Securing Social Media

As always, strong password protection is the number one priority for securing social media accounts. This includes using your phone to enable two factor authentication (2FA) for them. Due to the simple fact that social accounts usually hold far less important data/information than emails, I am willing to bet anything that close to 100% of all hacks against your social accounts will be deterred if you simply enable 2FA for them. It is also a widely known fact that more social accounts are compromised as a result of weak passwords than any other single factor.

Password Security Guide + 2FA: https://roguemedia.co/2019/10/30/tutorial-learning-how-to-write-remember-un-hackable-passwords/

While using your social media accounts, just as with emails, never open a message from or click on links by users, senders or accounts you do not know personally, were not expecting to hear from or haven’t done business with in the past. As I have already with emails, hackers can phish your social media accounts all the same. Moreover, it is actually much easier for a hacker to uncover your “IP Address” through something like Facebook Messenger than it is through email. This can also be done without you clicking on any individual hyperlink. For example, you can find someone’s IP when engaging them on Facebook by using a simple sequence of “cmd commands” – which are freely available on every Windows device.

Like your mother always told you, never talk to strangers – especially online 😉

You can add an extra layer of security to your accounts by preventing them from being “indexed” by search engines and web crawlers. This can be accomplished by making small changes to your account settings. By default, the largest social media platforms are all designed to connect to search engines like Google, Bing or Yahoo, in order to make social networking more accessible and convenient for everyone. However, allowing your account to be indexed means that theoretically anyone in the world could search for and find your account if they really wanted. Whereas if you disable your account from being indexed then the only people you personally give your account information to will know where to find it.

To do this, simply go under your accounts setting, scroll to Privacy Settings and uncheck the “Public Search Results” box. This will remove your profile’s page from Google, Bing, and Yahoo search returns. This is also a security practice instructed to Federal Employees and members of the US Defense Department.

Email Security Strategies

Before we begin, you can have the most advanced cyber security practices and anti-virus in place, but if you do not have a strong enough password to secure your devices or online accounts, all your security measures might as well be useless. As I have already explained in a previous tutorial, more people are hacked as a result of weak passwords than any other single factor. With that established, the 2nd most common way to hack someone is through their email inboxes or accounts – just ask Hillary Clinton, John Podesta, John Brennan and the DNC about that.

Make no mistake, if some of the worlds most powerful people can have their personal emails hacked, so can you. This is also why learning how to practice better email habits should be of the upmost importance for you heading into the future.

What To Avoid & How Email Hacks are Pulled Off:

While browsing through your email account(s), never open a single email or click on any link(s) from a sender you do not know personally. It might seem harmless, but the simple act of curiously opening an email or clicking on a link within an email can open Malware or register and transmit the IP Address of the device you are using to the sender of that email or link.

When a hacker sends compromising emails or links to your personal inbox it is a technique known as “Phishing,” and it is perhaps the most common form of cyber-attack you will ever encounter. I am willing to bet that everyone whom has ever owned an email account has seen a phishing scheme at one point or another in their lifetime, whether they were even aware of it or not. This is also why it is important to not just leave your email out in the open for all the world to see, or blindly pass it around to so many pages across the internet – especially if you have something to lose.

Believe it or not, there are even free and public services which allow any person to secretly attach a program to any given link or email they send, which automatically transmits data such as your IP Address as soon as you open it. This type of program also reveals things like the time of day you clicked the link, the type of browser you were using and how long you kept the window open. This is also what is referred to as a “trap-link.” The most common of which comes in the form of an “IP-logger,” which automatically registers the data of any device that clicks on it. While this might sound extremely complicated or foreign to you, again, regardless of the legality of it all, there are actually multiple free services, platforms and tools available on the internet for people to do just this.

Needless to say, always use caution and judgement when clicking on any links in your inbox, online chat, message or social media network alike – especially from people/sources/senders you do not know/trust or have never done business with directly. Lastly, getting your IP logged is the least of your concerns – it’s just the most common practice. Typically, hackers will “Spear-Phish” different/specific emails with malicious links that can secretly upload or install malware onto a users device, granting further access to their information. Additionally, every file you download should be immediately scanned by your anti-virus, because Microsoft Word documents and weaponized pdf’s are increasingly being used by the world’s most sophisticated hackers – because these are the most widely downloaded types of documents online, making them the easiest means to widely install malware on more peoples devices.

Separate Your Inboxes:

A good practice is to also use separate accounts for different purposes. For example, use a separate email account for your online banking and/or business than you would use for family, friends, or subscribing to magazines. This ensures that if one account is ever breached or compromised, not every aspect of your life gets compromised along with it. Additionally, use separate passwords for separate accounts and always reserve your strongest passwords for your most important accounts. You should also utilize two-factor authentication whenever and wherever possible.

If you are a website domain owner, or own multiple email accounts, you can also secure your personal or business inbox behind a mail forwarding service through your domains DNS settings or an alternative service provider. Selecting this option will allow you to pass out an email address without actually revealing the true end destination where those emails will be sent, essentially turning the mail forwarding address into an “alias” or “proxy” for your real account.

If you would like to learn more about alternative/encrypted email service providers, as well as why you should consider making the switch to them, please utilize the following link: https://roguemedia.co/2019/11/02/making-the-switch-to-encrypted-emails-2/

If you need help learning how to read, write and remember stronger passwords to secure your online accounts, please utilize the following link: https://roguemedia.co/2019/10/30/tutorial-learning-how-to-write-remember-un-hackable-passwords/

97% of American Failed This Basic Cyber Security Test, Myself Included

For the first time in my life, I am actually a part of the majority. What I’m referring to are results from a new cyber security test launched by Google developers designed to see how well Americans are able to pick up on subtle security warnings/threats online. While I didn’t necessarily take the test seriously at the time and rushed through them just to see how it was structured, I did fail it nonetheless – despite writing extensive tutorials on phishing attacks, email security and website security. Maybe that explains why Rogue Security Labs doesn’t have a single customer, but who whom knows – right?

Conduced throughout the course of March 2019 and consisting of over 2,000 American adults over the age of 16, Google discovered that….

