“If they did not break Russian law, there is nothing to prosecute them for in Russia,” Mr. Putin said. “You must finally realize that people in Russia live by Russian laws, not by American ones.”

After the Colonial attack, President Biden said that intelligence officials had evidence the hackers were from Russia, but that they had yet to find any links to the government.

“So far there is no evidence based on, from our intelligence people, that Russia is involved, though there is evidence that the actors, ransomware, is in Russia,” he said, adding that the Russian authorities “have some responsibility to deal with this.”

This month, DarkSide’s support staff scrambled to respond to parts of the system being shut down, which the group attributed, without evidence, to pressure from the United States. In a posting on May 8, the day after the Colonial attack became public, the DarkSide staff appeared to be hoping for some sympathy from their affiliates.

“There is now the option to leave a tip for Support under ‘payments,’” the posting said. “It’s optional, but Support would be happy :).”

Days after the F.B.I. publicly identified DarkSide as the culprit, Woris, who had yet to extract payment from the publishing company, reached out to customer service, apparently concerned.

“Hi, how’s it going,” he wrote. “They hit you hard.”

It was the last communication Woris had with DarkSide.

Days later, a message popped up on the dashboard saying the group was not exactly shutting down, as it had said it would, but selling its infrastructure so other hackers could carry on the lucrative ransomware business.

“The price is negotiable,” DarkSide wrote. “By fully launching an analogous partnership program it’s possible to make profits of $5 million a month.”

Oleg Matsnev contributed reporting.


A Phishing Test Promised Workers a Covid Bonus. Now They Want an Apology.

A report released this week by Britain’s National Cyber Security Centre showed a 15-fold increase in the number of scams removed from the internet, and said the agency had taken more fraudulent sites offline in the past year than in the previous three years combined.

In the first quarter of this year, according to government statistics, almost 40 percent of businesses in Britain reported digital breaches or attacks, with an average cost for medium to large firms of around 13,400 pounds, or $18,800. And the cost of a serious breach can be far more daunting: One study conducted last year by the Ponemon Institute for IBM Security, which interviewed 524 organizations across 17 countries, found that data breaches in 2020 cost an organization on average $3.86 million.

Phishing has also been used by scammers attempting to swindle grandparents out of their savings, by intelligence agencies to gain information and diplomatic leverage, and by IT departments to see if employees are paying attention.

“A sufficiently well-designed phishing email will get clicked on 100 percent of the time,” said Steven J. Murdoch, a professor of security engineering at University College London, adding all companies were vulnerable to phishing.

But testing employees with fake emails about bonuses was “entrapment,” he said, adding that it risked harming the relationship between companies and employees, which was crucial for security. Some attacks, as an example, come from disgruntled employees, he said. “People responsible for fire safety don’t set fire to the building,” he said of the tests.

Rather than discouraging employees from clicking on any link, he said, more effective strategies could include blocking phishing emails, installing software to protect against ransomware, and addressing use of passwords.

Alienating employees also meant they could be less likely to report suspicious activity to their company departments, a crucial method of stopping attacks from becoming more serious, said Jessica Barker, a co-founder of Cygenta, a cybersecurity company.


Five Tech Commandments to a Safer Digital Life

Tech is always changing, and so is the way we use it. That means we are always finding new ways to let our guard down for bad actors to snoop on our data.

Remember when you shared your address book with that trendy new app? Or when you posted photos on social networks? Those actions may all pose consequences that weaken security for ourselves and the people we care about.

Vijay Balasubramaniyan, the chief executive of Pindrop, a security firm that develops technology to detect fraudulent phone calls, said we should always remember that any piece of our identity we post online could eventually be used by fraudsters to hijack our online accounts.

“Your digital identity, which comprises all your pictures, videos and audio, is going to fundamentally allow hackers to create a complete persona of you that looks exactly like you, without you being in the picture,” he said.

password manager, software that helps automatically generate long, complex passwords for accounts. All the passwords are stored in a vault that is accessible with one master password. My favorite tool is 1Password, which costs $36 a year, but there are also free password managers like Bitwarden.

The other option is to jot down passwords on a piece of paper that is stored in a safe place. Just make sure the passwords are long and complex, with some letters, numbers and special characters.

offer methods of two-step verification involving text messages or so-called authenticator apps that generate temporary codes. Just do a web search for the setup instructions.

If a company doesn’t offer multifactor authentication, you should probably find a different product, Mr. Balasubramaniyan said.

