Hacking Articles - H 2020 1 2 3 4 5 6 7 8 9 Hacking List - H 2021 2020 2019 2018 0 1 Hacking blog Hacking blog
Yahoo is going to confirm the data breach that exposed 200 Million Yahoo accounts
22.9.2016 securityaffairs Hacking
It’s a question of hours, security experts believe Yahoo will confirm the massive data breach that exposed at least 200 Million Yahoo accounts.
Yahoo is ready to confirm a massive data breach that affected its service that has exposed several hundred million user accounts.
“Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation, hacking that has exposed several hundred million user accounts.” reported the website recode.net.
“While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious.”
In August, the notorious hacker Peace advertised 200 Million Yahoo accounts on Dark Web, and the company is aware of the sale.
Peace offered for sale the 200 million of Yahoo account credentials (from “2012 most likely,”) on The Real Deal black marketplace. Yahoo was informed of the events and launched an internal investigation avoiding public comment on the case. The hacker was offering the data leak for 3 bitcoins (roughly $1,800 at the time of the disclosure).
While the Yahoo security team was investigating the incident, the company suggested its customers to use strong passwords, one for each web service they use, and enable two-factor authentication when it is available.
Security experts believe its question of hours before the Yahoo will publicly confirm the data breach that caused at least the exposure of 200 million of Yahoo account credentials.
Of course, the news will have a significant impact on the company because the hackers attacked the core service of the IT giant. Analysts speculate a possible interference with the announced $4.8 billion sale of the company to Verizon.
Warning — You Can't Install Linux On Microsoft Signature Edition PCs from Lenovo
21.9.2016 thehackernews Hacking
In past few months, Microsoft opened the source code of a lot of its projects, convincing people that the company loves Linux.
But a new report shows that Microsoft is not really a big supporter of Linux.
Microsoft has banned Linux on some Windows 10 powered Signature Edition PCs, which provides the cleanest Windows experience on the market.
Signature Edition PCs are different from other systems because it is carefully and meticulously configured by Microsoft to run Windows 10 with no bloatware, paid promotional web shortcuts, or other pre-installed apps, for providing better performance.
But besides bloatware and other pre-installed apps, Microsoft won't allow you to install Linux (or any operating system) on it.
This news is not a rumor as a Reddit user BaronHK reported that he found it impossible to install Linux on the Signature Edition Lenovo Yoga 900 ISK2 UltraBook because Microsoft has locked the SSD in a proprietary RAID mode that can only be read by Windows.
When contacted Lenovo, the company confirmed that it had signed an agreement with Microsoft to make this happen.
"This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft," a Lenovo employee responded to a comment made by BaronHK about the issue.
Lenovo laptops that are not allowing its users to install Linux include the aforementioned Yoga 900 ISK2, the Yoga 900S, as well as the Yoga 710S.
Some have suggested that the issue that prevents Linux from being installed could be Microsoft decision, while others believe that the issue could be related to how the systems have been configured by Lenovo.
For now, all which is clear is that, if you own a Lenovo Signature Edition laptop, you can not install Linux on it.
Microsoft and Lenovo still have to officially comment on this possible restriction configured for Signature Edition PCs.
Car Hacking – Chinese hacker team remotely hacked Tesla Model S
20.9.2016 securityaffairs Hacking
A group of security researchers from the Chinese firm Tencent have found a series of flaws that can be exploited to remotely hack a Tesla Model S.
Security experts at the Keen Lab at Chinese firm Tencent have found a series of vulnerabilities that can be exploited by a remote attacker to hack an unmodified Tesla Model S.
The researchers demonstrated that it is possible to hack the Tesla Model S while it is parked or if it is on the move.
The team published a Video PoC of the hack that shows how to take the control of the sunroof, of the position of the seats, of the turn signals, and the door locking system.
The most scaring part of the hack is when the car is on the move, the hackers were able to activate the brakes from 12 miles, activate the windshield wipers, fold the side view mirrors, and open the trunk.
“With several months of in-depth research on Tesla Cars, we have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode. It is worth to note that we used an unmodified car with latest firmware to demonstrate the attack.” the researchers explained in a blog post.
The researchers are the first team of hackers that is able to compromise CAN Bus to remote control Tesla cars by exploiting a series of flaws.
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers said. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.” continues the post.
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected. Keen Security Lab would like to send out this reminder to all Tesla car owners:”
The experts were able to identify a specific Tesla Model S and hack it while the owner is searching for nearby charging stations.
The team reported the issues to Tesla Motors that in turn awarded $10,000 them under the Bugcrowd-hosted bug bounty program.
Tesla has verified the presence of the vulnerabilities and is currently working to fix them. The company will not recall any Tesla Model S because it is able to push out firmware updates over-the-air.
Car hacking is a scaring reality, when deal with this specific kind of attacks we cannot avoid mentioning the hack demonstrated by the popular hackers Charlie Miller and Chris Valasek, who have managed to control remotely a Fiat Chrysler connected car.
Almost every car maker is currently working to make its connected car secure by adding specific countermeasures.
Hacking Facebook pages? Hackers demonstrated how to do it in 10 secs
18.9.2016 securityaffairs Hacking
Hacking Facebook – An Indian researcher discovered a critical vulnerability in the Facebook business manager that could be exploited to hack any Page.
The Indian security researcher Arun Sureshkumar reported a critical vulnerability in the Facebook business manager that could be exploited by attackers to hack any Facebook page.
The Business Manager is the component that allows businesses to share and control access to assets on Facebook, including Pages and Ad accounts.
Facebook Business Manager also allows administrators to share access to Pages and ad accounts without being friends with coworkers on Facebook.
Before analyze the technique devised by the researcher let me introduce you the concept of Insecure Direct Object Reference.
According to the definition provided by the OWASP project, the Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, an attacker can bypass authorization and access resources in the system directly.
“Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.” reads the OWASP.
Sureshkumar exploited an IDOR vulnerability in the Facebook Business Manager that allowed him to take over any Facebook page in less than 10 seconds.
Sureshkumar used his Facebook business account (ID =907970555981524) to add a partner. He used as a partner a test account with ID 991079870975788.
The hacker used Burp Suite to capture the request using Burp Suite, the tool allowed him to modify the request.
Below the request published by the hacker in a blog post:
POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6
parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733
What about hacking Facebook? How?
He changed the ‘asset id’ value with the one of the target page to hack, and also interchanged the ‘parent_business_id’ value with ‘agency_id’. He also changed the role value to ‘MANAGER’.
parent_business_id= 991079870975788
agency_id= 907970555981524
asset_id =190313461381022
role= MANAGER
With this simple trick, Sureshkumar demonstrated that hacking Facebook Pages was possible. He obtained admin rights on the business page.
Sureshkumar also published a video PoC of the attack.
The security expert reported the flaw to Facebook on August 29, 2016. Facebook investigated the problem and discovered also another flaw in its platform.
The giant of the social networks awarded Sureshkumar with 16,000 USD as part of its bug bounty program.
Colin Powell’s emails leaked online. He calls Trump ‘National Disgrace’
15.9.2016 securityaffairs Hacking
A new batch of Colin Powell’s emails was leaked online by Russian hackers. Powel criticized both Presidential candidates, Trump and Clinton.
Powell’s emails sent in a couple of years have been published on the website DC Leaks in a section protected by a password that was available only to select news outlets. The Powell’s e-mails belong to a new batch not included in the Powell dump leaked a few years ago.
The emails report Powell’s correspondence with his strict collaborators, his team at a speakers bureau and journalists over a period of 26 months.
The emails, that span from June 2014 to the last month, includes the severe Powell’s comments on presidential candidates, Donald Trump and Hillary Clinton.
The data leakage was attributed to a group of Russian state-sponsored hackers, known as APT28 or Fancy Bear. The group is the same that recently leaked US athletics’ medical records stolen from the World Anti-Doping Agency.
According to an investigation conducted by researchers at security firm ThreatConnect, the hackers are linked to the Kremlin.
colin-powells-emails
Powell told the The New York Times that the leaked messages are authentic.
“An aide to Mr. Powell confirmed the hack and said, “They are his emails.”.”
Powell was highly critical of many politicians, in one of the hacked email, he calls Trump ‘National Disgrace and an international pariah.’
A message, dated June 23, 2016, was sent by Colin Powell to former Secretary of State Condoleezza Rice reads:
“if Donald were to somehow win, by the end of the first week in office he’d be saying ‘What the hell did I get myself into?'”
Colin Powell also criticized the Hilary Clinton’s campaign and the way she managed the theft of her emails.
“I would rather not have to vote for her, although she is a friend I respect,” Powell wrote. “A 70-year person with a long track record, unbridled ambition, greedy, not transformational, with a husband still d—ing bimbos at home (according to the NYP).”
The Clinton campaign’s “email ploy this week didn’t work and she once again looks shifty if not a liar,” Powell wrote on August 20 to someone he worked with at the White House. “Trump folks having fun with her.”
In a separate leaked email exchange reported by NBC News, Powell also criticized aides to Hillary Clinton for their attempts to involve him in the case of the theft of her email due the use of a private email server when she served as Secretary of State.
In other emails reported by BuzzFeed News, Colin Powell accuses Trump of having embraced a “racist” movement when he publicly questioned the validity of President Obama’s birth certificate.
“Yup, the whole birther movement was racist,” Mr. Powell wrote in an email to a former aide, according to BuzzFeed. “That’s what the 99% believe. When Trump couldn’t keep that up he said he also wanted to see if the certificate noted that he was a Muslim. As I have said before, ‘What if he was?’ Muslims are born as Americans everyday.” Reported the NYT.
It’s still not clear how the hackers have compromised the Powell’s Gmail account in order to steal the messages.
Some experts argued that Powell’s Gmail account was hacked because he shared the same login credentials with a web service that was compromised in the past. Colin Powell’s Gmail credentials were also used to access DropBox and this data are contained in Dropbox dump recently leaked online.
Colin Powell’s emails have been leaked a few months after the mysterious hacker Guccifer 2.0 hacked the Democratic National Committee. Powell’s e-mails were published on a password-protected portion of DC Leaks that was available only to select news outlets. So far, there have been no definitive reports on precisely how the messages were obtained by DC Leaks.
Periscope Skimming, a new ATM threat spotted in the US
14.9.2016 securityaffairs Hacking
Secret Service warns of Periscope Skimming probes, it the first time that law enforcement discovered attacks against ATMs conducted with these devices.
The US Secret Service is warning banks and ATM vendors about a new ATM skimmer technology, the so-called ‘periscope skimming.’ The device is composed of a skimming probe that crooks connect to the ATM’s internal circuit board in order to steal card data.
The popular cyber security expert Brian Krebs published the images of the periscope skimming, the photos show the wires protruding from the periscope.
As explained by Krebs this is the first time that the periscope skimming is spotted by law enforcement in the US. The police have already discovered two installations of the periscope skimming in the country, the first one on August 19 in Greenwich, Connecticut, the second one on September 3 in Pennsylvania
“According to a non-public alert released to bank industry sources by a financial crimes task force in Connecticut, this is thought to be the first time periscope skimming devices have been detected in the United States.” wrote Brian Krebs in a blog post.
The new periscope skimming is able to store up to 32,000 payment card numbers, once installed on the ATM, it has a power autonomy up to 14 days.
In both installations case analyzed by the law enforcement, the cyber criminals had access to the insides of the cash machines (referred to as “top-hat” entry) by using a key, then they installed two devices connecting them by wiring.
One of the devices is the periscope skimming probe that is installed through a pre-existing hole on the frame of the motorized card reader. The probe connects the pad to the circuit board.
The second device is the so-called “skimming control device,” it is directly connected to the skimming probe and is composed of the battery source and data storage unit.
“The probe is set in place to connect to the circuit board and directly onto the pad that transfers cardholder data stored on the magnetic stripe on the backs of customer payment cards. The probe is then held in place with fast-drying superglue to the card reader frame.” wrote Krebs.
“According to the Secret Service, the only visible part of this skimming device once the top-hat is opened will be the wire extending from the periscope probe that leads to the second part of this skimmer — called a “skimming control device.” “
Authorities believe the samples of periscope skimming probes recently discovered are just prototypes, in fact, they lack hidden cameras or other methods of capturing bank customer’s PINs at the ATMs.
Krebs sustains that the incidence of such skimming scams will not decrease as more banks begin adopting chip-based payment cards. Most banks and financial institutions will continue to rely on the magnetic stripe to use the new generation of cards. It is likely that banks will continue to use the magnetic stripe at the ATM to check the correct insertion of the card in the slot of the cash machine.
“The principal reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time. As long as the cardholder’s data remains stored on a chip card’s magnetic stripe, thieves will continue building and placing these types of skimmers.” explained Krebs.
How to avoid such kind of attacks?
Users have to avoid using ATMs that may be easier to access from the top-hat, try to use cash machine installed in the wall at a bank and do not use ATMs located in not protected places.
The Project Zero Contest — Google will Pay you $200,000 to Hack Android OS
14.9.2016 securityaffairs Hacking
The Project Zero Contest — Google will Pay you $200,000 to Hack Android OS
Why waiting for researchers and bug hunters to know vulnerabilities in your products, when you can just throw a contest for that.
Google has launched its own Android hacking contest with the first prize winner receiving $200,000 in cash.
That's a Hefty Sum!
The contest is a way to find and destroy dangerous Android vulnerabilities before hackers exploit them in the wild.
The competition, dubbed 'The Project Zero Prize,' is being run by Google’s Project Zero, a team of security researchers dedicated to documenting critical bugs and making the web a safer place for everyone.
What's the Requirements?
Starting Tuesday and ending on March 14, 2017, the contest will only award cash prizes to contestants who can successfully hack any version of Android Nougat on Nexus 5X and 6P devices.
However, the catch here is that Google wants you to hack the devices knowing only the devices' phone numbers and email addresses.
For working of their exploits, contestants are allowed to trick a user into open an email in Gmail or an SMS text message in Messenger, but no other user interaction beyond this is allowed.
So, if you want to participate in 'The Project Zero Prize' contest, you are advised to focus on flaws or bug chains that would allow you to perform Remote Code Execution (RCE) on multiple Android devices.
"Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests," Project Zero security researcher Natalie Silvanovich said in a blog post while announcing the competition.
Therefore, the company has taken this initiative to run its own hacking contest in search of severe Android security vulnerabilities.
Contest Cash Prizes
First Prize: worth $200,000 USD will be awarded to the first winning entry.
Second Prize: worth $100,000 USD will be awarded to the second winning entry.
Third Prize: At least $50,000 USD will be awarded to additional winning entries.
Besides cash prizes, winners will also be invited to write a short technical report describing their entry, which will then be posted on the Project Zero Blog.
For more details about the contest, you can check out the Project Zero Security Contest Official Rules.
2 Israeli teens arrested for allegedly running the vDoS booter
13.9.2016 securityaffairs Hacking
The Israeli law enforcement arrested two youngsters suspected of operating the infamous vDoS booter.
Israeli authorities have arrested two alleged operators of a DDoS service, named vDOS, as the result of an investigation conducted by the FBI.
The popular security investigator Brian Krebs reported that the duo behind the vDOS booter service had earned more than $600,000 in the past two years. It has been estimated that the service was used to launch 150,000 DDoS attacks, its customers can rent it for a price that ranges between $20 and $200 per month. According to the experts, the vDOS booter has been active around since 2012.
“vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.” wrote Krebs in its analysis.
The security expert investigated the vDOS booter after he obtained its database in July 2016. The database was leaked after the booter service was hacked. Data included in the archive points to two young men in Israel as the masterminds of the service. He discovered that other young hackers, mostly from the US attack service, were involved as support services.
Krebs analyzed configuration files and real IP addresses that suggested the involvement of two Israeli nationals, Itay Huri and Yarden Bidani, who used the aliases P1st and AppleJ4ck. The Krebs’ website was hit by a DDoS attack that peaked at nearly 140 Gbps, just after the popular expert disclosed his findings on the suspects.
While Krebs was disclosing the findings of his analysis, Israeli media reported the arrest of the young men under indication of the FBI.
The Israeli law enforcement arrested the two alleged owners of vDoS and placed them under house arrest for 10 days banning them using the Internet and any telecom equipment for 30 days.
The duo recently published a technical paper on DDoS attacks on the website of Israeli company Digital Whisper, the Twitter account he was using reports vDoS as his personal website.
The vDOS website (vdos-s.com) is now offline. ù
Here's How Hackers Can Disrupt '911' Emergency System and Put Your Life at Risk
13.9.2016 thehackernews Hacking
What would it take for hackers to significantly disrupt the US' 911 emergency call system?
It only takes 6,000 Smartphones.
Yes, you heard it right!
According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.
The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.
However, as little as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.
Where does the Problem Lies?
Researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center say the problem is in the fact that current US Federal Communications Commission (FCC) regulations demand all calls to 911 must immediately be routed to emergency services, regardless of the caller's identifiers.
In other words, mobile carriers re-route all 911 emergency calls to a local Public Safety Answering Point (PSAP) without even verifying the caller's identity or whether the caller is subscribers to the mobile network.
These identifiers could be a phone's International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes, which tell whether the caller is a subscriber to their service and identity of the mobile equipment, respectively.
How can Attackers Carry Out such Attacks?
All an attacker need is a mobile botnet to launch TDoS (Telephony Denial of Service) attacks. The attack can be carried out in two ways:
By infecting smartphones with malware, or
By buying the smartphones needed to launch the TDoS attack.
The researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici note in a paper [PDF] that an attacker could exploit cellular network protocols by placing a rootkit or persistent, low-level malware within the baseband firmware of a mobile phone.
The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.
"Such anonymised phones [bots] can issue repeated [911] emergency calls that can not be blocked by the network or the emergency call centers, technically or legally," the team notes in the paper.
Secondly, an attacker could simply buy 6,000 or 200,000 smartphones, which could cost $100,000 or $3.4 Million – a small sum for state-sponsored attackers – to jam 911 emergency system in an entire state or across the whole country respectively.
This TDoS attack should not come as a surprise, as during the 9/11 terror attack on the Twin Towers in New York City, thousands of legitimate callers collectively dialing 911 caused DDoS attacks on both telephony network as well as the emergency reporting system.
Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina's 911 network and attacked it instead.
The team bot-infected Samsung Galaxy S3, S4 and S5 smartphones running Android 4.4 and 5.x operating system to test their work.
How can we prevent such DDoS campaign against our Emergency Services?
Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls. Also, blocking at the network level is not possible beyond selectively turning off cellular service in bot-infested areas.
However, researchers suggest some countermeasures that can mitigate such attacks, which includes:
Storing IMEIs and other unique identifiers in a phone's trusted memory region (like ARM-processor design TrustZone), where malware can not alter them.
Implementing a mandatory "Call Firewall" on mobile devices to block DDoS activities like frequent 911 calls.
Since these changes would require government cooperation, security professionals, cellular service providers, emergency services, and others, it is hard to expect such significant changes in reality anytime soon.
For in-depth and detailed information about the attack and possible mitigation procedures for US authorities, you can head on to the research paper [PDF] titled, '9-1-1 DDoS: Threat, Analysis and Mitigation.'
How to Hack Smart Bluetooth Locks and IoT Devices — Check this Out
13.9.2016 thehackernews Hacking
Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is the leading protocol designed for connecting IoT devices, medical equipment, smart homes and like most emerging technologies, security is often an afterthought.
As devices become more and more embedded in our daily lives, vulnerabilities have real impact on our digital and physical security.
Enter the Bluetooth lock, promising digital key convenience with temporary and Internet shareable access. The problem is, almost all of these locks have vulnerabilities, easily exploited via Bluetooth!
DEF CON always has the coolest new hacks and security news, and this year was no exception. The hacking conferences are a great way to get a pulse on the general status of the security world, what people are interested in, worried about, or looking to exploit.
This year clearly had an uptick in Internet of Things (IoT) devices and ways to hack them.
Obviously, we had to go and take a look at the Bluetooth lock hack, and we are not the only ones.
There were articles in a number of security and general tech sites about how vulnerable some of these locks are – a shocking 75% of them could be hacked relatively easily, and one reported to have great security could actually be broken into with a screwdriver.
The locks were from companies like BlueLock, Kwikset, Noke, August, BitLock, and QuickLock.
How to Hack a Bluetooth Lock:
How to Hack a Bluetooth Lock
There have been a number of different researchers who have tackled this problem, but Anthony Rose and Ben Ramsay out of Merculite Security did a great job of thoroughly going through a significant number of them, documenting the hacks and contacting the manufacturers.
Look for plaintext passwords: Many of the locks had passwords but were simply transmitting them in plaintext. Anyone with a decent Bluetooth sniffer like Ubertooth and some effort has just owned your password
Replay the signal: OK, great you’ve built in awesome encryption and I can't possibly hope to read and decrypt the signal you just sent to that lock. But I just capture and replay what you just sent, and the door opens wide.
Man in the Middle: Here I am, using one of the many Man in the Middle tools to sit in the middle of your connection and control everything you're transmitting to the device. There's *definitely* no way I could change what you’re transmitting (say, to keep the deadbolt from hearing a "lock" command).
The great news is that we found a video of Zero_Chaos and Granolocks at Pwnie Express that show all of this stuff in action and tools you can actually use to detect these hacks in action.
Locks are not the only Bluetooth devices shown to be vulnerable. Here’s a quick list of just some of the devices that have already been found vulnerable:
Cars
Teakettles and coffee machines
Medical devices (including implanted ones)
Fitness trackers
This news should be worrying for people who have invested in a cheap Bluetooth lock for their convenience, and such attacks could be a real problem just waiting to happen.
Hacking wannabe hackers: watch out Facebook Hacker Tools!
13.9.2016 securityaffairs Hacking
Everyone is a potential victim, even the wannabe hackers that try to exploit Facebook Hacker Tools to hack into friends’ accounts.
When dealing with cybercrime everyone, is a potential victim, even the hackers, this is the case of a Crimeware-as-a-Service hack that turns wannabe crooks into victims.
For those who are looking to hack the Facebook accounts of others, there is a marketplace of Facebook Hacker tools that promise to allow it without specific knowledge.
Crooks are using Google Drive to host a new Facebook Hacker Tools that allows attackers to steal credentials from potential hackers who try to hack other users’ accounts on the Facebook social network.
Experts from the firm Blue Coat Elastica Cloud Threat Labs (BCECTL), now owned by Symantec, have discovered several versions of the Facebook Hacker Tools, including Faceoff Facebook Hacker, Skull Facebook Hacker and Scorpion Facebook Hacker.
“When they deploy this CaaS service, it becomes very easy for users to conduct cyberattacks,” said BCECTL director Aditya Sood.
The way the Facebook Hacker Tools work is very simple, typically they will ask the wannabe hacker that uses the tool to provide the Facebook profile ID of his victim. Then it displays some fake error messages and asks the user to provide an activation code to hack into the profile.
Experts at BCECTL discovered similar attacks by analyzing the files hosted on Google Drive. Links to several Facebook Hacker tools were being actively distributed and shared on Google Drive.
“It’s hard to list the numbers, but we have discovered multiple instances [seven-plus] on Google Drive at the moment,” Sood said. “We haven’t checked on other cloud services or standard domains.” added Sood.
Hackers abuse the web publishing functionality included in cloud services like Google Drive. One of the tools used by the crooks allows an attacker to send to the wannabe hacker a Google Drive link that takes them to a “Facebook Friend’s Account Hacker” document. Of course, the wannabe hacker that intends to hack his friend’s account needs to provide his Facebook login credentials.
Once the wannabe hacker has provided his credentials they are sent back to the operator behind the scam.
Stolen credentials could be offered for sale in the underground market or used for a wide range of illegal activities.
Such kind of attacks is particularly insidious for enterprise, the credentials of their employees could be exposed allowing attackers to access company resources. Attackers can target business users stealing their credentials and launch more sophisticated attacks in the future.
Let’s think for example of the possibility to steal login credentials of an employee that works as system administrators or that manage sensitive financial data of the company.
A growing number of companies are passing to cloud services, for this reason, it is essential to carefully evaluate the risks of exposure to such kind of attack linked to the use of social media.
“We are living in a world where these social networks have become part and parcel of our lives,” Sood explained. “Cybercriminals can abuse this information and other tools, and sell that access to users.”
In order to prevent such kind of attacks, it is essential to adopt a proper security posture promoting awareness inside the companies.
It is important to educate employees in a correct and safe use of social media even in the workspace.
Another important aspect to consider is the incident response, one such kind of attacks against an employee is discovered.
The adoption of cloud security solution could also help to mitigate the risk of attacks.
Over 33 Million QIP.ru accounts hacked compromised in an old data breach
9.9.2016 securityaffairs Hacking
Another old and huge data breach was reported to LeakedSource, more than 33 million QIP records from 2011 have been compromised.
Once again we are here to discuss a data breach, the victim is the Russian instant messaging service Quiet Internet Pager (QIP.ru.). According to the breach notification service LeakedSource, the leaked dump includes details of more than 33 Million users and the data breach dates back to June 2011.
LeakedSource @LeakedSource
Another old mega breach added: 33 million QIP.ru records from 2011. Search yourself on #LeakedSource at https://www.leakedsource.com/
04:56 - 9 Set 2016
4 4 Retweet 4 4 Mi piace
Records belonging to 33,383,392 Quiet Internet Pager (QIP) were disclosed by the same hacker that recently that leaked tens of millions of accounts stolen from several popular services, including the Russian web portal Rambler, Mail.ru, Last.fm , Dota ,L inkedIn , Myspace, and VerticalScope.
Security experts from HEROIC who have analyzed the leaked confirmed that records include email addresses, usernames, and passwords in plain text.
The experts believe the archive dates back to 2009-2011, a close look at the compromised accounts reveals that one of three is associated with Mail.Ru email addresses, followed by Yandex (2.5 million), Rambler (2 million) and Gmail (925,000).
Also in this case, Top passwords are 123456, 123123, 111111 and 123456789.
Two alleged members of Crackas With Attitude group arrested for hacking US Gov Officials
9.9.2016 securityaffairs Hacking
U.S. authorities have arrested two alleged members of the Crackas With Attitude group involved in dumping details of officials with the FBI and the DHS.
The FBI has identified and arrested two men from North Carolina men that are suspected to be members of the notorious ‘Crackas With Attitude‘ hacker group that dumped details of government agents last year.
The hackers leaked the personal details of 31,000 government agents belonging to nearly 20,000 FBI agents; 9,000 Department of Homeland Security (DHS) officers and some number of DoJ staffers.
Crackas with Attitude went in the headlines due to the of senior officials at the CIA, FBI, the White House, Homeland Security Department, and other US federal agencies.
In October 2015 the group violated the CIA Director’s personal email account and leaked sensitive files including a top-secret application for a security clearance.
In January 2016, a hacker associated with the Crackas With Attitude group has accessed accounts belonging to the director of National Intelligence, James Clapper. The group also broke into the AOL email of the FBI Deputy Director Mark Giuliano.
The two suspects arrested by the authorities are Andrew Otto Boggs (22), of North Wilkesboro, N.C., who went online with the handle “INCURSIO,” and Justin Gray Liverman (24), of Morehead City, who used the handle “D3F4ULT.”
According to a press release by Department of Justice, the two men were arrested on Thursday morning on charges of computer hacking.
“Andrew Otto Boggs, aka “INCURSIO,” 22, of North Wilkesboro, North Carolina, and Justin Gray Liverman, aka “D3F4ULT,” 24, of Morehead City, North Carolina, were arrested today on charges related to their alleged roles in the computer hacking of several senior U.S. government officials and U.S. government computer systems.” reads the press release.
“According to charging documents filed with the court, Boggs and Liverman conspired with members of a hacking group that called itself “Crackas With Attitude.” From about October 2015 to February 2016, the group used “social engineering” hacking techniques, including victim impersonation, to gain unlawful access to the personal online accounts of senior U.S. government officials, their families, and several U.S. government computer systems. “
In February, British police and the FBI arrested a 16-year-old British teenager suspected of being a member of the dreaded group.
“In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts,” reads the press release.According to the FBI officials, between October 2015 to February 2016, the hacking group used social engineering in order to trick the victims into revealing their account number, password, and other details.
The two men will have their initial appearances at the federal courthouse in Alexandria next week in front of U.S. Magistrate Judge Theresa Carroll Buchanan.
Oh, It's On Sale! USB Kill to Destroy any Computer within Seconds
9.9.2016 thehackernews Hacking
Remember Killer USB stick?
A proof-of-concept USB prototype that was designed by a Russian researcher, Dark Purple, last year, to effectively destroy sensitive components of a computer when plugged in.
Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into.
A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.
How does USB Kill 2.0 work?
As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.
The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed.
"When tested on computers, the device isn't designed or intended to erase data," the company says. "However, depending on the hardware configuration (SSD [solid-state drive] vs. platter HDD [hard disk drive]), the drive controllers may be damaged to the point that data retrieval is impractical."
"Any public facing USB port should be considered an attack vector," the company says in a news release. "In data security, these ports are often locked down to prevent exfiltration of data or infiltration of malware, but are very often unprotected against electrical attack."
When And For Whom USB KILL Would Be Useful?
USB Kill stick could be a boon for whistleblowers, journalists, activists, and, not to forget, cyber criminals, who want to keep their sensitive data away from law enforcement as well as cyber thieves.
It is like, if you're caught, kill yourself. In the same fashion as terrorists do. Here I mean to kill the data from your laptop if the law enforcement has caught your laptop. And USB Kill stick does the same for you.
However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks.
Video Demonstration
You can watch the video demonstration below by the company that shows USB Kill 2.0 stick in action.
The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port.
However, the only devices not vulnerable to USB kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on USB ports.
Juice jacking is a type of cyber attack wherein malware installed on a computer can surreptitiously copy data from a smartphone, tablet or other computers using a USB charging port that doubles as a data connection, typically over USB.
While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."
USB Kill 2.0 also comes with a USB Protection Shield, called Test Shield, sold for additional $15.70, which is designed to allow testing of the USB Killer stick without destroying the host machine.
FBI Arrests Two Hackers Who Hacked US Spy Chief, FBI and CIA Director
9.9.2016 thehackernews Hacking
US authorities have arrested two North Carolina men on charges that they were part of the notorious hacking group "Crackas With Attitude."
Crackas with Attitude is the group of hackers who allegedly was behind a series of audacious and embarrassing hacks that targeted personal email accounts of senior officials at the CIA, FBI, the White House, Homeland Security Department, and other US federal agencies.
Andrew Otto Boggs, 22, of North Wilkesboro, N.C., who allegedly used the handle "INCURSIO," and Justin Gray Liverman, 24, of Morehead City, who known online as "D3F4ULT," were arrested on Thursday morning on charges related to their alleged roles in the computer hacking, according to a press release by Department of Justice.
A 16-year-old British teenager suspected of being part of the group was arrested in February by the FBI and British police.
Although court documents did not name the victims, the hacking group had allegedly:
Hacked into the AOL email of CIA director John Brennan and released personal details.
Hacked into the personal emails and phone accounts of the US spy chief James Clapper.
Broke into the AOL email of the FBI Deputy Director Mark Giuliano.
Cracka also leaked the personal details of 31,000 government agents belonging to nearly 20,000 FBI agents; 9,000 Department of Homeland Security (DHS) officers and some number of DoJ staffers.
"In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts," reads the press release.
According to the FBI officials, between October 2015 to February 2016, the hacking group used social engineering in order to trick the victims into revealing their account number, password, and other details.
Boggs and Liverman will be extradited next week to the Eastern District of Virginia, where federal prosecutors have spent months building a case against Crackas With Attitude.
Here’s How to Hack Windows/Mac OS X Login Password (When Locked)
7.9.2016 thehackernews Hacking
A Security researcher has discovered a unique attack method that can be used to steal credentials from a locked computer (but, logged-in) and works on both Windows as well as Mac OS X systems.
In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.
Fuller modified the firmware code of USB dongle in such a way that when it is plugged into an Ethernet adapter, the plug-and-play USB device installs and acts itself as the network gateway, DNS server, and Web Proxy Auto-discovery Protocol (WPAD) server for the victim's machine.
The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post.
"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
How does the Attack Work?
You might be wondering: Why your computer automatically share Windows credentials with any connected device?
That is because of the default behavior of Microsoft Window’s name resolution services, which can be abused to steal authentication credentials.
The modified plug-and-play USB Ethernet adapter includes a piece of software, i.e. Responder, which spoofs the network to intercept hashed credentials and then stored them in an SQLite database.
The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear text passwords.
Apparently, to conduct this attack, attackers would require physical access to a target computer, so that they can plug in the evil USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.
You can watch the video demonstration below that shows Fuller's attack in action.
Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros.
Fuller tested the attack with two USB Ethernet dongles: the USB Armory and the Hak5 Turtle. For more detailed explanation, you can head on to his blog post.
Russia's Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked
7.9.2016 thehackernews Hacking
Russia's Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked
Another data breach from 2012, and this time, it's Russia's biggest internet portal and email provider Rambler.ru.
Rambler.ru, also known as Russia's Yahoo, suffered a massive data breach in 2012 in which an unknown hacker or a group of hackers managed to steal nearly 100 Million user accounts, including their unencrypted plaintext passwords.
The copy of the hacked database obtained by the breach notification website LeakedSource contained details of 98,167,935 Rambler.ru users that were originally stolen on 17 February 2012, but went unreported.
The leaked user records in the database included usernames, email addresses, ICQ numbers (IM chat service), social account details, passwords and some internal data, the data breach indexing site said in a blog post.
The data breach was reported by the same hacker using the daykalif@xmpp.jp Jabber ID who handed LeakedSource over 43.5 Million user records from another 2012 hack suffered by the Last.fm music streaming service.
According to LeakedSource, none of the passwords were hashed, meaning the company stored its user's password in an unencrypted plain text format that could allow the company as well as hackers to see passwords easily.
This is something similar to the VK.com breach, in which 171 Million users’ accounts were taken from the Russian social networking site, where passwords were also stored in plaintext format, without any hashing or salting.
Again, as expected, the most common passwords used by Rambler.ru users, includes "asdasd," "123456," "000000," "654321," "123321," or "123123."
LeakedSource has added the data into its database; so Rambler.ru users can check if they have been compromised by searching their account at Leaked Source’s search engine.
Rambler.ru is the latest victim to join the list of "Mega-Breaches" revealed in recent months, when hundreds of Millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox, were exposed online.
Rambler has yet to respond to the incident.
The Bottom Line:
Users are advised to change their passwords for Rambler.ru account as well as other online accounts immediately, especially those using the same passwords.
Moreover, I always encourage users to make use of password managers that create strong and complex passwords for different websites as well as remember them on your behalf.
I have listed some of the best password managers that could help you understand the importance of password manager as well as choose one according to your requirement.
Porn Brazzersforum hacked, nearly 800,000 Brazzers Accounts Exposed
6.9.2016 securityaffairs Hacking
A data breach affected a the Brazzersforum resulting in the exposure of 800,000 accounts of the popular porn site Brazzers.
Another week starts with a data breach, roughly 800,000 accounts of the porn site Brazzers have been compromised. The data breach affected a separate forum, anyway, Brazzers users who never signed up to the forum may have been impacted.
The news was reported by Motherboard who received the dump from the data breach monitoring website Vigilante.pw. The leaked archive includes 928,072 records, 790,724 distinct email addresses, usernames and passwords in plaintext.
Motherboard journalists were supported by the popular security expert Troy Hunt to verify the authenticity of the leaked details, he confirmed a number of their details from the data dump belong to Brazzers users.
“This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.” explained Matt Stevens, a company spokesman.
The company downgraded the extension of the data breach explaining that only a small portion of users were impacted.
“That being said, users’ accounts were shared between Brazzers and the ‘Brazzersforum‘ which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users,” Stevens added.
There is a strange particular emerged in the story, Motherboard contacted two Brazzers users to verify the authenticity of their data, both confirmed the genuinity of the records, but said that they had not accessed the Brazzersforum.
The forum allows Brazzers users to discuss porn content or to suggest new scenarios for future productions.
Brazzer forum runs the vBulletin, one of the most popular platforms for web forums. Old vBulletin versions are affected by several vulnerabilities easy to exploit, it is likely that hackers exploited one of them to steal the records.
At the time of writing, Brazzersforum is under maintenance.
Brazzers forum data breach
In response to the data breach Brazzers banned all the inactive accounts present in the dump.
“Note that the data provided contains many duplicates and non-functional accounts. We banned all non-active accounts in that list in case those usernames and passwords are re-used in the future,” Matt Stevens, public relations manager from Brazzers, told Motherboard.
“Brazzers takes the privacy and safety of its users very seriously,”
Evidence on hacks of the US State Election Systems suggest Russian origin
6.9.2016 securityaffairs Hacking
Researchers have found links between the attacks on US state election systems and campaigns managed by alleged Russian state-sponsored hackers.
Security experts at threat intelligence firm ThreatConnect have conducted an analysis on the IP addresses listed in the flash alert issued in August by the FBI that warned about two cyber attacks against the election systems in two U.S. states.
The FBI confirmed that foreign hackers have penetrated state election systems, federal experts have uncovered evidence of the intrusion. The hackers violated the databases of two state election systems for this reason the FBI issued the flash alert to election officials across the country inviting them to adopt security measured to protect their computer systems.
“The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility ofcyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.”reported Yahoo News that obtained a copy of the “flash” alert.
The FBI alert contains technical details about the attacks, including the IP addresses involved in the both attacks that have been analyzed by ThreatConnect.
The TTPs adopted by attackers suggest the involvement of Russian hackers, one of the IP addresses included in the alert has surfaced before in Russian criminal underground hacker forums. Some of the IPs are owned by the FortUnix Networks firm that was known to the security experts because its infrastructure was exploited by attackers that hit in December the Ukrainian power grid with the Black Energy malware.
The experts revealed that one of them was used in the past in spear-phishing campaigns that targeted the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.
“However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spear phishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi.” states the analysis published by ThreatConnect”As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.”
The phishing campaigns mentioned in the analysis exploited an open source phishing framework named Phishing Frenzy, the security experts managed to hack into the control panel of the system used by the phishers and discovered a total of 113 emails written in Ukrainian, Turkish, German and English.
Out of the 113 total emails, 48 of them are malicious messages targeting Gmail accounts, while the rest were specifically designed to look like an email from an organization of interest for the victims.
16 of the malicious email used to target AK Party officials were also included in the WikiLeaks dump of nearly 300,000 AK Party emails disclosed in July.
The experts from ThreatConnect discovered some connections to a Russian threat actor, alleged linked to the Government of Moscow. One of the domains hosting the phishing content was registered with an email address associated with a domain known to be used by the infamous APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy).
Below the evidence collected by experts at ThreatConnect that suggest the involvement of the Russian Government, “but do not prove” it:
Six of the eight IP addresses belong to a Russian-owned hosting service
5.149.249[.]172 hosted a Russian cybercrime market from January – May 2015
Other IPs belonging to FortUnix infrastructure – the same provider as 5.149.249[.]172 – were seen in 2015 Ukraine power grid and news media denial of service attacks
The Acunetix and SQL injection attack method closely parallel the video from a purported Anonymous Poland (@anpoland) handle describing how they obtained athlete records from Court of Arbitration for Sport (CAS).
Enjoy the analysis.
Leakedsource breach notification service reported two Bitcoin Data Breaches
4.9.2016 securityaffairs Hacking
Now LeakedSource disclosed details from two Bitcoin data breaches that affected the bitcoin exchange BTC-E.com and the discussion forum Bitcointalk.org.
The data breach notification service LeakedSource is becoming familiar to my readers, recently it reported the data breach suffered by many IT services, including Last.fm and DropBox, both occurred in 2012. Now LeakedSource disclosed details from two Bitcoin data breaches that affected the Bitcoin sector, the incident were suffered by the bitcoin exchange BTC-E.com and the bitcoin discussion forum Bitcointalk.org.
The incident occurred at the Bitcointalk.org was disclosed in May when the servers of the forum were compromised by attackers.
Segui
BitcoinTalk @bitcointalk
Server compromised due to social engineering against ISP NFOrce. There will be extended downtime for forensic analysis and reinstall.
03:14 - 22 Maggio 2015
227 227 Retweet 84 84 Mi piace
“The forum’s ISP NFOrce managed to get tricked into giving an attacker access to the server. I think that the attacker had access for only about 12 minutes before I noticed it and had the server disconnected, so he probably wasn’t able to get a complete dump of the database. However, you should act as though your password hashes, PMs, emails, etc. were compromised.” was reported on Reddit by the theymos user.”The forum will probably be down for 36-60 hours for analysis and reinstall. I’ll post status updates on Twitter @bitcointalk and I’ll post a complete report in a post in Meta once the forum comes back online.”
“each password has a 12-byte unique salt. The passwords are hashed with 7500 rounds of SHA-256.” he added.
LeakedSource reported that 499,593 user details were stolen in the incident, the leaked records include usernames, passwords, emails, birthdays, secret questions, hashed secret answers and some other internal data.
91% of passwords were hashed with sha256crypt, the experts explained that and that it would take about a year to crack an estimated 60-70% of them.
9% were hashed with MD5 and all were protected with the same salt value, LeakedSource has already cracked approximately 68% of those.
bitcoin
More mysterious was the BTC-E.com incident, it is possible that hackers also compromised some users’ wallets stealing bitcoins.
Despite the LeakedSource’s notification, there is no news about incidents occurred to BTC-E customers.
In January 2016 the Financial Underground Kingdom blog reported that the exchange has suffered one hack without effects for its customers, it is likely the data leaked by LeakedSource are related that incident.
“During years of existance [BTC-E] had just 1 hack after which the owners paid all the debt to users.”
It isn’t clear whether that hack and the data disclosure made by LeakedSource refer to the same incident. LeakedSource reported that that BTC-E.com was hacked in October 2013 and 568,355 users were impacted.
The passwords were protected with an unknown hashing method, making the “passwords completely uncrackable although that may change.”
Hacker Who Hacked Official Linux Kernel Website Arrested in Florida
3.9.2016 thehackernews Hacking
Around five years after unknown hackers gained unauthorized access to multiple kernel.org servers used to maintain and distribute the Linux operating system kernel, police have arrested a South Florida computer programmer for carrying out the attack.
Donald Ryan Austin, a 27-year-old programmer from of El Portal, Florida, was charged Thursday with hacking servers belonging to the Linux Kernel Organization (kernel.org) and the Linux Foundation in 2011, the Department of Justice announced on Thursday.
The Linux Kernel Organization runs kernel.org servers for distributing the Linux operating system kernel, which is the heart of the operating system, whereas the Linux Foundation is a separate group that supports kernel.org.
According to an indictment [PDF] unsealed by federal prosecutors on Monday, Austin managed to steal login credentials of one of the Linux Kernel Organization system administrators in 2011 and used them to install a hard-to-detect malware backdoor, dubbed Phalanx, on servers belonging to the organization.
But what made the breach much significant? It's the open-source operating system that's being used by Millions of corporate and government networks worldwide.
Using the Phalanx malware, Austin allegedly installed Ebury – a Trojan designed for Linux, FreeBSD or Solaris hacking – on a number of servers run by the Linux groups, which helped him gain access to the login credentials of people using the servers.
Austin allegedly infected Linux servers, including "Odin1," "Zeus1," and "Pub3," which were leased by the Linux Foundation for operating kernel.org. He also hacked the personal email server of Linux Kernel Organization’s founder Peter Anvin.
Austin is also accused of allegedly using his unauthorized admin privileges to insert messages into the system that would display when the servers restarted.
According to prosecutors, Austin's motive for the intrusion was to gain early access to Linux software builds distributed through the www.kernel.org website.
Bad Luck! Hacker Arrested while Breaking Traffic Rules
This security breach forced the Linux Foundation to shut down kernel.org completely while a malware infection was cleared up, and rebuild several of its servers. Miami Shores Police stopped Austin while breaking traffic rules on August 28 and then arrested after identified as a suspect in 2011 case.
Austin is charged with 4 counts of "intentional transmission causing damage to a protected computer." He was released from jail on a bond of $50,000 provided by the family of his girlfriend.
Judge has ordered Austin to stay away from the Internet, computers, and every type of social media or e-mail services, due to his "substance abuse history."
Austin is scheduled to appear in San Francisco federal court on September 21 before the Honorable Sallie Kim, and if found guilty, he faces a possible sentence of 40 years in prison as well as $2 Million in fines.
Spotify resets users’ passwords due to data breaches suffered by other firms
1.9.2016 securityaffeirs Hacking
In response to the numerous data breaches suffered by other services, the music streaming service Spotify forced a password reset for a number of users.
In the last months, numerous IT companies suffered a major data breach, including Dropbox, LinkedIn, MySpace, VK.com, and Tumblr. The criminal underground is flooded by login credentials from the above services that offered for sales by hackers.
These credentials could be used by hackers to target other services online and take over users’accounts, this is possible because users’ bad habit to share same usernames and passwords among different web services.
spotify
In response to the amazing string of data breaches, the music streaming service Spotify decided to force a password reset for a number of users. The company clarified that the measure was taken in response to the incident occurred to other firms and are not related to any problem occurred in its systems.
To protect your Spotify account, we’ve reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password.” states a message sent via email to its users on Wednesday reads.
“Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure,”
Spotify allows users to easily create a new password by simply clicking on a link.
In April, hundreds of Spotify account credentials appeared online on the website Pastebin, the information includes emails, usernames, passwords, account type and other details.
The popular Swedish streaming service denied any data breach and confirmed that its systems weren’t compromised by hackers. The company confirmed that it “has not been hacked” and its “user records are secure.”
“Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.” states Spotify.
According to the Techcrunch media agency, the company security team proactively resets hacked passwords, meanwhile, a number of users are also reported problems with their accounts.
Saudi government facilities hit by cyber attacks, Saudi cyber experts convened
31.8.2016 securityaffeairs Hacking
Saudi government facilities have been hit cyber attacks, the Government is investigating with the support of Saudi cyber experts.
Saudi government facilities have been targeted by major cyber attacks, in response, the Government has convened a group of cyber experts to examine the events.
According to the Saudi Press Agency, Saudi cyber experts held urgent talks on Tuesday after the cyber attack “in recent weeks targeted government institutions and vital installations in the kingdom.”
At the time I was writing there is no information about targeted agencies neither the alleged threat actor behind the cyber attacks against Saudi infrastructure.
FILE- In this Monday, Oct. 6, 2003 file photo, Saudi Arabian capital Riyadh with the 'Kingdom Tower' photographed through a window of the 'Al-Faislia Tower' in the Saudi Arabian capital Riyadh. Saudi Arabia�s stock exchange has opened up to direct foreign investment for the first time. The decision to open up the Tadawul stock exchange on Monday comes at a crucial time for Saudi Arabia, whose revenue has taken a hit from the plunge in oil prices over the past year. The kingdom is the world�s largest exporter of crude. (AP Photo/Markus Schreiber, File)
(AP Photo/Markus Schreiber, File)
The Saudi cyber security experts were involved in the investigation and according to the Saudi Press Agency, the kingdom’s Cybersecurity Centre “held an urgent workshop with a number of parties” to discuss the results of its investigations.
The attacks were launched from abroad, attackers targeted Saudi websites with a spyware to steal sensitive information from the targets.
This isn’t the first time that Saudi websites were hit by cyber attacks, in June hackers attacked a major Saudi newspaper and gained its control to publish fake news.
The Saudi cyber experts analyzed the attacks and proposed the necessary countermeasures to defeat the threat and protect the information targeted by the hackers.
Experts exposed the “necessary procedures to fix and to protect those sites”, reported the Saudi Press Agency.
The most clamorous attack against Saudi government facilities occurred in 2012 when a virus infected 30,000 workstations of one of the world’s largest energy companies, the Saudi Aramco.
Minecraft World Map data breach, 71,000 accounts leaked online
31.8.2016 securityaffeairs Hacking
The popular security expert Troy Hunt reported some 71,000 user accounts and IP addresses have been leaked from the website Minecraft World Map.
Another data breach affects the gaming industry, this time, 71,000 Minecraft World Map accounts has been leaked online after the ‘hack.’
Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map.
The Minecraft World Map site is very popular withing the Minecraft gaming community, gamers can use the web property to share the worlds they have built.
The popular security expert reported Troy Hunt reported the data dumps that include 71,000 user accounts and IP addresses.
Segui
Have I been pwned? @haveibeenpwned
New breach: Minecraft World Map had 71k user accounts hacked in Jan. 55% were already in @haveibeenpwned https://haveibeenpwned.com
03:30 - 29 Ago 2016
35 35 Retweet 13 13 Mi piace
Exposed records include email addresses, IP address data, login credentials for the popular site Minecraft World Map, Troy Hunt clarified that passwords included in the dumps were salted and hashed.
A rapid check allowed the Australian expert to verify that more than half of the compromised accounts were already listed in its online service haveibeenpwned.com that allows users to discover if they have an account that has been compromised in a data breach.
According to the experts, the website Minecraft World Map was breached in January 2016, but the incident was not publicly reported.
“In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords.
Compromised data: Email addresses, IP addresses, Passwords, Usernames” Hunt wrote on his website.
Users have to reset their passwords on the Minecraft World Map and on any other website that shares the same login credentials.
This is the last incident occurred in the gaming industry disclosed online, recently security vulnerabilities in the vBulletin platform have exposed more than 27 million accounts, many of them belonging to gamers on mail.ru.
Giving a close look to the compromised mail.ru accounts they belong from CFire, parapa.mail.ru (ParaPa Dance City game), and tanks.mail.ru (Ground War: Tank game).
FBI flash alert says foreign hackers compromised state election systems
31.8.2016 securityaffeairs Hacking
The FBI issued a “flash” alert to election officials across the country confirming that foreign hackers have compromised state election systems in two states.
The FBI confirmed that foreign hackers have penetrated state election systems, federal experts have uncovered evidence of the intrusion. The hackers penetrated the databases of two state election systems in the last weeks, in response, the FBI issued a “flash” alert to election officials across the country inviting them to adopt security measured to protect their computer systems.
“The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.” reported Yahoo News that obtained a copy of the “flash” alert.
The alert does not provide details about the states that suffered the attacks, but according to Yahoo News, sources familiar with the document say it refers voter registration databases in Arizona and Illinois.
US authorities fear possible cyber attacks launched by nation-state actors like Russians that could have serious consequences on the result of the next Presidential Election.
The Homeland Security Secretary Jeh Johnson had a conference call with state election officials on Aug. 15 to offer all the necessary support to secure state election systems.
The DHS will provide cybersecurity experts to scan the voting systems searching for vulnerabilities that could be exploited by hackers.
“The government is offering to help states protect the Nov. 8 U.S. election from hacking or other tampering, in the face of allegations by Republican Party presidential candidate Donald Trump that the system is open to fraud.” reported the Reuters.
“Homeland Security Secretary Jeh Johnson told state officials in a phone call on Monday that federal cyber security experts could scan for vulnerabilities in voting systems and provide other resources to help protect against infiltration, his office said in a statement.”
Back to the FBI flash alert, titled “Targeting Activity Against State Board of Election Systems,” it was labeled as restricted for “NEED TO KNOW recipients.”
The warning confirms that the bureau was investigating cyber intrusions against two state election websites that occurred recently that lead to the exfiltration of voter registration data.
The FBI alert contains technical details about the attacks, including IP addresses involved in the both attacks.
“The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” the alert reads. “Attempts should not be made to touch or ping the IP addresses directly.”
The TTPs adopted by attackers suggest the involvement of Russian hackers, one of the IP addresses included in the alert has surfaced before in Russian criminal underground hacker forums.
Menzel, the Illinois election official, confirmed that FBI is investigating a possible link to the Democratic National Committee hack and the attacks against the two state election systems.
Dropbox Hacked — More Than 68 Million Account Details Leaked Online
31.8.2016 thehackernews Hacking
Hackers have obtained credentials for more than 68 Million accounts for online cloud storage platform Dropbox from a known 2012 data breach.
