Technology

Tik Tok Ban, Tech Titans Talk to Congress, Twitter Hackers Arrested

• Trump threatens to ban Tik Tok
• Trump wants Microsoft to buy Tik Tok
• Mr. Cook, Zuck, Bezos, and Pichai go to Washington
• What should the government do to Google, Facebook, Amazon, and Apple?
• Twitter hackers arrested
• Our Covid year: CES will be all-virtual in 2021
• Huawei is the #1 phone maker in the world
• Need a job? The US Digital Service is hiring!
• Microsoft will end mobile support for Cortana in 2010
• Election Cyber Surge wants to help America vote
• Trump is witholding funds from the Internet Freedom Fund
• Watch the Samsung Note 20 and Galaxy Z Fold announcement this week with TWiT!
• Emmys will be all-virtual this year
• Quibi lost 92% of its day one subscribers
• Bernie Sanders wants to send you 3 masks
• Analogue Pocket comes out tomorrow
• Brianna Wu is the 8th best Super Mario 2 speedrunner in the world
• Fyre Festival and GSA Auctions

Host: Leo Laporte

Guests: Brianna Wu, Paris Martineau, and Matt Cutts

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

• monday.com/TWIT
• www.stamps.com - promo code: TWIT
• ZipRecruiter.com/Twit
• barracuda.com/twit

Three individuals have been charged for their alleged roles in the July 15 hack on Twitter, an incident that resulted in Twitter profiles for some of the world’s most recognizable celebrities, executives and public figures sending out tweets advertising a bitcoin scam.

Amazon CEO Jeff Bezos’s Twitter account on the afternoon of July 15.

Nima “Rolex” Fazeli, a 22-year-old from Orlando, Fla., was charged in a criminal complaint in Northern California with aiding and abetting intentional access to a protected computer.

Mason “Chaewon” Sheppard, a 19-year-old from Bognor Regis, U.K., also was charged in California with conspiracy to commit wire fraud, money laundering and unauthorized access to a computer.

A U.S. Justice Department statement on the matter does not name the third defendant charged in the case, saying juvenile proceedings in federal court are sealed to protect the identity of the youth. But an NBC News affiliate in Tampa reported today that authorities had arrested 17-year-old Graham Clark as the alleged mastermind of the hack.

17-year-old Graham Clark of Tampa, Fla. was among those charged in the July 15 Twitter hack. Image: Hillsborough County Sheriff’s Office.

Wfla.com said Clark was hit with 30 felony charges, including organized fraud, communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information and one count of access to a computer or electronic device without authority. Clark’s arrest report is available here (PDF).

On Thursday, Twitter released more details about how the hack went down, saying the intruders “targeted a small number of employees through a phone spear phishing attack,” that “relies on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”

By targeting specific Twitter employees, the perpetrators were able to gain access to internal Twitter tools. From there, Twitter said, the attackers targeted 130 Twitter accounts, tweeting from 45 of them, accessing the direct messages of 36 accounts, and downloading the Twitter data of seven.

Among the accounts compromised were democratic presidential candidate Joe Biden, Amazon CEO Jeff Bezos, President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.

The hacked Twitter accounts were made to send tweets suggesting they were giving away bitcoin, and that anyone who sent bitcoin to a specified account would be sent back double the amount they gave. All told, the bitcoin accounts associated with the scam received more than 400 transfers totaling more than $100,000.

Sheppard’s alleged alias Chaewon was mentioned twice in stories here since the July 15 incident. On July 16, KrebsOnSecurity wrote that just before the Twitter hack took place, a member of the social media account hacking forum OGUsers advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

The OGUsers forum user “Chaewon” taking requests to modify the email address tied to any twitter account.

On July 17, The New York Times ran a story that featured interviews with several people involved in the attack, who told The Times they weren’t responsible for the Twitter bitcoin scam and had only purchased accounts from the Twitter hacker — who they referred to only as “Kirk.”

One of the people interviewed by The Times used the alias “Ever So Anxious,” and said he was a 19-year from the U.K. In my follow-up story on July 22, it emerged that Ever So Anxious was in fact Chaewon.

The person who shared that information was the principal subject of my July 16 post, which followed clues from tweets sent from one of the accounts claimed during the Twitter compromise back to a 21-year-old from the U.K. who uses the nickname PlugWalkJoe.

