Cyber Daily: Cyber Private Eyes Go After Hackers, Without Counterattacking
Hello. Companies usually focus on defending their networks after they suffer a cyberattack, but some specialist cybersecurity firms are helping victims pursue criminals, WSJ Pro’s James Rundle reports.
The U.S. Computer Fraud and Abuse Act prohibits unauthorized access to computers, making it illegal for companies to launch cyberattacks. However, security-services companies such as Redacted Inc. help victims stop hackers before the attack is over. Employees at Redacted find out about hackers’ tools and try to identify them, in many cases confronting them in the act.
The idea of giving companies permission to hack back gained momentum after the attacks on Colonial Pipeline and meatpacker JBS this year. A bipartisan bill ordering the Department of Homeland Security to study the possibility of allowing counterattacks was introduced in the Senate in June.
Corporate hacking operations are controversial. Critics say giving companies the ability to hack back would create legal difficulties for them, and make them a bigger target for further attacks.
This and other news below.
Hitting Back Against Hackers
Specialist cybersecurity firms say they can legally hack cybercriminals who attack companies. PHOTO: JAKUB PORZYCKI/ ZUMA PRESS
Companies hit by hackers typically limit themselves to playing defense to comply with a federal law against invading someone’s computer. But some specialist cybersecurity firms say they can pursue criminals without launching their own attacks.
Most cybercrimes in the U.S. fall under the Computer Fraud and Abuse Act, a 1986 law that prohibits unauthorized access of computer systems. The law effectively places offensive cybersecurity actions solely in the hands of the federal government.
Striking back against hackers directly might be off limits, but some former spies and cyber cops say that disrupting an attack in progress is a different story, as long as defenders follow the letter of the law. Because the law turns on whether access is authorized, that often means persuading the hacker to consent to access to the computer or database being used in the suspected attack, for instance by posing as a customer for the stolen data.
More Cyber and Privacy News
Missouri Gov. Mike Parson said the state will prosecute the St. Louis Post-Dispatch for reporting about a security flaw in a state website. PHOTO: CHRIS KOHLEY/ ZUMA PRESS
Missouri governor vows to prosecute newspaper for reporting security vulnerability. Missouri Gov. Mike Parson said he would prosecute the staff of the St. Louis Post-Dispatch for reporting about a security vulnerability on the website of the state's Department of Elementary and Secondary Education.
- The newspaper published a story last week that said flaws in the website exposed the Social Security numbers of more than 100,000 teachers and other school staff members.
- Gov. Parson said his administration notified the Cole County prosecutor. Responding to the incident might cost up to $50 million "and divert workers and resources from other state agencies," he said. Mr. Parson cited a state law that prohibits tampering with computer data and said the newspaper wasn't authorized to access teachers' data.
- An attorney for the St. Louis Post-Dispatch said the reporter informed the state agency about the vulnerability before publishing, to prevent misuse of the data. "A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent," he said. (NPR)
Suspected ransomware payments for first half of 2021 total $590 million. U.S. financial institutions reported transactions suspected to be ransomware payments worth $590 million in the first six months of the year, more than the total reported for all of 2020, according to a Treasury Department report published Friday. Along with the report, Treasury issued new guidance for companies on protecting themselves from ransomware and avoiding ransom payments. "Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity," Deputy Treasury Secretary Wally Adeyemo said in a statement. (WSJ)
U.S. team prepares for esports-style international cyber games. The new U.S. Cyber Games created a team of 25 Americans who will compete in the first International Cybersecurity Challenge in Greece this December. Competitors are between the ages of 18 and 26. The U.S. team’s head coach said the games help competitors understand likely attacks, plan strategies to respond and also teach them how to hack offensively. (Washington Post)
How a Dutch teenager got into hacking. Dutch teenager Edwin Robbe was arrested at his parents' home in 2012 for hacking into the network of KPN, the Netherlands' largest internet service provider. The company said the attack cost it €3 million (about $3.4 million). Mr. Robbe had earlier begun chatting with hackers online and exploited software vulnerabilities to get into several universities' networks. He served a prison sentence for the KPN intrusion and died after his release. (The Guardian)
Dubai prosecutors believe AI voice fraud led to $35 million theft. Investigators in the United Arab Emirates believe fraudsters used artificial intelligence to clone the voice of a corporate director, tricking a bank manager into transferring $35 million for an acquisition on behalf of the director’s company. The bank manager transferred the funds after also receiving fraudulent emails showing correspondence between the director, with whom he had previously spoken, and a lawyer. Prosecutors believe at least 17 individuals were involved in the scheme and money was sent to accounts around the world. U.A.E. investigators are seeking help from American authorities to trace $400,000 that was sent into accounts held by Centennial Bank in the U.S. (Forbes)
Former Cybersecurity and Infrastructure Security Agency election adviser Matt Masterson called for improved election security safeguards. PHOTO: ANDREW HARRER/BLOOMBERG NEWS
Former election security official calls for changes. Matt Masterson, the former election adviser at the U.S. Cybersecurity and Infrastructure Security Agency, said flaws in how the country's elections are administered are fueling distrust in democracy. Mr. Masterson now works at the Stanford Internet Observatory, part of Stanford University's Cyber Policy Center, which published a report last week recommending improvements such as the publication of baseline, minimum cybersecurity standards for election vendors, wider use of risk-limiting audits and more severe criminal penalties for threats or violence against election staff. (CyberScoop)
A Saudi human rights activist sued Twitter for failing to identify spies who worked for the company. PHOTO: OMAR MARQUES/ ZUMA PRESS
Saudi human rights activist sues Twitter for allegedly letting spies in as employees. Human rights activist Ali Al-Ahmed sued Twitter for allegedly hiring two men who worked as spies for the Saudi government. The two men have been indicted by the U.S. government for passing private information to the Saudi government between 2013 and 2015. Mr. Al-Ahmed’s lawsuit accuses Twitter of failing to detect the spying activity of the two men and prevent them from stealing information. The claim alleges that the two men sold Mr. Al-Ahmed’s personal data and private conversations with activists in Saudi Arabia, and that Twitter should have done more to protect his information. (Protocol)
$35 million

Amount allegedly stolen from a company by fraudsters who used artificial intelligence to clone the voice of a corporate director and instruct a bank manager to transfer the funds. Dubai prosecutors are investigating. (Forbes)