Dropbox has confirmed the breach and already notified its customers of a potential forced password resets, though the initial announcement failed to specify the exact number of affected users.
However, in a selection of files obtained through sources in the database trading community and breach notification service Leakbase, Motherboard found around 5GB of files containing details on 68,680,741 accounts, which includes email addresses and hashed (and salted) passwords for Dropbox users.
An unnamed Dropbox employee verified the legitimacy of the data.
Out of 68 Million, almost 32 Million passwords are secured using the strong hashing function "BCrypt," making difficult for hackers to obtain users' actual passwords, while the rest of the passwords are hashed with the SHA-1 hashing algorithm.
These password hashes also believed to have used a Salt – a random string added to the hashing process to further strengthen passwords in order to make it more difficult for hackers to crack them.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox.
"We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
Dropbox initially disclosed the data breach in 2012, notifying users that one of its employee passwords was acquired and used to access a file with users’ email addresses, but the company didn't disclose that the hackers were able to pilfer passwords too.
But earlier this week, Dropbox sent out emails alerting its users that a large chunk of its users’ credentials was obtained in 2012 data breach that may soon be seen on the Dark Web marketplace, prompting them to change their password if they hadn't changed since mid-2012.
"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012," the company wrote. "Our analysis suggests that the credentials relate to an incident we disclosed around that time."
Dropbox is the latest to join the list of "Mega-Breaches," that revealed this summer, when hundreds of Millions of online credentials from years-old data breaches on popular social network sites, including LinkedIn, MySpace, VK.com and Tumblr, were sold on Dark Web.
The takeaway:
Change your passwords for Dropbox as well as other online accounts immediately, especially if you use the same password for multiple websites.
Also use a good password manager to create complex passwords for different sites as well as remember them. We have listed some best password managers that could help you understand the importance of password manager and choose one according to your requirement.
The son of a Russian lawmaker could face up to 40 years in the jail for hacking
30.8.2016 securityaffeairs Hacking
Roman Seleznev (32), the son of the Russian lawmaker and Russian Parliament member Valery Seleznev was convicted of stealing 2.9 Million credit card numbers
Roman Seleznev (32), the son of one of the most notorious Russian lawmaker and Russian Parliament member Valery Seleznev has been convicted in the US of hacking businesses and stealing 2.9 million US credit card numbers using Point-of-Sale (POS) malware
“A federal jury today convicted a Vladivostok, Russia, man of 38 counts related to his scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington. ” reads the announcement published by the DoJ.
According to the Department of Justice, the hacking scheme defrauded banks of more than $169 Million. The stolen credit card data were offered for sale on multiple “carding” websites.
“Testimony at trial revealed that Seleznev’s scheme caused 3,700 financial institutions more than $169 million in losses.” continues the note published by the DoJ.
Attacks-as-a-Service-cybercrime
Seleznev, who was using the online moniker ‘Track2‘ was convicted in a Washington court on Thursday of 38 charges related to stolen credit card details, which includes:
Ten counts of Wire Fraud
Nine counts of obtaining information from a Protected Computer
Nine counts of possession of 15 Unauthorized Devices
Eight counts of Intentional Damage to a Protected Computer
Two counts of Aggravated Identity Theft
“Roman Valerevich Seleznev, aka Track2, 32, was convicted after an eight-day trial of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft. U.S. District Judge Richard A. Jones of the Western District of Washington scheduled sentencing for Dec. 2, 2016.”
Roman Seleznev, 32, the son of Russian Parliament member Valery Seleznev, was arrested in 2014 while attempting to board a flight in the Maldives, the arrest raised diplomatic tensions between American and Russian authorities.
The prosecution was built starting from data found on his laptop that was seized at the time of the arrest. The PC contained more than 1.7 million stolen credit card numbers, some of which were stolen from businesses in Western Washington.
The analysis of the laptop allowed the prosecutors to find additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the hacking scheme.
The prosecution was criticized by the Seleznev’s lawyer, John Henry Browne.
“I don’t know of any case that has allowed such outrageous behavior,” said Browne.
The US DoJ replied that Seleznev “was prosecuted for his conduct not his nationality.”
If convicted, Seleznev could face up to 40 years in the jail, his victims were small businesses and retailers hacked from 2008 to 2014.
Seleznev will be sentenced on December 2.
Shad0wS3C group hacked the Paraguay Secretary of National Emergency
30.8.2016 securityaffeairs Hacking
Shad0wS3C hacker group has hacked the Paraguay’s Secretary of National Emergency (SNE) and leaked online a dump from a PostgreSQL database.
Not so long ago I interviewed Gh0s7, the leader of the Shad0wS3C hacker crew, now he contacted me to announce the hack of the Paraguay’s Secretary of National Emergency (SNE).
“The reason for this data leak. The government of Paraguay has violated so many human rights, and either the UN (Don’t rely on them) or anyone has done anything. just to name a few:
Impunity and justice system
Torture and other ill-treatment
Violation of Women’s and girls’ rights
Violation against Human rights defenders”
this is the Shad0wS3C message.
The group has shared as proof of the hack a data dump from a PostgreSQL database, just after the announced security breach the Government website sen.gov.py was up.
The leaked data dump includes information about material stocks and also PII belonging to Paraguay’s Secretary of National Emergency employees. Users’ records include names, emails, phone numbers, addresses, salary information, and other data related to their activity within the Government organization (i.e Roles in the case of national emergencies).
The leaked data also includes details on hundreds website login credentials, with hashed passwords.
Shad0wS3c is a hacker group recently formed, in July it claimed responsibility for the data breach of the EJBCA that resulted in the exposure of credentials and certificates.
DNC staffers are invited to use ‘Snowden-Approved’ App Signal in response to the hack
29.8.2016 securityaffeirs Hacking
In the aftermath of the DNC hack the staffers were instructed in the use of the popular instant messaging Signal app, also called the “Snowden-approved” app.
The need of privacy is pushing the IT industry in developing secure messaging systems that implement end-to-end encrypted to protect users from prying eyes. Signal is probably the most popular app in this moment.
Signal app comes from Open Whisper Systems and is available for both Androids and iOS devices. If you are looking for the most secure messaging app, you can use Signal and strengthen security in your texts and phone calls. It is free of charge and it encrypts your data.
The app is automatically in sync with your address book and this makes it really easy to encrypt your communication with all your contacts. In this way, you do not need special login credentials for accessing the app and initializing its effectiveness.
If you search for Signal on the Internet you will discover that Edward Snowden is probably his most illustrious users and testimonial.
“Use anything by Open Whisper Systems” Snowden says.
signal app
The Cryptographer and Professor at Johns Hopkins University Matt Green and the popular security expert Bruce Schneier are other two admirers of the Signal app, recently we so the application also in the popular TV series Mr. Robot.
There is no doubt, Signal is the first choice for hackers and security experts … and not only them.
In the aftermath of the Democratic National Committee hack the staffers were instructed in the use of the popular instant messaging app, also called the “Snowden-approved” app.
Visualizza l'immagine su Twitter
Visualizza l'immagine su Twitter
Segui
Edward Snowden ✔ @Snowden
2015: Even if he revealed unlawful government surveillance, put him in jail!
2016: wait what apps does he use
22:58 - 27 Ago 2016
6.251 6.251 Retweet 10.505 10.505 Mi piace
“Signal, staffers in the meeting were told, was “Snowden-approved.” A week after the meeting at the campaign headquarters, according to two people who have worked with the D.N.C. and the Clinton campaign, an e-mail was sent out instructing staffers where to download the app and how to use it.” reported Vanity Fair.
“Edward Snowden, who famously requires that people place their cell phones in a freezer before he agrees to meet with them in person (the freezer, or fridge, acts as a faraday cage and blocks any N.S.A.-like snooping of people’s whereabouts), has touted the security of Signal numerous times, saying on Twitter, “I use Signal every day.””
Segui
Edward Snowden ✔ @Snowden
Report: Russia hijacking activist accounts via telcos.
Use Signal, and always do this: (http://support.whispersystems.org/hc/en-us/articles/213134107-How-do-I-verify-the-person-I-m-sending-messages-to-is-who-they-say-they-are- …) https://twitter.com/FredericJacobs/status/726128513695109120 …
12:55 - 30 Apr 2016
854 854 Retweet 833 833 Mi piace
A few days after the DNC security breach was publicly disclosed, the DNC staffers received a memo containing detailed instructions on how to download and use the Signal app.
The use of the popular messaging app among DNC staffer is a clear sign of the need of a proper security posture among top political officials and staffer managing sensitive information.
If you want to give a look to the other Secure Messaging Apps on the market, you can read the post I published here.
Shad0wS3C group hacked the Paraguay Secretary of National Emergency
29.8.2016 securityaffeirs Hacking
Shad0wS3C hacker group has hacked the Paraguay’s Secretary of National Emergency (SNE) and leaked online a dump from a PostgreSQL database.
Not so long ago I interviewed Gh0s7, the leader of the Shad0wS3C hacker crew, now he contacted me to announce the hack of the Paraguay’s Secretary of National Emergency (SNE).
“The reason for this data leak. The government of Paraguay has violated so many human rights, and either the UN (Don’t rely on them) or anyone has done anything. just to name a few:
Impunity and justice system
Torture and other ill-treatment
Violation of Women’s and girls’ rights
Violation against Human rights defenders”
this is the Shad0wS3C message.
The group has shared as proof of the hack a data dump from a PostgreSQL database, just after the announced security breach the Government website sen.gov.py was up.
The leaked data dump includes information about material stocks and also PII belonging to Paraguay’s Secretary of National Emergency employees. Users’ records include names, emails, phone numbers, addresses, salary information, and other data related to their activity within the Government organization (i.e Roles in the case of national emergencies).
The leaked data also includes details on hundreds website login credentials, with hashed passwords.
Shad0wS3c is a hacker group recently formed, in July it claimed responsibility for the data breach of the EJBCA that resulted in the exposure of credentials and certificates.
Opera Browser Sync Service Hacked; Users' Data and Saved Passwords Compromised
28.8.2016 thehackernews Hacking
Opera has reset passwords of all users for one of its services after hackers were able to gain access to one of its Cloud servers this week.
Opera Software reported a security breach last night, which affects all users of the sync feature of its web browser.
So, if you’ve been using Opera’s Cloud Sync service, which allows users to synchronize their browser data and settings across multiple platforms, you may have hacked your passwords, login names, and other sensitive data.
Opera confirmed its server breach on Friday, saying the "attack was quickly blocked" but that it "believe some data, including some of [their] sync users’ passwords and account information, such as login names, may have been compromised."
Opera has around 350 Million users across its range products, but around 1.7 Million users using its Sync service had both their synchronized passwords as well as their authentication passwords leaked in the hack.
Since the company has already reset passwords of all of its registered Opera Sync users and emailed them with details, you need not worry about your account.
"Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution," Opera Software explained in a blog post.
Additionally, the company has also informed all Opera Sync users about the security breach and recommended them to change passwords for their Opera Sync accounts as soon as possible. You can obtain a new password for Opera sync using the password resetting page.
The complete details about the intrusion and extent of the breach are yet unknown.
Opera Software encouraged users to reset passwords for any third party websites they may have synced with its service.
However, if you are the one using the same password for multiple sites, you are also advised to change your passwords for those sites manually.
Since we’ve repeatedly seen folks reusing passwords across multiple services with recent high-profile account hacking, you are advised to use a good password manager always to keep a strong, unique password for your online accounts.
We have listed some best password managers that would help you understand the importance of password managers and choose a suitable one according to your requirement.
Megaupload Domains Seized by FBI 'Hijacked' to Host Porn Ads
28.8.2016 thehackernews Hacking
Well, we all know that the FBI has previously hosting porn on the Internet. I still remember the case of PlayPen, the world's largest dark web child pornography site, which was seized by FBI and ran from agency’s own servers to uncover the site's visitors.
Now, one of the most popular sites owned and operated by the FBI has been serving porn as well.
FBI-owned Megaupload.org and several other domains were allegedly serving up ads for "casual sex," "adult cam chat," "adult affair dating," and "live sex cams" and other 18+ entertainment.
Megaupload was once a famous and highly popular site for pirate and copyright contents that agency seized from Kim Dotcom almost five years ago.
Since a criminal case against Dotcom is still pending in the United States, the FBI also retained control over several of the company’s assets, including cash, cars, and over a dozen of Megaupload’s former domain names, including Megastuff.co, Megaworld.mobi, Megaclicks.org, Megaupload.com, and Megavideo.com.
Initially, these Megaupload domains served a banner indicating the federal agents had seized them as part of a criminal investigation, those users who visited the site yesterday were surprised to see soft porn ads, offering links to adult entertainment.
But, How did this Happen?
'Lost control'
Yes, the hijacking of the Megaupload domains was not the result of some sophisticated hack that allowed hackers to serve you soft porn and sex ads, rather the FBI had "lost control" of the domains in the same way it lost control last year.
TorrentFreak suggests the FBI forgot to renew an expired domain, CIRFU.NET, which the feds used for their "name server" to redirect traffic from sites it had seized, and that someone else just purchase it and linked it to the Megaupload domains.
The Federal Bureau of Investigation fell into the same trap last year when the web addresses it seized led people onto to sites peddling porn, fake security software, malware, adware and bogus special offers.
Though the federal authorities reportedly removed the nameservers altogether to fix the issue, the exact identity of who got control of Megaupload.org and its associated sites is not known. However, it is clear that the feds have not learned from their past mistakes.
The FBI has yet to comment on what happened to the domains.
Hacker reveals How He Could have Hacked Multiple Facebook Accounts
27.8.2016 thehackernews Hacking
How to Hack a Facebook Account?
That's possibly the most frequently asked question on the Internet today. Though the solution is hard to find, a white hat hacker has just proven how easy it is to hack multiple Facebook accounts with some basic computer skills.
Your Facebook account can be hacked, no matter how strong your password is or how much extra security measures you have taken. No joke!
Gurkirat Singh from California recently discovered a loophole in Facebook's password reset mechanism that could have given hackers complete access to the victim's Facebook account, allowing them to view message conversations and payment card details, post anything and do whatever the real account holder can.
The attack vector is simple, though the execution is quite difficult.
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
How to Hack Multiple Facebook Accounts?
Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and changed the Facebook ID to the user's username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.
"I first reported this bug on May 3, 2016, but Facebook didn't believe me such large-scale execution could have been possible. They wanted proof," Gurkirat told The Hacker News. "So I spent close to a month learning and building the infrastructure to target a batch of 2 million Facebook users. I then re-submitted this bug, and they agreed that it indeed was an issue."
Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
Also Read: How to Hack Someones Facebook Account Just by Knowing their Phone Numbers.
Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that's little less), Gurkirat has doubt that the patch is not "strong enough to mitigate this vulnerability."
"I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that," Gurkirat told the Hacker News.
"I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability."
However, Facebook provides you an extra layer of security to protect your account against such attacks.
Here's How you can Protect Your Facebook account:
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.
With Login Approvals turned ON, Facebook will send you a 6-digit security code via a text message to your registered cell phone if someone tries to log into your Facebook account from a new computer or device or a different web browser.
So, even if your Facebook username and password are entered by an attacker, that 6-digit security code, which has been delivered to your phone, will still be required to log into your account, preventing hackers from accessing your account.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.
If your Facebook account is accessed from a remote device, Facebook sends you an email or SMS alert. If that is an unauthorized access, you can quickly follow the steps listed in the email to disable access for that device.
Use Password Manager: It's a general, must-do advice to have a strong, unique password for every online account. We have listed some best password managers that would help you understand the importance of password manager and choose a suitable one, according to your requirement.
Hacker reveals How He Could have Hacked Multiple Facebook Accounts
27.8.2016 thehackernews Hacking
How to Hack a Facebook Account?
That's possibly the most frequently asked question on the Internet today. Though the solution is hard to find, a white hat hacker has just proven how easy it is to hack multiple Facebook accounts with some basic computer skills.
Your Facebook account can be hacked, no matter how strong your password is or how much extra security measures you have taken. No joke!
Gurkirat Singh from California recently discovered a loophole in Facebook's password reset mechanism that could have given hackers complete access to the victim's Facebook account, allowing them to view message conversations and payment card details, post anything and do whatever the real account holder can.
The attack vector is simple, though the execution is quite difficult.
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
How to Hack Multiple Facebook Accounts?
Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and changed the Facebook ID to the user's username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.
"I first reported this bug on May 3, 2016, but Facebook didn't believe me such large-scale execution could have been possible. They wanted proof," Gurkirat told The Hacker News. "So I spent close to a month learning and building the infrastructure to target a batch of 2 million Facebook users. I then re-submitted this bug, and they agreed that it indeed was an issue."
Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
Also Read: How to Hack Someones Facebook Account Just by Knowing their Phone Numbers.
Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that's little less), Gurkirat has doubt that the patch is not "strong enough to mitigate this vulnerability."
"I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that," Gurkirat told the Hacker News.
"I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability."
However, Facebook provides you an extra layer of security to protect your account against such attacks.
Here's How you can Protect Your Facebook account:
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.
With Login Approvals turned ON, Facebook will send you a 6-digit security code via a text message to your registered cell phone if someone tries to log into your Facebook account from a new computer or device or a different web browser.
So, even if your Facebook username and password are entered by an attacker, that 6-digit security code, which has been delivered to your phone, will still be required to log into your account, preventing hackers from accessing your account.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.
If your Facebook account is accessed from a remote device, Facebook sends you an email or SMS alert. If that is an unauthorized access, you can quickly follow the steps listed in the email to disable access for that device.
Use Password Manager: It's a general, must-do advice to have a strong, unique password for every online account. We have listed some best password managers that would help you understand the importance of password manager and choose a suitable one, according to your requirement.
Secret data on DCNS Scorpene submarines leaked online, it could be a disaster.
27.8.2016 thehackernews Hacking
The Australian newspaper published over 22,000 secret documents on six DCNS Scorpene submarines that are being built in India.
According to The Australian, Indian authorities is investigating a security breach that affected the French Submarine Firm DCNS, which is 35 percent owned by Thales.
The investigation started after more than 22,000 pages related to six DCNS Scorpene submarines being built in India were leaked.
“DCNS has been made aware of articles published in the Australian press related to the leakage of sensitive data about Indian Scorpene.This serious matter is thoroughly investigated by the proper French national authorities for Defense Security. This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.” reads the press information published by the company.
The journalists at The Australian had reviewed over 4,450 pages on the Scorpene’s underwater sensors, over 4,300 pages on its combat systems, 4,200 pages of data on above-water sensors.
The DCNS claimed it was the victim of economic cyber espionage, a DCNS spokeswoman told Reuters that the security breach could have a dramatic impact on the company due to the exposure of sensitive information related the collaboration of the company with some governments.
“Asked if the leak could affect other contracts, a company spokeswoman said it had come against a difficult commercial backdrop and that corporate espionage could be to blame.” reported the Reuters. “Competition is getting tougher and tougher, and all means can be used in this context,” she said. “There is India, Australia and other prospects, and other countries could raise legitimate questions over DCNS. It’s part of the tools in economic warfare.”
The Australian newspaper published some 22,400 documents containing technical details of six DCNS Scorpene submarines that are being built at a shipyard in Mumbai, India.
“I understand there has been a case of hacking,” Indian Defence Minister Manohar Parrikar told reporters. “We will find out what has happened.”
The DCNS Scorpene submarines are technological jewels, the documents include highly sensitive details of the submarine including manuals and models of the boat’s antennae.
This new generation of submarines has significant intelligence-gathering capabilities, is it equipped with advanced combat systems and high-tech devices for communication.
As anticipated the leaked documents also include secret information related the activities conducted by the French firm with various governments. The leaked files include secret information on sea trials that the Malaysian Navy is conducting with its fleet of DCNS Scorpene submarines. Some documents are related to business information with Chile and Russia, in the first case the company provided radar systems for some Chilean frigates, meanwhile the Russian government received amphibious assault vessels.
In a brief statement, the DCNS said it is aware of the leak on the Indian Scorpenes and noted that the appropriate French authorities are currently investigating the breach. “This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.”
The Australian hasn’t revealed the source of the documents but confirmed that the security breach could have serious repercussions on a $38 billion project that the DCNS is currently negotiating with the Australian government.
Epic Games Forum Hacked, Once Again — Over 800,000 Gamers' Data Stolen
23.8.2016 thehackernews Hacking
If you are a fan of Unreal Tournament from Epic Games or ever have participated in discussions on the online forums run by Epic Games, you possibly need to change your forum password as soon as possible.
It seems the Unreal Engine and its creators, Epic Games' forums have recently been compromised by an unknown hacker or a group of hackers, who have stolen more than 800,000 forum accounts with over half a Million from the Unreal Engine's forums alone.
The hackers get their hands on the forum accounts by exploiting a known vulnerability resided in an outdated version of the vBulletin forum software, which allowed them to get access to the full database.
Epic believes registration information that includes usernames, scrambled passwords, email addresses, dates of birth, IP addresses, and date of joining, may have been obtained in the attack.
"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext," announcement on the Unreal Engine forum website reads.
However, ZDNet reports "their full history of posts and comments including private messages, and other user activity data from both sets of forums" have also been compromised.
Most of the stolen passwords are scrambled that can not be cracked easily, but hackers could exploit other stolen data to send phishing messages to forum members' email addresses in an effort to infect their systems with ransomware or other malicious software.
Epic Game Players at Risk
Moreover, there is bad news for players of Infinity Blade, UDK, Gears of War, and older Unreal Tournament games, as hackers may have compromised their salted hashed passwords, along with their email addresses and other data entered into the forums.
At the time of writing, the Epic Games' forum and Unreal Engine forums both appeared to be down.
So, users are advised to change their passwords for the forum accounts as soon as possible and keep a longer and stronger one this time and change passwords for other online services, especially if you use the same password for multiple sites.
You can use a good password manager that allows you to create complex passwords for different sites and remember them for you.
We have listed some best password managers that could help you understand the importance of password manager and help you choose a suitable one, according to your requirement.
LeakedSource, a search engine site that indexes leaked login credentials from data breaches, has added the breached data from the Epic Games' forums into its database, which includes the password hashes to allow its users to search for their stolen data.
BHU Wi-Fi router, it is really too easy to hack these network devices
22.8.2016 securityaffairs Hacking
A security expert analyzed a BHU Wi-Fi router and found that it is easy to hack by an unauthenticated attacker that can access sensitive information.
Tao Sauvage, an expert from IOActive, has analyzed a BHU Wi-Fi router that he purchased during a travel. The BHU Wi-Fi router appears like a surveillance box, but according to the analysis of the experts, it is affected by multiple vulnerabilities.
BHU Wi-Fi router
The network device is completely pwnable by an unauthenticated attacker that can access sensitive information.
The expert also explained that the BHU Wi-Fi router comes with hidden users, SSH enabled by default and a hardcoded root password … not so bad for an attacker, what do you think about?
Last scaring discovery about the Chinese-made router is that it injects a third-party JavaScript file into all users’ HTTP traffic.
“The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.” wrote Sauvage.”
Sauvage has exploited the UART debug pins to extract the firmware and analyzed it, it has found multiple security vulnerabilities.
The expert noticed that the CGI script running everything reveals the session ID of the admin cookie, this means that it could easily hijacked by an attacker that obtains admin privileges.
The BHU Wi-Fi router includes a hard-coded SID, 700000000000000, an attacker can get access to “all authenticated features” by presenting it to the router.
Once presented the above SID to the device, it revealed the hidden user dms:3.
“So far, we have three possible ways to gain admin access to the router’s administrative web interface:
Provide any SID cookie value
Read the system logs and use the listed admin SID cookie values
Use the hardcoded hidden 700000000000000 SID cookie value
” explained Sauvage.
It is incredible, the BHU Wi-Fi router is full of security holes, the researchers also discovered that the device fails to perform XML address value sanitization, this allows an attacker to carry out an OS command injection. Sauvage claims that the router could be used to eavesdrop on router traffic using a command-line packet analyzer like
The router could be used by attackers to eavesdrop on the device traffic using a command-line packet analyzer like tcpdump or to hijack it for other malicious purposes.
“At this point, we can do anything:
Eavesdrop the traffic on the router using tcpdump
Modify the configuration to redirect traffic wherever we want
Insert a persistent backdoor
Brick the device by removing critical files on the router “.
I invite you to give a look to the analysis published by IOActive, it is amazing the number of issues affecting this specific device, and probably many others suffer the same problems.
Lets hope the Chinese manufactured that designed the device, the BHU Networks Technology Co., is now aware how insecure is its router.
Don’t forget that the many powerful botnets leverages on compromised SOHO devices.
Is security enabling or compromising productivity?
20.8.2016 netsecurity Hacking
While most organizations fundamentally believe connecting people to the best technology is vital to business productivity, many struggle to achieve agility due to traditional on-premise security mindsets, according to an Okta survey of 300 IT and security professionals.
Failing to adapt and upgrade security tools is putting organizations at risk. 65% of respondents think that a data breach will happen within the next 12 months if they do not upgrade legacy security solutions in time.
“In order to be more productive, organizations worldwide are investing in cloud and mobile technologies, enabling their staff to work from virtually anywhere. But this isn’t enough to ensure true agility. As organizations become increasingly connected, the traditional idea of the enterprise network boundary is vanishing and businesses need to prioritise strong security,” said David Baker, CSO at Okta. “To successfully navigate the new perimeter and avoid compromising on security and productivity, IT leaders need to adopt tools that span traditional company and network boundaries and enable agility across the organization.”
Organizations are unsure if security is enabling or compromising productivity and agility
When asked if security measures compromised or enabled productivity in their organization, respondents’ opinions were mixed. Just over half (52%) said that their current security solutions compromise productivity, while 48% believe their security measures enable the organization to adopt best of breed solutions that enable productivity and agility.
Visibility into application usage is limited
Okta’s research shows that 85% of IT leaders suffer from a lack of insight over who has access to applications within their organization. Even more worrying, 80% of respondents pointed to weak passwords or weak access controls as a security issue.
Investing in new mobile, automation, and cloud technologies is paying dividends for organizations
92% of respondents believe their organization could do more to integrate and support cloud applications into their infrastructure and systems. This reveals a massive opportunity for IT teams to further drive agility and productivity, and the chance to drive this percentage down.
Warning — Bitcoin Users Could Be Targeted by State-Sponsored Hackers
20.8.2016 thehackernews Hacking
Another day, another bad news for Bitcoin users.
A leading Bitcoin information site is warning users that an upcoming version of the Blockchain consolidation software and Bitcoin wallets could most likely be targeted by "state-sponsored attackers."
Recently, one of the world's most popular cryptocurrency exchanges, Bitfinex, suffered a major hack that resulted in a loss of around $72 Million worth of Bitcoins.
Now, Bitcoin.org, the website that hosts downloads for Bitcoin Core, posted a message on its website on Wednesday warning users that the next version of the Bitcoin Core wallet, one of the most popular bitcoin wallets used to store bitcoins, might be replaced with a malicious version of the software offered by government-backed hackers.
Specifically, Chinese bitcoin users and services are encouraged to be vigilant "due to the origin of the attackers."
Bitcoin.org doesn't believe it has sufficient resources to defend against the attack. However, the website did not reveal the name of the country planning the attack.
The Warning Message from the Bitcoin.org site reads:
"Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state-sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website."
"In such a situation, not being careful before you download [the software] could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network."
Also Read: Bitcoin Exchange Offers $3.5 Million Reward for Information of Stolen Bitcoins.
In such cases, it is likely that hackers will try to hijack and replace the official binary files used to run Bitcoin software on mining pools, either:
By compromising the Bitcoin.org official site
By conducting a man-in-the-middle attack to fake a cryptographic certificate that would allow hackers to intercept victim’s encrypted HTTPS connection and replace the legitimate download with a malicious one, tricking users into installing a malicious version of the Bitcoin software.
However, Bitcoin Core developer Eric Lombrozo told The Reg that "there's absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state-sponsored attackers that we know of at this point."
"Perhaps certain sites where people download the binaries could end up getting compromised, but let's not unnecessarily spread paranoia about the Bitcoin Core binaries themselves."
Verify Signatures and Hashes
As a countermeasure, users are recommended to verify the Signature securely and hashes of Bitcoin Core binaries that are cryptographically signed with a key before running Bitcoin Core binaries to ensure the binaries are legitimate as being created by the Core developers team.
"We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries," the advisory states.
Moreover, you are advised to download the binaries from the official Bitcoin site only; otherwise, you may end up getting compromised.
Bitcoin.org warns state-sponsored attacks against the Bitcoin Core
19.8.2016 securityaffairs Hacking
The organization that controls the development of the Bitcoin software warns users that nation-state actors may hit the upcoming Bitcoin Core release.
The organization that controls the development of the Bitcoin system, Bitcoin.org, has warned of possible cyber attacks coordinated by nation-state attackers.
Bitcoin Core is the open source client for Bitcoin, the version Bitcoin Core 0.12.1 was released in April and a new one will be soon available (version 0.13.0).
This week, Bitcoin.org published a security notice to inform users that it is possible that the Bitcoin Core 0.13.0 version will be targeted by state-sponsored hackers.
“Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state-sponsored attackers.” states the security notice.
“We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website,”
The organization is warning is a specific way the Chinese Bitcoin community, inviting it to be vigilant and to adopt all the necessary measured to avoid security breaches.
When dealing with a persistent attacker such as a nation-state actor in is necessary a supplementary effort of the entire community due to the abilities of the adversaries.
“In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers,” Bitcoin.org warned.
The Bitcoin.org suggests checking the hashes of Bitcoin Core binaries that are cryptographically signed with a known tkey.
“We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.”
In a thread on the news.ycombinator.com, experts discussed about the fact that bbitcoin.org does not implement HTTP Public Key Pinning (HPKP), this means that any government that controls a CA can generate its own cert for bitcoin.org, hijack the site’s IP and replace this page with their own fingerprint.
China controls the root CA China Internet Network Information Center (CNNIC) whom new certificates were banned last year by Mozilla and Google after one of its intermediate certificates was used to issue fake Google certificates.
Unfortunately, many threat actors are interested in launching cyber attacks against the Bitcoin users.
Recently several Bitcoin exchanges have been hacked, clamorous the security breach suffered by the Asian Bitfinex that led the theft of 120,000 Bitcoin.
The Bitcoin value significantly dropped after the discovery of the breach, it was observed a 20 percent decrease.
The NSA Hack — What, When, Where, How, Who & Why?
18.8.2016 thehackernews Hacking
You might have heard about the recent ongoing drama of NSA hack that has sparked a larger debate on the Internet concerning abilities of US intelligence agencies as well as their own security.
Saturday morning the news broke that a mysterious group of hackers calling themselves "The Shadow Brokers" claimed it hacked an NSA-linked group and released some NSA hacking tools with a promise to sell more private "cyber weapons" to the highest bidder.
The group dumped a bunch of private hacking tools from "Equation Group" – an elite cyber attack unit linked to the NSA – on GitHub and Tumblr.
The Shadow Brokers hacking group has published the leaked data in two parts; one includes many hacking tools designed to inject malware into various servers and another encrypted file containing the "best files" that they made available for sale for 1 Million Bitcoins.
However, GitHub deleted the files from its page, not due to any government pressure, but because the hackers were demanding cash to release more data and the company's policy don't allow the auction or sale of stolen property on its source code management platform.
NSA Hack Raises a Few Important Question? The leak of advanced hacking tools allegedly stolen from the Equation Group has raised few questions in everyone's mind:
Is Equation Group an elite cyber attack unit linked to the NSA?
Are the Equation Group Hack and leaked exploits legitimate?
If Legit, Do the advanced hacking tools actually belong to Equation Group?
Who is behind the hack? Russia?
Here's all you need to know about the NSA Hack:
Kaspersky Confirmed: Leaked Hacking Tools Belong to NSA-tied Group
According to a technical report published Tuesday by security firm Kaspersky Lab, the leaked advanced hacking tools contains digital signatures that are identical to those in hacking software and malware previously used by the Equation Group.
"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky researchers said in a blog post.
Over 300 computer files found in the Shadow Brokers archive have a common implementation of RC5 and RC6 encryption algorithms – which has been used extensively by the Equation Group.
Also, the implementation of encryption algorithms is identical to the RC5 and RC6 code in the Equation Group malware.
"There are more than 300 files in the Shadow Brokers' archive which implement this specific variation of RC6 in 24 other forms," the researcher wrote. "The chances of all these being fakes or engineered is highly unlikely."
"The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers' leak are related to the malware from the Equation group."
Here's the comparison of the older Equation RC6 code and the code from the new leak, which shows that they have identical functionally and share rare specific traits in their implementation:
Kaspersky Lab previously linked Equation Group to the NSA, describing it as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades."
The security firm also claimed Equation Group to be behind a variety of malware types, including Stuxnet and Flame, which are associated with cyber attacks launched by the United States.
Former NSA Personnel also Confirms the Authenticity of Leaked Data
Now, adding more proofs to the possibility and making the speculations stronger, some ex-NSA insiders say the leaked hacking tools are legitimate and linked to the NSA.
One former NSA employee who worked in its special hacking division, Tailored Access Operations (TAO), told the Washington Post that "without a doubt, they're the keys to the kingdom."
"The stuff you are talking about would undermine the security of a lot of major government and corporate networks both here and abroad," said the former TAO employee, who asked Post to remain anonymous.
Moreover, another former TAO employee who also saw the leaked file said, "From what I saw, there was no doubt in my mind that it was legitimate."
So, after Kaspersky Labs analysis and former-TAO employees statements, it is clear that the leaked NSA hacking tools are legitimate.
Hack Or An Inside Job?
Moreover, it has also been speculated that the NSA hack could be an insider’s job, as concluded by Matt Suiche, founder of UAE-based security startup after he discussed this incident with a former NSA TAO employee.
"The repository containing the NSA TAO Toolkit is stored on a physically segregated network which does not touch the internet and has no reason to (remember it's a toolkit repository)," Suiche wrote in a blog post.
"There is no reason for those files to have ever been on a staging server in the first place unless someone did it on purpose. The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source."
Experts and Snowden suggest Russia is behind the NSA Hack
nsa-hack-russia-snowden
Most cyber security experts, as well as former NSA contractor and whistleblower Edward Snowden, believes Russia to be behind the NSA hack.
In past few weeks, WikiLeaks and an unknown hacker using an alias Guccifer 2.0 have published a large number of documents came from the breach of the Democratic National Committee (DNC) and another separate hack of the Democratic Congressional Campaign Committee (DCCC).
Several officials from US intelligence agencies and security companies have pointed fingers towards Russia for the recent Democratic hacks, though Russia has denied any involvement.
"The Federal Bureau of Investigation and U.S. intelligence agencies have been studying the Democratic hacks, and several officials have signaled it was almost certainly carried out by Russian-affiliated hackers," the WSJ reports. "Russia has denied any involvement, but several cybersecurity companies have also released reports tying the breach to Russian hackers."
Now, both Snowden and Dave Aitel, a security expert who spent 6 years as an NSA security scientist, are speculating that the latest leak by the Shadow Brokers is in response to growing tensions between the United States and Russia over the Democratic groups' hacks.
In a stream of tweets yesterday, Snowden said the hack is likely of Russian origin, tweeting "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."
Here's the combined statement by Snowden:
"Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here's why that is significant:
This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast."
Following Snowden tweets, Aitel also published a blog post, saying Russia is the most likely suspect behind the Democratic hacks as well as the latest leak of the NSA spying tools.
Apart from speculation, Wikileaks, which previously made it clear to harm Hillary Clinton's chances from becoming US President, also said it already own the "auction" files from the Shadow Brokers and will publish them in "due course," though the tweet has since been deleted.
Still, many questions remain unanswered — who is the Shadow Brokers, how the group broke into Equation Group and stole their private hacking tools and malware, and is the group really willing to bid the auction files for 1 Million Bitcoins or is it just a distraction?
Internet Traffic Hijacking Linux Flaw Affects 80% of Android Devices
16.8.2016 thehackernews Hacking
An estimated 80 percent of Android smartphones and tablets running Android 4.4 KitKat and higher are vulnerable to a recently disclosed Linux kernel flaw that allows hackers to terminate connections, spy on unencrypted traffic or inject malware into the parties' communications.
Even the latest Android Nougat Preview is considered to be vulnerable.
The security flaw was first appeared in the implementation of the TCP protocol in all Linux systems deployed since 2012 (version 3.6 and above of the Linux OS kernel) and the Linux Foundation has already patched the Linux kernel on July 11, 2016.
However, the vulnerability (CVE-2016-5696) is now affecting a large portion of the Android ecosystem.
According to a blog post published Monday by mobile security firm Lookout, the Linux flaw is present in Android version 4.4 KitKat and all future releases, including the latest developer preview of Android Nougat.
Around 1.4 BILLLLLION Android Devices Affected
This means that 80% of all Android devices in use today, which is nearly 1.4 Billion devices, are vulnerable to attacks, enabling hackers to spy on your communications without even compromising your network via man-in-the-middle-attack.
However, the good news is that the Linux vulnerability is complicated and difficult to exploit, but the risk is there especially for targeted attacks.
"While a man-in-the-middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack," Lookout stated in the blog post.
Windows and Macs are not affected by the vulnerability.
According to Google, engineers are already aware of the vulnerability and are "taking the appropriate actions" to fix the issue, a Google representative told Ars Technica. So, it is likely that a patch for Android will arrive soon.
Temporary Mitigation:
Make sure your Internet traffic is encrypted: Apps you use and Websites you visit should employ HTTPS.
Use a Virtual Private Network (VPN).
To know more about the Linux kernel flaw and its mitigation, you can head on to our post, titled "Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely."
NSA's Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online
15.8.2016 thehackernews Hacking
It seems like the NSA has been HACKED!
An unknown hacker or a group of hackers just claimed to have hacked into "Equation Group" -- a cyber-attack group allegedly associated with the United States intelligence organization NSA -- and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.
Not just this, the hackers, calling themselves "The Shadow Brokers," are also asking for 1 Million Bitcoins (around $568 Million) in an auction to release the 'best' cyber weapons and more files.
I know, it is really hard to believe, but some cybersecurity experts who have been examining the leak data, exploits and hacking tools, believe it to be legitimate.
Widely believed to be part of the NSA, Equation Group was described as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades," according to a report published by security firm Kaspersky in 2015.
Equation Group was also linked to previous infamous Regin and Stuxnet attacks, allegedly the United States sponsored hacks, though the link was never absolutely proven.
Two days back, The Shadow Brokers released some files, which it claimed came from the Equation Group, on Github (deleted) and Tumblr.
Exploits for American & Chinese Firewalls Leaked:
The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including, Cisco, Juniper, and Fortinet.
According to the leaked files, Chinese company 'Topsec' was also an Equation Group target.
The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like "BANANAGLEE" and "EPICBANANA."
"We follow Equation Group traffic," says the Shadow Broker. "We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."
It is yet not confirmed whether the leaked documents are legitimate or not, but some security experts agree that it likely is.
"I haven't tested the exploits, but they definitely look like legitimate exploits," Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.
NSA Planted Stuxnet-Type Malware Deep Within Hard Drive Firmware
While some are saying that the leak could be a very well-researched hoax, and the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.
"If this is a hoax, the perpetrators put a huge amount of effort in," security researcher The Grugq told Motherboard. "The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use."
However, if NSA has successfully been hacked, the hack would be a highly critical cyber security incident.
CRIME, TIME, BREACH and HEIST: A brief history of compression oracle attacks on HTTPS
11.8.2016 netsecurity Hacking
compression oracle attacksThe HEIST vulnerability was presented at Black Hat USA 2016 by Mathy Vanhoef and Tom Van Goethem. In this presentation, new techniques were presented that enhanced previously presented padding oracle attacks on HTTPS, making them more practical.
In a padding oracle attack, the attacker has partial control of part of a message that contains secret information, and is compressed, then encrypted before being sent over the network. An example of this is a web page that contains a CSRF token and echoes an attacker’s message.
This type of attack is not new, it was originally proposed by John Kelsey in 2002, then practically demonstrated by Juliano Rizzo and Thai Duong as CRIME in 2012 at ekoparty. CRIME worked by exploiting TLS compression on messages sent from the client to the server. This technique required a man-in-the-middle position.
In March 2013 at Black Hat EU, Tal Be’ery presented an extension of CRIME called TIME that introduced two new enhancements:
1. Using CRIME for server-to-client messages.
2. Exploiting TCP window sizes to allow the attack to take place without a man-in-the-middle position.
Later in 2013 at Black Hat USA, Angelo Prado, Neal Harris and Yoel Gluck presented BREACH, an attack that reproduced enhancement 1. from the TIME attack.
BREACH got more press than TIME did, and was generally much more well-known in the infosec community (for example, the Wikipedia article on CRIME mentions BREACH but not TIME).
The HEIST presentation in 2016 re-introduced the forgotten enhancement 2. from TIME, but used a slightly different technique (the Fetch API, which did not exist in 2013), and applied the attack in a novel way to HTTP/2 (also did not exist in 2013).
It turns out that each of these presentations introduced something that was previously discovered as if it were new.
1. The original CRIME presentation described the server-to-client attack that was presented as new in both TIME and BREACH. Note: the BREACH team retroactively added references to TIME and the original CRIME slides that introduced the attack in the final version of their paper.
2. TIME described the TCP window timing side-channel that was re-discovered in HEIST.
In conclusion, it’s hard to find truly original ideas in information security. When presenting results that build on previous research, it occasionally happens that other people may have found the same results. The information security community should try to be as thorough as possible when researching prior art and crediting existing research.
This ATM Hack Allows Crooks to Steal Money From Chip-and-Pin Cards
5.8.2016 thehackernews Hacking
Forget about security! It turns out that the Chip-and-PIN cards are just as easy to clone as magnetic stripe cards.
It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.
We have been told that EMV (Europay, MasterCard and Visa) chip-equipped cards provides an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards.
But, it turns out to be just a myth.
A team of security engineers from Rapid7 at Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions.
The demonstration was part of their presentation titled, "Hacking Next-Gen ATMs: From Capture to Washout," [PDF]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.
Here's How the Hack Work
The hack requires two processes to be performed.
First, the criminals need to add a small device known as a Shimmer to a point-of-sale (POS) machine (here, ATM's card reader) in order to pull off a man-in-the-middle (MITM) attack against an ATM.
The shimmer sits between the victim's chip and the card reader in the ATM and can record the data on the chip, including PIN, as the ATM reads it. It then transmits this data to the criminals.
The criminals then use a smartphone to download this stolen data and recreate the victim's card in an ATM, instructing it to eject cash constantly.
Tod Beardsley, a security research manager for Rapid7, told the BBC that shimmer is basically a tiny RaspBerry-Pi-powered device that could be installed quickly to the outside of the ATM without access to the internals of the cash machine.
"It's really just a card that is capable of impersonating a chip," Beardsley said. "It's not cloning."
The perpetrators would only be able to replicate each card for a few minutes and use it to fraudulently withdraw money, enabling them to make between up to $50,000, but Beardsley suggests that a network of hacked chip-and-pin machines could create a constant stream of victims.
Researchers have disclosed full details about the issue in Chip-and-PIN ATMs to banks and major ATM manufacturers and said they hope the institutions (currently unnamed) are examining the issue.
Phineas Fisher hacked a bank to support anti-capitalists in the Rojava region
20.5.2016 Hacking
Phineas Fisher, the notorious Hacking Team hacker, stole $10,000 from a bank and donated the equivalent in Bitcoin to Kurdish anticapitalists in Rojava.
Phineas Fisher (@GammaGroupPR), revealed on Reddit that he breached a bank and turned the stolen money to a Kurdish anti-capitalists that operate in the Rojava autonomous region. The region in located in the north of the Syria, near to the territories controlled by the ISIL. The hacker did not reveal the name of the breached financial institution nor provided details of the cyber heist.
Phineas Fisher explained that it is quite easy to steal money from the bank, he cited the Carbanak group, but took the distance from the motivation of the Russian criminal crew. Phineas Fisher is a hacker, not a thief, he hasn’t financial motivation, he follows his own ideals.
“Banks are being robbed more than ever, it’s just done differently these days.” he explained. The money did come from robbing a bank. As I said in an earlier comment, bank robbing is more viable than ever, it’s just done differently these days. There’s a reason in the last hacking guide I wrote (spanish original english translation) I spoke in favor of expropriating money from banks, said you used to need a gun but can now do it from bed with a laptop in hand, and linked a technical report on the Carbanak group. Not that I’m a fan of Russian gangsters robbing banks so they can buy luxury cars or whatever, but there’s a lot to learn from their methods.
Phineas Fisher became very popular in the security industry because he is the hacker that breached the surveillance firms Hacking Team and the surveillance company Gamma International.
He is coherent with his thoughts about surveillance and the support offered by IT companies to totalitarian regimes, for this reason, he decided to target them and interfere with their “dirty” affairs.
The enemies of freedom are Phineas Fisher enemies.
Now the popular hacker has donated 25 Bitcoin (worth around US$11,000) to a crowdfunding campaign known as the Rojan Plan, which has been launched by the members of the Rojava’s economic committee. described by Fisher as “one of the most inspiring revolutionary projects in the world.”
Fisher defined the campaign as “one of the most inspiring revolutionary projects in the world.”
The campaign aims to help the local population and that are oppressed by the ISIL and treated by nearby governments. The project is ambitious and has a long list of goals, including the organizations of training in the neighborhood centers and schools, the production of educational material (pamphlets, short films) about the need to separate waste, the establishment of facilities for processing the waste and making fertilizer.
This is the list of things this people needs.
2 trucks: $45000
Small bulldozer: $35000
Pool for liquid fertilizer: $500
Machine: $1500
Plastic buckets for waste: $2000
Structure: $3000
Thermometer: $50
Big plastic canvas: $2500
Worker clothes: $300
Scale: $500
Airsystem: $500
Hangar: $40000
Material: $33000
Mixer: $15000
Other: $10000
9 workers: $10800
Phineas Fisher hack bank
Some experts already verified the Bitcoin transaction made by Phineas Fisher, THN of one of them
“When deeply investigated, it was found that the Rojava Plan’s Bitcoin address received a 25 BTC (Bitcoin) transaction timestamped 5th May 2016, which means the donation has publicly been recorded on the blockchain ledger.” reported the THN.
“You can see the payments made to our campaign on the campaign page. You can also check our Bitcoin address, which is public,” Deniz Tarî from Rojava Plan told Ars. The page lists a €10,000 donation by “Hack Back!”
John McAfee and his crew claim to have hacked a WhatsApp Message, But …
20.5.2016 Hacking
The popular security expert John McAfee and a team of four hackers demonstrated that is is possible to read WhatsApp message.
The cybersecurity expert John McAfee and four hackers demonstrated that is is possible to read a WhatsApp message even if it is encrypted. The hacker crew used their servers located in a remote section in the mountains of Colorado
McAfee reported the success to the Cybersecurity Ventures and shared the details of the clamorous hack.
The hacked message was exchanged between two researchers located at the New York City headquarters office of the digital forensics firm LIFARS. The researchers used two brand new Android phones running a tiny app written by McAfee and his colleagues.
Cybersecurity Ventures reported the message was sent at 2:45pm EST in New York, and the hackers read it in Colorado one minute later. Wait, but WhatsApp implements end-to-end encryption. How is it possible?
hacked whatsapp message
McAfee explained that the problem doesn’t affect WhatsApp but the Android OS that is affected by a serious design flaw. The exploitation of the vulnerability allowed McAfee’s team to take full control of the information managed by the mobile device.
We have no information about the components of the team, we only know that one of them is Chris Roberts, a security researcher that in May 2015 announced via Twitter that he was able to hack the flight he was on. Roberts was arrested by the FBI, the experts claimed he had burrowed through the aircraft’s onboard entertainment system to gain control over critical systems of the airplane.
“I have been warning the world for years that we are teetering on the edge of an abyss, that our cyber security paradigms no longer function, and that chaos will descend if something is not done” said McAfee, commenting the successfully hack of the WhatsApp message. “The fundamental operating system (Android), used by 90% of the world, and that should be the first bulwark against malicious intrusion, is flawed. Should I not bring this to the world’s attention through a dramatic demonstration? Do I not owe it to the world?”
Experts from LIFARS who analyzed the mobile phones reported the presence of “malware traces,” a memo issued by the CEO Ondrej Krehel confirms the smartphones have been infected by a spyware app that allowed hackers to log keystrokes. According to Krehel, the hackers haven’t rooted the device in order to exploit the flaw, more information will be disclosed after that McAfee and his team will discuss the flaw with Google, and I believe it is important to highlight that McAfee is doing this not for money.
“McAfee said he is open to dialogue with Google and WhatsApp in order to help remedy the vulnerability, and there would be no cost for his services. “This in no way was done for financial gain. This was my obligation to my tribe” said McAfee.” continues Cybersecurity Ventures.
Are you a SnapChat user? Bad news also for you, McAfee confirmed that similar problems have been noticed also with other messaging apps.
Hacker Steals Money from Bank and Donates $11,000 to Anti-ISIS Group
20.5.2016 Hacking
Meet this Robin Hood Hacker:
Phineas Fisher, who breached Hacking Team last year, revealed on Reddit Wednesday that he hacked a bank and donated the money to Kurdish anti-capitalists in Rojava autonomous region in northern Syria that borders territory held by the ISIS (Islamic State militant group).
Fisher, also known as "Hack Back" and "@GammaGroupPR," claimed responsibility for both the Hacking Team and Gamma Group data breaches.
The vigilant hacker donated 25 Bitcoin (worth around US$11,000) to a crowdfunding campaign known as the Rojan Plan, which has been set up by members of the Rojava’s economic committee, described by Fisher as "one of the most inspiring revolutionary projects in the world."
Also Read: Here's How Hackers Stole $80 Million from Bangladesh Bank
The funds donated to the campaign came from a bank heist, though the hacker neither revealed the name of the bank nor provided any further details of the bank heist.
When deeply investigated, it was found that the Rojava Plan's Bitcoin address received a 25 BTC (Bitcoin) transaction timestamped 5th May 2016, which means the donation has publicly been recorded on the blockchain ledger.
"You can see the payments made to our campaign on the campaign page. You can also check our Bitcoin address, which is public," Deniz Tarî from Rojava Plan told Ars. The page lists a €10,000 donation by "Hack Back!"
Also Read: 25 Line Exploit Code that could let anyone steal $25 Billion from a Bank
Fisher on Reddit even urged another hacker to set up ATM skimming campaigns or rob banks and then donate all the money to the Rojava campaign in order to help the cause.
Hackers target the campaigns of presidential contenders
19.5.2016 Hacking
The US Director of National Intelligence James Clapper revealed that attackers are targeting the campaigns of US presidential contenders.
At the end of 2015, I published a post titled “2016 Cyber Security Predictions,” one of my prediction is related the rise of cyber attacks related to the US elections.
“Social media are a primary communication method for politicians, the online activity will be intense in the period before the elections and cyber criminals and nation-state actors will try to exploit the event to launch cyber-attacks.” I wrote in the post.
According to the US Director of National Intelligence James Clapper, hackers are targeting the campaigns of Democratic and Republican presidential contenders.
“We already have some indications of that,” he explained during a discussion at the Bipartisan Policy Center in Washington. “I anticipate that as the campaign intensifies, we are probably going to have more of it.”
presidential contenders
The US authorities are aware that threat actors are targeting the US politicians, the Department of Homeland Security and the FBI are issuing multiple warnings to educate them in assuming a proper security posture and avoid being hacked.
“There is a long-standing practice of briefing each of the candidates once they are officially designated, and that shifts in to a higher gear in terms of details after the president-elect is known,” Clapper said.
Clapper confirmed that the US intelligence gathered evidence of several hacking campaigns targeting the campaigns of presidential contenders with different motivations (e.g. cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, cyber espionage operated by nation-state actors, hacktivism, financial motivation).
“We’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations — from philosophical differences to espionage,” said the FBI spokesman Brian Hale.
