/os/ - Online Security

News, techniques and methods for computer network security.



Welcome to Online Security the place for internet and computer security, privacy and anonymity.
If you have some helpful tips please feel free to share your ideas. Start a new thread, or contribute to an existing thread.



Online Security News Endwall 07/07/2016 (Thu) 06:09:23 [Preview] No. 149
See a news article or CVE bug report on an emerging computer security issue and want to share it? Post below.

I will also post links to Hak5 Threatwire videos.
Edited last time by Endwall on 07/07/2016 (Thu) 16:22:47.


Endwall 07/07/2016 (Thu) 06:12:54 [Preview] No. 150 del
ThreatWire
FBI Finishes Clinton Investigation
https://www.youtube.com/watch?v=adMJnI9fnTE
Edited last time by Endwall on 07/19/2016 (Tue) 18:50:46.


Endwall 07/10/2016 (Sun) 21:14:59 [Preview] No. 162 del
Tech Snap Episode 274
Windows Exploit Edition: UEFI firmware bug
http://www.jupitrbroadcasting.com/101026windows-exploit-edition-techsnap-274/

BSD Now Episode 149: A Wild Dexter Appears!
http://www.jupiterbroadcasting.com/10096/a-wild-dexter-appears-bsd-now-149/

Linux Unplugged Episode 152: To .NET or to .NOT?
http://www.jupiterbroadcasting.com/100936/to-net-or-to-not-lup-152/

Coder Radio: Episode 212: Derailing Java
http://www.jupiterbroadcasting.com/100921/derailing-java-cr-212/
Edited last time by Endwall on 07/19/2016 (Tue) 18:54:15.


Endwall 07/13/2016 (Wed) 07:26:28 [Preview] No. 184 del
Threat Wire: Facebook Messenger Gets Encryption!
https://www.youtube.com/watch?v=16_55Yv_PLQ

Note: don't use facebook, or its messenger...

Vice News: State of Surveillance
Edward Snowden and Shane Smith
https://www.youtube.com/watch?v=ucRWyGKBVzo
Edited last time by Endwall on 07/19/2016 (Tue) 18:55:28.


Endwall 07/17/2016 (Sun) 07:40:27 [Preview] No. 197 del
Edited last time by Endwall on 07/19/2016 (Tue) 18:58:36.


Deepdotweb Articles Endwall 07/19/2016 (Tue) 18:44:36 [Preview] No. 206 del
DEEPDOTWEB
http://deepdot35wvmeyd5.onion/

Google is Preparing Chrome for future wave of quantum attacks
http://deepdot35wvmeyd5.onion/2016/07/12/google-preparing-chrome-future-wave-quantum-attacks/

On the 7th, Wired reported that Google pushed a Chrome update to a very small number of users that included a new form of encryption alongside the current elliptic curve factorization...

Mozilla implementing Tor privacy features in Firefox builds
http://deepdot35wvmeyd5.onion/2016/07/10/mozilla-implementing-tor-privacy-features-firefox-builds/

In 2014, The Tor Project announced that they would be forming a partnership with Mozilla, the company most known for the Firefox browser and Thunderbird email client. The two organizations still work in unison, sharing patches, bug fixes, and even high-capacity relays. In recent news, Mozilla fought to have the FBI release information regarding a Tor exploit – one that leaves Tor and Firefox users vulnerable to hacking and other privacy violations. These requests were denied, but that hasn’t stopped Mozilla from continually working to improve the level of privacy Firefox provides.

We were made aware, a few days ago, that the nightly build of Firefox 50 has started integrating features that originated in Tor. While only a handful are available now, it appears several more – potentially huge – changes will be made public in the following weeks...

On Public and Private WiFi, VPNs, Tor, and Virtual Machines
http://deepdot35wvmeyd5.onion/2016/07/15/on-public-and-private-wifi-vpns-tor-and-virtual-machines/

If you require privacy while connected to the internet – and I mean really require it – there is no reason to only make it part of the way to being safe. In the world we live in today, it’s foolish to ever assume you’re completely untraceable. The most we can accomplish is making it as difficult as possible for the tracing to happen...

SSL Is Not a Badge Of Total Security
http://deepdot35wvmeyd5.onion/2016/07/02/ssl-not-badge-total-security/

Although SSL is an encryption protocol (or a security measure in general) to cover up or protect active traffic between a user and a web server, it can’t prevent eavesdropping. In spite of SSL, advanced hackers can sniff in on traffic, analyse active traffic, and monitor traffic to steal sensitive information via session hijacking and other forms of web attack....

New Mac Malware Can Take Over The Victim’s Webcam
http://deepdot35wvmeyd5.onion/2016/07/16/new-mac-malware-can-take-victims-webcam/

Malware on Mac is pretty rare compared to Windows and Android, however, recently, a new type was discovered called “OSX/Eleanor-A”. With the OSX/Eleanor-A, even amateur hackers can land devastating attacks on the victims’ systems using the tools of the malware...

Here’s some tips for using Signal as safely as possible
http://deepdot35wvmeyd5.onion/2016/07/07/heres-tips-using-signal-safely-possible/

A few weeks ago, we wrote about how Signal was one of the better encrypted messaging applications for mobile devices. In the article, it was mentioned that no matter how secure you think your platform is – there’s always a weak link. More often than not, user error plays a major key in how weak that link is. An article was published by The Intercept_ yesterday that points out a few extra steps one can take to further protect themselves while using Signal. I’ll run through their list briefly. This list is fairly straightforward, and if you’re not a newcomer to operation security or the ins-and-outs of Signal, this write-up probably won’t provide too much insight....
Edited last time by Endwall on 07/19/2016 (Tue) 19:03:24.


Endwall 07/19/2016 (Tue) 19:29:42 [Preview] No. 208 del
Viceland
CyberWar: The Sony Hack
https://www.youtube.com/watch?v=N_wKr5wClRI
Motherboard: CyberWar: Hacking a Car with Ex-NSA Hacker
https://www.youtube.com/watch?v=MeXfCNwMG64
Motherboard: CyberWar: Patrolling the Networks with Cyber Guards
https://www.youtube.com/watch?v=kBwXygdO4e0
Motherboard: Watch researchers hack a surgical robot
https://www.youtube.com/watch?v=qSgj-foL7ps
Motherboard: CyberWar: America's Elite Hacking Force
https://www.youtube.com/watch?v=aJInc_-1bIA
Motherboard: CyberWar: Interview with pre Snowden Whistleblower
https://www.youtube.com/watch?v=J63Bo_xLYfc
CyberWar: Who is Anonymous (Link not working)
https://www.youtube.com/watch?v=WMqmKHcI38A
Edited last time by Endwall on 07/19/2016 (Tue) 21:00:28.


Endwall 07/22/2016 (Fri) 02:51:47 [Preview] No. 212 del
Viceland
CYBERWAR: The Attribution Problem in Cyber Attacks
Description: Bruce Schneier American Cryptographer Discusses Attack Attribution.
https://www.youtube.com/watch?v=OJ9myAO445w
CYBERWAR: When a Hacker Goes to Jail
Description: English hacker Christopher Weatherhead (NERDO) discusses prosecution and jail for hacking for Anonymous.
https://www.youtube.com/watch?v=4-OSQCy0SHs
Edited last time by Endwall on 07/22/2016 (Fri) 02:57:13.


Endwall 07/24/2016 (Sun) 06:31:57 [Preview] No. 214 del
DeepDotWeb
http://deepdot35wvmeyd5.onion/2016/07/23/lucky-green-stops-tor-contribution-will-take-critical-node/
Veteran Tor Contributor Exits, Takes Critical Node Down
Posted by: C. Aliens July 23, 2016
The Tor network is about to lose Tonga, a crucial piece of the onion network that functions as a Bridge Authority, according to an announcement on the Tor blog. The announcement was posted by an original Tor contributor known as Lucky Green – who decided the time was right for him to step away from any involvement in the Tor community. Lucky Green has been an important member of Tor’s history from the very beginning. His involvement started before Tor was ever called Tor and before the software we have today ever existed. Not only has he generously contributed time and money, he says in his announcement, but he also runs and maintains essential parts of Tor’s core. The Tonga node is one of these parts.


Anonymous 07/24/2016 (Sun) 07:43:05 [Preview] No. 215 del
>>214
First Jacob A. leaves, and now a long-time contributor? Shit man, is it time to go i2p?


Anonymous 07/25/2016 (Mon) 17:45:39 [Preview] No. 216 del
>>215

Unfortunately, i2p doesn't really have outproxies. Otherwise it'd be a good idea.


Endwall 07/25/2016 (Mon) 23:14:05 [Preview] No. 217 del
Tech Insider
Watch hackers break into the US power grid
https://www.youtube.com/watch?v=pL9q2lOZ1Fw
Description: A power company in the Midwest hires white hat hackers Red Team Security to test its defenses.


Anonymous 07/26/2016 (Tue) 00:01:08 [Preview] No. 218 del
>>217
The fuck is wrong with USA? I bet shit like this won't fly in Japan or Hong Kong.


Endwall 07/26/2016 (Tue) 02:36:52 [Preview] No. 219 del
Fusion
Real Future Episode 8
https://www.youtube.com/watch?v=vOLjA_58zwg
Title: What Happens when you dare expert hackers to hack you?


Anonymous 07/27/2016 (Wed) 06:00:13 [Preview] No. 223 del
Threat Wire
Snowden's Radio Interception Warning Device
https://www.youtube.com/watch?v=8-rV5wuZ7_4


Endwall 07/30/2016 (Sat) 01:06:28 [Preview] No. 235 del
Motherboard
How hackers could wirelessly bug your office.
https://www.youtube.com/watch?v=5GnMj5cus4A


Endwall 07/31/2016 (Sun) 21:49:00 [Preview] No. 238 del
Tor to Combat Malicious Node Problem Posted by: C. Aliens July 31, 2016
http://deepdot35wvmeyd5.onion/2016/07/31/tor-combat-malicious-node-problem/

The discovery of over a hundred malicious nodes has prompted the Tor Network to develop a new design which is designed to fight this ongoing problem. Developer Sebastian Hahn assured that code has already been written to address this issue, and that the release date is being determined. The Tor Network has said that the attacks do not unmask the operator behind the hidden service, which the law enforcement community has been trying to accomplish for some time now. Amirali Sanatinia, who is working on his PhD in computer science at Northeastern University, is responsible for this discovery. Alongside his professor at the College of Computer and Information Science, Guevara Noubir, they are set to present their paper next week at DEF CON. The paper, “HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs”, tells of a framework called Honey onions, or HOnions, that Sanatinia and Noubir developed that identifies these malicious HSDirs. The two launched the framework in daily, weekly, and monthly runs from Feb. 12 to April 24 and found exactly 110 malicious nodes, most of which were hosted in the US. Others from Germany, France, the Netherlands and the UK were found. They exposed Tor relays with HSDir capabilities that have been made to spoof hidden services. Tor estimated that there are currently around 3,000 HSDirs within its network....


Endwall 07/31/2016 (Sun) 22:00:10 [Preview] No. 239 del
Google Beefs Up Linux Kernel Defenses in Android
http://7rmath4ro2of2a42.onion/article.pl?sid=16/07/30/165203
http://www.theregister.co.uk/2016/07/29/google_hardening_androids_linux_kernel/

posted by n1 on Saturday July 30, @03:21PM from the beef-but-no-bacon dept.

Arthur T Knackerbracket has found the following story: Future versions of Android will be more resilient to exploits, thanks to developers' efforts to integrate the latest Linux kernel defenses into the operating system. Android's security model relies heavily on the Linux kernel that sits at its core. As such, Android developers have always been interested in adding new security features that are intended to prevent potentially malicious code from reaching the kernel, which is the most privileged area of the operating system. [...] One new configuration option called CONFIG_DEBUG_RODATA segments the kernel memory into multiple sections and limits how much of this memory is writeable and executable. Attackers need writeable and executable memory pages in order to inject malicious code into them via exploits, and then run that code with kernel privileges. Another config option, called CONFIG_CPU_SW_DOMAIN_PAN, prevents the kernel from directly accessing user space memory, giving attackers even less control over where their exploits can execute code.


Endwall 08/03/2016 (Wed) 04:24:56 [Preview] No. 245 del
Threat Wire
Keyboards Can Be Hacked
https://www.youtube.com/watch?v=gzM8QBiSSuY


Endwall 08/03/2016 (Wed) 04:32:43 [Preview] No. 246 del
VICE NEWS
Thailand's Cyber Wars: Blackout
https://www.youtube.com/watch?v=fCSwNDefJwE
Edited last time by Endwall on 08/03/2016 (Wed) 04:59:00.


Anonymous 08/03/2016 (Wed) 11:19:25 [Preview] No. 248 del
http://rrcc5uuudhh4oz3c.onion/?cmd=topic&id=9224%29

creepypasta fuel, and of course, some immense ramifications pertaining to Online Security


Endwall 08/04/2016 (Thu) 05:08:00 [Preview] No. 249 del
DeepDotWeb
Bitfinex Hacked, $65 Million in Bitcoin Stolen
http://deepdot35wvmeyd5.onion/2016/08/03/bitfinex-hacked-65-million-bitcoin-stolen/
In a message to Bloomberg News, Bitfinex confirmed that hackers took 119,756 bitcoin, or about $65 million at current prices. Bitcoin’s value against the US dollar as of the time of the article, the 3rd of August, has dropped by 13%. Bitfinex said that all trading has been halted, including withdrawals and deposits. As soon as the breach was discovered, everything was shut down. Law enforcement has been brought in, and although the exchange has confirmed that users are missing coins, we are unclear as to what the next step will be. Although both ethereum and USD are held in Bitfinex wallets, a spokesperson says only bitcoin balances were affected by the hack. Fred Ehrsam, co-founder of Coinbase, a cryptocurrency wallet and trading platform, wrote in an e-mail: “Yes — it is a large breach, Bitfinex is a large exchange, so it is a significant short term event, although Bitcoin has shown its resiliency to these sorts of events in the past.” Bitfinex wrote in a blog post: “We will look at various options to address customer losses later in the investigation. We ask for the community’s patience as we unravel the causes and consequences of this breach.” According to http://bitcoincharts.com/, the Hong Kong-based currency exchange, Bitfinex, was the largest for U.S. dollar-denominated transactions during the last month. The Chinese exchange OKCoin, however, was the largest overall with 90 percent of transactions in Yen. CoinDesk shows that more than $1.5 billion has dropped from bitcoin’s capitalization value in a single week. A similar hack was performed in 2014 on the Tokyo-based Mt. Gox – which was, at the time, essentially the one and only bitcoin exchange. Bitcoin prices dropped 30% during the month of the Mt. Gox hack after the company filed for bankruptcy and shut down...


Endwall 08/04/2016 (Thu) 21:44:29 [Preview] No. 250 del
PBS News
More DNC information to come, says WikiLeaks founder
http://www.pbs.org/video/2365816718/


Endwall 08/04/2016 (Thu) 22:26:50 [Preview] No. 251 del
RT RUPTLY
Murder Victim's Phone Unlocked Using 3D Printed Fingerprint Replica
http://www.dailymotion.com/video/x4n1mju_murder-victim-s-phone-unlocked-using-3d-printed-fingerprint-replica_news


Endwall 08/04/2016 (Thu) 22:32:56 [Preview] No. 252 del


Endwall 08/04/2016 (Thu) 22:53:06 [Preview] No. 253 del
Jupiter Broadcasting
Big Int Trouble | BSD Now 153
http://www.jupiterbroadcasting.com/101646/big-int-trouble-bsd-now-153/


Endwall 08/05/2016 (Fri) 07:31:49 [Preview] No. 255 del
VICELAND
Stuxnet the Digital Weapon: CYBERWAR (Trailer)
https://www.youtube.com/watch?v=Z4NZrErJ4vg


Endwall 08/06/2016 (Sat) 04:18:10 [Preview] No. 256 del
DeepDotWeb
Rival Malware Coders Leak Decryption Keys For Chimera Ransomware
http://deepdot35wvmeyd5.onion/2016/08/05/rival-malware-coders-leak-decryption-keys-chimera-ransomware/
Posted by: Black Ink August 5, 2016
The creators of “Petya” and “Mischa” ransomware leaked around 3,500 RSA private keys for the rival software, Chimera. The keys were allegedly from victims’ systems infected by the Chimera ransomware. Mischa’s developers claim earlier this year they got access to big parts of the dev system used by the malware coder team who created Chimera. After the hack, the rival gang obtained the source code for Chimera and integrated some of it into their own ransomware project, according to a Pastebin message. Malwarebytes, an internet security company, already confirmed this fact in their report last month where they said Mischa shares “some components” with Chimera. There’s no official confirmation yet that the leaked RSA keys would actually work in decrypting the files in Chimera-infected systems; however, there’s a big chance that they are legitimate. Malwarebytes researchers made this statement in their blog post: “Checking if the keys are authentic and writing a decryptor will take some time – but if you are a victim of Chimera, please don’t delete your encrypted files, because there is a hope that soon you can get your data back.” Chimera appeared in November, and it differs from other types of ransomware; it threatens the victims that if they don’t pay up it will not only encrypt their files, but upload them to the internet for anybody to see. This fact has not been confirmed yet; according to tech researchers, this is just an intimidation tactic they use to get more money from the victims. Mischa appeared in May and usually comes with another ransomware program, Petya, that encrypts the master file table (MFT) of hard disk drives. While Petya’s form of encryption requires admin access, Mischa is used as a backup when the needed privileges cannot be obtained. Mischa acts like most ransomware programs, encrypting files directly.
On Tuesday, the coders of Mischa and Petya launched an affiliate system, which could turn their malware combo into ransomware as a service (RaaS), meaning other cybercriminals can sign up to distribute the malicious programs for a percentage of the profits...


Endwall 08/06/2016 (Sat) 04:19:29 [Preview] No. 257 del
DeepDotWeb
New United Arab Emirates Law Makes Using Tor, VPNs, and Proxies Illegal
http://deepdot35wvmeyd5.onion/2016/08/05/new-united-arab-emirates-law-makes-using-tor-vpns-proxies-illegal/
Posted by: C. Aliens August 5, 2016
A new murky law amended by the UAE President dictates that people who use any method of personal security to ensure privacy on the internet will be fined or imprisoned. According to Emirates24/7, UAE President His Highness Sheikh Khalifa bin Zayed Al Nahyan has issued a significant number of changes to federal laws and one in particular is considerably concerning. The law in question is an amendment made to Federal Law No. 12/2016 and Federal Law No. 5/2012 on combating information technology crimes. The most relevant change is what follows: “Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dh500,000 and not exceeding Dh2,000,000, or either of these two penalties.” In layman’s terms, the new law criminalizes those who use IP-masking technologies like VPNs, proxies, Tor, I2P, or others, who risk going to jail, or additional fines between $135,000 and $545,000. The purpose of this law, according to Softpedia, is to keep citizens of the United Arab Emirates from masking their real identity and making it appear as if they were located somewhere across the globe – outside of the UAE. Keeping citizens from masking their IP address helps prevent cybercrime, for one. But secondly, it would both discourage and scare users from using VPNs or proxies for accessing services blocked in the country, such as Facebook Messenger, Snapchat, Skype and others. Article 2 of the law states that the law shall be published in the Official ‘Gazette’ and shall come into effect the day following publication.


Endwall 08/06/2016 (Sat) 04:38:29 [Preview] No. 258 del
Jupiter Broadcasting
TechSNAP 278
Dangerous Dangling Quotes
http://www.jupiterbroadcasting.com/101686/dangerous-dangling-quotes-techsnap-278/
Description: How to get an SSL certificate for other people’s domains, how to decrypt HTTPS traffic with some javascript & the latest storage reliability report.


Anonymous 08/06/2016 (Sat) 23:09:04 [Preview] No. 259 del
https://news.bitcoin.com/bitcoiners-use-tor-warned/

TOR and VPNs will likely be illegal in the U.S. come 2017. FBI's reach extended globally

https://news.bitcoin.com/bitcoiners-use-tor-warned/


Endwall 08/07/2016 (Sun) 00:02:35 [Preview] No. 261 del
DeepDotWeb
Researcher Writes Script Allowing OnionScan Tool to Mass Scan Deepweb Sites
http://deepdot35wvmeyd5.onion/2016/08/06/onionscan-tool-to-mass-scan-deepweb-sites/
Posted by: C. Aliens August 6, 2016
In April of 2016, a researcher launched a tool called OnionScan that probes darkweb sites for vulnerabilities and security threats. The tool, as we wrote, “lets you scan it automatically for common vulnerabilities and errors that can deanonymize the owner or users.” A new researcher has taken it upon himself to describe, to the public, how to deploy the tool using a Python script to help others scan sites in the same way. The security researcher, Justin Seitz, tasked with helping others use OnionScan, published the results of 8,000 site scans using this method. He told Motherboard that this “was to allow others to start more large-scale analyses that are usually too technically difficult for non-technologists to jump into.” However, the creator of OnionScan is worried about this approach as she fears users of darknet sites could be quickly deanonymized if a large number of people were to use the tool. OnionScan searches for information that could be sensitive in Tor hidden services, characterized by their .onion addresses. Metadata in uploaded images or exposed server status pages are two examples of what the tool hunts for. “When used against multiple targets, it can find shared encryption keys, implying a strong correlation between different sites.” Motherboard found eight illegal sites leaking potentially identifying data about their owners, using the OnionScan tool. An example of what they used OnionScan to find is below: On Mollyworld, a hidden service run by a team of vendors selling MDMA, metadata in an image revealed that the camera used was a NIKON D3100. A site run by vendor Doctor Drugs is being hosted on the same server as another hidden service, called “The Polish Connect,” possibly alluding to the vendor’s location (on other marketplaces, Doctor Drugs lists the dispatch location as the Netherlands). It’s obvious the tool would be beneficial to the public it was designed for, but the tool becomes a dangerous weapon in the hands of the law.
Darknet vendors who run their own sites, such as the well-known Gammagoblin (not an .onion link), run a greater risk of being deanonymized than vendors who sell on the larger markets, such as Alphabay or Dream. The tool, OnionScan, was set up by Sarah Jamie Lewis to search a single onion link at a time. Lewis used the scans in an attempt to help fix the revealed vulnerabilities. To the public, she had not pointed out specific sites or released results but instead only provided brief, yet insightful, summaries of her findings...


Endwall 08/07/2016 (Sun) 06:51:21 [Preview] No. 263 del
Tor 0.2.8.6 is released!
Tue, 02 Aug 2016
https://blog.torproject.org/blog/tor-0286-released
Tor Browser 6.0.3 is released
Tue, 02 Aug 2016
https://blog.torproject.org/blog/tor-browser-603-released


Endwall 08/10/2016 (Wed) 00:11:48 [Preview] No. 265 del
TOR PROJECT
New alpha release: Tor 0.2.9.1-alpha
https://blog.torproject.org/blog/new-alpha-release-tor-0291-alpha

Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9 development series. It improves our support for hardened builds and compiler warnings, deploys some critical infrastructure for improvements to hidden services, includes a new timing backend that we hope to use for better support for traffic padding, makes it easier for programmers to log unexpected events, and contains other small improvements to security, correctness, and performance. You can download the source from the usual place on the website. Packages should be available over the next several days. Remember to check the signatures!

http://torsiteyqk5ajx5o.onion/dist/tor-0.2.9.1-alpha.tar.gz
http://torsiteyqk5ajx5o.onion/dist/tor-0.2.9.1-alpha.tar.gz.asc

https://www.torproject.org/dist/tor-0.2.9.1-alpha.tar.gz
https://www.torproject.org/dist/tor-0.2.9.1-alpha.tar.gz.asc


Anonymous 08/10/2016 (Wed) 05:16:56 [Preview] No. 266 del
DeepDotWeb
Research: Websites Can Track Us Online Using Our Device Battery Level
http://deepdot35wvmeyd5.onion/2016/08/09/research-websites-can-track-us-online-using-device-battery-level/
Posted by: C. Aliens August 9, 2016

In 2015, a battery status API was introduced to HTML5 and had already been packaged in Firefox, Opera and Chrome by the end of that year. Security researchers were concerned with the potential privacy invasion the API could lead to, but their warning went without raising many eyebrows. A year later, though, an in-depth analysis has proven the battery tracking API can do just that – aggressively track users. The API was released with the aim of helping websites know when to display a ‘low-power-mode’ version of the site or web-app and then disable unnecessary features that drain the most battery. The World Wide Web Consortium (W3C), the organization that oversees the development of the web’s standards, introduced the API in 2012 – but it wasn’t finalized until 2015. When the W3C initially introduced the HTML5 specification, there were immediate concerns as to the possible blow-back it could have. Since it would allow sites to grab visitors’ battery data without the user’s explicit permission, Lukasz Olejnik published a paper on how much of an invasion this could be. The W3C responded by saying “the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants.” But the recent 1-million site analysis of the API has finally proven differently. In the privacy-threatening API, 14m combinations, providing a “pseudo-unique identifier” for each device, are offered to the website utilizing the battery tracking code. The Guardian gives a great example of how this could work: “Suppose a user loaded their church website in their version of Firefox, and then opened up the website for a satanic cult using a Chrome browser in private browsing mode piped through a secure VPN.
Ordinarily, the two connections should be very difficult to associate with one another, but an advert that was loaded on both pages at once would be able to tell that the two devices were almost certainly the same, with the certainty increasing the longer they stayed connected.” And the 1-million site analysis done by Princeton’s Steven Englehardt and Arvind Narayanan has shown that the API does, in fact, grant sites the ability to do what The Guardian suggests. The two researchers ran a specially modified browser to find sites using the invasive API; specifically, they “found two tracking scripts that used the API to ‘fingerprint’ a specific device, allowing them to continuously identify it across multiple contexts.” They were able to track the scripts used to record battery levels and found them to be incredibly invasive and able to fingerprint devices more easily than many would have assumed...
Edited last time by Endwall on 08/10/2016 (Wed) 05:23:56.


Endwall 08/10/2016 (Wed) 06:29:55 [Preview] No. 267 del
Hak 5 Threat Wire
Bluetooth Smart Locks Can Be Hacked! - Threat Wire
https://www.youtube.com/watch?v=6ngLTRauuJI


Anonymous 08/11/2016 (Thu) 04:26:05 [Preview] No. 269 del
Hak5
Monitor and Benchmark Bandwidth in Linux - Hak5 2024
https://www.youtube.com/watch?v=vrhesofLIcA


Anonymous 08/11/2016 (Thu) 06:32:24 [Preview] No. 270 del
Security Now
Security Now 572: Defcon & Blackhat, Part 1 - Duration: 2:28:07
https://www.youtube.com/watch?v=TkDlUes5HN0
Edited last time by Endwall on 08/11/2016 (Thu) 23:02:07.


Endwall 08/11/2016 (Thu) 22:30:20 [Preview] No. 273 del
SoylentNews
Bungling Microsoft Singlehandedly Proves that Golden Backdoor Keys are a Terrible Idea
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/10/1525217
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/

Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder. These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android. What's more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys. And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone. Microsoft's misstep was uncovered by two researchers, MY123 and Slipstream, who documented their findings here in a demoscene-themed writeup published on Tuesday. Slip believes Microsoft will find it impossible to undo its leak. [Continues...] [...] People are particularly keen to unlock their ARM-powered Surface fondleslabs and install a new operating system because Microsoft has all but abandoned the platform. Windows RT is essentially Windows 8.x ported to 32-bit ARMv7-compatible processors, and Microsoft has stopped developing it. Mainstream support for Surface RT tabs runs out in 2017 and Windows RT 8.1 in 2018. A policy similar to the leaked debug-mode policy can be used to unlock Windows Phone handsets, too, so alternative operating systems can be installed. A policy provision tool for Windows Phone is already available. We expect to hear more about that soon. [...] The Secure Boot policies Microsoft is rushing to revoke can't be used to backdoor conversations or remotely hijack systems, but they remind us that this kind of information rarely stays secret. 
"This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad," Slipstream wrote, addressing the FBI in particular. "Smarter people than me have been telling this to you for so long. It seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system. And the golden keys got released by Microsoft's own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?" The article goes into considerable background on the leaked keys and how you can use them to circumvent Secure Boot. Happy hacking to anyone who has (or can get a good deal on) a Windows RT tablet!


Endwall 08/11/2016 (Thu) 22:32:09 [Preview] No. 274 del
SoylentNews
Thailand Plans to Track All SIM Cards Sold in the Country
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/10/168213
http://www.theregister.co.uk/2016/08/10/thailand_plans_to_track_noncitizens_with_their_sims/

Thailand is considering a proposal to track the location of all SIM cards acquired by foreigners, be they tourists or resident aliens. The plan's been floated as a way to assist law enforcement agencies combat trans-national crime. Thailand borders Cambodia, Laos and Burma, three nations that have reasonably porous borders, seldom score well on measures of incorruptibility or governance and have form as participants in heroin supply chains. [...] The good news is that if your phone roams, you'll be exempt. And with roaming plans now catering to travellers there's a good chance you can bring your phone to Phuket without taking a bath on roaming charges. Resident aliens will be moved to the trackable SIMs. Many such folk move to Thailand to invest or bring expertise to the nation and are unlikely to be happy that their every move is observed. One small upside is that the nation's telecoms regulators aren't entirely sure how to make the tracking work, with cell connection data and GPS both under consideration.


Endwall 08/11/2016 (Thu) 22:33:02 [Preview] No. 275 del
SoylentNews
Australian Census: Hacked or Just Ill-Prepared?
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/11/135225
http://www.bbc.co.uk/news/world-australia-37008173

The Australian census website was shut down by what authorities said was a series of deliberate attacks from overseas hackers. Millions of Australians were prevented from taking part in the national survey on Tuesday night. The Australian Bureau of Statistics (ABS) had boasted only hours before that its website would not crash. The prime minister assured the public that their personal information was not compromised. Debate about privacy concerns has been raised despite assurances from the government that security would not be compromised. Prime Minister Malcolm Turnbull said that the public's personal information was safe and stressed the "unblemished record" of the ABS. "The one thing that is absolutely crystal clear is that there was no penetration of the ABS website," Mr Turnbull said. "What you saw was the denial of service attack or a denial of service attempt which, as you know, is designed to prevent access to a website as opposed to getting into the server behind it. Some of those defences failed, frankly."


Endwall 08/12/2016 (Fri) 00:26:46 [Preview] No. 276 del
Jupiter Broadcasting
The Internet is Dying | TechSNAP 279
http://www.jupiterbroadcasting.com/101941/the-internet-is-dying-techsnap-279/

Myths, Pi’s & Features, oh my! | BSD Now 154
http://www.jupiterbroadcasting.com/101936/myths-pis-features-oh-my-bsd-now-154/


Endwall 08/13/2016 (Sat) 01:26:09 [Preview] No. 277 del
The Smoking Gun
Hacker Publishes List Of Cell Phone Numbers, Private E-Mails For Most House Democrats
http://thesmokinggun.com/buster/democratic-national-committee/guccifer-dccc-hack-645891
After disappearing for a couple of weeks, the hacker “Guccifer 2.0” returned late this afternoon to provide a new headache for Democrats. In a post to his WordPress blog, the vandal--who previously provided nearly 20,000 Democratic National Committee e-mails to Wikileaks--uploaded an Excel file that includes the cell phone numbers and private e-mail addresses of nearly every Democratic member of the House of Representatives. The Excel file also includes similar contact information for hundreds of congressional staff members (chiefs of staff, press secretaries, legislative directors, schedulers) and campaign personnel. In announcing the leak of the document, “Guccifer 2.0” reported that the spreadsheet was stolen during a hack of the Democratic Congressional Campaign Committee. “As you see I wasn’t wasting my time! It was even easier than in the case of the DNC breach,” the hacker wrote. Along with the Excel file, “Guccifer 2.0” also uploaded documents that included the account names and passwords for an assortment of subscription services used by the DCCC, from Lexis-Nexis to Glenn Beck’s web site (password: nutbag). While “Guccifer 2.0” claims to be Romanian and an “unknown hacker with a laptop,” cybersecurity investigators have concluded that he is part of a Russian intelligence operation that has targeted the DNC, Hillary Clinton campaign staffers, and assorted Republicans, including John McCain, Lindsey Graham, and Michele Bachmann. In a message today, the hacker branded the U.S. presidential elections a “farce” that is “being settled behind the scenes as it was with Bernie Sanders.” He added, “I wonder what happened to the true democracy, to the equal opportunities, the things we love the United States for. The big money bags are fighting for power today. They are lying constantly and don’t keep their word. The MSM are producing tons of propaganda hiding the real stuff behind it. But I do believe that people have right to know what’s going on inside the election process in fact.” “Guccifer 2.0” also invited reporters to contact him via Twitter direct message: “Dear journalists, you may send me a DM if you’re interested in exclusive materials from the DCCC, which I have plenty of.” The FBI is investigating the DNC and DCCC hacks along with attempts to compromise the Gmail accounts of Clinton campaign staffers through the use of “spear phishing” e-mails (as detailed in a TSG story published this morning). In a series of e-mail exchanges last month, "Guccifer 2.0" described himself as a committed "hacktivist" and bristled at TSG's portrayal of him as a thief. "Stop calling me the vandal," he wrote. "I'm not a criminal I'm a freedom fighter." While "Guccifer 2.0" claimed to be a foe of "all the illuminati and rich clans which try to rule the governments," cyber investigators theorize that he may actually just be serving as the media liaison for the Russian government hacking teams suspected of breaching the Democratic Party's computer systems.


Endwall 08/14/2016 (Sun) 01:42:36 [Preview] No. 279 del
AP
Nancy Pelosi is flooded with 'sick and obscene' phone calls after 'Russian' hacker posted House Democrats' private numbers
http://www.dailymail.co.uk/news/article-3739253/Pelosi-warns-colleagues-harassing-calls-messages.html


Endwall 08/14/2016 (Sun) 21:16:59 [Preview] No. 280 del
DeepDotWeb
CaliConnect’s Private PGP Key & Account Password Was “asshole209”
http://deepdot35wvmeyd5.onion/2016/08/13/caliconnects-private-pgp-key-account-password-asshole209/
Posted by: C. Aliens August 13, 2016

Although currently free on bail, David Burchard, a.k.a. CaliConnect is now looking at a minimum of 20 counts of drug-related and money laundering charges. His lawyer tells the press that he hasn’t even been able to go through the thousands of discovery pages and is unsure as to how the case will play out. The investigation into Burchard began almost 18 months ago, as of this article (August 2016). It started when he sold over a million USD worth of bitcoin and deposited the money in a personal account. In an affidavit by special agent Matthew Larsen of Homeland Security Investigations, it’s noted that CaliConnect was the 3rd largest US-based vendor on the Silk Road before it shut down. He managed to sell $1.4 million worth of marijuana and cocaine on the Silk Road alone. After the feds broke up the Silk Road, he went on to make money on other markets, including Agora, Abraxas, and AlphaBay. Sending over a million USD to his personal bank account as an out-of-work father was far from the only aspect of his case that points to questionable opsec. He lived with his wife and three children in a California home that cost $1,350 a month in rent, yet his wife was a stay-at-home mother and Burchard had been ‘out of work’ for 6-7 years. A “2010 Jaguar XF sedan; a Mercedes S63, a 2013 Mercedes, and a 2007 Chevy Tahoe” were seized during the raid of his home. He, using his real name, applied for a trademark on the term “CALI CONNECT” and was found with clothing bearing the same label. Interestingly enough, another marijuana vendor – who was at one point semi-popular – trademarked the name of his own strain of weed which quickly led to his arrest. According to his Reddit post pointing to his Alphabay profile, the last login he had was March 26, 2016. He was raided in January 2016. One could argue that law enforcement had logged in to his account to gather evidence but at the time of that Reddit post, his last feedback was on the 25th of March. Meaning he had likely been shipping products out within 10 days of that feedback. While not solid evidence, this strongly implies that he continued to sell on the deepweb after he had been raided, knowing he was under investigation. More recently Ars Technica discovered that Burchard used “asshole209” as a password for his accounts. The discovery says the password was subpoenaed from a site, possibly Greendot, and the same password was then used to decrypt PGP messages in GPG4USB. The decrypted PGP messages allowed law enforcement to match an undercover “controlled purchase” with CaliConnect’s vendor profile...
Edited last time by Endwall on 08/14/2016 (Sun) 21:22:33.


Endwall 08/14/2016 (Sun) 21:25:43 [Preview] No. 281 del
DeepDotWeb
Researchers Create Deepweb Scanner for Upcoming Cyber Threats
http://deepdot35wvmeyd5.onion/2016/08/13/researchers-create-deepweb-scanner-upcoming-cyber-threats/
Posted by: C. Aliens August 13, 2016
According to Forbes, a team at Arizona State University has developed a machine learning system that actively monitors deepweb traffic for zero-day exploits before they actually happen. In July, the news was covered in articles filled with information on the fully undetectable ransomware, Stampado, that was available to be purchased for only $39. The deepweb is filled with data dumps and the contents of website hacks and as the public grows more aware of the growing threat, so do security researchers.
The Arizona State University team’s approach is somewhat of a groundbreaking measure when it comes to cyberdefense. One of the more current tactics companies employ is to offer bounties for security bugs and exploits. This gives the company an opportunity to silently deal with the issue and provides the hacker an incentive to use the discovery for a less malicious purpose. The exploit bounty usually pays less than what the data such an exploit could provide but some exceptions do exist. Google, for instance, offers up to $20,000 for specific types of intrusions. In a document published by the developers of the software capable of detecting zero-day exploits before day zero, they provide details on how the software is capable of learning and what kind of data it is able to track. For instance, the software currently monitors 27 darknet markets and 21 forums for chatter about upcoming security threats, such as the Dyre Banking Trojan. A classifier is used to find security-relevant terminology and filter out both forum posts and market listings unrelated to cybersecurity. As of the published paper, the team scanned 162,872 forum posts and only 19% were marked by their software. Similarly, 11,991 darknet market advertisements and listings were scanned and only 13% were found relevant...


Endwall 08/14/2016 (Sun) 21:32:37 [Preview] No. 282 del
DeepDotWeb
Netsukuku and GNUnet: Viable Tor Alternatives?
http://deepdot35wvmeyd5.onion/2016/08/14/netsukuku-gnunet-viable-tor-alternatives/
Posted by: Ciphas August 14, 2016

On an earlier Deepdotweb article entitled TOR: Is There a Viable Alternative?, I was intrigued by this quote: “The annoying thing about the DarkNet is that there is no “DarkNet”; instead there are DarkNets, all specific to their particular system.” Not long after I started to become more familiar with Tor, I wondered what other darknets existed out there, and two that I came across were Netsukuku and GNUnet. Though they may not be as widely used as Tor, I2P, and Freenet (at present), both sounded promising.

In with the GNU

Unrelated to the older P2P protocol Gnutella, GNUnet is an official GNU project, written in C. Its topology is essentially that of a mesh network (i.e. radio nodes organized in a mesh topology). It includes a distributed hash table (DHT); in this case, it’s a randomized version of Kademlia intended for small networks. As opposed to the clearnet, GNUnet uses Uniform Resource Identifiers (URIs), which have not yet been approved by IANA. Unlike Tor, GNUnet cannot be accessed with a browser, because currently, according to the GNUnet FAQ, there is no proxy (as opposed to Freenet’s fproxy, for example). GNUnet is a P2P framework, which gives it a number of different capabilities. Among these are both anonymous and non-anonymous file sharing, a decentralized and censorship-resistant alternative to DNS, and a system for IPv4-IPv6 protocol translation and tunneling (NAT-PT with DNS-ALG). Contrasted with P2P file-sharing networks like BitTorrent and Ares Galaxy, GNUnet was designed with both security and anonymity in mind as top priorities. In fact, on their main site, at How does GNUnet compare to other filesharing applications?, they offer a chart summing up the differences between their network and other popular ones. While the chart is an oversimplified explanation, one characteristic that stands out is in the “anonymity” category. Of the networks listed (like OneSwarm, Napster, FastTrack, and Freenet), only GNUnet and Freenet feature anonymity. A second chart explains (in a nutshell) how anonymity is achieved between several different networks (including GNUnet, Tor, and I2P). As compared to others of its type, GNUnet is a medium-latency network, while Tor, I2P, and Freenet are all low-latency networks. Again, these charts don’t really offer a lot of detail; go into the more thorough documentation such as the developer handbook for that. ...

GNUnet’s protocol that allows for such anonymity is called, appropriately, GAP (GNUnet Anonymity Protocol). As with I2P, installing GNUnet is a bit more complex than installing and running Tor.  Tor, more or less, can be downloaded and run without much manual configuration.  GNUnet, on the other hand, requires you to install a number of software packages prior to running the program....

Netsuku-d’état

Netsukuku, as described on their homepage, “aims to be a mesh network or a peer to peer protocol that generates and sustains itself autonomously.” While it may have all the trappings of an A.I., the concept behind it is fascinating. Netsukuku is an ad-hoc network designed to handle a substantial number of nodes with the least possible expenditure of CPU and memory resources. The creators intend to generate a network that isn’t dependent on authorities like ISPs, multinational corporations, and governments to stay in operation. In the same vein, they also intend this network to have far greater privacy and anonymity than the current DNS allows. In their official FAQ, the creators say they chose the name “Netsukuku” because “Netsukuku sounds like ‘network’ in Japanese, and we like Japanese stuff. Moreover, when the project started, no results could be found for ‘Netsukuku’ on Google.” Sounds like a good enough reason, doesn’t it? To be clear – Netsukuku isn’t just another P2P network built on top of the Internet (like Tor). Rather, it’s a physical network, as well as a dynamic routing system intended to handle up to 2^32 nodes without servers or central systems. In the words of the creators, Netsukuku might be called a “scalable ad-hoc network architecture for cheap self-configuring Internets.” This type of architecture allows for the opportunity to build and maintain a network as large as the Internet without any human interference. (Picture that for a moment). Netsukuku makes use of a distance vector routing protocol that is thoroughly integrated into the layers of its hierarchical network topology. In turn, it requires very little memory or computational resources – its whole network routing table can be stored in a few mere kilobytes. Thanks to Netsukuku’s architecture, it’s able to feature several impressive attributes. According to its documentation: “…a distributed, non-hierarchical, and decentralised system of hostname management; the easy integration of P2P overlay services; an Internet tunneling system that connects nodes which aren’t physically linked; [and] a system which enables full anonymity, hiding the source and destination of packets and encrypting them.” It seems to be in somewhat of a beta phase at present, but it can be downloaded and run on Ubuntu and OpenWRT...


Endwall 08/15/2016 (Mon) 16:13:21 [Preview] No. 288 del
What is WPAD? Why you need to disable this Windows feature immediately
http://www.ibtimes.co.uk/what-wpad-why-you-need-disable-this-windows-feature-immediately-1576150
Security researchers discover huge Windows security flaw that could expose your private data.
By Mary-Ann Russon August 15, 2016 15:06 BST
Security researchers are warning that all Windows users need to disable the Web Proxy Auto-Discovery Protocol (WPAD) as it exposes users' online accounts, web searches, and sensitive information even if they are accessing websites over encrypted HTTPS or VPN connections.

The Web Proxy Auto-Discovery Protocol (WPAD) was invented in 1999. It enables computers to automatically discover which web proxy they should be using for a specific URL, with the proxy defined in a JavaScript file known as a proxy auto-config (PAC) file. So, if you were to take your Windows laptop out of the office, away from the corporate network, the PC would automatically use WPAD to discover proxies when it connected to a public Wi-Fi hotspot. The protocol is currently supported on all web browsers, as well as the Windows, Mac and Linux operating systems, and iOS and Android, but only Windows has WPAD enabled by default.

WPAD exposes all your online services to hackers

Although the WPAD protocol is undoubtedly useful, it can easily be hijacked so that hackers can see sensitive information that appears on a user's web browser, and there have been countless problems with the protocol in the past, and fixes have not really solved the problem. Researchers from UK-based Context Information Security (CIS) have found a new problem – WPAD can be hijacked to leak all URLs on a secure HTTPS connection, meaning that hackers could easily steal information from your online accounts like Facebook, Twitter, Gmail and Google Drive, particularly if you routinely keep your accounts logged in on your web browser so that you can instantly access services the next time you turn on your computer.

[Figure: The researchers describe an attack whereby a malicious Javascript and a malicious PAC script enable hackers to access HTTPS URLs and command responses via DNS. Source: Context Information Security]

HTTPS is meant to be encrypted web traffic and is now used by most websites and retailers, so even if there is a rogue web proxy that can hijack the WPAD protocol, the hacker still shouldn't be able to see what a user is doing in their web browser because full HTTPS URLs are hidden. However, according to CSO, researchers Alex Chapman and Paul Stone found that they could create a Python script whereby the PAC file that tries to discover the correct web proxy for the URL is also able to force the computer to check what the exact URL is. And if you can look up the complete HTTPS URL, this means that you can see the hidden authentication tokens and other sensitive parameters, and then use them to login to almost any online service. Chapman and Stone also created another attack, whereby they used a rogue web proxy to redirect victims to fake captive portal pages (for example, the login page you often have to fill in before you're allowed to use a hotel or café's Wi-Fi network). When the user tries to load popular web services like Facebook, Google or Twitter, the captive portal forces the web browser to perform a 302 HTTP redirect on all URLs that can only be accessed once you have authenticated your identity. Using the attack, the researchers were able to expose all of a victim's usernames across multiple services, steal photos from their Facebook account and even look at all email summaries, contact details and reminders in their Google accounts, as well as access all documents stored in the victim's Google Drive. If you want to disable WPAD permanently to prevent your computer being hijacked follow our step-by-step guide.


Endwall 08/15/2016 (Mon) 16:16:35 [Preview] No. 289 del
How to disable WPAD on Windows so hackers can't hijack your computer
http://www.ibtimes.co.uk/how-disable-wpad-windows-so-hackers-cant-hijack-your-computer-1576111


Endwall 08/15/2016 (Mon) 22:45:39 [Preview] No. 290 del
PC WORLD New Zealand
NSA hacked? Top cyber weapons allegedly go up for auction
http://www.pcworld.co.nz/article/605163/nsa-hacked-top-cyber-weapons-allegedly-go-up-auction/?utm_medium=rss&utm_source=taxonomyfeed

An anonymous group claims to have stolen hacking tools that might belong to the National Security Agency and is auctioning them off to the highest bidder. It’s a pretty bold claim, but the hackers have offered sample files, and some security researchers say they appear to contain legitimate exploits. The files were allegedly stolen from the Equation Group, a top cyberespionage team that may have links to the NSA. The Equation Group is known to use some of the most advanced malware and probably helped develop the infamous Stuxnet computer worm, according to security firm Kaspersky Lab. Over the weekend, hackers known as the Shadow Brokers claimed to have stolen the very cyber weapons the group has used. “We auction best files to highest bidder. Auction files better than Stuxnet,” the hackers said in a Tumblr posting using broken English. Samples of the stolen files are dated most recently to 2013, and they do contain coding related to hacking, said Nicholas Weaver, a security researcher at the International Computer Science Institute in California. “It appears to be a large amount of NSA infrastructure for controlling routers and firewalls, including implants, exploits, and other tools,” he said in an email. The exploits specifically target firewall technology from Cisco, Juniper, Fortinet, and Chinese provider Topsec, said Matt Suiche, CEO of cyber security startup Comae Technologies, in a blog post. Although the exploits were poorly coded, “nonetheless, this appears to be legitimate code,” he added. Virginia-based Risk Based Security has also looked at the sample files and said that one of the exploits contains an IP address registered by the U.S. Department of Defense. None of this means that the NSA has been hacked. The Shadow Brokers may have simply come across a compromised system that was hosting the exploits, Risk Based Security said in a blog post. It's also possible the Shadow Brokers are promoting a big scam. 
Deception-based schemes are very common in hacking, Risk Based Security added. The NSA hasn't acknowledged any ties with Equation Group and on Monday, it didn't respond for comment. Nevertheless, the Shadow Brokers are asking buyers to bid with bitcoin, although the group is offering no guarantees it will hold its own end of the bargain. However, it’s promising to publicly dump all the files for 1 million bitcoins or US$566 million. So far, the group has only received $45 worth in bitcoin, but it's hoping that "wealthy elites" end up trying to buy the stolen files.  In their Tumblr posting, the Shadow Brokers warned that the hacking tools they've stolen could be used on banks to cause havoc.  "If electronic data go bye bye where leave Wealthy Elites?" the group said.


Endwall 08/15/2016 (Mon) 22:54:17 [Preview] No. 291 del
ARS TECHNICA
20 hotels suffer hack costing tens of thousands their credit card information
http://arstechnica.com/security/2016/08/20-hotels-suffer-hack-costing-tens-of-thousands-their-credit-card-information/
Megan Geuss - Aug 15, 2016 6:10 pm UTC

The chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels—HEI Hotels & Resorts—said this weekend that the payment systems for 20 of its locations had been infected with malware that may have been able to steal tens of thousands of credit card numbers and corresponding customer names, expiration dates, and verification codes. HEI claims that it did not lose control of any customer PINs, as they are not collected by the company’s systems. Still, HEI noted on its website that it doesn’t store credit card details either. “We believe that the malware may have accessed payment card information in real-time as it was being inputted into our systems,” the company said. The breach appears to have hit 20 HEI Hotels, and in most cases, the malware appears to have been active from December 2, 2015 to June 21, 2016. In a few cases, hotels may have been affected as early as March 1, 2015. According to a statement on HEI’s website, the malware affected point-of-sale (POS) terminals at the affected properties, but online booking and other online transactions were not affected. Although an HEI representative told Reuters that it’s still unclear how many customers were affected as some may have used credit cards multiple times, thousands and sometimes tens of thousands of transactions occurred at each property during the months before the malware was detected. The malware was able to scrape credit card details from hotel restaurants, spas, and lobby shops. HEI noted on its website that it had contacted law enforcement and began “promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network.” The hotel chain also recommended that recent customers check their credit and debit card transaction histories to guard against fraud. Similar large-scale attacks have hit chain stores such as Target and Home Depot in recent years. Such high-profile hacks have encouraged retail industries in the US to phase magnetic stripe cards out in favor of chip-based credit and debit cards, although rollout of the new system has been spotty as vendors are slow to buy the new terminals to read the chip cards. Magnetic stripe cards pass static credit card information to a company’s POS system, leaving that information susceptible to hackers who want to steal it to make duplicate credit cards. Chip-based transactions transmit a dynamic card number that makes it much more difficult to steal card numbers and use them for fraudulent purposes...
Edited last time by Endwall on 08/15/2016 (Mon) 23:07:50.


Endwall 08/15/2016 (Mon) 22:57:06 [Preview] No. 292 del
Kaspersky
TCP Flaw in Linux Extends to 80 Percent of Android Devices
https://threatpost.com/tcp-flaw-in-linux-extends-to-80-percent-of-android-devices/119897/
by Michael Mimoso Follow @mike_mimoso August 15, 2016 , 5:10 pm

Eight out of 10 Android devices are affected by a critical Linux vulnerability disclosed last week that allows attackers to identify hosts communicating over the Transmission Control Protocol (TCP) and either terminate connections or attack traffic. The flaw has been present in the TCP implementation in Linux systems since 2012 (version 3.6 of the kernel), and according to researchers at mobile security company Lookout, 80 percent of Android devices—going back to KitKat—run the same version of the kernel.

The issue was publicly disclosed last week during the USENIX Security Symposium where researchers from the University of California Riverside and the U.S. Army Research Laboratory presented a paper entitled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.” While an attacker would need to be able to identify both ends of a TCP connection before initiating an attack, successful exploits would not need that attacker to be in a man-in-the-middle position on the network, the researchers said. Lookout security researcher Andrew Blaich said that some other Android vulnerabilities such as Stagefright, Quadrooter or other kernel and driver flaws that are being patched on a monthly basis may be more severe, but this attack is practical and within reach of hackers...

A patch has been pushed to the Linux kernel, but Lookout said that as of Friday, the latest developer preview of Android Nougat still remains vulnerable, and the Android Open Source Project has yet to receive the patch as well. Android updates are released monthly to carriers and handset makers, and over-the-air security updates for Nexus devices are sent by Google the first of every month. The Cal-Riverside and Army researchers said last week the problem is linked to the introduction of challenge ACK responses and the imposition of a global rate limit on TCP control packets. “At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the researchers wrote. “Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.” Blaich cautioned that in some instances where connections must be long-lived such as video conferencing or large file-sharing, attackers could take advantage of those scenarios to exploit this bug. Lookout recommends that until a patch is ready, Android users should rely on encrypted communications, in particular, deploy a VPN. For rooted Android devices, Lookout recommends using the sysctl tool to change the value for net.ipv4.tcp_challenge_ack_limit to a large value such as 999999999. Blaich said he expects a patch to be ready for the next monthly Android update, which is set for Sept. 1.
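The sysctl workaround quoted above, wrapped in a check-and-remediate script as an added example (this is not Lookout's or the article's own code). It assumes a Linux host exposing the live value under /proc/sys and an /etc/sysctl.d directory for the persistent setting; the 999999999 threshold is the value the post quotes.

```shell
#!/bin/sh
# Added example: verify whether the challenge-ACK rate limit has been raised
# to the workaround value from the post and, if not, print the commands a
# root user would run. Assumes Linux with /proc/sys and /etc/sysctl.d.
RECOMMENDED=999999999
LIVE_PATH=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# Returns 0 when the value in the sysctl file is at or above RECOMMENDED,
# 1 when it is below, 2 when the file cannot be read (non-Linux, no /proc).
# $1: path to the sysctl file; defaults to the live kernel value.
challenge_ack_limit_ok() {
    path="${1:-$LIVE_PATH}"
    [ -r "$path" ] || return 2
    # Keep only digits so a trailing newline does not break the comparison.
    value=$(tr -dc '0-9' < "$path")
    [ -n "$value" ] || return 2
    [ "$value" -ge "$RECOMMENDED" ]
}

# Prints the remediation: sysctl -w changes the running kernel only, the
# drop-in file under /etc/sysctl.d keeps the setting across reboots.
remediation_commands() {
    printf '%s\n' "sysctl -w net.ipv4.tcp_challenge_ack_limit=$RECOMMENDED"
    printf '%s\n' "printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' $RECOMMENDED > /etc/sysctl.d/90-challenge-ack.conf"
}

main() {
    challenge_ack_limit_ok "$1"
    case $? in
        0) echo "tcp_challenge_ack_limit already at or above $RECOMMENDED; nothing to do" ;;
        1) echo "tcp_challenge_ack_limit is below $RECOMMENDED; run as root:"
           remediation_commands ;;
        *) echo "could not read tcp_challenge_ack_limit (not Linux, or /proc not mounted)" ;;
    esac
}

main "$@"
```

Running it with no argument inspects the live kernel; passing a file path lets you audit a value copied from another device (for example one pulled from a rooted Android phone over adb).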


Endwall 08/16/2016 (Tue) 02:25:34 [Preview] No. 294 del
The Intercept
In Bungled Spying Operation, NSA Targeted Pro-Democracy Campaigner
https://theintercept.com/2016/08/14/nsa-gcsb-prism-surveillance-fullman-fiji/
Ryan Gallagher, Nicky Hager 2016-08-15T02:11:29+00:00

Tony Fullman is a middle-aged former tax man and a pro-democracy activist. But four years ago, a botched operation launched by New Zealand spies meant he suddenly found himself deemed a potential terrorist — his passport was revoked, his home was raided, and he was placed on a top-secret National Security Agency surveillance list. The extraordinary covert operation, revealed Sunday by Television New Zealand in collaboration with The Intercept, was launched in 2012 after New Zealand authorities believed they had identified a group planning to violently overthrow Fiji’s military regime. As part of the spy mission, the NSA used its powerful global surveillance apparatus to intercept the emails and Facebook chats of people associated with a Fijian “thumbs up for democracy” campaign. The agency then passed the messages to its New Zealand counterpart, Government Communications Security Bureau, or GCSB. One of the main targets was Fullman, a New Zealand citizen, whose communications were monitored by the NSA after New Zealand authorities, citing secret evidence, accused him of planning “an act of terrorism” overseas. But it turned out that the claims were baseless — Fullman, then 47, was not involved in any violent plot. He was a long-time public servant and peaceful pro-democracy activist who, like the New Zealand and Australian governments at that time, was opposed to Fiji’s authoritarian military ruler Frank Bainimarama. Details about the surveillance are contained in documents obtained by The Intercept from NSA whistleblower Edward Snowden. More than 190 pages of top-secret NSA logs of intercepted communications dated between May and August 2012 show that the agency used the controversial internet surveillance system PRISM to eavesdrop on Fullman and other Fiji pro-democracy advocates’ Gmail and Facebook messages. Fullman is the first person in the world to be publicly identified as a confirmed PRISM target.
At the time of the spying, New Zealand’s surveillance agency was not permitted to monitor New Zealand citizens. Despite this, it worked with the NSA to eavesdrop on Fullman’s communications, which suggests he is one of 88 unnamed New Zealanders who were spied on between 2003 and 2012 in operations that may have been illegal, as revealed in an explosive 2013 New Zealand government report. In response to questions for this story, the NSA declined to address the Fullman case directly. A spokesperson for the agency, Michael Halbig, said in a statement to The Intercept that it “works with a number of partners in meeting its foreign-intelligence mission goals, and those operations comply with U.S. law and with the applicable laws under which those partners operate.” Antony Byers, a spokesperson for New Zealand’s intelligence agencies, said he would not comment “on matters that may or may not be operational.” The country’s spy agencies “operate within the law,” Byers said, adding: “We do not ask partners to do things that would circumvent the law, and New Zealand gets significant value from our international relationships.”...


Endwall 08/16/2016 (Tue) 21:41:53 [Preview] No. 295 del
AP
China's launch of quantum satellite major step in space race
By NOMAAN MERCHANT Aug. 16, 2016 2:16 AM EDT
http://bigstory.ap.org/article/533a4f56ef664f8081a4bbb4aed00f79/chinas-launch-quantum-satellite-major-step-space-race

BEIJING (AP) — China's launch of the first quantum satellite Tuesday will push forward efforts to develop the ability to send communications that can't be penetrated by hackers, experts said. The satellite launched into space from the Jiuquan launch base in northwestern China's Gobi desert will allow Chinese researchers to transmit test messages between Beijing and northwestern China as well as other locations around the world. If the tests are successful, China will take a major step toward building a worldwide network that can send messages that can't be wiretapped or cracked through conventional methods. "It moves the challenge for an eavesdropper to a different domain," said Alexander Ling, principal investigator at the Centre for Quantum Technologies in Singapore. "Lots of people around the world think having secure communications at a quantum level is important. The Europeans, the Americans had the lead, but now the Chinese are showing the way forward." Quantum communications use subatomic particles to securely communicate between two points. A hacker trying to crack the message changes its form in a way that would alert the sender and cause the message to be altered or deleted. Researchers around the world have successfully sent quantum messages by land. But a true satellite-based network would make it possible to send quickly encrypted messages in an instant around the world and open the door to other possible uses of the technology. Cybersecurity has been a major focus in recent years for China, which has pushed regulations aimed at limiting technology imported from the U.S. in the wake of Edward Snowden's revelations of widespread surveillance by the U.S. through the use of American hardware. China has in turn been repeatedly accused by the U.S. of hacking into computer systems to steal commercial secrets and information that could harm American national security. 
China has rejected claims that it runs a state-sponsored hacking program and says that it is among the leading victims of cybercrime. Quantum messaging could become a major defense against hackers and have applications ranging from military and government communications to online shopping. The biggest challenge, Ling said, is being able to orient the satellite with pinpoint accuracy to a location on Earth where it can send and receive data without being affected by any disturbances in Earth's atmosphere. The results of China's tests will be closely watched by other research teams, he said. "It's very difficult to point the satellite accurately," Ling said. "You're trying to send a beam of light from a satellite that's 500 kilometers (310 miles) above you." Hoi Fung Chau, a professor and quantum communications researcher at Hong Kong University, said that it was too soon to say if the tests will succeed, but added he expected quantum messages by satellite to become the global standard eventually. "The theory is already there, the technology is almost there," he said. "It's just a matter of time." The launch is a major triumph for China, which has spent years researching quantum technology and developing the satellite and other uses for it. China has previously announced the construction of a quantum link between Beijing and Shanghai that would be used by government agencies and banks. Pan Jianwei, chief scientist on the satellite project, was quoted by the official Xinhua News Agency as saying the launch proved China was no longer a follower in information technology, but "one of the leaders guiding future IT achievements."


Endwall 08/16/2016 (Tue) 21:48:44 [Preview] No. 296 del
Foreign Policy
Shadow Brokers Claim to be Selling NSA Malware, in What Could Be Historic Hack
http://foreignpolicy.com/2016/08/15/shadow-brokers-claim-to-be-selling-nsa-malware-in-what-could-be-historic-hack/
By Elias Groll, August 15, 2016. Elias Groll is a staff writer at Foreign Policy, covering cybersecurity, privacy, and intelligence.

A mysterious online group calling itself “The Shadow Brokers” is claiming to have penetrated the National Security Agency, stolen some of its malware, and is auctioning off the files to the highest bidder. The authenticity of the files cannot be confirmed but appear to be legitimate, according to security researchers who have studied their content. Their release comes on the heels of a series of disclosures of emails and documents belonging mostly to Democratic officials, but also to Republicans. Security researchers believe those breaches were perpetrated by agents thought to be acting on behalf of Moscow. The NSA did not answer Foreign Policy’s questions about the alleged breach on Monday. But if someone has managed to penetrate the American signals intelligence agency and post its code online for the world to see — and purchase — it would constitute a historic black eye for the agency. “It’s at minimum very interesting; at maximum, hugely damaging,” said Dave Aitel, a former NSA research scientist and now the CEO of the security firm Immunity. “It’ll blow some operations if those haven’t already been blown.” The files posted over the weekend include two sets of files. The hackers have made one set available for free. The other remains encrypted and is the subject of an online auction, payable in bitcoin, the cryptocurrency. That set includes, according to the so-called Shadow Brokers, “the best files.” If they receive at least 1 million bitcoin — the equivalent of at least $550 million — they will post more documents and make them available for free. The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. 
Some code words referenced in the material Monday — BANANAGLEE and JETPLOW — match those that have appeared in documents leaked by Snowden. Security researchers analyzing the code posted Monday say it is functional and includes computer codes for carrying out espionage. The Equation Group is a collection of hackers whose activities were first documented by Kaspersky Lab, a Russian cybersecurity firm, last year. Kaspersky connected the activities of the Equation Group, which it called “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques,” to operations carried out by U.S. intelligence. While Kaspersky did not outright attribute the Equation Group to the NSA, security researchers say in private that they believe it is a project of the American signals intelligence unit.  If the leak is a genuine sample of NSA code — which, so far, researchers say is the case — then this month’s season of information warfare has taken yet another bizarre turn. In the span of several weeks, Russian hackers have posted hacked emails and other documents on a mysterious site known as DCLeaks.com. Those same hackers have infiltrated the Democratic National Committee, and then likely fed documents exfiltrated from its servers to WikiLeaks. ...
Edited last time by Endwall on 08/16/2016 (Tue) 22:08:30.


Endwall 08/16/2016 (Tue) 22:17:52 [Preview] No. 297 del
AP
Snowden: Exposure of alleged NSA tools may be warning to US
By RAPHAEL SATTER Aug 16, 2:25 PM EDT
http://hosted.ap.org/dynamic/stories/E/EU_NSA_SURVEILLANCE?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2016-08-16-10-31-50

PARIS (AP) -- The exposure of malicious software purportedly linked to the National Security Agency is likely a message from Moscow, former intelligence worker Edward Snowden said Tuesday, adding a layer of intrigue to a leak that has set the information security world abuzz. Technical experts have spent the past day or so picking apart a suite of tools allegedly stolen from the Equation Group, a powerful squad of hackers which some have tied to the NSA. The tools materialized as part of an internet electronic auction set up by a group calling itself "Shadow Brokers," which has promised to leak more data to whoever puts in a winning bid. In a series of messages posted to Twitter, Snowden suggested the leak was the fruit of a Russian attack on an NSA-controlled server and could be aimed at heading off U.S. retaliation over allegations that the Kremlin is interfering in the U.S. electoral process. "Circumstantial evidence and conventional wisdom indicates Russian responsibility," Snowden said. "This leak is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted U.S. allies. Particularly if any of those operations targeted elections." Snowden didn’t return messages seeking additional comment. The NSA didn’t return emails seeking comment on his claim. Messages sent to an address registered by the Shadow Brokers were also not returned. Allegations of Russian subversion have been hotly debated following the hack of the Democratic National Committee, an operation which Democratic politicians, security companies and several outside experts have blamed on the Kremlin. Russian officials have dismissed the claims as paranoid or ridiculous, so the message delivered by Snowden - who resides at an undisclosed location in Moscow under the protection of the Russian government - struck many as significant.
Academic Thomas Rid, whose book "Rise of the Machines" traces the earliest known Kremlin-linked computer hacking campaign in the U.S., said Snowden’s declaration would likely be interpreted as "shrewd messaging" from Russian intelligence. Matt Suiche, the founder of United Arab Emirates-based cybersecurity startup Comae Technologies, said he and others looking through the data were convinced it came from the NSA. "There’s zero debate so far," he said in a telephone interview.


Endwall 08/16/2016 (Tue) 22:32:50 [Preview] No. 298 del
Motherboard
Email Provider Linked to Alleged NSA Dumps: We Can't Help
https://motherboard.vice.com/read/email-provider-tutanota-linked-to-alleged-nsa-dumps-we-cant-help
Joseph Cox August 16, 2016 // 09:10 AM EST

On Monday, Motherboard reported that a hacker or group of hackers called “The Shadow Brokers” had dumped what it claimed was a cache of NSA hacking tools. In the wake of that rather extraordinary claim, the security community has feverishly compared notes, largely on Twitter, to try to figure out whether the data is legitimate, and what exactly the collection of files contains. One of those researchers was Matt Suiche, the CEO of UAE-based cybersecurity company Comae. In his analysis, he used the Github API to find an email address linked to one of the accounts that published the data. If law enforcement were to dig into this case, then that email account is likely of interest to investigators: perhaps they could find out more about the user’s identity, or their location. But in a conversation with Motherboard, the co-founder of that email service said that it had very little useful data to hand over if requested, or perhaps ordered, to do so. “Under normal circumstances, we can provide no additional data besides the encrypted mailbox,” Matthias Pfau, the co-founder of Germany-based email provider Tutanota told Motherboard in a phone call. Tutanota automatically encrypts the contents of its users' emails, as well as their contact list. An encrypted mailbox may not be all that helpful to investigators, considering they likely can't read the messages. Pfau said the company doesn't usually log IP addresses of its users, meaning that it couldn't tell law enforcement where the user logged in from. “We don't log any IP addresses when we are not forced to do that,” Pfau said. It's different if a judge orders the company to start recording login IP addresses for a particular user, but that process can't be applied retroactively. “This has occurred once during our lifetime, and we have beyond one million users, so this is really something that happens not very often,” he added. 
“The Shadow Brokers” have said they will release more data upon payment of the audacious sum of 1 million bitcoin (around $568 million). They claim that the data comes from the Equation Group, which is the name given to a group of hackers widely believed to be linked to the NSA. (As an aside, parts of the NSA’s website have been inaccessible since Monday). Of course, the question is whether the US government will pursue this email lead any further. A potential parallel could be the case of shuttered email provider Lavabit. Lavabit's owner Ladar Levison shut down the service in 2013 after the FBI tried to obtain the company's encryption keys. The target of that order was Edward Snowden. Is Tutanota afraid of a similar fate, considering it has just been linked to a dump of alleged files belonging to the NSA? “No, we are not concerned. We are operating from a country with strong privacy laws. Everything we do is fully aligned with German law,” Pfau told Motherboard in a follow-up email. “We believe in privacy and anonymity as cornerstones of modern democracies. Fantasies of omnipotence and total surveillance are threatening our fundamental rights. That is not acceptable and that is why we stand up and fight for privacy,” he continued. Whoever is behind the Tutanota email account did not respond to a request for comment.


Endwall 08/16/2016 (Tue) 22:35:18 [Preview] No. 299 del
Motherboard
Why Github Removed Links to Alleged NSA Data
https://motherboard.vice.com/read/why-github-removed-links-to-alleged-nsa-data

Joseph Cox August 16, 2016 // 01:25 PM EST

Over the past few days, researchers have pored over dumped data allegedly belonging to a group associated with the NSA. The data, which contains a number of working exploits, was distributed via Dropbox, MEGA, and other file sharing platforms. The files were also linked to from a page on Github, but the company removed it fairly swiftly—despite having hosted plenty of hacked material in the past. It turns out that removal was not due to government pressure, but because the hacker or hackers behind the supposed breach were asking for cash to release more data. “Per our Terms of Service (section A8), we do not allow the auction or sale of stolen property on GitHub. As such, we have removed the repository in question,” Kate Guarente, from Github's communications team, told Motherboard in a statement. Specifically, that section of Github's Terms of Service says, “You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).” “The Shadow Brokers,” the hacker or hackers who released the data, said they would publish more if they were paid the rather extraordinary fee of 1 million bitcoin (approximately $568 million). This attempted fundraiser is presumably the auction or sale of stolen property that the company's statement refers to. Github has previously hosted hacked data, although not for sale. Back in July of last year, someone uploaded parts of the Hacking Team breach onto Github. These included database components for the Italian surveillance company's main product RCS, an exploit repository, and RCS malware for various operating systems. That data is still sat on Github, free for anyone to download. Github's removal doesn’t necessarily affect the spread of this data: the alleged NSA exploits are still available from some sources the site removed links to.


Endwall 08/16/2016 (Tue) 22:37:41 [Preview] No. 300 del
Motherboard
Hack of NSA-Linked Group Signals a Cyber Cold War
https://motherboard.vice.com/read/hack-nsa-linked-equation-group-cyber-cold-war

Lorenzo Franceschi-Bicchierai August 16, 2016 // 01:52 PM EST

Early Saturday morning, a group of hackers calling themselves The Shadow Brokers made a shocking claim: they had hacked an NSA-linked group, and were selling the spy agency’s “cyber weapons” to the highest bidder. In a rambling manifesto, the hackers said their motives for exposing the NSA-linked team known as “Equation Group” were to “make sure Wealthy Elite recognizes the danger cyber weapons.” “This message, our auction, poses to their wealth and control,” the hackers wrote. “If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle?” But despite this bizarre, disjointed statement, security experts see other motives behind the dump of several hacking tools believed to belong to the NSA: whoever is behind it wanted to send a warning message. “This entire thing is a huge middle finger at America, at least that’s how some people would interpret it,” Thomas Rid, a professor in the Department of War Studies at King's College London, told Motherboard. Rid said that The Shadow Brokers’ actions need to be seen in light of all the recent leaks by Guccifer 2.0, a self-defined hacktivist who’s more likely a front for Russian spies, as well as another Russian-linked leaking site, DCLeaks. All these leaks started after the Democratic National Committee and CrowdStrike, a US security firm, publicly accused Russia of hacking into the DNC servers. Edward Snowden, the former NSA contractor who’s now stuck in Russia, made a similar point on Twitter, noting that the leak from The Shadow Brokers is probably a “warning.” After the hack on the DNC, the US government, through anonymous officials quoted in national newspapers, blamed Russia for the hack and the subsequent leaks.
So the leak of alleged NSA tools, according to Snowden, is a way for Russia to say that if the US can unmask and expose Russian hacking operations, so can Russia do to the US. The hacked NSA server where the hacking tools were found is proof of that. (It’s worth noting that, unlike in the case of Guccifer 2.0, where there were some technical breadcrumbs pointing to Russia, in this case there’s only very circumstantial evidence that The Shadow Brokers are Russian.) And while Snowden was never part of the NSA’s elite hacking team, Tailored Access Operations, which is believed to be the unit that security firms refer to as “Equation Group,” his theory makes sense. If we assume Russia is behind this new leak, as some people close to the intelligence community are, just as it likely is behind all the Guccifer 2.0 leaks, dumping alleged NSA tools online would be a great way to tell the US government: be careful when pointing the finger at us, we can do the same. This, according to Rid, is a “huge provocation” that risks escalating the conflict even more, and likely will prompt a response—although one we might never see or know about. This is a big deal not necessarily because some NSA hacking tools have been stolen, but because they’ve been dumped online for anyone to see. Stealing your enemies’ tools and techniques is pure espionage. That the perpetrators of the heist publicized it is the “far scarier” scenario because it goes beyond mere espionage, as Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, put it. “Whoever stole this data now wants the world to know—and that has much graver implications,” Weaver wrote in an analysis of the leak. “The list of suspects is short: Russia or China.
And in the context of the recent conflict between the US and Russia over election interference, safe money is on the former.” In other words, it seems like a Cold War-era enemy is playing a very old game, but this time is playing it in public rather than in the shadows. The consequences of this game are still unknown, and as public, we might never see them. A lot of questions remain unanswered. And while we, as onlookers, can’t know for sure whether Russia is behind this leak, nor whether these are really the NSA’s cyber weapons, the NSA does, and has gotten the message. That’s probably all the hackers wanted.


Endwall 08/16/2016 (Tue) 22:43:59 [Preview] No. 301 del
Motherboard
Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More
https://motherboard.vice.com/read/hackers-hack-nsa-linked-equation-group
Lorenzo Franceschi-Bicchierai August 15, 2016 // 12:32 PM EST

A mysterious hacker or hackers going by the name “The Shadow Brokers” claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files. “Attention government sponsors of cyber warfare and those who profit from it!!!!” the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. “How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame.” The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA. The security firm Kaspersky Lab unmasked Equation Group in 2015, billing it as the most advanced hacking group Kaspersky researchers had ever seen. While Kaspersky Lab stopped short of saying it’s the NSA, its researchers laid out extensive evidence pointing to the American spy agency, including a long series of codenames used by the Equation Group and found in top secret NSA documents released by Edward Snowden. The Equation Group, according to Kaspersky Lab, targeted the same victims as the group behind Stuxnet, which is widely believed to have been a joint US-Israeli operation targeting Iran’s nuclear program, and also used two of the same zero-day exploits. The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies. The dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as “BANANAGLEE” or “EPICBANANA.”...


Endwall 08/16/2016 (Tue) 23:06:57 [Preview] No. 302 del
DeepDotWeb
D.O.J Official Encourages a Hundred Federal Judges to Use Tor
http://deepdot35wvmeyd5.onion/2016/08/16/d-o-j-official-encourages-hundred-federal-judges-use-tor/
Posted by: C. Aliens August 16, 2016

The U.S. government has always appeared to be opposed to Tor due to the nature of illegal activities the software can enable. It appears, though, that certain government officials have no problems vocally endorsing the use of Tor. “That’s not a good way to protect your stuff, because the FBI can go through it like eggshells,” Judge Robert Jenson Bryan says. He disagrees with the DoJ employee’s recommendation. Tor, from the very start, has been intertwined with the U.S. government. Not only did Tor spawn from government researchers, but the U.S. has contributed at least 80% of The Onion Project’s funding for the software. In fact, in 2015, Tor opened up crowd-funding to become less reliant on the U.S. government (and of course to allow spending flexibility). In the 1990s, employees of the United States Naval Research Laboratory created the essence of the Tor we know. Onion routing was developed to protect intelligence data from spying eyes. The Defense Advanced Research Projects Agency picked up the project in the late 90s. After several showcases and an alpha version, the project’s source code was released by the NRL in 2004. The EFF picked up the project and funded the two developers contracted to work on it, Roger Dingledine and Nick Mathewson, two Boston-based programmers contracted by the Pentagon. Government funding became the primary influx of money after 2006. The funding mostly consisted of government funded deals and “pass through” grants. It’s not hard to believe the government completely opposes the software. A perfect example of this is the NSA calling Tor users “extremists.” The connection between the government and Tor is constantly downplayed. However, this isn’t always the case.
The director for the Cybercrime Lab at the Department of Justice, Ovie Carroll, told a room full of federal judges to “use the TOR network to protect their personal information on their computers, like work or home computers, against data breaches, and the like,” Judge Robert J. Bryan said in a hearing transcript. Carroll specializes in cyberattacks and combating electronic penetrations. With over 25 years of law enforcement experience, what he says often carries weight. He’s an authoritative presence on the topic at George Washington University as well. Judge Robert Jenson Bryan says “I was surprised to hear him urge the federal judges present,” and continued with “I almost felt like saying, ‘That’s not a good way to protect your stuff, because the FBI can go through it like eggshells.’” Bryan has presided over several cases involving cybercrime and Tor, including several related to Operation Playpen. One of the most noteworthy is his ruling against the government on evidence obtained by the FBI’s NIT deployment in the US vs. Michaud case. According to data obtained by Motherboard, Judge Bryan is not the only U.S. government official who has endorsed the usage of Tor for privacy. Some of the emails Motherboard was able to access were of a Philadelphia-based FBI computer scientist advocating Tor’s usage to Lebanese officials. Regardless of the way it appears, the U.S. government needs Tor for the purposes the software was designed for. “The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, “Oh, it’s another CIA agent.” If those are the only people using the network.” —Roger Dingledine, co-founder of the Tor Network, 2004
Edited last time by Endwall on 08/16/2016 (Tue) 23:38:09.


Endwall 08/16/2016 (Tue) 23:09:39 [Preview] No. 303 del
DeepDotWeb
OnionDSL Sets Aim on Mass Surveillance
http://deepdot35wvmeyd5.onion/2016/08/16/oniondsl-sets-aim-mass-surveillance/
Posted by: American Guerrilla August 16, 2016
The UK is right around the corner from one of the biggest government surveillance power expansions since Snowden, and one network specialist isn’t going to let that stop him from bringing privacy to the people. The Investigatory Powers bill, or the Snooper’s Charter, championed by the current UK Prime Minister, Theresa May, will create a vast new legal army for mass surveillance for the government of the UK, making the programs discovered by Snowden, in fact, legitimate. It also mandates that all Internet Service Providers must keep tabs on what their customers are doing online, handing over any of the collected data to law enforcement, per their request. One man, Gareth Llewelyn, has taken it upon himself to fight back. He started building his own ISP that runs on the Tor Network. He wanted to design a system that will make it harder for the new surveillance measures to censor content, and comply with government requests for subscriber information. Early last month at Hackers On Planet Earth, or HOPE, in New York, Llewelyn announced OnionDSL. It is his Tor-based system designed specially for this one-man ISP, Brass Horn Communications. Llewelyn’s system prevents him from capturing any logs at all, making customer data invisible; in turn making it impossible for him to turn over any records at all. All a new user would have to do is migrate their connection to Brass Horn, then configure their router or PC to connect to Llewelyn’s Tor bridge. The traffic from the customer would then be bounced throughout the Tor network as usual, turning their trip into cyberspace untraceable. The only activity anyone can see is the subscriber’s router using his bridge to gain entry into the Tor network. With this new service, it makes bills like the UK’s Mass Surveillance idea technically impossible. It also combats another legal loophole caused by using the Tor network.
Three different U.S. judges all ruled that the users of Tor should have no expectation of privacy regarding their true IP addresses. This came about because of their idea that in order to connect to the Tor network, one must expose their real IP address to the third party machine running the Tor bridge, which helps you move into the Tor network itself. They mean that by using the FBI’s NIT (network investigative technique), the FBI doesn’t need a warrant. The courts in the U.S. have taken it above and beyond, by one judge’s ruling that the FBI doesn’t even need a warrant to hack into anyone’s computer, anywhere. “At the moment, the NIT is only being targeted at people who belong in jail, but as with everything it’s a slippery slope, next they’ll be targeting dark net markets then it’ll be WikiLeaks, etc., etc.,” Llewelyn said in an email after his speech at HOPE. The OnionDSL system allows the subscriber to never have to share his or her IP publicly with anyone because their connections are tunneled privately through the ISP’s dedicated Tor bridge. “The judge’s argument is that a normal Tor relay is a third party and you as a normal Tor user have to expose your publicly identifiable/router address to said third party by routing over the internet to connect to that relay. In the OnionDSL model no information about the user is exposed to third parties, and more importantly (as far as that judge’s ruling is concerned) there is no identifiable address to expose,” Llewelyn continued. This Tor-based ISP isn’t going to be for everyone, and it does have a couple of major limitations. One being that it can only reroute web traffic using the TCP protocol. This means that running games and apps that use other communication standards simply won’t work. Everything is routed through Tor, so bandwidth limitations and all other setbacks that come from using Tor would also apply.
“As a general use consumer broadband product OnionDSL falls short on many counts, but if taken solely as a dedicated censorship/surveillance busting broadband product then it is pretty damn cool,” Llewelyn also said. He imagines it being used at places with vulnerable connections like libraries, and refugee shelters. Brass Horn Communications doesn’t have any subscribers, yet. He still considers it more of a proof-of-concept plan, to help protest against the surveillance laws. He still thinks that if the UK’s IP bill is signed into law, and if he were to raise enough capital via crowdfunding, he will go ahead and launch it anyway. “I’m not suggesting this is a good idea for everyone. If you say, ‘Hi, I’d like a special internet connection that no one can spy on,’ you will be red flagged,” he concluded.


Endwall 08/16/2016 (Tue) 23:16:12 [Preview] No. 304 del
Motherboard
Wave of Spoofed Encryption Keys Shows Weakness in PGP Implementation
https://motherboard.vice.com/read/wave-of-spoofed-encryption-keys-shows-weakness-in-pgp
Joseph Cox August 16, 2016 // 04:00 PM EST

Don't always trust an encryption key. Someone has generated a host of dodgy PGP keys, and by abusing the inherent weakness in the short identifying code attached to each, has made the keys appear to belong to a series of high profile individuals in the security community. This means that someone trying to communicate with these people, which include developers of the Tor anonymity software, may accidentally use the wrong key, leaving messages potentially open to snooping. Or, at best, recipients will simply not be able to decrypt some of the messages they receive. Many of the keys appear to relate to a 2014 research project, but their reemergence highlights a lingering security concern with PGP, which stands for “pretty good privacy”. On Monday, a post on the unofficial Linux Kernel Mailing List claimed that encryption keys purportedly belonging to Linus Torvalds, the creator of Linux, and Greg Kroah-Hartman, a Linux kernel developer, were instead fake. The post pointed to keys stored on the MIT server, a popular repository where people upload their keys for others to more easily find. The issue revolved around each key's “short ID,” a numerical code that is supposed to uniquely identify every key. In Torvalds's case, the short ID of his real key was 00411886. But someone had created a key with exactly the same 8 digit code. “The 32-bit short IDs of pgp are completely useless. They may be ‘convenient’, but they also entirely bypass the whole point of having a nice secure key,” Torvalds told Motherboard in an email. Kroah-Hartman also confirmed to Motherboard that one of the keys apparently belonging to him was fake.
Plenty of people list their short ID on their social media profiles, so anyone wanting to get in touch has a relatively easy way to check that whatever key they find is legitimate: If the short ID on the MIT key server is the same as the one on the person's Twitter profile, then you'd think there was a pretty good chance that they were in fact the same key. But, as this case shows, you would be wrong. Isis Lovecruft, a Tor developer, also reported on Tuesday that someone had created a fake key for her, as well as others from the Tor Project. And although it doesn’t seem to be part of this more recent wave of spoofed keys, journalist Glenn Greenwald tweeted a similar experience back in 2014. All of this is possible because generating a key with the same 8 digit code as another is pretty simple. Using a tool called Scallion, a user can quickly cycle through different PGP keys until they create one that they're happy with. This is not a new problem: Back in 2014, German journalist Hanno Boeck covered the issue from DEF CON 22 (Boeck also reported spotting a fake key for himself earlier today). At least some of the reported fake keys were part of the 2014 Evil 32 project which highlighted the dangers of short IDs, explained Eric Swanson, the co-creator of that project, in a comment on Y Combinator on Tuesday. Swanson added that he has generated revocation certificates for each key, meaning they can be marked as “revoked” on the key server. The potential issue here is that if an attacker created a fake key, people started using it, and this attacker had the potential to intercept emails or otherwise access the target’s email account, they might be able to read incoming encrypted messages. Of course, that would need to be a highly resourceful attacker.
But, as Boeck pointed out to Motherboard in an email, that is the whole point of PGP and end-to-end encryption: to stop someone who has the ability of interception from reading messages. “So yes, this is not trivial to pull off, but it's exactly the scenario PGP is supposed to prevent,” he wrote. However, perhaps the more likely situation is that someone will use the wrong key when trying to send a message, and the recipient won’t be able to read it. Even if someone is pretty vigilant and closely reads the longer, 40 character key fingerprint, another issue is that some PGP programs rely on short IDs for importing keys. “The really bad thing is that the short ID is what you end up often using even with the tools, and there have even been bugs where the tools themselves used the short ID internally despite it not being secure,” Torvalds continued. “No security is ever ‘absolute’. PGP has some very real technical strengths, but I have to say, it has a lot of weaknesses too. The weaknesses tend to be about the UI and usage, not about core algorithms, but with security, that's a big deal,” Torvalds added.
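The article's point is that the 8-hex-digit short ID is just the low 32 bits of the 40-digit SHA-1 fingerprint, so two different keys can share it while their full fingerprints differ. The example below is added here and is not code from the article or from any PGP implementation; it derives a v4 fingerprint from an RSA public-key packet as RFC 4880 describes, then shows a keyring lookup that refuses to act on a short ID matching more than one key. All key material, fingerprints and user IDs are constructed, including the two fingerprints that deliberately end in the 00411886 short ID quoted in the article.

```python
"""Added example: OpenPGP v4 fingerprint vs. long ID vs. 32-bit short ID,
plus a lookup that treats an ambiguous short ID as an error.
Constructed inputs only; not code from the article or any PGP tool."""
import hashlib
import struct
from collections import defaultdict


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_v4_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algo 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || two-byte body length || body), 40 hex chars (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Strip spaces and an optional 0x prefix and upper-case the hex so comparisons are exact."""
    f = fpr.replace(" ", "").upper()
    return f[2:] if f.startswith("0X") else f


def long_id(fpr: str) -> str:
    """Low 64 bits of the fingerprint (16 hex chars)."""
    return normalize(fpr)[-16:]


def short_id(fpr: str) -> str:
    """Low 32 bits of the fingerprint (8 hex chars): only 2**32 values, so collisions are cheap."""
    return normalize(fpr)[-8:]


def find_keys(keyring, identifier: str):
    """Every key whose fingerprint ends with the identifier (short ID, long ID or full fingerprint)."""
    ident = normalize(identifier)
    return [k for k in keyring if normalize(k["fpr"]).endswith(ident)]


def lookup(keyring, identifier: str):
    """Resolve an identifier to exactly one key; raise if it is unknown or ambiguous."""
    hits = find_keys(keyring, identifier)
    if len(hits) != 1:
        raise LookupError(f"{identifier!r} matches {len(hits)} keys; compare the full 40-hex fingerprint")
    return hits[0]


def short_id_collisions(keyring):
    """Map each short ID shared by more than one key to the list of those keys."""
    groups = defaultdict(list)
    for k in keyring:
        groups[short_id(k["fpr"])].append(k)
    return {sid: ks for sid, ks in groups.items() if len(ks) > 1}


# Constructed keyring: two different fingerprints that share the short ID from the article.
KEYRING = [
    {"uid": "alice (genuine, constructed)", "fpr": "ABCDEF0123456789ABCDEF012345678900411886"},
    {"uid": "alice (spoofed, constructed)", "fpr": "0000111122223333444455556666777700411886"},
    {"uid": "bob (constructed)", "fpr": "FEDCBA9876543210FEDCBA98765432100F0F0F0F"},
]


if __name__ == "__main__":
    # Constructed (tiny, insecure) RSA parameters just to exercise the packet framing.
    fpr = fingerprint(rsa_v4_packet_body(1471305600, 0xC0FFEE, 65537))
    print("fingerprint", fpr, "long", long_id(fpr), "short", short_id(fpr))
    for sid, keys in short_id_collisions(KEYRING).items():
        print("short ID", sid, "is shared by", [k["uid"] for k in keys])
    try:
        lookup(KEYRING, "00411886")
    except LookupError as err:
        print("refused:", err)
    print("resolved:", lookup(KEYRING, "ABCD EF01 2345 6789 ABCD EF01 2345 6789 0041 1886")["uid"])
```

Running it prints the shared 00411886 short ID, the refused short-ID lookup and the key resolved from the full fingerprint.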


Endwall 08/16/2016 (Tue) 23:18:21 [Preview] No. 305 del
Motherboard
How Cyberattacks on Critical Infrastructure Could Cause Real-Life Disasters
https://motherboard.vice.com/read/how-cyberattacks-on-critical-infrastructure-could-cause-real-life-disasters
Lorenzo Franceschi-Bicchierai August 16, 2016 // 05:41 PM EST

On October 11, 2012, then Secretary of Defense Leon Panetta warned of the impending dangers of a digital Pearl Harbor, a cyberattack that targeted critical infrastructure and caused real, physical damage. Since then, others have sounded the alarm bells of a cyberattack on infrastructure. Yet, other than the Stuxnet attack on an Iranian nuclear power plant, and a blackout enabled by a malware infection in Ukraine, there are very few examples of cyberattacks whose effects have spilled beyond the digital world. Security experts seem to agree that the threat is real—though highly misunderstood—and yet squirrels cause far more problems to the energy grid than hackers. But the fact that infrastructure attacks don’t seem to happen very often doesn’t mean they are not possible. Critical infrastructure, many agree, is highly vulnerable. “It is remarkably easy to just mess with the temperature someplace in a natural gas plant and catch the entire plant on fire,” Meredith Patterson, an information security expert, said. We tried to figure out what are the real risks of a “cyber Pearl Harbor” attack, and made a water bottle explode in the process, in this week’s CYBERWAR episode. You can watch it on VICELAND on Tuesday, at 10:30 PM ET.


Endwall 08/16/2016 (Tue) 23:24:23 [Preview] No. 306 del
Motherboard
How the Government Is Waging Crypto War 2.0
https://motherboard.vice.com/read/encryption-debate-the-end-of-end-to-end
Daniel Oberhaus August 10, 2016 // 11:40 AM EST
On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik entered the Inland Regional Center in San Bernardino, California and opened fire on the attendees of a holiday party underway inside. After four minutes of shooting, the married couple fled the scene and left 19 dead in their wake. At the time, it was the deadliest act of terrorism in the United States since 9/11. Farook and Malik were both killed in a shootout with authorities later that day, and in the weeks that followed the tragedy, it became apparent that this act of terrorism was an inciting incident in the renewal of another war which began over 20 years ago. This war, however, is only tangentially related to religiously motivated terrorism. Rather, its frontline combatants are programmers and hackers, the battlefield is cyberspace and the munitions are lines of code. It is Crypto War 2.0, and its outcome will affect every internet user on Earth, for better or worse.

THE FIRST CRYPTO WAR

What you are about to see was considered to be a highly dangerous and easily accessible weapon in the early 1990s. It was classed as a munition by the US government, and its traffic across borders was regulated in the same manner as hand grenades and tanks. It looked like this:

It may not look like much, but putting these three lines of code on the internet without a permit technically made you an illicit arms dealer under the International Traffic of Arms Regulations (but in a bizarre twist, putting it on a t-shirt or in a book was totally chill). The script is an RSA signature coded in the PERL programming language and was used early on in the development of Pretty Good Privacy (PGP), a method of digitally encrypting messages. Although the first crypto war is rooted in export regulations established at the height of the Cold War with the development of the Data Encryption Standard for use by commercial and military entities, the effects of these crypto regulations didn’t become apparent until 1991.
This was the year that the software engineer Phil Zimmerman wrote his PGP program and began disseminating it on the internet, making public key encryption widely available for the first time. As the US News reported in 1995, the feds came after Zimmerman for violating regulations relating to export of munitions because his software had been exported out of the country on the internet. The first crypto war had begun. “The government's fear was that if we didn't regulate this [RSA implementation], it would allow the bad guys to have perfect security,” said Nate Cardozo, a senior attorney at the Electronic Frontier Foundation, during a presentation at DEF CON last weekend. Around the same time that the feds were trying to prosecute Zimmerman, two other major battles of the first crypto war were being fought. The first was being waged by Netscape Communications, the company responsible for the first widely used web browser, Netscape Navigator. The company was working on developing its SSL encryption protocol to ensure security on its networks, which would eventually lead to the HTTPS web encryption standard used today. But Netscape had a problem: It was in the business of supplying access to the global internet, but the United States’ ITAR regulations meant that it couldn’t export its full, 128-bit SSL encryption protocol outside the US and Canada. So they created a significantly less secure 40-bit encryption protocol that was legal to provide to non-US citizens. Yet as Cardozo pointed out, Netscape’s dual standard did little besides highlight the absurdity of the US government’s attempt to regulate encryption.
In 1995 there was no way to block Netscape users based on the geographical location of their IP address, which meant that when you logged on to Netscape Navigator, you were presented with a choice between the US/Canada 128-bit SSL version of Netscape or the International 40-bit version. The choice was made by clicking a radio button for either version. There was no way to verify whether or not you were actually in the US when you selected the 128-bit protocol—it was just as accessible to someone in the Kremlin as it was to someone in Kansas. In other words, Netscape was in the business of exporting munitions around the globe...


Endwall 08/16/2016 (Tue) 23:28:57 [Preview] No. 307 del
Motherboard
Quantum Computing Just Grew Way the Hell Up
https://motherboard.vice.com/read/quantum-computing-just-grew-up
Michael Byrne August 3, 2016 // 01:00 PM EST

On Wednesday, researchers at the Joint Quantum Institute at the University of Maryland unveiled a first-of-its-kind fully programmable and reconfigurable quantum computer. The five-qubit machine, which is described in the journal Nature, represents a dramatic step toward general-purpose quantum computing—and, with it, an upending of what we can even consider to be computable. It's often remarked rather abstractly that the rather abstract power of future quantum computers will nuke our most fundamental layer of digital security by virtue of their very existence. How will they do this? By being very powerful, goes the nigh-universal pop science answer. A very powerful computer, of the sort that has never been seen before, may use that great power to factor numbers much more quickly than could be accomplished using even non-quantum supercomputers. The RSA algorithm, which guards most of our digital data, is based on not being able to do this. The mechanism behind this RSA crippling has had a name since 1994, one year before the very first quantum logic gate had even been realized at a NIST laboratory in Boulder, Colorado. It's called Shor's algorithm, and is a method of factoring very large whole numbers using quantum hardware. Like many quantum algorithms, it relies on a mathematical operation known as the quantum Fourier transform (QFT), which decomposes a given quantum state into its constituent parts. The QFT was one of three algorithms that Shantanu Debnath and his team at the Joint Quantum Institute successfully implemented using their quantum computing module. While currently limited to just five qubits, the group's computer could potentially be scaled up to as many as 100 qubits, and, moreover, could be linked to other computers (hence the modularity), possibly by using photon channels. 
Linkages of these modules would constitute larger and larger quantum machines. Debnath and co.'s quantum computer is based on trapped ions, or atoms that have either a positive or negative charge. This charge is manipulated such that the ions can be shoved around using magnetic fields—here, they're arranged into a line. The tight arrangement means that the ions wind up acting like particles in a crystal, which means that it's possible to get them all vibrating coherently. Getting all of the ions humming in just the right way results in quantum entanglement, a scenario in which the particles, from certain perspectives, become indistinguishable. So, the entangled particles are all sharing the same state and, as such, wind up acting like mirrors of each other. Entanglement in such a line-based arrangement has the helpful property of not needing to be passed from neighboring particle to neighboring particle...
Edited last time by Endwall on 08/17/2016 (Wed) 03:37:09.


Endwall 08/17/2016 (Wed) 03:25:35 [Preview] No. 309 del
Hak 5
Millions of Volkswagen Vehicles Hacked! - Threat Wire
https://www.youtube.com/watch?v=bZW6x6edr_U


Endwall 08/17/2016 (Wed) 04:24:21 [Preview] No. 310 del
Computer Security Online
High-end banking malware hits Brazil
Maria Korolov Aug 16, 2016 11:45 AM PT
http://www.csoonline.com/article/3107999/cyber-attacks-espionage/high-end-banking-malware-hits-brazil.html
In the past two weeks, IBM's X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda targeting Brazilian financial institutions, according to a new report

Brazil just can't catch a break. We've already seen flesh-eating bacteria in the water, athletes getting robbed on the streets, and police officers holding up a "welcome to hell" sign at the airport. Plus a wide variety of cybercrime, including phishing attacks and credit card skimming machines. Now the criminals are getting even more sophisticated. In the past two weeks, IBM's X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda, according to a new report. "This is considered sophisticated malware, and this kind of sophistication is not typical for Brazil," said Limor Kessem, executive security advisor for IBM Security. "This is definitely a step up from what we usually see in Brazil." Brazilian malware is typically scripts or browser extensions, not a complex modular software product like Zeus, she said. The way that it works is that both strains of malware target Brazilian computer users, then wait for the users to access their online banking or payments accounts. They then intercept the communications, modify the websites, steal credentials, and redirect the payments. It is likely that the attackers are based in Brazil or have local partners, she said. The malware communicates back to central command-and-control servers to download customized configuration files, she explained. In these two cases, the files have been customized to attack three major Brazilian banks and a Brazilian payment system, as well as one bank in Colombia. Adding a new banking target requires that the attackers create a social engineering injection that precisely mimics a bank's look and feel and requires an understanding of the bank's authentication methods. "They are able to manipulate what the person sees when they visit the page," Kessem said. "For example, in addition to a login and password, they might also ask for a Social Security number and their mother's maiden name."
This is where local knowledge comes in handy. "In the past, a lot of times, cybercriminals going after countries where they don't speak the language would have a lot of spelling mistakes, and that would be a sign that something isn't right," she said. "Now that they collaborate with people who are local, they have more of an ability to say the right things in the right way, and have more knowledge of how that bank works and have a better chance of defrauding accounts." As a result, adding a new target becomes fairly easy, she said. All the criminals have to do is modify the configuration file. "It's fairly easy to do and criminals can do that at any time." The core source is the same for both Panda and Sphinx, and both are based on the Zeus source code that was leaked in 2011 and has become a popular base for commercial malware sold on underground boards, she said. Zeus Panda is extremely localized, she said. In addition to local banks, it targets a supermarket that delivers food, a police agency, and a Bitcoin exchange. The Bitcoin exchange is probably being used to help the criminals launder their ill-gotten gains, Kessem suggested. Zeus Sphinx targets Brazilian banks as well, but also goes after the popular Boleto Bancário payment platform, which allows users to go online and send money orders. Sphinx first emerged a year ago, first attacking banks in Australia and the U.K. Kessem did not have any data about how much financial damage these attackers are causing Brazil. In 2014, however, RSA issued a report that a Boleto malware fraud ring had compromised nearly $4 billion worth of transactions over the previous two years. IBM currently monitors 270 million endpoints worldwide, Kessem said. After spotting the malware, the company notified the targeted institutions and local law enforcement authorities. She declined to name the specific institutions targeted by the malware.


Endwall 08/17/2016 (Wed) 19:30:46 [Preview] No. 311 del
NEOWIN
Malware-ridden spam email allegedly contains video of Hillary Clinton meeting ISIS leader
http://www.neowin.net/news/malware-ridden-spam-email-allegedly-contains-video-of-hillary-clinton-meeting-isis-leader?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20neowin-main%20%28Neowin%20News%29

Clickbait is one classic technique we find in news stories all over the internet to induce curiosity or shock among readers, which will result in a clickthrough. It has been deemed as something very effective; even Facebook is announcing plans to cut back on such headlines in the future. Cybercriminals also know this very well, which is why a new email scam utilizing it is out in the wild, starring U.S. presidential candidate Hillary Clinton. A spam email is being spread recently, which allegedly contains a video clip of Clinton meeting with the leader of the terrorist group ISIS. It contains the subject line "Clinton Deal ISIS Leader caught on Video," which would obviously pique the curiosity of someone who has received the email, especially those in the United States. The text inside the email states that the presidential candidate was seen exchanging money with the leader, and then tells the recipient "you can decide on who to vote." However, in reality, the message does not contain any video file. Instead, it has a .ZIP file, which according to Symantec, contains a malicious Java file which when opened infects the recipient with a Java remote access Trojan (RAT) dubbed as 'Backdoor.Adwind.' It also has two other .VBS files, which can reportedly detect which antivirus and firewall software the victim is utilizing. Adwind will then attempt to connect to windows8pc.space, which is its Command and Control (C&C) server. This server is responsible for downloading and executing more malicious files on the victim's computer. According to Symantec's analysis, the Trojan not only can open a back door on the infected machine, but it can also steal information from the victim. It can also reportedly affect not only Windows machines, but Linux, Mac OS X, and Android devices.
With these kinds of attacks going on, we advise readers to become very careful with any email they ever come across, as they could contain malware and other software that could compromise the computer's safety, as well as the owner's identity. Clickbait emails such as the one mentioned are programmed to be regarded as a 'must-see,' especially for those who are not very familiar with such tactics of spammers and cybercriminals.


Endwall 08/17/2016 (Wed) 19:32:31 [Preview] No. 312 del
Deep Dot Web
Morocco Bans Skype, WhatsApp, in VoIP Crackdown by State ISP
http://deepdot35wvmeyd5.onion/2016/08/17/morocco-bans-skype-whatsapp-voip-crackdown-state-isp/
Posted by: D. Hume August 17, 2016
After first being announced in January, Morocco began enforcing its ban of “Voice over IP”, or “VoIP,” on mobile devices, in a move that prevents conventional Moroccan smartphone users from using popular video call programs like Skype, WhatsApp, Viber, and more. The northern African kingdom’s telecom regulatory body, Agence Nationale de Réglementation des Télécommunications, said in a statement that “Telephony [sic] services can only be provided by those who hold an official telecommunications licence [sic]…Free telephony [sic] on internet protocol does not fulfil these conditions…” This decision has proved a boon to internet service provider Maroc Telecom, which controls 40% of Morocco’s telecom market. According to The Africa Report, Maroc Telecom reported a 16% rise in net income in Q1 2016, to $1.6 billion. In light of the ban, however, some users are turning to Dark Web solutions. Many users have opted to use Betternet, a local VPN service, to get around the ban via proxy. Additionally, mobile users have downloaded TOR onto their phones, specifically the Orbot app and the Orfox browser, both of which are free, open-source, and available on the Google Play Store for Android. This follows a similar move in The Gambia in 2013, when the Public Utilities Regulatory Authority banned Skype from internet cafés.


Endwall 08/17/2016 (Wed) 19:36:49 [Preview] No. 313 del
ARS TECHNICA
Stealing bitcoins with badges: How Silk Road’s dirty cops got caught
http://tornews3zbdhuan5.onion/newspage/32526/

Cyrus Farivar and Joe Mullin - Aug 17, 2016 10:00 am UTC

DEA Special Agent Carl Force wanted his money—real cash, not just numbers on a screen—and he wanted it fast. It was October 2013, and Force had spent the past couple of years working on a Baltimore-based task force investigating the darknet's biggest drug site, Silk Road. During that time, he'd also carefully cultivated several lucrative side projects all connected to Bitcoin, the digital currency Force was convinced would make him rich. One of those schemes had been ripping off the man who ran Silk Road, "Dread Pirate Roberts." That plan was now falling apart. As it turns out, the largest online drug market in history had been run by a 29-year-old named Ross Ulbricht, who wasn’t as safe behind his screen as he imagined he was. Ulbricht had been arrested earlier that month in the San Francisco Public Library by federal agents who had their guns drawn. Now government prosecutors were sifting through a mountain of evidence, and Force could only guess at how big it was. The FBI got around the encryption of Ulbricht’s Samsung Z700 laptop with a street-level tactic: two agents distracted him while a third grabbed the open laptop out of his hands as Ulbricht was working. The kingpin had literally been caught red-handed, tapping commands to his Silk Road subordinates up until the moment he was cuffed. Force had been treating Ulbricht like his personal Bitcoin ATM for several months by this point, attempting to extort DPR one day and wrangling Bitcoin bribes for fake information the next. Force didn’t want to be holding those bitcoins anymore. He opened an account with Bitstamp, a Slovenia-based Bitcoin exchange where he thought he’d be able to turn coins into cash quickly and quietly. But when Force opened Bitstamp account #557042 on October 12, 2013, it sealed his fate. He'd tricked Ulbricht into paying him more than 1,200 bitcoins (a cache worth more than $700,000 today).
Trying to launder those ill-gotten gains through Bitstamp was about as poor a choice as Force could make—only the agent couldn’t have known this at the time...


Endwall 08/17/2016 (Wed) 19:42:01 [Preview] No. 314 del
Nakedsecurity
VeraCrypt disk encryption team claims “emails intercepted”
https://nakedsecurity.sophos.com/2016/08/17/veracrypt-disk-encryption-team-claims-emails-intercepted/

Remember TrueCrypt? It was a popular and widely-used encryption toolkit similar to Microsoft’s BitLocker and Apple’s FileVault. The idea is that by encrypting and decrypting data at the operating system level, just before every chunk is written to disk and immediately after it’s read back in, you can’t accidentally miss anything. Your operating system and temporary files are scrambled; leftover fragments of deleted files are scrambled too; even sectors on the disk that are blank are encrypted so you can’t tell they’re empty. That’s known as FDE, short for full-disk encryption, and it’s a very handy way of reducing the risk of data leakage if a crook runs off with your laptop, or you leave it in a taxi. With FDE, it’s no longer possible just to put your hard disk into another computer, or boot up from a recovery CD, and look through the files...

Just this week, however, the Open Source Technology Improvement Fund (OSTIF), which gives financial support to VeraCrypt, has released an announcement cloaked in almost as much mystery as the posting that terminated TrueCrypt in 2013: We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared. This suggests that outside actors are attempting to listen in on and/or interfere with the audit process. We are setting up alternate means of encrypted communications in order to move forward with the audit project. Interestingly, the article announcing the “breach” is explicitly titled OSTIF, QuarksLab, and VeraCrypt E-mails are Being Intercepted, although in this case, it looks as though the emails are being destroyed. You’d think that an outside actor who wanted to snoop on what you are up to would intercept non-destructively, by looking at the messages but letting them go anyway. After all, deleting the messages doesn’t serve much point: firstly, it draws attention to the problem; and secondly, it doesn’t really prevent the messages from getting through, because the senders can just transmit them again...


Endwall 08/18/2016 (Thu) 00:45:36 [Preview] No. 315 del
ARS TECHNICA
Cisco confirms NSA-linked zeroday targeted its firewalls for years
http://tornews3zbdhuan5.onion/newspage/32850/
http://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-for-years/

Dan Goodin - Aug 17, 2016 10:35 pm UTC

Cisco Systems has confirmed that recently-leaked malware tied to the National Security Agency exploited a high-severity vulnerability that had gone undetected for years in every supported version of the company's Adaptive Security Appliance firewall. The previously unknown flaw makes it possible for remote attackers who have already gained a foothold in a targeted network to gain full control over a firewall, Cisco warned in an advisory published Wednesday. The bug poses a significant risk because it allows attackers to monitor and control all data passing through a vulnerable network. To exploit the vulnerability, an attacker must control a computer already authorized to access the firewall or the firewall must have been misconfigured to omit this standard safeguard. "It's still a critical vulnerability even though it requires access to the internal or management network, as once exploited it gives the attacker the opportunity to monitor all network traffic," Mustafa Al-Bassam, a security researcher, told Ars. "I wouldn't imagine it would be difficult for the NSA to get access to a device in a large company's internal network, especially if it was a datacenter." The vulnerability, which Cisco rated as "high," is all the more menacing given the release over the weekend of hacking tools that have been all but definitively linked to Equation Group, an elite hacking team with ties to the NSA that remained hidden for more than 14 years. With the release of professionally developed code that exploits the Cisco vulnerability, attacks can now be carried out by a much larger base of hackers. The weaponized attack exploited a vulnerability residing in Cisco's implementation of the Simple Network Management Protocol.
The exploit was the engine behind "ExtraBacon," one of 15 distinct pieces of attack code included in the still-mysterious leak from last weekend. A blog post from Tuesday demonstrated how ExtraBacon allowed an unauthenticated person to take control of Adaptive Security Appliance firewalls. Cisco's confirmation now suggests that people within the US government have known of the risk since at least 2013 and allowed it to persist. Cisco has yet to actually patch the vulnerability, which is indexed as CVE-2016-6366. Instead, the company is releasing signatures that can detect the exploits and stop them before they allow an attacker to seize control of vulnerable networks. Another workaround is to disable SNMP altogether. A Cisco representative said the company will release a patch in the near future...


Endwall 08/18/2016 (Thu) 22:43:52 [Preview] No. 320 del
Ars Technica
PowerShell is Microsoft’s latest open source release, coming to Linux, OS X
http://tornews3zbdhuan5.onion/newspage/33145/
http://arstechnica.com/information-technology/2016/08/powershell-is-microsofts-latest-open-source-release-coming-to-linux-os-x/
Peter Bright - Aug 18, 2016 3:52 pm UTC

Microsoft today released its PowerShell scripting language and command-line shell as open source. The project joins .NET and the Chakra JavaScript engine as an MIT-licensed open source project hosted on GitHub. Alpha version prebuilt packages of the open source version are available for CentOS, Ubuntu, and OS X, in addition, of course, to Windows. Additional platforms are promised in the future. Announcing the release, Microsoft's Jeffrey Snover described the impetus for the move: customers liked the use of PowerShell for management, remote control, and configuration but didn't like that it was Windows-only. To address this concern, Microsoft first had to bring .NET, and then PowerShell itself, to Linux and other platforms. Snover says that PowerShell will be extended so that remote scripting can natively use ssh as its transport instead of Windows remoting. Longer term, this move should mean that Windows' and Azure's management tools such as Operations Management Suite and Desired State Configuration will have much greater reach, allowing a common set of tools and skills to reach a far greater range of systems.


Endwall 08/18/2016 (Thu) 23:36:34 [Preview] No. 322 del
Montreal’s ARC4DIA Cyber Defense platform impresses at U.S. military exercises
http://www.cantechletter.com/2016/08/montreals-arc4dia-cyber-defense-platform-impresses-u-s-military-exercises/

August 18, 2016 By Terry Dawes
Montreal company ARC4DIA Cyber Defense has put its proprietary platform, SNOW, to the test at two recent invite-only U.S. military exercises, Red Flag from July 11-29 at Nellis Air Force Base in Nevada, and Cyber Flag from June 20-30 at Suffolk, Virginia, resulting in the platform being obtained and used within a range of U.S. military agencies. These two military exercises bring together the “best of the best” in the cyber security industry from across the U.S. and allied nations to participate in full spectrum simulated military training and operations. “We are honoured to have been selected to participate in these large scale military events and to showcase the value of SNOW and its unique offerings,” says ARC4DIA CEO Pierre Roberge. “SNOW was well received at both events and delivered on all fronts. We are thrilled with the positive results, which we believe is a testament to the product, and its unparalleled ability to outperform the rest.” Cyber attacks obviously occur at incredible speeds without any warning. ARC4DIA’s proprietary heuristics platform works with the active oversight of the company’s experts, who have previous experience with global military, national security agencies, government, and academic institutions, to not only prevent or mitigate the attack, but also to provide insight into the attacker’s identity and motivations. ARC4DIA can work with the client to craft misinformation flowing back to the attacker, and work to lure them into leaving a digital trail, exposing them to positive attribution and potential future prosecution. Presented as a host-based managed hunt solution, SNOW combines a proprietary technology with security analysis, offering endpoint protection against Advanced Persistent Threats (APTs). Juniper Research projects that cybercriminal data breaches will cost businesses US$2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015. 
Privately held ARC4DIA Cyber Defense, founded in 2010, specializes in combating a sophisticated form of APT cyber attacks, and protects more than $40 billion dollars in assets globally for government agencies, as well as mid to large scale enterprises in a variety of sectors. With headquarters in Montreal, ARC4DIA also has offices in Vilnius, New York and London. In May, ARC4DIA presented at NATO’s 8th International Conference on Cyber Conflict (CyCon), to an audience consisting of more than 500 stakeholders in cyber defense industries, including prime ministers, heads of state, and national security teams, while also participating as experts on panel discussions.


Endwall 08/18/2016 (Thu) 23:39:23 [Preview] No. 323 del
Krebs on Security
Malware Infected All Eddie Bauer Stores in U.S., Canada
http://krebsonsecurity.com/2016/08/malware-infected-all-eddie-bauer-stores-in-u-s-canada/
Aug 16
Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after KrebsOnSecurity first notified the clothier about a possible intrusion at stores nationwide.
On July 5, 2016, KrebsOnSecurity reached out to Bellevue, Wash., based Eddie Bauer after hearing from several sources who work in fighting fraud at U.S. financial institutions. All of those sources said they’d identified a pattern of fraud on customer cards that had just one thing in common: They were all recently used at some of Eddie Bauer’s 350+ locations in the U.S. The sources said the fraud appeared to stretch back to at least January 2016. A spokesperson for Eddie Bauer at the time said the company was grateful for the outreach but that it hadn’t heard any fraud complaints from banks or from the credit card associations. Earlier today, however, an outside public relations firm circled back on behalf of Eddie Bauer. That person told me Eddie Bauer — working with the FBI and an outside computer forensics firm — had detected and removed card-stealing malware from cash registers at all of its locations in the United States and Canada. The retailer says it believes the malware was capable of capturing credit and debit card numbers from customer transactions made at all 350 Eddie Bauer stores in the United States and Canada between January 2, 2016 and July 17, 2016. The company emphasized that this breach did not impact purchases made at the company’s online store eddiebauer.com. “While not all transactions during this period were affected, out of an abundance of caution, Eddie Bauer is offering identity protection services to all customers who made purchases or returns during this period,” the company said in a press release issued directly after the markets closed in the U.S. today. Given the volume of point-of-sale malware attacks on retailers and hospitality firms in recent months, it would be nice if each one of these breach disclosures didn’t look and sound exactly the same.
For example, in addition to offering customers the predictable and irrelevant credit monitoring services topped with bland assurances that the “security of our customers’ information is a top priority,” breached entities could offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used. That way, other companies could use the information to find out if they are similarly victimized and to stop the bleeding of customer card data as quickly as possible. Eddie Bauer’s spokespeople say the company has no intention of publishing these so-called “indicators of compromise,” but emphasized that Eddie Bauer worked closely with the FBI and outside security experts. For more on the importance of IOCs in helping to detect and ultimately stymie cybercrime, check out last Saturday’s story about IOCs released by Visa in connection with the recent intrusion at Oracle’s MICROS point-of-sale unit. And for the record, I have no information connecting this breach or any other recent POS malware attack with the breach at Oracle’s MICROS unit.


Endwall 08/18/2016 (Thu) 23:45:51 [Preview] No. 324 del
InfoSecurity Magazine
Bitcoin Targeted by State-Sponsored Attackers
http://www.infosecurity-magazine.com/news/bitcoin-targeted-by-statesponsored/
Tara Seals US/North America News Reporter, Infosecurity Magazine
Bitcoin is warning users that it is likely being targeted by state-sponsored attackers. The virtual currency also said that it doesn’t have adequate protections against such an onslaught, which it thinks is aimed at the binaries for the upcoming release of Bitcoin Core, its optimized wallet software. As such, users are open to robbery. “As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this caliber,” the organization said in a website notice. “We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.” Bitcoin Core is programmed to decide which block chain contains valid transactions. The users of Bitcoin Core only accept transactions for that block chain. The idea is to improve security through decentralization—users each individually run their own Bitcoin Core full nodes, and each of those full nodes separately follows the exact same rules to decide which block chain is valid. The individual software instances follow identical rules to evaluate identical blocks and come to identical conclusions about which block chains are valid. The end goal is to allow users to accept only valid bitcoins, enforcing Bitcoin’s rules against even the most powerful miners. Bitcoin Core users also get better security for their bitcoins, privacy features not available in other wallets, and a choice of user interfaces. That said, it would appear that compromise is not out of the question given the big guns being used by nation-state attackers. “Not being careful before you download binaries could cause you to lose all your coins,” the site said. “This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.” The hashes of Bitcoin Core binaries are cryptographically signed with a key, which Bitcoin recommends that all users download. Users should also securely verify the signature and hashes before running any Bitcoin Core binaries.
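The advice at the end of that notice, verify the signature and the hashes before running anything, has two halves. The signature check is done with `gpg --verify` on the signed hash manifest, against a signing key obtained out of band; only then are the per-file digests worth trusting. The digest half is what the following added example shows. It is not code from bitcoin.org or the Bitcoin Core project; the file names, contents and manifest are constructed for the demonstration, and only the two digests (SHA-256 of the empty string and of the bytes "abc") are real values.

```python
"""Check downloaded files against a SHA256SUMS-style manifest.

Added example; it is not code from bitcoin.org or the Bitcoin Core
project. It covers the digest half of "verify the signature and hashes":
the manifest must first be checked with `gpg --verify` against a signing
key obtained out of band, and only then are the per-file digests trusted.
File names and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict

# Constructed manifest in the "<hex digest>  <filename>" layout produced by
# sha256sum. The digests are the SHA-256 values of the empty string and of
# the bytes "abc"; the file names are placeholders, not real releases.
SAMPLE_MANIFEST = """\
# constructed sample, not a real release manifest
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  release-empty.tar.gz
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release-abc.tar.gz
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release-tampered.tar.gz
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release-missing.tar.gz
"""


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected lowercase hex digest.

    Accepts both "digest  name" (text mode) and "digest *name" (binary
    mode) lines as written by sha256sum; blank and comment lines are
    skipped and anything else is rejected rather than silently ignored.
    """
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        int(digest, 16)  # raises ValueError on non-hex characters
        expected[name] = digest.lower()
    return expected


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(manifest_text: str, directory: str) -> Dict[str, str]:
    """Return file name -> 'ok', 'mismatch' or 'missing' for every manifest entry."""
    results: Dict[str, str] = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == want:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """True only when every listed file exists and matches; run nothing otherwise."""
    return bool(results) and all(status == "ok" for status in results.values())


def run_demo() -> Dict[str, str]:
    """Write constructed files to a temp dir and verify them against SAMPLE_MANIFEST."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "release-empty.tar.gz": b"",        # matches the empty-string digest
            "release-abc.tar.gz": b"abc",       # matches the "abc" digest
            "release-tampered.tar.gz": b"abd",  # one byte changed: must be flagged
            # release-missing.tar.gz is deliberately not written
        }
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_directory(SAMPLE_MANIFEST, tmp)


if __name__ == "__main__":
    outcome = run_demo()
    for name, status in outcome.items():
        print(f"{status:8} {name}")
    print("safe to run" if all_verified(outcome) else "DO NOT RUN: verification failed")
```

The point of `all_verified` is that a single mismatch or missing file fails the whole manifest: a tampered binary next to three clean ones is exactly the case the notice warns about, so the decision to run is all-or-nothing rather than per file.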


Endwall 08/18/2016 (Thu) 23:47:00 [Preview] No. 325 del
TrustedSec
TrustedSec Security Podcast Episode 52 – Paul Asadoorian from Security Weekly, Bad Air, Azure, Cisco, Clinton Foundation
https://www.trustedsec.com/august-2016/tsp-episode-52-show-notes/
https://www.trustedsec.com/podcasts/trustedsec-security-podcast-episode-52.mp3
XML Page https://www.trustedsec.com/podcasts/trustedsecsecuritypodcast.xml
Edited last time by Endwall on 08/18/2016 (Thu) 23:49:37.


Endwall 08/19/2016 (Fri) 00:03:03 [Preview] No. 326 del
Soylent News
U.S. Set to Hand Off Control of the Internet
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/18/0230232
posted by cmn32480 on Thursday August 18, @04:12AM

In less than two months the U.S. Department of Commerce will hand over control of the Internet to international authorities: The department will finalize the transition effective Oct. 1, Assistant Secretary Lawrence Strickling wrote on Tuesday, barring what he called "any significant impediment." The move means the Internet Assigned Numbers Authority, which is responsible for interpreting numerical addresses on the Web to a readable language, will move from U.S. control to the Internet Corporation for Assigned Names and Numbers, a multistakeholder body based in Los Angeles that includes countries such as China and Russia. The move is not without its critics. In a letter to Commerce Secretary Penny Pritzker penned last week and signed by Republican senators Ted Cruz of Texas, James Lankford of Oklahoma, and Mike Lee of Utah, they stated: "The proposal will significantly increase the power of foreign governments over the Internet, expand ICANN's historical core mission by creating a gateway to content regulation, and embolden [its] leadership to act without any real accountability." [...] "We have uncovered that ICANN's Beijing office is actually located within the same building as the Cyberspace Administration of China, which is the central agency within the Chinese government's censorship regime," the trio wrote, noting that some of the American companies involved with the transition process had already "shown a willingness to acquiesce" to Chinese demands that they assist with blocking content in the country.


Endwall 08/19/2016 (Fri) 00:06:32 [Preview] No. 327 del
Soylent News
Running a DNSSec Responder? Make Sure It Doesn't Help the Black Hats
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/18/0657237
posted by janrinok on Thursday August 18, @01:45PM
Arthur T Knackerbracket has found the following story: Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks. That's the conclusion of Neustar, in a study released here and which found that of more than 1,300 DNSSec-protected domains tested 80 per cent could be used in an attack. The domains in question had DNSSec deployed, and also responded to the DNS “ANY” query. The ANY request asks the responder to provide all information about a domain – the MX (mail server) records, IP addresses, and so on. An ANY request therefore returns a lot more information than a simple request for the domain's IP address. [...] Neustar reckons that, on average, the poorly-configured DNSSec servers could amplify an attacker's traffic by 28.9 times; they turned an 80-byte query into a 2,313-byte response; and the biggest response they received from one of the protected servers was 17,377 bytes, 217 times the size of the query. Unfortunately, all of this isn't a bug, it's a feature: even with DNSSec, the purpose of the system is to answer queries – so it's not a matter of applying a patch; it's about taking care of systems.


Endwall 08/19/2016 (Fri) 02:07:53 [Preview] No. 328 del


Endwall 08/19/2016 (Fri) 07:28:34 [Preview] No. 330 del
Open Sources
Did the NSA Have the Ability to Extract VPN Keys from Cisco PIX Firewalls?
http://opensources.info/did-the-nsa-have-the-ability-to-extract-vpn-keys-from-cisco-pix-firewalls/
An analysis of the BENIGNCERTAIN exploit included in The Shadow Brokers data dump reveals that the Equation Group, a cyber-espionage group that many have linked with the NSA, had the ability to crack open Cisco PIX firewalls and extract VPN and RSA private keys and other sensitive configuration details. Over the weekend, a person, or group, named The Shadow Brokers dumped online a trove of data they said they stole from a server hosting the malware used in a live operation by the Equation Group. The hackers are now selling this data to the highest bidder in an anonymous Bitcoin auction.

Lots of firewall-cracking exploits included in the data dump

So people would take them seriously, and to prove the legitimacy of their claims, the group leaked a series of exploits, most of them aimed at hacking enterprise-grade firewalls. Among these were exploits such as EPICBANANA, JETPLOW, and EXTRABACON, that targeted Cisco ASA devices. Other exploits like ESCALATEPLOWMAN targeted WatchGuard firewalls, while EGREGIOUSBLUNDER targeted Fortinet devices. Mustafa Al-Bassam, aka tFlow, co-founder of the LulzSec hacking crew, now a legitimate white hat researcher, says that one of the overlooked exploits is BENIGNCERTAIN.

Looking at the NSA’s past hacking tools

The reason why many security vendors and researchers ignored this exploit is because it targets Cisco PIX firewalls, a line of products that has reached its end of life. While other security researchers were looking into seeing what exploits still worked today, Al-Bassam and security researcher Hector Martin were analyzing the older exploits, to understand what the NSA was capable of doing in the past, when targeting old-gen devices. They discovered that the BENIGNCERTAIN exploit targeted Cisco PIX versions 5.2(9) to 6.3(4), and used three files to put together an exploitation chain that dumped the device’s memory using malformed Internet Key Exchange (IKE) packets. “The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information,” Al-Bassam writes in his analysis. Below is how a memory dump would look, and the type of data the Equation Group would receive...


Endwall 08/19/2016 (Fri) 08:08:46 [Preview] No. 332 del
Hak 5
DEF CON 24: Bluetooth Sniffing, Black Badges, DEF CON DarkNet and More! - Hak5 2025
https://www.youtube.com/watch?v=ThmNcuK5Efc
Edited last time by Endwall on 08/21/2016 (Sun) 05:53:25.


Endwall 08/19/2016 (Fri) 08:09:30 [Preview] No. 333 del
Security Now
Security Now 573: Memory & Micro Kernels
https://www.youtube.com/watch?v=sjXZitLTwyg


Endwall 08/19/2016 (Fri) 23:22:22 [Preview] No. 335 del
US Army to Add NSA Network to Intelligence Processing Facility; Lee Wyman Comments
http://www.executivegov.com/2016/08/us-army-to-add-nsa-network-to-intelligence-processing-facility-lee-wyman-comments/
Jane Edwards August 19, 2016
A partnership within the U.S. Army has started to update the service branch’s intelligence processing facility to add another classified network designed to facilitate intelligence collection and reporting operations, the Army said Wednesday. The service branch’s Communications-Electronics Research, Development and Engineering Center has collaborated with the Distributed Common Ground System-Army to equip the latest version of the DCGS-A Intelligence Processing Center 2 with the National Security Agency network. Lee Wyman, DCGS-A operations specialist and project lead for IPC-2, said the NSANet seeks to provide brigade command team, corps and division commanders with mobile servers. The NSANet would be in addition to the IPC-2’s existing Joint Worldwide Intelligence Communications System and Secret Internet Protocol Router Network. Wyman also noted that the IPC-2 is situated in a shelter and is linked to a high-mobility multipurpose wheeled vehicle. CERDEC’s command, control, communications, computers, intelligence, surveillance and reconnaissance prototype integration facility performs engineering and integration work on the new IPC-2 and expects to finish the initial prototype in fiscal 2017. CERDEC’s C4ISR PIF and DCGS-A will conduct a weight and physicality test of the latest IPC-2 in September and transition the facility into full rate production at the Tobyhanna Army Depot once the prototype is completed. Other modifications to the shelter include the integration of a soldier workstation, installation of an Improved Environmental Control Unit and addition of a power entry panel.


Endwall 08/19/2016 (Fri) 23:24:33 [Preview] No. 336 del
ZDNET
Snowden documents confirm that leaked hacking tools belong to NSA
http://www.zdnet.com/article/snowden-documents-confirm-that-leaked-hacking-tools-belong-to-nsa/
By Zack Whittaker for Zero Day | August 19, 2016 -- 14:51 GMT (15:51 BST)
A newly released document from the cache of documents leaked by whistleblower Edward Snowden appears to confirm that hacking tools leaked earlier this week belong to the National Security Agency. A group that goes by the name of "Shadow Brokers" published a number of malware and tools used by a hacking organization known as the "Equation Group." The Shadow Brokers described the malware as "cyber weapons" that were used by the NSA to conduct surveillance. The Intercept, which still has a copy of unreported Snowden documents, reported Friday on what it believes is the smoking gun that connects the two. One of the top-secret slide decks used by the intelligence agency instructs NSA hackers to track how they use one of the malware "weapons" using a 16-character string. That string, "ace02468bdf13579," was found in a number of leaked programs, including one dubbed SECONDDATE, which is described as a tool "designed to intercept web requests and redirect browsers on target computers to an NSA web server." We put in a question to an NSA spokesperson, but didn't hear back at the time of writing. (In the unlikely event that this changes, we'll update the piece.) What remains unknown is how the Shadow Brokers came about the malware dump in the first place. These are highly-effective, specialized malware programs designed to penetrate some of the best firewalls and networking equipment in the world. Cisco and Fortinet, which both confirmed their products are affected by the malware, have already begun patching their appliances and technology. Granted, it wouldn't be the first leak at the NSA in recent history. Snowden, who was the source of the most significant leak in the past decade, himself hypothesized on Twitter that the "hack of an NSA malware staging server is not unprecedented." Snowden too hinted that Russia, where he currently lives in exile, may have been behind the leak. "This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast," he said. Looks like we're already there.


Endwall 08/19/2016 (Fri) 23:28:09 [Preview] No. 337 del
Security Affairs
Iran investigates possible cyber attacks behind a string of Oil Industry incidents
http://securityaffairs.co/wordpress/50415/security/iran-cyber-attacks-fires.html
August 19, 2016 By Pierluigi Paganini
Iran’s cyberspace security authorities are investigating a string of fires in the country’s oil and gas facilities.

Incidents or cyber sabotage?

Once again, something strange is happening in Iran: the Government of Teheran is investigating a recent string of incidents that occurred in critical infrastructure in the country. Iran’s Supreme National Cyberspace Council is investigating whether the oil and petrochemical fires were caused by cyber attacks; authorities fear that nation state actors may have launched an attack similar to Stuxnet. The first incident occurred on July 6, in the Bouali petrochemical plant on the Persian Gulf coast. A couple of days after the fire was put out, a liquefied gas pipeline exploded in the Marun Oil and Gas Production Company; unfortunately, a worker died. On July 29 another fire occurred at the Bisotoon petrochemical plant. The incidents were originally blamed on human error, but after another explosion of a gas pipeline near Gonaveh the Iranian Petroleum Ministry started an investigation to understand the real cause of the anomalous string of incidents. “The Iranian Petroleum Ministry, in charge of all of the affected sites denied the plants were sabotaged and the Iranian oil minister Bijan Namdar Zanganeh said the fires and explosions were due to technical faults and human error.” reported Time.com. “However when an explosion in a gas pipeline near Gonaveh, which killed a worker, and another fire in the Imam Khomeini petrochemical plant, occurred within hours of each other on Aug. 6, the ministry refused to comment until after investigations.“ Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, confirmed that a team of investigators will work on the case, trying to understand if the incidents are linked and if they were caused by a cyber attack. “Abolhassan Firouzabadi, secretary of Iran’s Supreme National Cyberspace Council, says a team of experts will look at the possibility of cyberattacks as being a cause, Press TV reported on Sunday. Special teams will be sent to the afflicted sites to study the possibility of cyber systems having a role in the recent fires, he said.” reported the Tehran Times. According to SCMagazine.com, Idan Udi Edry, CEO at Nation-E, speculates that the evidence leads experts to believe that the incidents were caused by a cyberattack. “One indicator is that some of these attacks took place within hours of each other – some people may chalk this up to coincidence, but the fact that several of these incidences took place within a few weeks gives us reason to believe an attacker learned how to successfully implement a cyberattack on Iran’s oil and gas facilities, then continued to keep doing so on larger scales,” he told SCMagazine.com in an email. This string of incidents raises the debate on the security of critical infrastructure and the dangers of cyber attack. We all have in mind what happened in 2010, when the systems at the Natanz nuclear facility were hit with the Stuxnet malware.


Endwall 08/19/2016 (Fri) 23:29:14 [Preview] No. 338 del
Cisco confirms Shadow Brokers vulnerabilities are real
http://www.itpro.co.uk/security/27114/cisco-confirms-shadow-brokers-vulnerabilities-are-real
Rhiannon Williams 19 Aug, 2016
Concerns are rising over the security and integrity of NSA data

Cisco has confirmed two exploits in a cache of "cyber weapons" are legitimate, prompting fears over the security of NSA data. A group calling itself Shadow Brokers claimed it had cracked into an NSA-associated hacking group earlier this week, alleging it was auctioning off a collection of malware files belonging to NSA-linked cyber attack group Equation Group. The confirmation follows speculation Russia was responsible for the hack, though there is little evidence to prove this is the case. The files, described as "cyber weapons", are being auctioned off by the group for bitcoin. Shadow Brokers says it could release the code to the files for free if it passes its target of one million bitcoins. The amount is equivalent to one fifteenth of the total amount of bitcoin in circulation, according to Kaspersky. The security company said it had a high degree of confidence that the Shadow Brokers' tools are related to the Equation Group, and that the chances they are faked are "highly unlikely". Whistle-blower organisation WikiLeaks said it had obtained its own copy of the archive, which it plans to release "in due course". Edward Snowden has suggested the breach is a warning that if the US accuses Russia of hacking into the Democratic National Party (DNC) and leaking private documents, it will leak confidential US cyber intelligence in response. "I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack," he tweeted. "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server ... that could have significant foreign policy consequences."


Endwall 08/19/2016 (Fri) 23:30:37 [Preview] No. 339 del
Rex Linux Trojan Can Launch DDoS Attacks, Lock Websites, Mine for Cryptocurrency
http://news.softpedia.com/news/rex-linux-trojan-can-launch-ddos-attacks-lock-websites-mine-for-cryptocurrency-507486.shtml
Aug 19, 2016 16:40 GMT · By Catalin Cimpanu
What initially looked like a string of Drupal sites infected with ransomware (that didn't work properly) now looks like a professional cybercrime operation that relies on a self-propagating Linux trojan to create a botnet with various capabilities. Last May, in a Softpedia exclusive, Stu Gorton, CEO and Co-Founder of Forkbombus Labs, revealed the existence of a new type of ransomware that targeted Drupal websites. That particular ransomware wasn't really that effective, and webmasters could easily go around it and restore their old websites. Mr. Gorton didn't share all the details with Softpedia at that particular point in time, saying there was still much to analyze about that particular piece of malware, which was written in Go and used CVE-2014-3704 to hijack Drupal websites. According to new research released by Stormshield and Dr.Web, that malware, which calls itself "Rex," has received many updates in the three months since we first reported on it.

Crooks use the Rex trojan for DDoS-for-Bitcoin extortions

The current version of the malware is still written in Go and has far more capabilities than it did in May. The trojan can infect a lot more CMS platforms than before, it works via an advanced P2P-based botnet, it can launch DDoS attacks, it can mine for crypto-currency on infected hosts, and can self-propagate to other vulnerable servers or devices on the local network. Furthermore, the crooks behind this malware have used it to threaten other webmasters with DDoS attacks unless a ransom fee was paid in Bitcoin. This StackExchange support request includes a version of the ransom note, also pictured below.

DDoS extortion email sent by the crooks

These ransom emails pretend to be from the Armada Collective gang, but nobody can validate this claim, and crooks may just be using the group's name to boost the validity of their claims. The Armada Collective gang is a group of cyber-criminals that are famous for launching DDoS attacks unless a target pays a ransom. The group received a lot of attention in the international media and googling their name reveals their reputation and past attacks.

Trojan can infect Drupal, WordPress, and Magento sites

On the technical side, the trojan still uses the CVE-2014-3704 Drupalgeddon vulnerability to infect Drupal sites. This is an SQL injection flaw that allows the trojan to create an admin account through which it can control the CMS. Rex tries to lock some website pages, but as mentioned before, its ransomware capabilities are very weak. Rex also targets WordPress sites, but it doesn't lock the sites, or show a ransom note, only running the rest of its malicious features. For WordPress sites, the trojan tries to take advantage of security vulnerabilities in plugins such as WooCommerce, Robo Gallery, Rev Slider, WP-squirrel, Site Import, Brandfolder, Issuu Panel, and Gwolle Guestbook. Magento sites are targeted as well, via the Shoplift RCE bugs (CVE-2015-1397, CVE-2015-1398, and CVE-2015-1399), which allow crooks access to create an admin account and control the underlying web server. Other platforms targeted by Rex include Exagrid, Apache Jetspeed, and AirOS home routers, which the trojan targets during its initial infection process, or when it tries to replicate and self-propagate, after infecting the initial host.

Rex bots talk via a versatile and adaptable P2P system

All infected web servers are added to a decentralized P2P botnet built using the Kademlia Go library that allows developers to create apps that talk to each other via the Bittorrent DHT protocol. P2P botnets are notorious for being hard to take down. Necurs, one of the world's largest cybercrime botnets used to distribute the Dridex banking trojan and the Locky ransomware, also uses a P2P system. Additionally, Dr.Web researchers say they've identified Rex code that can also be used to send out spam messages. As it stands today, the versatile Rex Linux trojan is a very lucrative malware, allowing crooks to earn money via Bitcoin mining, DDoS extortion, renting DDoS attacks, spam distribution, and website defacements (in case that weak Drupal ransomware actually fools anybody, which we doubt).


Endwall 08/19/2016 (Fri) 23:32:58 [Preview] No. 340 del
A new LOCKY ransomware campaign targets the healthcare
http://opensources.info/a-new-locky-ransomware-campaign-targets-the-healthcare-2/
Aug 19, 2016
Malware researchers at FireEye security firm have spotted a new Locky ransomware campaign mainly targeting the healthcare sector. Security experts from FireEye have spotted a Locky ransomware campaign mainly targeting the healthcare sector, Telecom and Transportation industries. Attackers launched a massive phishing campaign to deliver the threat. The campaign hit organizations worldwide, mostly in the US, Japan, South Korea. Threat actors behind this Locky campaign leveraged DOCM format email attachments to deliver the ransomware, instead of JavaScript-based downloaders. “From our trend analysis, Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems.” reads the report published by FireEye. “These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.” The researchers believe crooks are investing to compromise systems, maximizing their efforts. Another interesting trend reported by FireEye is the pause in the distribution of the Dridex banking Trojan through the same channel. Experts noticed many similarities in the macro code used by attackers in three distinct Locky campaigns running on Aug. 9, Aug. 11 and Aug. 15.


Endwall 08/19/2016 (Fri) 23:38:16 [Preview] No. 341 del
Softpedia
New Snowden Documents Links Shadow Brokers Leak to Official NSA Hacking Tools
http://news.softpedia.com/news/new-snowden-documents-links-shadow-brokers-leak-to-official-nsa-hacking-tools-507488.shtml
Aug 19, 2016 18:30 GMT · By Catalin Cimpanu
This particular exploit was used in Pakistan and Lebanon
The Intercept has published today new Snowden documents that reveal an official connection between official NSA cyber-weapons and the malware dumped by The Shadow Brokers. The documents are internal NSA operations manuals that describe how CNE (Computer Network Exploitation) tools must be used. The document which The Intercept received from Snowden a few years back but never published describes a hacking system called BADDECISION.

Leaked exploit was part of a bigger hacking system

The BADDECISION system is made up of the FOXACID server, the SECONDDATE exploit, and the BLINDDATE field operations software, among other things. The SECONDDATE exploit is a tool that works at the network level by intercepting web requests and redirecting them to the FOXACID server, where the user is infected with the desired malware. According to procedures described in the operations manual (page 28), NSA employees must use IDs to tag victims sent to the FOXACID server via different exploits. The document reveals that SECONDDATE's ID is ace02468bdf13579. This very same ID was found in 14 different files in the files named SECONDDATE included in the Shadow Brokers leak.

NSA used exploit in Pakistan and Lebanon

Furthermore, other documents revealed that the NSA used a system called BLINDDATE to automate SECONDDATE attacks on Wi-Fi networks in the field. BLINDDATE is a hardware system running custom software that can launch MitM (man-in-the-middle) attacks leveraging SECONDDATE, HAPPY HOUR, NITESTAND, and others. The equipment is used in the field, in the range of an enemy's wireless network. BLINDDATE is a laptop with a giant antenna, which can also be mounted on drones, and redirect a Wi-Fi network's web traffic to the NSA FOXACID server. According to Snowden documents leaked in 2013, BLINDDATE was used to spy on Pakistan's National Telecommunications Corporation’s (NTC) VIP Division and on Lebanon's major ISPs. These campaigns provided the NSA with information on Pakistan’s Green Line communications network, Pakistan's civilian and military leadership, and on Hizballah's Unit 1800 activities. Before The Intercept linked the Shadow Brokers leak with actual NSA cyber-weapons, Kaspersky researchers tied the malware in the group's data dump to tools used by the Equation Group cyber-espionage APT, believed to be linked to the NSA.


Endwall 08/19/2016 (Fri) 23:41:59 No. 342
InfoWorld
Poorly configured DNSSEC servers at root of DDoS attacks
http://www.infoworld.com/article/3109581/security/poorly-configured-dnssec-servers-at-root-of-ddos-attacks.html
InfoWorld | Aug 19, 2016
Administrators who have configured their domains to use DNSSEC: Good job! But congratulations may be premature if the domain hasn't been correctly set up. Attackers can abuse improperly configured DNSSEC (Domain Name System Security Extensions) domains to launch denial-of-service attacks.

The DNS acts as a phone book for the Internet, translating IP addresses into human-readable addresses. However, the wide-open nature of DNS leaves it susceptible to DNS hijacking and DNS cache poisoning attacks to redirect users to a different address than where they intended to go. DNSSEC is a series of digital signatures intended to protect DNS entries from being modified. Done properly, DNSSEC provides authentication and verification. Done improperly, attackers can loop the domain into a botnet to launch DDoS amplification and reflection attacks, according to the latest research from Neustar, a network security company providing anti-DDoS services.

"DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack," said Neustar's Joe Loveless. "If DNSSEC is not properly secured, it can be exploited, weaponized, and ultimately used to create massive DDoS attacks."

In a study of more than 1,300 DNSSEC-protected domains, 80 percent could be used in such an attack, Neustar found. The attacks rely on the fact that the size of the ANY response from a DNSSEC-signed domain is significantly larger than the ANY response from a non-DNSSEC domain because of the accompanying digital signature and key exchange information. The ANY request is larger than a normal server request because it asks the server to provide all information about a domain, including the mail server MX records and IP addresses. Armed with a script and a botnet, attackers can trick nameservers into reflecting DNSSEC responses to the target IP address in a DDoS attack.

A DNSSEC reflection attack could transform an 80-byte query into a 2,313-byte response, capable of knocking networks offline. The biggest response the researchers received from a DNSSEC-protected server was 17,377 bytes.

The number of DNS reflection and amplification DDoS attacks abusing DNSSEC-configured domains has been growing. Neustar said the overall number of attacks using multiple vectors, which probe defenses until they succeed, is on the rise, and more than half of these multivector attacks involve reflection attacks. Internet security company Akamai observed a similar pattern, as it found 400 DNS reflection/amplification DDoS attacks abusing a single DNSSEC domain in the fourth quarter of 2015. The domain was used in DDoS attacks against customers in multiple verticals, suggesting the domain had been included in a DDoS-for-hire service.

"As with other DNS reflection attacks, malicious actors continue to use open DNS resolvers for their own purpose -- effectively using these resolvers as a shared botnet," Akamai wrote in its quarterly State of the Internet Security report back in February.

The problem isn't with DNSSEC or its functionality, but rather how it's administered and deployed. DNSSEC is the best way to combat DNS hijacking, but the complexity of the signatures increases the possibility of administrators making mistakes. DNS is already susceptible to amplification attacks because there aren't a lot of ways to weed out fake traffic sources.

"DNSSEC prevents the manipulation of DNS record responses where a malicious actor could potentially send users to its own site. This extra security offered by DNSSEC comes at a price as attackers can leverage the larger domain sizes for DNS amplification attacks," Akamai said in its report.

To prevent a DNSSEC attack, configure DNSSEC correctly on the domain so that it cannot be used to amplify DNS reflection attacks. That's easier said than done. DNSSEC adoption has been slow, but progress is being made. Administrators should check with their service providers to make sure their digital signatures are valid and test deployments regularly.

While blocking DNS traffic from certain domains is certainly an option, it's not one most organizations would be comfortable with as it could block legitimate users and queries. Neustar recommends DNS providers not respond to ANY requests at all. Other filtering systems to detect abuse -- such as looking for patterns of high activity from specific domains -- should also be in place.

Fixing DNSSEC won't end these types of attacks, as there are plenty of other protocols that can be used in amplification and reflection attacks, but it can cut down on the current batch. As long as there are systems generating traffic with spoofed IP addresses and networks allowing such traffic, reflection-amplification DDoS attacks will continue. Efforts to dismantle botnets, and prevent systems from joining botnets in the first place, will put a dent in the number of DDoS attacks. In addition, administrators should make sure they have anti-DDoS mechanisms in place, such as preventing source IP spoofing in a network, closing an open resolver, and rate limiting.
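To go with the article's "look for patterns of high activity" and rate-limiting advice, here is an added Python example (not from InfoWorld, Neustar or Akamai): it parses constructed BIND-style query log lines, flags addresses that receive bursts of ANY responses, and computes the amplification ratio from the query and response sizes the article quotes. The log format, IP addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the BIND 9 query-log layout (not a real capture).
# In a reflection attack the "client" the server sees is the SPOOFED victim,
# so a burst of ANY queries from one address is the victim being hit, and
# that address is what response-rate-limiting would throttle.
SAMPLE_LOG = """\
19-Aug-2016 10:15:32.001 client 203.0.113.7#4321 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
19-Aug-2016 10:15:32.002 client 203.0.113.7#4321 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
19-Aug-2016 10:15:32.003 client 203.0.113.7#4321 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
19-Aug-2016 10:15:32.004 client 198.51.100.2#53011 (example.net): query: www.example.net IN A +E(0) (192.0.2.53)
19-Aug-2016 10:15:32.005 client 203.0.113.7#4321 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
19-Aug-2016 10:15:32.006 client 203.0.113.7#4321 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
19-Aug-2016 10:15:32.007 client 203.0.113.7#4321 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
19-Aug-2016 10:15:40.000 client 198.51.100.2#53012 (example.net): query: example.net IN ANY +E(0)D (192.0.2.53)
this line is not a query log entry
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query: (?P<name>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]*)\)$"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "ip": m["ip"],
        "name": m["name"],
        "qtype": m["qtype"],
        # "D" in the flags is the DNSSEC OK (DO) bit: the client asks for RRSIG
        # records too, which is exactly what inflates a signed zone's ANY answer.
        "do_bit": "D" in m["flags"],
    }


def amplification_factor(query_bytes, response_bytes):
    """Bytes sent to the victim per byte the attacker spoofs at the server."""
    return response_bytes / query_bytes


def any_query_share(log_text):
    """(number of ANY queries, number of parsed queries) in the log."""
    any_count = total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        any_count += rec["qtype"] == "ANY"
    return any_count, total


def find_reflection_targets(log_text, window=timedelta(seconds=1), threshold=5):
    """Addresses that received >= threshold ANY answers inside one sliding
    window, mapped to the peak count seen. Sorted input is assumed."""
    recent = defaultdict(deque)
    peak = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


if __name__ == "__main__":
    print("80-byte query ->", 2313, "bytes:", round(amplification_factor(80, 2313), 1), "x")
    print("largest seen   ->", 17377, "bytes:", round(amplification_factor(80, 17377), 1), "x")
    print("ANY share:", any_query_share(SAMPLE_LOG))
    print("burst targets:", find_reflection_targets(SAMPLE_LOG))
```

On an authoritative BIND 9.11+ server the matching configuration checks are `minimal-any yes;` (answer ANY with a single RRset) and a `rate-limit { responses-per-second N; };` block; both are real options, named here as the defender-side counterpart of the detection above.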


Endwall 08/19/2016 (Fri) 23:43:44 No. 343
Open Sources
New Brazilian Banking Trojan Uses Windows PowerShell Utility
http://opensources.info/new-brazilian-banking-trojan-uses-windows-powershell-utility/
Aug 19, 2016
Microsoft's PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated. The banking Trojan is identified as "Trojan-Proxy.PowerShell.Agent.a" and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab's Global Research and Analysis Team, in a Securelist blog on Thursday.

The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier. A malicious .PIF (Program Information File) attachment is used to attack the target's PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run. In the case of "Trojan-Proxy.PowerShell.Agent.a" the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said. Those changes in the system are made using a PowerShell script.

The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL. "It's the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script," Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome.

The malware has no command and control communication. Instead, once the .PIF file is launched, the "powershell.exe" process is spawned and the command line "-ExecutionPolicy Bypass -File %TEMP%599D.tmp599E.ps1" is cued. This is an attempt to bypass PowerShell execution policies, Assolini said. The malware changes the file prefs.js, inserting the malicious proxy change. After being infected by "Trojan-Proxy.PowerShell.Agent.a", if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server. The proxy domains used in the attack use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks, according to Assolini.

According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016. "Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection," notes a Securelist post from March. That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect. Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.
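The persistence this Trojan leaves behind is a proxy setting, so a defender's check is to audit those settings. Here is an added Python example (not Kaspersky's or the article's code) that parses a constructed Firefox prefs.js fragment and a dict mirroring the Internet Explorer proxy registry values, and reports proxies that are not on an allowlist. The hostnames, allowlist and sample content are assumptions.

```python
import re

# Constructed prefs.js fragments, not the real sample's output. The infected
# one shows the shape of the change the article describes: a manual proxy
# pointed at a dynamic-DNS name (placeholder host under the reserved .example TLD).
INFECTED_PREFS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy-update.ddns.example");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "proxy-update.ddns.example");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.share_proxy_settings", true);
"""
CLEAN_PREFS = """\
user_pref("network.proxy.type", 5);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type in Firefox (5, "use system settings", is the default).
PROXY_MODE = {0: "direct", 1: "manual", 2: "pac", 4: "wpad", 5: "system"}


def parse_prefs(text):
    """Parse prefs.js / user.js lines into {pref name: str | int | bool}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit_firefox_proxy(prefs, allowed_hosts):
    """Findings for a Firefox profile whose proxy points somewhere unexpected."""
    findings = []
    mode = PROXY_MODE.get(prefs.get("network.proxy.type", 5), "unknown")
    if mode == "manual":
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            if host and host not in allowed_hosts:
                findings.append(f"Firefox manual {scheme} proxy points at unapproved host {host}")
    pac = prefs.get("network.proxy.autoconfig_url")
    if mode == "pac" or pac:
        findings.append(f"Firefox PAC configured: {pac!r}")
    return findings


def audit_ie_proxy(values, allowed_hosts):
    """`values` mirrors HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    (ProxyEnable, ProxyServer, AutoConfigURL); read it with winreg on a live host."""
    findings = []
    if values.get("ProxyEnable") == 1:
        hosts = set()
        # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
        for entry in values.get("ProxyServer", "").split(";"):
            entry = entry.strip()
            if not entry:
                continue
            hostport = entry.split("=", 1)[1] if "=" in entry else entry
            hosts.add(hostport.rsplit(":", 1)[0])
        for host in sorted(hosts):
            if host not in allowed_hosts:
                findings.append(f"IE proxy enabled towards unapproved host {host}")
    if values.get("AutoConfigURL"):
        findings.append(f"IE PAC configured: {values['AutoConfigURL']!r}")
    return findings


if __name__ == "__main__":
    allowed = {"proxy.corp.example"}  # assumed corporate proxy allowlist
    for f in audit_firefox_proxy(parse_prefs(INFECTED_PREFS), allowed):
        print(f)
    ie = {"ProxyEnable": 1, "ProxyServer": "http=203.0.113.9:3128;https=203.0.113.9:3128", "AutoConfigURL": ""}
    for f in audit_ie_proxy(ie, allowed):
        print(f)
```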


Endwall 08/19/2016 (Fri) 23:45:05 No. 344
Massive Cyberattack Aimed at Flooding .Gov Email Inboxes With Subscription Requests
http://www.circleid.com/posts/20160819_massive_cyberattack_aimed_at_flooding_dot_gov_email_inboxes/
"Massive Email Bombs Target .Gov Addresses," Brian Krebs writes in Krebs on Security: "Over the weekend, unknown assailants launched a massive cyber attack aimed at flooding targeted dot-gov (.gov) email inboxes with subscription requests to thousands of email lists. According to experts, the attack — designed to render the targeted inboxes useless for a period of time — was successful largely thanks to the staggering number of email newsletters that don't take the basic step of validating new signup requests."

Steve Linford, CEO of Spamhaus, further explains: "This incident involved a large number of government addresses belonging to various countries being subscribed to very large numbers of lists in a very short space of time by scripts run by the attacker(s). Most of the lists hit by the attack used COI and therefore only sent confirmation requests and did not subscribe any addresses. The attack undoubtedly also hit lists which used Captcha in addition to COI and thus did not even proceed to COI (those list admins deserve some sort of community 'hi 5' award, since one can imagine how hard it is to convince one's management to implement COI let alone put Captcha in front of it). The issue is the badly-run 'open' lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses."

Krebs was also the target of this subscription attack and writes about it based on his first-hand experience: "At approximately 9:00 a.m. ET on Saturday, KrebsOnSecurity's inbox began filling up with new newsletter subscriptions. The emails came in at a rate of about one new message every 2-3 seconds. By the time I'd finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails. For most of the weekend until I got things under semi-control, my Gmail account was basically useless."

Laura Atkins in her report on the incident on Monday said, "this should be a major wakeup call for ESPs and senders." ... "Internet harassment seems to be a bigger and bigger issue. I don't know if it's because people are being more open about harassment or if it's actually more common. In either case, it is the responsibility of networks to minimize the harassment. If your network is a conduit for harassment, you need to do something to stop it."
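The mitigation Linford describes is confirmed opt-in (COI). Here is an added Python example, not code from Krebs, Spamhaus or CircleID, of a list that only subscribes an address after the owner returns an HMAC-bound confirmation token, and that also caps how many confirmation mails one address can be sent per hour, since Krebs' inbox shows that even COI confirmation requests become the flood when a script fires thousands of signups. The secret, list id, limits and addresses are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class SubscriptionList:
    """Confirmed opt-in mailing list. Nobody is subscribed until the address
    owner returns a token that only this list (holder of `secret`) could mint."""

    def __init__(self, secret, list_id, token_ttl=86400,
                 max_requests=3, request_window=3600):
        self.secret = secret                # server-side HMAC key (assumed, kept out of the form)
        self.list_id = list_id
        self.token_ttl = token_ttl          # seconds a confirmation link stays valid
        self.max_requests = max_requests    # confirmation mails per address per window
        self.request_window = request_window
        self.subscribers = set()
        self._requests = defaultdict(deque)  # address -> times we mailed a confirmation

    def _mac(self, address, issued_at):
        # Bind the token to list, address and issue time so it cannot be
        # replayed for another address or another list.
        msg = f"{self.list_id}\n{address.lower()}\n{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, address, now):
        """Signup-form handler. Returns the token to put in the confirmation
        mail, or None when this address has already had its quota of mails
        (the signup-bomb case: refuse to be the conduit, do not subscribe)."""
        sent = self._requests[address.lower()]
        while sent and now - sent[0] >= self.request_window:
            sent.popleft()
        if len(sent) >= self.max_requests:
            return None
        sent.append(now)
        return f"{now}.{self._mac(address, now)}"

    def confirm(self, address, token, now):
        """Confirmation-link handler. Subscribes only on a valid, unexpired token."""
        try:
            issued_str, mac = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False
        if issued_at > now or now - issued_at > self.token_ttl:
            return False
        if not hmac.compare_digest(self._mac(address, issued_at), mac):
            return False
        self.subscribers.add(address.lower())
        return True


if __name__ == "__main__":
    lst = SubscriptionList(b"example-secret", "weekly-digest")
    tok = lst.request_subscription("reader@example.org", now=1000)
    print("subscribed before confirm:", "reader@example.org" in lst.subscribers)
    print("confirm:", lst.confirm("reader@example.org", tok, now=2000))
    # A script hammering one address gets cut off after max_requests mails.
    print([lst.request_subscription("target@example.gov", now=5000 + i) is not None for i in range(4)])
```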


Endwall 08/21/2016 (Sun) 00:35:34 No. 347
Motherboard
Lorenzo Franceschi-Bicchierai March 29, 2016 // 07:00 AM EST
More Than 14,000 College Printers in the US Are Open to Hackers
Last week, the notorious hacker and troll Andrew Auernheimer showed just how easy it is to use insecure internet-connected printers to spread hateful racist propaganda. The hacker, also known as Weev, said he used two lines of code to make 20,000 printers, many in colleges and universities, spit out an anti-semitic flyer all over the United States. His exploit quickly made the rounds on social media and local news outlets, showing the staff at American schools that they need to make sure their printers aren't set up in a way that lets anyone, from anywhere in the world, abuse them.

Days after the first reports of the incident, a few seem to have gotten the message. But as of Monday afternoon, there are still more than 14,000 printers in colleges and universities in the US that are completely open to hackers, according to a search on Shodan, a search engine for internet-connected devices. While this might be seen as good news, it's probably too little too late. And it's not like colleges and universities had not been warned before.

Almost 10 years ago, security researcher Adrian Crenshaw noted that many printers were programmed to accept any printing job sent over the internet to their port 9100 (the same port Auernheimer exploited). Also, just two years ago, Shawn Merdinger, another security researcher, encouraged universities and colleges to remove their printers from the public internet in a talk at a security conference for higher education institutions. At the time of his talk, Merdinger said there were more than 38,000 vulnerable printers on the internet. "I'm only surprised this hasn't happened sooner," Merdinger told me in an email. "Printer security is basically a joke...and it's the elephant on the network."

And if you think all a hacker can do with these open devices is print flyers, think again. As former NSA researcher Dave Aitel noted on Twitter, Auernheimer could have sent an update to the printer's firmware with a similar command to the one he used last week, bricking the printers.


Endwall 08/21/2016 (Sun) 00:43:46 No. 348
Motherboard
Researcher Grabs VPN Password With Tool From NSA Dump
http://motherboard.vice.com/read/researcher-grabs-cisco-vpn-password-with-tool-from-nsa-dump
Joseph Cox August 19, 2016 // 07:00 AM EST

Cisco has already warned customers about two exploits found in the NSA-linked data recently dumped by hackers calling themselves The Shadow Brokers. Now, researchers have uncovered another attack included in the cache, which they claim allows the extraction of VPN passwords from certain Cisco products—meaning hackers could snoop on encrypted traffic.

Security researcher Mustafa Al-Bassam first documented the hacking tool, which uses the codename BENIGNCERTAIN, in a blog post published Thursday. He coined the attack "PixPocket" after the hardware the tool targets: Cisco PIX, a popular, albeit now outdated, firewall and VPN appliance. Corporations or government departments might use these devices to allow only authorised users onto their network. Based on his analysis of the code, Al-Bassam writes that the tool works by sending a packet to the target machine that makes it dump some of its memory. Included in that dump is the VPN's authentication password, which is used to log into the device.

Brian Waters, another security researcher, tested BENIGNCERTAIN on his own hardware and managed to obtain the VPN's password, also known as a preshared key. On Friday, he tweeted a message of the output from his test, which revealed his test password of "password123" among a list of two other possibilities.

I can confirm that BENIGNCERTAIN works against real hardware @XORcat @GossiTheDog @musalbas @marcan42 @msuiche pic.twitter.com/81gAmeHNlL — Brian H₂O's (@int10h) August 19, 2016

"I was able to pop out a VPN password from the 'outside' interface. Meaning the one that would be connected to the internet," Waters told Motherboard in a Twitter message. "To me this is verified," Al-Bassam told Motherboard in an online chat. "It's proof that in a VPN that uses authentication with preshared keys, the NSA could have remotely sent a packet to that VPN from an outside Internet IP (unlike the other exploits which require internal access), and grabbed the preshared key […] With access to the preshared key, they could decrypt any traffic," he added. Once they've accessed the network, an attacker might then be able to snoop on a target organisation's traffic and spy on its users.

According to Al-Bassam, the tool references PIX versions 5.2(9) up to 6.3(4). However, Brian Waters said he carried out his test on hardware running the 6.3(5) version, implying that the attack may work on other versions of PIX than those listed in the tool's code. Both Al-Bassam and Maksym Zaitsev, another researcher who has been looking into BENIGNCERTAIN, believe that the attack is likely capable of extracting private encryption keys from VPNs as well, which is another, more robust way of authenticating access. Waters was unable to test that however.

#EquationGroup seems to be capable of extracting #Cryptography keys from #Cisco VPNs, up to 4096 bits RSA pic.twitter.com/0Fy08KdR6a — Maksym Zaitsev (@cryptolok) August 18, 2016

Cisco officially stopped selling PIX products back in 2009. It is unclear if anyone has used this attack in the wild, or who still uses PIX products today. Kevin Beaumont, another researcher who has been digging through The Shadow Brokers dump, claimed that one of the UK government's biggest IT contractors still uses a PIX VPN. On Thursday, after Al-Bassam had published his analysis, but before Waters had verified the attack, Cisco spokesperson Yvonne Malmgren told Motherboard in an email that the company's security team "continues the process of investigating all aspects of the exploits that were released, including the one you mention. As noted, if something new is found that our customers need to be aware of and respond to, we will share it through our established disclosure processes."


Endwall 08/21/2016 (Sun) 01:00:02 No. 349
Softpedia
Anonymous Created Special DDoS Tool Just for the #OpOlympicHacking Attacks
http://news.softpedia.com/news/anonymous-created-special-ddos-tool-just-for-the-opolympichacking-attacks-507500.shtml
Aug 20, 2016 21:25 GMT · By Catalin Cimpanu
Tool used to automate attacks against five major targets

Members of the Anonymous hacker collective have created a custom tool that allows them and any person to launch DDoS attacks at five built-in targets. The tool was released to aid the group in its recent hacktivism campaign named #OpOlympicHacking, which started at the beginning of the month, just in time for the Rio Olympic Games. The tool is a Windows executable that launches a window with six buttons, as pictured below this article. The first five buttons are for attacking five built-in targets, while the sixth is for stopping the attacks.

The tool can be used only for #OpOlympicHacking attacks

The five targets are the official Rio 2016 Olympics website, the Brazil 2016 government portal, the Brazil Olympic Committee website, the government portal for the city of Rio de Janeiro, and the website for Brazil's Sports Ministry. These are only a few of the targets Anonymous hackers included in a list they uploaded online when they announced #OpOlympicHacking at the start of the month. The DDoS tool is offered online as a free download called "opolympddos." Softpedia has discovered links to this tool on Twitter. At the time of writing, the links are dead, so we couldn't check and see if the DDoS tool came with other malware built-in. Users should not download and run this tool because (1) they would be carrying out an illegal activity; (2) they would be exposing themselves to possible malware infections.

Users need Tor before using the tool

According to security researchers from RSA, the tool is a mashup of VB, Python, and .NET scripts packaged into a Windows executable. Researchers say that users that install this tool are told to install Tor as well, to hide their real IP. Launching "opolympddos" executes a Layer 7 DoS attack. "This is achieved by creating persistent connections and sending HTTP requests with random data and user-agents," the RSA team explained. Compared to other Anonymous ops, the #OpOlympicHacking campaign can be considered a success, bringing a lot of attention to its cause via high-profile hacks.


Endwall 08/21/2016 (Sun) 01:02:02 No. 350
OpenSources
US hacked NTC to spy on Pakistan military, political leadership: Snowden documents
http://opensources.info/us-hacked-ntc-to-spy-on-pakistan-military-political-leadership-snowden-documents-2/

The United States hacked into targets in Pakistan's National Telecommunications Corporation (NTC) to spy on the country's political and military leadership, documents released by former National Security Agency contractor Edward Snowden confirm. According to a report by online news site The Intercept, the previously unpublished documents released by Snowden confirm that some of the NSA's top-secret code has been leaked or hacked. The Intercept's editors include journalists that worked with Snowden to publicise his notorious 2013 NSA leak revealing the extent of government snooping on private data.

In the latest leak of top-secret documents, Snowden has given The Intercept a classified draft NSA manual on how to implant the SECONDDATE malware – malicious code that is used to monitor or control someone else's computer, the website said. The draft NSA manual contains instructions to NSA operators telling them to use a specific string of characters associated with the SECONDDATE malware program. According to The New York Times, much of the code was created to peer through the computer firewalls of foreign powers. Such access would enable the NSA to plant malware in rivals' systems and monitor – or even attack – their networks.

Now, according to The Intercept report which sheds light on the NSA's broader surveillance and infection network, SECONDDATE was also used to spy on Pakistan. "There are at least two documented cases of SECONDDATE being used to successfully infect computers overseas: An April 2013 presentation boasts of successful attacks against computer systems in both Pakistan and Lebanon," said The Intercept report. "In the first, NSA hackers used SECONDDATE to breach 'targets in Pakistan's National Telecommunications Corporation's (NTC) VIP Division,' which contained documents pertaining to 'the backbone of Pakistan's Green Line communications network' used by 'civilian and military leadership'," said the report.

According to the report, SECONDDATE is just one method used by the NSA to hack into target computer systems and networks. Another document in the cache released by Snowden today describes how the NSA used software other than SECONDDATE to repeatedly attack and hack into computer systems in Pakistan.


Endwall 08/21/2016 (Sun) 05:47:00 No. 351
Hak5
HakTip
Linux Terminal 201: Getting Started with Vi - HakTip 0147
https://www.youtube.com/watch?v=kI2naD_9WKg


Endwall 08/21/2016 (Sun) 09:19:15 No. 352
Security Affairs
Bitcoins move from the seized SilkRoad wallet to the ShadowBrokers
http://securityaffairs.co/wordpress/50462/intelligence/silkroad-bitcoin-shadowbrokers.html
A security expert noticed strange transactions from the Bitcoin wallet of the SilkRoad (now in the hands of Feds) to the ShadowBrokers' wallet. I was surfing the Internet searching for interesting data about the ShadowBrokers group that leaked exploits and hacking tools belonging to the NSA Equation Group. I have found a very intriguing analysis of the popular security researcher krypt3ia that has analyzed the Bitcoin transactions linked to the #ShadowBrokers account. It seems that the account is receiving small amounts of money (at about $990.00 a couple of days ago), but the real surprise is that some of the payments are coming from the seized Silk Road bitcoins and account.

Hey, wait a moment, the Silk Road Bitcoin are under the control of the FBI after the seizure of the popular black market. krypt3ia decided to investigate the overall transactions and discovered that also the US Marshals Service was involved in the transfers. "So, is this to say that these coins are still in the coffers of the feds and they are being sent to ShadowBrokers to chum the water here? Maybe get a conversation going? Maybe to get the bitcoins flying so others can trace some taint? Of course once you start to look at that address and the coins in and out there you get some other interesting hits. Suddenly you are seeing US Marshals Service as well being in that loop. Which makes sense after the whole thing went down with the theft of coins and such by rogue agents of the USSS and DEA." wrote krypt3ia in a blog post. Analyzing the transactions the expert noticed transactions of 0,001337 BTC for the ShadowBrokers.

We are aware that Silk Road coins are in the hands of the US GOV, but someone is sending ShadowBrokers fractions of them. "What if, and you can see this once you start to dig around with Maltego, the coins being paid to the account so far also come from other accounts that are, shall we call them cutout accounts for the government?" added the expert. At this point, the researcher invited readers to analyze transactions involving all the accounts that passed money to Bitcoin Wallets used by the Government and that were used to transfer money to the ShadowBrokers. At the time I'm writing the ShadowBrokers wallet was involved in 41 transactions for a total of 1.738 BTC, and the highest bidder is of 1.5 bitcoin, or around $850.


Endwall 08/22/2016 (Mon) 05:33:57 No. 353
ISIS Noobs Share ‘How To Hack’ Tutorials Online
http://www.vocativ.com/351739/isis-kali-linux/
By Gilad Shiloach with Mor Turgeman Aug 19, 2016 at 2:28 PM ET
A member of al-Minbar, an active and influential online forum frequented by ISIS sympathizers, is offering an online course on hacking tools with the aim of teaching supporters how to "hack American and European security sites" and creating a group of cyber soldiers affiliated with the terror organization. But this is likely to be simply the latest in a series of hapless attempts by ISIS affiliates to threaten cyber warfare on the West, to little effect.

The online course is focused on Kali Linux, an open-source Linux distribution, which is a type of operating system based on Linux, that includes hundreds of penetration-testing programs, which are designed to help identify vulnerabilities in a computer network or app. It is being promoted by a prominent member of the ISIS-sympathetic forum, who goes by the username Ayam Fath Baghdad, which translates to "the days of the conquest of Baghdad." "As-salamu alaykum, my brothers, the members of al-Minbar, and those who are registered for the course on Kali Linux. Please gather in the section tonight at 9 p.m., Mecca time, in order to take a class," he on Wednesday night, in Arabic. In a 20-page thread, this user interacts with at least 25 other members in the forum, all of whom express interest in taking the course and becoming hackers affiliated with the terror group. The course is based upon several Arabic-language YouTube tutorials, which have been uploaded by a non-ISIS affiliated account. Online tutorials on Kali Linux use are plentiful and freely available from a variety of online sources. To supplement the YouTube videos, Ayam Fath Baghdad offers advice on the use of the OS.

"Kali Linux is known as the 'go-to' for black [hat] and white [hat] hackers alike," Omri Moyal, VP Research at Minerva Labs, an Israeli cybersecurity company, told Vocativ over email. "It is widely promoted and educated in underground forums and anonymous chat rooms, and the combination of its pre-installed, ready-to-use, powerful tools make it extremely dangerous in the wrong hands," he adds. "As we have heard that ISIS are declaring that they will move to operate in the cyber domain, it is very natural that they will go to this tool."

But there's likely no cause for immediate concern. Moyal analyzed portions of the forum thread, including screenshots uploaded by the "students" and responses by the course's teacher, and explained that the contents were "very, very basic material," adding, "I can't say anything about the teacher but the students are complete noobs." According to his analysis, the would-be hackers "have problems with the very basic commands and also are not looking for the solution themselves, something a good hacker must be able to learn and do." Moyal stressed the importance of the sophistication of the hacker themselves over the tools at their disposal, which, like Kali Linux, are typically readily available. He explained that while "the capabilities of Kali Linux are unlimited, it's a tool box. The question is, 'What are the skills of the person behind the keyboard?'"

One of the methods presented in the course is an SQL injection, which according to Moyal, "has the capabilities of extracting data from those databases. It is commonly used to deface websites and steal credentials." Moyal explains that a similar tool was used by a Saudi hacker to steal thousands of credit card data from an unencrypted online database a few years ago. However, substantial technical know-how and experience are necessary for a hack of this nature.

The goal of this online course is a grand finale in which students will conduct "join[t] attacks [by] the graduated members" and the group will create an ISIS-sympathetic hacking organization "along the lines of the United Cyber Caliphate (UCC)," referring to an online coalition of four ISIS-sympathetic, so-called hacking groups that was formed in late 2015. At that time, ISIS supporters created a channel on the encrypted-chat app Telegram dedicated to "publishing courses of hacking and programming languages for the supporters of the Caliphate on the Internet."...


Endwall 08/23/2016 (Tue) 05:53:20 No. 361
Stolen NSA hacking tools reportedly on sale for $8000
http://opensources.info/stolen-nsa-hacking-tools-reportedly-on-sale-for-8000-2/
It's been a rough week for the NSA, to say the least. Last week, a group of hackers collectively known as The Shadow Brokers allegedly stole and released a treasure trove of NSA hacking tools and exploits. What's more, the group promised to release even more weapons from the NSA's cyber arsenal for the right price. While the initial leak was met with skepticism, researchers and security experts who examined the leak subsequently confirmed that the leaked exploits were very much real. "It definitely looks like a toolkit used by the NSA," French computer researcher Matt Suiche said after taking a look at the code. As if that weren't bad enough, now comes word that The Shadow Brokers may not be the only hackers who hold the keys to the NSA's cache of advanced hacking tools and exploits.

Late on Sunday night, a hacker with the Twitter handle 1x0123 indicated that he was willing to sell the aforementioned hacking tools for $8,000. Speaking to Gizmodo, the hacker also said that he'd be willing to provide screenshots to verify his claims for $1,000. Interestingly, 1x0123 didn't come to possess these files by hacking the NSA, but allegedly by stealing them from the Shadow Brokers. It's unclear how the hacker supposedly stole the hacks and he refused to explain beyond saying "traded some exploits for access to a private escrow and stole the tar file." This could mean a variety of things, but it seems like he's indicating that he tricked the Shadow Brokers, the group that originally claimed to have accessed the NSA tools, and stole the .tar file containing the exploits.

Again, we don't have a way to confirm this is true but this hacker has hacked and sold his exploits in the past. Notably, 1x0123 is not some fly-by-night Twitter account with no track record to speak of. On the contrary, 1x0123 is a self-identified "underground researcher" who has been behind a number of big name exploits in the past, including a hack of Fidelity National Information Services. It's also worth noting that famed NSA whistleblower Edward Snowden gave 1x0123 some praise on Twitter just a few months ago.


Endwall 08/23/2016 (Tue) 08:37:56 [Preview] No. 362 del
Hacker's claims met with flat denials and skepticism by most of the security industry
http://www.csoonline.com/article/3109936/security/hackers-say-leaked-nsa-tools-came-from-contractor-at-redseal.html
Steve Ragan — Senior Staff Writer, CSO
CSO | Aug 19, 2016 7:33 PM PT
On Friday, messages posted to Pastebin and Tumblr allege the recently leaked NSA files came from a contractor working a red team engagement for RedSeal, a company that offers a security analytics platform that can assess a given network's resiliency to attack. In addition, the hackers claim the intention was to disclose the tools this year during DEF CON. Salted Hash reached out to the press team at DEF CON, as well as RedSeal. In a statement, RedSeal would only confirm they are an In-Q-Tel portfolio company. The company also denied any knowledge of red team assessments against their products by In-Q-Tel or contractors working with In-Q-Tel. Sources close to DEF CON also say the claims in the published letter aren't real.

At this point, it's best to take the claims posted to Pastebin and Tumblr with a grain of salt. The note and subsequent blog post from "Brother Spartacus" and "13 Johns" say that an individual known as "Dark Lord" – reported to be a skilled hardware engineer – was working an In-Q-Tel contract to assess the security of RedSeal products. This red team engagement used a C&C server as a staging point for the leaked NSA tools. When "Dark Lord" walked off the job, they did so with a copy of the tools that were placed on the C&C server. Given how RedSeal products work, attacking routers and other network devices with the leaked NSA code makes sense if you wanted to prove that RedSeal will detect such incidents. The company has even used the Shadow Brokers incident as a means to promote themselves this week.

However, there is a split between the claims on the blog and the Pastebin note. The blog claims the test was to harden RedSeal software, while the note says the test was aimed at RedSeal products. It isn't clear how the leaked tools could be used to assess the RedSeal platform directly. Moreover, the Pastebin post claims to be from DEF CON, and says the annual hacker gathering was approached in July with details surrounding the Shadow Brokers leak. The note says that "Brother Spartacus" approached DEF CON with details about the code theft, with the intention to disclose the incident during this year's show.

"The individual self reported they had walked off an In-Q-Tel contract with RedSeal. They had took the Malware pack from a CNC server that was set-up to test RedSeal products. The individual was not well versed in software and could not point out any zero day threats. We decided to not push the person forward to public Defcon leaders. (sic)"

As mentioned, sources close to DEF CON deny this letter is legitimate. This was suspected early on due to the tone of the message, the description of "Brother Spartacus," as well as the fact that DEF CON is misspelled. (Normal communications from DEF CON use the proper branding.) At this point, it's clear the Pastebin and Tumblr posts are some sort of hoax. However, there has been a lot of coverage of the Shadow Brokers leak this week, so this is just one more log on the fire.

Recap: On Wednesday, Motherboard published a story citing former NSA staffers who feel the leak didn't happen because of a hack. Instead, they feel the incident is the work of a single individual with insider access. Those thoughts somewhat align with the claims posted on Friday, as a contractor would be considered an insider. In addition, security researcher Mustafa Al-Bassam posted a solid examination of the leaked tools and what they do.


Endwall 08/24/2016 (Wed) 02:33:35 [Preview] No. 364 del
Hak 5
NSA Hack Speculation - Threat Wire
https://www.youtube.com/watch?v=qzmHnTQh0OE


Endwall 08/24/2016 (Wed) 02:53:43 [Preview] No. 365 del
Jupiter Broadcasting
Tech Talk Today
Internet for your Things | TTT 257
http://www.jupiterbroadcasting.com/102416/internet-for-your-things-ttt-257/


Endwall 08/24/2016 (Wed) 02:56:01 [Preview] No. 366 del
VICE NEWS
Former CIA head Michael Hayden on why he won't endorse Trump or Clinton
https://www.youtube.com/watch?v=zVNZluO6Jhg
Apokelypse: Violence, crime, and death connected to Pokemon Go
https://www.youtube.com/watch?v=DeikEYjUXbk


Endwall 08/24/2016 (Wed) 03:31:08 [Preview] No. 367 del
ABC
Feds Investigate Hack of The New York Times, Suspect Russian Operatives Are to Blame
http://abcnews.go.com/US/feds-investigate-hack-york-times-suspect-russian-operatives/story?id=41599825
Federal authorities are investigating a series of cyberattacks on The New York Times and other U.S. media organizations, and they believe those web-based assaults were "probably" carried out by the same Russian hackers who recently infiltrated Democratic organizations, a source familiar with the probe told ABC News. The intrusions were discovered in recent months, and it's unclear exactly why the hackers would have targeted news outlets. Journalists, however, routinely interact with countless officials across the U.S. government as part of their jobs. ABC News was unable to determine what other news outlets, aside from The New York Times, were hit. CNN first reported the intrusions and subsequent investigation.

The New York Times said its Moscow bureau was targeted, but noted no "internal systems" were breached. "We are constantly monitoring our systems with the latest available intelligence and tools. We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised," the Times said in a statement on Tuesday evening.

For months, the FBI has been investigating what appear to be coordinated cyberattacks on Democratic organizations, with the hacking of the Democratic National Committee being the most damaging so far. Not only did the hack apparently allow cyber operatives to steal opposition research on Republican nominee Donald Trump, but many suspect it led to the theft of internal messages that showed efforts by DNC officials to undermine Democratic presidential candidate Bernie Sanders during the primary season. After those damaging emails were publicly released by WikiLeaks, Florida Rep. Debbie Wasserman Schultz stepped down as DNC chairwoman. The FBI declined to comment for this article.

Asked last month whether Russia might have intentions to undermine the U.S. political process, James Clapper, the nation’s top intelligence official, said Russian officials “believe we’re trying to influence political developments in Russia, we’re trying to affect change, and so their natural response is to retaliate and do unto us as they think we've done to them." Speaking at the annual Aspen Security Forum in Aspen, Colorado, Clapper said Russian President Vladimir Putin is "paranoid" about the potential for revolutions in Russia, "and of course they see a U.S. conspiracy behind every bush, and ascribe far more impact than we’re actually guilty of." Referring to cyber warfare, Clapper said it is not "terribly different than what went on during the heyday of the Cold War," just with different tools and "a different modality." And, he said, the U.S. intelligence community is now "at war" with Russia, conducting operations every hour of every day against Russia and other adversaries.

Nevertheless, Clapper said he's "taken aback a bit by ... the hyperventilation over" the hack of the DNC, adding in a sarcastic tone, "I'm shocked somebody did some hacking. That’s never happened before." The American people "just need to accept" that cyber threats and computer-based attacks are a major long-term challenge facing the United States, and he said Americans should "not be quite so excitable when we have yet another instance of it."


#YcYLSH 08/24/2016 (Wed) 03:39:42 [Preview] No. 368 del
Is Snowden dead?

Also, you should look at jimstone.is occasionally.


Endwall 08/24/2016 (Wed) 03:40:25 [Preview] No. 369 del
Linux.Rex.1, a new Linux Trojan that creates a P2P Botnet
http://www.itsecuritynews.info/linux-rex-1-a-new-linux-trojan-the-creates-a-p2p-botnet/
23. August 2016
Security researchers discovered a new Linux Trojan dubbed Linux.Rex.1 that is capable of self-spreading and of creating a peer-to-peer botnet. A newly observed Linux Trojan is capable of self-spreading through infected websites and can recruit the infected machines into a peer-to-peer (P2P) botnet, Doctor Web researchers warn. Security researchers from the firm Dr. Web have discovered […]


Endwall 08/24/2016 (Wed) 03:42:03 [Preview] No. 370 del
ZDNET
France, Germany push for access to encrypted messages after wave of terror attacks
By Zack Whittaker for Zero Day | August 23, 2016 -- 21:12 GMT (22:12 BST)
http://www.zdnet.com/article/france-germany-push-for-access-to-encrypted-messages-after-wave-of-terror-attacks/
France and Germany are to ask the EU for new powers that could see state intelligence agencies compel makers of mobile messaging services to turn over encrypted content. The two member states have both suffered numerous terrorist attacks in the past year and a half, with hundreds killed by the so-called Islamic State group, but argue that their intelligence agencies are struggling to intercept messages from criminals and suspected terrorists.

Many mobile messaging providers, like WhatsApp, Apple's iMessage, and Telegram, provide end-to-end encrypted messaging to thwart spying by both hackers and governments alike. Many other sites and services -- including Facebook -- have followed suit by pushing for strong encryption to ensure government spies can't access a person's messages.

Reuters reported Tuesday that French interior minister Bernard Cazeneuve wants the European Commission to draft a law that would oblige companies to turn over data. "It's a central issue in the fight against terrorism," Cazeneuve told reporters last week. "Exchanges carried out via applications like Telegram must be identified and used in the course of judicial proceedings," he added.

But Cazeneuve's initiative, echoing similar US and British efforts to install "backdoors" in encryption for governments and law enforcement agencies, effectively undermining its very point, has long been criticized by privacy and security experts, who argue that there's no feasible way to guarantee that hackers won't be able to exploit the same access. The request for a review falls just short of calls for an all-out ban. Earlier this year, one prominent French politician called for fines and a ban on services that are unable to turn over encrypted communications.

The European Commission said it "welcomed" the initiatives between the two countries, but said that data protection laws are already under review. But the executive body may face internal pressure to dismiss the idea of undermining the effectiveness of encryption. Only a few weeks ago, the European data protection supervisor said that nation states should be forbidden from trying to decrypt encrypted communications, or install backdoors. In a report, the supervisor said that end-to-end encryption should be "encouraged, and when necessary, mandated."

European authorities have been particularly aggrieved by reports of mass surveillance by the US government, which were brought to light three years ago by the Edward Snowden files. The transatlantic pact that allowed the free flow of data between the two continents was later suspended by a top European court in the wake of the disclosures. A new pact was agreed upon earlier this year.


Endwall 08/24/2016 (Wed) 03:44:19 [Preview] No. 371 del
Russian hackers suspected in hack of New York Times, others
Newspaper says its Moscow bureau was the target of a cybersecurity breach but that there's no evidence hackers were successful. by Steven Musil @stevenmusil August 23, 2016 4:44 PM PDT
http://www.cnet.com/news/russian-hackers-suspected-in-hack-of-new-york-times-others/
The FBI suspects cybersecurity breaches targeting reporters at The New York Times and other news agencies were carried out by hackers working for Russian intelligence, CNN reported Monday. "Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said," according to CNN.

In a follow-up report, The New York Times reported late Monday that its Moscow bureau was the target of an attempted cyberattack earlier this month. The Times did not immediately respond to a request for comment but said in its report that there was no evidence hackers succeeded in penetrating the newspaper's cyberdefenses. "We are constantly monitoring our systems with the latest available intelligence and tools," Eileen Murphy, a spokeswoman for the Times, said in the report. "We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised." Neither the FBI nor the Russian embassy immediately responded to a request for comment.

News of the hack attempt comes amid allegations that hackers working for the Russian government broke into the Democratic National Committee's computer network, gaining access to emails and chat transcripts, as well as opposition research on Republican presidential candidate Donald Trump. US-based news agencies have become popular targets for hack attempts in recent years. In 2013, The Washington Post reported that its servers had been breached for the second time in three years, giving hackers access to employee usernames and passwords.


Anonymous 08/24/2016 (Wed) 05:09:22 [Preview] No. 373 del
https://www.hillaryclinton.com/
view-source:
<!DOCTYPE html> <!-- HHHHHH →→HHHH HHHHHH →→→→HH HHHHHH →→→→→→→ →→→→→→→→→→→→→→→→→→→→→→ Git out the vote! →→→→→→→→→→→→→→→→→→→→→→→→ Join the only 18 month, nationally televised hackathon. →→→→→→→→→→→→→→→→→→→→→→ https://boards.greenhouse.io/hillaryforamerica HHHHHH →→→→→→→ HHHHHH →→→→HH HHHHHH →→HHHH --> <html lang="en"> <head>


Endwall 08/24/2016 (Wed) 05:30:33 [Preview] No. 374 del
>>368
I briefly looked into this. He's most probably still alive from what I've seen. He's been tweeting non-stop for the last couple of days.

https://twitter.com/snowden?lang=en

Recent Videos:
Its only getting better
https://www.youtube.com/watch?v=ysCQfx-UEpA

The evidence for dead was very weak, the evidence for alive is very strong. We'll know for sure at his next teleconference.


Endwall 08/24/2016 (Wed) 17:36:39 [Preview] No. 378 del
Daily Mail
Sickening hack attack on Leslie Jones: Hacker steals nude photos of SNL star and posts them on her website with racist memes and copies of her driving license
http://www.dailymail.co.uk/news/article-3756748/Hacker-defiles-Leslie-Jones-website-racist-posts-nude-photos-SNL-star.html
* A hacker posted nude photos and personal information on Leslie Jones' website on Wednesday
* The website was taken down just after noon ET
* The SNL star has yet to issue a public statement on the hack
* Jones became the target for racist online trolling earlier this year
By Ashley Collman For Dailymail.com Published: 15:57 GMT, 24 August 2016 | Updated: 17:23 GMT, 24 August 2016
SNL comedian Leslie Jones has had her personal website hacked. Nude photos of the actress were posted on her website Wednesday morning, alongside copies of her driver's license and passport. The hacker also posted a video in tribute to the gorilla Harambe, a racist dig at African-American Jones.

Also released in the attack were several selfies of Jones with famous celebrities including Rihanna, Kanye West, Kim Kardashian and 50 Cent. TMZ reports that the hacker accessed the personal photos and information by hacking Jones' cloud storage or iPhone. Shortly after noon ET on Wednesday, JustLeslie.com was taken down by hosting website Tumblr. Jones has yet to publicly comment on the hack.

The 48-year-old funny woman has been the target of racist online trolling ever since the new Ghostbusters reboot came out earlier this summer. Twitter went so far as to ban one of Jones' trolls, as well as delete some of the nastier comments made about her on the website when she complained last month. Internet trolls didn't like it when Jones complained about fashion designers refusing to work with her on a dress for the Ghostbusters premiere earlier this summer.

The company's CEO Jack Dorsey explained that they don't ban people 'for expressing their thoughts' but that 'targeted abuse and inciting abuse against people' is not allowed. In an interview about the internet abuse on Late Night with Seth Meyers, Jones said: 'What's scary about the whole thing is that the insults didn't hurt me. Unfortunately I'm used to the insults. But what scared me was the injustice of a gang of people jumping against you for such a sick cause.'

In the lead up to Ghostbusters' release, Jones complained that several fashion designers had refused to make a dress for her for the film's premiere. 'It’s so funny how there are no designers wanting to help me with a premiere dress for movie,' she tweeted on June 28. 'Hmmmm that will change and I remember everything.' After the drama made headlines, designer Christian Siriano created a custom red gown for Jones.


Endwall 08/24/2016 (Wed) 17:46:23 [Preview] No. 379 del
Security Affairs
The Equation Group’s exploit ExtraBacon works on newer Cisco ASA
http://securityaffairs.co/wordpress/50586/breaking-news/nsa-extrabacon-exploit.html
August 24, 2016 By Pierluigi Paganini
Security experts have improved the ExtraBacon exploit included in the NSA Equation Group arsenal to hack newer versions of the Cisco ASA appliance. The data dump leaked online by ShadowBrokers is a treasure for security experts and hackers, who are analyzing every tool it contains. Cisco and Fortinet have confirmed that their network appliances are vulnerable to the exploits listed in the leaked dump. Recently security researchers tested the BENIGNCERTAIN tool included in the precious archive belonging to the NSA Equation Group, which allows attackers to extract VPN passwords from certain Cisco devices. Now the Hungary-based security consultancy SilentSignal has focused its analysis on another exploit that could be used against the newer models of Cisco’s Adaptive Security Appliance (ASA).

"We successfully ported EXTRABACON to ASA 9.2(4) #ShadowBrokers #Cisco pic.twitter.com/UPG6yq9Km2" — SilentSignal (@SilentSignalHU), 23 August 2016

The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought. Initially, the ExtraBacon exploit was restricted to versions 8.4(4) and earlier of the Cisco ASA boxes, and it has now been expanded to 9.2(4). An attacker who has already gained a foothold in a targeted network could use the zero-day exploit to take full control of a firewall. In an e-mail sent to ArsTechnica, SilentSignal researcher Balint Varga-Perke wrote: “We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions. Turns out it is very easy, that implies two things: * The leaked code is not as poor quality as some might suggest * The lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy”

Experts from the IT vendor Juniper also confirmed that one of the exploits in the Equation Group archive could be used to hack the Juniper NetScreen firewalls, and they also confirmed that they are conducting a further investigation of the exploit. The tools codenamed FEEDTROUGH and ZESTYLEAK could be used by attackers to target Juniper NetScreen firewalls; the company is investigating their efficiency. “As part of our analysis of these (Equation Group) files, we identified an attack against NetScreen devices running ScreenOS,” explained the company's incident response director Derrick Scholl. “We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.” “We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”


Endwall 08/24/2016 (Wed) 17:49:43 [Preview] No. 380 del
Tech Week Europe
Security Researchers Discover First Twitter-Controlled Botnet
Ben Sullivan, August 24, 2016, 4:21 pm
http://www.techweekeurope.co.uk/security/cyberwar/first-twitter-controlled-botnet-discovered-196739
Twitoor, uncovered by ESET, can plague Android devices with malicious malware

The first ever Twitter-controlled botnet has been discovered by security experts at ESET, who claim the backdoor is downloading malware onto infected Android devices. Twitoor is a backdoor that is able to install dodgy malware and has been active for around a month, said ESET.

Porn and MMS

While the app isn’t listed on the official Android app store, it spreads to users by SMS and malicious URLs, impersonating porn players or MMS applications. ESET said that on launch, the app masks its presence and checks the phone’s Twitter account for commands from a control server, acting as part of a botnet. When commands are received, it can download more malicious apps. “Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” said Lukáš Štefanko, the ESET malware researcher who discovered the malicious app.

As malware that takes down devices to form botnets needs to receive instructions, that communication channel is vital to their survival, said ESET. And to make the Twitoor botnet’s communication more resilient, botnet designers encrypted their messages and used innovative means for communication, among them the use of social networks, said ESET. “These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” said Štefanko.

Other non-traditional means of controlling Android bots have already been found in blogs or cloud messaging systems, said ESET, but Twitoor is the first Twitter-based bot malware, according to Štefanko. “In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks”, states ESET’s researcher. Twitoor has been found downloading versions of mobile banking malware. However, the botnet operators can start distributing other malware, including ransomware, at any time, warned Štefanko. “Twitoor serves as another example of how cybercriminals keep on innovating their business,” Štefanko continues. “The takeaway? Internet users should keep on securing their activities with good security solutions for both computers and mobile devices.”


Endwall 08/24/2016 (Wed) 23:58:54 [Preview] No. 381 del
ARS TECHNICA
HTTPS and OpenVPN face new attack that can decrypt secret cookies
http://tornews3zbdhuan5.onion/newspage/35462/
http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/
Ars Technica, Aug. 24, 2016 Dan Goodin - Aug 24, 2016 3:45 pm UTC

Researchers have devised a new attack that can decrypt secret session cookies from about 1 percent of the Internet's HTTPS traffic and could affect about 600 of the Internet's most visited sites, including nasdaq.com, walmart.com, match.com, and ebay.in. The attack isn't particularly easy to carry out because it requires an attacker to have the ability to monitor traffic passing between the end user and one of the vulnerable websites and to also control JavaScript on a webpage loaded by the user's browser. The latter must be done either by actively manipulating an HTTP response on the wire or by hosting a malicious website that the user is tricked into visiting. The JavaScript then spends the next 38 hours collecting about 785GB worth of data to decrypt the cookie, which allows the attacker to log into the visitor's account from another browser. A related attack against OpenVPN requires 18 hours and 705GB of data to recover a 16-byte authentication token.

Despite the difficulty in carrying out the attack, the researchers said it works in their laboratory and should be taken seriously. They are calling on developers to stop using legacy 64-bit block-ciphers. For transport layer security, the protocol websites use to create encrypted HTTPS connections, that means disabling the Triple DES symmetric key cipher, while for OpenVPN it requires retiring a symmetric key cipher known as Blowfish. Ciphers with larger block sizes, such as AES, are immune to the attack.

"It is well-known in the cryptographic community that a short block size makes a block cipher vulnerable to birthday attacks, even if the[re] are no cryptographic attacks against the block cipher itself," the researchers wrote in a blog post explaining the attacks. "We observe that such attacks have now become practical for the common usage of 64-bit block ciphers in popular protocols like TLS and OpenVPN."

A birthday attack is a type of cryptographic exploit that is based on the mathematical principle known as the birthday paradox. It holds that in a room of 23 randomly selected people, there is a 50-percent chance two of them will share the same birthday, and there's a 99.9 percent chance when the number is increased to 70 people. The same principle can be used by cryptographers to find so-called collisions, in which the output of two chunks of encrypted text is the same. Collisions, in turn, easily return the plaintext. By collecting hundreds of gigabytes worth of HTTPS or VPN data and carefully analyzing it, the attackers are able to recover the sensitive cookie.

In response to the new attack, which the researchers have dubbed Sweet32, OpenVPN developers on Tuesday released a new version of the program that actively discourages the use of 64-bit ciphers. OpenSSL maintainers, meanwhile, said in a blog post that they plan to disable Triple DES in version 1.1.0, which they expect to release on Thursday. In versions 1.0.2 and 1.0.1, they downgraded Triple DES from "high" to "medium," a change that increases the chances that safer ciphers are used to encrypt data traveling between servers and end users. The precise cipher choice is made dynamically and is based on a menu of options supported by both parties. While stripping Triple DES out of all versions would be the safest course, it also would leave some people unable to browse certain HTTPS sites altogether.

"When you have a large installed base, it is hard to move forward in a way that will please everyone," Rich Salz, a senior architect at Akamai Technologies and a member of the OpenSSL developer team, wrote. "Leaving triple-DES in 'DEFAULT' for 1.0.x and removing it from 1.1.0 is admittedly a compromise. We hope the changes above make sense, and even if you disagree and you run a server, you can explicitly protect your users through configuration." Browser makers are also in the process of making changes that prioritize safer ciphers over Triple DES.

The Sweet32 attack will be presented in October at the 23rd ACM Conference on Computer and Communications Security. While the time and data-collection requirements present a significant barrier, it works as described on sites that support Triple DES and allow long-lived HTTPS connections. As of May, about 600 websites in the Alexa 100,000 were identified, including those mentioned at the beginning of this article. Karthikeyan Bhargavan and Gaëtan Leurent, the researchers behind Sweet32, estimate that about 1 percent of the Internet's HTTPS traffic is vulnerable. OpenSSL team member Viktor Dukhovni summed things up well in an e-mail. "We're not making a fuss about the 3DES issue, and rating it 'LOW'," Dukhovni wrote. "The 3DES issue is of little practical consequence at this time. It is just a matter of good hygiene to start saying goodbye to 3DES."
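
The article explains the birthday bound and the "explicitly protect your users through configuration" advice but does not show either concretely. The following is an added example written for this thread, not code from Ars Technica, the Sweet32 researchers or OpenSSL. It works out how much ciphertext under a single key brings a 64-bit block cipher (3DES, Blowfish) to a 50% chance of a block collision versus a 128-bit one (AES), and audits a cipher list for the 64-bit-block ciphers the article says should be retired. The cipher table, the sample TLS and OpenVPN lists, and all function names are my own constructions; the block sizes are the ciphers' published parameters.

```python
import math
import re

# Block ciphers with a 64-bit block, keyed by the token that identifies them
# in OpenSSL, IANA and OpenVPN cipher names. Constructed for this example;
# AES, Camellia, ChaCha20 and friends are deliberately absent.
SMALL_BLOCK_CIPHERS = {
    "DES": 64, "3DES": 64,      # DES-CBC3-SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "BF": 64, "BLOWFISH": 64,   # OpenVPN's BF-CBC
    "CAST5": 64, "CAST": 64,
    "IDEA": 64, "RC2": 64,
}


def birthday_collision_probability(n_blocks, block_bits):
    """Probability that at least two of n_blocks random b-bit blocks collide.

    Uses the standard approximation P(no collision) ~ exp(-n(n-1) / 2^(b+1)).
    """
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / (2.0 * space))


def blocks_for_probability(p, block_bits):
    """Number of blocks under one key at which collision probability reaches p."""
    space = 2.0 ** block_bits
    return math.sqrt(-2.0 * space * math.log(1.0 - p))


def data_for_probability(p, block_bits):
    """Bytes of ciphertext under one key at which collision probability reaches p."""
    return blocks_for_probability(p, block_bits) * (block_bits // 8)


def small_block_cipher(suite_name):
    """Return the 64-bit-block cipher token a suite uses, or None if none."""
    # Token split handles "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "BF-CBC".
    tokens = re.split(r"[^A-Za-z0-9]+", suite_name.upper())
    for token in tokens:
        if token in SMALL_BLOCK_CIPHERS:
            return token
    return None


def audit_cipher_list(suites):
    """Split a cipher list into (kept, flagged); flagged suites use 64-bit blocks."""
    kept, flagged = [], []
    for suite in suites:
        (flagged if small_block_cipher(suite) else kept).append(suite)
    return kept, flagged


# Constructed sample lists in OpenSSL and OpenVPN naming, not taken from any server.
SAMPLE_TLS_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "CAMELLIA128-SHA",
]
SAMPLE_OPENVPN_CIPHERS = ["AES-256-CBC", "AES-128-GCM", "BF-CBC"]


def main():
    for bits in (64, 128):
        gb = data_for_probability(0.5, bits) / 1e9
        print(f"{bits}-bit block: 50% collision chance after ~{gb:.3g} GB under one key")
    # 2^32 blocks of a 64-bit cipher is the "sweet spot" the attack is named after.
    print(f"P(collision | 2^32 blocks, 64-bit) = {birthday_collision_probability(2**32, 64):.3f}")
    for name, suites in (("TLS", SAMPLE_TLS_CIPHERS), ("OpenVPN", SAMPLE_OPENVPN_CIPHERS)):
        kept, flagged = audit_cipher_list(suites)
        print(f"{name}: keep {kept}")
        print(f"{name}: retire {flagged}")


if __name__ == "__main__":
    main()
```

The 50% bound for a 64-bit block comes out at roughly 40 GB under a single key, far below the 785 GB the article quotes, because the real attack needs a collision that involves the specific secret block and must drive all of that traffic from a browser; the gap is the attack's inefficiency, not extra safety. For a 128-bit block the same bound is on the order of 10^20 bytes, which is why AES is out of reach. On the configuration side, OpenSSL cipher strings accept `3DES` as a keyword, so a server-side list such as `HIGH:!aNULL:!3DES` removes Triple DES without waiting for the 1.1.0 default change the article describes.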


Endwall 08/25/2016 (Thu) 00:05:42 [Preview] No. 382 del
ARS TECHNICA
Military submarine maker springs leak after “hack”—India, Oz hit dive alarm
http://tornews3zbdhuan5.onion/newspage/35463/
http://arstechnica.com/security/2016/08/military-submarine-maker-leak-dcns-suspected-hack/
Jennifer Baker (UK) - Aug 24, 2016 3:21 pm UTC

A massive leak of documents on India’s new military submarines from French shipbuilder DCNS is the result of a hack, the country's defence minister said on Wednesday. Manohar Parrikar claimed, according to local reports, that the entire designs of its Scorpene submarines hadn't been disclosed. “First step is to identify if its related to us, and anyway its not all 100 percent leak,” he was quoted as saying. The documents were made public by The Australian on Tuesday, which described the breach as an “Edward Snowden-sized leak.”

A DCNS spokesperson told Ars: “DCNS has been made aware of articles published in the Australian press related to the leakage of sensitive data about Indian Scorpene. This serious matter is thoroughly investigated by the proper French national authorities for defence security. This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.”

Although the 22,000-page cache of documents date from 2011, they give very detailed technical information about the combat capability of the Scorpene vessels, which are currently in use in Malaysia and Chile. India signed the £2.6 billion deal for six of the boats in 2005 (they are to be built in conjunction with an Indian government-owned Mumbai shipbuilder) and Brazil is due to deploy the vessels in 2018. Such sensitive information in the wrong hands would have huge ramifications for national security in all four countries. “It appears that the source of leak is from overseas and not in India,” Parrikar said, vowing to investigate further.

Australia is also very concerned. Earlier this year, DCNS won an AUS$50 billion contract, the country’s largest-ever defence deal, to build a new submarine fleet. The French group saw off bids from Germany’s ThyssenKrupp AG and a Japanese-government consortium of Mitsubishi Heavy Industries and Kawasaki Heavy Industries. Details about the Australian contract, expected to run into the 2050s, weren't disclosed in the leak. But it has raised concerns about the data security of the defence project. The country's prime minister Malcolm Turnbull said the leak was a reminder of the importance of cyber security, but claimed that Australia, where the 4,500-tonne Shortfin Barracuda submarines will be built, has “high security standards”, an assertion called into question in the recent census debacle.

This post originated on Ars Technica UK


Endwall 08/25/2016 (Thu) 00:13:59 [Preview] No. 383 del
Open Sources
Word Games: What the NSA Means by “Targeted” Surveillance Under Section 702
http://opensources.info/word-games-what-the-nsa-means-by-targeted-surveillance-under-section-702/
Aug 24, 2016
We all know that the NSA uses word games to hide and downplay its activities. Words like “collect,” “conversations,” “communications” and even “surveillance” have suffered tortured definitions that create confusion rather than clarity. There’s another one to watch: “targeted” v. “mass” surveillance. Since 2008, the NSA has seized tens of billions of Internet communications. It uses the Upstream and PRISM programs—which the government claims are authorized under Section 702 of the FISA Amendments Act—to collect hundreds of millions of those communications each year. The scope is breathtaking, including the ongoing seizure and searching of communications flowing through key Internet backbone junctures,[1]the searching of communications held by service providers like Google and Facebook, and, according to the government’s own investigators, the retention of significantly more than 250 million Internet communications per year.[2] Yet somehow, the NSA and its defenders still try to pass 702 surveillance off as “targeted surveillance,” asserting that it is incorrect when EFF and many others call it “mass surveillance.” Our answer: if “mass surveillance” includes the collection of the content of hundreds of millions of communications annually and the real-time search of billions more, then the PRISM and Upstream programs under Section 702 fully satisfy that definition. This word game is important because Section 702 is set to expire in December 2017. EFF and our colleagues who banded together to stop the Section 215 telephone records surveillance are gathering our strength for this next step in reining in the NSA. At the same time, the government spin doctors are trying to avoid careful examination by convincing Congress and the American people that this is just “targeted” surveillance and doesn’t impact innocent people. 
Section 702 Surveillance: PRISM and Upstream
PRISM and Upstream surveillance are two types of surveillance that the government admits that it conducts under Section 702 of the FISA Amendments Act, passed in 2008. Each kind of surveillance gives the U.S. government access to vast quantities of Internet communications.[3] Upstream gives the NSA access to communications flowing through the fiber-optic Internet backbone cables within the United States.[4] This happens because the NSA, with the help of telecommunications companies like AT&T, makes wholesale copies of the communications streams passing through certain fiber-optic backbone cables. Upstream is at issue in EFF’s Jewel v. NSA case. PRISM gives the government access to communications in the possession of third-party Internet service providers, such as Google, Yahoo, or Facebook. Less is known about how PRISM actually works, something Congress should shine some light on between now and December 2017.[5] Note that those two programs existed prior to 2008—they were just done under a shifting set of legal theories and authorities.[6] EFF has had evidence of the Upstream program from whistleblower Mark Klein since 2006, and we have been suing to stop it ever since...


Endwall 08/25/2016 (Thu) 03:52:44 [Preview] No. 387 del
Deep Dot Web
Police Push For a Law Requiring Canadians to Give Up Their Passwords
http://deepdot35wvmeyd5.onion/2016/08/24/police-push-law-requiring-canadians-give-passwords/
Posted by: C. Aliens August 24, 2016
At the organization’s annual news conference on the 16th of August, The Canadian Association of Chiefs of Police (CACP) passed a resolution that calls for a law allowing the police to force people to provide law enforcement with their computer passwords. CTV spoke with RCMP Assistant Commissioner Joe Oliver after the conference where he explained that under current Canadian laws, the police have no way to legally compel users to hand over passwords. The resolution passed by the CACP is part of an effort to allow law enforcement to catch up with the digital age. “The victims in the digital space are real,” Oliver said. “Canada’s law and policing capabilities must keep pace with the evolution of technology.” The resolution was intentionally passed during a time when the federal government began a study on cybersecurity to find a way to balance online freedoms with the police’s ability to enforce the law. The study will run until the 15th of October. As pointed out by Motherboard, the CACP posted a report on “the challenges of gathering electronic evidence” as a backboard for the resolution, implying that the decision is influenced by recent events such as Apple’s refusal to unlock an iPhone for the FBI. Oliver told CTV that since police tensions are being raised around the globe, new measures are being sought out to make their job easier. One example of this is CACP pushing for police to be able to easily obtain information from cellphone carriers, such as names and addresses of subscribers in real-time. Although the invasive ruling would require permission from a judge before an individual would need to provide law enforcement with his password, advocates for civil liberties have expressed their explicit disapproval. Michael Vonn, policy director for the BC Civil Liberties Association, when questioned by journalists gave a further explanation. “To say this is deeply problematic is to understate the matter,” he said. 
“We have all kinds of laws that do not compel people to incriminate themselves or even speak.” Since Canada has laws in place to allow people to keep their privacy through silence and choose not to reveal any information, Vonn says the resolution’s proposed law would not fit in Canada’s legal landscape. It would be “tricky constitutionally,” he added. A lawyer for the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa questions whether or not the proposal would be constitutional. “It’s rare to force people to help police investigate themselves, and for good reason,” Tamir Israel writes. “It shifts the focus of criminal condemnation away from actual criminal activity and onto compliance. So if an individual legitimately objects to handing over their password, that alone makes them criminal.” Vonn added that while this is what the Chiefs of Police do, the law should not be in violation of people’s civil liberties.
http://www.ctvnews.ca/canada/police-chiefs-want-law-compelling-people-to-reveal-passwords-1.3030790?hootPostID=3d0770fc68b61c08f414f48b088ef55e


Endwall 08/25/2016 (Thu) 04:20:21 [Preview] No. 388 del
AP
US intelligence still sorting out NSA hack
https://www.yahoo.com/tech/us-intelligence-still-sorting-purported-225513205.html
August 24, 2016
YORBA LINDA, Calif. (AP) — The U.S. is still probing the extent of a recent cyber leak of what purports to be hacking tools used by the National Security Agency, the nation's top intelligence official said Wednesday. "We are still sorting this out," James Clapper, director of national intelligence, said at an event at the Nixon Presidential Library and Museum in Yorba Linda, California. "It's still under investigation," Clapper said. "We don't know exactly the full extent — or the understanding — of exactly what happened." The tool kit consists of malicious software intended to tamper with firewalls, the electronic defenses protecting computer networks. The leak has set the information security world atwitter — and sent major companies rushing to update their defenses. The rogue programs appear to date back to 2013 and have whimsical names like EXTRABACON or POLARSNEEZE. Three of them — JETPLOW, FEEDTROUGH and BANANAGLEE — have previously appeared in an NSA compendium of top secret cyber surveillance tools. The documents have been leaked by a group calling itself the "Shadow Brokers," although many have floated the possibility of Russian involvement. CIA Director John Brennan, who appeared with Clapper at the event, called cyber threats the most serious issue facing the nation. "This administration, the intelligence community is focused like a laser on this and I would say the next administration really needs to take this up early on as probably the most important issue they have to grapple with," Brennan said.


Endwall 08/25/2016 (Thu) 04:33:42 [Preview] No. 389 del
France and Germany against encrypted messaging apps
http://www.ehackingnews.com/2016/08/france-and-germany-against-encrypted.html
Wednesday, August 24, 2016
France and Germany are pushing for a common rule in Europe for encrypted messaging apps such as Telegram to help governments in monitoring communications between extremists. According to privacy advocates, encryption is essential for online security, especially in banking transactions. Whereas security experts argue that encrypted apps are increasingly used by extremists to hide their location, coordinate operations and trade weapons and sex slaves. Interior Minister Bernard Cazeneuve said "French authorities have detained three people this month with "clear attack plans," but police need better tools to eavesdrop on encrypted text conversations utilizing the kinds of powers used to wiretap phones." He and German Interior Minister Thomas de Maiziere are insisting on a ban on encrypted services. However, Cazeneuve said instead of banning the app, they should work with companies to ensure they can't be abused by militants. In a joint proposal released on Tuesday, "Encrypted communications among terrorists constitute a challenge during investigations. Solutions must be found to enable effective investigation ... while at the same time protecting the digital privacy of citizens by ensuring the availability of strong encryption." There were no specific solutions, but the leaders want to discuss encryption next month during a summit in Bratislava, Slovakia. On the other hand, Telegram wrote on its website that they blocked terrorist-related public channels but don't intervene in private chats.


Anonymous 08/25/2016 (Thu) 07:56:08 [Preview] No. 390 del
HAK 5
DEF CON 24: Warwalking at DEF CON, Semaphor, Mousejack and Keysniffer - Hak5 2026
https://www.youtube.com/watch?v=2j3DnGUvStU


Endwall 08/25/2016 (Thu) 17:49:32 [Preview] No. 392 del
Australian Broadcasting Corp
Cyber War
By Linton Besser and Poppy Stockell
Monday 29th August 2016
http://www.abc.net.au/4corners/stories/2016/08/25/4526527.htm

Cyber War: How hackers are threatening everything from your bank account to the nation's secrets.
In a room, deep inside a Las Vegas hotel, the world's best hackers are gathering.
"You have to go into a backroom... there you're going to find about a dozen teams playing against each other, no more than a hundred people. These are really the world's cyber elite." Artificial Intelligence developer
They're here to compete against each other and they're being watched by cyber warfare agencies the world over, not for prosecution, but for recruitment. They have the skills needed to wage espionage and warfare in the modern age. On Monday night Four Corners takes you into the world of cyber hacking, where the weapon of choice is computer code.
"In WWII we bombed and destroyed the electrical infrastructure of our enemies. Now we have the ability through a cyber attack to just shut the grid down." Former CIA Director Michael Hayden
Featuring an interview with the former head of the CIA and the NSA, Michael Hayden, he explains how the intelligence business has changed with young hackers parachuted into sensitive operational activities.
"Right ok, take out the power grid... Red Team power is going down, what I want you to look at now, do as much damage as you can." Australian Cyber Trainer
We take you into the cutting edge facility where Australian soldiers are being trained in the arts of cyber warfare - where their computer skills can be used to shut down a power grid or cut off a city's water supply.
"The Australian Government knows it needs to protect these things... and will continue to strive to stay ahead of whatever the threat environment is." Australian Govt Cyber Adviser
And will reveal the strategic Australian companies and institutions that have found themselves hacked.
"They're so deep inside our network it's like we had someone sitting over our shoulder for anything we did." IT manager
It's not just nation states that are in the hacking business, it's also criminals, and as the program demonstrates, it's frighteningly easy to hack our lives. If you have a smart phone, if you use internet banking, if you store your information "in the cloud" then you are at risk.
"Cybercrime poses one of the greatest challenges to law enforcement this century. No longer do we have that individual who carries a firearm and wears a balaclava to disguise their identity. It's a lot more profitable and a lot easier for someone to pick up a laptop, sit in the comfort of their lounge room behind the anonymity of the internet and take the bank for millions of dollars." Australian Police Officer
Cyber War, reported by Linton Besser and presented by Sarah Ferguson, goes to air on Monday 29th August at 8.30pm EDT. It is replayed on Tuesday 30th August at 10.00am and Wednesday 31st at 11pm. It can also be seen on ABC News 24 on Saturday at 8.00pm AEST, ABC iview and at abc.net.au/4corners.
Edited last time by Endwall on 08/25/2016 (Thu) 18:38:01.


Endwall 08/25/2016 (Thu) 18:23:16 [Preview] No. 393 del
ARS TECHNICA
Apple releases iOS 9.3.5 with “an important security update”
Andrew Cunningham Aug 25, 2016 5:21 pm UTC
Just a few weeks after posting iOS 9.3.4 to fix a jailbreaking-related bug, Apple has released iOS 9.3.5 to all supported iPhones and iPads. The update provides an "important security update" and comes just a few weeks before the expected release of iOS 10, which is currently pretty far along in the developer/public beta process. Apple's security release notes say that three bugs have been fixed, two in the iOS kernel and one in WebKit. The bugs were discovered by Citizen Lab and Lookout, the latter of which posted more information in a blog post. Lookout collectively calls the three zero-day vulnerabilities "Trident," and says that they could allow a victim's personal data to be accessed after opening a link sent in a text message. Trident infects a user's phone "invisibly and silently, such that victims do not know they’ve been compromised." We'll have more information about the vulnerability in a forthcoming article. The update is available now for everything that runs iOS 9: the iPhone 4S and newer; iPad 2 and newer; all iPad Minis and iPad Pros; and the fifth- and sixth-generation iPod Touches.


Endwall 08/25/2016 (Thu) 18:24:24 [Preview] No. 394 del
E hacking news
Cisco begins patching of leaked shadowbrokers attack
Thursday, August 25, 2016
http://www.ehackingnews.com/2016/08/cisco-begins-patching-of-leaked.html
Enterprise-grade Cisco firewalls began the process of patching a zero-day vulnerability in its Adaptive Security Appliance (ASA) software exposed in the ShadowBrokers data dump. Researchers at Silent Signal in Hungary yesterday tweeted they had ported the EXTRABACON attack to ASA version 9.2(4), which was released a year ago. The firm expanded the attack range of the ExtraBacon Cisco hack hole revealed as part of the Shadow Brokers cache of National Security Agency-linked exploits and tools. The research after the attack confirmed that the Equation Group exploit for version 8.4(4) of the firewall appliance did indeed provide remote unauthenticated access over SSH or telnet. The attack was included in a 300 MB file download made freely available by the ShadowBrokers that also included exploits, implants and other attacks against Juniper, WatchGuard, Topsec and Fortinet firewalls and networking gear. Researchers confirmed that there was a connection between ShadowBrokers dump and Equation Group exploits. The exploit was restricted to versions 8.4 (4) and earlier of ASA boxes and has now been expanded to 9.2 (4). Users on affected versions of 7.2, 8.0 and 8.7 are requested to upgrade soon to 9.1.7 (9) or later. Newer versions that are also implicated—9.1 through 9.6—are expected to be updated in the next two days. “We have started publishing fixes for affected versions, and will continue to publish additional fixes for supported releases as they become available in the coming days,” Cisco’s Omar Santos said on Wednesday (August 24) in an updated advisory. Cisco and Fortinet have confirmed their kit is affected by exploits listed in data cache which included some 300 files circulated online. The vulnerability lies in the SNMP code in ASA that could allow an attacker to crash the affected system or remotely execute arbitrary code. The attacks can eventually be modified to target any version. 
The affected ASA software, Cisco said, runs in a number of its products including Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 4100 Series, Cisco Firepower 9300 ASA Security Module, Cisco Firepower Threat Defense Software, Cisco Firewall Services Module (FWSM), Cisco Industrial Security Appliance 3000, and Cisco PIX Firewalls. Prior to yesterday’s patches, Cisco had provided its customers with IPS and Snort signatures that detect the vulnerability. The ShadowBrokers data dump happened more than a week ago when the group claimed to have hacked the Equation Group, which is widely believed to be connected to the NSA.


Endwall 08/25/2016 (Thu) 18:26:01 [Preview] No. 395 del
ITProPortal
Experts calling for password abolition following Mail.ru breach
http://www.itproportal.com/news/experts-calling-for-password-abolition-following-mailru-breach
By Sead Fadilpašić
Russian internet giant Mail.ru has been hacked once again, and some 25 million accounts associated with forums run by the company have been compromised.

Among the data that was stolen are usernames, passwords (easily crackable, according to CloudLink), email addresses, phone numbers, birthdays and IP addresses. Security firm CloudLink says theft of this kind of data is worrying, especially with IP addresses involved, as hackers could find a person’s real life address. For the security company, this is yet another proof we need to move away from passwords and into more modern solutions: “Given the severity and regularity of data breaches, it’s clear that passwords are now unsustainable. This latest hack has just added to the long list of large data breaches amongst organisations including Apple, LinkedIn, MySpace, Tumblr and Citrix, yet companies are still risking their client’s security by using passwords,” says Gideon Wilkins, VP of Sales and Marketing at Secure Cloudlink. “The system is flawed and as the appetite for stolen data continues to grow, these breaches will persist unless the IT industry finds a better way of protecting data.” Wilkins says that it doesn’t even matter how well-crafted the password is. If the company handling it doesn’t encrypt it, everything is pointless. “The most concerning angle of this breach is the fact that people’s location may have been exposed, which adds a physical risk on top of the digital element. Even if an individual picks a highly complex password to make it ‘strong’, when a website is hacked, and the website doesn’t encrypt passwords then personal details as well as other high-risk data can still be compromised. Even if passwords are stored in an encrypted format, they can still be stolen and the encryption cracked.” “We have changed the approach and changed the game, the faster a no-password solution is embraced, the less data breaches we will see and the safer user’s data will become,” concludes Wilkins.


Endwall 08/25/2016 (Thu) 18:28:45 [Preview] No. 396 del
IT NEWS
Linux at 25: Linus Torvalds on the evolution and future of Linux
http://www.infoworld.com/article/3109150/linux/linux-at-25-linus-torvalds-on-the-evolution-and-future-of-linux.html

By Paul Venezia
The last time I had the occasion to interview Linus Torvalds, it was 2004, and version 2.6 of the Linux kernel had been recently released. I was working on a feature titled “Linux v2.6 scales the enterprise.” The opening sentence was “If commercial Unix vendors weren’t already worried about Linux, they should be now.” How prophetic those words turned out to be. More than 12 years later -- several lifetimes in the computing world -- Linux can be found in every corner of the tech world. What started as a one-man project now involves thousands of developers. On this, its 25th anniversary, I once again reached out to Torvalds to see whether he had time to answer some questions regarding Linux’s origins and evolution, the pulse of Linux’s current development community, and how he sees operating systems and hardware changing in the future. He graciously agreed. The following interview offers Torvalds’ take on the future of x86, changes to kernel development, Linux containers, and how shifts in computing and competing OS upgrade models might affect Linux down the line.
Linux’s origins were in low-resource environments, and coding practices were necessarily lean. That’s not the case today in most use cases. How do you think that has affected development practices for the kernel or operating systems in general?
I think your premise is incorrect: Linux's origins were definitely not all that low-resource. The 386 was just about the beefiest machine you could buy as a workstation at the time, and while 4MB or 8MB of RAM sounds ridiculously constrained today, and you'd say "necessarily lean," at the time it didn't feel that way at all. So I felt like I had memory and resources to spare even back 25 years ago and not at all constrained by hardware. And hardware kept getting better, so as Linux grew -- and, perhaps more importantly, as the workloads you could use Linux for grew -- we still didn't feel very constrained by hardware resources.
From a development angle, I don't think things have changed all that much. If anything, I think that these days when people are trying to put Linux in some really tiny embedded environments (IoT), we actually have developers today that feel more constrained than kernel developers felt 25 years ago. It sounds odd, since those IoT devices tend to be more powerful than that original 386 I started on, but we've grown (a lot) and people’s expectations have grown, too...
Edited last time by Endwall on 08/25/2016 (Thu) 18:33:16.


Endwall 08/25/2016 (Thu) 18:39:51 [Preview] No. 397 del
Nextgov
All the Ways Your Wi-Fi Router Can Spy on You
http://www.nextgov.com/cybersecurity/2016/08/all-ways-your-wi-fi-router-can-spy-you/131039/
City dwellers spend nearly every moment of every day awash in Wi-Fi signals. Homes, streets, businesses and office buildings are constantly blasting wireless signals every which way for the benefit of nearby phones, tablets, laptops, wearables and other connected paraphernalia. When those devices connect to a router, they send requests for information—a weather forecast, the latest sports scores, a news article—and, in turn, receive that data, all over the air. As it communicates with the devices, the router is also gathering information about how its signals are traveling through the air, and whether they’re being disrupted by obstacles or interference. With that data, the router can make small adjustments to communicate more reliably with the devices it’s connected to. But it can also be used to monitor humans—and in surprisingly detailed ways. As people move through a space with a Wi-Fi signal, their bodies affect it, absorbing some waves and reflecting others in various directions. By analyzing the exact ways a Wi-Fi signal is altered when a human moves through it, researchers can “see” what someone writes with their finger in the air, identify a particular person by the way they walk, and even read a person’s lips with startling accuracy—in some cases even if a router isn’t in the same room as the person performing the actions. Several recent experiments have focused on using Wi-Fi signals to identify people, either based on their body shape or the specific way they tend to move. Earlier this month, a group of computer-science researchers at Northwestern Polytechnical University in China posted a paper to an online archive of scientific research, detailing a system that can accurately identify humans as they walk through a door nine times out of 10. The system must first be trained: It has to learn individuals’ body shapes so it can identify them later. 
After memorizing body shapes, the system, which the researchers named FreeSense, watches for people walking across its line of sight. If it’s told the next passerby will be one of two people, the system can correctly identify which it is 95 percent of the time. If it’s choosing between six people, it identifies the right one 89 percent of the time. The researchers proposed using their technology in a smart-home setting: If the router senses one person’s entry into a room, it could communicate with other connected devices—lights, appliances, window shades—to customize the room to that person’s preferences. FreeSense mirrored another Wi-Fi-based identification system a group of researchers from Australia and the U.K. presented at a conference earlier this year. Their system, Wi-Fi ID, focused on gait as a way to identify people from among a small group. It achieved 93 percent accuracy when choosing among two people, and 77 percent when choosing from among six. Eventually, the researchers wrote, the system could become accurate enough it could sound an alarm if an unrecognized intruder entered. Something in the way? No problem. A pair of MIT researchers wrote in 2013 they could use a router to detect the number of humans in a room and identify some basic arm gestures, even through a wall. They could tell how many people were in a room from behind a solid wooden door, a 6-inch hollow wall supported by steel beams, or an 8-inch concrete wall—and detect messages drawn in the air from a distance of five meters (but still in another room) with 100 percent accuracy. (Using more precise sensors, the same MIT researchers went on to develop systems that can distinguish between different people standing behind walls, and remotely monitor breathing and heart rates with 99 percent accuracy. 
President Obama got a glimpse of the latter technology during last year’s White House Demo Day in the form of Emerald, a device geared toward elderly people that can detect physical activity and falls throughout an entire home. The device even tries to predict falls before they happen by monitoring a person’s movement patterns.) Beyond human identification and general gesture recognition, Wi-Fi signals can be used to discern even the slightest of movements with extreme precision. A system called “WiKey” presented at a conference last year could tell what keys a user was pressing on a keyboard by monitoring minute finger movements. Once trained, WiKey could recognize a sentence as it was typed with 93.5 percent accuracy—all using nothing but a commercially available router and some custom code created by the researchers. And a group of researchers led by a Berkeley Ph.D. student presented technology at a 2014 conference that could “hear” what people were saying by analyzing the distortions and reflections in Wi-Fi signals created by their moving mouths. The system could determine which words from a list of lip-readable vocabulary were being said with 91 percent accuracy when one person was speaking, and 74 percent accuracy when three people were speaking at the same time. Many researchers presented their Wi-Fi sensing technology as a way to preserve privacy while still capturing important data. Instead of using cameras to monitor a space—recording and preserving everything that happens in detail—a router-based system could detect movements or actions without intruding too much, they said. I asked the lead researcher behind WiKey, Kamran Ali, whether his technology could be used to secretly steal sensitive data. Ali said the system only works in controlled environments and with rigorous training. “So, it is not a big privacy concern for now, no worries there,” wrote Ali, a Ph.D. student at Michigan State University, in an email. 
But as Wi-Fi “vision” evolves, it may become more adaptable and need less training. And if a hacker is able to gain access to a router and install a WiKey-like software package—or trick a user into connecting to a malicious router—he or she can try to eavesdrop on what’s being typed nearby without the user ever knowing. Because all of these ideas piggyback on one of the most ubiquitous wireless signals, they’re ripe for wide distribution once they’re refined, without the need for any new or expensive equipment. Routers could soon keep kids and older adults safe, log daily activities, or make a smart home run more smoothly—but, if invaded by a malicious hacker, they could also be turned into incredibly sophisticated hubs for monitoring and surveillance.


Endwall 08/25/2016 (Thu) 18:44:54 [Preview] No. 398 del
Sensor Tech
Open-Source Ransomware Based on Hidden Tear and EDA2 on the Loose
http://sensorstechforum.com/open-source-ransomware-based-hidden-tear-eda2-loose/
August 25, 2016 by Milena Dimitrova+
Open-source ransomware is a real issue which is continuously evolving. Over the past few weeks, researchers have caught three open-source crypto virus strains, based on Hidden Tear and EDA2. What all of the three strains have in common is that they all look for files related to web servers and databases. This could easily mean that the ransomware viruses are specifically
Three Ransomware Strains Based on Open-Source Code Detected in the Wild
Interestingly, Hidden Tear and EDA2 are widely accepted as the first open-source ransomware coded for educational purposes. This idea quickly turned out to be fishy, as it didn’t take long for cyber criminals to exploit the code for malicious operations. As pointed out by TrendMicro researchers: RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs that infect systems when users access a hacked website from Paraguay. Magic ransomware http://sensorstechforum.com/magic-the-open-source-ransomware-that-emerged-from-github/ (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B’s discovery. It’s not hard to guess why open-source ransomware is becoming so popular among crooks – it offers the ease and convenience of not having to be tech-savvy. What is more, before the source codes of Hidden Tear and EDA2 were taken down, they were publicly available long enough for cyber criminals to modify the code according to their needs. Not only are cyber criminals using open-source code but they are also using elements from pop culture. For example, RANSOM_KAOTEAR.A is built on the Hidden Tear code, uses the filename kaoTalk.exe and includes a KakaoTalk icon. KakaoTalk is a popular messaging app in South Korea with 49.1 million active users globally. Another example here is the POGOTEAR or PokemonGo ransomware. The ransomware was found in the wild by the malware researcher Michael Gillespie. It is thought that the virus might still be in development or could be tweaked more in the near future, but it looks nasty enough from now. The PokemonGO ransomware places the .locked file extension on each of the encrypted files. After that process is complete, the file هام جدا.txt is placed on the desktop, containing the ransom instructions. The name of the file is translated as “very important”.
Let’s not forget FSociety ransomware (RANSOM_CRYPTEAR.SMILA), which is an EDA2-based ransomware and is “inspired” by the hacker group in Mr. Robot. http://sensorstechforum.com/mr-robot-season-2-hacks-exploits-fsociety-cryptowall/ Fsociety ransomware is based on the EDA2 ransomware project, which is an open source ransomware code uploaded online and created by Utku Sen. Since then, many variants of the EDA2 project have popped up, because all it takes is someone who knows coding to take this source code and design their own version of ransomware, just as the Fsociety ransomware variant is.
What Else Do KaoTear, POGOTEAR, and Fsociety Ransomware Share?
TrendMicro researchers point out that these three ransomware cases have other striking similarities. They target almost the same file types to encrypt: *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd. As mentioned in the beginning, some of these file extensions (such as XML, PHP, and ASPX) are related to web servers which points to attacks targeting businesses. Moreover, all three ransomware search for SQL and MDB files, associated with databases. […] POGOTEAR and FSociety may still be under development. One indicator for this is POGOTEAR’s use of a private IP for its command-and-control (C&C) server. Since it uses a private IP, the information sent stays within the organization’s network. On the other hand, FSociety searches for a folder named ‘test’ in the %Desktop%. If the said folder is not found, FSociety does not encrypt any files.
The Dangers of Open-Source, Educational Malware
Open-source ransomware has raised a red flag in the cyber security community. Hidden Tear and EDA2 were both exploited by cyber crooks who used the public source code, modified it and attacked users. Another educational ransomware spotted is ShinoLocker (detected as RANSOM_SHINOLOCK.A). Aside from file encryption, it can also uninstall itself and restore files it has encrypted. The developer created it for simulation purposes. The moral here is that cyber security researchers have to address the possible risks and consequences of developing educational malware. Leaving the source-code in the public space available to anyone has proven to be a bad idea. Instead, researchers should distribute these only to credible recipients through secure channels. Before releasing anything to the public, researchers need to assess its benefits against the potential threats that it can introduce if it goes into the wrong hands, TrendMicro concludes.


Endwall 08/25/2016 (Thu) 19:19:15 No. 399
Cisco Updates ASA Software to fix the Equation Group’s EXTRABACON exploit
August 25, 2016 By Pierluigi Paganini
http://securityaffairs.co/wordpress/50618/security/cisco-fixed-extrabacon-exploit.html
Cisco has started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online. Security firms and IT giants are analyzing the huge archive leaked by the Shadow Brokers crew after the hack of the NSA-linked Equation Group. We reported that some of the exploits included in the archive are effective against Cisco, Fortinet, and Juniper network appliances. For example, the BENIGNCERTAIN tool included in the NSA data dump could be exploited by remote attackers to extract VPN passwords from certain Cisco devices, while EXTRABACON was analyzed by the Hungary-based security consultancy Silent Signal, who used it to hack into newer models of Cisco’s Adaptive Security Appliance (ASA). The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a Cisco ASA firewall. The CVE-2016-6366 flaw affects Cisco’s ASA appliances, both firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls.
The EXTRABACON tool leverages a flaw in the Simple Network Management Protocol (SNMP) implementation of the ASA software. “A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code,” states the advisory published by Cisco. “The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”
Cisco promptly analyzed the exploits and released the necessary patches. Network administrators who manage Cisco ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11). The remaining versions will be fixed by the IT giant in the coming days; in the meantime, the company has provided a detailed description of workarounds to implement as a temporary solution. The company will not issue any patch for devices that are no longer supported, including firewall modules and PIX firewalls.
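The advisory’s two conditions, crafted SNMP packets and knowledge of the community string, are worth seeing on the wire: in SNMPv1/v2c the community travels as a plaintext OCTET STRING inside a BER-encoded message, so anyone who can sniff a management VLAN or guess “public” has met the second condition. The block below is an added example, not code from the article, from Cisco’s advisory or from the exploit itself: a minimal SNMPv2c encoder/decoder and a policy check that flags requests from unexpected sources, with unknown community strings, or with abnormally long OIDs or varbind lists. The community string, the poller subnet, the sample OIDs and the size limits are assumptions for the example, not values taken from EXTRABACON.

```python
"""Added example: decode SNMPv1/v2c requests and flag ones an ASA management
plane should never see. Every packet here is built by build_get_request();
the community string, poller subnet and size limits are assumed values."""
import ipaddress

def _tlv(tag, body):
    # BER tag/length/value with short- or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                       # base-128, high bit = "more bytes"
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_get_request(community, oids, request_id=1):
    """SNMPv2c GetRequest with a NULL value per OID (request_id kept < 128)."""
    vbl = b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x05, b"")) for o in oids)
    pdu = _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\0") + _tlv(0x02, b"\0") + _tlv(0x30, vbl)
    return _tlv(0x30, _tlv(0x02, b"\x01")                 # version 1 == SNMPv2c
                + _tlv(0x04, community.encode("latin-1"))  # community: plaintext on the wire
                + _tlv(0xA0, pdu))                         # 0xA0 == GetRequest-PDU

def _read_tlv(buf, i):
    # returns (tag, value, index after value); raises on truncated input
    tag, first, i = buf[i], buf[i + 1], i + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if i + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[i:i + length], i + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmp(buf):
    """Version, community, PDU tag and OIDs of an SNMPv1/v2c request."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, ver, i = _read_tlv(msg, 0)
    _, community, i = _read_tlv(msg, i)
    pdu_tag, pdu, _ = _read_tlv(msg, i)
    j = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, j = _read_tlv(pdu, j)
    _, vbl, _ = _read_tlv(pdu, j)
    oids, k = [], 0
    while k < len(vbl):
        _, vb, k = _read_tlv(vbl, k)
        _, oid_raw, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_raw))
    return {"version": int.from_bytes(ver, "big"), "pdu_type": pdu_tag,
            "community": community.decode("latin-1"), "oids": oids}

POLICY = {                                   # assumed site policy, not from Cisco
    "communities": {"n3tm0n-r0"},
    "pollers": [ipaddress.ip_network("10.0.50.0/24")],
    "max_oid_arcs": 64,                      # illustrative ceiling for a sane MIB OID
    "max_varbinds": 32,
}

def check_request(src_ip, buf, policy=POLICY):
    """List of findings; empty means the request looks like routine polling."""
    try:
        req = parse_snmp(buf)
    except (ValueError, IndexError):
        return ["malformed SNMP message"]
    findings = []
    if req["community"] not in policy["communities"]:
        findings.append("unknown community %r" % req["community"])
    if not any(ipaddress.ip_address(src_ip) in net for net in policy["pollers"]):
        findings.append("source %s is not an authorised poller" % src_ip)
    if len(req["oids"]) > policy["max_varbinds"]:
        findings.append("%d varbinds in one request" % len(req["oids"]))
    for oid in req["oids"]:
        arcs = oid.count(".") + 1
        if arcs > policy["max_oid_arcs"]:
            findings.append("oversized OID with %d arcs" % arcs)
    return findings
```

`check_request("10.0.50.7", build_get_request("n3tm0n-r0", ["1.3.6.1.2.1.1.1.0"]))` returns an empty list; the same request for community `public` from an address outside the poller subnet, carrying an 87-arc OID, returns three findings. The useful lesson is the ordering of defences: filtering SNMP to known pollers on the ASA (or upstream) removes the attack surface entirely, rotating community strings only raises the bar, and a decoder like this belongs on a span port, not in front of the agent you are trying to protect.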


Anonymous 08/25/2016 (Thu) 19:23:41 No. 400
Spying on Canadian Phone Calls and Emails by Canadian SIGINT Agency Has Risen Dramatically
http://www.matthewaid.com/post/149457819696/spying-on-canadian-phone-calls-and-emails-by
August 25, 2016
Federal spies suddenly intercepting 26 times more Canadian phone calls and communications
Ian MacLeod, Ottawa Citizen, August 24, 2016
OTTAWA — Interception of Canadians’ private communications by the federal electronic spy agency increased 26-fold last year, for reasons authorities won’t fully explain. And despite commitments between Canada and its intelligence-sharing allies to respect the privacy of each nation’s citizens, the volume of information on Canadians collected by allied intelligence agencies and informally shared with Canada’s spies has grown to the point that it now requires a formal mechanism to cope with all the data. At least one intelligence expert is concerned the change sidesteps the spirit of Canadian privacy laws. Details are contained in the latest annual report by the independent, external oversight organization that reviews activities of the Canadian Security Establishment (CSE), Ottawa’s super-secret foreign signals intelligence agency. Quietly tabled in Parliament July 20, the report concludes CSE’s 2015-16 activities were lawful. But the watchdog Office of the Commissioner of the Communications Security Establishment notes CSE intercepted 342 private communications in 2014-15, compared to just 13 for the previous year. By law, CSE can only target communications of foreign entities outside Canada. If one end of that communication is in Canada, making it a “private communication,” it requires a written authorization from the minister of national defence, responsible for the CSE, and only if it is essential for “international affairs, defence or security.” There also must be “satisfactory measures” to protect the privacy of any Canadian citizens, including permanent residents and corporations, inadvertently caught up in the intercept. Otherwise, the CSE is not allowed to target Canadians at home or abroad.
Commissioner Jean-Pierre Plouffe, a retired Quebec superior court judge, reports he is satisfied all the intercepts of Canadians’ communications last year were unintentional, essential to international affairs, defence or security, backed by ministerial authorizations and legal. But Plouffe’s explanation for the 26-fold jump is not so straightforward: “This was a consequence of the technical characteristics of a particular communications technology and of the manner in which private communications are counted,” he writes. Asked to clarify, his office Wednesday declined, saying it is bound by the Security of Information Act and, “to say more could reveal CSE operational capabilities.” CSE, too, declined to elaborate. “To protect our capabilities and ensure that they remain effective, CSE cannot provide any additional information,” agency spokesman Ryan Foreman said in a statement. Bill Robinson, a respected and unofficial CSE watchdog who hosts the Lux Ex Umbra blog site, said: “CSE has tremendous control over what the commissioner can in fact say because of its classification/declassification power. They can reduce it to total gibberish.” Robinson speculates CSE may have targeted social media conversations between individuals and counted each separate message in the string as a private communication. A small number of online conversations could be responsible for the rather large total. More concerning, he said, is the increasing practice of U.S., British, Australian and New Zealand security intelligence agencies who, along with Canada, make up the Five Eyes intelligence-sharing network, giving information collected on Canadians to the Canadian Security Intelligence Service (CSIS), the country’s domestic security intelligence guardians.
Plouffe’s report says prior to February 2015, the process for such allied reporting to CSIS was “manual” and did not involve CSE. But, “to help address the evolving terrorist threat and the increase in the number of foreign fighters, CSIS required a more timely mechanism to securely exchange information. “To this end, CSIS requested CSE assistance … to establish a mechanism for CSIS to receive and handle these reports via CSE’s established channels.” Robinson believes the change is evidence of just how systematic the clandestine collection of Canadians’ information by the allies has become. Authorities used to claim “that ‘we don’t really do that’. And then it was, ‘yeah, but it’s in exceptional cases’, and then it became, ‘well, we’re doing this for terrorism’ (and certain general crimes), so it’s pretty much going to be all the time,” said Robinson. “There’s always been this concern about how much do our careful privacy laws get sidestepped by having allies do this stuff instead, and the answer has always been, ‘we don’t really do that, we have these agreements’ and so on. “We’re seeing how that gets chipped away.”


Endwall 08/25/2016 (Thu) 19:29:45 No. 402
Business Insider
A hacker claims he has more leaked NSA files to view — If you can solve this puzzle
http://www.businessinsider.com/hacker-nsa-files-2016-8

Paul Szoldra/Business Insider
A hacker named 1x0123 claims he has the other half of the recently-leaked NSA hacking toolkit for sale — but samples of the dataset are only available if you can figure out his cryptographic puzzle. On Sunday, the hacker posted on Twitter that he was selling the entire archive of files for $8,000, seemingly undercutting the mysterious "Shadow Brokers" hacking group that leaked one-half of the archive last week at various file-sharing websites with claims of an "auction" for the rest. It appears that 1x0123 is indeed a hacker who has found and sold security vulnerabilities in the past. Even ex-NSA contractor Edward Snowden praised him in April for finding an issue on the Freedom of the Press website. But it's not clear whether the hacker really has the other half of the NSA archive, nor is it clear where he could have obtained it. It's entirely possible this is an elaborate troll and the encrypted archive 1x0123 is offering contains nothing more than a Rickroll. Still, he's been dropping many hints over the past few days of how to access it.
Here's the first hint, which includes an encrypted web address, directory listing, and file name:
#NSAHack pic.twitter.com/xAkvQ7FJ3p — 1x0123 (@1x0123) August 22, 2016
This is what he posted as a screenshot of the supposed directory structure of the files, though it should be noted that these can easily be faked.
#NSA focused on browser exploits to gain access to machines, pic.twitter.com/M4GB62977P — 1x0123 (@1x0123) August 22, 2016
Then on Tuesday, he posted another hint. This time, it was a screenshot of the supposed .onion site — only accessible via the Tor browser — with the full address redacted.
2 people where able to solve the puzzle i posted, NSA exploits dump are ready for download 901028736451 need more ? pic.twitter.com/enZa7sAl5X — 1x0123 (@1x0123) August 24, 2016
There are a few things we can discern from what 1x0123 has revealed so far: the site hosting the files is an .onion link, and the revealed file name ("EQ_exploits_Fullpack.zip" in the screenshot) probably helps in decrypting the letters in the original message. Further, the browser title of "ng crypto" is telling, indicating the software the hacker used to encrypt his message. This hasn't really helped us much in figuring it out, but if you get it, please let us know. After 1x0123 posted his claim, Business Insider reached out to ask for a sample of the data to confirm it was legitimate. Instead, the hacker said the data could not be shared until it's sold, and he added that he does not talk to journalists. Still, we noted that 1x0123 had spoken with Gizmodo reporter William Turton. 1x0123 claimed he did not share anything with Turton since he didn't pay him, and hinted that we could get a sample if we paid around $500 to $1000. We declined. "Money is the key to write an execlusive (sic) article," 1x0123 told Business Insider. If the crypto puzzle game doesn't work out, we'll just have to wait for WikiLeaks to release the rest, which it also claims to have. "We had already obtained the archive of NSA cyber weapons released earlier today," its official Twitter account wrote on Aug. 15. "And will release our own pristine copy in due course."


Endwall 08/25/2016 (Thu) 19:45:07 No. 403
The National Security Agency has no idea how a rogue hacking group leaked its exploits
http://www.ibtimes.co.uk/national-security-agency-has-no-idea-how-rogue-hacking-group-leaked-its-exploits-1578046
A group called The Shadow Brokers leaked NSA exploit kits online on 13 August.
By Jason Murdock August 25, 2016 15:44 BST

[Photo: The National Security Agency (NSA) headquarters at Fort Meade, Maryland, as seen from the air, January 29, 2010. Saul Loeb/AFP/Getty Images]
The US intelligence community is still attempting to figure out how a hacking group called the Shadow Brokers was able to obtain and leak a slew of NSA computer exploits used to circumvent security of routers and firewalls, top officials have admitted. "We are still sorting this out," said James Clapper, director of national intelligence, at an event at the Nixon Presidential Library on 24 August. As reported by AP, he added: "It's still under investigation. We don't know exactly the full extent – or the understanding – of exactly what happened." In what amounted to the first official comment on the hack, it's clear the US government is still attempting to find out the true scope of the embarrassing blunder. The leaked toolkits, reportedly from 2013, contained NSA surveillance and infiltration exploits that relied upon previously unknown zero-day vulnerabilities. The Shadow Brokers, the hacking group with suspected ties to Russian intelligence, released the files on 13 August. The group, which claimed to have obtained them from the NSA-linked 'Equation Group', published one file as proof of legitimacy and put the remaining one up for 'auction' for a massive 1m bitcoin – equivalent to over $550m (£416m). Many of the exploits – such as Bananaglee and Zestyleak – were eventually confirmed to be real by previously unreleased Edward Snowden documents published by The Intercept. Following this, multiple US firms – including Cisco, Fortinet and Juniper – were forced to rush out security patches and warnings to their customers. Now, cybersecurity researchers are calling on the NSA and the US government to disclose more information about the troubling leak of tools that were never meant to see the light of day.
"It is now safe to say that the 'Equation Group' leak by Shadow Brokers is real and consists of a genuine trove of NSA tools used to hack firewalls," said Nicholas Weaver, a senior computer security researcher at the International Computer Science Institute in California. "The leaked code references known programs, uses a particularly unusual RC6 and cruddy crypto techniques previously associated with NSA implants," he added, writing on Lawfare. "The whole episode raises a host of oversight questions. How and why did NSA lose 280MB of top secret attack tools, including multiple zero day exploits and un-obfuscated implants?" Weaver said that tough questions now need to be asked of the NSA, including when it became aware of the breach, why it didn't contact the vulnerable technology firms and if it has identified the source of the breach. "Certainly somewhere there's been a substantial screw up," he said. "Congress should not let the agency off the hook, good security systems should make things difficult to fail."
[Photo: A computer workstation bears the National Security Agency (NSA) logo. Paul J. Richards/AFP/Getty Images]
Speaking with IBTimes UK, Douglas Crawford, a cybersecurity expert at BestVPN, a firm that analyses the mounting number of virtual private network products on the market, said it was a concern – but not a surprise – to see the NSA exploiting US technology firms. "The affected companies – Cisco, Juniper and Fortinet, are all high-profile US brands," he said. "That their products were directly targeted by the NSA demonstrates that the security agency has gone rogue, and is acting against the best interests of the country whose job it is to serve." He continued: "The only way for the NSA to help restore confidence in US security products would be to adopt a policy of transparency. "Critically, international encryption standards should be developed as open source projects that can be independently audited, and NIST – which by its own admission works closely with the NSA – certification should be replaced with certification by a transparent and international body of independent experts. Is this likely to happen? The phrase 'snowball's chance in hell' comes to mind." US intelligence officials have said their probe will continue. John Brennan, the director of the CIA, who appeared alongside Clapper at the Nixon Presidential Library event, added that cybersecurity is now viewed as one of the most serious issues facing the US. "This administration, the intelligence community is focused like a laser on this and I would say the next administration really needs to take this up early on as probably the most important issue they have to grapple with," he said.


Endwall 08/25/2016 (Thu) 19:50:21 No. 404
Keystroke Recognition Uses Wi-Fi Signals To Snoop
https://threatpost.com/keystroke-recognition-uses-wi-fi-signals-to-snoop/120135/
by Tom Spring August 25, 2016 , 2:19 pm
A group of academic researchers have figured out how to use off-the-shelf computer equipment and a standard Wi-Fi connection to sniff out keystrokes coming from someone typing on a keyboard nearby. The keystroke recognition technology, called WiKey, isn’t perfect, but is impressive with a reported 97.5 percent accuracy under a controlled environment. WiKey is similar to other types of motion and gesture detection technologies such as Intel’s RealSense. But what makes WiKey unique is that instead of recognizing hand gestures and body movement, it can pick up micro-movements as small as keystrokes.

The research, conducted by Michigan State University and China’s Nanjing University, relies entirely on the 802.11n/ac Wi-Fi protocol and uses a TP-Link WR1043ND WiFi router ($43) and a Lenovo X200 laptop ($200). Using the above equipment, researchers were able to use the Wi-Fi signal’s Channel State Information values to detect movements within a given environment. Channel State Information (CSI) in the past has been used to detect macro movements such as the presence of someone in a room, or hand or arm movements. A variation of this technology called WiHear was even developed to detect movements of a mouth, with the ability to detect nearly a dozen different syllables spoken by a test subject. But WiKey takes WiHear lip reading to an entirely new level by detecting finger, hand, and keyboard key movements. The researchers see the WiKey technology as a theoretical attack vector, but they also see WiKey with applications that go beyond attacks. “The techniques proposed in this paper can be used for several HCI (human computer interaction) applications. Examples include zoom-in, zoom-out, scrolling, sliding, and rotating gestures for operating personal computers, gesture recognition for gaming consoles, in-home gesture recognition for operating various household devices, and applications such as writing and drawing in the air,” wrote co-authors of the scientific research (PDF) Kamran Ali, Alex X. Liu, Wei Wang and Muhammad Shahzad. Capturing keystrokes, or micro-movements, isn’t easy. Under a controlled environment, which doesn’t include a lot of movement such as people walking around or multiple people sitting close to one another using a laptop, researchers are able to detect even the slightest variations in wireless channel activity. Along with that data, researchers also factor in a wealth of information including signal strength, where the keyboard is located and what, where and why interference is occurring.
In order to collect micro-movement data using Wi-Fi, researchers use the router’s MIMO channels. MIMO is a wireless term used to refer to a router’s ability to use multiple antennas between a sender (router) and receiver (WNIC) that pass more than one data signal simultaneously on the same radio channel. The researchers explain: “Each MIMO channel between each transmit-receive antenna pair of a transmitter and receiver comprises of multiple subcarriers. These WiFi devices continuously monitor the state of the wireless channel to effectively perform transmit power allocations and rate adaptations for each individual MIMO stream such that the available capacity of the wireless channel is maximally utilized. These devices quantify the state of the channel in terms of CSI values. The CSI values essentially characterize the Channel Frequency Response for each subcarrier between each transmit-receive antenna pair.” If that didn’t sound challenging enough, the researchers next have to filter out radio noise (frequency changes) and environmental movements not related to typing. Then, even after noise is removed, there are other considerations the researchers needed to factor in, such as the time it takes to press a key. By associating values based on the above culling of data, researchers assigned numeric values to each keystroke (as seen in the figure) based on individual typists.
[Figure: Average values of features extracted from keystrokes of keys a-z collected from users.]
Under the most ideal controlled circumstances, where test subjects were limited to typing only one of a half-dozen different sentences and typing one key every second, the researchers achieved 97.5 percent accuracy. That controlled environment also didn’t include real-world scenarios such as people walking around in the same room and typing on additional laptops. In what researchers call a real-world scenario, WiKey drops to an average keystroke recognition accuracy of 77.5 percent.
“WiKey requires many samples per key from each user which may be difficult to obtain in real life attack scenarios. Still, there exist ways through which an attacker can obtain the training data. For example, an attacker can start an online chat session with a person sitting near him and record CSI values while chatting with him,” researchers wrote. Researchers point out that this level of accuracy might be all that’s needed to sniff out a password typed into a laptop. Other than being used in a potential attack, researchers hope WiKey can have a variety of non-attack applications such as gesture recognition. “We have shown that our technique works in controlled environments (using commodity hardware), and in future we plan to address the problem of mitigating the effects of more harsh wireless environments by building on our micro-gesture extraction and recognition techniques proposed in this paper,” the researchers wrote.
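The pipeline the article describes (one CSI amplitude trace per subcarrier and antenna pair, noise filtering, cutting the trace into per-keystroke windows, then matching each window against training strokes collected from the same typist) is easier to reason about with a toy version in front of you. What follows is an added example written for this thread, not the WiKey authors' code or the Threatpost write-up: synthetic CSI-like traces are generated from three constructed key "signatures", segmented by an amplitude threshold, resampled and normalised, and classified by 1-nearest-neighbour under dynamic time warping. The signatures, the noise level, the thresholds and the use of plain resampling in place of the paper's feature extraction are all assumptions made here; the point is the per-user training requirement the researchers flag, which here is the seed of the generator standing in for a person.

```python
"""Added example: a toy version of the WiKey pipeline on synthetic CSI
amplitude traces: segment keystrokes out of the stream, normalise each
segment, and classify it by 1-nearest-neighbour under dynamic time warping
against per-user training strokes. The key 'signatures', noise level and
thresholds are all constructed here; real CSI is one such trace per
subcarrier and antenna pair."""
import random

KEY_SHAPES = {                     # constructed amplitude profiles, one per key
    "a": [0.0, 0.6, 1.0, 0.6, 0.0],
    "b": [0.0, 1.0, 0.0, 1.0, 0.0],
    "c": [0.0, 1.0, 0.3, -0.8, 0.0],
}
NOISE = 0.05                       # assumed channel noise (amplitude units)

def resample(seq, n):
    """Linear resampling of seq to n points."""
    if len(seq) == 1:
        return [seq[0]] * n
    out = []
    for i in range(n):
        pos = i * (len(seq) - 1) / (n - 1)
        lo = int(pos)
        hi = min(lo + 1, len(seq) - 1)
        out.append(seq[lo] * (1 - (pos - lo)) + seq[hi] * (pos - lo))
    return out

def synth_stream(keys, rng):
    """Noise, then one time-stretched, rescaled, noisy stroke per key with idle gaps."""
    stream = [rng.gauss(0, NOISE) for _ in range(30)]
    for key in keys:
        n, scale = rng.randint(25, 35), rng.uniform(0.8, 1.2)
        stream += [v * scale + rng.gauss(0, NOISE) for v in resample(KEY_SHAPES[key], n)]
        stream += [rng.gauss(0, NOISE) for _ in range(rng.randint(40, 60))]
    return stream

def segment(stream, thr=0.2, max_gap=8, min_len=10):
    """Runs of |amplitude| > thr, bridged across short dips, become keystroke windows."""
    segs, start, last = [], None, None
    for i, x in enumerate(stream):
        if abs(x) > thr:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > max_gap:
            if last - start + 1 >= min_len:
                segs.append(stream[start:last + 1])
            start = None
    if start is not None and last - start + 1 >= min_len:
        segs.append(stream[start:last + 1])
    return segs

def normalise(seg, n=20):
    r = resample(seg, n)
    peak = max(abs(v) for v in r) or 1.0
    return [v / peak for v in r]

def dtw(a, b):
    """Dynamic time warping distance with squared-error cost (two-row DP)."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            cur[j] = (x - y) ** 2 + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[-1]

def labelled_segments(keys, rng):
    """Synthesise a stream for `keys`, segment it, and pair segments with labels."""
    segs = segment(synth_stream(keys, rng))
    if len(segs) != len(keys):
        raise RuntimeError("segmentation found %d strokes for %d keys" % (len(segs), len(keys)))
    return list(zip(keys, segs))

def classify(seg, templates):
    """1-NN: the training stroke with the smallest DTW distance wins."""
    q = normalise(seg)
    return min(templates, key=lambda t: dtw(q, t[1]))[0]

def evaluate(seed=7, train_keys="abc" * 3, test_keys="cabbacacb"):
    """Train on train_keys, classify test_keys; returns (accuracy, predictions)."""
    rng = random.Random(seed)
    templates = [(k, normalise(s)) for k, s in labelled_segments(list(train_keys), rng)]
    preds = [classify(s, templates) for _, s in labelled_segments(list(test_keys), rng)]
    acc = sum(p == t for p, t in zip(preds, test_keys)) / len(test_keys)
    return acc, "".join(preds)
```

`evaluate()` trains on three strokes per key and classifies nine test strokes from the same generator. Swap the training and test seeds for two different "typists" and the accuracy collapses, which is exactly the constraint the researchers describe: the attacker needs training samples from the victim, hence the suggestion of a chat session to harvest labelled keystrokes.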


Endwall 08/26/2016 (Fri) 06:51:33 No. 418
Open Sources
Attorney: US-Russia Tensions Led to Seleznev's Kidnapping by US Forces
http://opensources.info/attorney-us-russia-tensions-led-to-seleznev39s-kidnapping-by-us-forces-2/
Aug 26, 2016
SEATTLE (Sputnik) – “We wouldn’t be here if he was a Canadian,” John Henry Browne, Seleznev’s attorney, told journalists on Thursday, explaining: “I think because of strained relations between the US and Russia, which I don’t agree with personally at all, the kidnapping of other people that the United States has done has involved terrorists… It’s the first time I’ve ever known of anyone with an identity theft case.” Browne also recalled news reports of a cyber attack on the US Democratic National Committee, an incident that also reflected the current relations between the United States and Russia, according to Seleznev’s lawyer. “I think they were trying to say those were Russians. That kind of explains my comment about the Canadian,” Browne said. On Thursday, Seleznev was found guilty by a jury at a US court of cybercrimes. Seleznev, 32, who is the son of Russian parliament member Valery Seleznev, was charged with 38 counts of bank fraud, hacking into secured computer networks, possession of illegal hacking devices as well as aggravated identity theft. According to US prosecutors, Seleznev hacked into retail point-of-sale systems and installed malware in order to steal over a million credit card numbers from businesses between October 2009 and October 2013. In July 2014, US forces detained Seleznev in the Maldives and transferred him to Guam before bringing him to Seattle. Russian authorities have branded the detention of Seleznev by the United States as kidnapping.


Anonymous 08/26/2016 (Fri) 18:04:24 No. 421
Son Of Russian Parliament Member Convicted Of Hacking
http://nationalcybersecurity.com/son-russian-parliament-member-convicted-hacking/
Date August 26, 2016
Roman Seleznev, also known as “Track2,” has been convicted on charges that he conspired to hack into U.S. businesses as part of a plot to steal and sell credit card numbers. The hack is estimated to have cost upwards of $169 million. The son of a Russian parliament member, Seleznev was found guilty on 38 of 40 charges brought against him. Those counts included wire fraud and intentional damage to a protected computer. The case hinges on hacks that took place from Oct. 2009 to Oct. 2013. During that time, Seleznev hacked into retail point-of-sale systems and installed malware to steal credit card numbers from businesses. Pizza restaurants in Washington State were a particular favorite target. The trial lasted eight days. And while that may seem short, the trial concluded a decade-long investigation by the U.S. Secret Service. Seleznev was only able to be tried in the U.S. because he was caught in the Maldives before he was able to return from a vacation. Seleznev and various Russian officials have accused the Secret Service of kidnapping him to stand trial. He is now facing a mandatory minimum of four years in prison, according to his lawyer, John Henry Browne. Browne intends to appeal the case on the grounds that the trial itself is predicated on an illegal arrest and that prosecutors were able to submit evidence from a corrupted laptop. “I don’t know of any case that has allowed such outrageous behavior,” Browne said. Outrageous or not, prosecutors managed to convince a jury that Seleznev was behind the theft and resale of over 2.9 million credit card numbers. His adventures in the U.S. legal system are not quite complete; he still faces separate charges pending in federal courts in Nevada and Georgia.


Endwall 08/26/2016 (Fri) 18:11:45 No. 422
Security Affairs
Apple fixed Zero-Day flaws exploited by nation-state spyware
August 26, 2016 By Pierluigi Paganini
http://securityaffairs.co/wordpress/50641/mobile-2/apple-fixed-zero-days.html
Apple issued emergency iOS updates to patch three zero-days exploited by government spyware in a highly sophisticated attack. Apple has released the iOS 9.3.5 update for its mobile devices (iPhones and iPads). The security update addresses three zero-day vulnerabilities exploited by nation-state actors to spy on activists. Security experts have spotted a strain of spyware targeting the iPhone used by a notorious UAE human rights defender, Ahmed Mansoor. Apple labeled the update “important,” inviting users to update their devices to protect them from malicious code that exploits the three flaws. Malware researchers believe that the Israeli surveillance company NSO Group has developed malware that has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists. The software developed by the company secretly tracks a target’s mobile phone; it exploits the zero-day flaws to track the device’s location, access mobile data including contacts, texts, call logs and emails, and record surrounding sounds through the microphone. Apple patched the three vulnerabilities just ten days after security experts from Citizen Lab and Lookout reported them to the company. Experts from Lookout identified the targeted attack as Pegasus, as explained in a detailed blog post. “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists.
It is modular to allow for customization and uses strong encryption to evade detection,” states the blog post published by Lookout. The three zero-day vulnerabilities, dubbed “Trident,” exploited in the attack are:
* CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
* CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
* CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
Mansoor, who won the ‘Martin Ennals Award’ in the United Arab Emirates, received a text message on his iPhone on August 10. The message was sent from an unknown number. Mansoor found the message very suspicious and forwarded it to Bill Marczak, a researcher at the Citizen Lab, which conducted a joint investigation with mobile security firm Lookout. The message embedded a link to highly sophisticated spyware that was designed to exploit the flaws fixed by Apple.
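Because the Trident chain starts in Safari's WebKit (CVE-2016-4657) before the two kernel bugs fire, any iOS device still below 9.3.5 that browses is one link-click from a silent jailbreak, and the quickest fleet-wide inventory most teams have is the User-Agent string in their web logs. The following is an added example, not code from Apple, Lookout or Citizen Lab: it parses combined-format access log lines, extracts the iOS version from Safari/WebKit User-Agents and reports clients below the fixed release. The log lines, client addresses and build strings are constructed for the example.

```python
"""Added example: find iOS clients that have not taken the 9.3.5 update from
web-server access logs (User-Agent strings). Log lines are constructed."""
import re

TRIDENT_FIXED = (9, 3, 5)          # iOS release that patched the three CVEs
_UA_RE = re.compile(r"\((?:iPhone|iPad|iPod)[^)]*?OS (\d+)_(\d+)(?:_(\d+))?")
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def ios_version(user_agent):
    """(major, minor, patch) from an iOS Safari/WebKit User-Agent, else None."""
    m = _UA_RE.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def vulnerable_to_trident(user_agent):
    """True for an iOS client that reports a version below the 9.3.5 fix."""
    v = ios_version(user_agent)
    return v is not None and v < TRIDENT_FIXED

def unpatched_clients(log_text):
    """Map client IP -> iOS version for every request from a pre-9.3.5 device."""
    found = {}
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and vulnerable_to_trident(m.group(2)):
            found[m.group(1)] = ios_version(m.group(2))
    return found

# Constructed combined-format log lines (client addresses are documentation ranges)
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G34 Safari/601.1"
192.0.2.11 - - [26/Aug/2016:10:01:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G36 Safari/601.1"
192.0.2.12 - - [26/Aug/2016:10:02:40 +0000] "GET /a HTTP/1.1" 200 812 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143"
192.0.2.13 - - [26/Aug/2016:10:03:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
"""
```

`unpatched_clients(SAMPLE_LOG)` returns the two pre-9.3.5 iPhones and ignores the patched iPad and the Windows client. The version tuple comparison is what makes this correct for `10_0` versus `9_3_5`; string comparison would get it wrong. User-Agents are self-reported, so treat this as a triage list for MDM follow-up rather than proof of patch state.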


Endwall 08/26/2016 (Fri) 18:45:34 No. 424
Schneier on Security
The NSA Is Hoarding Vulnerabilities
https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html
The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the Internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers. Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe. On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the Internet. Near as we experts can tell, the NSA network itself wasn't hacked; what probably happened was that a "staging server" for NSA cyberweapons -- that is, a server the NSA was making use of to mask its surveillance activities -- was hacked in 2013. The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: "!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?" Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee -- or other high-profile data breaches -- the Russians will expose NSA exploits in turn. But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and "exploit code" that can be deployed against common Internet security systems. Products targeted include those made by Cisco, Fortinet, TOPSEC, Watchguard, and Juniper -- systems that are used by both private and government organizations around the world.
Some of these vulnerabilities have been independently discovered and fixed since 2013, and some had remained unknown until now. All of them are examples of the NSA -- despite what it and other representatives of the US government say -- prioritizing its ability to conduct surveillance over our security. Here's one example. Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGNCERTAIN that tricks certain Cisco firewalls into exposing some of their memory, including their authentication passwords. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls' security. Cisco hasn't sold these firewalls since 2009, but they're still in use today. Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes. Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard "zero days", the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use). Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that the US doesn't stockpile zero-days (except for the same narrow exemption). An official statement from the White House in 2014 said the same thing. The Shadow Brokers data shows this is not true. The NSA hoards vulnerabilities. Hoarding zero-day vulnerabilities is a bad idea. It means that we're all less secure.
When Edward Snowden exposed many of the NSA's surveillance programs, there was considerable discussion about what the agency does with vulnerabilities in common software products that it finds. Inside the US government, the system of figuring out what to do with individual vulnerabilities is called the Vulnerabilities Equities Process (VEP). It's an inter-agency process, and it's complicated...


Endwall 08/26/2016 (Fri) 18:48:54 [Preview] No. 425 del
Russia says Chinese hackers are getting more aggressive
http://nationalcybersecurity.com/russia-says-chinese-hackers-getting-aggressive/
http://www.unian.info/world/1487689-bloomberg-russia-says-chinese-hackers-are-getting-more-aggressive.html
While the West sees Russia as a cyber predator, hackers in the East increasingly view it as prey, according to online security company Kaspersky Lab, which says there’s been a sharp spike in attacks from China, according to Bloomberg. Cases of Chinese hacking of Russian industries including defense, nuclear, and aviation rose almost threefold to 194 in the first seven months of this year from 72 in the whole of 2015, according to Alexander Gostev, the Moscow-based company’s chief security expert, Bloomberg wrote. Proofpoint, a California-based cyber security company, also reported an increase in Chinese attacks on Russia. The hacking is going on “despite the officially promoted friendship between Russia and China and accords on cyber security, cooperation and non-aggression” between the two governments, Gostev said in an interview. “I don’t see them working.” President Vladimir Putin is seeking to boost economic and military ties with China, which he calls Russia’s “strategic partner,” amid tensions with the U.S. and Europe over the conflict in Ukraine. He and Chinese President Xi Jinping signed more than 30 cooperation deals including in energy, transport infrastructure and rocket production at a summit in Beijing in June, where Xi said he wanted the two countries to be “friends forever.” Computer hacking allegations have strained relations with the U.S. after the FBI was said to have high confidence that Russian intelligence was behind attacks on Democratic Party groups that led to the release of stolen e-mails just before Hillary Clinton’s nomination last month for the presidential elections. Russia’s denied any involvement. Republican contender Donald Trump urged Russia to find “30,000 e-mails that are missing” from a private server Clinton used as secretary of state, though he later said he was being sarcastic. 
Cyber espionage activity against Russia increased after Xi and U.S. President Barack Obama signed an agreement promising not to engage in economic cyber espionage in September last year, Gostev said. Computer security company FireEye Inc. said in a June report that attacks against the U.S. from known Chinese hacking groups with a connection to state interests have fallen substantially over the past year. Russia and China signed an information-security agreement pledging not to attack each other in May last year. “The Chinese track record of cybersecurity cooperation shows that Beijing isn’t always keen on implementing agreements fully,” Oleg Demidov, cybersecurity expert at Moscow’s PIR Center, a think tank on global security issues, said by e-mail. This is particularly true when the agreements concern China’s “strategic and military interests,” he said. The state-run Cyber Administration of China didn’t respond to a fax seeking comment on hacking attacks. China has repeatedly accused the U.S. of making groundless accusations of state involvement in hacking.

Security Threat

Chinese malware used against Russia includes more than 50 families of trojan viruses that attacked 35 companies and institutions this year, Kaspersky estimated. Among them were seven military enterprises specializing in missiles, radar and naval technology, five government ministries, four aviation businesses and two companies involved in the nuclear industry, Gostev said. “Almost every entity in Russia’s defense industry has been attacked recently by Chinese groups” and “clearly” lost information, he said. He declined to name specific bodies that were attacked, citing Kaspersky’s client confidentiality policy. The number of attacks on organizations is likely much higher than reported, since only 10% of Kaspersky’s corporate clients exchange data on hacking with its security network, he said. 
The Russian Defense Ministry and the Federal Security Service (FSB) are formulating measures against NetTraveler, a trojan linked to China, that is being used to spy on weapons manufacturers and threatens national security, SC Magazine reported in June, citing Defense Ministry sources that it didn’t identify.

Tanks, Helicopters

State-run tank manufacturer Uralvagonzavod and Russian Helicopters were among entities attacked, according to the magazine. Neither the companies nor the FSB responded to e-mailed questions seeking comment. Putin’s aide on information security, Andrei Krutskikh, also didn’t reply to e-mailed questions. While it isn’t possible to attribute hacking definitively to Chinese authorities, attacks are most likely either sponsored or approved by state bodies and in some cases are conducted by military hackers, Gostev said. They focus on cyber espionage, not financial hacking, he said.


Endwall 08/26/2016 (Fri) 18:59:49 [Preview] No. 426 del
KUWAITI GOVERNMENT STAFFER ARRESTED FOR ROLE IN ISIS CYBER WING
http://nationalcybersecurity.com/kuwaiti-government-staffer-arrested-role-isis-cyber-wing/
August 26, 2016
Kuwaiti police have detained a government worker on suspicion of proliferating the ideology of the Islamic State militant group (ISIS), the interior ministry said late Thursday. The suspect, identified as 26-year-old Kuwaiti national Othman Zain Nayef, had “used his office and computer to spread the extremist ideology of the so-called Daesh terrorist organization,” the ministry said in a statement, using an Arabic term for ISIS. Nayef has allegedly confessed to being a member of ISIS’s “electronic army,” in which he played a role in its hacking operations at the heart of the Kuwaiti government, according to the ministry, as quoted by the Kuwaiti state news agency KUNA. He admitted to hacking official websites “in friendly and sister states,” AFP news agency reported. ISIS’s aims are helped by a web of sympathizers who have carried out low-level cyber attacks on online targets linked to enemies of the radical Islamist group. One notable attack included the hacking of U.S. Central Command’s Twitter and YouTube accounts. In recent months, one of the group’s affiliated cyber-wings has released a series of hit lists intended to spread fear among the U.S. population. In May, ISIS’s cyber-wing dumped the details of 3,000 New Yorkers, mostly from Brooklyn, forcing the NYPD and FBI to inform all of those included on the list. It then released the names of 800 members of the Arkansas Library Association, another apparently low-level target whose personal data the group was able to breach and circulate. Kuwait has found itself to be an ISIS target. Last month, Kuwaiti authorities said they had intercepted three ISIS cells that were planning attacks in the country, particularly against an interior ministry target and a Shiite mosque. In June 2015, ISIS claimed responsibility for a suicide bombing at a Shiite mosque in Kuwait City during a Ramadan prayer service, killing 26 worshippers. It represented the worst-ever attack in the Gulf state.


Endwall 08/27/2016 (Sat) 06:48:41 [Preview] No. 429 del
Soylent News
25-Core "Piton" SPARC CPU Unveiled by Princeton University
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/26/151250
posted by janrinok on Saturday August 27, @02:42AM
Princeton University researchers presented a 25-core "manycore" CPU at the Hot Chips conference: It was a week for chip launches with the Hot Chips conference setting the stage for the unveiling of the IBM Power9 processor (report forthcoming) and a custom ARM-based 64-core CPU from Chinese firm Phytium Technology. A 25-core academic manycore processor out of Princeton University also made its debut from the Silicon Valley event. [...] "With Piton, we really sat down and rethought computer architecture in order to build a chip specifically for data centers and the cloud," said David Wentzlaff, a Princeton assistant professor of electrical engineering and associated faculty in the Department of Computer Science in an official announcement. "The chip we've made is among the largest chips ever built in academia and it shows how servers could run far more efficiently and cheaply." Piton is based on the SPARC V9 64-bit ISA and supports Debian Linux. After being designed in early 2015, Piton was taped-out in IBM's 32nm SOI process. The 6×6 millimeter die has more than 460 million transistors. The silicon has been tested in the lab and is working, according to the research team. The design is open source (open, DOI: 10.1145/2954679.2872414) (DX). More information here.

http://parallel.princeton.edu/papers/openpiton-asplos16.pdf


Endwall 08/27/2016 (Sat) 06:52:06 [Preview] No. 430 del
New microchip demonstrates efficiency and scalable design
Posted August 23, 2016; 01:30 p.m. by Adam Hadhazy for the Office of Engineering Communications
https://www.princeton.edu/main/news/archive/S47/19/67G69/index.xml?section=topstories
http://parallel.princeton.edu/piton/

Princeton University researchers have developed a new computer chip that promises to boost the performance of data centers that lie at the core of numerous online services such as email and social media. The chip — called "Piton" after the metal spikes driven by rock climbers into mountainsides to aid in their ascent — was presented Aug. 23 at Hot Chips, a symposium on high-performance chips held in Cupertino, California. Data centers — essentially giant warehouses packed with computer servers — support cloud-based services such as Gmail and Facebook, as well as store the staggeringly voluminous content available via the internet. Yet the computer chips at the heart of the biggest servers that route and process information often differ little from the chips in smaller servers or everyday personal computers.

Princeton University researchers have developed a new computer chip called "Piton" (above) — after the metal spikes driven by rock climbers into mountainsides to aid in their ascent — that was designed specifically for massive computing systems. The chip could substantially increase processing speed while slashing energy usage, and is scalable, meaning that thousands of chips containing millions of independent processors can be connected into a single system. It was presented Aug. 23 at Hot Chips, a symposium on high-performance chips held in Cupertino, California. (Photo by David Wentzlaff, Department of Electrical Engineering)

The Princeton researchers designed their chip specifically for massive computing systems. Piton could substantially increase processing speed while slashing energy usage. The chip architecture is scalable — designs can be built that go from a dozen to several thousand cores, which are the independent processors that carry out the instructions in a computer program. Also, the architecture enables thousands of chips to be connected into a single system containing millions of cores. "With Piton, we really sat down and rethought computer architecture in order to build a chip specifically for data centers and the cloud," said David Wentzlaff, a Princeton assistant professor of electrical engineering and associated faculty in the Department of Computer Science. "The chip we've made is among the largest chips ever built in academia and it shows how servers could run far more efficiently and cheaply." The unveiling of Piton is a culmination of years of effort by Wentzlaff and his students. Michael McKeown, Wentzlaff's graduate student, will present at Hot Chips. Mohammad Shahrad, a graduate student in Wentzlaff's Princeton Parallel Group, said that creating "a physical piece of hardware in an academic setting is a rare and very special opportunity for computer architects." 
The current version of the Piton chip measures 6 millimeters by 6 millimeters. The chip has more than 460 million transistors, each of which are as small as 32 nanometers — too small to be seen by anything but an electron microscope. The bulk of these transistors are contained in 25 cores. Most personal computer chips have four or eight cores. In general, more cores mean faster processing times, so long as software ably exploits the hardware's available cores to run operations in parallel. Therefore, computer manufacturers have turned to multi-core chips to squeeze further gains out of conventional approaches to computer hardware. In recent years companies and academic institutions have produced chips with many dozens of cores — but the readily scalable architecture of Piton can enable thousands of cores on a single chip with half a billion cores in the data center, Wentzlaff said. "What we have with Piton is really a prototype for future commercial server systems that could take advantage of a tremendous number of cores to speed up processing," Wentzlaff said.  The Piton chip's design focuses on exploiting commonality among programs running simultaneously on the same chip. One method to do this is called execution drafting. It works very much like the drafting in bicycle racing, when cyclists conserve energy by riding behind a lead rider who cuts through the air, creating a slipstream...

Princeton researchers have made its design open source and thus available to the public and fellow researchers
http://www.openpiton.org/


#OlT8DL 08/27/2016 (Sat) 07:31:20 [Preview] No. 431 del
https://medium.com/@jeffreycarr/can-facts-slow-the-dnc-breach-runaway-train-lets-try-14040ac68a55#.a11nrsppx

tl;dr, Jeffrey Carr says: OK. Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker. Someone clearly had a wicked sense of humor.

I honestly think that blame on Russia is a lie.


Endwall 08/27/2016 (Sat) 08:27:40 [Preview] No. 432 del
>>431

Good article.

If anyone else sees a relevant article, feel free to post a link and a description, or a short excerpt (paragraph) from the article with the link. Thanks.


Endwall 08/27/2016 (Sat) 08:39:09 [Preview] No. 433 del
Security Now
Security Now 574: Routers & Micro Kernels
https://www.youtube.com/watch?v=lSikecV9SvQ


Endwall 08/27/2016 (Sat) 08:42:31 [Preview] No. 434 del
DEF CON
DEF CON 24 - Marc Newlin - MouseJack: Injecting Keystrokes into Wireless Mice
https://www.youtube.com/watch?v=00A36VABIA4


Endwall 08/27/2016 (Sat) 08:52:07 [Preview] No. 435 del
Blackhat
Numchecker: A System Approach for Kernel Rootkit Detection - Duration: 52 minutes.
https://www.youtube.com/watch?v=TgMsMwsfoQ0
HEIST: HTTP Encrypted Information can be Stolen Through TCP-Windows - Duration: 49 minutes.
https://www.youtube.com/watch?v=GwQsu8dGSeA
HTTP Cookie Hijacking in the Wild: Security and Privacy Implications - Duration: 46 minutes.
https://www.youtube.com/watch?v=jYcx7WtbB0A
Behind the Scenes of iOS Security - Duration: 51 minutes.
https://www.youtube.com/watch?v=BLGFriOKz6U


Endwall 08/27/2016 (Sat) 09:01:25 [Preview] No. 436 del
Multivariate Solutions To Emerging Passive DNS Challenges - Duration: 58 minutes.
https://www.youtube.com/watch?v=LrLK4zWRWAA
The Tactical Application Security Program: Getting Stuff Done - Duration: 57 minutes.
https://www.youtube.com/watch?v=4S0mT9QFWeo
The Security Wolf of Wall Street: Fighting Crime With High-Frequency Classification and... - Duration: 57 minutes.
https://www.youtube.com/watch?v=ZIV3gaPHTw4
Automated Detection of Firefox Extension-Reuse Vulnerabilities - Duration: 57 minutes.
https://www.youtube.com/watch?v=s9TcgKLhreY
Su-A-Cyder: Homebrewing Malware for IOS Like a BO$$! - Duration: 2 hours, 38 minutes.
https://www.youtube.com/watch?v=utoNiNBmcW0
The Kitchen's Finally Burned Down: DLP Security Bakeoff - Duration: 53 minutes.
https://www.youtube.com/watch?v=9-906rJ2HXA
Automated Dynamic Firmware Analysis At Scale: A Case Study on Embedded Web Interfaces - Duration: 1 hour, 8 minutes.
https://www.youtube.com/watch?v=x-JcudXCvC0
Android Commercial Spyware Disease and Medication - Duration: 28 minutes.
https://www.youtube.com/watch?v=iwUNe0hh8h0
PLC-Blaster: A worm Living Solely In The PLC - Duration: 55 minutes.
https://www.youtube.com/watch?v=NNAKaAKRUow
Hacking a Professional Drone - Duration: 27 minutes.
https://www.youtube.com/watch?v=JRVb-xE1zTI
CANtact: An Open Tool for Automotive Exploitation - Duration: 54 minutes.
https://www.youtube.com/watch?v=HzDW8ptMkDk
DSCOMPROMISED: A Windows DSC Attack Framework - Duration: 59 minutes.
https://www.youtube.com/watch?v=MWnTg3cQ_mo
A New CVE-2015-0057 Exploit Technology - Duration: 51 minutes.
https://www.youtube.com/watch?v=ZG_PElDTe98
Enterprise Apps: Bypassing the IOS Gatekeeper - Duration: 36 minutes.
https://www.youtube.com/watch?v=m4_vAlkyqRc
Rapid Radio Reversing - Duration: 1 hour.
https://www.youtube.com/watch?v=8kIxlMIGctc
Break Out of The Truman Show: Active Detection and Escape of Dynamic Binary Instrumentation - Duration: 45 minutes.
https://www.youtube.com/watch?v=VGmvx2B5qdo
Let's See What's Out There - Mapping the Wireless IOT - Duration: 48 minutes.
https://www.youtube.com/watch?v=75xU6PMd00o
Never Trust Your Inputs: Causing 'Catastrophic Physical Consequences' From The Sensor... - Duration: 53 minutes.
https://www.youtube.com/watch?v=0BHmoxAw-sA
Hey, Your Parcel Looks Bad - Fuzzing and Exploiting Parcel-ization Vulnerabilities in Android - Duration: 35 minutes.
https://www.youtube.com/watch?v=I1JR_LriyDQ
Incident Response @ Scale-Building a Next Generation SOC - Duration: 16 minutes.
https://www.youtube.com/watch?v=kYCJXwBaZR4
I'm Not a Human: Breaking the Google Recaptcha - Duration: 28 minutes.
https://www.youtube.com/watch?v=8iMU9HbJ7Wo
Locknote: Conclusions and Key Takeaways from Black Hat Asia 2016 - Duration: 51 minutes.
https://www.youtube.com/watch?v=B7V0Ld40Auk


Endwall 08/28/2016 (Sun) 00:59:23 [Preview] No. 437 del
Opera warns Opera Sync users of possible security breach
http://securityaffairs.co/wordpress/50690/data-breach/opera-sync-security-breach.html
August 27, 2016 By Pierluigi Paganini
The Norwegian company warned users of a possible security breach of the Opera Sync service that might have exposed their data. On Friday, Opera published a security alert to warn its users that the Opera Sync service might have been breached. In response to the alleged incident, Opera forced a password reset for all Sync users, who were informed via mail of suspicious activity with their accounts. “Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.” states the security advisory. Opera clarified that passwords in the system used for authentication are hashed and salted with per-user salts; however, the company hasn’t provided any information about the hashing process for the authentication passwords. “Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution.” continues the advisory.
The company informed users that it had promptly blocked the attack, and its experts are investigating the incident. Internal security staff believes that some users’ data, including login credentials, may have been compromised. The company reset all Opera Sync account passwords and sent emails suggesting that users change any third-party passwords that were synchronized with the service. According to Opera, 1.7 million users could be impacted by the Sync security breach, less than 0.5% of the total Opera user base of 350 million people. As usual, Opera Sync users that share their credentials among multiple sites are advised to change their passwords for those sites as soon as possible.
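The two measures in the Opera advisory (authentication passwords kept only as salted hashes with a per-user salt, and a precautionary reset of every account after the intrusion) are easier to reason about with a minimal implementation in front of you. The block below is an added illustration, not Opera's code; it assumes PBKDF2-HMAC-SHA256 as the hash, a 16-byte random salt per account, and an in-memory dictionary in place of a real database.

```python
"""Salted password storage and a precautionary reset, illustrating the
two measures in the Opera advisory above.  Added example; not Opera's code.
Assumed: PBKDF2-HMAC-SHA256 as the hash, a 16-byte random per-user salt, and
an in-memory store in place of a real database."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 digest from password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class CredentialStore:
    """Authentication records: login -> {salt, digest, must_reset}.

    Only the salt and digest are kept; the password itself is never stored,
    which is what limits the damage when the table is copied by an attacker.
    """

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def register(self, login: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh random salt for every account
        self._users[login] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "must_reset": False,
        }

    def digest_for(self, login: str) -> bytes:
        return self._users[login]["digest"]

    def verify(self, login: str, password: str) -> bool:
        """True only for a known login whose password matches and is not pending reset."""
        rec = self._users.get(login)
        if rec is None or rec["must_reset"]:
            return False
        candidate = hash_password(password, rec["salt"])
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(rec["digest"], candidate)

    def force_reset_all(self) -> None:
        """Precautionary reset after a suspected breach: every stored digest
        stops being accepted until the user sets a new password."""
        for rec in self._users.values():
            rec["must_reset"] = True

    def set_new_password(self, login: str, password: str) -> None:
        """Completes a reset: new salt, new digest, flag cleared."""
        self.register(login, password)


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    # Same password, different salts -> different digests, so a cracked
    # digest for one account says nothing about the other.
    print(store.digest_for("alice") != store.digest_for("bob"))
    store.force_reset_all()
    print(store.verify("alice", "correct horse battery staple"))  # rejected until reset
```

The per-user salt is why two users with the same password get unrelated digests, and the `must_reset` flag is the code-level form of "we have reset all the Opera sync account passwords as a precaution": the old digests are not accepted again even if the attacker later cracks them. Note the advisory's other category, synchronized passwords, is stored encrypted rather than hashed because the client has to read them back, which is exactly why the company advised changing any third-party passwords that were synced.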


Endwall 08/28/2016 (Sun) 01:27:26 [Preview] No. 438 del
NSA Whistleblowers: NSA Hack Was Likely An Inside Job
http://www.washingtonsblog.com/2016/08/nsa-whistleblower-nsa-hack-likely-inside-job.html
Posted on August 26, 2016 by WashingtonsBlog
The mainstream press is accusing Russia of being behind the release of information on NSA hacking tools. Washington’s Blog asked the highest-level NSA whistleblower in history, William Binney – the NSA executive who created the agency’s mass surveillance program for digital information, who served as the senior technical director within the agency, who managed six thousand NSA employees, the 36-year NSA veteran widely regarded as a “legend” within the agency and the NSA’s best-ever analyst and code-breaker, who mapped out the Soviet command-and-control structure before anyone else knew how, and so predicted Soviet invasions before they happened (“in the 1970s, he decrypted the Soviet Union’s command system, which provided the US and its allies with real-time surveillance of all Soviet troop movements and Russian atomic weapons”) – what he thinks of such claims. Binney told us: The probability is that an insider provided the data. I say this because the NSA net is a closed net that is continuously encrypted.  Which would mean, that if someone wanted to hack into the NSA network they would not only have to know weaknesses in the network/firewalls/tables and passwords but also be able to penetrate the encryption. So, my bet is that it is an insider.  In my opinion, if the Russians had these files, they would use them not leak them or any part of them to the world. Similarly, former NSA employee, producer for ABC’s World News Tonight, and long-time reporter on the NSA James Bamford notes: If Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination. A more logical explanation could also be insider theft. 
If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us. * The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained. Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents. So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations. In December 2013, another highly secret NSA document quietly became public. It was a top secret TAO catalog of NSA hacking tools. Known as the Advanced Network Technology (ANT) catalog, it consisted of 50 pages of extensive pictures, diagrams and descriptions of tools for every kind of hack, mostly targeted at devices manufactured by U.S. companies, including Apple, Cisco, Dell and many others. Like the hacking tools, the catalog used similar codenames. * In 2014, I spent three days in Moscow with Snowden for a magazine assignment and a PBS documentary. During our on-the-record conversations, he would not talk about the ANT catalog, perhaps not wanting to bring attention to another possible NSA whistleblower. 
I was, however, given unrestricted access to his cache of documents. These included both the entire British, or GCHQ, files and the entire NSA files. But going through this archive using a sophisticated digital search tool, I could not find a single reference to the ANT catalog. This confirmed for me that it had likely been released by a second leaker. And if that person could have downloaded and removed the catalog of hacking tools, it’s also likely he or she could have also downloaded and removed the digital tools now being leaked. And Motherboard reports: “My colleagues and I are fairly certain that this was no hack, or group for that matter,” the former NSA employee told Motherboard. “This ‘Shadow Brokers’ character is one guy, an insider employee.” The source, who asked to remain anonymous, said that it’d be much easier for an insider to obtain the data that The Shadow Brokers put online rather than someone else, even Russia, remotely stealing it. He argued that “naming convention of the file directories, as well as some of the scripts in the dump are only accessible internally,” and that “there is no reason” for those files to be on a server someone could hack. He claimed that these sorts of files are on a physically separated network that doesn’t touch the internet; an air-gap. * “We are 99.9 percent sure that Russia has nothing to do with this and even though all this speculation is more sensational in the media, the insider theory should not be dismissed,” the source added. “We think it is the most plausible.” * Another former NSA source, who was contacted independently and spoke on


Endwall 08/28/2016 (Sun) 01:54:44 [Preview] No. 439 del
Cyber Espionage: Project Sauron Malware Found Stealing Sensitive Data from 30 Government Networks Worldwide after Five Years Undetected
Aug 10, 2016 10:04 AM EDT By Anita Valencia, UniversityHerald Reporter
http://www.universityherald.com/articles/36890/20160810/cyber-espionage-project-sauron-malware-found-stealing-sensitive-data-from-30-government-networks-worldwide-after-five-years-undetected.htm
The Eye of Sauron in J.R.R. Tolkien's Lord of the Rings is known for its vast far-sight. It has inspired a group of hackers who created undetected malware called Project Sauron, which has been hidden in the servers of many networks, stealing data for five years. A group named Strider is reportedly responsible for the Project Sauron malware that hid inside the databases of 30 government organizations in Rwanda, Russia and Iran. According to Kaspersky Lab, the malware was found in scientific, military, government, and financial companies in those countries. America's Symantec Corporation, which also detected the malware in China and Belgium, revealed that the platform used an advanced system which would not be likely to happen without the active help of a state-sponsored group.

Project Sauron malware uses unique operations with no similar pattern

Furthermore, the experts from both companies discovered that the malware has been present since 2011 at least. Crafted in Binary Large Objects, it is untrackable with an antivirus given the unique codes. Kaspersky, which described the issue as 'just a tiny tip of the iceberg', stated that the creator of this malware clearly knows that experts would look for patterns. Hence, even when experts have discovered an infection, they are not likely to discover a new one due to how the software was written.

How Project Sauron works

Researchers explained that Project Sauron works as sleeper cells in the targeted servers. It displays no activity while waiting for commands, Ars Technica wrote. Project Sauron can't be viewed by the Windows OS. It can collect data even without any internet connection because it uses virtual system USB storage drives. Computers infected with the malware 'think' that it is an approved system. What's more impressive is that it still works even when data-loss prevention software is installed to block unknown USB drives. 
Kaspersky Lab explained on the Securelist website that the malware creator has a 'high interest in communication encryption software' used by these organizations. It is able to steal encryption keys and documents from the infected computer and even from USB sticks attached to it.


Endwall 08/28/2016 (Sun) 02:01:25 [Preview] No. 440 del
Reuters
Chinese man arrested in Hong Kong over FACC cyber attack in Austria
https://www.yahoo.com/news/chinese-man-arrested-hong-kong-over-facc-cyber-080435319--finance.html
VIENNA (Reuters) - A Chinese citizen has been arrested in Hong Kong in connection with a cyber attack that cost Austrian aerospace parts maker FACC 42 million euros ($47.39 million), Austrian police said on Friday. FACC fired its chief executive and chief financial officer after the attack, which involved hoax emails asking an employee to transfer money for a fake acquisition project - a kind of scam known as a "fake president incident". FACC's customers include Airbus and Boeing. A 32-year-old man, who was an authorised signatory of a Hong Kong-based firm that received around 4 million euros from FACC, was arrested on July 1 on suspicion of money laundering, a spokesman for Austria's Federal Office for Crime said. Such attacks, also known as "business email compromise", involve thieves gaining access to legitimate email accounts inside a company – often those of top executives – to carry out unauthorized transfers of funds. The technique, which relies on simple trickery or more sophisticated computer intrusions, typically targets businesses working with international suppliers that regularly perform wire transfers. A spokesman for FACC said the company was working on getting back 10 million euros which had been found and frozen on accounts in different countries around the world. These 10 million euros are not included in the 42 million euro hit the group has already booked. The spokesman declined to give details on the arrest or the location of the accounts. In June, the U.S. Federal Bureau of Investigation (FBI) said identified losses from this scam totalled $3.1 billion and had risen by 1,300 percent in the past 18 months. Such scams have been reported by 22,143 victims in all 50 U.S. states and in 100 countries around the world. The FBI said reports indicate that fraudulent transfers have been made to 79 countries with the majority going to Asian banks located in China and Hong Kong. 
Another tool for fraud, "ransomware", which has received much media attention over the past year, refers to malicious software that thieves use to block access to a computer until a ransom is paid. Security experts say the two trends are the fastest growing cyber security threats to businesses worldwide. FBI report: https://www.ic3.gov/media/2016/160614.aspx
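The FACC case above is the textbook "fake president" pattern: mail that appears to come from an executive, asks finance staff to move money for a confidential deal, and routes replies somewhere the real executive never sees. The screen below is an added example of what a mail gateway or SOC rule can check for on the way in; it is not FACC's or the FBI's tooling. The company domain, the executive roster and the two sample messages are all constructed here.

```python
"""Heuristic screen for the "fake president" / business-email-compromise
pattern described in the FACC report above: a message that appears to come
from an executive and asks finance staff to move money.  Added example, not
FACC's or the FBI's tooling.  Assumed: the company's mail domain, the
executive roster, and the two sample messages, all constructed here."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.test"      # assumed: the company's own mail domain
EXECUTIVES = {"Jane Doe", "John Roe"}      # assumed: display names staff would trust
PAYMENT_WORDS = ("wire", "transfer", "acquisition", "invoice", "urgent", "confidential")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    return parseaddr(address)[1].rpartition("@")[2].lower()


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (number of indicators, reasons) for one RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = _domain(msg.get("Reply-To", ""))  # "" when the header is absent

    # 1. An executive's display name on an address outside the company.
    if from_name in EXECUTIVES and from_dom != TRUSTED_DOMAIN:
        reasons.append(f"executive display name '{from_name}' on external domain {from_dom}")
    # 2. Replies silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Sender domain one or two edits away from the real one (e.g. 0 for o).
    if from_dom != TRUSTED_DOMAIN and _edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {from_dom}")
    # 4. Payment and secrecy language in the body.
    body = msg.get_payload().lower()
    hits = [w for w in PAYMENT_WORDS if w in body]
    if len(hits) >= 2:
        reasons.append("payment/urgency wording: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed sample messages (not real mail).
FRAUD_MAIL = (
    "From: Jane Doe <jane.doe@example-c0rp.test>\n"
    "Reply-To: jane.doe@webmail.test\n"
    "To: accounts@example-corp.test\n"
    "Subject: Urgent and confidential\n"
    "\n"
    "Please wire 4,000,000 EUR today for the acquisition project. "
    "Keep this confidential until the deal closes.\n"
)
LEGIT_MAIL = (
    "From: Jane Doe <jane.doe@example-corp.test>\n"
    "To: accounts@example-corp.test\n"
    "Subject: Friday\n"
    "\n"
    "Are we still on for the team lunch on Friday?\n"
)

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("legit", LEGIT_MAIL)):
        count, why = score_message(mail)
        print(label, count, why)
```

None of the four indicators is proof on its own, which is why the function returns a count and the reasons rather than a verdict; the operational control the article implies (a second, out-of-band approval for any transfer requested by mail) is what actually stops the loss. Where the attacker has taken over a genuine executive mailbox, as the Reuters piece notes happens, checks 1 and 3 are silent and only the reply redirection and the wording remain, so the payment-procedure control matters more than the filter.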


Endwall 08/28/2016 (Sun) 02:05:26 [Preview] No. 441 del
Irish Times
The cyber hack that could swing the US election
http://www.irishtimes.com/news/world/us/the-cyber-hack-that-could-swing-the-us-election-1.2769852
‘The bizarre has almost become the norm in US politics this past year’
Is there anything that might cause Donald Trump to win the US presidential election? That’s the question political pundits are asking obsessively these days as the main parties’ campaigns take increasingly unpredictable turns. A month ago Trump was almost level with Hillary Clinton in the polls but, since then, a series of gaffes has caused his numbers to slide. This week, for example, an IBT poll suggests Clinton now has a 12-point lead. While this might indicate that the Democrats are cruising for victory, the election has been so uncertain in recent months that nobody dares take anything for granted. So what might suddenly cause momentum to swing again? To my mind, there are at least three factors to watch. The most obvious is that Trump himself implements a change of course, becoming much more professional and effective in running his campaign. That is hard to believe right now but the key person to watch is Kellyanne Conway, a pollster recently brought in to serve as campaign manager. Highly respected in Republican circles and regarded as a very effective operator, she might just possibly end up turning the campaign around. A second factor is whether a nasty external shock occurs. Trump, after all, is a candidate whose campaign is built on stoking up fear, in the mould of former president Richard Nixon. If, God forbid, a big terrorist attack occurs - or something else that causes panic - this might play into Trump’s hands, particularly if his campaign had already shifted momentum under Conway. However, there is a third possibility that has gained less attention: cyber hacking. This summer, the Democratic National Committee revealed it had suffered a cyber attack and that many confidential internal documents had been stolen. CrowdStrike, the cyber security group employed by the DNC, said the culprits were Russia’s intelligence services.
This was denied by Moscow, but backed up by other cyber security groups such as Mandiant and Fidelis Cybersecurity. This is a bizarre turn of events, by any standards, not least because some 20,000 internal DNC emails have now been released via WikiLeaks and a blogging site called Guccifer 2.0. But matters may get worse. CrowdStrike says one Russian hacking group, given the nickname Cozy Bear, was in the DNC system for at least a year. It is unclear what material has been taken but cyber experts believe Cozy Bear holds extensive secret documents, including confidential memos detailing the negative traits of Democratic candidates in this year’s US elections. (It is standard practice for campaign managers to try to assemble all the dirt on their own candidates in advance, so they are prepared in case their opponents try to attack them.) If this is true — like almost everything else in the cyber security sphere, very little can be conclusively proved — it seems that only a small portion of the sensitive material has emerged. So it is possible that the hackers will leak this in the coming months, in a targeted way, trying to cause maximum damage. This week, for example, Guccifer 2.0 leaked data about the tactics that the Democratic Congressional Campaign Committee used in House races in Pennsylvania. This is the first time the hackers have tried to shape momentum in a local race. And if these leaks accelerate, they might stoke up more anti-Clinton feeling, particularly given the separate controversies surrounding Clinton’s personal email server. Or so the gossip goes. On one level, this theory sounds almost fantastical and it is entirely possible that speculation will die away in a few months and that Clinton will romp to victory. But the very fact that Washington is abuzz with these rumours right now illustrates two key points. 
First, just how strange this current election campaign has become on both sides and, second, the degree to which the bizarre has almost become the norm in US politics this past year. In this election we face a world of James Bond meets Alice in Wonderland, where political boundaries are stealthily shifting, day-by-day. Stand by for more surprises — from Cozy Bear, or anyone else.


Endwall 08/28/2016 (Sun) 18:02:58 [Preview] No. 442 del
RT
Snooping Online: ‘Orwell’ game puts users into shoes of data collection specialist - Duration: 106 seconds.
https://www.youtube.com/watch?v=imuNZlHGC74


Endwall 08/28/2016 (Sun) 18:07:05 [Preview] No. 443 del
Iran says malicious software hit its petrochemical complexes
http://www.israelnationalnews.com/News/News.aspx/217008
Iran detects and removes malicious software from two of its petrochemical complexes.
Iran said on Saturday it has detected and removed malicious software from two of its petrochemical complexes, Reuters reported. The announcement comes after Iran said last week it was investigating whether recent petrochemical fires were caused by cyber attacks. A military official said the malware at the two plants was inactive and had not played a role in the fires. "In periodical inspection of petrochemical units, a type of industrial malware was detected and the necessary defensive measures were taken," Gholamreza Jalali, head of Iran's civilian defense, was quoted as saying by the state news agency IRNA. Iran has in the past been targeted by computer viruses. In 2010, it was attacked with the Stuxnet computer virus, which destroyed Iranian centrifuges that were enriching uranium and was allegedly jointly developed by the United States and Israel. Two years later the country's computer systems were targeted by Flame, a virus far more dangerous than the Stuxnet worm which was described by the Kaspersky Internet security firm as the “most sophisticated cyber-weapon yet unleashed”. Iran later admitted that its oil industry was briefly affected by Flame, but claimed that Iranian experts had detected and defeated the virus. The Islamic Republic's National Cyberspace Council announced last week that it was investigating whether the recent petrochemical fires were triggered by a cyber attack, according to Reuters. But when asked if the fire at Iran's Bu Ali Sina refinery complex last month and other fires this month were caused by the newly-discovered malware, Jalali said, “The discovery of this industrial virus is not related to recent fires."


Endwall 08/28/2016 (Sun) 18:09:55 [Preview] No. 444 del
The Straits Times
Cyber Cold War heats up
http://www.straitstimes.com/opinion/cyber-cold-war-heats-up
Sam Jones Published Aug 28, 2016, 5:00 am SGT
A shadowy group's $677m online 'auction' of a trove of weapons, thought to have been stolen from the National Security Agency, signals an intensifying cyber war between Russia and America.
This is a tale of spies, a US$500 million (S$677 million) cyber arms heist, accusations of an attempt to manipulate a US presidential election and an increasingly menacing digital war being waged between Russia and the West. It begins with a clandestine online group known as The Shadow Brokers. There is no evidence that it existed before Aug 13, when a Twitter account in its name tweeted a handful of leading global news organisations with an unusual announcement: it was conducting a US$500 million auction of cyber weapons. In a show of faith, the group put a selection of its wares - a 4,000-file, 250MB trove - on public display. Security analysts have been racing to go through the list but it is already clear that at least some of what has been revealed so far is real. What is most remarkable, though, is the likely former owner of the Shadow Brokers' cyber bounty: an outfit known as the Equation Group. Equation is an elite hacking unit of the US National Security Agency. The Shadow Brokers claim that the stolen goods are sophisticated cyber weapons used by the NSA. The Shadow Brokers' motivations are not entirely clear. "If this was someone who was financially motivated, this is not what you would do," says security response director Orla Cox at Symantec, a leading cyber security company. Cyber weapons are typically sold over the dark Web, notes Ms Cox, or they are used by hackers who want to remain anonymous. They certainly are not advertised to news outlets. And even the best are not priced in US$500 million bundles. "It's a false flag. This isn't about money. It's a PR exercise," she says.
According to three cyber security companies that declined to be identified, the Shadow Brokers is most likely run by Russian intelligence. "There is no digital smoking gun," said one analyst. But the circumstantial evidence is compelling, analysts say. And the list of other potential nation-state actors with the capability, wherewithal and motive is short. "The fact that the Shadow Brokers did not exist before, appeared at this time and are using intelligence that has been saved up until now, suggests this is all part of some deliberate, targeted operation, put together for a particular purpose," says Mr Ewan Lawson, a former cyber warfare officer in Britain's Joint Forces Command and now senior research fellow at Rusi, the think-tank. "That purpose looks like it is to highlight perceived US hypocrisy." Russia, he says, is the obvious perpetrator. Two senior Western intelligence officials say their assessment was evolving but similar: the Shadow Brokers' stunt grew out of Russia's desire to strike back at the US, following accusations that Russian intelligence was behind the hack into the Democratic National Committee's (DNC) servers. That intrusion, and the subsequent leak of embarrassing e-mail, has been interpreted by some as an attempt by Russia to interfere with the US presidential election. The US has yet to respond officially to that hack, even though it knows it to be Russia, according to this narrative. Now, with a piece of Le Carre-esque public signalling between spymasters, Russia's Shadow Brokers gambit has made any such response greatly more complex, the officials suggest. The US and its allies, of course, are hardly innocent of hacking. Regin, a piece of malware used to crack into telecoms networks, hotels and businesses from Belgium to Saudi Arabia - though mainly Russia - is a tool used by the US and Britain, while the Equation Group is among the most virulent and sophisticated hacking operations around.
If the warning to Washington was not being telegraphed clearly enough by Moscow, Mr Edward Snowden, the NSA contractor-turned-whistle-blower now living in Russia, spelt it out. "Circumstantial evidence and conventional wisdom indicates Russian responsibility," he wrote in a tweet to his 2.3 million followers. "This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast," he said in another. In the US intelligence community, the assumption is that, at the very least, Mr Snowden is an unwitting agent of Russian intelligence, if not a tool of it. "It's all part of the signalling," says one intelligence official. Mr Jim Lewis, director of strategic technologies at the CSIS think-tank and a former US State Department official, says: "The Russians have had the initiative in this whole thing starting from even before the DNC break-in. "They have the place of honour when it comes to threats to the US in cyber space right now. They've accelerated - they're much less risk-averse and they're much more aggressive."
ATTRIBUTION PROBLEMS
"Attributing" cyber attacks - or identifying their source - is a thorny issue. For cyber superpowers, insiders say, it is rarely technical limitations that prevent governments from castigating attackers. The problem, an age-old one for spycraft, is that in disclosing what they know, officials may give away how they got it. For agencies like the NSA and Britain's GCHQ, there is a deeply ingrained culture of secrecy surrounding their cyber surveillance work that stretches back to the origins of signals intelligence during World War II. US intelligence knew very quickly that the Chinese were behind the hack of the Office of Personnel Management, announced in June last year, which targeted the records of millions of Americans. But it took time to decide what the appropriate response should be and what kind of effect they wanted from it.
Outside the inner circles of the spy world, there is a growing sense that more public attribution is needed to try and put the brakes on a Cyber Cold War that is spiralling out of control. "Up to now, there has been a degree of approaching cyber defence one day at a time," says Rusi's Mr Lawson. "But now it's reached a momentum where people are starting to say we need to start calling people out, making more of an issue about these attacks, because otherwise, how are we ever going to establish any sort of global norms about it?" Publicly identifying attackers can be powerful. Chinese activity against US companies decreased markedly after the US authorities publicly indicted five senior Chinese military officials last year, proving to Beijing that they knew exactly what its hackers were up to - and would respond even more harshly if they continued. But the power of attribution also depends on the adversary. Unlike China, Russia does not depend economically on the US. The Kremlin's hackers are also far stealthier. A particular trend in Russia's hacking operations in the past 18 months, says a senior British cyber security official, has been towards such "false flagging", where attacks are hidden behind proxies. The official points to an attack on the French broadcaster TV5Monde in April last year. The website was defaced with pro-ISIS imagery, but it was the Russians who were responsible, he says. Russia has become much more aggressive in blurring other boundaries too: its cyber operations do not just exfiltrate information, they also sometimes weaponise it. Outright acts of destruction are on the table, too, as was the case when Russia took down the Ukrainian power grid in January. If the tools are new, the techniques may not be. Mr Philip Agee, a former CIA agent, sprang to prominence in the 1970s for publishing a series of salacious books and pamphlets claiming to expose the activities and agents of his former paymasters. 
He said he was a whistleblower and became a feted figure of the left in the West. But in reality he was carefully directed by the KGB, the Soviet spy agency. Under the Russians' guidance, his output blended genuine US intelligence leaks with outright disinformation concocted by Moscow to suit its own ends. Hundreds of CIA agents were exposed by his activities. The KGB's use of Mr Agee was both an act of disruption and one of manipulation. It boxed in the CIA and affected its decision-making. Moscow ensured genuine agents' names were publicised at times to suit their ends. The Shadow Brokers may be the same trick adapted to the 21st century. Both are textbook examples of what Soviet strategists called reflexive control - a concept that has become resurgent in Russian military planning today. Reflexive control is the practice of shaping an adversary's perceptions. A state might convince an opponent not to retaliate for interfering in an election, for example, by raising the possibility of releasing information about its own tactics. "These are old tactics," says CSIS' Mr Lewis. "The Russians have always been better at this kind of thing than us. But now, they're just able to wield them so much more effectively. They have taken tremendous advantage of the Internet. Information is a weapon."


Endwall 08/28/2016 (Sun) 18:19:49 [Preview] No. 445 del
Softpedia
New RIPPER Malware Suspected Behind Thailand ATM Heists
http://news.softpedia.com/news/new-ripper-malware-suspected-behind-thailand-atm-heists-507676.shtml
FireEye researchers discover new RIPPER ATM malware
Aug 28, 2016 00:20 GMT · By Catalin Cimpanu ·
A new piece of ATM malware may be behind the recent ATM heists that took place in Thailand and possibly Taiwan, security researchers from FireEye have discovered. Earlier this week, Thai authorities reported that crooks managed to steal $378,000 (12 million baht) from ATMs across Thailand. A few minutes before local press reported the heist, FireEye researchers said its cyber-security platform detected a new file uploaded to VirusTotal from an IP address in Thailand that included all the features of ATM malware.
FireEye discovers new ATM malware family
A subsequent investigation confirmed their initial suspicion. What researchers had discovered was a new malware variant that targets ATMs, which they named RIPPER, based on text found inside the malware source code (ATMRIPPER). While this was a never-before-seen malware family, FireEye says they identified multiple components also found in other ATM malware variants such as Padpin (Tyupkin), SUCEFUL, GreenDispenser, and Skimer. It may be possible that the malware was uploaded to VirusTotal either by one of the crooks working on a new version or by Thai investigators who found it on the infected ATMs. FireEye's technical analysis of RIPPER includes many findings that corroborate ATM heist details reported by local press.
RIPPER features coincide with ATM heist press reports
The malware included a component that would disable the ATM's network interface whenever needed. Thai press quotes investigators who said the robbed ATMs were taken offline during the heists. RIPPER allows an attacker to control ATMs via a payment card with a special authentication code embedded in its EMV chip. Investigators reported the same thing about the malware found on targeted ATMs. The Thailand attacks only targeted ATMs manufactured by NCR. Authorities suspect that the group behind this attack was also behind an NT$70 million ($2.18 million) ATM heist in Taiwan from July. In that attack, crooks targeted ATMs from Wincor Nixdorf.
FireEye says RIPPER includes code to target three specific vendors. The company doesn't mention their names, but this fits the group's modus operandi. Furthermore, the PE compile timestamp of the malware uploaded this week to VirusTotal is July 10, 2016, two days before the attacks in Taiwan.
RIPPER steals features from other ATM malware strains
FireEye researchers note that RIPPER's component that reads or ejects cards on demand is very similar to the one found in SUCEFUL, while the technique of using custom-made master EMV cards is borrowed from Skimer. They add that the ability to disable the local network connection resembles that of Padpin (Tyupkin) and the "sdelete" secure self-deletion module is similar to the one found in GreenDispenser. "In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical," FireEye researcher Daniel Regalado explains. "This speaks to the formidable nature of the thieves."


Endwall 08/28/2016 (Sun) 18:24:40 [Preview] No. 446 del
CBC News
How a $64M hack changed the fate of Ethereum, Bitcoin's closest competitor
Cryptocurrency alternative to bitcoin was co-founded by 19-year-old Canadian-Russian in 2015
By Jonathan Ore, CBC News Posted: Aug 28, 2016 9:00 AM ET Last Updated: Aug 28, 2016 11:07 AM ET
http://www.cbc.ca/news/technology/ethereum-hack-blockchain-fork-bitcoin-1.3719009
Picture this: A thief steals millions of dollars by hacking into an investment fund. What if you could just hit the undo button and get that money back? That was the dilemma that the creators of Ethereum, an upstart digital currency platform, recently faced. Founded in 2015 by a group of researchers led by Russian-Canadian Vitalik Buterin — then only 19 years old — its currency, ether, is the second-most valuable digital currency after bitcoin. But the currency suffered a blow recently after a hacker siphoned $64 million worth of ether from investors. In the wake of the hack, Buterin decided to turn back the clock through a software update and reset the entire system to its previous state — i.e., before the hack. The reset created a so-called hard fork, which split Ethereum into two parallel systems. Buterin assumed most users would move to the reset platform, but the fork proved divisive and a small group of users continued using the old system, dubbing it Ethereum Classic and arguing Buterin had no right to reset the platform. That has confused cryptocurrency investors and cast a pall over the future of Ethereum. It also opened up a rift between the currency's creators, who were the ones to alter the code and render the stolen currency null and void, and dissenters who argued against any intervention — even in the face of an Ocean's Eleven-style heist.
Smart contracts
While bitcoin is the best-known cryptocurrency, there are, in fact, hundreds of digital, decentralized payment systems that issue and trade digital currencies online. Each operates on a blockchain, a digital ledger that keeps track of all transactions in transparent, peer-to-peer fashion. While bitcoin did away with paper currency and a central banking authority, more complex transactions, such as setting up regular coupon payments on a bond, might still require the assistance of a lawyer or other third party. Ethereum eliminates this need by incorporating code that allows transactions to occur through so-called smart contracts, which take automatic effect once mutually agreed-upon conditions have been met. "An auction might automatically transfer deeds of ownership to the highest bidder after a certain time has elapsed, or a father's contract might automatically send his son a set amount of money every year on his birthday," explains Business Insider's Rob Price. Like bitcoin, ether has grown in popularity beyond internet discussion boards and small tech start-ups. Technology and financial companies from Microsoft to Deloitte have taken an interest in it. "Something that was founded by a 19-year-old university dropout in Toronto, Canada, leveraging the resources of developers all over the world, turned into this $1-billion platform," said Alex Tapscott, tech writer and co-author of the book Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.
The hack and the fork
But before long, the digital currency fell victim to an all-too-human problem: theft. In April, a group of Ethereum users launched what is known as a decentralized autonomous organization, or DAO, essentially a digital venture capital firm powered by ether. DAO members were supposed to vote on future Ethereum-related projects. The DAO raised more than $160 million worth of ether from about 11,000 investors. Some have called it the biggest crowdfunding project ever.
Ether units are mined using high-powered computers, much like these computers mining bitcoins in the Bitmain mining farm near Keflavik, Iceland. (Jemima Kelly/Reuters)
But on June 17, before anyone could do anything with the DAO, someone found a vulnerability in the DAO's code (much like finding a legal loophole in a sloppily written real-world contract), and siphoned 3.6 million ether from the fund. Ether's value tanked from a high of $27.60 to $18 immediately after the hack. It has since dropped further to $14. The total value stolen, depending on whether you calculate it before or after the hack, ranges from $64 million to $101 million. Ethereum's creators weren't directly responsible for the DAO, but since the amount stolen from it represented 15 per cent of all ether in circulation, they locked the stolen funds in a "child DAO" — a sort of digital escrow — preventing the thief from cashing out. Buterin and his team carried out the hard fork in the blockchain, rolling back the system to a day before the DAO was formed and returning the stolen ether to the original owners. The thief was essentially left with ether unrecognized by the larger community. "Anything to do with the DAO was reverted," Anthony Di Iorio, a co-founder of Ethereum and CEO of Decentral, a Toronto-based bitcoin, told CBC News. "The contract was changed so that people could get their funds out."
Ethereum Classic
The hard fork was completed on July 20, but to some users, the move was akin to censorship. Instead of using the post-fork currency, a small but vocal minority kept using the old one, which currently trades for about $2. To these adherents, "code is law," Di Iorio said. They believe smart contracts should be immutable — even if the intent of changing the code was to restore millions of stolen ether to the rightful owners.
Blockchain is the technology behind cryptocurrencies like bitcoin, ether and hundreds of other smaller offshoots and alternative currencies. (BTC Bitcoin/Flickr/Creative Commons)
Tapscott calls that aversion to intervention of any kind — even by the platform's own creators — "very naive." "They confuse governance with government, and governance of any kind with authoritarianism," he said. "There are lots of global resources out there that aren't owned or controlled by anyone that have complex governance structures — like the internet."
Can Ethereum and Ethereum Classic coexist?
Tapscott says the co-existence of two Ethereum chains "causes confusion as to which is the 'real' Ethereum, which is bad for investor and developer confidence." "'The more the merrier' is a fine philosophy for ideologues and traders, but for people who actually want to run or build smart contracts, two chains are a mess," investor Jacob Eliosoff told cryptocurrency news site Coindesk. In a separate op-ed, he argued that if this fragmentation continues, "the technology we love will never reach a wider public." Cryptocurrency users appear to agree, as Ethereum Classic's price plunged more than 23 per cent in the last week, according to Coindesk. The debate around the forking of the Ethereum platform resembles one that raged within the Bitcoin community a few months ago when some Bitcoin developers proposed increasing the size of the blockchain so that the system could process more transactions at a faster rate. Still, Tapscott remains bullish on the future of blockchain technology, regardless of the ultimate fate of ether, bitcoin or any single digital currency. "Ethereum is one tiny fraction of the entire blockchain universe, and the universe is barrelling ahead on all fronts," he said.


Endwall 08/28/2016 (Sun) 18:39:25 [Preview] No. 447 del
Dropbox Urges Users To Change Old Passwords
http://www.ehackingnews.com/2016/08/dropbox-urges-users-to-change-old.html
on Sunday, August 28, 2016
Dropbox has asked its users to change their passwords, if they haven’t done so since the online service’s launch in 2007. This comes as a ‘precautionary measure’ after a spate of hack attacks on an old set of Dropbox credentials in 2012. In July 2012, Dropbox said its investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. It said it had contacted the users affected to help them protect their accounts. The cloud storage service said that the move isn’t any indication that their accounts were improperly accessed. “Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” the company said. “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.” Dropbox is also recommending that users use two-factor authentication when resetting their passwords. Launched in 2007, Dropbox allows users to store, access and share files easily from a variety of devices. It has accumulated 500 million sign-ups to the service.


Endwall 08/28/2016 (Sun) 18:51:03 [Preview] No. 448 del
Security Affairs
France, Germany calls for European Decryption Law: What’s next?
http://securityaffairs.co/wordpress/50707/laws-and-regulations/france-germany-decryption-law.html
August 28, 2016 By Pierluigi Paganini
Amid the Apple vs. FBI debacle and a hacker group's successful breach at NSA headquarters, a new torch has been lit internationally by France and Germany, who are calling for a European Decryption Law.

Months after the FBI-Apple encryption case standoff in the U.S., the NSA headquarters breach by hackers has started a global debate on encryption between governments and pro-security supporters. On Tuesday, a joint press conference, “Franco-German initiative on internal security in Europe”, was held in Paris by Germany’s Interior Minister Thomas de Maizière and France’s Interior Minister Bernard Cazeneuve; they called on the European Commission to consider a possible new legislative act to force operators offering products or telecommunications services to decrypt messages or to remove illegal content for government investigators. A directive, if issued by the European Commission, is a kind of EU decryption law that must pass through the interpretation stage of the European Union’s member states to become national law at the European level. Meanwhile, at the international level, they also called for the signing and ratification of the Budapest Convention on Cybercrime. These propositions by the two ministers were issued in response to the terrorist attacks that happened in their countries, where the attackers were said to be using highly encrypted communications apps. That being said, there is already a directive in practice for national security, as pointed out by Commission spokesperson Natasha Bertaud. In an email statement to Fortune she said, “The current data protection directive (which also applies to the so-called over-the-top service providers) allows member states to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences,” and further added that “The new general data protection regulation (which will apply as from 25 May 2018) maintains these restrictions.” In an opinion-based statement on encryption, the German minister talked about “good practices” and “innovative ideas” to tackle encryption.
His fellow French minister, meanwhile, stepped up the press conference by specifically naming the Telegram app and criticizing it. WhatsApp and Telegram took their stance by stating that they cannot decrypt the data because of the encryption mechanism, where only users have access to their conversations. Even though a data protection directive is in practice, the explicit agenda of access to encryption may be to have control over such apps internationally and EU-wide. Giving her opinion on the matter of encryption in an editorial in the French newspaper Le Monde, Isabelle Falque-Pierrotin, President of the National Commission on Informatics and Liberties, France’s data protection authority, wrote: “It is through encryption that we can make a bank transfer safely. It is through encryption that we can store our health data in a shared medical file (DMP) online. It is also thanks to this tool that investigations on “Panama Papers” were possible. For companies, encryption is now the best protection against economic espionage.” Earlier this year in the U.S., over the debate in the FBI-Apple encryption suit, we saw telecommunication providers backing Apple and anti-encryption hardliners such as Senator Lindsey Graham switching sides in favor of Apple after realizing the technical reality of the case. “I was all with you until I actually started getting briefed by the people in the intel community,” Graham told Attorney General Loretta Lynch during Senate Judiciary Committee hearings. “I will say that I’m a person that’s been moved by the arguments about the precedent we set and the damage we might be doing to our own national security.” The strongest anti-backdoor and pro-encryption opinion came from European Commission Vice-President Andrus Ansip, who supported Apple’s decision to refuse to unlock the terrorist’s iPhone. “Identification systems are based on encryption. I am strongly against having any kind of backdoor to these systems.
In Estonia, for example, we have an e-voting system. If people trust an e-banking system, they can also trust an e-voting system. This trust is based on a strong single digital identity guaranteed by the government, which is based on encryption. The question is who will trust this e-voting system if there are some back doors and someone has the keys to manipulate the results. The same goes for the e-banking system.” The European Parliament resolution of September 2015 on “human rights and technology” turns out to be in favor of strong encryption. As the debate heats up, the next step could be the revision of the European Union’s “e-privacy” directive. Refreshing the memory of May 2016, the EU executive body set out a new e-privacy proposal that would significantly change telecommunication regulation to create a “level playing field” between traditional and online telecommunications services like Skype and WhatsApp. According to documents quoted by the Financial Times, the European Commission will proceed further with the e-privacy revision, bring Microsoft’s Skype and Facebook’s WhatsApp into the same regulatory fold as traditional telecommunication operators, and may explicitly ask for decryption orders. That would affect Google, Netflix, Amazon and Apple as well in the EU. There is also some speculation that the French and German governments, facing elections next year, are using these tactics to strong-arm them. The press release has started a global tug of war, but there is no easy answer to what comes next.


Endwall 08/29/2016 (Mon) 07:56:39 [Preview] No. 449 del
A malware was found in Iran petrochemical complexes, but it’s not linked to recent incidents
August 29, 2016 By Pierluigi Paganini
http://securityaffairs.co/wordpress/50712/cyber-warfare-2/petrochemical-complexes-malware.html
The head of Iran’s civilian defense confirmed that malware was found in petrochemical complexes, but it hasn’t caused the fires under investigation.

Last week, I reported the news related to a series of fires at Iranian petrochemical plants. Iran’s Supreme National Cyberspace Council started an investigation to discover whether the fires at oil and petrochemical plants were caused by cyber attacks. Authorities fear that nation-state actors may have launched an attack similar to the Stuxnet one. Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, announced that a team of cyber experts will be involved in the investigation to understand if the incidents are linked and if they were caused by cyber attacks.

“Abolhassan Firouzabadi, secretary of Iran’s Supreme National Cyberspace Council, says a team of experts will look at the possibility of cyberattacks as being a cause, Press TV reported on Sunday. Special teams will be sent to the afflicted sites to study the possibility of cyber systems having a role in the recent fires, he said.” reported the Tehran Times.

Iranian cyber experts have spotted and removed two pieces of malware that infected systems at two petrochemical plants. The news was confirmed by a senior military official and reported by Venturebeat.com.

“Iran has detected and removed malicious software from two of its petrochemical complexes, a senior military official said on Saturday, after announcing last week it was investigating whether recent petrochemical fires were caused by cyber attacks.” reported Venturebeat.com.

The official also added that the malware was not responsible for the incidents that occurred at the petrochemical complexes; the experts discovered that it was inactive and not linked to the fires.

“In periodical inspection of petrochemical units, a type of industrial malware was detected and the necessary defensive measures were taken,” Gholamreza Jalali, head of Iran’s civilian defense, told the state news agency IRNA. “The discovery of this industrial virus is not related to recent fires.”

As declared by the oil minister, the string of fires in petrochemical complexes was caused by the lack of proper safety measures, itself a result of budget cuts made by the firms in the energy sector.


Endwall 08/29/2016 (Mon) 22:46:51 [Preview] No. 450 del
After Illinois hack, FBI warns of more attacks on state election board systems
http://tornews3zbdhuan5.onion/newspage/37336/
http://arstechnica.com/security/2016/08/after-illinois-hack-fbi-warns-of-more-attacks-on-state-election-board-systems/
Sean Gallagher - Aug 29, 2016 3:55 pm UTC
Someone using servers in the US, England, Scotland, and the Netherlands stole voter registration data from one state's Board of Elections website in June and unsuccessfully attacked another state's elections website in August, according to a restricted "Flash" memorandum sent out by the FBI's Cyber Division. The bureau issued the alert requesting that other states check for signs of the same intrusion.

The "Flash" memo, obtained by Yahoo News, was published three days after Secretary of Homeland Security Jeh Johnson offered state officials assistance in securing election systems during a conference call. According to Yahoo's Michael Isikoff, government officials told him that the attacks were on voter registration databases in Illinois and Arizona. The Illinois system had to be shut down in July for two weeks after the discovery of an attack; the registration information of as many as 200,000 voters may have been exposed.

While saying the Department of Homeland Security was unaware of any specific threat to election systems, Johnson offered states assistance from the National Cybersecurity and Communications Integration Center (NCCIC) "to conduct vulnerability scans, provide actionable information and access to other tools and resources for improving cybersecurity," a DHS spokesperson said, describing the conference call. "The Election Assistance Commission, NIST, and DOJ are available to offer support and assistance in protecting against cyber attacks."

The successful hack of the Illinois system began with a scan of the state election board's site with Acunetix, a commercial vulnerability scanning tool used to discover SQL injection vulnerabilities and other site weaknesses. The attacker used information on an SQL injection bug to then use SqlMap, an open source tool, to access user credentials and data, and the DirBuster tool to discover hidden files and directories on the Web server. Yahoo reports that officials suspected "foreign hackers" for the attack. Ars attempted to contact Acunetix for comment, but received no response.

The IP addresses listed as sources for the attacks are associated with commercial dedicated and virtual private server hosting companies: US and UK servers provided by King Servers LTD; Fortunix Networks LP, a custom hosting company with servers in Edinburgh; and Liteserver in Tilburg, the Netherlands. The use of virtual private servers (likely purchased with WebMoney, bitcoin, or some other anonymous currency) and off-the-shelf tools doesn't suggest any significant amount of sophistication on the part of the attackers. But state government sites like those affected so far are typically not hardened against attack, so sophistication wouldn't necessarily be required.


Endwall 08/29/2016 (Mon) 22:51:32 [Preview] No. 451 del
CNET
Two state election databases hacked, FBI warns
by Anne Dujmovic @adujmo / August 29, 2016 11:41 AM PDT
http://www.cnet.com/news/two-state-election-databases-have-been-hacked-fbi-warns/
The FBI is urging state election officials to beef up their computer systems' security in light of two cyberattacks this summer.

The FBI has found evidence that two state election databases were infiltrated this summer by foreign hackers, according to a Yahoo News report Monday. That's led the agency to urge state election officials throughout the US to strengthen their computer systems' security, the report said.

The bureau's cyber division issued the warning on August 18 in a "flash" alert titled "Targeting Activity Against State Board of Election Systems" (PDF). The alert said "the bureau was investigating cyberintrusions against two state election websites this summer, including one that resulted in the 'exfiltration,' or theft, of voter registration data," according to Yahoo News, which obtained a copy of the alert.

The warning didn't name the states, but sources told Yahoo voter registration databases in Arizona and Illinois were targeted. In Illinois, hackers stole the personal data of up to 200,000 of the state's voters. In Arizona's case, malicious software was found in the system but no data was taken, a state official told Yahoo News. The bureau suggested the two attacks may be linked but did not name the country where they may have originated, the report said.

The FBI declined to comment on the specific alert. "The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."

Earlier this month at a press event in Washington, D.C., Homeland Security Secretary Jeh Johnson said the government is concerned cyberattackers could disrupt the November presidential election. He said the government should consider whether elections should be treated as "critical infrastructure." "There's a vital national interest in our election process," he said.


Endwall 08/29/2016 (Mon) 22:53:17 [Preview] No. 452 del
Election Security Comes Down to Outdated Software
http://www.itbusinessedge.com/blogs/data-security/election-security-comes-down-to-outdated-software.html
Sue Marquette Poremba | Data Security | Posted 29 Aug, 2016
In the spring, I reached out to the last five presidential campaigns standing to ask why cybersecurity wasn’t a top priority in any speeches or policies. I got no response. I wasn’t too surprised by that, considering there hadn’t been any big cybersecurity news – well, nothing that would appear to affect the political landscape. That’s changed, of course, with the hacks into the DNC and the Clinton campaign. Now the FBI is warning that election systems are in jeopardy after election board websites in two states were hacked. As Wired described it:

In its warning sent to state-level election boards, the FBI described an attack on at least one of those two election websites as using a technique called SQL injection. It’s a common trick, which works by entering code into an entry field on a website that’s only meant to receive data inputs, triggering commands on the site’s backend and sometimes giving the attacker unintended access to the site’s server.

It’s not just a cyberattack that we need to be alert for. A Politico story showed exactly how easy it can be to physically hack elections, as well. A Princeton professor bought a voting machine used in a number of states, and within minutes he was able to replace a few chips and add his own firmware to the machine that would allow the ballots to be manipulated. Someone with malicious intent, access to the location where machines are stored, and a little cyber know-how could redirect the course of history.

The problem with our voting system is very similar to the cybersecurity problem in many businesses today: The software is outdated and vulnerable. In a white paper released by the Institute for Critical Infrastructure Technology called “Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures,” the authors showed why voting systems are so vulnerable to an attack:

Many electronic voting systems have not been patched for almost a decade because officials falsely believe that an airgap equates to security. In 2016, 43 states relied on voting machines that were at least 10 years old and that relied on antiquated proprietary operating systems such as Windows CE, Windows XP, Windows 2000, Linux, and others. Vulnerabilities for these operating systems are widely available for free download on Deepnet. Alternately, some GUI-based script kiddie tools can automatically scan for Windows XP and Windows 2000 and exploit known vulnerabilities to deliver malicious payloads. Even if the officials did their due diligence and practiced moderate cyber-hygiene, Microsoft has not released a patch for Windows CE since 2013 or Windows XP since 2014.

It sounds a lot like many of the problems that plague the Internet of Things, and businesses aren’t confident about addressing those security risks. Unfortunately, we tend to think about election cybersecurity every four years, during a presidential campaign, despite the fact that elections are conducted at least twice a year in most states, with primaries and general elections. Those of us who think about cybersecurity all the time know the ramifications that poor security efforts can have on a business and consumers. We don’t want poor cybersecurity to dictate the election results, so the question becomes, how do we make cybersecurity a point of discussion and what can be done to work on a fix? We have a little more than two months to figure it out.
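The Ars piece in No. 450 describes the Illinois chain (an Acunetix scan, an SQL injection bug, sqlmap pulling user credentials), and the Wired passage quoted above describes what the injection itself does to a query. As an added example that is not from either article and not part of this thread, here is that mechanism in miniature in Python: a lookup that splices the request parameter into the SQL text, beside the parameterised form, both run against an in-memory SQLite table. The table, its columns and its rows are constructed for the example; the real Illinois schema is not public, and the hash strings are placeholders.

```python
import sqlite3

# Constructed sample data: a toy voter table standing in for a state
# registration database (hypothetical schema, not the Illinois one).
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99", "1234"),
    ("bob", "e10adc3949ba59abbe56e057f20f883e", "5678"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters (username, password_hash, ssn_last4) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def lookup_vulnerable(conn, username):
    """Splices the request parameter into the statement text.

    A single quote in the input closes the string literal, so whatever
    follows is parsed as SQL. This is the bug a scanner reports and an
    injection tool then drives to read other rows and other columns.
    """
    sql = "SELECT username, ssn_last4 FROM voters WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Same query with the value bound as a parameter.

    The statement text is fixed; the input is only ever compared against
    the column and is never parsed as SQL, whatever it contains.
    """
    sql = "SELECT username, ssn_last4 FROM voters WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two payload shapes an injection tool tries once it has found the bug.
TAUTOLOGY = "x' OR '1'='1"                                               # every row
UNION_DUMP = "x' UNION SELECT username, password_hash FROM voters --"    # another column


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:           ", lookup_vulnerable(db, "alice"))
    print("tautology payload:       ", lookup_vulnerable(db, TAUTOLOGY))
    print("union dump payload:      ", lookup_vulnerable(db, UNION_DUMP))
    print("parameterised, same input:", lookup_parameterised(db, TAUTOLOGY))
```

The tautology payload returns the whole table through a query meant to return one row; the UNION payload pulls a column the query never selected, which is the shape of "access user credentials" in the Ars account. The parameterised version returns nothing for either input because it looks for a user literally named `x' OR '1'='1`.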


Endwall 08/29/2016 (Mon) 22:57:46 [Preview] No. 453 del
New FairWare Ransomware targeting Linux Computers
Lawrence Abrams * August 29, 2016 * 11:27 AM
http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/
A new attack called FairWare Ransomware is targeting Linux users, where the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to get the files back. In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, they probably just upload them to a server under their control.

Victims have reported that they first learned about this attack when they discovered their web sites were down. When they logged into their Linux servers, they discovered that the web site folder had been removed and a note called READ_ME.txt was left in the /root/ folder. This note contains a link to a further ransom note on pastebin. The content of the READ_ME.txt file is:

Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!

The ransom note on pastebin requests that the victim pay two bitcoins to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks to get their files back. They are also told that they can email fairware@sigaint.org with any questions. The full content of the FairWare ransom note is:

YOUR SERVER HAS BEEN INFECTED BY FAIRWARE

Hi,
Your server has been infected by a ransomware variant called FAIRWARE. You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked!
We are the only ones in the world that can provide your files for you! When your server was hacked, the files were encrypted and sent to a server we control!
You can e-mail fairware@sigaint.org for support, but please no stupid questions or time wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as: "can i see files first?" will be ignored. We are business people and treat customers well if you follow what we ask.
FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
HOW TO PAY:
You can purchase BITCOINS from many exchanges such as:
http://okcoin.com
http://coinbase.com
http://localbitcoins.com
http://kraken.com
When you have sent payment, please send e-mail to fairware@sigaint.org with:
1) SERVER IP ADDRESS
2) BTC TRANSACTION ID
and we will then give you access to files, you can delete files from us when done
Goodbye!

At this time it is unknown if the attacker actually retains the victim's files and will return them after ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first.


Endwall 08/29/2016 (Mon) 23:01:38 [Preview] No. 454 del
Government Hackers Have Now Found a Way to Breach iPhone Security
http://www.matthewaid.com/post/149648418136/government-hackers-have-now-found-a-way-to
The Cyber Threat: iPhone Software Targeted in Government-Linked Hack
Bill Gertz, Washington Free Beacon, August 29, 2016

Years ago during lunch with a recently-retired National Security Agency cyber security official, I immediately noticed the former official’s iPhone as he placed it on the table next to his fork. Wow, I thought, if an NSA electronic spook is using an iPhone, those babies must be secure. Days later I traded in my cell phone for an iPhone and have been using them ever since. I endured Apple’s proprietary restrictions, like the inability to change batteries, a company tactic that forces customers to buy a new phone every few years as the battery gradually wears out. So too did I accept the iPhone’s inability to expand its memory. As someone who reports on cyber threats and is not viewed as a favorite reporter by certain foreign governments (and one heavily politicized American one), I decided to accept the limits on Apple handheld devices that today more and more have come to dominate our waking hours.

NSA is not alone in adopting the widespread use of Apple devices for better security. Several federal agencies and military services also demand use of iPhones in key locations because of their inherent strong security. There is no question that iPhones are much safer against cyber attacks than other operating systems, like Google’s Android mobile OS. But that is changing.

Last week, Apple sent out an urgent notice to all customers to update their iPhone software with a security patch. Security flaws were discovered in the operating system revealing that the cyber threat to iPhones, once the gold standard for handheld security, is reaching new heights. Apple didn’t even know about the latest cyber attack against its software until two security companies discovered what security specialists call “zero day” flaws in the iPhone operating system. Zero days are the coin of the realm for hackers and foreign governments seeking to get into information systems, including computers and smartphones. They’re called zero days because you have zero time to fix the security hole once hackers find them and start using them in attacks. The only solution is to patch the hole after the attacks take place, to limit the data theft or other damage.

The security firms Lookout and Toronto-based Citizen Lab found three zero days targeting iOS software that were used against the iPhone 6 of Ahmed Mansoor in early August. Mansoor, a United Arab Emirates-based pro-democracy activist, was sent text messages promising secrets on detainees held in UAE jails if he clicked on a link. He instead contacted the security firms. Electronic analysis showed the malware link was a hacking ploy using the three unknown zero days that researchers traced to an Israeli-based cyber security firm called the NSO Group, reportedly made up of former cyber sleuths from Unit 8200, Israel’s electronic intelligence service. NSO sells a software called Pegasus, an electronic intercept software used by governments. The cyber attack was likely the work of the Emirates’ government that in the past targeted the dissident for harassment. NSO executives aren’t talking.

The three-step iPhone hack was set up to cause a targeted victim to click on a fake website that would then use an application capable of downloading sensitive information from the phone’s memory. A third feature was the ability of the hackers to manipulate the hacked iPhone as if it were the owner’s device, or to disrupt its operations by corrupting the memory. “Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” Citizen Lab said.

Apple, which posted a third-quarter revenue of $42.4 billion, had little to say about the cyber attack. A company spokesman said the vulnerability was patched immediately after the company was alerted. “We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” the spokesman said.

Apple iPhone software remains secure from cyber attacks based on the company’s focus on tightly controlling the software and hardware for both security and commercial reasons. For at least a decade now it used to be that if you were concerned about nefarious cyber bad guys, whether Chinese or Russian hackers or thieves and criminals secretly breaking into your phone, iPhones were the most secure. Statistics show that by comparison, the Apple operating system is far less vulnerable to cyber attack than other systems such as Android. A Nokia security report shows that of the top 20 malware threats to smartphones, 19 affect Google’s Android devices. Only one spyware afflicted iPhones. But it was the first time in years that any malware targeting Apple devices had made it to the top 20 threats, an indication of the trends.

“The modern smartphone presents the perfect platform for corporate and personal espionage, information theft, denial of service attacks on businesses and governments, and banking and advertising scams,” Nokia warns. “It can be used simply as a tool to photograph, film, record audio, scan networks and immediately transmit results to a safe site for analysis.”

As smartphones become more and more sophisticated, they are also becoming more and more ubiquitous. Look at any busy street today and it is clear that smartphones are dominating our attention. People are on their handheld devices for phone calls, texts, buying things, transportation, navigation, and a host of other personal activities. Reliance on handhelds will only increase as more and more of the elements surrounding us are computerized, such as cars, kitchens, houses and workplaces.

The Apple hack and the discovery of three zero day flaws is a sign that electronic security needs to be increased across the board. Good device security is imperative and important to maintaining privacy and ultimately personal freedom.


Endwall 08/29/2016 (Mon) 23:30:14 [Preview] No. 455 del
Security Affairs
The son of a Russian lawmaker could face up to 40 years in the jail for hacking
http://securityaffairs.co/wordpress/50745/cyber-crime/son-russian-lawmaker-arrested.html
Roman Seleznev (32), the son of Russian lawmaker and Russian Parliament member Valery Seleznev, was convicted of stealing 2.9 million credit card numbers.

Roman Seleznev (32), the son of one of the most notorious Russian lawmakers, Russian Parliament member Valery Seleznev, has been convicted in the US of hacking businesses and stealing 2.9 million US credit card numbers using Point-of-Sale (POS) malware.

“A federal jury today convicted a Vladivostok, Russia, man of 38 counts related to his scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington.” reads the announcement published by the DoJ.

According to the Department of Justice, the hacking scheme defrauded banks of more than $169 million. The stolen credit card data were offered for sale on multiple “carding” websites.

“Testimony at trial revealed that Seleznev’s scheme caused 3,700 financial institutions more than $169 million in losses.” continues the note published by the DoJ.

Seleznev, who was using the online moniker ‘Track2’, was convicted in a Washington court on Thursday of 38 charges related to stolen credit card details, which include:
* Ten counts of wire fraud
* Nine counts of obtaining information from a protected computer
* Nine counts of possession of 15 unauthorized devices
* Eight counts of intentional damage to a protected computer
* Two counts of aggravated identity theft

“Roman Valerevich Seleznev, aka Track2, 32, was convicted after an eight-day trial of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft. U.S. District Judge Richard A. Jones of the Western District of Washington scheduled sentencing for Dec. 2, 2016.”

Roman Seleznev, 32, the son of Russian Parliament member Valery Seleznev, was arrested in 2014 while attempting to board a flight in the Maldives; the arrest raised diplomatic tensions between American and Russian authorities. The prosecution was built starting from data found on his laptop, which was seized at the time of the arrest. The PC contained more than 1.7 million stolen credit card numbers, some of which were stolen from businesses in Western Washington. The analysis of the laptop allowed the prosecutors to find additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the hacking scheme.

The prosecution was criticized by Seleznev’s lawyer, John Henry Browne. “I don’t know of any case that has allowed such outrageous behavior,” said Browne. The US DoJ replied that Seleznev “was prosecuted for his conduct not his nationality.”

If convicted, Seleznev could face up to 40 years in jail; his victims were small businesses and retailers hacked from 2008 to 2014. Seleznev will be sentenced on December 2.


Endwall 08/29/2016 (Mon) 23:34:36 [Preview] No. 456 del
Security Affairs
Shad0wS3C group hacked the Paraguay Secretary of National Emergency
http://securityaffairs.co/wordpress/50740/hacktivism/shad0ws3c-hacked-sne.html
Shad0wS3C hacker group has hacked Paraguay’s Secretary of National Emergency (SNE) and leaked online a dump from a PostgreSQL database.

Not so long ago I interviewed Gh0s7, the leader of the Shad0wS3C hacker crew; now he contacted me to announce the hack of Paraguay’s Secretary of National Emergency (SNE).

“The reason for this data leak. The government of Paraguay has violated so many human rights, and either the UN (Don’t rely on them) or anyone has done anything. just to name a few:
* Impunity and justice system
* Torture and other ill-treatment
* Violation of Women’s and girls’ rights
* Violation against Human rights defenders”
This is the Shad0wS3C message.

The group has shared as proof of the hack a data dump from a PostgreSQL database; just after the announced security breach the Government website sen.gov.py was up. The leaked data dump includes information about material stocks and also PII belonging to Paraguay’s Secretary of National Emergency employees. Users’ records include names, emails, phone numbers, addresses, salary information, and other data related to their activity within the Government organization (i.e. roles in the case of national emergencies). The leaked data also includes details on hundreds of website login credentials, with hashed passwords.

Shad0wS3c is a recently formed hacker group; in July it claimed responsibility for the data breach of the EJBCA that resulted in the exposure of credentials and certificates.


Endwall 08/29/2016 (Mon) 23:39:29 [Preview] No. 457 del
ZDnet
Opera resets passwords after sync server hacked
http://www.zdnet.com/article/opera-resets-passwords-after-server-hack/
By Zack Whittaker for Zero Day | August 28, 2016 -- 18:10 GMT (19:10 BST)
But the company won't say how the passwords are stored, which may indicate if they can be unscrambled by an attacker.
Opera has confirmed that a hacker breached one of the company's sync servers, potentially exposing passwords. The Norway-based internet browser maker said in a blog post that it "quickly blocked" an attack on its systems earlier this week, but it admitted that some data was compromised, including "some of our sync users' passwords and account information", such as login names. But the company said it doesn't know the full scope of what was compromised.

Opera said that it has reset all the Opera sync account passwords as a precaution. At the time of the attack, the feature, which allows users to share website passwords across devices, had more than 1.7 million active users in the previous month.

The company confirmed that passwords are hashed and salted -- an industry-standard practice to scramble passwords so that they are unusable -- but didn't provide specifics on how, leaving no clear indication if the passwords can be unscrambled by an attacker. Opera staffer Tarquin Wilton-Jones, who wrote the blog post, said the company will "not divulge exactly how authentication passwords on our systems are prepared for storage", as this would "only help a potential attacker".

We sent Opera some questions but did not hear back at the time of writing. If that changes, we'll update the piece.
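Opera says its sync passwords are "hashed and salted" but not how, and the article's open question is whether a stolen dump can be reversed. As an added example, not Opera's code (its storage scheme is undisclosed) and not part of this thread, here is what the phrase needs to mean for the answer to be "not cheaply": a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 with an assumed iteration count), shown next to an unsalted fast hash that a wordlist reverses in a single pass. User names, passwords and the wordlist are constructed.

```python
import hashlib
import hmac
import os

# Assumed work factor for the slow scheme; tune it so one derivation costs
# on the order of 100 ms on the authentication servers.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, so one precomputed table cannot be
    reused across users or across dumps.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute from the parameters stored in the record; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % scheme)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1(password):
    """The weak scheme: one fast hash, no salt, identical for identical passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(digests, wordlist):
    """Hash each word once, then look every user up in the result.

    digests: {user: sha1 hex}. Cost is len(wordlist) hashes for the whole
    dump, however many users it holds, and every user who chose the same
    word falls at once.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def crack_salted(records, wordlist):
    """Against salted slow hashes each (user, word) pair is a full derivation.

    records: {user: record from hash_password}. Cost is
    len(records) * len(wordlist) derivations of `iterations` HMAC rounds each.
    """
    found = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    # Constructed users; two of them chose the same weak password.
    users = {"ann": "password", "ben": "password", "cy": "T8#vq-Lm!z2"}
    wordlist = ["123456", "password", "letmein"]
    weak = {u: unsalted_sha1(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted sha1, recovered:", crack_unsalted(weak, wordlist))
    print("salted pbkdf2, recovered:", crack_salted(strong, wordlist))
```

Both crackers recover the weak password in the end; the difference is the price. The unsalted table is built once and answers for every user in the dump, while the salted records force one slow derivation per user per guess, which is what turns "the hashes leaked" into "the hashes leaked and the attacker still needs to guess each password individually". Storing the iteration count in the record lets the work factor be raised later without re-collecting passwords.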


Endwall 08/29/2016 (Mon) 23:41:00 [Preview] No. 458 del
Hacker Interviews – New World Hackers
http://securityaffairs.co/wordpress/50716/hacking/new-world-hackers-interview.html
August 28, 2016 By Pierluigi Paganini
New World Hackers is one of the most popular groups of hackers, it conducted several hacking campaigns against multiple targets.
Did you conduct several hacking campaigns? Could you tell me more about you and your team?

We have been dedicated to operations, such as taking down BBC, Donald Trump, NASA, and XBOX. I started out as just a kid wanting to mess around with a few games; later on, I realized I was more skilled than the average child. I began learning how to program in Python and Ruby. I later on became a Certified Network Security Analyst but did not take the offer to work for the Federal Bureau.

Could you tell me what your technical background is and when you started hacking? What are your motivations?

My motivation for hacking is the excitement of being able to tell someone a security flaw they may have missed.

What was your greatest hacking challenge?

The greatest hack I’ve done would be breaching an entire DNS server which held 30,000 domains back in 2014; sadly I only got the chance to deface about 20 domains and left the rest alone. 70% of all DNS servers around the world are still vulnerable to the 0day to this day.

Which was your latest hack? Can you describe it to me?

The latest series of attacks are against celebrities actually! Our team is observing celebrity websites and we are shocked that most celebrities don’t secure the website nearly 50,000 people visit in an hour. Recently http://Adele.com was held offline an entire day, August 20th, during a concert. The page for a short period of time displayed some of her domain login information.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

4 tools:
1. I would say a dynamic proxy chain which hides your IP. You would rather be safe than sorry.
2. Secondary ICMP range vulnerability scanner. This tool can be found on TOR and can be used to scan multiple domains at the same time, finding XSS vulnerabilities but also SQLi vulnerabilities.
3. Scaled shell; not many people have heard of this. It can’t be erased from a server you have just brute forced, or that has been SQL injected, thus allowing you to deface or steal data from the specific web server multiple times.
4. A 0day; 0days can’t be found unless you tell it. Make your own, or buy one.

Which are the most interesting hacking communities on the web today, and why?

Hacking communities nowadays aren’t as common; within our boundaries we would state the Turkish Hackers, Greek Hackers, Ghost Squad Hackers, Tactical Team Hackers, and Ourmine as far as web security are some of the most interesting groups out there at this point in time.

Did you participate in hacking attacks against the IS propaganda online? When? How?

Yes, I participated in hacking attacks against IS. In my former group we used to take down ISIS Twitter and Facebook accounts, and after that I personally took a few down and DDoSed some websites.

Where do you find IS people to hack? How do you choose your targets?

We did participate in the attacks against the Islamic State back in December; through June we defaced IS propaganda websites and jacked Twitter accounts. I’m going to do a bit of a leak because it isn’t really hacking when you are jacking ISIS Twitter accounts. People located in Saudi Arabia don’t need emails to register on Twitter. @ctrlsec on Twitter tweets out vulnerable ISIS accounts every 5 minutes. Since they don’t need an email to register, Twitter automatically defaults their email to Gmail, so the email would be twitterhandle@gmail.com. All we have to do is make that email, which isn’t valid, and recover the account. 30% of Twitter is vulnerable to the 0day, have fun jacking ISIS Twitter accounts!

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

Yes, we think there is a big risk in not taking the necessary steps when you are securing your critical infrastructure. The potential threat of hackers is just around the corner.


Endwall 08/29/2016 (Mon) 23:45:04 [Preview] No. 459 del
Australian cyber crime threats: Four Corners investigates how hackers are hacking into our
http://opensources.info/australian-cyber-crime-threats-four-corners-investigates-how-hackers-are-hacking-into-our-2/

Four Corners "Cyber War" (video, 0:29)
Cyber security adviser Kevin Mitnick demonstrates how easy it is to hack into a bank account using a fake wifi network. CREDIT: Four Corners, ABC
http://video.news.com.au/News/
ONE of the world’s most infamous, former computer hackers has revealed how easy it is to hack into a bank account, as Australia faces serious cyber threats.

In a special report on cyber crime, Four Corners spoke to Kevin Mitnick, who is now a cyber security adviser to top companies. He showed reporter Linton Besser how easy it was to set up a fake Wi-Fi scam, letting him think he was signing into his National Australia Bank account via Telstra Air.

“But what he doesn’t know, he’s connecting to my fake access point. And what we’re gonna do is we’re gonna take over his computer,” he said.

Mitnick was then able to record all of his keystrokes, including his banking password.

“And then what I’m gonna be able to do is steal his passwords, and I’m gonna be able to inject fake updates, so once he installs them we gain full control of his computer system and he’ll never know the better.”

Mitnick’s simple hack is just one part of a much larger problem with the growth of cyber crime across Australia and overseas, which is one of the greatest challenges to law enforcement.

Kevin Mitnick, who showed viewers how easy it is to hack into someone’s private information. Picture: ABC. Source: Supplied

Four Corners also revealed that a small Australian satellite company had its computer systems so comprehensively hacked that experts described their network as the most corrupted they’d ever seen. As well, hackers, likely Chinese, had targeted the Defence Science and Technology Organisation and the Bureau of Meteorology. The real target of the Bureau of Meteorology hack was thought to be the Australian Geospatial-Intelligence Organisation which supports defence operations through provision of satellite and other imagery, it said.

The firm Newsat, which planned to launch two Australian satellites and build an Australian satellite industry, attracted the attention of foreign hackers, with the Australian Signals Directorate breaking the bad news to company executives.

“Our network was, as far as they could see, the most corrupted they’d seen. Period,” the company’s former chief financial officer Michael Hewins told Four Corners.

Former Newsat IT manager Daryl Peter said the intruders had been inside their network for maybe two years, which was like someone looking over their shoulder for everything they did.

“Newsat had been hacked and not just by teenagers in the basement or anything like that. Whoever was hacking us was very well-funded, very professional, very serious hackers.”

A year ago Newsat called in the liquidators and sold off its remaining assets.

Although China is alleged to be responsible for much hacking, Australian officials won’t point the finger.

“It’s not useful for us to talk about any particular nation states,” said Alastair MacGibbon, special adviser on cyber security to Prime Minister Malcolm Turnbull.

A recent cybercrime victim was the Australian Bureau of Statistics which came under attack on census night, prompting it to close down the Census. Mr MacGibbon said that was a denial of service attack which was certainly not of the scale or sophistication that should have caused any significant problems. He said that attack was easily predictable and should have been prevented.

His comments come as former Australian government cyber security official Tim Wellsmore told the program it’s not just individuals whose secrets are vulnerable to others. Governments and businesses in Australia are attacked, and there are parts of the internet where access to hacked computer servers is bought and sold.

Ex CIA + NSA head @GenMhayden on the secrets of cyber warfare, tonight on #4Corners #cyberwar pic.twitter.com/nI7TIsQPe2 — Sally Neighbour (@neighbour_s) August 29, 2016

Former CIA and NSA Director Michael Hayden said Australia, the US and other friendly similar nations around the world need to protect their data.

Four Corners stated it had also been told of significant cyber attacks against Austrade.

The program was also taken inside a secure facility at the Australian Defence Force Academy in Canberra, where viewers saw two rival teams compete in a training exercise to shut down each other’s power grid — which could be a real hacker’s target.

One of the cyber world’s experts, Washington-based Dmitri Alperovitch, also criticised Australia for not doing enough to warn local industry about online threats.

“The reality is that the Australian government is very well aware of these activities but they have not really come out and publicly acknowledged it, they have not done a good job, in my opinion, educating the public about this threat and as a result there’s a sense of complacency oftentimes among industry because they don’t appreciate that even in Australia you can be targeted,” he said. “And China happens to be your biggest trading partner — there’s a lot of reasons why they would be hacking into your industry, to try to steal intellectual property, try to get an advantage in trade negotiations and it’s happening very often and, uh, very little is being done about it.”

Mr MacGibbon defended the government, saying they needed more time to develop ongoing conversations about cyber attacks with the Australian public.

“You have to give us some time as we work through what can be said, how it can be said to increase the level of engagement,” he said.

As for the allegations against China, the Chinese government through its embassy in Canberra told the ABC it has denied it was behind the cyber attacks in Australia, describing the allegations as “nothing but false cliches”.


Endwall 08/30/2016 (Tue) 00:09:16 [Preview] No. 460 del
Extended interview with former CIA director Michael Hayden
https://www.youtube.com/watch?v=Bk9wyATPk3U

Cyber War: Four Corners
https://www.youtube.com/watch?v=-nSVv5dE7Xo


Endwall 08/30/2016 (Tue) 23:18:14 [Preview] No. 462 del
Ars Technica
Officials blame “sophisticated” Russian hackers for voter system attacks
Sean Gallagher - Aug 30, 2016 7:12 pm UTC
The profile of attacks on two state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI.

Arizona Secretary of State Office Communications Director Matt Roberts told the Post's Ellen Nakashima that the FBI had alerted Arizona officials in June of an attack by Russians, though the FBI did not state whether they were state-sponsored or criminal hackers. The attack did not gain access to any state or county voter registration system, but the username and password of a single election official was stolen. Roberts did not respond to requests from Ars for clarification on the timeline and other details of the attack.

Based on the details provided by Roberts to the Post, it's not clear if the Arizona incident was one of the two referred to in the FBI "Flash" published this month. The FBI has not responded to questions about the memorandum on the attacks first published publicly by Yahoo News' Michael Isikoff, but a SQL injection attack wouldn't seem to be the likely culprit for stealing a single username and password. It's more likely that the Gila County election official whose credentials were stolen was the victim of a phishing attack or malware.

The Illinois breach was described in detail by a message to county election officials by Kyle Thomas of the Illinois State Board of Elections. The attack was detected on July 12 and caused the state to revert to paper voter registration for more than a week. The paperless Illinois Voter Registration System (IVRS) was specifically targeted by the attack, Thomas said:

"On July 13th, once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration. The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application. The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity. We have found no evidence that they added, changed, or deleted any information in the IVRS database. Their efforts to obtain voter signature images and voter history were unsuccessful. They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected."

The characterization of the attack on the Illinois system as "highly sophisticated" doesn't necessarily match the techniques described by the FBI Cyber Division's memorandum. As Thomas noted, the attackers used a public, non-secure webpage to gain access—a page that tapped directly into the voter rolls from outside the firewall without any data validation.

And as Ars reported yesterday, the vulnerability was discovered by the attackers with software from Acunetix, a security tools firm based in London and Malta, along with other free and open source software—software that is usually used to validate the security of websites rather than break into them.

"Acunetix automatically crawls and scans websites and Web applications to identify Web application level vulnerabilities that may then be exploited to gain access to databases and other trusted systems," said Acunetix General Manager Chris Martin in an e-mail to Ars. "The idea behind Acunetix is for a website owner to use it to assess the security posture of its website and Web applications for exploitable code before the bad guys get to do that for their own nefarious aims."

Martin said that the Acunetix team had checked the IP addresses mentioned in the FBI report as the source of the attackers' scans and said that they "cannot link those IP addresses to any legitimate installation of Acunetix technology. Unfortunately, as with all successful independent software vendors, Acunetix is pirated, and illegal unlicensed copies are used without authorization." He added that Acunetix is volunteering assistance to the FBI in its investigation.

For what it's worth, voter registration rolls in Illinois are public records, supplied widely to campaigns and other organizations for direct-mail campaigns. And after the attack, passwords were reset on the IVRS—with a new password policy requiring a minimum of eight characters, at least one being non-alphanumeric.
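The Illinois description above comes down to one defect: a public status-check page that passed the applicant's input straight into a database query with no validation. The following is an added example, not code from the article or from the IVRS, that shows the defect beside its two fixes in Python with an in-memory SQLite table. The table, the column names, the `A-NNNN` id format and the sample rows are all constructed for the example; the password policy function reflects the eight-character, one-non-alphanumeric rule the article reports.

```python
import re
import sqlite3

# Constructed sample table standing in for an application-status lookup;
# the schema, ids and names are assumptions made for this example.
SAMPLE_ROWS = [
    ("A-1001", "Doe", "pending"),
    ("A-1002", "Roe", "approved"),
    ("A-1003", "Poe", "rejected"),
]

# Classic tautology payload, used here only to show the difference between
# the two lookups below.
INJECTED_INPUT = "' OR '1'='1"


def build_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (app_id TEXT PRIMARY KEY, last_name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO applications VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def status_lookup_vulnerable(conn, app_id):
    """Builds the statement by string concatenation: the user's input becomes
    part of the SQL text, so a quote in the input changes the query's logic
    (the pattern the Illinois page had)."""
    sql = (
        "SELECT app_id, last_name, status FROM applications "
        "WHERE app_id = '" + app_id + "'"
    )
    return conn.execute(sql).fetchall()


def status_lookup_parameterized(conn, app_id):
    """Passes the input as a bound parameter: the driver treats it purely as
    data, so quotes and SQL keywords in it cannot alter the statement."""
    return conn.execute(
        "SELECT app_id, last_name, status FROM applications WHERE app_id = ?",
        (app_id,),
    ).fetchall()


# Allow-list for the application id format (an assumed format for this example).
APP_ID_RE = re.compile(r"A-\d{4}")


def status_lookup_validated(conn, app_id):
    """Defence in depth: reject anything that is not a well-formed id before it
    reaches the database, then run the parameterized query."""
    if not APP_ID_RE.fullmatch(app_id):
        raise ValueError("malformed application id")
    return status_lookup_parameterized(conn, app_id)


def password_meets_policy(password):
    """The policy the article reports after the reset: at least eight
    characters, at least one of them non-alphanumeric."""
    return len(password) >= 8 and any(not ch.isalnum() for ch in password)


if __name__ == "__main__":
    conn = build_db()
    # The concatenated query returns every row for the injected input;
    # the parameterized one returns nothing, because no id equals that string.
    print("vulnerable:   ", status_lookup_vulnerable(conn, INJECTED_INPUT))
    print("parameterized:", status_lookup_parameterized(conn, INJECTED_INPUT))
```

The allow-list check is not a substitute for the bound parameter; it is a second layer that also keeps malformed ids out of the logs and error paths, and it is the kind of "data validation" the Ars piece notes was absent.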


Endwall 08/30/2016 (Tue) 23:23:51 [Preview] No. 463 del
Security Affairs
Saudi government facilities hit by cyber attacks, Saudi cyber experts convened
http://securityaffairs.co/wordpress/50795/cyber-crime/saudi-cyber-experts.html
August 30, 2016 By Pierluigi Paganini
Saudi government facilities have been hit by cyber attacks; the Government is investigating with the support of Saudi cyber experts.
Saudi government facilities have been targeted by major cyber attacks; in response, the Government has convened a group of cyber experts to examine the events. According to the Saudi Press Agency, Saudi cyber experts held urgent talks on Tuesday after the cyber attack “in recent weeks targeted government institutions and vital installations in the kingdom.” At the time of writing there is no information about the targeted agencies nor about the alleged threat actor behind the cyber attacks against Saudi infrastructure.
The Saudi cyber security experts were involved in the investigation and, according to the Saudi Press Agency, the kingdom’s Cybersecurity Centre “held an urgent workshop with a number of parties” to discuss the results of its investigations. The attacks were launched from abroad; attackers targeted Saudi websites with spyware to steal sensitive information from the targets. This isn’t the first time that Saudi websites were hit by cyber attacks; in June hackers attacked a major Saudi newspaper and gained control of it to publish fake news. The Saudi cyber experts analyzed the attacks and proposed the necessary countermeasures to defeat the threat and protect the information targeted by the hackers. Experts exposed the “necessary procedures to fix and to protect those sites”, reported the Saudi Press Agency. The most clamorous attack against Saudi government facilities occurred in 2012 when a virus infected 30,000 workstations of one of the world’s largest energy companies, Saudi Aramco.


Endwall 08/31/2016 (Wed) 00:17:17 [Preview] No. 464 del
Security Affairs
The RIPPER malware linked to the recent ATM attacks in Thailand
http://securityaffairs.co/wordpress/50763/breaking-news/atm-ripper-malware.html
August 30, 2016 By Pierluigi Paganini
Experts from FireEye who analyzed the RIPPER malware believe it was used by crooks in the recent wave of cyber attacks against ATMs in Thailand.
Earlier this month a malware was used by a criminal organization to steal 12 million baht from ATMs in Thailand. According to FireEye, the malware was uploaded for the first time to the online scanning service VirusTotal on Aug. 23, 2016. The malicious code was uploaded from an IP address in Thailand a few minutes after the cyber heist was reported by media. Experts from FireEye who analyzed the malware, dubbed RIPPER because researchers found the “ATMRIPPER” name in the sample, revealed that it implemented techniques not seen before.

Hackers belonging to a cybercrime gang from Eastern Europe have stolen over 12 Million Baht (approximately US$346,000) from 21 ATMs in Thailand. The Central Bank of Thailand (BoT) has issued a warning to all the banks operating in the country about security vulnerabilities that plague roughly 10,000 ATMs. It seems that hackers exploited such flaws to steal cash from the ATMs. The same gang was involved in similar attacks against the top eight banks in Taiwan. In Taiwan, the thieves stole NT$70 Million ($2.2 Million) in cash, forcing the banks to shut down hundreds of their cash machines. The warning issued by the Central Bank of Thailand follows the decision of the Government Savings Bank (GSB) to shut down roughly 3,000 ATMs of its 7,000 machines in response to a recent wave of attacks that targeted its machines.

According to FireEye, the RIPPER malware borrows multiple features from other ATM malware:

* Targets the same ATM brand.
* The technique used to expel currency follows the same strategy (already documented) performed by Padpin (Tyupkin), SUCEFUL and GreenDispenser.
* Similar to SUCEFUL, it is able to control the Card Reader device to Read or Eject the card on demand.
* Can disable the local network interface, similar to capabilities of the Padpin family.
* Uses the “sdelete” secure deletion tool, similar to GreenDispenser, to remove forensic evidence.
* Enforces a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor.

The RIPPER malware also implements new features; for example, it was designed to target three of the main ATM vendors worldwide, which is a first. The RIPPER malware interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip; with this mechanism crooks authenticate themselves to the cash machine. This mechanism is uncommon; the Skimmer uses this method too.

In order to gain persistence, the RIPPER malware uses either a standalone service or masquerades as a legitimate ATM process. When RIPPER is installed as a service, it first kills the process “dbackup.exe”, then replaces it with its binary, then it installs the persistent service “DBackup Service.”

“RIPPER can stop or start the “DBackup Service” with the following arguments: “service start” or “service stop”. RIPPER also supports the following command line switches:

/autorun: Will Sleep for 10 minutes and then run in the background, waiting for interaction.

/install: RIPPER will replace the ATM software running on the ATM as follows: Upon execution, RIPPER will kill the processes running in memory for the three targeted ATM Vendors via the native Windows “taskkill” tool. RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion,” continues FireEye.

When the RIPPER malware is executed without any parameters, it performs a series of actions, such as connecting with the local peripherals (i.e. Cash Dispenser, Card Reader, and the Pinpad). When the threat detects a card with a malicious EMV chip, it starts a timer to allow a crook to control the ATM via the Pinpad. The crooks can perform multiple malicious actions, including clearing logs and shutting down the ATM local network interface.
Back to the Thailand attacks, below are reported similarities between the RIPPER malware and the malicious code used by the gang.
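The persistence technique described above, replacing a legitimate vendor executable with the malware under the same name, is exactly what a file-integrity baseline catches: the name and location are unchanged, but the hash is not. The following is an added example, not FireEye's code or any ATM vendor's, showing such a baseline in Python. It builds a SHA-256 inventory of executables under a directory, then re-scans and reports files that were modified, added or removed. The directory, file names and contents are constructed in a temporary folder for the demonstration; the name `dbackup.exe` is reused only because the article mentions it, and the bytes are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as monitored binaries (an assumption for this example).
MONITORED_SUFFIXES = (".exe", ".dll")


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, suffixes=MONITORED_SUFFIXES):
    """Map each monitored file (path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        str(path.relative_to(root)): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix.lower() in suffixes
    }


def compare(baseline, current):
    """Diff two inventories: same name but different hash means the binary was
    swapped in place; a new name is an unexpected binary; a missing name was deleted."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate the replacement the
    article describes and a new binary appearing, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor_dir = Path(tmp) / "vendor_atm"          # placeholder directory
        vendor_dir.mkdir()
        (vendor_dir / "dbackup.exe").write_bytes(b"constructed legitimate backup agent")
        (vendor_dir / "dispenser.dll").write_bytes(b"constructed dispenser library")
        (vendor_dir / "readme.txt").write_bytes(b"not a monitored file type")

        baseline = build_baseline(vendor_dir)

        # Simulated tampering: same file name, different contents; plus a new binary.
        (vendor_dir / "dbackup.exe").write_bytes(b"constructed replacement binary")
        (vendor_dir / "svc.exe").write_bytes(b"constructed new binary")

        return compare(baseline, build_baseline(vendor_dir))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline has to be stored somewhere the ATM itself cannot rewrite (the article notes the malware also uses `sdelete` to clean up after itself), and the check should run from a trusted host or at boot from read-only media; a baseline kept next to the binaries it protects is only as trustworthy as the box it sits on.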


Endwall 08/31/2016 (Wed) 00:19:41 [Preview] No. 465 del
Australian Government Computer Networks Breached In Cyber Attacks As Experts Warn Of Espionage Threat
http://www.pireport.org/articles/2016/08/29/australian-government-computer-networks-breached-cyber-attacks-experts-warn
Submitted by PIR Editor on Mon, 08/29/2016 - 12:30
Intelligence sources say they suspect the attackers in these cases were sponsored by China
By Linton Besser, Jake Sturmer and Ben Sveen

MELBOURNE, Australia (Radio Australia, August 29, 2016) – Sensitive Australian Government and corporate computer networks — including those holding highly confidential plans for a privately financed geostationary communications satellite — have been penetrated by sophisticated cyber attacks, a Four Corners investigation has established.

Austrade and the Defence Department's elite research division, now named the Defence Science Technology Group, both suffered significant cyber infiltrations in the past five years by hackers based in China. Intelligence sources say they suspect the attackers in these cases were sponsored by Beijing.

Four Corners has also confirmed Newsat Ltd, an Australian satellite company whose assets were sold off last year after the company went into administration, was so comprehensively infiltrated three years ago that its entire network had to be rebuilt in secret.

But these incidents, revealed for the first time, are only a fraction of the cyber attacks being waged against Australian governments and companies. The Prime Minister's cyber security adviser, Alastair MacGibbon, told the program the Australian Government was "attacked on a daily basis". "We don't talk about all the breaches that occur," he said.

Former Central Intelligence Agency boss Michael Hayden, who also served for six years as the head of the US electronic spying division, the National Security Agency (NSA), said both Australia and the US had to harden up their defences and "protect their data" from foreign cyber attacks. "It is what adult nation states do to one another," he said. "What my dad told me when I came home beat up from a fight once when I was about 10 years old: 'Quit crying, act like a man and defend yourself.'"

A spokesman for the Chinese Embassy in Canberra denied China had conducted any cyber espionage against Australian interests, calling such allegations "totally groundless" and "false cliches".
"Like other countries, China suffers from serious cyber attacks and is one of the major victims of hacking attacks in the world," he said.

Defence assets may have been target in BoM hack

Four Corners has also been given fresh details about the high-profile hack of the Bureau of Meteorology (BoM), which was officially confirmed by Mr Turnbull earlier this year. Government and industry sources said the true targets for the cyber attack may have been defence assets linked to the BoM and its vast data-collection capabilities. One was the Australian Geospatial-Intelligence Organisation, an intelligence agency within the Department of Defence which provides highly detailed mapping information for military and espionage purposes. The other was the Jindalee Operational Radar Network (JORN), a high-tech over-the-horizon radar run by the Royal Australian Air Force. JORN provides 24-hour military surveillance of the northern and western approaches to Australia but also assists in civilian weather forecasting.

Four Corners was told the cyber attack failed to reach into these networks, and that it was "sandboxed", or contained within the BoM. Intelligence sources confirmed the attack was attributed to China, which was again denied by Beijing.

Mr MacGibbon said he did not know what the intention was of the people who compromised the system. "I would say to you that people who compromise systems will usually try to find a way to move laterally through it. If that means through a third party that's what they'll try to do," he said.

The Australian Signals Directorate (ASD) has conducted detailed investigations into the cyber intrusion, but its boss, Dr Paul Taloni, declined to comment. A former high-ranking intelligence officer told Four Corners the Defence Department itself had significant, unresolved, cyber-security issues and had "to look at itself".
He confirmed that in about 2011 the Defence Science Technology Organisation had been successfully hacked by China-sponsored hackers, but declined to provide any further details citing national security concerns. A spokesman for the Defence Science Technology Group said: "Defence policy is to not comment on matters of national security."

Sensitive information 'stolen for profit'

Mr Hayden said, however, China's efforts against Australia had been primarily focused on "the theft of information, and really by and large the theft of information for commercial profit", activities which he said go beyond acceptable state-on-state espionage.

The Newsat attack by China-based hackers may be a case in point. "Given we were up against China, state-sponsored, a lot of money behind them and a lot of resources and we were only a very small IT team, it certainly wasn't a fair fight for us," Newsat's former IT manager Daryl Peter said.

While the company carried communications for resources and fossil fuel companies, as well as the US military's campaign in Afghanistan, Mr Peter said the real target for the cyber infiltration was its plans for a Lockheed Martin-designed satellite dubbed Jabiru-1. "A company like Lockheed Martin, they have restrictions on the countries where they can build their satellites," he said. "So a country like China being able to get a hold of confidential design plans would be very beneficial for them because it's not something they would see or be able to have access to."

Mr Peter was first told about the hack of the company in 2013 at a top-level meeting with ASD. The issue had come to a head because of Newsat's advanced plans to employ a restricted encryption tool for use with the new satellite designed by the US Government's NSA. ASD refused to release the tool to Newsat until it tackled the sophisticated cyber intrusion, with intelligence officials telling the company its networks were "the most corrupted" they had seen.
"They actually said to us that we were the worst," Mr Peter said. "What came out of that meeting was we had a serious breach on our network and it wasn't just for a small period of time, they'd been inside our network for a long period, so maybe about two years. And the way it was described to us was they are so deep inside our network it's like we had someone sitting over our shoulder for anything we did."

To rid the network of the infestation, Mr Peter had to build a parallel network in secret so as to not tip off the hackers that had been identified. That work took almost a year and cost the better part of $1 million.

Mr MacGibbon said the revelations were no surprise. "I can't say which particular nation state would get involved in getting into a telecommunications system but I can understand why a nation state would," he said. "If you wanted to listen to someone's communications that's probably a good place to start."

Austrade regularly challenged by security issues

Australia's trade and investment commission, Austrade, has had persistent problems with cyber security, Four Corners has learned. The discovery of a major infestation in the Austrade network was made during work that began in 2013 within the department to develop a new data centre and a redesigned IT infrastructure. In March 2014, the agency's cyber security regime underwent an ASD-designed security assessment required because Austrade not only carries sensitive communications but works closely with the Department of Foreign Affairs and Trade. An intelligence community figure said the tests resulted in a "series of red flags". He said the infiltration was "covering the network".
Austrade brought in UXC Saltbush, a cyber security contractor, to investigate its networks and put mitigation works in place to prevent future breaches.

A former high-ranking intelligence official said the Austrade breach followed a previous problem in 2011, which was a textbook example of a "successful [and] deeper penetration".

Jim Dickins, an Austrade spokesman, said the organisation "faces ongoing and fluid challenges to its information technology security". "Austrade has worked with the Australian Signals Directorate on occasion to contain and eradicate threats but is unable to comment on specific instances. Mitigation strategies developed on those occasions are applied on an ongoing basis."

The intelligence community figure said the problems had still not been entirely addressed because of the high cost of a comprehensive network-wide security upgrade, but Mr Dickins denied there were any "significant" persistent issues. "Austrade is not currently dealing with any significant threats or breaches of its network," he said.

A third intelligence source told Four Corners that "Austrade is inherently vulnerable" because of its international footprint and reliance on locally-employed staff. "People are getting breached all the time," he said.


Endwall 08/31/2016 (Wed) 00:36:24 [Preview] No. 466 del
Hacker News
Two US State Election Systems Hacked to Steal Voter Databases — FBI Warns
http://thehackernews.com/2016/08/election-system-hack.html
Monday, August 29, 2016 Mohit Kumar
A group of unknown hackers or an individual hacker may have breached voter registration databases for election systems in at least two US states, according to the FBI, which found evidence during an investigation this month. Although no intrusion into the state voting systems has been reported, the FBI is currently investigating the cyberattacks on the official websites for the voter registration systems in both Illinois and Arizona, said Yahoo News.

The FBI's Cyber Division released a "Flash Alert" to election offices and officials across the United States, asking them to watch out for any potential intrusions and take better security precautions.

"In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website," the FBI alert reads. "The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor."

The SQL injection attack on the Illinois state board website took place in late July, which brought down the state’s voter registration for ten days and siphoned off data on as many as 200,000 registered voters. However, the Arizona attack was less significant, as the hackers were not able to discover any potential loophole using a vulnerability scanning tool which could have allowed them to steal any data successfully.

In the wake of these attacks, the FBI also advised the ‘Board of Elections’ of all States to investigate their server logs and determine whether any similar SQL injection, privilege escalation attempts, or directory enumeration activity has occurred.

Last December, a misconfigured 300GB database also resulted in the exposure of around 191 Million US voter records, including their full names, home addresses, unique voter IDs, dates of birth and phone numbers.

Why Blame Russia, Always? There's No Evidence Yet

The attacks against the state election boards came weeks after the DNC hack that leaked embarrassing emails about the party, leading to the resignation of DNC (Democratic National Committee) Chairwoman Debbie Wasserman Schultz. Some security experts and law enforcement agencies raised concerns about politically motivated hacking, pointing the finger at Russian state-sponsored hackers in an attempt to damage Hillary Clinton’s presidential campaign.

Although the FBI does not attribute the recent attacks to any particular hacking group or country, Yahoo News links the attacks to Russia on the basis of IP addresses involved. However, those IP addresses that the FBI said were associated with the attacks belong to a Russian VPN service, which does not prove that the Russians are behind the attacks. It's believed that the hacks were carried out to disturb the election process either by altering voting totals in the database or by modifying the voter registration page.

Script-Kiddie Move Reveals Everything

But, by scanning the website with a vulnerability scanner and downloading the whole database, the ‘script-kiddies’ themselves made a rod for their own back, which indicates that they are neither sophisticated state-sponsored hackers nor had any intention to influence the election covertly. Neither the Illinois nor Arizona board of elections has responded to these hack attempts.
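The FBI alert above names three things a board of elections should look for in its web server logs: SQL injection attempts, activity from scanning tools (Acunetix, SQLmap, DirBuster), and directory enumeration. The following is an added example, not the FBI's or any state's tooling, that runs that triage in Python over Apache combined-format log lines. Every line, address (RFC 5737 documentation ranges), path and user-agent string in the sample is constructed for the example; the SQL-injection patterns are a coarse heuristic, the tool names come from the alert, and the five-404 threshold for flagging enumeration is an assumption to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Coarse SQL-injection markers, matched against the URL-decoded request path.
SQLI_RE = re.compile(
    r"(?i)(?:\bunion\b\s+(?:all\s+)?select\b"   # UNION-based extraction
    r"|'\s*(?:or|and)\b"                        # quote breaking out of a string literal
    r"|\bor\b\s+'?\w+'?\s*=\s*'?\w+"            # tautology such as OR 1=1
    r"|\bsleep\s*\(|\bwaitfor\s+delay\b"        # time-based probes
    r"|--\s*$)"                                 # trailing SQL comment
)

# Tools named in the FBI alert, as they commonly identify themselves in User-Agent.
SCANNER_UA_RE = re.compile(r"(?i)(?:sqlmap|acunetix|dirbuster)")

# Constructed sample log (placeholder paths, RFC 5737 addresses, made-up agents).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2016:10:14:01 -0500] "GET /check_status?app_id=A-1001 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2016:10:15:07 -0500] "GET /check_status?app_id=A-1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9871 "-" "sqlmap/1.0.8"
203.0.113.10 - - [12/Jul/2016:10:15:09 -0500] "GET /check_status?app_id=1%20UNION%20SELECT%20app_id,last_name%20FROM%20applications-- HTTP/1.1" 200 10244 "-" "sqlmap/1.0.8"
203.0.113.25 - - [12/Jul/2016:10:20:01 -0500] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
203.0.113.25 - - [12/Jul/2016:10:20:01 -0500] "GET /backup/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
203.0.113.25 - - [12/Jul/2016:10:20:02 -0500] "GET /old/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
203.0.113.25 - - [12/Jul/2016:10:20:02 -0500] "GET /test/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
203.0.113.25 - - [12/Jul/2016:10:20:03 -0500] "GET /db/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
198.51.100.7 - - [12/Jul/2016:10:21:30 -0500] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    # Decode %27, %20 etc. so the SQL markers are visible to the regex.
    record["decoded_path"] = unquote_plus(record["path"])
    return record


def triage(lines, dir_enum_threshold=5):
    """Return {ip: sorted list of findings} for every source that tripped a check.

    Findings: "sqli" (injection marker in the request), "scanner_ua" (tool
    named in the alert), "dir_enum" (>= threshold 404s from one address)."""
    findings = defaultdict(set)
    not_found = defaultdict(int)
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        ip = record["ip"]
        if SQLI_RE.search(record["decoded_path"]):
            findings[ip].add("sqli")
        if SCANNER_UA_RE.search(record["ua"]):
            findings[ip].add("scanner_ua")
        if record["status"] == 404:
            not_found[ip] += 1
            if not_found[ip] >= dir_enum_threshold:
                findings[ip].add("dir_enum")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in sorted(triage(SAMPLE_LOG).items()):
        print(ip, ", ".join(tags))
```

The user-agent check is the weakest of the three (a tool's agent string is trivially changed), which is why the request-content and status-pattern checks matter more; conversely a single browser 404 such as the favicon line above is left alone. Privilege escalation attempts, also named in the alert, generally show up in application and system logs rather than the web access log, so they are outside what this script reads.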


Endwall 08/31/2016 (Wed) 00:53:59 [Preview] No. 467 del
Kaspersky
Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool
Woburn, MA, August 30, 2016 – At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia. It was the largest financial cybercrime group to be caught in recent years. However, this wasn’t the only cybercriminal activity the Lurk group has been involved in. According to analysis of the IT infrastructure behind the Lurk malware, its operators were developing and renting their exploit kit out to other cybercriminals. Their Angler exploit kit is a set of malicious programs capable of exploiting vulnerabilities in widespread software and silently installing additional malware on PCs. For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybecriminal groups involved in propagating different kinds of malware used it: from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware – one of the most active and dangerous ransomware threats online – TeslaCrypt and others. Angler was also used to propagate the Neverquest banking Trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group. As research conducted by Kaspersky Lab security experts has showed, the Angler exploit kit was originally created for a single purpose: to provide the Lurk group with a reliable and efficient delivery channel, allowing their banking malware to target PCs. Being a very closed group, Lurk tried to accumulate control over their crucial infrastructure instead of outsourcing some parts of it as other groups do. But in 2013, things changed for the gang, and they opened access to the kit to all who were willing to pay. 
“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main “business” – cyber-robbing organizations – was decreasing due to a set of security measures implemented by remote banking system software developers. These made the process of theft much harder for these hackers. But by that time Lurk had a huge network infrastructure and a large number of “staff” - and everything had to be paid for. They therefore decided to expand their business, and they succeeded to a certain degree. While the Lurk banking Trojan only posed a threat to Russian organizations, Angler has been used in attacks against users worldwide,” explained Ruslan Stoyanov, head of computer incident investigations. The Angler exploit kit – its development and support – wasn’t the only Lurk group side activity. Over more than a five year period, the group moved from creating very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft schemes involving SIM-card swap fraud and hacking specialists familiar with the inside infrastructure of banks. All Lurk group actions during this time were monitored and documented by Kaspersky Lab security experts. Read more about how Kaspersky Lab researched the activity of the Lurk group over five years in an article by Ruslan Stoyanov on Securelist.com.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats.
Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.


Endwall 08/31/2016 (Wed) 00:59:49 [Preview] No. 468 del
Security Affairs
The Network of NewSat satellite telco firm was the ‘most corrupted’ ever
http://securityaffairs.co/wordpress/50685/intelligence/newsat-satellite-hacked.html
August 29, 2016 By Pierluigi Paganini
The Network of NewSat satellite firm was the ‘most corrupted’ ever; it was hacked by foreign hackers and it had interception kit in its data centre.
The story demonstrates the high interest of spy agencies in hacking communication systems. Once upon a time, the Australian satellite company was deeply hacked by cyber spies that completely corrupted its network. The company is not out of the business, its assets were sold off last year after it went into administration. According to a former staffer that has spoken on condition of anonymity to the Australian Broadcasting Corporation, it was ‘the most corrupted’ network the nation’s intelligence had encountered. According to the ABC broadcast, the news of the hack was already reported in 2013, when the company reported the security breach to the Australian Signals Directorate. The Chinese nation-state hackers made the organization “the most corrupted network [the Directorate had ever seen]”, the ABC reports. Former Central Intelligence Agency Chief Michael Hayden declared that China’s efforts against Australia aimed at “the theft of information, and really by and large the theft of information for commercial profit.” According to the official, hackers were interested in sensitive information such as the plans for a Lockheed Martin-designed satellite dubbed Jabiru-1. “Given we were up against China, state-sponsored, a lot of money behind them and a lot of resources and we were only a very small IT team, it certainly wasn’t a fair fight for us,” Newsat’s former IT manager Daryl Peter said. The issue had come to the headlines because the Newsat company was planning to install a restricted encryption tool to allow the NSA to spy on satellite communications, so it notified its intent to the ASD. The Australian Signals Directorate refused to release the encryption tool to Newsat until it was able to eradicate the intruders from its systems. Intelligence officials replied to the company, telling it its networks were “the most corrupted” they had seen.
[Image caption: Australian satellite company Newsat Ltd was forced to rebuild its entire network in secret. (Four Corners)]
Intelligence officials who examined the Newsat infrastructure confirmed it was “the most corrupted” they had seen. “They actually said to us that we were the worst,” Mr Peter said. “What came out of that meeting was we had a serious breach on our network and it wasn’t just for a small period of time, they’d been inside our network for a long period, so maybe about two years. And the way it was described to us was they are so deep inside our network it’s like we had someone sitting over our shoulder for anything we did.” According to the anonymous source that has revealed the story to the ABC, the Newsat network was completely rebuilt. Anyway, the NewSat company installed an Australian Government communications interception system in its data centre, but the Australian Government had refused to deploy the restricted NSA encryption tool due to the security breach it discovered. “They (NewSat) had a lot of dealings with Middle East organisations,” the source said. Let me suggest reading a detailed analysis published by the ABC’s Four Corners that confirms Australian Government computer networks were breached by hackers.


Endwall 08/31/2016 (Wed) 01:08:46 [Preview] No. 470 del
Security Affairs
Minecraft World Map data breach, 71,000 accounts leaked online
http://securityaffairs.co/wordpress/50771/data-breach/minecraft-world-map-hack.html
The popular security expert Troy Hunt reported some 71,000 user accounts and IP addresses have been leaked from the website Minecraft World Map.
Another data breach affects the gaming industry; this time, 71,000 Minecraft World Map accounts have been leaked online after the ‘hack.’ Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map. The Minecraft World Map site is very popular within the Minecraft gaming community; gamers can use the web property to share the worlds they have built. The popular security expert Troy Hunt reported the data dumps that include 71,000 user accounts and IP addresses.
New breach: Minecraft World Map had 71k user accounts hacked in Jan. 55% were already in @haveibeenpwned https://t.co/hv1u9SmRVj — Have I been pwned? (@haveibeenpwned) 29 August 2016
Exposed records include email addresses, IP address data and login credentials for the popular site Minecraft World Map; Troy Hunt clarified that passwords included in the dumps were salted and hashed.
A rapid check allowed the Australian expert to verify that more than half of the compromised accounts were already listed in his online service haveibeenpwned.com, which allows users to discover if they have an account that has been compromised in a data breach. According to the experts, the website Minecraft World Map was breached in January 2016, but the incident was not publicly reported. “In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords. Compromised data: Email addresses, IP addresses, Passwords, Usernames” Hunt wrote on his website. Users have to reset their passwords on the Minecraft World Map and on any other website that shares the same login credentials. This is the latest incident in the gaming industry to be disclosed online; recently security vulnerabilities in the vBulletin platform exposed more than 27 million accounts, many of them belonging to gamers on mail.ru. Taking a close look at the compromised mail.ru accounts, they come from CFire, parapa.mail.ru (ParaPa Dance City game), and tanks.mail.ru (Ground War: Tank game).


Endwall 08/31/2016 (Wed) 01:10:28 [Preview] No. 471 del
IT WORLD
Attackers deploy rogue proxies on computers to hijack HTTPS traffic
http://www.itworld.com/article/3114065/attackers-deploy-rogue-proxies-on-computers-to-hijack-https-traffic.html
The new attack uses Word documents loaded with malicious code
Lucian Constantin * IDG News Service | August 30, 2016
Security researchers have highlighted in recent months how the web proxy configuration in browsers and operating systems can be abused to steal sensitive user data. It seems that attackers are catching on. A new attack spotted and analyzed by malware researchers from Microsoft uses Word documents with malicious code that doesn't install traditional malware, but instead configures browsers to use a web proxy controlled by attackers. In addition to deploying rogue proxy settings, the attack also installs a self-signed root certificate on the system so that attackers can snoop on encrypted HTTPS traffic as it passes through their proxy servers. The attack starts with spam emails that have a .docx attachment. When opened, the document displays an embedded element resembling an invoice or receipt. If clicked and allowed to run, the embedded object executes malicious JavaScript code. The JavaScript code is obfuscated, but its purpose is to drop and execute several PowerShell scripts. PowerShell is a scripting environment built into Windows that allows the automation of administrative tasks. One of the PowerShell scripts deploys a self-signed root certificate that will later be used to monitor HTTPS traffic. Another script adds the same certificate to the Mozilla Firefox browser, which uses a separate certificate store than the one in Windows. The third script installs a client that allows the computer to connect to the Tor anonymity network. That's because the attackers use a Tor .onion website to serve the proxy configuration file. The system's proxy auto-config setting is then modified in the registry to point to the .onion address. This allows attackers to easily change the proxy server in the future if it's taken offline by researchers. "At this point, the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned," the Microsoft researchers said in a blog post.
"This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information or web credentials could be stolen remotely, without user awareness." Researchers from the SANS Internet Storm Center recently reported a similar attack from Brazil, where hackers installed rogue proxies on computers in order to hijack traffic to an online banking website. A rogue root CA certificate was deployed in that case as well in order to bypass HTTPS encryption. At the DEF CON and Black Hat security conferences earlier this month, several researchers showed how man-in-the-middle attackers can abuse the Web Proxy Auto-Discovery (WPAD) protocol to remotely hijack people's online accounts and steal their sensitive information, even when those users access websites over encrypted HTTPS or VPN connections.

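A host-side check for the two artefacts the article describes, a proxy auto-config URL pointing at a .onion address and an unexpected self-signed root certificate, as an added example that is not code from the article or from Microsoft's write-up. It parses a constructed `reg export` of the per-user Internet Settings key and a constructed dump of the machine's Root store; the .onion hostname, the certificate names and the thumbprints are placeholders invented here, and the baseline of known roots is something each organisation supplies from its own deployment records. The same baseline comparison applies to Firefox's separate certificate store.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a `reg export` of the per-user WinINet proxy settings.
# The .onion hostname is a placeholder invented for this example, not an
# indicator from the article or from Microsoft's write-up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"=""
"AutoConfigURL"="http://exampleplaceholderonion.onion/proxy.pac"
"""

# Constructed dump of the Root store (subject, issuer, thumbprint); every
# thumbprint here is fake and serves only to make the comparison concrete.
SAMPLE_ROOT_STORE = [
    {"subject": "CN=Example Vendor Root CA", "issuer": "CN=Example Vendor Root CA",
     "thumbprint": "AAAA0001"},
    {"subject": "CN=Corp Internal Root", "issuer": "CN=Corp Internal Root",
     "thumbprint": "AAAA0002"},
    {"subject": "CN=Secure Web Updates", "issuer": "CN=Secure Web Updates",
     "thumbprint": "FFFF9999"},
]

# Thumbprints of roots the organisation knows it deployed (constructed baseline).
KNOWN_ROOT_THUMBPRINTS = {"AAAA0001", "AAAA0002"}


def parse_reg_values(text):
    """Return {name: raw_value} for every "name"=value line of a .reg export."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def decode_reg_value(raw):
    """Decode the two value encodings this check needs: dword:hex and "string"."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def assess_proxy_settings(values):
    """Flag the pattern from the article: a PAC URL on a Tor hidden service.
    An enabled static proxy is reported too, for comparison with the deployed config."""
    findings = []
    raw_pac = values.get("AutoConfigURL")
    if raw_pac:
        pac_url = decode_reg_value(raw_pac)
        host = (urlsplit(pac_url).hostname or "").lower()
        if host.endswith(".onion"):
            findings.append("AutoConfigURL points at a Tor hidden service: " + pac_url)
    if decode_reg_value(values.get("ProxyEnable", "dword:00000000")) == 1:
        server = decode_reg_value(values.get("ProxyServer", '""'))
        findings.append("static proxy enabled: " + server)
    return findings


def find_unexpected_roots(store, known_thumbprints):
    """Return thumbprints of self-signed certs (subject == issuer) not in the baseline."""
    return [c["thumbprint"] for c in store
            if c["subject"] == c["issuer"] and c["thumbprint"] not in known_thumbprints]


if __name__ == "__main__":
    for finding in assess_proxy_settings(parse_reg_values(SAMPLE_REG_EXPORT)):
        print("PROXY:", finding)
    for thumbprint in find_unexpected_roots(SAMPLE_ROOT_STORE, KNOWN_ROOT_THUMBPRINTS):
        print("ROOT :", thumbprint)
```

A real `reg export` file is UTF-16LE with a byte-order mark, so decode it before handing the text to `parse_reg_values`; the sample above is already plain text. Both checks are only as good as the baseline: a PAC URL that is not an .onion address but also not the one your management tooling deploys deserves the same attention.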

Endwall 08/31/2016 (Wed) 01:12:44 [Preview] No. 472 del
Comey: FBI wants 'adult conversation' on device encryption
http://www.sfgate.com/business/technology/article/Comey-FBI-wants-adult-conversation-on-device-9192617.php
Eric Tucker, Associated Press, Updated 4:33 pm, Tuesday, August 30, 2016
WASHINGTON (AP) — FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. The Justice Department decided within the last year to not seek a legislative resolution, and some of the public debate surrounding the FBI's legal fight with Apple Inc. has subsided in the last few months since federal authorities were able to access a locked phone in a terror case without the help of the technology giant. The FBI sought a court order to force Apple to help it hack into an iPhone used by one of the San Bernardino shooters, a demand the tech giant and other privacy advocates said would dramatically weaken security of its products. The FBI ultimately got in the phone with the help of an unidentified third party, leaving the legal dispute unresolved. But Comey made clear Tuesday he expects that dialogue to continue. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces — including houses, cars and electronic devices. 
But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States — through judges and law enforcement — can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that their privacy was more important than "that portion of the room being dark." He also stood by the Justice Department's decision to bring indictments against Chinese and Iranian officials in major cyberattack cases in the last two years, rejecting criticism from those who have called the criminal charges meaningless gestures unlikely to result in a conviction. "We want to lock some people up, so that we send a message that it's not a freebie to kick in the door, metaphorically, of an American company or private citizen and steal what matters to them," Comey said. "And if we can't lock people up, we want to call it out. We want to name and shame through indictments, or sanctions, or public relation campaigns, who is doing this and exactly what they're doing." Those actions can make a foreign defendant think twice before traveling overseas, and can deter governments. He said there's been progress with the Chinese government since 2014 indictments that accused five Chinese military officials of siphoning secrets from American corporations. "We are working hard to make people at keyboards feel our breath on their necks and try to change that behavior," he said. "We've got to get to a point where we can reach them as easily as they can reach us and change behavior by that reach-out."


Endwall 08/31/2016 (Wed) 01:20:30 [Preview] No. 474 del
Threatpost
Privacy Groups File FTC Complaint over WhatsApp Data Sharing with Facebook
https://threatpost.com/privacy-groups-file-ftc-complaint-over-whatsapp-data-sharing-with-facebook/120218/
by Michael Mimoso, August 30, 2016, 12:23 pm
Alleging a trail of broken promises, two privacy-focused advocacy groups yesterday filed a complaint with the Federal Trade Commission against a recent WhatsApp privacy policy change that states it will begin sharing user data with parent company Facebook. The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) said in a joint complaint that the proposed change constitutes an unfair and deceptive trade practice, and called on the FTC to investigate.
EPIC Consumer Protection Counsel Claire T. Gartland told Threatpost that the FTC has yet to reply to the complaint; the commission does not publicize investigations and filing organizations may not be notified whether the FTC proceeds on a complaint, most of which are ultimately settled without formal hearings. “EPIC will be keeping the pressure on the Commission to act, since this is such a clear violation of their numerous statements on the issue,” Gartland said. “If and when the FTC acts, they have the power to stop the proposed changes from going forward and/or enter into a settlement agreement with the companies – similar to the 2012 consent order with Facebook.” In 2012, the FTC and Facebook settled over charges that Facebook repeatedly shared information that users intended to remain private. Facebook was ordered in the settlement to give consumers “clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers’ information, and by obtaining biennial privacy audits from an independent third party,” the FTC said in a release. WhatsApp, which was acquired by Facebook two years ago for $19 billion, said last Thursday in a blogpost that it would soon begin sharing users’ phone numbers with Facebook, a move that would improve targeted advertising and connections with the friends on Facebook. “Our belief in the value of private communications is unshakeable, and we remain committed to giving you the fastest, simplest, and most reliable experience on WhatsApp,” WhatsApp said. EPIC and CDD, however, said in their complaint to the FTC that the transfer of such data was collected by WhatsApp under promises made in the early days of the Facebook acquisition that private information would not be used or disclosed for marketing purposes. 
WhatsApp says in its new policy that users will have the opportunity to choose not to share data with Facebook, rather than opt-in to the program. In the FTC complaint, EPIC and CDD point out that WhatsApp founder Jan Koum and Facebook founder Mark Zuckerberg both promised that WhatsApp would operate autonomously and that nothing would change regarding the way WhatsApp uses user data. The complaint also references a 2014 complaint filed with the FTC by EPIC and CDD that called for an investigation and possible injunction blocking the acquisition. Yesterday’s complaint cites a 2014 letter from FTC Consumer Protection Bureau director Jessica Rich to Facebook and WhatsApp officers reminding the companies of promises Facebook made to WhatsApp users, stating that any uses of WhatsApp user data for marketing and advertising purposes violates privacy promises made by the two companies, and that both must obtain consumers’ consent before doing so. “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties–promises that exceed the protections currently promised to Facebook users,” Rich wrote. “We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.” WhatsApp and Facebook combined have more than two billion users globally. WhatsApp’s messaging service in April introduced end-to-end encryption based on the Signal protocol, securing calls, messages, files, video and voice messages.


Endwall 08/31/2016 (Wed) 01:22:18 [Preview] No. 475 del
SOFTPEDIA
Danish Man Arrested for DDoS Attacks on Finnish State Websites
http://news.softpedia.com/news/danish-man-arrested-for-ddos-attacks-on-finnish-state-websites-507766.shtml
Attacker also DDoSed sites in Denmark, Norway, and the US
Aug 30, 2016 15:25 GMT · By Catalin Cimpanu ·
Danish police arrested a young Dane for launching DDoS attacks against Finnish government websites, local newspaper Yle Uutiset reports. Police did not reveal the suspect's name, but a representative of Finland's NBI's Cybercrime Centre told the press that the identity of the attacker is clear. According to Detective Chief Inspector Jyrki Kaipanen, one man was behind all the attacks. The same suspect is also being investigated by Danish authorities for similar DDoS attacks against websites in Denmark, Norway and the US. All countries collaborated on investigating the attacks, including the FBI. In Finland, authorities accused the young Dane of launching DDoS attacks against more than 200 websites, some belonging to the government. Finnish officials said the crook launched 4-5-hour-long DDoS attacks against the websites of the Social Insurance Institution (Kela), the Ministry of Defence and Parliament. The DDoS attacks took place last spring, in February and March. At the time, officials said the attacker had managed to slow down the websites, even halting functionality for hours. There are many DDoS attacks occurring on a daily basis all around the world. Most of these take place because of the low cost of renting a DDoS botnet to carry out the attacks. In most cases, perpetrators get away with their crimes, but sometimes authorities track down and arrest the attackers because they used their home connection to connect to and manage the botnet, or because the perpetrators liked to brag online, revealing their identity.


Endwall 08/31/2016 (Wed) 01:54:59 [Preview] No. 476 del
Lurk cybercrime Gang developed, maintained and rented the Angler EK
August 30, 2016 By Pierluigi Paganini
http://securityaffairs.co/wordpress/50779/cyber-crime/lurk-cybercrime-gang.html
Experts from Kaspersky Lab confirmed that the Lurk cybercrime Gang developed, maintained and rented the infamous Angler Exploit Kit.
Security experts from Kaspersky Lab have confirmed that the Lurk cybercrime group is the author of the infamous Angler exploit kit. The members of the Lurk cybercrime crew were arrested by Russian law enforcement this summer; according to the experts they also offered for rent the Angler exploit kit, which after the arrest disappeared from the exploit landscape. Law enforcement arrested suspects in June; authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan. According to the Cisco Talos researchers, after the arrests of the individuals behind the Lurk banking trojan, a rapid disappearance of the Angler EK in the wild has been observed. Malware researchers confirmed that the overall traffic related to other EKs shows a drastic fall, around 96% since early April. The Angler and Nuclear exploit kits rapidly disappeared, likely due to the operations conducted by law enforcement in the malware industry. A joint investigation conducted by the Russian Police and Kaspersky Lab allowed the identification of the individuals behind the Lurk malware. The experts now confirmed that the Lurk group was also responsible for developing and maintaining the Angler exploit kit, which they called “XXX.” Experts from Kaspersky published a blog post that details how the security firm helped law enforcement in catching the Lurk cybercrime group. The experts explained that the Lurk gang started renting the Angler Exploit Kit after their fraudulent activities became less profitable. “In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity. This included developing, maintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver Lurk to victims’ computers.
But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools.” “Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” reads the post. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.” Lurk first appeared on the scene in 2011 when its activities were first spotted by Kaspersky experts. Kaspersky initially determined the Lurk cybercrime group was composed of roughly 15 people. Across the years the number of members of the criminal gang increased to 40.
Kaspersky also provided an estimation of the cost for the Lurk infrastructure that reached tens of thousands of dollars per month. “The criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.” continues the post.


Endwall 08/31/2016 (Wed) 05:21:35 [Preview] No. 483 del
Hak 5
Was Shadow Brokers an Inside Job? - Threat Wire
https://www.youtube.com/watch?v=M_TQCqUCG-8


Endwall 08/31/2016 (Wed) 22:10:43 [Preview] No. 484 del
Hak 5
15 Second Password Hack, Mr. Robot Style - Hak5 2101 - Duration: 30 minutes.
https://www.youtube.com/watch?v=4kX90HzA0FM


Endwall 09/01/2016 (Thu) 00:19:55 [Preview] No. 485 del
Ars Technica
Building a new Tor that can resist next-generation state surveillance
http://tornews3zbdhuan5.onion/newspage/38222/
http://arstechnica.com/security/2016/08/building-a-new-tor-that-withstands-next-generation-state-surveillance/
J.M. Porup (UK) - Aug 31, 2016 12:42 pm UTC
Since Edward Snowden stepped into the limelight from a hotel room in Hong Kong three years ago, use of the Tor anonymity network has grown massively. Journalists and activists have embraced the anonymity the network provides as a way to evade the mass surveillance under which we all now live, while citizens in countries with restrictive Internet censorship, like Turkey or Saudi Arabia, have turned to Tor in order to circumvent national firewalls. Law enforcement has been less enthusiastic, worrying that online anonymity also enables criminal activity. Tor's growth in users has not gone unnoticed, and today the network first dubbed "The Onion Router" is under constant strain from those wishing to identify anonymous Web users. The NSA and GCHQ have been studying Tor for a decade, looking for ways to penetrate online anonymity, at least according to these Snowden docs. In 2014, the US government paid Carnegie Mellon University to run a series of poisoned Tor relays to de-anonymise Tor users. A 2015 research paper outlined an attack effective, under certain circumstances, at decloaking Tor hidden services (now rebranded as "onion services"). Most recently, 110 poisoned Tor hidden service directories were discovered probing .onion sites for vulnerabilities, most likely in an attempt to de-anonymise both the servers and their visitors. Cracks are beginning to show; a 2013 analysis by researchers at the US Naval Research Laboratory (NRL), who helped develop Tor in the first place, concluded that "80 percent of all types of users may be de-anonymised by a relatively moderate Tor-relay adversary within six months." Despite this conclusion, the lead author of that research, Aaron Johnson of the NRL, tells Ars he would not describe Tor as broken—the issue is rather that it was never designed to be secure against the world’s most powerful adversaries in the first place.
"It may be that people's threat models have changed, and it's no longer appropriate for what they might have used it for years ago," he explains. "Tor hasn't changed, it's the world that's changed."
[Image caption: Tor use in Turkey spiked during the recent crackdown.]
Tor's weakness to traffic analysis attacks is well-known. The original design documents highlight the system's vulnerability to a "global passive adversary" that can see all the traffic both entering and leaving the Tor network. Such an adversary could correlate that traffic and de-anonymise every user. But as the Tor project's cofounder Nick Mathewson explains, the problem of "Tor-relay adversaries" running poisoned nodes means that a theoretical adversary of this kind is not the network's greatest threat. "No adversary is truly global, but no adversary needs to be truly global," he says. "Eavesdropping on the entire Internet is a several-billion-dollar problem. Running a few computers to eavesdrop on a lot of traffic, a selective denial of service attack to drive traffic to your computers, that's like a tens-of-thousands-of-dollars problem." At the most basic level, an attacker who runs two poisoned Tor nodes—one entry, one exit—is able to analyse traffic and thereby identify the tiny, unlucky percentage of users whose circuit happened to cross both of those nodes. At present the Tor network offers, out of a total of around 7,000 relays, around 2,000 guard (entry) nodes and around 1,000 exit nodes. So the odds of such an event happening are one in two million (1/2000 x 1/1000), give or take.
But, as Bryan Ford, professor at the Swiss Federal Institute of Technology in Lausanne (EPFL), who leads the Decentralised/Distributed Systems (DeDiS) Lab, explains: "If the attacker can add enough entry and exit relays to represent, say, 10 percent of Tor's total entry-relay and exit-relay bandwidth respectively, then suddenly the attacker is able to de-anonymise about one percent of all Tor circuits via this kind of traffic analysis (10 percent x 10 percent)." "Given that normal Web-browsing activity tends to open many Tor circuits concurrently (to different remote websites and HTTP servers) and over time (as you browse many different sites)," he adds, "this means that if you do any significant amount of Web browsing activity over Tor, and eventually open hundreds of different circuits over time, you can be virtually certain that such a poisoned-relay attacker will trivially be able to de-anonymise at least one of your Tor circuits." For a dissident or journalist worried about a visit from the secret police, de-anonymisation could mean arrest, torture, or death. As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users. The biggest hurdle? Despite the caveats mentioned here, Tor remains one of the better solutions for online anonymity, supported and maintained by a strong community of developers and volunteers. Deploying and scaling something better than Tor in a real-world, non-academic environment is no small feat.
Tor was designed as a general-purpose anonymity network optimised for low-latency, TCP-only traffic. Web browsing was, and remains, the most important use case, as evidenced by the popularity of the Tor Browser Bundle. This popularity has created a large anonymity set in which to hide—the more people who use Tor, the more difficult it is to passively identify any particular user. But that design comes at a cost. Web browsing requires low enough latency to be usable. The longer it takes for a webpage to load, the fewer the users who will tolerate the delay. In order to ensure that Web browsing is fast enough, Tor sacrifices some anonymity for usability and to cover traffic. Better to offer strong anonymity that many people will use than perfect anonymity that's too slow for most people's purposes, Tor's designers reasoned. "There are plenty of places where if you're willing to trade off for more anonymity with higher latency and bandwidth you'd wind up with different designs," Mathewson says. "Something in that space is pretty promising. The biggest open question in that space is, 'what is the sweet spot?' "Is chat still acceptable when we get into 20 seconds of delay?" he asks. "Is e-mail acceptable with a five-minute delay? How many users are willing to use that kind of a system?" Mathewson says he's excited by some of the anonymity systems emerging today but cautions that they are all still at the academic research phase and not yet ready for end users to download and use. Ford agrees: "The problem is taking the next big step beyond Tor. We've gotten to the point where we know significantly more secure is possible, but there's still a lot of development work to make it really usable."
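The arithmetic in the article (1/2000 x 1/1000 per circuit for two poisoned relays, 10 percent x 10 percent = 1 percent when the attacker holds a tenth of guard and exit capacity) extends to the many-circuits case Ford describes, which is what turns "one percent of circuits" into "virtually certain" for a heavy browser. This is an added example, not code from the article or from the Tor Project. It keeps the article's simplification that relay selection is uniform and that circuits are independent; real Tor weights selection by bandwidth and keeps a client on the same guard for months, so treat the numbers as the back-of-envelope figures they are.

```python
import math

# Relay counts quoted in the article (approximate, 2016 figures).
TOTAL_GUARDS = 2000
TOTAL_EXITS = 1000


def circuit_compromise_probability(guard_fraction, exit_fraction):
    """Chance that one circuit's guard and exit are both attacker-run, treating
    relay selection as uniform and independent (the article's simplification;
    real Tor weights selection by bandwidth and pins a client to its guard)."""
    return guard_fraction * exit_fraction


def probability_any_compromised(p_circuit, n_circuits):
    """P(at least one of n independent circuits is compromised) = 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p_circuit) ** n_circuits


def circuits_needed(p_circuit, target):
    """Smallest number of circuits at which that probability reaches `target`."""
    if not (0.0 < p_circuit < 1.0 and 0.0 < target < 1.0):
        raise ValueError("probabilities must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_circuit))


if __name__ == "__main__":
    # One guard and one exit out of the network's totals: the article's "one in two million".
    p_single = circuit_compromise_probability(1 / TOTAL_GUARDS, 1 / TOTAL_EXITS)
    # Ten percent of guard and exit capacity: Ford's "about one percent of all circuits".
    p_tenth = circuit_compromise_probability(0.10, 0.10)
    for label, p in (("two relays", p_single), ("10% of guards and exits", p_tenth)):
        print(f"{label}: per-circuit {p:.2e}, "
              f"over 300 circuits {probability_any_compromised(p, 300):.3%}, "
              f"circuits for a 99% chance: {circuits_needed(p, 0.99)}")
```

With a one-percent per-circuit risk, three hundred circuits already give the attacker a 95 percent chance of catching at least one, and 459 circuits push that past 99 percent; with only two relays the same browsing session stays at a risk of roughly one in seven thousand.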


Endwall 09/01/2016 (Thu) 01:23:21 [Preview] No. 486 del
Soylent News
Big Data Busts Crypto: 'Sweet32' Captures Collisions in Old Ciphers
posted by janrinok on Wednesday August 31, @09:46AM
http://7rmath4ro2of2a42.onion/article.pl?sid=16/08/31/0710222
http://www.theregister.co.uk/2016/08/29/big_data_busts_crypto_sweet32_captures_collisions_in_old_ciphers/
Researchers with France's INRIA are warning that 64-bit ciphers – which endure in TLS configurations and OpenVPN – need to go for the walk behind the shed. The research institute's Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a "birthday attack" on Blowfish and triple DES encryption. They dubbed the attack "Sweet32". Sophos' Paul Ducklin has a handy explanation of why it matters here. The trick to Sweet32, the Duck writes, is the attackers worked out that with a big enough traffic sample, any repeated crypto block gives them a start towards breaking the encryption – and collisions are manageably common with a 64-bit block cipher like Blowfish or Triple-DES. They call it a "birthday attack" because it works on a similar principle to what's known as the "birthday paradox" – the counter-intuitive statistic that with 23 random people in a room, there's a 50 per cent chance that two of them will share a birthday. In the case of Sweet32 (the 32 being 50 per cent of the 64 bits in a cipher), the "magic number" is pretty big: the authors write that 785 GB of captured traffic will, under the right conditions, yield up the encrypted HTTP cookie and let them decrypt Blowfish- or Triple-DES-encrypted traffic. [...] "Our attacks impact a majority of OpenVPN connections and an estimated 0.6% of HTTPS connections to popular websites. We expect that our attacks also impact a number of SSH and IPsec connections, but we do not have concrete measurements for these protocols" (emphasis added).
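The birthday arithmetic the article gestures at, worked through as an added example (not code from the INRIA researchers or the article). It computes the probability that n ciphertext blocks produced under one key by a b-bit block cipher contain at least one repeated block, using the same reasoning as the 23-people room, and compares 64-bit (Blowfish, Triple-DES) with 128-bit (AES) blocks. The traffic volume it reports is the generic 50% collision threshold, not the paper's attack-specific 785 GB figure quoted above, which depends on how the attack uses the collision.

```python
"""Birthday-bound arithmetic behind the Sweet32 description above.

Added example, not code from the INRIA researchers or the article.
"""
import math


def collision_probability(n: int, space: int) -> float:
    """P(at least one repeat among n uniform draws from `space` values).

    Exact product for small n; the standard approximation
    1 - exp(-n(n-1) / (2*space)) once the product would be too slow."""
    if n <= 1:
        return 0.0
    if n <= 100_000:
        no_repeat = 1.0
        for i in range(n):
            no_repeat *= (space - i) / space
        return 1.0 - no_repeat
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def blocks_for_probability(block_bits: int, target: float) -> int:
    """Blocks under one key after which a repeat has probability `target`
    (inverse of the approximation above)."""
    space = 2 ** block_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - target)))


def traffic_for_probability(block_bits: int, target: float) -> int:
    """Same threshold expressed in bytes of ciphertext under one key."""
    return blocks_for_probability(block_bits, target) * (block_bits // 8)


if __name__ == "__main__":
    print(f"23 people, 365 days: {collision_probability(23, 365):.3f}")
    for bits in (64, 128):
        gb = traffic_for_probability(bits, 0.5) / 1e9
        print(f"{bits}-bit blocks: 50% chance of a repeated block after "
              f"{blocks_for_probability(bits, 0.5):.3e} blocks (~{gb:.3g} GB)")
    print(f"2^32 blocks of a 64-bit cipher: "
          f"{collision_probability(2**32, 2**64):.3f}")
```

For a 64-bit block the 50% threshold is around 2^32.5 blocks, a few tens of gigabytes under a single key, which is why long-lived sessions that never rekey are the exposed case; for a 128-bit block the same threshold is more than 2^64 blocks, far beyond any connection's lifetime. The defensive takeaway is the one the article states: retire 64-bit ciphers from TLS and OpenVPN configurations, and where that is not yet possible, cap the data sent under one key.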


Endwall 09/01/2016 (Thu) 03:12:03 [Preview] No. 487 del
Open Sources
Cybersecurity, Encryption Keep the FBI Busy
http://opensources.info/cybersecurity-encryption-keep-the-fbi-busy/
WASHINGTON, D.C. — Cyberattacks are hitting U.S. businesses and governments in multiple ways, and the Federal Bureau of Investigation is stepping up efforts to detect and deter the growing problem, said FBI Director James Comey. Comey made his remarks Tuesday, Aug. 30, just as his agency warned state election officials across the country to be on guard against hackers after the breach of a voter information database in Illinois and an attempted attack in Arizona. Speaking at the Symantec Government Symposium, Comey labeled today’s hackers and data thieves as increasingly sophisticated and often part of a multinational or foreign state-supported effort to breach information and databases. “Many of these threats are from criminals with inside information harvested from social media,” he said. Comey did not comment directly on the election hacking attempts, but said that the highest level of cyberthreats today is state-supported, and the biggest players include China, Russia and North Korea. “Next down in the threat stack are the multinational criminal syndicates, followed by purveyors of ransomware, which is spreading like a virus,” he said. Further down the list are the so-called hacktivists, who aren’t interested in profit, but in embarrassing institutions and governments through leaking sensitive data. Surprisingly, Comey listed terrorists as the weakest cyberthreat tracked by the FBI. He explained that terrorists are proficient at disseminating their messages to the public around the clock, but have yet to turn their attention toward computers as a target for terrorism. To battle against the rising tide of cybercrime, the FBI has established cyberthreat teams around the country that take on threats based on their ability to counteract specific kinds of criminal activity. Comey said the program has created a healthy competition among teams to handle certain types of intrusions, extortions and breaches.
In addition, the bureau has a Cyber Action Team that is ready to fly into a hotspot and respond at any time. The FBI also works closely with the U.S. Department of Homeland Security and national intelligence, as well as foreign partners to deter and, when possible, “incapacitate the bad boys,” he said. Like other government agencies, the FBI struggles to find information security talent willing to work for government pay. The director also said that working with state and local government has become increasingly important as cybercrime continues to grow. “We can’t help with every problem [faced by states and localities], but we can provide training and equipment,” he said. Perhaps the most controversial remarks focused on privacy and encryption, or what Comey termed: going dark. “This is our inability to use judicial authority to get access to data on a device,” he said. “Strong encryption is making more and more of the room going dark. In three years, post Snowden, through default encryption, that shadow is spreading through the room.” A growing number of technology firms, most notably Apple, have introduced devices that encrypt data that not even the companies themselves can access. The FBI and other law enforcement agencies say the devices have become warrant-proof spaces for criminals. The FBI has received 5,000 devices from state and local government agencies requesting help with decrypting them, Comey said, adding that the bureau was unable to open several hundred. With probable cause, he added, law enforcement has always been able to access an individual’s personal property, including communications, such as correspondence. “But there is no such thing as absolute privacy,” he said. “Widespread default encryption changes that bargain. We have never lived with absolute privacy, and default encryption impacts our ability to go after criminals and national security. 
Tools are becoming less effective because we are going dark.” Comey called for a national conversation about the problem, saying an individual’s absolute control of data is not acceptable. But having that talk might not be easy. Nuala O’Connor, president and CEO of the Center for Democracy and Technology, spoke after Comey and strongly disagreed with his views on encryption. “I don’t agree with FBI Director Comey on dark room encryption,” she said. “The FBI wants to have the master key to the problem. That’s not right.”


Endwall 09/01/2016 (Thu) 03:13:12 [Preview] No. 488 del
SWIFT warns of new attacks, pushes for security upgrades
http://www.scmagazine.com/swift-warns-of-new-attacks-pushes-for-security-upgrades/article/519774/
After cybercriminals lifted $81 million from Bangladesh Bank, SWIFT tightened security but attackers managed to compromise systems at some member banks. While six Democratic senators were beseeching President Obama in a letter to make cybercrime a priority at this weekend's Group of 20 Summit in China, SWIFT was sending a letter of its own to clients alerting them to additional attacks on member banks. Earlier attacks against SWIFT banks were, in part, the impetus behind the senators' letter to Obama, as legislators and world leaders have grown increasingly concerned about the devastation hacks could wreak on the global financial systems. "With so many attack vectors, it was just a matter of time before SWIFT became a focal point for cybercriminals with their financial understanding of the sector's common reactive-ness mentality, or in other words, 'let us see what gets hacked, and then we will react tactically to address it,'” Shane Stevens, VASCO Data Security's director of omni-channel identity and trust solutions, said in comments emailed to SCMagazine.com. “SWIFT got a wake-up call finally for its decision to stay with passwords, albeit stronger ones, when there are far more effective means of authentication available and the 30-year old technology of passwords has long been proven easy to defeat.” The additional attacks, which SWIFT said indicated a threat that “is persistent, adaptive and sophisticated – and is here to stay,” included compromises of customers' environments “and subsequent attempts made to send fraudulent payment instructions,” according to Reuters, which obtained a copy of the SWIFT letter. “This new wave of cyber attacks leveraging the SWIFT messaging system highlights the fact that banks are still behind the times. They've mastered physical security with big vaults and armed guards,” Yorgen Edholm, CEO of Accellion, said in emailed comments to SCMagazine.com.
“However, Jesse James and Patty Hearst aren't the bank robbers society has to worry about any more. What's even more frustrating is the fact that hackers are employing the same methods time and time again – and are still successful. We need change now! Until SWIFT and their customers figure out together a way to prevent these hacks, they will continue and faith in the global banking system will continue to suffer.” Dawid Kowalski, technical director - EMEA at FireMon, said in comments emailed to SCMagazine.com that earlier “events related to Bangladesh Bank exposed weak points of risk management” while the “latest revelations show that for at least one of the attacks on Banks, there was a lack of firewall management, not to mention any security posture assessments or event correlation.” The first attacks, which resulted in the theft of $81 million from Bangladesh Bank in February, had prompted the global financial messaging system to tighten security and put in place additional security procedures. In the letter to clients, SWIFT urged its members to implement its updated software by the November 19 deadline or risk being reported to regulators and other banks, the report said. But following SWIFT's recommendations for upgrading security tools and procedures likely won't be enough, István Szabó, product manager at Balabit, said in comments emailed to SCMagazine.com. "It is important to highlight that these attacks are not primarily machine based and current security tools won't spot them, as the attackers have already gained a foothold behind the defense perimeters,” he said. “As the account they've used for such actions might already possess the highest level of privileges, the bad actors can often do whatever they want and cover up their tracks with ease.” Privileged users, he added, are targeted in these types of attacks. “Such sophisticated attacks require more sophisticated methods to discover and stop them,” he explained.


Endwall 09/01/2016 (Thu) 03:14:19 [Preview] No. 489 del
Security Affairs
Dropbox Data Breach, more than 68 Million account details leaked online
August 31, 2016 By Pierluigi Paganini
http://securityaffairs.co/wordpress/50803/data-breach/dropbox-data-breach.html
A DropBox data breach that occurred in 2012 is forcing the company to reset login passwords for users included in a data dump leaked online.
Another clamorous data breach is in the headlines: a data dump containing more than 68 Million account credentials for the online cloud storage platform Dropbox was leaked online. Earlier this week, Dropbox announced it was forcing password resets for a number of accounts after discovering the data dump online linked to a 2012 breach. “The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria. Specifically, we’re prompting the update for users who: * Signed up to use Dropbox before mid-2012, and * Have not changed their password since mid-2012” states the announcement published by DropBox, which did not provide further details about the number of impacted users. Dropbox has confirmed the data breach that occurred in 2012; the company had already notified its users of potential forced password resets in response to the incident. “We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, Head of Trust and Security for Dropbox. “We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.” According to Motherboard, which obtained parts of the leaked archive, the files contain email addresses and hashed passwords for the Dropbox users. Motherboard had access to four files totalling around 5GB that contain details on 68,680,741 accounts. Of the 68 Million accounts disclosed after the Dropbox Data Breach, 32 Million passwords are protected by BCrypt hashing; the remaining are hashed with the SHA-1 hashing algorithm.
“Motherboard was provided the full set by breach notification service Leakbase, and found many real users in the dataset who had signed up to Dropbox in around 2012 or earlier,” reported Motherboard. There is no doubt the data is legitimate, as confirmed by an unnamed Dropbox employee who spoke on condition of anonymity. “Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” states a security update published by the company. In 2012, Dropbox initially notified users that one of its employee passwords was acquired and used to access a file with users’ email addresses, but the company didn’t disclose that the hackers were able to pilfer passwords too. The Dropbox data breach is only the latest such incident; other IT giants have suffered similar problems, including LinkedIn, MySpace, VK.com and Tumblr. In response to the DropBox data breach, users, as usual, have to reset their passwords for the service and on any other website that shares the same login credentials.


Endwall 09/01/2016 (Thu) 03:15:45 [Preview] No. 490 del
Open Sources
Hacker Interviews – NorthScripts from P0werfulGreakArmy
http://opensources.info/hacker-interviews-northscripts-from-p0werfulgreakarmy/
Aug 31, 2016
NorthScripts is one of the members of the PøwerfulGreəkArmy hacker group, a young team that conducted several hacking campaigns against multiple targets. Enjoy the interview!
Could you tell me more about you? Could you tell me what your technical background is and when you started hacking?
I started hacking in 2013, but got better in 2015 when I started the development of 0-day exploits, developing custom programs and scripts; that’s why I use the name “NorthScripts,” North because I live in North America.
What was your greatest hacking challenge?
My greatest hacking challenge was when I took down the BBC News website with P.G.A and PhantomSquad.
What are your motivations?
I want to get the world free from racists.
What was your latest hack? Can you describe it to me?
My latest hack was an attack against the ISIS Government website.
What are the 4 tools that cannot be missed in the hacker’s arsenal and why?
A botnet. Every hacker should know coding. Linux system (for example Backbox). Php shells. A VPN to protect anonymity online.
Which are the most interesting hacking communities on the web today, why?
There are a lot of interesting communities on the web, but Hackforums is still the best.
Did you participate in hacking attacks against the IS propaganda online? When? How?
Yes, I have participated in several attacks, but not so much. I’m not the best at defacing websites; I’m known for my DDoSing abilities, for developing DDoS scripts, proxies, doxxes and all the other things.


Endwall 09/01/2016 (Thu) 03:16:49 [Preview] No. 491 del
Computer World
SWIFT: More banks hacked; persistent, sophisticated threat is here to stay
http://www.computerworld.com/article/3114337/security/swift-more-banks-hacked-persistent-sophisticated-threat-is-here-to-stay.html
SWIFT warned that more banks have been attacked, some losing money in the high-tech heists, and urged banks to tighten security since the persistent and sophisticated threat is here to stay.
Computerworld | Aug 31, 2016 9:43 AM PT
Bad news for banks with lax security that also use SWIFT, the global financial transaction messaging network, as hackers are still pulling off high-tech heists. On Tuesday, the Society for Worldwide Interbank Financial Telecommunication, more commonly called SWIFT, notified customers of “ongoing attacks.” Hackers have again stolen money from banks, yet SWIFT did not say how many attacks were successful, did not identify specific banks and did not say how much was stolen. The banks, which “varied in size and geography and used different methods for accessing SWIFT,” shared one common denominator; each had weak local security. The SWIFT notice, according to Reuters, read: Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay. Banks were urged to stop dragging their feet, get serious about security, and get the latest version of SWIFT software installed pronto. Or else… Although SWIFT claimed it doesn’t disclose “affairs of specific customers,” that confidentiality arrangement might change. If banks miss the November 19 deadline for installing the latest and more secure version of SWIFT software, then SWIFT threatened it might report the banks “to regulators and banking partners.” No bank wants its private dirty laundry to be aired in public. The newest SWIFT software reportedly includes security features which could have stopped the latest hack attacks. The features were rolled out after Bangladesh Bank was breached and almost lost $1 billion … saved only by a New York Federal Reserve Bank employee noticing a typo which raised suspicions about the payment request. Bangladesh Bank had used $10 second-hand networking gear and had no firewall. Researchers at BAE analyzed the malware which is believed to have been designed specifically so attackers can abuse SWIFT. After other banks were targeted, SWIFT issued a warning. 
Hackers managed to steal $12 million from Ecuador's Banco del Austro and attempted to steal $1.36 million from Vietnam's Tien Phong Bank. Attacks abusing weak security measures to target SWIFT were also aimed at banks in the Philippines and New Zealand. The security firm FireEye was sent in to investigate attacks on up to another dozen banks. Symantec researchers suspected that a hacking group known as Lazarus was responsible for the attacks; in fact, the wiping code used to hide the bank hacks was also used in the Sony Pictures attack. The FBI decided the North Korean government was behind the attack on Sony. Near the end of June, hackers stole $10 million from an unnamed Ukrainian bank after taking advantage of shoddy security and then transferring money out via SWIFT. The Information Systems Audit and Control Association reported, “Dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars.” SWIFT believes better security could put an end to these high-tech heists. In its letter to customers, SWIFT said the affected banks “shared one thing in common; they have all had particular weaknesses in their local security. These weaknesses have been identified and exploited by the attackers, enabling them to compromise the customers’ local environments and input the fraudulent messages.” SWIFT has tried repeatedly to get banks to step up security, adding that there is “no indication that the SWIFT network or core messaging services have been compromised.”


Endwall 09/01/2016 (Thu) 03:19:00 [Preview] No. 492 del
Who is Guccifer 2.0, the mysterious hacker targeting the Democratic Party?
http://www.ibtimes.co.uk/democratic-party-tactics-dealing-black-lives-matter-leaked-by-hacker-1578918
An internal memo reportedly hacked from the personal computer of Nancy Pelosi, the top Democrat in the US House of Representatives, shows how officials were briefed on how to respond to the Black Lives Matter (BLM) movement – including tactics on how to answer questions by activists. The document, reportedly authored in November last year by a staffer called Troy Perry, states that Democratic Party candidates and members should never use the phrase “all lives matter” nor mention “black on black crime” as they are viewed as red herring attacks and will garner additional media scrutiny and only anger BLM activists. The Black Lives Matter movement was formed in 2012 following the death of Trayvon Martin and has been at the forefront of alleged US police brutality ever since – documenting and protesting the slew of killings including, most recently, those of Alton Sterling and Philando Castile. The BLM-centric document was leaked online by Guccifer 2.0, the self-proclaimed hacker claiming to be responsible for infiltrating the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC). Many cybersecurity experts believe the persona is maintained by Russian intelligence to manage a disinformation campaign with the intention of influencing the upcoming 8 November election. Kremlin officials have denied the accusations. “Presidential candidates have struggled to respond to tactics of the Black Lives Matter movement,” the memo continues. “While there has been little engagement with House candidates, candidates and campaign staff should be prepared. This document should not be emailed or handed to anyone outside of the building. Please only give campaign staff these best practices in meetings or over the phone.” Under a section marked “tactics”, Perry instructs Democratic Party officials to meet with local activists. He wrote: “If approached by BLM activists, campaign staff should offer to meet with local activists.
Invited BLM attendees should be limited. Please aim for personal or small group meetings.” He advised to listen to their concerns but “don’t offer support for concrete policy positions.” According to his public Twitter profile, Troy Perry is a former DCCC staffer who now works on the election campaign of Democratic nominee Hillary Clinton. “BLM needs partners to achieve their agenda and they want to be a part of the conversation,” Perry wrote in the memo last November. “However, BLM activists don’t want their movement co-opted by the Democrat Party. They are leery of politicians who hijack their message to win campaigns.” Under the title “What to say to media”, Perry noted that officials should aim to rebuild the relationship between police and community and explore reforms to ensure officers are properly trained and don’t infringe on citizens’ rights. The mysterious Guccifer 2.0 figure also released nine other documents in total – all reportedly compromised from the PC of Pelosi. Other titles included: “Recent Immigration Reform Proposals”, “2016 NP Proposed Contributions”, “ISIS (talking points)” and “Framework One Pager Benghazi”. A statement posted alongside the latest release said: “Hi everyone. As you see I’ve been gradually posting DCCC docs on different states. But besides that I have a folder from the Nancy Pelosi’s PC and I’d like to share some docs from it with you. They are related to immigration, Hispanics, BLM, Islam and other issues. So here they are.” Due to the documents featuring potentially sensitive financial data, IBTimes UK has not linked directly to the release. Guccifer 2.0 did not respond to a request for comment.


Endwall 09/01/2016 (Thu) 03:20:23 [Preview] No. 493 del
DNS tunneling widely used, Infoblox says
By Sead Fadilpašić
DNS tunnelling, a security threat which can indicate either active malware, or data exfiltration, is fairly widespread today, according to a new report by network control company Infoblox.
http://www.itproportal.com/news/dns-tunneling-widely-used-infoblox-says
Infoblox analysed 559 files capturing DNS traffic, uploaded from 248 customers. Two thirds (66 per cent) of the files showed evidence of suspicious DNS activity. Almost half (40 per cent) showed evidence of DNS tunnelling. “In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “Cybersecurity is much the same. The widespread evidence of DNS tunnelling uncovered by the Infoblox Security Assessment Report for the second quarter of 2016 shows cybercriminals at all levels are fully aware of the opportunity. Organisations can’t be fully secure unless they have tools in place to discover and prevent DNS tunnelling.” According to the company’s report, cyber-criminals know how well-established and trusted a protocol DNS really is, which is why they use it. Many organisations, Infoblox says, do not look at DNS traffic for malicious activity. Besides DNS tunnelling, a couple of other security threats were uncovered, including protocol anomalies (48 per cent), botnets (35 per cent), amplification and reflection traffic (17 per cent), distributed denial of service – DDoS attacks (14 per cent), and ransomware (13 per cent). “While these threats are serious, DNS can also be a powerful security enforcement point within the network,” said Rasmussen. “When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers.” The full report can be found at this link.
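The article says many organisations never look at their DNS traffic for malicious activity. As an added example of what that looking can consist of (this is not code from the Infoblox report or from any Infoblox product), the script below scores each base domain in a small constructed query log on indicators tunnelling traffic tends to exhibit: long, high-entropy subdomain labels carrying encoded payload, a new subdomain on almost every query, and record types that return arbitrary bytes (TXT, NULL). The log format, the sample queries and the thresholds are all constructed for illustration, and the base-domain split is a naive last-two-labels rule where a real deployment would consult the Public Suffix List.

```python
"""Heuristic DNS-tunnelling triage over query logs.

Added example, not taken from the Infoblox report or from Infoblox tooling.
Log format, thresholds and sample queries are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<client> <qname> <qtype>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.com A
10.0.0.9 7a1f9c3e4b2d8f6a0c5e1b9d3f7a2c4e.tun.example-evil.test TXT
10.0.0.9 b83d2e1f6c9a7b4d0e5f1a2c3d4e5f60.tun.example-evil.test TXT
10.0.0.9 c9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4.tun.example-evil.test NULL
10.0.0.9 d0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5.tun.example-evil.test TXT
10.0.0.9 e1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tun.example-evil.test TXT
10.0.0.12 login.example.org A
10.0.0.12 static.example.org AAAA
"""

PAYLOAD_QTYPES = {"TXT", "NULL"}   # record types that carry free-form data


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, real words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (base_domain, subdomain) using a naive last-two-labels rule
    (assumption; production code should use the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].upper()


def score_domains(log_text: str, long_label: int = 30,
                  entropy_bits: float = 3.5) -> dict:
    """Aggregate per-domain indicators and a 0..4 suspicion score."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "long_labels": 0, "high_entropy": 0,
                                 "payload_qtypes": 0})
    for _client, qname, qtype in parse_log(log_text):
        base, sub = split_name(qname)
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(sub)
        for label in filter(None, sub.split(".")):
            if len(label) >= long_label:
                st["long_labels"] += 1
            if len(label) >= 16 and shannon_entropy(label) >= entropy_bits:
                st["high_entropy"] += 1
        if qtype in PAYLOAD_QTYPES:
            st["payload_qtypes"] += 1

    report = {}
    for base, st in stats.items():
        unique = len(st["subdomains"])
        score = 0
        score += st["long_labels"] >= 3
        score += st["high_entropy"] >= 3
        score += st["payload_qtypes"] >= 3
        # Nearly every query is a never-seen subdomain: data leaving per query.
        score += unique >= 5 and unique / st["queries"] > 0.8
        report[base] = {"queries": st["queries"], "unique_subdomains": unique,
                        "long_labels": st["long_labels"],
                        "high_entropy": st["high_entropy"],
                        "payload_qtypes": st["payload_qtypes"],
                        "score": int(score)}
    return report


def suspected_tunnels(log_text: str, min_score: int = 3) -> list:
    """Base domains whose score reaches `min_score`, queued for analyst review."""
    return sorted(d for d, r in score_domains(log_text).items()
                  if r["score"] >= min_score)


if __name__ == "__main__":
    for domain, r in sorted(score_domains(SAMPLE_LOG).items()):
        print(f"{domain:22} score={r['score']} {r}")
    print("suspected:", suspected_tunnels(SAMPLE_LOG))
```

The point of scoring several weak indicators rather than alerting on any one is the false-positive problem the article's DNS-firewalling advice depends on: CDNs and anti-spam services also emit long hashed labels, so the per-domain combination (payload record types plus high subdomain churn plus entropy) is what separates a tunnel candidate from ordinary noise. Output from this kind of triage is what feeds the remediation Rasmussen describes: identify the querying hosts and block the domain at the resolver.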


Endwall 09/01/2016 (Thu) 03:22:47 [Preview] No. 494 del
Security Affairs
iOS 9.3.4 and minor versions are vulnerable to the Trident Exploit
August 31, 2016 By Pierluigi Paganini
Its name is the Trident: a chain of zero-day exploits that aim to infect iPhone with commercial spyware. Researchers linked it to the NSO group.
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
Its name is the Trident: a chain of zero-day exploits that aim to infect iPhones with commercial spyware. Researchers say it belongs to an exploit infrastructure connected to the NSO Group. Thanks go to the great work done by the researchers from the Citizen Lab organization and the Lookout firm, who responsibly disclosed the exploits and their related vulnerabilities to Apple. Given the severity of the Trident, Apple worked extremely quickly to patch these vulnerabilities and has released iOS 9.3.5 to address them. In this post, we want to give you a description and some technical information about the inner logic of the Trident exploit rather than the attack received by Ahmed Mansoor. From the episode of Ahmed Mansoor we can quickly understand the infection vector of that exploit: SMS, email, social media, or any other message. The most frightening part of that attack is that the single action the user has to take to trigger this dangerous attack is just a click on an external link. The exploit seems to contain the logic to remotely jailbreak an iPhone to install arbitrary applications and then deliver commercial spyware called Pegasus as espionage software to track the victim.
What is Pegasus and who is behind it? Pegasus is spy software installable on iOS devices that allows reading messages, emails, passwords and address lists as well as eavesdropping on phone calls, making and transmitting audio recordings and tracking the location of a compromised device (but we will look at this more closely in the following section). It seems that this spyware is attributed to NSO Group, an Israeli firm based in Herzliya in the country’s “Silicon Valley”. This spyware was attributed to the NSO Group because in Mansoor’s attack the domain used for the phishing message (webdav.co) belongs to a network of domains that is part of an exploit infrastructure provided by the company NSO Group.
NSO Group, now owned by US private equity firm Francisco Partners Management, has flown far under the radar, without even a website. Citizen Lab reported that just by opening the link included in the message sent to the victims on an iPhone running iOS 9.3.3 it is possible to observe active unknown software being remotely implanted into the system through the delivery of unknown exploits from that link. The complex exploit takes the name Trident.
ATTACK SCENARIO
After the user gets baited, the exploit starts its work to infect the phone, following the 3 main stages of the attack, detailed below:
1. Delivery and WebKit vulnerability. This stage comes down over the initial URL in the form of an HTML file that exploits a vulnerability (CVE-2016-4655) in WebKit (used in Safari and other browsers).
CVE-2016-4655: Memory Corruption in Safari WebKit. A memory corruption vulnerability exists in Safari WebKit that allows an attacker to execute arbitrary code. Pegasus exploits this vulnerability to obtain initial code execution privileges within the context of the Safari web browser.
2. Jailbreak. This stage is downloaded by the first stage code based on the device type (32-bit vs 64-bit). Stage 2 is downloaded as an obfuscated and encrypted package. Each package is encrypted with unique keys at each download, making traditional network-based controls ineffective. It contains the code that is needed to exploit the iOS Kernel (CVE-2016-4656 and CVE-2016-4657) and a loader that downloads and decrypts a package for stage 3.
CVE-2016-4656: Kernel Information Leak Circumvents KASLR. Before Pegasus can execute its jailbreak, it must determine where the kernel is located in memory. Kernel Address Space Layout Randomization (KASLR) makes this task difficult by mapping the kernel into different and unpredictable locations in memory. In short, before attacking the kernel, Pegasus has to find it. The attacker has found a way to locate the kernel by using a function call that leaks a non-obfuscated kernel memory address in the return value, allowing the kernel’s actual memory location to be mapped.
CVE-2016-4657: Memory Corruption in Kernel leads to Jailbreak. The third vulnerability in Pegasus’ Trident is the one that is used to jailbreak the phone. A memory corruption vulnerability in the kernel is used to corrupt memory in both the 32- and 64-bit versions. The exploits are performed differently on each version....


Endwall 09/01/2016 (Thu) 03:25:08 [Preview] No. 495 del
The NSA Research Director Wants Hackers to Know Who She Is
http://www.matthewaid.com/post/149756647326/the-nsa-research-director-wants-hackers-to-know
August 31, 2016 Paul O'Donnell Washingtonian August 30, 2016
Even before Edward Snowden, the National Security Agency—the super-secret electronic spy outfit at Fort Meade—had started showing signs of thaw. Locally, NSA employees were acknowledging to friends and neighbors where they worked, while increasing links to Silicon Valley opened NSA to the outside world. Then in June 2013 came Snowden’s leak of documents demonstrating the level of surveillance aimed at US citizens, and the Agency That Would Not Be Named made headlines. In the scrutiny from the press and Congress that followed, one quip had it that NSA stood for Not Secret Anymore. At the time, Deborah Frincke, a computer scientist and cyberresearcher, was still settling in as the agency’s research director, taking charge of developing cutting-edge tools for protecting the government’s computer systems and cracking those of our enemies. Frincke had spent most of her career as a specialist in computer security, first at the University of Idaho, then at the federal Pacific Northwest National Lab in Seattle. A relative outsider at NSA and the first woman to head the research directorate, Frincke found herself uniquely disposed to explain NSA to the world, and the world to NSA. We talked to her recently for an update.

So NSA has been making news. How did the Snowden controversy affect people inside the walls?

It was certainly very hard in the early days. It was hurtful to people who work so hard to save lives and obey the Constitution, and now the country doesn’t trust them. As one whose role is outwardly leaning, I’ve tried to explain how people outside the agency could have such a misunderstanding. I think we’ve rebounded now, and I think we understand why people got the impression that they did.

Has the controversy made it harder to attract good people to the agency?

We haven’t had trouble attracting candidates. Most people have had a chance to think about the revelations and what intelligence communities mean in general. If you ask those who’ve been here 20, 30 years, many had no idea what the agency was when they interviewed. That would be true of few of our new hires. They know what they signed up for.

What about other players in the cyber-security world—in academia and the private sector? How have you tended to those crucial relationships?

I show I’m willing to have a dialogue. At [the technology conference] Black Hat, I wore a badge that said NSA—usually they very politely put DoD [Department of Defense] under my name. I changed it to NSA so everyone would know exactly who they were talking to. What’s important at this stage is that people ask questions, raise concerns.

Speaking of how you’re received, it’s no secret that women are a minority in technical fields. What’s it like working in a male-dominated environment?

NSA does pretty well with women advancing through the ranks. It’s when I go to conferences that I see how comfortable they are with a female leader. Sometimes I turn my badge around to get a sense of what it’s like to show up as a female in the crowd, as opposed to NSA’s research director. It’s different.

It’s getting better, though. Forbes recently named you a “cool” role model for high-school girls.

It’s taken me all this time to get to the point where I’m actually cool. I was a bit of a novelty in graduate school.

Did you ever feel discouraged?

I did when I started, because I was the only one who looked like me. The atmosphere was less accepting, especially when you got into cybercrime. It was acceptable to work on proving things were safe and secure. That was cleaner than the messier world of attacks and defenses, which was more militaristic and not suitable. So I remember getting a fair amount of pushback. But when you are an anomaly and you stick it out, you get a little bit of name recognition.

[Photo caption: The culture at NSA’s campus at Fort Meade has been criticized for being too insular and secretive. Photograph by Trevor Paglen.]

How did you get into computers?

My dad was a prof, and when I was in third grade, he spent his sabbatical in Crofton [Maryland], helping the Naval Academy set up a computer. He would bring us in, and we would play with the big paper tape. I loved it. When the Radio Shack [home] computers came out, he of course bought them and I of course played with them. You had to write your own games then; otherwise you were stuck, so I got into computers very early on.

Was it your father’s experience that gave you the idea to go into government work?

I would say I grew up on a service orientation. I was really into King Arthur and Tolkien—the strong protecting the weak, the duty that we have to take care of our folks. That was part of our family culture. So it was not unnatural for me to move into a discipline where the goal was to take care of other people, to defend the systems.

But why NSA? You had a long career in academia, you worked on a start-up. There are plenty of places to use your skills.

As a scientist, there are very few places where I can say I’m directly helping the country. It’s harder when you go to a tech company that’s putting out widgets. Those things are important, but it’s not satisfying.

But the private sector is making some important widgets for cybersecurity.

I take nothing away from that. I’m just wired a little differently. It’s a happier place for me to work directly in government and try to take those skills and shape those things.

In a recent article about hackers, an industry insider said, “My concern is that the bad guys are going to out-innovate us.” Is NSA still ahead?

At the moment, yes. [NSA director] Michael Rogers recently announced a reorganization called NSA21 to make sure the same is true in ten years. We want to know what we can do to be easier to work with. Many of the innovative spirits in the industry are one- and two-person companies. How do they begin to bring their great solutions to a behemoth? Which I say with love, but we are.

That’s a huge cultural change for NSA, isn’t it? To go from being the primary producer to being a consumer?

It’s a huge cultural change. It’s a healthy change. There will always be things we’ll know how to do best. The things we buy from the outside actually allow us to focus on that. The important thing will be to maintain that focus. To farm out all of our brains, that would be a problem. But to be a savvy consumer who’s also a producer, you can be more nimble that way.

Half of NSA’s job is “signals intelligence”—spying on others. The other half is defense, protecting our computers. When you lie awake at night, are you thinking about defense or offense?

I’ll probably always think more about defense because I was raised that way. It’s also in many ways a harder problem. You have to get the defense right all the time. Offense can be successful if it gets in and gets out. Defense touches every US citizen every single day. The vulnerability is continually widening. It’s the electrical grid, the food supply. Everything has been technologized to the point that it’s a concern. Not all of that is NSA’s concern necessarily. It may affect Silicon Valley more. The “internet of things” means we’re bringing critical cybertechnologies literally right next to us—Fitbit, GPS, all the devices embedded in my home. That’s very personal. Yet our devices are not designed secure. Every year, more and more, so much of our lives is dependent on a fragile infrastructure. We will see breaks. If US citizens want to worry about one, it’s defense they should focus on.

What can they do?

If you don’t want GPS tracking to be on, turn it off. Have your e-mail set up so you have password protection. Think through: How did I protect my bank account today? And as political consumers, we should be asking: How do we devise our next culture? We should demand safety in our devices just as we demand seat belts.

Can you give an example?

I’m a breast-cancer survivor. Should I have a recurrence, chances are it will be at a point when the technology will enable doctors to monitor how my cancer is progressing from their office. What should be designed into those sensors so I don’t have to worry that someone else will hack that information? These devices that help regulate bodily processes—how can we make sure those are hacker-proof?

What’s the balance, though? After the San Bernardino shootings, many said our phones should be locked up tight. Given the threat we’re facing, do you say, “This isn’t about protecting your Snapchats”?

I’m not going to weigh the value of someone’s photos, whether of their cat or something I might consider important. That’s precious to them. What I ask is that as a nation we have thoughtful dialogue, think through where we do want to share information. What if we said you can never share information about a cancer patient? What if we never share information that would help catch lawbreakers? Where do we create that balance between maximizing civil liberties and maximizing the safety and security? If you don’t get them both right, then you are not safer and more secure. We have to get them both right.


Endwall 09/02/2016 (Fri) 13:59:30 [Preview] No. 496 del
RT
Putin on DNC hack: Let’s talk content, not hackers’ identity
http://tornews3zbdhuan5.onion/newspage/39018/
https://www.rt.com/news/358007-putin-dnc-hack-comment/
Sept. 2, 2016
A number of US officials and media outlets accused Moscow of “trying to hack” the US presidential election by using cyber-offensive operations that undermine Democratic candidate Hillary Clinton and benefit her Republican rival Donald Trump. When asked about the allegations by Bloomberg News Editor-in-Chief John Micklethwait, Russian President Vladimir Putin denied Moscow’s involvement.

“I wouldn’t know anything about it. You know, there are so many hackers today and they work with such finesse, planting a trail where and when they need. Not even their own trail but masquerade their actions as those of other hackers acting from other territories, nations. It’s difficult to trace, if even possible,” Putin said. “Anyway, we certainly don’t do such things on the state level,” he added.

Putin suggested that the debate over who hacked election-related computer networks in the US draws attention away from the nature of the leaked documents. “The important thing here is what the public was shown. That is what the discussion should focus on. One shouldn’t draw the public attention from the core of the issue by replacing it with secondary details like who did it,” the Russian president suggested.

Earlier the whistleblower website WikiLeaks published some 20,000 emails of the Democratic National Committee (DNC), which suggested that the party leadership colluded to have Clinton rather than her principal competitor Bernie Sanders be chosen as the Democratic Party’s presidential hopeful. Some US media claimed that WikiLeaks received the emails from Russian intelligence and that the organization, which has been exposing classified material to public scrutiny since 2006, timed its publications to the goals of Russian foreign policy. WikiLeaks dismissed the allegations as a conspiracy theory.

In the Bloomberg interview Putin implied that the individual or group behind the DNC hack must be someone with an intimate understanding of how American politics works. “Frankly, I couldn’t imagine that such information could provoke such interest from the American public,” he said. “One would have to ‘feel the nerve’ and peculiarities of the US domestic political life. I’m not sure that even our Foreign Ministry experts have that level of comprehension.”

Asked whether he preferred to see as the next US president Trump, who has complimented Putin on several occasions, or Clinton, who apparently “wants to get rid” of Putin, the Russian leader said he had no preference in the matter. “I would like to deal with a person who can take responsible decisions and deliver on agreements. Name is irrelevant here,” he said. “They both make shocking statements in their own way. They both are smart people and know which points to press to be heard and understood by US voters,” Putin added, further saying that in his opinion neither candidate set a good example of campaigning in that regard. “That’s American political culture and one has to accept it as it is. America is a great nation and it deserves to be spared foreign interference and comments.”

The Russian president also voiced doubt over proposals to establish a “hacking code of conduct” for G20 countries – which are to convene later on the weekend in China – saying it was not a suitable forum for the topic. “The G20 was intended as a forum for discussing world economy. Politics affects economy, obviously, but if we bring into it our quarrels or even serious issues related to world politics, we would oversaturate the G20 agenda and instead of talking finances and structural changes of the economy and taxes we would just argue about Syria and other world problems,” he said. “Such issues belong to other places and forums. Like the UN Security Council,” Putin said.


Endwall 09/02/2016 (Fri) 14:11:24 [Preview] No. 497 del
Reading this on a Mac? Install this security fix to avoid being spied on
http://tornews3zbdhuan5.onion/newspage/39025/
http://feedproxy.google.com/~r/techradar/allnews/~3/cB1mpBdMDOo/1327720
Tech Radar, Sept. 2, 2016 By Darren Allan
Remember that gaping iOS security flaw which was revealed last week? Well, turns out that it's also present on Apple's desktop operating system, with the company patching up OS X to cure the issue. The problem is a serious one involving so-called Pegasus malware created by an outfit that goes by the name of NSO Group, which is known for selling spyware to governments, and that's exactly what this nasty does – allows an attacker to spy on your device. That's why you should act quickly to make sure that these vulnerabilities are patched up on your Mac. Apple has actually issued a pair of patches. The main one addresses the problem for the OS on both Yosemite and El Capitan – it's not mentioned if the flaw also affects preview versions of macOS Sierra. The second update is for Safari, and cures a memory corruption issue present in the browser. This fix is actually included in the above patch, but is available separately for those who don't install that (as mentioned, it only pertains to Yosemite and El Capitan). At any rate, head over to the App Store and click on the Update tab (top-right) to patch your system up appropriately. It's a bit of a tired old record now, but yes, this is another small lesson in how Mac security isn't bulletproof and shouldn't be taken for granted. As we saw back in the spring, Apple computer users have also come under fire with ransomware this year, the current belle of the malware ball.


Endwall 09/02/2016 (Fri) 14:12:39 [Preview] No. 498 del
43 million passwords hacked in Last.fm breach
TechCrunch, Sept. 2, 2016
http://feedproxy.google.com/~r/Techcrunch/~3/zFRaLDEKhoQ/
Crikey: 43,570,999 user accounts were breached in a hack of Last.fm that occurred in March of 2012, according to a report from LeakedSource. Three months after the breach, in June of 2012, Last.fm issued the following statement: “We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.”

The number of passwords and the severity of the hack were not uncovered until today. The passwords were stored using unsalted MD5 hashing. Rather than storing passwords in plaintext, nearly every site that stores critical user information utilizes some form of hashing. Hashing is a method for encrypting data, but some methods are far superior to others. MD5 is seriously out of style, in part because it is not mathematically intensive enough to resist modern methods of brute-force cracking. Moreover, Last.fm didn’t use salt in its hashing process. Salting is the practice of adding a random string of numbers to the hash for each individual password, making them more secure and decreasing the likelihood that they will be cracked if the passwords are ever leaked online. Unfortunately, Last.fm did not take that step, and LeakedSource reports that most of the passwords were easily cracked.

For the second time this week, our advice is that you change your password immediately if you have an account on Last.fm. The most popular password pulled from the Last.fm database was 123456. Seriously, it’s 2016 people — use a platform like LastPass to generate randomized, complex passwords that are unique to every service for which you sign up.
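
The article's two complaints about Last.fm's storage (a fast hash and no salt) can be seen side by side in a few lines. The following is an added example written for this thread, not Last.fm's code or anything from the TechCrunch piece; the user records are constructed, and the PBKDF2 iteration count is an assumption to be tuned per deployment. It shows that unsalted MD5 maps every user with the same password to the same digest, so a single cracked digest or table lookup opens all of those accounts at once, and contrasts that with a per-user random salt and an iterated hash, which makes equal passwords look different at rest and makes each guess cost far more work.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample credential set (assumption: not real Last.fm data).
# Two users chose the same weak password, as the article says many did.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "hunter2",
}


def unsalted_md5(password: str) -> str:
    """The storage scheme the article describes: one fast MD5, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_digest_counts(records: Dict[str, str]) -> Counter:
    """Count how many users share each unsalted digest.

    Without a salt, equal passwords give equal digests, so cracking one
    digest (or one precomputed-table lookup) unlocks every account using it.
    """
    return Counter(unsalted_md5(pw) for pw in records.values())


PBKDF2_ITERATIONS = 200_000  # assumption: tune so one hash takes ~100 ms on login hosts
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash: a fresh random salt per user plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record, so iterations can be raised later without a flag day.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def migrate(records: Dict[str, str]) -> Dict[str, str]:
    """Re-hash every account into the salted format (possible here only because
    the constructed sample still holds plaintext; see the note below)."""
    return {user: hash_password(pw) for user, pw in records.items()}


def colliding_groups(records: Dict[str, str]) -> List[int]:
    """Sizes of the user groups that share one unsalted MD5 digest."""
    return sorted(c for c in shared_digest_counts(records).values() if c > 1)


if __name__ == "__main__":
    print("users sharing an unsalted MD5 digest:", colliding_groups(SAMPLE_USERS))
    table = migrate(SAMPLE_USERS)
    print("salted records differ for equal passwords:", table["alice"] != table["carol"])
    print("login check:", verify_password("123456", table["alice"]),
          verify_password("wrong", table["alice"]))
```

A real site cannot call `migrate()` the way the sample does, because it holds digests rather than plaintext; the usual fix is to wrap the legacy digest (salted PBKDF2 over the old MD5 value) immediately and re-hash from the plaintext the next time each user logs in successfully.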


Endwall 09/02/2016 (Fri) 14:25:52 [Preview] No. 499 del
Hacker Guccifer, who exposed Clinton’s use of private e-mail, gets 52 months
http://tornews3zbdhuan5.onion/newspage/38727/
http://arstechnica.com/tech-policy/2016/09/hacker-guccifer-who-exposed-clintons-use-of-private-e-mail-gets-52-months/
David Kravets - Sep 1, 2016 5:22 pm UTC
The Romanian hacker who helped expose Democratic presidential candidate Hillary Clinton's use of private e-mail as secretary of state was sentenced Thursday to 52 months in prison in connection to an admission that he broke into about 100 Americans' e-mail accounts. The compromised accounts included celebrities, former Secretary of State Colin Powell, and family members of former Presidents George W. Bush and George H.W. Bush, and Sidney Blumenthal, a political advisor whom Clinton corresponded with using her private e-mail account. Marcel Lehel Lazar, a 44-year-old cab driver known by the handle Guccifer, conducted his crimes at home and was extradited to the US this year. He pleaded guilty to identity theft and federal hacking charges. Guccifer had claimed he hacked into Clinton's private e-mail server at her New York residence. But he has never been charged for that, and he has never divulged the contents of the alleged hack. However, the hacker did reveal private documents from other hacks, including self portraits painted by George W. Bush. He also leaked memos Blumenthal sent Clinton to her private e-mail account. This eventually exposed the fact that Clinton used that account as secretary of state for personal and private businesses instead of using her government account for official business. The State Department eventually chastised Clinton for using private e-mail, though the Federal Bureau of Investigation recommended that she not be charged. Attorney General Loretta Lynch echoed that position. Republicans, including GOP presidential nominee Donald Trump, are invoking the e-mail brouhaha in the run up to the November 8 presidential election hoping to convince the public that Clinton is unfit to be president. Guccifer's sentence was in line with what federal prosecutors were seeking. 
They said the penalty must "address any false perception that unauthorized access of a computer is ever justified or rationalized as the cost of living in a wired society—or even worse, a crime to be celebrated." When handing down the term, US District Judge James Cacheris of Virginia said, "this epidemic must stop." In seeking the harsh sentence, feds had referred to a new hacker individual or collective known as Guccifer 2.0 that is suspected of having ties to the Russian government and has been credited for hacking into the Democratic National Committee earlier this year. Guccifer 2.0 has also been credited for a separate breach of the Democratic Congressional Campaign Committee. Lazar, meanwhile, has said he had no formal computer training or expertise. Instead, he claims to have guessed people's passwords after reviewing Wikipedia entries about them.


Endwall 09/02/2016 (Fri) 14:41:16 [Preview] No. 500 del
The Intercept
Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police
http://tornews3zbdhuan5.onion/newspage/38876
https://theintercept.com/2016/09/01/leaked-catalogue-reveals-a-vast-array-of-military-spy-gear-offered-to-u-s-police/
Sept. 2, 2016
A confidential, 120-page catalogue of spy equipment, originating from British defense firm Cobham and circulated to U.S. law enforcement, touts gear that can intercept wireless calls and text messages, locate people via their mobile phones, and jam cellular communications in a particular area. The catalogue was obtained by The Intercept as part of a large trove of documents originating within the Florida Department of Law Enforcement, where spokesperson Molly Best confirmed Cobham wares have been purchased but did not provide further information. The document provides a rare look at the wide range of electronic surveillance tactics used by police and militaries in the U.S. and abroad, offering equipment ranging from black boxes that can monitor an entire town’s cellular signals to microphones hidden in lighters and cameras hidden in trashcans. Markings date it to 2014. Cobham, recently cited among several major British firms exporting surveillance technology to oppressive regimes, has counted police in the United States among its clients, Cobham spokesperson Greg Caires confirmed. The company spun off its “Tactical Communications and Surveillance” business into “Domo Tactical Communications” earlier this year, presumably shifting many of those clients to the new subsidiary. Caires declined to comment further on the catalogue obtained by The Intercept or confirm its authenticity, but said it “looked authentic” to him. “By design, these devices are indiscriminate and operate across a wide area where many people may be present,” said Richard Tynan, a technologist at Privacy International, of the gear in the Cobham catalogue. Such “indiscriminate surveillance systems that are not targeted in any way based on prior suspicion” are “the essence of mass surveillance,” he added.   
The national controversy over military-grade spy gear trickling down to local police has largely focused on the “Stingray,” a single type of cellular spy box manufactured by a single company, Harris Corp. But the menu of options available to domestic law enforcement is enormous and poorly understood, mostly because of efforts by both manufacturers and their police clientele to suppress information about their functionality and use. What little we know about Stingrays has often been the result of hard-fought FOIA lawsuits or courtroom disclosures by the government. When the Wall Street Journal began reporting on the use of the Stingray in 2011, the FBI declined to comment on the grounds that even discussing the device’s existence could jeopardize its usefulness. The effort to pry out details about the tool is ongoing; just this past April, the American Civil Liberties Union and Electronic Frontier Foundation prevailed in a federal court case, getting the government to admit it used a Stingray in Wisconsin. Unsurprisingly, the Cobham catalogue describes itself as “proprietary and confidential” and demands that it “must be returned upon request.” Information about Cobham’s own suite of Stingray-style boxes is almost nonexistent on the web. But starting far down on Page 105 of the catalogue is a section titled “Cellular Surveillance,” wherein the U.K.-based manufacturer of defense and intelligence-oriented hardware lays out all the small wonders it sells for spying on people’s private conversations, whether they’re in Baghdad or Baltimore...


Endwall 09/02/2016 (Fri) 15:51:35 [Preview] No. 501 del
Microsoft To Set Up Cybersecurity Center In Delhi
http://economictimes.indiatimes.com/tech/ites/microsoft-plans-cybersecurity-centre-in-connaught-place/articleshow/53954322.cms
Microsoft is setting up a cybersecurity center in New Delhi to arm governments and private agencies with all-round intelligence on cyber attacks within the country. The center, which will probably be at Connaught Place in close proximity to most government establishments, would target the spread of malware by monitoring the Internet traffic flowing through the country, Bhaskar Pramanik, chairman at Microsoft India, said in an ET report. “Security is becoming a big conversation topic, especially when we are talking about the cloud,” he added. The center is expected to be modelled on Microsoft’s biggest such setup at its headquarters in Redmond, Washington; it would be inaugurated sometime in October or November. Globally Microsoft has seven such centers, which have partnerships with international law enforcement agencies such as Interpol and Europol to fight cybercrime. The Connaught Place center will be an extended version of a small Gurgaon office launched in June this year. The center will provide necessary details about malware and attacks to the government, on which they can take precautionary measures and actions, Pramanik said. Earlier, during Satya Nadella’s third visit to India, he said “Microsoft is building technology around digital and virtual reality and how the tech major can help the country in its ‘Digital India’ initiative.” While in Delhi, Nadella also met telecom minister Ravi Shankar Prasad and minister of state for finance Jayant Sinha. “We shared this idea with the government departments and they are all very excited about it,” he said, adding that the idea to base the center in central Delhi was to ensure that top officials from government departments in close vicinity can “see it for themselves.”

NEW DELHI: American technology giant Microsoft is setting up a cybersecurity centre in the heart of New Delhi to arm governments and private agencies with all-round intelligence on cyber attacks within the country. The centre, which is likely to be in Connaught Place in close proximity to most government establishments, would target the spread of malware by monitoring the Internet traffic flowing through the country, Bhaskar Pramanik, chairman at Microsoft India, said. "Security is becoming a big conversation topic, especially when we are talking about the cloud," he told ET in an interview. To be modelled on Microsoft's biggest such setup at its headquarters in Redmond, Washington, it would be inaugurated sometime in October or November. Microsoft has seven such centres globally that have partnerships with international law enforcement agencies such as Interpol and Europol to fight cybercrime. The centre will be an expanded version of a small one launched in June this year in the company's Gurgaon office. While the centre will be a completely Microsoft set up, it will give the necessary details about malware and attacks to the government on which they can take precautionary measures and actions, Pramanik said. "We shared this idea with the government departments and they are all very excited about it," he said, adding that the idea to base the centre in central Delhi was to ensure that top officials from government departments in close vicinity can "see it for themselves." The launch of the centre comes on the heels of a discussion between PM Narendra Modi and Microsoft's global chief Satya Nadella during his last visit to India.


Endwall 09/02/2016 (Fri) 15:55:06 [Preview] No. 502 del
How US Army Cyber Command Pitched Camp in Augusta, Georgia
http://www.pcmag.com/news/347468/how-us-army-cyber-command-pitched-camp-in-augusta-georgia
By Sophia Stuart * August 31, 2016 08:00am EST
The United States Army is ramping up recruitment of geeks as it builds out a massive US Army Cyber Command in Augusta, Georgia, a move that could reportedly bring up to 5,000 new workers to the region, both military and civilian. On the Internet, the enemy has no intention of following the Rules of Engagement or reading the manual, so to speak. So the Department of Defense has been stealthily building something so advanced, internally and across all joint forces (Army, Navy and Marines), that it can be proactive and reactive in dealing with modern warfare. Welcome to the future of non-kinetic combat—in cyberspace.

PCMag went to Augusta, Georgia, to attend TechNet Augusta and find out more about US Army Cyber Command, which will be based in the city from 2018. The overarching USCYBERCOM has its own HQ in Fort Meade, Maryland. Augusta is already home to the Army Signal Corps and its Cyber Center of Excellence at US Army Base Fort Gordon. Considering the Signal Corps is responsible for all information systems and global networks, it's essentially where you'll find the geeks of the military, so the location makes sense.

At TechNet, top ranking officers from the US Army were joined by C-Suite IT and defense contract executives for a look at the latest gear, intelligence sharing, and talent scouting. Panel discussions included everything from the challenges of critical infrastructure protection and defensive cyber operations maneuver baselines to securing your warfighting platform, managing LAN devices in the cloud, and deceiving hackers with honey hashes (aka, foiling authentication attempts to grab passwords and break into networks). The exhibition hall had all the big name IT giants, including Unisys, HP, Cisco, and IBM. But that is where the similarities to a regular tech gathering ended. Most attendees were in fatigues and a few were in full military dress with medals and spit-and-polished shoes. Networking areas mingled between security intelligence briefing desks and display booths showcasing things like ultra rugged Getac X500 briefcase-sized battlefield tested mobile server units and an NSA Certified Type 1 Harris RF Falcon III communications tactical radio unit, or "Command Post in a Ruck." Bizarrely, along with the usual booth bait of branded ballpoint pens and Post-IT note giveaways, were jars of lollipops and tubs of unbuttered popcorn. They sat a little oddly amongst the rugged battle-tested equipment, but we digress.

At the sit-down lunch in the chandeliered ballroom, PCMag joined a table of soldiers who had done five tours of duty in Iraq each. Sadly they weren't empowered to talk to the press, so we can't quote anything that was said. But we can confirm the trenchant humor of the military is of an excellent standard (and it did feel like having a walk-on role in M*A*S*H).

The keynote speech was given by Major General Crawford, 14th Commander of the US Army Communications-Electronics Command (CECOM). He laid out the "New Strategic Realities" for the army to be in "readiness" at both the IOC (Initial Operational Capability) and FOC (Final Operational Capability). These include irregular warfare, sustain SWA (South West Asia) long-term and Army Posture in Europe. He also highlighted problems with privacy versus security as well as keeping current with the exponential growth in software coupled with velocity of instability in global conflict regions.

Unisys Stealth

Though top brass was a bit press shy, most of the top defense contractors are ex-military or formerly part of the intelligence community themselves, and they are happy to talk. PCMag sat down with two executives from Unisys: Jennifer L. Napper, Group Vice President, Department of Defense and Intelligence Group and Tom Patterson, Chief Trust Officer. Napper reached the rank of Major General in the US Army and retired after 30 years of distinguished service. She's no stranger to large scale complex IT installations, as she was responsible for engineering, operating, and securing global IT and communications networks for the Army. Her role now is securing and delivering Unisys federal contracts to DOD and other US government entities...


Endwall 09/02/2016 (Fri) 15:56:13 [Preview] No. 503 del
AgentTesla campaign engages in cybersquatting to host and deliver spyware
http://www.scmagazine.com/agenttesla-campaign-engages-in-cybersquatting-to-host-and-deliver-spyware/article/519750/
The spyware AgentTesla was recently found to be residing on a domain that was registered to appear as if it belonged to consulting and services firm Diode Technologies, according to Zscaler. Researchers at Zscaler recently discovered a new spyware campaign that used cybersquatting techniques to host, distribute and command-and-control the AgentTesla keylogger via a domain whose name was strikingly similar to Chesapeake, Virginia-based consulting and services firm Diode Technologies. According to Zscaler, the malicious domain, diodetechs.com, was registered two months prior to the attack, and was only one letter different from Diode Technologies' legitimate domain, diodetech.com. The domain has since been suspended. Diode, whose target customer base includes corporations, government agencies, educational institutions and health-care organizations, was informed of the incident earlier this month. The campaign infected victims using socially engineered emails with attached documents that were supposedly purchase orders but actually contained malicious macros that installed the AgentTesla payload. Upon downloading, AgentTesla is capable of keylogging, screen capturing and exfiltrating stored passwords. The malware can also terminate various security software programs on a victim's machine and evade sandboxes and virtual environments. Zscaler's director of security research Deepen Desai confirmed to SCMagazine.com that in one instance, a malicious email purported to come from Diode Technologies. "While we have only seen one instance, it is very likely that they were targeting Diode Technologies customers in this campaign," said Desai in emailed comments.
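
The lookalike domain in this campaign differs from the real one by a single character, which is exactly the pattern a mail gateway or SIEM rule can catch before a user ever opens the attachment. The block below is an added example for this thread, not Zscaler's or Diode Technologies' code: it computes the edit distance between a sender's domain and a list of domains the organisation wants protected, flags any domain that is within one edit but not an exact match, and runs that check over a few constructed mail-log lines. The log format and the sender addresses are assumptions; only the two domain names come from the article, and the check is written generally so it also catches the other one-character variants (a dropped or swapped letter, a truncated TLD) rather than only this case.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed inbound-mail log lines (assumption: a simplified MTA log layout,
# not a real product's format). Sender local parts and subjects are made up;
# the domains diodetech.com and diodetechs.com are the ones named in the article.
SAMPLE_MAIL_LOG = [
    "from=orders@diodetech.com subject='PO 4417'",
    "from=accounts@diodetechs.com subject='Purchase Order attached'",
    "from=news@example.org subject='Weekly digest'",
    "from=it@diodetech.co subject='Password reset'",
]

# Domains this organisation cares about: its own plus key suppliers' (assumption).
PROTECTED_DOMAINS = ["diodetech.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected: Iterable[str], max_distance: int = 1) -> Optional[str]:
    """Return the protected domain that `domain` imitates, or None.

    An exact match is legitimate traffic. A domain within `max_distance` edits
    of a protected one but not equal to any of them is the pattern the article
    describes (diodetechs.com impersonating diodetech.com).
    """
    domain = domain.lower().rstrip(".")
    protected = [p.lower() for p in protected]
    if domain in protected:
        return None
    for legit in protected:
        if edit_distance(domain, legit) <= max_distance:
            return legit
    return None


# Pull the sender domain out of a "from=user@domain" field.
SENDER_RE = re.compile(r"from=[^\s@]+@([A-Za-z0-9.-]+)")


def flag_lookalike_senders(log_lines: Iterable[str], protected: Iterable[str],
                           max_distance: int = 1) -> List[Tuple[str, str]]:
    """Scan log lines and return (sender_domain, imitated_domain) for each hit."""
    hits: List[Tuple[str, str]] = []
    protected = list(protected)
    for line in log_lines:
        m = SENDER_RE.search(line)
        if not m:
            continue
        target = lookalike_of(m.group(1), protected, max_distance)
        if target is not None:
            hits.append((m.group(1), target))
    return hits


if __name__ == "__main__":
    for sender, imitated in flag_lookalike_senders(SAMPLE_MAIL_LOG, PROTECTED_DOMAINS):
        print(f"ALERT lookalike sender {sender} (imitates {imitated})")
```

A distance of 1 keeps the rule tight; raising `max_distance` catches more variants but will start matching unrelated short domains, so in practice the list of protected domains should be the handful that actually exchange purchase orders or invoices with the organisation, and hits should quarantine the message for review rather than silently drop it.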


Endwall 09/02/2016 (Fri) 16:00:10 [Preview] No. 504 del
Security Affairs
Hacker Interviews – Speaking with Lorenzo Martínez
http://securityaffairs.co/wordpress/50848/hacking/hacker-interviews-lorenzo-martinez.html
September 1, 2016 By Pierluigi Paganini
Today I have the pleasure to share with you the interview with one of the most popular Spanish cyber security experts, Lorenzo Martinez. Enjoy it!
Lorenzo Martinez is the CTO of Securizame, a Spanish security company fully oriented to consultancy, ethical hacking, forensics and security trainings. He is also one of the four editors and founders at Security By Default, one of the most well-known Spanish security blogs. You can find him on Twitter as @lawwait.

You are one of the world’s most talented cyber security experts. Could you tell me what your technical background is and when you started hacking?

Well. You are pointing me very high. I am just a security enthusiast who had the chance and luck to study and work in what I like: Security. I started as a security consultant, sysadmin, and trainer. Then I started to learn and practice ethical hacking in different companies. I worked for two different security vendors, related to web security (a WAF manufacturer) and strong authentication. In 2012 I started my own company and have done a bunch of forensics.

What was your greatest hacking challenge?

Hacking for me doesn’t mean only breaking websites and developing exploits. A way of hacking is to build useful stuff that has not been created for a particular use. My greatest hacking challenge was to ‘domotize’ my home, creating the intelligence to glue several devices: a Roomba vacuum, a security system with face recognition using a webcam with OpenCV, an alarm and air conditioning systems with web management panels, X10 for lights and curtains, an Asterisk, a meteorologic station, a GPS-based tracker for my car, etc… I created a bot to manage them all, and to be more or less “autonomous”. IoT in 2012! You can find a first version of the talk I gave in RootedCON 2012 in this post http://www.securitybydefault.com/2012/04/welcome-to-your-secure-home-user.html and the enhanced version with the system running in two Raspberry PI Model B in this one in Ekoparty 2012

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

In my case, as I prefer forensics, I would say: Autopsy, FTK Imager, Tcpdump/Wireshark and all CAINE tools. Speaking of hacking: Nmap, Netcat, Metasploit, and BURP.

Which are the most interesting hacking communities on the web today?

Security and hacking communities are moving to different sectors: CONs, IRC, even Telegram groups where you can discuss specific stuff.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why? What scares you more on the internet and why?

Everything connected to the Internet (and a lot of air-gapped ones) is prone to be hacked. Several causes: misconfigurations, outdated systems, security implementation weaknesses, public or private exploits, because of being a target of any powerful government,… Others can be hacked because of people involved in the business of the organization. What do they want? Money or something that can be transformed into money, like information/data that could be sold for a strategy of a competitor or different country. I am scared because of the treatment of my data, by the providers or people who have my confidential information, as public administration, hospitals, banks, shops where I have to trust my credit card.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

I agree with that assessment. An attack on a nuclear plant that would cause human casualties would be catastrophic. In my opinion, there are more security incidents happening that we don’t realize because they are still unknown, and others that are discovered but kept private to avoid distrust or public panic.

Thanks and compliments for your great work!


Endwall 09/02/2016 (Fri) 16:02:02 [Preview] No. 505 del
State Governments' War Against Cybercrime
http://www.bankinfosecurity.com/state-governments-war-against-cybercrime-a-9376
Geetha Nandikotkur (AsiaSecEditor) • September 1, 2016
Following cyberattacks on public and private organizations, state governments in India are rolling up their sleeves to fight cybercrime. For example, Maharashtra Chief Minister Devendra Fadnavis announced the "Maharashtra Cyber Project" on Independence Day, planning 51 cyber labs across districts providing technical and forensic investigation support to the cyber police. The project also will launch a computer emergency response team, or CERT. Three other states - UP, Karnataka and Kerala - that have already set up cyber labs intend to scale up and emulate the Maharashtra model.

In the Maharashtra project, "the labs will be equipped to analyze mobile forensic and call detail records," Fadnavis says. "Totally, 51 labs will be started across the state, expected to be completed by December 2016."

Security leaders from law enforcement and business enterprises welcome Maharashtra's move, while acknowledging the challenges the program entails. Bangalore-based Sanjay Sahay, additional director general of police-cybercrime for the Karnataka Police, says the project will be effective only when law enforcement officers understand how to leverage cyber lab capabilities. "The key challenge is finding the right resources and capabilities to develop a defensive forensic and incidence response mechanism and auditing capabilities to defend against growing hacktivism," Sahay says.

The Cyber Project

Although Fadnavis only recently announced the initiative, the Maharashtra government already has been issuing tenders for hardware and software tools and other infrastructure. Sources say that so far, 34 labs already have been set up. The state has trained 1,000 personnel who'll be assigned jobs at these labs and get regular updates on the latest technologies.

Brijesh Singh, inspector general (cyber), says the labs will analyze evidence, including CCTV footage, call data records, retrieved files that criminals had deleted from gadgets, retrieved bank records and links traced and hacked by fraudsters. "The cyber force ... will help create forensic reports of the technical evidence collected in offences," Singh says.

Maharashtra police is collaborating with the Centre for Development of Advance Computing, CERT-In, Department of Electronics and IT and Department of Telecom, to identify a system integrator and value service provider to carry out the functions. Maharashtra will establish a CERT along the lines of CERT-In with experts from the Army, Navy, Defence Research Development Organization and other cybersecurity agencies. Sources at the state's police headquarters declined to divulge details on CERT's role and cyber labs functions.

Maharashtra is investing $118 million in its project, far more than other states have invested so far. By comparison, Lucknow-based Dr. Triveni Singh, additional superintendent of Police, at UP Police, says UP has established 27 cyber labs across districts, investing more than $2.5 million to build forensic investigation capabilities. "We've created training modules for the police force in coordination with the Central Bureau of Investigation for cyber forensics, investigation and telecom interception, and they are also trained under CBI," Singh says.

Delhi-based Data Security Council of India initiated setting up cyber labs in about five to six states way back in 2011 as part of its private-public partnership. Vinayak Godse, DSCI's senior director, says the council partnered with state police and DeitY to set up labs across Mumbai, Pune, Bangalore and Kolkata for cybercrime investigations and standardized training material for law enforcement. "We trained over 55,000 police personnel in cyber forensics and evidence gathering," Godse says.

Telangana rolled out its new cybersecurity policy early this year, emphasizing involving and training law enforcement. Recently, Andhra Pradesh's chief minister, N. ChandraBabu Naidu, worked with Nasscom and DSCI to roll out a draft cybersecurity policy. Sources say that state will launch a CERT to drive public-private partnership.

Key Challenges

The key challenge in establishing cyber labs is creating a sustenance model to ensure the ability to scale up capabilities as needed. "It's critical to sustain them with enhancement in new techniques and procedures to tackle new risks; this means new investments," Godse says.

Three key challenges in establishing and operationalizing these labs, security experts say, are:
* Establishing robust technological framework in gathering evidence and investigation;
* Gaining access to information about data thefts and hackers both inside and outside of India;
* Dealing with a lack of clarity in Indian law regarding how to punish cybercriminals.

"It's a challenge to get trainers to train the police on key skills like forensics, evidence gathering, log management, data mining etc., unless there's an effective public and private partnership model in place," notes Rakshit Tandon, cybersecurity adviser to the Uttar Pradesh Police Task Force. Sahay says gaining the necessary expertise is expensive. For example, he notes, "Hiring an expert to audit the website during website defacement means about $70,000 for a small activity."

Role of CERTs

Some security practitioners contend that because the government doesn't have an effective model for leveraging public and private partnerships in its sustenance program, the proposed CERTs will need to develop an effective program seeking private enterprises to hire talent to train law enforcement groups. The Kerala State Police has already commissioned a CyberDome - a high-tech cybersecurity and innovation centre, via public/private partnership, to tackle cybercrime.

CyberDome is envisioned as a primary monitoring unit for the internet and the nodal centre for policing social networking sites and anti-terror activities, says Manoj Abraham, inspector general of police and nodal officer for the Kerala Police. Some security experts argue that state governments should support the private sector for cybersecurity through effective public-private partnership models with clearly defined roles. "It's not an investment in high-tech infrastructure that's required; empowering the state academy and having an incentive program for private parties to build skills of these police groups is critical," Tandon says.


Endwall 09/02/2016 (Fri) 16:03:35 [Preview] No. 506 del
OS X malware spread via signed Transmission app... again
https://www.grahamcluley.com/2016/09/signed-sealed-delivered-malware-spread-signed-transmission-app/
David Bisson | September 1, 2016 10:26 am

For the second time this year, the Transmission BitTorrent client has been compromised. Researchers have caught malware being spread through a signed version of Transmission, the popular OS X BitTorrent client. A team of malware analysts notified Transmission after the malicious file was discovered on the Transmission application's official website. Transmission promptly removed the file. Even so, it's unclear when the malware, which goes by the name OSX/Keydnap, first made it onto the site. As ESET's researchers explain:

"According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following files or directory:"

/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/Application Support/com.apple.iCloud.sync.daemon/
$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Under no circumstances do you want to find any of the above files running on your computer. Their presence points to an active Keydnap infection, which doesn't mean anything good for a Mac user's passwords. ESET's researchers elaborate in another blog post:

"The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X's keychain. The author simply took a proof-of-concept example available on Github called Keychaindump. It reads securityd’s memory and searches for the decryption key for the user’s keychain. This process is described in a paper by K. Lee and H. Koo. One of the reasons we think the source was taken directly from Github is that the function names in the source code are the same in the Keydnap malware."

Interestingly, this version of OSX/Keydnap bears a striking similarity to OSX.KeRanger.A, the first fully functional ransomware which posed as version 2.90 of Transmission back in March. Coincidence? Not bloody likely! The code responsible for dropping the malware payload is the same. OSX/Keydnap and OSX.KeRanger.A also share a C&C URL resource path and parameter as well as a legitimate code signing key that was signed by Apple, meaning that both malware samples can bypass GateKeeper.

Per ESET's recommendation, if you installed Transmission v2.92 between August 28th and August 29th of this year, make sure you check for the presence of those files. If they're there, remove them and scan your system with an anti-virus solution just to be on the safe side.
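ESET's advice boils down to "look for these seven paths". The script below turns that list into a repeatable check; it is an added example for this thread, not code from the article, ESET or the Transmission project. The indicator paths are the ones quoted above, while the scan helper, the verdict wording and the injectable exists() predicate (there so the logic can be exercised without an infected Mac) are assumptions.

```python
# Added example (not from the article, ESET or Transmission): check a Mac for
# the file and directory indicators ESET listed for the trojanised
# Transmission 2.92 build. The paths are quoted from the article; the helper
# functions and the injectable exists() predicate are assumptions.
import os

# Indicator paths exactly as listed by ESET; $HOME is expanded at scan time.
KEYDNAP_INDICATORS = [
    "/Applications/Transmission.app/Contents/Resources/License.rtf",
    "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf",
    "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd",
    "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id",
    "$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist",
    "/Library/Application Support/com.apple.iCloud.sync.daemon/",
    "$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist",
]


def expand(indicator: str, home: str) -> str:
    """Substitute $HOME and drop a trailing slash so directories and files
    are tested the same way."""
    return indicator.replace("$HOME", home).rstrip("/")


def find_indicators(indicators=KEYDNAP_INDICATORS, home=None, exists=os.path.exists):
    """Return the expanded indicator paths that are present on disk.
    `exists` is a predicate so the logic can be run against a fake filesystem;
    `home` defaults to the current user's home directory."""
    home = home or os.path.expanduser("~")
    return [p for p in (expand(i, home) for i in indicators) if exists(p)]


def assess(found) -> str:
    """Turn the hit list into a one-line verdict for an incident ticket."""
    if not found:
        return "no Keydnap indicators present"
    return f"POSSIBLE KEYDNAP INFECTION: {len(found)} indicator(s) present"


if __name__ == "__main__":
    hits = find_indicators()
    print(assess(hits))
    for path in hits:
        print("  ", path)
```

Run it as the user who installed Transmission, since five of the seven indicators live under that user's home directory; a clean result only covers the paths ESET published, so it complements rather than replaces the anti-virus scan the article recommends.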


Endwall 09/02/2016 (Fri) 16:05:58 [Preview] No. 507 del
CYBERCOM wants adversary to know it’s hacked
http://www.matthewaid.com/post/149789428791/cybercom-wants-adversary-to-know-its-hacked
September 1, 2016 Mark Pomerlau
C4ISRnet.com August 31, 2016
As Cyber Command is beginning to reach initial operational capability and entering into both defensive and offensive operations around the globe, America’s cyber warriors need cyber tools to conduct their missions. However, unlike the tools used by members of the intelligence community, which seek to operate without being detected, the Defense Department is interested in “louder” tools.

First reported by FedScoop, Cyber Command’s Executive Director Shawn Turskey said the command desires tools that can be attributed to DoD. “In the intelligence community you never want to be caught, you want to be low and slow, you never really want to be attributed. There’s a different paradigm from where you are at in the intelligence community,” Turskey said at a government cybersecurity workshop hosted by the Department of Homeland Security August 30, according to FedScoop reporter Chris Bing. “But there’s another space over here, where maybe you definitely want to be louder, where attribution is important to you and you actually want the adversary to know.”

An official at Cyber Command, speaking to C4ISRNET on background, said joint force commanders might want their goals or objectives to be known in order to convey a message. Some cyber teams work directly to support the objectives of joint force commanders by providing options in cyberspace in furtherance of these goals. CYBERCOM is currently engaged in the global anti-ISIS coalition to help degrade and ultimately destroy the group by disrupting its command and control as well as ability to communicate. As part of the effort, CYBERCOM Commander Adm. Michael Rogers had stood up a specific task force headed by the commander of Army Cyber Command Gen Edward Cardon designed specifically at building tools tailored toward ISIS and their capabilities.

Joint Task Force – Ares, as it is called, is “very consistent with what we talked earlier but from a real specific operations point of view,” Ronald Pontius, deputy to the commanding general of ARCYBER, said in a recent interview with C4ISRNET. “It’s not just about tools, it is about how do you achieve effects that are integrated into Joint Task Force – Operation Inherent Resolve as the overall joint task force leading the efforts. So how do you integrate non-kinetic with kinetic to achieve those effects. The Joint Task Force – Ares is working that very much.” Pontius added that this project is a collaboration between CYBERCOM and Central Command, responsible for the geographic area encompassing ISIS’s largest territory to include the group’s de facto capital. Joint Task Force Ares is “integrated with Joint Task Force – OIR because they have responsibility in the entire battlespace of all the airspace, land domains,” he continued.

The CYBERCOM official noted that the initiative to create attributable cyber tools is broad based and not specific to any one specific effort. As CYBERCOM is nearing IOC, which will occur at the end of 2016, and while there have been reports the organization will be elevated to a unified command, it will continue to remain a close partner with the intelligence community and the NSA, its de facto parent, for the foreseeable future. “We will continue to work with the intelligence community for offensive means and offensive operations, but as the United States Cyber Command, we need totally separate tools and infrastructure to conduct our operations,” Turskey said.

“There is a close working relationship between signals intelligence and cyber. One can inform the other but also the other informs the other,” Pontius, whose organization is relocating its headquarters from Fort Belvoir, VA to Fort Gordon, GA in 2020, collocating with NSA-Georgia, said. “There’s things that we very much could see from a cyberspace operations point of view that could say here’s something we need to look at from a signals intelligence point of view or we may have indications and warnings from signals intelligence that says we believe adversaries are thinking about pursuing this kind of thing against our networks or our systems – you need to look in this area.”

In a general sense, Col Brandon Pearce, formerly chief of current intelligence for CYBERCOM, told C4ISRNET that this relationship is absolutely critical. “I believe that the relationship between signals intelligence and what U.S. CYBERCOM is trying to do in order to leverage signals intelligence and other types of intelligence to figure out what to do next inside the cyberspace is absolutely critical,” he said following an appearance at an FCW-hosted event on August 24, noting he has been out of that position for two years and was not commenting on current operations or policies.

Pontius was sure to articulate the key differences between Title 10 military operations and Title 50 intelligence operations as they apply to the intelligence-military partnership in cyberspace. “Cyberspace operations as a Title 10 operation is that, it’s a military operation, not an intelligence operation. And so it’s very important and we go through a lot of training and we have our operational lawyers very much with us on everything…You have to understand under what authorities are you conducting what operation and we work that very carefully,” he said.


Endwall 09/02/2016 (Fri) 16:08:20 [Preview] No. 508 del
Undocumented Patched Vulnerability in Nexus 5X Allowed for Memory Dumping via USB
https://securityintelligence.com/undocumented-patched-vulnerability-in-nexus-5x-allowed-for-memory-dumping-via-usb/
September 1, 2016 | By Roee Hay
The IBM X-Force Application Security Research Team recently discovered a previously undocumented vulnerability in older versions of Nexus 5X’s Android images (6.0 MDA39E through 6.0.1 MMB29V or bootloaders bhz10i/k). The first nonvulnerable version is MHC19J (bootloader bhz10m), released in March 2016. The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked. Clearly such an ability would have been very appealing to thieves. Fortunately, IBM is not aware of any exploitation attempts of this vulnerability.

The vulnerability could have been exploited by physical or nonphysical attackers with Android Debug Bridge (ADB) access to the device. A nonphysical attacker could gain ADB access by infecting an ADB-authorized developer’s PC with malware or by using malicious chargers targeting ADB-enabled devices. Using such chargers requires the victim to authorize the charger once connected. IBM disclosed this issue to Android a few months ago, and the Android Security Team recently acknowledged it was patched.

Behind the Curtain of the Nexus 5X Vulnerability

The vulnerability and its exploitation are rather straightforward: The attacker reboots the phone into fastboot mode, which can be done without any authentication. A physical attacker can do this by pressing the volume down button during device boot. An attacker with ADB access can do this by issuing the adb reboot bootloader command. The fastboot mode exposes a USB interface, which, on locked devices, must not allow any security-sensitive operation to be commanded.

However, we discovered that if the attacker issued the fastboot oem panic command via the fastboot USB interface, the bootloader would be forced to crash:

[38870] fastboot: oem panic
[38870] panic (frame 0xf9b1768):
[38870] r0 0x0f9972c4 r1 0x4e225c22 r2 0x7541206f r3 0x74206874
[38870] r4 0x0f9972e8 r5 0x0f96715c r6 0x0f9972f0 r7 0x0f9670ec
[38870] r8 0x0f92e070 r9 0x00000000 r10 0x00000000 r11 0x00000000
[38870] r12 0x0f92e070 usp 0x0f9650ec ulr 0x00000000 pc 0x0f99c75c
[38870] spsr 0x0f936964
[38870] fiq r13 0x0f989490 r14 0x00000000
[38870] irq r13 0x0f989490 r14 0x0f9004f4
[38870] svc r13 0x0f9b16f0 r14 0x0f92dd0c
[38870] und r13 0x0f989490 r14 0x00000000
[38870] sys r13 0x00000000 r14 0x00000000
[38880] panic (caller 0xf936964): generate test-panic...


Endwall 09/02/2016 (Fri) 16:09:22 [Preview] No. 509 del
Massive Data Breach Puts French Sub Maker in Crosshairs
http://www.technewsworld.com/story/83860.html?rss=1#
By David Jones Sep 1, 2016 7:00 AM PT
Officials in France and India have launched investigations of a massive data breach involving thousands of documents belonging to defense industry contractor DCNS, which was scheduled to deliver six Scorpene-class submarines to the Indian navy later this year. Hackers stole more than 22,000 pages of documents that included detailed technical information on the vessels. They turned them over en masse to The Australian, which published some of the leaked information.

DCNS acknowledged it was aware of the press coverage of the leak about the Indian Scorpene submarine project, and said French authorities were investigating the case. The investigation will determine the exact nature of the leaked documents, potential damages to DCNS customers, and responsibility for the leak, the company said. Indian government officials took up the incident with the director general of armament of the French government. They asked for an investigation and for the findings to be shared with the Indian government. The Indian government also is conducting an internal investigation to rule out any security compromise. However, the leak appears to have taken place outside of India, according to defense officials.

Possible Links

The evidence so far has led some to suspect a link to state-sponsored activity or even organized crime, noted Pierluigi Paganini, chief information security officer at Bit4id. "A government could be interested in leaking online such precious data only to interfere with commercial relationships between the DCNS and other governments," he told TechNewsWorld. "It could be interested, for example, to benefit a company linked to it."

The Kalvari, the first submarine built in India, reflects a deal between DCNS and Mazagon Dock Shipbuilders to build six vessels in Mumbai. DCNS also won the largest-ever contract awarded in Australian history, for an advanced fleet of vessels. Australia selected DCNS as the preferred international partner for the design of 12 future submarines for the Royal Australian Navy, the company announced this spring. The leakage of the India Scorpene data has created some unease over whether Australia should take delivery of those vessels. The Australian government chose DCNS for its ability to meet all of its requirements -- among them, superior sensors and stealth characteristics, as well as range and endurance similar to Collins class vessels.

NATO's main cyber-responsibility is to defend its own networks, noted Press Officer Daniele Riggio. Individual allies are responsible for protecting their own networks.

Sponsored Espionage?

The Scorpene cyberattacks follow a series of attacks launched late last year against several contractors who were in the running for the Australian submarine contract. Several reports linked China and possibly Russian hackers to those incidents, which targeted contractors in Germany and Japan, as well as France's DCNS. Torben Beckmann, spokesman for Thyssenkrupp Industrial Solutions, confirmed to TechNewsWorld that the company was one of three contractors in contention for the submarine contract, but he declined to comment on the reported data hack.


Endwall 09/02/2016 (Fri) 16:10:22 [Preview] No. 510 del
Former Canadian SIGINT Chief Says Canada Needs Offensive Cyber Weapons
http://www.matthewaid.com/post/149802230576/former-canadian-sigint-chief-says-canada-needs
Alex Boutilier Toronto Star September 1, 2016
Former electronic spy chief urges Ottawa to prepare for ‘cyber war’
OTTAWA—The former chief of Canada’s electronic spies is calling on Ottawa to develop an arsenal of cyber weapons — and give defence and intelligence agencies the green light to attack. “Cyber war” is still in its infancy, John Adams argued in a July paper, but computer viruses could soon cause as much damage to a country as conventional bombs and bullets.

Canada has traditionally — at least officially — focused cyber efforts on defending against espionage and attacks from both hostile states and hackers. But Adams, the chief of the Communications Security Establishment between 2005 and 2012, is calling on the federal Liberals to rethink that approach and allow Canada to go on the offensive.

“Some people think that cyber war will sooner or later replace kinetic war. More frequently, cyber war is presented as a new kind of war that is cheaper, cleaner and less risky for an attacker than other forms of armed conflict,” Adams wrote in a paper published by the Canadian Global Affairs Institute. “In either case, the Canadian Armed Forces have a responsibility not only to protect their own systems but they also need to have the authority to direct offensive action … if that is what it takes to blunt an ongoing catastrophic attack on critical infrastructure.”

Adams argued that if a hostile state were attacking Canada’s networks, Canada should be able to respond in kind to stop that attack. But in an interview with the Star Tuesday, Adams was clear that he’s envisioning a much wider range of actions for Canada’s defence agencies. “Let’s say we’ve got A, B, and C. A owes C money, and we want to make sure that money does not get to C. You can take steps to make sure, even though A may intend that (the money) goes to C, in fact it goes to B.” “And C says, ‘Well, that son of a gun’ and he goes and shoots A in the head.”

To most, Adams said, that would seem like an offensive action — Canadian spies misdirecting money, which ultimately results in someone getting killed. “That sort of action is very troublesome to governments, and certainly to politicians,” Adams said. “(Because) that would be judged to be an offensive action … (rather than) simply a defensive action, (where) you’re trying to stymie a whatever it might be, a nefarious action, and in so doing you take that kind of action and guess what? The bad guys are killing one another rather than doing the things you’d rather them not be doing.”

Adams is making his argument as the Canadian government is in the middle of a massive re-think of defence and cyber security policy. Defence Minister Harjit Sajjan launched a review of defence policy in April, and is expected to release the new policy in 2017. Public Safety Minister Ralph Goodale has also launched a review of Canada’s cyber security posture, in addition to a promised comprehensive look at the country’s national security framework. Goodale’s office deferred comment to the Department of National Defence. Calls to Sajjan’s office were not returned as of Wednesday.

In a written response, the Communications Security Establishment simply said that they have no authority to conduct offensive cyber operations. “CSE does not have a mandate to conduct offensive cyber activities,” agency spokesperson Ryan Foreman wrote in a statement. “The government of Canada is currently engaged in a defence policy review, which includes consulting Canadians on defensive and offensive military cyber capabilities.”

Part of the difficulty in discussing “cyber attacks” is how often that term is used to describe everything from minor website disruptions (a favoured tool of “hacktivist” groups like Anonymous) to serious hacks aimed at stealing secrets or sabotaging networks. The lines between attacking, defending, and espionage can also be blurry.

Wesley Wark, a professor at the University of Ottawa specializing in national security and intelligence issues, said while limited attack capabilities might be desirable, he thinks Canada needs to prioritize defence and intelligence gathering. “Before we leap ahead too far in investigating computer network attack capabilities and policies, we have to have a foundation in place … network defence capabilities, and the intelligence gathering capabilities,” Wark said. “If you don’t have those two, you can’t do the network attack … I’m afraid that this debate about let’s invest in cyber attack capabilities is going to drain resources, and time and attention, from those two foundational pieces.”

Wark also cautioned that cyber weapons should be used sparingly, or countries risk escalating an already busy exchange of attacks and counterattacks. “The last thing you want is to get into a round of escalating, out of control cyber aggressions, tit for tat, across international boundaries between state actors,” Wark said.

Proliferation and escalation are valid concerns, Adams conceded to the Star. But he said that he’s “equally concerned” about Canada not having the capacity to respond at all. “I simply say that it’s time for the debate. Let’s have the discussion,” Adams said. “Let’s get on with it, because I think it’s now time.”


Endwall 09/02/2016 (Fri) 16:12:02 [Preview] No. 511 del
Florida Man Arrested for Hacking Linux Kernel Organization
http://www.itsecuritynews.info/florida-man-arrested-for-hacking-linux-kernel-organization/
2. September 2016
Donald Ryan Austin, 27, of El Portal, Florida, was charged yesterday with hacking servers belonging to the Linux Kernel Organization (kernel.org). According to a four-count indictment, Austin gained access to server credentials used by an individual associated with the Linux Kernel Organization. Austin used the credentials to access four kernel.org servers located in a Bay Area data center, modified server configurations and installed rootkits and other trojans. Linux Kernel Organization administrators detected the intrusion and called on the FBI to investigate the incident. FBI agents tracked down the intrusion to Austin, and a federal grand jury issued a four-count indictment on June 2 […]


Endwall 09/02/2016 (Fri) 16:15:47 [Preview] No. 512 del
ABC News Australia
The internet of hacked things
http://www.abc.net.au/news/2015-10-07/four-corners-internet-of-hacked-things/7778954
Four Corners Updated August 29, 2016 10:09:04
Satellite communications
Newsat was once Australia's biggest satellite company, with systems carrying sensitive communications for the Australian Defence Force and mining companies. In a 2013 meeting called by the Australian Signals Directorate, former IT manager Daryl Peter was told the company had been seriously infiltrated by foreign hackers. Mr Peter believed the hack was from China. Newsat's former chief financial officer, Michael Hewins, said the company's IT staff were told its computers had been compromised in one of the worst cases Australian intelligence had ever seen. They were told Newsat would not be allowed to launch its flagship Jabiru 1 satellite until major changes were made. Jabiru 1 was a five-tonne state-of-the-art satellite that NewSat promised to launch, but it never got off the ground as the company eventually collapsed and went into administration.

Bureau of Meteorology
In April, Prime Minister Malcolm Turnbull confirmed the Bureau of Meteorology had suffered a significant cyber intrusion that was first discovered in 2015. It was the first time there was official acknowledgement that a critical Australian Government agency had been penetrated by a sophisticated cyber attack. The Government did not say it publicly but Australian intelligence sources have confirmed to the ABC that China was behind the attack. Four Corners has been told the Bureau of Meteorology was probably just a gateway for a more sinister attack. China's true targets may have been the Australian Geospatial Intelligence Organisation, which provides satellite imagery for sensitive defence operations, and a high-tech Royal Australian Air Force radar system called the Jindalee Operational Radar Network (JORN). The JORN system is designed to detect planes and maritime vessels within a 3,000-kilometre radius of Australia's northern and western shorelines. Beijing continues to deny responsibility for the attack.

Nuclear facilities
Stuxnet is the first cyberweapon known to cause actual physical damage. At the time of its 2010 discovery by security researchers, it was the most sophisticated malware identified in the public realm. Stuxnet targeted devices that automate electro-mechanical processes to sabotage Iran's uranium enrichment program in Natanz. Since the nuclear facilities were not connected to the Internet, it is believed that the malware was deployed by infecting employees' home computers, and carried unknowingly into the facility via a USB flash drive. Once inside the facility, the malware proceeded to override the Iranian scientists' internal network, forcing the centrifuges to spin at self-destructive speeds while making it appear that nothing abnormal was occurring. It was not until loud noises were heard from the centrifuge chambers that Iran's nuclear scientists became aware that their system was failing. It took another five months before researchers discovered the culprit: Stuxnet. Stuxnet is believed to have resulted in the destruction of roughly one-fifth of Iran's centrifuge stockpile. It also represented an unprecedented moment in history, when cyber warfare finally spilled over into the physical domain.

Power grids
The first publicly acknowledged successful cyber intrusion to knock a power grid offline occurred in Ukraine during December 2015. Widespread service outages were reported and it was soon discovered that about 30 substations became disconnected from the grid, leaving more than 225,000 customers freezing in the Ukrainian winter chill. The attackers are also believed to have spammed the Ukrainian utility's customer-service centre with phone calls in order to prevent real customers from requesting assistance. This was no opportunist act of hacktivism: those responsible were running a sophisticated and stealthy operation that would have required months of reconnaissance. Although power was restored hours later, many functions had to be controlled manually for months to come; the firmware inside the control centres running the substations had been rendered inoperable by the attack. Later, US security researchers found that the authors of the malware were writing in Russian. This malware was dubbed BlackEnergy.

Cars
In July 2015, American security researchers Charlie Miller and Chris Valasek demonstrated they could remotely hack a 2014 Jeep Cherokee, allowing them to control the car's transmission and brakes. The vulnerability they had discovered was exploited via the wi-fi in the car's multimedia system; the number of affected vehicles ran into the millions. They discovered they could crack a car's password through a method known as brute-forcing: literally decoding it through automated guesswork. Since then, a number of other vehicles have proved to be vulnerable to hacking, including models manufactured by Tesla, BMW, Nissan and Mercedes Benz. In response to security concerns, Tesla and Fiat Chrysler have both announced the establishment of bug bounty programs. Such programs allow independent security researchers to submit vulnerabilities they discover to the company and can be compensated thousands of dollars for their efforts.

Drug infusion pumps
We've all seen infusion pumps in hospitals before. But what you probably don't know is that many are actually connected to the hospital's computer network. In 2014, Californian researcher Billy Rios found he could remotely hack into hospital pumps that administer morphine and antibiotics to change the dosage level. After Rios sent his findings to the Department of Homeland Security, they contacted the Food and Drug Administration (FDA), who contacted the pumps' manufacturer, Hospira. The FDA eventually issued an advisory recommending that hospitals stop using the affected model of pump Rios had studied. But many more hospital pumps affected by similar vulnerabilities continue to be used today.

Steel mills
In 2014, the German Government confirmed that an unnamed steel mill was targeted by hackers, leaving one of its furnaces destroyed. The German Federal Office for Information Security said the attackers used a combination of techniques to attack the facility. They started by sending malicious emails to employees at the mill that surreptitiously stole login and password details. Once inside the system, they exploited software used to administer the plant's operations, allowing them to stop the blast furnace from being shut down.

Building management systems
In 2013, Billy Rios and Terry McCorkle hacked into the building management system of Google's offices in Sydney. Building management systems are interfaces that control power, CCTV systems, security alarms, fire alarms, electrical locks, air-conditioning, elevators and water pipes. The researchers had discovered the Google management system on a search engine for internet-connected devices known as Shodan. Google Australia thanked the researchers for alerting it, and "took appropriate action to resolve this issue".

Dams
Hackers almost gained control of the floodgates at Bowman Avenue Dam, near New York City, in 2013. It is believed the only reason they did not gain full control was because the dam had been manually disconnected for routine maintenance. Former government officials lay the blame for the attack on Iran, but details remain scarce as the incident remains classified.

TV stations
The French TV station TV5Monde fell victim to a sophisticated cyber attack that brought down 12 channels for almost a whole day in April 2015. Jihadist hackers were initially suspected to be the culprit as the TV5Monde website was defaced with Islamic State propaganda. However, cyber security experts later realised the hacker group used Russian code.

ATMs
New Zealand hacker Barnaby Jack came to fame in 2010 after demonstrating how to hack into automatic teller machines, causing them to spew out wads of notes. One of the vulnerabilities Jack demonstrated was in the remote monitoring feature, which in some models of ATMs is turned on by default. It was through this flaw in the ATMs' software that he uploaded a program designed to infect the machine in secret. The program would then be activated when someone entered a touch-sequence on the ATM's keypad, causing bills to fly out of the machine.

Traffic lights
In 2014, researchers demonstrated how they could remotely control a system of 100 intersections' traffic lights in an unnamed city in Michigan. Under the supervision of the government road agency, experts from the University of Michigan showed how the traffic lights used wireless radio to communicate data within a central network. It was through this wireless radio system that they discovered they could send commands to any intersection and control the lights at will.

Planes?
Security researcher Chris Roberts is subject to an ongoing FBI investigation after claiming to have hacked a plane mid-flight via its entertainment console. He claims to have made the passenger jet fly in a sideways movement. However, the jury remains out as to whether his claims are correct, especially if the flight crew failed to notice any abnormality.

Watch Cyber War on Four Corners, Monday 8.30pm and on iview.
http://www.abc.net.au/4corners/stories/2016/08/25/4526527.htm


Endwall 09/02/2016 (Fri) 16:21:38 [Preview] No. 513 del
ABC Australia
Four Corners
http://iview.abc.net.au/programs/four-corners/NC1604H031S00

Can someone grab this and convert it to webm? I don't have flash installed.


Endwall 09/02/2016 (Fri) 16:34:00 [Preview] No. 514 del
DNS tunneling threat drills into nearly half of networks tested
http://www.scmagazineuk.com/dns-tunneling-threat-drills-into-nearly-half-of-networks-tested/article/520363/
Davey Winder September 02, 2016
InfoBlox's new report showed nearly half of all networks tested show signs of DNS tunnelling.

The latest Infoblox Security Assessment Report reveals 40 per cent of the files it tested showed evidence of DNS tunnelling. That's nearly half of the enterprise networks that were tested by Infoblox returning evidence of a threat that can mean active malware or ongoing data exfiltration within the network. For more than a decade now the bad guys have been looking at ways of using DNS to exfiltrate data. Port 53 manipulation, also known as DNS Tunneling, allows data to be directed through this established path for malicious purposes. Perhaps this shouldn't be surprising, given the inherently trusted nature of DNS. While there are some 'quasi-legitimate' uses of DNS tunnelling, many will be malicious. The nature of these attacks can vary, depending on whether the perpetrator is an off-the-shelf scripter or a nation state actor. Project Sauron, an example at the nation state end of the spectrum, used DNS tunneling to exfiltrate data. Rod Rasmussen, vice president of cyber-security at Infoblox, says that "the widespread evidence of DNS tunnelling uncovered by the report shows cyber-criminals at all levels are fully aware of the opportunity." Rasmussen also points out that when suspicious DNS activity is detected, security teams can "use the information to quickly identify and remediate infected devices." Luther Martin, Distinguished Technologist at HPE Security, is in agreement that DNS tunneling is used by lots of hackers. "It's actually a fairly robust way to sneak data past a firewall," Martin told SCMagazineUK.com, "it's easy to get data rates of over 100 MB/s with it." Indeed, he's even seen DNS-tunneling-as-a-service offerings out there. Interestingly, according to Martin, DNS tunneling for the egress of lots of data (think big breach) is unlikely as firewalls are often surprisingly bad at egress filtering.
"The main use", Martin concludes, "might actually be to bypass firewalls and get WiFi access without paying for it." Luke Potter, Security Practice Director for SureCloud, revealed during a conversation with SC that DNS tunneling is even "an area that our testing team are actively using in client engagements" and that "we often find that mitigation for DNS tunnelling has not been considered or implemented." And Marc Laliberte, Information Security Threat Analyst at WatchGuard Technologies, has seen tunneling "prominently used in the Multigrain POS malware which made its rounds earlier this year." What's more, he told us he expects to "continue to see DNS tunnelling used for data exfiltration and C2 connections until organisations better prepare themselves to stop it." So how do they do that then? Jonathan Couch, VP of Strategy at ThreatQuotient, told SC that despite something like 90 per cent of malware utilising DNS for command and control as well as exfiltration, organisations which should know this continue to not manage their own DNS internally and still let UDP and TCP port 53 flow freely through their firewalls. "And those that do implement internal DNS," Couch adds, "either don't monitor it for tunneling or don't enforce use of it by blocking UDP/TCP 53 at the firewalls." The why is interesting, and reflects a common problem in the world of security teams. They don't plug the hole because it takes resources to implement and maintain internal DNS. "These are resources which the network operations folks need to use for other essential network services or security infrastructure," Couch concludes. That, and the fact that DNS is so core to everything that they don't want to mess it up!
Meanwhile, Luke Potter admits it's not straightforward to prevent this technique of tunnelling data, but provided SC Magazine with this summary: "To block tunnelling across the network, ensure the egress firewall has intrusion prevention and deep packet inspection enabled, as well as strict outbound port and protocol whitelisting. Additionally, an internal proxy server should be in use with SSL/TLS bumping to intercept encrypted traffic."
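Couch's point about monitoring internal DNS for tunnelling is easier to act on with a concrete detector. The following is an added example, not code from the SC Magazine article, Infoblox or any of the vendors quoted; it runs over a constructed query log (the `exfil-test.net` and `example.com` names, the clients and the timestamps are all made up) and scores each base domain on the properties tunnelled traffic tends to show: long, high-entropy subdomain labels that are never reused, often carried in TXT or NULL records.

```python
"""Heuristic DNS-tunnelling detector run over a constructed query log.

Added example; it is not code from the SC Magazine article, Infoblox or
any vendor quoted there. Tunnelled traffic encodes data in the query name,
so it tends to show long, high-entropy subdomain labels that are never
reused, often in TXT or NULL records. The detector scores each base
domain on those properties and flags domains that hit several at once.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "epoch client qname qtype".
# 10.0.0.7's queries imitate an encoding tunnel; the rest are ordinary.
SAMPLE_LOG = """\
1472832000 10.0.0.5 www.example.com A
1472832001 10.0.0.5 mail.example.com MX
1472832002 10.0.0.7 3f9a1c7e5b2d8046.x1.t.exfil-test.net TXT
1472832003 10.0.0.7 9b4e0d7a2c6f1835.x2.t.exfil-test.net TXT
1472832004 10.0.0.7 a2f7c1e9b0d34485.x3.t.exfil-test.net TXT
1472832005 10.0.0.7 d41c8e2f90b7a365.x4.t.exfil-test.net NULL
1472832006 10.0.0.7 e98f00c3ecf8427e.x5.t.exfil-test.net NULL
1472832007 10.0.0.9 cdn.example.com A
1472832008 10.0.0.9 static.example.com AAAA
1472832009 10.0.0.5 www.example.com A
"""

# Record types favoured by tunnelling tools because they carry large payloads.
TUNNEL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking encodings score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (base domain, subdomain part).

    Simplification for the example: the base domain is the last two labels.
    Production code should use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse the constructed log format into (epoch, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        epoch, client, qname, qtype = line.split()
        records.append((int(epoch), client, qname, qtype.upper()))
    return records


def score_domains(records):
    """Aggregate per-base-domain features used by flag_tunnels()."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "tun": 0})
    for _, _, qname, qtype in records:
        base, sub = split_qname(qname)
        a = acc[base]
        a["n"] += 1
        a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub)
        a["tun"] += qtype in TUNNEL_QTYPES
    return {
        base: {
            "queries": a["n"],
            "unique_ratio": len(a["subs"]) / a["n"],
            "avg_sub_len": a["len"] / a["n"],
            "avg_entropy": a["ent"] / a["n"],
            "tunnel_qtype_ratio": a["tun"] / a["n"],
        }
        for base, a in acc.items()
    }


def flag_tunnels(scores, min_len=20, min_entropy=3.0, min_unique=0.9, min_hits=3):
    """Return {base_domain: [indicators]} for domains matching >= min_hits signals."""
    flagged = {}
    for base, m in scores.items():
        hits = []
        if m["avg_sub_len"] >= min_len:
            hits.append("long subdomains")
        if m["avg_entropy"] >= min_entropy:
            hits.append("high-entropy labels")
        if m["queries"] >= 5 and m["unique_ratio"] >= min_unique:
            hits.append("no label reuse")
        if m["tunnel_qtype_ratio"] >= 0.5:
            hits.append("TXT/NULL heavy")
        if len(hits) >= min_hits:
            flagged[base] = hits
    return flagged


if __name__ == "__main__":
    for base, hits in flag_tunnels(score_domains(parse_log(SAMPLE_LOG))).items():
        print(f"suspected tunnel: {base} ({', '.join(hits)})")
```

On the constructed log only `exfil-test.net` is flagged, on all four indicators, while `example.com` (short, reused labels, A/MX records) scores none. The thresholds are starting points to tune against a network's own baseline; requiring several indicators at once keeps CDN and anti-spam lookups, which are long but reuse labels and stay on A/TXT, from tripping it. The detector is only useful once all resolution is forced through the internal resolver that produces this log, which is the port 53 egress control the article's experts describe.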


Endwall 09/02/2016 (Fri) 16:36:28 [Preview] No. 515 del
InfoWorld
Regular password changes make things worse
http://www.csoonline.com/article/3113710/data-protection/regular-password-changes-make-things-worse.html
Changing passwords is supposed to make things more difficult for attackers. Unfortunately, research shows that human nature means it makes it easier
Taylor Armerding Sep 2, 2016
Security experts have been saying for decades that human weakness can trump the best technology. Apparently, it can also trump conventional wisdom. Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person's, or an organization's, security. Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, "time to rethink mandatory password changes." She gave a keynote speech at the BSides security conference in Las Vegas earlier this month making the same point. But the message was not new -- she has been preaching it for some time. Cranor, who before her move to the FTC was a professor of computer science and of engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago. She contends that changing passwords frequently could do more harm than good. Not because new passwords, in and of themselves, would make it easier for attackers, but because of human nature. She cited research suggesting that, "users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily." This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. 
Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack new passwords if they had cracked an older one, since users tended to create a new password with a minor tweak of the old one. Those tweaks included changing a lower-case letter to upper case, substituting a number for a letter, such as a "3" for an "e," or simply adding a couple of letters or numbers to the end of the previous password. Cranor said the researchers found that if they knew a previous password, they could guess the new one in fewer than five tries. A hacker who had also stolen the hashed password file would be able to guess new ones within three seconds -- and that was with 2009 technology. The UNC study is not the only one reaching that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that security advantages of password expiration policies were, "relatively minor at best, and questionable in light of overall costs," for the same reason the UNC researchers found. "(W)hen password changes are forced, often new passwords are algorithmically related to the old [password], allowing many to be found in few guesses," they wrote. And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked "Retired" this past April), said password expiration policies frequently frustrate users, who then, "tend to choose weak passwords and use the same few passwords for many accounts." Not surprisingly, attackers are very much aware of these vulnerabilities. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. 
A report released earlier this month by Praetorian found that four out of the top five activities in the cyber kill chain had nothing to do with malware, but with stolen credentials, thanks to things like weak domain user passwords and cleartext passwords in memory. All of which would seem to be even more ammunition for organizations like the FIDO Alliance, which has been crusading to eliminate passwords entirely since its formation four years ago. The Alliance has been pitching two passwordless authentication options it hopes will be irresistible to both users and service providers. But even with increasing interest and acceptance of those options, Brett McDowell, FIDO's executive director, has acknowledged that there will be a "long tail" for password use. And during that long transition, he and others say there are multiple ways to improve security that don't involve creating a new password every couple of months that is easier to crack than previous ones. Zach Lanier, director of research at Cylance, cites Apple's TouchID and Google's Project Abacus as mobile options to wean users off passwords, but said passwords are obviously, "still around, and they're likely to be for a bit longer. It's just that they're so ‘standard' for people and enterprises, and have been for so long, that it's really hard to make them completely disappear." In the interim, he said, organizations can improve their password security through a combination of employee training and, "actively testing their authentication mechanisms and auditing users' passwords -- cracking them -- whether it's through internal infosec teams or external firms. In my opinion, it should be both," he said. "This can give the organization a better idea of where things are broken, from people to technology." The users can be brought into this as well, he added, by, "making available the tools to enable, if not force, users to test the strength of their own passwords." 
McDowell agrees that education is, "a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks." But he said the "shared secret" authentication model is vulnerable to too many forms of attack -- not just social engineering -- hence the need to eliminate them as soon as possible. Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. "Current policies set the bar far too low for complexity in passwords and don't require multi-factor authentication, acknowledged as the best commonly available solution," he said. Lanier agreed. "There are some really awful organizations, sites or services that can't seem to move past the year 1998 with authentication," he said. "Things like not allowing certain characters, or limiting the length of the password to something ridiculously low, all because the developers, database admins, and/or designers are using outdated or deprecated mechanisms." Pendergast said he sees the same thing. "There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don't use these basic password reinforcement functions," he said. And, Lanier noted that, "password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a Stickie note. This at least reduces the risk that a person might serialize their password choices. Certainly not a panacea, but for the average person, it's a great idea." Still, as McDowell noted, even rigorous passwords can't compensate for a person being fooled by a skilled attacker. "Many times, passwords are simply given away in a phishing or social engineering attack," he said. 
"I saw a recent stat from the SANS Institute that 95% of all attacks on enterprise networks are the result of successful spear phishing." All agree that the weaknesses of human nature mean it would be better to move beyond passwords. But, as McDowell notes, human nature also requires that whatever replaces passwords must be, "easier to use than passwords alone." "User experience is going to win over security every time so the key to building a secure password replacement system is to build ease-of-use into its foundation," he said. Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone. "At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker," he said. This story, "Regular password changes make things worse" was originally published by CSO.
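Pendergast's remark that technology exists to stop users repeating passwords maps directly onto the tweaks the UNC study catalogued. The following is an added example, not code from the CSO article or from the UNC or Carleton studies it cites: a password-change check that undoes those predictable edits (case changes, letter-to-digit or symbol swaps such as "3" for "e", a few characters appended) before comparing the old and new password, so a "rotation" from `Password1` to `P@ssw0rd2` is refused. The leet-speak table and the edit-distance threshold are the example's own choices; all sample passwords are constructed.

```python
"""Password-change check that rejects trivial tweaks of the old password.

Added example; it is not code from the CSO article or from the UNC or
Carleton studies it cites. It undoes the edits those studies found users
make (case changes, letter-to-digit swaps such as "3" for "e", a few
characters appended) and then compares the residue, so that a change from
"Password1" to "P@ssw0rd2" is refused. Meant to run at password-change
time, when the user has just supplied both the old and the new password.
"""
import re

# Common letter-to-symbol substitutions, reversed so both passwords normalise
# to the same plain-letter core. Table is this example's own choice.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case, strip leading/trailing digits and symbols, undo leet-speak."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(UNLEET)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_change(old, new, max_edits=2):
    """Return a reason string if `new` is a predictable tweak of `old`, else None.

    Checks, in order: pure case change; a change of only a couple of raw
    characters (covers "2016" -> "2017"); identical cores once case, edge
    digits/symbols and leet substitutions are removed; one core extending
    the other (letters appended); near-identical cores by edit distance.
    """
    if old.lower() == new.lower():
        return "only letter case changed"
    raw = levenshtein(old.lower(), new.lower())
    if raw <= max_edits:
        return f"differs from the old password by only {raw} character edit(s)"
    a, b = normalize(old), normalize(new)
    if a and a == b:
        return "only digits, symbols or substitutions changed"
    shorter, longer = sorted((a, b), key=len)
    if len(shorter) >= 4 and shorter in longer:
        return "new password merely extends or truncates the old one"
    if a and b and levenshtein(a, b) <= max_edits:
        return f"core differs from the old password by {levenshtein(a, b)} edit(s)"
    return None


if __name__ == "__main__":
    # Constructed sample pairs; none are real credentials.
    for old, new in [("Password1", "P@ssw0rd2"), ("Winter2016!", "Winter2017!"),
                     ("summer2016", "Summer2016ab"), ("Password1", "correct horse battery staple")]:
        reason = trivial_change(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT, ' + reason if reason else 'accepted'}")
```

The check needs the old password in cleartext, which is only available at the moment the user submits both values; it cannot be run retroactively against stored hashes, and it does nothing about a user who simply picks a weak but unrelated password, which is the other effect the article attributes to forced rotation. Length and breach-list checks, and the second factor Lanier recommends, still belong alongside it.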


Endwall 09/02/2016 (Fri) 16:38:23 [Preview] No. 516 del
Apple Patches Safari, OS X Flaws to Prevent Snooping
http://cyberparse.co.uk/2016/09/02/apple-patches-safari-os-x-flaws-to-prevent-snooping/
September 2, 2016
The fix comes a week after Cupertino patched a similar iOS vulnerability. Apple on Thursday fixed critical vulnerabilities in its desktop Safari browser and the OS X operating system. The security update comes after Cupertino last week patched a serious iOS flaw that let malware spy on a user’s phone calls and text messages. But Safari’s mobile and desktop versions share the same codebase, making Mac users vulnerable, as well. According to Apple’s advisory, the Safari 9.1.3 bug could allow a hacker to execute arbitrary code on an unsuspecting victim’s Mac by tricking the person into visiting “a maliciously crafted website.” Hackers employed the same technique recently when they tried to infiltrate human rights activist Ahmed Mansoor’s iPhone. The prominent advocate reportedly received a text message from a “cyber war” company with a link to malware that would have jailbroken his handset and installed surveillance software. The exploit, according to research group Citizen Lab, is connected to NSO Group, an Israeli company best known for selling a government-exclusive “lawful intercept” spyware product called Pegasus. If Mansoor had activated the malware, it would have allowed NSO access to the phone’s camera, microphone, and GPS. “Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms,” Citizen Lab researcher Bill Marczak told Motherboard. Citizen Lab did not immediately respond to PCMag’s request for comment. Apple last week released the latest version of iOS, 9.3.5, which fixes the aforementioned issues. The update includes two improvements to how iOS devices access memory, as well as a patch that prevents visits to malware-laden websites.


Endwall 09/02/2016 (Fri) 16:52:06 [Preview] No. 517 del
Inteno Router Flaw Could Give Remote Hackers Full Access
http://www.infosecurity-magazine.com/news/inteno-router-flaw-remote-hackers/
Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine
Security experts are warning of a critical new router vulnerability which could allow remote attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out. F-Secure claimed the issue affects the Inteno EG500, FG101, DG201 routers. However, in an advisory it added that more models could be affected but it couldn’t be sure due to the “vendor’s unwillingness to cooperate.” In fact, F-Secure claimed to have first contacted Inteno about the issue in January but when the vendor replied two months later it argued that software issues are dealt with by the “operators” that sell the equipment to end users. “Inteno do not do end user sales on CPE, we only sell through operators so such software features are directed through operators requests,” an Inteno representative told F-Secure at the time. The vulnerability itself stems from the fact that several router models don’t validate the Auto Configuration Server (ACS) certificate (CWE-295). This means that an attacker capable of launching a Man in the Middle (MitM) attack between the ACS and the device could intercept all network traffic going in and out of the device to the ACS and gain full administrative access to the router, allowing them to reflash the firmware. The implications of such a flaw are potentially serious, according to F-Secure cybersecurity expert, Janne Kauhanen. “By changing the firmware, the attacker can change any and all rules of the router. Watching video content you’re storing on another computer? So is the attacker. Updating another device through the router? Hopefully it’s not vulnerable like this, or they’ll own that too,” he warned. “Of course, HTTPS traffic is encrypted, so the attacker won’t see that as easily. 
But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine.” The one saving grace is that an attacker would have to gain a “privileged network position” before being able to launch such an attack – something which HTTPS is designed to prevent. However, if HTTPS is not implemented and an attacker is able to launch a MitM then there’s nothing a user can do to prevent a successful exploitation, short of installing a new router or a firmware update – once one is finally made available. “Gaining a MitM position is not trivial, but it’s not outside the realm of possibilities either, whether physically attacking a whole building by breaking into the distribution trunk in the building or using software tricks to route network traffic through a malicious site,” Kauhanen told Infosecurity. “If you use a vulnerable router to surf on my website for kitty pictures, here comes the payload.” In the meantime, F-Secure recommended users keep browsers and other software updated to prevent hackers exploiting any flaws; to use effective AV to prevent any malware downloads; and to use a VPN to encrypt internet traffic and prevent hackers gaining that initial foothold into the network. Unofficial reports suggest that there is a fix out there somewhere, although these have not been confirmed, according to Kauhanen.
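The flaw F-Secure describes is a missing certificate check (CWE-295) on the CPE's link to its Auto Configuration Server. The following is an added example, not Inteno firmware or F-Secure's code: it builds the vulnerable and the hardened client settings side by side in Python's `ssl` module and includes an audit function that reports which settings would let a man-in-the-middle impersonate the ACS. `ACS_CA_BUNDLE` is a hypothetical path an operator would supply; `fetch_acs_certificate` is a network helper and is not exercised offline.

```python
"""Client-side TLS configuration audit for the CWE-295 gap in the advisory.

Added example; this is not Inteno firmware or F-Secure's code. A CPE's
TR-069 client talks to the Auto Configuration Server (ACS) over TLS; if it
never validates the ACS certificate, anyone in a man-in-the-middle
position can impersonate the ACS. The two builders below mirror the
vulnerable and the hardened client settings in Python's ssl module, and
audit_tls_context() reports which settings would let that impersonation
succeed. ACS_CA_BUNDLE is a hypothetical path the operator would supply.
"""
import socket
import ssl

# Hypothetical: path to the operator's ACS CA bundle. None falls back to the
# system trust store, which is still a real validation step.
ACS_CA_BUNDLE = None


def insecure_acs_context():
    """The flawed behaviour: accept any certificate, match no hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_acs_context(cafile=ACS_CA_BUNDLE):
    """Validate the chain against a trust store and match the ACS hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the ACS link is validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: certificate chain is never checked (CWE-295)")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings


def fetch_acs_certificate(host, port=443, ctx=None, timeout=5.0):
    """Open a validated TLS session to the ACS and return the peer certificate.

    With the hardened context this raises ssl.SSLCertVerificationError when a
    man-in-the-middle presents a certificate the trust store does not vouch for.
    Network call; not exercised by the offline checks.
    """
    ctx = ctx or hardened_acs_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_acs_context()), ("hardened", hardened_acs_context())):
        print(name, audit_tls_context(ctx) or ["ok"])
```

The hardened builder is the whole fix in miniature: a trust store the device actually ships with, chain validation required, and the hostname matched against the certificate, so a redirected or intercepted connection fails closed instead of handing over administrative access. An operator's CA bundle (rather than the public store) is the usual choice for ACS links, since the ACS is an internal service whose certificate the operator issues itself.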


Endwall 09/02/2016 (Fri) 16:53:26 [Preview] No. 518 del
Man Convicted for Hacking Linux Kernel Servers
http://sensorstechforum.com/man-convicted-hacking-linux-kernel-servers/
September 2, 2016 by Vencislav Krustev+
A man from El Portal, Florida was arrested for gaining unauthorized access to the kernel.org (Linux Kernel) servers. According to the court, the hacker Ryan Austin used credentials to the servers of what appears to be an employee associated with the Linux Organization. The organization’s network administrators have detected the unauthorized login and have notified the authorities. The FBI took over this investigation, and they have eventually discovered that there were also attempts by Austin to modify the configuration files of the servers and that he had installed malware such as rootkits and Trojan horses on a server based in the Bay Area. The agents behind the investigation eventually tracked down the tracks of the intrusion, and they led to Ryan Austin, who was arrested on August 28, 2016. The suspect Ryan Austin was indicted to possibly face a 10-year solitary confinement as well as a fine of $250000.

Is This The Same Hacker Behind the 2011 Attack?
This is similar to the 2011 kernel.org hack which resulted in the successful installation of the Phalanx Rootkit infection with other Trojans able to steal passwords as well as perform other malicious activities. This time, the hack was relatively the same and the cyber-criminal attempted the same actions, suggesting that it may have been Austin who did the hack. There hasn’t been much fuss since this accident happened, besides that the hack was found half a month later. What is known from back then is that during that time, there was access to several machines that were used to distribute the Linux OS, according to officials. The consequences of the hack were that the attackers were able to track down anyone using these servers and what they do. Not only this but besides the servers Hera and Odin1 the hackers were able to access a senior developer’s personal machines as well. It is not disclosed as to what extent the data was stolen, but other computers within the kernel.org network may have also become victims of this attack.

What About The Future?
The good news for this situation is that Linux Kernel has learned from their mistakes and this time they have caught the attacker. However, it remains a mystery whether this was just Austin or there were other attackers as well since multiple computers were attacked. So far the big question that remains is whether or not this is going to be the end of those types of trojan and rootkit attacks against Linux Kernel. The reality is that with this attack and other attacks, like the Fairware ransomware, Linux becomes an increasingly bigger target for malware writers, especially when it comes to servers.


Endwall 09/02/2016 (Fri) 16:54:45 [Preview] No. 519 del
Man charged with hacking city sites in Arizona, Wisconsin
http://ktar.com/story/1257828/man-charged-with-hacking-city-sites-in-arizona-wisconsin/
By Associated Press | September 1, 2016 @ 5:41 pm
PHOENIX — A man has been indicted on federal charges of hacking into government websites in Arizona and Wisconsin, including a cyberattack that came three days after a police shooting of an unarmed man in the city of Madison and interrupted communications equipment for emergency workers there. Randall Charles Tucker of Apache Junction, Arizona, is charged with intentional damage to protected computers and threatening damage to protected computers for allegedly attacking municipal computer systems in March 2015 in Madison and two Phoenix suburbs, Chandler and Mesa. He also is accused of attacking the Washington, D.C.-based News2Share site in late 2014 after it failed to run a video he had provided. The video’s contents weren’t publicly revealed. It’s unknown whether Tucker has an attorney, and there was no listed phone number for his home. He hasn’t yet made an initial appearance in U.S. District Court in Phoenix. The indictment says Tucker temporarily disabled access to the city of Madison’s website and crippled the automatic dispatch system for emergency workers. The attack came three days after a white Madison police officer fatally shot Tony Robinson, a 19-year-old biracial man, during an altercation in an apartment building stairwell. The shooting put the police department under intense scrutiny and sparked days of protests. The officer was eventually cleared of criminal wrongdoing. The indictment against Tucker doesn’t mention the shooting. Less than a week after the Madison hack, authorities say Tucker launched an attack on city websites in Mesa and Chandler that temporarily made them inaccessible to users.


Endwall 09/02/2016 (Fri) 16:56:13 [Preview] No. 520 del
Florida Man Arrested for Hacking Linux Kernel Organization
http://www.securitynewspaper.com/2016/09/02/florida-man-arrested-hacking-linux-kernel-organization/
Security Newspaper | September 2, 2016
Donald Austin is the main suspect behind the kernel.org security breach that took place in the summer of 2011.
Donald Ryan Austin, 27, of El Portal, Florida, was charged yesterday with hacking servers belonging to the Linux Kernel Organization (kernel.org). According to a four-count indictment, Austin gained access to server credentials used by an individual associated with the Linux Kernel Organization. Austin used the credentials to access four kernel.org servers located in a Bay Area data center, modified server configurations and installed rootkits and other trojans. Linux Kernel Organization administrators detected the intrusion and called on the FBI to investigate the incident. FBI agents tracked the intrusion down to Austin, and a federal grand jury issued a four-count indictment on June 23, 2016.
Austin arrested this past Sunday
Officers from the Miami Shores Police Department arrested Austin during a routine traffic stop last Sunday, on August 28, 2016. The suspect made an initial appearance in a Miami court on Monday, and officials unsealed the indictment the following day. Austin appeared in court again yesterday, where a judge set bail at $50,000 and scheduled the next court appearance for September 21, 2016, in a San Francisco federal court. The suspect was released on bond. For his crimes, Austin faces a maximum sentence of ten years in prison, a fine of $250,000, and any other restitution.
The Linux Kernel Organization manages Linux kernel development and the kernel.org website. The Linux Kernel Organization is different from the Linux Foundation, which is a separate nonprofit foundation that supports the former.
Is Austin the hacker behind the 2011 kernel.org incident?
Back in 2011, the kernel.org website was hacked by an unknown attacker, who used a volunteer’s credentials to install the Phalanx rootkit along with other trojans capable of logging passwords and other malicious actions. It took the kernel.org team 17 days to discover the hack, and administrators never released an incident report detailing the data breach. Five years later, there are still very few details available about what really happened back then. With all the currently available information, Austin seems to be the main suspect behind the 2011 kernel.org security breach.
Source: http://news.softpedia.com/


Endwall 09/02/2016 (Fri) 16:57:08 [Preview] No. 521 del
Countdown to IANA Transition Is Not the Countdown to Doomsday
http://www.circleid.com/posts/20160902_countdown_to_iana_transition_is_not_the_countdown_to_doomsday/
Michele Neylon Sep 02, 2016 7:28 AM PDT
I've mentioned the IANA transition in several posts over the last year or so. Personally I'd love to not have to mention it ever again, as it's not the kind of topic that we should be spending too much time thinking about or worrying about. There are plenty of other things out there that cause us all headaches without adding to the list. However the IANA transition is a topic that is of fundamental importance for the global internet community.
As a company we rely heavily on the internet, in fact we are pretty much 100% online. Sure, we have physical offices and staff and all that, but pretty much everything we do is online. As a business our ability to serve our customers is predicated on our clients being able to have unfettered access to the global internet. Sure, there are limitations on some private networks and various government regimes around the world may place restrictions on what can and cannot be accessed at any given time. We may not like that, but part of freedom is that people are free to do lots of things, even things we don't really like. And the internet is built in such a way that most of those restrictions can be routed around either directly or indirectly, so the overall network's health is not adversely impacted.
The transition will result in the US government losing its special relationship with the IANA functions. That's all that will change and for the average internet user or business nothing will be impacted. The only "tangible" impact will be in how changes to the IANA functions are processed in the future. Which, again, has no impact on the average internet user. Post-IANA transition no one government or subset of governments will have more power than anyone else. The internet has blossomed where governments have taken a "light touch". Where governments have been more "heavy handed" in their interactions the online world has not grown and flourished as quickly.
It wouldn't be in anyone's interests to allow the very nature of the internet to be adversely changed. Yet, unfortunately, some elements in the US government (and elsewhere) have been spreading lots of scary, but factually incorrect, stories about how the Obama administration is going to hand over the internet to Russia and China. One has even set up a sort of "doomsday" countdown clock.
From our side we look forward to the IANA functions being transitioned to ICANN and the global internet community. We don't expect it to have any impact on our business nor that of our clients. However a failure to finalise the transition will definitely cause us all headaches, so let's just get it done once and for all!


Endwall 09/02/2016 (Fri) 16:58:20 [Preview] No. 522 del
TrustedSec Security Podcast Episode 53 – DropBox, NSA Breach, Medical Professionals
https://www.trustedsec.com/september-2016/tsp-episode-53-show-notes/
TrustedSec Security Podcast Episode 53 for September 1, 2016. This podcast is hosted by Rick Hayes, Scott White, Justin Elze, and Geoff Walton.
Download Page https://www.trustedsec.com/podcasts/trustedsec-security-podcast-episode-53.mp3
XML Page https://www.trustedsec.com/podcasts/trustedsecsecuritypodcast.xml


Endwall 09/03/2016 (Sat) 22:40:24 [Preview] No. 524 del
Clinton aide destroyed Hillary's phones by 'breaking them in half or hitting them with a hammer,' FBI documents reveal
http://www.dailymail.co.uk/news/article-3772563/Clinton-aide-destroyed-two-Hillary-s-phones-breaking-half-hitting-hammer-FBI-documents-reveal.html
* Justin Cooper recalled two instances where he broke Hillary's phones
* FBI listed 13 phones Hillary may have used to send emails on private server
* Hillary was known to switch to new phones before resorting back to older ones because she was more familiar with how to use them, Huma Abedin said
* 'The whereabouts of Clinton's devices would frequently become unknown once she transitioned to a new device,' according to the FBI
* Cooper set up email domain a week before she was sworn in as secretary of state and shut the server down in 2011 during a hacking attempt
* He did not have security clearance and was not an expert in cyber security
By Jessica Chia For Dailymail.com
Published: 21:06 GMT, 3 September 2016 | Updated: 21:16 GMT, 3 September 2016

An aide to Bill Clinton destroyed Hillary's phones by 'breaking them in half or hitting them with a hammer', according to FBI documents released Friday. The FBI identified 13 mobile phones Hillary may have used to send emails through a private server, and staffer Justin Cooper recalled two instances where he destroyed the phones through brute force. Hillary's 'shadow' Huma Abedin told the FBI the former Secretary of State would often use a new phone for a few days before switching back to an older one because she was more familiar with how to use it. Cooper recalled 'two instances where he destroyed Clinton's old mobile phones by breaking them in half or hitting them with a hammer,' according to the FBI report. Abedin said aides would help transfer Hillary's sim cards when she switched between phones. 'The whereabouts of Clinton's devices would frequently become unknown once she transitioned to a new device,' according to the FBI.
Cooper got his start as an intern in the Office of Science and Technology, before working as Bill Clinton's senior adviser and moving on to the Clinton Foundation and its initiatives. He registered the domain clintonemail.com a week before Clinton was sworn in as secretary of state and shut down the private server in 2011 when someone tried to hack it. He did not have security clearance and was not an expert in cyber security, the Washington Post reported.
After the FBI published additional documents on Friday, Hillary's press secretary Brian Fallon said they were 'pleased'. 'While her use of a single email account was clearly a mistake and she has taken responsibility for it, these materials make clear why the Justice Department believed there was no basis to move forward with this case,' he said. The documents revealed Hillary told the FBI she could not recall answers to some of their questions about her secret server scandal because she had a concussion in 2012.


Endwall 09/03/2016 (Sat) 22:44:25 [Preview] No. 525 del
Leakedsource breach notification service reported two Bitcoin Data Breaches
http://securityaffairs.co/wordpress/50890/data-breach/bitcoin-data-breaches.html
September 3, 2016 By Pierluigi Paganini
Now LeakedSource disclosed details from two Bitcoin data breaches that affected the bitcoin exchange BTC-E.com and the discussion forum Bitcointalk.org.
The data breach notification service LeakedSource is becoming familiar to my readers; recently it reported the data breaches suffered by many IT services, including Last.fm and DropBox, both of which occurred in 2012. Now LeakedSource has disclosed details from two Bitcoin data breaches that affected the Bitcoin sector; the incidents were suffered by the bitcoin exchange BTC-E.com and the bitcoin discussion forum Bitcointalk.org.
The incident at Bitcointalk.org was disclosed in May 2015, when the servers of the forum were compromised by attackers.
"Server compromised due to social engineering against ISP NFOrce. There will be extended downtime for forensic analysis and reinstall." — BitcoinTalk (@bitcointalk), 22 May 2015
“The forum’s ISP NFOrce managed to get tricked into giving an attacker access to the server. I think that the attacker had access for only about 12 minutes before I noticed it and had the server disconnected, so he probably wasn’t able to get a complete dump of the database. However, you should act as though your password hashes, PMs, emails, etc. were compromised,” the user theymos reported on Reddit. “The forum will probably be down for 36-60 hours for analysis and reinstall. I’ll post status updates on Twitter @bitcointalk and I’ll post a complete report in a post in Meta once the forum comes back online.” “Each password has a 12-byte unique salt. The passwords are hashed with 7500 rounds of SHA-256,” he added.
LeakedSource reported that 499,593 user details were stolen in the incident; the leaked records include usernames, passwords, emails, birthdays, secret questions, hashed secret answers and some other internal data. 91% of passwords were hashed with sha256crypt, and the experts explained that it would take about a year to crack an estimated 60-70% of them. 9% were hashed with MD5 and all were protected with the same salt value; LeakedSource has already cracked approximately 68% of those.
More mysterious was the BTC-E.com incident; it is possible that hackers also compromised some users’ wallets, stealing bitcoins. Despite LeakedSource’s notification, there is no news about incidents that occurred to BTC-E customers. In January 2016 the Financial Underground Kingdom blog reported that the exchange had suffered one hack without effects for its customers; it is likely the data leaked by LeakedSource is related to that incident. “During years of existence [BTC-E] had just 1 hack after which the owners paid all the debt to users.” It isn’t clear whether that hack and the data disclosure made by LeakedSource refer to the same incident. LeakedSource reported that BTC-E.com was hacked in October 2013 and 568,355 users were impacted. The passwords were protected with an unknown hashing method, making the “passwords completely uncrackable although that may change.”
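The cost gap between the two hashing schemes described above is easy to show in code. The following is an added example, not part of the Security Affairs article or of LeakedSource's tooling: it builds a constructed "leak" of six accounts (three with per-user 12-byte salts and 7500 iterations, three with single-round MD5 under one shared salt) and runs the same small wordlist against both. The iterated-SHA-256 construction is a simplified stand-in, not the real sha256crypt algorithm; the usernames, passwords, salts and wordlist are all made up here.

```python
import hashlib
import os
from typing import Dict, List, Tuple

ROUNDS = 7500  # round count reported for the forum; the construction below is a stand-in, not sha256crypt


def iterated_sha256(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Simplified salted, iterated SHA-256 (an assumption for illustration, not the real sha256crypt)."""
    pw = password.encode()
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt + pw).digest()
    return digest.hex()


def salted_md5(password: str, salt: bytes) -> str:
    """Single-round salted MD5, the weaker scheme the leak used for 9% of accounts."""
    return hashlib.md5(salt + password.encode()).hexdigest()


# Constructed sample leak: (user, scheme, salt, hash). Nothing here is real breach data.
SHARED_SALT = b"one-salt-for-all"
_UNIQUE_SALT_USERS = {"alice": "correcthorse", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
_SHARED_SALT_USERS = {"dave": "hunter2", "erin": "letmein", "frank": "satoshi2013"}

Record = Tuple[str, str, bytes, str]


def build_leak() -> List[Record]:
    records: List[Record] = []
    for user, pw in _UNIQUE_SALT_USERS.items():
        salt = os.urandom(12)  # 12-byte per-user salt, as the forum admin described
        records.append((user, "sha256-iter", salt, iterated_sha256(pw, salt)))
    for user, pw in _SHARED_SALT_USERS.items():
        records.append((user, "md5", SHARED_SALT, salted_md5(pw, SHARED_SALT)))
    return records


def crack_unique_salt(records: List[Record], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-user salts: every candidate has to be re-hashed for every target account."""
    cracked: Dict[str, str] = {}
    work = 0  # number of (candidate, target) hash computations
    for user, scheme, salt, h in records:
        if scheme != "sha256-iter":
            continue
        for cand in wordlist:
            work += 1
            if iterated_sha256(cand, salt) == h:
                cracked[user] = cand
                break
    return cracked, work


def crack_shared_salt(records: List[Record], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Shared salt: hash each candidate once and look it up against every target at the same time."""
    targets = {h: user for user, scheme, _salt, h in records if scheme == "md5"}
    cracked: Dict[str, str] = {}
    work = 0
    for cand in wordlist:
        work += 1
        h = salted_md5(cand, SHARED_SALT)
        if h in targets:
            cracked[targets[h]] = cand
    return cracked, work


WORDLIST = ["123456", "password", "hunter2", "letmein", "correcthorse", "qwerty"]


def compare(wordlist: List[str] = WORDLIST) -> Dict[str, object]:
    """Run both attacks over the constructed leak and report what was cracked at what cost."""
    records = build_leak()
    u_cracked, u_work = crack_unique_salt(records, wordlist)
    s_cracked, s_work = crack_shared_salt(records, wordlist)
    return {
        "unique_salt_cracked": u_cracked,
        "unique_salt_hash_calls": u_work * ROUNDS,  # each attempt costs ROUNDS SHA-256 calls
        "shared_salt_cracked": s_cracked,
        "shared_salt_hash_calls": s_work,  # one MD5 call per candidate covers every account
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the six-word list, the per-user-salt side needs 14 candidate trials at 7500 SHA-256 calls each (105,000 hash calls) to recover two of three passwords, while the shared-salt side needs six MD5 calls in total to recover two of three. Multiply the first figure by a real wordlist and a real user count and the "about a year" estimate in the article becomes plausible; the shared-salt MD5 set falls in seconds, which is why LeakedSource had 68% of it before the article was written.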


Endwall 09/03/2016 (Sat) 22:45:44 [Preview] No. 526 del
Security Affairs
Apple issued fixes for Pegasus spyware bugs in OS X, Safari. Apply it now!
http://securityaffairs.co/wordpress/50868/hacking/pegasus-tridend-exploit.html
September 2, 2016 By Pierluigi Paganini
Apple issued security fixes for Mac OS X and Safari to patch zero-day flaws exploited by Pegasus spyware to spy on mobile users.
A few days ago, we reported a detailed analysis of the Trident exploit, which triggers three vulnerabilities in order to remotely hack Apple mobile devices through the installation of the Pegasus spyware. The joint investigation conducted by experts from the CitizenLab organization and the Lookout security firm demonstrated that nation-state actors exploited the three vulnerabilities to spy on activists’ Apple mobile devices. Experts from Lookout identified the targeted attack as Pegasus, as explained in a detailed blog post.
“Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection,” states the blog post published by Lookout.
The three zero-day vulnerabilities, dubbed “Trident,” exploited in the attack are:
* CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
* CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
* CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
Malware experts linked the attacks leveraging the Pegasus malware to the activity of the Israeli surveillance firm NSO Group, which developed malicious code that has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists.
The vulnerabilities, including a hole in IOMobileFrameBuffer (found and fixed in Safari and coded CVE-2016-4564), also affect desktop Safari and OS X. Do not forget that iOS and OS X share a big portion of code, so the presence of the flaws on Mac desktops is normal. Apple, which released the iOS 9.3.5 update for its mobile devices (iPhones and iPads) to address the flaws, has now issued security updates also for the Safari browser and OS X. The Safari patch fixes the Trident vulnerabilities; Apple also issued updates for El Capitan and Yosemite. Don’t waste time, patch your Apple devices as soon as possible.


Endwall 09/03/2016 (Sat) 22:48:49 [Preview] No. 527 del
https://vigilance.fr/
Vigil@nce - HTTP: Man-in-the-Middle via Proxy CONNECT
September 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle when an HTTP proxy is configured, in order to obtain passwords of users of this proxy. Impacted products: HTTP protocol, SSL protocol. Severity: 1/4. Creation date: 18/08/2016.
DESCRIPTION OF THE VULNERABILITY
When an HTTP proxy is configured, the web browser uses the HTTP CONNECT method to ask the proxy to set up a secured TLS session. However, the HTTP CONNECT query and its reply are sent in a clear HTTP session. An attacker can act as a Man-in-the-Middle, and spoof a 407 Proxy Authentication reply to the client. The victim then sees an authentication window, and may enter his password, which is sent to the attacker’s server.
It can be noted that this vulnerability impacts all session types requested to the proxy, but as the victim requests an https/TLS URL, he expects his session to be encrypted. It is thus a perception problem, rather than a real new vulnerability.
An attacker can therefore act as a Man-in-the-Middle when an HTTP proxy is configured, in order to obtain passwords of users of this proxy.
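The exchange the bulletin describes, as an added example that is not part of the Vigil@nce bulletin: a client's plaintext CONNECT to its configured proxy, the 407 that anyone on the path can inject in place of the proxy's "200 Connection established", and the retried CONNECT that hands the attacker a Basic token. The "strict" client policy shown alongside it is an assumption of this example (send proxy credentials only when the hop to the proxy itself is TLS-protected and the challenge scheme is the one expected), not a description of how any particular browser behaves; host names and credentials are made up.

```python
import base64
from typing import Dict, Optional, Tuple

Creds = Tuple[str, str]


def parse_headers(msg: bytes) -> Dict[str, str]:
    """Split an HTTP message head into lower-cased header names -> values (request/status line skipped)."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def status_code(response: bytes) -> int:
    return int(response.split(b"\r\n", 1)[0].split(b" ")[1])


def build_connect(host: str, port: int, creds: Optional[Creds] = None) -> bytes:
    """The CONNECT request a browser sends to a configured proxy for an https:// URL."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed: the reply an on-path attacker injects instead of the real proxy's 200.
SPOOFED_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def naive_client_retry(response: bytes, creds: Creds, host: str, port: int) -> Optional[bytes]:
    """Vulnerable behaviour: any 407 on the plaintext proxy hop is answered with the stored credentials."""
    if status_code(response) != 407:
        return None
    return build_connect(host, port, creds)


def strict_client_retry(response: bytes, creds: Creds, host: str, port: int,
                        proxy_hop_is_tls: bool) -> Optional[bytes]:
    """Hardened behaviour (assumed policy, not any vendor's): credentials go out only over a
    TLS-protected hop to the proxy, and only for the challenge scheme we expect."""
    if status_code(response) != 407:
        return None
    if not proxy_hop_is_tls:
        return None  # the 407 could have come from anyone on the path; never answer it in the clear
    challenge = parse_headers(response).get("proxy-authenticate", "")
    if not challenge.lower().startswith("basic "):
        return None
    return build_connect(host, port, creds)


def attacker_extract(request: bytes) -> Optional[Creds]:
    """What the man in the middle recovers from the client's retried CONNECT."""
    auth = parse_headers(request).get("proxy-authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    leaked = naive_client_retry(SPOOFED_407, ("jdoe", "s3cret"), "bank.example", 443)
    print("attacker sees:", attacker_extract(leaked))
    print("strict client over plaintext hop sends:",
          strict_client_retry(SPOOFED_407, ("jdoe", "s3cret"), "bank.example", 443, False))
```

The point the bulletin makes is visible in the two client functions: the TLS session the user expects only starts after the CONNECT succeeds, so everything up to and including the 407 round trip is unauthenticated plaintext. Moving the proxy hop itself onto TLS (an HTTPS proxy) is what removes the injection opportunity; a client that just refuses Basic in the clear at least fails closed.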


Endwall 09/03/2016 (Sat) 22:51:37 [Preview] No. 528 del
Attackers Combine Three Botnets to Launch Massive DDoS Attack
http://news.softpedia.com/news/attackers-combine-three-botnets-to-launch-massive-ddos-attack-507901.shtml
Sep 2, 2016 18:50 GMT By Catalin Cimpanu
Crooks use a botnet of CCTV cameras, one of home routers, and one made up by compromised web servers
An unnamed website has been on the receiving end of a ferocious Layer 7 DDoS attack that involved traffic from over 47,000 distinct IP addresses, most of which belonged to IoT (CCTV) devices, home routers, and compromised Linux servers. Sucuri, a US web security vendor who was called in to mitigate the incident, says the attack reached a whopping 120,000 requests per second, and that the attacker used a flood of HTTPS packets in order to maximize resource consumption on the target's machines.
Most of the DDoS traffic came from hijacked CCTV systems
After the attack had subsided, Sucuri experts that were investigating the incident discovered that the DDoS traffic didn't come from one singular source, but the attacker had combined (possibly rented) three different distinct botnets. The company was well aware of one of the botnets, which they previously discovered at the end of June. This was a 25,000-strong botnet assembled after compromising Internet-connected CCTV devices from different vendors, most of which were running firmware made by Chinese firm TVT. The group behind this recent DDoS attack wasn't content with the capabilities provided by this botnet and had also created/rented another botnet to help their efforts.
A quarter of the traffic also came from compromised home routers
According to Sucuri, the group was controlling another botnet comprised of 11,767 home routers from eight major industry brands. The attackers had managed to take control over these devices by using various firmware vulnerabilities or by hijacking the routers for which device owners didn't change the default admin panel password. Compromised Huawei routers made up more than half of this botnet, with 6,015 devices, almost 51 percent of the entire botnet. Second came Mikro RouterOS (2,119 devices - 18 percent), AirOS routers (245 routers), but also NuCom 11N Wireless Routers, Dell SonicWall, VodaFone, Netgear, and Cisco.
Most compromised home routers found in Spanish-speaking countries
The home router botnet was very effective because not all compromised devices were in the same geographical area, which would have been easy to block. Devices were spread all over the world, but mainly in Spanish-speaking countries, such as Spain (45 percent of the entire botnet), Uruguay, Mexico, the Dominican Republic, and Argentina. The third and last botnet used in the DDoS attack was made up of compromised web servers coming from data centers.
"This new [three-botnet] distribution allowed the attacker to generate a massive number of requests per second without affecting the operation of the infected devices," Sucuri CTO Daniel Cid explains. "Under this configuration, the devices would only need to generate a few requests per second – well within their means."
Sucuri isn't the only company that has discovered huge botnets of IoT devices engaging in DDoS attacks. Researchers from Arbor Networks have also discovered a botnet of 120,000 IoT devices,
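Cid's point about each device only needing "a few requests per second" is exactly what makes this kind of flood hard to see from a per-IP rate limiter. The following is an added example, not Sucuri's code or anything from the article: it parses Common Log Format access-log lines, aggregates them per second, and separates a flood from one loud source (where per-IP rate limiting works) from a flood spread thinly across many sources (where it does not). The log lines, IP ranges and the two thresholds are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Tunables (assumptions for this example, not figures from the article).
FLOOD_RPS = 100        # aggregate requests/second above which a second is a flood
LOUD_SOURCE_RPS = 50   # a single IP at or above this is a source you can simply rate-limit


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line; the timestamp field is kept whole, which gives one-second buckets."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "second": ts, "request": request, "status": int(status)}


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per-second totals: request count, distinct sources, and the busiest single source."""
    per_second: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[str(rec["second"])][str(rec["ip"])] += 1
    return {
        second: {
            "requests": sum(ips.values()),
            "distinct_ips": len(ips),
            "max_per_ip": max(ips.values()),
        }
        for second, ips in per_second.items()
    }


def classify(stats: Dict[str, int]) -> str:
    """Normal traffic, a flood from one loud source, or a flood spread thinly over many sources."""
    if stats["requests"] < FLOOD_RPS:
        return "normal"
    if stats["max_per_ip"] >= LOUD_SOURCE_RPS:
        return "single-source flood"  # per-IP limits or a block will stop it
    return "distributed flood"       # every source stays quiet; aggregate/upstream controls needed


def make_lines(ips: List[str], per_ip: int, second: str) -> List[str]:
    """Constructed CLF lines for a scenario (no real traffic)."""
    return [f'{ip} - - [{second}] "GET /index.php HTTP/1.1" 200 512'
            for ip in ips for _ in range(per_ip)]


def demo_scenarios() -> Dict[str, str]:
    """Three constructed seconds: baseline, a 200-bot flood at 2 rps each, and one host at 300 rps."""
    quiet = [f"192.0.2.{i}" for i in range(1, 6)]
    bots = [f"10.0.{i // 256}.{i % 256}" for i in range(200)]
    log = (make_lines(quiet, 1, "02/Sep/2016:18:50:00 +0000")
           + make_lines(bots, 2, "02/Sep/2016:18:50:01 +0000")
           + make_lines(["198.51.100.7"], 300, "02/Sep/2016:18:50:02 +0000"))
    return {second: classify(stats) for second, stats in summarize(log).items()}


if __name__ == "__main__":
    for second, verdict in demo_scenarios().items():
        print(second, "->", verdict)
```

The distributed second carries four times the request volume of the single-source second's threshold yet never shows any IP above 2 requests per second, so a rule keyed on per-IP rate alone would pass it; the count of distinct sources per second is the signal that survives.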


Endwall 09/03/2016 (Sat) 22:53:13 [Preview] No. 529 del
US Government Admits IANA Transition May Not Move Forward
http://www.circleid.com/posts/20160902_us_government_admits_iana_tranisition_may_not_move_forward/
Sep 02, 2016 12:51 PM PDT
The US government plan to move control of the internet's naming and numbering functions to ICANN next month may not move forward, reports Kieren McCarthy: "In a letter from the Department of Commerce (DoC) to ICANN sent August 31, the department's CFO gives the organization 30 days' notice that it may extend its current contract over the critical IANA functions by a year. In other words, Uncle Sam will continue to oversee ICANN's running of IANA for another 12 months. That contract is due to terminate on September 30, and following a two-year process started by the US government and run by the internet community, ICANN is due to take over full control."
McCarthy: "In the heart of election season, it is not inconceivable that Congress will agree to that 'significant impediment,' but it won't happen if Ted Cruz – who remains widely disliked within Congress – is the only standard-bearer of the move to disrupt the transition."
"Countdown to IANA transition is not the countdown to doomsday," said Michele Neylon, earlier today on CircleID: "The transition will result in the US government losing its special relationship with the IANA functions. That's all that will change and for the average internet user or business nothing will be impacted. The only 'tangible' impact will be in how changes to the IANA functions are processed in the future. Which, again, has no impact on the average internet user."
I have advocated that there is "No Legal Basis for IANA Transition," says Sophia Bekele: "My recent letter to Sens. Marco Rubio (R-Fla.) and Ted Cruz (R-Texas) certainly has helped in identifying the majority of the key issues that the Congress is now forming its opinion on and it has vindicated me. We now see an activated campaign against this transition by various senators supporting it, highlighting the same issues. A legislation process is in progress to block this transition as part of the Republican policy… Even before such open statements were made by the respective parties, I rightfully predicted in my public commentary to The Hill [November 2016 Elections will determine fate of Internet Privatization; Fixing what is not broken] and rightfully so, we will be waiting for this outcome."


Endwall 09/03/2016 (Sat) 22:54:08 [Preview] No. 530 del
USA spy agency's hacking tools revealed on Internet
http://opensources.info/usa-spy-agency39s-hacking-tools-revealed-on-internet/
Sep 2, 2016
He believes the Shadow Brokers’ cyberattack on the NSA’s group is linked to the Democratic National Convention, after Russian hackers leaked several emails and voice messages. Further tweets made by the former NSA contractor suggest that ties exist between “The Shadow Brokers” and the Russian Federation, the country that has hosted Snowden since his escape from the US and the reported source of the massive DNC leak that took place a couple of months ago.
Yesterday, it was reported that a new murky hacking collective, The Shadow Brokers, had infiltrated another hacking sect called The Equation Group, dumping its sensitive documents online over the weekend. The group also said that if the auction raised 1 million bitcoins – equivalent to roughly $500 million – it would release the second file to the world. The group’s name appears to be a reference to a character in the “Mass Effect” video games who sells off information to the highest bidder. But despite this freaky, disjointed statement, security experts see other motives behind the dump of several hacking tools believed to belong to the NSA: whoever is behind it wanted to send a warning message.
If the hack is real, experts believe that a foreign government must have helped the group in order for it to have exploited NSA resources in this way. As Edward Snowden explained via CNN, modern spying is like launching a missile attack on an enemy where you will not hit them directly from your base; you have to look for a dummy spot to fire the missile from to avoid being traced back. Former NSA employees who worked at the agency’s hacking division known as Tailored Access Operations told the Washington Post the hack appeared genuine. As proof, the hackers released a swathe of malware programs, including a number of pieces of software referenced in the leaks from NSA whistleblower Edward Snowden.
If the Shadow Brokers owned the NSA’s command and control server, it would be a great approach to try other interesting things they might be able to find. “You’re welcome, @NSAGov. Lots of love”, Snowden tweeted. The NSA has steadfastly declined to comment on whether it has been the victim of a security breach. Dick Clarke – a former White House counterterrorism adviser, a cybersecurity expert and an ABC News consultant – said, “You can bet the NSA is trying to figure out whether or not this is legitimate”.
The leaked malware reveals encryption techniques that are identical to those employed by the Equation Group, which indicates they probably came from the same source, according to Kaspersky. The same targets would presumably be at the top of a list of USA intelligence priorities. The main suspect is the Russian Federation, and it’s not clear if the hackers broke into the secure NSA computer network or, perhaps more likely, a TAO employee left the tool kit on an unsecured intermediary server being used in a hacking operation. Between 15-16 August, users visiting the agency’s website were greeted by the live homepage; however almost every other link was met with an error message.


Endwall 09/03/2016 (Sat) 22:57:18 [Preview] No. 531 del
We want GCHQ-style spy powers to hack cybercrims, say police
http://opensources.info/we-want-gchq-style-spy-powers-to-hack-cybercrims-say-police/
Sep 2, 2016
Why catch crooks when you can DDoS them from the nick?
Traditional law enforcement techniques are incapable of tackling the rise of cybercrime, according to a panel of experts gathered to discuss the issue at the Chartered Institute of IT. Last night more than a hundred IT professionals and academics, including representatives of the National Crime Agency and Sir David Omand, the former director of GCHQ, discussed what they saw as the necessity of the police acting more like intelligence agencies and “disrupting” cybercriminals where other methods of law enforcement failed.
The perpetrators of cybercrime are often not only overseas, but in hard-to-reach jurisdictions. Evgeniy Bogachev, the Russian national who created the GameOver Zeus trojan, for instance, currently has a $3m bounty on his capture – but Russia does not want to hand him over to the US. In such situations, when arrests are not possible, disrupting criminal activities “may be the only response” suggested Sir David Omand, adding that “the experts in disruption are in the intelligence community.”
Technical disruption, as the NCA practices it, can involve sinkholing, getting hold of the domains used by malware to communicate and so breaking its command and control network. Paul Edmunds, the head of technology at the NCA’s National Cyber Crime Unit, explained how Operation Bluebonnet took aim at the Dridex banking trojan, but said that sinkholing it and organising arrests required a concerted international effort – one that may need to be repeated with the “up-and-coming” exploit kit Rig. Disruption as an intelligence agency technique, however, is a much more proactive and engaged activity. A Snowden-provided document covering the activities of GCHQ’s Joint Threat Research Intelligence Group (JTRIG) showed active “disruption” targeted at those flogging malware. The attacks included providing false resources and denial of service attacks.
Six users of the Lizard Stresser DDoS-for-hire tool were arrested by the NCA last year – when the agency’s average age for arrests dropped from 24 to 17 – and the agency was surprised when it discovered its users were all very young and male, as NCA officer Zulfikar Moledina explained to those attending. When the NCA tackled the use of the Blackshades remote access trojan last year, it had 750 suspects who had used it. It sent 350 emails warning downloaders, 200 “influence letters”, and 99 cease and desist notifications. 21 individuals were arrested; among those who bought the RAT was a 12-year-old boy. In response to this demographic shift, the NCA launched a “Prevent” campaign last year – sharing a name, if not policy, with the controversial counter-extremist strategy – targeting the parents of 12-15 year old boys whose web hi-jinks could potentially progress towards serious cybercrime.
Disrupting real offenders and providing guidance to potential offenders – encouraging them to engage in more productive activities – must be part of a more considered response to cybercrime, the panel considered. Professor Gloria Laycock OBE, the founding director of the Jill Dando Institute of Crime Science at UCL, explained the model for dealing with meatspace crime and how that could be applied to cybercrime. According to an attrition table on crime rates published by the Home Office, for every 100 crimes committed only 50 are reported to police, even fewer of those reports are recorded and a mere two per cent of crimes are successfully prosecuted. Laycock said that while a means of punishment and retribution is necessary, this showed that “you cannot control crime through the criminal justice system.” Instead, there are five ways to reduce crime: increase the effort criminals need to apply to commit the crime successfully; increase the risks criminals need to take; reduce the rewards of criminal activity; remove the excuses for it; and reduce provocation.
When it comes to cybercrime, the questions that persisted were whether it could be designed out of the systems we use, and if not whether it was possible to better educate the public. To what extent police need the security and intelligence agencies’ powers to deal with cybercrime was a strongly recurring theme as well.


Endwall 09/03/2016 (Sat) 22:59:05 [Preview] No. 532 del
Bill Clinton Staffer’s Email Was Breached on Hillary's Private Server, FBI Says
https://www.wired.com/2016/09/fbi-says-bill-clinton-staffers-email-breached-private-server/
Since it came to light that Hillary Clinton ran a private email server during her time as Secretary of State, that computer’s security has become a subject of controversy among politicos whose only notion of a “server” until recently was a waiter carrying canapés at a fundraising dinner. But now the FBI has released the first hint that Clinton’s private server may have been compromised by hackers, albeit only to access the email of one of former president Bill Clinton’s staffers. And though there’s no evidence the breach went further, it’s sure to offer new fodder to critics of Clinton’s handling of classified data. On Friday afternoon, the FBI released a new set of documents from its now-concluded investigation into Clinton’s private email server controversy. The 60-page report includes a description of what sounds like an actual hacker compromise of one of Bill Clinton’s staffers. It describes that in early January 2013, someone accessed the email account of one of his female employees, whose name is redacted from the report. The unnamed hacker apparently used the anonymity software Tor to browse through this staffer’s messages and attachments. The FBI wasn’t able to determine how the hacker would have obtained the her username and password to access her account, which was also hosted on the same private server used by then-Secretary of State Clinton.“The FBI’s review of available…web logs showed scanning attempts from external IP addresses over the course of [IT manager Bryan] Pagliano’s administration of the server, only one appears to have resulted in a successful compromise of an email account on the server,” the report reads. 
“Three IP addresses matching known Tor exit nodes were observed accessing an e-mail account on the Pagliano Server believed to belong to President Clinton staffer [redacted].” In a press conference in July, FBI director James Comey said that how presidential candidate Clinton mishandled classified documents stored in emails on that private server didn’t warrant criminal charges, but nonetheless called her behavior “extremely careless.” And the FBI’s investigation did, in fact, turn up dozens of email chains that contained classified documents, including eight whose contents were “top secret.” The FBI could find no evidence that any of those classified documents had been compromised, but also cautioned that it might lack the forensic records to know if they had been. The compromise of a Bill Clinton staffer—who almost certainly had no access to any of then-Secretary Clinton’s classified material—doesn’t make the security of those classified documents any clearer. But it will no doubt be seized on by the Clintons’ political opponents to raise more questions about their server’s security. “Clinton’s reckless conduct and dishonest attempts to avoid accountability show she cannot be trusted with the presidency and its chief obligation as commander-in-chief of the U.S. armed forces,” wrote Donald Trump campaign communications staffer Jason Miller in response to the FBI’s release of more documents from its investigation. The Clinton campaign didn’t immediately respond to a request for comment. Though the single-user email breach doesn’t indicate any inherent vulnerability in the Clintons’ server, it does show a lack of attention to its access logs, says Dave Aitel, a former NSA security analyst and founder of security firm Immunity. “They weren’t auditing and restricting IP addresses accessing the server,” Aitel says. 
“That’s annoying and difficult when your user is the Secretary of State and traveling all around the world…But if she’s in Russia and I see a login from Afghanistan, I’d say that’s not right, and I’d take some intrusion detection action. That’s not the level this team was at.” Since it first came to light, the security community has roundly criticized Clinton for the reckless move of hosting her own email outside of scrutiny of federal government security efforts like those at the NSA. But often overlooked in Clinton’s email scandal, however, is the fact that the official State Department IT systems have suffered terrible breaches of their own. In 2014 and 2015, hackers believed to be based in Russia accessed State unclassified email systems so thoroughly that in November of 2014, the Department’s security staff were forced to take the email servers offline to try to root out the hackers. On Clinton’s private server, other than that single staffer’s compromised account, the FBI’s report notes only multiple hacking attempts in the form of “brute force” guessing of login credentials. Those attempts increased when the existence of the server was exposed by the New York Times in the spring of last year. But none of the recorded attempts seem to have succeeded. At one point, the FBI record notes, Clinton did receive an email containing a malicious link, sent from the apparently hijacked or spoofed personal account of a State Department staffer. Clinton responded, “Is this really from you? I was worried about opening it!” But the FBI found no evidence of malware on Clinton’s server or any of her personal devices. For all her security snafus, give Clinton this much credit: she can at least spot a phishing email when she sees it.
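Dave Aitel's point about auditing and restricting the IP addresses that log in, turned into a small detection pass over constructed web-log lines (an added example, not code from the article or from anyone it describes): it flags successful logins from a listed Tor exit node, logins that imply impossible travel between countries, and repeated failures from one address. The exit-node list, the GeoIP prefix table and the log format are all constructed stand-ins.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for a known-Tor-exit-node feed (not real exit addresses).
TOR_EXIT_NODES = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
GEO_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "AF",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

# Constructed sample log, format: "<ISO timestamp> <user> <source ip> <OK|FAIL>".
SAMPLE_LOG = [
    "2013-01-05T08:00:00 alice 192.0.2.5 OK",        # Russia
    "2013-01-05T09:30:00 alice 198.51.100.20 OK",    # Afghanistan 90 minutes later
    "2013-01-05T10:00:00 bob 203.0.113.10 OK",       # listed Tor exit node
    "2013-01-05T10:05:00 bob 203.0.113.11 FAIL",
    "2013-01-05T22:00:00 alice 198.51.100.21 OK",    # still Afghanistan, no alert
    "2013-01-06T01:00:00 bob 192.0.2.99 FAIL",
    "2013-01-06T01:00:05 bob 192.0.2.99 FAIL",
    "2013-01-06T01:00:09 bob 192.0.2.99 FAIL",       # third failure from one address
]


def country_for(ip):
    """Resolve a source address to a country code via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result}


def audit_logins(lines, min_hours_between_countries=6, fail_threshold=3):
    """Return (user, ip, reason) findings, in log order.

    Reasons: 'tor-exit' for a successful login from a listed exit node;
    'impossible-travel A->B' when a user's successive successful logins come from
    different countries closer together than min_hours_between_countries; and
    'brute-force N failures' the moment one address reaches fail_threshold failures.
    """
    findings = []
    last_ok = {}        # user -> (timestamp, country) of the previous successful login
    failures = {}       # source ip -> failed login count
    for line in lines:
        rec = parse_line(line)
        if rec["result"] != "OK":
            failures[rec["ip"]] = failures.get(rec["ip"], 0) + 1
            if failures[rec["ip"]] == fail_threshold:
                findings.append((rec["user"], rec["ip"], f"brute-force {fail_threshold} failures"))
            continue
        cc = country_for(rec["ip"])
        if rec["ip"] in TOR_EXIT_NODES:
            findings.append((rec["user"], rec["ip"], "tor-exit"))
        prev = last_ok.get(rec["user"])
        if prev is not None:
            prev_ts, prev_cc = prev
            if prev_cc != cc and rec["ts"] - prev_ts < timedelta(hours=min_hours_between_countries):
                findings.append((rec["user"], rec["ip"], f"impossible-travel {prev_cc}->{cc}"))
        last_ok[rec["user"]] = (rec["ts"], cc)
    return findings


if __name__ == "__main__":
    for user, ip, reason in audit_logins(SAMPLE_LOG):
        print(f"{user:6} {ip:15} {reason}")
```

A real deployment would swap the two constructed tables for a live exit-node feed and a GeoIP database, and would feed findings into whatever alerting the server already has; the logic is the same.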


Endwall 09/03/2016 (Sat) 22:59:56 [Preview] No. 533 del
A mystery user breached an email account on Clinton's server
http://www.arnnet.com.au/article/606234/mystery-user-breached-an-email-account-clinton-server/
The unknown user browsed email folders and attachments, the FBI says in newly released documents
In 2013, an unknown user accessed an email account on Hillary Clinton’s private email server through Tor, the anonymous web surfing tool, according to new FBI documents. On Friday, the FBI provided details on the possible breach in newly released files about its investigation of Clinton’s use of a private email server when she was the U.S. secretary of state. The affected email account belonged to a member of Bill Clinton's staff. In January 2013, an unknown user managed to log in to the account and browse email folders and attachments. The FBI later interviewed the staffer, who said she had never used Tor. The tool is popular among hackers, journalists and activists to help mask their online presence. The agency’s investigation so far hasn’t found the actor responsible or how the login credentials were obtained. The FBI has said Clinton was “extremely careless” in her use of the server, but in a July report, the agency didn’t recommend bringing charges against her. The new documents released on Friday said the FBI found no evidence confirming that Clinton’s email server system was ever compromised. Still, the agency said that the server had faced ongoing threats from possible hackers, including phishing email attacks and failed login attempts. Bryan Pagliano, a Clinton aide who helped administer the server, was interviewed in the FBI’s investigation. Although Pagliano said there were no security breaches, there were many failed login attempts, or “brute force attacks,” according to the FBI documents. At one point, “Pagliano recalled finding ‘a virus,’ but could provide no additional details, other than it was nothing of great concern,” the FBI said. The agency also found “multiple occurrences” of phishing attacks against Clinton’s email account. In July, FBI director James Comey said it’s impossible to rule out that Clinton’s server could have been hacked.


Endwall 09/03/2016 (Sat) 23:02:50 [Preview] No. 534 del
'Ultra secure' Turing Phone plagued by shaky security claims
http://www.zdnet.com/article/ultra-secure-turing-phone-plagued-by-shaky-security-claims/
By Zack Whittaker for Zero Day | September 2, 2016 -- 22:15 GMT (23:15 BST) | Topic: Security
It's the "ultra-secure smartphone" claim that Turing chief executive Steve Chao desperately tried to claw back. "We're a fashion technology company," said Chao on the phone a few weeks ago. "Seldom do we get people talking about security. I wouldn't brand Turing Phone as a 'secure' phone... it's more a fashion tech phone," he said. It was a fairly swift, unexpected turnaround from what the company touts as hacker-resistant and "ultra secure". Chao didn't deny the phone has "groundbreaking security", but his backtrack seemed to raise more questions than Chao had answers. The long-awaited Turing Phone was first slated as an unbreakable, security-heavy smartphone that's able to withstand the greatest of malware, hackers, and nation states attackers. But that illusion quickly unraveled. We got our hands on the long-awaited smartphone, dogged by delays and setbacks, in part because of a switch from Android to the lesser-known Sailfish OS. Yet, after a detailed and examined look, the device is yet another device in a long list of "secure" smartphones from a company, which nobody's ever heard of, touting theoretical security and unproven privacy. The phone's flagship feature, a hardware encryption chip, dubbed the Turing Imitation Key, encrypts the Turing Phone, and it lets a device owner communicate securely through end-to-end encryption, said Chao. "When you initiate a communication, the other user's private key is generated by the chip," he said. That means every email, text message, and VoIP call to another Turing Phone will be encrypted, without having to rely on a third-party key server. If you want to communicate with someone who doesn't have a Turing Phone, you have to rely on a third-party app.
Security going south? There are a few things about this "secure" smartphone that don't add up. Chao said the cryptography used in the phone's end-to-end encryption is semi-proprietary. "It's our own algorithm," said Chao. Making it worse, the encryption is closed-source, so it can't be inspected -- though, Chao said that would change down the line. He said that the cryptography had been "inspected by experts", but he declined to name them or say what conclusions they came to, making it impossible to verify the integrity of the encryption. Ask anyone in security about "proprietary encryption", and they'll tell you it's an immediate security red flag. Some of the most trusted algorithms have been around for decades. New algorithms haven't been inspected. And "closed-source" is another red flag, as it makes it impossible to know how good the code is, or if there were any backdoors added during the process. Not having the code open to scrutiny by the community means we have no basis of trust for it. Justin Troutman, an independent cryptographer, told me he had concerns about the company's security approach. "I remember taking a look at their former QSAlpha Quasar device, and while I generally like the software and hardware approach of securing mobile devices, three fundamental problems remain, just as they did back then," he said. "Firstly, they're using something proprietary," he said, describing the cryptography. "We can't independently and openly inspect [the crypto]," and, "we have no knowledge of who [the company is] and their ability to design cryptographic primitives". But it gets worse. Chao said that the private key, which is the basis for scrambling data on the phone, is created by a master private key. That key, Chao said, generated five million keys -- far more keys than the company expects it may ever need. The company has over 1,000 devices shipped as of July, out of a total of 10,000 devices manufactured in the first batch.
Once the keys were created, the company "made the decision to destroy" the key, Chao said. I asked if the company kept the key. "We don't have access to the master private key," he said. "Not even we have access to the user's data," which is stored in its datacenter in Finland, where the company is now headquartered. "How do we know you destroyed the key?" I asked. "Well, there's no way to guarantee that," he said. "Although, we say so. But knowing that we're a private business, even if we go public one day, we're still a business -- not a government agency," said Chao. "That we know of," I said, half-joking. Troutman also expressed concerns that users have to take "their word that this master key is being destroyed". It turns out these aren't even new complaints. Cast your mind back three years ago, when the Turing Phone was the first edition of the futuristic Quasar IV. The phone had some promise and appeared to be a good concept -- with similarities drawn between BlackBerry devices. But after a detailed analysis, it was slated to look like "snake oil" by Ars Technica in a review from 2013. The phone itself has promise. But the core of the device is built on sketchy security and poorly thought-out principles. The company didn't learn from the mistakes the first time, and that's troubling if the phone is effectively a repackaged and rebranded phone with "ultra secure" slapped on its side. It's tough to reserve judgment when a company promises state-of-the-art and custom security at such a high price. But for anyone looking for an all-in-one security solution, there are far better alternatives that are tried and tested -- and a lot cheaper.


Endwall 09/03/2016 (Sat) 23:04:40 [Preview] No. 535 del
Feds pin brazen kernel.org intrusion on 27-year-old programmer
Indictment comes five years after mysterious breach of the Linux repository.
http://arstechnica.com/tech-policy/2016/09/feds-pin-brazen-kernel-org-intrusion-on-27-year-old-programmer/
Dan Goodin - Sep 2, 2016 9:20 pm UTC
In August 2011, multiple servers used to maintain and distribute the Linux operating system kernel were infected with malware that gave an unknown intruder almost unfettered access. Earlier this week, the five-year-old breach investigation got its first big break when federal prosecutors unsealed an indictment accusing a South Florida computer programmer of carrying out the attack. Donald Ryan Austin, 27, of El Portal, Florida, used login credentials belonging to a Linux Kernel Organization system administrator to install a hard-to-detect backdoor on servers belonging to the organization, according to the document that was unsealed on Monday. The breach was significant because the group manages the network and the website that maintain and distribute the open source OS that's used by millions of corporate and government networks around the world. One of Austin's motives for the intrusion, prosecutors allege, was to "gain access to the software distributed through the www.kernel.org website." The indictment refers to kernel.org officials P.A. and J.H., who are presumed to be Linux kernel developer H. Peter Anvin and kernel.org Chief System Administrator John "Warthog9" Hawley, respectively. It went on to say that Austin used the credentials to install a class of extremely hard-to-detect malware known as a rootkit and a Trojan that logs the credentials of authorized users who use the secure shell protocol to access an infected computer. According to the indictment: The defendant, DONALD RYAN AUSTIN ("AUSTIN"), used credentials belonging to an individual, J.H., to gain unauthorized access to servers belonging to the Linux Foundation, the Linux Kernel Organization, and P.A. AUSTIN installed the Phalanx rootkit and Ebury Trojan on several of those servers, causing damage without authorization.
AUSTIN also used the unauthorized administrative privileges to make other changes to the servers, such as inserting messages that would automatically display when the servers restarted. One of AUSTIN's goals was to gain access to the software distributed through the www.kernel.org website. Prosecutors went on to say Austin infected Linux servers known as "Odin1," "Zeus1," and "Pub3," which were all leased by the Linux Foundation and used to operate kernel.org. The infections started around August 13, 2011 and continued until around September 1 of that year. Austin also stands accused of infecting a personal e-mail server belonging to Anvin during the same dates. There was no mention of "Hera," a kernel.org server that Linux Kernel officials say had been rooted when they disclosed bare-bones details of the breach shortly after it occurred. Kernel.org was offline for more than a month following the intrusion while the affected servers were rebuilt. According to a Justice Department release, Austin was arrested by Miami Shores Police on Sunday following a traffic stop. The federal indictment was filed in June and was unsealed only after he was taken into custody. He was freed on $50,000 bond provided by the family of his girlfriend. He has been ordered to stay away from computers, the Internet, and any type of social media or e-mail. Court documents said he "may pose a risk of danger" because of a "substance abuse history." He is scheduled to appear in San Francisco federal court on September 22. The indictment raises almost as many questions as it answers. Given that Linux is freely available, it's not clear what kernel.org-distributed software Austin hoped to obtain when he allegedly breached the site. Also noticeably absent is any explanation of how Austin initially obtained Hawley's credentials to gain unauthorized access, as prosecutors allege. 
There's also no detail about the messages that Austin allegedly caused to be displayed when the infected servers were restarted. What's more, there's little information about Austin, who was just 22 years old when the breach occurred. No record exists of anyone named "Donald Ryan Austin" doing public Linux development or contributing to the Linux Kernel Mailing List. Attempts to reach Austin didn't succeed. Last, why prosecutors took five years to indict the suspect also remains a mystery. Officials from kernel.org pledged to provide a full autopsy of the breach shortly after it occurred. They never made good on that promise and declined to comment for this post. In the past, they have said they were confident the 2011 breach didn't result in any malicious changes being made to Linux source code. The intrusion may be the work of someone motivated by a grudge, the challenge of pulling it off, or some other personal motive. But it's not every day that someone gets three weeks of root access to the gateway to one of the world's most widely used operating systems. Until we know more about how and why this breach happened, we should push prosecutors and Linux officials for answers.


Endwall 09/03/2016 (Sat) 23:06:48 [Preview] No. 536 del
We Are Change
FBI REPORT: TOR USER BREACHED HILLARY’S SERVER
http://wearechange.org/fbi-report-tor-user-breached-hillarys-server/
Aaron Kesel | Sep 2, 2016
According to the FBI’s released notes on Hillary Clinton and her server, a Tor user breached Hillary’s server shortly before she left as Secretary Of State just one month prior. This marks the first confirmed incident that Hillary Clinton’s server was indeed breached by an individual — something that Hillary strongly denied. In the section titled “cyber targeting” of Clinton’s “personal E-mail and Associated Accounts” there are multiple notes about possible hack attacks along with one documented case where another user of Hillary’s private server had their email account breached. The FBI’s review of server logs revealed that someone accessed an email account on Jan. 5, 2013, using Tor “exit nodes.” Three different IP addresses were used in order to conceal the user’s identity. The owner of the account was redacted but their quote was left – “I’m not familiar with nor have I ever used Tor software,” the anonymous person said. Tor is software that was developed under the U.S. Navy for secure communications. Today, Tor is used to circumvent censorship by governments and oppressive regimes. Tor is used by journalists and activists to conceal their identity, communicate and surf the Web without interference. Tor is also used for illegal activities such as funding terrorism, buying/viewing child pornography, buying/selling drugs, and buying/selling unregistered firearms. Tor’s biggest darkweb market place, Silk Road, was taken down in 2013 when the FBI raided and arrested its owner. Since then, many copycats have emerged with the same result of eventually being either shut down or raided. It was revealed today that a remote desktop used for remote server access was turned on by a Clinton aide, which is highly vulnerable and susceptible to hack attacks, to say the least (and “Extremely careless”).
Earlier in the year we had learned that a Clinton staffer turned off the firewall to try to fix the connection problems Hillary was having between her insecure private server and the State Department’s secure server. This left her server open to hackers for weeks before the firewall was finally turned back on. Hillary herself instructed aides to remove classified markings and send classified materials insecurely. It’s also noted in the FBI’s findings report that Hillary’s e-mail accounts were targeted in multiple “spear phishing” attacks. The FBI noted an e-mail sent to Clinton “contained a potentially malicious link.” Hilariously, the link Hillary clicked was for porn. “Open source information indicated, if opened, the targeted user’s device may have been infected, and information would have been sent to at least three computers overseas, including one in Russia.” ~The FBI, notes on Hillary Clinton state. Mrs. Clinton has encountered far too many resolvable security issues and handled them in an irresponsible and reckless manner. Many people have been asking themselves, “Is this the woman we are going to choose as the next president to lead us into the 21st century?”. Not only is she “extremely careless”, but the extremity of that carelessness leads to suspicion of whether or not this was deliberate. Of course, we at We Are Change, having followed the course of this election in full, are 100% confident we know the answer to that question based on extensive analysis of the timeline of events in which this took place. Time and time again, Hillary has been exposed for corrupt activity. Whether it be using her non-taxed charity organization as a front for illegal political activities and arms deals, or deliberately infiltrating and corrupting the DNC in order to manipulate the election, it’s all tied together in the emails. The mere fact that she had persistently neglected security measures should eliminate general consideration for electing her to be President.
“When asked what the parenthetical ‘C’ meant before a paragraph … Clinton stated she did not know and could only speculate it was referencing paragraphs marked in alphabetical order,” the FBI wrote in a highly-filtered FBI interview summary released on Friday. Hmm, perhaps that has something to do with her not taking the required training any Secretary of State must go through in order to learn the procedures of handling classified data. The use of slang to circumvent any incriminating statements is obvious. Hillary’s entire defense against the charges has been claiming ignorance of handling classified data. The intent to disguise the transfer of classified information blows her defense out of the water.


Endwall 09/03/2016 (Sat) 23:08:10 [Preview] No. 537 del
Security Affairs
Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data
http://securityaffairs.co/wordpress/50873/hacktivism/anti-armenia-team.html
September 3, 2016 By Pierluigi Paganini
Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data and passport details of foreign visitors to Armenia. A group of Azerbaijani hacktivists has leaked the passport details of foreign visitors to Armenia. The data breach exposed the internal resources of the Security Service (SNS) that are involved in the process of updating information about passports of foreign passports. The hackers breached Armenian government servers stealing sensitive data, including passport scans. Intelligence experts who analyzed the data leaks confirmed their authenticity. The Anti-Armenia Team took credit for a series of data leaks that the hackers claim were stolen from servers of the Armenian national security ministry. “We would like to notice that Anti – Armenia team is an independent group, who is active for five years and repeatedly makes anxious Armenian side by its cyber attacks,” the group explained to El Reg. Armenia and Azerbaijan are neighbouring countries that engaged in a war over the disputed Nagorno-Karabakh region between 1988 and 1994. There is great tension between the two countries; in April, the Azerbaijani army tried to regain control of the Nagorno-Karabakh Republic, but the battle caused the death of 350 people.
A source that has spoken to El Reg on condition of anonymity told El Reg the leaked information is more likely to have come from an insider, excluding that the alleged Anti–Armenia team has hacked into Armenian government systems. “I am familiar with the incident, and [can] confirm, that such attacks really happened, and the documents are legitimate and not fake,” the source told El Reg. “I have more confidence that one of their employees having access to it has been compromised and technical border control service is a part of SNS (Security Service), that’s why there is such overlap, and the documents could be stolen from particular person, and not ‘systems’, like they claim.”


Endwall 09/03/2016 (Sat) 23:08:53 [Preview] No. 538 del
Details of BTC-E and BitcoinTalk breach revealed
http://www.ehackingnews.com/2016/09/details-of-btc-e-and-bitcointalk-breach.html
Saturday, September 03, 2016
Data breach monitoring service LeakedSource revealed on Friday (September 03) that leading cryptocurrency exchange BTC-E.com and largest bitcoin discussion forum Bitcointalk.org suffered major hacks in 2014 and 2015 respectively. LeakedSource, which is a great source for leaked passwords and accounts, has reported that 499,593 user details of Bitcointalk.org were actually stolen in May 2015, which comprised "usernames, emails, passwords, birthdays, secret questions, hashed secret answers and some other internal data." It confirmed that 91% were hashed with sha256crypt, which would take a year to crack around 60-70% of them. The remaining 9% were hashed with MD5 and a unique salt, and LeakedSource has cracked around 68% of them. In the BTC-E.com hack, 568,355 accounts had been compromised in October 2014. “They [BTC-E.com] used some unknown password hashing method which currently makes their passwords completely uncrackable although that may change. This is good because if the passwords were easy to crack, hackers could log into the exchange and start stealing members' Bitcoins”, LeakedSource said. The BTC-E.com hack is more serious since wallets could be accessed and bitcoins stolen. LeakedSource says it hasn't yet seen any news about stolen BTC-E customers losing their coins. The presence of two hash types suggests they changed their password storage mechanism at some point. Meanwhile, the company also disclosed that 43 million account details were stolen from music site Last.fm in 2012. Last.fm was hacked on March 22nd 2012 for a total of 43,570,999 users, which is becoming public like all others. The site said that the most commonly used password on Last.fm is the shockingly common ‘123456’, followed by 'password' and 'last.fm'. LeakedSource is processing enough additional databases to publish one per day for several years.


Endwall 09/03/2016 (Sat) 23:10:45 [Preview] No. 539 del
Mission Impossible? FBI wants to be cool enough to recruit hackers
http://www.ibtimes.co.uk/mission-impossible-fbi-wants-be-cool-enough-recruit-hackers-1579480
FBI director James Comey said that the agency is looking to 'steal people' from the private sector.
By India Ashok September 3, 2016 10:02 BST
After a series of high-profile cyberattacks against individuals and organisations in the US, the FBI is increasing its efforts to combat cybercrime, including adopting a new approach to recruiting hackers. The agency has had long-standing issues attracting people from the hacking community to work for them, over staying independent or working in the private sector. But, in a recent speech, FBI director James Comey said the agency is now "working very hard" to "be a whole lot cooler than you may think we are", in efforts to get people with cyberattack and cyberdefence skills to work for them. Comey said that the FBI is looking to staff its cyberattack response teams, specifically the Cyber Threat Team and the Cyber Act Team (CAT) – which he called the "fly team" – who are deployed "at a moment's notice" to provide on-location support during investigations. "We are not to bean bags and granola and a lot of white boards yet," Comey said at the Symantec Government Symposium. "But we're working very hard at marching in that direction, so that when this talent comes into our organisation we are open to having them make us better – in a way that connects us and them to our mission more closely." Comey also said that the agency was working on doing "a better job" to "steal people" that the private sector was looking to hire "to work at the FBI". According to a report by the Washington Post, the FBI has had limited success in recruiting hackers, despite its outreach at high-profile cyber events such as DefCon and Black Hat. Reports speculate that the FBI's much-publicised encryption battle with tech giant Apple and its alleged use of privacy-infringing surveillance techniques, revealed by whistleblower Edward Snowden, may have adversely affected the agency's recruitment efforts.
Who is the typical FBI cyberagent?
In his speech, Comey explained that the FBI recognises the challenges in hiring qualified people. He pointed out that finding people skilled in IT, who are also able to "run, fight, and shoot", is the major challenge. Additionally, Comey said that the agents they're looking to hire need to have integrity, "which is non-negotiable". Comey acknowledged that those three "buckets of attributes" are "rare to find in the same human being in nature". In the wake of the growing and imminent threat of digital crimes, the FBI now appears to be grappling with the ability to come to terms with the changing times. "We're leaving our mind open to the fact that we've never faced a transformation like the digital transformation, and so the FBI wanted to be open to being different in the way we think about our people. Lots more to come there," Comey added. However, it remains to be seen if the FBI's new approach to be "more open" and "cooler" will be successful in luring talented hackers from choosing government work over the perks offered by the private sector. As Comey's daughter put it, "Dad, the problem is you're 'The Man'," she said. "Who would want to work for 'The Man?'"


Endwall 09/03/2016 (Sat) 23:12:04 [Preview] No. 540 del
Putin on DNC hack: 'Does it even matter who hacked this data?'
http://www.ibtimes.co.uk/putin-dnc-hack-does-it-even-matter-who-hacked-this-data-1579465
By India Ashok September 3, 2016 07:56 BST
Russian President Vladimir Putin deemed the cyberattack on the Democratic National Committee (DNC) a public service. The attack saw hackers stealing thousands of emails from the DNC, which were later leaked by the whistleblowing platform WikiLeaks, just days before US Democratic presidential candidate Hillary Clinton's nomination was announced. Putin, however, asserted that Russia had no hand in the DNC hack. "Listen, does it even matter who hacked this data?'' Putin said in an interview, Bloomberg reported. "The important thing is the content that was given to the public. There's no need to distract the public's attention from the essence of the problem by raising some minor issues connected with the search for who did it. But I want to tell you again, I don't know anything about it, and on a state level Russia has never done this." Several cybersecurity firms, including CrowdStrike, Fidelis Security and FireEye's Mandiant have concluded that the malware used in the DNC breach was linked to Russian intelligence services. Additionally, US officials have also accused Russia of having a hand in the hacking, in efforts to influence the US elections. However, Kremlin officials have categorically denied any knowledge of the attacks. Following Putin's comments, the Clinton campaign hit back, accusing the Russian president of endorsing disruptions of the US elections by characterising the cyberattack as a public service. "Unsurprisingly, Putin has joined Trump in cheering foreign interference in the U.S. election that is clearly designed to inflict political damage on Hillary Clinton and Democrats," said Jesse Lehrich, spokesperson for the Clinton campaign. "This is a national security issue and every American deserves answers about potential collusion between Trump campaign associates and the Kremlin." The cyberattacks against the US have since accelerated with further indications of Russia-based hackers launching attacks.
In late August, CrowdStrike reported about Washington-based think tanks focusing on researching Russia being targeted by hackers. According to CrowdStrike, the hacker group believed to be affiliated to Russia's Federal Security Service, Cozy Bear or APT29, was behind the breaches. Putin, however, claimed that even if Russia desired to influence the US elections, it did not necessarily comprehend the nuances of US politics to successfully do so. "To do that you need to have a finger on the pulse and get the specifics of the domestic political life of the U.S.," he said. "I'm not sure that even our Foreign Ministry experts are sensitive enough." Putin also said that given the level of sophistication of the current crop of cybercriminals, it would be nearly impossible to accurately attribute the attacks. "You know how many hackers there are today?" Putin said. "They act so delicately and precisely that they can leave their mark — or even the mark of others — at the necessary time and place, camouflaging their activities as that of other hackers from other territories or countries. It's an extremely difficult thing to check, if it's even possible to check. At any rate, we definitely don't do this at a state level." Hillary Clinton recently said that if elected, she would like the US to "lead the world in setting the rules in cyberspace," adding that under her regime, the US would treat cyberattacks "just like any other attack", indicating the use of military action in response to such attacks.


Endwall 09/03/2016 (Sat) 23:14:24 [Preview] No. 541 del
USBee Malware Turns Regular USB Connectors into Data-Stealing Weapons
http://www.itsecuritynews.info/usbee-malware-turns-regular-usb-connectors-into-data-stealing-weapons/
3. September 2016 Researchers from the Ben-Gurion University in Israel have discovered a novel method of using USB connectors to steal data from air-gapped computers without the need for special radio-transmitting hardware mounted on the USB. Their attack scenario relies on infecting a computer with malware they’ve created called USBee. An NSA cyber-weapon inspired the research. Researchers said that NSA cyber-weapons inspired their research, namely the COTTONMOUTH hardware implant included in a catalog of NSA hacking tools leaked by Edward Snowden via the German newspaper Der Spiegel. USBee is superior to COTTONMOUTH because it does not need an NSA agent to smuggle a modified USB connector/dongle/thu […]


Endwall 09/03/2016 (Sat) 23:19:57 [Preview] No. 542 del
Security Affairs
Hacker Interviews – The Riddler, the founder of the BinarySec Group
http://securityaffairs.co/wordpress/50886/hacking/hacker-interviews-binarysec.html
September 3, 2016 By Pierluigi Paganini
Today I present to you the Riddler, aka Binary, the founder of the BinarySec group, a hacker collective focused on the fight against ISIS propaganda online.
You are a popular, talented hacker who has already participated in several hacking campaigns. Could you tell me more about it? Could you tell me what your technical background is and when you started hacking?
All of our members come from many different backgrounds. A few of our members are just an “average joe” who has picked up hacking in their spare time, while other members actually do security and hacking for a living.
What is the technical background of your members?
My background is in IT. I started hacking about 8 years ago, and my motivation was actually looking at a website and thinking: how can I make this work for me without the owner knowing…
What was your greatest hacking challenge?
My greatest hacking challenge was about 4 years ago when I launched a hacking campaign called OpBangladesh with some old hacking buddies. We targeted Bangladeshi websites and proceeded to hack and deface them. By the time the campaign was over, 20+ Bangladeshi government websites were defaced and shelled.
What are the 4 tools that cannot be missed in the hacker’s arsenal, and why?
The 4 tools a hacker absolutely needs aren’t actually tools at all. They are curiosity, willingness to learn, perseverance, and a unique way of thinking; these 4 things can actually make or break any hacker.
Which are the most interesting hacking communities on the web today, and why?
As for me specifically, I couldn’t tell you about hacking communities because they have really diminished.
Did you participate in hacking attacks against the IS propaganda online? When? How? Where do you find IS people to hack? How do you choose your targets?
I personally did participate in the attacks against the IS propaganda online, and so did many of our members. We have been, and still currently are, taking down and removing their propaganda. As for the IS people we hack, we carefully check each and every suspicious person or submission to our website. If they are ruled to be an IS member or some other form of a terrorist organization, we attack accordingly. We exhaust every resource possible in efforts to shut down ISIS propaganda and recruitment online.
We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real?
I personally do believe that cyber attacks can pose a huge risk to critical infrastructure.


Endwall 09/03/2016 (Sat) 23:23:07 [Preview] No. 543 del
Spies Love People Who Use Smartphones Because They Are So Easy to Tap
http://www.matthewaid.com/post/149878162341/spies-love-people-who-use-smartphones-because-they
September 3, 2014
How Spy Tech Firms Let Governments See Everything on a Smartphone
Nicole Perlroth New York Times September 3, 2016
SAN FRANCISCO — Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device. Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government. Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry operate. The emails and documents were provided by two people who have had dealings with the NSO Group but would not be named for fear of reprisals. The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group’s corporate mission statement is “Make the world a safe place.” Ten people familiar with the company’s sales, who refused to be identified, said that the NSO Group has a strict internal vetting process to determine who it will sell to. An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies.
And to date, these people all said, NSO has yet to be denied an export license. But critics note that the company’s spyware has also been used to track journalists and human rights activists. “There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.” The NSO Group’s capabilities are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects. The NSO Group’s spyware finds ways around encryption by baiting targets to click unwittingly on texts containing malicious links or by exploiting previously undiscovered software flaws. It was taking advantage of three such flaws in Apple software — since fixed — when it was discovered by researchers last month. The cyberarms industry typified by the NSO Group operates in a legal gray area, and it is often left to the companies to decide how far they are willing to dig into a target’s personal life and what governments they will do business with. Israel has strict export controls for digital weaponry, but the country has never barred the sale of NSO Group technology. Since it is privately held, not much is known about the NSO Group’s finances, but its business is clearly growing. Two years ago, the NSO Group sold a controlling stake in its business to Francisco Partners, a private equity firm based in San Francisco, for $120 million.
Nearly a year later, Francisco Partners was exploring a sale of the company for 10 times that amount, according to two people approached by the firm but forbidden to speak about the discussions. The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013. “Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.” Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations. He declined to comment on whether the company would cease selling to the U.A.E. and Mexico after last week’s disclosures. For the last six years, the NSO Group’s main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones — including iPhones, Androids, and BlackBerry and Symbian systems — without leaving a trace. Among the Pegasus system’s capabilities, NSO Group contracts assert, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls “room tap” can gather sounds in and around the room, using the phone’s own microphone. Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone’s web browser. And all of the data can be sent back to the agency’s server in real time.
In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person. Much like a traditional software company, the NSO Group prices its surveillance tools by the number of targets, starting with a flat $500,000 installation fee. To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal. You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter. What that gets you, NSO Group documents say, is “unlimited access to a target’s mobile devices.” In short, the company says: You can “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.”


Endwall 09/04/2016 (Sun) 17:38:59 [Preview] No. 545 del
How Much Do We Know (Or Not Know) About Canadian Intelligence
http://www.matthewaid.com/post/149925768271/how-much-do-we-know-or-not-know-about-canadian
September 4, 2016
Victori H.S. Scott The Independent (Canada) August 16, 2016
Last year American whistle-blower Edward Snowden proclaimed that Canadian intelligence agencies have the “weakest oversight” in the Western world and compared the Canadian government’s Bill C-51 to George W. Bush’s post-9/11 U.S. Patriot Act. Canada became a surveillance state under the Stephen Harper Conservatives. In 2014, for example, it came to light that the Government Operations Centre was monitoring residents of Newfoundland and Labrador, including Indigenous Peoples, residents of the Island’s west coast who opposed fracking, and fishermen who were protesting shrimp quotas. This ongoing problem is further complicated by multiple transnational intelligence sharing agreements, in place since World War II, that remain largely unknown to the general public. Indeed, the rise of the surveillance state is a global phenomenon that cannot be separated from the rise of the internet. But in Canada, because of the lack of any credible oversight, it has played out in a very specific way. This has everything to do with what the Canadian public knows—and more importantly, does not know—about Canadian intelligence agencies. Canada’s new and highly invasive so-called anti-terror legislation came into force last year with the support of then-Opposition Leader Justin Trudeau and the Liberal caucus. The Trudeau Liberals knew that in order to win the election they would need to undo—or at least promise to undo—much of the damage done by their predecessors. They would have to address the alienation felt by Canadians from having a government that used national security as an excuse to trade away its citizens’ freedom and civil liberties. Unfortunately, they have yet to repeal or even reform Bill C-51, and recent terrorist attacks in Europe, the U.S., and here at home in Canada have provided the perfect backdrop against which to further delay the process.
On August 10, for example, Aaron Driver, a 24-year-old Canadian citizen who was allegedly plotting a terrorist attack in the southern Ontario town of Strathroy, died in a confrontation with police who were following up on a tip from the FBI. Recent terrorist attacks in Europe, the U.S., and here at home in Canada have provided the perfect backdrop against which to further delay the process [of reforming Bill C-51]...
Edited last time by Endwall on 09/04/2016 (Sun) 17:46:14.


Endwall 09/04/2016 (Sun) 17:49:47 [Preview] No. 546 del
Security Affairs
Dutch Police seized two servers of the VPN provider Perfect Privacy
September 4, 2016 By Pierluigi Paganini
http://securityaffairs.co/wordpress/50897/laws-and-regulations/perfect-privacy-seizures.htm
The Dutch Police has seized two servers belonging to Switzerland-based Virtual Private Network (VPN) provider Perfect Privacy, as part of an investigation.
Recently, two European countries, France and Germany, have declared war against encryption with the objective of forcing major technology companies to build encryption backdoors into their secure messaging services. The fight against cybercrime is a priority for every European government, and law enforcement agencies worldwide are joining their efforts to fight illegal activities online. Law enforcement bodies claim their investigations are hampered by the wide adoption of encryption by criminal organizations and ask their governments for more powers. The French and German governments call for a European decryption law: a joint press conference, “Franco-German initiative on internal security in Europe”, was held in Paris by Germany’s Interior Minister Thomas de Maizière and France’s Interior Minister Bernard Cazeneuve. They called on the European Commission to consider a possible new legislative act to force operators offering products or telecommunications services to decrypt messages or to remove illegal content for government investigators. A directive, if issued by the European Commission, is a kind of EU decryption law that must pass through the interpretation stage of the European Union’s member states to become national law across Europe. Meanwhile, at the international level, they also called for the signing and ratification of the Budapest Convention on Cybercrime. The Netherlands is another country that is adopting measures to counter cybercrime: recently the Dutch Police seized two servers belonging to Switzerland-based Virtual Private Network (VPN) provider Perfect Privacy, as part of an investigation. At the time of writing, the Dutch police had not provided further details about the seizures. The Perfect Privacy VPN provider informed its customers that two servers in Rotterdam were seized by the Dutch police on Thursday, August 24.
The Dutch authorities seized the company’s servers after requesting access from I3D with a subpoena that allowed them to seize the hardware. The Perfect Privacy provider confirmed the seizures and declared that it received the news about the law enforcement operation from I3D, the company that provides its server hosting in the Netherlands. “Today our hoster I3D informed us that the Dutch authorities have seized two servers from our location in Rotterdam. Currently we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster.” states the announcement from the Perfect Privacy VPN provider. “Since we are not logging any data there is currently no reason to believe that any user data was compromised.” VPNs are privileged tools that allow security experts, activists, and journalists to protect their privacy online; unfortunately, they are often abused also by crooks and black hat hackers. VPN service providers receive numerous requests from law enforcement agencies for support in their investigations, but in the majority of cases the companies do not collaborate. It is likely that this is what has happened to the Perfect Privacy VPN provider. In April, the Dutch Police seized the servers of the Ennetcom VPN provider, based in the Netherlands and Canada, to shut down its operations during a criminal investigation. In that case, the Dutch Police accused Ennetcom of helping criminal activities, including drug trafficking and assassinations. The I3D hosting provider offered two replacement servers to avoid problems for the VPN provider, and Perfect Privacy confirms that the company was back up and running the following day.


Endwall 09/04/2016 (Sun) 17:56:24 [Preview] No. 547 del
Transmission Bittorrent Client Download Was Compromised for 2 Days
http://7rmath4ro2of2a42.onion/article.pl?sid=16/09/04/0236201
posted by cmn32480 on Sunday September 04, @01:04PM
A. It appears that on or about August 28, 2016, unauthorized access was gained to our [TransmissionBT's] website server. The official Mac version of Transmission 2.92 was replaced with an unauthorized version that contained the OSX/Keydnap malware. The infected file was available for download somewhere between a few hours and less than a day. Additional information about the malware is available here and here.
A. The infected file was removed from the server immediately upon discovering its existence, which was less than 24 hours after the file was posted to the website. To help prevent future incidents, we have migrated the website and all binary files from our current servers to GitHub. Other services, which are currently unavailable, will be migrated to new servers in the coming days. As an added precaution, we will be hosting the binaries and the website (including checksums) in two separate repositories.


Endwall 09/04/2016 (Sun) 18:06:51 [Preview] No. 548 del
Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police
https://theintercept.com/2016/09/01/leaked-catalogue-reveals-a-vast-array-of-military-spy-gear-offered-to-u-s-police/
Sam Biddle 2016-09-01T20:31:32+00:00
A confidential, 120-page catalogue of spy equipment, originating from British defense firm Cobham and circulated to U.S. law enforcement, touts gear that can intercept wireless calls and text messages, locate people via their mobile phones, and jam cellular communications in a particular area. The catalogue was obtained by The Intercept as part of a large trove of documents originating within the Florida Department of Law Enforcement, where spokesperson Molly Best confirmed Cobham wares have been purchased but did not provide further information. The document provides a rare look at the wide range of electronic surveillance tactics used by police and militaries in the U.S. and abroad, offering equipment ranging from black boxes that can monitor an entire town’s cellular signals to microphones hidden in lighters and cameras hidden in trashcans. Markings date it to 2014. Cobham, recently cited among several major British firms exporting surveillance technology to oppressive regimes, has counted police in the United States among its clients, Cobham spokesperson Greg Caires confirmed. The company spun off its “Tactical Communications and Surveillance” business into “Domo Tactical Communications” earlier this year, selling the entity to another company and presumably shifting many of those clients into it. Caires declined to comment further on the catalogue obtained by The Intercept or confirm its authenticity, but said it “looked authentic” to him. “By design, these devices are indiscriminate and operate across a wide area where many people may be present,” said Richard Tynan, a technologist at Privacy International, of the gear in the Cobham catalogue. Such “indiscriminate surveillance systems that are not targeted in any way based on prior suspicion” are “the essence of mass surveillance,” he added. 
The national controversy over military-grade spy gear trickling down to local police has largely focused on the “Stingray,” a single type of cellular spy box manufactured by a single company, Harris Corp. But the menu of options available to domestic law enforcement is enormous and poorly understood, mostly because of efforts by both manufacturers and their police clientele to suppress information about their functionality and use. What little we know about Stingrays has often been the result of hard-fought FOIA lawsuits or courtroom disclosures by the government. When the Wall Street Journal began reporting on the use of the Stingray in 2011, the FBI declined to comment on the grounds that even discussing the device’s existence could jeopardize its usefulness. The effort to pry out details about the tool is ongoing; just this past April, the American Civil Liberties Union and Electronic Frontier Foundation prevailed in a federal court case, getting the government to admit it used a Stingray in Wisconsin. Unsurprisingly, the Cobham catalogue describes itself as “proprietary and confidential” and demands that it “must be returned upon request.” Information about Cobham’s own suite of Stingray-style boxes is almost nonexistent on the web. But starting far down on Page 105 of the catalogue is a section titled “Cellular Surveillance,” wherein the U.K.-based manufacturer of defense and intelligence-oriented hardware lays out all the small wonders it sells for spying on people’s private conversations, whether they’re in Baghdad or Baltimore:
The above page immediately stood out to ACLU attorney Nathan Wessler, who has made Stingray-like devices a major focus of his work for the civil liberties group.
Wessler said “the note at the top of the page about the ability to intercept calls and text messages (in addition to the ability to geo-locate phones)” is of particular interest, because “domestic law enforcement agencies generally say they don’t use that capability.” Also remarkable to Wessler is the claim that cellphone users can be “tracked to less than 1 [meter] of accuracy.” Tynan said Cobham’s cellular surveillance devices are, like the Stingray, standard “IMSI catchers,” deeply controversial equipment that can be used to create fake cellular networks and swallow up International Mobile Subscriber Identity fingerprints, calls, and texts. But he noted that such devices can operate on a vast scale: The Cobham devices in this catalogue are standard interception devices with the ability to masquerade as 1-4 base stations simultaneously. This would allow it to pretend to be 4 different operators or 4 base stations from the same operator or any combination. These specifications allow for the interception of up to 4 calls at a time. The operational distance of these devices would be around 1-2 KM for 3G and significantly greater for 2G devices. Devices of this type can typically acquire the unique identifiers of handsets at a rate of 200 per minute. Cobham also offers equipment capable of causing immense cellular blackouts and bulk data collection, including the “3G-N” — operated via laptop...


Endwall 09/04/2016 (Sun) 18:11:23 [Preview] No. 549 del
How Bitcoin Users Reclaim Their Privacy Through its Anonymous Sibling, Monero
http://7rmath4ro2of2a42.onion/article.pl?sid=16/09/03/1412225
http://www.nasdaq.com/article/how-bitcoin-users-reclaim-their-privacy-through-its-anonymous-sibling-monero-cm673770
Bitcoin right now is not really anonymous. While Bitcoin addresses aren't necessarily linked to real-world identities, they can be. Monitoring the unencrypted peer-to-peer network, analyses of the public blockchain and Know Your Customer (KYC) policy or Anti-Money Laundering (AML) regulations can reveal a lot about who's using Bitcoin and for what. This is not great from a privacy perspective. For example, Bitcoin users might not necessarily want the world to know where they spend their money, what they earn or how much they own; similarly, businesses may not want to leak transaction details to competitors. Additionally, the fact that the transaction history of each bitcoin is traceable puts the fungibility of all bitcoins at risk. "Tainted" bitcoins, for example, may be valued less than other bitcoins, possibly even calling into question Bitcoin's value proposition as money. There are potential solutions that may increase privacy and improve fungibility in Bitcoin. But most of these solutions are either partial, works-in-progress or just largely theoretical. To reclaim their privacy right now, therefore, some have begun to utilize one of its competitors: the altcoin Monero. The article continues with an explanation of how Monero works differently from Bitcoin. Monero is based on the CryptoNote reference implementation, which is an altcoin that was designed from scratch. It uses XMR as its native currency, which is one of the top altcoins by market capitalization. It has implementation details that greatly reduce the ability of someone to follow the chain of inputs and outputs of transactions and trace back someone's identity. The real trick is Monero's use of "Ring Signatures": The actual magic comes from a cryptographic signature scheme called "ring signatures," based on the older concept of "group signatures."
Ring signatures exist as several iterations and variations, but all share the property of obfuscating which cryptographic key signed "which" message, while still proving "that" a cryptographic key signed "a" message. The version used by Monero is called "Traceable Ring Signatures (pdf)," invented by Eiichiro Fujisaki and Koutarou Suzuki. Lastly, a Bitcoin holder can exchange Bitcoin for Monero, perform a transaction, and then (if desired) convert any change from the transaction back to Bitcoin (with suitable delays to allow other transactions to occur on the Monero blockchain.)
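Added example (not code from the article, this post or the Monero project) of the linkable ring signature the article describes, in the CryptoNote form: one real signer hidden among decoy public keys, plus a key image that links two signatures made with the same key. It assumes the secp256k1 curve, SHA-256 and a try-and-increment hash-to-point instead of Monero's Ed25519 and its own hash-to-point.

```python
# Added example, not code from the article or from Monero. Assumptions: secp256k1
# instead of Monero's Ed25519, SHA-256, and a try-and-increment hash-to-point.
import hashlib
import secrets

# secp256k1 parameters: field prime P, group order N, generator G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return INF                                         # a == -b
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P    # doubling
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    """Fixed 64-byte encoding so points can be hashed."""
    return b"\x00" * 64 if pt is INF else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash_scalar(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big") % N

def hash_point(pt):
    """Try-and-increment hash-to-point: nobody knows log_G(Hp(pt))."""
    x = int.from_bytes(hashlib.sha256(b"Hp" + enc(pt)).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)    # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)

def ring_sign(msg, pubkeys, s, x):
    """Sign msg with secret x = log_G(pubkeys[s]), hidden among the ring."""
    n = len(pubkeys)
    I = mul(x, hash_point(pubkeys[s]))   # key image: same key => same image
    alpha = secrets.randbelow(N - 1) + 1
    c, r, L, R = [0] * n, [0] * n, [INF] * n, [INF] * n
    for i, pk in enumerate(pubkeys):
        if i == s:
            L[i] = mul(alpha, G)
            R[i] = mul(alpha, hash_point(pk))
        else:                            # decoys: random c_i, r_i, no secret needed
            c[i] = secrets.randbelow(N - 1) + 1
            r[i] = secrets.randbelow(N - 1) + 1
            L[i] = add(mul(r[i], G), mul(c[i], pk))
            R[i] = add(mul(r[i], hash_point(pk)), mul(c[i], I))
    chal = hash_scalar(msg, *map(enc, L), *map(enc, R))
    c[s] = (chal - sum(c)) % N           # c[s] was 0, so sum(c) is the decoys' share
    r[s] = (alpha - c[s] * x) % N        # closes the ring using the real key
    return I, c, r

def ring_verify(msg, pubkeys, sig):
    """Recompute every L_i, R_i and check the challenge; s is never revealed."""
    I, c, r = sig
    L = [add(mul(r[i], G), mul(c[i], pk)) for i, pk in enumerate(pubkeys)]
    R = [add(mul(r[i], hash_point(pk)), mul(c[i], I)) for i, pk in enumerate(pubkeys)]
    return hash_scalar(msg, *map(enc, L), *map(enc, R)) == sum(c) % N

def same_signer(sig_a, sig_b):
    """Linkability: equal key images mean the same secret key signed both."""
    return sig_a[0] == sig_b[0]

if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]            # constructed ring of 3 members
    pubs = [pk for _, pk in keys]
    sig = ring_sign(b"spend output A", pubs, 1, keys[1][0])
    print("valid:", ring_verify(b"spend output A", pubs, sig))            # True
    again = ring_sign(b"spend output A again", pubs, 1, keys[1][0])
    print("double spend linked:", same_signer(sig, again))                # True
```

The key image is what makes the scheme "traceable" in the article's sense: a verifier cannot tell which ring member signed, but two signatures from the same key share an image, which is how a double spend is rejected.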


Endwall 09/05/2016 (Mon) 20:10:40 [Preview] No. 551 del
Hacker Interviews – 0xOmar (@0XOMAR1337)
http://securityaffairs.co/wordpress/50938/hacking/hacker-interviews-0xomar.html
September 4, 2016 By Pierluigi Paganini
Today I present to you 0xOmar (@0XOMAR1337), an expert very active in the hacking community online with great experience. Enjoy the interview.
Why do you use the nickname of TeaMp0isoN? I know them and you are not a member of the original crew.
Trick, a very good friend of mine, invited me to join TeaMp0isoN in 2012 after my interview with Sky News on Skype in 2012; then I met MLT after 2013. I have been underground for many years because Israeli intelligence was trying to track me, but I was still here, like other Anons are still wearing their masks. No one will know you. The new crew of TeaMp0isoN don’t know me. Members of the old crew like MLT know me. Good times; when I joined the team it was composed of only 4 persons.
Did you participate in several hacking campaigns? Could you tell me more about it?
I have participated in many operations and campaigns during my 17-year career. I taught many Anon hackers and I was a member of many teams. I have built 4 teams. I have participated in campaigns including #OpISIS, #OpIsrael, #Opusa, #OpIran, #OpMyanmar.
Could you tell me what your technical background is and when you started hacking?
My skills are hardware, networking, coding: HTML, PHP, ASP, APSX, VB, C++, C#, JS2E5.0, Java SE 8, JavaScript, Perl, SQL, .NET, XML, Scala, Python, Matlab, Cobol, Haskell, Smalltalk, Object-Oriented, Fortran, Scripting, Squeak, Ada, LabVIEW. My first software was made in VB, and later, in 2004, I developed a lot of software. One of my best pieces of software allowed me to get into Yahoo conferences without being invited. I developed many booters, DDoS scripts, malware, crypters & binders, etc. I started hacking in 1999.
What are your motivations?
I fight for peace in the world.
What was your greatest hacking challenge?
Taking down the Tel Aviv Stock Exchange in 2012, and airline and government websites. Below the list: http://www.zone-h.org/archive/notifier=0xOmar/page=1 … I infected the Iranian oil field with malware and I took down the site of the Israeli intelligence agencies when I was testing my tools (https://vid.me/9sqj ).
What are the 4 tools that cannot be missed in the hacker’s arsenal, and why?
* Nmap, for scanning ports, mapping networks and connecting to targets.
* Metasploit, exploitation & hacking framework.
* Hydra, brute force and other network cracking techniques.
* Acunetix WVS, web vulnerability scanner: cross-site scripting, SQL injection, WordPress, 1200 vulnerabilities.
Which are the most interesting hacking communities on the web today, and why?
The most interesting hacking communities are common; you can find them on social media platforms like Facebook, Twitter, etc.
Did you participate in hacking attacks against the IS propaganda online? When? How?
Yes, I do. I participated in hacking attacks against IS; I attacked the main sites used by the IS with botnets and malware. I hacked into many of their accounts. For me ISIS are not even Muslims.
Where do you find IS people to hack? How do you choose your targets?
Social media, mobile apps, Twitter, Facebook, Telegram, etc., & friends have been reporting chosen targets.
We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real?
Yes, it is. I do attacks against critical infrastructure. It is easy to attack them and the persons inside them. Send them emails with malware and you’ve got it. It is quite easy to scan online searching for vulnerable SCADA exposed on the Internet. Then you can use a known exploit to hack them or write your own exploit code.


Endwall 09/05/2016 (Mon) 20:24:42 [Preview] No. 552 del
Riseup, providing encrypted comms for over 15 years, could run out of money next month
https://www.grahamcluley.com/2016/09/riseup-encrypted-communications/
Graham Cluley | September 5, 2016 5:36 pm
Riseup.net, the non-profit collective which has been providing dissidents a way to encrypt their communications since 1999, without revealing your location or logging your IP address, is running out of money:
The news is not good. We hate to be bad news birds, but we need to tell you that Riseup will run out of money next month. We had a number of unexpected hardware failures, lower-than-expected regular donations, and a record year of new Riseup users which puts more financial pressure on us than ever before. We need your help to keep things going this year, so we are starting a campaign to ask Riseup users to give us just one dollar! Can you give us a dollar? There are a lot of easy ways to do it: https://riseup.net/donate
It seems that Riseup.net saw a boom in new users in the wake of the Edward Snowden revelations, but has not managed to match that growth with sufficient regular donations. If Riseup.net shuts down, that also means the end for 150,000 email accounts and over 18,000 mailing lists that depend on the service for their privacy and security. It would be sad to see Riseup.net close its doors. I hope people who value online liberty will support this noble cause. (Yes, I already donated.)


Endwall 09/05/2016 (Mon) 20:26:25 [Preview] No. 553 del
NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes
http://securityaffairs.co/wordpress/50971/hacking/nsa-extrabacon.html
Two security experts from the Rapid 7 firm revealed that tens of thousands of CISCO ASA boxes are still vulnerable to the NSA EXTRABACON exploit.

A few weeks ago the Shadow Brokers hacker group hacked into the arsenal of the NSA-linked Equation Group and leaked online data dumps containing its exploits. ExtraBacon is one of the exploits included in the NSA arsenal; in August security experts improved it to hack newer versions of the CISCO ASA appliance.

The Hungary-based security consultancy SilentSignal focused its analysis on the ExtraBacon exploit, revealing that it could be used against the newer models of Cisco’s Adaptive Security Appliance (ASA). The security firm demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought. Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes and has now been expanded to 9.2.(4).

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The EXTRABACON tool leverages a flaw that resides in the Simple Network Management Protocol (SNMP) implemented by the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code,” states the advisory published by CISCO. “The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online. Network administrators that manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

Experts estimated that tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit.

The bad news

Unfortunately, two security experts from the Rapid 7 firm, Derek Abdine and Bob Rudis, revealed that tens of thousands of ASA appliances are still vulnerable to the EXTRABACON attack, judging by the time of the last reboot. The security duo scanned roughly 50,000 ASA devices that were identified in a previous reconnaissance and analysed the last reboot times. Some 10,000 of the 38,000 ASA boxes had rebooted within the 15 days since Cisco released its patch, information that confirms that roughly 28,000 devices are still vulnerable because they were not patched. The remaining 12,000 devices did not provide the information of the last reboot.

Going deeper into the analysis, the researchers discovered that unpatched devices belong to four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

What does it mean?

It means that the above organizations are using vulnerable CISCO ASA boxes if the following conditions are met:

* the ASA device must have SNMP enabled and an attacker must have the ability to reach the device via UDP SNMP (yes, SNMP can run over TCP though it’s rare to see it working that way) and know the SNMP community string
* an attacker must also have telnet or SSH access to the devices

Of course, exploiting ExtraBacon is not so simple; anyway, it is possible when dealing with persistent attackers.

“This generally makes the EXTRABACON attack something that would occur within an organization’s network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit,” wrote Abdine and Rudis. “Even though there’s a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments.”

“Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.”

The security duo is warning the above organisations, which must not underestimate the risk of exposure to EXTRABACON attacks.


Endwall 09/05/2016 (Mon) 20:27:24 [Preview] No. 554 del
Dutch Police seized two servers of the VPN provider Perfect Privacy
http://securityaffairs.co/wordpress/50897/laws-and-regulations/perfect-privacy-seizures.html
September 4, 2016 By Pierluigi Paganini
The Dutch Police has seized two servers belonging to the Switzerland-based Virtual Private Network (VPN) provider Perfect Privacy as part of an investigation.

Recently, two European countries, France and Germany, have declared war against encryption with the objective of forcing major technology companies to build encryption backdoors into their secure messaging services. The fight against cybercrime is a priority for every European government; law enforcement agencies worldwide are joining their efforts to fight illegal activities online. Law enforcement bodies claim their investigations are hampered by the wide adoption of encryption by criminal organizations and ask their governments for more powers.

The French and German governments call for a European Decryption Law: a joint press conference, “Franco-German initiative on internal security in Europe”, was held in Paris by Germany’s Interior Minister Thomas de Maizière and France’s Interior Minister Bernard Cazeneuve. They called on the European Commission to consider a possible new legislative act to force operators offering products or telecommunications services to decrypt messages or to remove illegal content for government investigators. A directive, if issued by the European Commission, is a kind of EU decryption law that must pass through the interpretation stage of the European Union’s member states to become a national law at the European level. Meanwhile, at the international level, they also called for the signing and ratification of the Budapest Convention on Cybercrime.

The Netherlands is another country that is adopting measures to counter cybercrime; recently the Dutch Police seized two servers belonging to the Switzerland-based Virtual Private Network (VPN) provider Perfect Privacy as part of an investigation. At the time of writing the Dutch police had not provided further details about the seizures.

The Perfect Privacy VPN provider informed its customers that two servers in Rotterdam were seized by the Dutch police on Thursday, August 24. The Dutch authorities seized the servers of the company; they requested I3D to give them access to the servers with a subpoena that allowed them to seize the hardware. Perfect Privacy confirms that the company was back up and running the following day after I3D. The Perfect Privacy provider confirmed the seizures and declared that it received the news about the law enforcement operation from I3D, the company that provides server hosting in the Netherlands.

“Today our hoster I3D informed us that the Dutch authorities have seized two servers from our location in Rotterdam. Currently we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster,” states the announcement from the Perfect Privacy VPN provider. “Since we are not logging any data there is currently no reason to believe that any user data was compromised.”

VPNs are privileged tools that allow security experts, activists, and journalists to protect their privacy online; unfortunately, they are often abused also by crooks and black hat hackers. VPN service providers receive numerous requests from law enforcement agencies for supporting their investigations, but in the majority of cases the company doesn’t offer its collaboration. It is likely that this is what has happened to the Perfect Privacy VPN provider.

In April, the Dutch Police seized the servers of the Ennetcom VPN provider based in the Netherlands and Canada to shut down their operations during a criminal investigation. In that case, the Dutch Police accused Ennetcom of helping criminal activities, including drug trafficking and assassinations.

The I3D hosting provider offered two replacement servers to avoid problems with the VPN provider.


Endwall 09/05/2016 (Mon) 20:28:46 [Preview] No. 555 del
Linux/Mirai ELF, when malware is recycled could be still dangerous
http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html
September 5, 2016 By Pierluigi Paganini
Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices.

Experts from MalwareMustDie have analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The name of the malware is the same as the binary, “mirai.*”, and according to the experts, several attacks have been detected in the wild.

The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions, as confirmed by the very low detection ratio in the VirusTotal online scanning service.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming,” states the analysis from the MalwareMustDie Blog.

The last ELF examined by Security Affairs was the Linux Trojan Linux.PNScan, which has been actively targeting routers based on x86 Linux in an attempt to install backdoors on them. But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”. And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”

This means that when the infection succeeds, it is not easy to distinguish an infected system from a non-infected one, except through memory analysis, and we are talking about a kind of device that is not easy to analyze and debug. The normal kind of analysis conducted from the file system or from the external network traffic doesn’t give any evidence, at the beginning.

We are in a hostile environment, called the Internet of Things (IoT), shaping a new kind of powerful botnet spreading worldwide, but which countries are more exposed to this kind of attack?

“Countries that are having Linux busybox IoT embedded devices that can connect to the internet, like DVR or Web IP Camera from several brands, and countries who have ISP serving users by Linux routers running with global IP address, are exposed as target, especially to the devices or services that is not securing the access for the telnet port (Tcp/23) service.”

In fact, he continues, it seems that “the Linux/Mirai creators succeed to encode the strings and making diversion of traffic to camouflage themselves.” As is possible to see by analyzing the samples, shown in the link to VirusTotal, the best detection is only “3 of 53” or “3 to 55.”

What is very important for all the sysadmins is to be provided with a shield against these infections: “along with the good friends involved in the open filtration system, security engineers are trying to push”, says again MalwareMustDie, “the correct filtration signature to alert the sysadmins if having the attacks from this threat. And on one pilot a sysadmin provided with the correct signatures found the source attack from several hundreds of addresses within only a couple of days.”

Then it seems that the infection is really going widespread and the botnet seems to be really very large. At the moment, for all the sysadmins who want to protect their systems there is a list of mitigation actions:

* If you have an IoT device, please make sure you have no telnet service open and running.
* Blocking the used TCP/48101 port if you don’t use it is good to prevent infection and further damage.
* Monitor the telnet connections, because the botnet protocol used for infection is the Telnet service.
* Reverse the process looking for the strings reported in the MalwareMustDie detection tool tips.

But what do we know about this Linux/Mirai ELF malware exactly, and why is it not so common among the malware analysts?

“The reason why not so many people know it”, says MalwareMustDie, “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”

This means that also the forensic analysis can be difficult if we switch off the infected device: all the information would be lost and maybe it would be necessary to start again with a new infection procedure, in case. It recalls the Greek mobile wiretap named “Vodafone Hack”: no evidence other than in memory.

But in your opinion, what is the main difference from the previous ELF malware versions?

“The actors are now having different strategy than older type of similar threat,” says MalwareMustDie, “by trying to be stealth (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), encoded ELF’s ASCII data, and with a big “hush-hush” among them for its distribution. But it is obvious that the main purpose is still for DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call it as Telnet Scanner.”

The real insidiousness of this ELF is that the only way to track it is to extract it from the memory of the running devices, and there is not so much expertise among people that can “hack their own routers or webcam or DVR to get the malware binary dumped from the memory or checking the trace of infection.”

Digging in the details: how the infection works...


Endwall 09/05/2016 (Mon) 20:30:48 [Preview] No. 556 del
Evidence on hacks of the US State Election Systems suggest Russian origin
http://securityaffairs.co/wordpress/50962/intelligence/election-systems-attacks.html
September 5, 2016 By Pierluigi Paganini
Researchers have found links between the attacks on US state election systems and campaigns managed by alleged Russian state-sponsored hackers.
Security experts at the threat intelligence firm ThreatConnect have conducted an analysis of the IP addresses listed in the flash alert issued in August by the FBI that warned about two cyber attacks against the election systems in two U.S. states. The FBI confirmed that foreign hackers have penetrated state election systems; federal experts have uncovered evidence of the intrusion. The hackers violated the databases of two state election systems; for this reason the FBI issued the flash alert to election officials across the country, inviting them to adopt security measures to protect their computer systems.

“The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyber intrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections,” reported Yahoo News, which obtained a copy of the “flash” alert.

The FBI alert contains technical details about the attacks, including the IP addresses involved in both attacks, which have been analyzed by ThreatConnect. The TTPs adopted by the attackers suggest the involvement of Russian hackers; one of the IP addresses included in the alert has surfaced before in Russian criminal underground hacker forums. Some of the IPs are owned by the FortUnix Networks firm, which was known to security experts because its infrastructure was exploited by the attackers that hit the Ukrainian power grid in December with the Black Energy malware. The experts revealed that one of them was used in the past in spear-phishing campaigns that targeted the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.

“However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spear phishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi,” states the analysis published by ThreatConnect. “As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.”

The phishing campaigns mentioned in the analysis exploited an open source phishing framework named Phishing Frenzy; the security experts managed to hack into the control panel of the system used by the phishers and discovered a total of 113 emails written in Ukrainian, Turkish, German and English. Out of the 113 total emails, 48 of them are malicious messages targeting Gmail accounts, while the rest were specifically designed to look like an email from an organization of interest to the victims. 16 of the malicious emails used to target AK Party officials were also included in the WikiLeaks dump of nearly 300,000 AK Party emails disclosed in July.

The experts from ThreatConnect discovered some connections to a Russian threat actor, allegedly linked to the Government of Moscow. One of the domains hosting the phishing content was registered with an email address associated with a domain known to be used by the infamous APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy).

Below is the evidence collected by experts at ThreatConnect that suggests the involvement of the Russian Government, “but do not prove” it:

* Six of the eight IP addresses belong to a Russian-owned hosting service
* 5.149.249[.]172 hosted a Russian cybercrime market from January – May 2015
* Other IPs belonging to FortUnix infrastructure, the same provider as 5.149.249[.]172, were seen in 2015 Ukraine power grid and news media denial of service attacks
* The Acunetix and SQL injection attack method closely parallels the video from a purported Anonymous Poland (@anpoland) handle describing how they obtained athlete records from the Court of Arbitration for Sport (CAS).


Endwall 09/05/2016 (Mon) 20:32:22 [Preview] No. 557 del
NSO Group, the surveillance firm that could spy on every smartphone
http://securityaffairs.co/wordpress/50949/hacking/nso-group-firm.html
September 5, 2016 By Pierluigi Paganini
The NSO Group is one of the surveillance companies that allow their clients to spy on their targets through almost any smartphone.
It is quite easy for any government to spy on mobile users; recently we discussed the Trident vulnerabilities that were exploited by surveillance software developed by the NSO Group to deliver the Pegasus malware. But it could be very expensive if you decide to use the NSO Group’s software: according to The New York Times, spying on 10 iPhones will cost $650,000, plus a $500,000 setup fee.

“To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal,” reported The New York Times. “You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.”

There are several companies that develop surveillance platforms for targeting mobile devices; the NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor. The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of corruption in the Mexican government.

“The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013,” added The New York Times.

“Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.”

The New York Times has conducted further investigations on the NSO Group, the company that specializes its offer in surveillance applications for governments and law enforcement agencies around the world. People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers, verifying that the software will not be abused to violate human rights. Officially the sale of surveillance software is limited to authorized governments to support the investigation of criminal organizations and terrorist groups by agencies. Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”

Companies like the NSO Group operate in the dark, in a sort of “legal gray area”; although the Israeli government exercises strict control over the export of such kinds of software, surveillance applications could be abused by threat actors and authoritarian regimes worldwide.

The principal product of the NSO Group is a surveillance software called Pegasus; it allows spying on the most common mobile devices, including iPhones, Androids, and BlackBerry and Symbian systems. Pegasus is a perfect tool for surveillance: it is able to steal any kind of data from smartphones and use them to spy on the surrounding environment through their camera and microphone.

“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person,” continues The New York Times.

Now we have more information about the mysterious NSO Group, but many other companies operate in the same “legal gray area.”


Endwall 09/07/2016 (Wed) 23:39:36 [Preview] No. 560 del
Hak 5

Threat Wire
Ford to Nix Key Fobs for Better Security? - Threat Wire - Duration: 5 minutes, 47 seconds.
https://www.youtube.com/watch?v=30lQcx4srbc

2 Second Password Hash Hack - Hak5 2102 - Duration: 26 minutes.
https://www.youtube.com/watch?v=BH4M7djZfew


Endwall 09/08/2016 (Thu) 01:11:21 [Preview] No. 561 del
Motherboard
Hacking Passports and Credit Cards with Major Malfunction - Duration: 6 minutes, 17 seconds.
https://www.youtube.com/watch?v=-4_on9zj-zs


Endwall 09/08/2016 (Thu) 05:50:38 [Preview] No. 567 del
CVE-2016-3862 flaw – Silently hack millions of Android devices with a photo
http://securityaffairs.co/wordpress/51043/mobile-2/android-cve-2016-3862-flaw.html
The CVE-2016-3862 flaw is a remote code execution vulnerability that affects the way certain Android apps parse the Exif data of images.

Are you an Android user? I have bad news for you: an apparently harmless image on a social media or messaging app could compromise your mobile device. The last security updates issued by Google have fixed the Quadrooter vulnerabilities, which were threatening more than 900 million devices, and a critical zero-day that could let attackers deliver their hack hidden inside an image.

The flaw, coded as CVE-2016-3862, is a remote code execution vulnerability in the Mediaserver. It affects the way certain Android applications parse the Exif data included in images.

“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras,” reads Wikipedia.

The flaw was first discovered by the security researcher Tim Strazzere from the SentinelOne firm, who explained that it could be exploited by hackers to take complete control of the device without the victim knowing, or to crash it.

“Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing,” explained Forbes.

The victim doesn’t need to click on the malicious image, nor on a link, because as soon as its data is parsed by the device it triggers the CVE-2016-3862 vulnerability.

“The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone. Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere explained.

What does it mean? Just one photo containing a generic exploit can silently hack millions of Android devices, in a way similar to the Stagefright exploits that allowed attackers to hack a smartphone with just a simple text message.

“Theoretically, someone could create a generic exploit inside an image to exploit lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.”

Strazzere developed the exploits for the affected devices and tested them on Gchat, Gmail and many other messenger and social media apps. Strazzere did not reveal the names of the other apps that are also affected by the CVE-2016-3862 vulnerability; he also added that the list of vulnerable software includes “privacy-sensitive” tools. Any mobile app implementing the Android Java object ExifInterface code is likely affected by the vulnerability.

The vulnerability is similar to last year’s Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.

Google Android versions from 4.4.4 to 6.0.1 are affected by the CVE-2016-3862 vulnerability, unless, of course, the devices installed the latest update. Google has already delivered a patch to fix the vulnerability; as usual, this doesn’t mean that your mobile has already applied it, because the patch management depends on handset manufacturers and carriers. So, if you are not running an updated version of the Android OS, you are probably vulnerable to the image-based attack.

Google rewarded Strazzere $4,000 as part of its Android bug bounty and added another $4,000, as the researcher had pledged to give all $8,000 to Girls Garage, a program of the nonprofit Project H Design for girls aged 9-13.
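The article says only that the bug lives in how ExifInterface parses Exif data. As an added example (not Android's ExifInterface and not a reproduction of CVE-2016-3862, whose details the article does not give), the walker below parses the TIFF-structured body of an Exif segment and refuses every IFD offset, entry count or value pointer that would read outside the buffer, which is the class of check such a parser needs against untrusted images; the benign and hostile blobs are constructed, and the entry and chain caps are my own choices.

```python
"""Bounds-checked Exif (TIFF-structured) IFD walker. Added example, not
Android's ExifInterface; every sample blob below is constructed."""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8}
MAX_ENTRIES = 512   # real IFDs hold a few dozen entries; refuse absurd counts
MAX_IFDS = 16       # bounds the IFD chain so a pointer loop cannot spin forever


class ExifError(ValueError):
    """Raised for any structure that would read outside the buffer."""


def parse_exif(tiff):
    """Walk the IFD chain of a TIFF body (the bytes after 'Exif\\0\\0')."""
    if len(tiff) < 8:
        raise ExifError("truncated TIFF header")
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None:
        raise ExifError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    entries, seen = [], set()
    while ifd_off:
        if ifd_off in seen or len(seen) >= MAX_IFDS:
            raise ExifError("IFD loop or over-long chain")
        seen.add(ifd_off)
        if ifd_off + 2 > len(tiff):
            raise ExifError(f"IFD offset {ifd_off:#x} outside buffer")
        (count,) = struct.unpack(end + "H", tiff[ifd_off:ifd_off + 2])
        table_end = ifd_off + 2 + count * 12 + 4     # entries + next-IFD pointer
        if count > MAX_ENTRIES or table_end > len(tiff):
            raise ExifError(f"IFD at {ifd_off:#x} declares {count} entries past buffer")
        for i in range(count):
            pos = ifd_off + 2 + i * 12
            tag, typ, n, raw = struct.unpack(end + "HHI4s", tiff[pos:pos + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise ExifError(f"tag {tag:#06x}: unknown type {typ}")
            # In C this product is where a 32-bit overflow could hide; Python
            # ints do not wrap, but the range check below is still mandatory.
            total = size * n
            if total <= 4:
                value = raw[:total]               # short values are stored inline
            else:
                (voff,) = struct.unpack(end + "I", raw)
                if voff + total > len(tiff):
                    raise ExifError(f"tag {tag:#06x}: value at {voff:#x} overruns buffer")
                value = tiff[voff:voff + total]
            entries.append({"tag": tag, "type": typ, "count": n, "value": value})
        (ifd_off,) = struct.unpack(end + "I", tiff[table_end - 4:table_end])
    return entries


def is_safe(tiff):
    """True when the blob parses without any out-of-bounds structure."""
    try:
        parse_exif(tiff)
        return True
    except ExifError:
        return False


def _tiff(ifd_bytes, tail=b"", first_ifd=8):
    """Little-endian TIFF header followed by the given IFD bytes and tail."""
    return b"II" + struct.pack("<HI", 42, first_ifd) + ifd_bytes + tail


def benign_sample():
    """Make (0x010F, ASCII, stored out of line at offset 38) + Orientation (0x0112)."""
    make = b"Acme\0"
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 0x010F, 2, len(make), 38)
    ifd += struct.pack("<HHIH2x", 0x0112, 3, 1, 1)
    ifd += struct.pack("<I", 0)                        # no next IFD
    return _tiff(ifd, make)


def hostile_ifd_offset():
    """Header points the first IFD far outside the buffer."""
    return _tiff(b"", first_ifd=0xFFFFFFF0)


def hostile_entry_count():
    """IFD claims 65535 entries but the buffer ends right after the count."""
    return _tiff(struct.pack("<H", 0xFFFF))


def hostile_value_pointer():
    """One ASCII entry whose value pointer lies past the end of the buffer."""
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x010F, 2, 64, 0xFFFFFF00)
    return _tiff(ifd + struct.pack("<I", 0))
```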


Endwall 09/08/2016 (Thu) 05:52:28 [Preview] No. 568 del
Security Affairs
Hacker Interviews – @h0t_p0ppy, the hacktivist
http://securityaffairs.co/wordpress/51038/hacktivism/hacker-interviews-h0t_p0ppy-the-hacktivist.html
Today I’ll present @h0t_p0ppy, a skilled online hacktivist that participated in the major hacking campaigns, including #OpWhales, #OpSeaWorld, #OpKillingBay, and #OpBeast.
September 7, 2016 By Pierluigi Paganini
You are a popular talented hacker that has already participated in several hacking campaigns, could you tell me more about it?

I have participated in campaigns against animal abuses. There are many ops for animals that don’t get enough attention or recognition. The first big one was #OpFunKill, then #OpKillingBay, which inspired me to create #OpSeaWorld, #OpKillingBay-EU and #OpWhales. All these campaigns focus on either the slaughter or confinement of cetaceans. Few people were aware of the impact of cetacean slaughter on our environment. As Paul Watson said, “If the oceans die, we die.” With these ops the public can learn about whale slaughter, which is still happening today, and the truth behind SeaWorld and marine prisons. It’s not easy keeping all these ops up to date with relevant information. It takes a lot of my spare time, but if it makes a difference, it’s worth it.

Could you tell me what your technical background is and when you started hacking?

I was inspired by the Anonymous movement to believe that every single person has the ability to make a change. I went from office to hacktivism. I have picked up skills, taught myself and relied on team members to teach me new skills. The team as a whole has a varied skill base, from researching to dd0s and hacking. Each and every one of us is equally important to the success of the ops.

Which are your motivations?

Simply to bring awareness to the public about the crimes against cetaceans at the hands of humans. I also want to see an end to whaling.

What was your greatest hacking challenge?

The greatest challenge isn’t hacking, it’s keeping the momentum and interest in the ops. #OpKillingBay, for instance, is in year 4 now and still as important as the day it launched. All our work is a team effort. Action taken for #OpWhales has brought Iceland’s commercial hunt of fin whales (an endangered animal) into the spotlight. Sites were brought down, including the prime minister’s official website and that of the environment and interior ministries. This brought worldwide media attention to the plight of these whales.

Which was your latest hack? Can you describe it to me?

The guys at Powerful Greek Army have been getting involved with ops hitting SeaWorld with a huge dd0s attack in the last few days. Also a few other Animal Rights hacktivists have had a few whale meat sellers’ sites de-hosted. (Many thanks to all.)

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

A range of vulnerability scanners, patience, determination and, most importantly, a trustworthy team.

Which are the most interesting hacking communities on the web today, why?

The guys at Anon Rising are doing a great job building up an IRC and support base for anons and ops.

How do you choose your targets?

Targets are connected to the whaling industry ~ the sale and transport of whale meat and governments that approve whaling. Also any company connected with the trade in dolphins and their incarceration.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

Yes, it is just a matter of time.


Endwall 09/08/2016 (Thu) 05:54:27 [Preview] No. 569 del
CSTO Ransomware, a malware that uses UDP and Google Maps
http://securityaffairs.co/wordpress/51015/malware/csto-ransomware.html
September 7, 2016 By Pierluigi Paganini
The CSTO ransomware is able to query the Google Maps API to discover the victim’s location and connects to the C&C via UDP.
Ransomware is considered by security experts one of the most dangerous threats to Internet users and organizations across the world. Malware authors are developing new malicious codes that implement new features to improve evasion and spreading abilities. Security researchers at BleepingComputer have reported a new ransomware dubbed Cry or CSTO because it pretends to come from the inexistent organization Central Security Treatment Organization. The CSTO ransomware was first spotted by the malware researcher MalwareHunterTeam. Once it has infected a machine, the CSTO ransomware encrypts files and appends the .cry extension to them.

Like the Cerber ransomware, the CSTO also sends information to its command and control server via UDP. After infecting a computer, the CSTO ransomware collects information on the host (Windows version, installed service pack, OS version, username, computer name, and CPU type), which it sends via UDP to 4096 different IP addresses, but only one of them is the C&C server. The Vxers have chosen the UDP protocol in an attempt to hide the location of the C&C server. The threat requests the payment of a 1.1 Bitcoin (more than $600) ransom in order to decrypt the files.

The CSTO ransomware implements a singular feature: it leverages websites such as Imgur.com and Pastee.org to host information about victims, and it is able to query the Google Maps API to discover the victim’s location using the SSIDs of nearby wireless networks. The ransomware uses the WlanGetNetworkBssList function to get the nearby SSIDs; in this way it is able to determine the victim’s location, but it is not clear how the malware uses this information. “Furthermore, it will also use public sites such as Imgur.com and Pastee.org to host information about each of the victims. Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.” reported bleepingcomputer.com.

After encrypting the files, the threat uploads host information along with a list of encrypted files to Imgur.com by compiling all details in a fake PNG image file and sending it to a certain album. Imgur, in turn, assigns a unique name to the image file and returns it to the CSTO ransomware, which then broadcasts the filename over UDP to inform the C&C server. Similar to other ransomware, the Cry ransomware deletes the Shadow Volume Copies using the command vssadmin delete shadows /all /quiet. In this way it prevents victims from restoring the encrypted files. The threat gains persistence by creating a randomly named scheduled task that is triggered every time the user logs into Windows. The task also drops ransom notes on the desktop of the infected machine. The ransom note includes instructions on how to access the Tor network to reach the payment site used by the authors. “The ransom notes created by the Central Security Treatment Organization Ransomware contain links to a TOR payment site that has a Window title of User Cabinet. When a user visits this site, they will be prompted to login using the personal code from their ransom note.” continues bleepingcomputer.com. The payment site includes a support page and offers victims the possibility of decrypting just one file for free as proof that it is possible to decrypt all the locked files. The researchers tested the free decryption feature, but it failed, another good reason to avoid paying the ransom.


Endwall 09/08/2016 (Thu) 05:57:04 [Preview] No. 570 del
Threatpost
Cry Ransomware Uses UDP, Imgur, Google Maps
https://threatpost.com/cry-ransomware-uses-udp-imgur-google-maps/120383/
by Chris Brook September 6, 2016 , 2:40 pm
Ransomware purporting to come from a phony government agency, something called the Central Security Treatment Organization, has been making the rounds, researchers say. The ransomware, which is already known by a number of names including Cry, CSTO ransomware, or Central Security Treatment Organization ransomware, uses the User Datagram Protocol (UDP) to communicate and the photo sharing service Imgur and Google Maps to carry out its infections to an extent, as well. A security researcher who goes under the guise MalwareHunterTeam discovered the malware last Thursday. Lawrence Abrams, who runs BleepingComputer.com, helped analyze the ransomware alongside MalwareHunterTeam and security researcher Daniel Gallagher. Abrams discussed their collected findings in a blog post Monday night.

The three point out that the ransomware is still being analyzed so many of the details around it are still hazy; that includes how it’s being distributed and whether or not decryption is possible. What is known is that the malware has managed to hit 8,000 victims in almost two weeks so far. Abrams told Threatpost on Tuesday that when he started to analyze the ransomware with MalwareHunterTeam on Sept. 2 there were roughly 3,200 victims. That figure later ballooned to 6,800 two days later and when he checked on Monday, it had reached 8,000. The ransomware is still being developed too; Abrams claims Gallagher discovered a new sample earlier today.

After machines are infected, Cry leaves ransom notes, “Recovery_[random_chars].html” and “!Recovery_[random_chars].txt”, on a victim’s desktop, notifying them their files have been encrypted with the “.cry” extension – hence the name. The notes demand 1.1 bitcoin, or roughly $625, to decrypt them. From there, it uses the UDP protocol to relay information about the infected machine, including its Windows version, its Windows bit type, which service pack is installed, the computer’s name and CPU type to over 4,000 IP addresses.
According to Abrams, this method is likely used to make it trickier for authorities to finger the command and control server’s location, a technique that has been used in the past by the Cerber ransomware strain. Researchers at Invincea saw a Cerber variant in May generating loads of outgoing UDP traffic, to the point that it was flooding subnets with UDP packets over port 6892. Experts didn’t rule out the possibility that the ransomware could be capable of carrying out a distributed denial of service attack. In addition to UDP, Cry also uses two other services not usually leveraged by ransomware: Imgur and Google Maps. The ransomware culls all the information it sends to the IP addresses and embeds it in a PNG image file and subsequently uploads to an Imgur photo gallery. “Once the file has successfully been uploaded, Imgur will respond with a unique name for the filename,” Abrams writes. “This filename (can) then be broadcasted over UDP to the 4096 IP addresses to notify the Command & Control server that a new victim has been infected.” The ransomware can also use Google Maps’ API to determine the Service Set Identifier (SSID) of packets sent by any nearby wireless networks. By using Windows’ WlanGetNetworkBssList function, Cry can get the list of wireless networks and SSIDs. After querying any SSIDs visible to the infected machine, it can use Google Maps to get the victims’ location. While the location data is no doubt valuable, Abrams claims it’s unclear what exactly it’s for, but admits it can likely be used to further scare a victim into paying. Abrams told Threatpost that while it wasn’t discovered until Sept. 1, it appears the developer behind Cry first began testing the waters several days before, on Aug. 25. 
Abrams, Gallagher and MalwareHunterTeam can see the developer began testing uploaded PNG files at the time with just the strings “LOLWTFAMIDOINGHERE.” While the Central Security Treatment Organization doesn’t exist, neither does the Department of Pre-Trial Settlement or the Federal Agency of Investigation, two other bogus groups that the ransomware touts itself as representing on its Tor payment site. The seal for the fake organization appears to borrow the crest, branches, and stars from the FBI’s logo and the eagle’s head from the CIA logo.
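The two write-ups above (No. 569 and No. 570) describe the same host-level behaviours of Cry/CSTO that a defender can look for: one machine spraying UDP datagrams at thousands of distinct addresses, and a vssadmin invocation wiping the Shadow Volume Copies. The following Python is an added detection example, not code from BleepingComputer, Threatpost or the researchers quoted; the flow-log and process-log formats and the sample lines are constructed, and the fan-out threshold is lowered from the 4096 addresses named in the articles to 100 so the sample stays small.

```python
"""Added detection example (not code from the page's sources): flag the two host
behaviours attributed above to the Cry/CSTO ransomware in constructed logs.

1. A host sending UDP datagrams to thousands of distinct destination IPs in a
   short window (the articles say 4096 addresses; the threshold below is lowered
   to 100 so the constructed sample stays small).
2. A process-creation record running "vssadmin delete shadows /all /quiet".

Both log formats are constructed for this example and do not correspond to any
particular product's output.
"""
import re
from collections import defaultdict

# Constructed flow-record format: "<epoch> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
FLOW_RE = re.compile(r"^(\d+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\d+)$")
# Constructed process-creation format: "<epoch> pid=<n> image=<path> cmd=<command line>"
PROC_RE = re.compile(r"^(\d+) pid=(\d+) image=(\S+) cmd=(.*)$")
# vssadmin invocation that removes shadow copies, tolerant of case and argument spacing
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def udp_fanout_alerts(flow_lines, window_s=60, threshold=100):
    """Return [(src_ip, max_distinct_dsts)] for every source that sent UDP to more
    than `threshold` distinct destination IPs inside some `window_s`-second window.
    TCP and unparseable lines are ignored."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m or m.group(2).upper() != "UDP":
            continue
        per_src[m.group(3)].append((int(m.group(1)), m.group(5)))

    alerts = []
    for src, events in per_src.items():
        events.sort()                      # by timestamp
        counts = defaultdict(int)          # dst -> occurrences inside the window
        distinct = best = lo = 0
        for ts, dst in events:
            counts[dst] += 1
            if counts[dst] == 1:
                distinct += 1
            # slide the window's left edge forward past records older than window_s
            while events[lo][0] < ts - window_s:
                old = events[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    distinct -= 1
                lo += 1
            best = max(best, distinct)
        if best > threshold:
            alerts.append((src, best))
    return alerts


def shadow_copy_deletion_alerts(process_lines):
    """Return [(pid, command_line)] for process-creation records whose command
    line deletes Volume Shadow Copies with vssadmin."""
    hits = []
    for line in process_lines:
        m = PROC_RE.match(line.strip())
        if m and VSS_DELETE_RE.search(m.group(4)):
            hits.append((int(m.group(2)), m.group(4)))
    return hits


# --- constructed sample data -------------------------------------------------
# Infected host 10.0.0.5: 300 datagrams to 300 distinct addresses within 30 s.
SAMPLE_FLOWS = [
    f"{1000 + i // 10} UDP 10.0.0.5:49152 -> 10.{(i >> 8) & 255}.{i & 255}.1:6892 120"
    for i in range(300)
]
# Benign host 10.0.0.7: 200 DNS queries, all to the same resolver.
SAMPLE_FLOWS += [f"{1000 + i} UDP 10.0.0.7:53001 -> 10.0.0.53:53 64" for i in range(200)]
# A TCP connection from the infected host, which the UDP detector must ignore.
SAMPLE_FLOWS.append("1005 TCP 10.0.0.5:50000 -> 203.0.113.9:443 1500")

SAMPLE_PROCS = [
    r"1005 pid=412 image=C:\Windows\System32\svchost.exe cmd=svchost.exe -k netsvcs",
    r"1010 pid=2231 image=C:\Windows\System32\vssadmin.exe cmd=vssadmin delete shadows /all /quiet",
    r"1011 pid=2240 image=C:\Windows\System32\vssadmin.exe cmd=VSSADMIN.EXE  Delete Shadows /All /Quiet",
    r"1020 pid=2300 image=C:\Windows\System32\vssadmin.exe cmd=vssadmin list shadows",
]

if __name__ == "__main__":
    for src, n in udp_fanout_alerts(SAMPLE_FLOWS):
        print(f"UDP fan-out: {src} reached {n} distinct destinations in one window")
    for pid, cmd in shadow_copy_deletion_alerts(SAMPLE_PROCS):
        print(f"Shadow copy deletion: pid {pid}: {cmd}")
```

The benign resolver traffic and the `vssadmin list shadows` record are included so the sample shows both detectors discarding ordinary activity.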


Endwall 09/08/2016 (Thu) 05:58:07 [Preview] No. 571 del
Information Security Newspaper
LuaBot Is the First Botnet Malware Coded in Lua Targeting Linux Platforms
http://www.securitynewspaper.com/2016/09/06/luabot-first-botnet-malware-coded-lua-targeting-linux-platforms/
Security Newspaper | September 6, 2016
LuaBot is the latest addition to the Linux malware scene. A trojan coded in Lua is targeting Linux platforms with the goal of adding them to a global botnet, security researcher MalwareMustDie! has reported today. For an operating system with a minuscule 2.11 percent market share, this is our third story on Linux malware in the past 24 hours, after previously reporting on the Mirai DDoS trojan and the Umbreon rootkit. LuaBot falls into the same category as Mirai because its primary purpose is to compromise Linux systems, IoT devices or web servers, and add them as bots inside a bigger botnet controlled by the attacker.

LuaBot most likely used for DDoS attacks

At the time of writing, this botnet’s purpose is currently unknown, but MalwareMustDie told Softpedia on Twitter that the code for launching packet floods (DDoS attacks) is there, only that he wasn’t able to confirm the functionality yet. At the moment, the LuaBot trojan is packed as an ELF binary that targets ARM platforms, usually found in embedded (IoT) devices. Based on his experience, this seems to be the first Lua-based malware family packed as an ELF binary spreading to Linux platforms. Unlike Mirai, which is the fruit of a two-year-long coding frenzy, LuaBot is in its early stages of development, with the first detection being reported only a week ago and a zero detection rate on VirusTotal for current samples. Since it’s only a one-week-old malware strain, details are scarce about its distribution and infection mechanism.

LuaBot author challenges security researchers

MalwareMustDie has managed to reverse-engineer some of the trojan’s code and discovered that the bot communicates with a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL. The researcher also found that LuaBot’s brazen developer left a message behind for all the infosec professionals trying to deconstruct his code. The message reads, “Hi. Happy reversing, you can mail me: [REDACTED .ru email address].” Additionally, MMD also discovered code labeled as “penetrate_sucuri,” alluding to features capable of skirting Sucuri’s infamous Web Application Firewall, a cyber-security product that has stopped many web threats in the past. MMD told Softpedia that “it seems the function is there […] coded with that purpose,” but the researcher later admitted that “I don’t know the Sucuri WAF much, so I can not test it.” Softpedia has reached out to Sucuri, and we’ll update the article if this function proves to be a successful firewall bypass or just an unfinished piece of code.


Endwall 09/14/2016 (Wed) 01:59:21 [Preview] No. 577 del
Hak 5
Steal Passwords from a Locked PC - Threat Wire - Duration: 4 minutes, 38 seconds.
https://www.youtube.com/watch?v=A7lCB1Vz5hg


Endwall 09/19/2016 (Mon) 01:42:01 [Preview] No. 583 del


Endwall 09/19/2016 (Mon) 01:44:15 [Preview] No. 584 del
Hak 5
MOSH: High Latency Alternative to SSH - Hak5 2103 - Duration: 18 minutes.
https://www.youtube.com/watch?v=mh7oTjV73fI


Endwall 09/23/2016 (Fri) 01:05:09 [Preview] No. 585 del
Hak 5
Snagging Creds From Locked Machines With a LAN turtle - Hak5 2104 - Duration: 24 minutes.
https://www.youtube.com/watch?v=AVqh5mcFcFU


Tor Endwall 09/26/2016 (Mon) 03:59:00 [Preview] No. 588 del
Tor Project
Tor 0.2.9.3-alpha is released, with important fixes
https://blog.torproject.org/blog/tor-0293-alpha-released-important-fixes
Posted September 23rd, 2016 by nickm
Tor 0.2.9.3-alpha adds improved support for entities that want to make high-performance services available through the Tor .onion mechanism without themselves receiving anonymity as they host those services. It also tries harder to ensure that all steps on a circuit are using the strongest crypto possible, strengthens some TLS properties, and resolves several bugs -- including a pair of crash bugs from the 0.2.8 series. Anybody running an earlier version of 0.2.9.x should upgrade.

Tor 0.2.8.8 is released, with important fixes
https://blog.torproject.org/blog/tor-0288-released-important-fixes
Posted September 23rd, 2016 by nickm
Tor 0.2.8.8 fixes two crash bugs present in previous versions of the 0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users who select public relays as their bridges. You can download the source from the Tor website. Packages should be available over the next week or so.

https://www.torproject.org/dist/tor-0.2.8.8.tar.gz
https://www.torproject.org/dist/tor-0.2.8.8.tar.gz.asc
https://www.torproject.org/dist/tor-0.2.9.3-alpha.tar.gz
https://www.torproject.org/dist/tor-0.2.9.3-alpha.tar.gz.asc


Endwall 10/02/2016 (Sun) 05:32:02 [Preview] No. 591 del
Motherboard
US to Transfer Internet DNS Oversight After GOP Sabotage Effort Fails
Sam Gustin Correspondent * October 1, 2016 // 01:00 PM EST
http://motherboard.vice.com/read/us-to-transfer-internet-dns-oversight-after-gop-sabotage-effort-fails
The United States government moved to relinquish stewardship of key internet technical functions on Saturday, paving the way for a private, international non-profit group to assume oversight of the internet’s core naming directory. Tech policy experts say the historic transfer of US stewardship over the Domain Name System (DNS) to an independent group of global stakeholders will help ensure internet openness and freedom. The transition moved forward after a last-ditch Republican effort to sabotage the handover was rejected by a federal judge late Friday. The oversight transfer, which has been in the works for nearly two decades, is largely clerical in nature, and is unlikely to even be noticed by internet users. But that didn’t stop Republicans like Sen. Ted Cruz of Texas and presidential candidate Donald Trump from using scare-tactics to try to scuttle the plan for political gain. “This is a symbolic, but important step in preserving the stability and openness of the internet, which impacts free speech, our economy and our national security,” Ed Black, President & CEO of the Computer & Communications Industry Association, which represents companies like Google, Amazon, and Facebook, said in an emailed statement. Starting Saturday, stewardship of the Internet Assigned Numbers Authority (IANA) functions, including the DNS, which translates website names like vice.com into numeric internet protocol (IP) addresses, will be fully overseen by a Los Angeles-based nonprofit group of international stakeholders called the Internet Corporation for Assigned Names and Numbers (ICANN). On Wednesday, four Republican state attorneys general sued the Obama administration in Texas federal court in order to block the transition. In their lawsuit, the attorneys general for Arizona, Oklahoma, Nevada and Texas argued that the move would violate US law and imperil US national security—spurious claims that have been debunked by US officials and tech policy experts. 
Late Friday, Galveston, Texas federal judge George Hanks Jr. denied the state attorneys general’s request for an injunction, clearing the way for the transition to move forward. On Saturday morning, the US government allowed its contract with ICANN to expire, which means that ICANN will now assume sole stewardship over key internet naming functions. Sen. Brian Schatz, the Democrat from Hawaii who serves as Ranking Member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet, said he was “glad the court found this lawsuit to be baseless, and appropriately threw it out.” “This decision is another clear sign that efforts from a fringe group to block the IANA transition are misguided and irresponsible,” Sen. Schatz said in a statement. “We can now keep our long-standing and public commitment to the global community to keep the internet open and free.”

Republican arguments suggesting that the transition will undermine US interests by leading to a UN takeover of the internet are baseless, according to tech policy experts. In fact, the transition will help promote internet freedom by distributing stewardship of the global internet’s technical functions to a broad, international coalition of public and private stakeholders, ensuring that no single nation can undermine the key functions for everyone else. For more than a decade, ICANN managed the IANA functions under a contract with the Commerce Department’s National Telecommunications and Information Administration (NTIA). But the US has long made clear that it intended to relinquish its oversight of the DNS functions in order to facilitate “international participation” in internet governance.

Leading civil society and public interest groups supported the transition, including the Internet Society, Access Now, Public Knowledge, the Center for Democracy & Technology, and New America Foundation’s Open Technology Institute. These groups argued that the transition to a multi-stakeholder model will help prevent any one nation from exercising direct government control over the internet. For the last several weeks, Cruz and other Republicans, including Donald Trump, have been pushing false claims that the US is surrendering “control” of the internet to the UN, or perhaps more ominously, to “enemies” like Iran or China. Most tech policy experts reject those assertions because the internet is a decentralized, global “network of networks” that no single government can control. Authoritarian countries like Iran and China can and do censor the internet for their own citizens, but they have no power to exert similar repression over US consumers—and that won’t change after the governance transition, experts say. “No one country or entity controls the internet,” Assistant US Commerce Secretary and NTIA Chief Larry Strickling, who is overseeing the transition for the US government, testified before Congress last month. “The internet is a network of networks that operates with the cooperation of stakeholders around the world.” Lauren Weinstein, a veteran tech policy expert who was involved in developing the ARPANET, the precursor to the internet, blasted the last-minute efforts by Republicans to sow fear about the transition for political gain. “Anyone hearing the bizarre, false, politicized, last-ditch rants of the politicians who tried to block the transition could be excused for waking up Saturday morning and being stunned to discover that the transition took place as scheduled, and yet there was no related internet Armageddon,” Weinstein told Motherboard. “Nor will there be.”


Endwall 10/02/2016 (Sun) 06:43:19 [Preview] No. 592 del
Hak 5
InfoSec Journalist Censored by DDoS - Threat Wire - Duration: 6 minutes, 14 seconds.
https://www.youtube.com/watch?v=PoxTdsWlvxU


Endwall 10/05/2016 (Wed) 06:30:32 [Preview] No. 595 del
DeepDotWeb
Brian Krebs Attacked By Hackers: Largest DDoS Attack Against A Security Blogger
https://www.deepdotweb.com/2016/10/03/brian-krebs-attacked-hackers-largest-ddos-attack-security-blogger/
Posted by: Benjamin Vitáris October 3, 2016
Brian Krebs, a top security blogger who writes the Krebs on Security blog, was recently hit by a massive DDoS attack. A giant botnet made up of things connected to the internet, such as lightbulbs, cameras, and thermostats, launched the largest DDoS attack ever delivered with the use of IoT (internet of things) devices. The attack was so big that Akamai, the CDN (content delivery network) and cloud service provider of Krebs, canceled the security blogger’s account. The reason for the cancellation was not that Akamai couldn’t mitigate the attack, but that it used so many resources for protection that it became rather expensive, according to Andy Ellis, the firm’s Chief Security Officer. The delivery network stopped protecting the Krebs on Security blog after 665 Gbps of traffic overwhelmed the security expert’s site on Tuesday. The attack was almost double the size of anything Akamai had seen before. Ellis says it will take time to analyze and come up with more effective mitigation tools for this IoT botnet.

The Akamai CSO added that the attack was similar to the 2010 attacks of Anonymous, where they used the open source Low Orbit Ion Cannon tool, or to the 2014 DDoS attacks launched from compromised Joomla and WordPress servers. According to Ellis, this is a lesson for companies to have a better system against DDoS attacks. The Krebs on Security attack is the work of a botnet made up of IoT devices, Ellis says. So many devices were used in the breach that the hacker didn’t even have to amplify the impact of the individual devices. “We’re still trying to size it,” Ellis said, estimating the number of IoT devices used in the attack at a million. “We think that might be an overestimate but it’s also possible that will be a real estimate once we get into the numbers.” According to Dave Lewis, a global security advocate for Akamai, with estimates of 21 billion IoT devices by 2020, the size of the botnets created for attacks could be massive.

“What if an attacker injects code into devices to create a Fitbit botnet?” Lewis said. “Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds, so the possibility isn’t fantastic. “It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks. There are indicators that there are IoT devices here, at scale.” Ellis says the attack didn’t use any reflection or amplification and it consisted of legitimate HTTP requests. Some things are still unknown, for example who is behind the attack and what method they used to infect the devices. According to Ellis, Akamai had contacted other websites that reported similar, but smaller, attacks from the same botnet. Many of the sites were related to gaming, and Krebs wrote about such attacks, so there could be a connection between them.


Endwall 10/05/2016 (Wed) 06:33:05 [Preview] No. 596 del
Soylent News
Systemd Crashing Bug
posted by CoolHand on Tuesday October 04, @08:46PM
http://7rmath4ro2of2a42.onion/article.pl?sid=16/10/04/2258217
mechanicjay writes: Security researcher and SSLMate founder Andrew Ayer has uncovered a bug which will either crash or make systemd unstable (depending on who you talk to) on pretty much every Linux distro. David Strauss posted a highly critical response to Ayer. In true pedantic nerd-fight fashion there is a bit of back and forth between them over the "true" severity of the issue and what not. Nerd fights aside, how you feel about this bug will probably largely depend on how you feel about systemd in general.

The following command, when run as any user, will crash systemd:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system). All of this can be caused by a command that's short enough to fit in a Tweet.

Edit (2016-09-28 21:34): Some people can only reproduce if they wrap the command in a while true loop. Yay non-determinism!

https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet


Endwall 10/05/2016 (Wed) 06:57:28 [Preview] No. 597 del
A zero day flaw in OpenJPEG JPEG 2000 could lead to arbitrary code execution
http://securityaffairs.co/wordpress/51860/hacking/jpeg-2000-zero-day.html
October 2, 2016 By Pierluigi Paganini
Cisco Talos Team disclosed a zero-day flaw affecting the JPEG 2000 image file format parser implemented in the OpenJPEG library.
Security experts at Cisco Talos group have discovered a serious vulnerability (TALOS-2016-0193/CVE-2016-8332) affecting the JPEG 2000 image file format parser implemented in the OpenJPEG library. An attacker could exploit the flaw to trigger heap corruption and execute arbitrary code on the target system. “This particular vulnerability could allow an out-of-bound heap write to occur, resulting in heap corruption and lead to arbitrary code execution. Talos has disclosed this vulnerability responsibly to the library maintainers to ensure a patch is available.” states the security advisory published by Talos. The experts successfully tested the JPEG 2000 image exploit on OpenJpeg openjp2 2.1.1. The security experts have ethically reported the security flaw to the library maintainers to ensure a patch is available.

The flaw has a serious impact because the JPEG 2000 file format is commonly used for embedding images inside PDF documents. In order to exploit the vulnerability, an attacker has to trick victims into opening a file containing a specifically crafted JPEG 2000 image that triggers the flaw. A first attack scenario sees attackers sending an email to the targets; the malicious message will include a PDF document containing a specifically crafted JPEG 2000 image. Attackers could also leverage cloud storage like Google Drive or Dropbox, hosting a specifically crafted JPEG 2000 image there and then sharing the link to the picture. Experts from Talos have also released Snort Rules (40314-40315) that could help experts in detecting attempts to exploit the flaw. Cisco Talos group also announced that additional rules may be released at a future date, informing users that current rules are subject to change pending additional vulnerability information. Below is the timeline of the vulnerability.


Endwall 10/05/2016 (Wed) 06:59:06 [Preview] No. 598 del
DefecTor – Deanonymizing Tor users with the analysis of DNS traffic from Tor exit relays
http://securityaffairs.co/wordpress/51848/deep-web/defector-tor-deanonymizing.html
October 2, 2016 By Pierluigi Paganini
Researchers devised two correlation attacks, dubbed DefecTor, to deanonymize Tor users, also using data from the observation of DNS traffic from Tor exit relays.
Law enforcement and intelligence agencies dedicate significant effort to the fight against illegal activities in the Dark Web, where threat actors operate in a condition of pseudo-anonymity. A group of security researchers at Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attack techniques to deanonymize Tor users. “While the use of Tor constitutes a significant privacy gain over off-the-shelf web browsers, it is no panacea, and the Tor Project is upfront about its limitations. These limitations are not news to the research community. It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries. We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network.” says Philipp Winter, a researcher at Princeton University who was involved in the research.

The techniques were dubbed DefecTor by the researchers; they leverage the observation of the DNS traffic from Tor exit relays, and for this reason the methods could integrate existing attack strategies. “We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.” reads the analysis published by the researchers.

“Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”

The test results obtained with the DefecTor technique are excellent; however, we have to consider that such attacks require significant effort, typically spent by persistent attackers like government bodies. The simulations of the attacks conducted by the researchers allowed them to identify the vast majority of the visitors to unpopular sites. The experts highlighted that Google operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network, a privileged point of observation for attackers. Google is also able to monitor some network traffic that is entering the Tor network; the experts reported as an example the traffic via Google Fiber or via guard relays that are occasionally running in Google’s cloud. “Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains. The experts also remark that