– Despite 55% of Americans saying they would grade themselves as A level experience in cyber security, 97% got at least one question wrong on a basic, six-question security test
48% of Americans say they would like to build their own websites in the future
45% say their websites would be designed around business, while 43% say their websites would be for hobby
– Only 20% of Americans have actually built a website at one point or another in the past
64% of internet users never realized they could be re-directed to a false website without their knowledge/consent simply by clicking on a link
42% of internet users didn’t realize there is a security difference between websites with http and https
29% of internet users have no idea what the “s” in https stands for, nevermind look for it

See Full Results & Take The Test: https://safe.page/survey

Phishing Scam Spread Using Information Stolen Off BodyBuilding.com Email Data Servers

Unfortunately, it appears as though many of my colleagues in the industry have already beaten me to a report on this subject, but I can guarantee none of them have been published by BodyBuilding.com like I have – so f*ck em. Regardless, earlier today, April 22nd 2019, BodyBuilding.com came out with a press release revealing that their customers had been the victim of a massive phishing campaign spread using the email addresses stored on company servers. In the release, company representatives claim to have discovered the breach in February 2019, 8 months after the spread of the phishing campaign began in July 2018.

According to the release, “exposed data includes names, email addresses, physical addresses, phone numbers, order histories, communications with Bodybuilding.com, birthdays, account usernames and passwords, and information included in customers’ BodySpace profiles.” Additionally, the company claims that “the last four digits of stored payment card numbers may also have been affected,” but all other payment information remained safe. In response to the conclusion of the investigation into the data breach, BodyBuilding.com has took it upon themselves to reset the account passwords of every single one of their customers – myself included.

Lastly, as I just ordered something from the site last night, at least I can confirm that nothing fraudulent has been done to/with my account or any of the data on it – and the company certainly wont be losing my business over this in the future.

Full Release from BodyBuilding.com: https://www.bodybuilding.com/help?notifications&data-incident

 

 

Egyptian Government Implicated In Massive Phishing Campaign Targeting Journalists, Political Activists & NGO’s Alike

(AI) – A new Amnesty International investigation has found a wave of digital attacks that likely originated from government-backed bodies starting from early January 2019 and involving multiple attempts to gain access to the email accounts of several prominent Egyptian human rights defenders, media and civil society organizations’ staff. The attacks appear to be part of a wider strategy, occurring amid an unprecedented crackdown on the same groups in what have turned Egypt into an “open-air” prison for critics. Because of the identities of the targets we have identified, the timing of these attacks, their apparent coordination and the notifications of state-sponsored attacks sent from Google, we conclude that these attacks were most likely carried out by, or on behalf of, the Egyptian authorities.

In recent years, the Egyptian authorities have been harassing civil society and undermining freedom of association and expression through an ongoing criminal investigation into NGOs and a repressive NGO law. The authorities have been investigating dozens of human rights defenders and NGO staff for “receiving foreign funding” Many of them could face prison if convicted. The investigative judges have also ordered a travel ban against at least 31 NGO staff, and asset freezes of 10 individuals and seven organizations. Meanwhile, the authorities have also closed El Nadeem Center for Rehabilitation of Victims of Violence and continue to detain human rights defenders Ezzat Ghoniemand Hisham Gaafar, directors of the Egyptian Coordination for Rights and Freedoms and Mada for media studies, respectively.

The list of individuals and organizations targeted in this campaign of phishing attacks has significant overlaps with those targeted in an older phishing attack wave, known as Nile Phish, disclosed in 2017 by the Citizen Lab and the Egyptian Initiative for Personal Rights (EIPR).

Translated English Version: https://citizenlab.ca/2017/02/nilephish-report/

Full Nile Phish Report: 

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/03/nilephish.pdf”]

Amnesty International is deeply concerned that these phishing attacks represent yet another attempt by the authorities to stifle Egyptian civil society and calls on the Egyptian authorities to end these attacks on human rights defenders, and the crackdown on civil society, including by dropping the foreign funding case and repealing the NGO law.

A new year and a new wave of attacks

Since January 2019 several human rights defenders and civil society organizations from Egypt started forwarding dozens of suspicious emails to Amnesty International. Through the course of our investigation we discovered that these emails were attempts to access the email accounts of their targets through a particularly insidious form of phishing known as “OAuth Phishing” (which we explain in detail below). We estimate the total number of targeted individuals to be in the order of several hundreds.

These coincided with a number of important events that took place in the country. In the run-up to the eighth anniversary of Egypt’s 25 January uprising, which ended with the removal of former president Hosni Mubarak, after 30 years in power, we recorded 11 phishing attacks against NGOs and media collectives. We saw another burst of attacks during French President Emmanuel Macron’s visit to Cairo to meet with President Abdel Fatah al-Sisi on 28 and 29 January. The attacks peaked on 29 January, the day that President Macron met with human rights defenders from four prominent Egyptian NGOs. Later, in the first week of February, several media organizations were targeted as part of this campaign of digital attacks; they were reporting on the process of amending the Egyptian Constitution that the parliament had just officially started.

The attacks all bear the same hallmarks and appear to be part of a coordinated campaign to spy on, harass and intimidate their targets. While definitive attribution is difficult, the selective targeting of human rights defenders from Egypt, particularly in concomitant with specific political events, suggests this current wave of digital attacks is politically, rather than financially, motivated.

Additionally, we learned that multiple targets of this campaign received an official warning from Google alerting that “government-backed attackers are trying to steal your password.

No photo description available.

Google warning to one of the targets – 19 January 2019

These elements reinforce the suspicion that a state-sponsored group might be behind this campaign, further contributing to the chilling effect on Egyptian civil society and silencing those who voice criticism of the government.

What an OAuth phishing attack looks like: Step by step

Traditional phishing attacks attempt to deceive the targets into providing their passwords by creating a fake clone of, for example, Google’s or Facebook’s login page. If the target is successfully lured into entering their password, the attacker then “steals” their credentials and can reuse these to access their email account. Typically, this kind of phishing attack can be prevented through the use of two-step verification procedures such as those provided by most mainstream platforms these days, or by authenticator apps, or even better, security keys.

