6 Real-World Threats to Chromebooks and ChromeOS

Chromebooks and ChromeOS have earned themselves a deserved reputation for being more secure than many other devices and operating systems, so much so that “Chromebooks don’t get viruses” is the new “Macs don’t get viruses”. But as many Mac users of the past will now tell you today, complacency in taking proper security measures is the first step on the path to compromise.

The popularity of Chromebooks among students and in educational institutions means they provide an enticing target to threat actors looking to scoop up PII for sale, or credentials to leverage in targeted attacks. Chromebooks may not have the same kind or number of security problems as, say, Windows devices, but that’s not to say there are not genuine threats that ChromeOS users need to be aware of.

1. Actors Actively-Exploiting Chrome Zero Days

One of Chromebooks’ most-vaunted security features is its ability to check and repair the integrity of the operating system on reboot. It’s a great feature and one partly copied by Apple’s macOS, where Apple’s signed system volume (SSV) protection checks the integrity of the OS on boot.

But such a system cannot protect the user or their data against zero-days that are invisible to the operating system. Flaws like CVE-2020-15999 were found to be actively exploited in the wild and needed Google to push out an update to protect users after-the-fact.

Google fixed another actively-exploited Chrome zero-day, CVE-2021-21148, in 2021. While details of how these bugs were deployed against users in the wild is scarce, the fact that Google stated they were “actively exploited” should be enough to tell Chromebook users that the device and the OS is being targeted and attackers are finding ways through.

And indeed, there is no shortage of high-risk bugs being found in Chrome and ChromeOS by security researchers. 2021 alone saw Google patch over 300 bugs, with some 260 or more related to potential or actual remote attacks.

Some of the many remote attack bugs reported in 2021 against Chrome and ChromeOS

2. Android Apps and App Stores

When Chromebooks were first introduced, they were touted as being highly secure because they prevented the most common way for security compromises to occur: the download and execution of executable files. The only problem was, Chromebooks weren’t that useful. Most people’s computing needs extended beyond the reach of the limited, and sometimes clunky, web apps being offered by Google.

Since those days, Chromebooks have gained the ability to download many different kinds of apps, increasing both their utility and their attack surface at the same time. Android apps give Chromebooks more versatility, but Android malware is also extremely common.

In November 2021, researchers discovered four different families of malware infecting more than 300,000 Android devices via malicious apps downloaded from Google Play Store. The threat actors had uploaded initially benign apps to get past Google’s automated review, then later delivered banking trojan malware to select users via an app update.

In January 2022, researchers reported another financially motivated scamware campaign dubbed Dark Herring that, they say, poses a threat to all devices capable of running Android apps. The threat actors behind Dark Herring uploaded almost 470 malicious apps to the Google Play store and achieved over 100 million installations.

3. Sideloading Linux and Linux Apps

Making Chromebooks more useful has been one of the major demands of its users over the years, and back in 2018 they got their wish when Google made it possible to run Linux apps and share the ChromeOS downloads folder with a natively-hosted Linux VM. Perfect for developers and others that want to do more with their Chromebook device. The catch? An increased attack surface. Linux malware may not be common in comparison to Windows, but it’s on the rise, by 35% in 2021 according to some estimates.

The question for those managing Chromebooks that allow Linux app installations, as with Android app installations, is what to do about visibility? In other words, if you did get hit by some Linux malware, how would you know? On top of that, ChromeOS has no native security mechanisms that can protect, detect or mitigate Linux-based malware.

4. Windows Malware on ChromeOS? Oh, Yes (Oh, No!)

Despite Google’s best intentions, it seems that in the end everything comes full circle. The original idea to deliver an OS that didn’t have Windows’ horrific problem with malware is finally undermined when it turns out that savvy users can in fact install Windows 10 apps if they choose.

But who would do that? Well, for one, users coming from a Windows background. Many students and teachers were brought up on Windows machines and Microsoft software, and old habits–and dependencies–die hard. Data that may be locked in proprietary software or just software that users are long-habituated to can now be accessed on a Chromebook by running Windows apps on ChromeOS.

On older versions of ChromeOS, they would have been out of luck, but thanks to the ability to run Linux apps discussed above, they can also install WINE, a Windows emulator, and with WINE they can download and execute Windows 10 applications.

Running Windows apps on a Chromebook doesn’t mean you will get malware, anymore than running Windows apps on a PC means you will get malware. But it does mean the attack surface has now opened up and the Chromebooks original promise–no downloading or launching of local, executable files–is entirely broken.

5. Malicious Chrome Extensions

Browser extensions have always been a security problem on every platform, and with ChromeOS’s heavy reliance on the Chrome browser, some of its biggest security headaches have been around users unknowingly installing malicious extensions.

The situation was particularly bad up until 2019, until Google started tackling the problem in more earnest, but the problem of malicious Chrome extensions is still with us in 2022.

6. Google Chromebook, The Internet and Scams

Chromebooks originally made their name on the concept of having users do everything in the cloud and on the web, but the internet is a dangerous place. The web only works because of JavaScript, and malicious websites that take advantage of the powers of JavaScript are easy to come across even during the safest of searches.

Some extortion sites use JavaScript to lock a user’s browser and try to extort money in order to “free” the computer. Others offer phoney ‘cloned’ login pages of popular websites in an attempt to steal credentials.

As with any other device, Google Chromebooks are susceptible to man-in-the-middle (MiTM) attacks when using public Wi-Fi. Coffee shops, beloved by study groups and tutors, are a prime location for an attacker to set up a fake network and sniff traffic. While encryption between the browser and most websites these days offer better protection than in the past, attackers can still scrape useful data that may help them target or profile users.

Secure Your Chromebooks Like Any Other Device

Here’s a simple truth that the recent history of malware and cyber attacks has proven time and time again: all computing devices are at risk of compromise if they contain valuable data, or are connected to a network where other devices contain valuable data. There is no such thing as a device or OS that can’t get malware. Threat actors have successfully exploited every kind of device and operating system at some point in time: Windows, Mac, iOS, Android, Linux, Docker containers, IoT devices, and yes, Chromebooks, too.

