today’s distraction poses a minor risk to our organization, does it make sense to divert resources from mitigating risks or plugging holes that we know pose serious risk to the organization? Not particularly, although without a quantitative handle on risk that includes a robust risk register, it can be hard to justify that stance in the heat of the moment.

4. Go beyond the buzz: A few years ago, I remember walking around the RSA Conference vendor expo hall and seeing signs that read “big data”, “security analytics”, or “big data security analytics” everywhere. Everyone was talking about the topic, and many still are, for good reason. But let’s go beyond the buzz and take a look at one of my favorite questions: So what? What will you use security analytics for? Do you have a list of risks to mitigate that will require a variety of different people, process, and technology to mitigate, including security analytics? For example, identifying stolen credentials and attackers masquerading as legitimate users? Having insight beyond the buzz allows an organization to more efficiently and effectively apply people, process, and technology to solve real world problems and challenges. Otherwise, solutions that are purchased and implemented wind up looking for a problem to solve. Not a great place to be, particularly when looking to justify expenditures and show return on investment.

5. Measure what matters: Did your security organization open and close 500 tickets last week and handle 10,000 IDS alerts? Pardon my candor, but who cares? How do those metrics help you assess how you are or are not progressing against the prioritized list of risks and threats you’re looking to mitigate? Measuring what matters allows an organization to produce metrics that actually help it assess its progress against its strategic objectives. Unfortunately, I am not able to expand on this concept in this piece, but I have written about it previously. Metrics that matter have the added benefit of allowing an organization to assess and measure whether activities (whether new or old) are adding value to the security program. You guessed it -- that helps a security organization stay focused on adding value, rather than chasing after shiny objects.

There is no shortage of distractions in the information security realm. As security professionals, we need to stay focused on managing, mitigating, and minimizing risk to our respective organizations, even as both the business and the threat landscape change around us. If we stay grounded, adapt strategically, and adjust incrementally, we stand a far better chance of successfully accomplishing our goals. Running off course on all sorts of impulsive tangents never made anyone more secure.


Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and a M.Eng. in Operations Research and Information Engineering from Cornell University.

SecurityWeek RSS Feed

Saudi cyber experts held urgent talks on Tuesday after government facilities were hacked, official media reported.

The cyber attacks "in recent weeks targeted government institutions and vital installations in the kingdom," the Saudi Press Agency reported, without identifying the targeted agencies.

It said the kingdom's Cybersecurity Centre "held an urgent workshop with a number of parties" to discuss the results of its investigations.

The attacks originated abroad and subjected users' accounts to viruses which spy on information, it said.

Experts outlined how the attacks occurred and presented "necessary procedures to fix and to protect those sites", Saudi Press Agency said. It gave no indication as to the source of the hacking.

In June a major Saudi newspaper said hackers briefly seized control of its website to publish false information.

Four years ago, a damaging malware assault hit the state oil company Saudi Aramco. US intelligence officials believed it was linked to Iran.


© AFP 2016


At some point in the recent past -- he is not sure exactly when -- F-Secure's Chief Research Officer Mikko Hypponen coined the term 'cyber crime unicorn'. His purpose was to highlight the growing professionalism of cyber criminals; and the term caught on. Now he has asked the question seriously: could a ransomware product actually be a criminal tech unicorn; that is, a start-up business valued at more than $1 billion?

In a new article his short answer is No; but that's only because it would be impossible for the founders to cash out through the traditional IPO route. By most other yardsticks, cyber crime compares favorably to legal business. Consider one of today's prime businesses, Uber. According to a Thursday report in Bloomberg, Uber is on course to record a $2 billion loss this year following a similar loss last year -- and yet its latest valuation is $69 billion. Cyber criminals do not make losses.

There is little financial risk in cyber crime -- and especially with ransomware. Following a relatively low cost and short investment period it starts making profit very rapidly. And the profits can be extensive. One of the facilitators is the rise of bitcoin -- it allows the criminals to move and launder money relatively easily and safely; but it also allows researchers to get some idea of the amounts involved.

"Ransomware gives each victim a unique bitcoin wallet into which the ransom should be paid," Hypponen told SecurityWeek. "By getting ourselves infected in laboratory conditions we can follow what happens. The ransom is usually moved from each unique wallet into a central wallet controlled by the criminals -- and from there it is laundered." The laundering is often through buying pre-paid cards and then selling them on eBay and Craigslist; or directly through gambling casinos. But in the meantime, security firms such as F-Secure can monitor the amounts that pass through the central wallets -- and it is millions of dollars.

If this were a legitimate business making this amount of money this fast, it could indeed become a unicorn. But until there are underworld stock exchanges with access to as much money as Wall Street and London, crime cannot take that final hurdle towards becoming a billion dollar business. While cyber criminals follow basic good business principles, there is not -- at least, not yet -- an underworld Big Business.

But if cyber crime cannot be modelled on business investments and unicorns, is it already modelled on the gangster gangs of old Chicago? "If you mean protection rackets then yes," said Hypponen. "But it's more crimes such as DDoS that relate directly. Taking an ecommerce site off-line is very similar to closing a high street shop through violence if the protection money isn't paid."

This analogy goes even deeper, because in 'old Chicago' there were turf wars between rival gangs. To a degree, this already happens with cyber crime -- different gangs will steal ideas and even code from other gangs. "There's even an example of one gang 'taking out' a rival by stealing and publishing its decryption keys," said Hypponen.

But for now, Hypponen's response to his own question is no, we won't see cyber crime unicorns in the immediate future. But we do need to take note of the business-like organization and discipline within some of the gangs. He believes there are close to a hundred of these ransomware gangs, although a few might be one gang operating more than one ransomware. For now there would seem to be ample return on effort for all of them.

Off-line backups remain our best defense against ransomware -- that and an up-to-date anti-malware product. It is worth noting -- as Hypponen commented -- that 'backing up' to online services such as Dropbox, Drive and OneDrive will not solve the problem -- these are on-line and not off-line backups.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Did you know that Dick Cheney, former US Vice President who held that office from 2001 to 2009, had the wireless telemetry on his implantable cardioverter-defibrillator disabled during his time in office for fear of political assassination?

That was in 2007, and already the fear of what hackers could do to implanted medical electronic devices was real.


Now, almost ten years later, the fear must be even bigger for those who need to use implants, as the realization that all electronic devices can be tampered with by a motivated attacker is slowly becoming widespread knowledge.

Researchers have already proven that attackers could mess with people’s insulin pumps and implantable defibrillators. With the increased use of electronic brain implants, we can assume some of them will begin testing the security of those devices, as well.

Brainjacking

A group of researchers, neurosurgeons, and doctors of philosophy from Oxford Functional Neurosurgery and several Oxford University departments have recently published a paper exploring the issue of brain implant hacking (“brainjacking”).

Neuroimplants are used to treat a wide range of neurological and psychiatric conditions – Parkinson’s disease, chronic pain, depression, etc. – and will likely be used for an even wider range of ailments, as well as a way to correct “abnormal moral behaviour,” in the future.

“Until recently the risk of neurological implants being used against their users was firmly in the realm of fantasy. However, the increasing sophistication of invasive neuromodulation, coupled with developments in information security research and consumer electronics, has resulted in a small but real risk of malicious individuals accessing implantable pulse generators (IPGs),” they noted.

Attack scenarios

These implants, therefore, have the potential of being switched off or made to function in undesired ways by unauthorized persons, leading to tissue damage, increased pain, altered impulse control, unwanted mental conditioning, and more, all to the detriment of the people who need these implants.

“The current risk of brainjacking is low,” the group has noted, but “it is better to consider this issue seriously now, rather than in several years’ time when the sophistication of these implants is far greater, as would be the harm that an attacker may cause by subverting them.”

In the paper, they addressed a number of attack scenarios that might be pulled off even now, but added that there is no evidence that any of them has ever been attempted. Although, even if they had been successfully performed, it’s likely that they might not have been noticed.

“Wireless exploitation of implants is also likely to be subtle – device failures are a somewhat common eventuality and post-failure device diagnostics are rarely performed. Even if an attack were detected, tracking down the attacker would be a highly challenging task,” they noted.

Secure implant design

The group has delved into the current secure implant design, and the different factors that manufacturers have to weigh when adding features to these implants. The balance between usability and security is rarely so crucial to achieve.

“It may be valuable to develop codes of best practice for neurosecurity, or to formulate overall guidelines for medical device security that can be tailored to the specific requirements of neural implants. Any such code should be formulated to encourage cooperation between stakeholders and be sufficiently flexible to adapt to the rapid pace of change in neurological implant design,” they pointed out.

“Device manufacturers must strive to improve upon recent advances, ensuring that security concerns are considered throughout the design process and not relegated to an afterthought, and should cooperate with security researchers who seek to responsibly disclose design flaws. Regulatory bodies must balance use of their powers to encourage good neurosecurity practices with the risk of impairing real-world security through overly burdensome regulations.”

“Given that neurosecurity is not an immediate concern, there is sufficient time for manufacturers and regulatory agencies to carefully consider methods of risk mitigation. While there is a responsibility for manufacturers to make their devices secure, the expected value of any novel security features should be carefully weighed against other clinically relevant factors, and innovation should not be unduly stifled by the demands of neurosecurity,” they concluded.


Help Net Security


The infamous Ramnit Trojan is on the prowl again, and this time it targets personal banking customers of six unnamed UK banks.


The Trojan has not changed much since we last saw it targeting banks and e-commerce sites in Canada, Australia, the USA, and Finland in December 2015: it still uses the same encryption algorithms, and the same (but updated) data-grabbing, web-injection, and file-exfiltrating modules (the latter is after files with interesting keywords, like ‘wallet’, ‘passwords’, and bank names targeted in the configurations).

“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real time web-fraud attacks targeting online banking sessions,” IBM X-Force researchers explain. “Not all attacks have to happen in real time or from the victim’s device. Ramnit’s operators can also gather credentials from infected users and use them at a later time, in account takeover fraud from other devices.”

IBM warns of the Trojan’s resurgence after X-Force researcher Ziv Eli spotted the malware’s operators have set up two new attack servers and a new command and control server.

Whether these are the same operators that developed and used Ramnit over the last six years, and went into temporary hiding after a coalition of European law enforcement agencies shut down the C&C servers used by the Ramnit botnet in February 2015, is impossible to tell.

The Trojan’s source code was never sold or shared on underground forums, and IBM researchers believe it to be either still in the hands of the original cybergang, or of another one that bought it off of them.

If past delivery techniques are used again, the Trojan will be spread via spam, malvertising and exploit kits. IBM has helpfully provided indicators of compromise for administrators to use to spot the malware.


Help Net Security

Analysis A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout.

Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical. Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation.

MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws are made public, MedSec and Muddy Waters could all profit. The more the shares fell, the higher MedSec's profits would be.

Muddy duly published details of the flaws earlier today, on Thursday, and sent this doom-laden alert to investors:

Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.

We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.

St Jude's share price fell 4.4 per cent to $77.50.

MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts admittedly in a rather unorthodox manner.

"We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog.

"Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products."

Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed. If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case.

Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit. Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the flaws, which could help depress the share price further and thus boost his profits.

"The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed.

But based on his own company's report today into the St Jude devices, that seems unlikely. The two attack vectors mentioned include a battery draining attack and one that could crash a pacemaker, but both require the attacker to get access to the device's home control unit for about an hour.

The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security. It estimates the faults will take years to rectify.

Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec.

The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong. So it seems they publicized that some flaws were merely present instead and cashed in on short selling.

Medical device hacking has been demonstrated for years now, so much so that it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue. ®



The Register - Security

Miscreants are attracted to law-skirting schemes that generate strong revenues without significant ongoing investments. You can observe these characteristics in the trademark registration campaign described below. It seems to have been active for at least a decade and spans Texas, Delaware, Washington and the Principality of Liechtenstein. This is a manifestation of the broader set of fake invoice scams, such as the website backup “invoices” that I outlined in an earlier article.

Protected Trademarks on the Internet

After I registered the name of the malware analysis toolkit that I maintain, REMnux, as a trademark with the US Patent and Trademark Office, I began receiving postal solicitations requesting that I include this trademark in various private registries. You can see one of these letters below. (Click the image to see the PDF of the full page.)

The letter looks like an official invoice for trademark registration. In reality, the solicited $992 fee is for the proposed “service” that the notice describes in all capital letters as follows:

“THE TRADEMARK PUBLICATION PROVIDES THE NAME OF TRADEMARK OWNERS AND PRODUCT NAMES ON THE INTERNET.”

The letter states that “YOUR DATA WILL BE PUBLISHED FOR A TERM OF TWO YEARS UPON RECEIPT OF PAYMENT.” It describes the benefits of the service by claiming that “PUBLICATION ON THE TRADEMARK DATABASE REGISTER ENSURES THE REGISTERED PARTY A WORLDWIDE PUBLICATION ON THE INTERNET.”

Buried in the paragraph that describes the offer is the phrase “THIS PUBLICATION IS AN ELECTIVE SERVICE WHICH NEITHER SUBSTITUTES THE REGISTRATION… WITH U.S.P.T.O.” So, the letter does indicate that it’s not associated with the US Patent and Trademark Office. Unfortunately, plenty of its recipients don’t look closely at what they assume are bills, and probably pay what they believe is an official trademark registration invoice.

Send This Stub With Check in the Remittance Envelope

Recipients of the letter are asked to make checks payable to Trademark-DB Corp and mail them to 10223 W Broadway St Ste P, PMB # 336, Pearland, TX 77584. This is the location of a UPS Store, pictured by Google’s Street View on the photo below. The term “PMB” means it’s a private mailbox, which is a private company’s version of a PO Box.

After some research, I came across another trademark registration company that was associated with the same fax number as Trademark-DB, 011-423-3841889. That company was called Trademark Info Corp. Its mailing address was the same UPS Store location, but it was using private mailbox number 330 instead of 336.

The “invoices” sent by Trademark Info looked very much like the letters from Trademark-DB, as you can see in the excerpt below. This solicitation appears to have been sent in 2006. I found it in the collection of trademark scam examples published by the firm Hodgson Legal, where you can see the full letter on page 4.


Based on the “invoices” I located for Trademark-DB, it was using the Texas location in 2015-2016. I came across additional invoices (1, 2) sent by this firm in 2013 and 2014 that specified a different address: 2207 Concord Pike, PMB # 582, Wilmington, DE 19803. This is a shop called My Mailbox Store, which, among other services, rents mailboxes.

Interestingly, this private mailbox number at this location was used in 2006 by a company called Americash Hotline, LLC d/b/a Direct Cash Express, LLC, which the Attorney General of the State of West Virginia accused of being “engaged in the business of making usurious payday loans to consumers” according to the Petition to Enforce Investigative Subpoenas filed that year. However, the use of the same mailbox by Trademark-DB ten years later might be a coincidence.

Another letter sent by Trademark-DB, probably dated 2015, uses the drop address of 2100 M St. NW, Ste 170, # 330, Washington, DC 20037. This is a UPS Store location. Note the use of the same mailbox number (330) as in the Texas location. Perhaps coincidentally, another mailbox (170) in the Washington store was reported to be associated with an unrelated award-acceptance scam in 2012.

Though the addresses where trademark letter recipients were urged to send payments were in the United States, both Trademark-DB and Trademark Info are located elsewhere.

Court of Vaduz, Principality of Liechtenstein

Trademark Info and Trademark-DB maintain separate websites, www.trademark-info.net and www.trademark-db.info respectively. Each site includes a Terms of Business section stating that the companies are registered in the Principality of Liechtenstein, though at different addresses.

Liechtenstein is a small sovereign country nestled between Switzerland and Austria, according to Wikipedia. Its capital is Vaduz. Trademark-DB’s site states that:

“The Court of Vaduz, Principality of Liechtenstein, shall have exclusive jurisdiction over all claims or disputes arising in relation to, out of or in connection with Trademark-DB AG…”

I was able to locate Trademark-DB’s record in the Liechtenstein business registry. The mailing address of the company in Liechtenstein matches the one on Trademark-DB’s website, though the record also indicates that the correspondence should be sent care of Treufid Trust. This company’s website, www.treufid.li, markets the firm as “your contact for start-ups and their management, accounting, tax and business consulting, auditing and secretarial services.” (I translated it from German via Google.)


I found Trademark Info’s record, too. It indicates that the company is “in liquidation,” if I’m interpreting it correctly. This firm’s latest address is different from Trademark-DB’s address, and its point of contact is Kimar Anstalt. According to the Panama Offshore Leaks Database, it’s a subsidiary of Majoria Investments Limited, which the same database lists as being “defaulted.”

The two firms are clearly connected:

  • Both listed the same fax number on their letters, and the letters carried very similar content.
  • Both used the same location in the US as the drop point for checks, and both were registered in Liechtenstein, albeit at different addresses.
  • Both specified the same phone number, 4233841077, in their domain registration (WHOIS) records.
  • A search of PassiveTotal records showed that the firms’ web servers used the same DNS and registrar servers and, at some point, were assigned IP addresses in the same /24 subnet, 195.225.200.0/24 (a “Class C” in the older terminology).

I suspect Trademark Info was the first incarnation of the scheme and has now been dissolved. Trademark-DB seems like a reincarnation of the service, or perhaps it is a copycat effort. It is active as of this writing.
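The pivots in the list above (shared WHOIS phone number, shared nameservers and registrar, hosting in the same /24) are the standard way to tie two pieces of infrastructure together, and they are easy to script. The block below is an added example, not code from the post or from PassiveTotal. The only values taken from the post are the two domain names, the phone number 4233841077 and the 195.225.200.0/24 subnet; the registrar and nameserver names, the third “unrelated” domain with its placeholder phone number, and the indicator weights and linking threshold are all assumptions made for illustration. The weighting matters in practice: a shared registrar or nameserver alone is a weak link because large providers serve millions of unrelated domains, so the example only clusters domains whose combined score clears a threshold.

```python
"""Pivot on shared registration and hosting attributes to cluster domains.

Added example, not the post's own code. Records are constructed: domain names,
phone 4233841077 and the 195.225.200.0/24 subnet come from the post; the
registrar, nameserver and third-domain values are placeholders (assumptions).
"""
import ipaddress
from itertools import combinations

# Weights per pivot type. A shared WHOIS phone is a strong link; a shared
# registrar or nameserver is weak on its own. These numbers are an analyst's
# judgement call, not a standard.
WEIGHTS = {"phone": 3, "subnet24": 2, "nameservers": 1, "registrar": 1}
LINK_THRESHOLD = 3


def same_slash24(ip_a, ip_b):
    """True if both IPv4 addresses fall inside the same /24 network."""
    net = ipaddress.ip_network(f"{ip_a}/24", strict=False)
    return ipaddress.ip_address(ip_b) in net


def shared_pivots(rec_a, rec_b):
    """Return the set of pivot names two domain records have in common."""
    hits = set()
    if rec_a["phone"] and rec_a["phone"] == rec_b["phone"]:
        hits.add("phone")
    if rec_a["registrar"] == rec_b["registrar"]:
        hits.add("registrar")
    if set(rec_a["nameservers"]) & set(rec_b["nameservers"]):
        hits.add("nameservers")
    if any(same_slash24(x, y) for x in rec_a["ips"] for y in rec_b["ips"]):
        hits.add("subnet24")
    return hits


def link_score(rec_a, rec_b):
    """Weighted sum of the pivots shared by two records."""
    return sum(WEIGHTS[p] for p in shared_pivots(rec_a, rec_b))


def cluster(records, threshold=LINK_THRESHOLD):
    """Union-find over all domain pairs whose link score meets the threshold.

    Returns a sorted list of sorted domain groups.
    """
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for a, b in combinations(records, 2):
        if link_score(records[a], records[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for d in records:
        groups.setdefault(find(d), set()).add(d)
    return sorted(sorted(g) for g in groups.values())


# Constructed input. Only the two domain names, the phone number and the /24
# are from the post; everything else is a placeholder.
RECORDS = {
    "trademark-info.net": {
        "phone": "4233841077",
        "registrar": "registrar-a.example",
        "nameservers": ["ns1.dns-provider.example"],
        "ips": ["195.225.200.15"],
    },
    "trademark-db.info": {
        "phone": "4233841077",
        "registrar": "registrar-a.example",
        "nameservers": ["ns1.dns-provider.example"],
        "ips": ["195.225.200.88"],
    },
    # Shares the (popular, hypothetical) registrar and nameserver only.
    "unrelated-shop.example": {
        "phone": "0000000000",
        "registrar": "registrar-a.example",
        "nameservers": ["ns1.dns-provider.example"],
        "ips": ["203.0.113.7"],
    },
}

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group)
```

With these constructed records the two trademark domains share all four pivots (score 7) and are grouped together, while the third domain shares only the registrar and nameserver (score 2) and stays on its own, which is the false-positive the threshold is there to avoid.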

Unsecured Nonpriority Claims

Though Trademark Info as a company appears to have been liquidated, the database hosted on its site is still available. I found no way to browse its full contents, but one can perform searches to query the records. For instance, when I searched for records where the owner of the trademark contained an “a”, the site showed me 20 records of companies with addresses in the US and Canada.

Presumably, each of these companies paid around $600 to be included in this listing, possibly because they misinterpreted the letter sent by Trademark Info as an invoice. The service for which they paid was of dubious value. As far as I can tell, search engines don’t include the site’s contents in their index, so people are unlikely to come across a trademark’s entry in this database unless they specifically search the database for it.

Another indication that companies issued payments to Trademark Info comes in the form of unclaimed funds that the Texas Comptroller of Public Accounts is holding for the now-defunct company. I came across these records on the Texas government’s website that lets you search for such funds. It listed two unclaimed payments for $587 and two for $1,174, dating from 2005 to 2010.

Another example of recipients treating Trademark Info’s letters as invoices can be seen in the petition that Mineola Water Corporation filed with the US Bankruptcy Court in Alabama. The company listed Trademark Info as a creditor “holding unsecured nonpriority claims” for its Sip of the South trademark in the amount of $596. The claim seems to be dated to 2008.

The database maintained by Trademark-DB is online as well. Like the Trademark Info catalog, the contents of this database do not seem to be available in search engines’ indexes. A few queries that I ran showed me various records registered between 2005 and 2012. It’s strange that I didn’t come across the more recent entries, given that I came across “invoices” that Trademark-DB sent between 2013 and 2015. I doubt people stopped responding, so perhaps the company stopped bothering to add new entries to its database? Or maybe the dates in its database are wrong?

Non-USPTO Solicitations

The US Patent and Trademark Office maintains a page that warns about “non-USPTO solicitations that may resemble official USPTO communications.” It includes several examples of what the page calls “non-USPTO solicitations about which we have received complaints within the past several months.” It carefully avoids using the term “scam,” except when referring to the criminal indictment issued against one of the listed entities.

Though the list of non-USPTO examples includes three letters sent by Trademark-DB (1, 2, 3) for its Texas, Washington and Delaware locations, the scheme involving Trademark-DB is still active. If it is, indeed, associated with the actions of Trademark Info, these machinations have been going on for at least a decade. The longevity of the campaign isn’t surprising, given the difficulty of tracking down the companies and individuals behind it, especially when the controlling organizations are in the Principality of Liechtenstein.

Yet the checks are being collected from US-based locations, which can be used as a starting point for further investigating schemes that, at best, push the boundaries of US law. For example, Title 39, United States Code, Section 3001, reportedly “makes it illegal to mail a solicitation in the form of an invoice, bill, or statement of account due unless it conspicuously bears a notice” stating that it’s not a bill. Furthermore, I wonder whether the lack of value in being listed in a private trademark registry might violate US federal and state laws that prohibit deceptive and unfair trade practices.

If you receive misleading communications from private trademark registration entities, the USPTO encourages you to file a complaint with the Federal Trade Commission (FTC). It also says that if you receive solicitations that are not already listed on the USPTO page mentioned above, you should email [email protected]. Lastly, the USPTO recommends that you report the incident to your state’s “consumer protection authorities,” which you can locate via this link.



Lenny Zeltser

Juniper Networks has become the latest company to acknowledge that one of the implants leaked by the Shadow Brokers targets some of their products.

Cisco and Fortinet did the same a few days earlier.

NetScreen firewalls

“Juniper Networks is investigating the recent release of files reported to have been taken from the so-called Equation Group,” Juniper employee Derrick Scholl explained in a post.

“As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices. We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

As a reminder: last December Juniper found and patched critical vulnerabilities affecting ScreenOS on its NetScreen devices. One allowed unauthorized remote administrative access to the device over SSH or telnet; the other could have allowed a knowledgeable attacker to decrypt VPN traffic.

At the time, speculation was that the unauthorized code in ScreenOS amounted to two backdoors, deliberately inserted by one or more state-sponsored intruders. It was thought that at least one was the work of the NSA, as the NSA documents leaked by Edward Snowden showed that the agency had the ability to backdoor Juniper’s network equipment.

The exploits and implants leaked by the Shadow Brokers are almost certainly the work of the NSA, i.e. its (formal or informal) hacking “arm”, the Equation Group.

It is still unknown who the Shadow Brokers are. Snowden believes they might be state-sponsored Russian hackers, and the leak a way to urge the US government not to be hasty in denouncing Russia as the source of the DNC hack.

According to Shlomo Argamon, professor and director of the Master of Data Science Program at the Illinois Institute of Technology, the text that accompanied the leaked data points to the “Shadow Broker” most likely being a native English speaker trying to appear non-native.

“In the (quite unlikely) event that the writer is, in fact, not a native English speaker, their native tongue is much more likely to be a Slavic language (e.g., Russian or Polish) than either a Germanic or Romance language,” he added.

This opinion seems to support a theory put forward by former NSA staffers, who said that the “naming convention of the file directories, as well as some of the scripts in the dump” point to the attacker being an insider.


Help Net Security

Banking customers are hesitant to use mobile features due to fraud and security concerns, according to Kaspersky Lab and IDC Financial Insights. Their findings show that of those not using mobile banking at all today (36 percent), 74 percent cited security as the major reason, which could slow the overall adoption of mobile banking services at a time when mobile device usage is exploding.


While security concerns are holding back non-users from embracing the convenient, digital self-service solutions on the market, those who are active users of mobile banking today share the same concerns. Across both users and non-users of mobile banking, 85 percent said that they would increase their usage to “some extent” if there were more security, and nearly half (44 percent) of those surveyed said that they would “significantly” increase their mobile banking usage with more security.

For financial organizations, an increase in self-service banking usage can drive revenue and reduce transactional costs, but currently customers don’t see a promising future for mobile banking in their lives – with 32 percent of respondents claiming that they do not ever foresee using mobile as the primary channel that they will engage with their bank or credit union. Banks that do not properly strengthen mobile financial security measures could miss out on a significant business opportunity and risk losing valuable customers in the process.

As financial institutions look for new ways to streamline adoption of self-service banking solutions, it is important that they proactively deploy and implement rigorous security solutions. In addition, banks should reconsider their education strategies to ensure that customers understand the level of security in their mobile offerings. Survey respondents want to see a proactive and informative approach to security from their banks, with 80 percent indicating that they would like to see evidence of security measures being activated when they launch a mobile banking application.

“Consumers are concerned about security on their mobile devices, which has limited adoption of high margin mobile banking and payment activities including account opening, payments and transfers using a mobile phone,” says Marc DeCastro, research director at IDC Financial Insights. “As the next generation of online, mobile first and mobile only customers begin to explore digital banking choices, financial institutions that have and promote stronger security will attract and retain these customers more easily than those who do not.”

“As financial organizations continue to expand their self-service offerings to drive revenue and increase customer convenience, it’s important to proactively approach security technology for consumers’ mobile devices in the same way banks approach security for their own PC-based solutions, web offerings, and technology networks,” said Ross Hogan, Kaspersky Lab Global Head of Fraud Prevention.


Help Net Security