Tech news

Japan to probe citizens’ IoT devices in the name of security

Smart devices were targeted by more than one-half of cyberattacks detected in the country in 2017

Japan has approved a plan to test the security of around 200 million Internet-of-Things (IoT) devices in the country in a bid to beef up their cyber-resilience, according to a report by Japan’s public broadcaster NHK World.

Armed with lists of default and commonly used passwords, employees of Japan’s National Institute of Information and Communications Technology (NICT) will attempt to log into randomly selected smart gadgets. Routers and webcams in both home and business networks are set to be probed first, with this large-scale ‘penetration test’ due to begin in the middle of February.

The institute will then work with internet service providers (ISPs) and local authorities, so that they can notify the owners of unsecured devices and help them lock down their smart tech.

IoT devices are particularly low-hanging fruit for cybercriminals. Default, unchangeable and weak passwords, along with vulnerable embedded firmware and the absence of patches, are just some of the main problems that plague all sorts of internet-connected things.

Threats associated with vulnerable IoT devices were exemplified a few months ago, when malware known as VPNFilter compromised half a million routers, prompting the US Federal Bureau of Investigation (FBI) to advise people to reboot their routers. Of course, many will still remember the damage that a botnet made up of IoT tech caused in October 2016.

The law that paved the way for the large-scale ‘pentest’ was adopted back in November 2018 and covers a period of five years. Tokyo is hosting the Summer Olympics next year and, needless to say, major international events attract threat actors of various ilks. The institute said that IoT gadgets were targeted by 54 percent of cyberattacks that it detected in Japan in 2017.

Meanwhile, the ‘survey’, as the effort has been dubbed, has prompted privacy concerns. After all, the government’s ‘white hats’ may invade, however inadvertently, people’s private lives. On the other hand, it may ultimately encourage the Japanese public, and not only them, to look into and, wherever possible, beef up the security of their smart things before somebody else can ‘test’ it for them, be it for good or ill.

The security of data gathered during the project is another source of worry at a time when data-related incidents are increasingly frequent. In this context, NICT researcher Daisuke Inoue sought to dispel the concerns by telling NHK World that the institute will make sure to prevent any data leaks.

31 Jan 2019 – 03:58PM

This story was originally published on We Live Security by Eset

Cybercrime black markets: Dark web services and their prices

A closer look at cybercrime as a service on the dark web

The cybercrime industry cost the world three trillion dollars in 2015, and it is predicted that this amount will rise to six trillion by 2021, according to this 2018 Cybersecurity Ventures post. When we say cost, we are talking about all the expenses incurred in the aftermath of an incident. In a ransomware attack, for example, it is not only the payment of the ransom that counts, but also all the costs of the subsequent loss of productivity, improvements to security policies, investments in technology, and damage to the company’s image, just to name a few.

Of course, we know that cybercrime as a service is nothing new. The criminals offer their products or infrastructure on the black market for a price. But what do they offer and how much does it cost? We spent some time browsing the dark web to find the answers to these questions.

Ransomware as a service

A wide range of ransomware packages are on sale on the dark web, just as if they were legitimate software. Updates, technical support, access to C&C servers, and a range of payment plans are some of the features on offer.

Image 1: Ranion ransomware is available on the dark web

One of the ransomware packages offered is Ranion, whose payment model is based on monthly and yearly subscriptions. There are various subscription plans available at different prices, the cheapest being US$120 for just a month and the most expensive being US$900 for a year, which can rise to US$1900 if you add other features to the ransomware executable.

Image 2: Subscription plans offered by cybercriminals for Ranion ransomware

Another payment model that cybercriminals use to sell their ransomware is to offer the malware and C&C infrastructure free of charge initially, but then take a cut of any payments received from the victims.

Whichever strategy is used, we can see that anyone who buys these services would also need to take care of propagating the malware themselves. In other words, they would need to get the ransomware to their victims, for example by running spam email campaigns or by accessing vulnerable servers via RDP.

Selling access to servers

There are various services on the dark web offering credentials that give access to servers in various parts of the world via remote desktop protocol (RDP). The prices are in the range of US$8-15 per server and you can search by country, by operating system, and even by which payment sites users have accessed from that server.

Image 3: Selling access via RDP to servers in Colombia

In the image above, we can see how filtering has been used to show only servers located in Colombia, and that there are 250 servers available. For each server, certain details are provided, which can be seen in the next image.

Image 4: Detailed information about server access offered on the dark web

After buying such access, a cybercriminal might then use it to run ransomware or perhaps to install more discreet malware, such as banking Trojans or spyware.

Renting infrastructure

Some criminals who have developed botnets, or networks of compromised computers, rent out their computing power to be used for sending spam emails or for launching DDoS attacks.

For denial of service attacks, the price varies depending on how long the attack is to last (ranging from 1 to 24 hours) and how much traffic the botnet is capable of generating during that time. The image below shows an example of US$60 for three hours.