The only responsible security stance to take on all endpoints is to install an agent that offers you visibility and protection. If you would like to know more about how SentinelOne can help protect your Chromebooks and other devices, read more here, contact us, or request a free demo.

Singularity for ChromeOS
Real-Time Protection for Chromebooks

Paw Patrol Toddler Bed – A Trendy Big Kid Bed For Your Little Paw Patrol Fan!

What kid doesn’t love Paw Patrol?! It is the #1 TV show for kids and has the highest ratings on Nickelodeon! My son is obsessed. All of his friends are obsessed, too. We keep hearing great things about Paw Patrol, and we just had to see what the fuss was all about: that’s why we have already compiled a list of Paw Patrol kids chairs!

Paw Patrol TV series tells a story about boy-and-his-dog adventures with his six best friends: Chase, Marshall, Skye, Rocky, Zuma, and Rubble. Their mission is to protect Adventure Bay from different threats with technology or superpowers. The pups have their own land, sea, and air transportation vehicles.

Its primary audience is 2-5 years old, but I think that older kids would enjoy this show as well. 4 of the pups are boys and 1 girl pup – Skye. They are all fun and cute, very lovable!

We invest in the toys and cartoons we buy our kids to help shape their development. They love to watch, read, and play it all (and ask for more!). So when you decide to look into getting your toddler their very first big boy/big girl bed, of course, you want to look for one that they would be excited about – and one that would continue their love for Paw Patrol!

Paw Patrol Toddler Bed

When looking for a kids’ bed, you want it to be safe, sturdy, and stable. But you also want it to have the cool factor – something that your kid will enjoy and love! That’s why we were so excited about this Paw Patrol toddler bed: we knew our son would go nuts over this! When in doubt, get them something with their favorite Paw Patrol character on it!

The Paw Patrol Toddler Bed is an excellent gift for your child. A new toddler bed with a Paw Patrol design will give them the feeling of being in their own room and of sleeping safely on their own.

Toddler beds are a great way to transition your toddler from the crib into a regular bed, and with this Paw Patrol Toddler Bed, they’ll feel like part of the action straight away!

We have done our best to provide you with the most popular models on the market – toddler beds that are durable, comfortable, and aesthetically pleasing. Have a look!

Delta Children Wood Toddler Bed

This Paw Patrol Toddler Bed from Delta Children is just perfect! It comes in a bright, fun red color. The bed’s frame looks like a firetruck, with all the Paw Patrol decals you’ll love. It is, no doubt, the perfect firetruck bed for toddlers!

This toddler bed has elevated bedsides to help children feel secure and cozy at night – which is very important for little ones transitioning away from a crib. Thanks to them, your little one is safe from falling out of bed or from climbing over the edge.

The Delta Children Wood Toddler Bed is a great transitional item for toddlers up through preschool-aged kids. Made from solid wood construction with non-toxic paint, this bed is sturdy and built to hold up against the roughest of pups.

The mattress is not included with this toddler bed, but it’s easy to buy one separately! Any standard toddler mattress will fit.

Delta Children Plastic Toddler Bed

This Paw Patrol toddler bed from Delta Children is an excellent option for those looking for something less pricey.

Made from plastic; it is lightweight and easy to move around the room. It easily assembles. The Paw Patrol graphics are very cute – just right for toddlers!

The material used to create this bed is covered with non-toxic paint. On top of that, it’s very durable and lightweight – perfect for kids transitioning into their first big boy/girl bed! It includes an attached guard rail to keep your pup secure.

The bed matches regular-sized toddler mattresses. You can also get a matching Paw Patrol toddler bed set!

This Paw Patrol toddler bed is definitely one that you should consider buying. It has everything that your little fan will love – it’s fun, comfortable, and safe! Not just that, but the great design of this bed makes it very easy to fit in any kid’s room. Let your child feel like part of the team with this awesome toddler bed!

Delta Children 3D-Footboard Toddler Bed

If your child is a huge fan of Paw Patrol, then this bed is going to be his favorite for sure! It is fun, comfy, and very safe. The best part? It has a guard rail to prevent your toddler from falling off! Let’s face it – toddlers are not the most coordinated creatures. They are still exploring their sense of balance so that this Paw Patrol toddler bed will provide maximum safety for them.

Also, the Paw Patrol 3D-Footboard Toddler Bed has a low height for ease of access; it’s perfect for toddlers transitioning from the cot to a bed. The bed itself is made of non-toxic PVC. It has the Paw Patrol design with Chase on top, and it’s straightforward to assemble and clean (which is great for parents).

This bed does not come with a mattress, but it accommodates a standard crib mattress size, so you won’t have any trouble finding the right fit for your toddler’s bed. Recommended for ages 15 months+/ holds up to 50 lbs.

This is a quality toddler bed at a very reasonable price. It’s sturdy and safe for your little Paw Patrol fan to use! We love it!


This was our selection of the best toddler beds for your little Paw Patrol fan. Just pick one, order it and let your child feel like part of the team! They will surely fall in love with his new big kid bed!

We hope that through our review, you can make up your mind about which toddler bed is the best one for you. So hurry up and get yours! Your little pup will surely love it!

The post Paw Patrol Toddler Bed – A Trendy Big Kid Bed For Your Little Paw Patrol Fan! appeared first on Comfy Bummy.

Scary Fraud Ensues When ID Theft & Usury Collide

What’s worse than finding out that identity thieves took out a 546 percent interest payday loan in your name? How about a 900 percent interest loan? Or how about not learning of the fraudulent loan until it gets handed off to collection agents? One reader’s nightmare experience spotlights what can happen when ID thieves and hackers start targeting online payday lenders.