However, in this phishing campaign we have documented in Egypt, the attackers instead leverage a simple but less known technique generally called “OAuth Phishing.” Rather than cloning a legitimate login prompt that aims to trick targets into entering their password on a dubious-looking site, OAuth Phishing abuses a legitimate feature of many online service providers, including Google, that allows third-party applications to gain direct access to an account. For example, a legitimate external calendar application might request access to a user’s email account in order to automatically identify and add upcoming events or flight reservations.

With OAuth Phishing, attackers craft malicious third-party applications that are disguised not to raise suspicion with the victims. (More information on this functionality is available on Google Support in English or Arabic). Here we provide a step by step look at the ways in which these attacks work, and we follow on below with some concrete ways that people can better protect themselves from these kinds of attacks.

Step 1

We identified a few variants of the phishing emails received by the human rights defenders who shared these with Amnesty International. In the most common case pictured below, the email imitates a security warning from Google and solicits the target to apply a “Secure Email” security update to their Google account.

Screen Shot Example of Phishing Email Used In Attack:

No photo description available.

Step 2

Clicking the “Update my security now” button directs to a page that initiates the OAuth authorization process of the malicious third-party application named by the attackers as “Secure Mail.

Step 3

At this point the target is requested to log into Google or choose an existing logged in account.

Screenshot of Google’s login prompt requesting authorization to the malicious app:

No photo description available.

Step 4

Now the target is asked to explicitly authorize the malicious “Secure Email” third-party application to be granted access to their email account. While this authorization prompt does contain a warning from Google, it may be overlooked as the user has been directed from what appeared to be a legitimate email from Google.

Screenshot of confirmation to authorize the malicious app on victim’s account:

No photo description available.

Step 5

Once the “Allow” button is clicked, the malicious “Secure Email” application is granted access to the target’s email account. The attackers are immediately able to read the email’s content, and the victims are directed to the real Google account settings page, which further reduces any suspicion on the part of the target that they have been victim of a fraudulent attack.

In addition to Google, we observed that the same attackers make use of similar tactics against Yahoo, Outlook and Hotmail users.

Defending Against OAuth Phishing

OAuth Phishing can be tricky to identify. Often, security education for individuals at risk does not include mentions of this particular technique. People are usually trained to respond to phishing by looking for suspicious domains in the browser’s address bar and by enabling two-factor verification. While those are very useful and important safety practices to adopt, they would not help with OAuth Phishing because victims are in fact authenticating directly through the legitimate site.

If you are an activist, human rights defender, journalist, or anyone else concerned about being targeted by these kinds of attacks, it is important to be alert whenever you are requested to authorize a third-party application on your accounts.

Occasionally it is a good exercise to review your account’s security settings and check for authorized external applications. In the case of this campaign, the malicious Secure Email application will appear authorized as pictured below.

No photo description available.

Screenshot of the malicious third-party applications used by the attackers as it appears in the Google account settings page

You might also want to consider revoking access to any other authorized application that you do not recognize or that you might have stopped using.

Google also offers an Advanced Protection Program that in addition to enforcing the authentication with a security key, disables third-party applications on your account. Beware that enabling this configuration introduces some limitations, so make sure it fits your particular requirements before enrolling.

Here you can find instructions on how to check for authorized third-party applications on your Yahoo account instead.

Get in touch

If you received any suspicious email like those we described in this report, or other forms of suspected targeted attack, you can contact us at share@amnesty.tech.

Appendix

Indicators of Compromise and attacks Infrastructure available here.

Following are screenshots of other phishing emails used in this same campaign:

No photo description available.

No photo description available.

No photo description available.


This report was originally published by Amnesty International on March 5th 2019. It was republished, with permission, under a Creative Commons BY-NC-ND 4.0 International License, in accordance with the Terms & Conditions of Amnesty International | Formatting Edits and PDF added and embedded by Rogue Media Labs

Amnesty Investigation – State Sponsored Hackers Launching Massive Hacking Operations Across Middle East & North Africa

(AI)

Summary

  • We have identified several campaigns of credentials phishing, likely operated by the same attackers, targeting hundreds of individuals spread across the Middle East and North Africa.
  • In one campaign, the attackers were particularly going after accounts on popular self-described “secure email” services, such as Tutanota and ProtonMail.
  • In another campaign, the attackers have been targeting hundreds of Google and Yahoo accounts, successfully bypassing common forms of two-factor authentication.

Introduction

From the arsenal of tools and tactics used for targeted surveillance, phishing remains one of the most common and insidious form of attack affecting civil society around the world. More and more Human Rights Defenders (HRDs) have become aware of these threats. Many have taken steps to increase their resilience to such tactics. These often include using more secure, privacy-respecting email providers, or enabling two-factor authentication on their online accounts.

However, attackers too learn and adapt in how they target HRDs. This report documents two phishing campaigns that Amnesty International believes are being carried out by the same attacker (or attackers) likely originating from amongst the Gulf countries. These broad campaigns have targeted hundreds, if not a thousand, HRDs, journalists, political actors and others in many countries throughout the Middle East and North Africa region.

What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets. The first campaign, for example, utilizes especially well-crafted fake websites meant to imitate well-known “secure email” providers. Even more worryingly, the second demonstrates how attackers can easily defeat some forms of two-factor authentication to steal credentials, and obtain and maintain access to victims’ accounts. As a matter of fact, Amnesty Tech’s continuous monitoring and investigations into campaigns of targeted surveillance against HRDs suggest that many attacker groups are developing this capability.

Taken together, these campaigns are a reminder that phishing is a pressing threat and that more awareness and clarity over appropriate countermeasures needs to be available to human rights defenders.

Phishing Sites Imitating “Secure Email” Providers

Amnesty International has identified several well-crafted phishing sites for the popular email services Tutanota and ProtonMail. The providers are marketed as “secure email” solutions and have consequently gained some traction among activists.

These sites contain several elements that make them especially difficult for targets to identify as fakes. For instance, the attackers managed to obtain the domain tutanota.org and used it to almost completely replicate the original website for the Tutanota service, which is actually located at tutanota.com.

