Sunday, 15 December 2019

50 Million Dollar African IP Address Heist


A top executive at the nonprofit entity responsible for doling out chunks of Internet addresses to businesses and other organizations in Africa has resigned his post following accusations that he secretly operated several companies which sold tens of millions of dollars worth of the increasingly scarce resource to online marketers. The allegations stemmed from a three-year investigation by a U.S.-based researcher whose findings shed light on a murky area of Internet governance that is all too often exploited by spammers and scammers alike.
There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market. This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

Perhaps the most dogged chronicler of this trend is California-based freelance researcher Ron Guilmette, who since 2016 has been tracking several large swaths of IP address blocks set aside for use by African entities that somehow found their way into the hands of Internet marketing firms based in other continents.
Over the course of his investigation, Guilmette unearthed records showing many of these IP addresses were quietly commandeered from African businesses that are no longer in existence or that were years ago acquired by other firms. Guilmette estimates the current market value of the purloined IPs he’s documented in this case exceeds USD $50 million.

In collaboration with journalists based in South Africa, Guilmette discovered tens of thousands of these wayward IP addresses that appear to have been sold off by a handful of companies founded by the policy coordinator for The African Network Information Centre (AFRINIC), one of the world’s five regional Internet registries which handles IP address allocations for Africa and the Indian Ocean region.

That individual — Ernest Byaruhanga — was only the second person hired at AFRINIC back in 2004. Byaruhanga did not respond to requests for comment. However, he abruptly resigned from his position in October 2019 shortly after news of the IP address scheme was first detailed by Jan Vermeulen, a reporter for the South African tech news publication Mybroadband.co.za who assisted Guilmette in his research.
KrebsOnSecurity sought comment from AFRINIC’s new CEO Eddy Kayihura, who said the organization was aware of the allegations and is currently conducting an investigation into the matter.

“Since the investigation is ongoing, you will understand that we prefer to complete it before we make a public statement,” Kayihura said. “Mr. Byaruhanga’s resignation letter did not mention specific reasons, though no one would be blamed to think the two events are related.”
Guilmette said the first clue he found suggesting someone at AFRINIC may have been involved came after he located records suggesting that official AFRINIC documents had been altered to change the ownership of IP address blocks once assigned to Infoplan (now Network and Information Technology Ltd), a South African company that was folded into the State IT Agency in 1998.
“This guy was shoveling IP addresses out the backdoor and selling them on the streets,” said Guilmette, who’s been posting evidence of his findings for years to public discussion lists on Internet governance. “To say that he had an evident conflict of interest would be a gross understatement.”
For example, documents obtained from the government of Uganda by Guilmette and others show Byaruhanga registered a private company called ipv4leasing after joining AFRINIC. Historic WHOIS records from domaintools.com [a former advertiser on this site] indicate Byaruhanga was the registrant of two domain names tied to this company — ipv4leasing.org and .net — back in 2013.

Guilmette and his journalist contacts in South Africa uncovered many instances of other companies tied to Byaruhanga and his immediate family members that appear to have been secretly selling AFRINIC IP address blocks to just about anyone willing to pay the asking price. But the activities of ipv4leasing are worth a closer look because they demonstrate how this type of shadowy commerce is critical to operations of spammers and scammers, who are constantly sullying swaths of IP addresses and seeking new ones to keep their operations afloat.
Historic AFRINIC record lookups show ipv4leasing.org tied to at least six sizable blocks of IP addresses that once belonged to a now defunct company from Cameroon called ITC that also did business as “Afriq*Access.”

In 2013, the anti-spam group Spamhaus.org began tracking floods of junk email originating from these blocks of IPs that once belonged to Afriq*Access. Spamhaus says it ultimately traced the domains advertised in those spam emails back to Adconion Direct, a U.S.-based email marketing company that employs several executives who are now facing federal criminal charges for allegedly paying others to hijack large ranges of IP addresses used in wide-ranging spam campaigns.

If you would like IT security help for your organisation then we're here to help.

Just Contact Us

Best Regards,

Web Admin
LATVIK SECURE
LATVIK TECHNOLOGIES ™
www.latvikhost.com | https://latviksecure.blogspot.com

Monday, 23 September 2019

Botnet Operator Pleads Guilty


A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large-scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.

Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address nexuczeta1337@gmail.com. That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.
“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.
While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out of the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.

However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”


Monday, 1 July 2019

Security Breach at PCM Inc. United States


A digital intrusion at PCM Inc., a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients.

El Segundo, California based PCM [NASDAQ:PCMI] is a provider of technology products, services and solutions to businesses as well as state and federal governments. PCM has nearly 4,000 employees, more than 2,000 customers, and generated approximately $2.2 billion in revenue in 2018.

Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.
One security expert at a PCM customer who was recently notified about the incident said the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions.


In that respect, the motivations of the attackers seem similar to the goals of intruders who breached Indian IT outsourcing giant Wipro Ltd. earlier this year. In April, KrebsOnSecurity broke the news that the Wipro intruders appeared to be after anything they could quickly turn into cash, and used their access to harvest gift card information from a number of the company’s customers.

It’s unclear whether PCM was a follow-on victim from the Wipro breach, or if it was attacked separately. As noted in that April story, PCM was one of the companies targeted by the same hacking group that compromised Wipro. The intruders who hacked into Wipro set up a number of domains that appeared visually similar to that of Wipro customers, and many of those customers responded to the April Wipro breach story with additional information about those attacks.

PCM never did respond to requests for comment on that story. But in a statement shared with an IT firm on 19 June 2019, PCM said the company “recently experienced a cyber incident that impacted certain of its systems.”
“From its investigation, impact to its systems was limited and the matter has been remediated,” the statement reads. “The incident did not impact all of PCM customers; in fact, investigation has revealed minimal-to-no impact to PCM customers. To the extent any PCM customers were potentially impacted by the incident, those PCM customers have been made aware of the incident and PCM worked with them to address any concerns they had.”