The reader who shared this story (and copious documentation to go with it) asked to have his real name omitted to avoid encouraging further attacks against his identity. So we’ll just call him “Jim.” Last May, someone applied for some type of loan in Jim’s name. The request was likely sent to an online portal that takes the borrower’s loan application details and shares them with multiple prospective lenders, because Jim said over the next few days he received dozens of emails and calls from lenders wanting to approve him for a loan.

Many of these lenders were eager to give Jim money because they were charging exorbitant 500-900 percent interest rates for their loans. But Jim has long had a security freeze on his credit file with the three major consumer credit reporting bureaus, and none of the lenders seemed willing to proceed without at least a peek at his credit history.

Among the companies that checked to see if Jim still wanted that loan he never applied for last May was Mountain Summit Financial (MSF), a lending institution owned by a Native American tribe in California called the Habematelol Pomo of Upper Lake.

Jim told MSF and others who called or emailed that identity thieves had applied for the funds using his name and information; that he would never take out a payday loan; and would they please remove his information from their database? Jim says MSF assured him it would, and the loan was never issued.

Jim spent months sorting out that mess with MSF and other potential lenders, but after a while the inquiries died down. Then on Nov. 27 — Thanksgiving Day weekend — Jim got a series of rapid-fire emails from MSF saying they’ve received his loan application, that they’d approved it, and that the funds requested were now available at the bank account specified in his MSF profile.

Curiously, the fraudsters had taken out a loan in Jim’s name with MSF using his real email address — the same email address the fraudsters had used to impersonate him to MSF back in May 2021. Although he didn’t technically have an account with MSF, their authentication system is based on email addresses, so Jim requested that a password reset link be sent to his email address. That worked, and once inside the account Jim could see more about the loan details:

The terms of the unauthorized loan in Jim’s name from MSF.

Take a look at that 546.56 percent interest rate and finance charges listed in this $1,000 loan. If you pay this loan off in a year at the suggested bi-weekly payment amounts, you will have paid $3,903.57 for that $1,000.

Jim contacted MSF as soon as they opened the following week and found out the money had already been dispersed to a Bank of America account Jim didn’t recognize. MSF had Jim fill out an affidavit claiming the loan was the result of identity theft, which necessitated filing a report with the local police and a number of other steps. Jim said numerous calls to Bank of America’s fraud team went nowhere because they refused to discuss an account that was not in his name.

Jim said MSF ultimately agreed that the loan wasn’t legitimate, but they couldn’t or wouldn’t tell him how his information got pushed through to a loan — even though MSF was never able to pull his credit file.

Then in mid-January, Jim heard from MSF via snail mail that they’d discovered a data breach.

“We believe the outsider may have had an opportunity to access the accounts of certain customers, including your account, at which point they would be able to view personal information pertaining to that customer and potentially obtain an unauthorized loan using the customer’s credentials,” MSF said.

MSF said the personal information involved in this incident may have included name, date of birth, government-issued identification numbers (e.g., SSN or DLN), bank account number and routing number, home address, email address, phone number and other general loan information.

A portion of the Jan. 14, 2022 breach notification letter from tribal lender Mountain Summit Financial.

Nevermind that his information was only in MSF’s system because of an earlier attempt by ID thieves: The intruders were able to update his existing (never-deleted) record with new banking information and then push the application through MSF’s systems.

“MSF was the target of a suspected third-party attack,” the company said, noting that it was working with the FBI, the California Sheriff’s Office, and the Tribal Commission for Lake County, Calif.  “Ultimately, MSF confirmed that these trends were part of an attack that originated outside of the company.”

MSF has not responded to questions about the aforementioned third party or parties that may be involved. But it is possible that other tribal lenders could have been affected: Jim said that not long after the phony MSF payday loan was pushed through, he received at least three inquiries in rapid succession from other lenders who were all of a sudden interested in offering him a loan.

In a statement sent to KrebsOnSecurity, MSF said it was “the victim of a malicious attack that originated outside of the company, by unknown perpetrators.”

“As soon as the issue was uncovered, the company initiated cybersecurity incident response measures to protect and secure its information; and notified law enforcement and regulators,” MSF wrote. “Additionally, the company has notified individuals whose personal identifiable information may have been impacted by this crime and is actively working with law enforcement in its investigation. As this is an ongoing criminal investigation, we can make no additional comment at this time.”

According to the Native American Financial Services Association (NAFSA), a trade group in Washington, D.C. representing tribal lenders, the short-term installment loan products offered by NAFSA members are not payday loans but rather “installment loans” — which are amortized, have a definite loan term, and require payments that go toward not just interest, but that also pay down the loan principal.

NAFSA did not respond to multiple requests for comment.

Nearly all U.S. states have usury laws that limit the amount of interest a company can charge on a loan, but those limits traditionally haven’t applied to tribal lenders.

Leslie Bailey is a staff attorney at Public Justice, a nonprofit legal advocacy organization in Oakland, Calif. Bailey says an increasing number of online payday lenders have sought affiliations with Native American tribes in an effort to take advantage of the tribes’ special legal status as sovereign nations.

“The reason is clear: Genuine tribal businesses are entitled to ‘tribal immunity,’ meaning they can’t be sued,” Bailey wrote in a blog post. “If a payday lender can shield itself with tribal immunity, it can keep making loans with illegally-high interest rates without being held accountable for breaking state usury laws.”

Bailey said in one common type of arrangement, the lender provides the necessary capital, expertise, staff, technology, and corporate structure to run the lending business and keeps most of the profits. In exchange for a small percent of the revenue (usually 1-2%), the tribe agrees to help draw up paperwork designating the tribe as the owner and operator of the lending business.

“Then, if the lender is sued in court by a state agency or a group of cheated borrowers, the lender relies on this paperwork to claim it is entitled to immunity as if it were itself a tribe,” Bailey wrote. “This type of arrangement — sometimes called ‘rent-a-tribe’ — worked well for lenders for a while, because many courts took the corporate documents at face value rather than peering behind the curtain at who’s really getting the money and how the business is actually run. But if recent events are any indication, legal landscape is shifting towards increased accountability and transparency.”