That individual shared a series of screenshots showing he had been in communications with Chaewon/Ever So Anxious just prior to the Twitter hack, and had asked him to secure several desirable Twitter usernames from the Twitter hacker. He added that Chaewon/Ever So Anxious also was known as “Mason.”

The negotiations over highly-prized Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams. PlugWalkJoe is pictured here chatting with Ever So Anxious/Chaewon/Mason using his Discord username “Beyond Insane.”

On July 22, KrebsOnSecurity interviewed Sheppard/Mason/Chaewon, who confirmed that PlugWalkJoe had indeed asked him to ask Kirk to change the profile picture and display name for a specific Twitter account on July 15. He acknowledged that while he did act as a “middleman” between Kirk and others seeking to claim desirable Twitter usernames, he had nothing to do with the hijacking of the VIP Twitter accounts for the bitcoin scam that same day.

“Encountering Kirk was the worst mistake I’ve ever made due to the fact it has put me in issues I had nothing to do with,” he said. “If I knew Kirk was going to do what he did, or if even from the start if I knew he was a hacker posing as a rep I would not have wanted to be a middleman.”

JavaScript would gain record and tuple value types under a proposal before ECMA International, the standards body that oversees the popular programming language for web development.

Records and tuples would introduce two deeply immutable data structures to JavaScript: Record, an object-like structure, and Tuple, an array-like structure. A draft of the plan with ECMA Technical Committee 39, which governs ECMAScript, the standard underlying JavaScript.

To read this article in full, please click here

It’s pretty significant when the Wall Street Journal talks about cloud issues, and this story (behind a paywall) is no different. The gist is that as enterprises support a mostly remote workforce with cloud computing, they are, of course, seeing rapid growth in the monthly public cloud bills. 

Although a 20 percent expansion in dollars burned each month is average, I’ve seen expenses go as much as 50 percent higher in month-to-month growth. This is without expanding the number of applications or data—just how the clouds are now being used. 

To read this article in full, please click here

GitHub has published a public roadmap, offering users a glimpse of what to expect from the popular code-sharing platform in the coming months. New capabilities in the works range from code scanning to workflow and security enhancements.

The GitHub roadmap covers a multitude of release phases, ranging from alpha to general availability, for feature areas including planning, code-to-cloud devops, collaboration, security and compliance, client applications, repos, pull requests, and gists. Timelines are included, with the first marking the current quarter of this year.

Some features noted in the GitHub roadmap include:

To read this article in full, please click here

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.

A chip-based credit card. Image: Wikipedia.

Traditional payment cards encode cardholder account data in plain text on a magnetic stripe, which can be read and recorded by skimming devices or malicious software surreptitiously installed in payment terminals. That data can then be encoded onto anything else with a magnetic stripe and used to place fraudulent transactions.

Newer, chip-based cards employ a technology known as EMV that encrypts the account data stored in the chip. The technology causes a unique encryption key — referred to as a token or “cryptogram” — to be generated each time the chip card interacts with a chip-capable payment terminal.

Virtually all chip-based cards still have much of the same data that’s stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants — particularly those in the United States — still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card’s chip or a merchant’s EMV-enabled terminal has malfunctioned.

But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a component in the chip known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.”

The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and the use of that data to create counterfeit magnetic stripe cards. Both the iCVV and CVV values are unrelated to the three-digit security code that is visibly printed on the back of a card, which is used mainly for e-commerce transactions or for card verification over the phone.

The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward.

However, for EMV’s security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction.

The trouble is that not all financial institutions have properly set up their systems this way. Unsurprisingly, thieves have known about this weakness for years. In 2017, I wrote about the increasing prevalence of “shimmers,” high-tech card skimming devices made to intercept data from chip card transactions.

A close-up of a shimmer found on a Canadian ATM. Source: RCMP.

More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.

There are now strong indications the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards.

Earlier this month, the world’s largest payment card network Visa released a security alert regarding a recent merchant compromise in which known POS malware families were apparently modified to target EMV chip-enabled POS terminals.

“The implementation of secure acceptance technology, such as EMV® Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date,” Visa wrote. “Thus, provided iCVV is validated properly, the risk of counterfeit fraud was minimal. Additionally, many of the merchant locations employed point-to-point encryption (P2PE) which encrypted the PAN data and further reduced the risk to the payment accounts processed as EMV® Chip.”

Visa did not name the merchant in question, but something similar seems to have happened at Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States. Key Food initially disclosed a card breach in March 2020, but two weeks ago updated its advisory to clarify that EMV transaction data also was intercepted.