On June 24, PCM announced it was in the process of being acquired by global IT provider Insight Enterprises [NASDAQ:NSIT]. Insight has not yet responded to requests for comment.

Earlier this week, cyber intelligence firm RiskIQ published a lengthy analysis of the hacking group that targeted Wipro, among many other companies. RiskIQ says this group has been active since 2016 and posits that the hackers may be targeting gift card providers because they provide access to liquid assets outside of the traditional western financial system.


The breach at PCM is just the latest example of how cybercriminals increasingly are targeting employees who work at cloud data providers and technology consultancies that manage vast IT resources for many clients. On Wednesday, Reuters published a lengthy story on “Cloud Hopper,” the nickname given to a network of Chinese cyber spies that hacked into eight of the world’s biggest IT suppliers between 2014 and 2017.





Tuesday, 14 May 2019

Malware Techie Pleads Guilty to Writing, Selling Banking Malware


Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.


Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security. “I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”


Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.

Creating malware is a form of protected speech in the United States, but selling it and disseminating it are another matter. University of Southern California law professor Orin Kerr’s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.

According to a copy of Hutchins’ plea agreement, each charge carries a maximum of five years in prison, up to a $250,000 fine, and up to one year of supervised release. However, those charges are likely to be substantially tempered by federal sentencing guidelines and may take into account time already served in detention. It remains unclear when he will be sentenced.
The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.

Tuesday, 30 April 2019

80 Million Americans Personal Info Exposed due to unprotected Database


A team of security researchers claims to have found a publicly accessible database that exposes information on more than 80 million U.S. households, nearly 65 percent of the total number of American households.

Discovered by VPN Mentor's research team, led by hacktivists Noam Rotem and Ran Locar, the unsecured database includes 24GB of extremely detailed information about individual homes, including their full names, addresses, ages, and birth dates.


The massive database which is hosted on a Microsoft cloud server also contains coded information noted in "numerical values," which the researchers believe correlates to homeowners' gender, marital status, income bracket, status, and dwelling type. 
Fortunately, the unprotected database does not contain passwords, social security numbers or payment card information related to any of the affected American households.

The researchers verified the accuracy of some data in the cache, but they did not download the complete data set in order to minimize the invasion of privacy of those affected.

The research team discovered the database accidentally while running a web mapping project using port scanning to examine known IP blocks in order to find holes in web systems, which they then examine for weaknesses and data leaks.

Usually, the team alerts the database owner to report the leak so that the affected company could protect it, but in this case, the researchers were unable to identify the owner of the database.


"Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to," the team says in a blog post. "It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner."

The unsecured database, which required no password to access, was online until Monday and has now been taken offline.
Since each entry in the database ends with 'member_code' and 'score' and no one listed is under the age of 40, the researchers suspect the database could be owned by an insurance, healthcare, or mortgage company.



However, information that one would expect to find in a database owned by brokers or banks, such as policy or account numbers, Social Security numbers, and payment types, is missing from this database.

The researchers then called on the public on Monday to help them identify who might own the database in question so that it can be secured.



Though the database did not expose sensitive card information or SSNs, the disclosed data is enough to be concerned about identity theft, fraud, phishing scams, and even home invasion.

Rotem is the same security researcher who earlier this year found a severe vulnerability in the popular Amadeus online flight ticket booking system that could have allowed remote hackers to view and modify travel details of millions of major international airlines' customers and even claim their frequent flyer miles.


Sunday, 31 March 2019

Who needs a Data Protection Officer?


The Office of the Data Protection Commissioner, Ireland, recently shared its advice on who needs a Data Protection Officer, and on their role, responsibilities and obligations.
The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).
The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.
The DPC (Data Protection Commissioner) recommends that all organizations that will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organization’s preparations for the GDPR and to meeting its accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organizations, which are all options provided for in the GDPR.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor. 
Who needs a DPO?
1.    All public authorities and bodies, including government departments.
2.    Where the core activities of the organization (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale.
3.    Where the core activities of the organization consist of processing special categories of data (i.e. health data) or personal data relating to criminal convictions or offences.
Public Authority or Body?
Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law.
It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO.
Core activities can be defined as the key operations necessary to achieve an organization’s (controller or processor’s) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organization undertakes activities such as payroll and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core activities. 

Large-scale processing
While the GDPR does not define large-scale, the following factors should be taken into consideration:
- The number of individuals (data subjects) concerned, either as a specific number or as a proportion of the relevant population.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.

Examples of large-scale processing include:
- Processing of patient data in the regular course of business by a hospital.
- Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards).
- Processing of real-time geolocation data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services.
- Processing of customer data in the regular course of business by an insurance company or a bank.

Examples that do not constitute large-scale processing include:
1.    Processing of patient data by an individual doctor.
2.    Processing of personal data relating to criminal convictions and offences by an individual lawyer.
Regular and systematic monitoring
Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the internet, including for behavioral advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.
‘Regular’ is interpreted by the Working Party 29 (comprising the EU’s data protection authorities) as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period.
- Recurring or repeated at fixed times.

‘Systematic’ is interpreted as meaning one or more of the following:
- Occurring according to a system.
- Pre-arranged, organised or methodical.
- Taking place as part of a general plan for data collection.
- Carried out as part of a strategy.

Special Categories of Data – these include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the processing of genetic data or of biometric data for the purpose of uniquely identifying a natural person; data concerning health or a natural person’s sex life or sexual orientation; and personal data relating to criminal convictions and offences.