Making a Ransomware Payment? It May Now Violate U.S. Sanctions

Thinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions.

This week the Department of Justice unsealed a grand jury indictment against two Iranian hackers allegedly responsible for the SamSam Ransomware. As part of this indictment, for the first time the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in the converting ransomware cryptocurrency payments to fiat currency.

Complete article on bleepingcomputer.com

Pentagon Draws Back the Veil on APT Malware with Sudden Embrace of VirusTotal

Two samples have already been added to the malware zoo, indicating a new openness from the federal government when it comes to cyber.

The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that’s used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape.

Complete article on threatpost.com

Longer Minimum Passwords Help Prevent Fraud

The all-too-common practice of using the same email address/password combination to log into multiple websites can be damaging, especially for employers with many users and valuable assets protected by passwords, like universities.

“If someone uses their university email address and passphrase to sign up for, say, LinkedIn, and LinkedIn is breached by cybercriminals, that would mean their university password is sitting on the web for everyone to see,” said Indiana University’s Dan Calarco, co-author on a new paper that examines the practice of password reuse.

Complete article on securitymagazine.com

Cloudflare Advances New Internet Standards for Speed and Security

As part of its Birthday Week, Cloudflare announces support for internet standards that help to improve speed and security, as well as unveiling the new Bandwidth Alliance that could help to save customers millions of dollars in bandwidth costs.

Cloudflare is celebrating its eighth birthday this week with a series of announcements that look to accelerate and secure the internet, as well as helping organizations to save some money.

On Sept. 24, Cloudflare announced its support of the Encrypted Server Name Indication (ESNI) service in a bid to keep service providers from being able to spy on users. On Sept 25, the company announced its support for the QUIC protocol to help accelerate mobile traffic over User Datagram Protocol (UDP). On Sept. 26, Cloudflare announced the Bandwidth Alliance, which is a multi-stakeholder group of cloud providers that have pledged to reduce data transfer fees for mutual customers.

Complete article on eweek.com

For Hackers, Anonymity Was Once Critical. That’s Changing.

At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.

LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed.

After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh.

Complete article on nytimes.com

Black Hat and Defcon cybersecurity experts share tips on how to protect yourself

During the week of Black Hat and Defcon, tens of thousands of security experts and hackers flock to Las Vegas for the back-to-back conferences. They hold discussions on issues like smart cities getting hacked, two-factor authentication, and security issues with voice assistants.

It can all get a little technical. But with so much cybersecurity knowledge in one place, I decided to ask individual experts for a single useful cybersecurity tip for the average person.

Complete article on cnet.com

Black Hat 2018: Google’s Tabriz Talks Complex Security Landscapes

At Black Hat, Google’s Parisa Tabriz discussed how to navigate the complex security environment with long-term thinking and a policy of open collaboration.

LAS VEGAS – The complexity of the cybersecurity landscape is at an all-time high, with security researchers, vendors, third-party ecosystems and even governments all trying to come to a consensus for making the cyber-world a safer place.

For security experts, navigating these choppy and crowded waters means embracing partnerships across these stakeholders, according to Parisa Tabriz, director of engineering at Google.

Complete article on threatpost.com

Symantec Warns of Increasingly Sophisticated Tech Support Scams

Symantec issued a report on Aug. 3 revealing that technical support fraud scammers are using call optimization services to improve their results. The new techniques come as the volume of tech support scams blocked by Symantec continues to grow.

Tech support scams come in multiple forms, including malware advertising where an ad shows up on a user’s screen warning that they have been infected with malware and need to call a certain number to get help. Symantec researchers found that scammers are making use of call optimization services to inject local numbers into malware alerts, as well providing additional features to improve call delivery.

Complete article on eweek.com

The Year Targeted Phishing Went Mainstream

A story published  on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).

But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.

Complete article on krebsonsecurity.com

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

Complete article on krebsonsecurity.com