Author: rescue@crimefire.in

  • After Cyber Crime, Workplace Savers Face Long Odds to Get Repaid – Bloomberg Law

    By Austin R. Ramsey
    Workplace retirement savers who fall victim to cyber crimes are finding they don’t always have an easy way to get their money back as employers and service providers grapple over who’s responsible.
    The $19.8 trillion employer-sponsored retirement industry is ripe for web-based thieves, especially as portfolio management and distribution services shift online. Several high-profile federal lawsuits involving companies such as Abbott Laboratories Inc., Colgate-Palmolive Co., and Estee Lauder Cos. Inc. have shed light on the millions of dollars retirement savers are losing.
    Those lawsuits also are exposing the extreme lengths to which workers and retirees must go to be made whole after a cyber breach. The insurance products that protect plan sponsors and service providers when they point fingers at each other in the event of a cyber crime don’t cover the actual benefits at the center of the US workplace retirement industry, but are usually designed to cover business and legal costs. Without additional protections, advisers say, participants may have little recourse against a growing threat online.
    “One of if not the biggest threat for retirement plan assets are cyber attacks or cyber criminals,” said Kelly Geary, national executive risk and cyber practice leader at EPIC Insurance Brokers & Consultants, a subsidiary of Edgewood Partners Insurance Center Inc. “This is an incredibly lucrative target for criminals to go after, but, absent suing the company you do or used to work for, there are few avenues participants and beneficiaries have to be repaid.”
    Private-sector retirement plan decision-makers are held to a strict fiduciary standard to ensure that appropriate processes are in place to mitigate risks, safeguard assets, and do business with reputable vendors.
    The US Labor Department last year upped the ante for plan fiduciaries, issuing subregulatory guidance making it clearer that cyber protections were part of those routine duties. Emerging case law has split blame between fiduciaries and their vendors when crimes do occur.
    The actual victims of those crimes don’t always have a clear path forward, said José Jara, an employee benefits attorney at Fox Rothschild LLP in Morristown, N.J.
    “Participants and beneficiaries don’t have much control,” Jara said. “The service providers are selected by the plan sponsor, and they negotiate contracts. The participants don’t have any say on those contracts or the terms and conditions they cover.”
    Plan sponsors purchase fiduciary liability insurance to protect against negligence or fiduciary misconduct in the event of litigation, and sponsors and their service providers, such as recordkeeping firms, may purchase criminal liability or cyber insurance to protect against their own losses. But few companies purchase insurance on behalf of their participants.
    The Employee Retirement Income Security Act of 1974 (Pub.L. 93-406) requires plan fiduciaries to purchase fidelity bonds that protect participants and beneficiaries from internal threats when the criminal involved is their own employer or benefits advisory panel. External threats, however, aren’t covered.
    “What is a participant supposed to do when no one but the criminal is in the wrong?” said Daniel Aronowitz, managing principal and owner of Euclid Fiduciary Managers LLC.
    Benefit protections for cyber crimes do exist, but they’re not popular among retirement plan fiduciaries focused on curtailing legal threats against themselves first and foremost.
    The Labor Department has suggested that plan sponsors ask recordkeeping firms about cyber insurance they already have in place, which is a good place to start, Aronowitz said. Employers should demand a multifaceted security guarantee from their recordkeepers that includes both criminal and cybersecurity insurance designed to protect participants against fraudulent deferrals and social engineering, he added.
    “There’s a reason you don’t hear about these kinds of flagrant cyber breaches from major recordkeeping financial institutions,” Aronowitz said. “It’s not that they aren’t occurring, it’s that they have systems in place to automatically pay back participants well before it goes to court.”
    Next, plan sponsors themselves should consider taking out additional insurance policies that protect participants in addition to themselves, he added.
    Geary and Jara have pushed for Congress to mandate additional plan sponsor coverage that protects participants from external threats the same way they are from their own employers. The pair authored an article for Bloomberg Tax’s Tax Management Compensation Planning Journal recommending swift action to bolster ERISA fidelity bond coverage.
    “Fiduciaries have a responsibility to manage the plan prudently,” said Jara. “That doesn’t mean fiduciaries are FBI agents. They’re not in the business of protecting against crimes, especially more sophisticated crimes like cybersecurity.”
    To contact the reporter on this story: Austin R. Ramsey in Washington at aramsey@bloombergindustry.com
    To contact the editor responsible for this story: Martha Mueller Neff at mmuellerneff@bloomberglaw.com

  • How the FBI Stumbled in the War on Cybercrime – ProPublica

    Investigating cybercrime was supposed to be the FBI’s third-highest priority, behind terrorism and counterintelligence. Yet, in 2015, FBI Director James Comey realized that his Cyber Division faced a brain drain that was hamstringing its investigations.
    Retention in the division had been a chronic problem, but in the spring of that year, it became acute. About a dozen young and midcareer cyber agents had given notice or were considering leaving, attracted by more lucrative jobs outside government. As the resignations piled up, Comey received an unsolicited email from Andre McGregor, one of the cyber agents who had quit. In his email, the young agent suggested ways to improve the Cyber Division.
    Comey routinely broadcast his open-door policy, but senior staff members were nevertheless aghast when they heard an agent with just six years’ experience in the bureau had actually taken him up on it. To their consternation, Comey took McGregor’s email and the other cyber agents’ departures seriously. “I want to meet these guys,” he said. He invited the agents to Washington from field offices nationwide for a private lunch.
    As news of the meeting circulated throughout headquarters, across divisions and into the field, senior staff openly scorned the cyber agents, dubbing them “the 12 Angry Men,” “the Dirty Dozen” or just “these assholes.” To the old-schoolers — including some who had risked their lives in service to the bureau — the cyber agents were spoiled prima donnas, not real FBI.
    The cyber agents were as stunned as anyone to have an audience with Comey. Despite their extensive training in interrogation at the FBI Academy in Quantico, Virginia, many were anxious about what the director might ask them. “As an agent, you never meet the director,” said Milan Patel, an agent who attended the lunch. “You know the director, because he’s famous. But the director doesn’t know you.”
    You also rarely, if ever, go to the J. Edgar Hoover Building’s seventh floor, where the executive offices are. But that day, the cyber agents — all men, mostly in their mid-30s, in suits, ties and fresh haircuts — strode single file down the seventh-floor hall to Comey’s private conference room. Stiffly, nervously, they stood waiting. Then Comey came in, shirt sleeves rolled up and bag lunch in hand.
    “Have a seat, guys,” he told them. “Take off your coats. Get comfortable. Tell me who you are, where you live and why you’re leaving. I want to understand if you are happy and leaving, or disappointed and leaving.”
    Around the room, everyone took a turn answering. Each agent professed to be happy, describing his admiration for the bureau’s mission.
    “Well, that’s a good start,” Comey said.
    Then sincerity prevailed. For the next hour, as they ate their lunches, the agents unloaded.
    They told Comey that their skills were either disregarded or misunderstood by other agents and supervisors across the bureau. The FBI had cliques reminiscent of high school, and the cyber agents were derisively called the Geek Squad.
    “What do you need a gun for?” SWAT team jocks would say. Or, from a senior leader, alluding to the physical fitness tests all agents were required to pass, “Do you have to do pushups with a keyboard in your backpack?” The jabs — which eroded an already tenuous sense of belonging — testified to the widespread belief that cyber agents played a less important role than others in the bureau.
    At the meeting, the men also registered their opposition to some of the FBI’s ingrained cultural expectations, including the mantra that agents should be capable of doing “any job, anywhere.” Comey had embraced that credo, making it known during his tenure that he wanted everyone in the FBI to have computer skills. But the cyber agents believed this outlook was misguided. Although traditional skills, from source cultivation to undercover stings, were applicable to cybercrime cases, it was not feasible to turn someone with no interest or aptitude in computer science into a first-rate cyber investigator. The placement of nontechnical agents on cyber squads — a practice that dated to the 1990s — also led to a problem that the agents referred to as “reeducation fatigue.” They were constantly forced to put their investigations on hold to train newcomers, both supervisors and other cyber agents, who arrived with little or no technical expertise.
    Other issues were personal. To be promoted, the FBI typically required agents to relocate. This transient lifestyle caused family heartache for agents across the bureau. One cyber agent lamented the lack of career opportunities for his spouse, a businesswoman, in far-flung offices like Wichita. The agents told Comey they didn’t have to deal with “the shuffle” around the country for professional advancement because their skills were immediately transferable to the private sector and in high demand. They had offers for high-profile jobs paying multiples of their FBI salaries. Unlike private employers worried about staying competitive, the FBI wasn’t about to disrupt its rigid pay scale to keep its top cyber agents.
    Feeling they had nothing to lose, the agents recommended changes. They told Comey that the FBI could improve retention by centralizing cyber agents in Washington instead of assigning them to the 56 field offices around the country. That made sense because, unlike investigating physical crimes like bank robbery, they didn’t necessarily need to be near the scene to collect evidence. Plus, suspects were often abroad.
    Most important, they wanted the bureau’s respect.
    Comey listened, asked questions and took notes. Then he led them to his private office. They glanced around, most of them knowing they were unlikely to be granted such access to power again. Comey’s desk featured framed photos of his wife and children, and the carpet was emblazoned with the FBI’s seal. The agents had such respect for the bureau that they huddled close so that no one had to step on any part of the seal.
    Perhaps the most striking feature of the office was the whiteboard that sprawled across one of the walls. On it was an organizational chart of the bureau’s leadership with magnets featuring the names and headshots of FBI executives and special agents in charge of field offices. Many were terrorism experts who had risen through the hierarchy in the aftermath of the Sept. 11, 2001, attacks.
    Comey was sympathetic to his visitors and recognized the importance of cyber expertise to the FBI’s future. At the same time, he wasn’t going to overhaul the bureau and alienate the powerful old guard to please a group of short-timers.
    “Look, I know we’ve got a problem with leadership here,” Comey told the cyber agents as they studied the whiteboard, according to agents who were there. “I want to fix it, but I don’t have enough time to fix it. I’m only here for a limited amount of time; it’s going to take another generation to fix some of these cultural issues.”
    But the agents knew the FBI couldn’t afford to wait another generation to confront escalating cyberthreats like ransomware.
    Ransomware is the unholy marriage of hacking and cryptography. Typically, the attackers capitalize on a cybersecurity flaw or get an unsuspecting person to open an attachment or click a link. Once inside a computer system, ransomware encrypts the files, rendering them inaccessible without the right decryption key — the string of characters that can unlock the information — for which a ransom is demanded.
    Although attacks were becoming more sophisticated, bureau officials told counterparts in the Department of Homeland Security and elsewhere in the federal government that ransomware wasn’t a priority because both the damages and the chances of catching suspects were too small. Instead of aggressively mobilizing against the threat, the FBI took the lead in compiling a “best practices” document that warned the public about ransomware, urged prevention and discouraged payments to hackers.
    Through an intermediary, Comey, fired from his FBI position by then-President Donald Trump in 2017, declined to comment on the meeting. The FBI acknowledged but did not respond to written questions.
    To FBI leadership, ransomware was an “ankle-biter crime,” said an agent who attended the meeting with Comey.
    “They viewed it as a Geek Squad thing, and therefore they viewed it as not important,” he said.
    Many of the issues the FBI cyber agents raised during their meeting with Comey were nothing new. In fact, the bureau’s inertia in tackling cybercrime dated all the way back to a case involving the first documented state-sponsored computer intrusion.
    In 1986, Cliff Stoll was working as a systems administrator at the Lawrence Berkeley National Laboratory when his boss asked him to resolve a 75-cent shortfall in the accounting system the lab used for charging for computing power. Stoll traced the error to an unauthorized user and ultimately unraveled a sprawling intrusion into computer systems of the U.S. government and military. Eventually, the trail led to German hackers paid by the Soviet Union’s intelligence service, the KGB. Stoll immortalized his crusade in the 1989 book “The Cuckoo’s Egg.” In the course of his investigation, he tried seven times to get the attention of the FBI but was rebuffed each time.
    “Look, kid, did you lose more than a half million dollars?” the FBI asked him.
    “Uh, no,” Stoll replied.
    “Any classified information?”
    “Uh, no.”
    “Then go away, kid.”
    Stoll later spoke with an Air Force investigator who summed up the FBI’s position: “Computer crimes aren’t easy — not like kidnapping or bank robbery, where there’s witnesses and obvious losses. Don’t blame them for shying away from a tough case with no clear solution.”
    It wasn’t until almost a decade later that the federal government took its first significant step to organize against cyberthreats. After the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, the Clinton administration called together a dozen officials from across the government to assess the vulnerability of the nation’s critical infrastructure. Since essential services such as health care and banking were moving online, the committee quickly turned its attention from physical threats, like Timothy McVeigh’s infamous Ryder truck, to computer-based ones.
    The group helped establish what became known as the National Infrastructure Protection Center in 1998. With representatives from the FBI, the Secret Service, intelligence agencies and other federal departments, the NIPC was tasked with preventing and investigating computer intrusions. The FBI was selected to oversee the NIPC because it had the broadest legal authority to investigate crime.
    Turf battles broke out immediately. The National Security Agency and the Pentagon were indignant about reporting to the FBI about sophisticated computer crimes that they believed the bureau was incapable of handling, said Michael Vatis, then a deputy U.S. attorney general who led the effort to launch the center.
    “They said: ‘Oh, no, no, no. It can’t be the FBI,’” Vatis recalled. “‘All they know how to do is surround a crime scene with yellow tape and take down bad guys. And they’re notorious for not sharing information.’”
    Meanwhile, infighting over resources roiled the FBI. “You had a lot of old-line people arguing about whether cybercrime was real and serious,” Vatis said. “People who came up through organized crime, or Russian counterintelligence. They were like: ‘This is just a nuisance from teenagers. It’s not real.’”
    At the time, only a couple of dozen FBI agents had any experience or interest in investigating computer crime. There weren’t nearly enough tech-literate agents to fill the scores of new job openings in the NIPC. Needing warm bodies, the FBI summoned volunteers from within its ranks, regardless of background. Among them was the New Orleans-based agent Stacy Arruda. During her first squad meeting in 1999, as her supervisor talked about “Unix this, and Linux that,” she realized she was in over her head.
    “Arruda, do you have any idea what I’m talking about?” the supervisor asked her.
    “Nope.”
    “Why are you nodding and smiling?”
    “I don’t want to look stupid.”
    It was an easy admission because most of the new NIPC agents were similarly uninformed about the world they would be investigating.
    When the bureau ran out of volunteers to join the NIPC, agents were “volun-told” to join, Arruda said. That’s what happened to Scott Augenbaum. He said he was assigned to the NIPC because he was the only agent in his Syracuse, New York, office “who had any bit of a technology background,” meaning he “could take a laptop connected to a telephone jack and get online.” He was disappointed by the assignment because it was “not the cool and fun and sexy job to have within the FBI.” His friends in the bureau teased him. “They told me, ‘This cyber thing is going to hurt your career.’”
    Following the Sept. 11, 2001, terrorist attacks, FBI Director Robert Mueller created the bureau’s Cyber Division to fight computer-based crime. The division took over the NIPC’s investigative work, while prevention efforts moved to the Department of Homeland Security, which was established in November 2002. The DHS, however, put the computer crime prevention mission on hold for years as it focused instead on deterring physical attacks.
    To ramp up the new division, the FBI put a cyber squad in each field office and launched a training program to help existing agents switch tracks. It also benefited from the “patriot effect,” as talented computer experts who felt a call to service applied. Among them were Milan Patel and Anthony Ferrante, two of the agents who would attend the meeting with Comey.
    Fresh out of college, Ferrante was working as a consultant at Ernst & Young on 9/11. From his office in a Midtown skyscraper, he watched the towers fall. In the days that followed, he resolved to use his computer skills to fight terrorism. While pursuing a master’s degree in computer science at Fordham University, he met with an FBI recruiter who was trying to hire digital experts for the new Cyber Division. The recruiter asked Ferrante what languages he knew.
    “HTML, JavaScript, C++, Business Basic,” he answered.
    “What are those?” the perplexed recruiter responded. “I mean, Russian, Spanish, French.”
    It wouldn’t be the last time Ferrante felt misunderstood by the bureau. When he arrived at Quantico in 2004, he found himself in a firearms class of about 40 new agents-in-training. There, the instructor asked: “Who here has never shot a gun?”
    With his gaze cast downward as he concentrated on taking notes, Ferrante raised his hand. The room became silent. He looked around and saw he was the only one. Everyone stared.
    “What’s your background?” the instructor asked.
    “I’m a computer hacker,” Ferrante said.
    On a campus that recruits jokingly referred to as “college with guns,” his answer was not well received. The instructor shook his head, rolled his eyes and moved on.
    Patel arrived at the FBI Academy in 2003 with a college degree in computer science from the New Jersey Institute of Technology. From Quantico, he was assigned to a cyber squad in New York, where his new boss didn’t quite know what to do with him. The supervisor handed him a beeper, a Rand McNally map and the keys to a 1993 Ford Aerostar van that “looked like it was bombed out in Baghdad,” Patel said. Another agent set him up with a computer running a long-outdated version of Windows.
    “Oh my God, this is like the Stone Age,” he thought. As time went on, Patel discovered how cumbersome it was to brief supervisors about cyber cases. Since many of them knew little about computers, he had to write reports that he considered “borderline childish.”
    “You had to try to relate computers to cars,” he said. “You’re speaking a foreign language to them, yet they’re in charge, making decisions over the health of what you do.”
    Patel realized that most of his Cyber Division colleagues, like Arruda and Augenbaum, didn’t have a technical background. The bureau tried to turn traditional law enforcement officers into tech specialists while passing over computer scientists who could not meet its qualifications to become agents. “Is the person who can do 15 pull-ups and run 2 miles around the track in under 16 minutes the same guy that you want decrypting ransomware?” Patel said. “Typically people who write code and enjoy the passion of figuring out malware, they’re not in a gym cranking out squats.”
    Some agents ended up in the Cyber Division because it had openings when they graduated from Quantico, or because it was a stop on the way to a promotion. In a popular move, many senior agents and supervisors pursued a final assignment in the division before becoming eligible for retirement at age 50, knowing it made them more attractive to private-sector employers for their post-FBI careers.
    “On a bureau cyber squad, you typically have one or two people, if you’re lucky, who can decrypt and do network traffic analysis and programming and the really hard work,” Patel said. “And you’ve got two or three people who know how to investigate cybercrime and have a computer science degree. And the rest — half of the team — are in the cyber program, but they don’t really know anything about cyber.” Some of those agents made successful cases anyway, but they were the exception.
    Despite the internal headwinds, Patel worked on some of the bureau’s marquee cybercrime cases. He led the investigation into Silk Road, the black-market bazaar where illegal goods and services were anonymously bought and sold. As part of a sprawling investigation into the dark web marketplace, law enforcement located six of Silk Road’s servers scattered across the globe and compromised the site before shutting it down in October 2013. Ross Ulbricht, of San Francisco, was later found guilty on narcotics and hacking charges for his role in creating and operating the site. He is serving two life sentences plus 40 years in prison. Patel was nominated for the FBI Director’s Award for Investigative Excellence; he became a Cyber Division unit chief, advising on technology strategy. Then, shortly after the Dirty Dozen meeting with Comey, he left the FBI for a higher-paying job in the private sector.
    Ferrante was selected for the FBI’s Cyber Action Team, which deployed in response to the most critical cyber incidents globally. As a supervisory special agent, he became chief of staff of the FBI’s Cyber Division. After the meeting with Comey, Ferrante remained in the FBI for another two years. He left in 2017 to become global head of cybersecurity for FTI Consulting, where he worked with companies victimized by ransomware.
    He kept tabs on the bureau’s public actions in fighting the crime. Despite occasional successes, he said in 2021 that he was disappointed by the small number of ransomware-related indictments in the years that followed Comey’s 2015 gathering.
    “They would work cases, but those cases would just spin, spin, spin,” Ferrante said. “No, they’re not taking it seriously, so of course it’s out of control now because it’s gone unchecked for so many years. … Nobody understood it — nobody within the FBI, and nobody within the Department of Justice. Because they didn’t understand it, they didn’t put proper resources behind it. And because they didn’t put proper resources behind it, the cases that were worked never got any legs or never got the attention they deserved.”
    By 2012, FBI leadership recognized that most crimes involved some technical element: the use of email or cellphones, for example. So that year, it began to prioritize hiring non-agent computer scientists to help on cases. These civilian cyber experts, who worked in field offices around the country, did not carry weapons and were not required to pass regular physical fitness tests. But respect for the non-gun-carrying technical experts was lacking. This widespread condescension was reflected in a nickname that Stacy Arruda, the early NIPC agent who went on to a career as a supervisor in the Cyber Division, had for them: dolphins.
    “Someone who is highly intelligent and can’t communicate with humans,” said Arruda, who retired from the FBI in 2018. “When we would travel, we would bring our dolphins with us. And when the other party started squeaking, we would have our dolphins squeak right back at them.”
    If agents like Patel and Ferrante had a hard time winning the institutional respect of the FBI, it seemed almost impossible for the dolphins to do so. They worked on technical aspects of all types of cases, not just cyber ones. Yet, despite the critical role they played in investigating cyber cases — sometimes as the sole person in a field office who understood the technical underpinnings of a case — these civilian computer scientists were often regarded as agents’ support staff and treated as second-class citizens.
    Randy Pargman took a circuitous route to becoming the Seattle field office’s dolphin. As a kid in California, Pargman regularly hung out with his grandma, who was interested in technology. She bought magazines that contained basic code and helped Pargman copy it onto their Atari video game console. It was his introduction to computer programming. Later, as a teenager, Pargman was drawn to a booth of ham radio enthusiasts at a county fair and soon began saving up to buy his own $300 radio. It was the early 1990s, before most home users were online, so Pargman was thrilled when he used the radio to access pages from a library in Japan and send primitive emails.
    After high school, Pargman put his radio skills to work when he became a Washington State Patrol dispatcher. Although it wasn’t a part of the job description, he created one computer program to improve the dispatch system’s efficiency and another to automate the state’s process for investigating fraud in vehicle registrations. The experience led him to study computer science at Mississippi State. In the summer of 2000, while still in college, Pargman completed an FBI internship, an experience that left him with a deep appreciation for the bureau’s mission. So, following brief stints working for the Department of Defense and as a private sector software engineer once he graduated, he applied to become an agent. He was hired in 2004, around the same time as Patel and Ferrante.
    Like those two agents, Pargman was shocked by the digital Stone Age he found himself in upon arriving. At the FBI Academy, a computer instructor gave lessons on typing interviews and reports on WordPerfect, the word processing platform whose popularity had peaked in the late 1980s. To Pargman, even more outrageous than the FBI’s use of WordPerfect was the notion that agents would need instruction on such a basic program. The first week of class, the instructor delivered another surprise.
    “OK, who are the IT nerds in here?” he asked.
    After Pargman and a classmate raised their hands, the instructor addressed them directly.
    “You’re not going to be working on cybercrimes. You’re going to be working on whatever the bureau needs you to do.”
    The other tech-savvy recruit later confided to Pargman that he was dropping out of the FBI Academy to return to private industry. “This is not what I thought it was going to be,” he said.
    Pargman was similarly torn. He believed in the FBI’s mission but wanted to work solely on cybercrime. Like Ferrante, he didn’t have experience with guns, and he was unsure about how he would handle that aspect of the job. He faced a reckoning when an FBI speaker led a sobering session about the toughest aspects of working for the bureau, from deadly force scenarios to the higher-than-average rates of suicide and divorce among agents.
    After consulting with FBI counselors and a bureau chaplain, Pargman decided he didn’t want to become an agent. Instead, he stayed in the FBI as a civilian, working as a software developer at the FBI Academy. Eight years later, when the FBI launched the computer science track, Pargman eagerly applied. He became the Seattle field office’s dedicated computer scientist in October 2012.
    “This is why I had gotten into the FBI to begin with,” Pargman said. “I can concentrate just on cybercrime investigations and not have to deal with the whole badge and gun.”
    Once Pargman got to Seattle, he began to dream big. His vision: The FBI could model its Cyber Division after one of the world’s most successful computer crime-fighting law enforcement organizations, the Dutch High Tech Crime Unit. He knew how traditional and hidebound the bureau was, how different from the HTCU and its innovative culture. But, ever idealistic, he hoped that the HTCU’s remarkable track record would persuade the FBI to adopt elements of the Dutch approach.
    Pargman had long been familiar with the HTCU’s reputation for arresting hackers and disrupting their infrastructure. When he met a Dutch officer through an FBI program for midcareer professionals, he asked her the secret to the HTCU’s success. Her response was straightforward: the HTCU was effective because it paired each traditional police officer with a computer scientist, partnerships that had been a founding priority of the unit. While the HTCU computer scientists weren’t required to pass police exams, meet physical fitness requirements, or handle weapons, they nonetheless were entitled to the same rank and promotions as their traditional counterparts. They also were not obligated to pivot to noncomputer work during their police careers.
    The density of computer science experts in the HTCU astounded Pargman, who thought it was brilliant. He suggested the Dutch approach to managers in the FBI’s Operational Technology Division, which oversaw the new computer science track. They laughed.
    “We can’t get funding for that many computer scientists,” one contact told him. “That would be crazy.”
    Pargman acknowledged that, since the FBI’s Cyber Division was much larger than the Dutch Police’s HTCU, establishing a one-to-one partnership was a stretch. Yet the FBI’s setup all but ensured that its drastically outnumbered computer scientists would not find a collective voice, as the tech experts had done in the HTCU. As Pargman dug into cyber investigations in Seattle, he learned that the bureau’s staffing imbalance was straining its cyber experts, both civilian computer scientists and technically advanced agents like Patel and Ferrante.
    Many of the cyber agents Pargman worked with in Seattle had prior careers as accountants, attorneys or police officers. To get acquainted with the digital world, they took crash courses offered by the SANS Institute, the bureau’s contractor for cybersecurity training; popular offerings included Introduction to Cyber Security and Security Essentials Bootcamp. From an institutional perspective, learning on the job to investigate computer crime was no different from learning on the job to investigate white-collar or gang crime. But FBI leadership didn’t take into account something that early leaders in the Dutch HTCU knew from the unit’s start: It’s not easy to teach advanced computer skills to someone who has no technical background.
    Cyber agents routinely came to Pargman with basic tasks such as analyzing email headers, the technical details stored within messages that can contain helpful clues.
    “This is easy, you need to learn how to do this,” Pargman told one agent. He produced the IP address from the headers.
    “What does that mean?” the agent responded. “What is this IP address?”
    Pargman had to make the time to help because, if he didn’t, the agent might do something embarrassing, like attempt to subpoena publicly available information “because they just didn’t know any better.”
    In the FBI, investigations into specific ransomware strains were organized by field office. For example, Springfield, Illinois, investigated complaints involving a strain called Rapid, while Anchorage, Alaska, investigated those related to Russia-based Ryuk, one of the first ransomware gangs to routinely demand six-figure payments and to carefully select and research its targets. From time to time, Pargman learned of victim complaints to the Seattle office about emerging ransomware strains. Since cases weren’t assigned directly to computer scientists, he pushed the agents to take them on. “Oh boy, here’s one that nobody is working,” he told one colleague. “Let’s jump on this.”
    “That sounds amazing,” the agent responded. “But I’ll be so busy with that case that I won’t get to do anything else.”
    In the early days of ransomware, when hackers demanded no more than a few hundred dollars, the FBI was uninterested because the damages were small — not unlike Cliff Stoll’s dilemma at Berkeley. Later, once losses grew to hundreds of thousands or even millions of dollars, agents had other reasons to want to avoid investigating ransomware. In the FBI, prestige springs from being a successful “trial agent,” working on cases that result in indictments and convictions that make the news. But ransomware cases, even with the enthusiastic support of a computer scientist like Pargman, were long and complex, with a low likelihood of arrest.
    The fact that most ransomware hackers were outside the United States made the investigative process challenging from the start. To collect evidence from abroad, agents needed to coordinate with federal prosecutors, FBI legal attachés and international law enforcement agencies through the Mutual Legal Assistance Treaty process. Seemingly straightforward tasks, such as obtaining an image of a suspicious server, could take months. And if the server was in a hostile country such as Iran or North Korea, the agents were out of luck. Aware of this international labyrinth, even some federal prosecutors discouraged agents from pursuing complex cyber investigations.
    During Pargman’s time as Seattle’s computer scientist, the field office took on a number of technically sophisticated cases. He was especially proud of one that led to the Justice Department’s indictment, unsealed in 2018, of hackers accused in the notorious Fin7 attacks. They breached more than 100 U.S. companies and led to the theft of more than 15 million customer credit card records. But during his seven years in Seattle, the office never got a handle on ransomware.
    “If you spend all of your time chasing ransomware, and for years you never make a single arrest of anybody, you’re seen as a failure,” Pargman said. “Even if you’re doing a ton of good in the world, like sharing information and helping protect people, you’re still a failure as an investigator because you haven’t arrested anybody.”
    Despite its own inaction, the FBI feuded with the other federal agency responsible for investigating ransomware: the Secret Service. Although the Secret Service has been guarding presidents since 1894, its lesser-known mission of combating financial crimes dates back even longer — to the day in April 1865 that Abraham Lincoln was assassinated. Before heading to Ford’s Theatre, Lincoln signed legislation creating the agency and giving it the mandate to fight counterfeit currency. As financial crime evolved and moved online, the Secret Service and the FBI squabbled over cases. Although it, too, had a federal mandate to fight computer crime, the Secret Service was sometimes bigfooted by the FBI, said Mark Grantz, who was a supervisory special agent for the Secret Service in Washington.
    “They’d say: ‘Yeah, we’ve got a case on that already. We were looking at him five years ago. Give us everything you’ve got and we’ll go from there.’ That was their M.O.,” Grantz said. It left him wondering: “You haven’t touched that case in five years, why are you asking me for my case file?”
    Grantz led an investigation into a ransomware attack in January 2017, eight days before Donald Trump’s inauguration. The strike disabled computers linked to 126 street cameras in a video surveillance system monitoring public spaces across Washington, D.C., including along the presidential parade route. Instead of paying the five-figure ransom, the district scrambled to wipe and restart the cameras, which were back online three days before the swearing-in. Assisted by other law enforcement organizations, the Secret Service traced the hack to two Romanians, who were arrested in Europe, extradited to the United States and found guilty on wire fraud charges — an uncommon U.S. law enforcement success against ransomware operators.
    Other Secret Service investigations sometimes stalled because agents had to rotate away for protective detail. “That’s where it gets frustrating,” Grantz said. “You’d train someone. They’d do digital forensics for five years. They’d get really good at it. And then you’d send them off to do presidential detail.”
    Randy Pargman also grew frustrated by the FBI’s reluctance to engage meaningfully with private-sector cybersecurity researchers like the Ransomware Hunting Team. An elite, invitation-only group of tech wizards in seven countries, the team has uncovered keys to hundreds of ransomware strains, saving millions of individuals, businesses, schools and other victims from paying billions of dollars in ransom. When the FBI did connect with experts in the private sector, sensitive information typically flowed only in one direction — to the bureau.
    Following large cyberattacks against U.S. targets, the FBI routinely affirmed its commitment to public-private partnerships to help prevent and gather intelligence on such strikes. But some agents believed the rhetoric was hollow, comparing it to public officials’ offering “thoughts and prayers” after mass shootings. The reality was that many people in the FBI had a deep distrust of private-sector researchers.
    “There’s this feeling among most agents that if they share even a little bit of information with somebody in the private sector, that information will get out, broadcast over the internet — and the bad guys will definitely read it, and it will destroy the whole case,” Pargman said.
    Even though he couldn’t work on ransomware cases, Pargman found ways to feel fulfilled in his job, including by helping organizations defend themselves against impending cyber intrusions. He examined malware command-and-control servers obtained through the MLAT process, then alerted potential victims to imminent attacks. “That was a really good feeling because we stopped a ton of those intrusions,” he said. FBI leadership rewarded his efforts: Pargman earned both the FBI Director’s Award for Excellence in Technical Advancement and the FBI Medal of Excellence.
    But he grew tired of his subordinate role as an “agent helper,” and he thought about how things would be different if the FBI were more like the Dutch HTCU. In the bureau, he couldn’t be promoted since Cyber Division leadership roles were open only to agents. And while agents could retire at 50 with full pensions, he had to wait until age 62, and would receive less money. In 2019, Pargman resigned from the FBI, telling his supervisor he wanted to be in a role where he could enact changes rather than just suggest them.
    “I love working for the FBI,” he told his supervisor. “It’s very meaningful and fulfilling. But there is no leadership spot for me to go to, only because I’m not an agent. So you cannot be upset that I’m going to get a job where I can be a leader, and make changes, and create a team to do big things.”
    When it came to ransomware, the FBI didn’t have a lengthy roster of achievements to boast about. It would not be until after the May 2021 attack on the Colonial Pipeline, which shuttered gas stations across the Southeast, that the FBI would prioritize the ransomware threat and embrace assistance from private researchers like the Ransomware Hunting Team. But even with its new emphasis on ransomware, the FBI didn’t undertake fundamental reforms to expand its roster of cyber experts. It still wanted its cyber agents to be athletic college graduates with relevant job experience, who also had to be willing to shoot a gun, relocate their families and pivot away from investigating cybercrime as needed.
    The bureau’s reluctance to adapt disappointed some former agents. “I think the next generation of cyber people in the bureau should be the type of people who want to be cyber first, and not agents at all,” said Patel, one of the agents who attended the 2015 meeting with Comey. “The bureau needs expertly trained technical programmers, cybersecurity engineers, that know how to write code, compile, dissect and investigate — and it has nothing to do with carrying a gun.”
    Excerpted from “The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime” by Renee Dudley and Daniel Golden. Published by Farrar, Straus and Giroux. Copyright © 2022 by Renee Dudley and Daniel Golden. All rights reserved.
    Renee Dudley is a tech reporter at ProPublica.
    Daniel Golden is a Boston-based senior editor and reporter at ProPublica.

    © Copyright 2023 Pro Publica Inc.
    Creative Commons License (CC BY-NC-ND 3.0)

    source

  • What to know about the Hope College data breach – Calvin University Chimes

    Grace Buller, Campus Reporter
    Some Calvin faculty and students may have been affected by a data breach at Hope College last fall.
    On Sept. 27, 2022, Hope College discovered potential, unauthorized access to files containing sensitive information, according to a document released by Hope. This information was later determined to include individuals’ first and last names, in combination with their date of birth, Social Security number, driver’s license number, and student ID number. Financial information — such as credit card numbers — was unaffected. 
    After Nov. 8, the college began sending out letters to those it believes to have been affected. While the college’s statement does not say how many were affected, a lawsuit filed on Dec. 26 alleges that up to 156,783 individuals were potentially affected by the breach, according to MLive.
    While Hope students and alumni are among those primarily affected, some Calvin faculty, staff and students may also have been affected. 
    Many Calvin faculty who have spoken or taught at Hope are in Hope’s system from filing tax information. Rebecca DeYoung, professor of philosophy, said she received a letter saying she may have been impacted. DeYoung said her information was probably in Hope’s system from a talk she gave there in 2017. 
    DeYoung, who has been affected by other data breaches, said she views data breaches as a “risk you take by operating online.”
    Michael Dirksen, a teaching fellow and 2012 Hope graduate, also received a letter. Dirksen taught a class at Hope in 2020. Following news of the breach, he removed his banking information from Hope as a precaution. However, other information, such as his Social Security number, could not easily be removed. 
    Like DeYoung, he does not view the Hope breach as an unusual situation.
    “These kinds of problems are going to happen more and more frequently,” he said.
    However, there are ways to prevent data breaches and minimize their effects.
    According to Brian Paige, vice president and chief information officer, this includes using multifactor authentication and minimizing where Social Security numbers are stored. Paige said Calvin’s IT team “routinely practice[s] our responses to cyber incidents with tabletop exercises and scenario planning.”
    Paige did not give details on how information is stored or protected. “Not disclosing the ‘playbook’ is part of the approach to preventing data breaches,” Paige said.  
    Paige recommended that everyone follow good information security practices, such as using different passwords on every account and multifactor authentication as much as possible. 
    He also said it is wise to “consider sharing less personal information on social media, making identity theft and impersonation more difficult.”
    According to Attorney General Dana Nessel, those specifically affected by the Hope breach and other data breaches should monitor their credit, place a fraud alert on their credit report, and consider placing a credit freeze on their credit report. Hope College is offering free credit monitoring services to those affected for a year. 
    If anyone has not received a letter but believes they may be impacted, they may contact 1-833-540-0798.
    Calvin University's official student newspaper since 1907




    source

  • 12 most in-demand cybersecurity jobs in 2022 – TechRepublic

    Cybersecurity is becoming a more important field than ever before, and jobs in this industry will only become more sought after as the years roll by.
    Think you know what the hottest cybersecurity jobs are right now? Well, think again.
    With the rise in cyberattacks in 2021, many business organizations around the world are now beefing up their security team to respond to incidents of cyberattacks. As a result, there has been a 350% increase in global cybersecurity job demand between 2013 and 2021. In the United States, for instance, the available record suggests that there are currently more than 590,000 cybersecurity job openings that need to be filled.
    While cybersecurity roles such as penetration testers, security analysts and incident responders have gained a lot of mentions lately, new positions are quickly emerging on the scene. Hence, we’ll take a look at some of the hottest cybersecurity jobs in 2022.
    The chief information security officer (CISO) is responsible for an organization’s overall security posture. They develop and implement security strategies, policies and procedures to protect the company’s data and systems from cyberattacks. CISOs also oversee the work of other security professionals, such as security architects and engineers.
    A cybersecurity architect is responsible for designing, developing and implementing an organization’s security infrastructure. They work with a company’s CISO to create a comprehensive security strategy that takes into account the latest threats, as well as the company’s business goals. A cybersecurity architect also designs and oversees the implementation of security controls, such as firewalls, intrusion detection systems and encryption technologies.
    A security engineer is responsible for implementing and maintaining an organization’s security infrastructure. They work closely with cybersecurity architects to deploy and configure security controls, such as firewalls, intrusion detection systems and encryption technologies. Security engineers also conduct regular security audits to identify vulnerabilities and recommend solutions to mitigate risks.
    A security analyst is responsible for identifying cybersecurity threats and vulnerabilities in an organization’s network. They use various tools, such as penetration testing, to simulate attacks and assess the effectiveness of an organization’s security controls. Security analysts also develop mitigation plans to address identified risks.
    An incident response coordinator is responsible for coordinating an organization’s response to a security incident. They work with a team of security experts to investigate the cause of an incident, contain the damage and restore normal operations. Incident response coordinators also develop plans to prevent future incidents from occurring.
    A cybersecurity consultant is an independent contractor who provides expert advice to organizations on how to improve their cybersecurity posture. They assess an organization’s current security practices and make recommendations on how to improve them. Cybersecurity consultants also often provide training on cybersecurity best practices.
    A security awareness trainer is responsible for educating employees on cybersecurity risks and best practices. They design and deliver training programs that raise awareness of potential threats, such as phishing attacks, ransomware, data protection, etc. Security awareness trainers also develop policies and procedures to ensure that employees follow best practices.
    A vulnerability management specialist is responsible for identifying, assessing and mitigating cybersecurity risks in an organization. They work closely with security analysts to identify vulnerabilities in an organization’s systems and networks. Vulnerability management specialists also develop plans to remediate identified risks.
    A cybersecurity project manager is responsible for overseeing the implementation of cybersecurity initiatives. They work with a team of security experts to plan and execute projects, such as the deployment of new security controls or creating a security awareness training program. Cybersecurity project managers also track the progress of projects and report on their status to senior management.
    An information security manager is responsible for developing and implementing an organization’s cybersecurity strategy. In addition, they work closely with the CISO to ensure that all security controls are in place and effective. Information security managers also develop incident response plans and conduct regular security audits.
    A penetration tester is responsible for identifying and exploiting security vulnerabilities in an organization’s systems and networks. They use various tools and techniques to conduct their tests, including social engineering, network scanning and password cracking. Penetration testers typically work with ethical hackers to help improve an organization’s security posture.
    Ethical hackers are responsible for conducting security testing on an organization’s systems and networks. They use the same tools and techniques as malicious hackers, but they do so with the organization’s permission. Ethical hackers help identify security weaknesses to be fixed before attackers exploit them.
    Given the avalanche of jobs in the cybersecurity space, pursuing a career in the IT security industry might be one of your best decisions. Fortunately, there are many training resources out there to get you up and running, including these offerings from TechRepublic Academy: Become a cybersecurity analyst for just $9 and Delve into cybersecurity with this two-part training bundle.
    Importantly, some cybersecurity training resources and certifications are curated to serve organizations that are interested in educating their staff on cybersecurity issues. Although this move might not turn them into security experts, it will keep them abreast of the forms of cyberattacks and how to respond when they sense one.
    The roles outlined above are just the hottest ones; as the threat landscape evolves, new cybersecurity positions will likely emerge. With the right skills and experience, you can launch a successful career in this exciting and important field.


    source

  • The biggest data breaches and leaks of 2022 – Cyber Security Hub

    More than 4,100 publicly disclosed data breaches occurred in 2022, equating to approximately 22 billion records being exposed. Cyber security publication Security Magazine reported that the figures for 2022 are expected to exceed this figure by as much as five percent.
    In this article, we reveal which data breaches and leaks and the phishing, malware and cyber attacks ranked among our top ten most-read cyber security news stories of 2022.
    Read on to hear about data breaches at Revolut, Twitter, Uber and Rockstar, and let us know if you were impacted by any of the incidents covered in the comment section below. 
    The personal information for more than 50,000 users of fintech start-up Revolut was accessed during a data breach that took place on September 11, 2022. The breach involved a third-party gaining access to Revolut’s database and the personal information of 50,150 users. 
    The data accessed included names, home and email addresses, and partial payment card information, although Revolut has stated that card details were masked.  
    The Lithuanian government said that Revolut had taken “prompt action to eliminate the attacker’s access to the company’s customer data and stop the incident” once it was discovered.
    Learn more about public response to the breach in this September post.
    In October, Zoetop Business Company, the firm that owns fast fashion brands SHEIN and ROMWE, was fined US$1.9mn by the state of New York after failing to disclose a data breach which affected 39 million customers. 
    The cyber security incident which took place in July 2018 saw a malicious third party gain unauthorized access to SHEIN’s payment systems. According to a statement issued by the state of New York’s Attorney General’s office, SHEIN’s payment processor contacted the brand and disclosed that it had been “contacted by a large credit card network and a credit card issuing bank, each of which had information indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen”. 
    The discovery was made after the credit card network found SHEIN customers’ payment details for sale on a hacking forum.
    Read more about SHEIN’s mishandling of the breach in this October post.
    A data breach on student loan servicer Nelnet Servicing caused the confidential information of more than 2.5 million users to be leaked in June 2022.  
    The investigation concluded on August 17, 2022, that, due to a vulnerability in its system, student loan account registration information, including names, home and email addresses, phone numbers and social security numbers, was accessible to an unknown third party from June until July 22, 2022.
    Following this discovery, Nelnet Servicing notified the US Department of Education and law enforcement.
    Learn more about the response to the data breach in this August post.
    In July 2022, a hacker that went by the alias ‘devil’ posted on hacking forum BreachForums that they had the data of 5.4 million Twitter accounts for sale.
    The stolen data included email addresses and phone numbers from “celebrities, companies, randoms, OGs”. ‘OGs’ refers to Twitter handles that are either short, comprising one or two letters, or a word that is desirable as a screen name, for example, a first name with no misspelling, numbers or punctuation. The hacker ‘devil’ said they would not be accepting offers “lower than [$30,000]” for the database.
    The data breach was the result of a vulnerability on Twitter that was discovered in January 2022.
    Learn more about the vulnerability that led to the data breach here.
    Between September 15–19, 2022, a hacker allegedly hit both rideshare company Uber and video game company Rockstar.
    On September 15, Uber’s internal servers were accessed after a contractor’s device was infected with malware and their login details were sold on the dark web. The hacker accessed several other employee accounts, which then gave them access to a number of internal tools. The hacker then posted a message to a company-wide Slack channel and reconfigured Uber’s Open DNS to display a graphic image to employees on some internal sites.
    The hack into Rockstar Games, developer of the Grand Theft Auto (GTA) game series, was discovered on September 19, 2022. A user called teapotuberhacker posted on Grand Theft Auto game series fan site GTAForums: “Here are 90 footage/clips from GTA 6. It’s possible I could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build.” 
    In the post’s comments, the hacker claimed they had “downloaded [the gameplay videos] from Slack” by hacking into a channel used for communicating about the game.
    Rockstar Games made a statement via Twitter that said the company had suffered a “network intrusion” which had allowed an unauthorized third party to “illegally access and download confidential information from [its] systems”, including the leaked GTA 6 footage.
    Discover who orchestrated the hack and what happened to them in this September post.
    On October 13, 2022, Australian healthcare and insurance provider Medibank detected some “unusual activity” on its internal systems. The company was then contacted on October 17 by the malicious party, who aimed to “negotiate with the [healthcare] company regarding their alleged removal of customer data”. However, Medibank publicly refused to bend to the hacker’s demands.
    Medibank revealed the true extent of the hack on November 7, announcing that the malicious actor had gained unauthorized access to and stolen the data of 9.7 million past and present customers. The information included confidential and personally identifying information on medical procedures, including codes associated with diagnosis and procedures given.
    Following Medibank’s continued refusal to pay a ransom, the hacker released files containing customer data called “good-list” and “naughty-list” on November 9, 2022.
    The so-called “naughty-list” reportedly included details on those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders. 
    On November 10, they posted a file labelled “abortions” to a site backed by Russian ransomware group REvil, which apparently contained information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies.
    Find a full timeline of the Medibank data leak in this November post.
    On November 16, 2022, a hacker posted a dataset to BreachForums containing what they claimed to be up-to-date personal information of 487 million WhatsApp users from 84 countries.  
    In the post, the alleged hacker said those who bought the datasets would receive “very recent mobile numbers” of WhatsApp users. According to the bad actor, among the 487 million records are the details for 32 million US users, 11 million UK users and six million German users. 
    The hacker did not explain how such a large amount of user data had been collected, saying only that they had “used their strategy” to obtain it.
    Learn more about the data breach in this November post.
    Australian telecommunication company Optus suffered a devastating data breach on September 22, 2022 that has led to the details of 11 million customers being accessed. 
    The information accessed included customers’ names, dates of birth, phone numbers, email and home addresses, driver’s license and/or passport numbers and Medicare ID numbers. 
    Files containing this confidential information were posted on a hacking forum after Optus refused to pay a ransom demanded by the hacker. Victims of the breach also said that they were contacted by the supposed hacker demanding they pay AU$2,000 (US$1,300) or their data would be sold to other malicious parties.
    Find out more about how the Optus data breach occurred in this September post.
    Carding marketplaces are dark web sites where users trade stolen credit card details for financial fraud, usually involving large sums of money. On October 12, 2022, carding marketplace BidenCash released the details of 1.2 million credit cards for free. 
    A file posted on the site contained the information on credit cards expiring between 2023 and 2026, in addition to other details needed to make online transactions.
    BidenCash had previously leaked the details of thousands of credit cards in June 2022 as a way to promote the site. As the carding marketplace had been forced to launch new URLs three months later in September after suffering a series of DDoS attacks, some cyber security experts suggested this new release of details could be another attempt at advertising.  
    Discover how BidenCash gained access to 1.2 million credit card details in our October coverage.
    On November 23, 2022, Los Angeles-based cyber security expert Chad Loder tweeted a warning about a data breach at social media site Twitter that had allegedly affected “millions” across the US and EU. Loder claimed the data breach occurred “no earlier than 2021” and “has not been reported before”. Twitter had previously confirmed a data breach that affected millions of user accounts in July 2022, as seen in point seven of this article.
    Loder stated, however, that this “cannot” be the same breach as the one they reported on unless the company “lied” about the July breach. According to Loder, the data from the November breach is “not the same data” as that seen in the July breach, as it is in a “completely different format” and has “different affected accounts”. Loder said they believed that the breach occurred due to malicious actors exploiting the same vulnerability as the hack reported in July.
    Learn more about the data breach and those impacted in this November post.


    source

  • The FBI Told Me: Analyzing the FBI’s Cyber Crime Report – Security Boulevard

    When you are a vendor who provides a valuable service, you look for opportunities to help companies. Sometimes, a vendor’s claims can be exaggerated or even contrived. For that reason, we refer to trusted third-party data to make our point. This month we will use the FBI’s annual Internet Crime Report to show the continued rise of social engineering attacks in the US, especially through voice phishing, or as it’s commonly called, vishing.
    The FBI’s Internet Crime Complaint Center tracks cybercrime complaints and data each year and compares the results with those from the previous five years. As one might expect, both the number of complaints and the financial losses to cybercrime have increased each year.
    The report breaks down the crime types into thirty different categories including denial of service, computer intrusion and gambling. However, the majority could be considered scam or social engineering related. Among the scams, the FBI includes Romance Scams, Rental Scams and the largest category, Phishing/Vishing/SMiShing/Pharming.
    This FBI report graph shows just how much the social engineering category outweighs even the next four most common crime types.
    Most are aware of phishing as a malicious attack that often comes through a messaging service like email. Vishing is voice phishing, where an attacker tries to elicit sensitive information or action over the phone. SMiShing is similar to phishing but uses SMS, or text messages.
    The last category, pharming, can be difficult to distinguish from phishing, as both will often include a lookalike or fake web page that steals data. The real difference between the two is how the victim arrives at the page. With phishing, the victim will be directed to the data-stealing page by a message of some type, often an email. In a pharming attack, the victim will arrive at the page passively, such as by search results, purchased advertising, or a watering hole attack. Instead of the attack being targeted through a message like an email or text, the attack sits passively, letting interested and unaware victims walk right in.
    The FBI report also includes other attack types, including Business Email Compromise (BEC) and Ransomware. These are two other attack vectors we hear about often. These are both legitimately concerning attacks for businesses and keep security practitioners awake at night. However, there is an aspect to them that is often overlooked, the initial vector to these attacks. How does an attacker send emails from inside a business executive’s mail account? How does an attacker get sufficient access to a network to install ransomware? That initial threat vector is often through social engineering.
    The attackers may use a phishing email to obtain a password to a mailbox. Once they have access to the victim’s mailbox, the attackers can send trusted emails within the company. If your job is to pay invoices and the Chief Financial Officer sent you an email from their corporate account and asked you to pay an invoice, you likely would do it. If a high-level manager sends an email asking for information on employees, salaries, customers or the latest project, the recipient will trust that email and respond. This is how a BEC can be devastating to a company.
    Malware and ransomware also will often find a foothold through social engineering. Attackers may try to attach the malware to an email, but modern email filters are doing a much better job of blocking those attacks. Another vector is to load the malware from a web site after the victim clicks on a link.
    A third method attackers use is what the FBI refers to as Tech Support Fraud (TSF). Over the last five years, the FBI has reported a huge increase in TSF financial losses from $14 million in 2017 to more than $347 million in 2021. TSF can play a role in malware and ransomware infections when the attacker calls employees posing as a trusted member of the IT department and gets the employee to install remote access software on their computer. Once the software is installed, the attacker has full access to the workstation, the same access as if they were sitting in the employee’s seat. The attacker can then install the ransomware and force it to propagate through the network, locking up vital resources within the company.
    We know that cybersecurity intrusions are a problem, and this FBI report indicates they are increasing. Where problems of past years have been in the software and lack of updates and patching, now they are more human-based. IT departments have done an outstanding job of hardening their networks to technical attacks. However, companies now need to be more focused on the employees. Companies need to focus more on education and testing of the human attack vector. As the FBI report showed, social engineering is currently the top risk, and it is increasing.
    To test your employees against vishing and phishing attacks or even from an on-site physical access compromise see how Social-Engineer, LLC can help you.
     
    At Social Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:
    https://www.Social-Engineer.com/Managed-Services/.
    *** This is a Security Bloggers Network syndicated blog from Social-Engineer, LLC authored by Social-Engineer. Read the original post at: https://www.social-engineer.com/the-fbi-told-me-analyzing-the-fbis-cyber-crime-report/

    source

  • As White House Warns of Cybersecurity Threats, 600000 Jobs Are … – Bloomberg

    President Joe Biden has urged U.S. companies to “harden your cyber defenses immediately” amid a growing risk of Russian cyberattacks. For many, that won’t be easy. 
    The war for talent has been well-telegraphed throughout the country, but it’s particularly acute in cybersecurity. And it’s only worsened as competition in the broader labor market has heated up, heightening both companies’ potential vulnerability to hackers and the urgency to boost the workforce.

    source

  • Why good email security is essential for every business | Cyber Security Hub – Cyber Security Hub

    Threats to email security are on the rise. Research conducted for Cyber Security Hub’s Mid-Year Market Report 2022 found that 75 percent of cyber security practitioners think that email-based attacks such as phishing and social engineering are the ‘most dangerous’ cyber security threat to their organizations. Companies must protect this vulnerable asset without compromising its efficiency in communication.
    Email security is integral to protecting companies from external threats but also essential to protecting a brand’s customers from outbound threats. Without sufficient email security strategies, companies open themselves, their clients, and their customers to the consequences of cyber security incidents such as phishing, data breaches and business email compromise (BEC).
    Threats to email security also include cyber security issues found within companies, like employees having a lack of cyber security knowledge. Research from Stanford University found that 88 percent of all data breaches are due to an employee mistake, meaning companies must be hypervigilant when training their employees. This training should take place in an easily accessible format so that information is easily retained by employees and future mistakes are avoided.
    This threat to the internal workings of a company can also lead to further damage to its brand if not dealt with swiftly and effectively. Even long-time customers may lose faith in organizations if they feel they are unable to trust in their cyber security strategy, especially when their personal data is on the line.
    In this article, Cyber Security Hub provides guidance on how to implement excellent email security and make sure your employees understand its importance.
    Also read: Report on cyber security challenges, focuses & spends
    Overlooking email as a security risk is a dangerous oversight for any organization. In 2020, professional services network Deloitte reported that 91 percent of all cyber-attacks began with a phishing email.
    There are a number of threats poor email security presents, ranging from social engineering attacks, phishing and account compromise to takeover and data theft. Phishing attacks can target users’ passwords and accounts that could contain sensitive and valuable customer information. Credential theft is also a risk as employees may reuse passwords for multiple different platforms across their business and personal life, weakening a business’s security if any of these accounts are compromised or exposed during a data breach.
    When it comes to email security, while the best software measure may be put in place, true email security also hinges on employees’ abilities to understand why and how the company may be attacked via email, and what to do in the case of a compromise.
    The consequences of phishing campaigns can be devastating for businesses. In 2014, Sony Pictures’ employees, including system engineering and network administrators, were targeted with fake emails that looked like legitimate communications from Apple, asking them to verify their Apple ID credentials. By clicking on the link provided, employees were taken to a legitimate-seeming webpage that required them to input their login details. As these emails were targeted at those who would most likely have access to Sony’s network, these details were then used to hack into its network. The spear phishing campaign led to multiple gigabytes of data being stolen including business-related content, financial records, customer-facing projects, and digital copies of recently released films. The hack cost Sony an estimated US$15mn.
    Also read: How to strengthen email security & protection against advanced ransomware attacks
    As employees within a business will be used to people from outside the company contacting them, as well as speaking to people they do not know in a business capacity, this can make them less wary of potentially dangerous or fraudulent emails.
    Email-based attacks like phishing and social engineering that directly target employees within a business can have devastating consequences for businesses, with three in four cyber security professionals surveyed for Cyber Security Hub’s Mid-Year Market Report 2022 stating these attacks are the ‘most dangerous’ threat to cyber security. These attacks directly target employees inside a business, placing the responsibility for ensuring the attack does not progress in their hands. Additionally, these attacks often rely on psychologically manipulating employees. They can be very effective in convincing employees to act in ways they would not usually, even if they have had security training.
    The effectiveness of phishing attacks may rely on how effectively employees can evaluate whether an email is safe. This can be an issue if employees do not pay attention to cyber security training. Complacency in this task may be due to a misconception that email antivirus or antimalware software is sufficient to block any and all threats. As antivirus software can only stop and prevent known threats, if a breach attempt involves a new, unknown file or URL, it may not be able to block an attack.
    Ensuring good cyber security within businesses requires employees to be engaged with their training so they are better able to retain the information and use it at a later date when they do come across cyber security threats.
    In a discussion between Cyber Security Hub’s Advisory Board, one member suggested that linking email security to a company’s universal goals was very beneficial. This involves conducting multiple phishing tests throughout the year, with the score of said tests affecting their employees’ bonuses. This is because phishing attacks have an indirect influence on a company’s bottom line. Cyber-attacks cost a lot of money, meaning if a cyber-attack occurs, companies will lose money in operations costs. Additionally, cyber-attacks may lead customers to lose trust in a company and take their business elsewhere, leading to an overall drop in revenue. With bonuses directly linked to profit, financially motivated employees should be more diligent in not clicking on potentially dangerous links, as their good behavior is reinforced and rewarded.
    Companies may also be able to better engage their employees by employing the use of short-form video content using real-life case studies as examples.
    One such example is a testimonial from an actor posted on LinkedIn entitled ‘My LinkedIn post cost my company a fortune’.
    In the testimonial, the actor explains that someone posing as a recruiter enticed him into communicating with them first through comments on his LinkedIn posts, then via messages with a lucrative job offer. The faux recruiter built a relationship with him, and finally sent him a PDF which, supposedly, contained the job offer. Instead, it contained only a cover letter and two blank pages. When the actor reached out to the supposed recruiter, they explained that it was a secure file, and prompted him to download and install a secure PDF reader. When this still did not work, the actor contacted the recruiter again, but the recruiter did not respond to any of his messages. He dismissed this, but weeks later there was a data breach at his company that cost the company millions of dollars. The breach was traced back to him, as the PDF reader had actually contained malware that was used to level an attack against the company.
    The actor explains that job scam attacks are becoming more prevalent as people are expected to communicate with strangers, and download the attachments sent to them.
    By using easily-digestible video formats to train employees, companies can help employees realize how much the email security of a business relies on them, as well as offering them a framework of what to do during a cyber security incident. It can also provide them with tips of what to look for in potentially malicious communications.
    In terms of ensuring email security beyond training, a layered solution can be beneficial as it allows the use of different controls to respond to different threats. This can be combined with content protection like structural sanitization, which removes active content within the email body and attachments and removes or rewrites URLs to go through a different web browser. Identity protection is particularly important, as social engineering and phishing attacks often rely on posing as someone with authority within the business. Looking for the good senders rather than preventing the bad allows software to identify and block bad actors post-delivery, preventing the spread.
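    A sketch of the structural sanitization step described above, as an added example rather than code from the article or any vendor: it drops active content from an HTML email body and rewrites web links to pass through an inspection gateway. The gateway URL, the element lists, the scheme policy and the sample message are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Hypothetical click-time inspection gateway (assumption, not a real service).
GATEWAY = "https://urlcheck.example.invalid/v?u="
DROP_SUBTREE = {"script", "iframe", "object", "form"}  # removed with their content
DROP_VOID = {"embed", "base", "meta", "link"}          # removed, no end tag expected
# Schemes kept unchanged per attribute; http(s) links are rewritten, all else is dropped.
KEEP_SCHEMES = {"href": {"mailto"}, "src": {"cid"}}


def scheme_of(value):
    """Lower-cased URL scheme, or '' for relative or unparseable values."""
    try:
        return urlsplit(value.strip()).scheme.lower()
    except ValueError:
        return ""


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.rewritten = [], [], []
        self.skip_depth = 0  # > 0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            if self.skip_depth == 0:
                self.removed.append(f"<{tag}>")
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        if tag in DROP_VOID:
            self.removed.append(f"<{tag}>")
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # inline event handlers are active content
                self.removed.append(f"{tag}@{name}")
                continue
            if name in KEEP_SCHEMES:
                # The parser has already decoded character references, so an
                # obfuscated "javascript&#58;" arrives here as "javascript:".
                scheme = scheme_of(value)
                if name == "href" and scheme in ("http", "https"):
                    self.rewritten.append(value)
                    value = GATEWAY + quote(value, safe="")
                elif scheme not in KEEP_SCHEMES[name]:
                    self.removed.append(f"{tag}@{name}={scheme or 'relative'}:")
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in DROP_VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_body):
    """Return (clean_html, removed_items, rewritten_urls)."""
    s = Sanitizer()
    s.feed(html_body)
    s.close()
    return "".join(s.out), s.removed, s.rewritten


# Constructed sample message body (not taken from a real email).
SAMPLE = (
    '<p onmouseover="track()">Invoice attached.</p>'
    '<a href="https://pay.example.test/inv?id=7&amp;u=a">Pay now</a>'
    '<a href="javascript&#58;steal()">Details</a>'
    '<script>document.location="https://x.example.test"</script>'
    '<form action="https://x.example.test/login"><input name="pw"></form>'
    '<img src="cid:logo@mail"><img src="https://t.example.test/p.gif">'
    '<a href="mailto:billing@example.test">Contact</a>'
)

if __name__ == "__main__":
    clean, removed, rewritten = sanitize(SAMPLE)
    print(clean)
    print("removed:", removed)
    print("rewritten:", rewritten)
```

    The policy is an allowlist: a link or image source survives only if its scheme is explicitly permitted, so an unclosed dropped element or an unparseable URL results in content being removed rather than passed through.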
    Email security is not just important for internal data safety, but for a company’s external brand. Bad email security can affect customers in multiple ways, from exposing their personal information to causing them to see a brand as less secure or trustworthy.
    While using DMARC authentication to detect and prevent email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks seems easy in principle, it can be complicated – especially for large organizations.
    Attacks against larger or more influential companies may lead to high-sensitivity email disclosure, as attackers may leak highly confidential information to the public, which can affect trust in a company. If this trust is broken due to customers believing companies are not appropriately securing their data, concerned customers may switch to different brands, leading to a drop in revenue.
    By ensuring both that employees are fully engaged with and retain information from training, and that there is a robust email security solution in place, companies can put themselves in a better place to identify and mitigate cyber security incidents.
    There are a number of threats to email security that employees must face. The most dangerous of these are social engineering and phishing attacks, as they directly target employees and can have potentially devastating consequences for their company.
    Email security is fundamentally reliant on employees being vigilant against potential inbound attacks. In order to ensure all employees are in the best place to recognize and not engage with malicious emails, companies must take into consideration the way they are educating their employees in regard to cyber security. Using more engaging techniques like shorter videos, relating the content to themselves as employees or using a rewards-based system can help engage employees better, meaning they are in a better position to ensure email security.
    Additionally, companies should ensure that they have robust security in place, including the use of structural sanitization and identity protection like DMARC. By using these methods, companies can ensure that phishing attacks are less successful. This is because URLs can be deemed safe before they are clicked on, and malicious actors who attempt to pose as higher-ups in the company during social engineering attacks will be less likely to succeed.
    By doing this, companies can protect their employees and the business itself from cyber criminals and inbound threats, while protecting clients and customers from outbound threats. By communicating these efforts with clients and customers, they can build trust in their cyber security, and prevent a loss of trust if a cyber security incident happens. This can prevent customers from feeling their data is not adequately protected, leaving the business and taking their custom elsewhere.

    source

  • CyberMontana Bringing Critical Cybersecurity Training to Big Sky … – University of Montana

    MISSOULA – The philosophy at CyberMontana is that everyone, no matter their age or place in life, should be fluent in computer security.
    Now one year old, this statewide initiative already counts among its alumni middle school students conquering code at summer STEM camps and Montana National Guard members learning to identify and remedy cyber breaches.
    “I like to say if you are in the sixth grade or older, we have something for you,” said Dianne Burke, CyberMontana’s director and a cybersecurity faculty member at the University of Montana’s Missoula College.
    Funded by the Montana Legislature in 2021 and housed in Missoula College, CyberMontana provides cybersecurity awareness, training and workforce development for businesses and residents across the state.
    Its work is set against a backdrop of growing worldwide cyberbreaches that can pose, at the least, annoying email phishing and, at the worst, multimillion-dollar damages to businesses and institutions. According to IBM, the average total cost of a data breach in 2020 was $3.86 million, and breaches took an average of 280 days to identify and contain.
    Meanwhile, 80% of companies say they have a hard time finding and hiring security personnel according to consulting firm Gartner, and by 2029, the U.S. Bureau of Labor Statistics predicts the cybersecurity job market will grow by more than 31%.
    As the first institution in Montana to be recognized by the federal government as a National Center of Academic Excellence in Cyber Defense, Missoula College is uniquely qualified to lead the new initiative, said Tom Gallagher, dean of Missoula College, which operates CyberMontana in coordination with faculty from other two-year colleges across the state.
    “The need for trained cybersecurity professionals at all levels is absolutely critical to protect Montana’s businesses and to grow our economy,” he said, adding that the coursework offered through CyberMontana has been vetted and approved by National Security Agency through the Centers of Academic Excellence in Cybersecurity program.
    In addition to degree programs in cybersecurity, CyberMontana offers on demand training for business employees featuring 20- to 30-minute training modules, professional development courses like coding bootcamps and customized cyber training, and programs for the public on subjects as diverse as password management and safely navigating Wi-Fi in public settings.
    CyberMontana has launched the Montana Cyber Range, a virtual resource that allows participants a platform to practice cyber defense activities through lab exercises, simulations, and competitions from anywhere in the state.
    Burke is particularly excited about several innovative programs that CyberMontana also offers – a rapid training program launching this summer for a Certificate of Technical Studies in Cybersecurity and their high school dual-enrollment program providing juniors and seniors with a three-credit online introductory course in cybersecurity. These trainings lead to both academic and industry-recognized credentials.
    “We are committed to increasing the number and diversity of young people going into the pipeline for this important professional field,” Burke said. “Our hope is this dual enrollment program will be a key step toward that important goal.”
    ###
    Contact: Dave Kuntz, UM director of strategic communications, 406-243-5659, dave.kuntz@umontana.edu.

    source

  • Twitter confirms data from 5.4 million accounts has been stolen | Cyber Security Hub – Cyber Security Hub

    Twitter has confirmed that the phone numbers and email addresses from 5.4 million accounts have been stolen due to the zero-day vulnerability on the platform that was originally flagged in January 2022.
    The vulnerability meant that if a bad actor entered a phone number or email address and attempted to log in, they were able to learn if that information was associated with an existing account. This then led to the email address and phone numbers associated with 5.4 million accounts being put up for sale on the hacking forum, Breach Forums.
    Twitter said in a statement that it “will be directly notifying the account owners [it] can confirm were affected by this issue”.
    In a previous article by CS Hub on July 27, it was reported that many of the accounts that were up for sale, according to the hacker, belonged to “celebrities, companies, randoms, OGs, etc.”. ‘OGs’ refers to Twitter handles that are either made up of a desirable word like a first name or are very short and contain only a few letters.
    Twitter went on to suggest that those who operate “pseudonymous” accounts like OGs that may have been affected by the breach “keep [their] identity as veiled as possible by not adding a publicly known phone number or email address” to their Twitter account. The company clarified that while no passwords were compromised in the breach, it encourages “everyone who uses Twitter to enable 2-factor authentication using apps or hardware security keys to protect your account from unauthorized logins”.  
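    The flaw class described in this article, a login flow whose response reveals whether an email address or phone number belongs to an account, shown beside a hardened form. This is an added example, not Twitter's code; the account store, function names, failure threshold and client keys are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample accounts keyed by email address or phone number.
ACCOUNTS = {
    "alice@example.test": _record("correct horse"),
    "+15550100": _record("battery staple"),
}
# Verified against when the identifier is unknown, so both paths do the same work.
DUMMY = _record("unused")


def login_leaky(identifier, password):
    """Models the flaw: an unknown identifier gets a distinct response."""
    if identifier not in ACCOUNTS:
        return {"status": 404, "error": "no account uses that email or phone"}
    salt, stored = ACCOUNTS[identifier]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"status": 401, "error": "wrong password"}
    return {"status": 200, "session": "issued"}


class HardenedLogin:
    """Uniform failure response plus a per-client cap on failed attempts."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        # client key (for example source address) -> failed attempts;
        # a deployment would also expire these counters over time.
        self.failures = defaultdict(int)

    def login(self, client, identifier, password):
        if self.failures[client] >= self.max_failures:
            return {"status": 429, "error": "too many attempts"}
        salt, stored = ACCOUNTS.get(identifier, DUMMY)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and identifier in ACCOUNTS:
            return {"status": 200, "session": "issued"}
        self.failures[client] += 1
        # Same status and body for "unknown identifier" and "wrong password".
        return {"status": 401, "error": "invalid credentials"}


def existence_oracle(login_fn, known, unknown, wrong_password="not-the-password"):
    """Regression check for your own handler: True if a failed login
    answers differently for an existing and a non-existing identifier."""
    return login_fn(known, wrong_password) != login_fn(unknown, wrong_password)


if __name__ == "__main__":
    hardened = HardenedLogin()
    print("leaky handler exposes existence:",
          existence_oracle(login_leaky, "alice@example.test", "bob@example.test"))
    print("hardened handler exposes existence:",
          existence_oracle(lambda i, p: hardened.login("198.51.100.7", i, p),
                           "alice@example.test", "bob@example.test"))
```

    Response content is only one channel: the dummy hash keeps the work per request the same on both paths, and the failure cap limits how many identifiers one client can test.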

    source