In 2017, the Consumer Financial Protection Bureau sued four tribal online payday lenders in federal court — including Mountain Summit Financial — for allegedly deceiving consumers and collecting debt that was not legally owed in many states. All four companies are owned by the Habematolel Pomo of Upper Lake.

The CFPB later dropped that inquiry. But a class action lawsuit (PDF) against those same four lenders is proceeding in Virginia, where a group of plaintiffs have alleged the defendants violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and Virginia usury laws by charging interest rates between 544 and 920 percent.

According to Buckley LLP, a financial services law firm based in Washington, D.C., a district court dismissed the RICO claims but denied the defense’s motion to compel arbitration and dismiss the case, ruling that the arbitration provision was unenforceable as a prospective waiver of the borrowers’ federal rights and that the defendants could not claim tribal sovereign immunity. The district court also “held the loan agreements’ choice of tribal law unenforceable as a violation of Virginia’s strong public policy against unregulated lending of usurious loans.”

Buckley notes that on Nov. 16, 2021, the U.S. Court of Appeals for the Fourth Circuit upheld the district court ruling, concluding that the arbitration clauses in the loan agreements “impermissibly force borrowers to waive their federal substantive rights under federal consumer protection laws, and contained an unenforceable tribal choice-of-law provision because Virginia law caps general interest rates at 12 percent.”

Jim said he learned of the Thanksgiving weekend MSF loan only because the hackers apparently figured it was easier to push through loans using existing MSF customer account information than it was to alter anything in the records other than the bank account for receiving the funds.

But had the hackers changed the email address, Jim might have first found out about the loan when the collection agencies came calling. And by then, his exorbitant loan would be in default and racking up some wicked late charges.

Jim says he’s still hopping mad at MSF, and these days he’s just waiting for the other shoe to drop.

“They issued this loan in my name without verification and without even checking my credit at all, even though they were already on notice that they shouldn’t have been dealing with me from the May incident,” Jim said. “I still feel like I’m going to get that call at some point from a collection agency asking why I haven’t been making payments on some installment loan I never asked for.”

Speed, Accuracy, Scale: Redefining Enterprise-Grade Response with Kroll and SentinelOne

We live in an age in which cyber attacks make front page news on a weekly, sometimes even daily basis. As the threat actors behind these attacks move faster, more deliberately, and more audaciously than ever before, it becomes increasingly clear that cyber incident preparedness and response must be treated as more than just a checkbox for today’s businesses. Moreover, not all approaches to incident response are created equal. Few organizations know this better than Kroll.

Kroll and Meeting the Needs of a Complex Threat Landscape

For 50 years, Kroll has been a premier provider of services and digital products related to valuation, governance, risk, and transparency, including cyber risk and incident response services. As organizations around the globe face disruptive, potentially devastating security events, they call on Kroll to detect, mitigate, and recover from the incident as quickly, accurately, and efficiently as possible. Evolving at pace with the growing complexity of cyber attacks requires Kroll’s responders to be equipped with the “latest and greatest technology,” defined by proven accuracy, enterprise scalability, and deep investigative capabilities.

Dave Wagner, Senior Vice President of Cyber Risk, heads up response operations at Kroll. As the front line operators of EDR technology from deployment and triage through remediation and recovery, Dave’s team “needs a partner that empowers us to deliver at the high level our clients expect and not be bound by technological limitations.” Enter SentinelOne.

“We are dealing with a complex threat landscape. Attacks are shifting really fast. The quicker we can get answers, the more likely our clients are to avoid costly implications.” — Dave Wagner, Vice President of Response Operations, Kroll


Accelerate Forensic Collection, Triage, and Response at Scale with Remote Script Orchestration

For SentinelOne clients, Kroll delivers three critical stages of the response process: collection of forensic artifacts, hunting and monitoring of active threat actor activity, and eradication of malicious activity in the environment followed by steps to build resilience in the long term. Plus, Kroll can also help with post-incident challenges thanks to their end-to-end solutions across cyber governance, assessments, and litigation support.

A crucial tool for the success of each of these steps is Remote Script Orchestration (RSO) powered by SentinelOne. Thanks to proprietary integrations between Kroll’s digital forensics tools like KAPE, SentinelOne RSO eliminates the need for Kroll clients to deploy additional agents during an incident, maximizing the value of the existing security stack to conduct forensics at scale and remotely respond to events on endpoints.

This enables Kroll to rapidly pull forensic triage from a client’s entire enterprise estate; Dave compares this to the days—if not weeks—it sometimes requires firms who are still markedly limited in their remote collection and response capabilities.

Additionally, RSO empowers the Kroll team to more quickly identify and diagnose the “patient zero” machine from an attack often in just minutes or hours, saving clients precious time and money, while formulating an appropriate response. For example, in the case of a ransomware attack, Kroll can leverage SentinelOne to determine the degree of data exfiltration that has occurred in the client environment.

Tracking and Mitigating Malicious Activity in Real Time

From these collected artifacts and the live telemetry recorded through SentinelOne’s ActiveEDR technology, Dave’s team can then determine relevant Indicators of Compromise (IOCs) and hunt for malicious behaviors using the Deep Visibility module. With these IOCs, they can also put detections in place using Storyline Active ResponseTM (STAR). STAR lets Kroll incorporate custom detection logic and immediately push it out to their customer’s entire fleet, or a subset, to either kill any matching process or alert on it for further investigation.

“With STAR, Kroll’s team can automate responses to suspicious processes based on additional behaviors such as IP address or DNS, which is helpful when IOCs are not hashes where a hash blacklist makes sense. We want to treat these IOCs as malicious, so whatever is reaching out will be killed and quarantined automatically, helping with containment. We use STAR rules as part of our engagements and are really pleased with it.” – Dave Wagner

Full-Circle Remediation and Recovery

With a clear, comprehensive picture of the attacker’s movements in the client environment, Kroll can then engage RSO once more to roll out custom remediation scripts and/or automated response playbooks to impacted machines.