No automatic alt text available.

Many users rightfully expect that online services control the primary .com.org and .net domain variants of their brand. If an attacker manages to acquire one of these variants they have a rare opportunity to make the fake website appear significantly more realistic. These fake sites also use transport encryption (represented by the https:// prefix, as opposed to the classic, unencrypted, http://). This enables the well-recognized padlock on the left side of the browser’s address bar, which users have over the years been often taught to look for when attempting to discern between legitimate and malicious sites. These elements, together with an almost indistinguishable clone of the original website, made this a very credible phishing site that would be difficult to identify even for the more tech-savvy targets.

If a victim were tricked into performing a login to this phishing site, their credentials would be stored and a valid login procedure would be then initiated with the original Tutanota site, giving the target no indication that anything suspicious had occurred.

No automatic alt text available.

Because of how remarkably deceptive this phishing site was, we contacted Tutanota’s staff, informed them about the ongoing phishing attack, and they quickly proceeded to request the shutdown of the malicious infrastructure.

These same attackers were also operating a ProtonMail phishing website (another popular email service marketed as secure) located at protonemail.ch, where the additional letter “e” is all that distinguishes this well-built replica from the original valid website protonmail.ch.

No automatic alt text available.

No automatic alt text available.

Widespread Phishing of Google and Yahoo Users

Throughout 2017 and 2018, human rights defenders and journalists from the Middle East and North Africa region have been sharing with us suspicious emails they have been receiving. Investigating these emails, we identified a large and long-running campaign of targeted phishing attacks that has targeted hundreds, and likely over one thousand people overall. Most of the targets seemingly originating from the United Arab Emirates, Yemen, Egypt and Palestine.

It is worth noting that we found this campaign to be directly connected to some attacks included in section 2.4.2 of a technical report by UC Berkeley researcher Bill Marczak, in which he suggests various overlaps with other campaigns of targeted surveillance specifically targeting dissidents in the UAE.

Our investigation leads us to additionally conclude that this campaign likely originates with the same attacker – or attackers – who cloned the Tutanota and ProtonMail sites in the previous section. As in the previous campaign, this targeted phishing campaign employs very well-designed clones of the commercial sites it impersonates: Google and Yahoo. Unlike that campaign, however, this targeted phishing campaign is also designed to defeat the most common forms of two-factor authentication that targets might use to secure their accounts.

Lastly, we have identified and are currently investigating a series of malware attacks that appear to be tied to these phishing campaigns. This will be the subject of a forthcoming report.

Fake Security Alerts Work

In other campaigns, for example in our Operation Kingphish report, we have seen attackers create well developed online personas in order to gain the trust of their targets, and later use more crafty phishing emails that appeared to be invites to edit documents on Google Drive or participating in Google Hangout calls.

In this case, we have observed less sophisticated social engineering tricks. Most often this attacker made use of the common “security alert” scheme, which involves falsely alarming the targets with some fake notification of a potential account compromise. This approach exploits their fear and instills a sense of urgency in order to solicit a login with the pretense of immediately needing to change their password in order to secure their account. With HRDs having to be constantly on the alert for their personal and digital security, this social engineering scheme can be remarkably convincing.

The following is one example of a phishing email sent by this attacker.

No automatic alt text available.

No automatic alt text available.

Clicking on the links and buttons contained in these malicious emails would take the victim to a well-crafted and convincing Google phishing website. These attackers often and regularly create new sites and rotate their infrastructure in order to avoid detection and reduce the damage of unexpected shutdowns by domain registrars and hosting providers. You can find at the bottom of this report a list of all the malicious domains we have identified.

Image may contain: text

No automatic alt text available.

How Does the Phishing Attack Work?

In order to verify the functioning of the phishing pages we identified, we decided to create a disposable Google account. We selected one of the phishing emails that was shared with us, which pretended to be a security alert from Google, falsely alerting the victim of suspicious login activity, and soliciting them to change the password to their account.

The first step was to visit the phishing page.

No automatic alt text available.

When we logged into the phishing page, we were redirected to another page where we were alerted that we had been sent a 2-Step Verification code (another term for two-factor authentication) via SMS to the phone number we used to register the account, consisting of six digits.

No automatic alt text available.

Sure enough, our configured phone number did receive an SMS message containing a valid Googleverification code. After we entered our credentials and the 2-Step Verification code into the phishing page, we were then presented with a form asking us to reset the password for our account.

No automatic alt text available.

To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is.

After checking the security events on our disposable Google account, we noticed that a password change was in fact issued by Windows computer operated by the attackers, seemingly connecting from an IP address that Google geolocates within the USA.

No automatic alt text available.

(The IP address used by the attackers to automatically authenticate and modify our Google account, 196.19.3.66, is actually an unauthenticated Squid HTTP proxy. The attackers can use open proxies to obscure the location of their phishing server.)

The purpose of taking this additional step is most likely just to fulfill the promise of the social engineering bait and therefore to not raise any suspicion on the part of the victim.

After following this one last step, we were then redirected to an actual Google page. In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account. The phishing attack is now successfully completed.

Similarly, we created a new Yahoo account and configured two-factor authentication using the available phone verification as visible in the account settings:

No automatic alt text available.

Image may contain: text

No automatic alt text available.

Challenges in Securing Online Accounts

Finding a secure way to authenticate users is a very difficult technical issue, although some progress has been made over the years that has raised the bar of difficulty for attackers attempting to compromise accounts at scale.

Two-factor authentication has become a de-facto standard that is almost always recommended as a required step for securing online accounts. With two-factor authentication procedures enabled, users are required to provide a secondary form of verification that normally comes in the form of a numerical token that is either sent via SMS or through a dedicated app to be installed on their phone. These tokens are short-lived, and normally expire after 30 seconds. In other cases, like that of Yahoo, the user is required instead to manually allow an ongoing authentication attempt by tapping a button on their phone.