“The POS devices at the store locations involved were EMV enabled,” Key Food explained. “For EMV transactions at these locations, we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code).”

While Key Food’s statement may be technically accurate, it glosses over the reality that the stolen EMV data could still be used by fraudsters to create magnetic stripe versions of EMV cards presented at the compromised store registers in cases where the card-issuing bank hadn’t implemented EMV correctly.

Earlier today, fraud intelligence firm Gemini Advisory released a blog post with more information on recent merchant compromises — including Key Food — in which EMV transaction data was stolen and ended up for sale in underground shops that cater to card thieves.

“The payment cards stolen during this breach were offered for sale in the dark web,” Gemini explained. “Shortly after discovering this breach, several financial institutions confirmed that the cards compromised in this breach were all processed as EMV and did not rely on the magstripe as a fallback.”

Gemini says it has verified that another recent breach — at a liquor store in Georgia — also resulted in compromised EMV transaction data showing up for sale at dark web stores that sell stolen card data. As both Gemini and Visa have noted, in both cases proper iCVV verification from banks should render this intercepted EMV data useless to crooks.

Gemini determined that due to the sheer number of stores affected, it’s extremely unlikely the thieves involved in these breaches intercepted the EMV data using physically installed EMV card shimmers.

“Given the extreme impracticality of this tactic, they likely used a different technique to remotely breach POS systems to collect enough EMV data to perform EMV-Bypass Cloning,” the company wrote.

Stas Alforov, Gemini’s director of research and development, said financial institutions that aren’t performing these checks risk losing the ability to notice when those cards are used for fraud.

That’s because many banks that have issued chip-based cards may assume that as long as those cards are used for chip transactions, there is virtually no risk that the cards will be cloned and sold in the underground. Hence, when these institutions are looking for patterns in fraudulent transactions to determine which merchants might be compromised by POS malware, they may completely discount any chip-based payments and focus only on those merchants at which a customer has swiped their card.

“The card networks are catching on to the fact that there’s a lot more EMV-based breaches happening right now,” Alforov said. “The larger card issuers like Chase or Bank of America are indeed checking [for a mismatch between the iCVV and CVV], and will kick back transactions that don’t match. But that is clearly not the case with some smaller institutions.”

For better or worse, we don’t know which financial institutions have failed to properly implement the EMV standard. That’s why it always pays to keep a close eye on your monthly statements, and report any unauthorized transactions immediately. If your institution lets you receive transaction alerts via text message, this can be a near real-time way to keep an eye out for such activity.

Although not due to arrive until March 2021, Java Development Kit (JDK) 16 is beginning to take shape, starting with enabling C++ 14 language features in JDK C++ source code.

JDK 16 will be the reference implementation of the version of standard Java set to follow JDK 15, which is due on September 15. The six-month release cadence for standard Java would have JDK 16 arriving next March.

As of July 29, three proposals were targeted to JDK 16:

To read this article in full, please click here

The OpenJDK Community effort to move the source code of standard Java from Mercurial repos to Git repos on GitHub is proceeding, with early-September set as the target date.

Current plans have Oracle’s Java Platform Group transitioning the jdk/jdk repo hosted on GitHub, which is currently a read-only mirror, to become the read-write master for Java Development Kit (JDK) 16 sources by that time. This transition would take place a few weeks before the planned general availability of JDK 15 on September 15.

As per standard Java’s six-month release cycle, JDK 16 is due in March 2021. The repo migration plan has been done through Project Skara, which has involved investigating alternative source code management and code review options for OpenJDK source code, and migrating to GitHub.

To read this article in full, please click here

Most of the civilized world years ago shifted to requiring computer chips in payment cards that make it far more expensive and difficult for thieves to clone and use them for fraud. One notable exception is the United States, which is still lurching toward this goal. Here’s a look at the havoc that lag has wrought, as seen through the purchasing patterns at one of the underground’s biggest stolen card shops that was hacked last year.

In October 2019, someone hacked BriansClub, a popular stolen card bazaar that uses this author’s likeness and name in its marketing. Whoever compromised the shop siphoned data on millions of card accounts that were acquired over four years through various illicit means from legitimate, hacked businesses around the globe — but mostly from U.S. merchants. That database was leaked to KrebsOnSecurity, which in turn shared it with multiple sources that help fight payment card fraud.