These scripts can not only eradicate the malicious files that may have been found, but also capture, log, and remove any persistence mechanisms or other malicious artifacts that may have been put in place.

An added bonus? SentinelOne’s approach to RSO helps orchestrate script usage, mitigating delays or errors that might otherwise result when systems are offline.

Answering Key Incident Response Questions with Ranger

Implementing the right course of action in a cyber incident starts with visibility and insight. In turn, SentinelOne’s Ranger helps accelerate Kroll’s response by quickly identifying potential blind spots in coverage.

The network discovery and attack surface control capabilities of SentinelOne Singularity Ranger allow Dave and team to understand their coverage of the client environment and the scope of the threat within.

With Ranger, Dave can track the deployment of the Sentinel Agent in a tangible, measurable way. If 80% of an environment is covered by an agent, Ranger can quickly and easily install the agent on the unprotected 20%. Having eyes on every corner of the enterprise environment helps ensure his team carries out a complete, comprehensive response.

Ranger also comes into play in the many cases where attacks move laterally within the client’s network. Ranger can, for example, help Dave’s team hone in on DNS records resolving to a device with a particular IP address, and achieve visibility of the device’s current connectivity. This allows them to identify and contain affected devices in the attacker’s path, and even prevent further proliferation of the threat.

Revolutionize Incident Response With The Power of Partnership

Though many of the world’s top incident preparedness and response firms are equipped with a sweeping array of technologies with which they can eliminate a cyber threat, these technologies alone do not guarantee the most comprehensive, effective incident response.

It’s when technology is paired with expertise and strategic partnership that we can deliver sustainable solutions for organizations in their moments of need. That’s why SentinelOne and Kroll, partnered together, are following through on speed, efficiency, and accuracy for Kroll’s clients every day.

Beyond an intuitive user interface and support team that makes it easier to streamline operations, the response team at Kroll also has access to a dedicated Technical Account Manager at SentinelOne for immediate, informed guidance—even in the midst of an engagement. This ultimately drives faster results and recovery for Kroll’s clients when they need it most.

The Kroll team even directly interfaces with SentinelOne’s product management team, helping both parties to evolve their solutions and approach as the threat landscape grows in complexity and pace.

With this teamed approach, Kroll and SentinelOne can continue to defeat the cyber threats putting organizations around the globe at risk.

To read more, visit the SentinelOne Cyber Risk Partners page. If you would like to learn more about RSO, STAR, and the SentinelOne Singularity XDR platform, contact us for more information or request a free demo.

Cyber Risk Partners
SentinelOne partners are ready to respond to any type of security incident, and extend our technology, intelligence, and expertise to the complete security lifecycle.

The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good

This week, it was announced that several members of the ‘SilverTerrier’ group have been arrested. The Nigerian Police Force, along with Interpol, took down eleven members of the criminal outfit as part of Operation Falcon II.

The SilverTerrier group is tied to massive BEC (Business Email Compromise) campaigns across the region. BEC involves target organizations being tricked into making wire transfers or other payments to a malicious 3rd party rather than the intended recipient.

The operation was carried out in late December 2021, with the resulting arrests taking place across Lagos and Asaba. This is not the first time this group has been disrupted. Many additional members of the SilverTerrier group were arrested back in 2020 as part of Operation Falcon I.

The current operation discovered more than 50,000 possible targets within the group’s crosshairs. One of the suspects was in possession of over 800,000 sets of stolen credentials, said to have been obtained as per the group’s standard, malicious operations. At present, the IGFCTF (INTERPOL’s Global Financial Crime Taskforce) is working towards seizing or freezing the bank accounts and additional assets tied to the group.

It’s no surprise that email and spam are still the number one attack vectors out there. Criminals know that large corporations are still largely email-dependent when it comes to commerce with 3rd parties, and it is exactly this scenario that they target. It can not be said enough: be careful what you open and be cautious of what you click. The full Operation Falcon II release can be found here.

The Bad

This week it was disclosed that Italian fashion company, Moncler, was the target of a large-scale ransomware attack. The attack took place in the last weeks of 2021 and appears to have been the handiwork of BlackCat, a relatively new RaaS delivering payloads written in Rust.

The reveal comes on the heels of the BlackCat group publishing some of the pilfered data on their TOR-based victim blog. This includes all of “the logistics activities related to the shipping of final products”. In addition, the company has stated that unauthorized access to potentially sensitive personal information did occur, including information related to employees, consultants, and customers that appeared on the BlackCat leaks site.

The company has admirably taken a firm stance against paying ransoms. In addition, the company has issued a stern warning with regards to the holding and distribution of any of their stolen data.

“Moncler reminds all that information in the possession of cybercriminals is the result of illegal activities and that consequently, the acquisition, use and dissemination of the same constitutes a criminal offense.”

The company also stated that no payment or credit card data was compromised during the attack.

The Ugly

This week, it was revealed that the personal data of over a half-million individuals may have been exposed due to a large-scale cyberattack on a Red Cross contractor, according to an announcement from the ICRC (International Committee of the Red Cross).

The impacted data is highly sensitive as it pertains to the ‘Restoring Family Links’ program. This program is responsible for assisting the reunification of families that have been separated due to extraordinary factors such as natural disasters, war and conflict. The loss or leak of this type of data could be potentially devastating to those involved in the program. The director-general of the ICRC (Robert Martdini) was quoted as saying

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

It is stated that the attack, in total, affected data from at least sixty Red Cross and Red Crescent National Societies locations around the world.

While further details of the attack have not yet been released, it is likely that the attack mirrors other attacks by ransomware operators. As such, strong hygiene and prevention are the only means of risk avoidance here.