Why is this useful? Requiring a secondary form of authentication prevents some scenarios in which an attacker might have obtained access to your credentials. While this can most commonly happen with some unsophisticated phishing attempts, it is also a useful mitigation to password reuse. You should definitely configure your online accounts to use different passwords (and ideally use a password manager), but in the case you reuse – accidentally or otherwise – a password which was stolen (for example through the numerous data breaches occurring all the time) having two-factor authentication enabled will most likely mitigate against casual attackers trying to reuse the same password on as many other online accounts as possible.

Generally, there are three forms of two-factor authentication that online services provide:

  • Software token: this is the most common form, and consists in asking the user to enter in the login form a token (usually composed of six digits, sometimes it includes letters) that is sent to them either via SMS or through a dedicated app the user configured at the time of registration.
  • Software push notification: the user receives a notification on the phone through an app that was installed at the time of registration. This app alerts the user that a login attempt is being made and the user can approve it or block it.
  • Hardware security keys: this is a more recent form of two-factor authentication that requires the user to physically insert a special USB key into the computer in order to log into the given website.

While two-factor push notifications often provide some additional information that might be useful to raise your suspicion (for example, the country of origin of the client attempting to authenticate being different from yours), most software-based methods fall short when the attacker is sophisticated enough to employ some level of automation.

As we saw with the campaigns described in this report, if a victim is tricked into providing the username and password to their account, nothing will stop the attacker from asking to provide the 6-digits two-factor token, eventually the phone number to be verified, as well as any other required information. With sufficient instrumentation and automation, the attackers can make use of the valid two-factor authentication tokens and session before they expire, successfully log in and access all the emails and contacts of the victim. In other words, when it comes to targeted phishing software-based two-factor authentication, without appropriate mitigation, could be a speed bump at best.

Don’t be mistaken, two-factor authentication is important and you should make sure you enable it everywhere you can. However, without a proper understanding of how real attackers work around these countermeasures, it is possible that people are misled into believing that, once it is enabled, they are safe to log into just about anything and feel protected. Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge to make sure they aren’t improperly lowering their level of caution online.

While it is possible that in the future capable attackers could develop ways around that too, at the moment the safest two-factor authentication option available is the use of security keys.

This technology is supported for example by Google’s Advanced Protection program, by Facebook and as of recently by Twitter as well. This process might appear painful at first, but it significantly raises the difficulty for any attacker to be successful, and it isn’t quite as burdensome as one might think. Normally, you will be required to use a security key only when you are authenticating for the first time from a new device.

That said, security keys have downsides as well. Firstly, they are still at a very early stage of adoption: only few services support them and most email clients (such as Thunderbird) are still in the process of developing an integration. Secondly, you can of course lose your security key and be locked out of your accounts. However, you could just in the same way lose the phone you use for other forms of two-factor authentication, and in both cases, you should carefully configure an option for recovery (through printed codes or a secondary key) as instructed by the particular service.

As with every technology, it is important individuals at risk are conscious of the opportunities as well as the shortcomings some of these security procedures offer, and determine (perhaps with the assistance of an expert) which configuration is best suited for their respective requirements and levels of risk.

How the Bypass for Two-Factor Authentication Works

The servers hosting the Google and Yahoo phishing sites also mistakenly exposed a number of publicly listed directories that allowed us to discover some details on the attacker’s plan. One folder located at /setup/ contained a database SQL schema likely used by the attackers to store the credentials obtained through the phishing frontend:

No automatic alt text available.

A folder located at /bin/ contained an installation of Selenium with Chrome Driver, which is a set of tools commonly used for the automation of testing of web applications. Selenium allows to script the configuration and launch of a browser (in this case Google Chrome) and make it automatically visit any website and perform certain activity (such as clicking on a button) in the page.

While the original purpose was to simplify the process of quality assurance for web developers, it also lends itself perfectly to the purpose of automating login attempts into legitimate websites and streamlining phishing attacks. Particularly, this allows attackers to easily defeat software-based two-factor authentication.

No automatic alt text available.

Yet another folder called /profiles/ instead contained hundreds of folders generated by each spawned instance of Google Chrome, automated through Selenium as explained.

No automatic alt text available.

Because all the profile folders generated by the spawned Google Chrome instances operated by the attackers are exposed to the public, we can actually get a glimpse at how the accounts are compromised by inspecting the History database that is normally used by the browser to store the browsing history.

No automatic alt text available.

Through the many Chrome folders we could access, we identified two clear patterns of compromise.

The first pattern of compromise, and most commonly found across the data we have obtained, is exemplified by the following chronological list of URLs visited by the Chrome browser instrumented by the attackers:

  1. https://mail.yahoo.com/
  2. https://guce.yahoo.com/consent?brandType=nonEu&gcrumb=[REDACTED]&done=https%3A%2F%2Fmail.yahoo.com%2F
  3. https://login.yahoo.com/?done=https%3A%2F%2Fmail.yahoo.com%2F
  4. https://login.yahoo.com/account/challenge/push?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=login&yid=[REDACTED]&sessionIndex=QQ–&acrumb=[REDACTED]
  5. https://login.yahoo.com/account/challenge/phone-obfuscation?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=login&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–&eid=3640
  6. https://login.yahoo.com/account/challenge/phone-verify?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=login&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–
  7. https://login.yahoo.com/account/challenge/pre-change-password?done=https%3A%2F%2Fguce.yahoo.com%2Fconsent%3Fgcrumb%3D[REDACTED]%26trapType%3Dlogin%26done%3Dhttps%253A%252F%252Fmail.yahoo.com%252F%26intl%3D%26lang%3D&authMechanism=prima$
  8. https://login.yahoo.com/account/security/app-passwords/list
  9. https://login.yahoo.com/?done=https%3A%2F%2Flogin.yahoo.com%2Faccount%2Fsecurity%2Fapp-passwords%2Flist%3F.scrumb%3D0
  10. https://login.yahoo.com/account/security/app-passwords/list?.scrumb=[REDACTED]
  11. https://login.yahoo.com/account/security/app-passwords/add?scrumb=[REDACTED]

As we can see, the attackers are automatically visiting the legitimate Yahoo login page, entering the credentials, and then following all of the required steps for eventual two-factor authentication that might have been configured by the victim. Once the full authentication process is completed, the attackers proceed to create what is commonly known as an “App Password”, which is a separate password that some services, including Yahoo, offer in order to allow third-party apps that don’t support two-factor verification to access the user’s account (for example, if the user wants to use Outlook to access the email). Because of this, App Passwords are perfect for an attacker to maintain persistent access to the victim’s account, as they will not be further required to perform any additional two-factor authentication when accessing it.