An ad for BriansClub has been using my name and likeness for years to peddle millions of stolen credit cards.

Among the recipients was Damon McCoy, an associate professor at New York University’s Tandon School of Engineering [full disclosure: NYU has been a longtime advertiser on this blog]. McCoy’s work in probing the credit card systems used by some of the world’s biggest purveyors of junk email greatly enriched the data that informed my 2014 book Spam Nation, and I wanted to make sure he and his colleagues had a crack at the BriansClub data as well.

McCoy and fellow NYU researchers found BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

“What surprised me most was there are still a lot of people swiping their cards for transactions here,” McCoy said.

In 2015, the major credit card associations instituted new rules that made it riskier and potentially more expensive for U.S. merchants to continue allowing customers to swipe the stripe instead of dip the chip. Complicating this transition was the fact that many card-issuing U.S. banks took years to replace their customer card stocks with chip-enabled cards, and countless retailers dragged their feet in updating their payment terminals to accept chip-based cards.

Indeed, three years later the U.S. Federal Reserve estimated (PDF) that 43.3 percent of in-person card payments were still being processed by reading the magnetic stripe instead of the chip. This might not have been such a big deal if payment terminals at many of those merchants weren’t also compromised with malicious software that copied the data when customers swiped their cards.

Following the 2015 liability shift, more than 84 percent of the non-chip cards advertised by BriansClub were sold, versus just 35 percent of chip-based cards during the same time period.

“All cards without a chip were in much higher demand,” McCoy said.

Perhaps surprisingly, McCoy and his fellow NYU researchers found BriansClub customers purchased only 40% of its overall inventory. But what they did buy supports the notion that crooks generally gravitate toward cards issued by financial institutions that are perceived as having fewer or more lax protections against fraud.

Source: NYU.

While the top 10 largest card issuers in the United States accounted for nearly half of the accounts put up for sale at BriansClub, only 32 percent of those accounts were sold — and at a roughly half the median price of those issued by small- and medium-sized institutions.

In contrast, more than half of the stolen cards issued by small and medium-sized institutions were purchased from the fraud shop. This was true even though by the end of 2018, 91 percent of cards for sale from medium-sized institutions were chip-based, and 89 percent from smaller banks and credit unions. Nearly all cards issued by the top ten largest U.S. card issuers (98 percent) were chip-enabled by that time.

The researchers found BriansClub customers strongly preferred cards issued by financial institutions in specific regions of the United States, specifically Colorado, Nevada, and South Carolina.

“For whatever reason, those regions were perceived as having lower anti-fraud systems or those that were not as effective,” McCoy said.

Cards compromised from merchants in South Carolina were in especially high demand, with fraudsters willing to spend twice as much on those cards per capita than any other state — roughly $1 per resident.

That sales trend also was reflected in the support tickets filed by BriansClub customers, who frequently were informed that cards tied to the southeastern United States were less likely to be restricted for use outside of the region.

Image: NYU.

McCoy said the lack of region locking also made stolen cards issued by banks in China something of a hot commodity, even though these cards demanded much higher prices (often more than $100 per account): The NYU researchers found virtually all available Chinese cards were sold soon after they were put up for sale. Ditto for the relatively few corporate and business cards for sale.

A lack of region locks may also have caused card thieves to gravitate toward buying up as many cards as they could from USAA, a savings bank that caters to active and former military service members and their immediate families. More than 83 percent of the available USAA cards were sold between 2015 and 2019, the researchers found.

Although Visa cards made up more than half of accounts put up for sale (12.1 million), just 36 percent were sold. MasterCards were the second most-plentiful (3.72 million), and yet more than 54 percent of them sold.

American Express and Discover, which unlike Visa and MasterCard are so-called “closed loop” networks that do not rely on third-party financial institutions to issue cards and manage fraud on them, saw 28.8 percent and 33 percent of their stolen cards purchased, respectively.

Some people concerned about the scourge of debit and credit card fraud opt to purchase prepaid cards, which generally enjoy the same cardholder protections against fraudulent transactions. But the NYU team found compromised prepaid accounts were purchased at a far higher rate than regular debit and credit cards.

Several factors may be at play here. For starters, relatively few prepaid cards for sale were chip-based. McCoy said there was some data to suggest many of these prepaids were issued to people collecting government benefits such as unemployment and food assistance. Specifically, the “service code” information associated with these prepaid cards indicated that many were restricted for use at places like liquor stores and casinos.