Crime Shop Sells Hacked Logins to Other Crime Shops

Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan  — “the best autoshop for your favorite shops’ accounts” — just normalizes this activity by making logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

The site says it sells “cracked” accounts, or those that used passwords which could be easily guessed or enumerated by automated tools. All of the credentials being sold by Accountz provide access to services that in turn sell access to stolen information or hijacked property, as in the case of “bot shops” that resell access to infected computers.

One example is Genesis Market, where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. Genesis even offers a custom-made web browser where you can load authentication cookies from botted PCs and waltz right into the account without having to enter a username or password or mess with multi-factor authentication.

Accountz is currently selling four different Genesis logins for about 40-50 percent of their unspent balances. Genesis mostly gets its inventory of botted computers and stolen logins from resellers who specialize in deploying infostealer malware via email and booby-trapped websites. Likewise, it appears Accountz also derives much of its stock from a handful of resellers, who presumably are the same ones doing the cybercrime service account cracking.

The Genesis bot shop.

In essence, Accountz customers are paying for illicit access to cybercrime services that sell access to compromised resources that can be abused for cybercrime. That’s seriously meta.

Accountz says its inventory is low right now but that it expects to offer a great deal more stock in the coming days. I don’t doubt that’s true, and it’s somewhat remarkable that services like this aren’t more common: From reporting my “Breadcrumbs” series on prominent cybercrime actors, it’s clear that a great many cybercriminals will use the same username and password across multiple services online.

What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication. That’s probably because so few customers supply their real contact information when they sign up. As a result, it is often far easier for customers to simply create a new account than it is to regain control over a hacked one, or to change a forgotten password. On top of that, most shops have only rudimentary tools for blocking automated login attempts and password cracking activity.

It will be interesting to see whether any of the cybercrime shops most heavily represented in the logins for sale at Accountz start to push back. After all, draining customer account balances and locking out users is likely to increase customer support costs for these shops, lower customer satisfaction, and perhaps even damage their reputations on the crime forums where they peddle their wares.

Oh, the horror.

PowerQuery Brings New Data Analytics Capabilities to Singularity XDR

Endpoint Detection and Response (EDR) provides increased visibility and the data necessary for incident response, detection of threats, threat hunting, and investigations. As Endpoint Detection and Response (EDR) evolves to become Extended Detection and Response (XDR), the amount and types of data will only increase. Adding more data should not require more people to make sense of it. With the SentinelOne acquisition of Scalyr last year, we acquired a rich set of data analytics capabilities that we are bringing to our customers to make it faster and easier to make sense of all that data.

SentinelOne is pleased to announce advanced query capabilities from within the Singularity XDR platform that will change how our users can ask complex data questions and get back answers quickly.

Introducing PowerQuery for Singularity XDR

The SentinelOne PowerQuery interface provides a rich set of commands for summarizing, transforming, and manipulating data. You can filter data, perform computations, create groups and statistical summaries to answer complex questions.

PowerQuery allows you not just to search data, but to get powerful summaries of your data without the limits of having to dig through thousands of events manually. As customers onboard new 3rd-party data via the Singularity Marketplace, PowerQuery will enable them to join data across telemetry sources beyond EDR.

PowerQuery can be very useful when you want to:

  • Group data (Sort, Count, etc.)
  • Use Statistics as part of the query to find anomalies or start a hunt
  • Look for specific things across the environment and get back a summary (IOCs)
  • Have the flexibility to join or union two or more queries together to find the needle in the haystack faster

Key Capabilities

  • Autocomplete makes it fast and effortless to build queries without understanding the schema
  • Save and export queries via the UI or API
  • Simple data summaries make finding threats and answering questions easier and faster
  • Perform numerical, string, and time-based functions on the data
  • Data aggregation (sum, count, avg, median, min, max, percentile, etc.)
  • Support for RegEx in queries (matches)
  • Query support for arithmetic operators (+, -, *, /, %, and negation)
  • Ternary operators to perform complex logic (let SLA_Status = (latency > 3000 OR error_percentage > .2 ) ? “violation” : “ok”)

PowerQuery Commands include:

  • Filter: Support any standard data query with autocomplete to make it simple.
  • Columns: Define which columns you want in the summary table
  • Group by Functions: Aggregates records, grouping them by one or more fields and computing aggregate statistics for each group and supports functions like (sum, count, estimate_distinct, percentile, min, max
  • Join: Execute two or more subqueries and merge the results into a single table. Only the data from the records that match the query will be included in the results.
  • Limit: Cap the number of records displayed or processed by subsequent commands
  • Sort: Determine the order in which records are displayed
  • Filter: Discards records that do not match a specific condition
  • Transpose: Remove columns from a table and create a new column from its values
  • Parse: Use regex to extract columns inline.
  • Union: Executes two or more subqueries and merges the results into a single table
  • Let: Defines one or more new fields in the table

There are many use cases for PowerQuery, but to help you understand the tool’s power, we have identified some examples to demonstrate how you can build queries to provide exportable and straightforward summaries of large amounts of data.

Example 1: Conti Ransomware IOC Hunt

A traditional ransomware search may require a simple query for a file hash; this is effective if you only have a few examples or matches in your environment. If the problem is more widespread, you could get back thousands of rows of data. With PowerQuery, you can quickly summarize all the hosts where you have seen this hash with additional details all from a single query. The question is, “show me a list of all the machines where we have seen this Conti hash” – this can quickly be answered with a PowerQuery.

In this PowerQuery example, we start with a simple search for a hash, but then add additional functions to group by endpoint name, add other columns to the table for source process display name and count and then sort by largest number to smallest.

Results of a PowerQuery for a Conti hash
  • Line 1: Search for a specific SHA hash
  • Line 2: Group by event count for each endpoint and source process
  • Line 3: add columns to the table for endpoint name, source process display name, and count
  • Line 4: Sort by largest to the smallest number of events

This query gives back an easy-to-read and understandable summary of potentially millions of records across a broad time range.

Example 2: Network Connection Volume by User and Endpoint

As part of threat hunting or an investigation, it may be helpful to determine hosts that have large amounts of connections on the network. With PowerQuery, you can do statistical calculations to build a table of endpoints and users making a high number of connections.