He also reported that the attacks ranged from “from defacements to intrusions.” According to US Intelligence, its experts tracked intrusions by foreign intelligence services into the campaigns for president back in 2008.
According to Clapper, the two candidates would receive “exactly the same” briefings that will be filed to avoid any interference with the programs of the candidates.
“We’ve been doing this for many years, it’s not designed to shape anybody’s worldview,” Clapper addedworldview,” Clapper added
Cyber spies from Suckfly group hacked organizations in India
19.5.2016 Hacking
A crew of cyber spies named Suckfly group is targeting organizations in India, it conducted long-term espionage campaigns against entities in the country.
A group of high professional hackers called Suckfly is targeting organizations in India, according to the experts at Symantec the crew conducted long-term espionage campaigns against the country.
Symantec did not disclose the names of the targeted organizations, it only revealed that the list of the victims includes one of India’s largest financial institutions, a top five IT firm, two government organizations, another a large e-commerce company, and the Indian business unit of a US healthcare company.
In March 2016, experts from Symantec, discovered Suckfly targeting South Korean organizations, the hackers were searching for digital certificates to steal. Later the group launched long-term espionage campaigns against organizations across the world, most of them located in India.
“In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations.” states a blog post published by Symantec. “These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.”
The principal weapon in the arsenal of the Suckfly group is the a backdoor called Nidiran that leverage Windows known vulnerabilities to compromise the targets and move laterally within the corporate network.
The experts noticed that the group spent a significant effort to compromise an Indian government department that installs network software for other ministries and departments.
Symantec analyzed the tactics, techniques, and procedures (TTPs) of the hacker group profiling the modus operandi of the attackers. The hackers use to identify employees in the target organization trying to compromise their systems, likely through a spear-phishing attack.
Once inside the target network, the hackers search for other targets to compromise by using hacking tools to move laterally and escalate privileges.
The nature of the targets, the TTPs of the Suckfly group and the working days in which the group is active (The group operates from Monday to Friday) led the experts into believing that it is a nation-state actor.
“These steps were taken over a 13-day period, but only on specific days. While tracking what days of the week Suckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working. Figure 4 shows the attackers’ activity levels throughout the week. This activity supports our theory, mentioned in the previous Suckfly blog, that this is a professional organized group.” states Symantec.
Who is behind the Suckfly group?
It is hard to link the Suckfly group to a specific Government, Symantec highlighted that its targets have been India, South Korea, Saudi Arabia, and India.
Giving a look to the C&C infrastructure used by the group, we can notice that several domains were registered by users with the addresses of the Russian email service provider Yandex. Of course, this information alone gives us no added value for the attribution, the unique certainly is that the hackers will continue their campaign in the next months.
“The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly’s operations.” states Symantec.
Hacker puts up 167 Million LinkedIn Passwords for Sale
18.5.2016 Hacking
LinkedIn's 2012 data breach was much worse than anybody first thought.
In 2012, LinkedIn suffered a massive data breach in which more than 6 Million users accounts login details, including encrypted passwords, were posted online by a Russian hacker.
Now, it turns out that it was not just 6 Million users who got their login details stolen.
Latest reports emerged that the 2012's LinkedIn data breach may have resulted in the online sale of sensitive account information, including emails and passwords, of about 117 Million LinkedIn users.
Almost after 4 years, a hacker under the nickname "Peace" is offering for sale what he/she claims to be the database of 167 Million emails and hashed passwords, which included 117 Million already cracked passwords, belonging to LinkedIn users.
The hacker, who is selling the stolen data on the illegal Dark Web marketplace "The Real Deal" for 5 Bitcoins (roughly $2,200), has spoken to Motherboard, confirming these logins come from the 2012 data breach.
Since the passwords have been initially encrypted with the SHA1 algorithm, with "no salt," it just took 'LeakedSource', the paid search engine for hacked data, 72 hours to crack roughly 90% of the passwords.
Troy Hunt, an independent researcher who operates "Have I Been Pwned?" site, reached out to a number of the victims who confirmed to Hunt that the leaked credentials were legitimate.
The whole incident proved that LinkedIn stored your passwords in an insecure way and that the company did not make it known exactly how widespread the data breach was at the time.
In response to this incident, a LinkedIn spokesperson informs that the company is investigating the matter.
In 2015, Linkedin also agreed to settle a class-action lawsuit over 2012's security breach by paying a total of $1.25 million to victims in the U.S, means $50 to each of them.
According to the lawsuit, the company violated its privacy policy and an agreement with premium subscribers that promised it would keep their personal information safe.
However, now new reports suggest that a total 167 Million LinkedIn accounts were breached, instead of just 6 million.
Assuming, if at least 30% of hacked LinkedIn Accounts belongs to Americans, then the company has to pay more than $15 Million.
Meanwhile, I recommend you to change your passwords (and keep a longer and stronger one this time) and enable two-factor authentication for your LinkedIn accounts as soon as possible. Also, do the same for other online accounts if you are using same passwords on multiple sites.
Hacker Interviews – Speaking with GhostShell
18.5.2016 Hacking
GhostShell is back and I had the opportunity to interview him. It is important to understand the thoughts and opinion of talented minds like GhostShell.
Yesterday I reported the news of the return of one of the most popular hacker, Ghost Shell who exposed data from 32 companies and launched a new campaign to punish negligent network administrators.
Who is GhostShell? It is too simple to label it as a hacker or hacktivist … I decided to go behind the scene and reach him for an interview. … I decided to go behind the scene and reach him for an interview.
GhostShell Tweet
I believe it is important to understand the thoughts and opinion of talented minds like GhostShell. Hackers have their codes, their experiences, their growth paths, knowledge of which is crucial for people who actually live cyber security.
Let me thank GhostShell for his availability, I really appreciated it.
Enjoy the Interview!
What are your motivations? Why do you hack?
I have plenty of reasons for hacking. For starters I’m a hacktivist so my public hacks and leaks are politically
motivated. The reasons vary for each of them. In the past they’ve been focused on topics such as the educational sector or the abuse of governments towards its people in places like Russia or China. Other times they were more aimed at the authorities in the US for arresting other fellow hackers across the world. Or even widespread corruption in other parts of the world, like Africa.
Behind the scene, I take pleasure in exploring the internet without any restrictions or anyone judging me for it.
To be able to explore any part of this new and ever-changing world to your heart’s desire gives you a brief taste of true freedom. Like a cold breeze in a hot summer day, short but memorable.
What is your technical background and are you an IT professional?
Can’t really say that I have an official (technical) background in this industry. Everything that I know or can do I’ve studied and learned on my own. In fact, when I first appeared on the scene, it was just me with a twitter account and zero followers. I literally had no friends or contacts. The reason why I even bring this up is to prove that you don’t need any sort of professional help from a private class course or governmental training to learn about cybersecurity. Anyone with a bit of curiosity and determination can pursue any topic out there associated with this field.
Some of the topics that I have been attracted to over the years have ranged from general pen testing, general programming in various languages, cryptology – cryptography although with a bigger focus on cryptanalysis, since code breakers are almost non-existent nowadays. Infiltrating and extracting private data is one thing but what happens when you stumble upon encrypted data? Being a regular MD5 password cracker with rainbow tables just doesn’t cut it anymore. Hackers have to evolve and adapt in parallel with this ever-changing environment.
As an exclusive tidbit of information that I would like to share is that I have a presence in plenty of other industries, not just this one. I have been a game developer for years, both as a game programmer and designer. Or a theory hardware hacker in robotics, mostly engaged in breadboard simulation and light programming. But also involved in other non-IT industries.
I cannot really mention more or even go into too many details. As mentioned before, earlier this year in my outing, the moment you release any sort of private information about yourself or others it no longer becomes yours but everyone else’s. However, if there’s someone out there interested in cybersecurity and wants to learn how to pen test then they should start by looking up every single tutorial on the open net.
Most of the information, exploits, step-by-step tutorials can all be found online. Places like OWASP are pretty cool for beginners to read more on the different types of attacks out there and pretty much every source of freely available information, from blogs to online videos, can help tremendously, especially when you’re a newcomer.
Newcomers should never feel discouraged in their pursuit for knowledge. Regardless of what any and every paid troll or ignorant researcher may label us as, take pride in the knowledge you have accumulated so far and make way to acquire even more. For me, when it comes to cybersecurity, hacking is basically coding and security testing. People, especially outsiders or the usual upper-class middle-aged men from the west that are part of this industry, are too bent on name branding everything/everyone and micromanaging the cultural aspect of things. My only advice to them would be less judging, more security testing.
What was your greatest challenge?
My greatest challenge for me was holding back from the systematic destruction of every single person from the industry working on my case. This started back at the beginning of 2013 when I took my first break because of them and has lasted up until this very day. I have been aware of the people assigned to my case since the start, from the federal agents to the private companies aiding them. In 2013, I was prepared to leak all their identities and point fingers at all the exact honeypots from the scene where hackers are herded and actively entrapped, but I held back.
To put someone’s identity and life on display for the world to judge and critique while you laugh at their own misfortune is something that the authorities do for a living.
I wasn’t about to become the same medieval animal as them.
What was your greatest hacking challenge?
I don’t really have a specific target in mind but I’m pretty sure that the most difficult and equally irritating cyberspace for me was South Africa’s slow connections, poorly configured encodings on the site, and overall tricky measures incorporated into their systems made my campaign there one of the worst hacker experiences I’ve ever had.
I suppose that’s me complimenting their cyberspace since they made me feel like I was stuck in quicksand while pen testing their domains. Props.
Another challenging territory to attack is China. The slow connections play a huge role here as well, add to that the new and unique encodings never seen before in western networks all the while you’re trying to map out a hermit cyberspace that houses a solid population of over 500 million netizens and you end up with quite a handful of things to worry about. There are more than half a billion users there but realistically how many people on Twitter can name at least 10 websites from mainland China? The ignorance and lack of information in the west will one day end up in our own downfall.
What scares you the most on the internet?
People. People scare me. Especially those with even a shred of power at their disposal that are incapable of suppressing their urges from abusing it.
I have the knowledge to make and break this digital reality yet you don’t see me actively taking down websites, altering server data or leaking compromising information about any individual such as up to date banking information or private medical records. Even in this recent leak dubbed Light Hacktivism where I’ve strayed a bit away from that, the few examples given were either outdated/expired credentials or redacted medical data that had nothing to do in general with a patient but with the establishment itself. That’s a courtesy that you don’t see all too often around here, considering how a lot of this information is available en mass on the internet, unprotected for anyone to see.
I can’t claim all the higher moral ground here either since I also have my faults and failures but they don’t even come close to those of grown ass men working for or with governments to both surveil and entrap children and young people. It makes me sick to my stomach to witness federal agencies parading around 15 year olds through the press, branding them criminals or terrorists simply because they were curious to test a network’s security or naive enough to fall into another one of the usual generic entrapments.
What would you change about the cybersecurity industry and why?
You mean apart from the medieval practices of using children and young people as escape goats for an industry that basically exploits them? How many times have we seen news about the end of days on the internet?
Companies overreacting to our hacks while peddling their own broken products, the feds entrapping us with whatever is politically trendy, all the while the bystanders sit on the fence calling us criminals or terrorists that need to be put behind bars.
If I had to pick a set of topics that need everyone’s attention in the near future, it would be these:
The changing of federal practices when it comes to official investigations of hackers, especially hacktivists.The psychological trauma of being constantly obfuscated, being surveilled and misinformed for years is far greater than any of the people working on the scene could think. Paranoia, insomnia, depression, panic attacks, various other disorders end up causing a permanent scar on our minds, even after we’ve been caught and reintegrated back into society.
The on-going exploitation of children and young hackers by the corporations has to end. How much money have they all made off our backs? How many customers did they acquire after pointing their fingers in our direction and claiming that the cyberarrmagedon is upon us and that the only salvation is through their software? I can’t even call these people businessmen but rather a new digital form of religious fanatics, piggy-back riding on our infamy.
The cybersecurity industry needs more women. And I’m not talking about chicks that rock the chair in marketing, public relations, recruiting, and accounting or as secretaries. I’m talking about actual cybersecurity experts.
How many women do you know that are hackers or pen testers? What about as networking architects? Data mining experts?
Hacktivists? If anyone out there can name 5 of them from each of those categories then you’ve just won the internet but if you can’t even name 1 or 2 without looking it up then you know we have a problem. A diverse industry leads to a diverse set of ideas, which leads to more innovative creations. That much is a no brainer to anyone. Let’s try to make a change for the better. Together.
A serious talk about the future of cybersecurity. And here I mean less the software and more the people. Because at the end of the day the people are the ones that make up the industry. We should talk more often about the sensitive problems we’re facing, like drugs abuse or alcohol. We have been pointing it out in the past but we never really came to any conclusion. Can we do something about it? Can we help prevent hackers and security professionals from becoming drug addicts or alcoholics? Maybe we need a support group for them. Maybe we need to stop being so judgmental and more understanding when bringing up the subject. Maybe that’s how we prevent certain disasters.
Maybe it’s all linked to those three other points above.
Why did you agree to this interview? You’re usually reserved in giving them so why give one now?
Because I respect you as a journalist. You’re one of the original team of independent people that have reported on the hacker scene since before I even arrived. You’ve reported on my projects and activities from the very beginning and I wanted to thank you for it. Same goes for all the other infosecurity enthusiast. You guys have no idea how amazing it is to have journalists that report on our activities while sitting at the same level as us. It helps bridge that gap between hacker and journalist. After the Hacker Team journo list was formed I thought things were going to change and some hacker activities obfuscated but I’m glad that things have remained the same.
We all need down-to-earth journalists that can do their job of reporting on real-time news and for that I’m thankful.
Hacker finds flaws that could let anyone steal $25 Billion from a Bank
18.5.2016 Hacking
A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.
Also Read: Hackers Stole $80 Million from Bangladesh Bank.
Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim's current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
"So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list," Prakash wrote in his blog post.
"It was a matter of 5 lines of code [exploit] to enumerate the bank's customer records (Current Account Balance, and Deposits)."
Stealing Money from Anyone Else's Account
bank-hacking-news
If this wasn't enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender's account.
This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else's account, reported by Motherboard.
"I tested [the hack] with a bunch of accounts belonging to my family. Few of those accounts don't even have net banking or mobile banking activated," Prakash added. "And it all worked like a charm."
However, instead of taking advantage of these bugs, Prakash responsibly emailed the bank on November 13, 2015, and within few days, bank’s deputy general manager informed him that the security flaws had been fixed, without rewarding him with a bug bounty, that's unfair.
1 Million Computers Hacked for making big Money from Adsense
18.5.2016 Hacking
A group of cyber criminals has infected as much as 1 Million computers around the world over the past two years with a piece of malware that hijacks search results pages using a local proxy.
Security researchers from Romania-based security firm Bitdefender revealed the presence of this massive click-fraud botnet, which the researchers named Million-Machine Campaign.
For those unaware, Botnets are networks of computers infected with malware designed to take control of the infected system without the owner's knowledge, potentially being used for launching distributed denial-of-service (DDoS) attacks against websites.
The malware in question is known as Redirector.Paco that alone has infected over 900,000 machines around the world since its release in 2014.
The Redirector.Paco Trojan infects users when they download and install tainted versions of popular software programs, such as WinRAR, YouTube Downloader, KMSPico, Connectify, or Stardock Start8.
Once infected, Paco modifies the computer's local registry keys and adds two new entries disguised as "Adobe Flash Update" and "Adobe Flash Scheduler," to make sure the malware starts after every computer boot-up process.
Besides this, the malware drops JavaScript files that downloads and implements a PAC (Proxy Auto Configuration) file that hijacks all Web traffic, ensuring traffic routes through an attacker-controlled server.
Search Engine Display Fake Results even Over HTTPS
Paco then sniffs all Web traffic originating from the infected computer and looks for queries made over popular search engines like Google, Bing, or Yahoo! and replace the actual results with fake Web pages, mimicking their real User Interface.
The botnet has the ability to redirect search engine results even when the results are served over encrypted HTTPS connections. To do so, the malware uses a free root certificate ‒ DO_NOT_TRUST_FiddlerRoot ‒ that avoid your browser showing HTTPS errors.
"The goal is to help cyber-criminals earn money from the AdSense program," Bitdefender's Alexandra Gheorghe said in a blog post. "Google's AdSense for Search program places contextually relevant ads on Custom Search Engine's search results pages and shares a portion of its advertising revenue with AdSense partners."
Although the malware tries to make the search results look authentic, some markers can raise suspicions, like messages showing "Waiting for proxy tunnel" or "Downloading proxy script" in the status bar of your web browser.
Additionally, the search engine takes longer than usual to load results, and the typical yellow 'O' characters in Google above the page numbers are not displayed, according to researchers.
The security firm says that majority of victims are from India, Malaysia, Greece, the United States, Italy, Pakistan, Brazil, and Algeria.
However, to avoid these kinds of cyber threats, following standard security measures could save your ass, such as keep your system and antivirus up-to-date, and always keep an eye on warning that says something is not right with your computer.
Watson Is Getting Ready from IBM to Deal with Hackers
18.5.2016 Hacking
IBM has targeted hackers, bringing Watson (its computer brain) in the game, with the help of eight prominent US universities
IBM’s computer brain, or else Watson, has been known to multitask, already involved in fighting cancer and cooking and so many other things. Right now, the focus of IBM has been placed towards dealing with hackers and therefore a whole campaign has got ready for educating Watson accordingly. In specific, Watson for Cybersecurity is the new project launched by IBM, including the participation of eight universities for offering their knowledge to Watson. The target is of course cybercrime!
Since there is a lot to take in, the primary educational goal is to process about 15,000 documents on a monthly basis. All the documents will be related to cyber security, so as for Watson to develop a deep and thorough understanding of the terms used and the concepts involved. Even though the contribution of the universities is going to be crucial at first, eventually Watson will be properly educated towards processing everything on its own.
ibm watson
Apparently, in the long run the goal of IBM is to have a powerful ally that will handle a gigantic volume of data related to cyber security. As a result, Watson is going to be super-efficient in dealing with any threats emerging and coming up with the perfect solutions to all similar problems. Due to the fact that there are quite a few false positives in the alerts sent over to tech specialists, it is extremely difficult to address the threats and either classify them as serious or ignore them. Watson will be able to do that, unlike humans.
Instead of replacing the tech specialists, Watson is going to provide exceptional knowledge and invaluable help to them. With the help of Watson in dealing with excessive quantities of data and with the personalized look of the experts, cyber security will be proven exquisitely effective! Rather than just blocking the threat, they will be able to prevent similar threats coming up in the future. This is definitely precious, especially in the delicate environment of cyberspace.
Among the universities laying a helping hand in this ambitious, optimistic scheme, we find MIT (Massachusetts Institute of Technology), New York University and California State Polytechnic University Pomona. Good luck to IBM and its computer brain!
Ukrainian Hacker Admits Stealing Corporate Press Releases for $30 Million Profit
17.5.2016 Hacking
A 28-year-old Ukrainian hacker has pleaded guilty in the United States to stealing unpublished news releases and using that non-public information in illegal trading to generate more than $30 Million (£20.8 Million) in illicit profits.
Vadym Iermolovych, 28, admitted Monday that he worked with two other Ukrainian hackers to hack into computer networks at PR Newswire, Marketwired and Business Wire, and steal 150,000 press releases to gain the advantage in the stock market.
The defendants then used nearly 800 of those stolen news releases to make trades before the publication of the information, exploiting a time gap ranging from hours to 3 days.
The trades would occur in "extremely short windows of time between when the hackers illegally accessed and shared the [news] releases and when the press releases were disseminated to the public by the Newswires, usually shortly after the close of the markets," said the Department of Justice in a press release.
Thirty-two people have been charged in connection with the global scheme to hack into services that distribute corporate news releases and then rapidly pass the stolen information to stock market traders in the US, resulting in more than $100 Million of profit.
The group hacked the computer networks of Marketwired LP, PR Newswire Association LLC, and Business Wire between February 2010 and August 2014 using phishing and SQL injection techniques, the Justice Department says.
The group traded the stolen information with the companies including Align Technology, Caterpillar, Hewlett Packard, Home Depot, Panera Bread and Verisign.
Iermolovych was initially arrested in November 2014 on credit card fraud and computer hacking-related charges, the U.S. Attorney Paul Fishman in New Jersey said.
Iermolovych has pleaded guilty to up to three charges including conspiracy to commit computer hacking, conspiracy to commit wire fraud, and aggravated identity theft.
The other accused Ukrainian hackers include Oleksandr Ieremenko and Ivan Turchynov.
Iermolovych will be sentenced on August 22 in Newark, New Jersey and could face up to 20 years in jail.
GhostShell is back and exposed data from 32 companies hacked through Open FTP
17.5.2016 Hacking
GhostShell is back, it exposed data from 32 companies and launched a new campaign to punish negligent network administrators.
The popular hacker crew GhostShell is back and is launching a new campaign to sensitize administrators to the importance of a proper security posture, but he’s doing it in his own way.
GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.
Three years ago the group launched its last attack, we had no news about the popular hackers since 2015 when the Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.
In March 2016, G.Razvan Eugen (24) claimed to be the founder of the popular collective Team GhostShell.
Now the dreaded collective is back and leaked data \, their system administrators left FTP directories open. In some cases, the GhostShell hackers exploited poor FTP configuration as the entry point in the target networks and then to move laterally compromising other systems.
GhostShell leaked dumped data online from the following 32 organizations:
The leaked data contains several types of information, including credit card details, user name and email combinations some with and without encryption. Experts at Risk Security Based firm who analyzed the leaked data have found 1,181 unique email addresses from 521 different providers.
“The Light Hacktivism leak is a similar style and format as to what we have seen in the past from Razvan. It is comprised of data collected from 30 unique sites and contains varying types of data including credit card details, user name and email combinations some with and without encryption. All together, we have detected 1,181 unique email addresses from 521 different providers. A large portion of the affected sites appear to be data from educational institutions which have been open on the Internet for some time.” wrote RSB.
The hackers leaked the data online end left the following message on Pastebin, at the time I was writing the post has been removed by the administrator of the service.
“This is me raising awareness to the on-going open FTP directories that still plague the net even after all these decades. Despite warnings in the past about the dangers posed by leaving your ports open and unprotected, netizens small and large are still paying no attention to it effectively leaving their networks unprotected to even the newbies of this industry.
I’ve comprised a list of targets that range across the field, from government, educational, medical, industrial, retail, personal and many others. Since I wanted to clear and taken serious about this I have leaked some credit cards information, however it is recently expired, however I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports. Medical data is also present but it has been censored, the sensitive stuff. Still, accounts – usernames, password are present. Personal identities, names, addresses, phone numbers etc. are also there.
Never underestimate the most simple vulnerabilities out there as they often time end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched.
Millions of people at risk everyday due to sheer laziness and incompetence.”
It seems that the group has the intention to hit more targets in the short period and their negligent admins.
Stay Tuned …
The popular crime forum Nulled.io pwned by hackers
17.5.2016 Hacking
The popular crime forum Nulled.io has suffered a serious security breach that exposed personal details of more than 500K users and their activities.
Nulled.io is a popular crime forum with roughly 500,000 users that but and sell any kind of product and services and share information regarding illegal practices.
According to the Risk Based Security, last week the Nulled.io forum has suffered a security breached that exposed details of its members and more than 800,000 personal messages exchanged by the users of the hacker forum.
“Last week a well known “hacker” forum became victim to the fast growing list of over 1,076 data breaches that have occurred so far in 2016. The Nulled.IO forum was compromised and data was leaked on May 6th consisting of a 1.3GB tar.gz compressed archive which when expanded is a 9.45GB SQL file named db.sql.” reported Risk Based Security.
On May 6, the attackers leaked a 1.3Gb compressed archive containing a 9.45Gb database that included the details of more than 536,000 user accounts (usernames, hashed passwords, registration dates, email addresses, and IP addresses).
The popular cyber security expert Troy Hunt has already added the stolen account credentials to the Have I Been Pwned service.
Follow
Have I been pwned? @haveibeenpwned
New breach: Nulled cracking forum had 599k email addresses exposed last week. 25% were already in @haveibeenpwned https://haveibeenpwned.com/
2:12 PM - 9 May 2016
24 24 Retweets 15 15 likes
The hackers also leaked thousands of purchase records and invoices.
“If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.” continues the post.
The experts that analyzed the archive noticed the presence of a table containing personal details of VIP users.
The archive includes detailed information about transactions completed by VIP users, including their PayPal email addresses.
“Further we find API credentials for 3 payment gateways (Paypal, Bitcoin, Paymentwall) as well as 907,162 authentication logs with geolocation data, member id and ip addresses, and 256 user donation records that are able to be matched to the user with member id.” continues the post.
The experts from Risk Based Security several email addresses belonging to government across the world, including United States, Jordan, and Brazil.
At the time I was writing it is still unknown who is behind the attack neither how the hackers breached the Nulled.io crime forum that is powered by the IP.Board forum framework. Experts speculate that the attackers might have exploited a flaw in the IP.Board forum software.
Experts at Sucuri reported multiple attacks against IP.Board forums leveraging on the ImageMagick flaw.
Follow
Daniel Cid @danielcid
In addtiion to vBulletin, seeing a few #ImageTragick attempts against "app=members&module=profile§ion=photo&do=save" on IP.Board
5:47 AM - 9 May 2016
3 3 Retweets 2 2 likes
Daniel Cid, founder and CTO of Web security firm Sucuri, noted last week that IP.Board forums had been targeted in attacks exploiting a recently disclosed ImageMagick flaw.
Currently the Nulled.io crime forum is down.
Nulled io data breach
Hacker claims to have full access to Pornhub and already sold it
16.5.2016 Hacking
A 19-year-old hacker who goes by the name Revolver claims to have breached into Pornhub server and already sold the access for $1,000.
It happened during the weekend, a researcher using the 1×0123 Twitter account announced the availability of a shell access to a subdomain on Pornhub and offered it for $1,000.
The figure is obviously ridiculous when you consider the high traffic that daily reach the server, more than 2.1 million visits per hour.
View image on Twitter
View image on Twitter
Follow
1x0123 @1x0123
#pornhub command injection + shell on subdomain + src for sale
xmpp : revolver@rows.io
1:08 AM - 15 May 2016
151 151 Retweets 157 157 likes
In order to prove the access to the Pornhub platform, 1×0123 posted on Twitter a couple of pictures. The researchers explained to have compromised the server by exploiting uploading a shell by exploiting a flaw in the mechanism used to upload the picture in the user profile.
Once the shell is uploaded on the server it is possible to have full control over the environment.
Salted Hash reached 1×0123 who confirmed that he had sold access to three people.
“2 guys with shell, 1 guy for a command injection script,” he told Salted Hash.
“Pornhub contacted Revolver for more information. He offered to share those details, and help patch the vulnerability that allowed such access, for total cost of $5,000 USD. It isn’t clear if the adult entertainment giant agreed to those terms.” states Salted Hash.
1×0123 hasn’t provided further information on the hack, he only stated the vulnerability affecting the user profile isn’t the ImageMagick flaw recently disclosed.
A Pornhub spokesperson confirmed the presence of the shell that appears to be on a non-production server and confirmed the company is currently investigating the issue.
1×0123 is a known in the security industry, he offered a similar access to the LA Times website in April after he exploited a vulnerability in the Advanced XML Reader WordPress plugin.
During the same period, he revealed to have found an SQL injection flaw on one of the servers of Mossack Fonseca (a custom online payment system called Orion House).
In March, he designed a website called VNC Roulette that displayed screenshots of random hackable computers.
On April 10, 2016, Edward Snowden publicly thanked 1×0123 for reporting a vulnerability in Piwik to the Freedom of the Press Foundation.
On May 9, Pornhub announced a bounty program through HackerOne with a maximum bounty set at $25K.
“The public launch of Pornhub’s Bug Bounty Program follows a private, invite-only beta program that the adult entertainment site ran last year, which compensated participants for helping to identify and fix about two dozen bugs. ” states the announcement.
Unfortunately for Pornhub, 1×0123 has a bad opinion of the bounty program has he confirmed in the following statement published on Twitter.
“i don’t report vulnerabilities anymore go underground or go away ” reads the Tweet.
OpIcarus: Anonymous crusade against the sick banking industry
15.5.2016 Hacking
Anonymous alongside with BannedOffline and Ghost Squad crews are resuming the OpIcarus targeting banking websites around the world.
Hackers of the Anonymous collective alongside with Ghost Squad and BannedOffline continued their attacks on the banks worldwide under the campaign named OpIcarus.
The Operation OpIcarus was resumed in March 2016, both Anonymous and Ghost Squad launched several attacks on financial institutions worldwide, including the bank of Greece, HSBC, Bank of England, Dutch Central Bank, , Central Bank of Bosnia and Herzegovina, the central bank of Cyprus, and Central Bank of Guernsey and Maldives Monetary Authority (Central bank and banking regulator), and Turkish Banks.
After a temporary suspension of the attack, the hacktivists are back and hit the websites of banks in South Korea, Jordan, Montenegro and Monegasque.
“OpIcarus will continue,” announced Anonymous
The hackers launched a series of DDoS attacks that shut down the websites of the Central Bank of Jordan, Central bank of South Korea and Bank of Compagnie, Monegasque.
The HackRead.com reached one of the attackers and reported the following statement:
“Montenegro is at the heart of elite political corruption. Most of the ISIS/ISIL terrorist group looted money flows through Jordanian banks and South Korea is pretty much a US army base in the Asia-Pacific. Sites are staying offline for much longer periods now as more people are joining in the Operation. All targets so far have been central banks and no innocent people were harmed. We aim to keep it that way. OpIcarus will continue.”
A couple of days ago, Hackers claimed to have taken down the Bank of England’s internal email server as part of an operation dubbed ‘OpIcarus.’
Hackers affiliated with Anonymous also claimed to have hit several international banks last week, including the Federal Reserve Bank of Boston, the central banks of Sweden, National Reserve Bank of Tonga, and Myanmar and Laos.
The hacktivist “S1ege,” who is an alleged member of the Ghost Squad crew, claimed responsibility for the attacks announcing ” an online revolution” to retaliate against the “elite banking cartels putting the world in a perpetual state of chaos.”
A hacker compromised several Reddit accounts to prove it needs 2FA
14.5.2016 Hacking
A mysterious hacker is responsible for a mass Reddit defacement of 70 subreddits, he wants to demonstrate the lack of security of the popular platform.
Someone is creating the panic on Reddits, a mysterious user behind the name TehBVM (@TehBVM) claims to have already popped more than 100 Reddit subreddits. The user already targeted subreddits related to Battlefield One game, Marvel Studios, Star Wars, How to Hack, and Game of Thrones, he also defaced popular subreddits like TIFU (today I f**ked up).
The hacker spent the last weeks hijacking Reddit moderator accounts and defacing their subreddit pages, changing cover images and CSS.
Which is the motivation behind the defacements?
Apparently, TehBVM is doing it partly to demonstrate the lack of security posture of Reddit, the hacker hasn’t disclosed personal information belonging to the Reddit users.
“Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones,/r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.”
TehBVM did not explain how he compromised the Reddit accounts the unique certainly seems to be that he hasn’t launched a brute force attack against the platform. It is likely that the hacker is using login credentials related to other data breaches with the hope that users have shared it among multiple online services.
TehBVM is also offering moderator account credentials on the hacked subreddits.
Clearly this kind of incidents could be simply avoided by introducing a two-factor authentication mechanism.
Reddit has already planned the introduction of the 2FA feature, but it is still to develop a beta.
The lack of a strong authentication method was already exploited in the past by hackers, in 2013 other subreddits have been popped in similar circumstances.
VIDEO – RedTeam Hackers Crack Businesses’ Security
14.5.2016 Hacking
A few days ago group of white hat hackers from RedTeam traveled to the Midwest to test the systems of a major power company and breach it with Social Engineering.
RedTeam Security is a group of ethical hackers who specialize in offensive security, believing that the best defense is a good offense. We wrote about their initiative and the recent hack of the Midwest power company.
social engineering RedTeam hackers
Now the hackers shared a video that documents their attack …. enjoy it!
Hacker reports Vulnerability in Mr. Robot Season 2 Website
12.5.2016 Hacking
Mr. Robot was the biggest 'Hacking Drama' television show of 2015 and its second season will return to American TV screens on Wednesday 13th of July 2016.
However, the new promotional website for season two of Mr. Robot has recently patched a security flaw that could have easily allowed a hacker to target millions of fans of the show.
A White Hat hacker going by the alias Zemnmez discovered a Cross-Site Scripting (XSS) vulnerability in Mr. Robot website on Tuesday, the same day Mr. Robot launched a promo for its second series.
The second season of the television show had already received praise from both critics and viewers for its relatively accurate portrayal of cyber security and hacking, something other cyber crime movies and shows have failed at badly.
The new series also features a surprising yet welcome guest: President Barack Obama, who is giving a speech about a cyber threat faced by the nation.
The flaw Zemnmez discovered on the show's website could have given him the ability to perform many malicious tasks, but being a white hat, the hacker responsibly reported the XSS flaw to Sam Esmail, the creator of Mr. Robot series, Forbes reported.
USA Network’s owner NBC Universal confirmed that the website was patched late Tuesday night, hours after Zemnmez reported the flaw.
According to Zemnmez, the flaw could allow an attacker to inject malicious Javascript to steal user information, including Facebook data that Mr. Robot website visitors enter to participate in its quiz.
"A threat actor with XSS on whoismrrobot.com could [have used] the XSS to inject Javascript, which inherits the ability to read Facebook information from the fsociety game," Zemnmez told Forbes. "This could be done mostly silently if correctly engineered with a short popup window."
Also, the flaw could also be exploited using some simple social engineering technique like phishing to get site victims to click on a malicious link that executes the Javascript code, enabling attackers to steal Facebook user's real name, email address, photos and pictures they are tagged in, Zemnmez added.
Seoul blames North Korea for hacking a South Korean defense contractor
11.5.2016 Hacking
Is the North Korea behind the hack of a South Korean defense contractor? The officials announced an investigation into the security incident.
There is a constant tension between South Korea and the North, now the Government of Seoul is accusing Pyongyang for a cyber attack that in April last hit a navy defence contractor, the Hanjin Heavy Industries & Construction Co. On the other side, the North Korea denies any involvement and sustains that attribution is political.
The local media agency Yonhap reported that the government of Seoul suspects the involvement of the North Korean cyber army.
“After identifying signs that Hanjin Heavy Industries may have been hacked on April 20, the Defense Security Command is currently leading a security investigation into whether any military secrets were leaked and whether North Korea was involved,” states the Yonhap citing unnamed officials.
The Hanjin Heavy Industries & Construction Co provides naval vessels and amphibious assault vehicles (e.g. ROKS Dokdo) to the South Korea.
North Korea vs south
Anyway, the Officials confirmed that there is no concrete evidence proving the involvement of NK hackers.
“North Korea could have been involved, but we are not absolutely sure at this stage,” confirmed the official.
Salted Hash reported that his sources close to active IR investigations hypothesized the involvement of a notorious APT, the Lazarus Group. The Lazarus Group is believed to be behind the Sony Pictures hack and multiple security breaches suffered companies in South Korea.
South Korean companies in the defence industry are privileged targets for hackers, in November unknown hackers hit the contractor LIG Nex1 and the Agency for Defense Development. Government investigators suspect that the attackers were interested in the project of the AESA radar.
In September 2013, experts at Kaspersky discovered the espionage activity conducted by another group of hackers dubbed Icefog, an APT specialized in “hit and run” attacks against very specific targets, including several industrial and high-tech organizations in South Korea and Japan.
North Korea holds an impressive army of cyber warriors, with over 6,000 sophisticated professionals. The cyber army is trained and operates in an isolated department called Bureau 121.
“When it comes to cyber-attacks, few groups are as notorious as North Korea’s Bureau 121, which has operated since the late nineties. Most security researchers agree that the group operates out of China. Specifically, in the basement of a restaurant, rated highly on TripAdvisor for its tremendous Korean food.” reported the BBC.
North Korea has the highest percentage of military personnel in relation to population, it has approximately 40 enlisted soldiers per 1000 people with a considerable impact on the budget of the country.
Hackers Crack Businesses’ Security Using Social Engineering
10.5.2016 Hacking
A group of white hackers from RedTeam traveled to the Midwest to test the systems of a major power company and breach it with Social Engineering.
RedTeam Security is a group of ethical hackers who specialize in offensive security, believing that the best defense is a good offense. Engaging in social engineering, in addition to penetration testing, RedTeam tests the effectiveness of a business’s security controls before hackers have the opportunity to do so.
Social engineering is the act of manipulating people into relinquishing confidential information. Webroot explains that, “criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).”
According to Paul Szoldra, writing for Tech Insider:
“‘Social engineering is also referred to as people hacking,’ says Jeremiah Talamantes, president and founder of RedTeam Security. Though social engineering over the phone is less risky, in-person contact can be rather fruitful as RedTeam’s efforts showed. The team was hired to test the physical and virtual security of eight different locations and they gained useful information, or in one case, full access, just through this method.”
Source Tech Insider
Szoldra recently made his way to the Midwest to shadow the RedTeam Security professionals as they tested the security of a major power company, using social engineering.
Pretending to be The IT Guy – RedTeam’s first test involved an attempt to gain access to the network server room at one of the company’s branches. If that could be accomplished, the next step would be to install hardware that called back to them over the internet. Alternatively, they could simply take over workstations in the building.
RedTeam director Ryan Manship emphasizes the important role that confidence plays in the successful outcome of a mission such as this. Presenting yourself with the right pretext–having a legitimate reason for being where you are–is critical, according to Manship.
As it turns out, he wasn’t even asked for ID. The secretary accepted Manship’s fabrication, which cleverly included the first name of one of the company’s network administrators.
A supervisor, however, found the carefully crafted story a bit suspect and did ask for identification. Manship claimed to not have his ID on him. At that point, according to Szoldra, the supervisor, “made a phone call to an IT manager — the person who actually hired Manship and RedTeam to test them — and handed him the phone. The jig was up.”
Two College Students With a Big Project – The second attempt at social engineering was more successful. RedTeam had come up with a plan to shoot video and photos inside an office location in order to become familiar with the environment. They also wanted to try to retrieve data from an employee RFID badge that would unlock office doors. Ideally, a door to a server room could be unlocked. Just the day before, RedTeam consultant Kurt Muhl contacted the office pretending to be a college student from a technical college. He explained that he was working on a class project on renewable energy and was interested in interviewing someone. Muhl got a call back and was able to set up an appointment for the next day. This second endeavor went off without a hitch.
Szoldra writes that, “it was all smoke and mirrors, of course; a way for Muhl to build rapport so he could get what he really came for: Bill’s access badge.
Muhl brought along what looked like a laptop case to carry his notepad, but what was really inside the black bag was a device to scan anyone’s RFID badge who happened to come within two to three feet of it and store it in memory, so the hacker team could clone it for later use.”
Patrick Engebretson, author of The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy illuminates the preparation needed in order to pull feats like this off: “If I had to chop down a tree, I’d spend the first four of them sharpening my axe.”
Researchers hack WhatsApp accounts through SS7 protocol
10.5.2016 Hacking
White Hackers from Positive Technologies demonstrate how to exploit SS7 protocol to impersonate WhatsApp and Telegram users and act on their behalf.
Both WhatsApp and Telegram messaging services have implemented the end-to-end encryption for chats in order to protect the privacy of their users and improve their security.
Is it enough to keep prying eyes far from them?
No, according to a recent research conducted by Positive Technologies, hackers can impersonate victims and reply to both WhatsApp and Telegram chat messages.
Hackers can exploit the Signaling System 7, aka SS7, which is a set of protocols developed in 1975 that allows the connections of one mobile phone network to another. The information passed from a network to another are needed for routing calls and text messages between several networks.
The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).
Experts from Positive Technologies discovered that hackers can exploit a flaw in the SS7 protocol to steal the victim’s identity on the messaging services with just basic skills.
The principal instant messaging services, including WhatsApp and Telegram, rely on the SMS authentication as the primary security verification mechanism, which is routed through SS7 signalling. This means that hackers exploit the SS7 to compromise the verification mechanism and take over the victim’s account and impersonate him.
As explained by the experts, the most worrisome aspect of the story is that hacker does not need high-skills or a sophisticated equipment for such attack.
The hackers from the Positive Technologies used a common Linux distro and a publicly available SDK for their tests.
“An intruder doesn’t need sophisticated equipment. Positive Technologies used a popular Linux based computer and a publicly available SDK for generating SS7 packets. + After performing an initial attack using SS7 commands, the intruder is able to execute additional attacks using the same methods.” states the paper from Positive Technologies (at the time I’m writing the main company website is down, I found it on the .ru website). “For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages, commit fraud, etc. + Attacks are based on legitimate SS7 messages. Therefore, you cannot simply filter messages as it may have a negative impact on the overall quality of service”
Attacks relying on SS7 vulnerabilities could have serious consequences, many threat actors could exploit flaws in the signalling protocol to determining subscriber location, tapping calls, intercepting SMS, disrupt communication services … and takeover instant messaging accounts.
“If telecom and network operators protect their core telecom networks, it will improve the security of customers, but that’s not going to happen over night. Service providers such as WhatsApp need to consider introducing additional mechanisms to verify the identity of users to stay secure,” said Alex Mathews, technical manager EMEA of Positive Technologies.
Researcher arrested and charged for hacking elections websites
10.5.2016 Hacking
The security expert David Levin was arrested and charged after discovering serious security flaws on a couple of election websites in Florida.
The security researcher David Levin, the owner of Vanguard Cybersecurity, was arrested and charged after discovering serious security flaws on a couple of elections websites in Florida.
In December Levin discovered that the elections website of Lee County was affected by an SQL injection vulnerability that allowed access to credentials stored in plain text. The expert also analyzed the Florida Division of Elections website discovering security vulnerabilities.
At this point, the researcher reported the issue to a supervisor of elections candidate, in January he made a video PoC of the SQL injection flaw that allowed him to access the credentials stored in the back-end of the elections website and then reported the issue to the Supervisor of Elections Office.
Unfortunately, the authorities arrested David Levin of Estero for unauthorized access of Lee County and state elections websites. He was released on a $15,000 bond after a few hours.
“The Florida Department of Law Enforcementaccused the 31-year-old Estero man of hacking into the state elections website Jan. 4 and Jan. 31. He hacked into the Lee County elections website Dec. 19.” reads the news-press.com website.
The Florida Department of Law Enforcement confirmed that the expert exploited on a SQL Injection flaw in order to compromise the election website.
He hacked into the state elections website two times in January and one into the Lee County elections site in December.
“An SQL (Structured Query Language) is a code injection technique used to attack data-driven applications. An SQL injection enables an individual to obtain secure information, such as usernames and passwords, from vulnerable sources.”
Levin was released by the police on a $15,000 bond after a few hours.
It is hilarious, Levin thought he was doing the right thing, but authorities had a different opinion about his activities.
Hackers can break into a facility by spending $700 on Amazon or eBay
9.5.2016 Hacking
Hackers demonstrated to the Tech Insider how to break into any office by purchasing from Amazon and eBay $700 worth of electronic parts to clone access cards.Breaking into a company could be very easy and cheap for hackers, it could be sufficient to buy from Amazon and eBay $700 worth of parts. “We watched a team of hackers ‘fully compromise’ a power company in less than 24 hours” reads the Tech Insider.
“Standing outside the main office of a power company in the Midwest, a hacker known as metrofader pulls an employee’s electronic badge out of his pocket and waves it at an outside sensor. The door unlocks, even though it’s a fake card made with data stolen earlier that day.“
According to the researchers from RedTeam Security, hackers could purchase a $350 device available on both from Amazon or eBay to bypass access control systems based on employee ID badges by manufacturing counterfeit access cards.
The experts explained to journalists at Tech Insider that it is very easy to clone an access card belonging to any employee without stealing employee personal information.
Source Tech Insider
Matt Grandy from the RedTeam firm explained that they used a particular device that costs just $350 while visiting a target company.
“[We] got the big, long range reader from Amazon,” RedTeam Security consultant Matt Grandy said. “They’re also all over on eBay.” “They’re also all over on eBay.”
A hacker from the firm pretended to visit a company by posing as a student who requested a tour, he carried the device in a laptop bag that. The device is able to intercept the unencrypted communication between an employee access card and the access control systems used to open/close the doors.
The RFID badge reader offered for sale on Amazon and eBay is able to capture access card data up to three feet away and writes it on a microSD card.
The attacker just needs to be in the proximity of a known employee while he is using his RFID badge.
The attacker can then write the access data captured by the device on a fake employee badge, the operation is very simple by using a second device dubbed Proxmark that cost $300.
The fake badge could be used to access the target company.
“RedTeam exploited a well-known issue with RFID, or radio-frequency identification, which is a common method many organizations use to give employees access to facilities. Employees typically hold up their RFID-coded badges to an electronic reader outside a door, which then tells the door, “Hey, let this person in.“” states the Tech Insider. “The problem is that much of the time, that data is sent in the clear without encryption, giving hackers an opportunity to snatch the data right off an employee’s card so they can clone it for their own purposes.”
Of course, in order to improve the physical security, it is possible to encrypt data, another good measure to adopt to protect access cards are the RFID-blocking sleeves.
Hacker Interviews – The hacker: zurael sTz
8.5.2016 Hacking
This is the first of a series of “Hacker Interviews” that will aim to help us get a better understanding of the motivations and techniques of the hackers.
The information security industry spends time and effort not only to stop hackers but also to understand and simulate them. Vulnerability assessments and penetration tests are specially designed to understand what a criminal hacker could do. Security Affairs is one of the leading information security news sources on the internet and has decided to contribute to the collective effort in understanding the criminal hacker. This is the first of a series of “Hacker Interviews” that will hopefully help us get a better understanding of the motivations and techniques of the hackers. Please feel free to send us an email if there are any particular hacker or attack technique you’d like us to investigate.
The mail starts with “Hello, My name is zurael sTz”.
@zurael_sTz is one of the many Twitter accounts that publish their latest hacks. We have been following this account for sometime and have noticed it’s very typical of the politically motivated hacker profile. He hacks target mostly Palestinian websites with occasionally a Libyan or Egyptian site.
Another trait of this account is its use of the same technique. We usually face 3 different kind of hackers categorized based on their skill levels as “simple”, “smart” and “advanced”. The largest group is the “simple” attacker. A group that is very crowded as this is where “script kiddies” are. They have limited technical knowledge and rarely target their attacks. The second group we call “smart” is very close to this account. Members of this group are generally good in one specific attack and can target their attacks. @brutelogic would be a good example for a smart attacker who has mastered XSS (Cross Site Scripting) attacks and Zurael almost exclusively uses SQL injections. This focus on a specific attack technique, while having its limitations, makes this group more dangerous for government agencies and companies worldwide. In the last group are “advanced” attackers where we see APT gangs.
Seeing an opportunity to better understand what motivates the “smart” attacker we have sent Zurael a series of questions.
What are the motivations?
I like my job, I keep the security of Israeli citizens against attacks #opIsrael
Success, it’s one of the motivations to continue saving the citizens of Israel Online
What was your greatest challenge?
I broke into the website of the Palestinian Wafa news agency
I broke into the Palestinian Health Office in
I started to find radio Jenin
Etc. The list is long, and now, the breaking and entering into the Syrian Ministry of Transport (details coming soon)
What was your largest hack?
It’s complicated. Mainly large companies, Bank of Palestine, but will not talk about it so as not to risk.
Are you an IT professional?
I was a military role, now I work in a small company
How do you choose your targets?
Who harms the State of Israel, will not be immune to attack my
What are the tools you use?
I usually do not use any software
How do you find your targets?
I’m a guy purpose (a) and finds error and penetrates sql injection manually
The answers above show that the hacker isn’t motivated by personal gain or money but rather politically. The targets are probably chosen based on their locations (or domain) and on the presence of an exploitable SQL injection vulnerability.
There are two main lessons we can learn from the answers given by the hacker.
First, every website is under attack. One reaction I often from my customers who aren’t government or financial institution is “no body who attack us anyway”. The fact that you are not a defense industry company doesn’t make you immune to attacks. Opportunistic hackers looking for a specific vulnerability wouldn’t hesitate to exploit it if they found it on your systems. Also, your domain name (.ps, .co.il, .pk, .ru, etc.) might be enough to attract hackers.
The second important lesson is that we should rethink our understanding of cybrwar. Images of the U.S. Cyber Command, the Israeli Unit 8200, the Chinese Specialized Military Network Warfare Forces or the Iranian Cyber Defense Command come to mind anywhere we hear the words “cyberwar”. This misrepresentation usually leads to the false belief that our corporate networks are free from any potential politically motivated attacks. However, as seen from the above profile, any individual or civil group can chose to act based on what they believe is in the interest of their country. Which would make us victims of a politically motivated attack without being part of any political conflict.
Guccifer admits the hack of Hillary Clinton ’s private email server
6.5.2016 Hacking
Marcel Lehel Lazar also known as Guccifer has admitted the hack of the Hillary Clinton ‘s private email server occurred in 2013.
A Romanian hacker has claimed it was ‘easy’ to gain access to Hillary Clinton ’s email server. Marcel Lehel Lazar, who goes by ‘Guccifer’, recently had a series of interviews with Fox and NBC News outlets, providing some details concerning his ability to hack the Clinton email server.
Lazar is currently sitting in a Virginia jail, being held for the hacking of email accounts of senior political members and Clinton friend, Sidney Blumenthal. It was Clinton’s connection with Blumenthal that enabled Lazar to access the Clinton server.
Lazar first got into Blumenthal’s AOL email, in March 2013, through detailed Internet research to help him guess Blumenthal’s security question. From Blumenthal’s email, Lazar was then able to track emails based on IP headers and ultimately gain access to the Clinton email server.
Lazar described the server to NBC News (from a Bucharest jail cell) as, ‘an open orchid on the Internet’ where he was able to find ‘hundreds of folders’. While he says he only accessed the server twice, he claims to have obtained 2-gigabytes of information. He has thus far refused to provide any of the emails to which he gained access. Of the 2-gigabytes of information, he has told Fox News they are hidden because they are ‘too hot’ and ‘a matter of national security’.
It has been of concern about who has had access to the Clinton email server. Lazar has said he was able to see ‘up to 10,…, IPs from other parts of the world.’ Research into emails during Clinton’s time as Secretary of State has already shown approximately 2,200 emails that contained classified information, with some identified as “Top Secret”.
Lazar has been extradited from Romania to face nine federal counts of hacking. He has pleaded not guilty and faces a September 12th trial, though he is willing to cooperate with government officials. The Hillary Clinton presidential campaign camp has noted that Lazar is a criminal and there is ‘absolutely no basis to believe the claims’. They also added the details he has given of the ‘server are inaccurate’.
Hacker is Selling 272 Million Email Passwords for Just $1
5.5.2016 Hacking
A massive database of 272 million emails and passwords for popular email services, including Gmail, Microsoft, and Yahoo, are being offered for sale on the Dark Web for less than $1, media reports.
An anonymous Russian hacker, who goes by the moniker "the Collector," was first spotted by cybersecurity firm Hold Security advertising 1.17 Billion user records for email accounts on a dark web forum.
The stolen credentials apparently came from some of the world’s biggest email providers, including Gmail, Yahoo, Microsoft and Russia’s Mail.ru.
When security analysts at Hold Security reached out to the hacker and began negotiating for the dataset to verify the authenticity of those records, the hacker only asked for 50 Rubles (less than a buck) in return of the complete dump.
However, it seems that there is actually nothing to worry about.
Hold Security CEO Alex Holden said that a large number of those 1.17 Billion accounts credentials turned out to be duplicate and that only 272 Million records were unique.
According to the report, the mostly compromised credentials, 57 Million, belong to Russia’s leading email provider Mail.ru, followed by 40 Million Yahoo accounts, Microsoft 33 Million Hotmail accounts and 24 million Gmail accounts.
Of those 272 Million records analyzed by Hold Security, around 42.5 Million were credentials that the company has not seen traded on the Dark Web before.