“This was a pretty sad finding, because if you don’t have a bank this is probably how you get your wages,” McCoy said. “These cards were disproportionately targeted. The unfortunate and striking thing was the sheer demand and lack of [chip] support for prepaid cards. Also, these cards were likely more attractive to fraudsters because [the issuer’s] anti-fraud countermeasures weren’t up to par, possibly because they know less about their customers and their typical purchase history.”

The NYU researchers estimate BriansClub pulled in approximately $24 million in profit over four years. They calculated this number by taking the more than $100 million in total sales and subtracting commissions paid to card thieves who supplied the shop with fresh goods, as well as the price of cards that were refunded to buyers. BriansClub, like many other stolen card shops, offers refunds on certain purchases if the buyer can demonstrate the cards were no longer active at the time of purchase.

On average, BriansClub paid suppliers commissions ranging from 50-60 percent of the total value of the cards sold. Card-not-present (CNP) accounts — or those stolen from online retailers and purchased by fraudsters principally for use in defrauding other online merchants — fetched a much steeper supplier commission of 80 percent, but mainly because these cards were in such high demand and low supply.

The NYU team found card-not-present sales accounted for just 7 percent of all revenue, even though card thieves clearly now have much higher incentives to target online merchants.

A story here last year observed that this exact supply and demand tug-of-war had helped to significantly increase prices for card-not-present accounts across multiple stolen credit card shops in the underground. Not long ago, the price of CNP accounts was less than half that of card-present accounts. These days, those prices are roughly equivalent.

One likely reason for that shift is the United States is the last of the G20 nations to fully transition to more secure chip-based payment cards. In every other country that long ago made the chip card transition, they saw the same dynamic: As they made it harder for thieves to counterfeit physical cards, the fraud didn’t go away but instead shifted to online merchants.

The same progression is happening now in the United States, only the demand for stolen CNP data still far outstrips supply. Which might explain why we’ve seen such a huge uptick over the past few years in e-commerce sites getting hacked.

“Everyone points to this displacement effect from card-present to card-not-present fraud,” McCoy said. “But if the supply isn’t there, there’s only so much room for that displacement to occur.”

No doubt the epidemic of card fraud has benefited mightily from hacked retail chains — particularly restaurants — that still allow customers to swipe chip-based cards. But as we’ll see in a post to be published tomorrow, new research suggests thieves are starting to deploy ingenious methods for converting card data from certain compromised chip-based transactions into physical counterfeit cards.

A copy of the NYU research paper is available here (PDF).

Companies today are increasingly using container technology to accelerate application development and deployment, while ensuring the portability of apps across different clouds.

However, containers require a higher level of orchestration and management skills, as well as resources, than many companies have on hand. That’s why there is increasing interest in and use of Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. It orchestrates a multitude of container tasks, such as managing virtual machine clusters, load balancing, network traffic distribution, and more.

Kubernetes is gaining momentum: 20% of companies are using it either in test/development or production environments, and 34% are researching or experimenting with it, according to the 2020 IDG Cloud Computing survey.

To read this article in full, please click here

The more popular or more powerful a programming language, the better the odds of finding not only many books about it, but a diversity of books. As Python has soared in popularity, so have the number and variety of the books created to help people learn the language and master its intricacies.

Here are seven of the best books on programming with Python, ranging from beginner’s guides to power-Python proficiency. Whether you’re just starting out, or you’ve been working with Python for some time, there is most likely a book here for you. A few are available in online or PDF editions for free. 

To read this article in full, please click here

• F5 Networks "Big-IP" devices in Big-Trouble
• Twitter bitcoin hack update
• GnuTLS vs OpenSSL
• The Garmin outage then and now
• Cisco's latest trouble
• Surprising SpinRite results

We invite you to read our show notes at https://www.grc.com/sn/SN-777-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• barracuda.com/securitynow
• expressvpn.com/securitynow
• GetRoman.com/SECURITYNOW

Kotlin 1.4, a major upgrade to the JetBrains-developed statically typed language initially built for the JVM, has reached its release candidate (RC) stage, with improved IDE support and a preview of Node.js API bindings.

The Kotlin 1.4 RC, published July 27, features improvements to IDE support for Gradle Kotlin DSL scripts (*.gradle.kt files) including explicit loading of script configurations, either by clicking Load Gradle Changes or reimporting the Gradle project. Previously, when developers added a new plug-in to the buildscript or plugins block of build.gradle.kts, the new script configuration was loaded automatically in the background, a process that often hindered IDE performance. 

