Protect Credit Union Assets from Sophisticated Hackers

Today’s criminals have moved beyond ransomware and malware.

From left: Tim Evans, chief of strategy; Don McLamb, Director of Engineering; and Rob Johnston, CEO.

Financial institutions are prime targets for cybercriminals looking to gain access to volumes of consumers’ personal data and money.

In 2017, the U.S. experienced 1,579 data breaches, 8.5% of which involved financial services companies such as credit unions, banks, investment firms, and credit card companies.

Credit unions face considerable challenges protecting sensitive personal and financial data from breaches. As nonprofit entities, they tend to have lean information technology (IT) teams and reduced technology budgets.

While credit unions may have smaller IT staff and budgets than larger banks, collectively they serve more than 100 million members and have assets of roughly $1.4 trillion.

To support their business, credit unions rely upon complex IT infrastructures with hundreds of connected devices transmitting large volumes of sensitive data. In addition to defending against intruders, credit unions must implement security controls to meet security compliance requirements.

It’s no surprise hackers find credit unions attractive.

Hackers realize that legacy security tools can’t properly protect today’s dynamic infrastructures. Firewalls and penetration testing alone can no longer keep sensitive data and assets safe.

Today’s hackers have moved beyond ransomware and malware, and have identified new methods for infiltrating networks to steal employees’ identities, and then use those identities to roam the network—without the network owners even knowing of their presence.

Fileless attacks are becoming their weapon of choice. They don’t require any payload, and they are harder to detect than traditional malware-based threats.

Credit unions looking to outsmart hackers and ease the burden of compliance need to reassess their security strategies and identify the right blend of people, technologies, and programs necessary to protect themselves and their members.

To outsmart the bad guys, some credit unions are looking at advanced detection technologies that leverage machine learning and artificial intelligence.

Machines capable of cognitive functions, such as anomaly detection and classification, have superior processing power and continuously scan huge volumes of data to identify risks.

Today’s cybersecurity technology

Technology is revolutionizing the way credit unions secure enterprise assets and ensure PCI DSS (Payment Card Industry Data Security Standards) compliance. Today’s solution must be a cloud-delivered SaaS [software as a service] solution that protects against internal and external malicious actors.

A perfect Security Information & Event Management (SIEM) replacement or augmentation platform uses artificial intelligence, machine learning, and pattern recognition to monitor an organization’s network 24/7 to detect changes in user behaviors. It provides real-time visibility and analysis of the activities of every identity within the enterprise.

Creating a heuristic baseline of user activity by analyzing behavior, it identifies potentially malicious activity and sends a warning to the administrator, providing details about the questionable event before the threat becomes critical.

PCI compliance

Credit unions also need a platform that helps manage the security and confidentiality of member information by monitoring systems and activities to detect attempted and actual attacks on, or intrusions into, member information systems.

Appropriate technology solutions help manage the complexity of a constantly changing IT environment and provide insight into what sensitive data is being accessed by every account on the network.

Visualize privilege across your network

Managing user privilege across multiple groups is a challenge. User rights that are assigned to a group are applied to all members of the group while they remain members.

If a user is a member of multiple groups, the user’s rights are cumulative, meaning that user has more than one set of rights and privileges. Failure to routinely audit privilege and groups can result in misuse of privilege and unauthorized access to sensitive files.

SIEM-like technology automates the process for managing user privilege, ensuring account privilege status is up to date and accurate.

Cyber hunting

The Adlumin Platform is revolutionizing how credit unions secure sensitive data and intellectual property while achieving their compliance objectives. Adlumin provides a virtual machine-learning team of four to five personnel that hunts networks 24/7 for anomalous behavior.

This eliminates the need for credit unions to hire a single person.

TIMOTHY EVANS, J.D., L.L.M., is co-founder/senior vice president and chief of strategy for Adlumin Inc.

Password Safety and Complexity to Protect Your Accounts

By James Warnken

“The most used password in the world is 123456”

A simple password like this is cracked in a matter of just a few seconds, whereas a password that contains one capital letter, lowercase letters, and numbers may take a few hours to crack. The most complex passwords take weeks to crack; they include everything above plus randomly placed special characters. Keep this in mind when renewing or creating passwords so that accounts and information are secured by complex, strong passwords.

Before delving into how to construct a complex and secure password, we must first understand how hackers are stealing and breaking passwords in just a few minutes and clicks.

There are 5 ways hackers steal and break passwords to be mindful of:

  1. Mass Password Theft: This form of theft is done solely with a program that exploits files within websites that contain username and password credentials. A hacker uses software that scans for websites that store and create lists of user credentials; once such a list is found, the hacker has full access to do with the information as they please. One interesting fact is that a computer does not have to be connected to Wi-Fi or even turned on for this to happen. The theft takes place on the server side, which means websites with autofill passwords enabled and weak security are a prime target for this form of password theft.

  2. Wi-Fi Traffic Monitoring: This form of password and credential theft often goes undetected and is rarely given a second thought. It often takes place in public places that offer free Wi-Fi requiring a sign-in with an email address. A hacker sits within that network and, once an email address is entered, can monitor and record information from any sites or programs visited while on the free public network. For example, say you are on a public network checking your social media accounts: if a hacker is monitoring the network, once you enter your password to log in, the hacker has the credentials needed to access the account.

  3. Trial and Error Theft: Although less practical for hackers, this method is still relevant and used with today’s technology. It is exactly as it sounds. Hackers know that most people use significant words, phrases, or dates when setting passwords, so a password can be cracked just by guessing and performing trial and error. For example, it is common for people to use their date of birth in some form within their password, and this information is easy for someone to get ahold of and use when trying to guess a password.

There are two forms of phishing attacks:

  4. Fake Websites: Everyone gets obvious spam emails, but what about the ones that seem legitimate and very important? Some hackers have been known to set up websites that mimic official sites and then send spam emails that seem real. This is one effective way hackers steal credentials without much work beyond the setup phases. The email usually seems very important and provides a link that will help resolve whatever issue is claimed to be occurring. Once the username and password have been entered, the hacker has information that can then be used to log in to the actual account and do whatever they wish. These emails are very hard to spot and many times are never given a second thought. If you receive one and the problem it describes could be real, do not log in through the link provided in the email. Go to the official website and log in there.

  5. Key Logging: This form of phishing is very common and usually is very easy to spot. Hackers send emails that attempt to catch the receiver’s attention in various ways, aiming to drive them to click on a link attached to the email. If the link is opened, it may seem that nothing bad has happened, which is true from a general view. However, on the back end, the email will inject code into the device and begin tracking and recording information. Such code tracks keystrokes and information within files, which are then used to breach, crack, and steal passwords, credentials, and sensitive information. One rule of thumb: if it seems too good to be true, it more than likely is.


Now that we know how hackers get our passwords, what can we do to stop them?

Here are 6 tips for making your password complex and impossible to crack.


  1. Password Length: The longer a password is, the more complex it is and the harder it is to crack or steal. Most websites require a minimum of 6 characters, but in reality, 8 should be the minimum number of characters used. Never use only the minimum characters required; instead make passwords lengthy and use variations of uppercase, lowercase, numbers, and symbols to ensure passwords are complex.

  2. Password Variety: This may seem very simple, but it is key to making passwords complex. Instead of using the usual variation of first name, last name, and date of birth, try switching things up and using quotes and phrases. These are much harder for hackers to guess or replicate. Use a set of words or phrases that have no direct attachment to you personally. To make the password even more complex, use variations by substituting words in or out, or rearrange the words so that the result may not make much sense to anyone but you.

  3. Using the Full Keyboard: When it comes to creating a solid password, we all typically use letters and numbers, but utilizing the entire keyboard will make passwords more complex and harder for hackers to crack. Using special characters such as “!” or “#” is always a good idea. It is also key not to arrange characters, numbers, and symbols in a generic pattern. Mixing things up, replacing characters with numbers, and arranging them in a unique pattern will ensure your password is complex and uncrackable.

  4. Variations Across Accounts: When it comes to logging in to accounts, many people fall into thinking “I want my password to be easy to remember,” so the same password is used across multiple or all accounts. This is very risky and makes all accounts vulnerable to attacks. Instead of using the same exact password, create variations of the password, such as replacing letters with numbers or making characters capital or lowercase. Simple variations can protect accounts and add to their complexity, making it harder for attackers to steal them.

  5. Avoid Common Passwords: When it comes to password complexity and making the job of a hacker harder, this tip is the easiest and can be impactful. Avoid using the famous “123456” or “qwerty” and any others that just seem too easy to guess. Also, keep in mind that if it is something that sticks out on the keyboard, it is more than likely too easy and simple a password. A simple password would be your initials and birthday, whereas a more complex password may be the month you were born, followed by your middle name (capitalize one random letter), followed by a special symbol, concluded with the day you were born.

  6. Renewing Passwords: Passwords that have been the same for long periods of time are more vulnerable than ones changed from time to time. Best practices suggest a password should be reset and changed at least once every 3 months. Changing passwords helps both in securing against future attacks and against attacks that may have happened undetected. For example, a hacker could have login credentials and be hiding and monitoring data and information, but with a regular password reset the hacker would be locked out and all access they had would no longer be available. In most cases, stale passwords, or passwords that have not been reset for long periods of time, are the prime target for hackers and can grant them access often without anyone ever knowing they are in.


Having all this in mind, let us see some examples of PCI compliance regulations regarding passwords.


  • Passwords must be reset every 90 days
  • Require a minimum password length of 7 characters
  • Passwords must contain numerical and alphabetical characters
  • New passwords cannot be the same as the old password
  • Temporary locking of account after 6 failed attempts
  • Idle timeout after 15 minutes

Be sure to check the full list of regulations as well as others within your industry to ensure both compliance and protection.
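The six rules listed above can be enforced together at the point where passwords are set and checked. The following is an added example, not code from the article or from any PCI tooling; the `Account` class, the function names and the 30-minute lock duration are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Values taken from the rule list above.
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 7
MAX_FAILED_ATTEMPTS = 6
IDLE_TIMEOUT = timedelta(minutes=15)
# Assumption: the list only says the lock is "temporary"; 30 minutes is illustrative.
LOCK_DURATION = timedelta(minutes=30)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the "same as old password" rule needs no stored plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.password_hash)


def password_problems(candidate: str, account: Optional[Account] = None) -> List[str]:
    """Return every rule the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numerical character")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetical character")
    if account is not None and account.matches(candidate):
        problems.append("same as the old password")
    return problems


def create_account(password: str, now: datetime) -> Account:
    problems = password_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), now)


def change_password(account: Account, new_password: str, now: datetime) -> List[str]:
    """Apply the change only if no rule is broken; return the problems found."""
    problems = password_problems(new_password, account)
    if not problems:
        account.salt = os.urandom(16)
        account.password_hash = _hash(new_password, account.salt)
        account.password_set_at = now
    return problems


def login(account: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'denied', 'locked' or 'expired'."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"  # even the correct password is refused while locked
    if not account.matches(password):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCK_DURATION
            account.failed_attempts = 0
            return "locked"
        return "denied"
    account.failed_attempts = 0
    account.locked_until = None
    if now - account.password_set_at > MAX_PASSWORD_AGE:
        return "expired"  # correct password, but a reset is required first
    account.last_activity = now
    return "ok"


def session_active(account: Account, now: datetime) -> bool:
    """A session ends once 15 minutes pass without activity."""
    if account.last_activity is None:
        return False
    return now - account.last_activity <= IDLE_TIMEOUT


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 9, 0)  # constructed sample date
    print(password_problems("123456"))
    acct = create_account("Maple7Tree", start)
    print([login(acct, "guess", start) for _ in range(6)])
```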

U.S. More Vulnerable To Weaponized Cyberattacks Than You Think

Experts on a panel at SXSW warn major hacking onslaughts of our infrastructure, personal data, and businesses are coming—and we’re not ready.

Until Americans get more serious about cybersecurity, the United States remains extraordinarily vulnerable to attacks from enemy nations–and even individual hackers–on our electric grid, hospitals, infrastructure, and companies large and small.

That was the sobering takeaway from the War Games: From Battlefield to Ballot Box panel of experts at South by Southwest Friday.

Representatives from the federal government, security firms, and private investors painted a bleak picture of the current state of our digital safety considering hackers’ increased ferocity in recent years.

“When I first got into cyber, it was a game for nation-states,” says Robert Johnston, the CEO of Adlumin, and the cyber sleuth who detected the Russian hacking of the Democratic National Committee. “Only nation-states would play at this level… The barriers to entry were so high, the knowledge you needed was so high. In today’s day and age, that’s not the case.”

Today, says the former Marine, who also led efforts to counter Russian cyberattacks against the U.S. Joint Chiefs of Staff, software has made it easy for even the smallest countries, or even private hackers, to carry out dangerous attacks.

Software has made it so easy, says Ann Cox, a program manager in the Department of Homeland Security’s Cyber Security Division, that bad actors can easily and cheaply buy tools with relatively simple graphical interfaces on the Dark Web. “Anyone who has an interest in doing malicious things, there’s a very low barrier to entry,” Cox says. It’ll cost “only a few hundred dollars.”

And while we might worry about the impacts of things like Russian hacks on national institutions, Cox says even these small hackers are now regularly carrying out coordinated shutdowns of things like 911 call centers by overwhelming them with phone calls.

A major bottleneck in efforts to thwart cyberattacks is complacency. While many companies and people may know the precautions they should implement to protect their systems, few do. Things as basic as regularly updating operating systems, using antivirus software, and two-factor authentication are not being done.

Even if everyone used best practices, it would still leave us vulnerable to between 10% and 20% of attacks, says Cox, and that’s a big reason few have foreseen the scale of the kinds of intrusions that have taken place and the rate at which they’re expanding.

To illustrate just how much worse things are, she detailed how in 2015 her agency launched a program to fight against distributed denial of service attacks and set a goal of being able to handle anything up to a 1,000 TB/second attack against a mid-size company. The program manager in charge of the effort got grief, she said, because few imagined such an attack was possible.

But a year later, the Mirai Botnet brought networks down across the U.S. by exceeding that level, and just within the last three weeks, she says, there have been two attacks that set records for scale. “Because of the way malware is evolving,” Cox says, “if they hit 2 TB/second, or 3 TB/second, we really don’t have a way to protect against that.”

And, we should be prepared for that to happen in the next two to three years, she adds.

While it seems like there are potentially insurmountable technical issues now, a bigger problem may be that a country like the United States has few viable deterrents to keep belligerents from hacking into our systems. Johnston pointed out that when it comes to the nuclear race, we’ve always relied on the concept of mutually-assured-destruction to avoid catastrophe. And in conventional warfare, few countries can withstand American military might that is capable of parking multiple carrier groups off an enemy shore in 18 hours.

But in cyberwarfare, the playing field levels out quick. “At any given time,” Johnston says, “any country can launch” a cyberattack. And while the U.S. certainly can mount its own, there is little we can do to prevent retaliation that’s as bad, or even worse.

He says that economic sanctions and diplomacy have proven to be the most effective deterrents, but that they’re only successful some of the time–when there’s relative economic parity between nations, such as Obama’s efforts to rein in Chinese hacking.

Such efforts won’t work with every country, Johnston says. For example, we’ve already had sanctions in place against North Korea for decades and that country continues its sub rosa cyberwarfare.

Americans probably need to accept that we’re in for a rough future, warns Johnston. He points to Russia, which has not been deterred from cyberattacking the U.S. despite past sanctions and the threat of new ones that President Donald Trump never implemented.

Russia has too many ways to retaliate against U.S. counterpunches—such as shutting off natural gas supplies. “You can’t pick on a big boy on the block,” Johnston says. “You have to find another way.”


Daniel Terdiman is a San Francisco-based technology journalist with nearly 20 years of experience. A veteran of CNET and VentureBeat, Daniel has also written for Wired, The New York Times, Time, and many other publications.




Kelly Sheridan

Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.

Cybercriminals take the path of least resistance — which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.

Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don’t need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.

Yet businesses still aren’t paying attention.

“Our focus in this industry is still on traditional attack vectors we’ve been dealing with for most of our careers,” says Heath Renfrow, CISO at Leo Cyber Security.

It’s time for businesses to take a closer look at how these threats work, how they can be detected, why they’re predicted to grow, and the steps they can take to protect themselves.

The Evolution of Modern Fileless Attacks

Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.

“What’s different about today is not the fact of fileless — both Code Red and Slammer used this — it’s the fact that the bulk of the attack chain, the steps of the attack, are all fileless,” she says. “If they do involve a payload it often looks legitimate and therefore, it’s very hard to detect.”

The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.

“Within a network, what’s breaking the backs of organizations is the theft of usernames and passwords,” he explains. “It’s not the malware that’s doing the trick.”

Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it’s oftentimes more valuable to access someone’s Office 365 or Amazon Web Services login, Johnston says.

All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they’re not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.

Why You’re Vulnerable

Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can’t monitor their full ecosystem. Many are “drowning in data” and are unable to bring account and user activity into a single place for analysis.

“If they can’t track it, they can’t understand which accounts have access to what,” Johnston explains. “They have no way to visualize, and no way to track and scale, all of these different identities that don’t always line up to a human.”

The challenge escalates when employees don’t adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.

Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.

“What hackers are doing is trying to get into personal accounts, and using that to get into corporate,” Buduri explains. Many threat actors target low-level employees with the idea that once they’re in, they can monitor email activity to learn the addresses of high-ranking workers.

Poised to Grow

Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking “significantly increases the risk to the infrastructure,” he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.

Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. “Think about a cloud environment,” he says. “How much insight does a CISO have into who’s logging in and where?” Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned — legitimate creds within attackers’ reach.

While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. “The sad reality is we’re seeing an increase in the number of destructive attacks that are being leveraged,” she points out.

What Can You Do About It?

Protecting against phishing starts with employee education. “Trick them, test them, teach them,” says Lovejoy. “The goal is to immunize enough people so the disease can’t take hold.” Employees should also have a means to report activity they feel is suspicious.

“Always enact the policy ‘If you see something, say something,'” she adds.

On top of this, businesses should take a close look at activity in their ecosystems.

“One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure,” says Renfrow. “It was eye-opening … we had more credentials running through our infrastructure than we had people.”

After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine’s infrastructure, he says automation was necessary for this.

He advises organizations to go back to the “old-school” method of looking at their traditional identity and access management. From there, if they’re mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.

“I think it would be eye-opening for any organization,” Renfrow says.
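One way to implement the credential mapping and out-of-location alerting described above, as an added example (not Army Medicine's tooling and not code from the article). The log layout, account names, roster and baseline cutoff date are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Login(NamedTuple):
    when: datetime
    account: str
    location: str
    target: str


# Constructed sample records: timestamp, account, login location, system accessed.
SAMPLE_LOG = """\
2018-03-01T08:02:11 jsmith HQ-OFFICE mail01
2018-03-01T08:15:40 mlee HQ-OFFICE files01
2018-03-02T02:00:03 svc_backup DATACENTER files01
2018-03-02T08:05:27 jsmith HQ-OFFICE files01
2018-03-05T09:11:52 mlee VPN mail01
2018-03-06T02:00:04 svc_backup DATACENTER files01
2018-03-08T08:01:19 jsmith HQ-OFFICE mail01
2018-03-12T03:44:10 jsmith BRANCH-07 files01
2018-03-12T08:20:33 mlee VPN mail01
2018-03-13T14:02:45 svc_backup HQ-OFFICE db01
2018-03-13T14:09:02 localadmin HQ-OFFICE db01
"""

# Constructed roster: account -> named owner. Accounts missing here map to no person.
ROSTER = {"jsmith": "J. Smith", "mlee": "M. Lee"}

# Assumption: logins before this date define each account's "normal" locations.
BASELINE_END = datetime(2018, 3, 10)


def parse(log: str) -> List[Login]:
    """Parse whitespace-separated records, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # do not guess at fields in a damaged record
        when, account, location, target = parts
        events.append(Login(datetime.fromisoformat(when), account, location, target))
    return sorted(events)  # chronological: 'when' is the first field


def build_baseline(events: List[Login], end: datetime) -> Dict[str, Set[str]]:
    """Map each account to the set of locations it logged in from before 'end'."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for event in events:
        if event.when < end:
            baseline[event.account].add(event.location)
    return dict(baseline)


def find_alerts(events: List[Login], baseline: Dict[str, Set[str]],
                end: datetime) -> List[Tuple[str, str, str]]:
    """Return (account, location, reason) for logins after 'end' that deviate."""
    alerts = []
    for event in events:
        if event.when < end:
            continue
        known = baseline.get(event.account)
        if known is None:
            reason = "no baseline for account"
        elif event.location not in known:
            reason = "outside normal login location"
        else:
            continue
        alerts.append((event.account, event.location, reason))
    return alerts


def unowned_accounts(events: List[Login], roster: Dict[str, str]) -> List[str]:
    """Credentials seen in the logs that do not line up to a named person."""
    return sorted({event.account for event in events} - set(roster))


if __name__ == "__main__":
    logins = parse(SAMPLE_LOG)
    normal = build_baseline(logins, BASELINE_END)
    for alert in find_alerts(logins, normal, BASELINE_END):
        print("ALERT", *alert)
    accounts = {event.account for event in logins}
    print(len(accounts), "credentials,", len(ROSTER), "people;",
          "unowned:", unowned_accounts(logins, ROSTER))
```

On the sample data, the inventory shows four credentials for two people, and the service account appearing at an office location is flagged alongside the user login from an unfamiliar branch.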

FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say

In a secret deal, a French company purchased code from a Kremlin-connected firm, incorporated it into its own software, and hid its existence from the FBI, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could compromise law enforcement computer systems.

The fingerprint-analysis software used by the FBI and more than 18,000 other US law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.

The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.

In recent years, Russian hackers have gained access to everything from the Democratic National Committee’s email servers to the systems of nuclear power companies to the unclassified computers of the Joint Chiefs of Staff, according to US authorities.

The headquarters of the Russian cybersecurity company Kaspersky Lab.

This September, the Department of Homeland Security ordered all federal agencies to stop using products made by the Moscow-based company Kaspersky Lab, including its popular antivirus software, and media outlets reported that Russian hackers had exploited it to steal sensitive information on US intelligence programs. The department later clarified that the order didn’t apply to “Kaspersky code embedded in the products of other companies.” The company’s founder, Eugene V. Kaspersky, has denied any involvement in or knowledge of the hack.

The Russian company whose code ended up in the FBI’s fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service — the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of US targets.

Cybersecurity experts said the danger of using the Russian-made code couldn’t be assessed without examining the code itself. But “the fact that there were connections to the FSB would make me nervous to use this software,” said Tim Evans, who worked as director of operational policy for the National Security Agency’s elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin.

The FBI’s overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau’s use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.

In hopes of winning the FBI contract, the Safran subsidiary Sagem Sécurité, later renamed Morpho, licensed the Papillon technology to boost the performance of its own fingerprint-recognition software, the whistleblowers said. Both of them worked for Morpho: Philippe Desbois was the former CEO of the company’s operations in Russia, and Georges Hala worked for Morpho’s business development team in Russia.

Sagem presented a new biometric passport in 2007.

BuzzFeed News reviewed an unsigned copy of the licensing agreement between the French and Russian companies, which both men said they had obtained while working for Morpho; it is dated July 2, 2008 — a year before the company beat out some of the world’s largest biometric firms, including an American competitor, to secure the FBI business. It grants Sagem Sécurité the right to incorporate the Papillon code into the French company’s software and to sell the finished product as its own technology. It also stipulates that Papillon would provide updates and improvements during the five-year period that ended on the last day of 2013. In return, Sagem Sécurité agreed to pay an initial fee of roughly 3.8 million euros — equivalent to almost $6 million at the time — plus annual fees.

The contract, which is also referenced in court documents, says that to Papillon’s knowledge its software does not contain any “undisclosed ‘back door,’ ‘time bomb,’ ‘drop dead,’ or other software routine designed to disable the software automatically with the passage of time or under the positive control of any person” or any “virus, ‘Trojan horse,’ ‘worm,’ or other software routines or hardware components designed to permit unauthorized access, to disable, erase, or otherwise harm the software, hardware, or data.”

The contract reviewed by BuzzFeed News also contains a section titled “Publicity” that says, “The parties agree to keep strictly confidential and not to disclose by any means to any third party the existence and the contents of this Agreement.”

Desbois — who has filed a whistleblower lawsuit in US federal court accusing Safran of fraudulently collecting about $1 billion from federal, state, and local agencies — said at least three high-level company officials stressed to him on multiple occasions that the existence of the agreement needed to remain a closely held secret. Disclosure, he said he was told, might jeopardize contracts in the US market, which the company coveted.

“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm,’” he recalled.

Neither Desbois nor Hala was personally involved in the integration of Papillon code into the French company’s products or the sale of the software to the FBI, but both said they had conversations with engineers who did work on the integration. Desbois said multiple company officials told him that the technology sold to the FBI contained the Papillon algorithm.

“You know the word omertà?” Desbois said, referencing the Mafia code of silence made famous by the movie The Godfather. “It was always the intonation like we have done something bad that is a secret between us and that we should not repeat it to anybody.”

Sagem demonstrated a new biometric passport in 2007.

Jean-Paul Ney / Getty Images

“Deep collaboration”

In promotional material and on its website, Papillon boasts of its work with Russia’s Ministry of Internal Affairs, which oversees police and immigration agencies, among others, and is run by a longtime police official who was appointed to the post in 2012 by President Vladimir Putin. The products that Papillon sells “are created with the instructional assistance” of the ministry, and the company is “closely cooperating with the Ministry of the Interior, Ministry of Defense and Ministry of Justice of Russia,” according to company publications. A Russian government website says that the Internal Affairs Ministry “renders methodic assistance” to Papillon.

“Papillon is not an independent company,” said Hala, one of the whistleblowers. “Papillon was an emanation of the Internal Affairs Ministry, so Papillon was always under the control of the ministry.”

Papillon’s deputy director for marketing, Ivan Shapshal, disputed that. “We are fully a private company,” he said. “Do we do special tasks for the intelligence agencies of Russia? No, there is no reason for us to do this. It is just a risk. It does not help us make money.”

Among the Russian agencies that use the company’s fingerprint-recognition technology is the FSB. “Year by year,” one Papillon publication says, “the company expands its cooperation with” the FSB, as well as Russian agencies in charge of immigration, customs, and drug control. Other clients include the governments of Turkey, Kazakhstan, Serbia, and Albania.

Shapshal said his company’s fingerprint-recognition technology helps Russian police solve roughly 100,000 cases per year. “If our software can help police solve more crimes, we are happy to be ‘very close’ to them, as you say,” he said. “We will be happy to be close to any security agency in the world for money.”

Papillon’s founder and director is Pavel Zaitsev, who worked as an engineer and programmer at Russian military installations from 1985 to 1991, according to a biography published with an article he wrote for a trade publication. Many of the company’s staffers, a Russian government website says, “gained experience working at the plants of Military-Industrial Establishment in Miass” — the city in the Ural Mountains where the company later established its headquarters.

Hala said there was “deep collaboration” between Papillon and the FSB. “It’s not a secret,” he said. Hala said he attended multiple meetings involving Russian government officials and Papillon executives in which FSB officials expressed strong support for Papillon and “controlled absolutely the discussion.”

The Internal Affairs Ministry, the FSB, and the Russian Embassy in Washington, DC, did not respond to requests for comment.

Neither the FBI nor any of the companies involved denied directly that the fingerprint software used by the bureau contains Russian code.

The FBI declined to answer repeated questions about the software but said in a statement, “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”

Safran declined to respond to questions about its actions as owner of the subsidiary that provided the software to the FBI, noting that it has since sold that subsidiary. But in legal filings, Safran has not denied the existence of the contract to license the Russian code, instead arguing that the allegations of fraudulent sales were not specific enough and that the company was not legally responsible for the actions of its subsidiary.

Safran sold the subsidiary this year to a US private-equity firm, which renamed the company Idemia. An Idemia spokesperson said the fingerprint-recognition technology was “almost entirely developed and manufactured in France or in the United States” but that two software components contained source code developed “by other companies.”

The spokesperson, Céline Stierlé, refused to name those companies.

More broadly, she said the whistleblowers’ claims “are old allegations that are not supported by facts and that have been rejected by federal and state authorities and by the courts,” referring to the lawsuit filed by Desbois, one of the former employees who spoke with BuzzFeed News.

This year, a federal judge dismissed the case but did not evaluate the merits of most of the allegations. Instead, the judge focused on technical issues, finding that the suit hadn’t alleged enough specifics about, for example, when and how fraudulent claims for payment may have been submitted to the government. Also, the judge wrote, any false claims would have been submitted by a subsidiary that was not named as a defendant in the case — and the parent companies that were named couldn’t necessarily be held legally responsible. The case is on appeal.

As for the Russian company, Papillon, executive Shapshal responded to a question about the contract giving the French company rights to its code by saying, “We don’t comment on such things because we cannot confirm or deny.”

But he insisted that the company’s code did not include any vulnerabilities, saying that if anyone were to check “then you will see there is no back door.”

A Safran Group building in France.

Regis Duvignau / Reuters

“Weigh carefully the risks”

As the FBI evaluated the companies vying to provide the fingerprint-recognition software in 2009, the possibility that the contract might go to a company subject to influence by a foreign government, even an ally, unsettled some members of Congress. The part-ownership of Safran by the French government prompted a letter to then-FBI director Robert Mueller from former Rep. John Kline of Minnesota, a Republican member of the House Intelligence Committee.

“Allowing a foreign government to provide services regarding sensitive information to our law enforcement and intelligence communities could potentially pose a grave counterintelligence threat to the US government,” Kline wrote. “I urge the FBI to assess whether any domestic companies are capable of this work and weigh carefully the risks versus the benefits of granting a foreign government access to this sensitive data.”

An FBI spokesman at the time said that the bureau “assesses all risks and vulnerabilities associated with any foreign influence or security concerns for vendors under consideration for contracts, including subcontracts, with the FBI.”

Later that year, the FBI and Lockheed Martin — the primary contractor in charge of incorporating various vendors’ products into the bureau’s system — announced the selection of a Morpho subsidiary, MorphoTrak. Among the competitors not chosen was the US company Cogent Systems.

A Lockheed Martin spokesman refused to discuss the contracting process and said the company had divested its unit responsible for the FBI program. A representative for Leidos, which is now the project’s primary contractor, declined to comment.

Desbois’s whistleblower lawsuit alleges that a US-based MorphoTrak engineer named Frank Barret was aware of the Papillon deal and led a team that helped prepare the software for use by the FBI. On the front step of his home in California, Barret refused to read and respond to the allegations in the complaint but said, “Everything I’ve said to the investigators, everything I’ve said in this trial, is true.” Asked to clarify, he closed his front door. When BuzzFeed News followed up the next day, Barret threatened to call the police.

Both Desbois and Hala said they discovered the existence of the agreement licensing the Russian company’s code after they questioned their bosses’ instructions not to compete with Papillon for certain contracts. It was then, they said, that company officials explained that the two companies had an unwritten agreement not to encroach on each other’s business in certain countries — an arrangement that violates antitrust laws, the whistleblower claim alleges. Desbois and Hala said that they obtained a copy of the licensing agreement because they wanted to see for themselves whether it spelled out the terms of the noncompete pact; it did not.

Papillon executive Shapshal declined to comment on the antitrust allegations. Idemia spokesperson Stierlé said that “this allegation, like the others, was part of the litigation” and that “it too was found to be deficient and lacking in even the most basic level of detail and was rejected by the court.” The judge found that the whistleblower suit did not provide specifics on who falsely certified to the US government that the company hadn’t violated antitrust laws, or when and how this had occurred.

Desbois’s whistleblower lawsuit accuses Safran of defrauding the US government out of about $1 billion, and if the suit is successful he stands to collect millions. Hala is not involved in the case. Both Desbois and Hala said they left Morpho voluntarily and on good terms.

Inside the FBI's background check center.

The Washington Post / Getty Images

The federal government so far has declined to intervene in the lawsuit, as it has the option to do in whistleblower suits alleging fraudulent claims for payment. In court filings, however, Justice Department lawyers noted that this wasn’t necessarily an indication that the case lacked merit, and they preserved their right to step in later. The complaint also accuses the defendants of misrepresenting the fingerprint technology in sales to the government of California; lawyers for the state also have declined to intervene.

The FBI contract is now a centerpiece in much of MorphoTrak’s marketing material. In 2011, the FBI said the new fingerprint-recognition software significantly increased both the speed and accuracy of matches, boosting the latter from 92% to more than 99.6%.

“In terms of prestige, to be able to say ‘My technology is used by the FBI,’ it really helps with sales,” said former employee Stephane Guichard, who led a US-based team that implemented and maintained the fingerprint-matching software for state and local agencies that had purchased it but was not involved in the software’s development or the FBI contract.

Guichard and two other former MorphoTrak employees who worked on government contracts in the US said they didn’t know about the licensing agreement with Papillon, and they expressed surprise that their former employer would use Russian technology. “Personally, it would have concerned me a little bit,” said Phillip Moore, who worked as an account manager and sales manager. It would have raised “basic trust issues with what they would supply us,” he said.

By the end of 2013, as the final stage of the FBI project phase-in became operational, Morpho reported that the US market accounted for more than a third of its roughly $2 billion in revenues.

Safran recently announced that it planned to refocus solely on aerospace and defense, and, earlier this year, it sold Morpho, which had recently been renamed Safran Identity & Security, to the US private-equity firm Advent International, with the French government investment bank Bpifrance also taking a stake. The reported price was about $2.5 billion.

The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department. Through its subsidiaries, Idemia is a powerful lobbying force in Washington, and it is currently fighting to kill legislation that would endanger its status as the sole provider of fingerprint services for the TSA PreCheck program. ●

Chris Hamby is an investigative reporter for BuzzFeed News and is based in Washington, D.C. He won the 2014 Pulitzer Prize for Investigative Reporting and was a finalist for the 2017 Pulitzer Prize for International Reporting.

BY Tishin Donkersley

According to a recent survey by Norton, 94 percent of users on the internet think they can spot phishing emails. Unfortunately, they couldn’t be more wrong.

The fact is that hackers are becoming savvier when it comes to finding personal information and tricking not only you, but your friends into providing more.

Jere L. Simpson, CEO and founder of Arlington-based KITEWIRE, said that these days hackers use social engineering to nab your personal information and then use it for mining further information, gaining account access, and blackmail.

“Social engineering is the easiest method to breach accounts. Your best friend, date of birth and mother’s maiden name are extremely easy to find on Facebook. Criminals will duplicate one of your friend’s accounts using the same photo and private message you that they created two accounts for business and friends in order to gain access to your information,” Jere said.

Once cybercriminals gather enough information about a person or the owner of a company, they go to work figuring out the details needed to breach the network.

Colonel Timothy Evans (Ret), cofounder and vice president of strategy of Arlington-based Adlumin, said, “Health care data is the most valuable because it provides enough information for an intruder to apply for credit, loans, etc. without the individual even knowing that someone else has applied for credit in their name.


“Once the intruder steals legitimate credentials, they can move freely throughout the network without setting off any alerts. Their next task is to escalate their privileges to administrator so they can move about the network freely.”

Then you’re really screwed.

For a small startup or business owner, dishing out tons of cash for a high performing network server and IT consultant isn’t a reality when you’re bootstrapping. However, our cyber experts have some advice and inexpensive ways to protect your data from potential threats.

Let’s Start With the Facebook Feed

Taking photos at work to show off the team, work environment or the latest coffee machine is great, but you need to consider what is in the background of your photos, and whether you are unintentionally posting personal or confidential information.

“Be extremely careful what information is put on social media. Look for information that is in the background of photos like screen or paper information. Latergram as many photos as you can instead of posting them in the moment,” Jere said.

Don’t Open The Flood Gates

Reducing the number of people who have administrative access to files, a network, etc. can decrease chances for a breach.

“Probably the key for a small company is to limit the user’s authority on its network to conducting activities that a general user should do. In other words, do not make everyone on the network an administrator, they do not need that authority,” Timothy said.

It’s also a good idea to monitor logs to understand who is accessing certain files and online tools.

“Ensure that your users are doing what their logs say they are doing. If the system says that you used a USB drive to download gigabytes of information, the follow-up question is, did you do that. There are free tools that you can use to check your own logs to ensure that the actions that are being taken on your network. At a minimum, a small company should audit the company’s privileged access users to ensure that their activities are in line with their duties and actual activities,” Timothy said.

Newbie Doesn’t Get the Keys to the Kingdom

While founders want to trust that every tech employee is honest, Jere said it’s not a bad idea to gradually ease them into full access of the network. Most importantly, change your network password often enough to avoid any potential problems.

“Don’t give every new tech SaaS access to your calendar, email, contacts, drive, location etc. Also, use a formula for your passwords so that each password is unique and you can always figure it out…and never write it down,” Jere said.

Yes, You Must Change the Passwords

Changing your passwords is the oldest, yet most important, advice any cyber expert can offer you, because it works, so do it. Also, our experts want you and your employees to stop sending your username and password over the network, email or communication tools like Slack.

“If you need to give someone a username and password, don’t send both over the same communication,” Jere said. “Calling on the phone or video chat is often the most secure method.”

Did I mention changing the password? Timothy recommends conducting privileged account password resets every 30 days. Seriously.

Employees Can Be Your Superheroes

Your employees can be the first line of defense when it comes to thwarting cyber attacks. Take time to educate them on what to look for if faced with a potential threat.

“Be very unified as a small company that no employee will click on an email link or document received without being sure that the document or link is from a known vendor, partner, or trusted party. This takes a lot of discipline, however, it is the absolute best method to prevent an attack,” Timothy said.


“Talk with your employees and let them know that simple carelessness could result in putting a company out of business.  Breaches of customer data or credit card information will result in damage to the company’s name at a very minimum.”

by Kim Zetter.

Rob Joyce, NSA Hacker Chief, said, “In the world of advanced persistent threat actors (APT) like the National Security Agency (NSA), credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.”

Advanced Persistent Threats (APTs) are one of the most dangerous and difficult threats to discover and respond to in cybersecurity today. In the past, APTs were only used against nation states and their government agencies in espionage and to gain political intelligence. However, today, APT actors are more prevalent than ever in day-to-day cyber-attacks. The recent attacks on the Office of Personnel Management, Target, Anthem Health Care, and the Democratic National Committee (DNC) are just a few examples where millions of records were stolen over a long period of time and the organization that was attacked did not even know there was an adversary in its network. The DNC dwell time is estimated to be in excess of one (1) year.

APTs most typically involve pre-planning, lateral movement, and remote code execution. They sometimes include brute force attacks. The reality is, even if malware is involved in the ultimate attack, prior to planting malware on your network more than 70% of APTs include substantial reconnaissance of your network and significant lateral movement.

Three Signs That You Have an Ongoing APT

  • Elevated Logons at Night – APTs almost always steal valid credentials, dump passwords, and elevate permissions, then they move laterally throughout your network. Ultimately, they find the data they really want and store it within your network or exfiltrate it externally. Often, the authenticated credentials look like valid users, but act differently. They move throughout the network, often at night, when the legitimate user is sleeping.
  • Finding Malware (Trojans) – APT actors often install backdoor Trojans within the target network. This way, they can maintain access to your network even if you find their less sophisticated access ports. They also dump passwords just in case their initial credentials are changed by users.
  • Anomalous Data Flows – The final sign is to look for data flows within the internal organization that are different than before. This means that your authenticated users are logging on to systems that they never log on to. It might be server-to-server, server-to-client, or network-to-network connections. The way to discover this is by watching the disposition of every user account on the network. Geo-locating where logons are occurring will help, since most of your authenticated users log on locally rather than remotely.
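The first and third signs above can be checked against authentication logs by comparing each logon with that account's own history. The following Python is an added example, not code from the article or from any product it mentions; the event format, the account and host names, and the 00:00–05:59 night window are assumptions, and the log events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs):
# (timestamp, account, host, elevated logon?, source country code)
EVENTS = [
    # Baseline week: normal activity used to learn each account's pattern.
    ("2024-03-04T09:02:00", "jdoe", "WS-014", False, "US"),
    ("2024-03-04T10:30:00", "svc-admin", "DC-01", True, "US"),
    ("2024-03-05T02:10:00", "nightops", "BACKUP-01", True, "US"),
    ("2024-03-05T08:47:00", "jdoe", "FILE-01", False, "US"),
    ("2024-03-06T16:05:00", "svc-admin", "DC-01", True, "US"),
    # Detection window: events scored against the baseline.
    ("2024-03-08T09:10:00", "jdoe", "WS-014", False, "US"),
    ("2024-03-09T02:30:00", "nightops", "BACKUP-01", True, "US"),
    ("2024-03-09T02:41:00", "svc-admin", "DC-01", True, "US"),
    ("2024-03-09T02:44:00", "svc-admin", "SQL-02", True, "US"),
    ("2024-03-09T14:20:00", "jdoe", "FILE-01", False, "XX"),
]

NIGHT_HOURS = range(0, 6)            # assumption: 00:00-05:59 is "night"
BASELINE_END = datetime(2024, 3, 8)  # assumption: earlier events are history


def build_baseline(history):
    """Record the hosts, logon hours and countries seen for each account."""
    profile = defaultdict(
        lambda: {"hosts": set(), "hours": set(), "countries": set()})
    for ts, account, host, _elevated, country in history:
        seen = profile[account]
        seen["hosts"].add(host)
        seen["hours"].add(ts.hour)
        seen["countries"].add(country)
    return profile


def score_event(event, profile):
    """Return the reasons an event deviates from the account's baseline."""
    ts, account, host, elevated, country = event
    seen = profile.get(account)  # .get() avoids creating an empty profile
    if seen is None:
        return ["no baseline for account"]
    reasons = []
    # Sign 1: elevated logon at night, unless this account normally
    # works at that hour (e.g. a night-shift backup operator).
    if elevated and ts.hour in NIGHT_HOURS and ts.hour not in seen["hours"]:
        reasons.append("elevated logon at night")
    # Sign 3: the account logs on to a system it has never used before.
    if host not in seen["hosts"]:
        reasons.append("first logon to host")
    # Sign 3: geolocation differs from where the account normally logs on.
    if country not in seen["countries"]:
        reasons.append("new logon location")
    return reasons


def detect(events, baseline_end=BASELINE_END):
    """Split events into history and recent, then score the recent ones."""
    parsed = [(datetime.fromisoformat(t), a, h, e, c)
              for t, a, h, e, c in events]
    profile = build_baseline([ev for ev in parsed if ev[0] < baseline_end])
    alerts = []
    for ev in parsed:
        if ev[0] < baseline_end:
            continue
        reasons = score_event(ev, profile)
        if reasons:
            alerts.append((ev[0].isoformat(), ev[1], ev[2], reasons))
    return alerts


if __name__ == "__main__":
    for when, account, host, reasons in detect(EVENTS):
        print(f"{when} {account}@{host}: {', '.join(reasons)}")
```

The `nightops` account raises no alert because its baseline already contains 02:00 logons to the same host, which is why the comparison is made per account rather than against one global rule.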

What Does an APT Solution Require?

APT actors compromise organizations in minutes but persist for months to years. They can do this because of the defensive and detection tactics that organizations currently use. Detection tactics include Network Device Events, Logging, Network Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), Host IDS/IPS, Antivirus, File Integrity Monitoring (FIM) and Whitelisting, and Security Information and Event Management (SIEM).

  • Logging – Centralized logging is a primary control used by large organizations to detect security incidents and changes on the network. Most organizations, however, do not have sufficient personnel or resources to search or hunt through petabytes of data to look for anomalies.
  • Network Device Events – Network and Host IDSs/IPSs detect well-known signatures of attacks or unusual patterns in traffic but they also generate lots of false alarms. They do provide lots of useful data about attacks directed at endpoints on the network.
  • Antivirus – While it appears that antivirus is becoming less important over time, it still provides the ability to recognize the well-known signatures that are often used by attackers.

Organizations must have effective tools that increase their detection capabilities, especially when it comes to stolen credentials. Organizations need to be able to know the disposition of each of their users on the network. This is very difficult, if not impossible, to do without automation.

The Solution – You need Adlumin’s Sentry Platform

Sentry Platform analyzes user behavior and continuously monitors the authentication of credentials. It analyzes every user’s behavior on the network and creates a pattern of life for those users utilizing intelligent mathematical algorithms to determine when anomalies occur and what events need to be further investigated. Sentry Platform helps you detect, prioritize, and reduce the time necessary to respond to threats within your network.

Sentry Platform consists of:

  • Detection of remote execution of code, user activity and behavior, and lateral movement and adversarial activity.
  • Targeted User & Entity Behavioral Analytic algorithms to discover anomalous user activity.
  • Active Defense capabilities that help you bait and trap the adversary into giving away his position within your network.
  • Responsive dashboard that provides real-time detections and detailed visualizations of event sequences across multiple systems.
  • An easy software deployment strategy that begins defending your network in minutes with no time required for environmental learning.