In this example, we start with a standard query for a process user.

Network Connection Volume by User and Endpoint

Just to walk through this query line by line:

  • Line 1: Simple wildcard search for source process user
  • Line 2: Creating a group called connection_count, the sum of the src.process.netConnCount field by process user and endpoint name
  • Line 3: Add additional columns to the table for endpoint and user
  • Line 4: Sort connection_count from largest to smallest
  • Line 5: Limit the results to the top 25

We provide auto-complete to make it easy to understand available fields and what you might want to do next.

Example 3: Top Threat Indicators by Endpoint

Threat indicators can be valuable data sources for threat hunting and investigations on a host. Many threat indicators are data points that don’t always turn into threat detections. Using PowerQuery, it may be possible to identify hosts with a significant number of threat indicators to potentially identify the early stages of an attack or a breached host.

In this example, we will build a hosts table with large numbers of threat indicators.

Top Threat Indicators by Endpoint

To answer this question with a PowerQuery, we just need a few additional transformations:

  • Line 1: Search for any records that have relevant indicator categories, not “General”
  • Line 2: Create a new column named Tactic, which is equal to the indicator.category field
  • Line 3: Define columns for our table – endpoint, indicator name, and tactic
  • Line 4: Group data by indicator count for each column
  • Line 5: Filter data to endpoints that have more than 1000 indicators over the time period
  • Line 6: Sort from largest indicator count to smallest

PowerQuery Extracts More Value From Your Data

PowerQuery is the next step towards providing the data analytics capabilities you need to unlock the full potential of your EDR and XDR data. While this blog post contains three simple examples of PowerQuery, there are many different capabilities for the tool to allow novice and advanced users to get answers from their data.

Users will have much larger limits on the number of rows in the data they are querying and won’t have to export search results to CSV for further analysis. Users can easily save these queries to come back and generate updated tables within seconds or use the API to pull this data into an external application.

If you would like to learn more about PowerQueries, Singularity XDR and the SentinelOne Data platform, contact us for more information or request a free demo.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.

Fisher-Prize Space Saver High Chair – When Space Is At The Essence Of Our Everyday Living

Fisher-Price has been a good name in the baby products industry for quite some time now. They are known to produce high-quality products that are safe, durable, and efficient. The Fisher-Price Space Saver High Chair is one of these products that have managed to establish itself as a part of our daily lives.

About Fisher-Prize Space Saver High Chair

The Fisher-Price SpaceSaver High Chair is one of the most popular high chairs in Europe and the US, which allows you to keep your child closer when they need it most: because a full-size high chair is too big for a tiny apartment or a small space in a guest room. But a regular booster seat isn’t safe enough when they start to feed themselves.

When the Fisher-Price high chair was introduced in 2009, it quickly landed on top of the ‘must have’ lists for moms with mobile little ones who prefer to roam around when eating.

The Fisher-Price Space Saver High Chair is simple to use, super safe, and it’s easy to clean. It also comes in a variety of colors so you can find the perfect match for your décor. But let’s take a closer look at this great device:
From a safety point of view, the Fisher-Price Space Saver High Chair has many features that make it safe for you and your child. The five-point harness keeps the baby safely in place while feeding themselves or being fed by others, so there is no need to worry.

You can choose from three different height settings according to what is comfortable for you when using this high chair which makes it easy on your back, and the adjustable tray is removable so you can clean it easily. The Fisher-Price Space Saver High Chair is also easy to transport from home to a grandparent’s house or even on holiday, making it one of the best high chairs for travel.

The size of this chair makes it possible to keep your baby close while they are eating or playing on their own. This means that you can enjoy your meals together while at the same time keeping an eye on them to make sure they are safe and happy.

From a practical point of view, having a high chair in your dining room is not ideal when you have little space. But with this baby device, you don’t sacrifice safety for life’s area because the Fisher-Price Space Saver High Chair only takes a little corner of your dining room.

The price of this product is very reasonable, and it’s more affordable than some other high chairs, which makes it also good value for money compared to others on the market. Some people opt for another type of chair like a booster seat because they don’t want to spend so much, but when you think about is this the safest option for your child? The fact that Fisher-Price has considered all this when designing this product is evident.

There are some disadvantages to owning this chair. One of which is that it can be a bit tricky to assemble, and another is that some people find it hard to adjust the height settings. But considering its many benefits, I think this device is definitely worth having in your home.

If you are thinking about purchasing a high chair for your baby, then you should take a good look at the Fisher-Price Space Saver High Chair. It’s easy to use, has excellent features, and does the job perfectly.

The Fisher-Price Space Saver High Chair is a baby feeding chair that fits seamlessly into your modern-day family life. The chair’s design was in direct response to moms who wanted convenience and simplicity without compromising on safety, comfort, or style for their babies.

The Fisher-Price Space Saver High Chair features:

  • Adjustable seat: 2 height adjustments & 3 recline positions
  • Machine-washable seat pad
  • Dishwasher-safe, segmented tray
  • Reusable tray liner
  • Safety harness
  • Toddler booster mode

Is The Fisher-Price Space Saver High Chair worth it?

The Fisher-Price Space Saver High Chair is easy to clean and has adjustable heights and reclines, making it practical for feeding or playing. The price is reasonable compared to other chairs with the same features.

Space Saver High Chair has a removable dishwasher tray and a 3-point harness system that keeps your baby safe and secure. While the baby is seated, a deep seat with soft polyester fabric, a machine-washable seat pad, a 5-point restraint belt for securing the child into the booster seat, and an adjustable height feature that allows you to bring the tray table to your baby.

The Fisher-Price Space Saver High Chair folds down flat for storage or travel. You can use this chair until your little one reaches up to 35 pounds, usually around 1 year of age. The Fisher-Price Space Saver High Chair will give you many years of enjoyment and help to feed your little one in complete safety and comfort.