Image 5: Example of a cybercriminal offering to rent out their infrastructure to run DDoS attacks

You can even see young teens and adults offering to rent out their (small) botnets, mostly to attack servers used by online games like Fortnite. They use social networks to promote themselves and do not seem particularly concerned about staying anonymous. Often, they also offer to sell stolen accounts.

Image 6: Instagram being used as a platform to offer botnets for rent

Image 7: YouTube users show DDoS attacks on Fortnite servers

Selling PayPal and credit card accounts

Cybercriminals who run successful phishing attacks do not usually take the risk of using the stolen accounts themselves. It is already profitable enough and much safer for them to resell the accounts to other criminals. As we see in the next image, they generally charge about 10% of the total credit available in the stolen account.

Image 8: Selling PayPal and credit card accounts

Some sellers are even happy to show the tools and fake sites they use to operate their phishing activity.

Image 9: Cybercriminals explain things step by step

So, we can see that cybercriminals, hidden by tools that give them a certain degree of anonymity, have put together a profitable criminal industry, which includes everything from advertising and marketing to customer service, updates, and user manuals. It is worth noting, however, that within this criminal ecosystem there are a lot of internal customers, and the real profit is made by the big fish that already have a well-established infrastructure or service.

As ESET’s Global Security Evangelist Tony Anscombe mentioned during his presentation at Segurinfo 2018, “The malware industry has stopped being disruptive and now has characteristics similar to those of a software company.” This means the software, products, and services offered by cybercriminals in this industry now benefit from established processes for sales, marketing, and distribution.

31 Jan 2019 – 01:57PM

This story was originally published on We Live Security by Eset

Haidilao: Robots staff China's top hotpot chain

China’s biggest hotpot restaurant chain by sales, Haidilao, started almost 25 years ago and has already established more than 360 restaurants around the world, including in Japan, the US and Taiwan.

The popular chain has opened Beijing’s first robot-aided hotpot restaurant to much fanfare and is looking to spread the concept across its other outlets if it proves successful.

Reporter: Stephen McDonell; series produced by Pamela Parker.

This story was originally published on BBC Technology News

How Apple's iPhone has changed through the years

After falling sales, Apple boss Tim Cook has hinted the firm could be about to reduce iPhone prices.

Apple has seen a 15% fall in revenue from the handsets in its latest financial quarter.

But can you remember how we got to a point where an iPhone can cost over a thousand pounds in just over eleven years of existence?

We’ve taken a look at the key changes – from its size and features to its fluctuating price.

The beginning – otherwise known as iPhone 2G

Let’s not get our Gs mixed up here: the first-generation iPhone was released in the United States in June 2007.

Apple gave a $499 (£381) price tag for the 4GB model and $599 (£457) for the 8GB model.

Despite being the first generation, it became known as the iPhone 2G because Apple decided to make it work only with the 2G data network, not the faster 3G.

It is now considered a collector’s item by some – and has been sold on eBay for significantly more than its original retail price.

iPhone 3G

The iPhone 3G was released in July 2008 across 22 different countries and sold over 1 million units in its first weekend.

The second-generation phone came in two colours, black and white, and was priced significantly lower, at £99 with a two-year contract.

The phone came with iOS 2.0 software and received a wave of other updates enabling features such as multimedia messaging (MMS) and copy and paste.

A year later the iPhone 3GS was released – the S stood for speed – the new slogan being: “The fastest, smartest phone yet.”

The iPhone 3G was discontinued in June 2010.

iPhone 4

Back in June 2010, the fourth-generation iPhone was revealed at Apple’s Worldwide Developers Conference in San Francisco.

CEO Steve Jobs dubbed the iPhone 4 as the thinnest smartphone in the world at the time.

“This changes everything. Again,” was the slogan this time.

The phone’s newly introduced front-facing camera gave Apple an edge over other smartphone competitors, as it enabled FaceTime video chat.

The 16GB model would have cost you £499, and the 32GB version £599.

A fifth-generation device, the iPhone 4S, was released just over a year later, in October 2011, and introduced the voice assistant Siri for the very first time.

iPhone 5

The iPhone 5 was released in September 2012 and was the last Apple device overseen by Steve Jobs, who had died the year before, in 2011.

When Apple began taking pre-orders, it received over two million of them in 24 hours.

Its new features included being 4G enabled, being thinner, lighter and having a taller screen than its predecessors.

The iPhone 5 was priced at £529 (16GB), £599 (32GB) and £699 (64GB).

The announcement of the iPhone 5C and 5S in 2013 signified Apple’s discontinuation of the original iPhone 5.

iPhone 6

The release of the iPhone 6 and 6 Plus in September 2014 saw Apple introduce a plus-size option.

The 6 and 6 Plus sported 4.7 and 5.5 inch displays respectively.