In fact, the initial checks by Mail.ru found no active combinations of user names and passwords that match their existing email accounts, a Mail.ru spokesperson told Reuters.
Just last week, PwnedList, a website with the largest database of stolen credentials that allows users to check if a data breach had compromised their emails account, has been hit by hackers.
More than 866 million account credentials collected and indexed from 101,000 data breaches were leaked online due to a vulnerability on PwnedList's website.
Isis hackers claim to have infiltrated the UK Ministry of Defence
5.5.2016 Hacking
Pro-ISIS hackers belonging to the Islamic State Hacking Division group brag they have planted a mole at the heart of British Intelligence.
Last week pro-ISIS hacker group who is calling itself the Islamic State Hacking Division has published a “Kill list” of dozens of American military personnel purportedly involved in drone strikes against the IS in Syria and Iraq.
ISIS
The hackers leaked online personal details of more than 70 US personnel.
“Kill them wherever they are, knock on their doors and behead them, stab them, shoot them in the face or bomb them.”
The intelligence experts that analyzed the Kill list published by the Islamic State Hacking Division confirmed that its content has been gathered from publicly available sources and isn’t the result of any security breach.
The hackers of the Islamic State Hacking Division claimed to have infiltrated a mole in Britain’s Ministry of Defence and threatened to publish “secret intelligence” information.
“In our next leak we may even disclose secret intelligence the Islamic State has just received from a source the brothers in the UK have spent some time acquiring from the Ministry of Defence in London as we slowly and secretly infiltrate England and the USA online and off.” states a tweet published by the group.
“While we don’t comment on cyber threats, Britain is a world leader in cyber security and we are investing more than ever before in the UK’s capabilities to protect our national interest. Our increasing defence budget means that we can stay ahead of our adversaries in cyberspace while also investing in conventional capabilities.” said a Ministry of Defence spokesperson.
A Pentagon spokesperson, the major Adrian Rankine-Galloway, explained that the US intelligence is adopting the necessary measures to protect its staff.
“We are aware that Isil [Isis] and other terrorist organisations have periodically purported to release personal information on US service members and military members of our coalition partners involved in operations against Isil. We take proactive measures to protect our service members and their families and keep them apprised of changes to the security situation.” said major Adrian Rankine-Galloway. “We will not comment on the authenticity of the information in question, and this will have no effect on operations against Isil,”
According to the Sun, the Intelligence experts fear a possible attack against the UK, information circulating on the Internet reports the terror group could use Ireland as a base of operations to hit the Britain.
Members of the ISIS could launch plots against Britain exploiting lax border controls in Ireland, The Telegraph cited the declaration of an unnamed minister that confirmed it is easy to cross the border from the Republic.
Source The Mirror UK
“There is an issue to do with the open border because if you can get into southern Ireland you have got border-free access in to the UK.” explained the minister. “So someone could come from abroad or be radicalised in Ireland and move easily across the border in to the UK.”
272 Million login credentials found in the criminal underground
5.5.2016 Hacking
Hundreds of millions of hacked login credentials for email accounts and other websites are available in the Russian criminal underworld.
Security researchers at the Hold Security firm have discovered a young Russian hacker claiming to have acquired 1.17 billion stolen credential records.
Alex Hold, the founder and chief information security officer at Hold Security, explained he shocked when he verified that huge volume of stolen login credentials obtained by the hacker, is composed of more than 272.3 million stolen accounts.
The huge quantity of login credentials appears to be the cumulative results of many different security breaches.
The Reuters news agency discovered that the huge archive of stolen login credentials includes 57 million of mail.ru accounts.
“Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.” reported the Reuters. “The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.
The archive also includes tens of millions Yahoo Mail credentials, Microsoft Hotmail accounts, and Gmail email accounts.
“Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.”
A Microsoft spokesman confirmed the authenticity of the stolen login credentials, Yahoo and Google did not respond to requests for comment.
Thousands of credentials appear to belong employees of some of the largest US companies, including banks and retail firms.
The majority of stolen login credentials was already traded in the criminal underground, but 42.5 million credentials have not been seen in the underworld before.
“This kid from a small town in Russia,” writes Holden, “collected an incredible 1.17 Billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials – 15% of the total, that we have never seen before.”
This is one of the biggest stashes of stolen login credentials discovered in the recent years. On august 2014, experts at Hold Security discovered the biggest database of stolen user names and passwords and email addresses, the news was reported by The New York Times that hired an independent security expert who verified the authenticity of stolen data.
The U.S.-based Internet security company have discovered the amazing amount of data, nearly 1.2Billion credentials and half a billion email addresses, that is considered the single biggest amount of stolen Internet identity information ever collected. The experts believe that the data was collected from the numerous data breaches occurred all over the world in the last months and that hit around 420,000 websites.
Qatar National Bank Declares Systems ‘Fully Secure’ Sequel To Cyber-attack
4.5.2016 Hacking
Following the recent security breach suffered by the Qatar National Bank has assured that its systems are “fully secure”.
Sequel to a recent cyber-attack that led to a large chunk of files purportedly stolen from the financial institution’s systems being dumped online, Qatar National Bank has assured that its systems are “fully secure”.
The bank asserted in a statement published to its website on Sunday, that the said cyber-attack incident will have zilch financial impact on its customers.
The leaked data said to total about 1.5 Gigabyte, comprises about 15,000 files was dumped at Cryptome and other sources, and initially disseminated via Twitter employing several twitter accounts that tweeted a global-files.net link to news organizations, journalists amongst others. The data stored in folders, includes banking information such as: QNB user profiles, photographs, phone numbers, payment card details, email and physical addresses, banking information, payment card details, email addresses and passwords of clients. Some of the names are said to be linked to government organizations, including intelligence agencies, in Qatar and other countries. One of the folders contained information on media company ‘Al Jazeera’.
Qatar National Bank claims some of the leaked information was pulled from “non-QNB sources”. According to the bank, “while some of the data recently released in the public domain may be accurate, much of it was constructed and contains a mixture of information from the attack as well as other non-QNB sources, such as personal data from social media channels,” it’s statement read. The statement goes further to say, “we believe the nature of this incident is fundamentally an attempted attack on QNB Group’s reputation and not specifically targeted at our customers,”.
“All our customers’ accounts are secure, and as always, we encourage customers to be vigilant, taking the usual precautions of frequently changing their usernames and passwords through QNB Group internet banking.”
Qatar National Bank (QNB) was established in 1964 as the country’s first Qatari-owned commercial bank. The bank reported profits of about $787 million for the first quarter of year 2016.
This reported breach at Qatar National Bank (QNB) comes within weeks that Bangladesh’s central bank announced that cybercriminals stole over $100 million from one of its accounts at the Federal Reserve Bank of New York during a cyber-heist. Though the bank was able to recover some of the money, but $81 million that were transferred to the Philippines remain missing.
Experts at BAE Systems, a renowned British defense, security and aerospace firm revealed a while ago that the Bangladesh central bank cyber-attackers seem to have deployed custom-made malware which enabled them to channel fraudulent transfers without being spotted.
The aforementioned incidents underscore the global proliferation of cyber-attacks and the need for organizations to ramp up their cybersecurity measures. A cliché says there are two kinds of organizations – those cognizant they have been hacked and those that are yet to find out. Which category does your organization belong to?
Russian Hacker Who Stole From Banks Ordered to Pay $7 Million
3.5.2016 Hacking
A Russian man who spent about 3 years behind bars in the United States has been spared further prison time but ordered to pay $7 Million to cover damages he caused to banks using a vicious computer virus.
Nikita Vladimirovich Kuzmin was arrested in 2010 and imprisoned in August 2011 for developing a sophisticated computer malware called Gozi and infecting more than 1 million computers worldwide, causing tens of millions of dollars in losses.
Kuzmin was sentenced Monday to the 37 months he has already served in custody, and ordered to pay $7 Million that authorities have identified as the damages incurred by two banks, one located in the U.S. and the other in Europe, Reuters reported.
Kuzmin received a lighter sentence due to his "substantial assistance" in the investigation that resulted in the conviction of Latvian national Deniss Calovskis as well as the arrest of Romanian Mihai Ionut Paunescu, who is awaiting extradition to the United States.
However, prosecutors say the scale of Kuzmin crime is far bigger than the damages identified so far.
According to Prosecutor Nicole Friedlander, Kuzmin was motivated by greed and spent all the stolen money on luxury sports cars and "extravagant travel and entertainment in Europe and Russia."
Kuzmin and two others created and rented the Gozi malware out for $500 a week to cyber criminals who used the malware to steal tens of millions of dollars from bank accounts.
"In renting the malware to others, Kuzmin made it widely accessible to criminals, in other words, to criminals who do not or need not have sophisticated computer science skills like Kuzmin and his Gozi co-creators," U.S. Attorney Preet Bharara said. "From this perspective, Kuzmin's crime is particularly significant."
The malicious code allowed Kuzmin to control all the compromised computers remotely as a Botnet, enabling him to install additional code further on infected systems to steal data and access banks accounts.
The Gozi malware was first identified by security researchers in 2007. The virus infected a victim's computer through a document, like a PDF file, which looked normal but when opened installed Gozi on victim's computer to secretly collect user’s bank accounts details.
Security experts later discovered that the virus infected at least 40,000 computers in the United States, including more than 160 computers belonging to the National Aeronautics and Space Administration (NASA).
Gozi also infected computers in Germany, France, Poland, Italy, Turkey, Finland, and the United Kingdom.
Hackers can exploit flaws in Samsung Smart Home to access your house
3.5.2016 Vulnerebility Hacking
Security researchers have discovered multiple flaws in the Samsung Smart Home automation system that could be exploited by remote attackers.
Security researchers from the University of Michigan have discovered multiple flaws affecting the Samsung Smart Home automation system that could be exploited by remote attackers for several attacks, including making keys for connecting front door locks.
The experts evaluated the platform’s security design and coupled that with the analysis of 499 SmartThings apps (aka SmartApps) and 132 device handlers using static code analysis tools that we built.
SmartThings implement a privilege separation model, but two intrinsic design flaws lead to significant overprivilege in SmartApps.
The SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes.
“Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device.” the researchers wrote in a paper “Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes.”
In the second attack scenario, the researchers exploited a design flaw in the SmartThings framework by creating a proof-of-concept app that requested only privileges to monitor the battery reserves, but that in reality was able to steal the lock codes from the devices.
The experts devised several proof-of-concept exploits including the ones against the Samsung SmartThings IoT platform.
The exploits leverage on two design flaws in the SmartThings framework. The key findings of the analysis are:
“All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism,” added the researchers. “The attack vectors are not specific to a particular device and are broadly applicable.”
The researchers published the following proof-of-concept attacks:
secretly planted door lock codes;
stole existing door lock codes;
disabled vacation mode of the home;
trigger a fake fire alarm.
The most dangerous attack was dubbed by researchers “backdoor pin code injection attack,” it consists of a remote lock-picking attack that could give hackers access to users’ homes.
The attacked can send to the victim a specifically crafted HTTPS link in order to obtain the OAuth token that the app and SmartThings platform relied on to authenticate the users.
When the victim provided his credentials, a flaw in the app allowed the link to redirect them to a website managed by the hackers, the attackers operate on behalf of the victim.So far, Samsung has provided no details on plans to fix it.
At the time I was writing, Samsung hasn’t planned yet to fix the issues in the Smart Home automation system.
Anyway, users should think twice before connecting critical components to such kind of platforms.
Car Hackers Could Face Life In Prison. That's Insane!
2.5.2016 Hacking
Yes, you heard it right.
You can now end up your whole life behind bars if you intentionally hack into a vehicle's electronic system or exploit its internal flaws.
Car Hacking is a hot topic. Today, many automobiles companies are offering cars that run mostly on the drive-by-wire system, which means the majority of functions are electronically controlled, from instrument cluster to steering, brakes, and accelerator.
No doubt these auto-control electronic systems improve your driving experience, but at the same time also increase the risk of getting hacked.
Previous research demonstrated hackers capabilities to hijack a car remotely and control its steering, brakes and transmission, and to disable car's crucial functions like airbags by exploiting security bugs affecting significant automobiles.
Messing with Cars can Cost You
Keeping these risks in mind, the Michigan state Senate has proposed two bills which, if passed into law, will introduce life sentences in prison for people who hack into cars’ electronic systems.
These are the first of several legislations on car hacking that the Michigan Senate is taking up, according to reports by Automotive News.
If it becomes law, the bills will be a felony for a person to "intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, impair, damage, alter or gain unauthorized control of the motor vehicle."
The move comes over a month after the Federal Bureau of Investigation issued a public service announcement to warn people about the dangers of car hacking.
Though the proposed bills are an attempt to shorten the risks of digital attacks on connected vehicles, it could discourage security researchers and white hat hackers from finding potentially critical vulnerabilities in vehicle systems.
The proposal, Senate Bills 927 and 928, has been sent to the Senate's judiciary committee. Sen. Mike Kowall, the prime sponsor of the bills, said that the idea here is to be proactive on the car hacking issues and "try to keep up with technology," instead of waiting for something bad to happen.
"I hope that we never have to use it," Kowall said. "That is why the penalties are what they are. The potential for severe injury and death are pretty high."
The recall of 1.4 million Fiat Chrysler car models in 2015 proved that car hacking is real and worse than any major hacking theft targeting banks or financial institution, because:
The money could be recovered, but not the Lives.
Doubts about a draft anti car hacking law
2.5.2016 Hacking
Doubts about a couple of draft anti car hacking laws, they could create serious problems with innocent drivers and cyber security experts.
Car hacking is a scaring reality, modern vehicles use a huge quantity of connected components that could be easily compromised knowing the communication protocol used by principal vendors.
The interest in car hacking gained a high profile last summer when the popular hackers Miller and Valasek hackers remotely hacked a Jeep Cherokee SUV on a St. Louis highway on behalf of the Wired magazine. The hackers exploited security vulnerabilities in the wireless vehicle systems that automakers hope eventually will allow vehicles to communicate with each other.
The car vendor recalled 1.4 million vehicles for a software upgrade after the security duo disclosed the results of their experiment.
Two state senators in Michigan, Mike Kowall (R-White Lake) and Ken Horn (R-Frankenmuth), have proposed a law framework (SENATE BILL No. 927, SENATE BILL No. 928) that addresses car hacking with laws that promise life imprisonment for hackers.
Ironically also security researchers that investigate car hacking techniques stand outlaw.
The two draft bills state that anyone who repeatedly attempts to “intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle,” is committing a crime and risks the jail.
“I hope that we never have to use it,” said Kowall. “That’s why the penalties are what they are. The potential for severe injury and death are pretty high.”
Charlie Miller expressed his doubts about the new law and highlighted the problems it would cause to the security community.
The law forbids any manipulation of car firmware, even by the car owners.
There is no doubt about the necessity to carefully address cyber security issues in the automotive industry, but let me hope that in the future the experts from the cyber security industry will work together to approach the technical aspects of a law framework that will cover the car hacking.
Canadian Gold-Mining firm Goldcorp hacked
2.5.2016 Hacking
Canadian Gold-Mining Company Goldcorp suffered a major data breach, 14.8 GB Data Stolen, the hackers plan to release more data dumps soon.
The Canadian gold-mining firm Goldcorp suffered a major data breach, attackers have stolen online a 14.8 GB archive.
The archive includes company’s employees’ data (career data, titles, email addresses, location information, private telephone number, work phone number, compensation rates of 2014), the hackers leaked online sample data by publishing a document on Pastebin and a URL address to a full torrent download.
The archive also includes 2016 budget information and international contacts, network information, and recovery processes.
According to the hackers the data dump includes the following info:
T4’s, W2’s, other payroll information
Contract agreements with other companies
Bank accounts, wire transfers, marketable securities
Budget documents from 2012 – 2016
Employee network information, logins/passwords
International contact list
IT Procedures, Disaster Recover, VMWare recovery procedures
Employee passport scans.
Progress reports
SAP Data
Treasury reports
According to The Daily Dot, the data appear authentic and the archive contains most, if not all, of the above records.
“The Daily Dot was able to verify that the names and titles correspond with current employees of Goldcorp. A PDF included in the dump shows the expired passport of a Goldcorp executive. The name and photo on the passport correspond with the man’s LinkedIn profile.” states the article published by the The Daily Dot.
The Daily Dot contacted Goldcorp to report the alleged data breach and an employee of the company said they were already aware of the incident.
“Goldcorp confirmed today that the company’s network has been compromised and is working to determine the full scope and impact of the incident. The appropriate authorities have been notified,” a Goldcorp spokesperson said in an email to the Daily Dot. “The company’s internal IT security team has been working with leading independent IT security firms to rapidly gather facts, provide information to affected employees and ensure a robust action plan is in place, including immediate preventative modifications to its IT processes and increased network security protocols.”
The hackers plan to release more dumps in the incoming days as reported in the message published on PasteBit.
“[S]everal more data dumps are being prepared. [T]he next dump will include 14 months of company-wide emails, emails containing some good old fashion corporate racism, sexism, and greed.”
Did you buy on AlphaBay?Someone may have accessed your info
1.5.2016 Hacking
A security vulnerability in AlphaBay, one the most popular black markets, could expose private messages and data of its users.
One of the most popular black marketplaces, the AlphaBay, is affected by a serious flaw that could expose the private messages of its users. One year ago the operators behind the black market launched a fully automatic credit card shop and enforced two-factor authentication for all its sellers.
Last week, AlphaBay launched an API that allows its users to pull details from their accounts without logging. Unfortunately, the mechanism was affected by a serious issue that allowed an attacker to obtain the private messages of any user.
The access to private messages could reveal sensitive information sales and negotiations conducted by users, in some cases might provide details for their identification.
The alarm was triggered by a user on Reddit that reported the dangerous bug, he also published several messages sent by AlphaBay users.
The new API feature allows to fully control their messages, check their balance, withdraw funds, and check their orders and sales.
The user also claimed to have had access to the physical address of same users from the messages because they hadn’t encrypted the messages.
“So I enabled the API and turns out when I query my messages I get someone else’s in return, mixed with my own messages,” stated the user.
“congrats for finding the messages bug. you can view messages of any user by just changing the message id. if they don’t fix this quick enough i could just scrape every PM” was the reply of another Reddit user.
“Only the minority of messages are encrypted with PGP. This is the reason you ALWAYS encrypt all comms with a vendor, because of stuff like this,” aboutthednm wrote, adding that he had also seen moderator communications.
In order to access the messages the attacker has to enable API on his account, use the API to retrieve the PrivateMessaage and simply change the message id, as reported below:
/api.php?apikey=ENTER_YOUR_API_KEY_HERE&module=messages&id=ENTER_ANY_NUMBER_TO_VIEW_USERS_MESSAGES
The Reddit user alphabaysupport confirmed the existence of the security issue and user that has discovered the bug will be awarded for its discovery.
“Sorry to break the party, the vulnerability has been patched. Only conversations from 1 to 13,500 (out of 1,067,682) were read, which is around 1.5%, and were all over a year old,” the account wrote. “This was indeed a serious problem, but got caught on time.” (Some message IDs in the screenshots posted by aboutthednm go far beyond that number, such as 77,232, and the user said that message ID 1,067,440 was the latest that they got to download.)”
Joseph Cox from MotherBoard obtained further information from an AlphaBay manager on encrypted chat. The manager of the black market confirmed that a single API key was used to scrape the data. Likely only 1 or 2 people have accessed the data.
The manager explained that only old messages were accessed by the people. Others are concerned that law enforcement may have quickly exploited the vulnerability to access a wealth of messages.
What about the law enforcement has exploited the bug?
Hacker HighSchool for teens: talking with Pete Herzog
1.5.2016 Hacking
An interview with Pete Herzog, the co-founder and Managing Director of ISECOM, about the Hacker Highschool (HHS) initiative.
Today’s teens are in a world with major communication and productivity channels open to them and they don’t have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the main reason for Hacker Highschool (HHS).
Hacker Highschool
The school is an ever-growing collection of lessons written to the teen audience and covering specific subjects that are timely, interesting, and important for teens. In Hacker Highschool you will find lessons on utilizing Internet resources safely such as web privacy, chat, mobile computing, and social networks. Each Hacker Highschool lesson is designed as self-contained learning, no teacher required. Why? Because hacking is about discovery and that needs to be learned, not taught. The lessons are all technically correct, promote good moral behavior, resourcefulness, technical know-how, and empathy. All lessons work with a free “live
Why? Because hacking is about discovery and that needs to be learned, not taught. The lessons are all technically correct, promote good moral behavior, resourcefulness, technical know-how, and empathy.
All lessons work with a free “live linux” CD which will boot off any PC with a CD-rom drive to perform the lessons. HHS is a great supplement to student course work or as part of after-school and club activities.
But what about the projects and the aim of it? I’ve been talking with Pete Herzog, who is the co-founder and Managing Director of ISECOM, a security research non-profit focused on innovation. In 2003, Mr. Herzog co-founded the Hacker Highschool project to create open source lessons in security awareness and the hacker spirit of resourcefulness and self-teaching to teens. Besides being the first cybersecurity curriculum for teens, it’s also the first to focus on the psychology of how teens think and learn to be most effective. Currently, HHS is in its second release cycle, can be found in many repositories across the Internet, and is downloaded about 250.000 times a month. Pete is also noted speaker and writer on trust, security, and hacking and provides security coaching for various types of clients to help them learn how to make their products, services, and lives more secure.
Do you can use and explain with 3 keywords to describe who is a hacker?
A hacker is resourceful, curious, and always learning. Hacking is a method of problem solving that combines resourcefulness, logic, creativity, and study. Hacker Highschool helps teens learn hacking as a method to figure out how things work (such as with the Scientific Method) and to further learn by doing. Hacking is usefully applied in nearly all fields as it builds upon what is known to create new things, foods, designs, etc. When applied to computers and networks, it also teaches safety and security in a world quickly drowning in information where to be safer teens today need to know the facts from the fraud, the real from the fake, and the bad from the good.
How and when is the idea of school born? Which is the main mission and strategy?
I have to say it’s SCARY how companies are abusing young children as part of the public that they encourage and trick into uploading more and more of their private lives to become part of the marketing and consumer machine. Combine that with online predators and criminals and you quickly see that kids are not using technology- they are being USED by it. And unfortunately, the parents and teachers who are to keep them safe are either in the same trouble or clueless what to do. So the only realistic way to handle this is to unleash the curiosity and daring that all teens have so they can protect themselves. And that is our mission. We started the school in 2003 when I realized that when teaching the OPST (www.opst.org) for a couple of years that college students did better than seasoned security professionals on the hands-on exams. We realized it was because college students didn’t have to unlearn many bad habits that the professionals had which gave them more time to practice. So we knew if we could reach young people before they could learn any bad security habits then they could really learn to protect themselves online. That’s how we knew Hacker Highschool had to be more than teaching cybersecurity, it had to make sure that young people had the right set of skills to take advantage of all that technology without themselves being used by it. It just so happens these are also skills needed today to be great cybersecurity professionals, ensuring them a safe future in whatever they do.
In your opinion which kind of skills need to be developed and implement in the security sector to protect us from cyber criminals?
There are too many parrots and not enough pirates in security. That means we need those willing to do the work to be secure and not the ones who will repeat what somebody else wrote on a checklist. This “parroting” happens because without the fundamentals, security seems really impossible. But since there’s a misunderstanding of what the fundamentals are in cyber security, people are just getting the wrong information. It’s not about what products you need to use or even what checklist you need to follow which, sadly, you can get a degree or certified on all levels for both of those. Because that won’t make you secure. People need to understand where security comes from, know how to analyze an attack surface and how to match the right security controls to the right interactions. Those are the fundamentals and will make you secure.
In particular, what can we say about the next generations of cybersecurity experts and fighters considering that everybody says that there is a big lack of competence and specialized figures and experts?
Some industry groups have decided that cybersecurity was a specific profession which meant suddenly we could count the number of people graduating with cybersecurity degrees and getting specific cybersecurity certifications. Which also meant, since had hadn’t previously existed before, suddenly we don’t have enough of them! But is that really true or just how what we’re counting them? Ask yourself where did the first ones come from then, the ones who are teaching the cybersecurity professionals before we had anyone called cybersecurity professionals? They were people who learned IT and understood the security fundamentals. My point is that we don’t need more cybersecurity experts, just more experts who can apply the security fundamentals in their chosen field of expertise.
What about the future of the project and the goals to achieve your mission?
Our organization ISECOM was founded on open source and so for us it was an obvious choice to continue Hacker Highschool in this way. Information sharing is a cornerstone of education and progress, we assure that the information is always freely available for those who want to grab it and read it. Then in order to pay for the project we re-package the information in other ways like books, seminars, and videos which we then sell. This assures we can keep the project alive and improving while also assuring that the next generations we reach will be empowered to keep themselves and the rest of us safe. Currently, the lessons are written by a small, core group and edited by an even smaller group. Sometimes we get bodies of original security writing donated to us by the author who allows us to re-purpose it into the lessons. Translations are handled by volunteers and managed by the core group. We do not keep data on who are using the lessons or where. We have some anecdotal evidence from people who contact us and say they used it or they heard of it being used somewhere. What’s important is that people know it’s there, free, and open-source for anyone to use.
Last year we came a few weeks away from shutting down the project due to lack of money and capable volunteers. But we really didn’t want it to close. So instead we re-invested heavily in it again from our own pockets to try to make it fully sustainable with www.isecomacademy.com which brings high-quality videos of the lessons to classrooms and home schoolers around the world.
Analyzing Cyber Capabilities of the ISIS
30.4.2016 Hacking
The data intelligence firm Flashpoint has published an interesting report that explore the cyber capabilities of the ISIS radical group.
In the last days of April, Flashpoint a global leader in Deep and Dark Web data and intelligence published a report that is dedicated to the analysis of cyber capabilities of the ISIS with the title of “Hacking for ISIS: The Emergent Cyber Threat Landscape.“
ISIS cyber capabilities report
Hacking attacks in support of the Islamic State have piqued the attention of the world and escalate the publicity of the terror group. In spite of the launched hacking attacks, the overall capabilities are neither advanced nor do they demonstrate sophisticated targeting.
During the past two years that ISIS has been growing, at least five different pro-ISIS hacking group launched cyber-attacks in favor of the Islamic State.
According to techworm, on April 4, 2016, Cyber Caliphate Army (CCA), ISIS’s main hacking unit, and other pro-ISIS groups like the Sons Caliphate Army (SCA) and Kalacnikov.TN (KTN) merged and formed The United Cyber Caliphate (UCC). These pro-ISIS activities are still poorly organized and likely under-resourced and have not been neither officially acknowledged nor claimed by ISIS itself.
Most of the claimed attacks by the pro-ISIS hackers are beginner level and opportunistic such as exploiting known vulnerabilities to compromise websites. These pro-ISIS actors have launched attacks chiefly on government, banking, and media targets, so far, but researchers at Flashpoint expect as growing to maturity, they keep targeting financial institution.
The IS is not explicitly attempted to recruit sophisticated hackers, but its followers can broaden their knowledge and skills through hacking courses, tools, and guidance available in Deep & Dark Web forums. Pro-ISIS cyber actors are likely to download hacking tools from publicly available sources while also utilizing both off-the-shelf and custom malware.
On Monday, the UCC published a new kill list featuring 43 names linked to the U.S. State Department, the DHS, and other federal agencies on the messaging app Telegram, Vocativ reported.
Whilst the current cyber capabilities of the IS are not sophisticated, it won’t remain the same and could change quickly. “There is clear evidence that they are growing in number, coalescing in rank, and zooming in on American and other Western targets,” Alkhouri told SecurityWeek.
The report published by Flashpoint can be downloaded from their website through the link below:
https://www.flashpoint-intel.com/home/assets/Media/Flashpoint_HackingForISIS_April2016.pdf
US Supreme court allows FBI hacking computers located worldwide
29.4.2016 Hacking
The US Supreme Court has approved amendments to Rule 41 that allows judges issue search warrants for hack into computers located worldwide.
The US Supreme Court has approved amendments to Rule 41, which now let U.S. judges issue search warrants for hacking into computers located also outside their jurisdiction.
Under the original Rule 41, a judge can only authorize the FBI to hack into computers in the same jurisdiction.
The rule change was approved despite the opposition from civil liberties groups such as the American Civil Liberties Union and Access Now, it is curious that the U.S. Justice Department has described the modification as a minor change.
A U.S. Justice Department spokesman clarified that the change did not authorize any new authorities not already permitted by law.
U.S. Chief Justice John Roberts transmitted the rules to Congress that can decide to apply modifications or totally reject it until December 1st. If the Congress doesn’t express any judgment of the rules, they would take effect automatically.
The U.S. Justice Department explained that the changes have been introduced to modernize the criminal code for the digital age as reported by the Reuters.
“The U.S. Justice Department, which has pushed for the rule change since 2013, has described it as a minor modification needed to modernize the criminal code for the digital age, and has said it would not permit searches or seizures that are not already legal.” states the Reuters.
Clearly the new Rules expand the Federal Bureau of Investigation’s ability to conduct hacking campaigns on computer systems located everywhere in the world.
Rule 41 google fbi 2
We have to consider that unfortunately the Congress rarely has rejected amendments to the rules.
According to the Democratic Senator Ron Wyden of Oregon, the modification to the rule will have “significant consequences for Americans’ privacy.”
“Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime,” Wyden said.
A Justice Department spokesman confirmed that the new rules are the response of the authorities to the increasingly use of “anonymizing” technologies made by threat actors.
Just yesterday we discussed a revelation emerged in an investigation conducted by the Daily Dot related to the development of a custom malware to unmask Tor users.
According to the Daily Dot, Matt Edman is the cyber security expert and former employee of the Tor Project that helped the FBI to hack and de-anonymize Tor users in several court cases, including the clamorous Operation Torpedo and Silk Road.users.
U.S. Supreme Court allows the FBI to Hack any Computer in the World
29.4.2016 Hacking
The US Supreme Court has approved amendments to Rule 41, which now gives judges the authority to issue search warrants, not only for computers located in their jurisdiction but also outside their jurisdiction.
Under the original Rule 41, let’s say, a New York judge can only authorize the FBI to hack into a suspect's computer in New York.
But the amended rule would now make it easier for the FBI to hack into any computer or network, literally anywhere in the world.
The Federal Bureau of Investigation (FBI) can now Hack your computers anywhere, anytime.
The FBI appeared to have been granted powers to hack any computer legally across the country, and perhaps anywhere in the world, with just a single search warrant authorized by any United States judge.
The U.S. Supreme Court approved yesterday a change in Rule 41 of the Federal Rules of Criminal Procedure that would let U.S. judges issue warrants for remote access to electronic devices outside their jurisdiction.
"These amendments will have significant consequences for Americans' privacy and the scope of the government's powers to conduct remote surveillance and searches of electronic devices," Democratic Senator Ron Wyden of Oregon said in a statement Thursday.
"Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of cybercrime."
If Congress doesn't act, the changes to the Rule 41 will take immediate effect in December despite opposition from technology giants and civil liberties groups who believes the changes would expand the FBI's power to conduct mass hacks on computer networks.
The tech giants and civil liberties groups like the American Civil Liberties Union (ACLU) say the change also could run afoul of the American Constitution's protections against inappropriate searches and seizures.
However, while proposing the rule change in 2014, the U.S. Department of Justice described it as a small modification required to modernize the criminal code for the digital age, saying the changes wouldn't permit searches that aren't already legal.
The FBI Now Can Legally Hack TOR Users
Previously, under the Rule 41, magistrate judges could not approve search warrants to remotely hack or access computers outside their jurisdiction.
But with the rule change, magistrate judges could now issue orders to search or seize computers and electronic devices outside their local authority if the target's location is unknown or if the target is using anonymity software like TOR.
More than a Million of Internet users make use of TOR anonymity software to browse the Web just to hide their actual identity for entirely legitimate reasons, in addition to criminals who use TOR to hide their locations.
Recently, the court threw out evidence that the FBI brought by hacking the members of the child pornography site PlayPen on the TOR network using its so-called Network Investigative Technique (NIT), explaining the feds violated Rule 41's territorial restrictions.
This rule change would prevent something like that from happening, opening doors for the FBI to legally hack any computer in any country.
The Congress has time until 1 December 2016 to reject changes or make more changes to Rule 41, after which the amended version of the rule will take effect.
PLATINUM Hackers Hijack Windows Hotpatching to Stay Hidden
28.4.2016 Hacking
The Microsoft’s Windows Defender Advanced Threat Hunting team detected that a cyber espionage group of hackers, known as PLATINUM, has found a way to turn the Windows's Hotpatching technique (a way of updating the operating system without requiring a restart) to hide its malware from Antivirus products.
PLATINUM group has been active since 2009 and launching large-scale attacks against governmental organizations, intelligence agencies, defense institutes and telecommunication providers in South and Southeast Asia.
Practically speaking, the most important thing for a sophisticated APT hacker and a cyber-espionage group is to remain undetected for the longest possible period.
Well, that's exactly what an APT (Advanced Persistent Threat) group has achieved.
The Microsoft’s Windows Defender Advanced Threat Hunting team has discovered that an APT group, dubbed Platinum, has been spying on high-profile targets by abusing a "novel" technique called Hotpatching.
Introduced in Windows Server 2003, the Hotpatching feature allows Microsoft to upgrade applications or the operating system in the running system without having to reboot the computer by inserting the new, updated code into a server.
The Platinum hacking group has often used the spear-phishing technique to penetrate initially the targeted networks, used numerous zero-day vulnerabilities in attacks, and has taken many efforts to hide its attacks.
The latest report released by Microsoft said the Platinum group abused the Windows’ hotpatching feature, allowing it to inject malicious code into running processes without having to reboot the server and then later hide backdoors and other malware from installed antivirus solution.
"If the tool fails to inject code using hot patching, it reverts to attempting the other more common code injection techniques into common Windows processes, primarily targeting winlogon.exe, lsass.exe, and svchost.exe," Microsoft said in its report.
The hotpatching technique works against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7. Platinum abused the technique in real-world attacks to hide its efforts from analysis.
The group has been using the Hotpatching technique to install the Dipsing, Adbupd and JPIN backdoors on networks belonging to governmental organizations, including defense organizations, intelligence agencies, diplomats and Internet Service Providers (ISPs) and then to steal sensitive data.
The goal of the attacks doesn’t appear to have been immediate financial gain; rather the Platinum APT group is up to a broader economic espionage campaign using stolen information.
The group has been targeting countries in South and Southeast Asia since at least 2009, with Malaysia being its biggest victim, following Indonesia, China, and India.
Though the Platinum group is still active, there is still a way for organizations and companies to avoid infection.
Microsoft's security experts explain that the hotpatching technique requires admin-level permissions, so the threat actors are sending spear-phishing emails that come with boobytrapped Office documents to infect each target.
Garage4hackers – An open Information Security Community. w00t! w00t!
26.4.2016 Hacking
Who are we?
Garage4hackers is one of the oldest open information security community for Information Security enthusiast and aspirants on the internet. We started off as an Orkut Community “Hackers Garage” back in 2007 and today we have more than 6K members sharing knowledge across various fields of infosec.
“Our mission is to spread Infosec education for free to the masses.”
We connect newbies, security researchers, Experts, and evangelist. Every member of our community is highly interactive, approachable and ensures helping other information security aspirants by providing viable resources, spreading best security practices and promoting research-based activities.
Knowledge sharing is unlimited among all our members and therefore we end up discussing on a wide range of Information Security topics which includes Vulnerability Assessment and Penetration Testing of Web Application, Mobile Application, Wireless and Bluetooth hacking, Computer Forensics and Incident Handling, Physical Security and Social Engineering, Cloud Security and sometimes, Meanest hack, Exploitation techniques, Browser fuzzing, Botnet, Malware and Root-kits Analysis, Reverse Engineering and much more.
Some of our achievements.
We are Family of around 6k+ users, 8k+ posts with more than 32k unique visitors on our forum. More than 20k viewers on YouTube from 20+ countries. Our core member had reported 40+ Best Bug Bounty to vendors including Google, Facebook, Yahoo and so on. 30+ CVE’s for web browsers such as Chrome, Internet Explorer, Firefox & Safari. We do Information Security research on unique areas such as Biometric Systems, Physical Locks, Cable TV Networks, Data-cards, Drones, Threat detection using Cloud-based Machine Learning Technology and so on. We believe in the open source culture and some of our core members had contributed towards the open source community, The project list follows :
SHIVA : Spam Honeypot with Intelligent Virtual Analyzer.
Sandy : Opensource Exploit Analysis Framework.
lisa.py : An Exploit Dev Swiss Army Knife.
We build our own tools and scripts for various testing techniques and vulnerability exploitation. We release them on our garage for free.
Garage4hackers Initiatives.
Ranchoddas Webcast Series.
Ranchoddas webcast is dedicated to bringing together the best in Information Security Research and Infosec enthusiasts. Each of our webcast includes high-level industry speakers and researchers speaking on latest cutting edge topics. This initiative aims to provide knowledge and relevant advice which our viewers can take away and implement in the workplace for further personal development. Our webcasts are absolutely free and open to all. Our aim is to make knowledge free to use, reuse or redistribute without any restriction. Below are some of our webcast conducted in the past.
Browser Crash/Exploit Analysis by David Rude II
Powershell for post exploitation by Nikhil Mittal
Reverse Engineering by Gynvael Coldwind
Breaking PHP-based Cross-Site Scripting Protection Mechanisms In The Wild by Ashar Javed
In the DOM- no one will hear you scream By Mario Heiderich
Demystifying SSRF/XSPA Vulnerabilities by Riyaz Walikar
Shellcodes for ARM: Your Pills Don’t Work on Me, x86 by Svetlana Gaivoronski
Cooking an APT in a paranoid way by Lorenzo Martínez
Drive It Like You Hacked It by Samy Kamkar
Automated Mobile Application Security by Ajin Abraham
Register now! for our upcoming webcast on Bypassing Modern WAF’s Exemplified At XSS by Rafay Baloch
Question & Answers portal.
Your security audit issues! Having any problem understanding a malware or detecting it! or Vulnerability you are not able to understand or any type of security-related problems put it on the board for the discussion among like-minded professionals.
Q&A portal for the open discussion and sharing of ideas and problems arising in accomplishing those ideas.
Not only limited to this, This portal can help bridge the gap for the curious security professionals across the industry and provide them with an open discussion platform to seek solutions specific to their problems arising while performing any type of information security research.
Join our Open Question and Answer community.
Garage4hackers relief donation
Kashmir Flood Relief donation.
In September 2014 Kashmir, India was hit by a severe flood. The death toll rose to 200+. Huge damage was done to the state. One of our Garage member Rashid Bhat is from Kashmir, India. We were able to raise Rs. 1 Lac from our Members. The money we had raised were used to buy Medicines, Blankets, Food and other emergency amenities. Rashid himself had gone to Kashmir with the aids. Garage4hackers had then started a new challenge for the hacker community wherein they would participate in bug bounty program and donate that money for relief program. We got an overwhelming response from the community.
Chennai Flood Relief donation.
In December 2015 Chennai, India received heavy rainfall over a huge period of time resulted in a flood. Thousands of residents were fleeing out of the city. A lot of people had lost their home & means of livelihood. We were again successful in collecting relief funds. Garage4hackers member Eberly and Amol personally went to Chennai to deliver the relief materials collected.
Join us in our mission to hack to secure and spread free Information Security knowledge across the globe.
Facebook : https://www.facebook.com/Garage4Hackers
Twitter : @garage4hackers
Youtube : https://www.youtube.com/channel/UCDqagqREZlmJitWco-yPtvw
MongoDB DB containing 93.4 million Mexican voter records open online
23.4.2016 Hacking
The security expert Chris Vickery discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
Once again a MongoDB poorly configurated exposed million records, once again data of voters are left accessible online. This time, the popular researcher Chris Vickery has discovered on Amazon’s AWS online a 132 GB database containing 93.4 million Mexican voter records. The archive went online for at least eight days after Vickery discovered it.
The bad news is that the database was set for a public access since September 2015.
Another element to consider is that Under Mexican law, voters’ data are classified as “strictly confidential” and their unauthorized extraction could be punished with a penalty of up to 12 years in prison.
Vickery, who worked with Salted Hash and Databreaches.net, discovered the MongoDB archive on April 14, but as he explained, it was difficult to track down the responsible for the accidental leaks despite he reported the issue to the U.S. State Department and to the Mexican Embassy.
“There was no password or authentication of any sort required. It was configured purely for public access. Why? I have no clue.” states the post published by Chris Vickery.
“After reporting the situation to the US State Department, DHS, the Mexican Embassy in Washington, the Mexican Instituto Nacional Electoral (INE), and Amazon, the database was finally taken offline April 22nd, 2016.”
Giving a close look at the records in the archive, the expert discovered it contains all of the information that Mexican citizens need for their government-issued photo IDs that allow them to vote.
The records include the voter’s name, home address, birthdate, national identification numbers, and other info.
The Mexican Elections Commissioner has confirmed the authenticity of the information included in the archive.
Despite the database was pulled offline earlier this morning, it isn’t clear who accessed it.
“The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” said Vickery.
The last time data was available online it was in the hands of a US company.
“Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” said Vickery.
Vickery explained that in 2003, data broker ChoicePoint was commissioned by the U.S. government to obtain more than 65 million records on registered Mexican voters, and six million drivers in Mexico City.
Healthcare Industry Tops List of Hacker Targets: More than 100 Million Medical Records Compromised in 2015
21.4.2016 Hacking
According to a research conducted by IBM the healthcare industry was a privileged target of cybercriminals last year, more than 100M Records Compromised.
The healthcare industry was the number one target of cybercriminals in 2015, new research indicates. Previously, the banking industry held the top position.
In 2015, more than 100 million healthcare records were compromised, according to IBM’s “2016 Cyber Security Intelligence Index.” It is based on data collected between January 1, 2015 and December 13, 2015 and from more than 8,000 client devices in over 100 countries.
The Independent reports that “five of the eight largest healthcare security breaches since the beginning of 2010, with more than one million records compromised, took place during the first six month of 2015.”
Healthcare records are a veritable jackpot for cybercriminals, providing them access to credit card data, Social Security numbers, employment information and medical history records. These can be used in the commission of fraud and identity theft. The following is just one example of the impact of medical records having been hacked:
“Martin Borrett, CTO IBM Security Europe, explained how much damage stolen health data can cause and why it is such a target for theft.
‘We had a situation with a colleague from IBM in the US. John Kuhn, a senior security threat researcher, had to show hospital staff his stomach to prove he did not have a scar from the surgery they had charged him for.
John’s medical records had been stolen, and sold to someone else who had used them to have the surgery, leaving him with a $20,000 bill.’”
Another disturbing element of the findings for 2015 is that approximately 60 per cent of cyber-attacks were conducted by “insiders.”
The top five industries targeted by hackers:
Healthcare
Manufacturing
Financial Services
Government
Transportation
Healthcare Industry MedicalData-breach
Ransomware attacks on hospitals have been in the news frequently of late, having occurred in California, Indiana, Kentucky, and Maryland. Because of the nature of the business of hospitals, hospital personnel is coerced into a rushed decision-making process in order to recover their systems and avoid disruption of patient care.
Why has healthcare become such an appealing target?
Healthcare has never been a secure industry. With the onset of health information technology, many new vendors neglected taking security measures so that they could launch their products as quickly as possible. Subsequently, burgeoning digital healthcare institutions were left vulnerable to cyberattacks.
Lives are at stake. Ransomware has been effective for cybercriminals because healthcare is time-sensitive. It is often not feasible for healthcare practitioners and patients to wait until a solution can be found that would allow them to avoid paying the ransom.
Healthcare data is lucrative. Social Security numbers, medical histories, insurance provider information, patient medications and other data can yield large profits for cybercriminals.
Application-heavy environments are ripe for attacks. “This in itself is not a security risk or problem, but more diverse systems … [may] require them to use old systems,” says Mike Hanley, director of Duo Labs.
The healthcare industry continues to use out-of-date, legacy systems. Eighty-two percent persist in using obsolete technology, including unsupported versions of Internet Explorer.
Relating computer security to the health-conscious practices healthcare providers have in place, Hanley said: “[It’s about] getting back to the basics, user education, security hygiene.”
Anonymous presented OnionIRC, a chat service in the Dark Web
20.4.2016 Hacking
Anonymous announced OnionIRC, a new chatroom in the DarkWeb dedicated to teaching hacking and coding techniques and encryption mechanisms.
Anonymous, the most popular collective of hacktivists, has announced a new chatroom in the DarkWeb dedicated to teaching its sympathizers hacking and coding techniques and encryption mechanisms.
Anonymous used one of its Twitter accounts to spread the news, the chat service, named as OnionIRCm is hosted on the TorNetwork. Anyone that wants to get in touch with Anonymous members could access it.
Anonymous also published a video on YouTube announcing the chatroom and the service it offers.
In a video posted online, the group outlined the intentions of the chatroom.
“The OnionIRC is designed to allow for full anonymity and we welcome all to use it as a hub for all Anonymous operations, general free speech or any project or group concerned about privacy and looking to build a strong community,” stated the computerised voice now typical of Anonymous video messages.
“We also intend to strengthen our ranks and arm the current and coming generations of internet activists with education. Our plan is to provide classrooms where, on a scheduled basis, ‘teachers’ can give lessons on any number of subjects. This includes but is not limited to: security culture, various hacking tutorials, history lessons and promoting how to properly utilise encryption and anonymity software.”
The colleagues at HackRead first reported the Anonymous OnionIRC service and verified that it is still a project in its infancy that needs to be improved, and that has even scanty following.
“Just a few hours later, we checked the new service from Anonymous and to our amusement, there were only 20 people present in the room and out of the 20 just 3 to 4 users had an idea about the new service or even Anon ops. So uninformed were these clueless users in the chat room that they were learning about newly heard terms such as hacking.” states HackRead.
“The organizer, however, tried his best to teach them as comprehensively as possible. The organizer, appearing in the chat room as “Butts,” stated in an open chat session this Tuesday that:
“I wouldn’t expect there to be any planned lessons taught for a bit here.Things are just starting off and we want to see how things go for a bit, hopefully, build a bit of a user base, and then we’ll kick it off with some awesome in-house presentations.””
Internet users that want to access it can follow the procedere available on this link, it is very easy to access, users just need the IRC Client Hexchat and the Tor Browser.
Hackers spied on a US Congressman’s communication abusing the SS7 protocol
19.4.2016 Hacking
Security experts eavesdropped and geographic tracked a US Congressman only using his phone number by abusing the SS7 protocol.
Hackers eavesdropped and geographic tracked a US Congressman only using his phone number. Security experts will be no surprised, I wrote many articles on the topic explaining that security flaws in the SS7 protocol could be exploited by an attacker to spy on private phone calls, record them and monitor target’s movements.
In this case, the activity was authorized by the US Representative Ted Lieu in order to demonstrate how much we are vulnerable. The findings were shared by a broadcast Sunday night by 60 Minutes.
Once again the name of the German security expert Karsten Nohl is in the headlines, he is the hacker that was able to record any call made to or from the mobile device used by the US Representative and to track his location in real-time.
“First it’s really creepy,” the US Representative said. “And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank.”
While SR Labs had permission to carry out the surveillance, there’s nothing stopping malicious hackers from doing the same thing.
Also in this case, the hackers exploited the SS7 protocol, aka Signalling System No. 7.
SS7 is a set of protocols used in telecommunications ever since the late 1970s, enabling smooth transportation of data without any breaches.
Exactly one year ago, Channel Nine’s 60 Minutes has revealed the existence of a security hole in modern telecommunication systems that could be exploited by cyber criminals to listen in on phone conversations and read text messages.
The program explained that Nohl’s team, who is based in Berlin, were able to intercept data and geo-track every mobile user by exploiting a flaw in the SS7 signalling system.
The security issue in the SS7 signaling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers, this means that exploiting the SS7 a carrier is able to discover the position of its customer everywhere he is.
ss7 protocol surveillance
Besides allowing telecommunication companies to query the location of phones on other carriers’ networks, the SS7 protocol allows them to route calls and text messages through a proxy before reaching the legitimate destination. But you know very well that a proxy could allow an attacker to spoof the identity of the victims.
“The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.” reports The Washington Post.
The SS7 is widely adopted, it is currently used by more than 800 telecommunication companies around the world. The security experts know very well that the SS7 protocol allows sharing individuals’ subscriber data with any other entity implementing the same protocol.
This means that if a hacker is able to access the network is able to access a wealth of subscriber’s information.
The SS7 protocol is also used by telecommunication companies to offer a number of services to various industries. For example, telecommunication companies use the SS7 to offer banks a service that allows them to confirm the presence of a customer’s phone in a specific country to authorize its transaction avoiding fraudulent activities.
“As long as you have SS7 access, it’s extremely easy,” Les Goldsmith, a researcher from security firm ESD explained to Ars. “Any one of the telcos that has a roaming agreement with the target network can access the phone.” Goldsmith presented his study on the SS7 security at the last RSA conference in San Francisco.
The majority of the telecommunication companies intends to replace the SS7 protocol for more secure one, the Diameter, but they will maintain the backward-compatibility with the SS7 continuing to expose mobile users to the risk of hack.
According to 60 Minutes, intelligence agencies like the NSA exploit the SS7 protocol for their surveillance activities.
Lieu sharply criticized US agencies that may have turned a blind eye to such vulnerabilities.
“The people who knew about this flaw should be fired,” he said. “You cannot have 300 and some million Americans, and really the global citizenry, be at risk of having their phone conversations intercepted with a known flaw simply because some intelligence agencies might get some data. That is not acceptable.” said Lieu.
Hackers can spy on your calls and track location, using just your phone number
19.4.2016 Hacking
The famous ‘60 Minutes’ television show shocked some viewers Sunday evening when a team of German hackers demonstrated how they hacked into an iPhone used by U.S. Congressman, then recorded his phone calls and tracked his movement through Los Angeles.
Hackers leverage a security flaw in SS7 (Signalling System Seven) protocol that allows hackers to track phone locations, listen in on calls and text messages.
The global telecom network SS7 is still vulnerable to several security flaws that could let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale, despite the most advanced encryption used by cellular networks.
All one need is the target's phone number to track him/her anywhere on the planet and even eavesdrop on the conversations.
SS7 or Signalling System Number 7 is a telephony signaling protocol used by more than 800 telecommunication operators around the world to exchange information with one another, cross-carrier billing, enabling roaming, and other features.
Hackers Hacked into US Congressman's Smartphone
With US Congressman Ted Lieu's permission for a piece broadcast Sunday night by 60 Minutes, Karsten Nohl of German Security Research Labs was able to hack into his iPhone, record phone call made from his phone to a reporter, and track his precise location in real-time.
During the phone call about the cell phone hacking, Lieu said: "First, it's really creepy, and second, it makes me angry."
"Last year, the President of the United States called me on my phone, and we discussed some issues," he added. "So if hackers were listening in, they'd know that phone conversation, and that is immensely troubling."
What's more awful is that the designing flaws in SS7 have been in circulation since 2014, when the same German researchers' team alerted the world to it. Some flaws were patched, but few apparently remain or intentionally left, as some observers argue, for governments to snoop on its targets.
The major problem with SS7 is that if any one of the telecom operators is hacked or employs a rogue admin, a large scale of information, including voice calls, text messages, billing information, relaying metadata and subscriber data, is wide open to interception.
The weakness affects all phones, whether it's iOS, Android, or whatever, and is a major security issue. Although the network operators are unwilling or unable to patch the hole, there is little the smartphone users can do.
How Can You Avoid this Hack?
The best mitigation is to use communication apps – that offers "end-to-end encryption" to encrypt your data before it leaves your smartphone – over your phone's standard calling feature.
Lieu, who sits on House subcommittees for information technology and national security, also argues for Strong Encryption that, according to the Federal Bureau of Investigation (FBI), make it harder to solve crimes.
Lieu strongly criticized the United States agencies, if any, that may have ignored such serious vulnerabilities that affect Billions of cellular customers.