In the second pattern of compromise we identified, the attackers again seem to automate the process of authenticating into the victim’s account, but they appear to additionally attempt to perform an “account migration” in order to fundamentally clone the emails and the contacts list of from the victim’s account to a separate account under the attacker’s control:

  1. https://mail.yahoo.com/
  2. https://guce.yahoo.com/consent?brandType=nonEu&gcrumb=[REDACTED]&done=https%3A%2F%2Fmail.yahoo.com%2F
  3. https://login.yahoo.com/?done=https%3A%2F%2Fmail.yahoo.com%2F
  4. https://login.yahoo.com/account/challenge/password?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=narrow&yid=[REDACTED]&sessionIndex=QQ–&acrumb=[REDACTED]
  5. https://login.yahoo.com/account/challenge/phone-obfuscation?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=narrow&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–&eid=3650
  6. https://login.yahoo.com/account/challenge/phone-verify?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=narrow&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–
  7. https://login.yahoo.com/account/yak-opt-in/upsell?done=https%3A%2F%2Fguce.yahoo.com%2Fconsent%3Fgcrumb%3D[REDACTED]%26trapType%3Dlogin%26done%3Dhttps%253A%252F%252Fmail.yahoo.com%252F%26intl%3D%26lang%3D&authMechanism=primary&display=n$
  8. https://guce.yahoo.com/consent?brandType=nonEu&gcrumb=[REDACTED]&done=https%3A%2F%2Fmail.yahoo.com%2F
  9. https://mail.yahoo.com/m/
  10. https://mg.mail.yahoo.com/neo/m/launch?
  11. https://mg.mail.yahoo.com/m/
  12. https://mg.mail.yahoo.com/m/folders/1
  13. http://www.gmail.com/
  14. https://www.gmail.com/
  15. https://www.google.com/gmail/
  16. https://mail.google.com/mail/
  17. https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1#
  18. https://mail.google.com/intl/en/mail/help/about.html#
  19. https://www.google.com/intl/en/mail/help/about.html#
  20. https://www.google.com/gmail/about/#
  21. https://accounts.google.com/AccountChooser?service=mail&continue=https://mail.google.com/mail/
  22. https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1
  23. https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin
  24. https://accounts.google.com/signin/v2/sl/pwd?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin&cid=1&navigationDirection=forward
  25. https://accounts.google.com/CheckCookie?hl=en&checkedDomains=youtube&checkConnection=youtube%3A375%3A1&pstMsg=1&chtml=LoginDoneHtml&service=mail&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&gidl=[REDACTED]
  26. https://mail.google.com/accounts/SetOSID?authuser=0&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fauth%3D[REDACTED]
  27. https://mail.google.com/mail/?auth=[REDACTED].
  28. https://mail.google.com/mail/u/0/
  29. https://mail.google.com/mail/u/0/#inbox
  30. https://mail.google.com/mail/u/0/#settings/general
  31. https://mail.google.com/mail/u/0/#settings/accounts
  32. https://mail.google.com/mail/u/0/?ui=2&ik=[REDACTED]&jsver=OeNArYUPo4g.en.&view=mip&fs=1&tf=1&ver=OeNArYUPo4g.en.&am=[REDACTED]
  33. https://api.shuttlecloud.com/gmailv2/authenticate/oauth/[REDACTED]%40yahoo.com?ik=[REDACTED]&email=[REDACTED]@yahoo.com&user=0&scopes=contactsmigration,emailmigration
  34. https://api.login.yahoo.com/oauth2/request_auth?client_id=[REDACTED]&redirect_uri=https%3A//api.shuttlecloud.com/gmailv2/authenticate/oauth/c$
  35. https://api.login.yahoo.com/oauth2/authorize
  36. https://api.shuttlecloud.com/gmailv2/authenticate/oauth/callback?email=[REDACTED]&code=[REDACTED]
  37. https://mail.google.com/mail/u/0/?token_id=[REDACTED]&ik=[REDACTED]&ui=2&email=[REDACTED]%40yahoo.com&view=mas

In this rather longer chronology of URLs visited by the Chrome browser instrumented by the attackers we can see that they designed the system to attempt a login into Yahoo with the stolen credentials and request the completion of a two-factor verification process, as requested by the service. Once the authentication is completed, the phishing backend will automatically connect the compromised Yahoo account to a legitimate account migration service called ShuttleCloud, which allows the attackers to automatically and immediately generate a full clone of the victim’s Yahooaccount under a separate Gmail account under their control.

After such malicious account migration happened, the attackers would then be able to comfortably search and read through all the emails stolen from the victims leveraging the full-fledged functionality offered by Gmail.