An upgraded camera, increased battery life and the introduction of Apple Pay were just some of the many features of the new device.

The iPhone 6 was priced at £539, SIM-free.

The iPhone 6 and 6 Plus were Apple’s flagship phones for just under a year until they were replaced with the iPhone 6S and 6S Plus.

iPhone 7

The iPhone 7 was released in September 2016, with a starting price in the UK of £549.

For £669 you’d get the iPhone 7 Plus.

Both models came in either 32GB or 128GB sizes and were available in a range of colours – grey, black and red.

This generation of iPhone saw the headphone jack removed, the addition of water-resistant technology and a new and improved 12-megapixel camera.

iPhone 8, 8 Plus and X

The iPhone 8, 8 Plus and X were announced in September 2017 at the Steve Jobs Theater at Apple’s headquarters in California, US.

The iPhone 8 and 8 Plus were released later that September and were available in silver, space grey and a new gold colour.

Instead of the aluminium casing featured in the iPhone 7, Apple moved swiftly to an all-glass design for the iPhone 8 and 8 Plus.

Prices started at £699 for the 64GB iPhone 8 and £799 for the 64GB version of the iPhone 8 Plus.

As for the iPhone X, it was released in November 2017, marking the tenth anniversary of the iPhone.

It featured the removal of the home button, an OLED display on a 5.8 inch screen and wireless charging.

Its new and improved features meant the anniversary phone was priced just under the thousand-pound mark, at £999.

Since then…

Apple have released three more phones: the iPhone XR, iPhone XS and XS Max.

It would cost you £749 to buy the cheapest of the three and a whopping £1,449 to buy the most expensive.

But those prices could all change after Apple boss Tim Cook’s hint that the firm could reduce its iPhone prices. When, where and by how much? We don’t know yet.


This story was originally published on BBC Technology News

‘We’re coming for you’, global police warn DDoS attack buyers

First closing in on operators, now on users, as the hunt continues and law enforcement in many countries is about to swoop down on people who bought DDoS attacks on WebStresser

Remember last year’s takedown of the then-largest marketplace for hiring distributed denial-of-service (DDoS) attacks? The global law enforcement operation, called Power OFF, that shut down webstresser.org also resulted in the arrests of the site’s six suspected admins in four countries, as well as in efforts to bring the service’s major users to justice.

Fast forward nine months and Europol, which is the European Union’s law enforcement agency, and the United Kingdom’s National Crime Agency (NCA) have announced that they’re beginning to deliver on that goal. The concerted effort also involves law enforcement from around 20 countries on four continents.

With “a trove of information” about WebStresser’s user base in their hands, authorities are now conducting actions to track them down, said Europol.

Meanwhile, the NCA said that it has already executed eight warrants against former WebStresser customers and seized more than 60 personal computers, tablets and mobile phones. “A further 400 users of the service are now being targeted by the NCA and partners,” said the NCA.

“Our message is clear. This activity should serve as a warning to those considering launching DDoS attacks. The NCA and our law enforcement partners will identify you, find you and hold you liable for the damage you cause,” Jim Stokley, Deputy Director of the NCA’s National Cyber Crime Unit, was quoted as saying.

Europol also sent a warning to the effect that law enforcement may go knock (or perhaps worse) on the doors of anybody who rents DDoS-for-hire services, “be it a gamer booting the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain”.

Image: Webstresser.org post-takedown

WebStresser’s 151,000 registered users (up from the 136,000 reported at the time of the sting) are believed to have been collectively responsible for four million DDoS attacks against targets including banks, government institutions, police forces and the gaming industry across the globe.

WebStresser was one of a number of “stresser”, or “booter”, services that operate openly on the internet as businesses under the pretence of offering to test the resiliency of a company’s servers. The stressers commonly sell access to DDoS botnets, networks of compromised computers that are “sublet” to whomever pays. The target is then flooded with a barrage of junk traffic, which takes it offline and renders it inaccessible to legitimate users. The victim may also incur considerable costs in repairing the damage.

The shutdown of WebStresser in April 2018 was not an isolated effort, of course. Just weeks ago, for example, the United States Federal Bureau of Investigation (FBI) seized 15 DDoS-for-hire websites.

Meanwhile, clampdowns on people who pay for DDoS attacks are nothing new, either. In December 2016, for example, Europol and a host of international partners arrested 34 and questioned 101 suspected buyers of DDoS-for-hire services, mostly teenagers.

In its latest announcement, Europol also noted the notorious case involving a particularly disruptive DDoS attack against a Liberian internet service provider in 2016. Three weeks ago, the Brit who was hired on the dark web to deploy his own botnet for the attack, crashing much of the country’s internet access in the process, was sentenced to 32 months in prison. He also remains “at the heart of a major international investigation into hundreds of acts of cyber sabotage around the world”, according to this BBC report.

30 Jan 2019 – 05:00PM

This story was originally published on We Live Security by Eset