"The people who knew about this flaw [or flaws] should be fired," Lieu said on the show. "You can't have 300-some Million Americans—and really, right, the global citizenry — be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data."
Few of such apps that are popular and offers end-to-end encryption are Signal, WhatsApp, and Apple's iMessage service that keep users communications safe from prying eyes and ears.
IBM warns a spike in the number of PHP C99 Webshell Attacks
19.4.2016 Hacking
IBM Security has warned the WordPress community about a spike in the number of attacks leveraging a specific variant of the PHP C99 Webshell.
Security experts at IBM reported a spike in the number of cyber attacks pushing a variant of the popular C99 webshell in February and March, a 45 percent increase compared to the previous period. The C99 variant used in the attacks is currently detected by 37 of 56 antivirus software.
The experts noticed a common URL and file name, pagat.txt, in the attacks. The file includes an obfuscated PHP script, the attackers hide in this way a malicious code used to bypass the Web application firewall (WAF) that may be used to protect the website.
When the script is executed on the target system, an email is sent back to the attacker notifying that the server has been compromised.
Below the GET request observed in the attacks:
hxxp://www.victim.com/wp-content/themes/twentythirteen/pagat.txt.
Googling the pagat.txt file it is possible to have an idea of the number of compromised machines.
The C99 webshell installed on the server could be accessed from a browser and used to launch shell commands on the target. The attacker can use it to perform several actions, including the upload of malicious payloads.
“Most of the time, these webshell entry points result from vulnerabilities in third-party plugins (which we know often don’t undergo any security review during development) or an unpatched bug in the parent application. In fact, according to IBM X-Force, the largest percentage of CMS vulnerabilities are found in plugins or modules written by third parties.” reported IBM.
The researcher discovered that the specific variant of the C99 webshell used in the recent attacks is the same used by the Indonesian hacker Hmei7, that defaced more than 150,000 websites from all across the world.
In order to protect your website ensure that your WordPress installation is not affected by known vulnerabilities, install security plugins, and change default settings.
Europol and Italian Carabinieri an international ATM Skimming network
18.4.2016 Hacking
The Italian law enforcement corp Carabinieri and the Europol have dismantled an international criminal group responsible for large-scale ATM skimming.
Last Week, the Italian law enforcement corp Carabinieri, in a joint operation with the Europol, has dismantled an international criminal group responsible for large-scale ATM skimming, forgery of documents and money laundering. The operation was codenamed “PLUTO,” the gang used a consolidated scheme to monetize its efforts, the criminals compromised ATMs in different EU Member States (Italy, Denmark and the UK) in order to steal card data and clone them. The cloned payment cards were used to withdraw large amounts of cash from ATMs outside the European Union (Indonesia and Belize).
The “cloned” cards were mainly used alongside with fake documents to purchase clothing and electronic equipment (mobile phones, computers, etc.) and resold them in the criminal underground.
On 14 April 2016, the Carabinieri announced to have identified and arrested the members of the organisations, most of them are Romanian nationals, that used sophisticated ATM skimming to compromise ATMs across Europe.
It has been estimated that the gang has stolen at least EUR 1.2 million.
16 individuals were arrested in Italy where the police have conducted numerous searches seizing the equipment used by the gang. The agents have found Micro camera bars, card readers, magnetic strip readers and writers, computers, phones and flash drives, and of course plastic cards.
“Organised criminal groups are always looking for new global opportunities to make money, especially in the criminal market of payment fraud. Operations such as this highlight the importance of using Europol’s secure tools for exchanging intelligence and for coordinating the crucial operational stages involved in complex international cases. The resounding success of such an operation is not the first nor will it be the last, as police officers and prosecutors, alongside EC3, continue in their tireless endeavours to make payment transactions safer for customers throughout Europe and beyond.” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).
The investigation started in 2014, the Europol, provided a determinant analytical and forensic support to the Italian colleagues, a cooperation that allowed the police to identify and arrest the members of the gang.
The information collected during the investigation was also shared with other law enforcement agencies in Europe and overseas.
“Europol’s European Cybercrime Centre (EC3) initiated the case in 2014 and supported the involved law enforcement authorities in their efforts to identify the suspects. Operational meetings were held at Europol’s headquarters in The Hague and EC3 provided analytical and forensic support throughout the investigation including the deployment of a mobile office during the final action day to assist the Italian authorities.” states the official announcement published by the Europol.
Journalist Matthew Keys gets 2-Year Prison term for helping Anonymous Hackers
14.4.2016 Hacking
Former Reuters journalist Matthew Keys, who was convicted last year of helping the Anonymous group of hackers, has been sentenced to 24 months in prison for computer hacking charges.
Keys was found guilty last year in October of giving Anonymous login credentials that allowed the group to deface the Los Angeles Times, a Tribune Media-owned newspaper, back in 2013.
After leaving the job at Tribune Company-owned Sacramento KTXL Fox 40 in 2010, Keys posted login credentials for the company's content management system (CMS) on a chatroom where hacking collective Anonymous planned out their operations.
The hacking collective then logged into the CMS and defaced an LA Times article that remained defaced for about 40 minutes before a journalist noticed and changed it back – though Keys still denies all allegations.
Keys faced a possible sentence of up to 25 years for three counts of hacking charges under the Computer Fraud and Abuse Act.
Although the US Attorney General's office recommended a 5-year sentence, Keys has been condemned to two years in jail that will be followed by 2 years of supervised release.
Keys is set to surrender on June 15, 2016. After sentencing, Keys went on Twitter and wrote: "When we do appeal, we're not only going to work to reverse the conviction, but try to change this absurd computer law, as best we can."
In a blog post published on Medium, Keys also said that he was innocent and that the charges against him are "baseless, absurd and entirely wrong." He also said he is committed to journalism no matter what happens.
"Whatever happens today, I hope I am able to continue serving the public with important stories of interest," Keys wrote. "Journalism is all I am good at, and I am not exactly sure what I will do if I am not able to do it anymore."
The Keys' case has drawn wide scale attention of media as he served as a deputy social media editor at Reuters. After he had been charged with the hacking crime in March 2013, Keys was released by Reuters from his position.
Mapping the Dark Web searching for illegal content
11.4.2016 Hacking
Recently the intelligence firms Intelliagg and Darksum have issued an interesting report on the Dark Web and related mapping.
We have discussed several times about Deep Web and Dark Web, discussing the reason why the hidden part of the web is even more dangerous.
However the darknets aren’t a prerogative of criminal organizations, a good portion of the content it host is legal as demonstrated by a recent global survey commissioned by the Centre for International Governance Innovation (CIGI).
The research demonstrates that 71% consider necessary the shut down of the dark net (36% strongly/35% somewhat), likely because the hidden part of the web is associated in the headlines with criminal activities.
Another interesting result emerged from the research is that citizens in some countries are much more likely than others to believe the “dark net” should be shut down. Indonesia (85%) and India (82%) lead the ranking, followed by Mexico (80%), China (79%), Egypt (79%). Bringing up the rear are Kenya (61%), South Korea (61%) and Sweden (61%).
It is not clear in fact if people interviewed were made aware of the legal usage of dark net before answering the question.
The Dark Web is a place crowded of cyber criminals and hackers that host the most popular black markets, but it a serious mistake to forgot that it is also a precious environment for journalists, activists, whistleblowers and political dissidents that escape from the censorship and repression.
Many experts ask me if there is a way to discover the real proportions between illegal and legal contents in the dark web, and I always explain that it depends on the sample that we use for the elaboration of the statistics.
Recently the intelligence firms Intelliagg and Darksum have issued an interesting report that tried to provide a reply to the above question. The researchers involved in the study focused their analysis on the Tor network that represent a significant portion of the dark web,but not its totality.
The experts used a spider software to crawl the Tor network and collect the information used in the study.
“We compiled our census of the dark web using the Darksum ‘collection software’, a ‘spider’ or software application that crawls through the web following links in order to compile an index of its pages, and Intelliagg’s ‘machine-learning intelligence classification system’ – complex algorithms that are ‘trained’ by humans then sent off to classify data automatically.” states the report.
“Our classification system was ‘trained’ using data that had been classified manually from 1,000 sites on the dark web. It proceeded to classify the remaining data automatically without human supervision. This automated method proved to be 94% as accurate as it would have been had this process been entirely done by hand, meaning that nine times out of 10 our algorithms came to the same conclusion as an experienced analyst”
The experts run their spiders two weeks in February 2016 focusing their analysis on selected dark web services, including pornography, fake documentation services, drugs, carding sites, financial fraud sites, weapons, blogs.
According to the experts, the Tor network is currently composed of approximately 30,000 distinct .onion addresses that result active.
The spiders accessed websites in a total of 32 different languages, the vast majority of information on the hidden services network is in English, followed by German and Chinese.
Of the 29,532 .onion identified during the sampling period, only 46% percent could be accessed, the remaining part is related to C&C infrastructure used to manage botnet, file-sharing applications or chat clients.
“A total of 29,532 ‘.onion’ addresses were identified during the sampling period. Of these, fewer than half were accessible at some point during this period. The remaining 54% (which were not analysed further) were probably only up on the dark web for a very short period of time. This could be for many reasons: commonly that they were addresses relating to ‘command and control’ servers used to manage malicious software, chat clients, or file-sharing applications” continues the study.
The real surprise is related to the hidden services automatically analyzed by the experts, 48% can be classified as illegal under UK and US law. By analyzing manually a separate sample composed of 1,000 hidden services the experts found about 68% of the content to be illegal.
Below the percentages of content associated with each category.
Let me suggest to give a look to the report.
Cyber Justice Team claims a massive Data Leak from the Syrian Gov
10.4.2016 Hacking
The Cyber Justice Team claims a massive Data Leak from the Syrian Government, more than 43 GB of Data available Online
The hacker group named Cyber Justice Team leaked 10 GB of compressed data (when decompressed are over 43 GB of data) from several Syrian government and private companies.
The group claimed to have hacked Linux server belonging to the Syrian regulatory commission for IT services, the Syrian National Agency for Network Services.
The group has uploaded the files to the MEGA file hosting service and announced the data hack on PasteBin and also published the password of the breached server.
Is it a fresh dump?
According to security experts from Risk Based Security (RBS) who analyzed the archive most of the leaked information comes from past data breaches.
“The first pass at reviewing the data sparked a sense of some more deja vu, as many of the files appeared to include domains from previous, smaller defacements and leaks,” states a blog post published by RBS. “Further analysis confirmed our initial suspicions.”
The data dump contains 38,768 folders, it includes 274,477 files from 55 different website domains, belonging to government agencies and private companies.
The vast majority of files in the data dump were default Plesk files, Joomla!, and Cportal (phpnuke-cms) setups. The attackers may have exploited known vulnerabilities in outdated software.
“That said, our analysis shows the data appears to originate from nans.gov.sy, the Nation Agency for Network Services, and contains data from 55 Syrian domains, 25 of which being .gov.sy: 2 .org.sy; 1 com.sy and the remainder with the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Very few of the domains appear to be of some importance to the people of Syria.” states the RBS.
The hacker group of the Cyber Justice Team is an opponent of both the Syrian Government and the IS, both oppressors of the Syrian people.
For more details on the data dump give a look to the report published by Risk Based Security (RBS).
No Password Required! 135 Million Modems Open to Remote Factory Reset
9.4.2016 Hacking
More than 135 Million modems around the world are vulnerable to a flaw that can be exploited remotely to knock them offline by cutting off the Internet access.
The simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely-used cable modem, the Arris SURFboard SB6141, used in Millions of US households.
Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his "exploit" after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure.
The Bug is quite silly: No Username and Password Protection.
Arris does not provide any password authentication set up on the modem’s user interface, thus allowing any local attacker to access the administration web interface at 192.168.100.1 without the need to enter a username and password.
This issue allows a local attacker to 'Restart Cable Modem' from the 'Configuration page' of the administrative interface at http://192.168.100.1/, as shown. This is nothing but a Denial of Service (DoS) attack.
Bingo! By clicking 'Restart Cable Modem' manually will disable victim's modem for 2 to 3 minutes and every device on that network will lose access to the Internet.
However, three minutes of no Internet connectivity is bearable, but the same administrative panel provides an option to Factory Reset the modem as well i.e. wipe out modem's configuration and settings.
If an attacker clicks this option, your modem will go offline for 30 minutes as re-configuration process takes as long as an hour to complete. Though, sometimes you need to call your Internet Service Provider (ISP) to reactivate the modem.
How to Perform DOS Attack Remotely?
David revealed that an attacker can also reset your modem remotely, as the application doesn't verify whether the reboot or reset the modem command comes from the UI interface or an external source.
This remote attack is known as a Cross-Site Request Forgery (CSRF) attack that allows an attacker to use social engineering techniques to trick users into clicking on a specially crafted web page or email.
For example: A web page including <img src="http://malicious_url/"> tag could call any of the following URLs:
http://192.168.100.1/reset.htm (for restart)
http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
"Did you know that a web browser does not care whether an 'image' file is really an image?," Longenecker explains. "Causing a modem to reboot is as simple as including an 'image' in any other web page you might happen to open."
"Of course, it is not a real image, but the web browser does not know that until it requests the file from the modem IP address – which of course causes the modem to reboot."
Are the flaws easy to Patch?
However, these flaws are easily patchable that only requires Arris to create a firmware update such that:
The UI requires authentication (username and password) before allowing someone to reboot or reset the modem.
The UI validates that a request originated from the application and not from an external source.
However, the bad news is that there's no practical fix for the flaws. Since cable modems are not consumer-upgradable, even if Arris releases a fix, you would need to wait for your ISPs to apply the fix and push the update to you.
Arris has recently addressed the flaws with a firmware update.
"We are in the process of working with our Service Provider customers to make this release available to subscribers," said the company's spokesperson.
"There is no risk of access to any user data, and we are unaware of any exploits. As a point of reference, the 135 million number is not an accurate representation of the units impacted. This issue affects a subset of the ARRIS SURFboard devices."
Anonymous Philippines hacked the COMELEC. It is the biggest government related data breach
7.4.2016 Hacking
Anonymous Philippines hacked the COMELEC database, the incident exposed records of more than 55 million voters, it is the biggest gov-related data breach.
A few days ago I reported the news on the availability online of a database containing data of more than 50 million Turkish citizens, now IT security community is discussing another clamorous data breach occurred in the Philippine where a massive data breach have exposed the records of more than 55 million voters. The data breach occurred a few weeks before the national elections in the Philippines, scheduled for 9 May.
A couple of weeks ago, on 27 March 2016, Anonymous Philippines has hacked the Philippines’ Commission on Elections (COMELEC) website, they defaced it, but a second hacker collective, LulzSec Pilipinas has published online the entire database of the COMELEC.
Anonymous Philippines warned COMELEC to improve the security of the vote-counting machines.
Anonymous Philippines data breach
In a first time, COMELEC officials downplayed the data breach declaring that no sensitive information was compromised.
“I want to emphasise that the database in our website is accessible to the public,” declared the Comelec spokesperson James Jimene.“There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well,” he added.
The archive is full of sensitive data, including personal and passport information and fingerprint data, and unfortunately, not all the records were encrypted.
LulzSec Pilipinas released 16 databases from the Comelec website for a total number of 355 tables.
“Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Philippines’ Commission on Elections (COMELEC). ” reported Trend Micro who is investigating the case.
“Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and list of peoples running for office since the 2010 elections.”
This is the biggest government-related data breach,it exposed more than double of the number of records exposed in the US government’s Office of Personnel Management (OPM) hack that resulted in 21.5 million people being exposed to an unknown party.
And now …
More than 55 million voters are exposed to the risk of cyber attack. Cyber criminals and state-sponsored hackers can use the information to carry on a wide range of malicious activities, including scams, espionage campaigns and extortion. In previous cases of
“In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more.” concluded TrendMicro.
Silk Road 2.0 Dark-Web Admin Pleads Guilty
5.4.2016 Hacking
An admin of Silk Road 2, named Brian Farrell, who helped maintain the notorious dark web site by providing customer and technical support, approving and suspending vendors, and promoting staff members, has pleaded guilty and could face 8 years in prison.
The 28-year-old man, who used the moniker "DoctorClu," had been accused last year of being the right-hand to the creator of Silk Road 2.0, the copycat website inspired by the notorious online illegal drug marketplace.
Silk Road 2.0 was shuttered in November 2014 after its creator Blake Benthall aka "Defcon" was arrested whose own criminal case is pending in federal court in New York.
Silk Road has been described as "one of the most extensive, sophisticated, and widely-used illegal marketplaces on the internet today."
According to the Department of Justice, Silk Road 2.0 had generated "sales of at least approximately $8 Million in the United States currency per month" since it began in November 2013.
In a March court filing [PDF], Farrell admitted that not only was he the site administrator, but he also served as "informal spokesman" for Defcon.
Farrell also admitted that he led a Denial-of-Service (DoS) attack on Tor Market, a competitor to the Silk Road 2.0.
Farrell may Face 8 Years in Prison and up to $5,000,000 in Fine
Last month, Farrell pleaded guilty to one count of distribution of cocaine, heroin, and methamphetamine that carries a minimum 5 years sentence in prison and a fine of up to $5,000,000.
Although both Farrell's lawyers and prosecutors have agreed to recommend a sentence of 8 years, the judge is allowed to impose a tougher sentence if he chooses, according to the plea agreement.
By comparison, Ross Ulbricht, the creator of original Silk Road, was convicted of running the notorious site and sentenced in 2015 to a dual life sentence.
Farrell was arrested in Seattle in January 2015. At the same month, when federal agents asked Farrell if he could help them identify other top people involved with Silk Road 2.0, Farrell responded by saying, "You are not going to find much of a bigger fish than me."
In February 2016, US District Judge denied Farrell's motion to compel disclosure of the method federal investigators used to find him out.
However, later the judge confirmed that Carnegie Mellon University researchers from its Software Engineering Institute were hired by the Federal Bureau of Investigation (FBI) to research breaking into Tor network back in 2014.
Though the Tor Project Director Roger Dingledine accused the Feds of paying the CMU, at least, $1 Million to disclose the technique they'd discovered to unmask Tor users, the FBI denied the claims.
Farrell is due to be sentenced in federal court in Seattle on June 3, 2016.
Hacking connected lightbulbs to breach Air-Gapped networks
3.4.2016 Hacking
Two of security researchers have shown how hackers can target connected lightbulbs to exfiltrate sensitive data from Air-Gapped networks.
Two of security researchers from the Weizmann Institute have shown how hackers can target connected lightbulbs to steal sensitive data from Air-Gapped networks.
The two researchers are Adi Shamir, the popular co-inventor of the RSA algorithm, and PHD student Eyal Ronen.
The experts highlighted that for both devices, the communications between the controllers and the lightbulbs were not encrypted allowing them to analyze communication protocol.
The hacking technique relies on modulate light pulses in two commercial bulbs, a Philips Hue and a LimitlessLED, to transfer data up to 100 meters away.
If the attackers are able to access the network hosting connected lightbulbs they can hack into them exploiting the lack of authentication and generate light signals that are unobservable to the human eye.
“All they needed was to subtly modulate light pulses in two bulbs on the market to convey data to a telescope up to 100 meters away, or have them create a strobe effect to bring on seizures. Both attacks were possible because authentication on the lightbulbs – a Philips Hue and a LimitlessLED – were found wanting, allowing anyone who could locate the devices to send commands.” wrote Thomas Fox-Brewster on Forbes.
The two experts presented their work at the IEEE Privacy and Security Symposium in Germany last week. In the case of the LimitlessLED, hackers that successfully access them can sniff the traffic and syphon an unencrypted Wi-Fi password used to connect to the bulb.
The Philips Hue lightbulbs are not affected by security bugs, but anyway hackers can exploit their abilities to manage the intensity of the light with 256 brightness levels.
The hardware used to carry out the attack is composed of a laptop, a TAOS TC3200 Color light-to-frequency converter, an Arduino tiny computer and a telescope, the overall cost of the equipment is less than $1,000.
The experts deployed a controller, connected to a PC running a malware, where the lightbulb was installed.
A telescope focused on the bulb was used to capture the rises and falls in the frequency of the light emitted from the lightbulbs and turn them to the Arduino.
The laptop is used to process bulk information gathered from the Arduino, the researchers explained their technique could allow to leak more than 10KB per day through the connected lightbulbs.
The technique could be effective to exfiltrate private encryption keys and passwords from an “air-gapped” network.
The experts also highlighted that hackers can control the light intensity to “create strobes in the most sensitive frequencies,” creating a shocking effect.
“Such an attack could be directed at hospitals, schools and other public buildings using connected LEDs,” the paper read.
The research conducted by the experts confirms the necessity of a “security by design” approach for all the devices belonging to the Internet of Things.
“I think it’s a very big problem, not just with the specific attack we’ve shown with the lights. We should speak about how we do security in IoT,” Ronen said to Forbes. “The main issue [in the lightbulbs] is that there are not enough security measures.”
The website of the Hungarian Government temporarily shut by cyberattack
3.4.2016 Hacking
Officials confirmed that the Hungarian government website came under attack from outside the country. The access to many websites was blocked.
The Hungarian Government announced that its computer network was targeted by a major cyber attack that temporarily blocked the access to several websites.
The attacks hit the main Hungarian government website and many other sites, including the one belonging to the Hungarian Academy of Sciences.
According to the Hungarian official, the cyber attacks were launched by threat actors from outside the country.
Hungarian Government website
Government experts revealed that more than more than 62,000 cyber attacks have hit its systems in a single day.
The Hungarian Interior Ministry declared that Government experts had been able to restore access to the affected websites.
As usually happens in these cases, the attribution of the attack is very hard.
At the time I was writing there aren’t other news of the attacks.
Do hackers have hacked election to make Peña Nieto President?
2.4.2016 Hacking
A Columbian hacker claims he helped the candidate Enrique Peña Nieto in winning the Mexican presidential election in 2012.
Until now we have seen something of similar only in the TV series, but the reality could overwhelm the fiction because a Columbian hacker claims he helped Enrique Peña Nieto in winning Mexican presidential election.
The hacker named Andrés Sepúlveda revealed to have operated in a team with peers to install a malware to monitor opponents during the 2012 campaign as part of a hacking campaign codenamed ‘black propaganda.’
The hackers helped Enrique Peña Nieto win Mexico’s 2012 presidential election, they manipulated the event it in nine countries across Latin America. The hackers have installed malware with the intent to spy on target machines and steal data, they also used a botnet to manage PSYOPs on the social media trying to influence the final decision of the voters.
The hacker, who is currently serving a 10-year prison sentence for hacking crimes related to Colombia’s 2014 presidential election, released an interview to Bloomberg explaining that he was hired by the Miami-based political consultant Juan José Rendón.
“My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see” the man told to Bloomberg.
Sepúlveda added that his primary motivation was political, he hacked in opposition to what he defined “dictatorships and socialists governments.”
The political consultant Juan José Rendón denied to have hired Sepúlveda for illegal activities and confirmed that he paid him in 2005 for the development of a web site.
“He is delusional,” Rendón said in a phone call. “All the things he describes are exactly like the TV show Mr Robot.”
“Can you really change the will of the people through social networks? Maybe in Ukraine or Syria where there is no alternatives. But here (in the Americas) where there is TV, a free press and door to door campaigns, it is not so influential,” he added.
Sepúlveda confirmed to have had a $600,000 budget to undermine the presidential campaigns Nieto’s opponents, Josefina Vázquez Mota and Andrés Manuel López Obrador.
The hacker team compromised computers at the headquarters of the two candidates in order to monitor communications and exfiltrate sensitive data, including speech drafts and campaign schedules.
They also managed a PSYOP through the principal social networks by using a multitude of fake Twitter accounts to fuel the public debate on the Peña Nieto’s political plan and discrediting his rivals, all these accounts were carefully managed in a way to appear legitimate.
“He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”” reported Bloomberg.
Sepúlveda confirmed to have used a strategy similar to the ‘black propaganda’ in order to influence the opinion of voters in other elections in several countries, including Venezuela, Nicaragua, Panama, Honduras, El Salvador, Colombia, Costa Rica and Guatemala.
Unfortunately, the man has destroyed most of the evidence of his support to the politic candidates in various presidential campaigns.
Which is the Peña Nieto’s position?
The Office of the President issued the following statement:
“We reject any relationship between the 2012 presidential campaign team and Andrés Sepúlveda or that there was a contract with the consultant J.J. Rendón.”
Remotely unlock doors exploiting a flaw in HID Door Controllers
2.4.2016 Hacking
Experts from Trend Micro have discovered a serious flaw in HID door controllers that could be remotely exploited by hackers to open the doors.
Security experts at Trend Micro have discovered a serious flaw in door controllers developed by the HID access control systems manufacturer that could be exploited by hackers to send one malicious UDP request to a door and automatically unlock it and/or deactivate the alarm if the door has that feature enabled.
HID door controllers have the appearance of a black box that is located next to securitized doors. Users can swipe their card to open the door, once the door is unlocked the LED turns green.
Some HID door controllers also offer the possibility to connect the devices to a local network in order to allow system administrators to manage them.
The expert Ricky “HeadlessZeke” Lawshae from Trend Micro discovered that the models of door controllers VertX and Edge are affected by a design flaw in their management protocol.
The experts discovered that HID door controllers run a special daemon dubbed discoveryd, which listens on port 4070 for UDP packets that carry on instruction for the door controllers
“HID’s two flagship lines of door controllers are theirVertX and Edge platforms. In order for these controllers to be easily integrated into existing access control setups, they have a discoveryd service that responds to a particular UDP packet. ” states TrendMicro.
“A remote management system can broadcast a “discover” probe to port 4070, and all the door controllers on the network will respond with information such as their mac address, device type, firmware version, and even a common name (like “North Exterior Door”).”
The expert also discovered another security issue related to the above service that also implements a debugging function that allows a remote administrator to instruct HID door controllers to blink its LED for a number of times.
The admin can instruct a specific controller to blink by sending a “command_blink_on” command with the door’s ID. The researcher noticed that by appending a Linux command after the ID, wrapped in backticks, the device will execute it due to improper input sanitization.
In response to a blink command, the Discoveryd service builds up a path to /mnt/apps/bin/blink and calls system() to run the blink program passing the number of blink as an argument.
“A command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system() call. Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device.”
The attacker can exploit The system() call, which runs with root privileges, to instruct the door controllers to execute a generic command with one single UDP packet.
If you use the HID door controllers, you need to urgently download the latest firmware versions.
The dangerous interaction between Russian and Brazilian cyber criminal underground
1.4.2016 Hacking
Kaspersky has analyzed the interaction between the Russian and Brazilian criminal underground communities revealing a dangerous interaction.
In the past weeks, we have analyzed the evolution of cyber criminal communities worldwide, focusing on illicit activities in the Deep Web. To simplify the approach we have considered the principal cyber criminal communities (Russia, Brazil, North America, Japan, China, Germany) as separated entities, instead, these ecosystems interact each other in a way that Kaspersky experts have analyzed.
Experts from Kaspersky Lab have analyzed the interaction between the Russian and Brazilian criminal communities, a dangerous interaction that is leading to a rapid evolution of hacking tools.
The experts at Kaspersky Lab demonstrated that Brazilian and Russian-speaking criminals have an intense cooperation, Brazilian criminals use to buy malware samples from the Russian peers operating the principal underground forums. Typically they pay for exploit kits, ATM or PoS malware and also hacking services.
The first example of collaboration is dated back 2011, when Brazilian cyber criminals have been actively abusing malicious PAC scripts to redirect victims to phishing pages. A few months later, cyber criminals behind the Russian banking Trojan Capper adopted the same technique.
“We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. ” states the analysis published by Kaspersky.
The experts highlight that cooperation runs both ways, helping to speed up the growth of hacking capabilities of both communities and also malware evolution.
“As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.” continues Kaspersky.
The researchers collected evidence of the profitable collaboration, in one discussion thread on an underground forum frequented by Russian hackers a user behind the moniker “Doisti74” expressed his interest in buying compromised machines located in Brazil. The same user is present in the Brazilian underground scene and researchers believe he could be interested in launching malware-based campaign in Brazil.
Brazilian crooks are looking with increasing interest at ransomware, some years ago experts at Kaspersky discovered the threat TorLocker developed by Brazilian malware developers. Some months ago, Kaspersky has spotted another ransomware based on the Hidden Tear source code that was adapted to target Brazilian users.
Crooks belonging to the two criminal underground communities also use to share malicious infrastructure, this is the case of a number of Boleto malware campaigns observed in Brazil that were relying on the same infrastructure used months before by operators behind the Russian banking Trojan family (Crishi).
The researchers have illustrated in details numerous evidence they collected related to the collaboration between Russian and Brazilian hackers, the experts highlighted that Brazilian banking malware has rapidly evolved in the last years thanks to this interaction.
“Just a few years ago, Brazilian banking malware was very basic and easy to detect,” said Thiago Marques, security researcher at Kaspersky Lab.
“With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.
“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways.”
I have no doubt, cybercrime has no boundaries and this kind of interaction will reinforce the principal criminal underground communities.
Do hackers have hacked election to make Peña Nieto President?
1.4.2016 Hacking
A Columbian hacker claims he helped the candidate Enrique Peña Nieto in winning the Mexican presidential election in 2012.
Until now we have seen something of similar only in the TV series, but the reality could overwhelm the fiction because a Columbian hacker claims he helped Enrique Peña Nieto in winning Mexican presidential election.
The hacker named Andrés Sepúlveda revealed to have operated in a team with peers to install a malware to monitor opponents during the 2012 campaign as part of a hacking campaign codenamed ‘black propaganda.’
The hackers helped Enrique Peña Nieto win Mexico’s 2012 presidential election, they manipulated the event it in nine countries across Latin America. The hackers have installed malware with the intent to spy on target machines and steal data, they also used a botnet to manage PSYOPs on the social media trying to influence the final decision of the voters.
Enrique Pena Nieto
The hacker, who is currently serving a 10-year prison sentence for hacking crimes related to Colombia’s 2014 presidential election, released an interview to Bloomberg explaining that he was hired by the Miami-based political consultant Juan José Rendón.
“My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see” the man told to Bloomberg.
Sepúlveda added that his primary motivation was political, he hacked in opposition to what he defined “dictatorships and socialists governments.”
The political consultant Juan José Rendón denied to have hired Sepúlveda for illegal activities and confirmed that he paid him in 2005 for the development of a web site.
“He is delusional,” Rendón said in a phone call. “All the things he describes are exactly like the TV show Mr Robot.”
“Can you really change the will of the people through social networks? Maybe in Ukraine or Syria where there is no alternatives. But here (in the Americas) where there is TV, a free press and door to door campaigns, it is not so influential,” he added.
Sepúlveda confirmed to have had a $600,000 budget to undermine the presidential campaigns Nieto’s opponents, Josefina Vázquez Mota and Andrés Manuel López Obrador.
The hacker team compromised computers at the headquarters of the two candidates in order to monitor communications and exfiltrate sensitive data, including speech drafts and campaign schedules.
They also managed a PSYOP through the principal social networks by using a multitude of fake Twitter accounts to fuel the public debate on the Peña Nieto’s political plan and discrediting his rivals, all these accounts were carefully managed in a way to appear legitimate.
“He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”” reported Bloomberg.
Sepúlveda confirmed to have used a strategy similar to the ‘black propaganda’ in order to influence the opinion of voters in other elections in several countries, including Venezuela, Nicaragua, Panama, Honduras, El Salvador, Colombia, Costa Rica and Guatemala.
Unfortunately, the man has destroyed most of the evidence of his support to the politic candidates in various presidential campaigns.
Which is the Peña Nieto’s position?
The Office of the President issued the following statement:
“We reject any relationship between the 2012 presidential campaign team and Andrés Sepúlveda or that there was a contract with the consultant J.J. Rendón.”
6 Charged for Hacking Lottery Terminals to Produce More Winning Tickets
28.3.2016 Hacking
Police have arrested and charged six people with crimes linked to hacking Connecticut state lottery terminals in order to produce more winning tickets than usual.
Prosecutors say all the six suspects are either owners or employees of retail stores that produced a much higher number of winning tickets than the state average, according to the Hartford Courant.
Suspects Hacked Lottery Terminal
The alleged group set up machines to process a flood of tickets at once that caused a temporary display freeze, allowing operators to see which of the tickets about to be dispensed would be winning tickets, cancel the duff ones, and print the good ones.
The hack appears to have exploited some software weaknesses in lottery terminals that not only caused ticket requests to be delayed but also allowed operators to know ahead of time whether a given request would produce a winning ticket.
The actual culprit, in this case, was a game dubbed "5 Card Cash."
The alleged suspects manipulated automated ticket dispensers to run off 5 Card Cash game that consists of tickets a user can buy, on which playing cards are printed.
If 5 cards form a winning poker hand, then the buyer can cash the tickets based on the hand they received.
Authorities Suspended 5 Card .Cash Lottery Game
Authorities had already suspended the 5 Card Cash lottery game in Connecticut past November after discovering that the game was generating more winning tickets than its winning range parameters should have technically permitted.
The six suspects are:
Vikas Patel, 32, from Windsor
Pranav Patel, 32, from Bloomfield
Sedat Kurutan from Naugatuck
Moinuddin Saiyed from Norwalk
Prakuni Patel from Wallingford
Rahul Gandhi from Wallingford
Pranav Patel and Vikas Patel were arrested on Friday, March 19 while the rests took into custody between February 29 and March 7.
The charges filed against Vikas and Pranav include first-degree felony counts of larceny and computer crime as well as felony rigging a game charges. Both of them have been bailed on $25,000 bonds each and are scheduled to appear in court on Monday.
Investigators for the Department of Consumer Protection and the Connecticut Lottery say that many clerks were abusing lottery tickets to fetch out more winning tickets that they would later cash in for themselves, and that more arrests may be made in the future.
VNC Roulette, a web roulette for random easy to hack PCs
27.3.2016 Hacking
The VNC Roulette service is exposing on the Internet thousands of computer systems using insecure and easy to hack VNC connections.
CCTV surveillance cameras, medical equipment, electricity generators, desktops, home alarm equipment and many other systems are not properly protected and open on the Internet.
Now a website named VNC Roulette is offering a ransom access to these computer systems through the VNC software.
VNC is a very popular application that allows remote access and control of desktops over the networks. A lot of people simply use it to remotely access their computer placed elsewhere. Crucially, though, these connections should be secured with passwords and encryption.
The problem is that many VNC connections are not secured with passwords and encryption, allowing the access of criminals and hackers.
The newborn VNC Roulette website is taking screenshots insecure VNC connections, it has already gathered imaged from about 550 systems open on the Internet. It is disconcerting to see people’s privacy violated is no simple way, VNC Roulette reveals users browsing Facebook, accessing personal email accounts, or accessing a SCADA system.
The snaps were taken since 2015, some of them were taken this month and are still up and running.
After the media have covered VNC Roulette, it went off line, but yesterday the service reappeared online.
Below some samples shared online by El Reg.
An X-ray machine in in Nevada, US:
A store’s CCTV system in China:
VNC Roulette demonstrates the importance to properly secure any connection to a system exposed over the Internet. It is very easy for hackers to gain access to systems like the ones captured by the VNC Roulette services.
Don’t waste time, implement a proper authentication to your systems, use strong passwords, only accept connections from certain IP addresses and of course tunnel VNC connections with SSH.
Don’t forget also that crooks have many other ways to locate vulnerable machine over the internet, like the search engines Shodan and Censys.
#OpBrussells Anonymous ‘s revenge on ISIS after Brussels attacks
24.3.2016 Hacking
#opBrussels – Anonymous has published a new video threatening revenge on the ISIS organization in response to the tragic events in Brussels.
Anonymous has published a video threatening revenge on the IS after the tragic events in Brussels.
The video shows a spokesman of the hacker collective vowed to track down the members of the radical group online.
Anonymous is calling an action to find information on ISIS members online, disclose any information regarding their identity, steal their Bitcoins, and destroy their propaganda online by hacking the websites and the social media account used by the terrorists.
The masked man in the video announced a new operation dubbed #opbrussels and #opbelgium against the Islamic State and its online activities.
“Most of you know that Belgium was hit by terrorists on 22nd of March, 2016. Our freedom is once again under attack, this can’t continue,” said the man in the video presenting the #OpBrusselles.
“We will keep hacking their websites, shutting down their Twitter accounts, and stealing their bitcoins. To the supporters of Daesh [IS, formerly ISIS/ISIL]: we will track you down, we will find you, we are everywhere and we are more than you can imagine. Be afraid.”
Anonymous vowed to “strike back against” Islamic State, they announced they said they won’t “rest as long as terrorists continue their actions around the world.”
Anonymous said that the ISIS killed innocent people in a cowardly attack, the group is calling for a global action against the terrorism online.
[terrorists killed] “innocent civilians in Belgium they hit everybody in Europe” and that’s why the hacktivists have to “fight back.” They added they invite all people to battle terrorism.
“But you don’t have to hack them. If you stand up against discrimination in your country you harm them much more than by hacking their websites. The Islamic state can’t recruit Muslims in Europe if they are accepted and included in the society.”
#opbrussels Anonymous vs ISIS
Anonymous launched a similar initiative after the Paris attacks, recently members of the group have published a video claiming they “fought daily against terrorism” and “silenced thousands of Twitter accounts directly linked to ISIS” since November.
“We severely punished Daesh on the darknet, hacked their electronic portfolio, and stole money from the terrorists. We have laid siege to your propaganda websites, tested them with our cyber-attacks.”
Anonymous has hacked several social media accounts belonging to the ISIS, leaked their information, and defaced IS-supporting websites.
Chinese hacker admitted hacking US Defense contractors
24.3.2016 Hacking
A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors.
A Chinese national pleaded guilty yesterday, March 23, on charges with hacking trade secrets from US defense contractors. The man, Su Bin (also known as Stephen Su and Stephen Subin), 50, had been charged in a 2014 indictment with hacking into the computer networks of US defense contractors, including the Boing. The hackers aimed to steal blueprints and intellectual property for the F-22 and F-35 fighter jets and C-17 transport aircraft. In January 2015, Edward Snowden revealed China stole designs for the US-built F-35 Fighter jet hacking computer systems at US Defense contractors, and provides details also a counter-intelligence operation run by the NSA.
According to Snowden, the US Intelligence was aware that Chinese cyber spies have stolen “many terabytes of data” about the design of Australia’s Lockheed Martin F-35 Lightning II JSF. The details of the operation are described in a set of top secret documents published by the Der Spiegel magazine.
Chinese hackers have allegedly stolen as much as 50 terabytes of data from the US Defense contractors, including the details of the fighter’s radar systems, engine schematics, “aft deck heating contour maps,” designs to cool exhaust gasses and the method the jet uses to track targets.
The purpose of the Chinese Government is to acquire intellectual property on advanced technologies, benefiting Chinese companies on the market and narrowed the gap in the research of advanced technological solution. Military experts speculated that the stolen blueprints could help the country to develop a new generation of advanced aircraft fighter, so-called “fifth-generation” fighters.
In 2014, according to a US criminal complaint, computers of Boeing and other military contractors have been hacked to steal intellectual property and trade secrets on transport aircraft. The initial attacks against Boeing likely occurred between Jan 14th and March 20th, 2010. The complaint is dated June 27th and was disclosed on July 2015, it describes how the attackers have spied on Boeing computer networks for a year, and then have compromised systems of the principal US Defense contractors to steal intellectual property. According to the information disclosed, the hackers were mainly interested in the C-17 military transport.
The US law enforcement agencies accused Su Bin, a Chinese businessman residing in Canada, of supporting two countrymen in the organization of cyber attacks on Boeing systems to collect information about the C-17 and other military programs.
Chinese hacker admitted hacking US Defense contractors
The criminal complaint revealed that Su Bin with two unnamed co-conspirators, identified as UC1 and UC2, were collecting technical information related to components and performance of the C-17 transport and Lockheed Martin’s F-22 and F-35 fighter jets. During the period related the first attacks against Boeing, Su Bin was operating in the United States, as confirmed by FBI Special Agent Noel Neeman in the complaint.
Su Bin was arrested on June 2014 month in Canada, Neeman revealed that an email attachment sent by UC1 claims the Chinese hackers exfiltrated 65 gigabytes of data over a couple of years, including information on the C-17 transport from Boeing systems. The FBI agent collected evidence of data theft from Boeing systems, but there is no proof that the data that the stolen information was classified. The email provides also information related to the huge effort spent by hackers to compromise the Boeing system, the document details the architecture of the internal network of Boeing, which includes 18 domains, 10,000 PC and a “huge quantities” of defense appliances.
“Through painstaking labor and slow groping, we finally discovered C-17 strategic transport aircraft-related materials stored in the secret network,” the document says.
He was sent to the United States in February 2016.
The hackers described the difficulties to breach the system avoid detection system deployed by Boeing.
“From breaking into its internal network to obtaining intelligence, we repeatedly skipped around in its internal network to make it harder to detect reconnaissance, and we also skipped around at suitable times in countries outside the U.S. In the process of skipping, we were supported by a prodigious quantity of tools, routes and servers, which also ensured the smooth landing of intelligence data.” states the report.
The complaint did not provide any description on how hackers have stolen information about the Lockheed Martin jet fighters.
Another document issued by the FBI described the communications between UC1 and UC2, which states that the Chinese hackers successfully acquired information about US military project by establishing hot points in the U.S., France, Japan and Hong Kong. This last document, according to the complaint, reveals that the subjects have received about $1 million to build a team and infrastructure outside of China, the investigators are working to understand who has funded the entire operation.
Now in a plea agreement filed in a California federal court, Su admitted to conspiring with two unnamed persons in China from October 2008 to March 2014 to hack network of US contractors and steal “sensitive military information and to export that information illegally from the United States to China.”
The Court documents did not provide details on who operated the cyber espionage campaign, but security and intelligence experts believe that Su was working for the Chinese Government.
“Su Bin admitted to playing an important role in a conspiracy, originating in China, to illegally access sensitive military data, including data relating to military aircraft that are indispensable in keeping our military personnel safe,” said Assistant Attorney General John Carlin.
“This plea sends a strong message that stealing from the United States and our companies has a significant cost; we can and will find these criminals and bring them to justice.”
Sentencing was set for July 13, when Su faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.
The US government will issue a final ruling on the case on July 13. The Chinese man faces a maximum penalty of five years in prison and a monetary fine of $250,000 or twice the gross gain from the offense.
Who Viewed Your Profile on Instagram? Obviously, Hackers!
22.3.2016 Hacking
Are you curious about who viewed your profile on Instagram?
This is probably the most frequently asked question nowadays, and there are several applications available on Google Play Store and Apple App Store, which claims to offer you the opportunity to see who is looking at your Instagram profile.
But, should we believe them?
Is there really some kind of way out to know who viewed your Instagram profile?
The shortest answer to all these questions is 'NO', such functionality does not exist on Instagram at the moment.
But, thousands of users still have hope and hackers are taking advantage of this to target a broad audience.
Recently, security researchers have discovered some malicious applications on Android Google Play Store as well as iOS App Store, which are entirely a hoax, targeting Instagram users.
Who-Viewed-Me-on-Instagram
The iOS app is named "InstaCare - Who cares with me?" and is one of the top apps in Germany, while the Android app is dubbed "Who Viewed Me on Instagram" that has more than 100,000 downloads and 20,000 reviews.
Both the apps are developed by Turker Bayram – the same developer who created the malicious "InstaAgent" app for Android and iOS platform late last year that secretly stole users’ Instagram credentials.
The recent applications by Bayram also have the same functionality, luring Instagram users into believing that the app would let them know who viewed their profile. The app claims to:
Show you up to most recent 100 lists for your Instagram profile.
Display your friend list in order, who cares your profile most with your profile interaction.
But in reality…
The malicious apps abuse the authentication process to connect to Instagram and steal user's Instagram username and password, according to a blog post published by David Layer-Reiss from Peppersoft.
Since third party applications use API to authenticate themselves with the legitimate apps, users generally provide their same credentials to authenticate with different applications and services.
Here's How an App Can Hack Your Instagram Accounts
Today, it is quite easy for hackers to target large audience – Just abuse the name of a popular application and give users option beyond the legitimate one.
Users will simply provide their critical data, including their credentials, without knowing its actual consequences.
Once users install 'InstaCare' or 'Who Viewed Me on Instagram' on their iOS or Android device, they are immediately served a login window that forced victims to log in with their Instagram credentials.
Since the apps advertise itself to show you who viewed your Instagram profile, most users fall victim to the apps and enter their account credentials without a second thought.
The usernames and passwords are then encrypted and sent to the attacker's server. The attacker will then use those credentials later to secretly log on and take full control of the hacked Instagram accounts and post spams on the user's behalf.
Security researchers from Kaspersky Labs also confirmed David's findings. You can refer Kaspersky's blog post for more technical details on the malicious apps.
At the time of writing, neither Apple nor Google has removed the malicious apps from their official App Stores, which means that the malicious apps are still available to users for download.
who-viewed-my-profile-on-Instagram
It's not at all surprising that the play stores are surrounded by a number of malicious apps that may gain users' attention to fall victim for one.
But, the fact that both Apple and Google got fooled again by the same developer shows how hard it is to keep an eye on a developer who already published a malicious app and to manage the app stores in a secure manner.
Here's How to Protect Yourself
If you've already installed one of these apps and have now seen the error of your ways, and remove the culprit from your apps list too.
So if you have already fallen victim to this scam, hurry up!
Uninstall the apps mentioned above from your smartphone if you have one.
Change your Instagram password immediately.
For better security, enable two-factor authentication on your Instagram account.
Who viewed your Instagram account? And who stole your password?
22.3.2016 Zdroj: Kaspersky Hacking
Mobile applications have become one of the most efficient attack vectors, and one of the favorite methods of cybercriminals is the abuse of popular applications. Maybe you would think twice before installing any application that asks for the credentials you use to connect to your social networks, email accounts or cloud storage services?
Recently, a malicious application called “InstaCare – Who cares with me” was released via Google Play Store and App Store. David Layer-Reiss from Peppersoft, a mobile development company from Germany who discovered this threat, provided a good analysis on his blog.
This application serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; but in reality it abuses the authentication process to connect to Instagram.
In fact, it’s common for many applications to use API’s or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users as they can use the same credentials to authenticate with different applications and services.
The problem here is that this feature can be used maliciously for some applications to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.
This isn’t the first time that this has happened. Last year we published some blog posts outlining where attackers had used malicious applications or email campaigns. Either to steal the user’s credentials – Stealing to the sound of music; or just to get access to user information – Fraudsters can have rights, too; sometimes using popular applications as a cover – Del phishing al acceso persistente (Spanish).
This kind of strategy is very successful. In this particular case, the Android version of this application alone was installed on more than 100K devices with more than 20K reviews, most of them saying that you have to pay in order for it to work correctly.
As with Google Play, we can also find some users in the App Store complaining about problems after installing this app.
It is interesting that this application was able to pass the Apple security checks and was published without any problem, even though its controls are more restrictive, without mentioning that apparently this developer already had a history of having published a malicious application before.
Attack vector
This attack installs JavaScript code into the Submit button on the Instagram login page as soon as the page has finished loading.
This code gets the content of the input fields named “username” and “password” and stores it in the local variable named “str” with the pattern “<username>,-UPPA-,<password>”. After that, it calls the function “processHTML” which stores the collected data in a class variable.
Other information is also collected from the user’s device and sent to the C&C via a POST request.
The value of the parameter “hash” is the data shown in the image above plus the Instagram username and password. This value is encrypted with AES 128 and then encoded with base64. The encryption key is generated from the ID generated by the server.
Do you want to know who viewed your Instagram account? How about your password?
The iOS version also uses AES 128 but the block cipher mode used is CBC instead of ECB.
Consequently, it uses as Initialization Vector (IV) the string “IOS123SECRETKEYS”.
Once opened it forces the user to login to Instagram.
After that the username and password are sent to the server, as well as some metadata.
Since we have the ID, we can decrypt the content by using a modified version of the Java code published by David. We just need to modify the crypto class initialization
By inputting the content of the “hash” parameter, we can decrypt the data send and find out with information has been sent to the server. As expected, the Instagram username and password is also included in this list.
The username and password will later be used to post spam messages to the user’s Instagram account.
The threats mentioned in this blog post are detected by Kaspersky Lab products as HEUR:Trojan-Spy.AndroidOS.Instealy.a and HEUR:Trojan-Spy.IphoneOS.Instealy.a.
Conclusion
Mobile environments are one of the best targets for cybercriminals; they usually have access to email accounts, social networks, contacts and even the places you have visited.
The use of social networking is one of the best ways to distribute malicious content. We have to be aware of unknown applications that promise something that isn’t provided by the service that we are using. Usually, if the feature does not exist on the service website, it will be hard for third-party software to provide it.
Coming soon, Denmark’s intelligence presents the Danish Hacker Academy
21.3.2016 Hacking
The Danish intelligence agency PET (Politiets Efterretningstjeneste) plans to start its Danish hacker academy to fight threat actors in the cyberspace.
Denmark’s PET (Politiets Efterretningstjeneste), the country’s intelligence agency, announced last week plans to create a government ‘hacker academy’ in response to the need to improve country cyber security.
The Danish hacker academy is a hacking school that will train black hat hackers for offensive and defensive purposes starting from August 1, 2016.
The Danish security and intelligence service PET will recruit talented IT nerds interested in supporting the activities of the Danish Government in the cyber space. The PET is worried by the militarization of the cyberspace state, foreign governments could use cyber tools for offensive purpose aimed to cyber espionage and sabotage.
The Danish intelligence also plans to train its cyber army against terrorist organisations online.
The Danish Government has launched a media campaign using the following the slogan:
“Have you got what it takes to become a member of a secret elite unit?”
Danish hacker academy
Lars Findsen, the head of PET, is confident that Government experts could support the growth of talented nerds.
“This is not about fully-capable hackers – hopefully, there are not many of those out there, anyways – but about people who have the basic skills we can build on,” Findsen told Politiken.
The Danish hacker academy provides a training program includes three modules spread across four and a half months.
The first one is a basic module on the network and computer security, the second one is a module on defensive hacking, and the training closes teaching offensive hacking techniques to the participants.
The Danish hacker academy will be located in Copenhagen, but its location is still a mystery, all the participants that will successfully complete the training will be enrolled in PET’s Computer Network Exploitation team. But beware, only a privileged few will be selected annually.
“The selection process will be supervised by psychologists and PET’s own IT specialists and is based on the same recruitment process used for the elite commando frogman corps of the Royal Danish Navy.” states a post published by the PET online.
“Officially termed ‘network retrieval‘, in reality the recruits would be helping PET with cyber espionage against foreign powers, writes Politiken – a type of activity that would normally get you sent to prison.“
The experts at PET have no doubt, the Danish hacker academy will provide hacking excellences, high-skilled hackers that will form a new cyber army operating abroad and inside the country.
Hacking Tesla Model S, too much noise around a great research
21.3.2016 Hacking
Last week at the CeBIT the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures.
Last week at the CeBIT conference held in Hanover, the Lookout’s Co-Founder and CTO Kevin Mahaffey talked about hacking Tesla Model S providing indications on possible countermeasures. Unfortunately, many security professionals provided highlighted that Mahaffey has forgotten to mention half of his team, looking like he was taking the credit to himself.
These type of work made by researchers should be seen as “doing the world a service” since researchers are making cars more secure, of course, they are hacking them, but they are also finding solutions to the problems.
Tesla, besides having great cars, have also great policies that ensure that the car security is a company high priority, for this reason, they are encouraging the hacker community to hack their vehicles and disclose vulnerabilities they would find.
The reason why Kevin Mahaffey and Marc Rogers focused in hacking Tesla models, is that the company is making new model, build from scratch, and these type of cars will be common everywhere in the near future.
Even if everything made by Kevin and his team looks easy, it took them many years of research to get to the point in the presentation that they can “control” the Model S.
In the las year Kevin and Marc gave made a presentation at the DEFCON conference, the findings of their research helped Tesla to discover problems in his cars and contributed to improve the image of the company that is perceived by the experts as a research-friendly company.
