Iran angered by US imposition of cyber sanctions


Iran has railed against US sanctions imposed on 10 of its citizens and a technology firm accused of cyber attacks on at least 320 universities worldwide, as well as on US companies and government agencies.

Tehran called the sanctions a gimmick that was provocative, illegal and unjustified.

The Mabna Institute is accused of stealing 31 terabytes of “valuable intellectual property and data”.

Iranian foreign ministry spokesperson Bahram Qassemi said the new US sanctions were an act of provocation, and that the move would not prevent Iran’s technological progress.

“The US will definitely not benefit from the sanctions gimmick, aimed at stopping or preventing the scientific growth of the Iranian people,” Mr Qassemi said in a statement.

The indicted individuals are still in Iran. They were called “fugitives of justice” by US Deputy Attorney General Rod Rosenstein, and could face extradition in more than 100 countries if they travelled outside Iran.

Many of the “intrusions”, Mr Rosenstein said, were done “at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps”.


Facebook Collected Your Android Call History and SMS Data For Years

By: Swati Khandelwal

Facebook knows a lot about you, your likes and dislikes—it’s no surprise.

But if you have the Facebook Messenger app installed on your Android device, there is a good chance the company was collecting your contacts, SMS and call history data until at least late last year.

A tweet from Dylan McKay, a New Zealand-based programmer, which had received more than 38,000 retweets at the time of writing, showed how he found a year's worth of his data, including complete logs of incoming and outgoing calls and SMS messages, in the archive (a ZIP file) he downloaded from Facebook.

Facebook had been collecting this data on its users for the last few years, and this had even been reported in the media earlier, but the story did not get much attention at the time.

With Facebook already embroiled in controversy over its data-sharing practices after last week's Cambridge Analytica scandal, McKay's tweets went viral and have fuelled the never-ending privacy debate.

A Facebook spokesperson explained that, since almost all social networks are designed to make it easier for users to connect with friends and family, Facebook also uploads its users' contacts to offer the same.

As Ars Technica reported, in older versions of Android, when permissions were far less strict, the Facebook app requested the contacts permission at install time, and on those versions that single permission also granted access to call and message logs.

Google later split call-log access into its own permissions in API level 16 (Android 4.1) and, from Android 6.0 (API level 23), moved to runtime permissions, so that users are prompted when an app first tries to use a sensitive permission. Apps that continued to target older API levels were not subject to the new behaviour, which is how the older style of collection could continue for years.


For crypto investors: this smartphone supposedly cannot be hacked.

By: msn finanzen

As the portal "CNET" reports, a smartphone built specifically for crypto investors is due to launch in August. What sets it apart is not only the pre-installed wallet for Bitcoin, Ethereum and others, but above all the manufacturer's claim that the phone is not "hackable".

Built with security in mind

The Brazilian company Sikur focuses its smartphones in particular on security. The newest member of Sikur's line-up, the "SikurPhone", is nothing special in terms of hardware: a 5.5-inch display is standard by now, the 13-megapixel camera is also found on Nokia and Xiaomi devices, and there are 4 GB of RAM and 64 GB of internal storage. The decisive factor, however, is supposed to be the security of the Android smartphone. The company assures that the device is fully encrypted and therefore "unhackable". Full-disk encryption protects data at rest on a locked or powered-off device; it says nothing about vulnerabilities in the running OS, the apps or the wallet software itself, so "unhackable" is a marketing claim rather than a security property.

In a statement, Sikur CEO Cristiano Iop said: "Storing information securely on our devices is one of our strengths. We were successful with browser and messaging security. So we asked ourselves, why not with cryptocurrencies as well?"


Snowden Releases NSA Documents Showing Bitcoin Was “#1 Priority”

By: C Edward Kelso

Xkeyscore. MAC addresses. OAKSTAR. MONKEYROCKET. Edward Snowden is at it again. This time the world's most notorious whistleblower has handed National Security Agency (NSA) documentation to the online investigative news outlet The Intercept, revealing an invasive covert program to track bitcoin users with spy tools he first exposed during his infamous initial disclosures. The implications touch on the future of privacy and on whether warrantless data collection was used to prosecute bitcoiners such as Ross Ulbricht of Silk Road.

Snowden Reveals How NSA Tracked Bitcoin Users

Ever get the feeling you’re being watched? Department of Homeland Security (DHS) Acting Assistant Secretary for Legislative Affairs Brian de Vallance, in a November 2013 letter to Congress, worried that “with the advent of virtual currencies and the ease with which financial transactions can be exploited by criminal organizations, DHS has recognized the need for an aggressive posture toward this evolving trend.” Infamous whistleblower Edward Snowden seems to have found a trove of heavily redacted, classified NSA documents attesting to that “aggressive posture.”

It’s fitting Mr. Snowden should share them with The Intercept, an online investigative news organization founded by his benefactor, attorney turned journalist Glenn Greenwald. Mr. Greenwald was then writing for The Guardian, and the two unleashed the largest batch of government security documents ever revealed about US and UK global surveillance.



Interestingly, the documents on tracking bitcoin users stem from roughly the same period, 2013. They detail how bitcoin users all over the world were targeted as the powers granted to the NSA under the rubric of fighting terrorism expanded, and they may even have played a role in early crypto prosecutions such as that of Ross Ulbricht and Silk Road.

American Civil Liberties Union’s Patrick Toomey, of its National Security Project, explained, “If the government’s criminal investigations secretly relied on NSA spying, that would be a serious concern. Individuals facing criminal prosecution have a right to know how the government came by its evidence, so that they can challenge whether the government’s methods were lawful. That is a basic principle of due process. The government should not be hiding the true sources for its evidence in court by inventing a different trail.”



Email Fraud is a Top Business Risk for 2018

By: Phee Waterfield

Email fraud is a top risk for 2018, and attacks have resulted in employee terminations.

Reports from Proofpoint and Clearswift show that businesses across the globe are concerned about email phishing campaigns.

Today, two reports highlight that email phishing is a top concern for global businesses. However, a third of employees believe that a lack of support from executives is the biggest obstacle to protection, pointing to a disconnect between the board and IT.

Proofpoint’s 2018 Understanding Email Fraud Survey asked 2250 senior IT decision makers across the US, UK, France, Germany and Australia for their email fraud experiences from the last two years. The results found 75% of organizations had experienced at least one targeted email fraud attack, with 41% suffering multiple attempts in the last two years.

Worryingly, more than 77% of businesses expect to fall victim to email fraud in the next 12 months, and only 40% have full visibility into email threats.

“Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically impersonate people in authority for maximum impact,” said Robert Holmes, vice-president of email security products for Proofpoint. “These and other factors make email fraud, also known as business email compromise (BEC), extremely difficult to detect and stop with traditional security tools. Our research underscores that organizations and boardrooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat.”

Clearswift also identified that UK organizations were concerned about ex-employees retaining access to business networks and human error.


Infographic: How to safely buy and sell cryptocurrency

By: Brandon Vigliarolo

Cryptocurrency exchange breaches and thefts have been regular news since Bitcoin went big, but that hasn't deterred investors: the number of cryptocurrency wallets in existence by the end of 2017 was 21.5 million, up from just 5.4 million in 2015.

Along with the new popularity of cryptocurrency has come a new breed of cryptocurrency criminal. In 2016, $95 million worth of bitcoin was stolen; in 2017 the losses exploded: $115 million was lost to phishing, $103 million to exploitation of software and storage, $7.4 million to hacks, and $4,000 to Ponzi schemes.

That’s a lot of lost cryptocurrency—so how are criminals doing it?

Five ways cryptocurrency gets stolen

There are five popular ways that cryptocurrency criminals get their hands on your virtual coins:

  • Brute forcing, in which an attacker repeatedly guesses passwords until one works; weak or reused passwords make this practical.
  • Phone porting (SIM swapping), in which criminals convince a carrier's customer service to transfer a victim's number to a phone they control, then use it to receive SMS password-reset codes for a crypto account.
  • Phishing, which lures victims into entering exchange credentials or wallet seed phrases on a fake site, or delivers malware that hunts for wallet files and keys.
  • Ponzi schemes, in which investors are paid returns that are actually just the money new investors put in (see BitConnect).
  • Mining malware, which hijacks a victim's computer to mine cryptocurrency for the attacker.

So, risks come from all angles: anonymous hackers on the internet, fake exchanges that run away with your money, or even malware that makes you do the work for someone else’s gain.

That doesn’t mean safe investment isn’t possible.

How to safely invest in cryptocurrency

Cryptocurrency brokerage CryptoGo has some tips for investing in cryptocurrency without placing yourself in harm’s way.

  • Encrypt and back up your wallet safely so that you always have a recoverable copy. Record the mnemonic (seed) phrase offline so a lost wallet can be restored.
  • Use an antivirus product that was built with cryptocurrency in mind, such as Spybot Anti-Beacon or Comodo.
  • Only use "hot wallets", those that are connected to the internet, for small transactions. If you are going to store large amounts of cryptocurrency for long-term investment, keep them in a secure, offline wallet.
  • Use multifactor authentication, either through a hardware token or an authenticator app, to secure cryptocurrency-related accounts.
  • Don't use SMS authentication: phone numbers can be stolen via phone porting (SIM swapping).
  • Diversify your holdings across different exchanges and use different passwords and recovery methods for each one.


Bitgrail to Refund Hack Victims with Newly Created BGS Tokens

By: Samuel Haig

Bitgrail has denied responsibility for the recent hack that saw the theft of 17 million XRB, or Nano, in comments made in a Telegram group for victims of the hack. Despite rejecting responsibility for the incident, the exchange states that it will “voluntarily” refund users through the creation and issuance of BGS tokens.

Bitgrail Operator Denies Responsibility for Hack

A document prepared by the operator of Bitgrail, Francesco “The Bomber” Firano, has been the subject of widespread reporting, following its dissemination to members of a Telegram group comprised of victims of Bitgrail’s hack.

A translated summary of the document has been made available by the Telegram group, as Mr. Firano apparently “did not want […] the whole doc[ument]” shared. The release of the translated document was approved by Mr. Firano.

The summary states that Bitgrail “plans [to] reopen soon,” adding that the date on which it will re-launch “will be announced soon.” The document also asserts that Bitgrail “still sees themselves as not responsible for the theft and therefore they believe they have no obligation to refund stolen coins”.

Bitgrail to Refund Users with BGS Tokens

Bitgrail states that “on reopen […] all non-nano funds will be available and withdrawable, nano balance will be set to 20% of what it was before.” In order to repay the remaining 80% of nano balances, Bitgrail states that it will “voluntarily” introduce a new token called BGS (Bitgrail Shares), which will be distributed to victims of the hack. Bitgrail claims that it will then purchase back the BGS tokens at a rate of “$10.50 USD” per token, with purchases set to take place at the end of each month. The summary states that Bitgrail will use half of its monthly profits to conduct the purchases.

Participation in the company's "voluntar[y]" refund comes with a stipulation, however: customers of the "platform after reopen will [be] requir[ed] to sign a waiver of all rights for legal action."


Sofacy Targets Government Agency with New Spear-Phishing Campaign

By: Phee Waterfield

The Sofacy group, also known as APT28 and Fancy Bear, has carried out an attack on an unnamed European government agency using an updated variant of DealersChoice.

Details of the attack, published by Unit 42, part of Palo Alto Networks, describe the espionage group using .docx files titled "Defence & Security 2018 Conference Agenda," with content that appears to have been copied directly from the website of the "Underwater Defence & Security 2018 Conference."

Back in October 2016, the security researchers published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, which was documented in December 2016.

However, the attacks that took place on March 12 and 14 used a different variation of the spear-phishing attack, something not seen from Sofacy before.

Unlike in the fall of 2016, the Flash object in the document is only loaded if the user scrolls through the entire delivery document and views the specific page in which the Flash object is embedded. Only then does the object contact an active C2 server to download an additional Flash object containing the exploit code. The practical consequence for defenders is that a sandbox that merely opens the document without rendering every page never triggers the payload, so such samples need either full-document rendering or static inspection of the embedded objects.
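As an added example, not taken from Unit 42's report or the original article, the Python scanner below statically inspects a .docx (which is a ZIP archive) for the two artefacts a Flash-bearing delivery document leaves behind: an ActiveX part referencing the Shockwave Flash control CLSID, and a binary part containing an SWF header (FWS/CWS/ZWS). The sample documents it builds in memory are constructed stand-ins, not real DealersChoice samples, and the part names (`word/activeX/activeX1.xml`, `.bin`) follow the usual Office layout for ActiveX controls but are assumptions for the purposes of the example.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# CLSID of the Shockwave Flash ActiveX control as it appears in word/activeX/activeXN.xml.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def _plausible_swf_header(hdr: bytes) -> bool:
    """SWF header = 3-byte magic, 1-byte version, 4-byte little-endian uncompressed length.
    Rejects chance occurrences of the three letters inside other binary data."""
    if len(hdr) < 8:
        return False
    version = hdr[3]
    length = int.from_bytes(hdr[4:8], "little")
    return 1 <= version <= 64 and length >= 8


def _find_swf(blob: bytes) -> Optional[Tuple[str, int]]:
    """Return (magic, offset) of the first plausible SWF header in the blob, scanning every occurrence."""
    for magic in SWF_MAGIC:
        idx = blob.find(magic)
        while idx != -1:
            if _plausible_swf_header(blob[idx:idx + 8]):
                return magic.decode(), idx
            idx = blob.find(magic, idx + 1)
    return None


def scan_docx(data: bytes) -> List[str]:
    """Return one finding per archive part that references or contains Flash content."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            lower = name.lower()
            # XML parts: look for the Flash control CLSID (case-insensitive, with or without braces).
            if lower.endswith(".xml") and FLASH_CLSID.lower() in blob.decode("utf-8", "replace").lower():
                findings.append(f"{name}: references Flash ActiveX CLSID")
            # Binary parts (ActiveX .bin, OLE embeddings, bare .swf): look for an SWF header anywhere.
            if lower.endswith((".bin", ".swf")) or "/embeddings/" in lower:
                hit = _find_swf(blob)
                if hit is not None:
                    findings.append(f"{name}: SWF signature {hit[0]} at offset {hit[1]}")
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal .docx, optionally carrying a Flash ActiveX control (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document>Defence &amp; Security 2018 Conference Agenda</w:document>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml", f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}"/>')
            # Stand-in for the control's persisted data: 16 bytes of OLE header padding, then a
            # zlib-compressed SWF header (version 10, declared length 64) and filler.
            swf = b"CWS\x0a" + (64).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 32
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)), ("flash", build_sample(True))):
        print(label, scan_docx(doc) or ["no Flash artefacts"])
```

Because the check is static, it fires regardless of whether the Flash object sits on page one or page twenty; the scroll-to-trigger trick only defeats dynamic analysis that stops at the first page.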


How Secure Is Your Online Banking App?

By: Sarah Vonnegut

When it comes to developing applications that handle such sensitive information, making sure security is baked into every step of the SDLC is crucial.


Banking has gone digital. Nearly every major bank offers both an online portal as well as a mobile app, and people seem to prefer it that way. A recent PwC survey found that 46% of consumers only use online banking, a massive jump from their previous survey in 2012, in which only 27% used online banking exclusively.

For banks and other financial institutions, offering an online app that allows either online or mobile banking access is now a necessity when looking at those numbers. Users crave the convenience that comes with banking on the go, and while the advantages that come with being able to perform personal banking on your mobile or computer is undeniable, another question still persists: Just how secure are these online banking apps?

Research released at the end of 2017 may offer an answer to that question. The research, carried out at the University of Birmingham, found security issues in mobile banking apps that could leave millions of their users open to attack. The main issue involved certificate pinning: the apps pinned certificates but did not verify the server's hostname, and because pinning was in place, standard penetration-testing tools failed to detect "a serious vulnerability that could let attackers take control of a victim's online banking," as The Register put it.

It’s security issues like this that show just how important it is to cover all your bases when developing digital banking apps. While digital banking can help foster new connections and offer new and innovative services, thus bringing more gains for financial institutions, digital banking also carries plenty of risk.

7 Critical Steps for Banking App Developers

While consumers carry part of the security burden, including using trusted Wi-Fi networks to access their banking app, locking their devices when not in use, using a unique password, and not using public computers to access their accounts, the main burden of ensuring customers' security is on the banks, or rather on the developers and teams working on the applications.

Defining a secure SDLC, or software development lifecycle, is vital to the continued development of secure applications. The SDLC puts in place a strategy for making sure security is built into the product without slowing development down. Here are seven critical steps in the SDLC that developers and security teams should work on together to ensure the release of a secure online or mobile banking app.

1. Establish Security Requirements

The first step is to understand the security requirements of the banking app. Because of the sensitive nature of banking apps, it is important to assign at least one member of the security team to work with the build team – and this partnership needs to begin before development does.

During this part of the SDLC, development and security should identify the key security risks within the software, including what standards (both organizational and legal/regulatory) the software must follow. Stakeholders from both development and security teams should be identified to make sure communication is clear from the outset, and any gaps in the process should be noted. Only once security requirements have been established and agreed upon by all parties can development begin.


Cryptocurrency scammers run off with more than $2 million after ditching their investors


Scammers appear to have made off with more than $2 million in cryptocurrency after carrying out an apparent fake initial coin offering (ICO), and the individuals linked to the incident may be connected to another recent theft, CNBC has learned.

A bad actor or actors used a fake LinkedIn profile and copied pictures from another user’s Instagram to create a false persona — and successfully drew more than 1,000 investors into the ICO project, which was called Giza.

The Wild West world of ICOs

An initial coin offering or ICO is a way for start-ups to crowd-fund investment. Instead of raising cash from venture capitalists, a company can hold an ICO, which allows people to invest a cryptocurrency, such as ethereum or bitcoin, in exchange for a new token that’s issued by the start-up. The new digital coin is not equity. Instead, it can be used in exchange for future services offered by the company. It’s also possible that the new coin may climb to a much higher value than the initial investment.

There is big money in ICOs, and they are largely unregulated. Last year, companies raised $3.8 billion via ICOs, and this year alone they have already raised $2.8 billion, according to data from CoinSchedule, a site which tracks the activity in the space.

But ICOs are unregulated in most countries, meaning investors don’t have the protections that they enjoy with other assets such as stocks. However regulators are keeping a closer eye on ICO activity, amid a rising number of reports of scams.

What happened with Giza?

Investors who spoke to CNBC all described a common experience with the ICO in question: They thought the project was legitimate until warning signs began to appear, including a falling out with the company’s sole supplier, a lack of correspondence from its supposed founders, and failed attempts to recoup the lost funds.

The apparently well-orchestrated scam centers around a mysterious individual called Marco Fike, the COO of Giza. Among the eight investors, partners and former employees of Giza interviewed by CNBC, all claim they have never seen Marco Fike’s face.

The ICO was for a supposed start-up called Giza, which claimed to be developing a super-secure device that would allow people to store cryptocurrencies.

It carried out its ICO in January and drew investors for several weeks after. One person who put money into the project told CNBC that they invested ether that was equivalent to $10,000 at the time, and another said they had put in around $5,000 worth of ether.

At the beginning of February, Giza had raised and was holding more than 2,100 ether, which at the time were worth around $2.4 million. All but $16 worth of that ether is now missing.