“If a vendor says, ‘All I’m doing is passwords,’ they’re not good enough,” he said.

Many of us rely on our smartphones for our everyday cameras. But our smartphones collect lots of data about us, and camera software can automatically make a note of our location when we snap a photo. This is more often a potential safety risk than a benefit.

Let’s start with the positives. When you allow your camera to tag your location, photo-management apps like Apple’s Photos and Google Photos can automatically sort pictures into albums based on location. That’s helpful when you go on vacation and want to remember where you were when you took a snapshot.

But when you aren’t traveling, having your location tagged on photos is not great. Let’s say you just connected with someone on a dating app and texted a photo of your dog. If you had the location feature turned on when you snapped the photo, that person could analyze the data to see where you live.

aggressive collection of address books.

When signing up for Clubhouse, users could decline to share their address book. But even if they did so, others on the app who had uploaded their address books could see that those new users had joined the service. This wasn’t ideal for people trying to avoid contact with abusive exes or stalkers.

said last week that it had opened an investigation into Clubhouse.

Clubhouse updated the app this month, addressing some of the privacy concerns. It did not immediately respond to a request for comment.

There are kinder ways than sharing your address book to find out whether your friends are using a new service — like asking them directly.

All security experts agreed on one rule of thumb: Trust no one.

When you receive an email from someone asking for your personal information, don’t click on any links and contact the sender to ask if the message is legitimate. Fraudsters can easily embed emails with malware and impersonate your bank, said Adam Kujawa, a director of the security firm Malwarebytes.

When in doubt, opt out of sharing data. Businesses and banks have experimented with fraud-detection technologies that listen to your voice to verify your identity. At some point, you may even interact with customer service representatives on video calls. The most sophisticated fraudsters could eventually use the media you post online to create a deepfake, or a computer-generated video or audio clip impersonating you, Mr. Balasubramaniyan said.

While this could sound alarmist because deepfakes are not an immediate concern, a healthy dose of skepticism will help us survive the future.

“Think about all the different ways in which you’re leaving biometric identity in your online world,” he said.


Netflix Tests a Clampdown on Password Sharing

Want to watch “The Queen’s Gambit” or “Lupin”? If you’ve been borrowing a Netflix password from a family member or friend, you may now have to pay up.

Netflix has started testing a feature that could prod users who are borrowing a password from someone outside their household to buy a subscription.

The company said the feature was being tested with a limited number of users. It may signal a broader clampdown on the common practice of sharing passwords among relatives and friends to avoid paying for the popular streaming service.

“The test is designed to help ensure that people using Netflix accounts are authorized to do so,” the company said in a statement.

began to notice the feature recently when they logged onto a shared Netflix account and saw a message on their screen that read, “If you don’t live with the owner of this account, you need your own account to keep watching.”

To continue watching, these users were asked either to verify that it was their account by entering a code that was sent to them by text or email, or to join Netflix with their own account. They also had the option to complete the verification process later.

A basic Netflix subscription, which allows customers to watch on one screen at a time, costs $8.99 a month. Customers who pay more can watch on additional screens simultaneously.

Netflix declined to discuss its new feature, previously reported by The Streamable, an industry news site, in detail. But industry analysts said it might be part of an effort to enforce Netflix’s frequently overlooked terms of use, which state that its service and content “are for your personal and noncommercial use only and may not be shared with individuals beyond your household.”

The test also appears to be more of a nudge to buy a subscription than an iron-fisted crackdown. For example, someone who was borrowing a password from a friend or family member could ask for the verification code that had been sent by Netflix.

said in January that it had added 8.5 million customers in the fourth quarter, for a total of 203.6 million paying subscribers by the end of 2020. The company has about 66 million customers in the United States and anticipated adding six million total subscribers in the first three months of this year.

Netflix had earlier hinted that it was looking at ways to stop password sharing. Gregory K. Peters, the company’s chief product officer, said during a call to review the company’s earnings in October 2019 that Netflix was “looking at the situation.”

“We’ll see, again, those consumer-friendly ways to push on the edges of that,” Mr. Peters said, adding that the company had “no big plans to announce at this point.”

Professor Smith said the company clearly loses a significant amount of revenue through people using the service but not paying for it.

two-factor authentication that is used by many social media and banking apps — makes it harder for attackers to break in.

“I’m not sure it’s a huge benefit,” Professor Cranor said, “but there is some benefit.”