Coming back to the presentation in CeBIT on hacking Tesla, many people took the title “Why I Hacked the Tesla Model S” and focused in the “I” part, looking like Kevin Mahaffey was pushing all the credit to himself.
CSO tried to reach Marc Rogers to talk about this problem, but Rogers declined to comment. No one at Lookout was aware of any problem related to the presentation or presentation title, and when the issue came to their attention, they blamed CeBIT.
In an e-mail a spokesperson of Lookout said:
“disappointing that CeBIT positioned Kevin and Marc’s research in such a way that excluded recognition of Marc’s extremely hard work.”
“It was absolutely a collaboration between the two of them and Kevin does make that clear in his CeBIT presentation,”
And if you see that presentation you know it’s true, at a certain point kevin says:
“Why did I undertake this research? It was myself Kevin Mahaffey and my research partner Marc Rogers, we’ve been working on this project for several years…”
In addition, Kevin showed a photo of Marc during the process of stopping the Model S.
In another e-mail exchange with CSO, Kevin says he offered an apology and stated that he feels terrible that Rogers would feel slighted by the incident.
Lookout says they were “caught the misleading title, and apologize failing to do so. “ and already asked CeBIT to correct the article/presentation.
Let me suggest see the interesting presentation made at the Cebit conference.
Hackers brought down the websites of principal Swedish Newspapers
21.3.2016 Hacking
The online editions of principal Swedish newspapers were knocked out for several hours by a cyber attack during the weekend.
The websites if a Swedish were shut down in the weekend due to an “extremely dangerous and serious” cyber attack.
The websites hit by the hackers are the Dagens Nyheter, Svenska Dagbladet, Expressen, Aftonbladet, Dagens Industri, Sydsvenskan and Helsingborgs Dagblad. The website went down on Saturday evening from about 19:00 GMT until about 22:00 GMT.
The news was confirmed by the head of the Swedish Media Publishers’ Association, Jeanette Gustafsdotter, in an interview with the Swedish news agency TT.
“To threaten access to news coverage is a threat to democracy,” she said.
At the time I was writing no one has claimed responsibility for the cyber attack and there are no details about the attacks. Experts speculate that threat actors coordinated a distributed denial-of-services (DDoS) attacks against the websites of the Swedish media agencies.
Immediately before the attacks a Twitter account posted the following messages:
“The following days attacks against the Swedish government and media spreading false propaganda will be targeted” tweeted @_notJ.
“This is what happends when you spread false propaganda. Aftonbladet.se #offline @Aftonbladet” states another Tweet.
The Swedish Police and the intelligence are investigating the case. According to several sources on the Internet, the attacks originated from Russia.
Security Researcher Goes Missing, Who Investigated Bangladesh Bank Hack
20.3.2016 Hacking
Tanvir Hassan Zoha, a 34-year-old security researcher, who spoke to media on the $81 Million Bangladesh Bank cyber theft, has gone missing since Wednesday night, just days after accusing Bangladesh's central bank officials of negligence.
Zoha was investigating a recent cyber attack on Bangladesh's central bank that let hackers stole $81 Million from the banks' Federal Reserve bank account.
Though the hackers tried to steal $1 Billion from the bank, a simple typo prevented the full heist.
During his investigation, Zoha believed the Hackers, who are still unknown, had installed Malware on the bank's computer systems few weeks before the heist that allowed them to obtain credentials needed for payment transfers.
With the help of those credentials, the unknown hackers transferred large sums from Bangladesh's United States account to fraudulent accounts based in the Philippines and Sri Lanka.
However, at the same time, Zoha accused senior officials at Bangladesh central bank of gross negligence and weak security procedures that eventually facilitated the largest bank heist in the country.
The Central bank's governor Atiur Rahman, along with two of his deputy governors, had to quit his job over the scandal, hugely embarrassing the government and raising alarm over the security of Bangladesh's foreign exchange reserves of over US$27 Billion.
However, when the investigation was still going on, Zoha disappeared Wednesday night, while coming home with one of his friends, according to sources close to Zoha's family.
While speaking to media in the wake of the massive cyber attack, Zoha identified himself as the ICT (Information and Communication Technology) Division's cyber security expert who had worked with various government agencies in the past.
Soon after Zoha's disappearance, the government officials put out a statement but did not provide more details besides the fact that they opened an investigation.
Zoha's family members suspect that the comments Zoha made about the carelessness of bank’s officials on the Bank heist to the press on March 11 are the cause of his disappearance.
Hackers stole data from the Swiss People’s Party
20.3.2016 Hacking
The Swiss People’s Party confirmed that they have been the target of hackers who have stolen the personal data of over 50,000 individuals.
A group of hackers, which calls itself NSHC, claims to have hacked the Switzerland’s largest party, the conservative Swiss People’s Party (SVP), and stolen the personal data of over 50,000 individuals.
The cracked archive includes the names and email addresses of Swiss People’s Party supporters.
The NSHC have hacked the Swiss People’s Party to raise awareness about Switzerland’s lack of protection against cyber attacks.
Representatives of the Swiss People’s Party confirmed to 20 Minuten daily that the systems of the party were hit by a cyber attack but.
“Apparently it’s hackers succeeded in the database of svp.ch penetrate and gain access to various data, including e-mail addresses. A group that calls itself NSHC and understood as ‘Grey Hats’ has, the editors received from inside-channels.ch she wanted to show the attack, that Switzerland is not sufficiently protected against cyber attacks.” reported the website inside-it.ch.
According to the inside-it.ch website, the NSHC hacker group also launched DDoS against several Swiss online shops and the Swiss Federal Railways website (SBB) this week.
“The Swiss Federal Railways website was hard to access on Monday afternoon for about an hour and in the evening for around one and a half hours due to a DDoS attack,” Swiss Federal Railways spokesman Daniele Pallecchi told to the Swiss news agency.
According to Pascal Lamia, the head of the government’s Reporting and Analysis Center for Information Assurance (also known as MELANI), the attack on the Swiss People’s Party is not linked with cyber attacks recently observed against small enterprises and online shops.
“There is no connection with the chopped SVP sites including the DDoS attacks on web shops,” said Lamia.
The experts at MELANI confirmed to have no news about the NSHC group.
MELANI suggests people and businesses to check whether their email addresses have been hacked though an online tool available at https://www.checktool.ch.
Anonymous claims to leak Trump ’s personal info under #OpWhiteRose
19.3.2016 Hacking
The Anonymous Hacker collective claims to publish Donald Trump’s personal information, including Social Security Number and addresses.
Alleged members of the Anonymous collective have leaked Donald Trump’s already public “private” phone numbers and other information online. The hackers have leaked also addresses, including the one of the Palm Beach residence in Florida, and social security number as part of the anti-Trump operation dubbed #OpWhiteRose.
Anonymous called the new campaign #OpWhiteRose, after a non-violent resistance group in Nazi Germany.
anonymous vs Donald Trump Operation WhiteRose
Rumors online confirm that members of Anonymous have data dumped Trump’s sensitive information, including detailed information about the Trump’s personal agent (Tracy Brennan) and legal representatives (Manatt Phelps & Phillips), whose phone numbers have now “gained publicity.”
“These are provided for informational purposes only,” states an Anonymous spokesman in a video published by the collective. “… That might be able to assist you all in independently investigating this would-be dictator.”
Analyzing the leaked data it is possible to note that released information was already publicly available, the Trump’s private phone number was shared by the presidential candidate in August on Twitter.
This week, Anonymous declared total war on Trump and his campaign, the hacker collective plans to coordinate a series of attacks on Trump’s web sites starting April 1, the April Fool’s Day.
“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”
“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said the Anonymous spokesman.
“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
A few weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.
The hacktivist group first threatened Trump with war in December, when he said he would look to ban all Muslims from entering the United States.
The data were published on Pastebit.
SCADA hacking – Hackers with ability to cut the power is a real threat
19.3.2016 Hacking
The Ukranian power blackout has demonstrated the worrying effects of the SCADA hacking, other countries like UK fear similar attacks.
All the warnings from security experts throughout the years have unfortunately been disregarded, when it comes to the hackers’ threats in strategical spots, such as that of power generation. As a result, hackers have acted according to their own agenda and they have taken the world by storm.
As a result, hackers have acted according to their own agenda and they have taken the world by storm. On 23 December 2015, Ukraine suffered from an overall power blackout and that caused great distress to the people. Prykarpattyaoblenergo lost more than 30 substations, causing havoc in return. And the most frustrating thing of them all: the power stations have not yet been completely fixed. The reason is that the malware used by hackers in Ukraine for the power outing erased key files.
What does this say about security online?
The reason is that the malware used by hackers in Ukraine for the power outing erased key files. What does this say about security online?
The malware used is called “Killdisk” and was the outcome of a well-organized effort to gain control over the computers of the stations. Files appeared to the people working for the power company, attached by their “friends” – making it easier for them to open. Instead of files sent by their friends, the malware was installed into the computers and caused all these grave consequences.
On the bright side, this must have taken a lot of time and therefore, it is not the main tactic used by hackers in similar cases. However, it is always possible to happen again!
The bad news is that there are alternative ways for hackers to get inside similar systems, according to Sergey Gordeychik, who helps with Scada Strangelove, the community of experts working on discovering the faults of ICS systems.
“We can discover more than 80,000 different kinds of ICS systems connected to the internet directly,” Gordeychik told the BBC.
As a result, the ICS systems do not have the power to defend themselves against an attack. This is really frustrating, as there are ways for them to enhance online security and avoid these phenomena. The purpose of Scada Strangelove, according to Mr. Gordeychik, aims at changing that:
“The main idea is to raise awareness and to force vendors to create more secure-by-design systems.”
UK infrastructure is being scrutinized by Crest these days, trying to identify such potential threats online. According to what Ian Glover from Crest said:
“The single biggest vulnerability is connecting poorly protected corporate IT to operational technologies,” and so this is where they have focused on. “It’s much easier to exploit the corporate IT because there are so many tools you can download and use to do that,”
Of course, the aim of every security researcher out there in the UK is to enhance online security and raise awareness on such a threatening phenomenon that could blow up the structure of a whole country within minutes. Although there is a reasonable ground of worrying about what can happen in case of SCADA hacking, proper capability and intent can lead to sufficient defense against hacking threats for the UK and the world – hopefully!
How to Make $100,000? Just Hack Google Chromebook
19.3.2016 Hacking
Yes, you could earn $100,000 if you have the hacking skills and love to play with electronics and gadgets.
Google has doubled its top bug bounty for hackers who can crack its Chromebook or Chromebox machine over the Web.
So if you want to get a big fat check from Google, you must have the ability to hack a Chromebook remotely, that means your exploit must be delivered via a Web page.
How to Earn $100,000 from Google
The Chrome security team announced Monday that the top Prize for hacking Chromebook remotely has now been increased from $50,000 at $100,000 after nobody managed to successfully hack its Chromebook laptops last year.
The Top bug bounty will be payable to the first person – the one who executes a 'persistent compromise' of the Chromebook while the machine is in Guest Mode.
In other words, the hacker must be able to compromise the Chromebook when the machine is in a locked-down state to ensure its user privacy.
Moreover, the hack must still work even when the system is reset.
"Last year we introduced $50,000 rewards for the persistent compromise of a Chromebook in guest mode," the Google Security Blog reads.
"Since we introduced the $50,000 reward, we have not had a successful submission. Great research deserves great awards, so we're putting up a standing [6-figure] sum, available all year round with no quotas and no maximum reward pool."
Bug bounties have become an essential part of information security and have been offered by major Silicon Valley companies to hackers and security researchers who discover vulnerabilities in their products or services.
Last year, Google paid out more than $2,000,000 in bug bounties overall to hackers and researchers who found bugs across its services – including $12,000 to Sanmay Ved, an Amazon employee, who managed to buy Google.com domain.
So Keep Hunting, Keep Earning!
Anonymous claims they Hacked Donald Trump ...Really?
18.3.2016 Hacking
The 'Hacktivist' collective group Anonymous claimed to have leaked personal details of the controversial US presidential candidate Donald Trump, including his Mobile Phone Number and Social Security Number (SSN).
Donald Trump
SSN: 086-38-5955
DOB: 06/14/1946
Phone Number: 212-832-2000
Cell/Mobile Phone Number: (917) 756-8000
The hacktivist group has declared war against Trump under a campaign with the hashtag #OpWhiteRose.
The White Rose Society was a non-violent resistance group in Nazi, Germany and was known for its anti-Nazi pamphlets and graffiti during World War II.
Anonymous posted a YouTube video Thursday afternoon in which a man in a Guy Fawkes mask says:
"Donald Trump has set his ambitions on the White House in order to promote an agenda of fascism and xenophobia as well as the religious persecution of Muslims through totalitarian policies.
He has proposed targeting family members of suspected terrorists for assassination, even while acknowledging they are innocent. It would only lead to more violence from those whose families were killed by the Trump regime.
Donald Trump is an enemy of the constitution and the natural rights it enshrines. We call on all of you and millions of others to take action against Donald Trump."
The hacker collective group also released what it claimed was Trump's personal details, including cell phone number and Social Security number.
Besides his personal details, the group also released Trump’s public information including his birth date, children’s names, and company address in addition to the identities of his agent and lawyer.
However, most of the information provided by Anonymous has been circulating on the Internet since at least late last year, including his New York cell phone number and an address on 5th Avenue in Manhattan.
In response to the video, Trump's campaign has issued the following statement:
"The government and law enforcement authorities are seeking the arrest of the people responsible for attempting to illegally hack Mr. Trump's accounts and telephone information."
Soon after posting the video, Anonymous issued a follow-up tweet, saying "Seems to be outdated information, take it with a grain of salt."
This is not the first time the group has declared war against Trump. Last December, Anonymous declared war against Trump following his radical speech stating he wanted to ban Muslims from entering the United States.
Man behind The Fappening case charged with hacking celebrity accounts
17.3.2016 Hacking
Pennsylvania man behind the Fappening case Charged with hacking Apple and Google e-Mail accounts belonging to more than 100 people.
The culprit of the popular Fappening case may have a name, the US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for hacking Apple and Google E-Mail accounts belonging to more than 100 people, mostly celebrities.
In September 2014, the FBI started an investigation after iCloud accounts of celebrities were hacked by unknowns that have stolen their pictures.
Immediately Apple denied that its iCloud platform was breached, instead, it explained that hackers obtained the images by hacking victims. A few days later, the consumer tech giant also announced that it would
A few days later, Apple announced the implementation of new features to improve the security of the iCloud service.
The list of victims is long and includes Jennifer Lawrence and Kim Kardashian, the hacker has stolen the private images of the celebrities and leaked their nude photos onto 4chan.
“A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.” states the press release issued by the DoJ.
Collins admitted his responsibility and signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act.
The man carried out spear phishing emails to the victims from November 2012 until the beginning of September 2014. In this way the man obtained the login credentials from its victims, then he illegally accessed their e-mail accounts to access sensitive and personal information.
The man behind the Fappening case focused his efforts to access nude pictures and videos from the victims, the DoJ announcement also revealed that in some circumstance he used a software to download the entire contents of the victims’ Apple iCloud backups.
“After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos, according to his plea agreement. In some instances, Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups.” continues the press release.
The case will be transferred from Los Angeles to Harrisburg in the Middle District of Pennsylvania, where Collins lives.
Collins will face a statutory maximum sentence of five years in federal prison, but the man reached an agreement for a recommendation of a prison term of 18 months.
“By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information,” David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said.
Other hackers have been already charged for hacking celebrities’ email accounts, in December 2015, Alonzo Knowles, aka “Jeff Moxey,” has been charged after allegedly hacking into the email accounts belonging to 130 celebrities stealing personal information, movie scripts and sex tapes.
'The Fappening' Hacker Reveals How He Stole Nude Pics of Over 100 Celebrities
16.3.2016 Hacking
Almost one and a half years ago after the massive leakage of celebrities' nude photographs — famous as "The Fappening" or "Celebgate" scandal — a man had been charged with the Computer Fraud and Abuse Act, facing up to 5 years in prison as a result.
The US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for illegally accessing the Gmail and iCloud accounts of various celebrities, including Jennifer Lawrence and Kim Kardashian, and leaked their nude photos onto 4chan.
Social Engineering Helped Hacker Stole Celebs' Nude Pics
Collins was trapped by the Federal Bureau of Investigation (FBI) and in the process of the trial, the hacker revealed that…
The Fappening did not involve Apple's iCloud services being compromised through password cracking or brute-forcing, but rather it was the result of simple Social Engineering, in the form of Phishing Attacks.
Yes, The Fappening scandal was the result of Social Engineering tricks, while we believed that Apple's iCloud services had targeted under brute-force password hacking attacks.
At the time when the celebrities' nude images were circulating online, Apple denied that its iCloud service was hacked and claimed that the hacks were more likely to be a phishing scam. So this was actually the case.
Collins was engaged in Phishing schemes between November 2012 and September 2014, when he hijacked more than 100 celebs' accounts using fake emails disguised as official notifications from Google and Apple, asking victims for their usernames and passwords.
Hacker Used iBrute to Download iCloud Backups
Once done, Collins then used this information to access 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebs, and in most cases used specialized 'brute force' software program iBrute to illegally download the contents of their iCloud backups and look for more data, including nude photos of celebrities.
Collins admitted only to hacking celebrities accounts, but not to uploading their naked photos online.
However this does not mean Collins did not leak those photographs, but the hacker negotiated a lighter guilty plea, allowing United States authorities to close the investigation faster.
Collins has not been sentenced yet but faces a maximum sentence of 5 years in prison for his crime, along with fines of up to $250,000. However, according to a plea agreement, the prosecution will recommend the judge an 18-month prison sentence.
Dear Donald Trump Anonymous plans to destroy your campaign starting April 1
16.3.2016 Hacking
Anonymous has declared war on Donald Trump, the hacking collective will start a new powerful campaign starting April 1.
The hacktivists have already expressed their disappointment on the presidential candidate’s controversial campaign rhetoric that resulted in a series of a series of attacks.
The attack against Trump started in 2015 when Anonymous defaced the website Trump.com with a tribute to Jon Stewart.
“Mr Stewart, we at @TelecomixCanada would like to take this opportunity to thank you for the many happy years of quality journalism and entertainment you and your team have undertaken at Comedy Central,” reads a letter on Trump’s site.
In December, the reprisal became more intense following the Donald Trump’s call for a sweeping ban on Muslims entering the United States soil. Trump’s declaration raised the protest around the world from politicians, hacktivists, to ordinary citizens.
anonymous Donald Trump 2
Anonymous has joint in the protest, declaring war against the presidential candidate, the hackers published a video message announced their operation against the campaign of the US billionaire.
“Donald Trump, it has come to our attention that you want to ban all Muslims to enter the United States. This policy is going to have a huge impact. This is what ISIS wants. The more Muslims feel sad, the more ISIS feels that they can recruit them. Donald Trump, think twice before you speak anything. You have been warned, Donald Trump.” states the Video Message.
The group officially launched the #OpTrump hacking campaign against Donald Trump, a DDoS attack hit the website for New York City’s Trump Towers and the website remained offline for hours.
Now Anonymous has announced a new initiative against Donald Trump and his campaign, the collective plans to coordinate a series of attacks on its websites starting April 1.
The group announced its re-engagement of “OpTrump” in a video message, the collective wants to synchronize the efforts of the numerous collectives against Donald Trump and his electioneering organization.
The Anonymous spokesman in the video motivated the planned attacks as a response to the Donald Trump’s “appalling actions and ideas” in conducting the presidential campaign.
“We have been watching you for a long time and what we’ve seen is deeply disturbing. You don’t stand for anything but your personal greed and power.”
“This is a call to arms. Shut down his websites, research and expose what he doesn’t want the public to know. We need you to dismantle his campaign and sabotage his brand.”“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
“We need to dismantle his campaign and sabotage his brand,” said Athe nonymous spokesman.
Of course, Trump is aware that is a target and hired experts to protect his campaign.
We have to consider that today Internet is the privileged instrument of politicians and any kind of interference with online activities of the candidates could have unpredictable effects on the final voters’ decision.
A couple of weeks ago, alleged members of the Anonymous group hacked the Donald Trump ‘s voicemails. Journalist at Gawker received an email by the hackers containing recordings from Donald Trump ‘s voicemail inbox.
Let’s see what will happen.
Crooks expoit Oman websites in typosquatting attacks
15.3.2016 Hacking
According to experts at EndPoint security firm, crooks are buying many .om domains to carry on typosquatting attacks.
Crooks are buying many .om domains to carry on typosquatting attacks. According to experts at EndPoint security firm, crooks are buying many .om domains with the purpose to fool clumsy users that mistype .om instead of .com .
Security researchers say that the .om domain from the country Oman are being exploited in typosquatting attacks and that more than 300 domains were bought and are using US company names, like Citibank, Dell, Macys and Gmail.
“Our research revealed that there is at least one major .om typosquatting campaign targeting many of the world’s largest organizations. It has already targeted over 300 well-known organizations, including Netflix, and given the spike in activity in February, is likely to only attempt to expand its reach in March.” states the blog post published by the security firm.
Mac OS X users are being targeted to be fooled by the typosquatting campaign and trick them to install malware, when they mistype a website and end up in a page where a fake Adobe Flash update pops up, and the user is tempted to install “flash” update, but in fact its installing the Genieo, an advertising component.
“[the victim] mistyped the domain “www.netflix.com” as “netflix.om” in his browser, accidentally dropping the “c” in “.com”. He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully.” continues the the post. “His browser was immediately redirected several times, and eventually landed on a “Flash Updater” page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups. “
Genieo is an adware / malware that usually poses as an Adobe Flash update, as a said previously, once the person clicks on it, it will drop an OS X DMG container. Once clicked on the DMG file, Genieo will install an extension in various supported browsers.
In the case of a Windows, user who visits one of the websites used by typosquatters , they will be redirect to an ad network where they are inundate with ads, like surveys, free electronics, antivirus products, and so on, all leading the user to download and execute something.
“Destination web pages will almost assuredly be riddled with advertisements, surveys to complete for free electronics, or scareware tactics to entice users to download and execute an antivirus suite that leads to further headaches and intrusive advertising,” Dufresne from Endgame told to Threatpost:
“We haven’t seen this escalate beyond typosquatters pushing the well-known Genieo malware and ad networks,”
“But given the volumes of misdirected traffic to .om, this could be used as an effective tool to distribute much more serious threats,”
In the investigation conducted by Endgame, 334 .om sites were analyzed, and looking to the registration pattern, 15 different hosting providers were used and many of the websites are hosted in providers located in New Jersey.
“Very unsurprisingly, the software stack on these servers was uniform,” said Duffresne, and he also added that many of the servers behind the domains have unpatched vulnerabilities meaning that they could allow remote access:
“These hosts could easily be exploited by other actors to serve up alternate (possibly worse) malicious content than what’s currently being served,”
The problem is that .om domain is country code top-level domain, also called ccTLD, this means that ccTLDs are not related with an internet corporation for Assigned Names and Numbers and disputes need to be solved by using local laws of Omar.
I strongly suggest you pay attention when typing the URL of a specific website, unfortunately, a great number of .om websites are already used by crooks for illegal activities.
If you are interested of the entire list of suspicious domains give a look here.
Here's How Hackers Stole $80 Million from Bangladesh Bank
15.3.2016 Hacking
The recent cyber attack on Bangladesh's central bank that let hackers stole over $80 Million from the institutes' Federal Reserve bank account was reportedly caused due to the Malware installed on the Bank's computer systems.
Few days ago, reports emerged of a group of unknown hackers that broke into Bangladesh's central bank, obtained credentials needed for payment transfers from Federal Reserve Bank of New York and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.
The criminal group was able to steal a total value of about $81 Million from the Federal Reserve's Bangladesh account through a series of fraudulent transactions, but a typo in some transaction prevented a further $850 Million Heist.
However, the question was still there:
How the Hackers managed to transfer $80 Million without leaving any Trace?
Security researchers from FireEye's Mandiant forensics are helping the Dhaka investigators to investigate the cyber heist.
Investigators believe unknown hackers installed some type of malware in the Bangladesh central bank's computer systems few weeks before the heist and watched how to withdraw money from its United States account, Reuters reports.
Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.
The malware in question could be a potential Remote Access Trojan (RAT) or a similar form of spyware that gave attackers the ability to gain remote control of the bank's computer.
The investigators suspect the hack could have exploited a "zero-day" flaw as they are unknown to vendors as well.
After this, the hackers were able to steal the Bangladesh Bank's credentials for the SWIFT messaging system, a highly secure financial messaging system utilized by banks worldwide to communicate with each other.
"SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank," Belgium-based SWIFT said in a statement Friday. "SWIFT's core messaging services were not impacted by the issue and continued to work as normal."
Security experts hope that the malware sample will be made available to the security researchers soon so that they can determine whether the sample was truly advanced, or if Bangladesh Central Bank's security protection was not robust enough to prevent the hack.
The Bangladesh Bank discovered weaknesses in its systems, which could take years to repair the issues though the Federal bank has denied any system compromise.
Anti-DDoS Firm Staminus HACKED! Customers Data Leaked
14.3.2016 Hacking
Staminus Communications – a California-based hosting and DDoS (Distributed Denial of Service) protection company – is recovering a massive data breach after hackers broke down into its servers and leaked personal and sensitive details of its customers.
Though the company acknowledged that there was a problem in a message posted to Twitter on Thursday morning, it did not specify a data breach.
Staminus's website went offline at 8 am Eastern Time on Thursday, and on Friday afternoon, a representative said in a Twitter post that "a rare event cascaded across multiple routers in a system-wide event, making our backbone unavailable."
What type of information?
The dump of information on Staminus' systems includes:
Customer usernames
Hashed passwords
E-mail addresses
Customer real names
Customer credit card data in plain text
Customer support tickets
Server logs data
Chat logs
Source code of some of the company's services including Intreppid
Staminus' main database
Database of one of Staminus' clients, the Ku Klux Klan (KKK)
The data was posted on the Internet Friday morning, and some Staminus customers who wish to remain anonymous confirmed that their data was part of the leaked data dump.
However, the company says it does not store or collect its customers' Social Security numbers (SSNs) or tax IDs, so they are safe from the data breach.
What happened?
The Staminus data breach occurred after hackers infiltrated the company's server backbone, seized control of Staminus' routers and then reset them to factory settings, which effectively brought down the company's entire network.
The hackers also stole the company's database and dumped it online. Links to downloads of the internal Staminus data were published in a file sarcastically headlined, "TIPS WHEN RUNNING A SECURITY COMPANY," detailing the security holes (given below) found during the data breach:
Use one root password for all the boxes
Expose PDU's [power distribution units in server racks] to WAN with telnet auth
Never patch, upgrade or audit the stack
Disregard PDO [PHP Data Objects] as inconvenient
Hedge entire business on security theatre
Store full credit card info in plaintext
Write all code with wreckless abandon
How many customers affected?
Although the total number of victims has not been known yet, Forbes reported that the data breach included at least 15 gigabytes worth of data belonging to Staminus.
Security researcher Nathan Malcolm from Sinthetic Labs told the publication that he analysed the data dump and found unencrypted credit card numbers, expiry dates and CVVs for as many as 1,971 Staminus customers.
What was the motive for the breach?
Potential motives for hacking Staminus are quite easy to figure out.
Staminus' clients include the white supremacist group Ku Klux Klan (www.kkk.com). The company also hosts several IRC (Internet Relay Chat) channels for large-scale DDoS attack services, Krebs noted.
What was the company's response?
Staminus CEO Matt Mahvi published the following statement on the Staminus website (which again went offline), confirming the data breach.
"We can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password."
Staminus' website came back online and believed to be wiped clean, but at the time of writing the website is still unavailable.
What victims should do?
Staminus customers are recommended to review their credit card statements carefully and to report any unauthorized bank transactions.
Meanwhile, Staminus has also advised its customers to reset all their account passwords once the service is fully operational once again.
The leader of the Team GhostShell collective revealed his identity
14.3.2016 Hacking
G.Razvan Eugen is a 24 year-old Romanian that claims to be the founder of the collective Team GhostShell that hacked numerous entities worldwide.
Do you remember the notorious Team GhostShell hacking crew?
GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.
Three years ago the group launched its last attack, we had no news about the popular hackers since 2015 when the Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.
Now the TheNextWeb was approached by a man claiming to be the leader of the popular hacker collective. The man used the name ‘White Fox’ and a generic Yahoo email address.
The moniker White Fox is not new, in 2012, GhostShell Team claimed responsibility for a number of attacks conducted under the operation dubbed #ProjectWhiteFox.
The hackers leaked roughly 1.6 million records and accounts from a wide range of companies operating in different sectors such as aerospace, nanotechnology, banking, law, military, education and government. Below the list of the targets hacked by the hacktivits:
The European Space Agency
NASA’s Engineers: Center for Advanced Engineering
Federal Reserve
The Pentagon
Credit Union National Association (CUNA)
Crestwood Technology Group – CTG123
Bigelow Aerospace
California Manufacturers & Technology Association – CMTA.net
Aerospace Suppliers
World Airport Transfers
General Dynamics Defense Systems – GD-OtsCanada
Zero-Max – Manufacturer of parts
MicroController Shop
Jp Chem eData
Human Security Gateway
NanoConference
Hamamatsu
HMI CronPowder
Defense Contractor for the Pentagon – DPAtitle3
Business Consultancy dealing mostly with military personnel – Drum Cussac
Institute of makers of explosives – IME
Texas Bankers
After a first contact, the journalist Emil Protalinski was added by the man to an email list that included other cyber security journalists from principal online magazines.
Then the man revealed his true identity, his name is G.Razvan Eugen, a 24 year-old Romanian and he claims to be the founder of the Team GhostShell
Eugen demonstrated to be a member of the Team GhostShell by providing evidence of access to the Pastebin account used by the hacking group, the same used by the official GhostShell Twitter account (@TeamGhostBin) to leak stolen data before it was suspended by Twitter.
Eugen also gave information about the private @DeadMellox Twitter account he had been using to communicate for several years and other email accounts he used while was leading the group.
“Overall, we can’t with 100 percent certainty say that Eugen’s claims are correct, and that he is indeed GhostShell, but the case is pretty compelling.” wrote the TNW
“I just want to own up to my actions, face them head on and hope for the best. What I really want is to continue being part of this industry. Cybersecurity is something that I enjoy to the fullest even with all the drama that it brings and legal troubles.
In return I hope other hackers and hacktivists take inspiration from this example and try to better themselves. Just because you’ve explored parts of the internet and protested about things that were important to you doesn’t mean you should be afraid and constantly paranoid of the people around you.” Eugen told to the journalist.
Eugen added that “[other Team GhostShell members] were never directly involved in the main projects/leaks. 99 percent of them are from me.”
The Eugen coming out is very risky, he risks several years in prison … let’s see what will happen.
Hacking mechanic’s workshop to infect cars
14.3.2016 Hacking
Hacking mechanic’s workshop to infect cars, this is the concept behind a new attack technique devised by the hacker Craig Smith.
It might seem far-fetched, it looks like the hacker Craig Smith was able to design a malicious code that could infect computers used in the mechanic’s workworkshop, and these machines can later start infecting other vehicles that are going for service.
Craig Smith is the founder of the Open Garages, a Vehicle Research Labs (VRL) focused around understanding the increasingly complex vehicle systems. He spends a lot of his time, warning car makers that there is a need to open up their software to owners, to allow them to modify their cars, he is also a member of the I Am The Calvary initiative.
During 2015, Craig Smith presented the world a proof-of-concept code that allows an attacker to infect the car with a malware that could be used also to compromise the computers at the repair workshops. Smith continued to work on his own attack and now the malware used in his proof-of concept was improved in terms of machine learning capabilities. The expert claims that now an attacker without a deep knowledge could use the malware and launch successfully attacks.
“These (mechanics) tool have the codes to read and write firmware and if it is compromised by a malicious car it can modify the firmware of other cars that come in afterwards,” Smith told Vulture South at the Nullcon security conference in Goa, India, as reported by El-Reg.
“There are easier ways to compromise a car dealership – shoddy wifi, whatever – but this is the kind of thing that needs to be considered by anyone making these tools.”
How does the malware work?
The malware uses a learning mode, to monitor traffic between the Workshop’s computer and the car, and finds out potential modules. Modules where the diagnosis tool was able to contact with success are in blue, and all the findings are saved to a .ini file, alongside with the captured packets.
“It sorts through all the complex stuff for you and just highlights the packets and as a a researcher that is really useful.”
After the learning mode, the malware can switch to the attack mode, and starts fuzzing the information got in the learning mode,
“Everything is point and click up to this point so if there’s a crash you’re going to have to go and figure out what caused it,”.
Even if many details are missing, we can understand that this proof-of-concept if applied to the real word, can be create a lot of damaged if in the wrong hands.
Car makers need to do a bigger effort in allowing hackers to work with them towards understanding their software, and in my opinion maybe even allowing a restrict group of security professions to have full access to cars maker’s software to assess it and find security vulnerability before black hat do it.
Typos stopped hackers stealing $1bn from Federal Reserve Bangladesh account
13.3.2016 Hacking
Hackers who allegedly infiltrated the Federal Reserve Bangladesh’s account were attempting to steal almost $1 billion, but typos thwarted the plan.
This week the principal news agencies shared the news of the hack of the Bangladesh account at the Federal Reserve Bank of New York.
The Bangladesh’s Finance Minister Abul Maal Abdul Muhith accused the U.S. Federal Reserve of the theft of at least $81 million stolen from the Bangladesh’s account. The Government of the Bangladesh is threatening the US for a legal fight to retrieve the funds, explained Muhith in a press conference held in Dhaka on Tuesday.
The central bank of Bangladesh declared the funds had been stolen from an account by hackers, the experts had traced some of the missing funds in the Philippines.
In reality the hackers tried to steal much more, they tried to complete dozens of transfers for an overall amount of $850 million.
The disaster was avoided by accident because the bank’s security systems and typos in some requests allowed the identification of the theft attempts, investigators discovered that hackers failed 35 transfer attempts.
“$81 million was transferred from the Federal Reserve Bank to Filipino accounts while attempts to claim $850 million were foiled by the Federal Reserve Bank’s security system,” Razee Hassan, deputy governor of Bangladesh Bank, told AFP.
“Attempts to transfer money to Sri Lanka by the hackers were foiled as their transfer requests contained typos,” he added.
The hackers exploited gaps in communication between banks at weekends, the operation started on a Friday because the Bangladesh Bank is closed, on the following days, Saturday and Sunday, the Fed Bank in New York was being closed.
Federal reserve New York hack
The choice of the Philippines as the landing country for the bank transfers was not casual, banks were also closed on the Monday due to the Chinese New Year.
While the central bank of Bangladesh is blaming Chinese hackers, the Fed is denying the security breach of security took place.
On Monday, a spokeswoman for the US Federal Reserve Bank of New York confirmed there was no evidence of a security breach, neither that the Bangladesh Bank account had been hacked.
Currently, the US Fed and the Bangladesh Government are still investigating the incident.
The Federal Reserve Bank of New York wrote still continues to deny any evidence of attempts to hack into the Federal Reserve systems:
How a Typo Stopped Hackers from Stealing $1 Billion from Bank
12.3.2016 Hacking
Typos are really embarrassing, but this time it saved the Bangladesh Central Bank and the New York Federal Reserve by preventing a nearly $1 Billion (£700 Million) heist.
Last month, some unknown hackers broke into Bangladesh's central bank, obtained credentials needed for payment transfers and then transfer large sums to fraudulent accounts based in the Philippines and Sri Lanka. But…
A single spelling mistake in an online bank transfer instruction prevented the full theft, according to Reuters.
Here’s what actually was happened:
Nearly three dozen requests hit the Federal Reserve Bank of New York on 5 February using the Bangladesh Bank's SWIFT code, out of which four resulted in successful transfers, for a total value of about $81 million.
However, when the hackers attempted to make their fifth transfer of $20 Million to a Sri Lankan non-governmental organization called the Shalika Foundation, they made a typo by attempting a transfer to the Shalika "Fandation."
Staff at Deutsche Bank, which was involved in routing funds, spotted this spell error and got asked the Bangladeshis for clarification on the typo. The Bangladesh bank then canceled the remaining transfers.
The Federal Reserve Bank of New York also queried the Bangladesh central bank after spotting the large number of transfer of funds to private accounts at around the same time.
The hackers, who are still unknown, had been attempting to steal a further $850 Million from the Bangladesh government’s reserve account, but typo in the requests prevented the full theft.
The $81 Million of transfer that was successfully made has not been recovered, but the typo saved the Bangladeshis because if all the fund transfers were made successfully thieves would have made off with $950 Million.
The attack happened between February 4 and 5 and originated from outside the country. Moreover, the hackers are still unknown and officials said there is not much hope of catching them.
Meanwhile, the Bangladesh central bank says the Federal Reserve should have stop the transactions. The bank is planning to file a lawsuit against the Federal Reserve in order to recover some of the funds that were lost.
ISPs Sell Your Data to Advertisers, But FCC has a Plan to Protect Privacy
12.3.2016 Hacking
FCC wants ISPs to get customer permission before sharing personal data
The Federal Communication Commission (FCC) has put forward a proposal that aims to protect Internet user's privacy.
The proposal [pdf] will regulate the amount of customers’ online data the Internet Service Providers (ISPs) are able to collect and sell to the advertising companies.
Currently, there is no particular rule by law covering broadband providers and customer privacy, and if adopted, this would be the first privacy rule for ISPs.
The FCC already governs how phone companies can use and resell customer data, and the Chairman Tom Wheeler believes similar rules should be applied to ISPs.
Is Your ISP Tracking Your Web Surfing and Selling Data to Advertisers?
Your complete Internet traffic passes through your Internet Service Provider, which gives it the ability to access to vast and potentially lucrative amount of your web-browsing activity.
If you are using a mobile phone, your ISP can also track your physical location throughout the day in real time.
ISPs are using Deep packet inspection to stealthily gather and store information about their customers’ surfing habits – including:
Search queries
Web sites visited
Information entered
What apps they use
…and then later Advertising companies serve advertisements based on those behaviors.
The proposed set of rules include a requirement that ISPs clearly disclose what data they collect on their users, and share that collected data with other companies for advertisements, marketing or other purposes.
The rules will not prohibit ISPs from using the personal data they collect from their users, "only that since it is your information, you should decide whether they can do so," FCC Chairman Tom Wheeler wrote. "This isn’t about prohibition; it’s about permission."
The proposed rules will be debated during the FCC's March 31 meeting, and if approved would go out for public comment.
The proposal would create some of the strongest privacy regulations and give consumers control over how ISPs can use their data.
ISIS – Disclosed thousands of files reporting the identity of 22,000 Jihadis
10.3.2016 Hacking
A former ISIS member has stolen and disclosed thousands of documents reporting the identity of 22,000 Jihadis and other important information.
Thousands of documents reporting the identity of 22,000 Jihadis are handed to Sky News by a former member of the ISIS radical organisation. The documents contain 22,000 names, addresses, telephone numbers and family contacts of ISIS members.
Sky News has obtained a memory stick containing the files that were stolen from the head of Islamic State’s internal security police. The man who stole the memory stick was a former Free Syrian Army convert to Islamic State who calls himself Abu Hamed.
“Disillusioned with the Islamic State leadership, he says it has now been taken over by former soldiers from the Iraqi Baath party of Saddam Hussein.” states SkyNews.
The journalists met him in a secret location in Turkey, the man revealed that the IS was giving up on its headquarters in Raqqa and moving into the central deserts of Syria and ultimately Iraq.
The list of the ISIS members includes militants from more than 51 countries, including the UK. The document is a sort of IS registration form composed of 23 questions that wannabe members had to fill with their personal information.
There are many previously unknown European jihadis in the documents, as well as IS members from the Middle East, North Africa, United States and Canada.
Many names are already known to the Western Intelligence, anyway the presence of the documents online is very important for different reasons. It is essential to understand who really, and how, has obtained the documents.
One of the documents, titled “Martyrs,” includes a list of members ready to carry out suicide attacks, these terrorists have been already trained for such kind of operations.
We cannot exclude that they could be also part of a diversionary strategy of the IS group.
“Abdel Bary, a 26-year-old from London joined in 2013 after visiting Libya, Egypt and Turkey. He is designated as a fighter but is better known in the UK as a rap artist. His whereabouts are unknown. Another jihadi named in the documents, now dead after being targeted in a drone strike, is Junaid Hussain, the head of Islamic State’s media wing who along with his wife former punk Sally Jones, plotted attacks in the UK. Her whereabouts are unknown.” states the post published by SkyNews.
“Reyaad Khan from Cardiff, who also entered in 2013, is also among those found among the registration forms. He was well known for appearing in a highly produced Islamic State propaganda video. He was later killed.”
SkyNews confirmed that many jihadis passed through a series of jihadi “hotspots,” including Yemen, Sudan, Tunisia, Libya, Pakistan and Afghanistan. In any cases, they were able to enter the territory controlled by the IS, join the fights and return home.
The documents are a mine of information for the intelligence, they include many telephone numbers likely belonging to the family members and the jihadis.
The man that disclosed the documents sustains that today the IS has no rules, he doesn’t share the ideology that today is animating the group, so decided to quit the ISIS. He also made another shocking revelation, according to Abu Hamed the ISIS organisation is secretly working with The Kurdish YPG and the Syrian Government to persecute the Syrian opposition.
Also the news portal Zaman Al Wasl (zamanalwsl.net) claimed to have in exclusive 1736 documents revealing ISIS jihadists personal data, it also published it.
“Two thirds of ISIS manpower are from Saudi Arabia, Tunisia, Morocco and Egypt. 25% of ISIS fighters are Saudis, the data disclosed. While Turkish fighters are taking the lead among ISIS foreign fighters, French fighters come next. Syrians are just 1.7 % of the total number of fighters. The Iraqis make 1.2. ” states the Zaman Al Wasl that analyzed the documents it obtained.
Hacker Reveals How to Hack Any Facebook Account
8.3.2016 Hacking Social Site
how-to-hack-facebook-account
Hacking Facebook account is one of the major queries of the Internet user today. It's hard to find the way to hack into someone Facebook account, but a Facebook user just did it.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.
Here's How the Flaw Works
The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Video Demonstration
Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:
Here's the culprit:
As Prakash explained, the vulnerable POST request in the beta pages is:
lsd=AVoywo13&n=XXXXX
Brute forcing the 'n' successfully allowed Prakash to launch a brute force attack into any Facebook account by setting a new password, taking complete control of any account.
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and had paid him $15,000 as a reward considering the severity and impact of the vulnerability.
Hacker arrested for ATM Skimming escaped from Prison
8.3.2016 Hacking
Hacker arrested for ATM Skimming escaped Prison
A Romanian card skimmer arrested for being part of an international cybercrime group that used malware to plunder US$217,000 from ATMs has escaped from a Bucharest prison on Sunday morning (6th March).
Renato Marius Tulli, 34, was being held at Police Precinct 19 in Bucharest, the capital of Romania, after being arrested together with 7 other suspects as part of a joint Europol, Eurojust, and DIICOT investigation on January 5, 2016.
Tulli was part of a criminal gang specialized in robbing NCR-based ATMs.
According to the federal authorities, the gang allegedly used a piece of malware, dubbed Tyupkin, to conduct what's known as Jackpotting attack and made Millions by infecting ATMs across Europe and beyond.
Using Tyupkin malware, the criminals were able to empty cash from infected ATMs by issuing commands through the ATM's pin pad.
Authorities announced on Monday that Tulli escaped with Grosy Gostel, 38, a man held for robbery charges, while both of them and other prisoners were out in the precinct's yard taking their daily outdoor break, local media report.
Though Police caught Gostel, ATM malware man Tulli remains on the run.
The ATM hacker and robber managed to cut a hole in the police precinct's fence and then jumped an outer fence at the police station without being noticed by the two officers that were keeping watch.
The 2 Police officers that were on duty that day are now investigated on charges of negligence.
Tulli and his criminal gang raided ATMs between December 2014 and October 2015 in countries including Romania, Hungary, Spain, the Czech Republic, and Russia. Europol estimates the group caused damages to banks of around US$217,000 (€200,000).
Tyupkin malware the gang used has been upgraded in recent months. The malware is now dubbed as GreenDispenser and is being used to target ATMs across Mexico.
'Guccifer,' who Hacked former President, to be extradited to the US
8.3.2016 Hacking
Upon the request of US authorities, Marcel Lazar Lehel, well known as Guccifer, has finally been approved to extradite to the United States to face Computer Intrusion and Identity Theft Charges for 18 months.
Guccifer is an infamous Romanian hacker who was arrested in Romania for hacking into the emails and social networking accounts of numerous high profile the US and Romanian Politicians.
Romania's top court has approved a request by US authorities to extradite Guccifer to the United States, a source within Romania's DIICOT anti-organized crime and terrorism unit told Reuters.
Guccifer's well known political targets included:
Bill Clinton (Former President)
Hillary Clinton (U.S Presidential Candidate)
George W. Bush (Former U.S. President)
Colin Powell (former U.S. Secretary)
George Maior (chief of the Romanian Intelligence Service)
John Tenet (State Director of Central Intelligence for the United States CIA)
Richard Armitage (Republican politician)
Lisa Murkowski (U.S. Senator and former Secret Service Agent) and many more.
Guccifer rose into the popularity in 2013 after hacking into the email account of George W. Bush and leaking Bush's personal photographs and artwork, including two self-portraits: one in the shower and one in the bathtub.
The same hacker was responsible to crack into the AOL Account of Bush’s Sister, Dorothy Bush Koch and targeted a number of high-profile celebrities, including Nicole Kidman, Comedian Steve Martin, Actor Leonardo DiCaprio, Actress Mariel Hemingway, 'Sex and the City' author Candace Bushnell, Biographer Kitty Kelley, released some of Hillary Clinton's private emails and many more.
The 42-year-old hacker had also claimed that Bush was a member of Ku Klux Klan – a White Supremacist Racist group by the Anti-Defamation League and the Southern Poverty Law Center, allegedly having total 5,000 to 8,000 members.
This intensified leakage had caused many repercussions on many topics like the romantic relationships between Colin Powell and Corina Cretu (Romanian Politician), even though both denied the statement.
If you want to explore more about the Guccifer Leaks, you may visit the site named 'The Smoking Gun' to which he published the leaked contents (don't expect a Wikileaks model).
Guccifer was serving as a Taxi Driver when Romania's DIICOT anti-organized crime and terrorism unit arrested him. He kickstarted his career as a Hacker at the age of 35.
According to his wife, Guccifer did most of his hacking from the quiet Sâmbãteni, which is located in the Draculan Village Transylvania.
Guccifer was sentenced for intrusion charges to popular profiles by the Romanian court to four years in jail in 2014 "with the aim of getting ... confidential data" and is serving another three-year term for other offences.
Expert discovered how to hack any Facebook account
8.3.2016 Social Site Hacking
A security researcher has discovered a Facebook password reset vulnerability that allowed him to brute force into any FB account.
The security researcher Anand Prakash has discovered a password reset vulnerability affecting Facebook. The critical vulnerability could be exploited by attackers to hack into any FB account launching a brute force attack.
“This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.” wrote the researcher in a blog post.
The critical flaw resides in the way Facebook’s beta pages handle “Forgot Password” requests. When a user forgets the password, Facebook allows him to get back into your FB account through the ‘Forgot Password’ procedure. Facebook sends a 6 digit code on a user’s phone number or email address. After you enter this code in the window, you are able to access your FB account and reset your password.
The user then submits the code to access his FB account and reset the password.
Prakash tried to find security holes in the Facebook’s Forgot Password procedure. He tried to brute force the 6 digit code in the ‘Forgot Password’ window, he discovered that it is possible to make just 12 attempts before being locked out.
Prakash tried to perform the same operation on the Facebook beta pages, beta.facebook.com and mbasic.beta.facebook.com. He then discovered that there is no limit on the number of attempts for these two Facebook beta pages. The absence of a limitation, allowed the researcher to launch a brute force attack into any Facebook account.
The vulnerable request illustrated by the researcher is:
POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
Brute forcing the “n” successfully allowed Prakash to set a new password for any Facebook user.
Prakash reported the vulnerability to Facebook on February 22, 2016, the security team acknowledged the flaw and deployed a fix on February 23.
Facebook awarded Prakash a bug bounty of $15,000, below the Video PoC published by the expert:
Real pirates used hacking techniques to raid a shipping company
4.3.2016 Hacking
Real pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks. Technology meets Piracy.
The technology is enlarging our surface of attack in a dramatic way, every company in every industry is potentially a target. Let’s discuss today of a singular case that demonstrates it, pirates have hacked into a shipping company to locate valuable cargo before hijacking vessels in targeted attacks.
The criminal organisation breached the content management system (CMS) of the unnamed shipping company to determinate the exact position of containers having the most valuable cargo.
This is a considerable advantage for the traditional piracy, in the past criminals had patrol boats using scanners to locate the precious commodities. By obtaining the location of the valuable cargo, it makes easier and faster hijacking the vessels.
The case was also reported in the Verizon’s Data Breach Digest addendum report.
“However, in recent months, the pirates had changed their tactics somewhat, and in a manner that the victim found extremely disconcerting. Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a shipping vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers. It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident. Fast, clean and easy.” states the report.
In the specific case, the hackers made a number of OPSEC mistakes that exposed their identity to the investigators, for example, they failed to protect the traffic to the compromised server.
HMAS Melbourne's boarding party intercepts a suspected pirate boat. *** Local Caption *** Royal Australian Navy ship, HMAS Melbourne operating off the coast of Somalia, intercepted suspected pirates as part of a Combined Task Force 151 tasking for Combined Maritime Forces on 15 October 2013.
“One of the first mistakes made by the threat actors was failing to enable SSL on the web shell. As such, all the commands were sent over the internet in plain text. This allowed us to write code to extract these commands from the full packet capture (FPC) data. We were ultimately able to recover every command the threat actors issued, which painted a very clear picture. These threat actors, while given points for creativity, were clearly not highly skilled. For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.” continues the report.
The shipping company, once discovered the cyber attacks, secured its servers and improved the operational security of its systems.
Piracy is a very widespread phenomenon in some areas of the world, the use of technology can definitely make the most complex activities of prevention and contrast.
There are numerous cases related to the collaboration between ordinary crime and hacking crews, I remember an episode occurred in 2013 when an investigation of a cyber-attack on the Belgian port of Antwerp allowed law enforcement to discover that drug traffickers recruited hackers to hack IT systems that controlled the movement and location of the containers.
“Police carried out a series of raids in Belgium and Holland earlier this year, seizing computer-hacking equipment as well as large quantities of cocaine and heroin, guns and a suitcase full of cash. Fifteen people are currently awaiting trial in the two countries. Mr Wainwright says the alleged plot demonstrates how the internet is being used as a “freelance marketplace” in which drug trafficking groups recruit hackers to help them carry out cyber-attacks “to order”. “[The case] is an example of how organized crime is becoming more enterprising, especially online,” he says.
The Europol official confirmed that organized crime groups were paying for hackers involved in criminal activities. The profitable collaboration started at least in 2011, Dutch-based trafficking group hid cocaine and heroin among legitimate cargoes, including timber and bananas shipped in containers from South America. The role of hackers based in Belgium was to infiltrate computer networks in at least two companies operating in the port of Antwerp to access secure data giving them the location and security details of containers.
US starts cyber operations against the ISIL in Mosul
4.3.2016 Hacking
Senior Pentagon officials on Monday revealed the military’s first use of cyber warfare operations against the ISIL terrorist group.
The US military has started launching cyber attacks against members of the terrorist organization ISIS as part of the operation conducted to take back the Iraqi city of Mosul.
The US military is using cyber tools to contrast the ISIS troops in the area, interfering members’ operation and communication.