This high chair is recommended by pediatricians and moms due to its safety standards & compact size. But some parents had issues with the height settings and putting it together.

However, we think that considering all the pros and some minor cons, this chair is still worth having in your home. And if you’re looking for a high chair without all those extra bells & whistles, then this may be something to consider for your family.

If this sounds just like what you have been looking for, don’t wait any longer! Buy the ultimate high chair from Amazon and enjoy your baby feeding time to the fullest!

How to assemble The Fisher-Price Space Saver High Chair

Assembling the Fisher-Price Space Saver High Chair can be a pain if you don’t know what you are doing. It’s not rocket science, but every little part of this device must be in its place.

This is what you need to do to assemble the chair:

  1. Place the seat pad on top of the metal frame and push the two pieces together to attach them.
  2. Place the shoulder straps in between the seat pad and metal frame to connect them.
  3. Feed both armrests through the holes on the back of the metal frame, and you should hear a ‘click’ sound indicating that they are firmly attached.
  4. Make sure that all joints and bolts are correctly tightened.

Now that your chair is assembled, you can start using it as soon as possible. You just have to put the adjustable tray in place and strap your child in with the safety buckle.

Our opinion on Fisher-Price Space Saver High Chair

The Fisher-Price Space Saver High Chair is a great product. It’s simple and does what it’s supposed to do well. Is there anything else to say? We love this baby chair because it allows you to eat dinner as a family without sacrificing your child’s safety. After all, the most important thing is that they are secure and happy.

A quick look on some websites that I trust for buying baby gear reveals a fantastic 95% of very positive reviews, which is definitely a good score, showing how much people love this product.

We love this high chair because it is the perfect solution for small homes, as well as a great alternative to standard high chairs or those bulky baby feeding gadgets that take up too much space. The Fisher-Price Space Saver High Chair is safe and easy to use, so I highly recommend it.

The post Fisher-Prize Space Saver High Chair – When Space Is At The Essence Of Our Everyday Living appeared first on Comfy Bummy.

IRS Will Soon Require Selfies for Online Access

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with Id.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.

At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates

The Russian government said today it arrested 14 people accused of working for “REvil,” a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown is part of an effort to reduce tensions over Russian President Vladimir Putin’s decision to station 100,000 troops along the nation’s border with Ukraine.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The FSB said it arrested 14 REvil ransomware members, and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized more than $600,000 US dollars, 426 million rubles (~$USD 5.5 million), 500,000 euros, and 20 “premium cars” purchased with funds obtained from cybercrime.

“The search activities were based on the appeal of the US authorities, who reported on the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB said. “Representatives of the US competent authorities have been informed about the results of the operation.”

The FSB did not release the names of any of the individuals arrested, although a report from the Russian news agency TASS mentions two defendants: Roman Gennadyevich Muromsky, and Andrey Sergeevich Bessonov. Russian media outlet RIA Novosti released video footage from some of the raids:

REvil is widely thought to be a reincarnation of GandCrab, a Russian-language ransomware affiliate program that bragged of stealing more than $2 billion when it closed up shop in the summer of 2019. For roughly the next two years, REvil’s “Happy Blog” would churn out press releases naming and shaming dozens of new victims each week. A February 2021 analysis from researchers at IBM found the REvil gang earned more than $120 million in 2020 alone.

But all that changed last summer, when REvil associates working with another ransomware group — DarkSide — attacked Colonial Pipeline, causing fuel shortages and price spikes across the United States. Just months later, a multi-country law enforcement operation allowed investigators to hack into the REvil gang’s operations and force the group offline.

In November 2021, Europol announced it arrested seven REvil affliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals, which referred to the men as “REvil Affiliate #22” and “REvil Affiliate #23.”

It is clear that U.S. authorities have known for some time the real names of REvil’s top captains and moneymakers. Last fall, President Biden told Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

So why now? Russia has amassed approximately 100,000 troops along its southern border with Ukraine, and diplomatic efforts to defuse the situation have reportedly broken down. The Washington Post and other media outlets today report that the Biden administration has accused Moscow of sending saboteurs into Eastern Ukraine to stage an incident that could give Putin a pretext for ordering an invasion.

“The most interesting thing about these arrests is the timing,” said Kevin Breen, director of threat research at Immersive Labs. “For years, Russian Government policy on cybercriminals has been less than proactive to say the least. With Russia and the US currently at the diplomatic table, these arrests are likely part of a far wider, multi-layered, political negotiation.”

President Biden has warned that Russia can expect severe sanctions should it choose to invade Ukraine. But Putin in turn has said such sanctions could cause a complete break in diplomatic relations between the two countries.

Dmitri Alperovitch, co-founder of and former chief technology officer for the security firm CrowdStrike, called the REvil arrests in Russia “ransomware diplomacy.”

“This is Russian ransomware diplomacy,” Alperovitch said on Twitter. “It is a signal to the United States — if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.”

The REvil arrests were announced as many government websites in Ukraine were defaced by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the Internet. “Be afraid and expect the worst,” the message warned.

Experts say there is good reason for Ukraine to be afraid. Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

The warning left behind on Ukrainian government websites that were defaced in the last 24 hours. The same statement is written in Ukrainian, Russian and Polish.

Russia also has been suspected of releasing NotPetya, a large-scale cyberattack initially aimed at Ukrainian businesses that ended up creating an extremely disruptive and expensive global malware outbreak.

Although there has been no clear attribution of these latest attacks to Russia, there is reason to suspect Russia’s hand, said David Salvo, deputy director of The Alliance for Securing Democracy.

“These are tried and true Russian tactics. Russia used cyber operations and information operations in the run-up to its invasion of Georgia in 2008. It has long waged massive cyberattacks against Ukrainian infrastructure, as well as information operations targeting Ukrainian soldiers and Ukrainian citizens. And it is completely unsurprising that it would use these tactics now when it is clear Moscow is looking for any pretext to invade Ukraine again and cast blame on the West in its typical cynical fashion.”