Indicators

tutanota[.]org

protonemail[.]ch

accounts-mysecure[.]com

accounts-mysecures[.]com

accounts-secuirty[.]com

accounts-securtiy[.]com

accounts-servicse[.]com

accounts-settings[.]com

account-facebook[.]com

account-mysecure[.]com

account-privacy[.]com

account-privcay[.]com

account-servics[.]com

account-servicse[.]com

alert-newmail02[.]pro

applications-secure[.]com

applications-security[.]com

application-secure[.]com

authorize-myaccount[.]com

blu142-live[.]com

blu160-live[.]com

blu162-live[.]com

blu165-live[.]com

blu167-live[.]com

blu175-live[.]com

blu176-live[.]com

blu178-live[.]com

blu179-live[.]com

blu187-live[.]com

browsering-check[.]com

browsering-checked[.]com

browsers-checked[.]com

browsers-secure[.]com

browsers-secures[.]com

browser-checked[.]com

browser-secures[.]com

bul174-live[.]com

checking-browser[.]com

check-activities[.]com

check-browser[.]com

check-browsering[.]com

check-browsers[.]com

connected-myaccount[.]com

connect-myaccount[.]com

data-center17[.]website

documents-view[.]com

documents-viewer[.]com

document-viewer[.]com

go2myprofile[.]info

go2profiles[.]info

googledriveservice[.]com

gotolinks[.]top

goto-newmail01[.]pro

idmsa-login[.]com

inbox01-email[.]pro

inbox01-gomail[.]com

inbox01-mails[.]icu

inbox01-mails[.]pro

inbox02-accounts[.]pro

inbox02-mails[.]icu

inbox02-mails[.]pro

inbox03-accounts[.]pro

inbox03-mails[.]icu

inbox03-mails[.]pro

inbox04-accounts[.]pro

inbox04-mails[.]icu

inbox04-mails[.]pro

inbox05-accounts[.]pro

inbox05-mails[.]icu

inbox05-mails[.]pro

inbox06-accounts[.]pro

inbox06-mails[.]pro

inbox07-accounts[.]pro

inbox101-account[.]com

inbox101-accounts[.]com

inbox101-accounts[.]info

inbox101-accounts[.]pro

inbox101-live[.]com

inbox102-account[.]com

inbox102-live[.]com

inbox102-mail[.]pro

inbox103-account[.]com

Inbox103-mail[.]pro

inbox104-accounts[.]pro

inbox105-accounts[.]pro

inbox106-accounts[.]pro

Inbox107-accounts[.]pro

inbox108-accounts[.]pro

inbox109-accounts[.]pro

inbox169-live[.]com

inbox171-live[.]com

inbox171-live[.]pro

inbox172-live[.]com

inbox173-live[.]com

inbox174-live[.]com

inbox-live[.]com

inbox-mail01[.]pro

inbox-mail02[.]pro

inbox-myaccount[.]com

mail01-inbox[.]pro

mail02-inbox[.]com

mail02-inbox[.]pro

mail03-inbox[.]com

mail03-inbox[.]pro

mail04-inbox[.]com

mail04-inbox[.]pro

mail05-inbox[.]pro

mail06-inbox[.]pro

mail07-inbox[.]pro

mail08-inbox[.]pro

mail09-inbox[.]pro

mail10-inbox[.]pro

mail12-inbox[.]pro

mail13-inbox[.]pro

mail14-inbox[.]pro

mail15-inbox[.]pro

mail16-inbox[.]pro

mail17-inbox[.]pro

mail18-inbox[.]pro

mail19-inbox[.]pro

mail20-inbox[.]pro

mail21-inbox[.]pro

mail101-inbox[.]com

mail101-inbox[.]pro

mail103-inbox[.]com

mail103-inbox[.]pro

mail104-inbox[.]com

mail104-inbox[.]pro

mail105-inbox[.]com

mail105-inbox[.]pro

mail106-inbox[.]pro

mail107-inbox[.]pro

mail108-inbox[.]pro

mail109-inbox[.]pro

mail110-inbox[.]pro

mail201-inbox[.]pro

mail-inbox[.]pro

mailings-noreply[.]pro

myaccountes-setting[.]com

myaccountes-settings[.]com

myaccountsetup[.]live

myaccounts-login[.]com

myaccounts-profile[.]com

myaccounts-secuirty[.]com

myaccounts-secures[.]com

myaccounts-settings[.]com

myaccounts-settinq[.]com

myaccounts-settinqes[.]com

myaccounts-transfer[.]com

myaccount-inbox[.]pro

myaccount-logins[.]com

myaccount-redirects[.]com

myaccount-setting[.]com

myaccount-settinges[.]com

myaccount-settings[.]ml

myaccount-setup[.]com

myaccount-setup1[.]com

myaccount-setups[.]com

myaccount-transfer[.]com

myaccount[.]verification-approve[.]com

myaccount[.]verification-approves[.]com

myaccuont-settings[.]com

mysecures-accounts[.]com

mysecure-account[.]com

mysecure-accounts[.]com

newinbox-accounts[.]pro

newinbox01-accounts[.]pro

newinbox01-mails[.]pro

newinbox02-accounts[.]pro

newinbox03-accounts[.]pro

newinbox05-accounts[.]pro

newinbox06-accounts[.]pro

newinbox07-accounts[.]pro

newinbox08-accounts[.]pro

newinbox-account[.]info

newinbox-accounts[.]pro

noreply[.]ac

noreply-accounts[.]site

noreply-mailer[.]pro

noreply-mailers[.]com

noreply-mailers[.]pro

noreply-myaccount[.]com

privacy-myaccount[.]com

privcay-setting[.]com

profile-settings[.]com

recovery-settings[.]info

redirections-login[.]com

redirections-login[.]info

redirection-login[.]com

redirection-logins[.]com

redirects-myaccount[.]com

royalk-uae[.]com

securesmails-alerts[.]pro

secures-applications[.]com

secures-browser[.]com

secures-inbox[.]com

secures-inbox[.]info

secures-settinqes[.]com

secures-transfer[.]com

secures-transfers[.]com

secure-browsre[.]com

secure-settinqes[.]com

security-settinges[.]com

securtiy-settings[.]com

services-securtiy[.]com

settings-secuity[.]com

setting-privcay[.]com

settinqs-myaccount[.]com

settinq-myaccounts[.]com

thx-me[.]website

transfer-click[.]com

transfer-clicks[.]com

truecaller[.]services

urllink[.]xyz

verifications-approve[.]com

verification-approve[.]com

verification-approves[.]com

xn--mxamya0a[.]ccn

yahoo[.]llc


This article was originally published by Amnesty International on December 18th 2018. It was republished, with permission, under a Creative Commons BY-NC-ND 4.0 International License, in accordance with the Terms & Conditions of Amnesty International | Formatting Edits and Tweets added/embedded by Rogue Media Labs

US Department of Justice Indicts Chinese Aviation Spies & Their Team of Hackers

In a press release made available to the public on October 30th, 2018, the United States Department of Justice announced the indictment of various members of Chinese Intelligence and their team of hackers. The indictment officially names two Chinese officers; Zha Rong and Chai Meng, 5 of their co-conspirators; Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi – alleged to have carried out hacking operations on behalf of them, along with three others; Tian Xi, Gu Gen and Li Xiao.