“By encircling and taking this town, we are also working to sever the last major artery between Raqqa and Mosul, an operation critical to dissecting ISIL’s parent tumor into two parts in Iraq and Syria. At the same time, we’re bombing ISIL’s banks as well as oil wells they’ve taken over or coerced others into operating on their behalf. We’re also using cyber tools to disrupt ISIL’s ability to operate and communicate over the virtual battlefield.” announced the Defense Secretary Ash Carter at a Monday Pentagon press briefing. that U.S. forces are using cyber tools to disrupt ISIS’s ability to operate and communicate over the virtual battlefield.
According to Carter, the goal of the cyber operations is the disruption of the ISIL‘s command and control, particularly in Syria.
” I think you’re referring to our use of cyber which we have talked about generally. In the counter-ISIL campaign in — particularly in Syria to interrupt, disrupt ISIL’s command and control, to cause them to lose confidence in their networks, to overload their network so that they can’t function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy.” added Carter.
“So this is something that’s new in this war, not something you would’ve seen back in the Gulf War, but it’s an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place.”
The US Government has already started the cyber operations that the US Cyber Command is carrying out.
“we’re trying to both physically and virtually isolate ISIL, limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically.” said Joint Chiefs Chairman General Joseph Dunford.
“And frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age.”
Hack the Pentagon — US Government Challenges Hackers to Break its Security
3.3.2016 Hacking
The United States Department of Defense (DoD) has the plan to boost their internal and network security by announcing what it calls "the first cyber Bug Bounty Program in the history of the federal government," officially inviting hackers to take up the challenge.
Dubbed "Hack the Pentagon," the bug bounty program invites the hackers and security researchers only from the United States to target its networks as well as the public faced websites which are registered under DoD.
The bug bounty program will begin in April 2016, and the participants could win money (cash rewards) as well as recognition for their work, DoD says.
While announcing 'Hack the Pentagon' initiative during a conference, DoD said only "Vetted Hackers" can participate in the Bug Bounty program, which means the candidates need to undergo a Background Check after registration and before finding vulnerabilities in its systems.
Moreover, candidates would be given a Predetermined Department Systems (might be real system alike) for a specific time period of the competition to access it.
So, don’t be confuse that the DoD will serve a critical piece of its infrastructure to hackers for disruption, rather the hackers will be allowed to target a predetermined system that is not part of its critical operations.
However, the Department of Defense has not yet confirmed what bounty would be provided to hackers upon a successful penetration of its network or web pages.
Why DoD launches a Bug Bounty program?
Department of Defence currently manages 488 websites related to everything from the 111th Attack Wing, several military units to Yellow Ribbon Reintegration Program.
According to Chris Lynch, Director of Defense Digital Service that’s actually behind the "Hack the Pentagon" initiative:
"Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country."
But, Here's the Actual Reason You Need to Know:
The hackers, foreign and internal criminals, are actively targeting government departments and critical infrastructure that could reveal national secrets.
Last year’s massive security breach in the United States Office of Personnel Management (OPM) revealed the private information of over 21.5 Million US government employees.
Just last month, an unknown hacker released personal details of at least 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.
Almost three years ago, the Pentagon said the Chinese government had conducted cyber attacks on the several United States diplomatic, economic as well as defense industry networks.
Therefore, the real purpose of launching dedicated bug bounty program for hackers could be a government initiative to identify vulnerabilities in its infrastructure that may expose any endangered state secrets.
Just like Bug Bounty programs offered by several Frontliners in the technology industry, Hack The Pentagon would also be an exercise for the federal authorities to boost up the security measures and counter the cyber attacks.
Instead of usual self-conducting Security Audit by the DoD internals itself, the new initiative would provide an opportunity for the fresh brains outside the Pentagon to challenge DoD infrastructure and enhance the security measures.
US DoD invites a restricted number of hackers to Hack the Pentagon
2.3.2016 Hacking
Hack the Pentagon – DoD would invite outside hackers to test the cybersecurity of some public US Defense Department resources as part of a pilot initiative.
Which is the best way to discover security vulnerabilities affecting a computer system? Ask a group of hackers to test it. This is the concept behind a bounty program, an organization can hire hackers to test the system and ethically disclose the flaw, receiving a reward. Bug bounties are very popular initiatives among the communities of white hats, principal companies, including Facebook, Google and Microsoft. Facebook, for example, has already paid more than $3 million since 2011, when its bug bounty program was launched.
And what about if I tell you that the organization in question is the pentagon? Yes, it is true, ‘Hack the Pentagon’ is the initiative launched by the US Government, the first ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.
If the Pentagon will financial reward the hacker, it would be the first government-funded bug bounty initiative in the world.
“The Pentagon said on Wednesday it would invite vetted outside hackers to test the cybersecurity of some public U.S. Defense Department websites as part of a pilot project next month, in the first-ever such program offered by the federal government.”
“Hack the Pentagon” is modeled after similar competitions known as “bug bounties” that are conducted by big U.S. companies, including United Continental Holdings Inc to discover gaps in the security of their networks.” states the Reuters.
At time I was writing the bounty program has not been announced, until today, the Pentagon already uses its own internal security experts (so-called “red teams”) to test its networks, but openness to external hackers could give a major impetus in finding vulnerabilities in government systems, allowing to find new security holes.
The Hack the Pentagon initiative is welcome within the US government, in this way the expert at the Pentagon will be able to identify security issues before hackers can exploit them, with a significant improvement in term of cyber security.
“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” commented the Defense Secretary Ash Carter.
According to the Reuters, the participants will have to be US citizens and submit to background checks before being accepted to the Hack the Pentagon program, this is the principal difference with a common bug bounty initiative.
The program is being led by the DoD Defense Digital Service, which is a small team of engineers and experts, set up in November 2015, meant to “improve the Department’s technological agility and solve its most complex IT problems.”
In October 2015, Current and former members of the department’s cyber wing of the US Army, Captain Michael Weigand and Captain Rock Stevens, published a paper urging a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command. The project aimed to establish a central program for disclosing software vulnerabilities on military systems.
The military experts highlighted how essential aspects of the software lifecycle, like patch management and penetration testing are very difficult to carry on these environments. The systems used in the US Army are exposed by an absence of centralized patch management and penetration testing are not allowed due to the nature of the systems.
They call for a radical change, including the introduction of bug bounties, today internal experts who discovered vulnerabilities have no incentive to report the flaw are no obliged to disclose it, the post refers this bad habit as a “do nothing” culture.
In the paper published on the Cyber Defense Review website, the duo proposed the creation of an Army Vulnerability Response Program (AVRP), a bug bounty program run by the US military.
The Army Vulnerability Response Program (AVRP) platforms proposed by the military expert have to enable service people to report bugs free of risk of retribution, and say penetration tests should be promoted as vulnerability scans are inadequate.
“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.
The creation of a bug bounty program is an urgency for the US Government, it comes after the numerous successfully attacks suffered by US entities, including OPM, the White House, and The State Department.
DarkHotel hackers are back targeting Chinese Telecom
2.3.2016 Hacking
The DarkHotel APT group is back and it is targeting executives at telecommunications companies in China and North Korea.
According to threat intelligence start-up ThreatBook, the DarkHotel APT group is targeting executives at telecommunications companies in China and North Korea.
The Darkhotel espionage campaign was first uncovered by security experts at Kaspersky Lab in November 2014. The experts discovered that the hacking campaign was ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.
The attackers appeared as highly skilled professionals that exfiltrate data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gangs never go after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.
Experts at ThreatBook dubbed the new campaign DarkHotel Operation 8651, the hackers have already compromised at least one organization by using spear phishing emails.
The spear phishing messages came with malicious documents attached, typically a crafted SWF file embedded as a downloadable link in a Word document.
The DarkHotel hackers exploited the Adobe Flash vulnerability CVE-2015-8651, patched by Adobe on Dec. 28 with an out-of-band patch.
The attackers disguise the malicious code a component of the OpenSSL library. Experts noticed that the malware implements a number of anti-detection measures, including anti-sandbox and just-in-time decryption.
To better understand the DarkHotel group, let me provide you further details emerged by an update provided by Kaspersky Lab in August 2015. Kaspersky confirmed that the organizations targeted by the DarkHotel APT in 2015 were located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
Darkhotel relied on phishing emails containing links to Flash Player exploits disclosed following the data breach suffered by the Hacking Team surveillance firm.
“…at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day. It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. ” Kaspersky wrote in a blog post.
The DarkHotel APT used obfuscated HTML Application (HTA) files to serve backdoor and downloader code on infected systems since 2010, in August security experts discovered new variants of the malicious HTA files.
“It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999,” experts noted.
The hackers also improved the obfuscation techniques using more efficient evasion methods, in one case the attackers used a signed downloaders developed to detect known antivirus solutions.
The spear-phishing emails used by the Darkhotel group in the past contain .rar archives that appeared to include a harmless .jpg file. In reality, the file is a .scr executable that appears like a JPEG using a technique known as right-to-left override (RTLO). When the file is opened, an image is displayed in the Paint application, while the malicious code is executed in the background.
Another novelty for the espionage campaign run by the Darkhotel APT group is the use of stolen digital certificates that are used to sign malware.
According to the experts at Kaspersky, the APT group appears to be Korean speaker.
FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"
2.3.2016 Hacking
What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?
Exactly this was what FBI Director James Comey asked in the congressional hearing on Tuesday.
The House Judiciary Committee hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy" over the ongoing battle between Apple and the FBI ended up being full of drama.
The key to the dispute is whether the Federal Bureau of Investigation (FBI) can force Apple to develop a special version of its mobile operating system that would help the agency unlock an iPhone belonged to San Bernardino shooter Syed Farook.
FBI Director James Comey was there with a prepared testimony about why the FBI wants Apple to create a backdoor into the killer's iPhone.
Comey: Encryption is a Long-Term Threat to Law Enforcement
Yesterday, a New York magistrate judge refused a similar order in a drug case in which the authorities asked Apple to help with the data stored in an unlocked iPhone.
The judge suggested that the government’s interpretation of the All Writs Act – the same 1789 law the FBI is invoking in the San Bernardino case to compel Apple to write a backdoor – would weaken the separation of powers as well as trample on the United States Constitution itself.
Comey, who portrayed Encryption as a long-term threat to the law enforcement because it lets criminals "go dark," said:
"Slippery slope arguments are always attractive, but I suppose you could say, 'Well, Apple's engineers have this in their head, what if they're kidnapped and forced to write software?' That's where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments."
By making this comment, Comey wants to highlight that Apple is capable of creating a backdoor to unlock the iPhone's encryption, a fact Apple has admitted.
It seems that certain Apple engineers are guided on what to do if they're kidnapped, and according to a source with knowledge of Apple's security practices, the engineers are told to "go along with the demands and do whatever is necessary to survive."
Simply "Do whatever they ask. No heroes."
Apple: Can not Weaken Security of All of Our Products
Apple General Counsel Bruce Sewell, who was also prepared with his testimony, argued how a court order could compel the company to circumvent its own encryption technology in an effort to get at the contents of an iPhone.
The FBI wants Apple to write a backdoored version of iOS that would help the feds circumvent iPhone's security measures. Apple countered that doing so would not only undermine the security of all its products, but also set a troubling example for the tech industry.
Swell said, "Building that software tool would not affect just one iPhone. It would weaken the security for all of them."
Apple Working on Unhackable iPhones
This kidnapping issue could also be resolved soon, as Apple is working on an unbreakable iPhone that even the company can not hack.
In addition, the company has also hired Frederic Jacobs, one of the key developers of World's most secure, encrypted messaging app Signal in order to enhance its iPhone security that even it can not break.
If this is not enough, Apple is also working on encrypting iCloud backups that only the account owner would have access, eliminating either way for the FBI or hackers that could expose its users data.
A DHS report confirms the use of BlackEnergy in the Ukrainian outage, still unknown its role
28.2.2016 Hacking
A report issued by the DHS CERT confirms that the outage in Ukraine was caused by a well-coordinated attack still unclear the BlackEnergy role.
In December, a major outage hit a region in Ukraine, more than 225,000 customers were affected by the interruption of the electricity. Security experts speculate the involvement of Russian nation-state actors that have used the BlackEnergy to infect SCADA systems of Ukrainian grid and critical infrastrcuture.
According to a Ukrainian media TSN, the power outage was caused by the destructive malware that disconnected electrical substations. The experts speculate that hackers run a spear phishing campaign across the Ukrainian power authorities to spread the BlackEnergy malware leveraging on Microsoft Office documents.
Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.
The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis has been supported first by the SANS industrial control systems team, but it is still unclear the real impact of the BlackEnergy malware of the incident.
The SANS report reported that attackers flooded the call centers at the power authorities with phone calls, the intent of the attackers was to prevent customers from reporting the incident to the companies operating the critical infrastructure.
The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence the intrusion or make recovery more difficult.
“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.
“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”
“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”
The report confirmed that every company victim of the attack was infected with the BlackEnergy malware, but avoided to provide further details on the role played by the malware.
“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”
Securing Hospitals from hackers that can put lives in dangers
27.2.2016 Hacking
Securing Hospitals is a report issued by Independent Security Evaluators that demonstrates how hackers can hack hospitals putting lives in danger.
A group of experts from the Independent Security Evaluators research team have tested the security of hospital networks, demonstrating how it is possible to gain access to critical medical equipment in attacks they say could put lives in danger.
The study was led by healthcare head Geoff Gentry, the results of the test conducted are reported in an interesting paper titled “Securing Hospitals.”
The experts demonstrated that such kind of cyber attacks could put lives in danger, for example hacking patient monitors is possible to display false information which could result in medical responses that injure or kill patients.
They security researchers examined 12 healthcare facilities, two data centres, two web applications, and a couple of live medical devices that could be hacked remotely by threat actors.
“The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report. ” states the report.
The 71-page document is one of the most interesting study on the level of security of hospitals and the analysis of the resilience of medical devices to cyber attacks.
In the report is detailed a typical attack scenario where a foreign group could launch a cyber attack against the patients of the medical structure triggering vulnerabilities in passive medical devices.
The experts targeted an externally facing web server exploiting its vulnerabilities to gain control of the machine, once inside the network the attackers moved laterally searching for vulnerable devices to compromise.
“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals, and disabling the alarm,” the team says in the paper.
“This attack would have been possible against all medical devices … likely preventing assistance and resulting in the death or serious injury of patients.”
“The attack scenario is harrowing: Diligently executed, many human lives could be at stake, and extrapolating this problem to other hospitals is even more worrisome.”
Patient data could be easily stolen by attackers, attackers for example can exploit a cross-site scripting flaw inside a web application.
The experts dedicated a specific session of their test to cyber attacks relying on USB drives that could be used by hackers as bait. In one of the tests, the team of researchers dropped 18 infected sticks around hospitals, the malware present on the USB sticks allowed them to harvest information from terminals and establish a backdoor inside the systems.
In one case the attackers successfully breached the hospital drug dispensary service.
“At the time of this reporting, we are working to demonstrate that an attack against the particular dispensary is possible, meaning that anyone who can connect to the dispensary can then get access to the configuration interface and manipulate what the device believes it has to be its inventory. If this medication were then given to a patient, it would likely harm or kill the patient.” said the hackers.
The researchers also dedicated great attention to physical security, the team analyzed the presence of exposed hardware device ports and open computers operating in patient rooms, too easy to hack.
“The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance,” states the report.
“[It] illustrates our greatest fear: patient health remains extremely vulnerable. One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.”
The experts concluded that networks in the Hospitals are often insecure, in many cases the organizations lack of security policies and never audit their systems exposing patients to risk of cyber attacks.
“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more,” researcher Ted Harrington says. “These vulnerabilities are a result of systemic business failures.”
The findings demonstrate that patient health remains extremely vulnerable to cyber attack.
Gemalto Breach Level Index report 2015, what are hackers looking for?
27.2.2016 Hacking
2015 Gemalto Breach Level Index report confirmed the increased interest of threat actors in Government and healthcare data.
As per the security firm Gemalto, Government and healthcare have overwhelmed the retail area as most-focused for information breaks.
An aggregate of 1,673 information ruptures prompted 707 million information records being traded off worldwide amid 2015, as indicated by the most recent release of Gemalto Breach Level Index report.
Not all ruptures are just as genuine and the quantity of records revealed is stand out metric. The Gemalto Breach Level Index report endeavors to perceive this by appointing a seriousness score to every rupture (security breach) in view of elements including the sort of information and the quantity of records traded off, the wellspring of the break, and regardless of whether the information was encoded. The philosophy expects to recognize aggravations from high effect mega breaks.
More than 3.6 billion information records have been uncovered following 2013, when Gemalto started benchmarking freely unveiled information breaks. In 2015, vindictive outcasts (ie, programmers) were the main wellspring of these ruptures, representing 964, or 58 percent of breaks and 38 percent of records being compromised. Exposure or coincidental of data records represented 36 percent of all records.
According to the Gemalto Breach Level Index report, the quantity of state-supported assaults represented only 2% of the data breach incidents being reported, yet the quantity of records bargained as an aftereffect of those assaults made up 15 percent of all records uncovered.
The lopsided effect of a little number of breaks is halfway clarified by the high effect rupture at the United States Office of Personnel Management (OPM), which uncovered the individual points of interest of different government workers and released all way of “sensitive” data from historical verifications and related archives. Noxious insiders represented 14 percent of all the data ruptures and only 7% of the traded off (compromised) records.
Regarding geographic areas, 59 per cent reported break mishaps happened in the United States. Europe represented twelve percent of general rupture occurrences, trailed by the Asia Pacific locale at 8%.
Identity theft issue remained the essential kind of break, representing 53 per cent of the data ruptures and 40 percent of all records that were compromised.
Sector of Government represented 43 percent of the compromised/traded off information records, a five-fold increment more than 2014 because of a few substantial information ruptures in the United States and Turkey, and sixteen percent of all the information/data breaks. Healthcare area represented 19 percent of the aggregate records being compromised and 23 percent of all information/data breaks.
By complexity, the retail area saw the quantity of stolen information records dropping 93 per cent year-on-year, so it represented only six percent of stolen records and 10 percent of the aggregate number of ruptures in 2015.
This is in expansive part in light of the fact that 2014 was an especially unpleasant year for data information breaks in the retail division, with issues at Home Depot and others skewing numbers towards the stratosphere. The financial administrations segment likewise saw an almost 99 percent drop, speaking to only 0.1 per cent of the traded off/compromised data records and 15 percent of the aggregate number of ruptures.
They are not attempting to split your ledger – and that is terrible news for you
Criminal programmers in the course of the most recent year or so have moved their concentrate far from conventional card misrepresentation and towards taking individual data in the facilitation of the identity fraud/theft. This change is terrible news for both buyers and organizations alike, as indicated by Gemalto.
Chief technology officer for data protection and Vice President at Gemalto, Jason Hart said,
“In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks” . “However, in 2015 criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen.”
As organizations and gadgets gather continually expanding measures of client data and as purchasers’ online advanced exercises turn out to be more different and productive, more information about what they do, who they are and what they like is at danger to be stolen from the organizations that store their information.
He added, “If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with”.
The DoD funded the Carnegie Mellon University’s research on Tor Hacking
26.2.2016 Hacking
A judge has confirmed that US Departement of Defense funded the Carnegie Mellon University to conduct research on the Tor hacking.
In November 2015, the researchers at the Tor Project publicly accused the FBI of paying the experts at the Carnegie Mellon University to deanonymize Tor users.
The experts at the Tor Project collected information about the attack technique elaborated in 2014 by Carnegie Mellon researchers on the popular anonymizing system.
In January 2014, the attackers used more than 100 Tor relays in an attempt to deanonymize suspects. Fortunately the researchers at the Tor Project removed from the network in in July 2014.
The Director of the Tor Project Roger Dingledine accused the FBI of commissioning to the Carnegie Mellon boffins a study on methods to de-anonymize Tor users. The FBI has paid at least $1 million track Tor users and to reveal their IP addresses as part of a large criminal investigation.
“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
along with Ed Felten’s analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/
We have been told that the payment to CMU was at least $1 million.” reads a blog post published by the Tor Project.
The FBI has paid at least $1 million to the researchers to find a way to de-anonymize users under investigations of law enforcement.
The research was funded by the Department of Defense (DoD) and the FBI obtained the information on alleged criminals after serving a subpoena to Carnegie Mellon’s Software Engineering Institute (SEI).
This means that the SEI research was funded by the DoD and not by the FBI.
Court documents confirmed that the experts at the Carnegie Mellon university had helped the law enforcement to de-anonymize suspects.
The evidence of the collaborations between the FBI and the Carnegie Mellon University has emerged also in a stand trial in federal court in Seattle in November 2015. The court was discussing the case of Brian Farrell, an alleged Silk Road 2 lieutenant, under investigation of the law enforcement that discovered his IP addresses belong to the suspect. A new filing in Farrell’s case states that a “university-based research institute” supported the investigation and helped the feds to de-anonymize Farrell.
According to a Homeland Security search warrant, between January 2014 and July 2014 a “source of information” provided law enforcement “with particular IP addresses” that had accessed the vendor side of Silk Road 2.
The Farrell’s advocates filed a motion asking the prosecution to provide further information on the involvement of the Carnegie Mellon researchers in the investigation and the hacking technique used to de-anonymize suspects.
The response of a federal judge was negative, the magistrate denied the motion this week explaining that authorities had not violated the Fourth Amendment rights identifying the suspects via their IP addresses.
“SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny. “
The judge confirmed that the identity of the suspects was identified by exploiting security vulnerabilities in the Tor network.
The Carnegie Mellon University always denied having received money for their research.
Judge Confirms Government Paid CMU Scientists to Hack Tor Users for FBI
25.2.2016 Hacking
Everything is now crystal clear:
The security researchers from Carnegie Mellon University (CMU) were hired by the federal officials to discover a technique that could help the FBI Unmask Tor users and Reveal their IP addresses as part of a criminal investigation.
Yes, a federal judge in Washington has recently confirmed that the computer scientists at CMU's Software Engineering Institute (SEI) were indeed behind a hack of the TOR project in 2014, according to court documents [PDF] filed Tuesday.
In November 2015, The Hacker News reported that Tor Project Director Roger Dingledine accused the Federal Bureau of Investigation (FBI) of paying the CMU, at least, $1 Million for providing information that led to the criminal suspects identification on the Dark Web.
After this news had broken, the FBI denied the claims, saying "The allegation that we paid [CMU] $1 Million to hack into TOR is inaccurate."
Meanwhile, the CMU also published a press release, saying the university had been subpoenaed for the IP addresses it obtained during its research.
The revelation came out as part of the ongoing case against Brian Richard Farrell, an alleged Silk Road 2 lieutenant who was arrested in January 2014. It has emerged that the federal officials recruited a "university-based research institute" that was running systems on the Tor network to help authorities uncover the identity of Farrell.
University Researchers Helped FBI Hack TOR
Now, a recent filing in one of the affected criminal cases has confirmed both the name of the "university-based research institute" and the existence of a subpoena.
Some earlier allegations by the TOR project seem to be wrong. The research was funded by the Department of Defense, which was later subpoenaed by the FBI.
Here's what the Tuesday court order, by US District Judge Richard Jones, filed in the case of Farrell reads:
"The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) when SEI was conducting research on the Tor network which was funded by the Department of Defense (DOD)."
"Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU."
Farrell is charged with conspiracy to distribute drugs like cocaine, heroin, and methamphetamine through the Silk Road 2.0 dark web marketplace.
$1.73 Billion to UnMask TOR Users?
Last summer, the DoD renewed a contract worth over $1.73 Billion with the SEI, which according to CMU, is the only federally funded research center that focus on "software-related security and engineering issues."
Carnegie Mellon University's SEI came under suspicion for the TOR hack due to the sudden cancellation of the talk from SEI researchers Michael McCord and Alexander Volynkin on de-anonymizing Tor users at Black Hat 2014 hacking conference.
More details on the matter are still unclear, but the judge confirmed few facts about the TOR and stated that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."
Remotely hacking a Nissan LEAF via vulnerable APIs
25.2.2016 Hacking
The security expert Troy Hunt discovered that it is possible to remotely control features of a Nissan Leaf via API.
The popular security expert Troy Hunt discovered a security vulnerability affecting the API implemented by Nissan to manage the LEAF cars from a mobile device. Other experts have confirmed the existence of the flaw, the vulnerability had been discussed publicly on a French-language forum since December.The vulnerability could be exploited by hackers to remotely manage some features of the popular electric car.
The vulnerability could be exploited by hackers to remotely manage some features of the popular electric car.
Nissan provided both Android and iOS applications to remotely manage the vehicle from a mobile device.
Hunt was at a workshop held Norway when one of his students owning a Nissan LEAF reported that the app for iOS was using only the Vehicle Identification Number (VIN) to authenticate users. The knowledge of the Nissan LEAF’s VIN could allow attackers to control air conditioning and access driving data, including power consumption and travel distance.
The analysis of the API revealed the possibility to access them without any kind of authentication.
Hunt conducted a series of tests with the support of the researchers Scott Helme that demonstrated how to take control of the vehicle remotely. An attacker could exploit the flaw to turn on the AC of a parked car draining its battery, but the Australian expert Troy Hunt confirmed that it is not possible to remotely control the engine neither lock or unlock the vehicle.
How to obtain a target’s VIN?
Hunt explained that all the Nissan LEAF vehicles he analyzed have the same VIN, except for the last five digits. An attacker can try all possible combinations of these digits to send commands to the vehicle.
Hunt reported the issue to Nissan on January 23, but a vulnerability is still unpatched. Waiting for the fix, users can disable the service from the configuration menu.
Operation Blockbuster revealed the Lazarus Group Activities
25.2.2016 Hacking
The Operation BlockBuster Coalition has disclosed the results of its investigation on the activities of the Lazarus Group that is believed to be behind the Sony Pictures hack.
State-sponsored hackers allegedly behind the Sony Pictures hack have been linked to other security breach suffered by a number of companies in South Korea.
The FBI blamed the North Korea, the Bureau released the findings of its investigation that indicated the involvement of the Government of Pyongyang in the Sony Hack.
“As a result of our investigation, and in close collaboration with other US Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the FBI said Friday in a statement.
The US law enforcement suspect the involvement of the North Korea’s Unit 121, which is the group of hackers working under the direction of the General Bureau of Reconnaissance.
Experts at Kaspersky have linked the group to the hacking operations Dark Seoul and Operation Troy. According to Kaspersky the hacking crew has been active since at least 2009 and is still operating undercover.
Kaspersky Lab, alongside with a number of security firms including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec, and PunchCyber have published reports related to the activities of the Lazarus Group.
The group of security firms formed an alliance called Operation Blockbuster that issued the detection signatures to neutralize the hacking tools used by the APT.
The Lazarus Group ’s arsenal includes the Destover wiper malware, the same used against the systems of the Sony Pictures Entertainment.
“The group deployed multiple malware families throughout the years, including malware associated with Operation Troy and DarkSeoul, the Hangman malware (2014-2015) and Wild Positron / Duuzer (2015). The group is known for spearphishing attacks, which include CVE-2015-6585, which was a zero-day vulnerability at the time of discovery.” states a report published on SecureList.
Researchers at Kaspersky Lab revealed that the Lazarus Group’s malware is mostly custom-tailored and appears highly sophisticated.
The activity of the Lazarus Group surged in 2014 and 2015, the experts of the firm composing the Operation Blockbuster team noticed a number of similarities across a number of attacks worldwide.
The researchers discovered that malware used in the attacks linked to the Lazarus Group reused several components, including at least six user-agents.
“Studying multiple coding quirks within any given malware variant actually revealed these to be coding conventions implemented across both different malware families as well as entirely new samples. A simple example of code reuse is the networking functionality that includes a half-dozen hard-coded user-agents with the misspelling ‘Mozillar’ instead of Mozilla.” states the post.
The experts also noticed other similarities in the modus operandi of the threat actors, such as the use of BAT files to delete malware pieces after infections and the password reuse in the malware droppers.
“These BAT files are generated on the fly and, while they serve their purpose of eliminating initial infection traces, they ironically double as a great way to identify the malware itself by honing in on the path-placeholder strings that generate the randomly-named BAT files on the infected systems,” Kaspersky Lab said in its report. “A high-confidence indicator of correlation is the reuse of a shared password across malware droppers used to drop different malware variants. The droppers all kept their payloads within a password-protected ZIP under the resource name ‘MYRES’. The dropper contains the hardcoded password ‘!1234567890 dghtdhtrhgfjnui$%^^&fdt‘ making it trivially easy for an analyst to reach the payload. “
The researchers confirmed that the group is still active and is currently working to new weapons to add to its arsenal.
How to Hack a Computer from 100 Meters by Hijacking its Wireless Mouse or Keyboard
24.2.2016 Hacking
No matter how secure you think your computer might be, something malicious can always happen. As a Computer is an open book with right tools and talent.
The same is proved by a group of security researchers by hacking into a computer with no internet, and no Bluetooth devices.
Yes, it is possible for attackers to Hack Your Computer through non-Bluetooth devices such as your wireless mouse and keyboard and install Malware or Rootkit onto your machine.
That innocent-looking tiny dongle plugged into your USB port to transmit data between your wireless mouse, and the computer is not as innocent as it pretends to be.
What's the Vulnerability?
Security researchers from the Internet of things security firm Bastille have warned that wireless keyboards and mice from seven popular manufacturers including Logitech, Dell, Microsoft, HP and Lenovo are…
…vulnerable to so-called MouseJack attacks, leaving Billions of computers vulnerable to hackers.
The flaw actually resides in the way these wireless mice and their corresponding radio receivers handle encryption.
The connection between the tiny dongle and the mouse is not encrypted; thus, the dongle would accept any seemingly valid command.
How to Hijack Wireless Mouse and Hack Computer?
Wireless mice and keyboards communicate via radio frequency with a USB dongle inserted into the PC. The dongle then sends packets to the PC, so it follows the mouse clicks or keyboard types.
While most wireless keyboard manufacturers encrypt traffic between the keyboard and the dongle in an effort to prevent spoofing or hijacking of the device.
However, the mice tested by Bastille did not encrypt their communications to the dongle, allowing an attacker to spoof a mouse and install malware on victim's PC.
With the use of around $15-$30 long-range radio dongle and a few lines of code, the attack could allow a malicious hacker within 100 meters range of your computer to intercept the radio signal between the dongle plugged into your computer and your mouse.
The hacker can, therefore, send packets that generate keystrokes instead of mouse clicks, allowing the hacker to direct your computer to a malicious server or website in mere seconds.
During their tests, researchers were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in about 10 seconds. They tested several mice from Logitech, Lenovo, and Dell that operate over 2.4GHz wireless communications.
Video Demonstration of MouseJack Attack
Who are Affected?
The following is the list of the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws:
Logitech
Dell
HP
Lenovo
Microsoft
Gigabyte
AmazonBasics
Billions of PC users with wireless dongles from any of the above manufacturers are at risk of MouseJack flaw. Even Apple Macintosh and Linux machine users also could be vulnerable to the attack.
These mice are separate from Bluetooth mice that are not affected by this security issue.
Many Wireless Devices will Never Receive any Patch
The researchers have already reported the security issue to all the seven manufacturers, but as of today, only Logitech has released a firmware update that blocks MouseJack attacks.
However, there are a wide number of cheaper mice that don't have updatable firmware, due to which all of them will remain vulnerable forever, which could be a major issue in business environments where peripherals are often utilized for several years before being replaced.
Although Lenovo, HP, Amazon, and Gigabyte did not comment, a Dell spokesperson advised the users of the KM714 keyboard and mouse combo to get the Logitech firmware patch via Dell Tech Support and the KM632 Combo users to replace their devices.
Here's the list of affected devices, so if you are using one of them, it might be time to check for updates, and if not available, replace your existing peripheral.
For more in-depth knowledge, you can refer this white paper explaining technical details.
Anonymous hacked the France’s Ministry of Defense portal CIMD (Centre d’Identification des Materiels de la Defense)
24.2.2016 Hacking
Anonymous hacked the CIMD portal managed by the France’s Ministry of Defense to protest against French foreign arms trade operations.
The Anonymous collective has hacked one of the websites managed by the France’s Ministry of Defense, the CIMD (Centre d’Identification des Materiels de la Defense). The hacktivists accessed the database and leaked it online to protest against the country’s foreign arms trade operations.
Anonymous accuses the French Government of selling weapons to repressive regimes like the Saudi Arabia. The France authorities are also responsible accused by Anonymous of using surveillance and hacking tools, as demonstrated by the documents leaked by Wikileaks following the hack of the surveillance firm Hacking Team.
The incident was disclosed on February 22 by Anonymous, the users were
A “Our web portal will be temporarily unavailable due to maintenance actions” message was displayed to the users of the CIMD portal.
Hackers leaked online the database dump containing sensitive information, including army supplier data and partners information, alongside with login and FTP credentials and PHP sessions.
The archive includes usernames paired with cleartext passwords.
As proof of the hack, Anonymous also leaked the pictures of the CIMD admin panel, experts that visioned the images speculate the web portal was running a dated CMS.
“As a side note, after testing the vast majority of CMSs listed in Softpedia’s Webscripts section, I can say that the army’s portal looks like a very old content management platform, if not one custom made just for France’s Ministry of Defense.” wrote Catalin Cimpanu in a blog post published by Softpedia.
Anonymous highlighted the presence of a series of press articles in the CIMD archive that report the foreign arms trade operations of the French Government.
Anonymous also shared the link to report published by Amnesty International in 2012 that listed France as the world’s second largest arms trader.
Below the links to the leaked data
Operation Dust Storm, hackers Target Japanese Critical Infrastructure
24.2.2016 Hacking
Japanese commercial and critical infrastructure organizations have been targeted a long-running campaign dubbed Operation Dust Storm.
Security firm Cylance have uncovered a long-running hacking campaign dubbed ‘Operation Dust Storm’ targeting commercial and critical infrastructure organizations in Japan.
Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.
Experts believe that the group is well-organized and well-funded, a circumstance that lead the researchers to speculate the involvement of a nation-state actor.
The researchers at Cylance revealed that the threat actors started focusing on Japanese organizations since 2015, they hackers breached networks of Japanese organizations in the electricity generation, oil and natural gas, transportation, finance, and construction industries.
The list of victims includes an automaker, the Japanese subsidiary of a South Korean electric utility firm, and an oil and gas company.
The hackers demonstrated the availability of unique backdoors and zero-day exploits in their arsenal, used to launch watering holes and spear phishing attacks. In a number of attacks conducted in May 2015, the group also used several Android backdoors against targets in South Korea and Japan.
Fortunately the attacks launched by the group behind Operation Dust Storm were not sophisticated. The researchers spotted the group in 2011, when the hackers relied on Adobe Flash Player (CVE-2011-0611) and Internet Explorer (CVE-2011-1255) zero-day vulnerabilities to deliver a strain of malware dubbed Misdat.
“Very little public information was available throughout 2010 on this threat, despite the group’s primary backdoor gaining some level of prominence in targeted Asian attacks” states the report published by Cylance “It wasn’t until June 2011 that Operation Dust Storm started to garner some notoriety from a series of attacks which leveraged an unpatched Internet Explorer 8 vulnerability, CVE-2011-1255, to gain a foothold into victim networks. “
In October 2011, the hackers targeted gathering intelligence about the Libyan crisis following the death of Muammar Gaddafi. In 2012, the group leveraged the Internet Explorer zero-day (CVE-2012-1889) for their cyber espionage campaigns.
Experts at Cylance noticed a significant reduction of the Operation Dust Storm in March 2013, after the publication of the Mandiant’s analysis of the Chinese APT group dubbed APT1.
In February 2014 the group behind Operation Dust Storm appeared again, it launched a series of attacks leveraging a new Internet Explorer zero-day exploit (CVE-2014-0322) used in watering hole attacks.
The researchers at Cylance have no doubts, the attacks against Japanese critical infrastructure will rapidly increase in the future.
“However, our team believes that attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future.” Cylance concluded.
Russian Nation-state hackers intensify operations in Syria
23.2.2016 Hacking
According to security experts Russian nation-state hackers are behind cyber espionage campaigns against opposition groups and NGOs in Syria.
Russia is behind a cyber espionage campaign against Syrian opposition groups and NGOs, the Kremlin wants to conduct a PSYOP to influence the sentiment of the country on the humanitarian crisis as a diversionary action for its military operations in the area.
The Russian hackers target most active human rights organizations and aid groups in the country, including the Syrian Observatory of Human Rights.
The experts have found many similarities with other operations conducted by Russian nation-state actors that operated for example during the Ukrainian crisis.
Hackers used malware to compromise the targeted organizations and spread disinformation from victims’ official accounts.
Source BBC
Security experts at FireEye have collected evidence of the activity of Russian nation-state hackers against Syrian organizations. Richard Turner, head of Middle East and Europe at FireEye revealed that the hacking activity of Russian entities had been intensifying since the start of the year.
“APT 28 and other Russian groups are now really focusing their attention on the collection of data on Syrian groups, particularly those focused on human rights and the monitoring of Russian military activity,” explained Turner. “It’s a very significant operation.” “Clearly this is to enable them to respond politically . . . to target [the groups] for information warfare and to have an impact on the conflict itself,”
The Financial Times reported the a discussion with two senior intelligence officials, that sustain the involvement of the Russian FSB in the espionage campaign.
“Details of the Syrian campaign were discussed with two senior intelligence officials, one from Europe and one from a country neighbouring Syria. The operation was large in scale and systematic in nature, one of them said, speaking on condition of anonymity, adding that the campaign was directed by the FSB, Russia’s state security agency.” states a blog post on the Financial Times.
According to the intelligence experts, Russian hackers are also targeting organisations in Turkey managing information related the involvement of the Turkish government in the conflict in Syria. Russian hackers are collecting any kind of information on the Turkish Government due to the worsening of the relationship among the two countries.
Western intelligence fears the evolution of the events in Syria, western politicians believe that Russia is involved in the fight against Isis in the country to support the Bashar al-Assad’s Government against dissident. Many organizations are accusing the Russian forces in the area for attacks against civilian and opponents of the regime.
The experts at FireEye discovered that hackers launched spear-phishing campaign against their targets and also used replicas of legitimate organisations’ websites to track visitors and identify opponents of the Regime.
“It could be for two reasons,” said Jens Monrad, global intelligence liaison at FireEye. “One is to send out false information from those groups, or they could be using their credentials as stepping stones to go on and target other individuals or organisations. It all fits with Russia’s traditional information warfare doctrine.”
NSA Data Center Experiencing 300 Million Hacking Attempts Per Day
22.2.2016 Hacking
Utah State computer systems are experiencing a massive cyber attack on up to 300 Million Hacking attempts per day due to National Security Agency’s (NSA) data center in the state.
Yes, 300,000,000 hacking attempts in a day!
According to the statistical survey, it is evident that the computer systems in the US State of Utah began to experience the hacking attack a few years back, precisely, soon after the NSA revelations by global surveillance whistleblower Edward Snowden.
It is a less-known fact that the NSA has built its new data center near the city of Bluffdale, Utah. However, a couple of years back, when Snowden revealed the presence of the data center, the attacks have constantly been going on.
The PRISM spying program by Big Brothers at NSA might have shifted the attention of hackers for the retaliation against mass-surveillance and flared up this heightened cyber attacks against the spying agency.
According to Utah Commissioner of public safety, Keith Squires, as quoted by KUTV:
"In 2010, my IT director was letting me know that the number of attacks we were averaging a day was between 25,000 to 80,000. We had peaks in the past year or so that were over 300,000,000 a day."
Additionally, advanced weapons systems at Hill Air Force Base and other tech companies in Utah could also be the reason for this fueling cyber attacks.
TECHNICALITIES
The Security officers had identified the sudden influx of IP traffic traced into foreign IP ranges and said the incident would be a model of a botnet attack.
The botnet network scans for the technical glitches in the communication pathways to infect the system, as per its Command and Control (C&C) instructions.
In an attempt to minimize the attacking vector, Utah Security Officer had blocked the IP addresses from China, Russia, and Indonesia.
In the majority of cases, hackers are trying to gain a single access by many tactical ploys that could lead them to land into the NSA mainframes.
As NSA has been alarmed a warning bell; a short note for the hackers
The Big Brother is Watching you…!
FBI must reveal the network investigative technique used to hack more than 1000 computers
22.2.2016 Hacking
The FBI must provide details on the network investigative technique used to hack more than 1000 computers in a case involving child pornography.
In a case involving child pornography, the FBI was ruled by a judge to provide all the code used to hack the PC of suspects and detailed information related to the procedure they have followed to de-anonymize Tor users.
Colin Fieman, a federal public defender working on the case was asked by motherborard.vice.com if the code would include exploits to bypass security features, Fieman’s reply was that the code would bypass “everything.”
“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he told to MotherBoard.
Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed a popular child pornography site called “Playpen” hosted in the dark web, and where a network investigative technique (NIT)—the agency’s term for a hacking tool.
The use of the NIT was also confirmed earlier this year when according to court documents reviewed by Motherboard, the FBI had used it to identify the suspects while surfing on the Tor network.
The network investigative technique (NIT) got the suspects’ real IP address, the MAC address and other pieces of information and sent them to the FBI machines.
In July, at least two individuals from New York have been charged with online child pornography crimes after visiting a hidden service on the Tor network.
According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.” The FBI was able to harvest around 1300 IPs, and until the moment 137 people have been charged. The network investigative technique used by the FBI included computers in the UK, Chile and Greece.
In January, a report published by the Washington Post confirmed that in the summer of 2013 Feds hacked the TorMail service by injecting the NIT code in the mail page in the attempt to track its users.
The problem is that the FBI used only one warrant to hack computers of unknown suspects all over the world. The defense also argues that the FBI left the child pornography site running in order to be able to do the network investigative technique.
Last month a judge rules that the FBI’s actions did not constitute “outrageous conduct.”, but now a new order got out and obligates the FBI to disclose all the code components used in the network investigative technique.
Michaud’s lawyers were trying to get access to the technique and code used by the FBI since September but it wasn’t until January that Vlad Tsyrklevitch (the defense’s consulted expert) received the discovery.
Tsyrklevitch now argues that the provided code was incomplete, missing several parts. Part of the missing code is the one that identifies Michaud PC. Tsyrklevitch also claimed that part of the code missing is the exploit used to break into machines.
“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud’s computer, beyond the one payload that the Government has provided,” Michaud’s lawyers wrote,
It is not the first time that judges requested FBI to disclose the code used in hacking operations. In 2012, a case called Operation Torpedo the FBI disclosed the details a Metasploit module used for their investigation.
Wired revealed that the law enforcement relied on the popular Metasploit framework to first de-anonymize operators of child porn websites in the Tor network.
“Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.” states the reportpublished by Wired.
The Operation Tornado was revealed when the FBI seized three child porn sites on Tor based in Nebraska. The FBI, authorized by a special search warrant crafted by Justice Department lawyers in Washington, DC, delivered the tracking Flash code do de-anonymous visitors. The operation allowed the FBI to identify at least 25 users in the US and many others in foreign countries.
There is no doubt, cases like this one will be even more frequent and it’s possible that in the future more court order will obligate to disclose all the information about a “target”.
Anonymous took down several government websites of Saudi Arabia
22.2.2016 Hacking
Anonymous launched a series of cyber attacks against government websites of Saudi Arabia to protest the execution of 47 people, including Mr. Sheikh Nimr Al Nimr.
The Anonymous collective is conducting a hacking campaign against the Saudi Arabian Government to protest executions of 47 people.
On January 2nd, the Government announced the executions on terrorism charges, among the victims also Sheikh Nimr Al Nimr and a convicted al-Qaeda leader Faris al-Zahrani.
The executions raised the tension between Saudi Arabia and Iran, but the events also triggered the Anonymous response.
The attacks launched by Anonymous are executed as part of the operations #OpSaudi and #OpNimr.
The #OpNimr campaign was launched in September 2015 to protest continuous violations of human rights. Anonymous targeted Saudi websites is in response to the death sentence handed down to 17-year-old Mohammed al-Nimr.
Ali al-Nimr was sentenced to death on 27 May 2014, when he was only 17 years old, for taking part in demonstrations against the government, attacking the security forces, possessing a machine-gun and armed robbery.
The man is also accused of using a BlackBerry to encourage people to join the protest.
As explained by Amnesty International the Government has based its judgment on confessions extorted under torture. Members of Anonymous have started their campaign calling for Nimr’s release, the hacktivists added that he had been denied a lawyer and confirmed the tortures.
The series of cyber attacks that recently targeted the Saudi Arabian Government shut down the official website of the Ministry of Defense, the Royal Air Force, Saudi Ministry of Education and the Saudi Press Association, the Saudi Defense ministry website, the Saudi Customs Service, the Saudi Mistry of Finances, the Saudi Ombudsman’s Office and the General Passports Service.
The websites have been already restored.
Warning! — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
21.2.2016 Hacking
Are you also the one who downloaded Linux Mint on February 20th? You may have been Infected!
Linux Mint is one of the best and popular Linux distros available today, but if you have downloaded and installed the operating system recently you might have done so using a malicious ISO image.
Here's why:
Last night, Some unknown hacker or group of hackers had managed to hack into the Linux Mint website and replaced the download links on the site that pointed to one of their servers offering a malicious ISO images for the Linux Mint 17.3 Cinnamon Edition.
"Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," the head of Linux Mint project Clement Lefebvre said in a surprising announcement dated February 21, 2016.
Who are affected?
As far as the Linux Mint team knows, the issue only affects the one edition, and that is Linux Mint 17.3 Cinnamon edition.
The situation happened last night, so the issue only impacts people who downloaded the above-mentioned version of Linux Mint on February 20th.
However, if you have downloaded the Cinnamon edition or release before Saturday 20th, February, the issue does not affect you. Even if you downloaded a different edition including Mint 17.3 Cinnamon via Torrent or direct HTTP link, this does not affect you either.
What had Happened?
Hackers believed to have accessed the underlying server via the team's WordPress blog and then got shell access to www-data.
From there, the hackers manipulated the Linux Mint download page and pointed it to a malicious FTP (File Transfer Protocol) server hosted in Bulgaria (IP: 5.104.175.212), the investigative team discovered.
The infected Linux ISO images installed the complete OS with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.
Tsunami is a well-known Linux ELF trojan that is a simple IRC bot used for launching Distributed Denial of Service (DDoS) attacks.
Hackers vs. Linux Mint SysAdmins
However, the Linux Mint team managed to discover the hack, cleaned up the links from their website quickly, announced the data breach on their official blog, and then it appears that the hackers compromised its download page again.
Knowing that it has failed to eliminate the exact point of entry of hackers, the Linux Mint team took the entire linuxmint.com domain offline to prevent the ISO images from spreading to its users.
The Linux Mint official website is currently offline until the team investigates the issue entirely. However, the hackers' motive behind the hack is not clear yet.
"What we don't know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this," Lefebvre added.
Hackers Selling Linux Mint Website's Database
The hackers are selling the Linux Mint full website's database for a just $85, which shows a sign of their lack of knowledge.
The hack seems to be a work of some script kiddies or an inexperienced group as they opted to infect a top-shelf Linux distro with a silly IRC bot that is considered to be outdated in early 2010. Instead, they would have used more dangerous malware like Banking Trojans.
Also, even after the hack was initially discovered, the hackers re-compromised the site, which again shows the hackers' lack of experience.
Here's How to Protect your Linux Machine
Users with the ISO image can check its signature in an effort to make sure it is valid.
To check for an infected download, you can compare the MD5 signature with the official versions, included in Lefebvre's blog post.
If found infected, users are advised to follow these steps:
Take the computer offline.
Backup all your personal data.
Reinstall the operating system (with a clean ISO) or format the partition.
Change passwords for sensitive websites and emails.
You can read full detail about the hack here. The official website is not accessible at the time of writing. We’ll update the story when we hear more.
Utah systems experiences 300k hacking attacks a day due to the presence of the NSA Data Center
21.2.2016 Hacking
The representatives of the Utah State confirmed that their systems experiences 300,000 hacking attacks a day due to the presence of the NSA Data Center.
The Utah state computer systems experience 300 million hacking attacks a day due to the presence of the NSA data center in the state.
The Utah Data Center, also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center, is the mammoth data storage facility built by the NSA to store data gathered by the US intelligence. The official mission of the center is classified, the plant is located at Camp Williams near Bluffdale, Utah.
NSA data center 's Utah Data Center in Bluffdale, Utah, Thursday, June 6, 2013. The government is secretly collecting the telephone records of millions of U.S. customers of Verizon under a top-secret court order, according to the chairwoman of the Senate Intelligence Committee. The Obama administration is defending the National Security Agency's need to collect such records, but critics are calling it a huge over-reach. (AP Photo/Rick Bowmer)
Edward Snowden revealed the project was initially known as the Massive Data Repository within NSA, but was renamed to Mission Data Repository.
NSA Utah Data Center Lightweight Security for Sparse Staff Unlike HQ Bloat
40°25’36.59″ N 111°55’57.92″ W pic.twitter.com/sdlLO0eJC5
— Cryptome (@Cryptomeorg) 20 Febbraio 2016
The presence of the data center is an element of attraction for the hackers as explained by the experts at the Utah Commissioner of Public Safety, that confirmed a significant increase in the number of cyber attacks over the years.
“In 2010, my IT director was letting me know that the number of attacks we were averaging a day were between 25,000 to 80,000,” said Keith Squires, Utah Commissioner of Public Safety. “We had peaks in the past year or so that were over 300,000,000 a day.”
Hackers use botnets to scan the state’s computer systems, searching for vulnerable systems.
“Although other states were seeing increases, most were not seeing anything like we were,” Squires said. “We didn’t realize it at first, but my opinion is in that same time, Utah was getting a lot of notoriety for the NSA facility that was being built here.”
The number of cyber attacks against computer systems of other US states has increased in the last years, but the trend observed for state of the Utah is singular.
“The dynamics of Utah have changed,” the State of Utah’s Information Security Director told KUTV.
The systems of the states belong to government entities and tech companies working in the intelligence and cyber security industries, for this reason hackers consider them a privileged target.
The journalists at 2News interviewed Neil Wyler, a former punk hacker, now a cyber security expert and consultant, asking him how hackers operate to compromise government entities.
Wyler explained that hackers can potentially target any system to find a way to penetrate US government system.
“To illustrate, he used a hypothetical example of a business that hackers could not penetrate, but they knew employees of the company liked to eat at a pizza place down the street. So the hackers infiltrated the pizza business website, spread pizza coupons at the firm that was their real target — encouraging workers to download a corrupted pizza “menu” — only to allow the hackers to troll the real target’s computers.” states Wyler.
Squires highlighted the strong security posture of critical infrastructure in the state, NSA facility such as the airport were designed to ensure a high-level of security with “totally separate” networks.
But let me add that security is an instantaneous concept, what is safe now at this time, it might not be in a few seconds.
Linux Mint was hacked, website served malicious ISO on Saturday
21.2.2016 Hacking
The Linux Mint website had been hacked, on Saturday, intruders were able to compromise it and serve malicious ISO of Linux Mint 17.3 Cinnamon edition.
The Linux Mint website had been hacked, on Saturday 20th, February, intruders were able to compromise the website serving malicious ISO of Linux Mint 17.3 Cinnamon edition.
The disconcerting announcement was made by Clement Lefebvre, the head of the Linux Mint project. Lefebvre explained that the webLinux Mint website had been compromised and that the hackers used it to distribute a malicious ISO of Linux Mint 17.3 Cinnamon edition.
“I’m sorry I have to come with bad news. We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below. What happened?
Beware of hacked ISOs if you downloaded Linux Mint on February 20th! https://t.co/cexMF2USWS
— Linux Mint (@Linux_Mint) 21 Febbraio 2016
What happened?
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.” wrote Clement Lefebvre.
Users that downloaded the Linux Mint 17.3 Cinnamon edition prior to Saturday, or any other version/flavour (including Mint 17.3 Cinnamon via torrent or direct HTTP link), are not affected.
The operators behind the website of the Linux distribution have sanitized it.