To read this article in full, please click here

Although Python finished second behind JavaScript is the June edition of the RedMonk Programming Language Rankings, is nonetheless considered the report’s big winner, because it took sole possession of the number two ranking after tying with Java in January. The RedMonk rankings are published every six months. 

This is the first time a language besides Java or JavaScript has occupied the second spot alone since the rankings began in 2012, and it’s the first time Java has ranked lower than first or second. By way of explanation, RedMonk said Python is the glue for thousands of small projects and the basis for countless personal scripts, including a few that retrieve data for RedMonk’s rankings. The company noted that Python also has found niches in areas such as data science.

To read this article in full, please click here

A common approach to application migration to the public clouds is to alter the applications to take advantage of cloud-native features. This means that the applications can speak with the native management systems, native security systems, and other native services.

The alternative is lift-and-shift: doing as few modifications to the applications as you can get away with. This means avoiding cloud-native altogether, practically speaking.

Best practices have been emerging around the binary approaches of either go all-in cloud native or don’t go native at all. The reality is that it’s not a binary decision, and the answer you’re seeking may operate across a spectrum.   

To read this article in full, please click here

Microsoft’s family of low- and no-code application tools is one of its fastest growing developer platforms. Building on top of technologies from the Dynamics line-of-business applications and from Office, the Power Platform is perhaps best thought of as the spiritual successor to familiar tools such as Visual Basic for Applications: a quick way of building those little applications to solve problems that don’t merit diverting limited developer resources.

Until recently much of the Power Platform tools focused on building and managing workflows using Power Automate for basic business process automation and Power Apps as a basic front-end application builder, with a focus on constructing forms and queries. Much like Visual Basic did for client-server computing, they’re a translation for general audiences of the API and message foundations of modern, cloud-centric, distributed computing.

To read this article in full, please click here

As modern, containerized applications continue to prove popular with organizations, it was only a matter of time before the major vendors started to offer container infrastructure and management “as-a-service.”

Use of containers is firmly on the rise with enterprises globally, with 65 percent of organizations stating they use Docker containers, and 58 percent using the Kubernetes orchestration system in some manner, according to Flexera’s latest 2020 State of Cloud report.

To read this article in full, please click here

Identity thieves who specialize in running up unauthorized lines of credit in the names of small businesses are having a field day with all of the closures and economic uncertainty wrought by the COVID-19 pandemic, KrebsOnSecurity has learned. This story is about the victims of a particularly aggressive business ID theft ring that’s spent years targeting small businesses across the country and is now pivoting toward using that access for pandemic assistance loans and unemployment benefits.

Most consumers are likely aware of the threat from identity theft, which occurs when crooks apply for new lines of credit in your name. But the same crime can be far more costly and damaging when thieves target small businesses. Unfortunately, far too many entrepreneurs are simply unaware of the threat or don’t know how to be watchful for it.

What’s more, with so many small enterprises going out of business or sitting dormant during the COVID-19 pandemic, organized fraud rings have an unusually rich pool of targets to choose from.

Short Hills, N.J.-based Dun & Bradstreet [NYSE:DNB] is a data analytics company that acts as a kind of de facto credit bureau for companies: When a business owner wants to open a new line of credit, creditors typically check with Dun & Bradstreet to gauge the business’s history and trustworthiness.

In 2019, Dun & Bradstreet saw more than a 100 percent increase in business identity theft. For 2020, the company estimates an overall 258 percent spike in the crime. Dun & Bradstreet said that so far this year it has received over 4,700 tips and leads where business identity theft or malfeasance are suspected.

“The ferocity of cyber criminals to take advantage of COVID-19 uncertainties by preying on small businesses is disturbing,” said Andrew LaMarca, who leads the global high-risk and fraud team at Dun & Bradstreet.

For the past several months, Milwaukee, Wisc. based cyber intelligence firm Hold Security has been monitoring the communications between and among a businesses ID theft gang apparently operating in Georgia and Florida but targeting businesses throughout the United States. That surveillance has helped to paint a detailed picture of how business ID thieves operate, as well as the tricks they use to gain credit in a company’s name.

Hold Security founder Alex Holden said the group appears to target both active and dormant or inactive small businesses. The gang typically will start by looking up the business ownership records at the Secretary of State website that corresponds to the company’s state of incorporation. From there, they identify the officers and owners of the company, acquire their Social Security and Tax ID numbers from the dark web and other sources online.