From January 2010 to May 2015, the team is alleged to have carried out repeated hacking operations against various US and internationally based businesses with the intention of obtaining,”among other data, intellectual property and confidential business information, including information related to a turbofan engine used in commercial airliners.” Their actions are primarily tied to active hacking attempts against and intellectual property theft of several European and US based aviation companies and parts manufacturers, 13 in total. Included in the US states effected by the theft/breach are Arizona, Massachusetts, California and Oregon.

According to the official indictment filed in the Southern District of California provided below, working under the direction of Zha Rong and Chai Meng, the Chinese hackers listed above “attempted a series of intrusions in order to facilitate intrusions and steal non-public commercial and other data.” Alleging that, to do this, “the hackers used a range of techniques, including spear phishing, sowing multiple different strains of malware into company computer systems, using the victim companies own websites as ‘watering holes’ to compromise website visitors’ computers, and domain hijacking through the compromise of domain registrars.” Perhaps most importantly, these hacks were successful.

View Full Indictment from DOJ:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2018/11/indictment_zhang_et_al_0.pdf”]

Email Security Strategies

Before we begin, you can have the most advanced cyber security practices and anti-virus in place but if you do not have a strong enough password to secure your devices or online accounts, all your security measures might as well be useless. As I have already explained in a previous tutorial, more people are hacked as a result of weak passwords than any other single factor. With that established, the 2nd most common way to hack someone is through their email inboxes or accounts – just ask Hillary Clinton, John Podesta, John Brennan and the DNC about that. Make no mistake, if some of the worlds most powerful people can have their personal emails hacked, so can you. This is also why learning how to practice better email habits should be of the upmost importance for you heading into the future.

What To Avoid & How Email Hacks are Pulled Off:

While browsing through your email account(s), never open a single email or click on any link(s) from a sender you do not know personally. It might seem harmless, but the simple act of curiously opening an email or clicking on a link within an email can open Malware or register and transmit the IP Address of the device you are using to the sender of that email or link.

When a hacker sends compromising emails or links to your personal inbox it is a technique known as “Phishing,” and it is perhaps the most common form of cyber-attack you will ever encounter. I am willing to bet that everyone whom has ever owned an email account has seen a phishing scheme at one point or another in their lifetime, whether they were even aware of it or not. This is also why it is important to not just leave your email out in the open for all the world to see, or blindly pass it around to so many pages across the internet – especially if you have something to lose.

Believe it or not, there are even free and public services which allow any person to secretly attach a program to any given link or email they send, which automatically transmits data such as your IP Address as soon as you open it. This type of program also reveals things like the time of day you clicked the link, the type of browser you were using and how long you kept the window open. This is also what is referred to as a “trap-link.” The most common of which comes in the form of an “IP-logger,” which automatically registers the data of any device that clicks on it. While this might sound extremely complicated or foreign to you, again, regardless of the legality of it all, there are actually multiple free services, platforms and tools available on the internet for people to do just this.

Needless to say, always use caution and judgement when clicking on any links in your inbox, online chat, message or social media network alike – especially from people/sources/senders you do not know or have never done business with directly.

Separate Your Inboxes:

A good practice is to also use separate accounts for different purposes. For example, use a separate email account for your online banking and/or business than you would use for family, friends, or subscribing to magazines. This ensures that if one account is ever breached or compromised, not every aspect of your life gets compromised along with it. Additionally, use separate passwords for separate accounts and always reserve your strongest passwords for your most important accounts. You should also utilize two-factor authentication whenever and wherever possible.

If you are a website domain owner, or own multiple email accounts, you can also secure your personal or business inbox behind a mail forwarding service through your domains DNS settings or an alternative service provider. Selecting this option will allow you to pass out an email address without actually revealing the true end destination where those emails will be sent, essentially turning the mail forwarding address into an “alias” or “proxy” for your real account.

If you would like to learn more about alternative/encrypted email service providers, as well as why you should consider making the switch to them, please utilize the following link: https://roguesecuritylabs.ltd/making-the-switch-to-encrypted-emails/

If you need help learning how to read, write and remember stronger passwords to secure your online accounts, please utilize the following link: https://roguesecuritylabs.ltd/how-to-write-un-hackable-passwords/

Securing Social Media Accounts

As always, strong password protection is the number one priority for securing social media accounts. This includes using your phone to enable two factor authentication (2FA) for them. Due to the simple fact that social accounts usually hold far less important data/information than emails, I am willing to bet anything that close to 100% of all hacks against your social accounts will be deterred if you simply enable 2FA for them. It is also a widely known fact that more social accounts are compromised as a result of weak passwords than any other single factor.

Password Security Guide + 2FA: https://roguesecuritylabs.ltd/how-to-write-un-hackable-passwords/

While using your social media accounts, just as with emails, never open a message from or click on links by users, senders or accounts you do not know personally, were not expecting to hear from or haven’t done business with in the past. As I have already with emails, hackers can phish your social media accounts all the same. Moreover, it is actually much easier for a hacker to uncover your “IP Address” through something like Facebook Messenger than it is through email. This can also be done without you clicking on any individual hyperlink. For example, you can find someone’s IP when engaging them on Facebook by using a simple sequence of “cmd commands” – which are freely available on every Windows device.

Like your mother always told you, never talk to strangers – especially online 😉

You can add an extra layer of security to your accounts by preventing them from being “indexed” by search engines and web crawlers. This can be accomplished by making small changes to your account settings. By default, the largest social media platforms are all designed to connect to search engines like Google, Bing or Yahoo, in order to make social networking more accessible and convenient for everyone. However, allowing your account to be indexed means that theoretically anyone in the world could search for and find your account if they really wanted. Whereas if you disable your account from being indexed then the only people you personally give your account information to will know where to find it.

To do this, simply go under your accounts setting, scroll to Privacy Settings and uncheck the “Public Search Results” box. This will remove your profile’s page from Google, Bing, and Yahoo search returns. This is also a security practice instructed to Federal Employees and members of the US Defense Department.