Lefebvre urges the users to check the MD5 digest of the downloaded ISOs in order to discover any modification to the legitimate software.
“If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).” continues the post.
Below the list of valid signatures:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
“If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
If you have an infected ISO delete it, trash discs used to burn the ISO, and format USB sticks where the ISO was burnt.
If you have installed Linux Mint from an infected ISO follow these steps:
Take the computer offline.
Backup personal data.
Reinstall the OS (with a clean ISO) or format the partition.
And change passwords to sites you used – especially email accounts.
Who is behind the attack?
The hacked ISOs are hosted on a server with the IP 5.104.175.212 and the backdoor connects to the absentvodka.com domain.
The IP and the domain used in the attack lead to 3 people located in Sofia, Bulgaria. It is not clear the roles in the attack..
“What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.” added Clement Lefebvre.
Project Cumulus – Tracking fake phished credentials leaked to Dark Web
21.2.2016 Hacking
Project Cumulus – A group of experts at Bitglass used watermarks to track data through the Dark Web and discover how far do phished credentials get.
In April 2015, a group of experts at Bitglass used watermarks to track data through the Deep Web and discover how far does it get after a data breach. The experts discovered that the countries historically associated with cyber criminals activities such as Russia, China and Brazil, were the principal access points for the identity data.
Now the same group of experts published the results of a second research, dubbed Project Cumulus “Where’s Your Data”, aiming to track fake personal data across the Internet.
The researchers created a fake identity for employees of a ghostly retail bank, along with a functional web portal for the financial institution, and a Google Drive account. The experts also associated the identities with real credit-card data, then leaked “phished” Google Apps credentials to the Dark Web and tracked the activity on these accounts.
The results were intriguing, the leaked data were accessed in 30 countries across six continents in just two weeks.
Leaked data were viewed more than 1,000 times and downloaded 47 times, in just 24 hours the experts observed three Google Drive login attempts and five bank login attempts. Within 48 hours of the initial leak, files were downloaded, and the account was viewed hundreds of times over the course of a month, with many hackers successfully accessing the victim’s other online accounts.
“over 1400 hackers viewed the credentials” states the report. “1 in 10 hackers who viewed the credentials attempted to log into the bank web portal” “A torrent of activity resulted within hours of leaking the credentials,
with over 1400 visits from over 30 countries recorded between the Dark Web postings and the bank web portal.”
In 36 percent of the cases, hackers successfully accessed the victim’s other online accounts, 94 percent of hackers who accessed the Google Drive discovered the victim’s other online accounts and attempted to log into the bank’s web portal.
The Project Cumulus revealed that 68 percent of hackers accessed Google Drive and bank portal accounts from the Tor network in order to anonymize their identity online.
“One dark web community member encouraged novice hackers to use Tor in conjunction with a VPN service
purchased using cryptocurrency, warning that any missteps could lead to prosecution under the Computer Fraud and Misuse Act.” continues the report.
The researchers at Bitglass noticed that most of the visitors of the web portal that did not use the Tor network were from Russia (34.85%), United States (15.67%), China (3.5%), Japan (2%).
The Project Cumulus demonstrates the importance of adopting a proper security posture in protecting our data, it highlights the dangers of reusing login credentials and shows how quickly phished credentials can spread, exposing sensitive data.
15-year-old Teenage Hacker Arrested Over FBI Computer Hack
19.2.2016 Hacking
Another 15-year-old teenager got arrested from the land of cakes, Scotland, by British Police for breaking into the FBI Systems on 16th February.
Under the Britain’s anti-hacking law, Computer Misuse Act 1990, the boy has been arrested for his role in hacking and unauthorized access to the digital material.
Federal Agents had fled to Glasgow in an attempt to carry out a raid on his home before proceeding with the boy's arrest.
"He has since been released and is the subject of a report to the procurator fiscal," a Police Spokesman told a Scottish journal.
As with the present scenario, reports say that the boy could be extradited to the United States to face the Intrusion and hacking charges.
Second Member of the Hacking Group Arrested
The suspect is believed to be an active member of the notorious hacking group called "Crackas with Attitude" aka "CWA", Motherboard confirms.
Another member of the same group got arrested from the United Kingdom last week. The 16-year-old British teenager was suspected of hacking into the CIA and the FBI confidential.
The hacktivist group "Cracka with Attitude" is behind a series of hacks on the United States government and its high-level officials, including:
Leaked the personal and sensitive details of tens of thousands of FBI agents and the US Department of Homeland Security (DHS) employees.
Hacked into AOL emails of CIA director John Brennan.
Hacked into the personal phone accounts and emails of the US spy chief James Clapper.
Broke into AOL emails of the FBI Deputy Director Mark Giuliano.
Last Member of Hacking Group Left
Cracka-with-Attitude
Additionally, it is assumed that only one more member (with a pseudonym "Thwarting Exploits") has been left in the CWA group to get busted, as this got evident from his tweet finalizing the fact that it is a the third member of the group.
Nowadays, the amateurish approach of teenage hackers are hunting down the world's greatest Crime solvers such as FBI and CIA.
The busted cyber criminals are liable to spend their rest of the life behind bars. The cyber laws are strict enough; that it would eat up your whole life years and even beyond your lifetime sometimes.
How Just Opening an MS Word Doc Can Hijack Every File On Your System
19.2.2016 Hacking
If you receive a mail masquerading as a company's invoice and containing a Microsoft Word file, think twice before clicking on it.
Doing so could cripple your system and could lead to a catastrophic destruction.
Hackers are believed to be carrying out social engineering hoaxes by adopting eye-catching subjects in the spam emails and compromised websites to lure the victims into installing a deadly ransomware, dubbed "Locky," into their systems.
So if you find .locky extension files on your network shares, Congratulations! You are infected and left with just two solutions: Rebuild your PC from scratch or Pay the ransom.
Locky ransomware is spreading at the rate of 4000 new infections per hour, which means approximately 100,000 new infections per day.
Microsoft MACROS are Back
It is hard to digest the fact that, in this 2016, even a single MS Word document could compromise your system by enabling 'Macros.'
This is where the point to appreciate hacker's sheer brilliance of tactics.
phishing-email-Locky Ransomware
Locky ransomware is being distributed via Microsoft 365 or Outlook in the form of an Invoice email attachment (Word File that embeds vicious macro functions).
The concept of macros dates back to 1990s. You must be familiar with this message: "Warning: This document contains macros."
Now macros are back, as cyber criminals discover a new way to get internet users to open Microsoft Office documents, especially Word files that allow macros to run automatically.
How Does Locky Work?
locky-ransomware-derypt
Once a user opens a malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file and found the content scrambled and a popup that states "enable macros".
Here comes the bad part:
Once the victim enables the macro (malicious), he/she would download an executable from a remote server and run it.
This executable is nothing but the Locky Ransomware that, when started, will begin to encrypt all the files on your computer as well as network.
Locky ransomware affects nearly all file formats and encrypts all the files and replace the filename with .locky extension.
Once encrypted, the ransomware malware displays a message that instructs infected victims to download TOR and visit the attacker's website for further instructions and payments.
Locky ransomware asks victims to pay between 0.5 and 2 Bitcoins ($208 to $800) in order to get the decryption key.
One of the interesting note on Locky is that it is being translated into many languages, which heighten its attack beyond English boundaries to maximize the digital casualties.
Locky Encrypts Even Your Network-Based Backup Files
The new ransomware also has the capability to encrypt your network-based backup files. So it's time for you to keep you sensitive and important files in a third party storage as a backup plan in order to evade future-ransomware infections.
A researcher named Kevin Beaumont along with Larry Abrahms of BleepingComputer initially discovered the existence of Locky encrypted virus.
To check the impact of Locky, Kevin successfully intercepted the Locky traffic yesterday and realized that the cryptovirus is spreading out rapidly in the wild.
"I estimate by the end of the day well over 100,000 new endpoints will be infected with Locky, making this a genuine major cybersecurity incident — 3 days in, approximately a quarter of Million PCs will be infected," Kevin said in a blog post.
One hour of infection Statistics:
locky-ransomware
Among the highly impacted countries include Germany, Netherlands, United States, Croatia, Mali, Saudi Arabia, Mexico, Poland, Argentina and Serbia.
Comodo Internet Security opened your PC to attackers
19.2.2016 Hacking
Comodo Internet Security, in the default configuration, installs an application called GeekBuddy that also installs a VNC server enabled by default.
The hackers of the Google Project Zero Team have found another serious security issue in the Comodo’s protection software, it is a VNC server enabled by default with a password easy to guess. It is the second problem discovered in Comodo solution in less than a month, a few days ago the Google expert Tavis Ormandy discovered a significant flaw in the Chromodo browser. The browser, in fact, has ‘Same Origin Policy’ (SOP) disabled by default, a setting that exposes users at risk.
Every time users install one of the Comodo solutions (Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security) on a Windows PC a program called GeekBuddy is installed too. This application is used by Comodo to carry out remote technical support on the machine.
The GeekBuddy software installs a VNC server enabled by default and having admin-level privileges. The VNC server open to the local network and is not protected by any authentication mechanism.
Technically, an attacker could gain full control over the computer running the Comodo system.
“Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security, runs a passwordless, background VNC server and listens for incoming connections. This can allow for at least local privilege escalation on several platforms. It also may be remotely exploitable via CSRF-like attacks utilizing a modified web-based VNC client (eg. a Java VNC client).” wrote Jeremy Brown in a blog post published on Packet Storm Security.
Users can fix the issue by enabling password protection, but according to Ormandy the passwords were predictable.
“This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn’t prevent the attack they claim it solve” explained Ormandy.
The password is easy to extract from the Windows Registry, the operation could be executed by any logged-in user or by a malware running on the machine.
Ormandy also explained how to calculate the password by using the Win calc.exe.
This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe:
This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe like this:
$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption SerialNumber Signature TotalTracks
VMware, VMware Virtual S SCSI Disk Device -135723213 1997160
$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8
7d4612e5
$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -
I'm using vncdotool from here:
https://github.com/sibson/vncdotool
(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice, I think this is a bug)
Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters(!!!):
$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
osInstanceId REG_SZ 7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3
Ormandy reported the issue to Comodo on January 19, on February 10 the company released a fix in the version 4.25.380415.167 of GeekBuddy.
Tens of thousands of DVRs exposed on Internet with Hardcoded Passwords
19.2.2016 Hacking
According to a report published by Risk Based Security more than tens of thousands of DVRs are exposed on the Internet with a hardcoded password.
According to a report published by Risk Based Security (RBS), the firmware of DVRs manufactured by China-based Zhuhai RaySharp contains hardcoded credentials that could be used by a remote hacker to gain control of the devices.
“DVRs based on the Zhuhai RaySharp DVR firmware provide a webbased management interface for users to manage the device, view feeds from connected surveillance cameras, and use the PTZ (PanTiltZoom) controls. It was found that the interface contains hardcoded credentials that allow anyone to easily access the device. ” states the report.
The digital video recorders include a web interface that allows users to manage the devices, access the recorded video, and control surveillance cameras.
The access to the devices is very simple, they are all configured with the same username “root” and the password “519070.”
There are more than tens of thousands of digital video recorders (DVRs) exposed on the Internet, security experts at Risk Based Security used Shodan revealed that there are between 36,000 and 46,000 DVRs accessible from the web, most of them located in the US.
The security issue is much more extended, according to the experts many other vendors worldwide (i.e. Defender, Lorex, KGuard Security, König, Swann, and COP USA) commercialize digital video recorders using firmware affected by this vulnerability (CVE-2015-8286).
Experts at Risk Based Security reported the vulnerability to the US-CERT in September 2015 that notified all affected vendors in October. Some vendors are working to their own patches but many of them still haven’t solved the problem and RaySharp has yet to release a fix.
The problem affecting DVRs is quite common for IoT devices, poorly configured devices expose them to cyber attacks.
Hollywood Hospital Pays $17,000 Ransom to Hacker for Unlocking Medical Records
18.2.2016 Hacking
Ransomware has seriously turned on to a noxious game of Hackers to get paid effortlessly.
Once again the heat was felt by the Los Angeles-based Presbyterian Medical Center when a group of hackers had sealed all its sensitive files and demanded $17,000 USD to regain the access to those compromised data.
The devastation of the compromised files can be pitched as:
Compromised emails
Lockout Electronic Medical Record System [EMR]
Encrypted patient data
Unable to carry CT Scans of the admitted patients
Ferried risky patients to nearby hospitals
...and much more unexplained outcomes.
The hospital had confirmed that the Ransomware malware had hit its core heart a week before, potentially affecting the situation to grow much worse.
Hospital End up Paying $17,000
As the situation was grown out of wild, the hospital paid 40 Bitcoins (Roughly US $17,000) to the Ransomware Criminals to resume their medical operations after gaining the decryption keys.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," the hospital CEO Allen Stefanek said in a letter.
All the electronic medical system were restored back soon after unlocking the encrypted file locks.
The Ransomware had stolen the nights of many network administrators, as they would be often blamed to fight up this nasty threat; instead of blaming staffs who click the illegit links in their e-mail.
The FBI Advises Victims to Just Pay the Ransom
Last year, even the FBI advised paying off the Ransom amount to the ransomware criminals as they had not come up with any other alternatives.
Several companies had got webbed in the Ransomware business including a US Police Department that paid US $750 to ransomware criminals three years back.
Criminals often demand the ransom in BTC (their intelligent move) for the surety of not getting caught, as Bitcoin transactions are non-trackable due to its decentralized nature.
So until and unless a permanent solution evolves, users are requested not to click malicious or suspected links sent via an unknown person.
The frequent payment to Ransomware encourages the hackers in the dark to stash the cash and develop a more enticing framework for the next target.
But affecting a medical system is a heinous crime as hospitals are acting as a bridge between life and heaven.
Anonymous leaked 18GB of data belonging to the Turkish national police
18.2.2016 Hacking
Members of the Anonymous group have stolen 18GB worth of data belonging to Turkey’s national police force and leaked it online.
The group of hacktivists Anonymous has just released roughly 18GB of sensitive data belonging to the Turkey’s national police.
The hackers have accessed the database of the Turkish General Directorate of Security (EGM) and leaked the archive on file sharing websites.
Anonymous targeted the Turkish authorities to protest against widespread corruption within the Turkish government.
“Hey Turkey, I have something to show you tomorrow. See, if you fight your citizens, they will bite back. #standby.” states a tweet posted on Sunday by the account @CthulhuSec
anonymous hacked turkish government
The same account shared a link to precious archive a day after the fist tweet, “Enjoy responsibly” stated the message.
anonymous hacked turkish government 2
The link shared points to a page including the links to the archive and the following message:
“I have been asked to release the following files by ROR[RG], who is responsible for collecting them.
The material was taken from the EGM which is the Turkey National Police.
The source has had persistent access to various parts of the Turkish Government infrastructure for the past 2 years and
in light of various government abuses in the past few months, has decided to take action against corruption by releasing this.” reports the page.
The access to the 17.8 GB data requires “some knowledge of databases”:
“As with everything I share, I do not make any claims for the data. However, please note you may require some knowledge
of databases to be able to properly extrapolate information from this data set. If anyone can make a more accessible
version for the less technically inclined, ping it over to me and I will add it here.”
Anonymous already targeted the Turkish Government, in December 2015 it launched a number of cyberattacks on the Turkey’s internet, forcing the nation to shut down thousands of websites.
The Turkish authorities haven’t commented the incident.
Researcher hacks medical devices and the whole hospital with ease
18.2.2016 Hacking
Sergey Lozhkin, a security expert at Kaspersky Lab demonstratd how it is easy for hackers to compromise medical devices and critical healthcare infrastructure.
The ascent in the Internet of Things (IoT) has left gadgets more associated, yet much of the time more vulnerable, than at any other time. From auto hacking to digital assaults against the vitality area, it has never been more essential for producers and IT groups to have a ‘security-first’ disposition.
Yet in spite of a precarious ascent in fruitful hacks, security is regularly disregarded. In a recent study as a feature of the recently held Security Analyst Summit in Spain, Sergey Lozhkin, a senior cyber specialist at security firm Kaspersky Lab, has turned his attention on doctor’s facilities to exhibit how simple it truly is for an online attacker to bargain critical medicinal infrastructure.
“If something goes wrong with medical equipment, if someone hacked a device that helps a doctor to identify an illness, if someone could affect this data a healthy person could be treated as an ill person or the opposite,” He said. “If someone affects the results of for example, MRI, it could be really rough.”, adding further.
In his discussion, Lozhkin laid out how he could hack into the clinic’s system effortlessly – and consent – in the wake of discovering vulnerable restorative gadgets recorded on Shodan.
“I decided that this is a critical area and I wanted to research it. I decided to look on the internet, I found the hospital, tested the WiFi network and finally I was able to connect to an MRI device and find personal information and [flaws] in the architecture. It was scary because it was really easy” He explained. “The initial vector was the WiFi network, the network was not really as secure as it should be in such a place where you keep medical data.”
Shodan is a platform used to sweep open ports on the web and is frequently utilized by cyber security researchers to reveal critical infrastructures that ought to be better ensured. In reality, the ‘internet searcher’ nature of Shodan frequently courts’ discussions for connecting to open gadgets such as webcams and, in the latest case, the baby monitors.
“[Shodan] can get some answers concerning the equipment and programming associated [to the internet] and in the event that you know, for instance, what input a MRI or laser or cardiology gadget gives when you interface with its port, you can go to Shodan and discover about several of these gadgets and on the off chance that you know a weakness you can hack every one of them,” the Kaspersky analyst cautioned.
“For this situation it was simple. Therapeutic gadgets are still shaky, I can see it. A few makers truly secure them however some [developers] are pondering web security in second or third place.”
Investigating the eventual fate of IoT, Lozhkin included: “I think lots of people from both sides, the white-hat security researchers and the bad guys, are deeply researching this area – car hacking, connected cars, medical devices, everything. For cyber criminals it could be a big market.”
Most as of late, an inward crisis was announced at a noteworthy US doctor’s facility in Los Angeles taking after an across the board ransomware-style cyberattack that left staff not able to get to fundamental patient information.
Instagram Adds Two-Step Verification to Prevent Account from being Hacked
17.2.2016 Hacking
Hijacking an online account is not a complicated procedure, not at least in 2016.
Today, Instagram confirmed that the company is in the process to roll out two-factor authentication for its 400 Million users.
It is impossible to make your online accounts hack-proof, but you can make them less vulnerable.
Then what you can do to protect yourselves from hackers?
Several companies provide more enhanced steps like Encrypted Channel Services, Security Questions, Strict Password Policy and so on.
But, what would you do if a hacker had somehow managed to access your accounts’ passwords?
Since the online accounts do not have an intelligent agent inbuilt to verify whether the person is the legit driver of the account; beyond a username and password match.
Hence the concept of Two-Factor Authentication (2FA) born out!
Jumbos like Google, Facebook, Twitter and Amazon have already blended the 2FA feature with their services to tackle account hijacking.
2-Factor Authentication or two-step verification is an additional security mechanism that certifies the user is legit after clearing dual identification step i.e. a randomly generated security code would be provided to the user via call/SMS for authentication.
2-Factor Authentication eliminates the hackers to intrude into your online accounts (even if they have your usernames and passwords).
Now, the Multimedia sharing Giant Instagram also joined the league by implementing two-step verification.
Better late than Never:
However, the decision to roll out 2FA feature could be criticized as it's parent company Facebook had already implemented it five years back.
The current users could not expect the new two-step verification feature to get released soon, as the company had mentioned that they would slowly release the phone verification feature.
But yes, there is good news for Singapore Residents. As the first roll would be out for Singaporeans.
Earlier, Instagram hacking was a deja vu as many videos and images of celebrities leaked online in the yesteryears.
Hackers could create havoc such as hijacking or deletion of Instagram Accounts, flooding the account with illegit contents and much more. Taylor Swift was one of such victims of the Instagram hack.
To save yourself from hackers you are recommended to enable 2-Factor Authentication when the Instagram security feature as soon as rolls for your country.
Iranian hackers compromised former IDF chief’s computer
15.2.2016 Hacking
According to Israel’s Channel 10 Iranian hackers succeeded in gaining access last year to the computer database of a retired Israeli army chief of staff.
Many reports published by security firms warn of the increasing threat represented by Iranian hackers. US and Israeli organizations represent a privileged target for these hackers, last year they used stolen private pictures of IDF’s women soldiers to breach Israeli military server.
According to a report published by the Israel’s Channel 10, hundreds of Israel’s current and former top security officials have been targeted by Iranian hackers.
The report reveals that Iranian hackers compromised computers of 1800 key figures worldwide, most of them from Israel including a former Israeli Army chief-of-staff.
The report speculated the involvement of the hackers belonging to the Iran’s Revolutionary Guards. Experts at the Israeli security firm Check Point Software Technologies promptly identified and blocked the attacks.
The Israeli experts also identified one of the Iranian hackers, Yasser Balachi, that accidentally displayed his email ID. Check Point’s head of security services Ron Davidson, confirmed that the man is a member of an organized group.
“Balachi said that he had not operated on his own initiative but for another cyber organization that commissioned the work,” said Ron Davidson.
Yet it is unclear even now what was the actual extent of the damage and what kind of information did they steal.
It is not clear which is the impact of the attack and which information was exposed.
Iranian hackers are becoming even more aggressive, in November computers at the US State Department and other government employees were targeted by them. The experts linked the attackers with the Iranian Revolutionary Guard, according to investigators the Facebook and e-mail accounts of US State Department officials focused on Iran were compromised to gather data about US-Iranian dual citizens in Iran and about the arrest of an Iranian-American businessman in Tehran in October.
The hackers have taken over social media accounts of junior State Department staff to launch a spear phishing campaign on the employees working in the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs and in the computers of some journalists.
Check Point experts confirmed that the Iranian hackers launched spear phishing attacks against their targets with the intent to infect them with spyware.
In December, a report published by Symantec revealed that Iranian hackers have been using malware to track individuals, including Iranian activists and dissidents.
The researchers identified two groups of Iran-based hackers, dubbed Cadelle and Chafer, which were distributing data stealer malware since at least mid-2014. The experts uncovered the command-and-control servers explaining that registration details indicate the Iranian hackers may have been operating since 2011.
There are a number of indicators that suggest both groups are based in Iran, the Cadelle and Chafer teams are most active during the day time within Iran’s time zone and primarily operate during Iran’s business week (Saturday through Thursday).
In June, experts at Clear Sky spotted a number of cyber-attacks launched from the Iran and targeting Israeli organizations and other entities in the Middle East.
Security experts at ClearSky uncovered a cyber espionage campaign dubbed Thamar Reservoir due to the name of its target Thamar E. Gindin. The investigation led the experts to date the Thamar Reservoir campaign back to 2011, threat actors adopted several attack techniques finalized to the espionage.
The majority of the victims of the Thamar Reservoir campaign was located in the Middle East (550) and belong to Middle East and Iranian diplomacy entities, defense and security industries, journalists and human rights organizations.
Who is behind the Thamar Reservoir campaign?
According to the researchers at ClearSky, the evidence collected suggest the involvement of Iranian hackers. The experts noticed several similarities with other attacks in the same geographic area such as:
Attacks conducted using the Gholee malware, which we discovered.
Attacks reported by Trend Micro in Operation Woolen-Goldfish.
Attacks conducted by the Ajax Security Team as documented by FireEye.
Attacks seen during Newscaster as documented by iSight.
No doubts, Iranian hackers will continue to launch cyber espionage campaigns likely with most advanced malware.
Man charged of Laundering $19.6 Million earned with PBX system hacking
15.2.2016 Hacking
Pakistani citizen Muhammad Sohail Qasmani admits laundering Millions from massive computer hacking and telecommunications fraud scheme.
A Pakistani citizen, Muhammad Sohail Qasmani (47) admitted laundering millions of dollars as part of a massive international computer hacking and telecommunications fraud scheme.
The man worked for a hacking crew that targeted US companies by hacking into their PBX systems.
The organization composed by hackers in Bangkok and Pakhistan targeted American firms identifying live phone extensions that weren’t assigned to a user, the operation was allegedly run by Noor Aziz, 53, from Karachi.
The hackers used these extensions to dial premium-rate phone lines they managed, the gang had reaped more than $50m from its victims.
Muhammad Sohail Qasmani laundered US$19.6M and transmitted money to roughly 650 individuals over four years, the prosecutors sustain that the fraud scheme was a highly professional and well organized.
The man set up 650 bank accounts in ten different countries, the accounts were used to collect the money coming from fraudulent phone lines. The man then forwarded the funds to the other hackers, keeping his commission.
Qasmani was arrested by the FBI on December 22, 2014, when he entered in the US, if convicted, the man risks a maximum sentence of 20 years in jail and a $250,000 fine.
“Thanks to the hard work of the prosecutors and agents on this case, Qasmani acknowledged his role in an international scheme that hijacked the telephone networks of US companies and ran up millions in bogus charges,” said the US Attorney Paul Fishman.
“Today, he admitted moving over $19 million in illicit proceeds across 10 countries and ensuring the dialers and hackers who perpetuated the scheme received their cut.” “The successful investigation of Qasmani is a testament to the dedication, hard work, and commitment of the men and women of the FBI, the Enforcement and Removal Operations of the U.S. Customs and Border Protection, and the State Department,”
While Qasmani will be sentenced in May, Aziz is still at large but present in the FBI’s Most Wanted list.
US Intelligence confirms the ISIS used chemical weapons
12.2.2016 Hacking
According to Fox News, the Director of National Intelligence confirmed to the Senate that the Islamic State has used chemical weapons.
In December, a European Parliament report warned that the ISIS organization has already smuggled CBRN material into the EU, the risk of WMD attacks is real.
The intelligence experts speculate the IS has recruited experts with chemistry, physics and computer science degrees to wage attacks with weapons of mass destruction.
“ISIS actually has already acquired the knowledge, and in some cases the human expertise, that would allow it to use CBRN materials as weapons of terror.” said Wolfgang Rudischhauser, Director of the Weapons of Mass Destruction Non-Proliferation Centre at NATO.
The shocking revelation is included in a report of the European Parliament that confirm the ISIS “may be planning to try to use internationally banned weapons of mass destruction in future attacks.”
According to Fox News, the Director of National Intelligence James Clapper confirmed to the Senate on Tuesday that the Islamic State has used weapons of mass destruction (WMDs).
The Islamic State group has used chemical weapons on the battlefield, Clapper did not provide info where WDMs had been used, but he confirmed that in many cases members of the ISIS have used the threaded weapons.
“(The Syrian government) has used chemicals against the opposition on multiple occasions since Syria joined the Chemical Weapons Convention. ISIL has also used toxic chemicals in Iraq and Syria, including the blister agent sulfur mustard,” he stated.
Fox News already published images and videos demonstrating the member of the ISIS were testing chemical weapons. The images showed burns and blistering on
“Photos taken by the Kurds in northern Iraq last summer and fall and reviewed by Fox News show burns and blistering on the skin that a source on the ground there said are consistent with the use of chemical agents. The agents were described as “odorless, colorless and absorbed through the clothing,” causing burns or illness hours later.” wrote FoxNews.
This is the first official confirmation from the US intelligence community that members of the Islamic State have used WMDs. The fear of a possible attack in Europe or US is high, a chemical weapon deployed in a city could kill thousands of unarmed citizens.
isis chemical weapons
“The perceived success of attacks by homegrown violent extremists in Europe and North America, such as those in Chattanooga and San Bernardino, might motivate others to replicate opportunistic attacks with little or no warning, diminishing our ability to detect terrorist operational planning and readiness,” he stated.
The availability of Chemical weapons definitely raises the level of danger of the threat from the radical group.
Vigilante Hackers Aim to Hijack 200,000 Routers to Make Them More Secure
10.2.2016 Hacking
Vigilante Hackers Aim to Hijack 200,000 Routers to Make Them More Secure
The same "Vigilante-style Hacker," who previously hacked more than 10,000 routers to make them more secure, has once again made headlines by compromising more than 70,000 home routers and apparently forcing their owners to make them secure against flaws and weak passwords.
Just like the infamous hacking group Lizard Squad, the group of white hat hackers, dubbed the White Team, is building up a sizeable botnet consisting of hundreds of thousands of home routers, but for a good purpose.
Lizard Squad, the same group responsible for Sony PlayStation Network and Microsoft Xbox Live outages, uses their botnets to launch DDoS (Distributed Denial of Service) attacks against target websites to flood them with traffic and knock them offline.
Hacking Routers to Make them More Secure
Challenged by Lizard Squad's maliocus work, the White Team of vigilante hackers built their own peer-to-peer botnet that infects routers to close off vulnerabilities, such as:
Weak default passwords
DNS poisoning
Unauthorised access (backdoor)
Disabled firewalls
Their malware, dubbed "Linux.Wifatch" a.k.a "Wifatch" that has been used by the team since last year continues to be updated and has been open-sourced on Github.
The malware, first discovered in November 2014 by an independent malware researcher "Loot Myself" and analysed by Symantec last year, now includes more programs to remove other malicious software and backdoors already on the system.
The White Team has access to around 70,000 devices, according to Symantec, who is continuously watching over the team's botnet.
Good Malware to Fight Bad Malware
Lizard Squad sizable botnet contained somewhere between 120,000 and 150,000 bots, a Lizard spokesperson told Forbes, claiming that their botnet includes not just home routers and PCs, but smart refrigerators, smart TVs and other smart home devices as well.
The White Team aims at hacking and protecting between 150,000 and 200,000 devices from Lizard Squad attacks, thereby removing the rogue gang from people's homes.
However, the team of vigilante hackers face some hurdles, especially when working with the Wifatch malware, which is often too big to install on smaller routers.
"The goal is to use (most) of the 60,000 nodes we have to connect to the hundreds of thousands of boxes that are too small for our normal disinfector and disinfect them remotely," the hacker collective told the publication over encrypted email.
Since there are so many vulnerable devices that can be hacked with little or no effort, these vigilante hackers aren't answer to this widespread problem. They can only help minimize the issue.
The White Team is not the only team of vigilante hackers trying to secure the Internet. Just last week, a hacker replaced a malware with antivirus software. An anonymous hacker was found replacing Dridex, the most active banking malware, with the copies of Avira security software.
Are you searching for a Facebook Hacking Tool? Be careful!
10.2.2016 Hacking
Security Experts at ESET security firm discovered a new variant of a known trojan disguised as a Facebook Hacking Tool.
Security researchers at ESET have published an interesting post about a new Facebook hacking tool. I receive every week dozen emails requesting me instruction to hack Facebook accounts.
The hacking tool recently discovered is not able to support you in this hard task, instead it could expose users that download it to serious risks.
But Beware of any software that promises you to hack any Facebook account, it could be very dangerous to launch it.
The tool reported by THN is dubbed Remtasu, it is available online as a Facebook hacking tool, but in reality, it is a trojan that could infect Windows systems.
The trojan is a well-known threat that is circulating for a long on the Internet, now crooks have found a differed way to spread it.
Cyber criminals are disguising it as a software to take over any Facebook account and steal Facebook credentials.
The tool contains a Keylogger module that could be used to that can steal users login credentials. Typically a user searching for a Facebook hacking tool finds the malicious application on direct download websites.
Once a user visits one of these websites, the dangerous Win32/Remtasu.Y malware automatically gets downloaded and executed on victim’s machine.”Although these files are from the same family as those witnessed last year, the way they are being spread is different. We are no longer seeing propagation through e-mail. They are instead coming from direct download sites. Once a user downloads and executes the file, their data is compromised.” states a blog post published by ESET.
The Remtasu trojan is able to capture keystrokes and access information from the clipboard, every information collected on the infected system is stored locally in a data file and then sent to an FTP server.
The system gain persistence in the infected system by saving its copy in a folder that it also creates within the system32 folder.
“As is to be expected in this type of threat, the virus always seeks a way to remain on the computer even when the victim reboots their system or attempts to find the threat in the list of active processes.” continues the post.
“In this case, the malware replicates itself, saving the copy in a folder that it also creates within the system32 folder. The new InstallDir folder remains hidden inside the system files, making it difficult for users to access.”
The campaign based on the fake Facebook Hacking Tool mainly infected users from Colombia, Turkey, and Thailand.
Hacker Leaks Info of 30,000 FBI and DHS Employees
9.2.2016 Hacking
An unknown hacker who promised to release the personal information on government employees has dump online a list of nearly 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.
Though the authenticity of the information has not been verified, at least, some of the leaked data appears to be legitimate.
Here's What the Hacker Leaked:
The hacker leaked first round of data belonging to roughly 9,000 DHS employees on Sunday, which was followed by the release of 20,000 FBI agents information on Monday.
The hacker, who goes on Twitter by the username of @DotGovs, published the supposed data on an encrypted text-sharing website, including:
Names
Job titles
Phone numbers
Email addresses
The Reason Behind the Hack
The message at the top of the data dump includes the hashtag "#FreePalestine" and reads "Long Live Palestine, Long Live Gaza: This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer."
The above message shows the support to Palestine, which could be the motivation behind the hack.
Although it's unclear how much of the hacked data may have been publicly available, the hacker told Motherboard that he had downloaded 200GB of data, out of 1TB total available to him.
If this comes true, the information that has been leaked so far would just be a small percentage of what the hacker has in its box.
How the Hacker did it?
The hacker claimed to have compromised US Department of Justice (DoJ) email account and gained access to the department's Intranet. Then he allegedly downloaded the information of over 20,000 FBI officers, roughly 9,000 DHS employees and an undisclosed number of DoJ staffers.
The hacker also claimed to have some military emails and credit card numbers belonging to federal employees but provided neither proof nor indication that he intended to release them too.
In October, a teenage hacker who goes by "Cracka" carried out a similar hack and targeted several high-profile government employees, including the CIA director John Brennan, the US spy chief James Clapper, the FBI Deputy Director Mark Giuliano, and others.
However, not all hacks are as vast and serious as that of the US Office of Personnel Management (OPM), in which over 21.5 Million government employees were exposed.
DoJ Downplayed the Impact of Hacking
"This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information," a DOJ spokesman said in a statement to the Guardian.
The hacked data posted anonymously on an encrypted Cryptobin website was reviewed by the Guardian, which found that some of the data from the DHS list are outdated, and some listed individuals have not worked for DHS in years.
Others are criticizing the US government for its failure to protect its sensitive data, especially after the embarrassing and damaging OPM hack that exposed personal details on millions of government employees.
Global and Modern Terrorism/Cyber Terrorism
9.2.2016 Hacking
In the following brief I will describe kinetic plot based modern terrorism/Cyber-terrorism and religious affiliations.
Both Jihadist and Non-Jihadist, organized crime associations, data and statistics to show that Radical Muslim Terrorism is the most prominent form in America today.
Modern terrorism and cyberterrorism display the use of violence and threats to intimidate or coerce, normally for political purposes. The state of fear and submission produced by terrorism is known as terrorization. Both are found underlying in espionage, targeted penetrated breaches and kinetic plots. I will outline and compare the plots based on past history.
A brief history according to James Clapper, Director of National Intelligence; in 2011 alone there were over 13,000 reported attacks. This is a 45-year period of data collection, in which 288 plots led to 611 arrests. In 2016, there were a total of 75 people arrested in 43 plots.
From January 2015 to December of 2015 there were 23 plots of Cyber Terrorism reported and 43 people arrested in 189 plots of terrorism with 454 arrests. Out of 44 plots like Boston, where a kinetic plot was tried and successful; Salafist plots totaled 99%, Non-Jihadist- 3% 14 are Jihadist and led to between 900-1,000 active investigations. Out of 35 plots 70% led to arrest. Out of the targets most are Islamic Driven by Terrorist Radicalization noted by James Comey FBI Director.
Here are some results of terrorism related events following 9/11 and the window of opportunity that it created. There were 288 plots following 9/11 and 170 of those were kinetic plots on the homeland. A whopping 59% of these plots led to arrest.
The Islamic extremists plots equaled 90%, 86 were Jihadist and led to 167 investigations. Out of the 167 investigations 8 were successful plots that reached fruition. Out of the 167 investigated, 78 were interdicted, resulting in 37 murders, and 49 injuries. The Islamic state produced 10-11% splinter groups, 5% women, and 7% bad girls.
In regard to Non-Islamic there were 84 plots resulting in 228 investigations. Out of the 228, 25 kinetic plots on the homeland were successful. There were a total of 59 plots interdicted resulting in 77 deaths and 60 injuries caused by crazy white people.
Official ISIS/ISIL terrorism involved 76 plots from 2014-2016. ISIS produced 60% of these and 18 were on US soil. 26 of these attacks produced violence and 26 were kinetic plots. 14% of total attacks were originating from ISIS. One example is Emanuel Luthchman who tried to capture, bomb, and behead Merchants Grill patrons on New Year’s in New York the name of ISIS. In addition, 4 marines were killed in Tennessee by Isis bred Shiite prisoners and 14 were recently slain in the San Bernardino attacks which were insider attacks.
terrorism isis
Global Terrorism is on the rise in greater numbers than US soil, 17 were killed in the Paris attack. 21 Coptic Christians were murdered on the Libyan Coast. In Tunisia, 137 were killed in a Yemen Mosque. In Kuwait, 39 French and Tunisians were killed at a beach resort. Another 27 killed in a Shiite Mosques and many others remain unreported.
On US Soil, 4 marines were killed in Tennessee, In Akron, OH Terrence Joseph McNeil plots to kill100 US service Members, a terrorist stabbed 5 in Mencer, CA.
In the Federal Spectrum, Government contracts and private sector breach is on the rise. Economic espionage has increased at an alarming rate from 1945-2010. There were 200 arrest were made, 90 in Washington DC Metro area, 40% New York State. Much of these attacks resulted in economic loss from the Chinese. There were 4 confirmed plots in California in 2015. Internationally there were 3 major plots, resulting in a total of 9 indictments which were focused on technology transfer in Government Trade Secrets focused on Corporate Espionage.
This is becoming more and more of the normal trend, instead of the old fashioned classic terrorism through traditional bombings. This modern day terrorism is focused on intellectual theft, theft of personally identifiable information that could lead to easy coercing and manipulation of the person in control of the property. It is focused on theft of trade secrets from the inside out; corporate cyber espionage.
Insider attack history includes the terrorist attacks on London in 2005 which came from their own British Citizens. The Boston Marathon attack was carried out by US citizens and the Paris attacks by French Citizens.
US Cyber Command Commander Admiral Mike Rogers noted that the breach of 22 million records from OPM was simply a part of China’s huge data spying ring from Beijing. The records collected were of those with extensive background checks related to (TSSCI) Top Secret Compartmented Information security clearances. This data will likely lead to identification of spies in China and interruption of their activities.
Big Data Analytics made it possible for large bulk data stolen to be scanned for vital information such as Personally Identifiable Information. PII consists of health, medical, dental, birth, marriage, and or death records leading to next of kin or blood relative threat or coercement.
The pertinent PII; Social Security numbers, mother’s maiden name and or health records can be used and tailored for an intelligence perspective and gain pertinent life details about said individuals or for social engineering and manipulation of said data to alter the individual’s original identity and recruited as double agent and or dual spy.
In an attempt to protect the persons identified in the breach, OPM has transferred the personal data on cleared individuals to the Pentagon. They will take over the monitoring and background to create a secure environment for future individual data security. The annual fiscal cost is estimated at $600,000.00.
In contrast, (then and now) with the recent cross over to Cyber Espionage and Global Terrorism manifestation in Going Dark. Some other terms are rogue, and under the radar through hidden applications and data. These new tactics are through apps which can be download through various applications to the cell phone which cannot be traced by government authorities. Espionage related actions totaled 781, over a span of 20 years in which 565 or 21% Russian and 155 cases confirmed China Based Espionage with many diverted cases through proxy hopping.
The Government cannot gain access to the encrypted communications in applications such as WhatsApp, Snap Chat, Confide, and Signal, just to name a few. The latest encryption methods disappear in a matter of seconds after the message is displayed preventing duplication of said message.
Some popular platforms are gaming platforms which can be used to send encrypted messages under false names. These are used to send and receive plots and plans for attacks. Some other targets through Cyber espionage and hacking are to gain access to PII, Personally Identifiable Information through social media, Twitter, LinkedIn, Face Book, and Dark Mafia, to gather intelligence and or compromise personal data.
In comparison, modern terrorism and cyber terrorism has manifest itself primarily through Islamic radical terrorism in various forms. It comes in many names and under various headings. The primary target is to kill the infidel: (anyone not bowing to the name of Allah). Often times the youth and the weak are recruited as targets for ISIS and ISIL because of their desire to fit in and a need to be a part of something. They are targeted to convert to Islam and radicalized via the internet.
In summary, Terrorism and modern Cyber Terrorism will not go away. This is history repeating itself. Just as many years ago Protestants fought against Catholics, now Christianity fights Muslim. In 2014, 2.6% of terrorism victims lived in Western Countries. This is likely to get worse before it gets better. There is not one easy way to combat terrorism as you see it comes in now in your hand-set, head-set, at your finger-tips. Be wise with your choices as it may come knocking at your door.
Hackers leaked DHS staff records, 200GB of files are in their hands
8.2.2016 Hacking
A hacker accessed an employee’s email account at the Department of Justice and stole 200GB of files including records of 9,000 DHS staffers and 20,000 FBI employees.
Yesterday, the data related a Department of Homeland Security (DHS) staff directory were leaked online, a Twitter account shared the link to an archive containing 9,355 names.
The responsible for the data leakage first contacted Motherboard to share the precious archive.
Each record of the DHS Staff Directory includes name, title, email address, and phone number.
Going deep in the archive it is possible to note that it includes information of DHS security specialists, program analysts, InfoSec and IT and also 100 employees with a title “Intelligence”.
The same Twitter account has announced later the imminent release of an additional data dump containing 20,000 FBI employees.
DHS firewall
Are the records authentic?
Motherboard that obtained the archive reached the operations center of the FBI, and in one case the individual who pick up the phone presented himself with the same name associated with that number in the archive. A similar circumstance occurred with a DHS employee, Motherboard so confirmed that the information is legit.
Which is the source of data?
According to Motherboard, a hacker accessed an employee’s email account at the Department of Justice. As proof, the hacker sent the email message to Motherboard’s contributor Joseph Cox directly from the compromised account.
“A hacker, who wishes to remain anonymous, plans to dump the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees, Motherboard has learned.” wrote Cox in a blog post.
“The hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.”
The hacker first tried to use the compromised credentials to access a DOJ staff portal, but without success, then he called the department directly and obtained the access through social engineering techniques.
The hacker accessed the DoJ intranet where the database is hosted, then he downloaded around the, out of 1TB that he had access to.
“I HAD access to it, I couldn’t take all of the 1TB,” the hacker told to MotherBoard.
The hackers confirmed his intention to release the rest of the data in the near future.Which is the motivation behind the attack?
It is not clear at the moment why the hacker released the archive, surely it’s not financially motivated. The hacker only left the following message when has leaked the data-
“This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer…” which are the verses of “Long Live Palestine”
The only certainty right now is that similar incidents are becoming too frequent, apparently the government staff is not properly trained on the main cyber threats or the hacking technique. Similar incidents show the lack of knowledge on the most basic security measures.
Whenever a hacker leaks so sensitive data, I think the number of his peers who had access to the same information with the intent to use them in other attacks or resell them, perhaps to a foreign government.
Reuse of login credentials put more than 20M Alibaba accounts at risk
8.2.2016 Hacking
The reuse of login credentials on Taobao exposed more than 20 million accounts on Alibaba’s websites to attacks.
According to the state media reports, hackers have targeted over 20 million active accounts on Alibaba Group’s Taobao e-commerce website using Alibaba’s own cloud computing service.
The Chinese Giant detected the attack in “the first instance” and responded requesting users to change their passwords.
According to a report published on a website managed by the Ministry of Public Security, hackers behind the attack obtained a database of 99 million usernames and passwords from a number of websites.
The hackers used the Alibaba’s cloud computing platform in the attempt to use the stolen credentials with the Taobao platform.
The hackers discovered that 20.59 million of the 99 million usernames, were shared among different websites, including the e-commerce platform of the Chinese Giant.
20.59 million represents about five percent of annual active buyers on Chinese retail marketplaces.
Alibaba Taobao 2
‘A spokesman from Alibaba confirmed that hackers rented the cloud computing service to launch the attack, but highlighted that there are no security issues affecting the company’s platform.
“Alibaba’s system was never breached,” the spokesman declared.
The hackers started to test the stolen credentials in mid-October and were discovered in November, when experts at Chinese company discovered the unauthorized accesses reported the case to police.
According to the ministry website, Alibaba discovered and blocked the majority of login attempts.
The experts discovered that the compromised accounts were used in various fraudulent activities. The hackers used them to raise Taobao sellers’ rankings placing fake orders, a mechanism known as ‘brushing’.
The incident once again raises the importance of a proper security posture for Internet users, the bad habit of sharing same login credentials among several web services is one of the main causes of security breaches.
MIT Develops Hack-Proof RFID Chip — Here's How It Works
6.2.2016 Hacking
MIT Develops Hack-Proof RFID Chip
Do you know about RFID chips and how many you are carrying at this moment?
Today, RFID chips are built-in all sorts of items, including your credit cards, travel swipe cards, library books, grocery store cards, security tags, implanted medical records, passports and even the access cards provided by companies.
But, What actually is an RFID chip?
Radio frequency identification (RFID) is a small electronic device consisting of a chip on which data can be encoded, and an antenna used to transmit that data. It is typically used for short-distance communication of information.
However, there is concern that these RFID chips could easily be hacked, and the information on these chips could easily be stolen by hackers. After all, they don't even require physical access to these chips in order to get data from it.
The good news is:
Researchers at MIT have developed a new way that prevents RFID chips from hacking.
Although the information on RFID chip is protected with a secret cryptographic key that could thwart a casual data thief, skilled RFID hackers have repeatedly used "Side Channel Attacks" to steal information from these chips easily.
Side Channel Attacks:
The 'side-channel attacks' are designed to extract the secret cryptographic key from a system by analyzing the pattern of memory utilization or fluctuations in power usage.
Also Read: This $10 Device Can Clone RFID-equipped Access Cards Easily
However, side-channel attacks only leak a little amount of information for each repetition of a cryptographic algorithm, so a hacker need to run the attack many numbers of times to get a complete secret key.
Power Glitch Attacks:
One way to prevent side channel attacks is to rotate the private key frequently after each transaction with the help of a random-number generator, but a skilled hacker can overcome this with a so-called "Power Glitch Attack."
Repeatedly cutting the RFID chip's power just before it changes the secret cryptographic key is known as power glitch attack.
By using this method, hackers can render the above strategy ineffective and run the same side-channel attack thousands of times, with the same key, in order to get the pattern and fetch the information from the RFID chip.
Here's How MIT Hack-Proof RFID Chip Works:
The new RFID chip developed by MIT researchers and manufactured by Texas Instruments is designed to block power glitch attacks, which is virtually impossible to hack by any current means, researchers claimed.
The new hack-proof RFID chip can resist power-glitch attacks by having:
An on-board power supply that is "virtually impossible to cut."
Non-volatile memory cells that store computations the chip is working on, even if there's a power cut.
This results in resuming of computation once the power gets restored.
"If that computation was an update of the secret key, it would complete the update before responding to a query from the scanner," the researchers wrote in a press release. "Power-glitch attacks won't work."
To achieve this, the new chip takes advantage of a material called Ferroelectric crystals that consist of molecules arranged into a lattice form where positive and negative charges naturally separate.
Also Read: Hacker Implants NFC Chip In His Hand To Hack Android Phones
These ferroelectric crystals can operate as a capacitor for storing power, producing computer memory that retains data even when powered off.
The research team claims that if this high-security RFID chip hits mainstream adoption, it could help prevent contactless card details from being stolen, potentially preventing credit card frauds.
However, nothing is unhackable today, so calling something "hack-proof" or "virtually impossible to hack" doesn't make sense. As hackers nowadays are so skilled that even devices that are designed on the top of security features aren't immune to hacks.
However, new technologies, like this RFID chip, that take the security of users to the next level are always a good idea and importantly required to secure the world.
Former DoE worker was hacking to steal nuclear secrets and resell them
4.2.2016 Hacking
A former Department of Energy (DoE) employee, Charles Harvey Eccleston [62], has been charged with trying to steal and sell nuclear secrets to foreign governments.
A former employee at the Department of Energy (DoE), Charles Harvey Eccleston [62], has pleaded guilty of cyber espionage. The man attempted to infect al least 80 colleagues at the DOE spreading a malware with the intent to gain control of the victims’ machines.
The man was operating to open the door to foreign hackers, allowing them to exfiltrate sensitive information related to nuclear weapons.
According to the US Department of Justice, Eccleston attempted unauthorized access and intentional damage to a protected computer.
“Charles Harvey Eccleston, 62, a former employee of the U.S. Department of Energy (DOE) and the U.S. Nuclear Regulatory Commission (NRC), pleaded guilty today to a federal offense stemming from an attempted e-mail “spear-phishing” attack in January 2015 that targeted dozens of DOE employee e-mail accounts.” reads the statement issued by officials with the US Department of Justice.
Eccleston worked for both the DOE and the US Nuclear Regulatory Commission, his deep knowledge of the environment allowed him to run surgical attacks against current employees. The employees received a highly targeted spear-phishing e-mails likely containing malicious links.
The man tried to resell information about his colleagues to foreign governments, prosecutors confirmed the case was discovered in 2013, after Eccleston visited an unnamed foreign embassy in Manila, Philippines and offered for sale more than 5,000 e-mail addresses of internal employees (i.e. Officials, engineers, and employees of a US government agency).
The agents from the FBI collected evidence on the man’s intent posing as embassy employees. The man was also offering the access to agency systems to advantage espionage activities.
doe
The man used emails that pretended to be sent by the organizations behind conferences related to nuclear energy.
“Thereafter, Eccleston met and corresponded with FBI undercover employees who were posing as representatives of the foreign country. During a meeting on Nov. 7, 2013, he showed one of the undercover employees a list of approximately 5,000 e-mail addresses that he said belonged to NRC employees. He offered to sell the information for $23,000 and said it could be used to insert a virus onto NRC computers, which could allow the foreign country access to agency information or could be used to otherwise shut down the NRC’s servers.”states the press release.” The undercover employee agreed to purchase a thumb drive containing approximately 1,200 e-mail addresses of NRC employees; an analysis later determined that these e-mail addresses were publicly available. The undercover employee provided Eccleston with $5,000 in exchange for the e-mail addresses and an additional $2,000 for travel expenses.”
“Over the next several months, Eccleston corresponded regularly by e-mail with the undercover employees. A follow-up meeting with a second undercover employee took place on June 24, 2014, in which Eccleston was paid $2,000 to cover travel-related expenses. During this meeting, Eccleston discussed having a list of 30,000 e-mail accounts of DOE employees. He offered to design and send spear-phishing e-mails that could be used in a cyber-attack to damage the computer systems used by his former employer.”
The FBI undercover agents provided a link to Eccleston to include in the malicious email. The man believed the link was pointing to a malicious domain used to serve a malware, instead, it was harmless. Altogether, the defendant sent the e-mail he believed to be infected to approximately 80 DOE employees located at various facilities throughout the country, including offices and laboratories associated with nuclear materials.
Eccleston was fired from the NRC in 2010 for unknown reason, and went to Davos City in the Philippines in 2011.
“Combating cyber-based threats to our national assets is one of our highest priorities,” Assistant Attorney General for National Security John P. Carlin said in a statement.
“We must continue to evolve our efforts and capabilities to confront cyber enabled threats and aggressively detect, disrupt and deter them.”
Eccleston was detained by Philippine law enforcement on March 27, and on Friday he will have the a court appearance on at the U.S. District Court of the District of Columbia.
According to the Justice Department, the man will remain detained until a hearing scheduled for May 20.
This type of crime provides a penalty of up to 10 years and financial penalties, but because the Eccleston age and previous records, according to the advisory federal sentencing guidelines, the former DOE worker likely to receive a prison term of 24 to 30 months and a fine of up to $95,000.