To prove ownership over the hijacked firms, they hire low-wage image editors online to help fabricate and/or modify a number of official documents tied to the business — including tax records and utility bills.

The scammers frequently then file phony documents with the Secretary of State’s office in the name(s) of the business owners, but include a mailing address that they control. They also create email addresses and domain names that mimic the names of the owners and the company to make future credit applications appear more legitimate, and submit the listings to business search websites, such as yellowpages.com.

For both dormant and existing businesses, the fraudsters attempt to create or modify the target company’s accounts at Dun & Bradstreet. In some cases, the scammers create dashboard accounts in the business’s names at Dun & Bradstreet’s credit builder portal; in others, the bad guys have actually hacked existing business accounts at DNB, requesting a new DUNS numbers for the business (a DUNS number is a unique, nine-digit identifier for businesses).

Finally, after the bogus profiles are approved by Dun & Bradstreet, the gang waits a few weeks or months and then starts applying for new lines of credit in the target business’s name at stores like Home Depot, Office Depot and Staples. Then they go on a buying spree with the cards issued by those stores.

Usually, the first indication a victim has that they’ve been targeted is when the debt collection companies start calling.

“They are using mostly small companies that are still active businesses but currently not operating because of COVID-19,” Holden said. “With this gang, we see four or five people working together. The team leader manages the work between people. One person seems to be in charge of getting stolen cards from the dark web to pay for the reactivation of businesses through the secretary of state sites. Another team member works on revising the business documents and registering them on various sites. The others are busy looking for specific businesses they want to revive.”

Holden said the gang appears to find success in getting new lines of credit with about 20 percent of the businesses they target.

“One’s personal credit is nothing compared to the ability of corporations to borrow money,” he said. “That’s bad because while the credit system may be flawed for individuals, it’s an even worse situation on average when we’re talking about businesses.”

Holden said over the past few months his firm has seen communications between the gang’s members indicating they have temporarily shifted more of their energy and resources to defrauding states and the federal government by filing unemployment insurance claims and apply for pandemic assistance loans with the Small Business Administration.

“It makes sense, because they’ve already got control over all these dormant businesses,” he said. “So they’re now busy trying to get unemployment payments and SBA loans in the names of these companies and their employees.”

Hold Security shared data intercepted from the gang that listed the personal and financial details of dozens of companies targeted for ID theft, including Dun & Bradstreet logins the crooks had created for the hijacked businesses. Dun & Bradstreet declined to comment on the matter, other than to say it was working with federal and state authorities to alert affected businesses and state regulators.

Among those targeted was Environmental Safety Consultants Inc. (ESC), a 37-year-old environmental engineering firm based in Bradenton, Fla. ESC owner Scott Russell estimates his company was initially targeted nearly two years ago, and that he first became aware something wasn’t right when he recently began getting calls from Home Depot’s corporate offices inquiring about the company’s delinquent account.

But Russell said he didn’t quite grasp the enormity of the situation until last year, when he was contacted by a the manager of a virtual office space across town who told him about a suspiciously large number of deliveries at an office space that was rented out in his name.

Russell had never rented that particular office. Rather, the thieves had done it for him, using his name and the name of his business. The office manager said the deliveries came virtually non-stop, even though there was apparently no business operating within the rented premises. And in each case, shortly after the shipments arrived someone would show up and cart them away.

“She said we don’t think it’s you,” he recalled. “Turns out, they had paid for a lease in my name with someone else’s credit card. She shared with me a copy of the lease, which included a fraudulent ID and even a vehicle insurance card for a Land Cruiser we got rid of like 15 years ago. The application listed our home address with me and some woman who was not my wife’s name.”

The crates and boxes being delivered to his erstwhile office space were mostly computers and other high-priced items ordered from 10 different Office Depot credit cards that also were not in his name.

“The total value of the electronic equipment that was bought and delivered there was something like $75,000,” Russell said, noting that it took countless hours and phone calls with Office Depot to make it clear they would no longer accept shipments addressed to him or his company. “It was quite spine-tingling to see someone penned a lease in the name of my business and personal identity.”

Even though the virtual office manager had the presence of mind to take photocopies of the driver’s licenses presented by the people arriving to pick up the fraudulent shipments, the local police seemed largely uninterested in pursuing the case, Russell said.

“I went to the local county sheriff’s office and showed them all the documentation I had and the guy just yawned and said he’d get right on it,” he recalled. “The place where the office space was rented was in another county, and the detective I spoke to there about it was interested, but he could never get anyone from my county to follow up.”

Russell said he believes the fraudsters initially took out new lines of credit in his company’s name and then used those to defraud others in a similar way. One of those victims is another victim on the gang’s target list obtained by Hold Security — Mary McMahan, owner of Fan Experiences, an event management company in Winter Park, Fla.

McMahan also had stolen goods from Office Depot and other stores purchased in her company’s name and delivered to the same office space rented in Russell’s name. McMahan said she and her businesses have suffered hundreds of thousands of dollars in fraud, and spent nearly as much in legal fees fending off collections firms and restoring her company’s credit.

McMahan said she first began noticing trouble almost four years ago, when someone started taking out new credit cards in her company’s name. At the same time, her business was used to open a new lease on a virtual office space in Florida that also began receiving packages tied to other companies victimized by business ID theft.

“About four years back, they hit my credit hard for a year, getting all these new lines of credit at Home Depot, Office Depot, Office Max, you name it,” she said. “Then they came back again two years ago and hit it hard for another year. They even went to the [Florida Department of Motor Vehicles] to get a driver’s license in my name.”

McMahan said the thieves somehow hacked her DNB account, and then began adding new officers and locations for her business listing.

“They changed the email and mailing address, and even went on Yelp and Google and did the same,” she said.

McMahan said she’s since locked down her personal and business credit to the point where even she would have a tough time getting a new line of credit or mortgage if she tried.

“There’s no way they can even utilize me anymore because there’s so many marks on my credit stating that it’s been stolen” she said. “These guys are relentless, and they recycle victims to defraud others until they figure out they can’t recycle them anymore.”

McMahan says she, too, has filed multiple reports about the crimes with local police, but has so far seen little evidence that anyone is interested in following up on the matter. For now, she is paying Dun and Bradstreet more than a $100 a month to monitor her business credit profile.

Dun & Bradstreet does offer a free version of credit monitoring called Credit Signal that lets business owners check their business credit scores and any inquiries made in the previous 14 days up to four times a year. However, those looking for more frequent checks or additional information about specific credit inquiries beyond 14 days are steered toward DNB’s subscription-based services.

Eva Velasquez, president of the Identity Theft Resource Center, a California-based nonprofit that assists ID theft victims, said she finds that troubling.

“When we look at these institutions that are necessary for us to operate and function in society and they start to charge us a fee for a service to fix a problem they helped create through their infrastructure, that’s just unconscionable,” Velasquez said. “We need to take a hard look at the infrastructures that businesses are beholden to and make sure the risk minimization protections they’re entitled to are not fee-based — particularly if it’s a problem created by the very infrastructure of the system.”

Velasquez said it’s unfortunate that small business owners don’t have the same protections afforded to consumers. For example, only recently did the three major consumer reporting bureaus allow all U.S. residents to place a freeze on their credit files for free.

“We’ve done a good job in educating the public that anyone can be victim of identity theft, and in compelling our infrastructure to provide robust consumer protection and risk minimization processes that are more uniform,” she said. “It’s still not good by any means, but it’s definitely better for consumers than it is for businesses. We currently put all the responsibility on the small business owner, and very little on the infrastructure and processes that should be designed to protect them but aren’t doing a great job, frankly.”

Rather, the onus continues to be on the business owner to periodically check with DNB and state agencies to monitor for any signs of unauthorized changes. Worse still, too many private and public organizations still don’t do a good enough job protecting employee identification and tax ID numbers that are so often abused in business identity theft, Velasquez said.

“You can put alerts and other protections in place but the problem is you have to go on a department by department and case by case basis,” she said. “The place to begin is your secretary of state’s office or wherever you file your documents to operate your business.

For its part, Dun & Bradstreet recently published a blog post outlining recommendations for businesses to ward off identity thieves. DNB says anyone who suspects fraudulent activity on their account should contact its support team.

Next.js, a framework for building applications that leverage the React JavaScript UI library, is getting a refresh. Next.js 9.5 adds capabilities including incremental static regeneration and rewrites/redirects support.

Incremental static regeneration updates pages by re-rendering them in the background as traffic flows in. Traffic is served uninterrupted, statically, with the newly built page pushed only after it is done generating. Benefits include no spikes in latency and pages never going offline.

To read this article in full, please click here