/os/ - Online Security

News, techniques and methods for computer network security.


Welcome to Online Security the place for internet and computer security, privacy and anonymity.
If you have some helpful tips please feel free to share your ideas. Start a new thread, or contribute to an existing thread.


Online Security News Endwall 07/07/2016 (Thu) 06:09:23 [Preview] No. 149
See a news article or CVE bug report on an emerging computer security issue and want to share it? Post below.

I will also post links to Hak5 Threatwire videos.
Edited last time by Endwall on 07/07/2016 (Thu) 16:22:47.

Endwall 08/19/2016 (Fri) 23:32:58 [Preview] No. 340 del
A new LOCKY ransomware campaign targets the healthcare
Aug 19, 2016
Malware researchers at FireEye have spotted a new Locky ransomware campaign mainly targeting the healthcare sector. Security experts from FireEye have spotted a Locky ransomware campaign mainly targeting the healthcare, telecom and transportation industries. Attackers launched a massive phishing campaign to deliver the threat. The campaign hit organizations worldwide, mostly in the US, Japan and South Korea. Threat actors behind this Locky campaign leveraged DOCM-format email attachments to deliver the ransomware instead of JavaScript-based downloaders.

“From our trend analysis, Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems.” reads the report published by FireEye. “These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

The researchers believe crooks are investing in compromising systems to maximize their profits. Another interesting trend reported by FireEye is the pause in the distribution of the Dridex banking Trojan through the same channel. Experts noticed many similarities in the macro code used by attackers in three distinct Locky campaigns running on Aug. 9, Aug. 11 and Aug. 15.

Endwall 08/19/2016 (Fri) 23:38:16 [Preview] No. 341 del
New Snowden Documents Links Shadow Brokers Leak to Official NSA Hacking Tools
Aug 19, 2016 18:30 GMT · By Catalin Cimpanu
This particular exploit was used in Pakistan and Lebanon
The Intercept has published today new Snowden documents that reveal an official connection between NSA cyber-weapons and the malware dumped by The Shadow Brokers. The documents are internal NSA operations manuals that describe how CNE (Computer Network Exploitation) tools must be used. The document, which The Intercept received from Snowden a few years back but never published, describes a hacking system called BADDECISION.

Leaked exploit was part of a bigger hacking system

The BADDECISION system is made up of the FOXACID server, the SECONDDATE exploit, and the BLINDDATE field operations software, among other things. The SECONDDATE exploit is a tool that works at the network level by intercepting web requests and redirecting them to the FOXACID server, where the user is infected with the desired malware. According to procedures described in the operations manual (page 28), NSA employees must use IDs to tag victims sent to the FOXACID server via different exploits. The document reveals that SECONDDATE's ID is ace02468bdf13579. This very same ID was found in 14 different files named SECONDDATE included in the Shadow Brokers leak.

NSA used exploit in Pakistan and Lebanon

Furthermore, other documents revealed that the NSA used a system called BLINDDATE to automate SECONDDATE attacks on Wi-Fi networks in the field. BLINDDATE is a hardware system running custom software that can launch MitM (man-in-the-middle) attacks leveraging SECONDDATE, HAPPY HOUR, NITESTAND, and others. The equipment is used in the field, in range of an enemy's wireless network. BLINDDATE is a laptop with a giant antenna, which can also be mounted on drones, and redirect a Wi-Fi network's web traffic to the NSA FOXACID server. According to Snowden documents leaked in 2013, BLINDDATE was used to spy on Pakistan's National Telecommunications Corporation’s (NTC) VIP Division and on Lebanon's major ISPs.

These campaigns provided the NSA with information on Pakistan’s Green Line communications network, Pakistan's civilian and military leadership, and on Hizballah's Unit 1800 activities. Before The Intercept linked the Shadow Brokers leak with actual NSA cyber-weapons, Kaspersky researchers tied the malware in the group's data dump to tools used by the Equation Group cyber-espionage APT, believed to be linked to the NSA.

Endwall 08/19/2016 (Fri) 23:41:59 [Preview] No. 342 del
Poorly configured DNSSEC servers at root of DDoS attacks
InfoWorld | Aug 19, 2016
Administrators who have configured their domains to use DNSSEC: Good job! But congratulations may be premature if the domain hasn't been correctly set up. Attackers can abuse improperly configured DNSSEC (Domain Name System Security Extensions) domains to launch denial-of-service attacks. The DNS acts as a phone book for the Internet, translating IP addresses into human-readable addresses. However, the wide-open nature of DNS leaves it susceptible to DNS hijacking and DNS cache poisoning attacks to redirect users to a different address than where they intended to go.

DNSSEC is a series of digital signatures intended to protect DNS entries from being modified. Done properly, DNSSEC provides authentication and verification. Done improperly, attackers can loop the domain into a botnet to launch DDoS amplification and reflection attacks, according to the latest research from Neustar, a network security company providing anti-DDoS services. "DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack," said Neustar's Joe Loveless. "If DNSSEC is not properly secured, it can be exploited, weaponized, and ultimately used to create massive DDoS attacks."

In a study of more than 1,300 DNSSEC-protected domains, 80 percent could be used in such an attack, Neustar found. The attacks rely on the fact that the size of the ANY response from a DNSSEC-signed domain is significantly larger than the ANY response from a non-DNSSEC domain because of the accompanying digital signature and key exchange information. The ANY request is larger than a normal server request because it asks the server to provide all information about a domain, including the mail server MX records and IP addresses. Armed with a script and a botnet, attackers can trick nameservers into reflecting DNSSEC responses to the target IP address in a DDoS attack.

A DNSSEC reflection attack could transform an 80-byte query into a 2,313-byte response, capable of knocking networks offline. The biggest response the researchers received from a DNSSEC-protected server was 17,377 bytes. The number of DNS reflection and amplification DDoS attacks abusing DNSSEC-configured domains has been growing. Neustar said the overall number of attacks using multiple vectors, which probe defenses until they succeed, is on the rise, and more than half of these multivector attacks involve reflection attacks. Internet security company Akamai observed a similar pattern, as it found 400 DNS reflection/amplification DDoS attacks abusing a single DNSSEC domain in the fourth quarter of 2015. The domain was used in DDoS attacks against customers in multiple verticals, suggesting the domain had been included in a DDoS-for-hire service. "As with other DNS reflection attacks, malicious actors continue to use open DNS resolvers for their own purpose -- effectively using these resolvers as a shared botnet," Akamai wrote in its quarterly State of the Internet Security report back in February.

The problem isn't with DNSSEC or its functionality, but rather how it's administered and deployed. DNSSEC is the best way to combat DNS hijacking, but the complexity of the signatures increases the possibility of administrators making mistakes. DNS is already susceptible to amplification attacks because there aren't a lot of ways to weed out fake traffic sources. "DNSSEC prevents the manipulation of DNS record responses where a malicious actor could potentially send users to its own site. This extra security offered by DNSSEC comes at a price as attackers can leverage the larger domain sizes for DNS amplification attacks," Akamai said in its report.

To prevent a DNSSEC attack, configure DNSSEC correctly on the domain so that it cannot be used to amplify DNS reflection attacks. That's easier said than done. DNSSEC adoption has been slow, but progress is being made. Administrators should check with their service providers to make sure their digital signatures are valid and test deployments regularly. While blocking DNS traffic from certain domains is certainly an option, it's not one most organizations would be comfortable with, as it could block legitimate users and queries. Neustar recommends DNS providers not respond to ANY requests at all. Other filtering systems to detect abuse -- such as looking for patterns of high activity from specific domains -- should also be in place. Fixing DNSSEC won't end these types of attacks, as there are plenty of other protocols that can be used in amplification and reflection attacks, but it can cut down on the current batch. As long as there are systems generating traffic with spoofed IP addresses and networks allowing such traffic, reflection-amplification DDoS attacks will continue. Efforts to dismantle botnets, and prevent systems from joining botnets in the first place, will put a dent in the number of DDoS attacks. In addition, administrators should make sure they have anti-DDoS mechanisms in place, such as preventing source IP spoofing in a network, closing an open resolver, and rate limiting.
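The post above describes the attack in terms of two numbers (an 80-byte ANY query reflected as a 2,313-byte signed response) and recommends watching for "patterns of high activity". The following is an added example, not code from InfoWorld, Neustar or Akamai: it parses constructed resolver query-log lines in BIND 9 style, flags sources that are sending repeated ANY queries (the spoofed victim, from the reflector's point of view), and computes the amplification factor from the sizes the article quotes. The log field layout is an assumption about your resolver's logging.

```python
"""Spot DNS reflection/amplification abuse in resolver query logs.

Added example for this thread, not code from the InfoWorld article, Neustar or
Akamai.  The log lines are constructed in BIND 9 'queries' channel style; the
exact field layout is an assumption about your resolver's logging.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#(?P<port>\d+)[^:]*: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: one source repeatedly asking ANY for a signed zone with
# EDNS (+E) and the DNSSEC-OK bit (D) set, so the answer carries RRSIG/DNSKEY
# data, plus ordinary lookups from a second client.  Source port 53 is typical
# of a spoofed reflection query aimed at a victim's own resolver.
SAMPLE_LOG = """\
26-Aug-2016 10:00:01.001 client 203.0.113.9#53 (example.org): query: example.org IN ANY +ED (192.0.2.53)
26-Aug-2016 10:00:01.002 client 203.0.113.9#53 (example.org): query: example.org IN ANY +ED (192.0.2.53)
26-Aug-2016 10:00:01.003 client 203.0.113.9#53 (example.org): query: example.org IN ANY +ED (192.0.2.53)
26-Aug-2016 10:00:01.120 client 198.51.100.4#41122 (www.example.net): query: www.example.net IN A +E (192.0.2.53)
26-Aug-2016 10:00:01.250 client 198.51.100.4#41123 (example.net): query: example.net IN MX + (192.0.2.53)
26-Aug-2016 10:00:01.300 client 203.0.113.9#53 (example.org): query: example.org IN ANY +ED (192.0.2.53)
"""


def parse_queries(log_text):
    """Return one dict per parseable query line (ip, port, qname, qtype, flags)."""
    matches = (LOG_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker spends on the query."""
    return response_bytes / query_bytes


def reflection_suspects(records, min_any=3):
    """Sources that sent at least `min_any` ANY queries.  On a reflector these
    'clients' are the spoofed victims the server is being tricked into flooding."""
    counts = Counter(r["ip"] for r in records if r["qtype"] == "ANY")
    return {ip: n for ip, n in counts.items() if n >= min_any}


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    print("suspects:", reflection_suspects(recs))
    # Sizes quoted in the article: 80-byte query, 2,313-byte typical and 17,377-byte largest reply.
    for resp in (2313, 17377):
        print(f"{resp} B reply to an 80 B query = {amplification_factor(80, resp):.1f}x")
```

Run against a real log, the threshold should be a rate (ANY queries per source per second) rather than a raw count; the fixed count here keeps the sample small. The corresponding server-side fixes are the ones the article names: refuse or minimise ANY answers (BIND 9.11+ has a `minimal-any` option), enable response rate limiting, and make sure the resolver is not open to the world.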

Endwall 08/19/2016 (Fri) 23:43:44 [Preview] No. 343 del
Open Sources
New Brazilian Banking Trojan Uses Windows PowerShell Utility
Aug 19, 2016
Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated. The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team, in a Securelist blog on Thursday.

The banking Trojan is being delivered via a phishing campaign where emails masquerade as a receipt from a mobile carrier. A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run. In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said. Those changes in the system are made using a PowerShell script. The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL. “It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script,” Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome.

The malware has no command and control communication. Instead, once the .PIF file is launched, the “powershell.exe” process is spawned and the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” is cued. This is an attempt to bypass PowerShell execution policies, Assolini said. The malware changes the file prefs.js, inserting the malicious proxy change. After being infected by “Trojan-Proxy.PowerShell.Agent.a”, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server. The proxy domains used in the attack use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks, according to Assolini.

According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016. “Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection,” notes a Securelist post from March. That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect. Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.
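Two host artefacts in the post above are cheap to hunt for: a powershell.exe launch with `-ExecutionPolicy Bypass` running a script out of a temp directory, and a Firefox prefs.js rewritten to pin the browser to a manual proxy. The following is an added example, not code from Kaspersky or Securelist. The process-creation lines mimic a flattened Sysmon `Image=... CommandLine=...` event and the prefs.js text is constructed; both formats are assumptions about your own telemetry. The only real command line is the one quoted in the post.

```python
"""Detect PowerShell execution-policy bypass from a temp path and a forced
Firefox proxy in prefs.js.

Added example for this thread, not code from Kaspersky/Securelist.  Event lines
and prefs.js content are constructed; the 'Image=... CommandLine=...' layout is
an assumption about your telemetry (flattened Sysmon-style).
"""
import re

# PowerShell accepts any unambiguous prefix of -ExecutionPolicy, so -ex, -exec
# and -ep all work; match them all.
BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass\b", re.I)
SCRIPT_RE = re.compile(r'-file\s+"?([^"\s]+\.ps1)', re.I)
TEMP_RE = re.compile(r"(%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\)", re.I)

SAMPLE_EVENTS = [  # constructed; the first command line is the one from the post
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -ep bypass -File C:\Scripts\deploy.ps1",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c dir",
]


def suspicious_powershell(command_line):
    """True when the execution policy is bypassed AND the script lives in a temp directory.
    Bypass alone is common in admin tooling; the temp-path script is the discriminator."""
    if not BYPASS_RE.search(command_line):
        return False
    script = SCRIPT_RE.search(command_line)
    return bool(script and TEMP_RE.search(script.group(1)))


def scan_events(events):
    """Return the matching command lines from flattened process-creation events."""
    hits = []
    for event in events:
        m = re.search(r"CommandLine=(.*)$", event)
        if m and suspicious_powershell(m.group(1)):
            hits.append(m.group(1))
    return hits


# Firefox prefs.js lines look like: user_pref("network.proxy.type", 1);
PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[\w.]+)",\s*(.+?)\);')

SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "atualiza-seguro.example-dyndns.invalid");
user_pref("network.proxy.http_port", 80);
user_pref("network.proxy.ssl", "atualiza-seguro.example-dyndns.invalid");
user_pref("network.proxy.ssl_port", 80);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""  # constructed; the hostname is an invalid placeholder, not a real IOC


def proxy_prefs(prefs_text):
    """Map of network.proxy.* prefs with quotes stripped from string values."""
    return {k: v.strip('"') for k, v in PREF_RE.findall(prefs_text)}


def forced_proxy_host(prefs_text, allowed_hosts=frozenset()):
    """Return the manual proxy host if Firefox is pinned to one you did not sanction, else None."""
    prefs = proxy_prefs(prefs_text)
    if prefs.get("network.proxy.type") != "1":      # 1 = manual proxy configuration
        return None
    for key in ("network.proxy.http", "network.proxy.ssl"):
        host = prefs.get(key)
        if host and host not in allowed_hosts:
            return host
    return None


if __name__ == "__main__":
    print("powershell hits:", scan_events(SAMPLE_EVENTS))
    print("forced proxy:", forced_proxy_host(SAMPLE_PREFS_JS))
```

Internet Explorer and Chrome take the system proxy from `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyEnable`/`ProxyServer`), so the same "manual proxy pointing at a host you did not sanction" check belongs there too; a dynamic-DNS hostname in either place is the tell the post describes.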

Endwall 08/19/2016 (Fri) 23:45:05 [Preview] No. 344 del
Massive Cyberattack Aimed at Flooding .Gov Email Inboxes With Subscription Requests
"Massive Email Bombs Target .Gov Addresses," Brian Krebs writes in Krebs on Security: "Over the weekend, unknown assailants launched a massive cyber attack aimed at flooding targeted dot-gov (.gov) email inboxes with subscription requests to thousands of email lists. According to experts, the attack — designed to render the targeted inboxes useless for a period of time — was successful largely thanks to the staggering number of email newsletters that don't take the basic step of validating new signup requests."

Steve Linford, CEO of Spamhaus, further explains: "This incident involved a large number of government addresses belonging to various countries being subscribed to very large numbers of lists in a very short space of time by scripts run by the attacker(s). Most of the lists hit by the attack used COI and therefore only sent confirmation requests and did not subscribe any addresses. The attack undoubtedly also hit lists which used Captcha in addition to COI and thus did not even proceed to COI (those list admins deserve some sort of community ‘hi 5’ award, since one can imagine how hard it is to convince one’s management to implement COI let alone put Captcha in front of it). The issue is the badly-run ‘open’ lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses."

Krebs was also the target of this subscription attack and writes about it based on his first-hand experience: "At approximately 9:00 a.m. ET on Saturday, KrebsOnSecurity’s inbox began filling up with new newsletter subscriptions. The emails came in at a rate of about one new message every 2-3 seconds. By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails. For most of the weekend until I got things under semi-control, my Gmail account was basically useless."

Laura Atkins, in her report on the incident on Monday, said, "this should be a major wakeup call for ESPs and senders." ... "Internet harassment seems to be a bigger and bigger issue. I don’t know if it’s because people are being more open about harassment or if it’s actually more common. In either case, it is the responsibility of networks to minimize the harassment. If your network is a conduit for harassment, you need to do something to stop it."
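Linford's distinction above is between lists that only sent a confirmation request (COI) and "open" lists that subscribed every address a script handed them. The following is an added example, not code from Krebs, Spamhaus, Laura Atkins or any ESP: a signup handler in which the web form can only ever cause one signed, time-limited confirmation token to be mailed, and the address joins the list only when that token comes back. `SECRET`, the list id and the addresses are assumed values for illustration.

```python
"""Confirmed opt-in (COI) for a mailing-list signup handler.

Added example for this thread; not code from Krebs, Spamhaus, Laura Atkins or
any ESP.  A signup request only yields a signed, time-limited confirmation
token; the address is subscribed only when that token is presented back.
SECRET and the list id are assumed values; load a real key from a secret store.
"""
import base64
import hashlib
import hmac
import time

SECRET = b"assumed-server-side-key-rotate-me"   # assumption: replace with a stored secret
TOKEN_TTL = 24 * 3600                             # seconds a confirmation link stays valid


def _sign(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_confirmation_token(address, list_id, now=None):
    """Token to embed in the confirmation e-mail; commits to list, address and issue time."""
    issued = int(time.time() if now is None else now)
    payload = f"{list_id}|{address.strip().lower()}|{issued}"
    return f"{payload}|{_sign(payload)}"


def verify_confirmation_token(token, now=None):
    """Return (list_id, address) for a genuine, unexpired token, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    list_id, address, issued, sig = parts
    payload = f"{list_id}|{address}|{issued}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None                                   # forged or tampered
    current = time.time() if now is None else now
    if not issued.isdigit() or not (0 <= current - int(issued) <= TOKEN_TTL):
        return None                                   # expired, or issued in the future
    return list_id, address


class MailingList:
    """A list that never subscribes anyone on a bare signup request."""

    def __init__(self, list_id):
        self.list_id = list_id
        self.subscribers = set()

    def request_signup(self, address, now=None):
        """Handle the web-form POST: mail ONE confirmation request, add nobody.
        Returns the token that would go in the e-mail, which is all a script ever gets."""
        return make_confirmation_token(address, self.list_id, now)

    def confirm(self, token, now=None):
        """Handle the click on the confirmation link; subscribe only if the token checks out
        and was issued for this list."""
        result = verify_confirmation_token(token, now)
        if result is None or result[0] != self.list_id:
            return False
        self.subscribers.add(result[1])
        return True


if __name__ == "__main__":
    ml = MailingList("newsletter-weekly")
    token = ml.request_signup("Someone@Agency.example")
    print("after signup:", ml.subscribers)       # still empty: nothing sent but one confirmation
    print("confirmed:", ml.confirm(token), ml.subscribers)
```

Even a COI list still sends one confirmation message per signup, which is what filled Krebs's inbox, so the handler above should sit behind a per-IP and per-address rate limit, and, as Linford notes, a CAPTCHA on the form stops the script before any mail leaves at all.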

Endwall 08/21/2016 (Sun) 00:35:34 [Preview] No. 347 del
Lorenzo Franceschi-Bicchierai March 29, 2016 // 07:00 AM EST
More Than 14,000 College Printers in the US Are Open to Hackers
Last week, the notorious hacker and troll Andrew Auernheimer showed just how easy it is to use insecure internet-connected printers to spread hateful racist propaganda. The hacker, also known as Weev, said he used two lines of code to make 20,000 printers, many in colleges and universities, spit out an anti-semitic flyer all over the United States. His exploit quickly made the rounds on social media and local news outlets, showing the staff at American schools that they need to make sure their printers aren’t set up in a way that lets anyone, from anywhere in the world, abuse them.

Days after the first reports of the incident, a few seem to have gotten the message. But as of Monday afternoon, there are still more than 14,000 printers in colleges and universities in the US that are completely open to hackers, according to a search on Shodan, a search engine for internet-connected devices. While this might be seen as good news, it’s probably too little too late. And it’s not like colleges and universities had not been warned before. Almost 10 years ago, security researcher Adrian Crenshaw noted that many printers were programmed to accept any printing job sent over the internet to their port 9100 (the same port Auernheimer exploited). Also, just two years ago, Shawn Merdinger, another security researcher, encouraged universities and colleges to remove their printers from the public internet in a talk at a security conference for higher education institutions. At the time of his talk, Merdinger said there were more than 38,000 vulnerable printers on the internet. “I'm only surprised this hasn't happened sooner,” Merdinger told me in an email. “Printer security is basically a joke...and it's the elephant on the network.”

And if you think all a hacker can do with these open devices is print flyers, think again. As former NSA researcher Dave Aitel noted on Twitter, Auernheimer could have sent an update to the printer’s firmware with a similar command to the one he used last week, bricking the printers.
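The exposure in the post above is a printer that accepts anything sent to TCP 9100. The following is an added example for auditing your own hosts, not Auernheimer's script or anything from the article: it opens the port and sends only the read-only PJL `@PJL INFO ID` request (never a print job, never firmware), so a model string in the reply means anyone on the Internet can drive that printer. A loopback mock printer is included so the check runs offline; it assumes PJL is enabled on the target, and that you scan only hosts you are authorised to test.

```python
"""Audit hosts for unauthenticated raw printing on TCP 9100 (JetDirect/PJL).

Added example for this thread; not Auernheimer's two lines or anything from
the Motherboard article.  Sends only the read-only '@PJL INFO ID' request and
ships a loopback mock printer for an offline self-test.  Assumptions: PJL is
enabled on the target, and you are authorised to scan the hosts you pass in.
"""
import socket
import threading

UEL = b"\x1b%-12345X"                      # PJL Universal Exit Language sequence
PJL_INFO_ID = UEL + b"@PJL INFO ID\r\n" + UEL


def probe_raw9100(host, port=9100, timeout=3.0):
    """None if the port is closed; otherwise whatever the device answered.
    A model string in the reply means unauthenticated jobs will be accepted too."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        sock.settimeout(timeout)
        sock.sendall(PJL_INFO_ID)
        reply = b""
        try:
            while b"\x0c" not in reply:          # PJL INFO replies end with a form feed
                chunk = sock.recv(1024)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass                                # open but silent: still worth a look
    return reply.decode("ascii", errors="replace")


def audit(hosts, port=9100, timeout=3.0):
    """Map host -> probe result for every host in the list."""
    return {h: probe_raw9100(h, port, timeout) for h in hosts}


def start_mock_printer(model=b'"MockJet 9100"'):
    """Loopback listener that answers one PJL INFO ID request like a real printer
    would; returns the ephemeral port it is bound to.  Constructed for the self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(1024)
            if b"@PJL INFO ID" in request:
                conn.sendall(b"@PJL INFO ID\r\n" + model + b"\r\n\x0c")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_loopback_port():
    """Bind-and-release a loopback port so the self-test has a closed port to probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_mock_printer()
    print(audit(["127.0.0.1"], port=port))
```

Anything that answers here from a public address should be moved behind the campus firewall or have port 9100 restricted to the print server; the same open port is what Aitel's firmware-update remark relies on, since most devices take firmware over that channel as well.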

Endwall 08/21/2016 (Sun) 00:43:46 [Preview] No. 348 del
Researcher Grabs VPN Password With Tool From NSA Dump
Joseph Cox August 19, 2016 // 07:00 AM EST

Cisco has already warned customers about two exploits found in the NSA-linked data recently dumped by hackers calling themselves The Shadow Brokers. Now, researchers have uncovered another attack included in the cache, which they claim allows the extraction of VPN passwords from certain Cisco products—meaning hackers could snoop on encrypted traffic. Security researcher Mustafa Al-Bassam first documented the hacking tool, which uses the codename BENIGNCERTAIN, in a blog post published Thursday. He coined the attack “PixPocket” after the hardware the tool targets: Cisco PIX, a popular, albeit now outdated, firewall and VPN appliance. Corporations or government departments might use these devices to allow only authorised users onto their network. Based on his analysis of the code, Al-Bassam writes that the tool works by sending a packet to the target machine that makes it dump some of its memory. Included in that dump is the VPN’s authentication password, which is used to log into the device.

Brian Waters, another security researcher, tested BENIGNCERTAIN on his own hardware and managed to obtain the VPN's password, also known as a preshared key. On Friday, he tweeted a message of the output from his test, which revealed his test password of “password123” among a list of two other possibilities.

I can confirm that BENIGNCERTAIN works against real hardware @XORcat @GossiTheDog @musalbas @marcan42 @msuiche pic.twitter.com/81gAmeHNlL — Brian H₂O's (@int10h) August 19, 2016

“I was able to pop out a VPN password from the ‘outside’ interface. Meaning the one that would be connected to the internet,” Waters told Motherboard in a Twitter message. “To me this is verified,” Al-Bassam told Motherboard in an online chat. “It's proof that in a VPN that uses authentication with preshared keys, the NSA could have remotely sent a packet to that VPN from an outside Internet IP (unlike the other exploits which require internal access), and grabbed the preshared key […] With access to the preshared key, they could decrypt any traffic,” he added. Once they’ve accessed the network, an attacker might then be able to snoop on a target organisation’s traffic and spy on its users.

According to Al-Bassam, the tool references PIX versions 5.2(9) up to 6.3(4). However, Brian Waters said he carried out his test on hardware running the 6.3(5) version, implying that the attack may work on other versions of PIX than those listed in the tool's code. Both Al-Bassam and Maksym Zaitsev, another researcher who has been looking into BENIGNCERTAIN, believe that the attack is likely capable of extracting private encryption keys from VPNs as well, which is another, more robust way of authenticating access. Waters was unable to test that however.

#EquationGroup seems to be capable of extracting #Cryptography keys from #Cisco VPNs, up to 4096 bits RSA pic.twitter.com/0Fy08KdR6a — Maksym Zaitsev (@cryptolok) August 18, 2016

Cisco officially stopped selling PIX products back in 2009. It is unclear if anyone has used this attack in the wild, or who still uses PIX products today. Kevin Beaumont, another researcher who has been digging through The Shadow Brokers dump, claimed that one of the UK government’s biggest IT contractors still uses a PIX VPN. On Thursday, after Al-Bassam had published his analysis, but before Waters had verified the attack, Cisco spokesperson Yvonne Malmgren told Motherboard in an email that the company’s security team “continues the process of investigating all aspects of the exploits that were released, including the one you mention. As noted, if something new is found that our customers need to be aware of and respond to, we will share it through our established disclosure processes.”

Endwall 08/21/2016 (Sun) 01:00:02 [Preview] No. 349 del
Anonymous Created Special DDoS Tool Just for the #OpOlympicHacking Attacks
Aug 20, 2016 21:25 GMT · By Catalin Cimpanu
Tool used to automate attacks against five major targets

Members of the Anonymous hacker collective have created a custom tool that allows them and any person to launch DDoS attacks at five built-in targets. The tool was released to aid the group in its recent hacktivism campaign named #OpOlympicHacking, which started at the beginning of the month, just in time for the Rio Olympic Games. The tool is a Windows executable that launches a window with six buttons, as pictured below this article. The first five buttons are for attacking five built-in targets, while the sixth is for stopping the attacks.

The tool can be used only for #OpOlympicHacking attacks

The five targets are the official Rio 2016 Olympics website, the Brazil 2016 government portal, the Brazil Olympic Committee website, the government portal for the city of Rio de Janeiro, and the website for Brazil's Sports Ministry. These are only a few of the targets Anonymous hackers included in a list they uploaded online when they announced #OpOlympicHacking at the start of the month. The DDoS tool is offered online as a free download called "opolympddos." Softpedia has discovered links to this tool on Twitter. At the time of writing, the links are dead, so we couldn't check and see if the DDoS tool came with other malware built-in. Users should not download and run this tool because (1) they would be carrying out an illegal activity; (2) they would be exposing themselves to possible malware infections.

Users need Tor before using the tool

According to security researchers from RSA, the tool is a mashup of VB, Python, and .NET scripts packaged into a Windows executable. Researchers say that users that install this tool are told to install Tor as well, to hide their real IP. Launching "opolympddos" executes a Layer 7 DoS attack. "This is achieved by creating persistent connections and sending HTTP requests with random data and user-agents," the RSA team explained.

Compared to other Anonymous ops, the #OpOlympicHacking campaign can be considered a success, bringing a lot of attention to its cause via high-profile hacks.

Endwall 08/21/2016 (Sun) 01:02:02 [Preview] No. 350 del
US hacked NTC to spy on Pakistan military, political leadership: Snowden documents

The United States hacked into targets in Pakistan’s National Telecommunications Corporation (NTC) to spy on the country’s political and military leadership, documents released by former National Security Agency contractor Edward Snowden confirm. According to a report by online news site The Intercept, the previously unpublished documents released by Snowden confirm that some of the NSA’s top-secret code has been leaked or hacked. The Intercept’s editors include journalists that worked with Snowden to publicise his notorious 2013 NSA leak revealing the extent of government snooping on private data.

In the latest leak of top-secret documents, Snowden has given The Intercept a classified draft NSA manual on how to implant the SECONDDATE malware – malicious code that is used to monitor or control someone else’s computer, the website said. The draft NSA manual contains instructions to NSA operators telling them to use a specific string of characters associated with the SECONDDATE malware program. According to The New York Times, much of the code was created to peer through the computer firewalls of foreign powers. Such access would enable the NSA to plant malware in rivals’ systems and monitor – or even attack – their networks.

Now, according to The Intercept report, which sheds light on the NSA’s broader surveillance and infection network, SECONDDATE was also used to spy on Pakistan. “There are at least two documented cases of SECONDDATE being used to successfully infect computers overseas: An April 2013 presentation boasts of successful attacks against computer systems in both Pakistan and Lebanon,” said The Intercept report. “In the first, NSA hackers used SECONDDATE to breach ‘targets in Pakistan’s National Telecommunications Corporation’s (NTC) VIP Division,’ which contained documents pertaining to ‘the backbone of Pakistan’s Green Line communications network’ used by ‘civilian and military leadership’,” said the report.

According to the report, SECONDDATE is just one method used by the NSA to hack into target computer systems and networks. Another document in the cache released by Snowden today describes how the NSA used software other than SECONDDATE to repeatedly attack and hack into computer systems in Pakistan.

Endwall 08/21/2016 (Sun) 05:47:00 [Preview] No. 351 del
Linux Terminal 201: Getting Started with Vi - HakTip 0147

Endwall 08/21/2016 (Sun) 09:19:15 [Preview] No. 352 del
Security Affairs
Bitcoins move from the seized SilkRoad wallet to the ShadowBrokers
A security expert noticed strange transactions from the Bitcoin wallet of the SilkRoad (now in the hands of the Feds) to the ShadowBrokers' wallet. I was surfing the Internet searching for interesting data about the ShadowBrokers group that leaked exploits and hacking tools belonging to the NSA Equation Group. I have found a very intriguing analysis by the popular security researcher krypt3ia, who has analyzed the Bitcoin transactions linked to the #ShadowBrokers account. It seems that the account is receiving small amounts of money (about $990.00 a couple of days ago), but the real surprise is that some of the payments are coming from the seized Silk Road bitcoins and account.

Hey, wait a moment, the Silk Road Bitcoin are under the control of the FBI after the seizure of the popular black market. krypt3ia decided to investigate the overall transactions and discovered that the US Marshals Service was also involved in the transfers. “So, is this to say that these coins are still in the coffers of the feds and they are being sent to ShadowBrokers to chum the water here? Maybe get a conversation going? Maybe to get the bitcoins flying so others can trace some taint? Of course once you start to look at that address and the coins in and out there you get some other interesting hits. Suddenly you are seeing US Marshals Service as well being in that loop. Which makes sense after the whole thing went down with the theft of coins and such by rogue agents of the USSS and DEA.” wrote krypt3ia in a blog post. Analyzing the transactions, the expert noticed transactions of 0.001337 BTC to ShadowBrokers.

We are aware that Silk Road coins are in the hands of the US GOV, but someone is sending ShadowBrokers fractions of them. “What if, and you can see this once you start to dig around with Maltego, the coins being paid to the account so far also come from other accounts that are, shall we call them cutout accounts for the government?” added the expert. At this point, the researcher invited readers to analyze transactions involving all the accounts that passed money to Bitcoin wallets used by the Government and that were used to transfer money to the ShadowBrokers. At the time I’m writing, the ShadowBrokers wallet was involved in 41 transactions for a total of 1.738 BTC, and the highest bid is 1.5 bitcoin, or around $850.

Endwall 08/22/2016 (Mon) 05:33:57 [Preview] No. 353 del
ISIS Noobs Share ‘How To Hack’ Tutorials Online
By Gilad Shiloach with Mor Turgeman Aug 19, 2016 at 2:28 PM ET
A member of al-Minbar, an active and influential online forum frequented by ISIS sympathizers, is offering an online course on hacking tools with the aim of teaching supporters how to “hack American and European security sites” and creating a group of cyber soldiers affiliated with the terror organization. But this is likely to be simply the latest in a series hapless attempts by ISIS affiliates to threaten cyber warfare on the West, to little effect. The online course is focused on Kali Linux, an open-source Linux distribution, which is a type of operating system based on Linux, that includes hundreds of penetration-testing programs, which are designed to help identify vulnerabilities in a computer network or app. It is being promoted by a prominent member of the ISIS-sympathetic forum, who goes by the username Ayam Fath Baghdad, which translates to “the days of the conquest of Baghdad.” “As-salamu alaykum, my brothers, the members of al-Minbar, and those who are registered for the course on Kali Linux. Please gather in the section tonight at 9 p.m., Mecca time, in order to take a class,” he on Wednesday night, in Arabic. In a 20-page thread, this user interacts with at least other 25 members in the forum, all of whom express interest in taking the course and becoming hackers affiliated with the terror group. The course is based upon several Arabic-language YouTube tutorials, which have been uploaded by a non-ISIS affiliated account. Online tutorials on Kali Linux use are plentiful and freely available from a variety of online sources. To supplement the YouTube videos, Ayam Fath Baghdad offers advice on the use of the OS. “Kali Linux is known as the ‘go-to’ for black [hat] and white [hat] hackers alike,” Omri Moyal, VP Research at Minerva Labs, an Israeli cybersecurity company, told Vocativ over email. 
“It is widely promoted and educated in underground forums and anonymous chat rooms, and the combination of its pre-installed, ready-to-use, powerful tools make it extremely dangerous in the wrong hands,” he adds. “As we have heard that ISIS are declaring that they will move to operate in the cyber domain, it is very natural that they will go to this tool.” But there’s likely no cause for immediate concern. Moyal analyzed portions of the forum thread, including screenshots uploaded by the “students” and responses by the course’s teacher, and explained that the contents were “very, very basic material,” adding, “I can’t say anything about the teacher but the students are complete noobs.” According to his analysis, the would-be hackers “have problems with the very basic commands and also are not looking for the solution themselves, something a good hacker must be able to learn and do.” Moyal stressed the importance of the sophistication of the hacker themselves over the tools at their disposal, which, like Kali Linux, are typically readily available. He explained that while “the capabilities of Kali Linux are unlimited, it’s a tool box. The question is, ‘What are the skills of the person behind the keyboard?'” One of the methods presented in the course is an SQL injection, which according to Moyal, “has the capabilities of extracting data from those databases. It is commonly used to deface websites and steal credentials.” Moyal explains that similar tool was used by a Saudi hacker to steal thousands of credit card data from a unencrypted online database a few years ago. However, substantial technical know-how and experience is necessary for a hack of this nature. 
The goal of this online course is a grand finale in which students will conduct “join[t] attacks [by] the graduated members” and the group will create an ISIS-sympathetic hacking organization “along the lines of the United Cyber Caliphate (UCC),” referring to an online coalition of four ISIS-sympathetic, so-called hacking groups that was formed in late 2015. At that time, ISIS supporters created a channel on the encrypted-chat app Telegram dedicated to “publishing courses of hacking and programming languages for the supporters of the Caliphate on the Internet.”...

Endwall 08/23/2016 (Tue) 05:53:20 [Preview] No. 361 del
Stolen NSA hacking tools reportedly on sale for $8000
It’s been a rough week for the NSA, to say the least. Last week, a group of hackers collectively known as The Shadow Brokers allegedly stole and released a treasure trove of NSA hacking tools and exploits. What’s more, the group promised to release even more weapons from the NSA’s cyber arsenal for the right price. While the initial leak was met with skepticism, researchers and security experts who examined the leak subsequently confirmed that the leaked exploits were very much real. “It definitely looks like a toolkit used by the NSA,” French computer researcher Matt Suiche said after taking a look at the code. As if that weren’t bad enough, now comes word that The Shadow Brokers may not be the only hackers who hold the keys to the NSA’s cache of advanced hacking tools and exploits. Late on Sunday night, a hacker with the Twitter handle 1x0123 indicated that he was willing to sell the aforementioned hacking tools for $8,000. Speaking to Gizmodo, the hacker also said that he’d be willing to provide screenshots to verify his claims for $1,000. Interestingly, 1x0123 didn’t come to possess these files by hacking the NSA, but allegedly by stealing them from the Shadow Brokers. It’s unclear how the hacker supposedly stole the hacks and he refused to explain beyond saying “traded some exploits for access to a private escrow and stole the tar file.” This could mean a variety of things, but it seems like he’s indicating that he tricked the Shadow Brokers, the group that originally claimed to have accessed the NSA tools, and stole the .tar file containing the exploits. Again, we don’t have a way to confirm this is true but this hacker has hacked and sold his exploits in the past. Notably, 1x0123 is not some fly-by-night Twitter account with no track record to speak of.
On the contrary, 1x0123 is a self-identified “underground researcher” who has been behind a number of big name exploits in the past, including a hack of Fidelity National Information Services. It’s also worth noting that famed NSA whistleblower Edward Snowden gave 1x0123 some praise on Twitter just a few months ago.

Endwall 08/23/2016 (Tue) 08:37:56 [Preview] No. 362 del
Hacker's claims met with flat denials and skepticism by most of the security industry
Steve Ragan — Senior Staff Writer, CSO
CSO | Aug 19, 2016 7:33 PM PT
On Friday, messages posted to Pastebin and Tumblr allege the recently leaked NSA files came from a contractor working a red team engagement for RedSeal, a company that offers a security analytics platform that can assess a given network's resiliency to attack. In addition, the hackers claim the intention was to disclose the tools this year during DEF CON. Salted Hash reached out to the press team at DEF CON, as well as RedSeal. In a statement, RedSeal would only confirm they are an In-Q-Tel portfolio company. The company also denied any knowledge of red team assessments against their products by In-Q-Tel or contractors working with In-Q-Tel. Sources close to DEF CON also say the claims in the published letter aren't real.
At this point, it's best to take the claims posted to Pastebin and Tumblr with a grain of salt. The note and subsequent blog post from "Brother Spartacus" and "13 Johns" says that an individual known as "Dark Lord" – reported to be a skilled hardware engineer – was working an In-Q-Tel contract to assess the security of RedSeal products. This red team engagement used a C&C server as a staging point for the leaked NSA tools. When "Dark Lord" walked off the job, they did so with a copy of the tools that were placed on the C&C server. Given how RedSeal products work, attacking routers and other network devices with the leaked NSA code makes sense if you wanted to prove that RedSeal will detect such incidents. The company has even used the Shadow Broker incident as a means to promote themselves this week. However, there is a split between the claims on the blog and the Pastebin note. The blog claims the test was to harden RedSeal software, while the note says the test was aimed at RedSeal products. It isn't clear how the leaked tools could be used to assess the RedSeal platform directly. Moreover, the Pastebin post claims to be from DEF CON, and says the annual hacker gathering was approached in July with details surrounding the Shadow Brokers leak. The note says that "Brother Spartacus" approached DEF CON with details about the code theft, with the intention to disclose the incident during this year's show. "The individual self reported they had walked off an In-Q-Tel contract with RedSeal. They had took the Malware pack from a CNC server that was set-up to test RedSeal products. The individual was not well versed in software and could not point out any zero day threats. We decided to not push the person forward to public Defcon leaders. (sic)" As mentioned, sources close to DEF CON deny this letter is legitimate. This was suspected early on due to the tone of the message, the description of "Brother Spartacus," as well as the fact that DEF CON is misspelled.
(Normal communications from DEF CON use the proper branding.) At this point, it's clear the Pastebin and Tumblr posts are some sort of hoax. However, there has been a lot of coverage of the Shadow Brokers leak this week, so this is just one more log on the fire. Recap: On Wednesday, Motherboard published a story citing former NSA staffers who feel the leak didn't happen because of a hack. Instead, they feel the incident is the work of a single individual with insider access. Those thoughts somewhat align with the claims posted on Friday, as a contractor would be considered an insider. In addition, security researcher Mustafa Al-Bassam posted a solid examination of the leaked tools and what they do.

Endwall 08/24/2016 (Wed) 02:33:35 [Preview] No. 364 del
Hak 5
NSA Hack Speculation - Threat Wire

Endwall 08/24/2016 (Wed) 02:53:43 [Preview] No. 365 del
Jupiter Broadcasting
Tech Talk Today
Internet for your Things | TTT 257

Endwall 08/24/2016 (Wed) 02:56:01 [Preview] No. 366 del
Former CIA head Michael Hayden on why he won't endorse Trump or Clinton
Apokelypse: Violence, crime, and death connected to Pokemon Go

Endwall 08/24/2016 (Wed) 03:31:08 [Preview] No. 367 del
Feds Investigate Hack of The New York Times, Suspect Russian Operatives Are to Blame
Federal authorities are investigating a series of cyberattacks on The New York Times and other U.S. media organizations, and they believe those web-based assaults were "probably" carried out by the same Russian hackers who recently infiltrated Democratic organizations, a source familiar with the probe told ABC News. The intrusions were discovered in recent months, and it's unclear exactly why the hackers would have targeted news outlets. Journalists, however, routinely interact with countless officials across the U.S. government as part of their jobs. ABC News was unable to determine what other news outlets, aside from The New York Times, were hit. CNN first reported the intrusions and subsequent investigation. The New York Times said its Moscow bureau was targeted, but noted no "internal systems" were breached. "We are constantly monitoring our systems with the latest available intelligence and tools. We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised," the Times said in a statement on Tuesday evening. For months, the FBI has been investigating what appear to be coordinated cyberattacks on Democratic organizations, with the hacking of the Democratic National Committee being the most damaging so far. Not only did the hack apparently allow cyber operatives to steal opposition research on Republican nominee Donald Trump, but many suspect it led to the theft of internal messages that showed efforts by DNC officials to undermine Democratic presidential candidate Bernie Sanders during the primary season. After those damaging emails were publicly released by WikiLeaks, Florida Rep. Debbie Wasserman Schultz stepped down as DNC chairwoman. The FBI declined to comment for this article. Asked last month whether Russia might have intentions to undermine the U.S.
political process, James Clapper, the nation’s top intelligence official, said Russian officials “believe we’re trying to influence political developments in Russia, we’re trying to affect change, and so their natural response is to retaliate and do unto us as they think we've done to them." Speaking at the annual Aspen Security Forum in Aspen, Colorado, Clapper said Russian President Vladimir Putin is "paranoid" about the potential for revolutions in Russia, "and of course they see a U.S. conspiracy behind every bush, and ascribe far more impact than we’re actually guilty of." Referring to cyber warfare, Clapper said it is not "terribly different than what went on during the heyday of the Cold War," just with different tools and "a different modality." And, he said, the U.S. intelligence community is now "at war" with Russia, conducting operations every hour of every day against Russia and other adversaries. Nevertheless, Clapper said he's "taken aback a bit by ... the hyperventilation over" the hack of the DNC, adding in a sarcastic tone, "I'm shocked somebody did some hacking. That’s never happened before." The American people "just need to accept" that cyber threats and computer-based attacks are a major long-term challenge facing the United States, and he said Americans should "not be quite so excitable when we have yet another instance of it."

#YcYLSH 08/24/2016 (Wed) 03:39:42 [Preview] No. 368 del
Is Snowden dead?

Also, you should look at jimstone.is occasionally.

Endwall 08/24/2016 (Wed) 03:40:25 [Preview] No. 369 del
Linux.Rex.1, a new Linux Trojan that creates a P2P Botnet
23. August 2016
Security researchers discovered a new Linux Trojan dubbed Linux.Rex.1 that is capable of self-spreading and creating a peer-to-peer botnet. A newly observed Linux Trojan is capable of self-spreading through infected websites and can recruit the infected machines into a peer-to-peer (P2P) botnet, Doctor Web researchers warn. Security researchers from the firm Dr. Web have discovered […]

Endwall 08/24/2016 (Wed) 03:42:03 [Preview] No. 370 del
France, Germany push for access to encrypted messages after wave of terror attacks
By Zack Whittaker for Zero Day | August 23, 2016 -- 21:12 GMT (22:12 BST)
France and Germany are to ask the EU for new powers that could see state intelligence agencies compel makers of mobile messaging services to turn over encrypted content. The two member states have both suffered numerous terrorist attacks in the past year and a half, with hundreds killed by the so-called Islamic State group, but argue that their intelligence agencies are struggling to intercept messages from criminals and suspected terrorists. Many mobile messaging providers, like WhatsApp, Apple's iMessage, and Telegram, all provide end-to-end encrypted messaging to thwart spying by both hackers and governments alike. Many other sites and services -- including Facebook -- have followed suit by pushing for strong encryption to ensure government spies can't access a person's messages. Reuters reported Tuesday that French interior minister Bernard Cazeneuve wants the European Commission to draft a law that would oblige companies to turn over data. "It's a central issue in the fight against terrorism," Cazeneuve told reporters last week. "Exchanges carried out via applications like Telegram must be identified and used in the course of judicial proceedings," he added. But Cazeneuve's initiative, echoing similar US and British efforts to install "backdoors" in encryption for governments and law enforcement agencies, effectively undermining its very point, has long been criticized by privacy and security experts, who argue that there's no feasible way to guarantee that hackers won't be able to exploit the same access. The request for a review falls just short of calls for an all-out ban. Earlier this year, one prominent French politician called for fines and a ban on services that are unable to turn over encrypted communications. The European Commission said it "welcomed" the initiatives between the two countries, but said that data protection laws are already under review.
But the executive body may face internal pressure to dismiss the idea of undermining the effectiveness of encryption. Only a few weeks ago, the European data protection supervisor said that nation states should be forbidden from trying to decrypt encrypted communications, or install backdoors. In a report, the supervisor said that end-to-end encryption should be "encouraged, and when necessary, mandated." European authorities have been particularly aggrieved by reports of mass surveillance by the US government, which were brought to light three years ago by the Edward Snowden files. The transatlantic pact that allowed the free flow of data between the two continents was later suspended by a top European court in the wake of the disclosures. A new pact was agreed upon earlier this year.

Endwall 08/24/2016 (Wed) 03:44:19 [Preview] No. 371 del
Russian hackers suspected in hack of New York Times, others
Newspaper says its Moscow bureau was the target of a cybersecurity breach but that there's no evidence hackers were successful. by Steven Musil @stevenmusil August 23, 2016 4:44 PM PDT
Russian hackers are suspected of being behind a cyberattack on The New York Times and other media outlets. The FBI suspects cybersecurity breaches targeting reporters at The New York Times and other news agencies were carried out by hackers working for Russian intelligence, CNN reported Monday. "Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said," according to CNN. In a follow-up report, The New York Times reported late Monday that its Moscow bureau was the target of an attempted cyberattack earlier this month. The Times did not immediately respond to a request for comment but said in its report that there was no evidence hackers succeeded in penetrating the newspaper's cyberdefenses. "We are constantly monitoring our systems with the latest available intelligence and tools," Eileen Murphy, a spokeswoman for the Times, said in the report. "We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised." Neither the FBI nor the Russian embassy immediately responded to a request for comment. News of the hack attempt comes amid allegations that hackers working for the Russian government broke into the Democratic National Committee's computer network, gaining access to emails and chat transcripts, as well as opposition research on Republican presidential candidate Donald Trump. US-based news agencies have become popular targets for hack attempts in recent years. In 2013, The Washington Post reported that its servers had been breached for the second time in three years, giving hackers access to employee usernames and passwords.

Anonymous 08/24/2016 (Wed) 05:09:22 [Preview] No. 373 del
<!DOCTYPE html> <!-- HHHHHH →→HHHH HHHHHH →→→→HH HHHHHH →→→→→→→ →→→→→→→→→→→→→→→→→→→→→→ Git out the vote! →→→→→→→→→→→→→→→→→→→→→→→→ Join the only 18 month, nationally televised hackathon. →→→→→→→→→→→→→→→→→→→→→→ https://boards.greenhouse.io/hillaryforamerica HHHHHH →→→→→→→ HHHHHH →→→→HH HHHHHH →→HHHH --> <html lang="en"> <head>

Endwall 08/24/2016 (Wed) 05:30:33 [Preview] No. 374 del
I briefly looked into this. He's most probably still alive from what I've seen. He's been tweeting non stop for the last couple of days.


Recent Videos:
It's only getting better

The evidence for dead was very weak, the evidence for alive is very strong. We'll know for sure at his next teleconference.

Endwall 08/24/2016 (Wed) 17:36:39 [Preview] No. 378 del
Daily Mail
Sickening hack attack on Leslie Jones: Hacker steals nude photos of SNL star and posts them on her website with racist memes and copies of her driving license
* A hacker posted nude photos and personal information on Leslie Jones' website on Wednesday
* The website was taken down just after noon ET
* The SNL star has yet to issue a public statement on the hack
* Jones became the target for racist online trolling earlier this year
By Ashley Collman For Dailymail.com Published: 15:57 GMT, 24 August 2016 | Updated: 17:23 GMT, 24 August 2016
SNL comedian Leslie Jones has had her personal website hacked.  Nude photos of the actress were posted on her website Wednesday morning, alongside copies of her driver's license and passport. The hacker also posted a video in tribute to the gorilla Harambe, a racist dig at African-American Jones.
Also released in the attack were several selfies of Jones with famous celebrities including Rihanna, Kanye West, Kim Kardashian and 50 Cent. TMZ reports that the hacker accessed the personal photos and information by hacking Jones' Cloud storage or iPhone. Shortly after noon ET on Wednesday, JustLeslie.com was taken down by hosting website Tumblr. Jones has yet to publicly comment on the hack.... The 48-year-old funny woman has been the target of racist online trolling ever since the new Ghostbusters reboot came out earlier this summer. Twitter went so far as to ban one of Jones' trolls, as well as delete some of the nastier comments made about her on the website when she complained last month. Internet trolls didn't like it when Jones complained about fashion designers refusing to work with her on a dress for the Ghostbusters premiere earlier this summer. The company's CEO Jack Dorsey explained that they don't ban people 'for expressing their thoughts' but that 'targeted abuse and inciting abuse against people' is not allowed. In an interview about the internet abuse on Late Night with Seth Meyers, Jones said: 'What's scary about the whole thing is that the insults didn't hurt me. Unfortunately I'm used to the insults. But what scared me was the injustice of a gang of people jumping against you for such a sick cause.' In the lead up to Ghostbusters' release, Jones complained that several fashion designers had refused to make a dress for her for the film's premiere. 'It’s so funny how there are no designers wanting to help me with a premiere dress for movie,' she tweeted on June 28. 'Hmmmm that will change and I remember everything.'
After the drama made headlines, designer Christian Siriano created a custom red gown for Jones.

Endwall 08/24/2016 (Wed) 17:46:23 [Preview] No. 379 del
Security Affairs
The Equation Group’s exploit ExtraBacon works on newer Cisco ASA
August 24, 2016 By Pierluigi Paganini
Security experts have improved the ExtraBacon exploit included in the NSA Equation Group arsenal to hack newer versions of the Cisco ASA appliance. The data dump leaked online by ShadowBrokers is a treasure for security experts and hackers that are analyzing every tool it contains. Cisco and Fortinet have confirmed their network appliances are vulnerable to the exploits listed in the leaked dump. Recently security researchers tested the BENIGNCERTAIN tool included in the precious archive belonging to the NSA Equation Group that allows attackers to extract VPN passwords from certain Cisco devices. Now the Hungary-based security consultancy SilentSignal has focused its analysis on another exploit that could be used against the newer models of Cisco’s Adaptive Security Appliance (ASA). We successfully ported EXTRABACON to ASA 9.2(4) #ShadowBrokers #Cisco pic.twitter.com/UPG6yq9Km2 — SilentSignal (@SilentSignalHU) 23 August 2016 The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought. Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes and has now been expanded to 9.2.(4). An attacker who has already gained a foothold in a targeted network could use the zero-day exploit to take full control of a firewall. In an e-mail sent to ArsTechnica, SilentSignal researcher Balint Varga-Perke wrote: “We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions.
Turns out it is very easy, that implies two things:
* The leaked code is not as poor quality as some might suggest
* The lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy”
Experts from the IT vendor Juniper also confirmed that one of the exploits in the Equation Group archive could be used to hack the Juniper NetScreen firewalls; they also confirmed that they are conducting further investigation on the exploit. The tools codenamed FEEDTROUGH and ZESTYLEAK could be used by attackers to target Juniper Netscreen firewalls; the company is investigating their efficiency. “As part of our analysis of these (Equation Group) files, we identified an attack against NetScreen devices running ScreenOS,” explained the company incident response director Derrick Scholl. “We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.” “We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

Endwall 08/24/2016 (Wed) 17:49:43 [Preview] No. 380 del
Tech Week Europe
Security Researchers Discover First Twitter-Controlled Botnet
Ben Sullivan, August 24, 2016, 4:21 pm
Twitoor, uncovered by ESET, can plague Android devices with malicious malware. The first ever Twitter-controlled botnet has been discovered by security experts at ESET, who claim the backdoor is downloading malware onto infected Android devices. Twitoor is a backdoor that is able to install dodgy malware and has been active for around a month, said ESET. While the app isn’t listed on the official Android app store, it spreads to users by SMS and malicious URLs, impersonating porn players or MMS applications. ESET said that on launch, the app masks its presence and checks the phone’s Twitter account for commands from a control server, acting as part of a botnet. When commands are received, it can download more malicious apps. “Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” said Lukáš Štefanko, the ESET malware researcher who discovered the malicious app. As malware that takes down devices to form botnets needs to receive instructions, that communication channel is vital to their survival, said ESET. And to make the Twitoor botnet’s communication more resilient, botnet designers encrypted their messages and used innovative means for communication, among them the use of social networks, said ESET. “These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” said Štefanko. Other non-traditional means of controlling Android bots have already been found in blogs or cloud messaging systems, said ESET, but Twitoor is the first Twitter-based bot malware, according to Štefanko. “In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks”, states ESET’s researcher. Twitoor has been found downloading versions of mobile banking malware.
However, the botnet operators can start distributing other malware, including ransomware, at any time, warned Štefanko. “Twitoor serves as another example of how cybercriminals keep on innovating their business,” Štefanko continues. “The takeaway? Internet users should keep on securing their activities with good security solutions for both computers and mobile devices.”

Endwall 08/24/2016 (Wed) 23:58:54 [Preview] No. 381 del
HTTPS and OpenVPN face new attack that can decrypt secret cookies
Ars Technica, Aug. 24, 2016 Dan Goodin - Aug 24, 2016 3:45 pm UTC Researchers have devised a new attack that can decrypt secret session cookies from about 1 percent of the Internet's HTTPS traffic and could affect about 600 of the Internet's most visited sites, including nasdaq.com, walmart.com, match.com, and ebay.in. The attack isn't particularly easy to carry out because it requires an attacker to have the ability to monitor traffic passing between the end user and one of the vulnerable websites and to also control JavaScript on a webpage loaded by the user's browser. The latter must be done either by actively manipulating an HTTP response on the wire or by hosting a malicious website that the user is tricked into visiting. The JavaScript then spends the next 38 hours collecting about 785GB worth of data to decrypt the cookie, which allows the attacker to log into the visitor's account from another browser. A related attack against OpenVPN requires 18 hours and 705GB of data to recover a 16-byte authentication token. Despite the difficulty in carrying out the attack, the researchers said it works in their laboratory and should be taken seriously. They are calling on developers to stop using legacy 64-bit block-ciphers. For transport layer security, the protocol websites use to create encrypted HTTPS connections, that means disabling the Triple DES symmetric key cipher, while for OpenVPN it requires retiring a symmetric key cipher known as Blowfish. Ciphers with larger block sizes, such as AES, are immune to the attack. "It is well-known in the cryptographic community that a short block size makes a block cipher vulnerable to birthday attacks, even if the[re] are no cryptographic attacks against the block cipher itself," the researchers wrote in a blog post explaining the attacks.
"We observe that such attacks have now become practical for the common usage of 64-bit block ciphers in popular protocols like TLS and OpenVPN." A birthday attack is a type of cryptographic exploit that is based on the mathematical principle known as the birthday paradox. It holds that in a room of 23 randomly selected people, there is a 50-percent chance two of them will share the same birthday, and there's a 99.9 percent chance when the number is increased to 70 people. The same principle can be used by cryptographers to find so-called collisions, in which the output of two chunks of encrypted text is the same. Collisions, in turn, easily return the plaintext. By collecting hundreds of gigabytes worth of HTTPS or VPN data and carefully analyzing it, the attackers are able to recover the sensitive cookie. In response to the new attack, which the researchers have dubbed Sweet32, OpenVPN developers on Tuesday released a new version of the program that actively discourages the use of 64-bit ciphers. OpenSSL maintainers, meanwhile, said in a blog post that they plan to disable Triple DES in version 1.1.0, which they expect to release on Thursday. In versions 1.0.2 and 1.0.1, they downgraded Triple DES from the "high" to "medium," a change that increases the chances that safer ciphers are used to encrypt data traveling between servers and end users. The precise cipher choice is made dynamically and is based on a menu of options supported by both parties. While stripping Triple DES out of all versions would be the safest course, it also would leave some people unable to browse certain HTTPS sites altogether. "When you have a large installed base, it is hard to move forward in a way that will please everyone," Rich Salz, a senior architect at Akamai Technologies and a member of the OpenSSL developer team, wrote. "Leaving triple-DES in 'DEFAULT' for 1.0.x and removing it from 1.1.0 is admittedly a compromise. 
We hope the changes above make sense, and even if you disagree and you run a server, you can explicitly protect your users through configuration." Browser makers are also in the process of making changes that prioritize safer ciphers over Triple DES. The Sweet32 attack will be presented in October at the 23rd ACM Conference on Computer and Communications Security. While the time and data-collection requirements present a significant barrier, it works as described on sites that support Triple DES and allow long-lived HTTPS connections. As of May, about 600 websites in the Alexa 100,000 were identified, including those mentioned at the beginning of this article. Karthikeyan Bhargavan and Gaëtan Leurent—the researchers behind Sweet32—estimate that about 1 percent of the Internet's HTTPS traffic is vulnerable. OpenSSL team member Viktor Dukhovni summed things up well in an e-mail. "We're not making a fuss about the 3DES issue, and rating it 'LOW,'" Dukhovni wrote. "The 3DES issue is of little practical consequence at this time. It is just a matter of good hygiene to start saying goodbye to 3DES."
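The birthday bound behind the Sweet32 story, worked through with the article's own numbers as an added example (this is not code from the article or from the Sweet32 researchers). The 23-person and 70-person birthday figures and the 785GB/705GB volumes are from the text; the collision formula is the standard approximation for random blocks, and treating "GB" as decimal gigabytes is an assumption.

```python
import math


def birthday_probability(people: int) -> float:
    """Exact birthday-paradox probability: chance that at least two of
    `people` share a birthday in a 365-day year (people <= 365)."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (365 - i) / 365
    return 1.0 - p_all_distinct


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Probability that at least two of n_blocks ciphertext blocks collide,
    modelling each block as a uniformly random block_bits-bit value (the
    CBC-mode view behind Sweet32). Uses the standard approximation
    p ~= 1 - exp(-n(n-1) / 2^(b+1)); expm1 keeps tiny values accurate."""
    exponent = n_blocks * (n_blocks - 1) / 2.0 ** (block_bits + 1)
    return -math.expm1(-exponent)


def expected_collisions(n_blocks: int, block_bits: int) -> float:
    """Expected number of colliding block pairs among n_blocks blocks:
    C(n, 2) pairs, each colliding with probability 2^-b."""
    return n_blocks * (n_blocks - 1) / 2 / 2.0 ** block_bits


def blocks_for_probability(block_bits: int, target: float = 0.5) -> int:
    """Number of blocks after which the collision probability reaches
    `target` (the approximation above, inverted)."""
    return math.ceil(math.sqrt(-(2.0 ** (block_bits + 1)) * math.log1p(-target)))


def bytes_for_probability(block_bits: int, target: float = 0.5) -> int:
    """The same threshold expressed as bytes of ciphertext."""
    return blocks_for_probability(block_bits, target) * (block_bits // 8)


def blocks_in(n_bytes: int, block_bits: int) -> int:
    """How many cipher blocks a given ciphertext volume contains."""
    return n_bytes // (block_bits // 8)


GB = 10 ** 9  # assumption: decimal gigabytes, as in the article's "785GB"
HTTPS_VOLUME = 785 * GB    # article: data collected against 3DES in TLS
OPENVPN_VOLUME = 705 * GB  # article: data collected against Blowfish in OpenVPN


def main() -> None:
    print(f"23 people: {birthday_probability(23):.1%}, "
          f"70 people: {birthday_probability(70):.2%}")
    # Why 64-bit blocks are the problem: the 50% collision point is tens of GB
    # for 3DES/Blowfish but far beyond any real session for 128-bit AES.
    for name, bits in (("3DES/Blowfish", 64), ("AES", 128)):
        print(f"{name} ({bits}-bit block): 50% collision chance after "
              f"{bytes_for_probability(bits):.3g} bytes")
    for name, volume in (("HTTPS/3DES", HTTPS_VOLUME), ("OpenVPN/Blowfish", OPENVPN_VOLUME)):
        n = blocks_in(volume, 64)
        print(f"{name}: {volume / GB:.0f}GB = {n:.3g} blocks -> "
              f"p(collision) = {collision_probability(n, 64):.3f}, "
              f"expected colliding pairs ~ {expected_collisions(n, 64):.0f}")
    n_aes = blocks_in(HTTPS_VOLUME, 128)
    print(f"Same 785GB under AES -> p(collision) = {collision_probability(n_aes, 128):.2e}")


if __name__ == "__main__":
    main()
```

The attack needs a collision involving the block that carries the secret, not just any collision, which is why the researchers' data volumes are well past the 50% point rather than at it.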

Endwall 08/25/2016 (Thu) 00:05:42 [Preview] No. 382 del
Military submarine maker springs leak after “hack”—India, Oz hit dive alarm
Jennifer Baker (UK) - Aug 24, 2016 3:21 pm UTC A massive leak of documents on India’s new military submarines from French shipbuilder DCNS is the result of a hack, the country's defence minister said on Wednesday. Manohar Parrikar claimed, according to local reports, that the entire designs of its Scorpene submarines hadn't been disclosed. “First step is to identify if it's related to us, and anyway it's not all 100 percent leak,” he was quoted as saying. The documents were made public by The Australian on Tuesday, which described the breach as an “Edward Snowden-sized leak.” A DCNS spokesperson told Ars: “DCNS has been made aware of articles published in the Australian press related to the leakage of sensitive data about Indian Scorpene. This serious matter is thoroughly investigated by the proper French national authorities for defence security. This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.” Although the 22,000-page cache of documents dates from 2011, it gives very detailed technical information about the combat capability of the Scorpene vessels, which are currently in use in Malaysia and Chile. India signed the £2.6 billion deal for six of the boats in 2005—they are to be built in conjunction with an Indian government-owned Mumbai shipbuilder—and Brazil is due to deploy the vessels in 2018. Such sensitive information in the wrong hands would have huge ramifications for national security in all four countries. “It appears that the source of leak is from overseas and not in India,” Parrikar said, vowing to investigate further. Australia is also very concerned. Earlier this year, DCNS won an AUS$50 billion contract—the country’s largest-ever defence deal—to build a new submarine fleet. The French group saw off bids from Germany’s ThyssenKrupp AG and a Japanese-government consortium of Mitsubishi Heavy Industries and Kawasaki Heavy Industries.
Details about the Australian contract, expected to run into the 2050s, weren't disclosed in the leak. But it has raised concerns about the data security of the defence project. The country's prime minister Malcolm Turnbull said the leak was a reminder of the importance of cyber security, but claimed that Australia, where the 4,500-tonne Shortfin Barracuda submarines will be built, has “high security standards”—an assertion called into question in the recent census debacle. This post originated on Ars Technica UK.

Endwall 08/25/2016 (Thu) 00:13:59 [Preview] No. 383 del
Open Sources
Word Games: What the NSA Means by “Targeted” Surveillance Under Section 702
Aug 24, 2016
We all know that the NSA uses word games to hide and downplay its activities. Words like “collect,” “conversations,” “communications” and even “surveillance” have suffered tortured definitions that create confusion rather than clarity. There’s another one to watch: “targeted” v. “mass” surveillance.

Since 2008, the NSA has seized tens of billions of Internet communications. It uses the Upstream and PRISM programs—which the government claims are authorized under Section 702 of the FISA Amendments Act—to collect hundreds of millions of those communications each year. The scope is breathtaking, including the ongoing seizure and searching of communications flowing through key Internet backbone junctures,[1] the searching of communications held by service providers like Google and Facebook, and, according to the government’s own investigators, the retention of significantly more than 250 million Internet communications per year.[2]

Yet somehow, the NSA and its defenders still try to pass 702 surveillance off as “targeted surveillance,” asserting that it is incorrect when EFF and many others call it “mass surveillance.” Our answer: if “mass surveillance” includes the collection of the content of hundreds of millions of communications annually and the real-time search of billions more, then the PRISM and Upstream programs under Section 702 fully satisfy that definition.

This word game is important because Section 702 is set to expire in December 2017. EFF and our colleagues who banded together to stop the Section 215 telephone records surveillance are gathering our strength for this next step in reining in the NSA. At the same time, the government spin doctors are trying to avoid careful examination by convincing Congress and the American people that this is just “targeted” surveillance and doesn’t impact innocent people.

Section 702 Surveillance: PRISM and Upstream

PRISM and Upstream surveillance are two types of surveillance that the government admits that it conducts under Section 702 of the FISA Amendments Act, passed in 2008. Each kind of surveillance gives the U.S. government access to vast quantities of Internet communications.[3]

Upstream gives the NSA access to communications flowing through the fiber-optic Internet backbone cables within the United States.[4] This happens because the NSA, with the help of telecommunications companies like AT&T, makes wholesale copies of the communications streams passing through certain fiber-optic backbone cables. Upstream is at issue in EFF’s Jewel v. NSA case.

PRISM gives the government access to communications in the possession of third-party Internet service providers, such as Google, Yahoo, or Facebook. Less is known about how PRISM actually works, something Congress should shine some light on between now and December 2017.[5]

Note that those two programs existed prior to 2008—they were just done under a shifting set of legal theories and authorities.[6] EFF has had evidence of the Upstream program from whistleblower Mark Klein since 2006, and we have been suing to stop it ever since...

Endwall 08/25/2016 (Thu) 03:52:44 [Preview] No. 387 del
Deep Dot Web
Police Push For a Law Requiring Canadians to Give Up Their Passwords
Posted by: C. Aliens August 24, 2016
At the organization’s annual news conference on the 16th of August, The Canadian Association of Chiefs of Police (CACP) passed a resolution that calls for a law allowing the police to force people to provide law enforcement with their computer passwords. CTV spoke with RCMP Assistant Commissioner Joe Oliver after the conference where he explained that under current Canadian laws, the police have no way to legally compel users to hand over passwords. The resolution passed by the CACP is part of an effort to allow law enforcement to catch up with the digital age.

“The victims in the digital space are real,” Oliver said. “Canada’s law and policing capabilities must keep pace with the evolution of technology.”

The resolution was intentionally passed during a time when the federal government began a study on cybersecurity to find a way to balance online freedoms with the police’s ability to enforce the law. The study will run until the 15th of October. As pointed out by Motherboard, the CACP posted a report on “the challenges of gathering electronic evidence” as a backboard for the resolution, implying that the decision is influenced by recent events such as Apple’s refusal to unlock an iPhone for the FBI.

Oliver told CTV that since police tensions are being raised around the globe, new measures are being sought out to make their job easier. One example of this is CACP pushing for police to be able to easily obtain information from cellphone carriers, such as names and addresses of subscribers in real-time.

Although the invasive ruling would require permission from a judge before an individual would need to provide law enforcement with his password, advocates for civil liberties have expressed their explicit disapproval. Michael Vonn, policy director for the BC Civil Liberties Association, when questioned by journalists gave a further explanation. “To say this is deeply problematic is to understate the matter,” he said. “We have all kinds of laws that do not compel people to incriminate themselves or even speak.”

Since Canada has laws in place to allow people to keep their privacy through silence and choose not to reveal any information, Vonn says the resolution’s proposed law would not fit in Canada’s legal landscape. It would be “tricky constitutionally,” he added.

A lawyer for the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa questions whether or not the proposal would be constitutional. “It’s rare to force people to help police investigate themselves, and for good reason,” Tamir Israel writes. “It shifts the focus of criminal condemnation away from actual criminal activity and onto compliance. So if an individual legitimately objects to handing over their password, that alone makes them criminal.”

Vonn added that while this is what the Chiefs of Police do, the law should not be in violation of people’s civil liberties.

Endwall 08/25/2016 (Thu) 04:20:21 [Preview] No. 388 del
US intelligence still sorting out NSA hack
August 24, 2016
YORBA LINDA, Calif. (AP) — The U.S. is still probing the extent of a recent cyber leak of what purports to be hacking tools used by the National Security Agency, the nation's top intelligence official said Wednesday.

"We are still sorting this out," James Clapper, director of national intelligence, said at an event at the Nixon Presidential Library and Museum in Yorba Linda, California. "It's still under investigation," Clapper said. "We don't know exactly the full extent — or the understanding — of exactly what happened."

The tool kit consists of malicious software intended to tamper with firewalls, the electronic defenses protecting computer networks. The leak has set the information security world atwitter — and sent major companies rushing to update their defenses. The rogue programs appear to date back to 2013 and have whimsical names like EXTRABACON or POLARSNEEZE. Three of them — JETPLOW, FEEDTROUGH and BANANAGLEE — have previously appeared in an NSA compendium of top secret cyber surveillance tools.

The documents have been leaked by a group calling itself the "Shadow Brokers," although many have floated the possibility of Russian involvement.

CIA Director John Brennan, who appeared with Clapper at the event, called cyber threats the most serious issue facing the nation. "This administration, the intelligence community is focused like a laser on this and I would say the next administration really needs to take this up early on as probably the most important issue they have to grapple with," Brennan said.

Endwall 08/25/2016 (Thu) 04:33:42 [Preview] No. 389 del
France and Germany against encrypted messaging apps
Wednesday, August 24, 2016
France and Germany are pushing for a common rule in Europe for the encrypted messaging apps such as Telegram to help governments in monitoring communications between the extremists.

According to privacy advocates, encryption is essential for online security, especially in banking transactions. Whereas, security experts argue that encrypted apps are increasingly used by extremists to hide their location, coordinate operations and trade weapons and sex slaves.

Interior Minister Bernard Cazeneuve said "French authorities have detained three people this month with "clear attack plans," but police need better tools to eavesdrop on encrypted text conversations utilizing the kinds of powers used to wiretap phones." He and German Interior Minister Thomas de Maiziere are insisting on a ban on encrypted services. However, Cazeneuve said instead of banning the app, they should work with companies to ensure they can't be abused by militants.

In a joint proposal released on Tuesday, "Encrypted communications among terrorists constitute a challenge during investigations. Solutions must be found to enable effective investigation ... while at the same time protecting the digital privacy of citizens by ensuring the availability of strong encryption."

There were no specific solutions, but the leaders want to discuss encryption next month during a summit in Bratislava, Slovakia. On the other hand, Telegram wrote on its website that they blocked terrorist-related public channels but doesn't intervene in private chats.

Anonymous 08/25/2016 (Thu) 07:56:08 [Preview] No. 390 del
DEF CON 24: Warwalking at DEF CON, Semaphor, Mousejack and Keysniffer - Hak5 2026

Endwall 08/25/2016 (Thu) 17:49:32 [Preview] No. 392 del
Australian Broadcasting Corp
Cyber War
By Linton Besser and Poppy Stockell
Monday 29th August 2016

Cyber War: How hackers are threatening everything from your bank account to the nation's secrets.

In a room, deep inside a Las Vegas hotel, the world's best hackers are gathering.

"You have to go into a backroom... there you're going to find about a dozen teams playing against each other, no more than a hundred people. These are really the world's cyber elite." - Artificial Intelligence developer

They're here to compete against each other and they're being watched by cyber warfare agencies the world over, not for prosecution, but for recruitment. They have the skills needed to wage espionage and warfare in the modern age. On Monday night Four Corners takes you into the world of cyber hacking, where the weapon of choice is computer code.

"In WWII we bombed and destroyed the electrical infrastructure of our enemies. Now we have the ability through a cyber attack to just shut the grid down." - Former CIA Director Michael Hayden

Featuring an interview with the former head of the CIA and the NSA, Michael Hayden, he explains how the intelligence business has changed with young hackers parachuted into sensitive operational activities.

"Right ok, take out the power grid... Red Team power is going down, what I want you to look at now, do as much damage as you can." - Australian Cyber Trainer

We take you into the cutting edge facility where Australian soldiers are being trained in the arts of cyber warfare - where their computer skills can be used to shut down a power grid or cut off a city's water supply.

"The Australian Government knows it needs to protect these things... and will continue to strive to stay ahead of whatever the threat environment is." - Australian Govt Cyber Adviser

And will reveal the strategic Australian companies and institutions that have found themselves hacked.

"They're so deep inside our network it's like we had someone sitting over our shoulder for anything we did." - IT manager

It's not just nation states that are in the hacking business, it's also criminals, and as the program demonstrates, it's frighteningly easy to hack our lives. If you have a smart phone, if you use internet banking, if you store your information "in the cloud" then you are at risk.

"Cybercrime poses one of the greatest challenges to law enforcement this century. No longer do we have that individual who carries a firearm and wears a balaclava to disguise their identity. It's a lot more profitable and a lot easier for someone to pick up a laptop, sit in the comfort of their lounge room behind the anonymity of the internet and take the bank for millions of dollars." - Australian Police Officer

Cyber War, reported by Linton Besser and presented by Sarah Ferguson, goes to air on Monday 29th August at 8.30pm EDT. It is replayed on Tuesday 30th August at 10.00am and Wednesday 31st at 11pm. It can also be seen on ABC News 24 on Saturday at 8.00pm AEST, ABC iview and at abc.net.au/4corners.
Edited last time by Endwall on 08/25/2016 (Thu) 18:38:01.

Endwall 08/25/2016 (Thu) 18:23:16 [Preview] No. 393 del
Apple releases iOS 9.3.5 with “an important security update”
Andrew Cunningham Aug 25, 2016 5:21 pm UTC
Just a few weeks after posting iOS 9.3.4 to fix a jailbreaking-related bug, Apple has released iOS 9.3.5 to all supported iPhones and iPads. The update provides an "important security update" and comes just a few weeks before the expected release of iOS 10, which is currently pretty far along in the developer/public beta process.

Apple's security release notes say that three bugs have been fixed, two in the iOS kernel and one in WebKit. The bugs were discovered by Citizen Lab and Lookout, the latter of which posted more information in a blog post. Lookout collectively calls the three zero-day vulnerabilities "Trident," and says that they could allow a victim's personal data to be accessed after opening a link sent in a text message. Trident infects a user's phone "invisibly and silently, such that victims do not know they’ve been compromised." We'll have more information about the vulnerability in a forthcoming article.

The update is available now for everything that runs iOS 9: the iPhone 4S and newer; iPad 2 and newer; all iPad Minis and iPad Pros; and the fifth- and sixth-generation iPod Touches.

Endwall 08/25/2016 (Thu) 18:24:24 [Preview] No. 394 del
E hacking news
Cisco begins patching of leaked shadowbrokers attack
Thursday, August 25, 2016

Enterprise-grade Cisco firewalls began the process of patching a zero-day vulnerability in its Adaptive Security Appliance (ASA) software exposed in the ShadowBrokers data dump. Researchers at Silent Signal in Hungary yesterday tweeted they had ported the EXTRABACON attack to ASA version 9.2(4), which was released a year ago. The firm expanded the attack range of the ExtraBacon Cisco hack hole revealed as part of the Shadow Brokers cache of National Security Agency-linked exploits and tools.

The research after the attack confirmed that the Equation Group exploit for version 8.4(4) of the firewall appliance did indeed provide remote unauthenticated access over SSH or telnet. The attack was included in a 300 MB file download made freely available by the ShadowBrokers that also included exploits, implants and other attacks against Juniper, WatchGuard, Topsec and Fortinet firewalls and networking gear. Researchers confirmed that there was a connection between ShadowBrokers dump and Equation Group exploits.

The exploit was restricted to versions 8.4 (4) and earlier of ASA boxes and has now been expanded to 9.2 (4). Users on affected versions of 7.2, 8.0 and 8.7 are requested to upgrade soon to 9.1.7 (9) or later. Newer versions that are also implicated—9.1 through 9.6—are expected to be updated in the next two days.

“We have started publishing fixes for affected versions, and will continue to publish additional fixes for supported releases as they become available in the coming days,” Cisco’s Omar Santos said on Wednesday (August 24) in an updated advisory.

Cisco and Fortinet have confirmed their kit is affected by exploits listed in data cache which included some 300 files circulated online. The vulnerability lies in the SNMP code in ASA that could allow an attacker to crash the affected system or remotely execute arbitrary code. The attacks can eventually be modified to target any version.

The affected ASA software, Cisco said, runs in a number of its products including Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 4100 Series, Cisco Firepower 9300 ASA Security Module, Cisco Firepower Threat Defense Software, Cisco Firewall Services Module (FWSM), and Cisco Industrial Security Appliance 3000 Cisco PIX Firewalls.

Prior to yesterday’s patches, Cisco had provided its customers with IPS and Snort signatures that detect the vulnerability. The ShadowBrokers data dump happened more than a week ago when the group claimed to have hacked the Equation Group, which is widely believed to be connected to the NSA.

Endwall 08/25/2016 (Thu) 18:26:01 [Preview] No. 395 del
Experts calling for password abolition following Mail.ru breach
By Sead Fadilpašić
Russian internet giant Mail.ru has been hacked once again, and some 25 million accounts associated with forums run by the company have been compromised.

Among the data that was stolen are usernames, passwords (easily crackable, according to CloudLink), email addresses, phone numbers, birthdays and IP addresses. Security firm CloudLink says theft of this kind of data is worrying, especially with IP addresses involved, as hackers could find a person’s real life address.

For the security company, this is yet another proof we need to move away from passwords and into more modern solutions: “Given the severity and regularity of data breaches, it’s clear that passwords are now unsustainable. This latest hack has just added to the long list of large data breaches amongst organisations including Apple, LinkedIn, MySpace, Tumblr and Citrix, yet companies are still risking their client’s security by using passwords,” says Gideon Wilkins, VP of Sales and Marketing at Secure Cloudlink. “The system is flawed and as the appetite for stolen data continues to grow, these breaches will persist unless the IT industry finds a better way of protecting data.”

Wilkins says that it doesn’t even matter how well-crafted the password is. If the company handling it doesn’t encrypt it, everything is pointless.

“The most concerning angle of this breach is the fact that people’s location may have been exposed, which adds a physical risk on top of the digital element. Even if an individual picks a highly complex password to make it ‘strong’, when a website is hacked, and the website doesn’t encrypt passwords then personal details as well as other high-risk data can still be compromised. Even if passwords are stored in an encrypted format, they can still be stolen and the encryption cracked.”

“We have changed the approach and changed the game, the faster a no-password solution is embraced, the less data breaches we will see and the safer user’s data will become,” concludes Wilkins.

Endwall 08/25/2016 (Thu) 18:28:45 [Preview] No. 396 del
Linux at 25: Linus Torvalds on the evolution and future of Linux

By Paul Venezia
The last time I had the occasion to interview Linus Torvalds, it was 2004, and version 2.6 of the Linux kernel had been recently released. I was working on a feature titled “Linux v2.6 scales the enterprise.” The opening sentence was “If commercial Unix vendors weren’t already worried about Linux, they should be now.” How prophetic those words turned out to be.

More than 12 years later -- several lifetimes in the computing world -- Linux can be found in every corner of the tech world. What started as a one-man project now involves thousands of developers. On this, its 25th anniversary, I once again reached out to Torvalds to see whether he had time to answer some questions regarding Linux’s origins and evolution, the pulse of Linux’s current development community, and how he sees operating systems and hardware changing in the future. He graciously agreed.

The following interview offers Torvalds’ take on the future of x86, changes to kernel development, Linux containers, and how shifts in computing and competing OS upgrade models might affect Linux down the line.

Q: Linux’s origins were in low-resource environments, and coding practices were necessarily lean. That’s not the case today in most use cases. How do you think that has affected development practices for the kernel or operating systems in general?

A: I think your premise is incorrect: Linux's origins were definitely not all that low-resource. The 386 was just about the beefiest machine you could buy as a workstation at the time, and while 4MB or 8MB of RAM sounds ridiculously constrained today, and you'd say "necessarily lean," at the time it didn't feel that way at all. So I felt like I had memory and resources to spare even back 25 years ago and not at all constrained by hardware. And hardware kept getting better, so as Linux grew -- and, perhaps more importantly, as the workloads you could use Linux for grew -- we still didn't feel very constrained by hardware resources.
From a development angle, I don't think things have changed all that much. If anything, I think that these days when people are trying to put Linux in some really tiny embedded environments (IoT), we actually have developers today that feel more constrained than kernel developers felt 25 years ago. It sounds odd, since those IoT devices tend to be more powerful than that original 386 I started on, but we've grown (a lot) and people’s expectations have grown, too...
Edited last time by Endwall on 08/25/2016 (Thu) 18:33:16.

Endwall 08/25/2016 (Thu) 18:39:51 [Preview] No. 397 del
All the Ways Your Wi-Fi Router Can Spy on You
City dwellers spend nearly every moment of every day awash in Wi-Fi signals. Homes, streets, businesses and office buildings are constantly blasting wireless signals every which way for the benefit of nearby phones, tablets, laptops, wearables and other connected paraphernalia. When those devices connect to a router, they send requests for information—a weather forecast, the latest sports scores, a news article—and, in turn, receive that data, all over the air.

As it communicates with the devices, the router is also gathering information about how its signals are traveling through the air, and whether they’re being disrupted by obstacles or interference. With that data, the router can make small adjustments to communicate more reliably with the devices it’s connected to. But it can also be used to monitor humans—and in surprisingly detailed ways.

As people move through a space with a Wi-Fi signal, their bodies affect it, absorbing some waves and reflecting others in various directions. By analyzing the exact ways a Wi-Fi signal is altered when a human moves through it, researchers can “see” what someone writes with their finger in the air, identify a particular person by the way they walk, and even read a person’s lips with startling accuracy—in some cases even if a router isn’t in the same room as the person performing the actions.

Several recent experiments have focused on using Wi-Fi signals to identify people, either based on their body shape or the specific way they tend to move. Earlier this month, a group of computer-science researchers at Northwestern Polytechnical University in China posted a paper to an online archive of scientific research, detailing a system that can accurately identify humans as they walk through a door nine times out of 10. The system must first be trained: It has to learn individuals’ body shapes so it can identify them later.

After memorizing body shapes, the system, which the researchers named FreeSense, watches for people walking across its line of sight. If it’s told the next passerby will be one of two people, the system can correctly identify which it is 95 percent of the time. If it’s choosing between six people, it identifies the right one 89 percent of the time. The researchers proposed using their technology in a smart-home setting: If the router senses one person’s entry into a room, it could communicate with other connected devices—lights, appliances, window shades—to customize the room to that person’s preferences.

FreeSense mirrored another Wi-Fi-based identification system a group of researchers from Australia and the U.K. presented at a conference earlier this year. Their system, Wi-Fi ID, focused on gait as a way to identify people from among a small group. It achieved 93 percent accuracy when choosing among two people, and 77 percent when choosing from among six. Eventually, the researchers wrote, the system could become accurate enough it could sound an alarm if an unrecognized intruder entered.

Something in the way? No problem.

A pair of MIT researchers wrote in 2013 they could use a router to detect the number of humans in a room and identify some basic arm gestures, even through a wall. They could tell how many people were in a room from behind a solid wooden door, a 6-inch hollow wall supported by steel beams, or an 8-inch concrete wall—and detect messages drawn in the air from a distance of five meters (but still in another room) with 100 percent accuracy. (Using more precise sensors, the same MIT researchers went on to develop systems that can distinguish between different people standing behind walls, and remotely monitor breathing and heart rates with 99 percent accuracy. President Obama got a glimpse of the latter technology during last year’s White House Demo Day in the form of Emerald, a device geared toward elderly people that can detect physical activity and falls throughout an entire home. The device even tries to predict falls before they happen by monitoring a person’s movement patterns.)

Beyond human identification and general gesture recognition, Wi-Fi signals can be used to discern even the slightest of movements with extreme precision. A system called “WiKey” presented at a conference last year could tell what keys a user was pressing on a keyboard by monitoring minute finger movements. Once trained, WiKey could recognize a sentence as it was typed with 93.5 percent accuracy—all using nothing but a commercially available router and some custom code created by the researchers.

And a group of researchers led by a Berkeley Ph.D. student presented technology at a 2014 conference that could “hear” what people were saying by analyzing the distortions and reflections in Wi-Fi signals created by their moving mouths. The system could determine which words from a list of lip-readable vocabulary were being said with 91 percent accuracy when one person was speaking, and 74 percent accuracy when three people were speaking at the same time.

Many researchers presented their Wi-Fi sensing technology as a way to preserve privacy while still capturing important data. Instead of using cameras to monitor a space—recording and preserving everything that happens in detail—a router-based system could detect movements or actions without intruding too much, they said.

I asked the lead researcher behind WiKey, Kamran Ali, whether his technology could be used to secretly steal sensitive data. Ali said the system only works in controlled environments and with rigorous training. “So, it is not a big privacy concern for now, no worries there,” wrote Ali, a Ph.D. student at Michigan State University, in an email.

But as Wi-Fi “vision” evolves, it may become more adaptable and need less training. And if a hacker is able to gain access to a router and install a WiKey-like software package—or trick a user into connecting to a malicious router—he or she can try to eavesdrop on what’s being typed nearby without the user ever knowing.

Because all of these ideas piggyback on one of the most ubiquitous wireless signals, they’re ripe for wide distribution once they’re refined, without the need for any new or expensive equipment. Routers could soon keep kids and older adults safe, log daily activities, or make a smart home run more smoothly—but, if invaded by a malicious hacker, they could also be turned into incredibly sophisticated hubs for monitoring and surveillance.

Endwall 08/25/2016 (Thu) 18:44:54 [Preview] No. 398 del
Sensor Tech
Open-Source Ransomware Based on Hidden Tear and EDA2 on the Loose
August 25, 2016 by Milena Dimitrova
Open-source ransomware is a real issue which is continuously evolving. Over the past few weeks, researchers have caught three open-source crypto virus strains, based on Hidden Tear and EDA2. What all of the three strains have in common is that they all look for files related to web servers and databases. This could easily mean that the ransomware viruses are specifically
Three Ransomware Strains Based on Open-Source Code Detected in the Wild

Interestingly, Hidden Tear and EDA2 are widely accepted as the first open-source ransomware coded for educational purposes. This idea quickly turned out to be fishy, as it didn’t take long for cyber criminals to exploit the code for malicious operations. As pointed out by TrendMicro researchers: RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs that infect systems when users access a hacked website from Paraguay. Magic ransomware http://sensorstechforum.com/magic-the-open-source-ransomware-that-emerged-from-github/ (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B’s discovery. It’s not hard to guess why open-source ransomware is becoming so popular among crooks: it offers the ease and convenience of not having to be tech-savvy. What is more, before the source code of Hidden Tear and EDA2 was taken down, it was publicly available long enough for cyber criminals to modify it according to their needs.

Not only are cyber criminals using open-source code, but they are also using elements from pop culture. For example, RANSOM_KAOTEAR.A is built on the Hidden Tear code, uses the filename kaoTalk.exe and includes the KakaoTalk icon. KakaoTalk is a popular messaging app in South Korea with 49.1 million active users globally. Another example is the POGOTEAR or PokemonGo ransomware. The ransomware was found in the wild by the malware researcher Michael Gillespie. It is thought that the virus might still be in development or could be tweaked further in the near future, but it looks nasty enough for now. The PokemonGO ransomware places the .locked file extension on each of the encrypted files. After that process is complete, the file هام جدا.txt is placed on the desktop, containing the ransom instructions. The name of the file translates as “very important”.

Let’s not forget FSociety ransomware (RANSOM_CRYPTEAR.SMILA), which is an EDA2-based ransomware “inspired” by the hacker group in Mr. Robot. http://sensorstechforum.com/mr-robot-season-2-hacks-exploits-fsociety-cryptowall/ Fsociety ransomware is based on the EDA2 ransomware project, an open-source ransomware code uploaded online and created by Utku Sen. Since then, many variants of the EDA2 project have popped up, because all it takes is someone who knows coding to take this source code and design their own version of ransomware, just as the Fsociety variant is.

What Else Do KaoTear, POGOTEAR, and Fsociety Ransomware Share?

TrendMicro researchers point out that these three ransomware cases have other striking similarities. They target almost the same file types to encrypt: *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd. As mentioned in the beginning, some of these file extensions (such as XML, PHP, and ASPX) are related to web servers, which points to attacks targeting businesses. Moreover, all three ransomware families search for SQL and MDB files, associated with databases. […] POGOTEAR and FSociety may still be under development. One indicator of this is POGOTEAR’s use of a private IP for its command-and-control (C&C) server. Since it uses a private IP, the information sent stays within the organization’s network. On the other hand, FSociety searches for a folder named ‘test’ in %Desktop%. If the said folder is not found, FSociety does not encrypt any files.

The Dangers of Open-Source, Educational Malware

Open-source ransomware has raised a red flag in the cyber security community. Hidden Tear and EDA2 were both exploited by cyber crooks who used the public source code, modified it and attacked users. Another educational ransomware spotted is ShinoLocker (detected as RANSOM_SHINOLOCK.A). Aside from file encryption, it can also uninstall itself and restore files it has encrypted. The developer created it for simulation purposes. The moral here is that cyber security researchers have to address the possible risks and consequences of developing educational malware. Leaving the source code in the public space, available to anyone, has proven to be a bad idea. Instead, researchers should distribute it only to credible recipients through secure channels. Before releasing anything to the public, researchers need to assess its benefits against the potential threats it can introduce if it goes into the wrong hands, TrendMicro concludes.
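Two of the indicators above, a private C&C address and a folder that must exist before encryption starts, are exactly what an analyst checks when deciding whether a Hidden Tear/EDA2 spin-off is a finished campaign or a work in progress. The script below is an added example for this thread, not code from TrendMicro or from either open-source project: it takes indicators already extracted from a sample (the records at the bottom are constructed; the 192.168.x address, the hostname and the 203.0.113.x address are invented stand-ins) and reports the signals the article uses. One practical caveat it encodes: a kill switch like FSociety’s ‘test’ folder means the sandbox has to create that path, or the run shows no encryption at all.

```python
"""Triage of indicators pulled from a Hidden Tear / EDA2 derived sample.

Added example for this thread, not code from TrendMicro's write-up or from
either open-source project. Input is a dict of indicators an analyst has
already extracted (target extensions, C&C address, any path the sample
requires before it encrypts); output is the set of signals the article
uses to read a sample as business-targeted or still in development.
"""
import ipaddress

# Extension list shared by KaoTear, POGOTEAR and FSociety, as given in the article.
FAMILY_EXTENSIONS = frozenset({
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".jpg", ".png", ".csv", ".sql", ".mdb", ".hwp", ".pdf", ".php",
    ".asp", ".aspx", ".html", ".xml", ".psd",
})
WEB_SERVER_EXTENSIONS = frozenset({".php", ".asp", ".aspx", ".html", ".xml"})
DATABASE_EXTENSIONS = frozenset({".sql", ".mdb"})

# RFC 1918 plus loopback: a C&C inside these ranges never leaves the LAN.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private_c2(host):
    """True when the C&C is a literal RFC 1918 or loopback address.
    Hostnames (and anything unparsable) are treated as routable."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def compare_targets(extensions):
    """Jaccard similarity to the shared family list, and the extensions the
    variant added on top of it (a quick way to spot a re-tuned fork)."""
    sample = {e.lower() for e in extensions}
    union = sample | FAMILY_EXTENSIONS
    similarity = len(sample & FAMILY_EXTENSIONS) / len(union) if union else 1.0
    return round(similarity, 2), sorted(sample - FAMILY_EXTENSIONS)


def triage(sample):
    exts = {e.lower() for e in sample.get("extensions", [])}
    similarity, extra = compare_targets(exts)
    kill_switch = sample.get("kill_switch_path")
    private_c2 = is_private_c2(sample.get("c2", ""))
    return {
        "family_similarity": similarity,
        "extra_extensions": extra,
        "targets_web_servers": bool(exts & WEB_SERVER_EXTENSIONS),
        "targets_databases": bool(exts & DATABASE_EXTENSIONS),
        "private_c2": private_c2,
        "kill_switch_path": kill_switch,
        # The article reads either signal as "still in development". A kill
        # switch also means a sandbox must create that path to see any encryption.
        "likely_in_development": private_c2 or kill_switch is not None,
    }


# Constructed indicator records. The extension list and the 'test' folder come
# from the article; the addresses are invented stand-ins.
SAMPLES = {
    "pogotear_like": {"extensions": sorted(FAMILY_EXTENSIONS), "c2": "192.168.1.10"},
    "fsociety_like": {"extensions": sorted(FAMILY_EXTENSIONS), "c2": "example.invalid",
                      "kill_switch_path": r"%Desktop%\test"},
    "unrelated": {"extensions": [".exe", ".dll"], "c2": "203.0.113.7"},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, triage(record))
```

The private-address check deliberately lists RFC 1918 and loopback rather than using ipaddress’s is_private, which also counts documentation ranges such as 203.0.113.0/24 and would misflag an address that looks external in a report.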

Endwall 08/25/2016 (Thu) 19:19:15 [Preview] No. 399 del
Cisco Updates ASA Software to fix the Equation Group’s EXTRABACON exploit
August 25, 2016 By Pierluigi Paganini
Cisco has started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online. Security firms and IT giants are analyzing the huge archive leaked by the Shadow Brokers crew after the hack of the NSA-linked Equation Group. We reported that some of the exploits included in the archive are effective against Cisco, Fortinet, and Juniper network appliances. For example, the BENIGNCERTAIN tool included in the NSA data dump could be exploited by remote attackers to extract VPN passwords from certain Cisco devices, while EXTRABACON was analyzed by the Hungary-based security consultancy SilentSignal to hack into newer models of Cisco’s Adaptive Security Appliance (ASA). The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a Cisco ASA firewall. The CVE-2016-6366 flaw affects Cisco’s ASA appliances, both firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls.
The EXTRABACON tool leverages a flaw that resides in the Simple Network Management Protocol (SNMP) implementation of the ASA software. “A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by Cisco. “The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.” Cisco promptly analyzed the exploits and released the necessary patches. Network administrators who manage Cisco ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11). The remaining versions will be fixed by the IT giant in the coming days; in the meantime, the company has provided a detailed description of workarounds to implement as a temporary solution. The company will not issue any patch for devices that are no longer supported, including firewall modules and PIX firewalls.
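The advisory text above gives a defender three things to act on: the first fixed release per train, the trains that get no fix and must be upgraded, and the precondition that the attacker needs SNMP reachability plus the community string. As an added example (not Cisco tooling and not from the article), the script below checks a constructed ASA inventory against those facts. Version strings are compared as tuples of their digit groups, so ‘9.1.7(9)’ as written in the article and Cisco’s own ‘9.1(7)9’ notation parse identically; the list of default community strings and the inventory entries are assumptions.

```python
"""Check an ASA inventory against the CVE-2016-6366 fixed releases.

Added example, not Cisco tooling. The fixed releases and the upgrade-only
trains are the ones quoted in the post above; version strings are parsed
by digit groups so both '9.1.7(9)' (as the post writes it) and Cisco's
own '9.1(7)9' notation work. The inventory is constructed.
"""
import re

FIXED_RELEASES = {          # train -> first fixed release, per the post
    (9, 1): (9, 1, 7, 9),
    (9, 5): (9, 5, 3),
    (9, 6): (9, 6, 1, 11),
}
# Trains Cisco said must move to 9.1.7(9) or later rather than being patched in place.
UPGRADE_ONLY_TRAINS = {(7, 2), (8, 0), (8, 1), (8, 2), (8, 3), (8, 4), (8, 5), (8, 6), (8, 7)}
# Community strings commonly shipped as vendor defaults (assumption, not from the post).
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_version(text):
    """'9.1.7(9)', '9.1(7)9' and '9.5(3)' become integer tuples; Python's
    tuple ordering then gives the right answer, e.g. (9,1,7) < (9,1,7,9)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 2:
        raise ValueError(f"not an ASA version: {text!r}")
    return nums


def patch_status(version):
    v = parse_version(version)
    train = v[:2]
    if train in UPGRADE_ONLY_TRAINS:
        return "upgrade-required"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return "no-fix-yet"          # apply Cisco's workarounds until a release ships
    return "fixed" if v >= fixed else "vulnerable"


def exposure(device):
    """Combine patch status with the advisory's precondition: the attacker
    needs to reach SNMP and needs the community string."""
    status = patch_status(device["version"])
    if status == "fixed":
        return status, "none"
    snmp_open = not device.get("snmp_hosts")      # no host restriction: any foothold reaches SNMP
    weak = device.get("community", "").lower() in DEFAULT_COMMUNITIES
    if snmp_open and weak:
        return status, "critical"
    if snmp_open or weak:
        return status, "high"
    return status, "moderate"


def report(inventory):
    return {name: exposure(dev) for name, dev in inventory.items()}


INVENTORY = {   # constructed records
    "edge-fw-1": {"version": "9.1.7(9)", "community": "s3cr3t-ro", "snmp_hosts": ["10.0.0.5"]},
    "edge-fw-2": {"version": "9.1(6)11", "community": "public", "snmp_hosts": []},
    "dc-fw-1":   {"version": "9.5(2)", "community": "nms-ro", "snmp_hosts": ["10.0.0.5"]},
    "branch-fw": {"version": "8.4(7)", "community": "private", "snmp_hosts": []},
    "lab-fw":    {"version": "9.4(3)", "community": "lab-ro", "snmp_hosts": []},
}

if __name__ == "__main__":
    for name, (status, risk) in report(INVENTORY).items():
        print(f"{name:10} {status:17} exposure={risk}")
```

The exposure rating treats an unrestricted SNMP host list as the worst case because, per the advisory, the attacker already has a foothold on the network; limiting SNMP to the management host only narrows which foothold is useful, it does not remove the bug. Trains reported as no-fix-yet should be rechecked against the advisory, since Cisco said the remaining releases were being fixed in the following days.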

Anonymous 08/25/2016 (Thu) 19:23:41 [Preview] No. 400 del
Spying on Canadian Phone Calls and Emails by Canadian SIGINT Agency Has Risen Dramatically
August 25, 2016
Federal spies suddenly intercepting 26 times more Canadian phone calls and communications
Ian MacLeod, Ottawa Citizen, August 24, 2016

OTTAWA — Interception of Canadians’ private communications by the federal electronic spy agency increased 26-fold last year, for reasons authorities won’t fully explain. And despite commitments between Canada and its intelligence-sharing allies to respect the privacy of each nation’s citizens, the volume of information on Canadians collected by allied intelligence agencies and informally shared with Canada’s spies has grown to the point that it now requires a formal mechanism to cope with all the data. At least one intelligence expert is concerned the change sidesteps the spirit of Canadian privacy laws. Details are contained in the latest annual report by the independent, external oversight organization that reviews activities of the Canadian Security Establishment (CSE), Ottawa’s super-secret foreign signals intelligence agency. Quietly tabled in Parliament July 20, the report concludes CSE’s 2015-16 activities were lawful. But the watchdog Office of the Commissioner of the Communications Security Establishment notes CSE intercepted 342 private communications in 2014-15, compared to just 13 for the previous year. By law, CSE can only target communications of foreign entities outside Canada. If one end of that communication is in Canada, making it a “private communication,” it requires a written authorization from the minister of national defence, responsible for the CSE, and only if it is essential for “international affairs, defence or security.” There also must be “satisfactory measures” to protect the privacy of any Canadian citizens, including permanent residents and corporations, inadvertently caught up in the intercept. Otherwise, the CSE is not allowed to target Canadians at home or abroad.
Commissioner Jean-Pierre Plouffe, a retired Quebec superior court judge, reports he is satisfied all the intercepts of Canadians’ communications last year were unintentional, essential to international affairs, defence or security, backed by ministerial authorizations and legal. But Plouffe’s explanation for the 26-fold jump is not so straightforward: “This was a consequence of the technical characteristics of a particular communications technology and of the manner in which private communications are counted,” he writes. Asked to clarify, his office Wednesday declined, saying it is bound by the Security of Information Act and, “to say more could reveal CSE operational capabilities.” CSE, too, declined to elaborate. “To protect our capabilities and ensure that they remain effective, CSE cannot provide any additional information,” agency spokesman Ryan Foreman said in a statement. Bill Robinson, a respected and unofficial CSE watchdog who hosts the Lux Ex Umbra blog site, said: “CSE has tremendous control over what the commissioner can in fact say because of its classification/declassification power. They can reduce it to total gibberish.” Robinson speculates CSE may have targeted social media conversations between individuals and counted each separate message in the string as a private communication. A small number of online conversations could be responsible for the rather large total. More concerning, he said, is the increasing practice of U.S., British, Australian and New Zealand security intelligence agencies who, along with Canada, make up the Five Eyes intelligence-sharing network, giving information collected on Canadians to the Canadian Security Intelligence Service (CSIS), the country’s domestic security intelligence guardians.
Plouffe’s report says prior to February 2015, the process for such allied reporting to CSIS was “manual” and did not involve CSE. But, “to help address the evolving terrorist threat and the increase in the number of foreign fighters, CSIS required a more timely mechanism to securely exchange information. “To this end, CSIS requested CSE assistance … to establish a mechanism for CSIS to receive and handle these reports via CSE’s established channels.” Robinson believes the change is evidence of just how systematic the clandestine collection of Canadians’ information by the allies has become. Authorities used to claim “that ‘we don’t really do that’. And then it was, ‘yeah, but it’s in exceptional cases’, and then it became, ‘well, we’re doing this for terrorism’ (and certain general crimes), so it’s pretty much going to be all the time,” said Robinson. “There’s always been this concern about how much do our careful privacy laws get sidestepped by having allies do this stuff instead, and the answer has always been, ‘we don’t really do that, we have these agreements’ and so on. “We’re seeing how that gets chipped away.”

Endwall 08/25/2016 (Thu) 19:29:45 [Preview] No. 402 del
Business Insider
A hacker claims he has more leaked NSA files to view — If you can solve this puzzle

Paul Szoldra/Business Insider

A hacker named 1x0123 claims he has the other half of the recently-leaked NSA hacking toolkit for sale — but samples of the dataset are only available if you can figure out his cryptographic puzzle. On Sunday, the hacker posted on Twitter that he was selling the entire archive of files for $8,000, seemingly undercutting the mysterious "Shadow Brokers" hacking group that leaked one-half of the archive last week at various file-sharing websites with claims of an "auction" for the rest. It appears that 1x0123 is indeed a hacker who has found and sold security vulnerabilities in the past. Even ex-NSA contractor Edward Snowden praised him in April for finding an issue on the Freedom of the Press website. But it's not clear whether the hacker really has the other half of the NSA archive, nor is it clear where he could have obtained it. It's entirely possible this is an elaborate troll and the encrypted archive 1x0123 is offering contains nothing more than a Rickroll. Still, he's been dropping many hints over the past few days of how to access it. Here's the first hint, which includes an encrypted web address, directory listing, and file name:

#NSAHack pic.twitter.com/xAkvQ7FJ3p — 1x0123 (@1x0123) August 22, 2016

This is what he posted as a screenshot of the supposed directory structure of the files, though it should be noted that these can easily be faked.

#NSA focused on browser exploits to gain access to machines, pic.twitter.com/M4GB62977P — 1x0123 (@1x0123) August 22, 2016

Then on Tuesday, he posted another hint. This time, it was a screenshot of the supposed .onion site — only accessible via the Tor browser — with the full address redacted.

2 people were able to solve the puzzle i posted, NSA exploits dump are ready for download 901028736451 need more ? pic.twitter.com/enZa7sAl5X — 1x0123 (@1x0123) August 24, 2016

There are a few things we can discern from what 1x0123 has revealed so far: the site hosting the files is an .onion link, and the revealed file name, "EQ_exploits_Fullpack.zip" in the screenshot, probably helps in decrypting the letters in the original message. Further, the browser title of "ng crypto" is telling, indicating the software the hacker used to encrypt his message. This hasn't really helped us much in figuring it out, but if you get it, please let us know. After 1x0123 posted his claim, Business Insider reached out to ask for a sample of the data to confirm it was legitimate. Instead, the hacker said the data could not be shared until it's sold, and he added that he does not talk to journalists. Still, we noted that 1x0123 had spoken with Gizmodo reporter William Turton. 1x0123 claimed he did not share anything with Turton since he didn't pay him, and hinted that we could get a sample if we paid around $500 to $1000. We declined. "Money is the key to write an execlusive (sic) article," 1x0123 told Business Insider. If the crypto puzzle game doesn't work out, we'll just have to wait for WikiLeaks to release the rest, which it also claims to have. "We had already obtained the archive of NSA cyber weapons released earlier today," its official Twitter account wrote on Aug. 15. "And will release our own pristine copy in due course."

Endwall 08/25/2016 (Thu) 19:45:07 [Preview] No. 403 del
The National Security Agency has no idea how a rogue hacking group leaked its exploits
A group called The Shadow Brokers leaked NSA exploit kits online on 13 August.
By Jason Murdock August 25, 2016 15:44 BST

The US intelligence community is still attempting to figure out how a hacking group called the Shadow Brokers was able to obtain and leak a slew of NSA computer exploits used to circumvent the security of routers and firewalls, top officials have admitted. "We are still sorting this out," said James Clapper, director of national intelligence, at an event at the Nixon Presidential Library on 24 August. As reported by AP, he added: "It's still under investigation. We don't know exactly the full extent – or the understanding – of exactly what happened." In what amounted to the first official comment on the hack, it's clear the US government is still attempting to find out the true scope of the embarrassing blunder. The leaked toolkits, reportedly from 2013, contained NSA surveillance and infiltration exploits that relied upon previously unknown zero-day vulnerabilities. The Shadow Brokers, the hacking group with suspected ties to Russian intelligence, released the files on 13 August. The group, which claimed to have obtained them from the NSA-linked 'Equation Group', published one file as proof of legitimacy and put the remaining one up for 'auction' for a massive 1m bitcoin – equivalent to over $550m (£416m). Many of the exploits – such as Bananaglee and Zestyleak – were eventually confirmed to be real by previously unreleased Edward Snowden documents published by The Intercept. Following this, multiple US firms – including Cisco, Fortinet and Juniper – were forced to rush out security patches and warnings to their customers. Now, cybersecurity researchers are calling on the NSA and the US government to disclose more information about the troubling leak of tools that were never meant to see the light of day.
"It is now safe to say that the 'Equation Group' leak by Shadow Brokers is real and consists of a genuine trove of NSA tools used to hack firewalls," said Nicholas Weaver, a senior computer security researcher at the International Computer Science Institute in California. "The leaked code references known programs, uses a particularly unusual RC6 and cruddy crypto techniques previously associated with NSA implants," he added, writing on Lawfare. "The whole episode raises a host of oversight questions. How and why did NSA lose 280MB of top secret attack tools, including multiple zero day exploits and un-obfuscated implants?" Weaver said that tough questions now need to be asked of the NSA, including when it became aware of the breach, why it didn't contact the vulnerable technology firms and if it has identified the source of the breach. "Certainly somewhere there's been a substantial screw up," he said. "Congress should not let the agency off the hook, good security systems should make things difficult to fail."
Speaking with IBTimes UK, Douglas Crawford, a cybersecurity expert at BestVPN, a firm that analyses the mounting number of virtual private network products on the market, said it was a concern – but not a surprise – to see the NSA exploiting US technology firms. "The affected companies – Cisco, Juniper and Fortinet, are all high-profile US brands," he said. "That their products were directly targeted by the NSA demonstrates that the security agency has gone rogue, and is acting against the best interests of the country whose job it is to serve." He continued: "The only way for the NSA to help restore confidence in US security products would be to adopt a policy of transparency. "Critically, international encryption standards should be developed as open source projects that can be independently audited, and NIST – which by its own admission works closely with the NSA – certification should be replaced with certification by a transparent and international body of independent experts. Is this likely to happen? The phrase 'snowball's chance in hell' comes to mind." US intelligence officials have said their probe will continue. John Brennan, the director of the CIA, who appeared alongside Clapper at the Nixon Presidential Library event, added that cybersecurity is now viewed as one of the most serious issues facing the US. "This administration, the intelligence community is focused like a laser on this and I would say the next administration really needs to take this up early on as probably the most important issue they have to grapple with," he said.

Endwall 08/25/2016 (Thu) 19:50:21 [Preview] No. 404 del
Keystroke Recognition Uses Wi-Fi Signals To Snoop
by Tom Spring August 25, 2016 , 2:19 pm
A group of academic researchers have figured out how to use off-the-shelf computer equipment and a standard Wi-Fi connection to sniff out keystrokes coming from someone typing on a keyboard nearby. The keystroke recognition technology, called WiKey, isn’t perfect, but is impressive with a reported 97.5 percent accuracy under a controlled environment. WiKey is similar to other types of motion and gesture detection technologies such as Intel’s RealSense. But what makes WiKey unique is that instead of recognizing hand gestures and body movement, it can pick up micro-movements as small as keystrokes.

The research, conducted by Michigan State University and China’s Nanjing University, relies 100 percent on the 802.11n/ac Wi-Fi protocol and uses a TP-Link WR1043ND Wi-Fi router ($43) and a Lenovo X200 laptop ($200). Using the above equipment, researchers were able to use the Wi-Fi signal’s Channel State Information values to detect movements within a given environment. Channel State Information (CSI) has in the past been used to detect macro movements such as the presence of someone in a room, or hand or arm movements. A variation of this technology called WiHear was even developed to detect movements of a mouth, with the ability to detect nearly a dozen different syllables spoken by a test subject. But WiKey takes WiHear lip reading to an entirely new level by detecting finger, hand, and keyboard key movements. The researchers see the WiKey technology as a theoretical attack vector, but they also see WiKey with applications that go beyond attacks. “The techniques proposed in this paper can be used for several HCI (human computer interaction) applications. Examples include zoom-in, zoom-out, scrolling, sliding, and rotating gestures for operating personal computers, gesture recognition for gaming consoles, in-home gesture recognition for operating various household devices, and applications such as writing and drawing in the air,” wrote co-authors of the scientific research (PDF) Kamran Ali, Alex X. Liu, Wei Wang and Muhammad Shahzad. Capturing keystrokes, or micro-movements, isn’t easy. Under a controlled environment, which doesn’t include a lot of movement such as people walking around or multiple people sitting close to one another using a laptop, researchers are able to detect even the slightest variations in wireless channel activity. Along with that data, researchers also factor in a wealth of information including signal strength, where the keyboard is located and what, where and why interference is occurring.
In order to collect micro-movement data using Wi-Fi, researchers use the router’s MIMO channels. MIMO is a wireless term that refers to a router’s ability to use multiple antennas between a sender (router) and receiver (WNIC) that pass more than one data signal simultaneously over the same radio channel. The researchers explain: “Each MIMO channel between each transmit-receive antenna pair of a transmitter and receiver comprises multiple subcarriers. These WiFi devices continuously monitor the state of the wireless channel to effectively perform transmit power allocations and rate adaptations for each individual MIMO stream such that the available capacity of the wireless channel is maximally utilized. These devices quantify the state of the channel in terms of CSI values. The CSI values essentially characterize the Channel Frequency Response for each subcarrier between each transmit-receive antenna pair.” If that didn’t sound challenging enough, next the researchers have to filter out radio noise (frequency changes) and environmental movements not related to typing. Then, even after noise is removed, there are other considerations researchers needed to factor in, such as the time it takes to press a key. By associating values based on the above culling of data, researchers assigned number values to each keystroke based on individual typists.

[Figure: Average values of features extracted from keystrokes of keys a-z collected from users.]

Under the most ideal controlled circumstances, where test subjects were limited to typing only one of a half-dozen different sentences and typing one key every second, the researchers achieved 97.5 percent accuracy. That controlled environment also didn’t include real-world scenarios such as people walking around in the same room and typing on additional laptops. In what researchers call a real-world scenario, WiKey drops to an average keystroke recognition accuracy of 77.5 percent.
“WiKey requires many samples per key from each user which may be difficult to obtain in real life attack scenarios. Still, there exist ways through which an attacker can obtain the training data. For example, an attacker can start an online chat session with a person sitting near him and record CSI values while chatting with him,” researchers wrote. Researchers point out that this level of accuracy might be all that’s needed to sniff out a password typed into a laptop. Other than being used in a potential attack, researchers hope WiKey can have a variety of non-attack applications such as gesture recognition. “We have shown that our technique works in controlled environments (using commodity hardware), and in future we plan to address the problem of mitigating the effects of more harsh wireless environments by building on our micro-gesture extraction and recognition techniques proposed in this paper,” the researchers wrote.
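The pipeline the article describes has four stages: denoise the per-subcarrier CSI amplitudes, cut the stream into keystroke windows, reduce each window to a feature vector, and match it against training samples collected from the same typist. The script below is an added example in that shape, not the authors’ WiKey code: the CSI frames are synthetic (one constructed perturbation pattern per key, a triangular burst envelope and Gaussian noise, so it runs offline), the denoising is a plain moving average and the classifier is nearest-centroid. Real CSI from a router or NIC carries far more noise and the environmental movement the article says drags accuracy down; the point here is to see why the attack needs “many samples per key” and a controlled room.

```python
"""Toy CSI keystroke pipeline in the shape the WiKey paper describes:
denoise per-subcarrier amplitudes, segment keystroke windows, extract a
per-key feature vector, classify against training samples.

Added example, not the authors' code. CSI frames are constructed
(synthetic) so it runs offline; real CSI comes from the NIC/router and
carries far more noise and environmental movement than modelled here.
"""
import random

SUBCARRIERS = 30      # CSI amplitudes for one transmit-receive antenna pair
BASELINE = 1.0        # idle channel amplitude
BURST_FRAMES = 8      # frames a single keystroke perturbs the channel
THRESHOLD = 0.1       # deviation energy above which a frame counts as "typing"


def make_templates(keys, rng):
    """Per-key perturbation across subcarriers (constructed stand-in for the
    channel response each finger position produces)."""
    return {k: [rng.uniform(-0.5, 0.5) for _ in range(SUBCARRIERS)] for k in keys}


def synth_stream(sequence, templates, rng, noise=0.03, gap=6):
    """Idle channel with one triangular-envelope burst per typed key.
    Returns (frames, truth) where truth lists (burst_start, key)."""
    frames, truth = [], []

    def idle():
        return [BASELINE + rng.gauss(0, noise) for _ in range(SUBCARRIERS)]

    for key in sequence:
        frames.extend(idle() for _ in range(gap))
        truth.append((len(frames), key))
        for i in range(BURST_FRAMES):
            env = (i + 1) / BURST_FRAMES if i < BURST_FRAMES // 2 else (BURST_FRAMES - i) / BURST_FRAMES
            frames.append([BASELINE + env * t + rng.gauss(0, noise) for t in templates[key]])
    frames.extend(idle() for _ in range(gap))
    return frames, truth


def smooth(frames, width=3):
    """Moving average per subcarrier: the simplest low-pass denoising step."""
    out = []
    for i in range(len(frames)):
        lo, hi = max(0, i - width // 2), min(len(frames), i + width // 2 + 1)
        out.append([sum(f[s] for f in frames[lo:hi]) / (hi - lo) for s in range(SUBCARRIERS)])
    return out


def energy(frame):
    return sum((a - BASELINE) ** 2 for a in frame)


def segment(frames):
    """Contiguous runs of frames whose deviation energy exceeds THRESHOLD."""
    windows, start = [], None
    for i, f in enumerate(frames):
        active = energy(f) > THRESHOLD
        if active and start is None:
            start = i
        elif not active and start is not None:
            windows.append((start, i))
            start = None
    if start is not None:
        windows.append((start, len(frames)))
    return windows


def feature(frames, window):
    """Mean per-subcarrier deviation from baseline over the window."""
    lo, hi = window
    return [sum(f[s] - BASELINE for f in frames[lo:hi]) / (hi - lo) for s in range(SUBCARRIERS)]


def nearest_label(vec, centroids):
    return min(centroids, key=lambda k: sum((a - b) ** 2 for a, b in zip(vec, centroids[k])))


def train(frames, truth):
    """One centroid per key from labelled windows: the 'many samples per
    key' the paper says an attacker must first collect from the victim."""
    frames = smooth(frames)
    sums, counts = {}, {}
    for w in segment(frames):
        key = min(truth, key=lambda t: abs(t[0] - w[0]))[1]   # label by nearest burst start
        vec = feature(frames, w)
        sums[key] = [a + b for a, b in zip(sums.get(key, [0.0] * SUBCARRIERS), vec)]
        counts[key] = counts.get(key, 0) + 1
    return {k: [a / counts[k] for a in sums[k]] for k in sums}


def recognise(frames, centroids):
    frames = smooth(frames)
    return [nearest_label(feature(frames, w), centroids) for w in segment(frames)]


def demo(seed=7):
    """Train on a repeated alphabet, then recover a constructed 'password'.
    Returns (recovered_keys, accuracy)."""
    rng = random.Random(seed)
    templates = make_templates("abcd", rng)
    centroids = train(*synth_stream("abcd" * 10, templates, rng))
    target = "dabcadb"
    frames, _ = synth_stream(target, templates, rng)
    guess = recognise(frames, centroids)
    acc = sum(g == t for g, t in zip(guess, target)) / len(target)
    return "".join(guess), acc


if __name__ == "__main__":
    print(demo())
```

Raising the noise level in synth_stream, shortening the gap between bursts, or adding a second, slower “walking” perturbation is the quickest way to reproduce the drop from the controlled 97.5 percent to the real-world figure: segmentation starts merging or splitting windows before the classifier itself fails.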

Endwall 08/26/2016 (Fri) 06:51:33 [Preview] No. 418 del
Open Sources
Attorney: US-Russia Tensions Led to Seleznev's Kidnapping by US Forces
Aug 26, 2016
SEATTLE (Sputnik) – “We wouldn’t be here if he was a Canadian,” John Henry Browne, Seleznev’s attorney, told journalists on Thursday, explaining “I think because of strained relations between the US and Russia, which I don’t agree with personally at all, the kidnapping of other people that the United States has done has involved terrorists…It’s the first time I’ve ever known of anyone with an identity theft case.” Browne also recalled news reports of a cyber attack on the US Democratic National Committee, an incident that also reflected the current relations between the United States and Russia, according to Seleznev’s lawyer. “I think they were trying to say those were Russians. That kind of explains my comment about the Canadian,” Browne said. On Thursday, Seleznev was found guilty of cybercrimes by a jury at a US court. Seleznev, 32, who is the son of Russian parliament member Valery Seleznev, was charged with 38 counts of bank fraud, hacking into secured computer networks, possession of illegal hacking devices as well as aggravated identity theft. According to US prosecutors, Seleznev hacked into retail point-of-sale systems and installed malware in order to steal over a million credit card numbers from businesses between October 2009 and October 2013. In July 2014, US forces detained Seleznev in the Maldives, transferred him to Guam before bringing him to Seattle. Russian authorities have branded the detention of Seleznev by the United States as kidnapping.

Anonymous 08/26/2016 (Fri) 18:04:24 [Preview] No. 421 del
Son Of Russian Parliament Member Convicted Of Hacking
Date August 26, 2016
Roman Seleznev, also known as “Track2,” has been convicted on charges that he conspired to hack into U.S. businesses as part of a plot to steal and sell credit card numbers. The hack is estimated to have cost upwards of $169 million. The son of a Russian parliament member, Seleznev was found guilty on 38 of 40 charges brought against him. Those counts included wire fraud and intentional damage to a protected computer. The case hinges on hacks that took place from Oct. 2009 to Oct. 2013. During that time, Seleznev hacked into retail point-of-sale systems and installed malware to steal credit card numbers from businesses. Pizza restaurants in Washington State were a particular favorite target. The trial lasted eight days. And while that may seem short, the trial concluded a decade-long investigation by the U.S. Secret Service. Seleznev was only able to be tried in the U.S. when he was caught in the Maldives before he was able to return from a vacation. Seleznev and various Russian officials have accused the Secret Service of kidnapping him to stand trial. He is now facing a mandatory minimum of four years in prison, according to his lawyer, John Henry Browne. Browne intends to appeal the case on the grounds that the trial itself is predicated on an illegal arrest and that prosecutors were able to submit evidence from a corrupted laptop. “I don’t know of any case that has allowed such outrageous behavior,” Browne said. Outrageous or not, prosecutors managed to convince a jury that Seleznev was behind the theft and resale of over 2.9 million credit card numbers. His adventures in the U.S. legal system are not quite complete; he still faces separate charges pending in federal courts in Nevada and Georgia.

Endwall 08/26/2016 (Fri) 18:11:45 [Preview] No. 422 del
Security Affairs
Apple fixed zero-day flaws exploited by nation-state spyware
August 26, 2016 By Pierluigi Paganini
Apple issued emergency iOS updates to patch three zero-days exploited by government spyware in a highly sophisticated attack. Apple has released the iOS 9.3.5 update for its mobile devices (iPhones and iPads). The security updates address three zero-day vulnerabilities exploited by nation-state actors to spy on activists. Security experts have spotted a strain of spyware targeting the iPhone used by a notorious UAE human rights defender, Ahmed Mansoor. Apple labeled the update “important,” inviting users to update their devices to protect them from malicious code that exploits the three flaws. Malware researchers believe that the Israeli surveillance firm NSO Group has developed malware that has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists. The software developed by the company secretly tracks a target’s mobile phone; it exploits the zero-day flaws, tracking the device location, accessing mobile data including contacts, texts, call logs and emails, and recording surrounding sounds through the microphone. Apple patched the three vulnerabilities just ten days after the security experts from Citizen Lab and Lookout reported them to the company. Experts from Lookout identified the targeted attack as Pegasus, as explained in a detailed blog post. “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection,” states the blog post published by Lookout.

The three zero-day vulnerabilities, dubbed “Trident,” exploited in the attack are:
* CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel’s location in memory.
* CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
* CVE-2016-4657: Memory corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

Mansoor, who won the ‘Martin Ennals Award’ in the United Arab Emirates, received a text message on his iPhone on August 10. The message was sent from an unknown number. Mansoor found the message very suspicious and forwarded the message to Bill Marczak, researcher at the Citizen Lab, which conducted a joint investigation with mobile security firm Lookout. The message embedded a link to a highly sophisticated spyware that was designed to exploit the flaws fixed by Apple.

Endwall 08/26/2016 (Fri) 18:45:34 [Preview] No. 424 del
Schneier on Security
The NSA Is Hoarding Vulnerabilities
The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the Internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers. Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe. On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the Internet. Near as we experts can tell, the NSA network itself wasn't hacked; what probably happened was that a "staging server" for NSA cyberweapons -- that is, a server the NSA was making use of to mask its surveillance activities -- was hacked in 2013. The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: "!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?" Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee -- or other high-profile data breaches -- the Russians will expose NSA exploits in turn. But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and "exploit code" that can be deployed against common Internet security systems. Products targeted include those made by Cisco, Fortinet, TOPSEC, Watchguard, and Juniper -- systems that are used by both private and government organizations around the world.
Some of these vulnerabilities have been independently discovered and fixed since 2013, and some had remained unknown until now. All of them are examples of the NSA -- despite what it and other representatives of the US government say -- prioritizing its ability to conduct surveillance over our security. Here's one example. Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGHCERTAIN that tricks certain Cisco firewalls into exposing some of their memory, including their authentication passwords. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls' security. Cisco hasn't sold these firewalls since 2009, but they're still in use today. Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes. Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard "zero days" the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use). Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that US doesn't stockpile zero-days (except for the same narrow exemption). An official statement from the White House in 2014 said the same thing. The Shadow Brokers data shows this is not true. The NSA hoards vulnerabilities. Hoarding zero-day vulnerabilities is a bad idea. It means that we're all less secure. 
When Edward Snowden exposed many of the NSA's surveillance programs, there was considerable discussion about what the agency does with vulnerabilities in common software products that it finds. Inside the US government, the system of figuring out what to do with individual vulnerabilities is called the Vulnerabilities Equities Process (VEP). It's an inter-agency process, and it's complicated...

Endwall 08/26/2016 (Fri) 18:48:54 [Preview] No. 425 del
Russia says Chinese hackers are getting more aggressive
http://www.unian.info/world/1487689-bloomberg-russia-says-chinese-hackers-are-getting-more-aggressive.html
While the West sees Russia as a cyber predator, hackers in the East increasingly view it as prey, according to online security company Kaspersky Lab, which says there’s been a sharp spike in attacks from China, according to Bloomberg. Cases of Chinese hacking of Russian industries including defense, nuclear, and aviation rose almost threefold to 194 in the first seven months of this year from 72 in the whole of 2015, according to Alexander Gostev, the Moscow-based company’s chief security expert, Bloomberg wrote. Proofpoint, a California-based cyber security company, also reported an increase in Chinese attacks on Russia. The hacking is going on “despite the officially promoted friendship between Russia and China and accords on cyber security, cooperation and non-aggression” between the two governments, Gostev said in an interview. “I don’t see them working.” President Vladimir Putin is seeking to boost economic and military ties with China, which he calls Russia’s “strategic partner,” amid tensions with the U.S. and Europe over the conflict in Ukraine. He and Chinese President Xi Jinping signed more than 30 cooperation deals including in energy, transport infrastructure and rocket production at a summit in Beijing in June, where Xi said he wanted the two countries to be “friends forever.” Computer hacking allegations have strained relations with the U.S. after the FBI was said to have high confidence that Russian intelligence was behind attacks on Democratic Party groups that led to the release of stolen e-mails just before Hillary Clinton’s nomination last month for the presidential elections. Russia has denied any involvement. Republican contender Donald Trump urged Russia to find “30,000 e-mails that are missing” from a private server Clinton used as secretary of state, though he later said he was being sarcastic.
Cyber espionage activity against Russia increased after Xi and U.S. President Barack Obama signed an agreement promising not to engage in economic cyber espionage in September last year, Gostev said. Computer security company FireEye Inc. said in a June report that attacks against the U.S. from known Chinese hacking groups with a connection to state interests have fallen substantially over the past year. Russia and China signed an information-security agreement pledging not to attack each other in May last year. “The Chinese track record of cybersecurity cooperation shows that Beijing isn’t always keen on implementing agreements fully,” Oleg Demidov, cybersecurity expert at Moscow’s PIR Center, a think tank on global security issues, said by e-mail. This is particularly true when the agreements concern China’s “strategic and military interests,” he said. The state-run Cyber Administration of China didn’t respond to a fax seeking comment on hacking attacks. China has repeatedly accused the U.S. of making groundless accusations of state involvement in hacking.
Security Threat
Chinese malware used against Russia includes more than 50 families of trojan viruses that attacked 35 companies and institutions this year, Kaspersky estimated. Among them were seven military enterprises specializing in missiles, radar and naval technology, five government ministries, four aviation businesses and two companies involved in the nuclear industry, Gostev said. “Almost every entity in Russia’s defense industry has been attacked recently by Chinese groups” and “clearly” lost information, he said. He declined to name specific bodies that were attacked, citing Kaspersky’s client confidentiality policy. The number of attacks on organizations is likely much higher than reported, since only 10% of Kaspersky’s corporate clients exchange data on hacking with its security network, he said.
The Russian Defense Ministry and the Federal Security Service (FSB) are formulating measures against NetTraveler, a trojan linked to China that is being used to spy on weapons manufacturers and threatens national security, SC Magazine reported in June, citing Defense Ministry sources that it didn’t identify.
Tanks, Helicopters
State-run tank manufacturer Uralvagonzavod and Russian Helicopters were among entities attacked, according to the magazine. Neither the companies nor the FSB responded to e-mailed questions seeking comment. Putin’s aide on information security, Andrei Krutskikh, also didn’t reply to e-mailed questions. While it isn’t possible to attribute hacking definitively to Chinese authorities, attacks are most likely either sponsored or approved by state bodies and in some cases are conducted by military hackers, Gostev said. They focus on cyber espionage, not financial hacking, he said.

Endwall 08/26/2016 (Fri) 18:59:49 [Preview] No. 426 del
August 26, 2016
Kuwaiti police have detained a government worker on suspicion of proliferating the ideology of the Islamic State militant group (ISIS), the interior ministry said late Thursday. The suspect, identified as 26-year-old Kuwaiti national Othman Zain Nayef, had “used his office and computer to spread the extremist ideology of the so-called Daesh terrorist organization,” the ministry said in a statement, using an Arabic term for ISIS. Nayef has allegedly confessed to being a member of ISIS’s “electronic army,” in which he played a role in its hacking operations at the heart of the Kuwaiti government, according to the ministry, as quoted by the Kuwaiti state news agency KUNA. He admitted to hacking official websites “in friendly and sister states,” AFP news agency reported. ISIS’s aims are helped by a web of sympathizers who have carried out low-level cyber attacks on online targets linked to enemies of the radical Islamist group. One notable attack included the hacking of U.S. Central Command’s Twitter and YouTube accounts. In recent months, one of the group’s affiliated cyber-wings has released a series of hit lists intended to spread fear among the U.S. population. In May, ISIS’s cyber-wing dumped the details of 3,000 New Yorkers, mostly from Brooklyn, forcing the NYPD and FBI to inform all of those included on the list. It then released the names of 800 members of the Arkansas Library Association, another apparently low-level target whose personal data the group was able to breach and circulate. Kuwait has found itself to be an ISIS target. Last month, Kuwaiti authorities said they had intercepted three ISIS cells that were planning attacks in the country, particularly against an interior ministry target and a Shiite mosque. In June 2015, ISIS claimed responsibility for a suicide bombing at a Shiite mosque in Kuwait City during a Ramadan prayer service, killing 26 worshippers. It represented the worst-ever attack in the Gulf state.

Endwall 08/27/2016 (Sat) 06:48:41 [Preview] No. 429 del
Soylent News
25-Core "Piton" SPARC CPU Unveiled by Princeton University
posted by janrinok on Saturday August 27, @02:42AM
Princeton University researchers presented a 25-core "manycore" CPU at the Hot Chips conference: It was a week for chip launches with the Hot Chips conference setting the stage for the unveiling of the IBM Power9 processor (report forthcoming) and a custom ARM-based 64-core CPU from Chinese firm Phytium Technology. A 25-core academic manycore processor out of Princeton University also made its debut from the Silicon Valley event. [...] "With Piton, we really sat down and rethought computer architecture in order to build a chip specifically for data centers and the cloud," said David Wentzlaff, a Princeton assistant professor of electrical engineering and associated faculty in the Department of Computer Science in an official announcement. "The chip we've made is among the largest chips ever built in academia and it shows how servers could run far more efficiently and cheaply." Piton is based on the SPARC V9 64-bit ISA and supports Debian Linux. After being designed in early 2015, Piton was taped-out in IBM's 32nm SOI process. The 6×6 millimeter die has more than 460 million transistors. The silicon has been tested in the lab and is working, according to the research team. The design is open source (open, DOI: 10.1145/2954679.2872414) (DX). More information here.


Endwall 08/27/2016 (Sat) 06:52:06 [Preview] No. 430 del
New microchip demonstrates efficiency and scalable design
Posted August 23, 2016; 01:30 p.m. by Adam Hadhazy for the Office of Engineering Communications

Princeton University researchers have developed a new computer chip that promises to boost the performance of data centers that lie at the core of numerous online services such as email and social media. The chip — called "Piton" after the metal spikes driven by rock climbers into mountainsides to aid in their ascent — was presented Aug. 23 at Hot Chips, a symposium on high-performance chips held in Cupertino, California. Data centers — essentially giant warehouses packed with computer servers — support cloud-based services such as Gmail and Facebook, as well as store the staggeringly voluminous content available via the internet. Yet the computer chips at the heart of the biggest servers that route and process information often differ little from the chips in smaller servers or everyday personal computers.

[Photo caption] Princeton University researchers have developed a new computer chip called "Piton" (above) — after the metal spikes driven by rock climbers into mountainsides to aid in their ascent — that was designed specifically for massive computing systems. The chip could substantially increase processing speed while slashing energy usage, and is scalable, meaning that thousands of chips containing millions of independent processors can be connected into a single system. It was presented Aug. 23 at Hot Chips, a symposium on high-performance chips held in Cupertino, California. (Photo by David Wentzlaff, Department of Electrical Engineering)

The Princeton researchers designed their chip specifically for massive computing systems. Piton could substantially increase processing speed while slashing energy usage. The chip architecture is scalable — designs can be built that go from a dozen to several thousand cores, which are the independent processors that carry out the instructions in a computer program. Also, the architecture enables thousands of chips to be connected into a single system containing millions of cores. "With Piton, we really sat down and rethought computer architecture in order to build a chip specifically for data centers and the cloud," said David Wentzlaff, a Princeton assistant professor of electrical engineering and associated faculty in the Department of Computer Science. "The chip we've made is among the largest chips ever built in academia and it shows how servers could run far more efficiently and cheaply." The unveiling of Piton is a culmination of years of effort by Wentzlaff and his students. Michael McKeown, Wentzlaff's graduate student, will present at Hot Chips. Mohammad Shahrad, a graduate student in Wentzlaff's Princeton Parallel Group, said that creating "a physical piece of hardware in an academic setting is a rare and very special opportunity for computer architects."
The current version of the Piton chip measures 6 millimeters by 6 millimeters. The chip has more than 460 million transistors, each of which is as small as 32 nanometers — too small to be seen by anything but an electron microscope. The bulk of these transistors are contained in 25 cores. Most personal computer chips have four or eight cores. In general, more cores mean faster processing times, so long as software ably exploits the hardware's available cores to run operations in parallel. Therefore, computer manufacturers have turned to multi-core chips to squeeze further gains out of conventional approaches to computer hardware. In recent years companies and academic institutions have produced chips with many dozens of cores — but the readily scalable architecture of Piton can enable thousands of cores on a single chip with half a billion cores in the data center, Wentzlaff said. "What we have with Piton is really a prototype for future commercial server systems that could take advantage of a tremendous number of cores to speed up processing," Wentzlaff said. The Piton chip's design focuses on exploiting commonality among programs running simultaneously on the same chip. One method to do this is called execution drafting. It works very much like the drafting in bicycle racing, when cyclists conserve energy by riding behind a lead rider who cuts through the air, creating a slipstream...

Princeton researchers have made the chip's design open source and thus available to the public and fellow researchers.

#OlT8DL 08/27/2016 (Sat) 07:31:20 [Preview] No. 431 del

tl;dr, Jeffrey Carr says: OK. Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker. Someone clearly had a wicked sense of humor.

I honestly think that blame on Russia is a lie.

Endwall 08/27/2016 (Sat) 08:27:40 [Preview] No. 432 del

Good article.

If anyone else sees a relevant article, feel free to post a link and a description, or a short excerpt (paragraph) from the article with the link. Thanks.

Endwall 08/27/2016 (Sat) 08:39:09 [Preview] No. 433 del
Security Now
Security Now 574: Routers & Micro Kernels

Endwall 08/27/2016 (Sat) 08:42:31 [Preview] No. 434 del
DEF CON 24 - Marc Newlin - MouseJack: Injecting Keystrokes into Wireless Mice

Endwall 08/27/2016 (Sat) 08:52:07 [Preview] No. 435 del
Numchecker: A System Approach for Kernel Rootkit Detection - Duration: 52 minutes.
HEIST: HTTP Encrypted Information can be Stolen Through TCP-Windows - Duration: 49 minutes.
HTTP Cookie Hijacking in the Wild: Security and Privacy Implications - Duration: 46 minutes.
Behind the Scenes of iOS Security - Duration: 51 minutes.

Endwall 08/27/2016 (Sat) 09:01:25 [Preview] No. 436 del
Multivariate Solutions To Emerging Passive DNS Challenges - Duration: 58 minutes.
The Tactical Application Security Program: Getting Stuff Done - Duration: 57 minutes.
The Security Wolf of Wall Street: Fighting Crime With High-Frequency Classification and... - Duration: 57 minutes.
Automated Detection of Firefox Extension-Reuse Vulnerabilities - Duration: 57 minutes.
Su-A-Cyder: Homebrewing Malware for iOS Like a BO$$! - Duration: 2 hours, 38 minutes.
The Kitchen's Finally Burned Down: DLP Security Bakeoff - Duration: 53 minutes.
Automated Dynamic Firmware Analysis At Scale: A Case Study on Embedded Web Interfaces - Duration: 1 hour, 8 minutes.
Android Commercial Spyware Disease and Medication - Duration: 28 minutes.
PLC-Blaster: A worm Living Solely In The PLC - Duration: 55 minutes.
Hacking a Professional Drone - Duration: 27 minutes.
Cantact: An Open Tool for Automotive Exploitation - Duration: 54 minutes.
DSCOMPROMISED: A Windows DSC Attack Framework - Duration: 59 minutes.
A New CVE-2015-0057 Exploit Technology - Duration: 51 minutes.
Enterprise Apps: Bypassing the iOS Gatekeeper - Duration: 36 minutes.
Rapid Radio Reversing - Duration: 1 hour.
Break Out of The Truman Show: Active Detection and Escape of Dynamic Binary Instrumentation - Duration: 45 minutes.
Let's See What's Out There - Mapping the Wireless IOT - Duration: 48 minutes.
Never Trust Your Inputs: Causing 'Catastrophic Physical Consequences' From The Sensor... - Duration: 53 minutes.
Hey, Your Parcel Looks Bad - Fuzzing and Exploiting Parcel-ization Vulnerabilities in Android - Duration: 35 minutes.
Incident Response @ Scale-Building a Next Generation SOC - Duration: 16 minutes.
I'm Not a Human: Breaking the Google Recaptcha - Duration: 28 minutes.
Locknote: Conclusions and Key Takeaways from Black Hat Asia 2016 - Duration: 51 minutes.

Endwall 08/28/2016 (Sun) 00:59:23 [Preview] No. 437 del
Opera warns Opera Sync users of possible security breach
August 27, 2016 By Pierluigi Paganini
The Norwegian company warned users of the Opera Sync service of a possible security breach that might have exposed their data. On Friday, Opera published a security alert to warn its users that the Opera Sync service might have been breached. In response to the alleged incident, Opera forced a password reset for all Sync users, who were informed via mail of suspicious activity with their accounts. “Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.” states the security advisory. Opera clarified that passwords in the system used for authentication are hashed and salted with per-user salts; however, the company hasn’t provided any information about the hashing process for the authentication passwords. “Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution.” continues the advisory.
The company informed users that it had promptly blocked the attack; its experts are investigating the incident. Internal security staff believe that some users’ data, including login credentials, may have been compromised. The company reset all Opera Sync account passwords and sent emails suggesting that users change any third-party passwords that were synchronized with the service. According to Opera, 1.7 million users could be impacted by the Sync security breach, less than 0.5% of the total Opera user base of 350 million people. As usual, Opera Sync users that share their credentials among multiple sites are advised to change their passwords for those sites as soon as possible.

Endwall 08/28/2016 (Sun) 01:27:26 [Preview] No. 438 del
NSA Whistleblowers: NSA Hack Was Likely An Inside Job
Posted on August 26, 2016 by WashingtonsBlog
The mainstream press is accusing Russia of being behind the release of information on NSA hacking tools. Washington’s Blog asked the highest-level NSA whistleblower in history, William Binney – the NSA executive who created the agency’s mass surveillance program for digital information, who served as the senior technical director within the agency, who managed six thousand NSA employees, the 36-year NSA veteran widely regarded as a “legend” within the agency and the NSA’s best-ever analyst and code-breaker, who mapped out the Soviet command-and-control structure before anyone else knew how, and so predicted Soviet invasions before they happened (“in the 1970s, he decrypted the Soviet Union’s command system, which provided the US and its allies with real-time surveillance of all Soviet troop movements and Russian atomic weapons”) – what he thinks of such claims. Binney told us: The probability is that an insider provided the data. I say this because the NSA net is a closed net that is continuously encrypted. This would mean that if someone wanted to hack into the NSA network they would not only have to know weaknesses in the network/firewalls/tables and passwords but also be able to penetrate the encryption. So, my bet is that it is an insider. In my opinion, if the Russians had these files, they would use them, not leak them or any part of them to the world. Similarly, former NSA employee, producer for ABC’s World News Tonight, and long-time reporter on the NSA James Bamford notes: If Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination. A more logical explanation could also be insider theft.
If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.
* The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained. Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents. So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations. In December 2013, another highly secret NSA document quietly became public. It was a top secret TAO catalog of NSA hacking tools. Known as the Advanced Network Technology (ANT) catalog, it consisted of 50 pages of extensive pictures, diagrams and descriptions of tools for every kind of hack, mostly targeted at devices manufactured by U.S. companies, including Apple, Cisco, Dell and many others. Like the hacking tools, the catalog used similar codenames.
* In 2014, I spent three days in Moscow with Snowden for a magazine assignment and a PBS documentary. During our on-the-record conversations, he would not talk about the ANT catalog, perhaps not wanting to bring attention to another possible NSA whistleblower.
I was, however, given unrestricted access to his cache of documents. These included both the entire British, or GCHQ, files and the entire NSA files. But going through this archive using a sophisticated digital search tool, I could not find a single reference to the ANT catalog. This confirmed for me that it had likely been released by a second leaker. And if that person could have downloaded and removed the catalog of hacking tools, it’s also likely he or she could have also downloaded and removed the digital tools now being leaked. And Motherboard reports: “My colleagues and I are fairly certain that this was no hack, or group for that matter,” the former NSA employee told Motherboard. “This ‘Shadow Brokers’ character is one guy, an insider employee.” The source, who asked to remain anonymous, said that it’d be much easier for an insider to obtain the data that The Shadow Brokers put online rather than someone else, even Russia, remotely stealing it. He argued that the “naming convention of the file directories, as well as some of the scripts in the dump are only accessible internally,” and that “there is no reason” for those files to be on a server someone could hack. He claimed that these sorts of files are on a physically separated network that doesn’t touch the internet; an air-gap.
* “We are 99.9 percent sure that Russia has nothing to do with this and even though all this speculation is more sensational in the media, the insider theory should not be dismissed,” the source added. “We think it is the most plausible.”
* Another former NSA source, who was contacted independently and spoke on

Endwall 08/28/2016 (Sun) 01:54:44 [Preview] No. 439 del
Cyber Espionage: Project Sauron Malware Found Stealing Sensitive Data from 30 Government Networks Worldwide after Five Years Undetected
Aug 10, 2016 10:04 AM EDT By Anita Valencia, UniversityHerald Reporter
The Eye of Sauron in J.R.R. Tolkien's Lord of The Rings is known for its vast far-sight. It has inspired a group of hackers who created undetected malware called Project Sauron, which has been hidden in servers of many networks, stealing data for five years. A group named Strider is reportedly responsible for the Project Sauron malware that hid inside the databases of 30 government organizations in Rwanda, Russia and Iran. According to Kaspersky Lab, the malware was found in scientific, military, government, and financial companies in those countries. America's Symantec Corporation, which also detected the malware in China and Belgium, revealed that the platform used an advanced system that would not likely exist without the active help of a state-sponsored group.
Project Sauron malware uses unique operations with no similar pattern
Furthermore, the experts from both companies discovered that the malware has been present since 2011 at least. Crafted in Binary Large Objects, it is untrackable with an antivirus given the unique codes. Kaspersky, which described the issue as 'just a tiny tip of the iceberg', stated that the creator of this malware clearly knows that experts would look for patterns. Hence, even when experts have discovered an infection, they are not likely to discover a new one due to how the software was written.
How Project Sauron works
Researchers explained that Project Sauron works as sleeper cells in the targeted servers. It displays no activity while waiting for commands, Ars Technica wrote. Project Sauron can't be viewed by the Windows OS. It can collect data even without any internet connection because it uses virtual system USB storage drives. Computers infected with the malware 'think' that it is an approved system. What's more impressive is that it still works even when data-loss prevention software is installed to block unknown USB drives.
Kaspersky Lab explained on the Securelist website that the malware creator has a 'high interest in communication encryption software' used by these organizations. It is able to steal encryption keys and documents of the infected computer and even from USB sticks attached to it.

Endwall 08/28/2016 (Sun) 02:01:25 [Preview] No. 440 del
Chinese man arrested in Hong Kong over FACC cyber attack in Austria
VIENNA (Reuters) - A Chinese citizen has been arrested in Hong Kong in connection with a cyber attack that cost Austrian aerospace parts maker FACC 42 million euros ($47.39 million), Austrian police said on Friday. FACC fired its chief executive and chief financial officer after the attack, which involved hoax emails asking an employee to transfer money for a fake acquisition project - a kind of scam known as a "fake president incident". FACC's customers include Airbus and Boeing. A 32-year-old man, who was an authorised signatory of a Hong Kong-based firm that received around 4 million euros from FACC, was arrested on July 1 on suspicion of money laundering, a spokesman for Austria's Federal Office for Crime said. Such attacks, also known as "business email compromise", involve thieves gaining access to legitimate email accounts inside a company – often those of top executives – to carry out unauthorized transfers of funds. The technique, which relies on simple trickery or more sophisticated computer intrusions, typically targets businesses working with international suppliers that regularly perform wire transfers. A spokesman for FACC said the company was working on getting back 10 million euros which had been found and frozen on accounts in different countries around the world. These 10 million euros are not included in the 42 million euro hit the group has already booked. The spokesman declined to give details on the arrest or the location of the accounts. In June, the U.S. Federal Bureau of Investigation (FBI) said identified losses from this scam totalled $3.1 billion and had risen by 1,300 percent in the past 18 months. Such scams have been reported by 22,143 victims in all 50 U.S. states and in 100 countries around the world. The FBI said reports indicate that fraudulent transfers have been made to 79 countries with the majority going to Asian banks located in China and Hong Kong. 
Another tool for fraud, "ransomware", which has received much media attention over the past year, refers to malicious software that thieves use to block access to a computer until a ransom is paid. Security experts say the two trends are the fastest growing cyber security threats to businesses worldwide. FBI report: https://www.ic3.gov/media/2016/160614.aspx

Endwall 08/28/2016 (Sun) 02:05:26 [Preview] No. 441 del
Irish Times
The cyber hack that could swing the US election
‘The bizarre has almost become the norm in US politics this past year’
Is there anything that might cause Donald Trump to win the US presidential election? That’s the question political pundits are asking obsessively these days as the main parties’ campaigns take increasingly unpredictable turns. A month ago Trump was almost level with Hillary Clinton in the polls but, since then, a series of gaffes has caused his numbers to slide. This week, for example, an IBT poll suggests Clinton now has a 12-point lead. While this might indicate that the Democrats are cruising for victory, the election has been so uncertain in recent months that nobody dares take anything for granted. So what might suddenly cause momentum to swing again? To my mind, there are at least three factors to watch. The most obvious is that Trump himself implements a change of course, becoming much more professional and effective in running his campaign. That is hard to believe right now but the key person to watch is Kellyanne Conway, a pollster recently brought in to serve as campaign manager. Highly respected in Republican circles and regarded as a very effective operator, she might just possibly end up turning the campaign around. A second factor is whether a nasty external shock occurs. Trump, after all, is a candidate whose campaign is built on stoking up fear, in the mould of former president Richard Nixon. If, God forbid, a big terrorist attack occurs - or something else that causes panic - this might play into Trump’s hands, particularly if his campaign had already shifted momentum under Conway. However, there is a third possibility that has gained less attention: cyber hacking. This summer, the Democratic National Committee revealed it had suffered a cyber attack and that many confidential internal documents had been stolen. CrowdStrike, the cyber security group employed by the DNC, said the culprits were Russia’s intelligence services.
This was denied by Moscow, but backed up by other cyber security groups such as Mandiant and Fidelis Cybersecurity. This is a bizarre turn of events, by any standards, not least because some 20,000 internal DNC emails have now been released via WikiLeaks and a blogging site called Guccifer 2.0. But matters may get worse. CrowdStrike says one Russian hacking group, given the nickname Cozy Bear, was in the DNC system for at least a year. It is unclear what material has been taken but cyber experts believe Cozy Bear holds extensive secret documents, including confidential memos detailing the negative traits of Democratic candidates in this year’s US elections. (It is standard practice for campaign managers to try to assemble all the dirt on their own candidates in advance, so they are prepared in case their opponents try to attack them.) If this is true — like almost everything else in the cyber security sphere, very little can be conclusively proved — it seems that only a small portion of the sensitive material has emerged. So it is possible that the hackers will leak this in the coming months, in a targeted way, trying to cause maximum damage. This week, for example, Guccifer 2.0 leaked data about the tactics that the Democratic Congressional Campaign Committee used in House races in Pennsylvania. This is the first time the hackers have tried to shape momentum in a local race. And if these leaks accelerate, they might stoke up more anti-Clinton feeling, particularly given the separate controversies surrounding Clinton’s personal email server. Or so the gossip goes. On one level, this theory sounds almost fantastical and it is entirely possible that speculation will die away in a few months and that Clinton will romp to victory. But the very fact that Washington is abuzz with these rumours right now illustrates two key points. 
First, just how strange this current election campaign has become on both sides and, second, the degree to which the bizarre has almost become the norm in US politics this past year. In this election we face a world of James Bond meets Alice in Wonderland, where political boundaries are stealthily shifting, day-by-day. Stand by for more surprises — from Cozy Bear, or anyone else.

Endwall 08/28/2016 (Sun) 18:02:58 [Preview] No. 442 del
Snooping Online: ‘Orwell’ game puts users into shoes of data collection specialist (video)

Endwall 08/28/2016 (Sun) 18:07:05 [Preview] No. 443 del
Iran says malicious software hit its petrochemical complexes
Iran detects and removes malicious software from two of its petrochemical complexes.
Iran said on Saturday it has detected and removed malicious software from two of its petrochemical complexes, Reuters reported. The announcement comes after Iran said last week it was investigating whether recent petrochemical fires were caused by cyber attacks. A military official said the malware at the two plants was inactive and had not played a role in the fires. "In periodical inspection of petrochemical units, a type of industrial malware was detected and the necessary defensive measures were taken," Gholamreza Jalali, head of Iran's civilian defense, was quoted as saying by the state news agency IRNA. Iran has in the past been targeted by computer viruses. In 2010, it was attacked with the Stuxnet computer virus, which destroyed Iranian centrifuges that were enriching uranium and was allegedly jointly developed by the United States and Israel. Two years later the country's computer systems were targeted by Flame, a virus far more dangerous than the Stuxnet worm which was described by the Kaspersky Internet security firm as the “most sophisticated cyber-weapon yet unleashed”. Iran later admitted that its oil industry was briefly affected by Flame, but claimed that Iranian experts had detected and defeated the virus. The Islamic Republic's National Cyberspace Council announced last week that it was investigating whether the recent petrochemical fires were triggered by a cyber attack, according to Reuters. But when asked if the fire at Iran's Bu Ali Sina refinery complex last month and other fires this month were caused by the newly-discovered malware, Jalali said, “The discovery of this industrial virus is not related to recent fires."

Endwall 08/28/2016 (Sun) 18:09:55 [Preview] No. 444 del
The Straits Times
Cyber Cold War heats up
Sam Jones Published Aug 28, 2016, 5:00 am SGT
A shadowy group's $677m online 'auction' of a trove of weapons, thought to have been stolen from the National Security Agency, signals an intensifying cyber war between Russia and America.
This is a tale of spies, a US$500 million (S$677 million) cyber arms heist, accusations of an attempt to manipulate a US presidential election and an increasingly menacing digital war being waged between Russia and the West.

It begins with a clandestine online group known as The Shadow Brokers. There is no evidence that it existed before Aug 13, when a Twitter account in its name tweeted a handful of leading global news organisations with an unusual announcement: it was conducting a US$500 million auction of cyber weapons. In a show of faith, the group put a selection of its wares - a 4,000-file, 250MB trove - on public display. Security analysts have been racing to go through the list but it is already clear that at least some of what has been revealed so far is real.

What is most remarkable, though, is the likely former owner of the Shadow Brokers' cyber bounty: an outfit known as the Equation Group. Equation is an elite hacking unit of the US National Security Agency. The Shadow Brokers claim that the stolen goods are sophisticated cyber weapons used by the NSA.

The Shadow Brokers' motivations are not entirely clear. "If this was someone who was financially motivated, this is not what you would do," says security response director Orla Cox at Symantec, a leading cyber security company. Cyber weapons are typically sold over the dark Web, notes Ms Cox, or they are used by hackers who want to remain anonymous. They certainly are not advertised to news outlets. And even the best are not priced in US$500 million bundles. "It's a false flag. This isn't about money. It's a PR exercise," she says.

According to three cyber security companies that declined to be identified, the Shadow Brokers is most likely run by Russian intelligence. "There is no digital smoking gun," said one analyst. But the circumstantial evidence is compelling, analysts say. And the list of other potential nation-state actors with the capability, wherewithal and motive is short.

"The fact that the Shadow Brokers did not exist before, appeared at this time and are using intelligence that has been saved up until now, suggests this is all part of some deliberate, targeted operation, put together for a particular purpose," says Mr Ewan Lawson, a former cyber warfare officer in Britain's Joint Forces Command and now senior research fellow at Rusi, the think-tank. "That purpose looks like it is to highlight perceived US hypocrisy." Russia, he says, is the obvious perpetrator.

Two senior Western intelligence officials say their assessment was evolving but similar: the Shadow Brokers' stunt grew out of Russia's desire to strike back at the US, following accusations that Russian intelligence was behind the hack into the Democratic National Committee's (DNC) servers. That intrusion, and the subsequent leak of embarrassing e-mail, has been interpreted by some as an attempt by Russia to interfere with the US presidential election. The US has yet to respond officially to that hack, even though it knows it to be Russia, according to this narrative. Now, with a piece of Le Carre-esque public signalling between spymasters, Russia's Shadow Brokers gambit has made any such response greatly more complex, the officials suggest.

The US and its allies, of course, are hardly innocent of hacking. Regin, a piece of malware used to crack into telecoms networks, hotels and businesses from Belgium to Saudi Arabia - though mainly Russia - is a tool used by the US and Britain, while the Equation Group is among the most virulent and sophisticated hacking operations around.

If the warning to Washington was not being telegraphed clearly enough by Moscow, Mr Edward Snowden, the NSA contractor-turned-whistle-blower now living in Russia, spelt it out. "Circumstantial evidence and conventional wisdom indicates Russian responsibility," he wrote in a tweet to his 2.3 million followers. "This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast," he said in another.

In the US intelligence community, the assumption is that, at the very least, Mr Snowden is an unwitting agent of Russian intelligence, if not a tool of it. "It's all part of the signalling," says one intelligence official.

Mr Jim Lewis, director of strategic technologies at the CSIS think-tank and a former US State Department official, says: "The Russians have had the initiative in this whole thing starting from even before the DNC break-in. "They have the place of honour when it comes to threats to the US in cyber space right now. They've accelerated - they're much less risk-averse and they're much more aggressive."

ATTRIBUTION PROBLEMS

"Attributing" cyber attacks - or identifying their source - is a thorny issue. For cyber superpowers, insiders say, it is rarely technical limitations that prevent governments from castigating attackers. The problem, an age-old one for spycraft, is that in disclosing what they know, officials may give away how they got it. For agencies like the NSA and Britain's GCHQ, there is a deeply ingrained culture of secrecy surrounding their cyber surveillance work that stretches back to the origins of signals intelligence during World War II.

US intelligence knew very quickly that the Chinese were behind the hack of the Office of Personnel Management, announced in June last year, which targeted the records of millions of Americans. But it took time to decide what the appropriate response should be and what kind of effect they wanted from it.
Outside the inner circles of the spy world, there is a growing sense that more public attribution is needed to try and put the brakes on a Cyber Cold War that is spiralling out of control. "Up to now, there has been a degree of approaching cyber defence one day at a time," says Rusi's Mr Lawson. "But now it's reached a momentum where people are starting to say we need to start calling people out, making more of an issue about these attacks, because otherwise, how are we ever going to establish any sort of global norms about it?" Publicly identifying attackers can be powerful. Chinese activity against US companies decreased markedly after the US authorities publicly indicted five senior Chinese military officials last year, proving to Beijing that they knew exactly what its hackers were up to - and would respond even more harshly if they continued. But the power of attribution also depends on the adversary. Unlike China, Russia does not depend economically on the US. The Kremlin's hackers are also far stealthier. A particular trend in Russia's hacking operations in the past 18 months, says a senior British cyber security official, has been towards such "false flagging", where attacks are hidden behind proxies. The official points to an attack on the French broadcaster TV5Monde in April last year. The website was defaced with pro-ISIS imagery, but it was the Russians who were responsible, he says. Russia has become much more aggressive in blurring other boundaries too: its cyber operations do not just exfiltrate information, they also sometimes weaponise it. Outright acts of destruction are on the table, too, as was the case when Russia took down the Ukrainian power grid in January. If the tools are new, the techniques may not be. Mr Philip Agee, a former CIA agent, sprang to prominence in the 1970s for publishing a series of salacious books and pamphlets claiming to expose the activities and agents of his former paymasters. 
He said he was a whistleblower and became a feted figure of the left in the West. But in reality he was carefully directed by the KGB, the Soviet spy agency. Under the Russians' guidance, his output blended genuine US intelligence leaks with outright disinformation concocted by Moscow to suit its own ends. Hundreds of CIA agents were exposed by his activities. The KGB's use of Mr Agee was both an act of disruption and one of manipulation. It boxed in the CIA and affected its decision-making. Moscow ensured genuine agents' names were publicised at times to suit their ends. The Shadow Brokers may be the same trick adapted to the 21st century. Both are textbook examples of what Soviet strategists called reflexive control - a concept that has become resurgent in Russian military planning today. Reflexive control is the practice of shaping an adversary's perceptions. A state might convince an opponent not to retaliate for interfering in an election, for example, by raising the possibility of releasing information about its own tactics. "These are old tactics," says CSIS' Mr Lewis. "The Russians have always been better at this kind of thing than us. But now, they're just able to wield them so much more effectively. They have taken tremendous advantage of the Internet. Information is a weapon."

Endwall 08/28/2016 (Sun) 18:19:49 [Preview] No. 445 del
New RIPPER Malware Suspected Behind Thailand ATM Heists
FireEye researchers discover new RIPPER ATM malware
Aug 28, 2016 00:20 GMT · By Catalin Cimpanu ·
A new piece of ATM malware may be behind the recent ATM heists that took place in Thailand and possibly Taiwan, security researchers from FireEye have discovered. Earlier this week, Thai authorities reported that crooks managed to steal $378,000 (12 million baht) from ATMs across Thailand. A few minutes before local press reported the heist, FireEye researchers said that its cyber-security platform detected a new file uploaded on VirusTotal from an IP address in Thailand that included all the features of ATM malware.

FireEye discovers new ATM malware family

A subsequent investigation confirmed their initial suspicion. What researchers had discovered was a new malware variant that targets ATMs, which they named RIPPER, based on text found inside the malware source code (ATMRIPPER). While this was a never-before-seen malware family, FireEye says they identified multiple components also found in other ATM malware variants such as Padpin (Tyupkin), SUCEFUL, GreenDispenser, and Skimer. It may be possible that the malware was uploaded to VirusTotal either by one of the crooks working on a new version or by Thai investigators who found it on the infected ATMs. FireEye's technical analysis for RIPPER includes many findings that corroborate the ATM heist details reported by local press.

RIPPER features coincide with ATM heist press reports

The malware included a component that would disable the ATM's network interface whenever needed. Thai press quotes investigators who said the robbed ATMs were taken offline during the heists. RIPPER allows an attacker to control ATMs via a payment card with a special authentication code embedded in its EMV chip. Investigators reported the same thing about the malware found on targeted ATMs. The Thailand attacks only targeted ATMs manufactured by NCR. Authorities suspect that the group behind this attack was also behind an NT$70 million ($2.18 million) ATM heist in Taiwan from July. In that attack, crooks targeted ATMs from Wincor Nixdorf.

FireEye says RIPPER includes code to target three specific vendors. The company doesn't mention their names, but this fits in the group's modus operandi. Furthermore, the PE compile timestamp from the malware uploaded this week on VirusTotal is July 10, 2016, two days before the attacks in Taiwan.

RIPPER steals features from other ATM malware strains

FireEye researchers note that RIPPER's component that reads or ejects cards on demand is very similar to the one found in SUCEFUL while the technique of using custom-made master EMV cards is borrowed from Skimer. They add that the ability to disable the local network connection resembles that of Padpin (Tyupkin) and the "sdelete" secure self-deletion module is similar to the one found in GreenDispenser. "In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical," FireEye researcher Daniel Regalado explains. "This speaks to the formidable nature of the thieves."

Endwall 08/28/2016 (Sun) 18:24:40 [Preview] No. 446 del
CBC News
How a $64M hack changed the fate of Ethereum, Bitcoin's closest competitor
Cryptocurrency alternative to bitcoin was co-founded by 19-year-old Canadian-Russian in 2015
By Jonathan Ore, CBC News Posted: Aug 28, 2016 9:00 AM ET Last Updated: Aug 28, 2016 11:07 AM ET
Picture this: A thief steals millions of dollars by hacking into an investment fund. What if you could just hit the undo button and get that money back? That was the dilemma that the creators of Ethereum, an upstart digital currency platform, recently faced. Founded in 2015 by a group of researchers led by Russian-Canadian Vitalik Buterin — then only 19 years old — its currency, ether, is the second-most valuable digital currency after bitcoin. But the currency suffered a blow recently after a hacker siphoned $64 million worth of ether from investors.

In the wake of the hack, Buterin decided to turn back the clock through a software update and reset the entire system to its previous state — i.e., before the hack. The reset created a so-called hard fork, which split Ethereum into two parallel systems. Buterin assumed most users would move to the reset platform, but the fork proved divisive and a small group of users continued using the old system, dubbing it Ethereum Classic and arguing Buterin had no right to reset the platform. That has confused cryptocurrency investors and cast a pall over the future of Ethereum. It also opened up a rift between the currency's creators, who were the ones to alter the code and render the stolen currency null and void, and dissenters who argued against any intervention — even in the face of an Ocean's Eleven-style heist.

Smart contracts

While bitcoin is the best-known cryptocurrency, there are, in fact, hundreds of digital, decentralized payment systems that issue and trade digital currencies online. Each operates on a blockchain, a digital ledger that keeps track of all transactions in transparent, peer-to-peer fashion. While bitcoin did away with paper currency and a central banking authority, more complex transactions, such as setting up regular coupon payments on a bond, might still require the assistance of a lawyer or other third party.
Ethereum eliminates this need by incorporating code that allows transactions to occur through so-called smart contracts, which take automatic effect once mutually agreed-upon conditions have been met. "An auction might automatically transfer deeds of ownership to the highest bidder after a certain time has elapsed, or a father's contract might automatically send his son a set amount of money every year on his birthday," explains Business Insider's Rob Price.

Like bitcoin, ether has grown in popularity beyond internet discussion boards and small tech start-ups. Technology and financial companies from Microsoft to Deloitte have taken an interest in it. "Something that was founded by a 19-year-old university dropout in Toronto, Canada, leveraging the resources of developers all over the world, turned into this $1-billion platform," said Alex Tapscott, tech writer and co-author of the book Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.

The hack and the fork

But before long, the digital currency fell victim to an all-too-human problem: theft. In April, a group of Ethereum users launched what is known as a decentralized autonomous organization, or DAO, essentially a digital venture capital firm powered by ether. DAO members were supposed to vote on future Ethereum-related projects. The DAO raised more than $160 million worth of ether from about 11,000 investors. Some have called it the biggest crowdfunding project ever.

[Photo caption: Ether units are mined using high-powered computers, much like these computers mining bitcoins in the Bitmain mining farm near Keflavik, Iceland. (Jemima Kelly/Reuters)]

But on June 17, before anyone could do anything with the DAO, someone found a vulnerability in the DAO's code (much like finding a legal loophole in a sloppily written real-world contract), and siphoned 3.6 million ether from the fund. Ether's value tanked from a high of $27.60 to $18 immediately after the hack. It has since dropped further to $14. The total value stolen, depending on whether you calculate it before or after the hack, ranges from $64 million to $101 million.

Ethereum's creators weren't directly responsible for the DAO, but since the amount stolen from it represented 15 per cent of all ether in circulation, they locked the stolen funds in a "child DAO" — a sort of digital escrow — preventing the thief from cashing out. Buterin and his team carried out the hard fork in the blockchain, rolling back the system to a day before the DAO was formed and returning the stolen ether to the original owners. The thief was essentially left with ether unrecognized by the larger community. "Anything to do with the DAO was reverted," Anthony Di Iorio, a co-founder of Ethereum and CEO of Decentral, a Toronto-based bitcoin, told CBC News. "The contract was changed so that people could get their funds out."

Ethereum Classic

The hard fork was completed on July 20, but to some users, the move was akin to censorship. Instead of using the post-fork currency, a small but vocal minority kept using the old one, which currently trades for about $2. To these adherents, "code is law," Di Iorio said. They believe smart contracts should be immutable — even if the intent of changing the code was to restore millions of stolen ether to the rightful owners.

[Photo caption: Blockchain is the technology behind cryptocurrencies like bitcoin, ether and hundreds of other smaller offshoots and alternative currencies. (BTC Bitcoin/Flickr/Creative Commons)]

Tapscott calls that aversion to intervention of any kind — even by the platform's own creators — "very naive."
"They confuse governance with government, and governance of any kind with authoritarianism," he said. "There are lots of global resources out there that aren't owned or controlled by anyone that have complex governance structures — like the internet."

Can Ethereum and Ethereum Classic coexist?

Tapscott says the co-existence of two Ethereum chains "causes confusion as to which is the 'real' Ethereum, which is bad for investor and developer confidence." "'The more the merrier' is a fine philosophy for ideologues and traders, but for people who actually want to run or build smart contracts, two chains are a mess," investor Jacob Eliosoff told cryptocurrency news site Coindesk. In a separate op-ed, he argued that if this fragmentation continues, "the technology we love will never reach a wider public." Cryptocurrency users appear to agree, as Ethereum Classic's price plunged more than 23 per cent in the last week, according to Coindesk.

The debate around the forking of the Ethereum platform resembles one that raged within the Bitcoin community a few months ago when some Bitcoin developers proposed increasing the size of the blockchain so that the system could process more transactions at a faster rate. Still, Tapscott remains bullish on the future of blockchain technology, regardless of the ultimate fate of ether, bitcoin or any single digital currency. "Ethereum is one tiny fraction of the entire blockchain universe, and the universe is barrelling ahead on all fronts," he said.

Endwall 08/28/2016 (Sun) 18:39:25 [Preview] No. 447 del
Dropbox Urges Users To Change Old Passwords
on Sunday, August 28, 2016
Dropbox has asked its users to change their passwords, if they haven’t done so since the online service’s launch in 2007. This comes as a ‘precautionary measure’ after a spate of hack attacks on an old set of Dropbox credentials in 2012. In July 2012, Dropbox said its investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. It said it had contacted the users affected to help them protect their accounts. The cloud storage service said that the move isn’t any indication that their accounts were improperly accessed. “Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” the company said. “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.” Dropbox is also recommending that users use two-factor authentication when resetting their passwords. Launched in 2007, Dropbox allows users to store, access and share files easily from a variety of devices. It has accumulated 500 million sign-ups to the service.

Endwall 08/28/2016 (Sun) 18:51:03 [Preview] No. 448 del
Security Affairs
France, Germany calls for European Decryption Law: What’s next?
August 28, 2016 By Pierluigi Paganini
Amidst the Apple vs. FBI debacle and the successful breach of NSA headquarters by a hacker group, a new torch has been lit internationally by France and Germany calling for a European Decryption Law.

Months after the FBI-Apple encryption standoff in the U.S. and the breach of NSA headquarters by hackers, a global debate on encryption has started between governments and pro-security supporters. On Tuesday, a joint press conference, “Franco-German initiative on internal security in Europe”, was held in Paris by Germany’s Interior Minister Thomas de Maizière and France’s Interior Minister Bernard Cazeneuve; they called on the European Commission to consider a possible new legislative act to force operators offering products or telecommunications services to decrypt messages or to remove illegal content for government investigators. A directive, if issued by the European Commission, is a kind of EU decryption law that must pass through the interpretation stage of the European Union’s member states to become a national law at European level. Meanwhile, at the international level, they also called for the signing and ratification of the Budapest Convention on Cybercrime. These propositions by the two ministers were issued based on the terrorist attacks that happened in their countries, where the attackers were said to be using highly encrypted communications apps.

That being said, there is already a directive in practice for national security, as pointed out by Commission spokesperson Natasha Bertaud. In an email statement to Fortune she said, “The current data protection directive (which also applies to the so-called over-the-top service providers) allows member states to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences,” and she further added that “The new general data protection regulation (which will apply as from 25 May 2018) maintains these restrictions.”

In an opinion-based statement on encryption, the German minister talked about “good practices” and “innovative ideas” to tackle encryption. Whereas his fellow French minister stepped the press conference up by specifically naming the Telegram app and criticizing it. WhatsApp and Telegram took their stance by stating that they cannot decrypt the data because of the encryption mechanism, where only users have access to their conversations. Even though a data protection directive is in practice, the explicit agenda upon access to encryption may be to have control over such apps internationally and EU-wide.

Giving her opinion on the matter of encryption in an editorial in the French newspaper Le Monde, Isabelle Falque-Pierrotin, President of the National Commission on Informatics and Liberties, France’s data protection authority, wrote: “It is through encryption that we can make a bank transfer safely. It is through encryption that we can store our health data in a shared medical file (DMP) online. It is also thanks to this tool that investigations on “Panama Papers” were possible. For companies, encryption is now the best protection against economic espionage.”

Earlier this year in the U.S., over the debate in the FBI-Apple encryption suit we saw telecommunication providers backing up Apple and anti-encryption hardliners such as Senator Lindsey Graham switching sides in favor of Apple after realizing the technical reality of the case. “I was all with you until I actually started getting briefed by the people in the intel community,” Graham told Attorney General Loretta Lynch during Senate Judiciary Committee hearings. “I will say that I’m a person that’s been moved by the arguments about the precedent we set and the damage we might be doing to our own national security.”

The strongest anti-backdoor and pro-encryption opinion came from European Commission Vice-President Andrus Ansip, who supported Apple’s decision to refuse to unblock the iPhone of the terrorist. “Identification systems are based on encryption. I am strongly against having any kind of backdoor to these systems. In Estonia, for example, we have an e-voting system. If people trust an e-banking system, they can also trust an e-voting system. This trust is based on a strong single digital identity guaranteed by the government, which is based on encryption. The question is who will trust this e-voting system if there are some back doors and someone has the keys to manipulate the results. The same goes for the e-banking system.”

The European Parliament resolution of September 2015 on “human rights and technology” turns out to be in favor of strong encryption. As the debate is heating up, the next step could be the revision of the European Union’s “e-privacy” directive. Refreshing the memory of May 2016, the EU executive body set out a new e-privacy proposal that would significantly change telecommunication regulation, to create a “level playing field” between traditional and online telecommunications services like Skype and WhatsApp. According to documents quoted by the Financial Times, the European Commission will proceed further with the e-privacy revision and bring Microsoft’s Skype and Facebook’s WhatsApp into the same regulatory fold as traditional telecommunication operators, and may explicitly ask for decryption orders. That would affect Google, Netflix, Amazon and Apple as well in the EU. There are also some reports of a possible opinion that the French and German governments, which face elections next year, are using these tactics to strong-arm them. The press release has started a global tug of war but there is no easy answer to what comes next.

Endwall 08/29/2016 (Mon) 07:56:39 [Preview] No. 449 del
A malware was found in Iran petrochemical complexes, but it’s not linked to recent incidents
August 29, 2016 By Pierluigi Paganini
The head of Iran’s civilian defense confirmed that a malware was found in petrochemical complexes, but it hasn’t caused the fires under investigation.

Last week, I reported the news related to a series of fires at Iranian petrochemical plants. Iran’s Supreme National Cyberspace Council started an investigation to discover if the fires at oil and petrochemical plants were caused by cyber attacks. Authorities fear that nation state actors may have launched an attack similar to the Stuxnet one. Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, announced that a team of cyber experts will be involved in the investigation to understand if the incidents are linked and if they were caused by cyber attacks.

“Abolhassan Firouzabadi, secretary of Iran’s Supreme National Cyberspace Council, says a team of experts will look at the possibility of cyberattacks as being a cause, Press TV reported on Sunday. Special teams will be sent to the afflicted sites to study the possibility of cyber systems having a role in the recent fires, he said.” reported the Tehran Times.

Iranian cyber experts have spotted and removed two pieces of malware that infected systems at two petrochemical plants. The news was confirmed by a senior military official and reported by Venturebeat.com.

“Iran has detected and removed malicious software from two of its petrochemical complexes, a senior military official said on Saturday, after announcing last week it was investigating whether recent petrochemical fires were caused by cyber attacks.” reported Venturebeat.com.

The official also added that the malware was not responsible for the incidents that occurred at the petrochemical complexes; the experts discovered that it was inactive and not linked to the fires.

“In periodical inspection of petrochemical units, a type of industrial malware was detected and the necessary defensive measures were taken,” Gholamreza Jalali, head of Iran’s civilian defense, told the state news agency IRNA. “The discovery of this industrial virus is not related to recent fires.”

As declared by the oil minister, the string of fires in petrochemical complexes was caused by the lack of proper safety measures, a result of the budget cuts made by the firms in the energy sector.

Endwall 08/29/2016 (Mon) 22:46:51 [Preview] No. 450 del
After Illinois hack, FBI warns of more attacks on state election board systems
Sean Gallagher - Aug 29, 2016 3:55 pm UTC
Someone using servers in the US, England, Scotland, and the Netherlands stole voter registration data from one state's Board of Elections website in June and unsuccessfully attacked another state's elections website in August, according to a restricted "Flash" memorandum sent out by the FBI's Cyber Division. The bureau issued the alert requesting other states check for signs of the same intrusion.

The "Flash" memo, obtained by Yahoo News, was published three days after Secretary of Homeland Security Jeh Johnson offered state officials assistance in securing election systems during a conference call. According to Yahoo's Michael Isikoff, government officials told him that the attacks were on voter registration databases in Illinois and Arizona. The Illinois system had to be shut down in July for two weeks after the discovery of an attack; the registration information of as many as 200,000 voters may have been exposed.

While saying the Department of Homeland Security was unaware of any specific threat to election systems, Johnson offered states assistance from the National Cybersecurity and Communications Integration Center (NCCIC) "to conduct vulnerability scans, provide actionable information and access to other tools and resources for improving cybersecurity," a DHS spokesperson said, describing the conference call. "The Election Assistance Commission, NIST, and DOJ are available to offer support and assistance in protecting against cyber attacks."

The successful hack of the Illinois system began with a scan of the state election board's site with Acunetix, a commercial vulnerability scanning tool used to discover SQL injection vulnerabilities and other site weaknesses. The attacker used information on an SQL injection bug to then use SqlMap, an open source tool, to access user credentials and data, and the DirBuster tool to discover hidden files and directories on the Web server. Yahoo reports that officials suspected "foreign hackers" for the attack.
Ars attempted to contact Acunetix for comment, but received no response. The IP addresses listed as sources for the attacks are associated with commercial dedicated and virtual private server hosting companies: US and UK servers provided by King Servers LTD; Fortunix Networks LP, a custom hosting company with servers in Edinburgh; and Liteserver in Tilburg, the Netherlands. The use of virtual private servers (likely purchased with WebMoney, bitcoin, or some other anonymous currency) and off-the-shelf tools doesn't suggest any significant amount of sophistication on the part of the attackers. But state government sites like those affected so far are typically not hardened against attack, so sophistication wouldn't necessarily be required.
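The tool chain described in the Ars piece (Acunetix scan, SQL injection probing, DirBuster directory brute-forcing) leaves characteristic traces in ordinary web-server access logs. The following is an added example, not code from the article or from any of the tools named: it parses constructed combined-format log lines and flags clients whose traffic matches those traces. The sqlmap and DirBuster User-Agent strings are those tools' well-known defaults; the "acunetix" marker, the SQLi regex and the 404 threshold are assumed, simplified heuristics for illustration.

```python
"""Added example (not from the article): flag web-server log entries matching the tool
chain described in the FBI memo (Acunetix scan, SQL injection probing, DirBuster
forced browsing).  The log lines below are constructed; the sqlmap and DirBuster
User-Agent strings are those tools' well-known defaults, the 'acunetix' marker is an
assumed indicator, and the SQLi regex is a deliberately simplified heuristic."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lower-cased substrings looked for in the User-Agent header (assumed fingerprints).
SCANNER_UA_MARKERS = {
    "sqlmap": "sqlmap",        # sqlmap's default UA is "sqlmap/<version> (http://sqlmap.org)"
    "dirbuster": "dirbuster",  # OWASP DirBuster's default UA begins "DirBuster-1.0-RC1"
    "acunetix": "acunetix",    # assumed marker for Acunetix scan traffic
}

# Simplified SQL-injection indicators, applied to the URL-decoded request target.
SQLI_RE = re.compile(
    r"(?i)'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"   # quote-break tautology, e.g. ' OR '1'='1
    r"|union\s+(?:all\s+)?select"                  # UNION-based data extraction
    r"|--\s|/\*|;\s*drop\s"                        # comment terminators / stacked DROP
)

# This many 404s from one client looks like forced browsing of hidden paths.
FORCED_BROWSING_404S = 5


def parse_log_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])  # decode %27, %20, + before matching
    return rec


def analyze(lines):
    """Return {client_ip: sorted list of findings} for each client that tripped a heuristic."""
    findings = defaultdict(set)
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        for name, marker in SCANNER_UA_MARKERS.items():
            if marker in ua:
                findings[rec["ip"]].add(f"scanner-ua:{name}")
        if SQLI_RE.search(rec["decoded_path"]):
            findings[rec["ip"]].add("sqli-pattern")
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, count in not_found.items():
        if count >= FORCED_BROWSING_404S:
            findings[ip].add("forced-browsing-404s")
    return {ip: sorted(f) for ip, f in findings.items()}


# Constructed sample log (TEST-NET addresses, made-up paths and timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2016:10:14:55 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/47.0"',
    '203.0.113.7 - - [12/Jul/2016:10:15:01 +0000] "GET /?acunetix=1 HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; acunetix-scan)"',
    '203.0.113.7 - - [12/Jul/2016:10:15:02 +0000] '
    '"GET /voter/lookup.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" '
    '"sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.7 - - [12/Jul/2016:10:15:03 +0000] '
    '"GET /voter/lookup.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" '
    '200 9000 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
] + [
    f'198.51.100.23 - - [12/Jul/2016:10:16:{i:02d} +0000] "GET /{d}/ HTTP/1.1" 404 300 "-" '
    '"DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"'
    for i, d in enumerate(["admin", "backup", "old", "test", "private"])
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Real scanners can be told to spoof their User-Agent, so the header markers are the weakest of the three signals; the request-pattern and 404-burst checks survive that and are the ones worth keeping in a production rule.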

Endwall 08/29/2016 (Mon) 22:51:32 [Preview] No. 451 del
Two state election databases hacked, FBI warns
by Anne Dujmovic @adujmo / August 29, 201611:41 AM PDT
The FBI is urging state election officials to beef up their computer systems' security in light of two cyberattacks this summer.

The FBI has found evidence that two state election databases were infiltrated this summer by foreign hackers, according to a Yahoo News report Monday. That's led the agency to urge state election officials throughout the US to strengthen their computer systems' security, the report said.

The bureau's cyber division issued the warning on August 18 in a "flash" alert titled "Targeting Activity Against State Board of Election Systems" (PDF). The alert said "the bureau was investigating cyberintrusions against two state election websites this summer, including one that resulted in the 'exfiltration,' or theft, of voter registration data," according to Yahoo News, which obtained a copy of the alert.

The warning didn't name the states but sources told Yahoo voter registration databases in Arizona and Illinois were targeted. In Illinois, hackers stole the personal data of up to 200,000 of the state's voters. In Arizona's case, malicious software was found in the system but no data was taken, a state official told Yahoo News. The bureau suggested the two attacks may be linked but did not name the country where they may have originated, the report said.

The FBI declined to comment on the specific alert. "The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."

Earlier this month at a press event in Washington, D.C., Homeland Security Secretary Jeh Johnson said the government is concerned cyberattackers could disrupt the November presidential election. He said the government should consider whether elections should be treated as "critical infrastructure." "There's a vital national interest in our election process," he said.

Endwall 08/29/2016 (Mon) 22:53:17 [Preview] No. 452 del
Election Security Comes Down to Outdated Software
Sue Marquette Poremba | Data Security | Posted 29 Aug, 2016
In the spring, I reached out to the last five presidential campaigns standing to ask why cybersecurity wasn’t a top priority in any speeches or policies. I got no response. I wasn’t too surprised by that, considering there hadn’t been any big cybersecurity news – well, nothing that would appear to affect the political landscape. That’s changed, of course, with the hacks into the DNC and the Clinton campaign. Now the FBI is warning that election systems are in jeopardy after election board websites in two states were hacked. As Wired described it:

“In its warning sent to state-level election boards, the FBI described an attack on at least one of those two election websites as using a technique called SQL injection. It’s a common trick, which works by entering code into an entry field on a website that’s only meant to receive data inputs, triggering commands on the site’s backend and sometimes giving the attacker unintended access to the site’s server.”

It’s not just a cyberattack that we need to be alert for. A Politico story showed exactly how easy it can be to physically hack elections, as well. A Princeton professor bought a voting machine used in a number of states, and within minutes he was able to replace a few chips and add his own firmware to the machine that would allow the ballots to be manipulated. Someone with malicious intent, access to the location where machines are stored, and a little cyber-know-how could redirect the course of history.

The problem with our voting system is very similar to the cybersecurity problem in many businesses today: the software is outdated and vulnerable. In a white paper released by the Institute for Critical Infrastructure Technology called “Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures,” the authors showed why voting systems are so vulnerable to an attack:

“Many electronic voting systems have not been patched for almost a decade because officials falsely believe that an airgap equates to security. In 2016, 43 states relied on voting machines that were at least 10 years old and that relied on antiquated proprietary operating systems such as Windows CE, Windows XP, Windows 2000, Linux, and others. Vulnerabilities for these operating systems are widely available for free download on Deepnet. Alternately, some GUI-based script kiddie tools can automatically scan for Windows XP and Windows 2000 and exploit known vulnerabilities to deliver malicious payloads. Even if the officials did their due diligence and practiced moderate cyber-hygiene, Microsoft has not released a patch for Windows CE since 2013 or Windows XP since 2014.”

It sounds a lot like many of the problems that plague the Internet of Things, and businesses aren’t confident about addressing those security risks. Unfortunately, we tend to think about election cybersecurity every four years, during a presidential campaign, despite the fact that elections are conducted at least twice a year in most states, with primaries and general elections. Those of us who think about cybersecurity all the time know the ramifications that poor security efforts can have on a business and consumers. We don’t want poor cybersecurity to dictate the election results, so the question becomes, how do we make cybersecurity a point of discussion and what can be done to work on a fix? We have a little more than two months to figure it out.
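The Wired description quoted above ("entering code into an entry field ... triggering commands on the site's backend") is easiest to see with a lookup function written both ways. This is an added example, not code from the article, the campaign sites or any project it mentions: an in-memory SQLite database with constructed, made-up voter and credential rows, a lookup that pastes the field into the SQL text, and the parameterized version that does not. Table and column names and the ID format are assumptions.

```python
"""Added example (not from the article): the "entering code into an entry field" trick the
Wired quote describes, as a vulnerable lookup beside its parameterized fix.  Uses an
in-memory SQLite database with constructed, made-up records; the table and column names
and the voter-ID format are assumptions for illustration."""
import re
import sqlite3


def build_db():
    """Constructed sample data: a voter table and a separate credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (voter_id TEXT PRIMARY KEY, name TEXT, precinct TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", [
        ("V1001", "Alice Example", "P-12"),
        ("V1002", "Bob Example", "P-12"),
        ("V1003", "Carol Example", "P-07"),
    ])
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "placeholder-not-a-real-hash"))
    return conn


def lookup_vulnerable(conn, voter_id):
    """Pastes the form field straight into the SQL text: the input becomes part of the query."""
    sql = "SELECT voter_id, name FROM voters WHERE voter_id = '" + voter_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, voter_id):
    """Binds the form field as a parameter: the driver treats it as data, never as SQL."""
    sql = "SELECT voter_id, name FROM voters WHERE voter_id = ?"
    return conn.execute(sql, (voter_id,)).fetchall()


VOTER_ID_RE = re.compile(r"^V\d{4}$")  # assumed ID format, used as a defence-in-depth allow-list


def lookup_safe_validated(conn, voter_id):
    """Parameter binding plus input validation: reject anything that is not a well-formed ID."""
    if not VOTER_ID_RE.match(voter_id):
        raise ValueError("malformed voter id")
    return lookup_safe(conn, voter_id)


# Two classic probe strings (constructed), of the kind automated tools send into a field.
TAUTOLOGY = "' OR '1'='1"                                              # WHERE clause always true
CROSS_TABLE = "' UNION SELECT username, password_hash FROM users --"  # reads another table


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id:  ", lookup_vulnerable(db, "V1001"))
    print("vulnerable, tautology:  ", lookup_vulnerable(db, TAUTOLOGY))    # every voter row
    print("vulnerable, cross-table:", lookup_vulnerable(db, CROSS_TABLE))  # the credential row
    print("safe, tautology:        ", lookup_safe(db, TAUTOLOGY))          # []
    print("safe, cross-table:      ", lookup_safe(db, CROSS_TABLE))        # []
```

The second probe is the shape of what the Ars report says happened in Illinois (credentials read out of a different table through the injectable field); with the bound parameter the same string simply matches no voter.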

Endwall 08/29/2016 (Mon) 22:57:46 [Preview] No. 453 del
New FairWare Ransomware targeting Linux Computers
Lawrence Abrams * August 29, 2016 * 11:27 AM
A new attack called FairWare Ransomware is targeting Linux users, where the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to get the files back. In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, they probably just upload them to a server under their control.

Victims have reported that they first learned about this attack when they discovered their web sites were down. When they logged into their Linux servers, they discovered that the web site folder had been removed and a note called READ_ME.txt was left in the /root/ folder. This note contains a link to a further ransom note on pastebin. The content of the READ_ME.txt file is:

Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!

The ransom note on pastebin requests that the victim pay two bitcoins to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks to get their files back. They are also told that they can email fairware@sigaint.org with any questions. The full content of the FairWare ransom note is:

YOUR SERVER HAS BEEN INFECTED BY FAIRWARE | YOUR SERVER HAS BEEN INFECTED BY FAIRWARE
Hi, Your server has been infected by a ransomware variant called FAIRWARE. You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked! We are the only ones in the world that can provide your files for you! When your server was hacked, the files were encrypted and sent to a server we control! You can e-mail fairware@sigaint.org for support, but please no stupid questions or time wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as: "can i see files first?" will be ignored. We are business people and treat customers well if you follow what we ask.
FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
HOW TO PAY: You can purchase BITCOINS from many exchanges such as: http://okcoin.com http://coinbase.com http://localbitcoins.com http://kraken.com
When you have sent payment, please send e-mail to fairware@sigaint.org with: 1) SERVER IP ADDRESS 2) BTC TRANSACTION ID and we will then give you access to files, you can delete files from us when done
Goodbye!

At this time it is unknown if the attacker actually retains the victim's files and will return them after ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first.

Endwall 08/29/2016 (Mon) 23:01:38 [Preview] No. 454 del
Government Hackers Have Now Found a Way to Breach iPhone Security
The Cyber Threat: iPhone Software Targeted in Government-Linked Hack, by Bill Gertz, Washington Free Beacon, August 29, 2016
Years ago during lunch with a recently-retired National Security Agency cyber security official, I immediately noticed the former official’s iPhone as he placed it on the table next to his fork. Wow, I thought, if an NSA electronic spook is using an iPhone, those babies must be secure. Days later I traded in my cell phone for an iPhone and have been using them ever since. I endured Apple’s proprietary restrictions, like the inability to change batteries, a company tactic that forces customers to buy a new phone every few years as the battery gradually wears out. So too did I accept the iPhone’s inability to expand its memory. As someone who reports on cyber threats and is not viewed as a favorite reporter by certain foreign governments (and one heavily politicized American one), I decided to accept the limits on Apple handheld devices that today more and more have come to dominate our waking hours.

NSA is not alone in adopting the widespread use of Apple devices for better security. Several federal agencies and military services also demand use of iPhones in key locations because of their inherent strong security. There is no question that iPhones are much safer against cyber attacks than other operating systems, like Google’s Android mobile OS. But that is changing.

Last week, Apple sent out an urgent notice to all customers to update their iPhone software with a security patch. Security flaws were discovered in the operating system revealing that the cyber threat to iPhones, once the gold standard for handheld security, is reaching new heights. Apple didn’t even know about the latest cyber attack against its software until two security companies discovered what security specialists call “zero day” flaws in the iPhone operating system. Zero days are the coin of the realm for hackers and foreign governments seeking to get into information systems, including computers and smartphones. They’re called zero days because you have zero time to fix the security hole once hackers find them and start using them in attacks. The only solution is to patch the hole after the attacks take place, to limit the data theft or other damage.

The security firms Lookout and Toronto-based Citizen Lab found three zero days targeting iOS software that were used against the iPhone 6 of Ahmed Mansoor in early August. Mansoor, a United Arab Emirates-based pro-democracy activist, was sent text messages promising secrets on detainees held in UAE jails if he clicked on a link. He instead contacted the security firms. Electronic analysis showed the malware link was a hacking ploy using the three unknown zero days that researchers traced to an Israeli-based cyber security firm called the NSO Group, reportedly made up of former cyber sleuths from Unit 8200—Israel’s electronic intelligence service. NSO sells software called Pegasus, electronic intercept software used by governments. The cyber attack was likely the work of the Emirates’ government that in the past targeted the dissident for harassment. NSO executives aren’t talking.

The three-step iPhone hack was set up to cause a targeted victim to click on a fake website that would then use an application capable of downloading sensitive information from the phone’s memory. A third feature was the ability of the hackers to manipulate the hacked iPhone as if it were the owner’s device, or to disrupt its operations by corrupting the memory. “Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” Citizen Lab said.

Apple, which posted a third-quarter revenue of $42.4 billion, had little to say about the cyber attack. A company spokesman said the vulnerability was patched immediately after the company was alerted. “We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” the spokesman said.

Apple iPhone software remains secure from cyber attacks based on the company’s focus on tightly controlling the software and hardware for both security and commercial reasons. For at least a decade now it used to be that if you were concerned about nefarious cyber bad guys, whether Chinese or Russian hackers or thieves and criminals secretly breaking into your phone, iPhones were the most secure. Statistics show that by comparison, the Apple operating system is far less vulnerable to cyber attack than other systems such as Android. A Nokia security report shows that of the top 20 malware threats to smartphones, 19 affect Google’s Android devices. Only one piece of spyware afflicted iPhones. But it was the first time in years that any malware targeting Apple devices had made it to the top 20 threats, an indication of the trends.

“The modern smartphone presents the perfect platform for corporate and personal espionage, information theft, denial of service attacks on businesses and governments, and banking and advertising scams,” Nokia warns. “It can be used simply as a tool to photograph, film, record audio, scan networks and immediately transmit results to a safe site for analysis.”

As smartphones become more and more sophisticated, they are also becoming more and more ubiquitous. Look at any busy street today and it is clear that smartphones are dominating our attention. People are on their handheld devices for phone calls, texts, buying things, transportation, navigation, and a host of other personal activities. Reliance on handhelds will only increase as more and more of the elements surrounding us are computerized, such as cars, kitchens, houses and workplaces. The Apple hack and the discovery of three zero day flaws is a sign that electronic security needs to be increased across the board. Good device security is imperative and important to maintaining privacy and ultimately personal freedom.

Endwall 08/29/2016 (Mon) 23:30:14 [Preview] No. 455 del
Security Affairs
The son of a Russian lawmaker could face up to 40 years in jail for hacking
Roman Seleznev (32), the son of the Russian lawmaker and Russian Parliament member Valery Seleznev, was convicted of stealing 2.9 million credit card numbers
Roman Seleznev (32), the son of one of the most notorious Russian lawmakers and Russian Parliament member Valery Seleznev, has been convicted in the US of hacking businesses and stealing 2.9 million US credit card numbers using Point-of-Sale (POS) malware.

“A federal jury today convicted a Vladivostok, Russia, man of 38 counts related to his scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington.” reads the announcement published by the DoJ.

According to the Department of Justice, the hacking scheme defrauded banks of more than $169 Million. The stolen credit card data were offered for sale on multiple “carding” websites. “Testimony at trial revealed that Seleznev’s scheme caused 3,700 financial institutions more than $169 million in losses.” continues the note published by the DoJ.

Seleznev, who was using the online moniker ‘Track2’, was convicted in a Washington court on Thursday of 38 charges related to stolen credit card details, which include:

* Ten counts of Wire Fraud
* Nine counts of obtaining information from a Protected Computer
* Nine counts of possession of 15 Unauthorized Devices
* Eight counts of Intentional Damage to a Protected Computer
* Two counts of Aggravated Identity Theft

“Roman Valerevich Seleznev, aka Track2, 32, was convicted after an eight-day trial of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft. U.S. District Judge Richard A. Jones of the Western District of Washington scheduled sentencing for Dec. 2, 2016.”

Roman Seleznev, 32, the son of Russian Parliament member Valery Seleznev, was arrested in 2014 while attempting to board a flight in the Maldives; the arrest raised diplomatic tensions between American and Russian authorities. The prosecution was built starting from data found on his laptop that was seized at the time of the arrest. The PC contained more than 1.7 million stolen credit card numbers, some of which were stolen from businesses in Western Washington. The analysis of the laptop allowed the prosecutors to find additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the hacking scheme.

The prosecution was criticized by Seleznev’s lawyer, John Henry Browne. “I don’t know of any case that has allowed such outrageous behavior,” said Browne. The US DoJ replied that Seleznev “was prosecuted for his conduct not his nationality.” If convicted, Seleznev could face up to 40 years in jail; his victims were small businesses and retailers hacked from 2008 to 2014. Seleznev will be sentenced on December 2.

Endwall 08/29/2016 (Mon) 23:34:36 [Preview] No. 456 del
Security Affairs
Shad0wS3C group hacked the Paraguay Secretary of National Emergency
Shad0wS3C hacker group has hacked Paraguay’s Secretary of National Emergency (SNE) and leaked online a dump from a PostgreSQL database.

Not so long ago I interviewed Gh0s7, the leader of the Shad0wS3C hacker crew; now he contacted me to announce the hack of Paraguay’s Secretary of National Emergency (SNE).

“The reason for this data leak. The government of Paraguay has violated so many human rights, and either the UN (Don’t rely on them) or anyone has done anything. just to name a few:
* Impunity and justice system
* Torture and other ill-treatment
* Violation of Women’s and girls’ rights
* Violation against Human rights defenders”

This is the Shad0wS3C message.

The group has shared as proof of the hack a data dump from a PostgreSQL database; just after the announced security breach the Government website sen.gov.py was up. The leaked data dump includes information about material stocks and also PII belonging to Paraguay’s Secretary of National Emergency employees. Users’ records include names, emails, phone numbers, addresses, salary information, and other data related to their activity within the Government organization (i.e. roles in the case of national emergencies). The leaked data also includes details on hundreds of website login credentials, with hashed passwords.

Shad0wS3c is a recently formed hacker group; in July it claimed responsibility for the data breach of the EJBCA that resulted in the exposure of credentials and certificates.

Endwall 08/29/2016 (Mon) 23:39:29 [Preview] No. 457 del
Opera resets passwords after sync server hacked
By Zack Whittaker for Zero Day | August 28, 2016 -- 18:10 GMT (19:10 BST)
But the company won't say how the passwords are stored, which may indicate if they can be unscrambled by an attacker.
Opera has confirmed that a hacker breached one of the company's sync servers, potentially exposing passwords.

The Norway-based internet browser maker said in a blog post that it "quickly blocked" an attack on its systems earlier this week, but it admitted that some data was compromised, including "some of our sync users' passwords and account information", such as login names. But the company said it doesn't know the full scope of what was compromised.

Opera said that it has reset all the Opera sync account passwords as a precaution. At the time of the attack, the feature, which allows users to share website passwords across devices, had more than 1.7 million active users in the last month.

The company confirmed that passwords are hashed and salted -- an industry-standard practice to scramble passwords so that they are unusable -- but didn't provide specifics on how, leaving no clear indication if the passwords can be unscrambled by an attacker. Opera staffer Tarquin Wilton-Jones, who wrote the blog post, said the company will "not divulge exactly how authentication passwords on our systems are prepared for storage", as this would "only help a potential attacker".

We sent Opera some questions but did not hear back at the time of writing. If that changes, we'll update the piece.

Endwall 08/29/2016 (Mon) 23:41:00 [Preview] No. 458 del
Hacker Interviews – New World Hackers
August 28, 2016 By Pierluigi Paganini
New World Hackers is one of the most popular groups of hackers, it conducted several hacking campaigns against multiple targets.
Did you conduct several hacking campaigns? Could you tell me more about you and your team?

We have been dedicated to operations, such as taking down BBC, Donald Trump, NASA, and XBOX. I started out as just a kid wanting to mess around with a few games; later on, I realized I was more skilled than the average child. I began learning how to program in Python and Ruby. I later on became a Certified Network Security Analyst but did not take the offer to work for the Federal Bureau.

Could you tell me what your technical background is and when you started hacking? What are your motivations?

My motivation for hacking is the excitement of being able to tell someone about a security flaw they may have missed.

What was your greatest hacking challenge?

The greatest hack I’ve done would be breaching an entire DNS server which held 30,000 domains back in 2014; sadly I only got the chance to deface about 20 domains and left the rest alone. 70% of all DNS servers around the world are still vulnerable to the 0day to this day.

Which was your latest hack? Can you describe it to me?

The latest series of attacks are against celebrities actually! Our team is observing celebrity websites and we are shocked that most celebrities don’t secure the website nearly 50,000 people visit in an hour. Recently http://Adele.com was held offline an entire day, August 20th, during a concert. The page for a short period of time displayed some of her domain login information.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

4 tools:
1. I would say a dynamic proxy chain which hides your IP. You would rather be safe than sorry.
2. Secondary ICMP range vulnerability scanner. This tool can be found on TOR and can be used to scan multiple domains at the same time, finding XSS vulnerabilities but also SQLi vulnerabilities.
3. Scaled shell; not many people have heard of this. It can’t be erased from a server you have just brute forced or SQL injected, thus allowing you to deface or steal data from the specific web server multiple times.
4. A 0day; 0days can’t be found unless you tell it. Make your own, or buy one.

Which are the most interesting hacking communities on the web today, and why?

Hacking communities nowadays aren’t as common; within our boundaries we would state the Turkish Hackers, Greek Hackers, Ghost Squad Hackers, Tactical Team Hackers, and Ourmine as far as web security are some of the most interesting groups out there at this point in time.

Did you participate in hacking attacks against the IS propaganda online? When? How?

Yes, I participated in hacking attacks against IS; in my former group we used to take down ISIS Twitter and Facebook accounts, and after that I personally took a few down and DDoSed some websites.

Where do you find IS people to hack? How do you choose your targets?

We did participate in the attacks against the Islamic State back in December; through June we defaced IS propaganda websites and jacked Twitter accounts. I’m going to do a bit of a leak because it isn’t really hacking when you are jacking ISIS Twitter accounts. People located in Saudi Arabia don’t need emails to register on Twitter. @ctrlsec on Twitter tweets out vulnerable ISIS accounts every 5 minutes. Since they don’t need an email to register, Twitter automatically defaults their email to Gmail, so the email would be twitterhandle@gmail.com. All we have to do is make that email, which isn’t valid, and recover the account. 30% of Twitter is vulnerable to the 0day, have fun jacking ISIS Twitter accounts!

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

Yes, we think there is a big risk in not taking the necessary steps when you are securing your critical infrastructure. The potential threat of hackers is just around the corner.

Endwall 08/29/2016 (Mon) 23:45:04 [Preview] No. 459 del
Australian cyber crime threats: Four Corners investigates how hackers are hacking into our

Cyber security adviser Kevin Mitnick demonstrates how easy it is to hack into a bank account using a fake wifi network. CREDIT: Four Corners, ABC
ONE of the world’s most infamous, former computer hackers has revealed how easy it is to hack into a bank account, as Australia faces serious cyber threats. In a special report on cyber crime, Four Corners spoke to Kevin Mitnick, who is now a cyber security adviser to top companies. He showed reporter Linton Besser how easy it was to set up a fake Wi-Fi scam, letting him think he was signing into his National Australia Bank account via Telstra Air. “But what he doesn’t know, he’s connecting to my fake access point. And what we’re gonna do is we’re gonna take over his computer,” he said. Mitnick was then able to record all of his keystrokes, including his banking password. “And then what I’m gonna be able to do is steal his passwords, and I’m gonna be able to inject fake updates, so once he installs them we gain full control of his computer system and he’ll never know the better.” Mitnick’s simple hack is just one part of a much larger problem with the growth of cyber crime across Australia and overseas, which is one of the greatest challenges to law enforcement.Kevin Mitnick, who showed viewers how easy it is to hack into someone’s private information. Picture: ABCSource:Supplied Four Corners also revealed that a small Australian satellite company had its computer systems so comprehensively hacked that experts described their network as the most corrupted they’d ever seen. As well, hackers, likely Chinese, had targeted the Defence Science and Technology Organisation and the Bureau of Meteorology. The real target of the Bureau of Meteorology hack was thought to be the Australian Geospatial-Intelligence Organisation which supports defence operations through provision of satellite and other imagery, it said. The firm Newsat, which planned to launch two Australian satellites and build an Australian satellite industry, attracted the attention of foreign hackers, with the Australian Signals Directorate breaking the bad news to company executives. 
“Our network was, as far as they could see, the most corrupted they’d seen. Period,” the company’s former chief financial officer Michael Hewins told Four Corners. Former Newsat IT manager Daryl Peter said the intruders had been inside their network for maybe two years, which was like someone looking over their shoulder for everything they did. “Newsat had been hacked and not just by teenagers in the basement or anything like that. Whoever was hacking us was very well-funded, very professional, very serious hackers.” A year ago Newsat called in the liquidators and sold off its remaining assets. Although China is alleged to be responsible for much hacking, Australian officials won’t point the finger.“It’s not useful for us to talk about any particular nation states,” said Alastair MacGibbon, special adviser on cyber security to Prime Minister Malcolm Turnbull. A recent cybercrime victim was the Australian Bureau of Statistics which came under attack on census night, prompting it to close down the Census. Mr MacGibbon said that was a denial of service attack which was certainly not of the scale or sophistication that should have caused any significant problems. He said that attack was easily predictable and should have been prevented. His comments come as former Australian government cyber security official Tim Wellsmore told the program it’s not just individuals whose secrets are vulnerable to others. Governments and businesses in Australia are attacked, and there are parts of the internet where access to hacked computer servers is bought and sold. Ex CIA + NSA head @GenMhayden on the secrets of cyber warfare, tonight on #4Corners #cyberwar pic.twitter.com/nI7TIsQPe2 — Sally Neighbour (@neighbour_s) August 29, 2016 Former CIA and NSA Director Michael Hayden said Australia, the US and other friendly similar nations around the world need to protect their data. Four Corners stated it had also been told of significant cyber attacks against Austrade. 
The program was also taken inside a secure facility at the Australian Defence Force Academy in Canberra, where viewers saw two rival teams compete in a training exercise to shut down each other’s power grid — which could be a real hacker’s target. One of the cyber world’s experts, Washington-based Dmitri Alperovitch, also criticised Australia for not doing enough to warn local industry about online threats. “The reality is that the Australian government is very well aware of these activities but they have not really come out and publicly acknowledged it, they have not done a good job, in my opinion, educating the public about this threat and as a result there’s a sense of complacency oftentimes among industry because they don’t appreciate that even in Australia you can be targeted,” he said. “And China happens to be your biggest trading partner — there’s a lot of reasons why they would be hacking into your industry, to try to steal intellectual property, try to get an advantage in trade negotiations and it’s happening very often and, uh, very little is being done about it.” Mr MacGibbon defended the government, saying they needed more time to develop ongoing conversations about cyber attacks with the Australian public. “You have to give us some time as we work through what can be said, how it can be said to increase the level of engagement,” he said. As for the allegations against China, the Chinese government through its embassy in Canberra told the ABC it has denied it was behind the cyber attacks in Australia, describing the allegations as “nothing but false cliches”.

Endwall 08/30/2016 (Tue) 00:09:16 [Preview] No. 460 del
Extended interview with former CIA director Michael Hayden

Cyber War: Four Corners

Endwall 08/30/2016 (Tue) 23:18:14 [Preview] No. 462 del
Ars Technica
Officials blame “sophisticated” Russian hackers for voter system attacks
Sean Gallagher - Aug 30, 2016 7:12 pm UTC
The profile of attacks on two state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI. Arizona Secretary of State Office Communications Director Matt Roberts told the Post's Ellen Nakashima that the FBI had alerted Arizona officials in June of an attack by Russians, though the FBI did not state whether they were state-sponsored or criminal hackers. The attack did not gain access to any state or county voter registration system, but the username and password of a single election official was stolen. Roberts did not respond to requests from Ars for clarification on the timeline and other details of the attack. Based on the details provided by Roberts to the Post, it's not clear if the Arizona incident was one of the two referred to in the FBI "Flash" published this month. The FBI has not responded to questions about the memorandum on the attacks first published publicly by Yahoo News' Michael Isikoff, but a SQL injection attack wouldn't seem to be the likely culprit for stealing a single username and password. It's more likely that the Gila County election official whose credentials were stolen was the victim of a phishing attack or malware. The Illinois breach was described in detail by a message to county election officials by Kyle Thomas of the Illinois State Board of Elections. The attack was detected on July 12 and caused the state to revert to paper voter registration for more than a week. 
The paperless Illinois Voter Registration System (IVRS) was specifically targeted by the attack, Thomas said: On July 13th, once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration. The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application. The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity. We have found no evidence that they added, changed, or deleted any information in the IVRS database. Their efforts to obtain voter signature images and voter history were unsuccessful. They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected. The characterization of the attack on the Illinois system as "highly sophisticated" doesn't necessarily match the techniques described by the FBI Cyber Division's memorandum. As Thomas noted, the attackers used a public, non-secure webpage to gain access—a page that tapped directly into the voter rolls from outside the firewall without any data validation. And as Ars reported yesterday, the vulnerability was discovered by the attackers with software from Acunetix, a security tools firm based in London and Malta, along with other free and open source software—software that is usually used to validate the security of websites rather than break into them. "Acunetix automatically crawls and scans websites and Web applications to identify Web application level vulnerabilities that may then be exploited to gain access to databases and other trusted systems," said Acunetix General Manager Chris Martin in an e-mail to Ars. 
"The idea behind Acunetix is for a website owner to use it to assess the security posture of its website and Web applications for exploitable code before the bad guys get to do that for their own nefarious aims." Martin said that the Acunetix team had checked the IP addresses mentioned in the FBI report as the source of the attackers' scans and said that they "cannot link those IP addresses to any legitimate installation of Acunetix technology. Unfortunately, as with all successful independent software vendors, Acunetix is pirated, and illegal unlicensed copies are used without authorization." He added that Acunetix is volunteering assistance to the FBI in its investigation. For what it's worth, voter registration rolls in Illinois are public records, supplied widely to campaigns and other organizations for direct-mail campaigns. And after the attack, passwords were reset on the IVRS—with a new password policy requiring a minimum of eight characters, at least one being non-alphanumeric.
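The status-check page described above reached the voter database from outside the firewall with no data validation, so attacker-supplied text became part of the query. The following added example (not code from the article, the IVRS or Acunetix) shows such a lookup in the shape that permits SQL injection next to the parameterised, validated shape, run against a constructed in-memory SQLite table; the table layout, field formats and sample rows are assumptions made for the example.

```python
"""Added example (not from the Ars article): an application-status lookup
first in the shape that allows SQL injection and then parameterised, run
against a constructed in-memory SQLite table."""
import re
import sqlite3

# Constructed sample rows; the table and column names are assumptions made
# for this example, not the real IVRS schema.
SAMPLE_APPLICATIONS = [
    ("A-1001", "Ada", "Lovelace", "approved"),
    ("A-1002", "Alan", "Turing", "pending"),
    ("A-1003", "Grace", "Hopper", "rejected"),
]

# Assumed input formats for the two public lookup fields.
APP_ID_RE = re.compile(r"[A-Z]-\d{4}")
LAST_NAME_RE = re.compile(r"[A-Za-z][-A-Za-z' ]{0,63}")


def build_db():
    """Create the in-memory table the lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications "
        "(app_id TEXT PRIMARY KEY, first TEXT, last TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO applications VALUES (?, ?, ?, ?)", SAMPLE_APPLICATIONS)
    return conn


def status_lookup_vulnerable(conn, app_id, last_name):
    """Vulnerable shape: the caller's text is spliced into the SQL, so a
    crafted last name rewrites the WHERE clause and can dump the table."""
    sql = (
        "SELECT app_id, status FROM applications "
        f"WHERE app_id = '{app_id}' AND last = '{last_name}'"
    )
    return conn.execute(sql).fetchall()


def status_lookup_safe(conn, app_id, last_name):
    """Hardened shape: bound parameters keep the input as data. The same
    injection string is now just a last name that matches no row."""
    sql = "SELECT app_id, status FROM applications WHERE app_id = ? AND last = ?"
    return conn.execute(sql, (app_id, last_name)).fetchall()


def validate_input(app_id, last_name):
    """Second layer the article says was missing: reject input that does not
    look like an application id and a surname before it reaches the database."""
    return bool(APP_ID_RE.fullmatch(app_id) and LAST_NAME_RE.fullmatch(last_name))


def demo():
    """Run a legitimate lookup and a classic tautology payload through both shapes."""
    conn = build_db()
    injected = "' OR '1'='1"
    return {
        "legit_vulnerable": status_lookup_vulnerable(conn, "A-1001", "Lovelace"),
        "injected_vulnerable": status_lookup_vulnerable(conn, "A-1001", injected),
        "injected_safe": status_lookup_safe(conn, "A-1001", injected),
        "injected_valid": validate_input("A-1001", injected),
        "legit_valid": validate_input("A-1001", "Lovelace"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable lookup returns every row for the tautology payload, while the parameterised lookup returns nothing and the validator rejects the input before any query runs.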

Endwall 08/30/2016 (Tue) 23:23:51 [Preview] No. 463 del
Security Affairs
Saudi government facilities hit by cyber attacks, Saudi cyber experts convened
August 30, 2016 By Pierluigi Paganini
Saudi government facilities have been hit by cyber attacks; the Government is investigating with the support of Saudi cyber experts.
Saudi government facilities have been targeted by major cyber attacks; in response, the Government has convened a group of cyber experts to examine the events. According to the Saudi Press Agency, Saudi cyber experts held urgent talks on Tuesday after the cyber attack “in recent weeks targeted government institutions and vital installations in the kingdom.” At the time of writing there is no information about the targeted agencies nor about the alleged threat actor behind the cyber attacks against Saudi infrastructure.
The Saudi cyber security experts were involved in the investigation and, according to the Saudi Press Agency, the kingdom’s Cybersecurity Centre “held an urgent workshop with a number of parties” to discuss the results of its investigations. The attacks were launched from abroad; attackers targeted Saudi websites with spyware to steal sensitive information from the targets. This isn’t the first time that Saudi websites have been hit by cyber attacks: in June hackers attacked a major Saudi newspaper and gained control of it to publish fake news. The Saudi cyber experts analyzed the attacks and proposed the necessary countermeasures to defeat the threat and protect the information targeted by the hackers. Experts exposed the “necessary procedures to fix and to protect those sites”, reported the Saudi Press Agency. The most clamorous attack against Saudi government facilities occurred in 2012 when a virus infected 30,000 workstations of one of the world’s largest energy companies, Saudi Aramco.

Endwall 08/31/2016 (Wed) 00:17:17 [Preview] No. 464 del
Security Affairs
The RIPPER malware linked to the recent ATM attacks in Thailand
August 30, 2016 By Pierluigi Paganini
Experts from FireEye who analyzed the RIPPER malware believe it was used by crooks in the recent wave of cyber attacks against ATMs in Thailand.
Earlier this month a malware was used by a criminal organization to steal 12 million baht from ATMs in Thailand. According to FireEye, the malware was uploaded for the first time to the online scanning service VirusTotal on Aug. 23, 2016. The malicious code was uploaded from an IP address in Thailand a few minutes after the cyber heist was reported by media. Experts from FireEye who analyzed the malware, dubbed RIPPER because researchers found the “ATMRIPPER” name in the sample, revealed that it implemented techniques not seen before. Hackers belonging to a cybercrime gang from Eastern Europe have stolen over 12 million baht (approximately US$346,000) from 21 ATMs in Thailand. The Central Bank of Thailand (BoT) has issued a warning to all the banks operating in the country about security vulnerabilities that plague roughly 10,000 ATMs. It seems that hackers exploited such flaws to steal cash from the ATMs. The same gang was involved in similar attacks against the top eight banks in Taiwan. In Taiwan, the thieves stole NT$70 million ($2.2 million) in cash, forcing the banks to shut down hundreds of their cash machines. The warning issued by the Central Bank of Thailand follows the decision of the Government Savings Bank (GSB) to shut down roughly 3,000 of its 7,000 ATMs in response to a recent wave of attacks that targeted its machines. According to FireEye, the RIPPER malware borrows multiple features from other ATM malware:
* Targets the same ATM brand.
* The technique used to expel currency follows the same strategy (already documented) performed by Padpin (Tyupkin), SUCEFUL and GreenDispenser.
* Similar to SUCEFUL, it is able to control the Card Reader device to read or eject the card on demand.
* Can disable the local network interface, similar to capabilities of the Padpin family.
* Uses the “sdelete” secure deletion tool, similar to GreenDispenser, to remove forensic evidence.
* Enforces a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor.
The RIPPER malware also implements new features; for example, it was designed to target three of the main ATM vendors worldwide, which is a first. The RIPPER malware interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip; with this mechanism crooks authenticate themselves to the cash machine. This mechanism is uncommon; the Skimmer malware uses this method too. In order to gain persistence, the RIPPER malware uses either a standalone service or masquerades as a legitimate ATM process. When RIPPER is installed as a service, it first kills the process “dbackup.exe”, then replaces it with its binary, then installs the persistent service “DBackup Service.” “RIPPER can stop or start the “DBackup Service” with the following arguments: “service start” or “service stop”. RIPPER also supports the following command line switches: /autorun: Will Sleep for 10 minutes and then run in the background, waiting for interaction. /install: RIPPER will replace the ATM software running on the ATM as follows: Upon execution, RIPPER will kill the processes running in memory for the three targeted ATM Vendors via the native Windows “taskkill” tool. RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion,” continues FireEye. When the RIPPER malware is executed without any parameters, it performs a series of actions, such as connecting with the local peripherals (i.e. Cash Dispenser, Card Reader, and the Pinpad). When the threat detects a card with a malicious EMV chip it starts a timer to allow a crook to control the ATM via the Pinpad. The crooks can perform multiple malicious actions, including clearing logs and shutting down the ATM local network interface.
Back to the Thailand attacks, below are reported similarities between the RIPPER malware and the malicious code used by the gang.

Endwall 08/31/2016 (Wed) 00:19:41 [Preview] No. 465 del
Australian Government Computer Networks Breached In Cyber Attacks As Experts Warn Of Espionage Threat
Submitted by PIR Editor on Mon, 08/29/2016 - 12:30
Intelligence sources say they suspect the attackers in these cases were sponsored by China
By Linton Besser, Jake Sturmer and Ben Sveen MELBOURNE, Australia (Radio Australia, August 29, 2016) – Sensitive Australian Government and corporate computer networks — including those holding highly confidential plans for a privately financed geostationary communications satellite — have been penetrated by sophisticated cyber attacks, a Four Corners investigation has established. Austrade and the Defence Department's elite research division, now named the Defence Science Technology Group, both suffered significant cyber infiltrations in the past five years by hackers based in China. Intelligence sources say they suspect the attackers in these cases were sponsored by Beijing. Four Corners has also confirmed Newsat Ltd, an Australian satellite company whose assets were sold off last year after the company went into administration, was so comprehensively infiltrated three years ago that its entire network had to be rebuilt in secret. But these incidents, revealed for the first time, are only a fraction of the cyber attacks being waged against Australian governments and companies. The Prime Minister's cyber security adviser, Alastair MacGibbon, told the program the Australian Government was "attacked on a daily basis". "We don't talk about all the breaches that occur," he said. Former Central Intelligence Agency boss Michael Hayden, who also served for six years as the head of the US electronic spying division, the National Security Agency (NSA), said both Australia and the US had to harden up their defences and "protect their data" from foreign cyber attacks. "It is what adult nation states do to one another," he said. "What my dad told me when I came home beat up from a fight once when I was about 10 years old: 'Quit crying, act like a man and defend yourself'." A spokesman for the Chinese Embassy in Canberra denied China had conducted any cyber espionage against Australian interests, calling such allegations "totally groundless" and "false cliches".
"Like other countries, China suffers from serious cyber attacks and is one of the major victims of hacking attacks in the world," he said.

Defence assets may have been targets in BoM hack

Four Corners has also been given fresh details about the high-profile hack of the Bureau of Meteorology (BoM), which was officially confirmed by Mr Turnbull earlier this year. Government and industry sources said the true targets for the cyber attack may have been defence assets linked to the BoM and its vast data-collection capabilities. One was the Australian Geospatial-Intelligence Organisation, an intelligence agency within the Department of Defence which provides highly detailed mapping information for military and espionage purposes. The other was the Jindalee Operational Radar Network (JORN), a high-tech over-the-horizon radar run by the Royal Australian Air Force. JORN provides 24-hour military surveillance of the northern and western approaches to Australia but also assists in civilian weather forecasting. Four Corners was told the cyber attack failed to reach into these networks, and that it was "sandboxed", or contained within the BoM. Intelligence sources confirmed the attack was attributed to China, which was again denied by Beijing. Mr MacGibbon said he did not know what the intention was of the people who compromised the system. "I would say to you that people who compromise systems will usually try to find a way to move laterally through it. If that means through a third party that's what they'll try to do," he said. The Australian Signals Directorate (ASD) has conducted detailed investigations into the cyber intrusion, but its boss, Dr Paul Taloni, declined to comment. A former high-ranking intelligence officer told Four Corners the Defence Department itself had significant, unresolved, cyber-security issues and had "to look at itself".
He confirmed that in about 2011 the Defence Science Technology Organisation had been successfully hacked by China-sponsored hackers, but declined to provide any further details citing national security concerns. A spokesman for the Defence Science Technology Group said: "Defence policy is to not comment on matters of national security."

Sensitive information 'stolen for profit'

Mr Hayden said, however, China's efforts against Australia had been primarily focused on "the theft of information, and really by and large the theft of information for commercial profit", activities which he said go beyond acceptable state-on-state espionage. The Newsat attack by China-based hackers may be a case in point. "Given we were up against China, state-sponsored, a lot of money behind them and a lot of resources and we were only a very small IT team, it certainly wasn't a fair fight for us," Newsat's former IT manager Daryl Peter said. While the company carried communications for resources and fossil fuel companies, as well as the US military's campaign in Afghanistan, Mr Peter said the real target for the cyber infiltration was its plans for a Lockheed Martin-designed satellite dubbed Jabiru-1. "A company like Lockheed Martin, they have restrictions on the countries where they can build their satellites," he said. "So a country like China being able to get a hold of confidential design plans would be very beneficial for them because it's not something they would see or be able to have access to." Mr Peter was first told about the hack of the company in 2013 at a top-level meeting with ASD. The issue had come to a head because of Newsat's advanced plans to employ a restricted encryption tool for use with the new satellite designed by the US Government's NSA. ASD refused to release the tool to Newsat until it tackled the sophisticated cyber intrusion, with intelligence officials telling the company its networks were "the most corrupted" they had seen.
"They actually said to us that we were the worst," Mr Peter said. "What came out of that meeting was we had a serious breach on our network and it wasn't just for a small period of time, they'd been inside our network for a long period, so maybe about two years. And the way it was described to us was they are so deep inside our network it's like we had someone sitting over our shoulder for anything we did." To rid the network of the infestation, Mr Peter had to build a parallel network in secret so as to not tip off the hackers that had been identified. That work took almost a year and cost the better part of $1 million. Mr MacGibbon said the revelations were no surprise. "I can't say which particular nation state would get involved in getting into a telecommunications system but I can understand why a nation state would," he said. "If you wanted to listen to someone's communications that's probably a good place to start."

Austrade regularly challenged by security issues

Australia's trade and investment commission, Austrade, has had persistent problems with cyber security, Four Corners has learned. The discovery of a major infestation in the Austrade network was made during work that began in 2013 within the department to develop a new data centre and a redesigned IT infrastructure. In March 2014, the agency's cyber security regime underwent an ASD-designed security assessment required because Austrade not only carries sensitive communications but works closely with the Department of Foreign Affairs and Trade. An intelligence community figure said the tests resulted in a "series of red flags". He said the infiltration was "covering the network".
Austrade brought in UXC Saltbush, a cyber security contractor, to investigate its networks and put mitigation works in place to prevent future breaches. A former high-ranking intelligence official said the Austrade breach followed a previous problem in 2011, which was a textbook example of a "successful [and] deeper penetration". Jim Dickins, an Austrade spokesman, said the organisation "faces ongoing and fluid challenges to its information technology security". "Austrade has worked with the Australian Signals Directorate on occasion to contain and eradicate threats but is unable to comment on specific instances. Mitigation strategies developed on those occasions are applied on an ongoing basis." The intelligence community figure said the problems had still not been entirely addressed because of the high cost of a comprehensive network-wide security upgrade, but Mr Dickins denied there were any "significant" persistent issues. "Austrade is not currently dealing with any significant threats or breaches of its network," he said. A third intelligence source told Four Corners that "Austrade is inherently vulnerable" because of its international footprint and reliance on locally-employed staff. "People are getting breached all the time," he said.

Endwall 08/31/2016 (Wed) 00:36:24 [Preview] No. 466 del
Hacker News
Two US State Election Systems Hacked to Steal Voter Databases — FBI Warns
Monday, August 29, 2016 Mohit Kumar
A group of unknown hackers or an individual hacker may have breached voter registration databases for election systems in at least two US states, according to the FBI, who found evidence during an investigation this month. Although no intrusion into the state voting systems has been reported, the FBI is currently investigating the cyberattacks on the official websites for the voter registration systems in both Illinois and Arizona, said Yahoo News. The FBI's Cyber Division released a "Flash Alert" to election offices and officials across the United States, asking them to watch out for any potential intrusions and take better security precautions. "In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website," the FBI alert reads. "The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor." The SQL injection attack on the Illinois state board website took place in late July, which brought down the state’s voter registration for ten days and siphoned off data on as many as 200,000 registered voters. However, the Arizona attack was less significant, as the hackers were not able to discover any potential loophole using a vulnerability scanning tool, which could have allowed them to steal any data successfully. In the wake of these attacks, the FBI also advised the ‘Board of Elections’ of all States to investigate their server logs and determine whether any similar SQL injection, privilege escalation attempts, or directory enumeration activity has occurred. Last December, a misconfigured 300GB database also resulted in the exposure of around 191 million US voter records, including their full names, home addresses, unique voter IDs, dates of birth and phone numbers.
Why Blame Russia, Always? There's No Evidence Yet

The attacks against the state election boards came weeks after the DNC hack that leaked embarrassing emails about the party, leading to the resignation of DNC (Democratic National Committee) Chairwoman Debbie Wasserman Schultz. Some security experts and law enforcement agencies raised concerns about politically motivated hacking, pointing the finger at Russian state-sponsored hackers in an attempt to damage Hillary Clinton’s presidential campaign. Although the FBI does not attribute the recent attacks to any particular hacking group or country, Yahoo News links the attacks to Russia on the basis of the IP addresses involved. However, those IP addresses that the FBI said were associated with the attacks belong to a Russian VPN service, which does not prove that the Russians are behind the attacks. It's believed that the hacks were carried out to disturb the election process either by altering voting totals in the database or by modifying the voter registration page.

Script-Kiddie Move Reveals Everything

But, by scanning the website with a vulnerability scanner and downloading the whole database, the ‘script-kiddies’ themselves made a rod for their own back, which indicates that they are neither sophisticated state-sponsored hackers, nor had any intention to influence the election covertly. Neither the Illinois nor the Arizona board of elections has responded to these hack attempts.
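The alert above asks election offices to review their server logs for SQL injection, privilege escalation attempts and directory enumeration. As an added example, not from the article or the FBI alert, the script below runs a simple triage over constructed access-log lines: it URL-decodes request paths and matches common SQL injection indicators, counts 404 bursts per client as an enumeration signal, and flags user agents that name known scanners. The log lines, addresses (RFC 5737 documentation ranges) and threshold are constructed; the user-agent check is only a heuristic, since tools can change their agent string, and privilege escalation is not something a web access log alone shows, so it is out of scope here.

```python
"""Added example (not from the article or the FBI alert): a small triage of
web access logs for the indicators election offices were told to look for.
All log lines below are constructed samples."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format. Client
# addresses come from RFC 5737 documentation ranges; user agents are
# modelled on common scanner strings but are not real captures.
SAMPLE_LOG = """\
192.0.2.5 - - [12/Jul/2016:09:01:02 -0500] "GET /status?app_id=A-1001&last=Lovelace HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2016:09:02:10 -0500] "GET /status?app_id=A-1001&last=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48213 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.10 - - [12/Jul/2016:09:02:11 -0500] "GET /status?app_id=A-1001%27%20UNION%20SELECT%20null%2Cnull-- HTTP/1.1" 500 221 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [12/Jul/2016:09:05:00 -0500] "GET /admin/ HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
198.51.100.7 - - [12/Jul/2016:09:05:00 -0500] "GET /backup/ HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
198.51.100.7 - - [12/Jul/2016:09:05:01 -0500] "GET /old/ HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
198.51.100.7 - - [12/Jul/2016:09:05:01 -0500] "GET /db/ HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
198.51.100.7 - - [12/Jul/2016:09:05:02 -0500] "GET /test/ HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
192.0.2.9 - - [12/Jul/2016:09:06:30 -0500] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the URL-decoded path: quote-tautologies,
# UNION SELECT, trailing comment, stacked DROP, timing functions, schema probes.
SQLI_RE = re.compile(
    r"('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*drop\s|sleep\(|benchmark\(|information_schema)",
    re.IGNORECASE,
)

# Tool names the alert mentions plus one other common scanner; heuristic only.
SCANNER_TOKENS = ("sqlmap", "dirbuster", "acunetix", "nikto")


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["decoded_path"] = unquote_plus(e["path"])  # decode before matching
        entries.append(e)
    return entries


def find_sqli(entries):
    """Return (ip, decoded path) for requests carrying SQL injection indicators."""
    return [(e["ip"], e["decoded_path"]) for e in entries if SQLI_RE.search(e["decoded_path"])]


def find_scanner_agents(entries):
    """Return sorted (ip, tool) pairs whose user agent names a known scanner."""
    hits = set()
    for e in entries:
        ua = e["ua"].lower()
        hits.update((e["ip"], tok) for tok in SCANNER_TOKENS if tok in ua)
    return sorted(hits)


def find_enumeration(entries, threshold=5):
    """Clients with at least `threshold` 404 responses: a directory-brute-force signal."""
    misses = Counter(e["ip"] for e in entries if e["status"] == 404)
    return {ip: n for ip, n in misses.items() if n >= threshold}


def triage(text, threshold=5):
    """Run all three checks over a log text and return the findings."""
    entries = parse_log(text)
    return {
        "parsed": len(entries),
        "sqli": find_sqli(entries),
        "scanners": find_scanner_agents(entries),
        "enumeration": find_enumeration(entries, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the two decoded `/status` requests from 203.0.113.10 match the injection indicators, 198.51.100.7 crosses the 404 threshold, and the lone favicon miss from a browser does not.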

Endwall 08/31/2016 (Wed) 00:53:59 [Preview] No. 467 del
Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool
Woburn, MA, August 30, 2016 – At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects that were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia. It was the largest financial cybercrime group to be caught in recent years. However, this wasn’t the only cybercriminal activity the Lurk group has been involved in. According to analysis of the IT infrastructure behind the Lurk malware, its operators were developing and renting their exploit kit out to other cybercriminals. Their Angler exploit kit is a set of malicious programs capable of exploiting vulnerabilities in widespread software and silently installing additional malware on PCs. For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybercriminal groups involved in propagating different kinds of malware used it: from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware – one of the most active and dangerous ransomware threats online – TeslaCrypt and others. Angler was also used to propagate the Neverquest banking Trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group. As research conducted by Kaspersky Lab security experts has shown, the Angler exploit kit was originally created for a single purpose: to provide the Lurk group with a reliable and efficient delivery channel, allowing their banking malware to target PCs. Being a very closed group, Lurk tried to accumulate control over their crucial infrastructure instead of outsourcing some parts of it as other groups do. But in 2013, things changed for the gang, and they opened access to the kit to all who were willing to pay.
“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main “business” – cyber-robbing organizations – was decreasing due to a set of security measures implemented by remote banking system software developers. These made the process of theft much harder for these hackers. But by that time Lurk had a huge network infrastructure and a large number of “staff” - and everything had to be paid for. They therefore decided to expand their business, and they succeeded to a certain degree. While the Lurk banking Trojan only posed a threat to Russian organizations, Angler has been used in attacks against users worldwide,” explained Ruslan Stoyanov, head of computer incident investigations. The Angler exploit kit – its development and support – wasn’t the only Lurk group side activity. Over more than a five year period, the group moved from creating very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft schemes involving SIM-card swap fraud and hacking specialists familiar with the inside infrastructure of banks. All Lurk group actions during this time were monitored and documented by Kaspersky Lab security experts. Read more about how Kaspersky Lab researched the activity of the Lurk group over five years in an article by Ruslan Stoyanov on Securelist.com.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats.
Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.

Endwall 08/31/2016 (Wed) 00:59:49 [Preview] No. 468 del
Security Affairs
The Network of NewSat satellite telco firm was the ‘most corrupted’ ever
August 29, 2016 By Pierluigi Paganini
The Network of NewSat satellite firm was the ‘most corrupted’ ever; it was hacked by foreign hackers and it had interception kit in its data centre.
The story demonstrates the high interest of spy agencies in hacking communication systems. Once upon a time, the Australian satellite company was deeply hacked by cyber spies that completely corrupted its network. The company is now out of business; its assets were sold off last year after it went into administration. According to a former staffer who has spoken on condition of anonymity to the Australian Broadcasting Corporation, it was ‘the most corrupted’ network the nation’s intelligence had encountered. According to the ABC broadcast, the news of the hack was already reported in 2013, when the company reported the security breach to the Australian Signals Directorate. The Chinese nation-state hackers made the organization “the most corrupted network [the Directorate] had ever seen”, the ABC reports. Former Central Intelligence Agency Chief Michael Hayden declared that China’s efforts against Australia aimed at “the theft of information, and really by and large the theft of information for commercial profit.” According to the official, hackers were interested in sensitive information such as the plans for a Lockheed Martin-designed satellite dubbed Jabiru-1. “Given we were up against China, state-sponsored, a lot of money behind them and a lot of resources and we were only a very small IT team, it certainly wasn’t a fair fight for us,” Newsat’s former IT manager Daryl Peter said. The issue had come to the headlines because the Newsat company was planning to install a restricted encryption tool to allow the NSA to spy on satellite communications, so it notified its intent to the ASD. The Australian Signals Directorate refused to release the encryption tool to Newsat until it was able to eradicate the intruders from its systems. Intelligence officials replied to the company telling it its networks were “the most corrupted” they had seen.

Australian satellite company Newsat Ltd was forced to rebuild its entire network in secret. (Four Corners)

Intelligence officials who examined the Newsat infrastructure confirmed it was “the most corrupted” they had seen. “They actually said to us that we were the worst,” Mr Peter said. “What came out of that meeting was we had a serious breach on our network and it wasn’t just for a small period of time, they’d been inside our network for a long period, so maybe about two years. And the way it was described to us was they are so deep inside our network it’s like we had someone sitting over our shoulder for anything we did.” According to the anonymous source who has revealed the story to the ABC, the Newsat network was completely rebuilt. Anyway, the NewSat company had installed an Australian Government communications interception system in its data centre, but the Australian Government had refused to deploy the restricted NSA encryption tool due to the security breach it discovered. “They (NewSat) had a lot of dealings with Middle East organisations,” the source said. Let me suggest reading a detailed analysis published by the ABC’s Four Corners that confirms Australian Government computer networks were breached by hackers.

Endwall 08/31/2016 (Wed) 01:08:46 [Preview] No. 470 del
Security Affairs
Minecraft World Map data breach, 71,000 accounts leaked online
The popular security expert Troy Hunt reported some 71,000 user accounts and IP addresses have been leaked from the website Minecraft World Map.
Another data breach affects the gaming industry; this time, 71,000 Minecraft World Map accounts have been leaked online after the ‘hack.’ Some 71,000 user accounts and IP addresses have been leaked from the Minecraft fan website Minecraft World Map. The Minecraft World Map site is very popular within the Minecraft gaming community; gamers can use the web property to share the worlds they have built. The popular security expert Troy Hunt reported the data dumps that include 71,000 user accounts and IP addresses.

New breach: Minecraft World Map had 71k user accounts hacked in Jan. 55% were already in @haveibeenpwned https://t.co/hv1u9SmRVj — Have I been pwned? (@haveibeenpwned) 29 August 2016

Exposed records include email addresses, IP address data and login credentials for the popular site Minecraft World Map; Troy Hunt clarified that passwords included in the dumps were salted and hashed.
A rapid check allowed the Australian expert to verify that more than half of the compromised accounts were already listed in his online service haveibeenpwned.com, which allows users to discover if they have an account that has been compromised in a data breach. According to the experts, the website Minecraft World Map was breached in January 2016, but the incident was not publicly reported. “In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords. Compromised data: Email addresses, IP addresses, Passwords, Usernames” Hunt wrote on his website.

Users have to reset their passwords on the Minecraft World Map and on any other website that shares the same login credentials. This is the latest incident in the gaming industry to be disclosed online; recently security vulnerabilities in the vBulletin platform have exposed more than 27 million accounts, many of them belonging to gamers on mail.ru. Taking a closer look at the compromised mail.ru accounts, they belong to CFire, parapa.mail.ru (ParaPa Dance City game), and tanks.mail.ru (Ground War: Tank game).

Endwall 08/31/2016 (Wed) 01:10:28 [Preview] No. 471 del
Attackers deploy rogue proxies on computers to hijack HTTPS traffic
The new attack uses Word documents loaded with malicious code
Lucian Constantin * IDG News Service | August 30, 2016
Security researchers have highlighted in recent months how the web proxy configuration in browsers and operating systems can be abused to steal sensitive user data. It seems that attackers are catching on.

A new attack spotted and analyzed by malware researchers from Microsoft uses Word documents with malicious code that doesn't install traditional malware, but instead configures browsers to use a web proxy controlled by attackers. In addition to deploying rogue proxy settings, the attack also installs a self-signed root certificate on the system so that attackers can snoop on encrypted HTTPS traffic as it passes through their proxy servers.

The attack starts with spam emails that have a .docx attachment. When opened, the document displays an embedded element resembling an invoice or receipt. If clicked and allowed to run, the embedded object executes malicious JavaScript code. The JavaScript code is obfuscated, but its purpose is to drop and execute several PowerShell scripts. PowerShell is a scripting environment built into Windows that allows the automation of administrative tasks.

One of the PowerShell scripts deploys a self-signed root certificate that will later be used to monitor HTTPS traffic. Another script adds the same certificate to the Mozilla Firefox browser, which uses a separate certificate store from the one in Windows. The third script installs a client that allows the computer to connect to the Tor anonymity network. That's because the attackers use a Tor .onion website to serve the proxy configuration file.

The system's proxy auto-config setting is then modified in the registry to point to the .onion address. This allows attackers to easily change the proxy server in the future if it's taken offline by researchers. "At this point, the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned," the Microsoft researchers said in a blog post.
"This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information or web credentials could be stolen remotely, without user awareness."

Researchers from the SANS Internet Storm Center recently reported a similar attack from Brazil, where hackers installed rogue proxies on computers in order to hijack traffic to an online banking website. A rogue root CA certificate was deployed in that case as well in order to bypass HTTPS encryption. At the DEF CON and Black Hat security conferences earlier this month, several researchers showed how man-in-the-middle attackers can abuse the Web Proxy Auto-Discovery (WPAD) protocol to remotely hijack people's online accounts and steal their sensitive information, even when those users access websites over encrypted HTTPS or VPN connections.
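The article describes the persistence artefacts this campaign leaves behind: a proxy auto-config (PAC) URL in the per-user registry pointing at a .onion address, and a self-signed root certificate. From a defender's side, those are the two things worth auditing. The Python below is an added example (not code from Microsoft, IDG or the article) that parses a `reg export` dump of `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and flags a PAC URL, a PAC URL on a .onion host, or a static proxy. The dump text is constructed here for the demonstration, and the onion hostname in it is an obvious placeholder, not an indicator from the campaign.

```python
"""Audit exported per-user Windows proxy settings for a rogue PAC or static proxy.

Added example. Input is the text of `reg export` for the Internet Settings key
(real exports are UTF-16LE with a BOM; decode first). The samples below are
constructed for this demonstration and are not captures from any incident.
"""
import re

# Constructed sample: PAC URL points at a (placeholder) Tor onion service.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigURL"="http://placeholderonionaddress000000.onion/proxy.pac"
"MigrateProxy"=dword:00000001
"""

# Constructed clean baseline: no PAC URL, no static proxy.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000001
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_reg_values(reg_text):
    """Return {name: value} for the values in a reg export.

    dword values become ints; quoted strings are unquoted and un-escaped.
    The audit only needs the single key that the sample contains.
    """
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group("name"), m.group("value")
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1].replace("\\\\", "\\")
        else:
            values[name] = raw
    return values


def pac_host(url):
    """Lower-cased host part of a PAC URL (scheme and path stripped)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I).split("/")[0].lower()


def audit_proxy_settings(reg_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    v = parse_reg_values(reg_text)
    findings = []
    pac = v.get("AutoConfigURL")
    if pac:
        if pac_host(pac).endswith(".onion"):
            findings.append(("high", f"PAC URL points at a Tor onion service: {pac}"))
        else:
            findings.append(("medium", f"PAC URL configured; confirm it is sanctioned: {pac}"))
    if v.get("ProxyEnable") == 1 and v.get("ProxyServer"):
        findings.append(("medium", f"Static proxy enabled: {v['ProxyServer']}"))
    return findings


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, audit_proxy_settings(dump) or "no findings")
```

The same check belongs in any endpoint baseline: an unexpected `AutoConfigURL` on a machine that does not use PAC at all is already a finding, regardless of where it points. Pairing it with a diff of the trusted root store (and Firefox's own `cert9.db`/`cert8.db`) against a known-good list covers the second half of this campaign.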

Endwall 08/31/2016 (Wed) 01:12:44 [Preview] No. 472 del
Comey: FBI wants 'adult conversation' on device encryption
Eric Tucker, Associated Press,Updated 4:33 pm, Tuesday, August 30, 2016
WASHINGTON (AP) — FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. The Justice Department decided within the last year to not seek a legislative resolution, and some of the public debate surrounding the FBI's legal fight with Apple Inc. has subsided in the last few months since federal authorities were able to access a locked phone in a terror case without the help of the technology giant. The FBI sought a court order to force Apple to help it hack into an iPhone used by one of the San Bernardino shooters, a demand the tech giant and other privacy advocates said would dramatically weaken security of its products. The FBI ultimately got in the phone with the help of an unidentified third party, leaving the legal dispute unresolved. But Comey made clear Tuesday he expects that dialogue to continue. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces — including houses, cars and electronic devices. 
But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States — through judges and law enforcement — can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that their privacy was more important than "that portion of the room being dark."

He also stood by the Justice Department's decision to bring indictments against Chinese and Iranian officials in major cyberattack cases in the last two years, rejecting criticism from those who have called the criminal charges meaningless gestures unlikely to result in a conviction. "We want to lock some people up, so that we send a message that it's not a freebie to kick in the door, metaphorically, of an American company or private citizen and steal what matters to them," Comey said. "And if we can't lock people up, we want to call it out. We want to name and shame through indictments, or sanctions, or public relation campaigns, who is doing this and exactly what they're doing." Those actions can make a foreign defendant think twice before traveling overseas, and can deter governments. He said there's been progress with the Chinese government since 2014 indictments that accused five Chinese military officials of siphoning secrets from American corporations. "We are working hard to make people at keyboards feel our breath on their necks and try to change that behavior," he said. "We've got to get to a point where we can reach them as easily as they can reach us and change behavior by that reach-out."

Endwall 08/31/2016 (Wed) 01:20:30 [Preview] No. 474 del
Privacy Groups File FTC Complaint over WhatsApp Data Sharing with Facebook
by Michael Mimoso Follow @mike_mimoso August 30, 2016 , 12:23 pm
Alleging a trail of broken promises, two privacy-focused advocacy groups yesterday filed a complaint with the Federal Trade Commission against a recent WhatsApp privacy policy change that states it will begin sharing user data with parent company Facebook. The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) said in a joint complaint that the proposed change constitutes an unfair and deceptive trade practice, and called on the FTC to investigate.
EPIC Consumer Protection Counsel Claire T. Gartland told Threatpost that the FTC has yet to reply to the complaint; the commission does not publicize investigations and filing organizations may not be notified whether the FTC proceeds on a complaint, most of which are ultimately settled without formal hearings. “EPIC will be keeping the pressure on the Commission to act, since this is such a clear violation of their numerous statements on the issue,” Gartland said. “If and when the FTC acts, they have the power to stop the proposed changes from going forward and/or enter into a settlement agreement with the companies – similar to the 2012 consent order with Facebook.” In 2012, the FTC and Facebook settled over charges that Facebook repeatedly shared information that users intended to remain private. Facebook was ordered in the settlement to give consumers “clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers’ information, and by obtaining biennial privacy audits from an independent third party,” the FTC said in a release. WhatsApp, which was acquired by Facebook two years ago for $19 billion, said last Thursday in a blogpost that it would soon begin sharing users’ phone numbers with Facebook, a move that would improve targeted advertising and connections with the friends on Facebook. “Our belief in the value of private communications is unshakeable, and we remain committed to giving you the fastest, simplest, and most reliable experience on WhatsApp,” WhatsApp said. EPIC and CDD, however, said in their complaint to the FTC that the transfer of such data was collected by WhatsApp under promises made in the early days of the Facebook acquisition that private information would not be used or disclosed for marketing purposes. 
WhatsApp says in its new policy that users will have the opportunity to choose not to share data with Facebook, rather than opt-in to the program. In the FTC complaint, EPIC and CDD point out that WhatsApp founder Jan Koum and Facebook founder Mark Zuckerberg both promised that WhatsApp would operate autonomously and that nothing would change regarding the way WhatsApp uses user data. The complaint also references a 2014 complaint filed with the FTC by EPIC and CDD that called for an investigation and possible injunction blocking the acquisition. Yesterday’s complaint cites a 2014 letter from FTC Consumer Protection Bureau director Jessica Rich to Facebook and WhatsApp officers reminding the companies of promises Facebook made to WhatsApp users, stating that any uses of WhatsApp user data for marketing and advertising purposes violates privacy promises made by the two companies, and that both must obtain consumers’ consent before doing so. “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties–promises that exceed the protections currently promised to Facebook users,” Rich wrote. “We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.” WhatsApp and Facebook combined have more than two billion users globally. WhatsApp’s messaging service in April introduced end-to-end encryption based on the Signal protocol, securing calls, messages, files, video and voice messages.

Endwall 08/31/2016 (Wed) 01:22:18 [Preview] No. 475 del
Danish Man Arrested for DDoS Attacks on Finnish State Websites
Attacker also DDoSed sites in Denmark, Norway, and the US
Aug 30, 2016 15:25 GMT · By Catalin Cimpanu ·
Danish police arrested a young Dane for launching DDoS attacks against Finnish government websites, local newspaper Yle Uutiset reports. Police did not reveal the suspect's name, but a representative of Finland's NBI Cybercrime Centre told the press that the identity of the attacker is clear. According to Detective Chief Inspector Jyrki Kaipanen, one man was behind all the attacks. The same suspect is also being investigated by Danish authorities for similar DDoS attacks against websites in Denmark, Norway and the US. All countries collaborated on investigating the attacks, including the FBI.

In Finland, authorities accused the young Dane of launching DDoS attacks against more than 200 websites, some belonging to the government. Finnish officials said the crook launched 4-5-hour-long DDoS attacks against the websites of the Social Insurance Institution (Kela), the Ministry of Defence and Parliament. The DDoS attacks took place last spring, in February and March. At the time, officials said the attacker had managed to slow down the websites, even halting functionality for hours.

There are many incidents of DDoS attacks occurring on a daily basis all around the world. Most of these take place because of the low cost of renting a DDoS botnet to carry out the attacks. In most cases, perpetrators get away with their crimes, but sometimes authorities track down and arrest the attackers because they used their home connection to connect to and manage the botnet, or because the perpetrators liked to brag online, revealing their identity.

Endwall 08/31/2016 (Wed) 01:54:59 [Preview] No. 476 del
Lurk cybercrime gang developed, maintained and rented the Angler EK
August 30, 2016 By Pierluigi Paganini
Experts from Kaspersky Lab confirmed that the Lurk cybercrime gang developed, maintained and rented the infamous Angler Exploit Kit.
Security experts from Kaspersky Lab have confirmed that the Lurk cybercrime group is the author of the infamous Angler exploit kit. The members of the Lurk cybercrime crew were arrested by Russian law enforcement this summer; according to the experts, they also offered for rent the Angler exploit kit, which after the arrests disappeared from the exploit landscape. Law enforcement arrested suspects in June; authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan.

According to the Cisco Talos researchers, after the arrests of the individuals behind the Lurk banking trojan, a rapid disappearance of the Angler EK in the wild was observed. Malware researchers confirmed that the overall traffic related to other EKs shows a drastic fall, around 96% since early April. The Angler and Nuclear exploit kits rapidly disappeared, likely due to the operations conducted by law enforcement in the malware industry.

A joint investigation conducted by the Russian Police and Kaspersky Lab allowed the identification of the individuals behind the Lurk malware. The experts now confirmed that the Lurk group was also responsible for developing and maintaining the Angler exploit kit, which they called “XXX.” Experts from Kaspersky published a blog post that details how the security firm helped law enforcement in catching the Lurk cybercrime group. The experts explained that the Lurk gang started renting the Angler Exploit Kit after their fraudulent activities became less profitable. “In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity. This included developing, maintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver Lurk to victims’ computers.
But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools.” “Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” reads the post. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.” Lurk first appeared on the scene in 2011 when its activities were first spotted by Kaspersky experts. Kaspersky initially determined the Lurk cybercrime group was composed of roughly 15 people. Across the years the number of members of the criminal gang increased to 40.
Kaspersky also provided an estimation of the cost for the Lurk infrastructure that reached tens of thousands of dollars per month. “The criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.” continues the post.

Endwall 08/31/2016 (Wed) 05:21:35 [Preview] No. 483 del
Hak 5
Was Shadow Brokers an Inside Job? - Threat Wire

Endwall 08/31/2016 (Wed) 22:10:43 [Preview] No. 484 del
Hak 5
15 Second Password Hack, Mr. Robot Style - Hak5 2101 - Duration: 30 minutes.

Endwall 09/01/2016 (Thu) 00:19:55 [Preview] No. 485 del
Ars Technica
Building a new Tor that can resist next-generation state surveillance
J.M. Porup (UK) - Aug 31, 2016 12:42 pm UTC
Since Edward Snowden stepped into the limelight from a hotel room in Hong Kong three years ago, use of the Tor anonymity network has grown massively. Journalists and activists have embraced the anonymity the network provides as a way to evade the mass surveillance under which we all now live, while citizens in countries with restrictive Internet censorship, like Turkey or Saudi Arabia, have turned to Tor in order to circumvent national firewalls. Law enforcement has been less enthusiastic, worrying that online anonymity also enables criminal activity.

Tor's growth in users has not gone unnoticed, and today the network first dubbed "The Onion Router" is under constant strain from those wishing to identify anonymous Web users. The NSA and GCHQ have been studying Tor for a decade, looking for ways to penetrate online anonymity, at least according to these Snowden docs. In 2014, the US government paid Carnegie Mellon University to run a series of poisoned Tor relays to de-anonymise Tor users. A 2015 research paper outlined an attack effective, under certain circumstances, at decloaking Tor hidden services (now rebranded as "onion services"). Most recently, 110 poisoned Tor hidden service directories were discovered probing .onion sites for vulnerabilities, most likely in an attempt to de-anonymise both the servers and their visitors.

Cracks are beginning to show; a 2013 analysis by researchers at the US Naval Research Laboratory (NRL), who helped develop Tor in the first place, concluded that "80 percent of all types of users may be de-anonymised by a relatively moderate Tor-relay adversary within six months." Despite this conclusion, the lead author of that research, Aaron Johnson of the NRL, tells Ars he would not describe Tor as broken—the issue is rather that it was never designed to be secure against the world’s most powerful adversaries in the first place.
"It may be that people's threat models have changed, and it's no longer appropriate for what they might have used it for years ago," he explains. "Tor hasn't changed, it's the world that's changed."

(Image caption: Tor use in Turkey spiked during the recent crackdown.)

Tor's weakness to traffic analysis attacks is well-known. The original design documents highlight the system's vulnerability to a "global passive adversary" that can see all the traffic both entering and leaving the Tor network. Such an adversary could correlate that traffic and de-anonymise every user. But as the Tor project's cofounder Nick Mathewson explains, the problem of "Tor-relay adversaries" running poisoned nodes means that a theoretical adversary of this kind is not the network's greatest threat. "No adversary is truly global, but no adversary needs to be truly global," he says. "Eavesdropping on the entire Internet is a several-billion-dollar problem. Running a few computers to eavesdrop on a lot of traffic, a selective denial of service attack to drive traffic to your computers, that's like a tens-of-thousands-of-dollars problem."

At the most basic level, an attacker who runs two poisoned Tor nodes—one entry, one exit—is able to analyse traffic and thereby identify the tiny, unlucky percentage of users whose circuit happened to cross both of those nodes. At present the Tor network offers, out of a total of around 7,000 relays, around 2,000 guard (entry) nodes and around 1,000 exit nodes. So the odds of such an event happening are one in two million (1/2000 x 1/1000), give or take.
But, as Bryan Ford, professor at the Swiss Federal Institute of Technology in Lausanne (EPFL), who leads the Decentralised/Distributed Systems (DeDiS) Lab, explains: "If the attacker can add enough entry and exit relays to represent, say, 10 percent of Tor's total entry-relay and exit-relay bandwidth respectively, then suddenly the attacker is able to de-anonymise about one percent of all Tor circuits via this kind of traffic analysis (10 percent x 10 percent)." "Given that normal Web-browsing activity tends to open many Tor circuits concurrently (to different remote websites and HTTP servers) and over time (as you browse many different sites)," he adds, "this means that if you do any significant amount of Web browsing activity over Tor, and eventually open hundreds of different circuits over time, you can be virtually certain that such a poisoned-relay attacker will trivially be able to de-anonymise at least one of your Tor circuits."

For a dissident or journalist worried about a visit from the secret police, de-anonymisation could mean arrest, torture, or death. As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users. The biggest hurdle? Despite the caveats mentioned here, Tor remains one of the better solutions for online anonymity, supported and maintained by a strong community of developers and volunteers. Deploying and scaling something better than Tor in a real-world, non-academic environment is no small feat.
Tor was designed as a general-purpose anonymity network optimised for low-latency, TCP-only traffic. Web browsing was, and remains, the most important use case, as evidenced by the popularity of the Tor Browser Bundle. This popularity has created a large anonymity set in which to hide—the more people who use Tor, the more difficult it is to passively identify any particular user. But that design comes at a cost. Web browsing requires low enough latency to be usable. The longer it takes for a webpage to load, the fewer the users who will tolerate the delay. In order to ensure that Web browsing is fast enough, Tor sacrifices some anonymity for usability and to cover traffic. Better to offer strong anonymity that many people will use than perfect anonymity that's too slow for most people's purposes, Tor's designers reasoned.

"There are plenty of places where if you're willing to trade off for more anonymity with higher latency and bandwidth you'd wind up with different designs," Mathewson says. "Something in that space is pretty promising. The biggest open question in that space is, 'what is the sweet spot?' "Is chat still acceptable when we get into 20 seconds of delay?" he asks. "Is e-mail acceptable with a five-minute delay? How many users are willing to use that kind of a system?" Mathewson says he's excited by some of the anonymity systems emerging today but cautions that they are all still at the academic research phase and not yet ready for end users to download and use. Ford agrees: "The problem is taking the next big step beyond Tor. We've gotten to the point where we know significantly more secure is possible, but there's still a lot of development work to make it really usable."

Endwall 09/01/2016 (Thu) 01:23:21 [Preview] No. 486 del
Soylent News
Big Data Busts Crypto: 'Sweet32' Captures Collisions in Old Ciphers
posted by janrinok on Wednesday August 31, @09:46AM
Researchers with France's INRIA are warning that 64-bit ciphers – which endure in TLS configurations and OpenVPN – need to go for the walk behind the shed. The research institute's Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a "birthday attack" on Blowfish and triple DES encryption. They dubbed the attack "Sweet32". Sophos' Paul Ducklin has a handy explanation of why it matters here. The trick to Sweet32, the Duck writes, is the attackers worked out that with a big enough traffic sample, any repeated crypto block gives them a start towards breaking the encryption – and collisions are manageably common with a 64-bit block cipher like Blowfish or Triple-DES. They call it a "birthday attack" because it works on a similar principle to what's known as the "birthday paradox" – the counter-intuitive statistic that with 23 random people in a room, there's a 50 per cent chance that two of them will share a birthday. In the case of Sweet32 (the 32 being 50 per cent of the 64 bits in a cipher), the "magic number" is pretty big: the authors write that 785 GB of captured traffic will, under the right conditions, yield up the encrypted HTTP cookie and let them decrypt Blowfish- or Triple-DES-encrypted traffic. [...] "Our attacks impact a majority of OpenVPN connections and an estimated 0.6% of HTTPS connections to popular websites. We expect that our attacks also impact a number of SSH and IPsec connections, but we do not have concrete measurements for these protocols" (emphasis added).
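The birthday reasoning behind Sweet32 is short enough to compute directly. The Python below is an added example, not code from INRIA, Sophos or the Sweet32 authors. It gives the generic collision bound for a block cipher of a given block size and the traffic volume that bound implies (for a 64-bit block that is tens of gigabytes of ciphertext for a 50 percent chance of a repeated block, against hundreds of exabytes for a 128-bit block); the paper's 785 GB figure reflects the attack's own conditions, which this generic bound does not model. The cipher-suite check at the end is the practical defender's use of the same fact: find the 64-bit block ciphers (3DES, Blowfish, IDEA, RC2) still enabled in a TLS or OpenVPN configuration.

```python
"""Birthday-bound arithmetic for block-cipher collisions, plus a cipher-suite check.

Added example. The probabilities use the standard birthday approximation
1 - exp(-n(n-1)/(2N)) for large n and the exact product for small n.
"""
import math


def collision_probability(n_samples, space_size):
    """P(at least two of n uniform samples from a space of size N collide)."""
    if n_samples < 2:
        return 0.0
    if n_samples > space_size:
        return 1.0  # pigeonhole: more samples than values
    if n_samples <= 10_000:
        no_collision = 1.0
        for i in range(n_samples):
            no_collision *= 1.0 - i / space_size
        return 1.0 - no_collision
    return 1.0 - math.exp(-n_samples * (n_samples - 1) / (2.0 * space_size))


def samples_for_probability(target, space_size):
    """Approximate n such that collision_probability(n, N) reaches target."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    return math.sqrt(2.0 * space_size * math.log(1.0 / (1.0 - target)))


def traffic_bytes_for_collision(block_bits, target=0.5):
    """Ciphertext volume (bytes) at which a repeated block is expected with P = target.

    Models CBC-style encryption under one key, where ciphertext blocks behave
    like uniform samples from the 2**block_bits block space.
    """
    blocks = samples_for_probability(target, 2.0 ** block_bits)
    return blocks * (block_bits // 8)


# Substrings that mark 64-bit block ciphers in OpenSSL, IANA and OpenVPN names.
SIXTY_FOUR_BIT_MARKERS = ("3DES", "DES-CBC", "DES_CBC", "BF-CBC", "BLOWFISH", "IDEA", "RC2")


def uses_64bit_block_cipher(cipher_name):
    """True if a TLS/OpenVPN cipher name indicates a 64-bit block cipher."""
    name = cipher_name.upper()
    return any(marker in name for marker in SIXTY_FOUR_BIT_MARKERS)


def sweet32_exposed(cipher_names):
    """Return the subset of configured cipher names that should be removed."""
    return [c for c in cipher_names if uses_64bit_block_cipher(c)]


if __name__ == "__main__":
    print(f"23 people, 365 days: {collision_probability(23, 365):.4f}")
    print(f"2^32 blocks, 64-bit space: {collision_probability(2 ** 32, 2 ** 64):.4f}")
    for bits in (64, 128):
        gb = traffic_bytes_for_collision(bits) / 1e9
        print(f"{bits}-bit block, 50% collision: {gb:.3g} GB of ciphertext")
    # Constructed list standing in for `openssl ciphers` output.
    configured = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-DES-CBC3-SHA", "BF-CBC"]
    print("remove:", sweet32_exposed(configured))
```

The volume for a 64-bit block lands around 40 GB for a coin-flip chance of one repeated block, which a long-lived HTTPS or VPN session can reach; a 128-bit block multiplies that by 2^33. The remediation the article points at is the last function: drop every suite it reports and, for OpenVPN, move off BF-CBC to an AES mode.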

Endwall 09/01/2016 (Thu) 03:12:03 [Preview] No. 487 del
Open Sources
Cybersecurity, Encryption Keep the FBI Busy
WASHINGTON, D.C. — Cyberattacks are hitting U.S. businesses and governments in multiple ways, and the Federal Bureau of Investigation is stepping up efforts to detect and deter the growing problem, said FBI Director James Comey. Comey made his remarks Tuesday, Aug. 30, just as his agency warned state election officials across the country to be on guard against hackers after the breach of a voter information database in Illinois and an attempted attack in Arizona.

Speaking at the Symantec Government Symposium, Comey labeled today’s hackers and data thieves as increasingly sophisticated and often part of a multinational or foreign state supported effort to breach information and databases. “Many of these threats are from criminals with inside information harvested from social media,” he said. Comey did not comment directly on the election hacking attempts, but said that the highest level of cyberthreats today are state-supported, and the biggest players include China, Russia and North Korea. “Next down in the threat stack are the multinational criminal syndicates, followed by purveyors of ransomware, which is spreading like a virus,” he said. Further down the list are the so-called hacktivists, who aren’t interested in profit, but in embarrassing institutions and governments through leaking sensitive data. Surprisingly, Comey listed terrorists as the weakest cyberthreat tracked by the FBI. He explained that terrorists are proficient at disseminating their messages to the public around the clock, but have yet to turn their attention toward computers as a target for terrorism.

To battle against the rising tide of cybercrime, the FBI has established cyberthreat teams around the country that take on threats based on their ability to counteract specific kinds of criminal activity. Comey said the program has created a healthy competition among teams to handle certain types of intrusions, extortions and breaches.
In addition, the bureau has a Cyber Action Team that is ready to fly into a hotspot and respond at any time. The FBI also works closely with the U.S. Department of Homeland Security and national intelligence, as well as foreign partners, to deter and, when possible, “incapacitate the bad boys,” he said. Like other government agencies, the FBI struggles to find information security talent willing to work for government pay. The director also said that working with state and local government has become increasingly important as cybercrime continues to grow. “We can’t help with every problem [faced by states and localities], but we can provide training and equipment,” he said.

Perhaps the most controversial remarks focused on privacy and encryption, or what Comey termed going dark. “This is our inability to use judicial authority to get access to data on a device,” he said. “Strong encryption is making more and more of the room going dark. In three years, post Snowden, through default encryption, that shadow is spreading through the room.” A growing number of technology firms, most notably Apple, have introduced devices that encrypt data that not even the companies themselves can access. The FBI and other law enforcement agencies say the devices have become warrant-proof spaces for criminals. The FBI has received 5,000 devices from state and local government agencies requesting help with decrypting them, Comey said, adding that the bureau was unable to open several hundred. With probable cause, he added, law enforcement has always been able to access an individual’s personal property, including communications, such as correspondence. “But there is no such thing as absolute privacy,” he said. “Widespread default encryption changes that bargain. We have never lived with absolute privacy, and default encryption impacts our ability to go after criminals and national security.
Tools are becoming less effective because we are going dark.” Comey called for a national conversation about the problem, saying an individual’s absolute control of data is not acceptable. But having that talk might not be easy. Nuala O’Connor, president and CEO of the Center for Democracy and Technology, spoke after Comey and strongly disagreed with his views on encryption. “I don’t agree with FBI Director Comey on dark room encryption,” she said. “The FBI wants to have the master key to the problem. That’s not right.”

Endwall 09/01/2016 (Thu) 03:13:12 [Preview] No. 488 del
SWIFT warns of new attacks, pushes for security upgrades
After cybercriminals lifted $81 million from Bangladesh Bank, SWIFT tightened security but attackers managed to compromise systems at some member banks. While six Democratic senators were beseeching President Obama in a letter to make cybercrime a priority at this weekend's Group of 20 Summit in China, SWIFT was sending a letter of its own to clients alerting them to additional attacks on member banks. Earlier attacks against SWIFT banks were, in part, the impetus behind the senators' letter to Obama, as legislators and world leaders have grown increasingly concerned about the devastation hacks could wreak on the global financial systems. "With so many attack vectors, it was just a matter of time before SWIFT became a focal point for cybercriminals with their financial understanding of the sector's common reactive-ness mentality, or in other words, 'let us see what gets hacked, and then we will react tactically to address it,'” Shane Stevens, VASCO Data Security's director of omni-channel identity and trust solutions, said in comments emailed to SCMagazine.com. “SWIFT got a wake-up call finally for its decision to stay with passwords, albeit stronger ones, when there are far more effective means of authentication available and the 30-year-old technology of passwords has long been proven easy to defeat.” The additional attacks, which SWIFT said indicated a threat that “is persistent, adaptive and sophisticated – and is here to stay,” included compromises of customers' environments “and subsequent attempts made to send fraudulent payment instructions,” according to Reuters, which obtained a copy of the SWIFT letter. “This new wave of cyber attacks leveraging the SWIFT messaging system highlights the fact that banks are still behind the times. They've mastered physical security with big vaults and armed guards,” Yorgen Edholm, CEO of Accellion, said in emailed comments to SCMagazine.com.
“However, Jesse James and Patty Hearst aren't the bank robbers society has to worry about any more. What's even more frustrating is the fact that hackers are employing the same methods time and time again – and are still successful. We need change now! Until SWIFT and their customers figure out together a way to prevent these hacks, they will continue and faith in the global banking system will continue to suffer.” Dawid Kowalski, technical director - EMEA at FireMon, said in comments emailed to SCMagazine.com that earlier “events related to Bangladesh Bank exposed weak points of risk management” while the “latest revelations show that for at least one of the attacks on Banks, there was a lack of firewall management, not to mention any security posture assessments or event correlation.” The first attacks, which resulted in the theft of $81 million from Bangladesh Bank in February, had prompted the global financial messaging system to tighten security and put in place additional security procedures. In the letter to clients, SWIFT urged its members to implement its updated software by the November 19 deadline or risk being reported to regulators and other banks, the report said. But following SWIFT's recommendations for upgrading security tools and procedures likely won't be enough, István Szabó, product manager at Balabit, said in comments emailed to SCMagazine.com. “It is important to highlight that these attacks are not primarily machine based and current security tools won't spot them, as the attackers have already gained a foothold behind the defense perimeters,” he said. “As the account they've used for such actions might already possess the highest level of privileges, the bad actors can often do whatever they want and cover up their tracks with ease.” Privileged users, he added, are targeted in these types of attacks. “Such sophisticated attacks require more sophisticated methods to discover and stop them,” he explained.

Endwall 09/01/2016 (Thu) 03:14:19 [Preview] No. 489 del
Security Affairs
Dropbox Data Breach, more than 68 Million account details leaked online
August 31, 2016 By Pierluigi Paganini
A Dropbox data breach that occurred in 2012 is forcing the company to reset login passwords for users included in a data dump leaked online.
Another clamorous data breach is in the headlines: a data dump containing more than 68 million account credentials for the online cloud storage platform Dropbox was leaked online. Earlier this week, Dropbox announced it was forcing password resets for a number of accounts after discovering the data dump online linked to a 2012 breach. “The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria. Specifically, we’re prompting the update for users who: * Signed up to use Dropbox before mid-2012, and * Have not changed their password since mid-2012” states the announcement published by Dropbox, which did not provide further details about the number of impacted users. Dropbox has confirmed the data breach that occurred in 2012; the company had already notified its users of a potential forced password reset in response to the incident. “We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, Head of Trust and Security for Dropbox. “We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.” According to Motherboard, which obtained parts of the leaked archive, the files contain email addresses and hashed passwords for the Dropbox users. Motherboard had access to four files in total, at around 5GB, that contain details on 68,680,741 accounts. Out of the 68 million accounts disclosed after the Dropbox data breach, 32 million passwords are protected by bcrypt hashing; the rest are hashed with the SHA-1 hashing algorithm.
“Motherboard was provided the full set by breach notification service Leakbase, and found many real users in the dataset who had signed up to Dropbox in around 2012 or earlier,” reported Motherboard. There is no doubt that the data is legitimate, as confirmed by an unnamed Dropbox employee who spoke on condition of anonymity. “Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” states a security update published by the company. In 2012, Dropbox initially notified users that one of its employee passwords was acquired and used to access a file with users’ email addresses, but the company didn’t disclose that the hackers were able to pilfer passwords too. The Dropbox data breach is the latest incident in order of time; other IT giants have suffered similar problems, including LinkedIn, MySpace, VK.com and Tumblr. In response to the Dropbox data breach, users, as usual, have to reset their passwords for the service and on any other website that shares the same login credentials.

Endwall 09/01/2016 (Thu) 03:15:45 [Preview] No. 490 del
Open Sources
Hacker Interviews – NorthScripts from P0werfulGreakArmy
Aug 31, 2016
NorthScripts is one of the members of the PøwerfulGreəkArmy hacker group, a young team that conducted several hacking campaigns against multiple targets. Enjoy the interview! Could you tell me more about you? Could you tell me what your technical background is and when you started hacking? I started hacking in 2013, but got better in 2015 when I started the development of 0-day exploits, developing custom programs and scripts; that’s why I use the name “NorthScripts,” North because I live in North America. What was your greatest hacking challenge? My greatest hacking challenge was when I took down the BBC News website with P.G.A and PhantomSquad. What are your motivations? I want to get the world free from racists. What was your latest hack? Can you describe it to me? My latest hack was an attack against the ISIS Government website. What are the 4 tools that cannot be missed in the hacker’s arsenal and why? A botnet. Every hacker should know coding. A Linux system (for example Backbox). Php shells. A VPN to protect anonymity online. Which are the most interesting hacking communities on the web today, and why? There are a lot of interesting communities on the web, but Hackforums is still the best. Did you participate in hacking attacks against the IS propaganda online? When? How? Yes, I have participated in several attacks, but not so much. I’m not the best at defacing websites; I’m known for my DDoSing abilities, for developing DDoS scripts, proxies, doxxes and all the other things.

Endwall 09/01/2016 (Thu) 03:16:49 [Preview] No. 491 del
Computer World
SWIFT: More banks hacked; persistent, sophisticated threat is here to stay
SWIFT warned that more banks have been attacked, some losing money in the high-tech heists, and urged banks to tighten security since the persistent and sophisticated threat is here to stay.
Computerworld | Aug 31, 2016 9:43 AM PT
Bad news for banks with lax security that also use SWIFT, the global financial transaction messaging network, as hackers are still pulling off high-tech heists. On Tuesday, the Society for Worldwide Interbank Financial Telecommunication, more commonly called SWIFT, notified customers of “ongoing attacks.” Hackers have again stolen money from banks, yet SWIFT did not say how many attacks were successful, did not identify specific banks and did not say how much was stolen. The banks, which “varied in size and geography and used different methods for accessing SWIFT,” shared one common denominator; each had weak local security. The SWIFT notice, according to Reuters, read: Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay. Banks were urged to stop dragging their feet, get serious about security, and get the latest version of SWIFT software installed pronto. Or else… Although SWIFT claimed it doesn’t disclose “affairs of specific customers,” that confidentiality arrangement might change. If banks miss the November 19 deadline for installing the latest and more secure version of SWIFT software, then SWIFT threatened it might report the banks “to regulators and banking partners.” No bank wants its private dirty laundry to be aired in public. The newest SWIFT software reportedly includes security features which could have stopped the latest hack attacks. The features were rolled out after Bangladesh Bank was breached and almost lost $1 billion … saved only by a New York Federal Reserve Bank employee noticing a typo which raised suspicions about the payment request. Bangladesh Bank had used $10 second-hand networking gear and had no firewall. Researchers at BAE analyzed the malware which is believed to have been designed specifically so attackers can abuse SWIFT. After other banks were targeted, SWIFT issued a warning. 
Hackers managed to steal $12 million from Ecuador's Banco del Austro and attempted to steal $1.36 million from Vietnam's Tien Phong Bank. Attacks abusing weak security measures to target SWIFT were also aimed at banks in the Philippines and New Zealand. The security firm FireEye was sent in to investigate attacks on up to another dozen banks. Symantec researchers suspected that a hacking group known as Lazarus was responsible for the attacks; in fact, the wiping code used to hide the bank hacks was also used in the Sony Pictures attack. The FBI decided the North Korean government was behind the attack on Sony. Near the end of June, hackers stole $10 million from an unnamed Ukrainian bank after taking advantage of shoddy security and then transferring money out via SWIFT. The Information Systems Audit and Control Association reported, “Dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars.” SWIFT believes better security could put an end to these high-tech heists. In its letter to customers, SWIFT said the affected banks “shared one thing in common; they have all had particular weaknesses in their local security. These weaknesses have been identified and exploited by the attackers, enabling them to compromise the customers’ local environments and input the fraudulent messages.” SWIFT has tried repeatedly to get banks to step up security, adding that there is “no indication that the SWIFT network or core messaging services have been compromised.”

Endwall 09/01/2016 (Thu) 03:19:00 [Preview] No. 492 del
Who is Guccifer 2.0, the mysterious hacker targeting the Democratic Party?
An internal memo reportedly hacked from the personal computer of Nancy Pelosi, the top Democrat in the US House of Representatives, shows how officials were briefed on how to respond to the Black Lives Matter (BLM) movement – including tactics on how to answer questions by activists. The document, reportedly authored in November last year by a staffer called Troy Perry, states that Democratic Party candidates and members should never use the phrase “all lives matter” nor mention “black on black crime” as they are viewed as red herring attacks and will garner additional media scrutiny and only anger BLM activists. The Black Lives Matter movement was formed in 2012 following the death of Trayvon Martin and has been at the forefront of alleged US police brutality ever since – documenting and protesting the slew of killings including, most recently, those of Alton Sterling and Philando Castile. The BLM-centric document was leaked online by Guccifer 2.0, the self-proclaimed hacker claiming to be responsible for infiltrating the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC). Many cybersecurity experts believe the persona is maintained by Russian intelligence to manage a disinformation campaign with the intention of influencing the upcoming 8 November election. Kremlin officials have denied the accusations. Presidential candidates have struggled to respond to tactics of the Black Lives Matter movement, the memo continues. While there has been little engagement with House candidates, candidates and campaign staff should be prepared. This document should not be emailed or handed to anyone outside of the building. Please only give campaign staff these best practices in meetings or over the phone. Under a section marked tactics, Perry instructs Democratic Party officials to meet with local activists. He wrote: If approached by BLM activists, campaign staff should offer to meet with local activists.
Invited BLM attendees should be limited. Please aim for personal or small group meetings. He advised to listen to their concerns but don't offer support for concrete policy positions. According to his public Twitter profile, Troy Perry is a former DCCC staffer who now works on the election campaign of Democratic nominee Hillary Clinton. BLM needs partners to achieve their agenda and they want to be a part of the conversation, Perry wrote in the memo last November. However, BLM activists don't want their movement co-opted by the Democrat Party. They are leery of politicians who hijack their message to win campaigns. Under the title What to say to media, Perry noted that officials should aim to rebuild the relationship between police and community and explore reforms to ensure officers are properly trained and don't infringe on citizens' rights. The mysterious Guccifer 2.0 figure also released nine other documents in total – all reportedly compromised from the PC of Pelosi. Other titles included: Recent Immigration Reform Proposals, 2016 NP Proposed Contributions, ISIS (talking points) and Framework One Pager Benghazi. A statement posted alongside the latest release said: “Hi everyone. As you see I've been gradually posting DCCC docs on different states. But besides that I have a folder from the Nancy Pelosi's PC and I'd like to share some docs from it with you. They are related to immigration, Hispanics, BLM, Islam and other issues. So here they are.” Due to the documents featuring potentially sensitive financial data, IBTimes UK has not linked directly to the release. Guccifer 2.0 did not respond to a request for comment.

Endwall 09/01/2016 (Thu) 03:20:23 [Preview] No. 493 del
DNS tunneling widely used, Infoblox says
By Sead Fadilpašić
DNS tunnelling, a security threat which can indicate either active malware, or data exfiltration, is fairly widespread today, according to a new report by network control company Infoblox.
Infoblox analysed 559 files capturing DNS traffic, uploaded from 248 customers. Two thirds (66 per cent) of files have shown evidence of suspicious DNS activity. Almost half (40 per cent) show evidence of DNS tunnelling. “In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “Cybersecurity is much the same. The widespread evidence of DNS tunnelling uncovered by the Infoblox Security Assessment Report for the second quarter of 2016 shows cybercriminals at all levels are fully aware of the opportunity. Organisations can’t be fully secure unless they have tools in place to discover and prevent DNS tunnelling.” According to the company’s report, cyber-criminals know how well-established and trusted a protocol DNS really is, which is why they use it. Many organisations, Infoblox says, do not look at DNS traffic for malicious activity. Besides DNS tunnelling, there are a couple of other security threats uncovered, including protocol anomalies (48 per cent), botnets (35 per cent), amplification and reflection traffic (17 per cent), distributed denial of service – DDoS attacks (14 per cent), and ransomware (13 per cent). “While these threats are serious, DNS can also be a powerful security enforcement point within the network,” said Rasmussen. “When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers.” The full report can be found on this link.
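The article's point that most organisations never look at their own DNS traffic is easy to act on: tunnelled data has a shape that ordinary hostnames do not. The script below is an added example written for this post, not Infoblox's tooling or anything from the report. It assumes a BIND-style query-log line format ("... query: <name> IN <type>"), treats the last two labels of a name as the registered zone (a simplification; production code would use the public suffix list), and flags zones whose leading labels are long, high-entropy and never repeat across queries. The log lines, the zone name `evil-tunnel.test` and the thresholds are constructed for the demonstration.

```python
"""Heuristic DNS-tunnelling detector over query-log lines (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on a BIND query log (not real traffic).
# Two ordinary clients plus one host emitting encoded payloads as TXT lookups.
SAMPLE_LOG = """\
2016-08-31T10:00:01 client 10.0.0.5 query: www.example.com IN A
2016-08-31T10:00:02 client 10.0.0.5 query: mail.example.com IN MX
2016-08-31T10:00:03 client 10.0.0.9 query: 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f.t.evil-tunnel.test IN TXT
2016-08-31T10:00:03 client 10.0.0.9 query: 9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e.t.evil-tunnel.test IN TXT
2016-08-31T10:00:04 client 10.0.0.9 query: 0123456789abcdef0123456789abcdef0123.t.evil-tunnel.test IN TXT
2016-08-31T10:00:04 client 10.0.0.9 query: fedcba9876543210fedcba9876543210fedc.t.evil-tunnel.test IN TXT
2016-08-31T10:00:05 client 10.0.0.5 query: cdn.example.com IN A
2016-08-31T10:00:06 client 10.0.0.7 query: update.example.net IN A
"""

LINE_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# Record types that carry large or arbitrary payloads back to the client.
BULKY_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits per character; encoded payloads sit near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (zone, subdomain). Assumption: zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Extract (zone, sub, qtype) records from log lines; skip non-query lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            zone, sub = split_name(m["qname"])
            records.append({"zone": zone, "sub": sub, "qtype": m["qtype"].upper()})
    return records


def profile_zones(records):
    """Aggregate per-zone features that separate tunnels from normal lookups."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0,
                               "long": 0, "bulky": 0})
    for r in records:
        z = acc[r["zone"]]
        first = r["sub"].split(".")[0]          # leftmost label carries the payload
        z["queries"] += 1
        z["subs"].add(r["sub"])                  # tunnels rarely repeat a name
        z["entropy"] += shannon_entropy(first)
        z["long"] += int(len(first) >= 30)       # hostnames are rarely this long
        z["bulky"] += int(r["qtype"] in BULKY_TYPES)
    return {
        zone: {
            "queries": z["queries"],
            "unique_ratio": len(z["subs"]) / z["queries"],
            "avg_entropy": z["entropy"] / z["queries"],
            "long_ratio": z["long"] / z["queries"],
            "bulky_ratio": z["bulky"] / z["queries"],
        }
        for zone, z in acc.items()
    }


def suspicious_zones(records, min_queries=3, min_entropy=3.5,
                     min_unique=0.9, min_long=0.5):
    """Zones that look like tunnels under all thresholds (constructed defaults)."""
    flagged = []
    for zone, p in profile_zones(records).items():
        if (p["queries"] >= min_queries and p["avg_entropy"] >= min_entropy
                and p["unique_ratio"] >= min_unique and p["long_ratio"] >= min_long):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for zone, p in profile_zones(recs).items():
        print(f"{zone:20s} q={p['queries']} uniq={p['unique_ratio']:.2f} "
              f"H={p['avg_entropy']:.2f} long={p['long_ratio']:.2f} bulky={p['bulky_ratio']:.2f}")
    print("suspicious:", suspicious_zones(recs))
```

The four features are deliberately combined rather than used alone: CDNs and anti-spam services also generate long, unique labels, so a single high-entropy query is weak evidence, but a zone where nearly every query is long, high-entropy, never repeated and asks for a bulky record type is worth pushing into the DNS firewall rules the article mentions.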

Endwall 09/01/2016 (Thu) 03:22:47 [Preview] No. 494 del
Security Affairs
iOS 9.3.4 and minor versions are vulnerable to the Trident Exploit
August 31, 2016 By Pierluigi Paganini
Its name is the Trident: a chain of zero-day exploits that aim to infect iPhone with commercial spyware. Researchers linked it to the NSO group.
Its name is the Trident: a chain of zero-day exploits that aim to infect iPhones with commercial spyware. Researchers say it belongs to an exploit infrastructure connected to the NSO group. Thanks go to the great work by the researchers from the Citizenlab organization and the Lookout firm, who responsibly disclosed the exploits and their related vulnerabilities to Apple. Given the severity of the Trident, Apple worked extremely quickly to patch these vulnerabilities and has released iOS 9.3.5 to address them. In this post, we want to give you a description and some technical information about the inner logic of the Trident exploit rather than the attack received by Ahmed Mansoor. From the episode of Ahmed Mansoor we can quickly understand the infection vector of that exploit: SMS, email, social media, or any other message. The scariest part of that attack is that the single action the user has to take to trigger this dangerous attack is just a click on an external link. The exploit seems to contain the logic to remotely jailbreak an iPhone to install arbitrary applications and then deliver a commercial spyware called Pegasus as espionage software to track the victim. What is Pegasus and who is behind it? Pegasus is spy software installable on iOS devices that allows reading messages, emails, passwords and address lists as well as eavesdropping on phone calls, making and transmitting audio recordings and tracking the location of a compromised device (but we will look at this more closely in the following section). It seems that this spyware is attributed to NSO Group, an Israeli firm based in Herzliya in the country’s “Silicon Valley”. This spyware was attributed to the NSO Group because in the Mansoor attack the domain used for the phishing message (webdav.co) belongs to a network of domains that is part of an exploit infrastructure provided by the company NSO Group.
NSO Group, now owned by US private equity firm Francisco Partners Management, has flown far under the radar, without even a website. Citizenlab reported that just by opening the link included in the message sent to the victims on an iPhone running iOS 9.3.3 it is possible to observe active unknown software that was remotely implanted into the system through the delivery of unknown exploits from that link. The complex exploit takes the name Trident.
ATTACK SCENARIO
After the user gets baited, the exploit starts its work to infect the phone, following the 3 main stages of that attack, better detailed here:
1. Delivery and WebKit vulnerability
This stage comes down over the initial URL in the form of an HTML file that exploits a vulnerability (CVE-2016-4655) in WebKit (used in Safari and other browsers).
CVE-2016-4655: Memory Corruption in Safari WebKit
A memory corruption vulnerability exists in Safari WebKit that allows an attacker to execute arbitrary code. Pegasus exploits this vulnerability to obtain initial code execution privileges within the context of the Safari web browser.
2. Jailbreak
This stage is downloaded by the first stage code based on the device type (32-bit vs 64-bit). Stage 2 is downloaded as an obfuscated and encrypted package. Each package is encrypted with unique keys at each download, making traditional network-based controls ineffective. It contains the code that is needed to exploit the iOS Kernel (CVE-2016-4656 and CVE-2016-4657) and a loader that downloads and decrypts a package for stage 3.
CVE-2016-4656: Kernel Information Leak Circumvents KASLR
Before Pegasus can execute its jailbreak, it must determine where the kernel is located in memory. Kernel Address Space Layout Randomization (KASLR) makes this task difficult by mapping the kernel into different and unpredictable locations in memory. In short, before attacking the kernel, Pegasus has to find it. The attacker has found a way to locate the kernel by using a function call that leaks a non-obfuscated kernel memory address in the return value, allowing the kernel’s actual memory location to be mapped.
CVE-2016-4657: Memory Corruption in Kernel leads to Jailbreak
The third vulnerability in Pegasus’ Trident is the one that is used to jailbreak the phone. A memory corruption vulnerability in the kernel is used to corrupt memory in both the 32- and 64-bit versions. The exploits are performed differently on each version....

Endwall 09/01/2016 (Thu) 03:25:08 [Preview] No. 495 del
The NSA Research Director Wants Hackers to Know Who She Is
August 31, 2016 Paul O'Donnell Washingtonian August 30, 2016
Even before Edward Snowden, the National Security Agency—the super-secret electronic spy outfit at Fort Meade—had started showing signs of thaw. Locally, NSA employees were acknowledging to friends and neighbors where they worked, while increasing links to Silicon Valley opened NSA to the outside world. Then in June 2013 came Snowden’s leak of documents demonstrating the level of surveillance aimed at US citizens, and the Agency That Would Not Be Named made headlines. In the scrutiny from the press and Congress that followed, one quip had it that NSA stood for Not Secret Anymore. At the time, Deborah Frincke, a computer scientist and cyberresearcher, was still settling in as the agency’s research director, taking charge of developing cutting-edge tools for protecting the government’s computer systems and cracking those of our enemies. Frincke had spent most of her career as a specialist in computer security, first at the University of Idaho, then at the federal Pacific Northwest National Lab in Seattle. A relative outsider at NSA and the first woman to head the research directorate, Frincke found herself uniquely disposed to explain NSA to the world, and the world to NSA. We talked to her recently for an update. So NSA has been making news. How did the Snowden controversy affect people inside the walls? It was certainly very hard in the early days. It was hurtful to people who work so hard to save lives and obey the Constitution, and now the country doesn’t trust them. As one whose role is outwardly leaning, I’ve tried to explain how people outside the agency could have such a misunderstanding. I think we’ve rebounded now, and I think we understand why people got the impression that they did. Has the controversy made it harder to attract good people to the agency? We haven’t had trouble attracting candidates. Most people have had a chance to think about the revelations and what intelligence communities mean in general.
If you ask those who’ve been here 20, 30 years, many had no idea what the agency was when they interviewed. That would be true of few of our new hires. They know what they signed up for. What about other players in the cyber-security world—in academia and the private sector? How have you tended to those crucial relationships? I show I’m willing to have a dialogue. At [the technology conference] Black Hat, I wore a badge that said NSA—usually they very politely put DoD [Department of Defense] under my name. I changed it to NSA so everyone would know exactly who they were talking to. What’s important at this stage is that people ask questions, raise concerns. Speaking of how you’re received, it’s no secret that women are a minority in technical fields. What’s it like working in a male-dominated environment? NSA does pretty well with women advancing through the ranks. It’s when I go to conferences that I see how comfortable they are with a female leader. Sometimes I turn my badge around to get a sense of what it’s like to show up as a female in the crowd, as opposed to NSA’s research director. It’s different. It’s getting better, though. Forbes recently named you a “cool” role model for high-school girls. It’s taken me all this time to get to the point where I’m actually cool. I was a bit of a novelty in graduate school. Did you ever feel discouraged? I did when I started, because I was the only one who looked like me. The atmosphere was less accepting, especially when you got into cybercrime. It was acceptable to work on proving things were safe and secure. That was cleaner than the messier world of attacks and defenses, which was more militaristic and not suitable. So I remember getting a fair amount of pushback. But when you are an anomaly and you stick it out, you get a little bit of name recognition.
The culture at NSA’s campus at Fort Meade has been criticized for being too insular and secretive. Photograph by Trevor Paglen.
How did you get into computers?
My dad was a prof, and when I was in third grade, he spent his sabbatical in Crofton [Maryland], helping the Naval Academy set up a computer. He would bring us in, and we would play with the big paper tape. I loved it. When the Radio Shack [home] computers came out, he of course bought them and I of course played with them. You had to write your own games then; otherwise you were stuck, so I got into computers very early on. Was it your father’s experience that gave you the idea to go into government work? I would say I grew up on a service orientation. I was really into King Arthur and Tolkien—the strong protecting the weak, the duty that we have to take care of our folks. That was part of our family culture. So it was not unnatural for me to move into a discipline where the goal was to take care of other people, to defend the systems. But why NSA? You had a long career in academia, you worked on a start-up. There are plenty of places to use your skills. As a scientist, there are very few places where I can say I’m directly helping the country. It’s harder when you go to a tech company that’s putting out widgets. Those things are important, but it’s not satisfying. But the private sector is making some important widgets for cybersecurity. I take nothing away from that. I’m just wired a little differently. It’s a happier place for me to work directly in government and try to take those skills and shape those things. In a recent article about hackers, an industry insider said, “My concern is that the bad guys are going to out-innovate us.” Is NSA still ahead? At the moment, yes. [NSA director] Michael Rogers recently announced a reorganization called NSA21 to make sure the same is true in ten years. We want to know what we can do to be easier to work with. Many of the innovative spirits in the industry are one- and two-person companies. How do they begin to bring their great solutions to a behemoth? Which I say with love, but we are. 
That’s a huge cultural change for NSA, isn’t it? To go from being the primary producer to being a consumer? It’s a huge cultural change. It’s a healthy change. There will always be things we’ll know how to do best. The things we buy from the outside actually allow us to focus on that. The important thing will be to maintain that focus. To farm out all of our brains, that would be a problem. But to be a savvy consumer who’s also a producer, you can be more nimble that way. Half of NSA’s job is “signals intelligence”—spying on others. The other half is defense, protecting our computers. When you lie awake at night, are you thinking about defense or offense? I’ll probably always think more about defense because I was raised that way. It’s also in many ways a harder problem. You have to get the defense right all the time. Offense can be successful if it gets in and gets out. Defense touches every US citizen every single day. The vulnerability is continually widening. It’s the electrical grid, the food supply. Everything has been technologized to the point that it’s a concern. Not all of that is NSA’s concern necessarily. It may affect Silicon Valley more. The “internet of things” means we’re bringing critical cybertechnologies literally right next to us—Fitbit, GPS, all the devices embedded in my home. That’s very personal. Yet our devices are not designed secure. Every year, more and more, so much of our lives is dependent on a fragile infrastructure. We will see breaks. If US citizens want to worry about one, it’s defense they should focus on. What can they do? If you don’t want GPS tracking to be on, turn it off. Have your e-mail set up so you have password protection. Think through: How did I protect my bank account today? And as political consumers, we should be asking: How do we devise our next culture? We should demand safety in our devices just as we demand seat belts. Can you give an example? I’m a breast-cancer survivor. 
Should I have a recurrence, chances are it will be at a point when the technology will enable doctors to monitor how my cancer is progressing from their office. What should be designed into those sensors so I don’t have to worry that someone else will hack that information? These devices that help regulate bodily processes—how can we make sure those are hacker-proof? What’s the balance, though? After the San Bernardino shootings, many said our phones should be locked up tight. Given the threat we’re facing, do you say, “This isn’t about protecting your Snapchats”? I’m not going to weigh the value of someone’s photos, whether of their cat or something I might consider important. That’s precious to them. What I ask is that as a nation we have thoughtful dialogue, think through where we do want to share information. What if we said you can never share information about a cancer patient? What if we never share information that would help catch lawbreakers? Where do we create that balance between maximizing civil liberties and maximizing the safety and security? If you don’t get them both right, then you are not safer and more secure. We have to get them both right.

Endwall 09/02/2016 (Fri) 13:59:30 [Preview] No. 496 del
Putin on DNC hack: Let’s talk content, not hackers’ identity
Sept. 2, 2016
A number of US officials and media outlets accused Moscow of “trying to hack” the US presidential election by using cyber-offensive operations that undermine Democratic candidate Hillary Clinton and benefit her Republican rival Donald Trump. When asked about the allegations by Bloomberg News Editor-in-Chief John Micklethwait, Russian President Vladimir Putin denied Moscow’s involvement. “I wouldn’t know anything about it. You know, there are so many hackers today and they work with such finesse, planting a trail where and when they need. Not even their own trail but masquerade their actions as those of other hackers acting from other territories, nations. It’s difficult to trace, if even possible,” Putin said. “Anyway, we certainly don’t do such things on the state level,” he added. Putin suggested that the debate over who hacked election-related computer networks in the US draws attention away from the nature of the leaked documents. “The important thing here is what the public was shown. That is what the discussion should focus on. One shouldn’t draw the public attention from the core of the issue by replacing it with secondary details like who did it,” the Russian president suggested. Earlier the whistleblower website WikiLeaks published some 20,000 emails of the Democratic National Committee (DNC), which suggested that the party leadership colluded to have Clinton rather than her principal competitor Bernie Sanders be chosen as the Democratic Party’s presidential hopeful. Some US media claimed that WikiLeaks received the emails from Russian intelligence and that the organization, which has been exposing classified material to public scrutiny since 2006, timed its publications to the goals of Russian foreign policy. WikiLeaks dismissed the allegations as a conspiracy theory.
In the Bloomberg interview Putin implied that the individual or group behind the DNC hack must be someone with an intimate understanding of how American politics works. “Frankly, I couldn’t imagine that such information could provoke such interest from the American public,” he said. “One would have to ‘feel the nerve’ and peculiarities of the US domestic political life. I’m not sure that even our Foreign Ministry experts have that level of comprehension.” Asked whether he preferred to see as the next US president Trump, who has complimented Putin on several occasions, or Clinton, who apparently “wants to get rid” of Putin, the Russian leader said he had no preference in the matter. “I would like to deal with a person who can take responsible decisions and deliver on agreements. Name is irrelevant here,” he said. “They both make shocking statements in their own way. They both are smart people and know which points to press to be heard and understood by US voters,” Putin added, further saying that in his opinion neither candidate set a good example of campaigning in that regard. “That’s American political culture and one has to accept it as it is. America is a great nation and it deserves to be spared foreign interference and comments.” The Russian president also voiced doubt over proposals to establish a “hacking code of conduct” for G20 countries – which are to convene later this weekend in China – saying it was not a suitable forum for the topic. “The G20 was intended as a forum for discussing world economy. Politics affects economy, obviously, but if we bring into it our quarrels or even serious issues related to world politics, we would oversaturate the G20 agenda and instead of talking finances and structural changes of the economy and taxes we would just argue about Syria and other world problems,” he said. “Such issues belong to other places and forums.
Like the UN Security Council,” Putin said.

Endwall 09/02/2016 (Fri) 14:11:24 [Preview] No. 497 del
Reading this on a Mac? Install this security fix to avoid being spied on
Tech Radar, Sept. 2, 2016 By Darren Allan
Remember that gaping iOS security flaw which was revealed last week? Well, turns out that it's also present on Apple's desktop operating system, with the company patching up OS X to cure the issue. The problem is a serious one involving so-called Pegasus malware created by an outfit that goes by the name of NSO Group, which is known for selling spyware to governments, and that's exactly what this nasty does – allows an attacker to spy on your device. That's why you should act quickly to make sure that these vulnerabilities are patched up on your Mac. Apple has actually issued a pair of patches. The main one addresses the problem for the OS on both Yosemite and El Capitan – it's not mentioned if the flaw also affects preview versions of macOS Sierra. The second update is for Safari, and cures a memory corruption issue present in the browser. This fix is actually included in the above patch, but is available separately for those who don't install that (as mentioned, it only pertains to Yosemite and El Capitan). At any rate, head over to the App Store and click on the Update tab (top-right) to patch your system up appropriately. It's a bit of a tired old record now, but yes, this is another small lesson in how Mac security isn't bulletproof and shouldn't be taken for granted. As we saw back in the spring, Apple computer users have also come under fire with ransomware this year, the current belle of the malware ball.

Endwall 09/02/2016 (Fri) 14:12:39 [Preview] No. 498 del
43 million passwords hacked in Last.fm breach
TechCrunch, Sept. 2, 2016
Crikey: 43,570,999 user accounts were breached in a hack of Last.fm that occurred in March of 2012, according to a report from LeakedSource. Three months after the breach, in June of 2012, Last.fm issued the following statement:  “We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.” The number of passwords and the severity of the hack were not uncovered until today. The passwords were stored using unsalted MD5 hashing. Rather than storing passwords in plaintext, nearly every site that stores critical user information utilizes some form of hashing. Hashing is a method for encrypting data, but some methods are far superior to others. MD5 is seriously out of style, in part because it is not mathematically intensive enough to resist modern methods of brute-force cracking. Moreover, Last.fm didn’t use salt in its hashing process. Salting is the practice of adding a random string of numbers to the hash for each individual password, making them more secure and decreasing the likelihood that they will be cracked if the passwords are ever leaked online. Unfortunately, Last.fm did not take that step, and LeakedSource reports that most of the passwords were easily cracked. For the second time this week, our advice is that you change your password immediately if you have an account on Last.fm. The most popular password pulled from the Last.fm database was 123456. Seriously, it’s 2016 people — use a platform like LastPass to generate randomized, complex passwords that are unique to every service for which you sign up.
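
The post above describes why unsalted MD5 made the Last.fm dump easy to crack. As an added example (not from the article or from Last.fm), the following Python compares the two storage schemes directly: an attacker with one precomputed table cracks every unsalted MD5 hash at once, while per-user salts plus a slow KDF (PBKDF2-HMAC-SHA256 here, used in place of whatever a given site would choose) force a fresh computation per user and per candidate. The user accounts and the wordlist are constructed for the demo and are not real breach data.

```python
import hashlib
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (hypothetical users, not Last.fm data). Two users
# share the most common password from the dump, "123456"; dave's is not in
# the attacker's wordlist.
USERS: Dict[str, str] = {
    "alice": "123456",
    "bob": "password",
    "carol": "letmein",
    "dave": "Tr0ub4dor&3",
    "eve": "123456",
}

# Constructed attacker wordlist; real ones hold billions of entries.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def md5_unsalted(password: str) -> str:
    """The scheme Last.fm used: one MD5 of the bare password, no salt.
    Identical passwords always yield identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed ONCE into a lookup table that is then applied to
    every user's hash, so the cost is O(len(wordlist)) regardless of how many
    accounts leaked. This is why 43 million unsalted MD5s fall quickly.
    """
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random 16-byte salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  rounds: int = 100_000) -> bool:
    """Constant-time comparison so verification does not leak timing."""
    _, candidate = pbkdf2_salted(password, salt, rounds)
    return secrets.compare_digest(candidate, digest)


def crack_salted(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 rounds: int = 100_000) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted, slow-hashed records.

    The salt defeats the shared table: every (user, candidate) pair needs its
    own KDF run, so work is O(users * wordlist) slow iterations. Returns the
    cracked passwords and the number of KDF calls the attack cost.
    """
    cracked: Dict[str, str] = {}
    kdf_calls = 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            kdf_calls += 1
            if verify_salted(w, salt, digest, rounds):
                cracked[user] = w
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    leaked = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("unsalted MD5 cracked:", crack_unsalted(leaked, WORDLIST))
    # rounds lowered only so the demo runs quickly; keep it high in production
    salted = {u: pbkdf2_salted(p, rounds=1000) for u, p in USERS.items()}
    print("salted PBKDF2 cracked:", crack_salted(salted, WORDLIST, rounds=1000))
```

Note that salting does not save a weak password: alice and eve still fall because "123456" is in any wordlist. What it buys is that the attacker pays the full KDF cost per account instead of amortizing one table across all 43 million, which is the difference the article is pointing at.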

Endwall 09/02/2016 (Fri) 14:25:52 [Preview] No. 499 del
Hacker Guccifer, who exposed Clinton’s use of private e-mail, gets 52 months
David Kravets - Sep 1, 2016 5:22 pm UTC
The Romanian hacker who helped expose Democratic presidential candidate Hillary Clinton's use of private e-mail as secretary of state was sentenced Thursday to 52 months in prison in connection to an admission that he broke into about 100 Americans' e-mail accounts. The compromised accounts included celebrities, former Secretary of State Colin Powell, and family members of former Presidents George W. Bush and George H.W. Bush, and Sidney Blumenthal, a political advisor whom Clinton corresponded with using her private e-mail account. Marcel Lehel Lazar, a 44-year-old cab driver known by the handle Guccifer, conducted his crimes at home and was extradited to the US this year. He pleaded guilty to identity theft and federal hacking charges. Guccifer had claimed he hacked into Clinton's private e-mail server at her New York residence. But he has never been charged for that, and he has never divulged the contents of the alleged hack. However, the hacker did reveal private documents from other hacks, including self portraits painted by George W. Bush. He also leaked memos Blumenthal sent Clinton to her private e-mail account. This eventually exposed the fact that Clinton used that account as secretary of state for personal and private businesses instead of using her government account for official business. The State Department eventually chastised Clinton for using private e-mail, though the Federal Bureau of Investigation recommended that she not be charged. Attorney General Loretta Lynch echoed that position. Republicans, including GOP presidential nominee Donald Trump, are invoking the e-mail brouhaha in the run up to the November 8 presidential election hoping to convince the public that Clinton is unfit to be president. Guccifer's sentence was in line with what federal prosecutors were seeking. 
They said the penalty must "address any false perception that unauthorized access of a computer is ever justified or rationalized as the cost of living in a wired society—or even worse, a crime to be celebrated." When handing down the term, US District Judge James Cacheris of Virginia said, "this epidemic must stop." In seeking the harsh sentence, feds had referred to a new hacker individual or collective known as Guccifer 2.0 that is suspected of having ties to the Russian government and has been credited for hacking into the Democratic National Committee earlier this year. Guccifer 2.0 has also been credited for a separate breach of the Democratic Congressional Campaign Committee. Lazar, meanwhile, has said he had no formal computer training or expertise. Instead, he claims to have guessed people's passwords after reviewing Wikipedia entries about them.

Endwall 09/02/2016 (Fri) 14:41:16 [Preview] No. 500 del
The Intercept
Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police
Sept. 2, 2016
A confidential, 120-page catalogue of spy equipment, originating from British defense firm Cobham and circulated to U.S. law enforcement, touts gear that can intercept wireless calls and text messages, locate people via their mobile phones, and jam cellular communications in a particular area. The catalogue was obtained by The Intercept as part of a large trove of documents originating within the Florida Department of Law Enforcement, where spokesperson Molly Best confirmed Cobham wares have been purchased but did not provide further information. The document provides a rare look at the wide range of electronic surveillance tactics used by police and militaries in the U.S. and abroad, offering equipment ranging from black boxes that can monitor an entire town’s cellular signals to microphones hidden in lighters and cameras hidden in trashcans. Markings date it to 2014. Cobham, recently cited among several major British firms exporting surveillance technology to oppressive regimes, has counted police in the United States among its clients, Cobham spokesperson Greg Caires confirmed. The company spun off its “Tactical Communications and Surveillance” business into “Domo Tactical Communications” earlier this year, presumably shifting many of those clients to the new subsidiary. Caires declined to comment further on the catalogue obtained by The Intercept or confirm its authenticity, but said it “looked authentic” to him. “By design, these devices are indiscriminate and operate across a wide area where many people may be present,” said Richard Tynan, a technologist at Privacy International, of the gear in the Cobham catalogue. Such “indiscriminate surveillance systems that are not targeted in any way based on prior suspicion” are “the essence of mass surveillance,” he added.   
The national controversy over military-grade spy gear trickling down to local police has largely focused on the “Stingray,” a single type of cellular spy box manufactured by a single company, Harris Corp. But the menu of options available to domestic law enforcement is enormous and poorly understood, mostly because of efforts by both manufacturers and their police clientele to suppress information about their functionality and use. What little we know about Stingrays has often been the result of hard-fought FOIA lawsuits or courtroom disclosures by the government. When the Wall Street Journal began reporting on the use of the Stingray in 2011, the FBI declined to comment on the grounds that even discussing the device’s existence could jeopardize its usefulness. The effort to pry out details about the tool is ongoing; just this past April, the American Civil Liberties Union and Electronic Frontier Foundation prevailed in a federal court case, getting the government to admit it used a Stingray in Wisconsin. Unsurprisingly, the Cobham catalogue describes itself as “proprietary and confidential” and demands that it “must be returned upon request.” Information about Cobham’s own suite of Stingray-style boxes is almost nonexistent on the web. But starting far down on Page 105 of the catalogue is a section titled “Cellular Surveillance,” wherein the U.K.-based manufacturer of defense and intelligence-oriented hardware lays out all the small wonders it sells for spying on people’s private conversations, whether they’re in Baghdad or Baltimore...

Endwall 09/02/2016 (Fri) 15:51:35 [Preview] No. 501 del
Microsoft To Set Up Cybersecurity Center In Delhi
Microsoft is setting up a cybersecurity center in New Delhi to arm governments and private agencies with all-round intelligence on cyber attacks within the country. The center, which will probably be at Connaught Place in close proximity to most government establishments, would target the spread of malware by monitoring the Internet traffic flowing through the country, Bhaskar Pramanik, chairman at Microsoft India, said in an ET report. “Security is becoming a big conversation topic, especially when are talking about the cloud,” he added. The center is expected to be modelled on Microsoft’s biggest such setup at its headquarters in Redmond, Washington; it would be inaugurated sometime in October or November. Globally Microsoft has seven such centers which have partnerships with international law enforcement agencies such as Interpol and Europol to fight cybercrime. The Connaught Place center will be an extended version of a small Gurgaon office which was launched in June this year. The center will provide necessary details about malware and attacks to the government on which they can take precautionary measures and actions, Pramanik said. Earlier, during Satya Nadella’s third visit to India, he said “Microsoft is building technology around digital and virtual reality and how the tech major can help the country in its ‘Digital India’ initiative.” While in Delhi, Nadella also met telecom minister Ravi Shankar Prasad and minister of state for finance Jayant Sinha. “We shared this idea with the government departments and they are all very excited about it,” he said, adding that the idea to base the center in central Delhi was to ensure that top officials from government departments in close vicinity can “see it for themselves.”
NEW DELHI: American technology giant Microsoft is setting up a cybersecurity centre in the heart of New Delhi to arm governments and private agencies with all-round intelligence on cyber attacks within the country. The centre, which is likely to be in Connaught Place in close proximity to most government establishments, would target the spread of malware by monitoring the Internet traffic flowing through the country, Bhaskar Pramanik, chairman at Microsoft India, said. "Security is becoming a big conversation topic, especially when are talking about the cloud," he told ET in an interview. To be modelled on Microsoft's biggest such setup at its headquarters in Redmond, Washington, it would be inaugurated sometime in October or November. Microsoft has seven such centres globally that have partnerships with international law enforcement agencies such as Interpol and Europol to fight cybercrime. The centre will be an expanded version of a small one launched in June this year in the company's Gurgaon office. While the centre will be a completely Microsoft set up, it will give the necessary details about malware and attacks to the government on which they can take precautionary measures and actions, Pramanik said. "We shared this idea with the government departments and they are all very excited about it," he said, adding that the idea to base the centre in central Delhi was to ensure that top officials from government departments in close vicinity can "see it for themselves." The launch of the centre comes on the heels of a discussion between PM Narendra Modi and Microsoft's global chief Satya Nadella during his last visit to India.

Endwall 09/02/2016 (Fri) 15:55:06 [Preview] No. 502 del
How US Army Cyber Command Pitched Camp in Augusta, Georgia
By Sophia Stuart * August 31, 2016 08:00am EST
The United States Army is ramping up recruitment of geeks as it builds out a massive US Army Cyber Command in Augusta, Georgia, a move that could reportedly bring up to 5,000 new workers to the region, both military and civilian. On the Internet, the enemy has no intention of following the Rules of Engagement or reading the manual, so to speak. So the Department of Defense has been stealthily building something so advanced, internally and across all joint forces (Army, Navy and Marines), that it can be proactive and reactive in dealing with modern warfare. Welcome to the future of non-kinetic combat—in cyberspace. PCMag went to Augusta, Georgia, to attend TechNet Augusta and find out more about US Army Cyber Command, which will be based in the city from 2018. The overarching USCYBERCOM has its own HQ in Fort Meade, Maryland. Augusta is already home to the Army Signal Corps and its Cyber Center of Excellence at US Army Base Fort Gordon. Considering the Signal Corps is responsible for all information systems and global networks, it's essentially where you'll find the geeks of the military, so the location makes sense. At TechNet, top ranking officers from the US Army were joined by C-Suite IT and defense contract executives for a look at the latest gear, intelligence sharing, and talent scouting. Panel discussions included everything from the challenges of critical infrastructure protection and defensive cyber operations maneuver baselines to securing your warfighting platform, managing LAN devices in the cloud, and deceiving hackers with honey hashes (aka, foiling authentication attempts to grab passwords and break into networks). The exhibition hall had all the big name IT giants, including Unisys, HP, Cisco, and IBM. But that is where the similarities to a regular tech gathering ended. Most attendees were in fatigues and a few were in full military dress with medals and spit-and-polished shoes.
Networking areas mingled between security intelligence briefing desks and display booths showcasing things like ultra rugged Getac X500 briefcase-sized battlefield tested mobile server units and an NSA Certified Type 1 Harris RF Falcon III communications tactical radio unit, or "Command Post in a Ruck." Bizarrely, along with the usual booth bait of branded ballpoint pens and Post-it note giveaways, were jars of lollipops and tubs of unbuttered popcorn. They sat a little oddly amongst the rugged battle-tested equipment, but we digress. At the sit-down lunch in the chandeliered ballroom, PCMag joined a table of soldiers who had done five tours of duty in Iraq each. Sadly they weren't empowered to talk to the press, so we can't quote anything that was said. But we can confirm the trenchant humor of the military is of an excellent standard (and it did feel like having a walk-on role in M*A*S*H). The keynote speech was given by Major General Crawford, 14th Commander of the US Army Communications-Electronics Command (CECOM). He laid out the "New Strategic Realities" for the army to be in "readiness" at both the IOC (Initial Operational Capability) and FOC (Final Operational Capability). These include irregular warfare, sustaining SWA (South West Asia) long-term and Army Posture in Europe. He also highlighted problems with privacy versus security as well as keeping current with the exponential growth in software coupled with the velocity of instability in global conflict regions.
Unisys Stealth
Though top brass was a bit press shy, most of the top defense contractors are ex-military or formerly part of the intelligence community themselves, and they are happy to talk. PCMag sat down with two executives from Unisys: Jennifer L. Napper, Group Vice President, Department of Defense and Intelligence Group and Tom Patterson, Chief Trust Officer. Napper reached the rank of Major General in the US Army and retired after 30 years of distinguished service. She's no stranger to large scale complex IT installations, as she was responsible for engineering, operating, and securing global IT and communications networks for the Army. Her role now is securing and delivering Unisys federal contracts to DOD and other US government entities...

Endwall 09/02/2016 (Fri) 15:56:13 [Preview] No. 503 del
AgentTesla campaign engages in cybersquatting to host and deliver spyware
The spyware AgentTesla was recently found to be residing on a domain that was registered to appear as if it belonged to consulting and services firm Diode Technologies, according to Zscaler. Researchers at Zscaler recently discovered a new spyware campaign that used cybersquatting techniques to host, distribute and command-and-control the AgentTesla keylogger via a domain whose name was strikingly similar to Chesapeake, Virginia-based consulting and services firm Diode Technologies. According to Zscaler, the malicious domain, diodetechs.com, was registered two months prior to the attack, and was only one letter different from Diode Technologies' legitimate domain, diodetech.com. The domain has since been suspended. Diode, whose target customer base includes corporations, government agencies, educational institutions and health-care organizations, was informed of the incident earlier this month. The campaign infected victims using socially engineered emails with attached documents that were supposedly purchase orders but actually contained malicious macros that installed the AgentTesla payload. Upon downloading, AgentTesla is capable of keylogging, screen capturing and exfiltrating stored passwords. The malware can also terminate various security software programs on a victim's machine and evade sandboxes and virtual environments. Zscaler's director of security research Deepen Desai confirmed to SCMagazine.com that in one instance, a malicious email purported to come from Diode Technologies. "While we have only seen one instance, it is very likely that they were targeting Diode Technologies customers in this campaign," said Desai in emailed comments.
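
The campaign above hinged on a sender domain one letter away from the real one (diodetechs.com versus diodetech.com). As an added example, not from Zscaler or from the article, the following Python implements the mail-gateway check a defender would want for this: it pulls the domain out of each From: header and flags it when it is within a small edit distance of a protected domain, or when it smuggles the protected domain in as leading labels. The two domain names come from the article; every header in SAMPLE_HEADERS is constructed for the demo.

```python
from email.utils import parseaddr
from typing import Dict, List

# Domains we want to protect against impersonation (from the article).
PROTECTED_DOMAINS: List[str] = ["diodetech.com"]

# Constructed From: headers for the demo (hypothetical senders).
SAMPLE_HEADERS: List[str] = [
    "Purchase Orders <orders@diodetech.com>",            # legitimate
    "Purchase Orders <orders@diodetechs.com>",           # the campaign's lookalike
    "J. Smith <j.smith@d1odetech.com>",                  # digit substituted for 'i'
    "Support <support@diodetech.com.evil.example>",      # protected name as leading labels
    "Newsletter <news@example.org>",                     # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete
                           cur[j - 1] + 1,            # insert
                           prev[j - 1] + (ca != cb))) # substitute
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Lower-cased domain part of a From: header, or '' if unparseable."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(header: str, protected: List[str] = PROTECTED_DOMAINS,
                    max_distance: int = 2) -> Dict[str, str]:
    """Classify one header as legitimate, lookalike, embedded or unrelated.

    max_distance is the assumed threshold for this demo; one letter catches the
    diodetechs.com case, two also catches double typos at the cost of more
    false positives on short domains.
    """
    domain = sender_domain(header)
    for p in protected:
        if domain == p:
            return {"domain": domain, "verdict": "legitimate", "target": p}
        if domain.startswith(p + "."):
            # e.g. diodetech.com.evil.example: the real name is only a prefix
            return {"domain": domain, "verdict": "embedded", "target": p}
        if 0 < levenshtein(domain, p) <= max_distance:
            return {"domain": domain, "verdict": "lookalike", "target": p}
    return {"domain": domain, "verdict": "unrelated", "target": ""}


def suspicious_domains(headers: List[str]) -> List[str]:
    """Domains from the given headers that should be quarantined or reviewed."""
    return [r["domain"] for r in map(classify_sender, headers)
            if r["verdict"] in ("lookalike", "embedded")]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_sender(h))
```

In practice this runs on the envelope sender and the From: header both, since phishing kits routinely set them differently; exact matches should still be subject to SPF/DKIM/DMARC, because a passing edit-distance check says nothing about whether the real domain was spoofed.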

Endwall 09/02/2016 (Fri) 16:00:10 [Preview] No. 504 del
Security Affairs
Hacker Interviews – Speaking with Lorenzo Martínez
September 1, 2016 By Pierluigi Paganini
Today I have the pleasure to share with you the interview with one of the most popular Spanish cyber security experts, Lorenzo Martinez. Enjoy it!
Lorenzo Martinez is the CTO of Securizame, a Spanish security company fully oriented to consultancy, ethical hacking, forensics and security trainings. He is also one of the four editors and founders at Security By Default, one of the most well-known Spanish security blogs. You can find him on Twitter as @lawwait. You are one of the world’s most talented cyber security experts. Could you tell me what your technical background is and when you started hacking? Well. You are pointing me very high. I am just a security enthusiast who had the chance and luck to study and work in what I like: Security. I started as a security consultant, sysadmin, and trainer. Then I started to learn and practice ethical hacking in different companies. I worked for two different security vendors, related to web security (a WAF manufacturer) and strong authentication. In 2012 I started my own company and did a bunch of forensics. What was your greatest hacking challenge? Hacking for me doesn’t mean only breaking websites and developing exploits. A way of hacking is to build useful stuff that has not been created for a particular use. My greatest hacking challenge was to ‘domotize’ my home, creating the intelligence to glue several devices: a Roomba vacuum, a security system with face recognition using a webcam with OpenCV, an alarm and air conditioning systems with web management panels, X10 for lights and curtains, an Asterisk, a meteorologic station, a GPS-based tracker for my car, etc… I created a bot to manage them all, and to be more or less “autonomous”. IoT in 2012! You can find a first version of the talk I gave in RootedCON 2012 in this post http://www.securitybydefault.com/2012/04/welcome-to-your-secure-home-user.html and the enhanced version with the system running in two Raspberry PI Model B in this one in Ekoparty 2012. What are the 4 tools that cannot be missed in the hacker’s arsenal and why?
In my case, as I prefer forensics, I would say: Autopsy, FTK Imager, Tcpdump/Wireshark and all CAINE tools. Speaking of hacking: Nmap, Netcat, Metasploit, and BURP. Which are the most interesting hacking communities on the web today? Security and hacking communities are moving to different sectors: CONs, IRC, even Telegram groups where you can discuss specific stuff. Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why? What scares you more on the internet and why? Everything connected to the Internet (and a lot of air-gapped ones) is prone to be hacked. Several causes: misconfigurations, outdated systems, security implementation weaknesses, public or private exploits, being a target of any powerful government,… Others can be hacked because of people involved in the business of the organization. What do they want? Money or something that can be transformed into money, like information/data that could be sold for the strategy of a competitor or a different country. I am scared because of the treatment of my data by the providers or people who have my confidential information, such as public administration, hospitals, banks, shops where I have to trust my credit card. We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real? I agree with that assessment. An attack on a nuclear plant that would cause human casualties would be catastrophic. In my opinion, there are more security incidents happening than we realize, because they are still unknown, and others that are discovered but kept private to avoid distrust or public panic. Thanks and compliments for your great work!

Endwall 09/02/2016 (Fri) 16:02:02 [Preview] No. 505 del
State Governments' War Against Cybercrime
Geetha Nandikotkur (AsiaSecEditor) • September 1, 2016
Following cyberattacks on public and private organizations, state governments in India are rolling up their sleeves to fight cybercrime. For example, Maharashtra Chief Minister Devendra Fadnavis announced the "Maharashtra Cyber Project" on Independence Day, planning 51 cyber labs across districts providing technical and forensic investigation support to the cyber police. The project also will launch a computer emergency response team, or CERT. Three other states - UP, Karnataka and Kerala - that have already set up cyber labs intend to scale up and emulate the Maharashtra model. In the Maharashtra project, "the labs will be equipped to analyze mobile forensic and call detail records," Fadnavis says. "Totally, 51 labs will be started across the state, expected to be completed by December 2016." Security leaders from law enforcement and business enterprises welcome Maharashtra's move, while acknowledging the challenges the program entails. Bangalore-based Sanjay Sahay, additional director general of police-cybercrime for the Karnataka Police, says the project will be effective only when law enforcement officers understand how to leverage cyber lab capabilities. "The key challenge is finding the right resources and capabilities to develop a defensive forensic and incident response mechanism and auditing capabilities to defend against growing hacktivism," Sahay says.
The Cyber Project
Although Fadnavis only recently announced the initiative, the Maharashtra government already has been issuing tenders for hardware and software tools and other infrastructure. Sources say that so far, 34 labs already have been set up. The state has trained 1,000 personnel who'll be assigned jobs at these labs and get regular updates on the latest technologies.
Brijesh Singh, inspector general (cyber), says the labs will analyze evidence, including CCTV footage, call data records, retrieved files that criminals had deleted from gadgets, retrieved bank records and links traced and hacked by fraudsters. "The cyber force ... will help create forensic reports of the technical evidence collected in offences," Singh says. Maharashtra police is collaborating with the Centre for Development of Advance Computing, CERT-In, Department of Electronics and IT and Department of Telecom, to identify a system integrator and value service provider to carry out the functions. Maharashtra will establish a CERT along the lines of CERT-In with experts from the Army, Navy, Defence Research Development Organization and other cybersecurity agencies. Sources at the state's police headquarters declined to divulge details on CERT's role and cyber labs functions. Maharashtra is investing $118 million in its project, far more than other states have invested so far. By comparison, Lucknow-based Dr. Triveni Singh, additional superintendent of Police, at UP Police, says UP has established 27 cyber labs across districts, investing more than $2.5 million to build forensic investigation capabilities. "We've created training modules for the police force in coordination with the Central Bureau of Investigation for cyber forensics, investigation and telecom interception, and they are also trained under CBI," Singh says. Delhi-based Data Security Council of India initiated setting up cyber labs in about five to six states way back in 2011 as part of its private-public partnership. Vinayak Godse, DSCI's senior director, says the council partnered with state police and DeitY to set up labs across Mumbai, Pune, Bangalore and Kolkata for cybercrime investigations and standardized training material for law enforcement. "We trained over 55,000 police personnel in cyber forensics and evidence gathering," Godse says. 
Telangana rolled out its new cybersecurity policy early this year, emphasizing involving and training law enforcement. Recently, Andhra Pradesh's chief minister, N. ChandraBabu Naidu, worked with Nasscom and DSCI to roll out a draft cybersecurity policy. Sources say that state will launch a CERT to drive public-private partnership.

Key Challenges

The key challenge in establishing cyber labs is creating a sustenance model to ensure the ability to scale up capabilities as needed. "It's critical to sustain them with enhancement in new techniques and procedures to tackle new risks; this means new investments," Godse says. Three key challenges in establishing and operationalizing these labs, security experts say, are:

* Establishing a robust technological framework in gathering evidence and investigation;
* Gaining access to information about data thefts and hackers both inside and outside of India;
* Dealing with a lack of clarity in Indian law regarding how to punish cybercriminals.

"It's a challenge to get trainers to train the police on key skills like forensics, evidence gathering, log management, data mining etc., unless there's an effective public and private partnership model in place," notes Rakshit Tandon, cybersecurity adviser to the Uttar Pradesh Police Task Force. Sahay says gaining the necessary expertise is expensive. For example, he notes, "Hiring an expert to audit the website during website defacement means about $70,000 for a small activity."

Role of CERTs

Some security practitioners contend that because the government doesn't have an effective model for leveraging public and private partnerships in its sustenance program, the proposed CERTs will need to develop an effective program seeking private enterprises to hire talent to train law enforcement groups. The Kerala State Police has already commissioned a CyberDome - a high-tech cybersecurity and innovation centre, via public/private partnership, to tackle cybercrime.
CyberDome is envisioned as a primary monitoring unit for the internet and the nodal centre for policing social networking sites and anti-terror activities, says Manoj Abraham, inspector general of police and nodal officer for the Kerala Police. Some security experts argue that state governments should support private sector for cybersecurity through effective public-private partnership models with clearly defined roles. "It's not an investment in high-tech infrastructure that's required; empowering the state academy and having an incentive program for private parties to build skills of these police groups is critical," Tandon says.

Endwall 09/02/2016 (Fri) 16:03:35 [Preview] No. 506 del
OS X malware spread via signed Transmission app... again
David Bisson | September 1, 2016 10:26 am

For the second time this year, the Transmission BitTorrent client has been compromised. Researchers have caught malware being spread through a signed version of Transmission, the popular OS X BitTorrent client. A team of malware analysts notified Transmission after the malicious file was discovered on the Transmission application's official website. Transmission promptly removed the file. Even so, it's unclear when the malware, which goes by the name OSX/Keydnap, first made it onto the site. As ESET's researchers explain: "According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following files or directory:"

/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/Application Support/com.apple.iCloud.sync.daemon/
$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Under no circumstances do you want to find any of the above files running on your computer. Their presence points to an active Keydnap infection, which doesn't mean anything good for a Mac user's passwords. ESET's researchers elaborate in another blog post: "The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X's keychain. The author simply took a proof-of-concept example available on Github called Keychaindump. It reads securityd’s memory and searches for the decryption key for the user’s keychain. This process is described in a paper by K. Lee and H. Koo. One of the reasons we think the source was taken directly from Github is that the function names in the source code are the same in the Keydnap malware." Interestingly, this version of OSX/Keydnap bears a striking similarity to OSX.KeRanger.A, the first fully functional ransomware which posed as version 2.90 of Transmission back in March. Coincidence? Not bloody likely! The code responsible for dropping the malware payload is the same: OSX/Keydnap and OSX.KeRanger.A also share a C&C URL resource path and parameter as well as a legitimate code signing key that was signed by Apple, meaning that both malware samples can bypass GateKeeper. Per ESET's recommendation, if you installed Transmission v2.92 between August 28th and August 29th of this year, make sure you check for the presence of those files. If they're there, remove them and scan your system with an anti-virus solution just to be on the safe side.
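A small script to run ESET's file check from the post above on a Mac, added here as an example and not code from ESET, Transmission or the article. The indicator paths are exactly the ones quoted in the post; the `root` parameter, which lets the same check be pointed at a mounted image of another machine's disk, and the function names are my own additions.

```python
import os
import sys

# Indicator paths quoted in the ESET advisory above. Entries starting with
# "$HOME" are per-user; the rest are system-wide.
KEYDNAP_INDICATORS = [
    "/Applications/Transmission.app/Contents/Resources/License.rtf",
    "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf",
    "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd",
    "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id",
    "$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist",
    "/Library/Application Support/com.apple.iCloud.sync.daemon/",
    "$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist",
]


def resolve_indicators(home, root="/"):
    """Map the indicator list onto a concrete home directory and filesystem root.

    `root` is an assumption of this example: it allows the check to be run
    against a mounted disk image (or a test directory) rather than the live
    system, which is how a responder would examine a suspect Mac offline.
    """
    resolved = []
    for path in KEYDNAP_INDICATORS:
        if path.startswith("$HOME/"):
            resolved.append(os.path.join(home, path[len("$HOME/"):]))
        else:
            resolved.append(os.path.join(root, path.lstrip("/")))
    return resolved


def find_present(paths):
    """Return the subset of paths that exist; lexists also catches dangling symlinks."""
    return [p for p in paths if os.path.lexists(p)]


def scan(home=None, root="/"):
    """Check one user's home (default: the current user) plus the system-wide paths."""
    home = home or os.path.expanduser("~")
    return find_present(resolve_indicators(home, root))


if __name__ == "__main__":
    # Exit status 1 on any hit so the script can be used from a fleet-wide job.
    hits = scan()
    if hits:
        print("Possible OSX/Keydnap indicators found:")
        for hit in hits:
            print("  " + hit)
        sys.exit(1)
    print("No Keydnap indicators found.")
```

Run it as each user who installed Transmission in the affected window, or loop `scan(home=...)` over every directory under /Users; the LaunchAgents plists are what give the backdoor persistence, so a hit on those alone is enough to treat the machine as compromised.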

Endwall 09/02/2016 (Fri) 16:05:58 [Preview] No. 507 del
CYBERCOM wants adversary to know it’s hacked
September 1, 2016 Mark Pomerlau
C4ISRnet.com August 31, 2016
As Cyber Command is beginning to reach initial operational capability and entering into both defensive and offensive operations around the globe, America’s cyber warriors need cyber tools to conduct their missions. However, unlike the tools used by members of the intelligence community, which seek to operate without being detected, the Defense Department is interested in “louder” tools. First reported by FedScoop, Cyber Command’s Executive Director Shawn Turskey said the command desires tools that can be attributed to DoD. “In the intelligence community you never want to be caught, you want to be low and slow, you never really want to be attributed. There’s a different paradigm from where you are at in the intelligence community,” Turskey said at a government cybersecurity workshop hosted by the Department of Homeland Security August 30, according to FedScoop reporter Chris Bing. “But there’s another space over here, where maybe you definitely want to be louder, where attribution is important to you and you actually want the adversary to know.” An official at Cyber Command, speaking to C4ISRNET on background, said joint force commanders might want their goals or objectives to be known in order to convey a message. Some cyber teams work directly to support the objectives of joint force commanders by providing options in cyberspace in furtherance of these goals. CYBERCOM is currently engaged in the global anti-ISIS coalition to help degrade and ultimately destroy the group by disrupting its command and control as well as ability to communicate. As part of the effort, CYBERCOM Commander Adm. Michael Rogers had stood up a specific task force headed by the commander of Army Cyber Command Gen Edward Cardon designed specifically to build tools tailored toward ISIS and their capabilities.
Joint Task Force – Ares, as it is called, is “very consistent with what we talked earlier but from a real specific operations point of view,” Ronald Pontius, deputy to the commanding general of ARCYBER, said in a recent interview with C4ISRNET. “It’s not just about tools, it is about how do you achieve effects that are integrated into Joint Task Force – Operation Inherent Resolve as the overall joint task force leading the efforts. So how do you integrate non-kinetic with kinetic to achieve those effects. The Joint Task Force – Ares is working that very much.” Pontius added that this project is a collaboration between CYBERCOM and Central Command, responsible for the geographic area encompassing ISIS’s largest territory to include the group’s de facto capital. Joint Task Force Ares is “integrated with Joint Task Force – OIR because they have responsibility in the entire battlespace of all the airspace, land domains,” he continued. The CYBERCOM official noted that the initiative to create attributable cyber tools is broad based and not specific to any one specific effort. As CYBERCOM is nearing IOC, which will occur at the end of 2016, and while there have been reports the organization will be elevated to a unified command, it will continue to remain a close partner with the intelligence community and the NSA, its de facto parent, for the foreseeable future. “We will continue to work with the intelligence community for offensive means and offensive operations, but as the United States Cyber Command, we need totally separate tools and infrastructure to conduct our operations,” Turskey said. “There is a close working relationship between signals intelligence and cyber. One can inform the other but also the other informs the other,” Pontius, whose organization is relocating its headquarters from Fort Belvoir, VA to Fort Gordon, GA in 2020, collocating with NSA-Georgia, said.
“There’s things that we very much could see from a cyberspace operations point of view that could say here’s something we need to look at from a signals intelligence point of view or we may have indications and warnings from signals intelligence that says we believe adversaries are thinking about pursuing this kind of thing against our networks or our systems – you need to look in this area.” In a general sense, Col Brandon Pearce, formerly chief of current intelligence for CYBERCOM, told C4ISRNET that this relationship is absolutely critical. “I believe that the relationship between signals intelligence and what U.S. CYBERCOM is trying to do in order to leverage signals intelligence and other types of intelligence to figure out what to do next inside the cyberspace is absolutely critical,” he said following an appearance at an FCW-hosted event on August 24, noting he has been out of that position for two years and was not commenting on current operations or policies. Pontius was sure to articulate the key differences between Title 10 military operations and Title 50 intelligence operations as they apply to the intelligence-military partnership in cyberspace. “Cyberspace operations as a Title 10 operations is that, it’s a military operation, not an intelligence operation. And so it’s very important and we go through a lot of training and we have our operational lawyers very much with us on everything…You have to understand under what authorities are you conducting what operation and we work that very carefully,” he said.

Endwall 09/02/2016 (Fri) 16:08:20 [Preview] No. 508 del
Undocumented Patched Vulnerability in Nexus 5X Allowed for Memory Dumping via USB
September 1, 2016 | By Roee Hay
The IBM X-Force Application Security Research Team recently discovered a previously undocumented vulnerability in older versions of Nexus 5X’s Android images (6.0 MDA39E through 6.0.1 MMB29V or bootloaders bhz10i/k). The first nonvulnerable version is MHC19J (bootloader bhz10m), released in March 2016. The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked. Clearly such an ability would have been very appealing to thieves. Fortunately, IBM is not aware of any exploitation attempts of this vulnerability. The vulnerability could have been exploited by physical or nonphysical attackers with Android Debug Bridge (ADB) access to the device. A nonphysical attacker could gain ADB access by infecting an ADB-authorized developer’s PC with malware or by using malicious chargers targeting ADB-enabled devices. Using such chargers requires the victim to authorize the charger once connected. IBM disclosed this issue to Android a few months ago, and the Android Security Team recently acknowledged it was patched.

Behind the Curtain of the Nexus 5X Vulnerability

The vulnerability and its exploitation are rather straightforward: The attacker reboots the phone into fastboot mode, which can be done without any authentication. A physical attacker can do this by pressing the volume down button during device boot. An attacker with ADB access can do this by issuing the adb reboot bootloader command. The fastboot mode exposes a USB interface, which, on locked devices, must not allow any security-sensitive operation to be commanded. However, we discovered that if the attacker issued the fastboot oem panic command via the fastboot USB interface, the bootloader would be forced to crash:

[38870] fastboot: oem panic
[38870] panic (frame 0xf9b1768):
[38870] r0 0x0f9972c4 r1 0x4e225c22 r2 0x7541206f r3 0x74206874
[38870] r4 0x0f9972e8 r5 0x0f96715c r6 0x0f9972f0 r7 0x0f9670ec
[38870] r8 0x0f92e070 r9 0x00000000 r10 0x00000000 r11 0x00000000
[38870] r12 0x0f92e070 usp 0x0f9650ec ulr 0x00000000 pc 0x0f99c75c
[38870] spsr 0x0f936964
[38870] fiq r13 0x0f989490 r14 0x00000000
[38870] irq r13 0x0f989490 r14 0x0f9004f4
[38870] svc r13 0x0f9b16f0 r14 0x0f92dd0c
[38870] und r13 0x0f989490 r14 0x00000000
[38870] sys r13 0x00000000 r14 0x00000000
[38880] panic (caller 0xf936964): generate test-panic...

Endwall 09/02/2016 (Fri) 16:09:22 [Preview] No. 509 del
Massive Data Breach Puts French Sub Maker in Crosshairs
By David Jones Sep 1, 2016 7:00 AM PT
Officials in France and India have launched investigations of a massive data breach involving thousands of documents belonging to defense industry contractor DCNS, which was scheduled to deliver six Scorpene-class submarines to the Indian navy later this year. Hackers stole more than 22,000 pages of documents that included detailed technical information on the vessels. They turned them over en masse to The Australian, which published some of the leaked information. DCNS acknowledged it was aware of the press coverage of the leak about the Indian Scorpene submarine project, and said French authorities were investigating the case. The investigation will determine the exact nature of the leaked documents, potential damages to DCNS customers, and responsibility for the leak, the company said. Indian government officials took up the incident with the director general of armament of the French government. They asked for an investigation and for the findings to be shared with the Indian government. The Indian government also is conducting an internal investigation to rule out any security compromise. However, the leak appears to have taken place outside of India, according to defense officials.

Possible Links

The evidence so far has led some to suspect a link to state-sponsored activity or even organized crime, noted Pierluigi Paganini, chief information security officer at Bit4id. "A government could be interested in leaking online such precious data only to interfere with commercial relationships between the DCNS and other governments," he told TechNewsWorld. "It could be interested, for example, to benefit a company linked to it." The Kalvari, the first submarine built in India, reflects a deal between DCNS and Mazagon Dock Shipbuilders to build six vessels in Mumbai. DCNS also won the largest-ever contract awarded in Australian history, for an advanced fleet of vessels.
Australia selected DCNS as the preferred international partner for the design of 12 future submarines for the Royal Australian Navy, the company announced this spring. The leakage of the India Scorpene data has created some unease over whether Australia should take delivery of those vessels. The Australian government chose DCNS for its ability to meet all of its requirements -- among them, superior sensors and stealth characteristics, as well as range and endurance similar to Collins class vessels. NATO's main cyber-responsibility is to defend its own networks, noted Press Officer Daniele Riggio. Individual allies are responsible for protecting their own networks.

Sponsored Espionage?

The Scorpene cyberattacks follow a series of attacks launched late last year against several contractors who were in the running for the Australian submarine contract. Several reports linked China and possibly Russian hackers to those incidents, which targeted contractors in Germany and Japan, as well as France's DCNS. Torben Beckmann, spokesman for Thyssenkrupp Industrial Solutions, confirmed to TechNewsWorld that the company was one of three contractors in contention for the submarine contract, but he declined to comment on the reported data hack.

Endwall 09/02/2016 (Fri) 16:10:22 [Preview] No. 510 del
Former Canadian SIGINT Chief Says Canada Needs Offensive Cyber Weapons
Alex Boutilier Toronto Star September 1, 2016
Former electronic spy chief urges Ottawa to prepare for ‘cyber war’
OTTAWA—The former chief of Canada’s electronic spies is calling on Ottawa to develop an arsenal of cyber weapons — and give defence and intelligence agencies the green light to attack. “Cyber war” is still in its infancy, John Adams argued in a July paper, but computer viruses could soon cause as much damage to a country as conventional bombs and bullets. Canada has traditionally — at least officially — focused cyber efforts on defending against espionage and attacks from both hostile states and hackers. But Adams, the chief of the Communications Security Establishment between 2005 and 2012, is calling on the federal Liberals to rethink that approach and allow Canada to go on the offensive. “Some people think that cyber war will sooner or later replace kinetic war. More frequently, cyber war is presented as a new kind of war that is cheaper, cleaner and less risky for an attacker than other forms of armed conflict,” Adams wrote in a paper published by the Canadian Global Affairs Institute. “In either case, the Canadian Armed Forces have a responsibility not only to protect their own systems but they also need to have the authority to direct offensive action … if that is what it takes to blunt an ongoing catastrophic attack on critical infrastructure.” Adams argued that if a hostile state were attacking Canada’s networks, Canada should be able to respond in kind to stop that attack. But in an interview with the Star Tuesday, Adams was clear that he’s envisioning a much wider range of actions for Canada’s defence agencies. “Let’s say we’ve got A, B, and C. A owes C money, and we want to make sure that money does not get to C.
You can take steps to make sure, even though A may intend that (the money) goes to C, in fact it goes to B.” “And C says, ‘Well, that son of a gun’ and he goes and shoots A in the head.” To most, Adams said, that would seem like an offensive action — Canadian spies misdirecting money, which ultimately results in someone getting killed. “That sort of action is very troublesome to governments, and certainly to politicians,” Adams said. “(Because) that would be judged to be an offensive action … (rather than) simply a defensive action, (where) you’re trying to stymie a whatever it might be, a nefarious action, and in so doing you take that kind of action and guess what? The bad guys are killing one another rather than doing the things you’d rather them not be doing.” Adams is making his argument as the Canadian government is in the middle of a massive re-think of defence and cyber security policy. Defence Minister Harjit Sajjan launched a review of defence policy in April, and is expected to release the new policy in 2017. Public Safety Minister Ralph Goodale has also launched a review of Canada’s cyber security posture, in addition to a promised comprehensive look at the country’s national security framework. Goodale’s office deferred comment to the Department of National Defence. Calls to Sajjan’s office were not returned as of Wednesday. In a written response, the Communications Security Establishment simply said that they have no authority to conduct offensive cyber operations. “CSE does not have a mandate to conduct offensive cyber activities,” agency spokesperson Ryan Foreman wrote in a statement. 
“The government of Canada is currently engaged in a defence policy review, which includes consulting Canadians on defensive and offensive military cyber capabilities.” Part of the difficulty in discussing “cyber attacks” is how often that term is used to describe everything from minor website disruptions (a favoured tool of “hacktivist” groups like Anonymous) to serious hacks aimed at stealing secrets or sabotaging networks. The lines between attacking, defending, and espionage can also be blurry. Wesley Wark, a professor at the University of Ottawa specializing in national security and intelligence issues, said while limited attack capabilities might be desirable, he thinks Canada needs to prioritize defence and intelligence gathering. “Before we leap ahead too far in investigating computer network attack capabilities and policies, we have to have a foundation in place … network defence capabilities, and the intelligence gathering capabilities,” Wark said. “If you don’t have those two, you can’t do the network attack … I’m afraid that this debate about let’s invest in cyber attack capabilities is going to drain resources, and time and attention, from those two foundational pieces.” Wark also cautioned that cyber weapons should be used sparingly, or countries risk escalating an already busy exchange of attacks and counterattacks. “The last thing you want is to get into a round of escalating, out of control cyber aggressions, tit for tat, across international boundaries between state actors,” Wark said. Proliferation and escalation are valid concerns, Adams conceded to the Star. But he said that he’s “equally concerned” about Canada not having the capacity to respond at all. “I simply say that it’s time for the debate. Let’s have the discussion,” Adams said. “Let’s get on with it, because I think it’s now time.”

Endwall 09/02/2016 (Fri) 16:12:02 [Preview] No. 511 del
Florida Man Arrested for Hacking Linux Kernel Organization
2. September 2016
Donald Ryan Austin, 27, of El Portal, Florida, was charged yesterday with hacking servers belonging to the Linux Kernel Organization (kernel.org). According to a four-count indictment, Austin gained access to server credentials used by an individual associated with the Linux Kernel Organization. Austin used the credentials to access four kernel.org servers located in a Bay Area data center, modified server configurations and installed rootkits and other trojans. Linux Kernel Organization administrators detected the intrusion and called on the FBI to investigate the incident. FBI agents tracked down the intrusion to Austin, and a federal grand jury issued a four-count indictment on June 2 […]

Endwall 09/02/2016 (Fri) 16:15:47 [Preview] No. 512 del
ABC News Australia
The internet of hacked things
Four Corners Updated August 29, 2016 10:09:04
Satellite communications

Newsat was once Australia's biggest satellite company, with systems carrying sensitive communications for the Australian Defence Force and mining companies. In a 2013 meeting called by the Australian Signals Directorate, former IT manager Daryl Peter was told the company had been seriously infiltrated by foreign hackers. Mr Peter believed the hack was from China. Newsat's former chief financial officer, Michael Hewins, said the company's IT staff were told its computers had been compromised in one of the worst cases Australian intelligence had ever seen. They were told Newsat would not be allowed to launch its flagship Jabiru 1 satellite until major changes were made. Jabiru 1 was a five-tonne state-of-the-art satellite that NewSat promised to launch, but it never got off the ground as the company eventually collapsed and went into administration.

Bureau of Meteorology

In April, Prime Minister Malcolm Turnbull confirmed the Bureau of Meteorology had suffered a significant cyber intrusion that was first discovered in 2015. It was the first time there was official acknowledgement that a critical Australian Government agency had been penetrated by a sophisticated cyber attack. The Government did not say it publicly but Australian intelligence sources have confirmed to the ABC that China was behind the attack. Four Corners has been told the Bureau of Meteorology was probably just a gateway for a more sinister attack. China's true targets may have been the Australian Geospatial Intelligence Organisation, which provides satellite imagery for sensitive defence operations, and a high-tech Royal Australian Air Force radar system called the Jindalee Operational Radar Network (JORN). The JORN system is designed to detect planes and maritime vessels within a 3,000-kilometre radius of Australia's northern and western shorelines. Beijing continues to deny responsibility for the attack.

Nuclear facilities

Stuxnet is the first cyberweapon known to cause actual physical damage. At the time of its 2010 discovery by security researchers, it was the most sophisticated malware identified in the public realm. Stuxnet targeted devices that automate electro-mechanical processes to sabotage Iran's uranium enrichment program in Natanz. Since the nuclear facilities were not connected to the Internet, it is believed that the malware was deployed by infecting employees' home computers, and carried unknowingly into the facility via a USB flash drive. Once inside the facility, the malware proceeded to override the Iranian scientists' internal network, forcing the centrifuges to spin at self-destructive speeds while making it appear that nothing abnormal was occurring. It was not until loud noises were heard from the centrifuge chambers that Iran's nuclear scientists became aware that their system was failing. It took another five months before researchers discovered the culprit: Stuxnet. Stuxnet is believed to have resulted in the destruction of roughly one-fifth of Iran's centrifuge stockpile. It also represented an unprecedented moment in history, when cyber warfare finally spilled over into the physical domain.

Power grids

The first publicly acknowledged successful cyber intrusion to knock a power grid offline occurred in Ukraine during December 2015. Widespread service outages were reported and it was soon discovered that about 30 substations became disconnected from the grid, leaving more than 225,000 customers freezing in the Ukrainian winter chill. The attackers are also believed to have spammed the Ukrainian utility's customer-service centre with phone calls in order to prevent real customers from requesting assistance. This was no opportunist act of hacktivism: those responsible were running a sophisticated and stealthy operation that would have required months of reconnaissance. Although power was restored hours later, many functions had to be controlled manually for months to come; the firmware inside the control centres running the substations had been rendered inoperable by the attack. Later, US security researchers found that the authors of the malware were writing in Russian. This malware was dubbed BlackEnergy.

Cars

In July 2015, American security researchers Charlie Miller and Chris Valasek demonstrated they could remotely hack a 2014 Jeep Cherokee, allowing them to control the car's transmission and brakes. The vulnerability they had discovered was exploited via the wi-fi in the car's multimedia system; the number of affected vehicles ran into the millions. They discovered they could crack a car's password through a method known as brute-forcing: literally decoding it through automated guesswork. Since then, a number of other vehicles have proved to be vulnerable to hacking, including models manufactured by Tesla, BMW, Nissan and Mercedes Benz. In response to security concerns, Tesla and Fiat Chrysler have both announced the establishment of bug bounty programs. Such programs allow independent security researchers to submit vulnerabilities they discover to the company and be compensated thousands of dollars for their efforts.

Drug infusion pumps

We've all seen infusion pumps in hospitals before. But what you probably don't know is that many are actually connected to the hospital's computer network. In 2014, Californian researcher Billy Rios found he could remotely hack into hospital pumps that administer morphine and antibiotics to change the dosage level. After Rios sent his findings to the Department of Homeland Security, they contacted the Food and Drug Administration (FDA), who contacted the pumps' manufacturer, Hospira. The FDA eventually issued an advisory recommending that hospitals stop using the affected model of pump Rios had studied. But many more hospital pumps affected by similar vulnerabilities continue to be used today.

Steel mills

In 2014, the German Government confirmed that an unnamed steel mill was targeted by hackers, leaving one of its furnaces destroyed. The German Federal Office for Information Security said the attackers used a combination of techniques to attack the facility. They started by sending malicious emails to employees at the mill that surreptitiously stole login and password details. Once inside the system, they exploited software used to administer the plant's operations, allowing them to stop the blast furnace from being shut down.

Building management systems

In 2013, Billy Rios and Terry McCorkle hacked into the building management system of Google's offices in Sydney. Building management systems are interfaces that control power, CCTV systems, security alarms, fire alarms, electrical locks, air-conditioning, elevators and water pipes. The researchers had discovered the Google management system on a search engine for internet-connected devices known as Shodan. Google Australia thanked the researchers for alerting it, and "took appropriate action to resolve this issue".

Dams

Hackers almost gained control of the floodgates at Bowman Avenue Dam, near New York City, in 2013. It is believed the only reason they did not gain full control was because the dam had been manually disconnected for routine maintenance. Former government officials lay the blame for the attack on Iran, but details remain scarce as the incident remains classified.

TV stations

The French TV station TV5Monde fell victim to a sophisticated cyber attack that brought down 12 channels for almost a whole day in April 2015. Jihadist hackers were initially suspected to be the culprit as the TV5Monde website was defaced with Islamic State propaganda. However, cyber security experts later realised the hacker group used Russian code.

ATMs

New Zealand hacker Barnaby Jack came to fame in 2010 after demonstrating how to hack into automatic teller machines, causing them to spew out wads of notes. One of the vulnerabilities Jack demonstrated was in the remote monitoring feature, which in some models of ATMs is turned on by default. It was through this flaw in the ATMs' software that he uploaded a program designed to infect the machine in secret. The program would then be activated when someone entered a touch-sequence on the ATM's keypad, causing bills to fly out of the machine.

Traffic lights

In 2014, researchers demonstrated how they could remotely control a system of 100 intersections' traffic lights in an unnamed city in Michigan. Under the supervision of the government road agency, experts from the University of Michigan showed how the traffic lights used wireless radio to communicate data within a central network. It was through this wireless radio system that they discovered they could send commands to any intersection and control the lights at will.

Planes?

Security researcher Chris Roberts is subject to an ongoing FBI investigation after claiming to have hacked a plane mid-flight via its entertainment console. He claims to have made the passenger jet fly in a sideways movement. However, the jury remains out as to whether his claims are correct, especially if the flight crew failed to notice any abnormality.

Watch Cyber War on Four Corners, Monday 8.30pm and on iview.

Endwall 09/02/2016 (Fri) 16:21:38 [Preview] No. 513 del
ABC Australia
Four Corners

Can someone grab this and convert it to webm? I don't have flash installed.

Endwall 09/02/2016 (Fri) 16:34:00 [Preview] No. 514 del
DNS tunneling threat drills into nearly half of networks tested
Davey Winder September 02, 2016
InfoBlox's new report showed nearly half of all networks tested to show signs of DNS tunnelling. The latest Infoblox Security Assessment Report reveals 40 per cent of the files it tested showed evidence of DNS tunnelling. That's nearly half of the enterprise networks that were tested by Infoblox returning evidence of a threat that can mean active malware or ongoing data exfiltration within the network. For more than a decade now the bad guys have been looking at ways of using DNS to exfiltrate data. Port 53 manipulation, also known as DNS Tunneling, allows data to be directed through this established path for malicious purposes. Perhaps this shouldn't be surprising, given the inherently trusted nature of DNS. While there are some 'quasi-legitimate' uses of DNS tunnelling, many will be malicious. The nature of these attacks can vary, depending on whether the perpetrator is an off the shelf scripter or nation state actor. Project Sauron, an example at the nation state end of the spectrum, used DNS tunneling to exfiltrate data. Rod Rasmussen, vice president of cyber-security at Infoblox, says that "the widespread evidence of DNS tunnelling uncovered by the report shows cyber-criminals at all levels are fully aware of the opportunity." Rasmussen also points out that when suspicious DNS activity is detected, security teams can "use the information to quickly identify and remediate infected devices." Luther Martin, Distinguished Technologist at HPE Security, is in agreement that DNS tunneling is used by lots of hackers. "It's actually a fairly robust way to sneak data past a firewall" Martin told SCMagazineUK.com "it's easy to get data rates of over 100 MB/s with it." Indeed, he's even seen DNS tunneling as a service offerings out there. Interestingly, according to Martin, DNS tunneling for the egress of lots of data (think big breach) is unlikely as firewalls are often surprisingly bad at egress filtering. 
"The main use", Martin concludes, "might actually be to bypass firewalls and get WiFi access without paying for it." Luke Potter, Security Practice Director for SureCloud, revealed during a conversation with SC that DNS tunneling is even "an area that our testing team are actively using in client engagements" and that "we often find that mitigation for DNS tunnelling has not been considered or implemented." And Marc Laliberte, Information Security Threat Analyst at WatchGuard Technologies has seen tunneling "prominently used in the Multigrain POS malware which made its rounds earlier this year." What's more, he told us he expects to "continue to see DNS tunnelling used for data exfiltration and C2 connections until organisations better prepare themselves to stop it." So how do they do that then? Jonathan Couch, VP of Strategy at ThreatQuotient told SC that despite something like 90 per cent of malware utilising DNS for command and control as well as exfiltration, organisations which should know this continue not to manage their own DNS internally and still let UDP and TCP port 53 flow freely through their firewalls. "And those that do implement internal DNS" Couch adds "either don't monitor it for tunneling or don't enforce use of it by blocking UDP/TCP 53 at the firewalls." The why is interesting, and reflects a common problem in the world of security teams. They don't plug the hole because it takes resources to implement and maintain internal DNS. "These are resources which the network operations folks need to use for other essential network services or security infrastructure" Couch concludes. That, and the fact that DNS is so core to everything that they don't want to mess it up! 
Meanwhile, Luke Potter admits it's not straightforward to prevent this technique of tunnelling data, but provided SC Magazine with this summary: "To block tunnelling across the network, ensure the egress firewall has intrusion prevention and deep packet inspection enabled, as well as strict outbound port and protocol whitelisting. Additionally, an internal proxy server should be in use with SSL/TLS bumping to intercept encrypted traffic."
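The monitoring of internal DNS that Rasmussen and Couch describe, in working form, as an added example that is not code from the article or from any vendor quoted in it: it groups queries by client and registered domain and flags groups whose names are long, high-entropy, never repeated, or sent only as payload-carrying record types. The log format, thresholds and sample lines are constructed assumptions.

```python
"""Heuristic DNS tunnelling detector run over a constructed query log.

Added example; not code from the article or any vendor quoted in it. The log
format (timestamp, client IP, query type, queried name) is an assumption:
adapt parse_line() to what your resolver or firewall actually writes.
"""
import math
from collections import defaultdict

# Constructed sample log: one ordinary client (10.0.0.5) and one client
# (10.0.0.7) pushing data out through long, never-repeated TXT queries to a
# single registered domain, the footprint a DNS tunnel leaves in resolver logs.
SAMPLE_LOG = """\
2016-09-02T10:00:01 10.0.0.5 A   www.example.com
2016-09-02T10:00:02 10.0.0.5 A   mail.example.com
2016-09-02T10:00:03 10.0.0.5 MX  example.com
2016-09-02T10:00:04 10.0.0.5 A   www.example.com
2016-09-02T10:00:05 10.0.0.5 A   cdn.example.com
2016-09-02T10:00:06 10.0.0.5 A   www.example.com
2016-09-02T10:00:07 10.0.0.7 TXT 4a9f3c1e8b2d7f60a1c5e9d3b7f2a6c4.exfil-example.test
2016-09-02T10:00:07 10.0.0.7 TXT 9d2e6b1f4c8a3e7d5f0b9a2c6e1d4f8b.exfil-example.test
2016-09-02T10:00:08 10.0.0.7 TXT c7e1a5f9d3b8e2c6a0f4d8b2e6c1a5f9.exfil-example.test
2016-09-02T10:00:08 10.0.0.7 TXT 2b6d0f4a8e1c5b9d3f7a2e6c0d4b8f1a.exfil-example.test
2016-09-02T10:00:09 10.0.0.7 TXT e8c2a6f0d4b9e3c7a1f5d9b3e7c2a6f0.exfil-example.test
2016-09-02T10:00:09 10.0.0.7 TXT 5f9b3d7e1a4c8f2b6e0d9a3c7f1b5e9d.exfil-example.test
"""

# Record types whose names and answers have room for a payload.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}

def parse_line(line):
    """Split one log line into (client, qtype, qname); qname lower-cased."""
    _ts, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()

def split_name(qname):
    """Return (subdomain, registered_domain). Simplification: the last two
    labels are the registered domain; production code should use the Public
    Suffix List so names under suffixes such as co.uk group correctly."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def shannon_entropy(text):
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def aggregate(log_text):
    """Group queries by (client, registered domain) with running statistics."""
    groups = defaultdict(lambda: {"n": 0, "names": set(), "sub_len": 0,
                                  "entropy": 0.0, "payload_qtypes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = parse_line(line)
        sub, domain = split_name(qname)
        g = groups[(client, domain)]
        g["n"] += 1
        g["names"].add(qname)
        g["sub_len"] += len(sub)
        g["entropy"] += shannon_entropy(sub.replace(".", ""))
        g["payload_qtypes"] += int(qtype in PAYLOAD_QTYPES)
    return groups

def flag_tunnels(log_text, min_queries=5, min_avg_sub_len=30,
                 min_avg_entropy=3.5, min_unique_ratio=0.8):
    """Return {(client, domain): [reasons]} for groups that look like tunnels.

    A group is reported when it has enough queries, nearly every name is
    unique (a tunnel never re-asks a name, since each carries fresh data) and
    its subdomains are long, high-entropy or sent only as payload types.
    """
    findings = {}
    for key, g in aggregate(log_text).items():
        if g["n"] < min_queries:
            continue
        avg_len = g["sub_len"] / g["n"]
        avg_ent = g["entropy"] / g["n"]
        reasons = []
        if avg_len >= min_avg_sub_len:
            reasons.append("long subdomains (avg %.0f chars)" % avg_len)
        if avg_ent >= min_avg_entropy:
            reasons.append("high-entropy subdomains (avg %.2f bits)" % avg_ent)
        if g["payload_qtypes"] == g["n"]:
            reasons.append("only payload-carrying record types")
        if reasons and len(g["names"]) / g["n"] >= min_unique_ratio:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (client, domain), reasons in flag_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

A hit is a lead to investigate on the client, not proof on its own: the thresholds need tuning against a baseline of your own resolver logs, since CDNs and some anti-spam services legitimately produce long, unique names.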

Endwall 09/02/2016 (Fri) 16:36:28 [Preview] No. 515 del
Regular password changes make things worse
Changing passwords is supposed to make things more difficult for attackers. Unfortunately, research shows that human nature means it makes it easier
Taylor Armerding Sep 2, 2016
Security experts have been saying for decades that human weakness can trump the best technology. Apparently, it can also trump conventional wisdom. Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person's, or an organization's, security. Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, "time to rethink mandatory password changes." She gave a keynote speech at the BSides security conference in Las Vegas earlier this month making the same point. But the message was not new -- she has been preaching it for some time. Cranor, who before her move to the FTC was a professor of computer science and of engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago. She contends that changing passwords frequently could do more harm than good. Not because new passwords, in and of themselves, would make it easier for attackers, but because of human nature. She cited research suggesting that, "users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily." This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. 
Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack new passwords if they had cracked an older one, since users tended to create a new password with a minor tweak of the old one. Those tweaks included changing a lower-case letter to upper case, substituting a number for a letter, such as a "3" for an "e," or simply adding a couple of letters or numbers to the end of the previous password. Cranor said the researchers found that if they knew a previous password, they could guess the new one in fewer than five tries. A hacker who had also stolen the hashed password file would be able to guess new ones within three seconds -- and that was with 2009 technology. The UNC study is not the only one reaching that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that security advantages of password expiration policies were, "relatively minor at best, and questionable in light of overall costs," for the same reason the UNC researchers found. "(W)hen password changes are forced, often new passwords are algorithmically related to the old [password], allowing many to be found in few guesses," they wrote. And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked "Retired" this past April), said password expiration policies frequently frustrate users, who then, "tend to choose weak passwords and use the same few passwords for many accounts." Not surprisingly, attackers are very much aware of these vulnerabilities. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. 
A report released earlier this month by Praetorian found that four out of the top five activities in the cyber kill chain had nothing to do with malware, but with stolen credentials, thanks to things like weak domain user passwords and cleartext passwords in memory. All of which would seem to be even more ammunition for organizations like the FIDO Alliance, which has been crusading to eliminate passwords entirely since its formation four years ago. The Alliance has been pitching two passwordless authentication options it hopes will be irresistible to both users and service providers. But even with increasing interest and acceptance of those options, Brett McDowell, FIDO's executive director, has acknowledged that there will be a "long tail" for password use. And during that long transition, he and others say there are multiple ways to improve security that don't involve creating a new password every couple of months that is easier to crack than previous ones. Zach Lanier, director of research at Cylance, cites Apple's TouchID and Google's Project Abacus as mobile options to wean users off passwords, but said passwords are obviously, "still around, and they're likely to be for a bit longer. It's just that they're so 'standard' for people and enterprises, and have been for so long, that it's really hard to make them completely disappear." In the interim, he said, organizations can improve their password security through a combination of employee training and, "actively testing their authentication mechanisms and auditing users' passwords -- cracking them -- whether it's through internal infosec teams or external firms. In my opinion, it should be both," he said. "This can give the organization a better idea of where things are broken, from people to technology." The users can be brought into this as well, he added, by, "making available the tools to enable, if not force, users to test the strength of their own passwords." 
McDowell agrees that education is, "a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks." But he said the "shared secret" authentication model is vulnerable to too many forms of attack -- not just social engineering -- hence the need to eliminate them as soon as possible. Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. "Current policies set the bar far too low for complexity in passwords and don't require multi-factor authentication, acknowledged as the best commonly available solution," he said. Lanier agreed. "There are some really awful organizations, sites or services that can't seem to move past the year 1998 with authentication," he said. "Things like not allowing certain characters, or limiting the length of the password to something ridiculously low, all because the developers, database admins, and/or designers are using outdated or deprecated mechanisms." Pendergast said he sees the same thing. "There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don't use these basic password reinforcement functions," he said. And, Lanier noted that, "password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a Stickie note. This at least reduces the risk that a person might serialize their password choices. Certainly not a panacea, but for the average person, it's a great idea." Still, as McDowell noted, even rigorous passwords can't compensate for a person being fooled by a skilled attacker. "Many times, passwords are simply given away in a phishing or social engineering attack," he said. 
"I saw a recent stat from the SANS Institute that 95% of all attacks on enterprise networks are the result of successful spear phishing." All agree that the weaknesses of human nature mean it would be better to move beyond passwords. But, as McDowell notes, human nature also requires that whatever replaces passwords must be, "easier to use than passwords alone." "User experience is going to win over security every time so the key to building a secure password replacement system is to build ease-of-use into its foundation," he said. Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone. "At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker," he said. This story, "Regular password changes make things worse" was originally published by CSO.
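One form of the "technology designed specifically to prevent users from repeating passwords" that Pendergast mentions, as an added example that is not code from the article or from the UNC and Carleton studies: a change-time check that rejects a new password reachable from the old one by the tweaks the UNC researchers catalogued (case change, look-alike substitutions, appended characters) or by one or two edits. It assumes the change flow has the current password in cleartext at that moment, as a "confirm current password" step provides; the function names are the example's own.

```python
"""Reject a new password that is only a trivial tweak of the old one.

Added example; not code from the article or the studies it cites. It assumes
the change flow has the user's current password in cleartext at that moment
(the usual "enter current password" step), since only then can the two be
compared. Function names are the example's own.
"""
import re

# Substitutions the cited research saw users make when forced to change:
# digits or symbols standing in for the letters they resemble.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def canonical(pw):
    """Undo the common tweaks: letter case, appended or prepended digits and
    symbols, and look-alike substitutions. "Tarh33ls#2016!" -> "tarheels"."""
    pw = pw.lower()
    pw = re.sub(r"[^a-z]+$", "", pw)   # strip trailing "1", "!", "2016" ...
    pw = re.sub(r"^[^a-z]+", "", pw)   # ... and leading ones
    return pw.translate(LEET)          # then map 3->e, @->a and so on

def levenshtein(a, b):
    """Edit distance, to catch one- or two-character changes that the
    canonical form does not normalise (e.g. 'tarheels' -> 'tarheals')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_change(old, new, max_edits=2):
    """Return (rejected, reason). Rejected means an attacker who knows the
    old password would reach the new one in a handful of guesses."""
    if new == old:
        return True, "unchanged"
    if new.lower() == old.lower():
        return True, "differs only in letter case"
    co, cn = canonical(old), canonical(new)
    if co and co == cn:
        return True, "same word once substitutions and appended characters are undone"
    if len(co) >= 5 and cn and (co in cn or cn in co):
        return True, "shares its core with the old password"
    if levenshtein(old, new) <= max_edits:
        return True, f"within {max_edits} edits of the old password"
    return False, ""

if __name__ == "__main__":
    # Constructed pairs; each is one of the tweak patterns from the UNC study.
    for old, new in [("Tarheels#1", "tArheels#1"), ("Tarheels#1", "Tarh33ls#1"),
                     ("Tarheels#1", "Tarheels#2016"), ("Tarheels#1", "Tarheals#1"),
                     ("Tarheels#1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {is_trivial_change(old, new)}")
```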

Endwall 09/02/2016 (Fri) 16:38:23 [Preview] No. 516 del
Apple Patches Safari, OS X Flaws to Prevent Snooping
September 2, 2016
The fix comes a week after Cupertino patched a similar iOS vulnerability. Apple on Thursday fixed critical vulnerabilities in its desktop Safari browser and the OS X operating system. The security update comes after Cupertino last week patched a serious iOS flaw that let malware spy on a user’s phone calls and text messages. But Safari’s mobile and desktop versions share the same codebase, making Mac users vulnerable, as well. According to Apple’s advisory, the Safari 9.1.3 bug could allow a hacker to execute arbitrary code on an unsuspecting victim’s Mac by tricking the person into visiting “a maliciously crafted website.” Hackers employed the same technique recently when they tried to infiltrate human rights activist Ahmed Mansoor’s iPhone. The prominent advocate reportedly received a text message from a “cyber war” company with a link to malware that would have jailbroken his handset and installed surveillance software. The exploit, according to research group Citizen Lab, is connected to NSO Group, an Israeli company best known for selling a government-exclusive “lawful intercept” spyware product called Pegasus. If Mansoor had activated the malware, it would have allowed NSO access to the phone’s camera, microphone, and GPS. “Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms,” Citizen Lab researcher Bill Marczak told Motherboard. Citizen Lab did not immediately respond to PCMag’s request for comment. Apple last week released the latest version of iOS, 9.3.5, which fixes the aforementioned issues. The update includes two improvements to how iOS devices access memory, as well as a patch that prevents visits to malware-laden websites.

Endwall 09/02/2016 (Fri) 16:52:06 [Preview] No. 517 del
Inteno Router Flaw Could Give Remote Hackers Full Access
Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine
Security experts are warning of a critical new router vulnerability which could allow remote attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out. F-Secure claimed the issue affects the Inteno EG500, FG101, DG201 routers. However, in an advisory it added that more models could be affected but it couldn’t be sure due to the “vendor’s unwillingness to cooperate.” In fact, F-Secure claimed to have first contacted Inteno about the issue in January but when the vendor replied two months later it argued that software issues are dealt with by the “operators” that sell the equipment to end users. “Inteno do not do end user sales on CPE, we only sell through operators so such software features are directed through operators requests,” an Inteno representative told F-Secure at the time. The vulnerability itself stems from the fact that several router models don’t validate the Auto Configuration Server (ACS) certificate (CWE-295). This means that an attacker capable of launching a Man in the Middle (MitM) attack between the ACS and the device could intercept all network traffic going in and out of the device to the ACS and gain full administrative access to the router, allowing them to reflash the firmware. The implications of such a flaw are potentially serious, according to F-Secure cybersecurity expert, Janne Kauhanen. “By changing the firmware, the attacker can change any and all rules of the router. Watching video content you’re storing on another computer? So is the attacker. Updating another device through the router? Hopefully it’s not vulnerable like this, or they’ll own that too,” he warned. “Of course, HTTPS traffic is encrypted, so the attacker won’t see that as easily. 
But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine.” The one saving grace is that an attacker would have to gain a “privileged network position” before being able to launch such an attack – something which HTTPS is designed to prevent. However, if HTTPS is not implemented and an attacker is able to launch a MitM then there’s nothing a user can do to prevent a successful exploitation, short of installing a new router or a firmware update – once one is finally made available. “Gaining a MitM position is not trivial, but it’s not outside the realm of possibilities either, whether physically attacking a whole building by breaking into the distribution trunk in the building or using software tricks to route network traffic through a malicious site,” Kauhanen told Infosecurity. “If you use a vulnerable router to surf on my website for kitty pictures, here comes the payload.” In the meantime, F-Secure recommended users keep browsers and other software updated to prevent hackers exploiting any flaws; to use effective AV to prevent any malware downloads; and to use a VPN to encrypt internet traffic and prevent hackers gaining that initial foothold into the network. Unofficial reports suggest that there is a fix out there somewhere, although these have not been confirmed, according to Kauhanen.

Endwall 09/02/2016 (Fri) 16:53:26 [Preview] No. 518 del
Man Convicted for Hacking Linux Kernel Servers
September 2, 2016 by Vencislav Krustev
A man from El Portal, Florida was arrested for gaining unauthorized access to the kernel.org (Linux Kernel) servers. According to the court, the hacker Ryan Austin used credentials to the servers of what appears to be an employee associated with the Linux Organization. The organization’s network administrators have detected the unauthorized login and have notified the authorities. The FBI took over this investigation, and they have eventually discovered that there were also attempts by Austin to modify the configuration files of the servers and had installed malware such as rootkits and Trojan horses on a server based in the Bay Area. The agents behind the investigation eventually tracked down the tracks of the intrusion, and they led to Ryan Austin, who was arrested on August 28, 2016. The suspect Ryan Austin was indicted to possibly face a 10-year solitary confinement as well as a fine of $250,000.

Is This The Same Hacker Behind the 2011 Attack?

This is similar to the 2011 kernel.org hack which resulted in the successful installation of the Phalanx Rootkit infection with other Trojans able to steal passwords as well as perform other malicious activities. This time, the hack was relatively the same and the cyber-criminal attempted the same actions, suggesting that it may have been Austin who did the hack. There hasn’t been much fuss since this accident has happened, besides that the hack was found half a month later. What is known from back then is that during that time, there was access to several machines that were used to distribute the Linux OS, according to officials. The consequences of the hack were that the attackers were able to track down anyone using these servers and what they do. Not only this but besides the servers Hera and Odin1 the hackers were able to access a senior developer’s personal machines as well. 
It is not disclosed as to what extent the data was stolen, but other computers within the kernel.org network may have also become victims of this attack.

What About The Future?

The good news for this situation is that Linux Kernel has learned from their mistakes and this time they have caught the attacker. However, it remains a mystery whether this was just Austin or there were other attackers as well since multiple computers were attacked. So far the big question that remains is whether or not this is going to be the end of those types of trojan and rootkit attacks against Linux Kernel. The reality is with this attack and other attacks, like the Fairware ransomware, Linux becomes an increasingly bigger target for malware writers especially when it comes to servers.

Endwall 09/02/2016 (Fri) 16:54:45 [Preview] No. 519 del
Man charged with hacking city sites in Arizona, Wisconsin
By Associated Press | September 1, 2016 @ 5:41 pm
PHOENIX — A man has been indicted on federal charges of hacking into government websites in Arizona and Wisconsin, including a cyberattack that came three days after a police shooting of an unarmed man in the city of Madison and interrupted communications equipment for emergency workers there. Randall Charles Tucker of Apache Junction, Arizona, is charged with intentional damage to protected computers and threatening damage to protected computers for allegedly attacking municipal computer systems in March 2015 in Madison and two Phoenix suburbs, Chandler and Mesa. He also is accused of attacking the Washington, D.C.-based News2Share site in late 2014 after it failed to run a video he had provided. The video’s contents weren’t publicly revealed. It’s unknown whether Tucker has an attorney, and there was no listed phone number for his home. He hasn’t yet made an initial appearance in U.S. District Court in Phoenix. The indictment says Tucker temporarily disabled access to the city of Madison’s website and crippled the automatic dispatch system for emergency workers. The attack came three days after a white Madison police officer fatally shot Tony Robinson, a 19-year-old biracial man, during an altercation in an apartment building stairwell. The shooting put the police department under intense scrutiny and sparked days of protests. The officer was eventually cleared of criminal wrongdoing. The indictment against Tucker doesn’t mention the shooting. Less than a week after the Madison hack, authorities say Tucker launched an attack on city websites in Mesa and Chandler that temporarily made them inaccessible to users.

Endwall 09/02/2016 (Fri) 16:56:13 [Preview] No. 520 del
Florida Man Arrested for Hacking Linux Kernel Organization
Security Newspaper | September 2, 2016
Donald Austin is the main suspect behind the kernel.org security breach that took place in the summer of 2011.

Donald Ryan Austin, 27, of El Portal, Florida, was charged yesterday with hacking servers belonging to the Linux Kernel Organization (kernel.org). According to a four-count indictment, Austin gained access to server credentials used by an individual associated with the Linux Kernel Organization. Austin used the credentials to access four kernel.org servers located in a Bay Area data center, modified server configurations and installed rootkits and other trojans. Linux Kernel Organization administrators detected the intrusion and called on the FBI to investigate the incident. FBI agents tracked down the intrusion to Austin, and a federal grand jury issued a four-count indictment on June 23, 2016.

Austin arrested this past Sunday

Officers from the Miami Shores Police Department arrested Austin during a routine traffic stop last Sunday, on August 28, 2016. The suspect made an initial appearance in a Miami court on Monday, and officials unsealed the indictment the following day. Austin appeared in court yesterday again, where a judge set bail for $50,000 and scheduled the next court appearance for September 21, 2016, in a San Francisco federal court. The suspect was released on bond. For his crimes, Austin faces a maximum sentence of ten years in prison, a fine of $250,000, and any other restitution.

The Linux Kernel Organization manages Linux Kernel development and the kernel.org website. The Linux Kernel Organization is different from the Linux Foundation, which is a separate nonprofit foundation that supports the former.

Is Austin the hacker behind the 2011 kernel.org incident?

Back in 2011, the kernel.org website was hacked by an unknown attacker, who used a volunteer’s credentials to install the Phalanx rootkit along with other trojans capable of logging passwords and other malicious actions. 
It took the kernel.org team 17 days to discover the hack, and administrators never released an incident report detailing the data breach. Five years later, there are still very few details available about what really happened back then. With all the currently available information, Austin seems to be the main suspect behind the 2011 kernel.org security breach.
Source: http://news.softpedia.com/

Endwall 09/02/2016 (Fri) 16:57:08 [Preview] No. 521 del
Countdown to IANA Transition Is Not the Countdown to Doomsday
Michele Neylon Sep 02, 2016 7:28 AM PDT
I've mentioned the IANA transition in several posts over the last year or so. Personally I'd love to not have to mention it ever again, as it's not the kind of topic that we should be spending too much time thinking about or worrying about. There are plenty of other things out there that cause us all headaches without adding to the list. However the IANA transition is a topic that is of fundamental importance for the global internet community. As a company we rely heavily on the internet, in fact we are pretty much 100% online. Sure, we have physical offices and staff and all that, but pretty much everything we do is online. As a business our ability to serve our customers is predicated on our clients being able to have unfettered access to the global internet. Sure, there are limitations on some private networks and various government regimes around the world may place restrictions on what can and cannot be accessed at any given time. We may not like that, but part of freedom is that people are free to do lots of things, even things we don't really like. And the internet is built in such a way that most of those restrictions can be routed around either directly or indirectly, so the overall network's health is not adversely impacted. The transition will result in the US government losing its special relationship with the IANA functions. That's all that will change and for the average internet user or business nothing will be impacted. The only "tangible" impact will be in how changes to the IANA functions are processed in the future. Which, again, has no impact on the average internet user. Post-IANA transition no one government or subset of governments will have more power than anyone else. The internet has blossomed where governments have taken a "light touch". Where governments have been more "heavy handed" in their interactions the online world has not grown and flourished as quickly. 
It wouldn't be in anyone's interests to allow the very nature of the internet to be adversely changed. Yet, unfortunately, some elements in the US government (and elsewhere) have been spreading lots of scary, but factually incorrect, stories about how the Obama administration is going to hand over the internet to Russia and China. One has even set up a sort of "doomsday" countdown clock. From our side we look forward to the IANA functions being transitioned to ICANN and the global internet community. We don't expect it to have any impact on our business nor that of our clients. However a failure to finalise the transition will definitely cause us all headaches, so let's just get it done once and for all!

Endwall 09/02/2016 (Fri) 16:58:20 [Preview] No. 522 del
TrustedSec Security Podcast Episode 53 – DropBox, NSA Breach, Medical Professionals
TrustedSec Security Podcast Episode 53 for September 1, 2016.  This podcast is hosted by Rick Hayes, Scott White, Justin Elze, and Geoff Walton
Download Page https://www.trustedsec.com/podcasts/trustedsec-security-podcast-episode-53.mp3
XML Page https://www.trustedsec.com/podcasts/trustedsecsecuritypodcast.xml

Endwall 09/03/2016 (Sat) 22:40:24 [Preview] No. 524 del
Clinton aide destroyed Hillary's phones by 'breaking them in half or hitting them with a hammer,' FBI documents reveal
* Justin Cooper recalled two instances where he broke Hillary's phones
* FBI listed 13 phones Hillary may have used to send emails on private server
* Hillary was known to switch to new phones before resorting back to older ones because she was more familiar with how to use it, Huma Abedin said
* 'The whereabouts of Clinton's devices would frequently become unknown once she transitioned to a new device,' according to the FBI
* Cooper set up email domain a week before she was sworn in as secretary of state and shut the server down in 2011 during a hacking attempt
* He did not have security clearance and was not an expert in cyber security
By Jessica Chia For Dailymail.com
Published: 21:06 GMT, 3 September 2016 | Updated: 21:16 GMT, 3 September 2016

An aide to Bill Clinton destroyed Hillary's phones by 'breaking them in half or hitting them with a hammer', according to FBI documents released Friday. The FBI identified 13 mobile phones Hillary may have used to send emails through a private server, and staffer Justin Cooper recalled two instances where he destroyed the phones through brute force. Hillary's 'shadow' Huma Abedin told the FBI the former Secretary of State would often use a new phone for a few days before switching back to an older one because she was more familiar with how to use it. Cooper recalled 'two instances where he destroyed Clinton's old mobile phones by breaking them in half or hitting them with a hammer,' according to the FBI report. Abedin said aides would help transfer Hillary's sim cards when she switched between phones. 'The whereabouts of Clinton's devices would frequently become unknown once she transitioned to a new device,' according to the FBI. 
Cooper got a start as an intern in the Office of Science and Technology, before working as Bill Clinton's senior adviser and moving on to the Clinton Foundation and its initiatives. He registered the domain clintonemail.com a week before Clinton was sworn in as secretary of state and shut down the private server in 2011 when someone tried to hack it. He did not have security clearance and was not an expert in cyber security, the Washington Post reported. After the FBI published additional documents on Friday, Hillary's press secretary Brian Fallon said they were 'pleased'. 'While her use of a single email account was clearly a mistake and she has taken responsibility for it, these materials make clear why the Justice Department believed there was no basis to move forward with this case,' he said. The documents revealed Hillary told the FBI she could not recall answers to some of their questions about her secret server scandal because she had a concussion in 2012.

Endwall 09/03/2016 (Sat) 22:44:25 [Preview] No. 525 del
Leakedsource breach notification service reported two Bitcoin Data Breaches
September 3, 2016 By Pierluigi Paganini
Now LeakedSource disclosed details from two Bitcoin data breaches that affected the bitcoin exchange BTC-E.com and the discussion forum Bitcointalk.org.
The data breach notification service LeakedSource is becoming familiar to my readers; recently it reported the data breaches suffered by many IT services, including Last.fm and DropBox, both of which occurred in 2012. Now LeakedSource disclosed details from two Bitcoin data breaches that affected the Bitcoin sector; the incidents were suffered by the bitcoin exchange BTC-E.com and the bitcoin discussion forum Bitcointalk.org. The incident that occurred at Bitcointalk.org was disclosed in May when the servers of the forum were compromised by attackers.
“Server compromised due to social engineering against ISP NFOrce. There will be extended downtime for forensic analysis and reinstall.” — BitcoinTalk (@bitcointalk) 22 May 2015
“The forum’s ISP NFOrce managed to get tricked into giving an attacker access to the server. I think that the attacker had access for only about 12 minutes before I noticed it and had the server disconnected, so he probably wasn’t able to get a complete dump of the database. However, you should act as though your password hashes, PMs, emails, etc. were compromised.” was reported on Reddit by the user theymos. “The forum will probably be down for 36-60 hours for analysis and reinstall. I’ll post status updates on Twitter @bitcointalk and I’ll post a complete report in a post in Meta once the forum comes back online.” “Each password has a 12-byte unique salt. The passwords are hashed with 7500 rounds of SHA-256.” he added. LeakedSource reported that 499,593 user details were stolen in the incident; the leaked records include usernames, passwords, emails, birthdays, secret questions, hashed secret answers and some other internal data. 91% of passwords were hashed with sha256crypt; the experts explained that it would take about a year to crack an estimated 60-70% of them. 9% were hashed with MD5 and all were protected with the same salt value; LeakedSource has already cracked approximately 68% of those.
More mysterious was the BTC-E.com incident; it is possible that hackers also compromised some users’ wallets, stealing bitcoins. Despite LeakedSource’s notification, there is no news about incidents that occurred to BTC-E customers. In January 2016 the Financial Underground Kingdom blog reported that the exchange had suffered one hack without effects for its customers; it is likely the data leaked by LeakedSource are related to that incident. “During years of existence [BTC-E] had just 1 hack after which the owners paid all the debt to users.” It isn’t clear whether that hack and the data disclosure made by LeakedSource refer to the same incident. LeakedSource reported that BTC-E.com was hacked in October 2013 and 568,355 users were impacted. The passwords were protected with an unknown hashing method, making the “passwords completely uncrackable although that may change.”

Endwall 09/03/2016 (Sat) 22:45:44 [Preview] No. 526 del
Security Affairs
Apple issued fixes for Pegasus spyware bugs in OS X, Safari. Apply it now!
September 2, 2016 By Pierluigi Paganini
Apple issued security fixes for Mac OS X and Safari to patch zero-day flaws exploited by Pegasus spyware to spy on mobile users.
A few days ago, we reported a detailed analysis of the Trident exploit that triggers three vulnerabilities in order to remotely hack Apple mobile devices through the installation of the Pegasus spyware. The joint investigation conducted by experts from the CitizenLab organization and the Lookout security firm demonstrated that nation-state actors exploited the three vulnerabilities to spy on activists’ Apple mobile devices. Experts from Lookout identified the targeted attack as Pegasus, as explained in a detailed blog post. “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.” states the blog post published by Lookout. The three zero-day vulnerabilities, dubbed “Trident,” exploited in the attack are:
* CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
* CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
* CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
Malware experts linked the attacks leveraging the Pegasus malware to the activity of the Israeli surveillance NSO Group, which has developed a malicious code that has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists.
The vulnerabilities, including a hole in IOMobileFrameBuffer (found and fixed in Safari and coded CVE-2016-4564), also affect desktop Safari and OS X. Do not forget that iOS and OS X share a big portion of code, so the presence of the flaws in the Mac desktop PCs is to be expected. Apple, which released the iOS 9.3.5 update for its mobile devices (iPhones and iPads) to address the flaws, has now issued security updates also for the Safari browser and OS X. The Safari patch fixes the Trident vulnerabilities; Apple also issued the updates for El Capitan and Yosemite. Don’t waste time: patch your Apple device as soon as possible.

Endwall 09/03/2016 (Sat) 22:48:49 [Preview] No. 527 del
Vigil@nce - HTTP: Man-in-the-Middle via Proxy CONNECT
September 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle when an HTTP proxy is configured, in order to obtain passwords of users of this proxy. Impacted products: HTTP protocol, SSL protocol. Severity: 1/4. Creation date: 18/08/2016.
DESCRIPTION OF THE VULNERABILITY
When an HTTP proxy is configured, the web browser uses the HTTP CONNECT method to ask the proxy to set up a secured TLS session. However, the HTTP CONNECT query and its reply are sent in a clear HTTP session. An attacker can act as a Man-in-the-Middle, and spoof a 407 Proxy Authentication reply to the client. The victim then sees an authentication window, and may enter his password, which is sent to the attacker’s server. It can be noted that this vulnerability impacts all session types requested to the proxy, but as the victim requests an https/TLS url, he expects his session to be encrypted. It is thus a perception problem, instead of a real new vulnerability. An attacker can therefore act as a Man-in-the-Middle when an HTTP proxy is configured, in order to obtain passwords of users of this proxy.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
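As an added example (not part of the Vigil@nce bulletin), the client-side policy that follows from the bulletin's point: the reply to CONNECT is unauthenticated clear HTTP, so a 407 seen there should not trigger a credential prompt unless the connection to the proxy itself is TLS-protected. The reply bytes, the realm name and the decision policy are all constructed assumptions for illustration.

```python
"""Guard for the CONNECT step of a proxied HTTPS request (added example).

A 407 Proxy Authentication Required received on a clear HTTP proxy
connection may come from an on-path party rather than the configured proxy,
and any credentials sent in reply would be exposed. Policy here (an
assumption for illustration): release proxy credentials only when the proxy
connection is TLS and the challenge's realm matches the configured one."""
import re
from dataclasses import dataclass
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Constructed replies a client could receive to a CONNECT request.
TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
             b"Content-Length: 0\r\n\r\n")


@dataclass
class Decision:
    action: str   # "tunnel": start TLS; "prompt": ask the user; "refuse": stop and log
    reason: str
    status: int


def parse_proxy_reply(raw: bytes) -> Tuple[int, List[str]]:
    """Return the status code and all Proxy-Authenticate challenges of a reply."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line from proxy")
    headers = BytesParser().parsebytes(header_block + b"\r\n", headersonly=True)
    return int(parts[1]), headers.get_all("Proxy-Authenticate") or []


def realm_of(challenge: str) -> Optional[str]:
    """Extract the realm parameter of an authentication challenge, if present."""
    m = re.search(r'realm="([^"]*)"', challenge)
    return m.group(1) if m else None


def connect_decision(raw: bytes, proxy_scheme: str,
                     expected_realm: Optional[str] = None) -> Decision:
    """Decide what a client should do with the reply to CONNECT.

    proxy_scheme is "http" for a plain proxy connection or "https" when the
    client speaks TLS to the proxy itself, the only case in which the 407 and
    the credentials sent in response are shielded from an on-path party."""
    status, challenges = parse_proxy_reply(raw)
    if status == 200:
        return Decision("tunnel", "proxy accepted CONNECT; start TLS with the origin", status)
    if status != 407:
        return Decision("refuse", "unexpected status %d in reply to CONNECT" % status, status)
    if proxy_scheme != "https":
        # The bulletin's scenario: the challenge itself cannot be authenticated.
        return Decision("refuse", "407 received over clear HTTP; challenge may be spoofed "
                        "and credentials would be exposed", status)
    if not challenges:
        return Decision("refuse", "407 without a Proxy-Authenticate header", status)
    realm = realm_of(challenges[0])
    if expected_realm is not None and realm != expected_realm:
        return Decision("refuse", "realm %r does not match configured realm %r"
                        % (realm, expected_realm), status)
    scheme = challenges[0].split(None, 1)[0]
    return Decision("prompt", "%s challenge for realm %r over TLS to the proxy"
                    % (scheme, realm), status)


if __name__ == "__main__":
    for raw, scheme in ((TUNNEL_OK, "http"), (CHALLENGE, "http"), (CHALLENGE, "https")):
        d = connect_decision(raw, scheme, expected_realm="corp-proxy")
        print(scheme, d.status, d.action, "-", d.reason)
```

A "refuse" decision is the point at which a client or endpoint agent would log the spoofed-challenge event rather than show the user a password dialog.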

Endwall 09/03/2016 (Sat) 22:51:37 [Preview] No. 528 del
Attackers Combine Three Botnets to Launch Massive DDoS Attack
Sep 2, 2016 18:50 GMT By Catalin Cimpanu
Crooks use a botnet of CCTV cameras, one of home routers, and one made up by compromised web servers
An unnamed website has been at the end of a ferocious Layer 7 DDoS attack that involved traffic from over 47,000 distinct IP addresses, most of which belonged to IoT (CCTV) devices, home routers, and compromised Linux servers. Sucuri, a US web security vendor who was called in to mitigate the incident, says the attack reached a whopping 120,000 requests per second, and that the attacker used a flood of HTTPS packets in order to maximize resource consumption on the target's machines.
Most of the DDoS traffic came from hijacked CCTV systems
After the attack had subsided, Sucuri experts that were investigating the incident discovered that the DDoS traffic didn't come from one singular source, but the attacker had combined (possibly rented) three different distinct botnets. The company was well aware of one of the botnets, which they previously discovered at the end of June. This was a 25,000-strong botnet assembled after compromising Internet-connected CCTV devices from different vendors, most of which were running firmware made by Chinese firm TVT. The group behind this recent DDoS attack wasn't content with the capabilities provided by this botnet and had also created/rented another botnet to help their efforts.
A quarter of the traffic also came from compromised home routers
According to Sucuri, the group was controlling another botnet comprised of 11,767 home routers from eight major industry brands. The attackers had managed to take control over these devices by using various firmware vulnerabilities or by hijacking the routers for which device owners didn't change the default admin panel password. Compromised Huawei routers made up more than half of this botnet, with 6,015 devices, almost 51 percent of the entire botnet. Second came MikroTik RouterOS (2,119 devices - 18 percent), AirOS routers (245 routers), but also NuCom 11N Wireless Routers, Dell SonicWall, VodaFone, Netgear, and Cisco.
Most compromised home routers found in Spanish-speaking countries
The home router botnet was very effective because not all compromised devices were in the same geographical area, which would have been easy to block. Devices were spread all over the world, but mainly in Spanish-speaking countries, such as Spain (45 percent of the entire botnet), Uruguay, Mexico, the Dominican Republic, and Argentina. The third and last botnet used in the DDoS attack was made up of compromised web servers coming from data centers. "This new [three-botnet] distribution allowed the attacker to generate a massive number of requests per second without affecting the operation of the infected devices," Sucuri CTO Daniel Cid explains. "Under this configuration, the devices would only need to generate a few requests per second – well within their means." Sucuri isn't the only company that has discovered huge botnets of IoT devices engaging in DDoS attacks. Researchers from Arbor Networks have also discovered a botnet of 120,000 IoT devices,

Endwall 09/03/2016 (Sat) 22:53:13 [Preview] No. 529 del
US Government Admits IANA Transition May Not Move Forward
Sep 02, 2016 12:51 PM PDT
The US government plan to move control of the internet's naming and numbering functions to ICANN next month may not move forward, reports Kieren McCarthy: "In a letter from the Department of Commerce (DoC) to ICANN sent August 31, the department's CFO gives the organization 30 days' notice that it may extend its current contract over the critical IANA functions by a year. In other words, Uncle Sam will continue to oversee ICANN's running of IANA for another 12 months. That contract is due to terminate on September 30, and following a two-year process started by the US government and run by the internet community, ICANN is due to take over full control." — McCarthy: "In the heart of election season, it is not inconceivable that Congress will agree to that 'significant impediment,' but it won't happen if Ted Cruz – who remains widely disliked within Congress – is the only standard-bearer of the move to disrupt the transition." — "Countdown to IANA transition is not the countdown to doomsday," said Michele Neylon, earlier today on CircleID: "The transition will result in the US government losing its special relationship with the IANA functions. That's all that will change and for the average internet user or business nothing will be impacted. The only 'tangible' impact will be in how changes to the IANA functions are processed in the future. Which, again, has no impact on the average internet user." — I have advocated that there is "No Legal Basis for IANA Transition," says Sophia Bekele: "My recent letter to Sens. Marco Rubio (R-Fla.) and Ted Cruz (R-Texas) has certainly helped in identifying the majority of the key issues that the Congress is now forming its opinion on and it has vindicated me. We now see an activated campaign against this transition by various senators supporting it, highlighting the same issues.
A legislation process is in progress to block this transition as part of the Republican policy… Even before such open statements were made by the respective parties, I rightfully predicted in my public commentary to The Hill [November 2016 Elections will determine fate of Internet Privatization; Fixing what is not broken] and rightfully so, we will be waiting for this outcome."

Endwall 09/03/2016 (Sat) 22:54:08 [Preview] No. 530 del
USA spy agency's hacking tools revealed on Internet
Sep 2, 2016
He believes the Shadow Brokers’ cyberattack on the NSA’s group is linked to the Democratic National Convention, after Russian hackers leaked several emails and voice messages. Further tweets made by the former NSA contractor suggest that ties exist between “The Shadow Brokers” and the Russian Federation, the country that has hosted Snowden since his escape from the US and the reported source of the massive DNC leak that took place a couple of months ago. Yesterday, it was reported that a new murky hacking collective, The Shadow Brokers, had infiltrated another hacking sect called The Equation Group, dumping its sensitive documents online over the weekend. The group also said that if the auction raised 1 million bitcoins – equivalent to roughly $500 million – it would release the second file to the world. The group’s name appears to be a reference to a character in the “Mass Effect” video games who sells off information to the highest bidder. But despite this freaky, disjointed statement, security experts see other motives behind the dump of several hacking tools believed to belong to the NSA: whoever is behind it wanted to send a warning message. If the hack is real, experts believe that a foreign government must have helped the group in order for it to have exploited NSA resources in this way. As Edward Snowden explained through CNN, modern spying is like launching a missile attack on an enemy where you will not directly hit them from your base; you have to look for a dummy spot to fire the missile from to avoid being traced back. Former NSA employees who worked at the agency’s hacking division known as Tailored Access Operations told the Washington Post the hack appeared genuine. As proof, the hackers released a swathe of malware programs, including a number of pieces of software referenced in the leaks from NSA whistleblower Edward Snowden.
If the Shadow Brokers owned NSA’s command and control server, it would be a great approach to try other interesting things they might be able to find. “You’re welcome, @NSAGov. Lots of love”, Snowden tweeted. The NSA has steadfastly declined to comment on whether it has been the victim of a security breach. Dick Clarke – a former White House counterterrorism adviser, a cybersecurity expert and an ABC News consultant – said, “You can bet the NSA is trying to figure out whether or not this is legitimate”. The leaked malware reveals encryption techniques that are identical to those employed by the Equation Group, which indicates they probably came from the same source, according to Kaspersky. The same targets would presumably be at the top of a list of USA intelligence priorities. The main suspect is Russian Federation, and it’s not clear if the hackers broke into the secure NSA computer network or, perhaps more likely, a TAO employee left the tool kit on an unsecured intermediary server being used in a hacking operation. Between 15-16 August, users visiting the agency’s website were greeted by the live homepage, however almost every other link was met with an error message.

Endwall 09/03/2016 (Sat) 22:57:18 [Preview] No. 531 del
We want GCHQ-style spy powers to hack cybercrims, say police
Sep 2, 2016
Why catch crooks when you can DDoS them from the nick?
Traditional law enforcement techniques are incapable of tackling the rise of cybercrime, according to a panel of experts gathered to discuss the issue at the Chartered Institute of IT. Last night more than a hundred IT professionals and academics, including representatives of the National Crime Agency and Sir David Omand, the former director of GCHQ, discussed what they saw as the necessity of the police acting more like intelligence agencies and “disrupting” cybercriminals where other methods of law enforcement failed. The perpetrators of cybercrime are often not only overseas, but in hard-to-reach jurisdictions. Evgeniy Bogachev, the Russian national who created the GameOver Zeus trojan, for instance, currently has a $3m bounty on his capture – but Russia does not want to hand him over to the US. In such situations, when arrests are not possible, disrupting criminal activities “may be the only response” suggested Sir David Omand, adding that “the experts in disruption are in the intelligence community.” Technical disruption, as the NCA practices it, can involve sinkholing, getting hold of the domains used by malware to communicate and so breaking its command and control network. Paul Edmunds, the head of technology at the NCA’s National Cyber Crime Unit, explained how Operation Bluebonnet took aim at the Dridex banking trojan, but said that sinkholing it and organising arrests required a concerted international effort – one that may need to be repeated with the “up-and-coming” exploit kit Rig. Disruption as an intelligence agency technique, however, is a much more proactive and engaged activity. A Snowden-provided document covering the activities of GCHQ’s Joint Threat Research Intelligence Group (JTRIG) showed active “disruption” targeted at those flogging malware. The attacks included providing false resources and denial of service attacks.
Six users of the Lizard Stresser DDoS-for-hire tool were arrested by the NCA last year – when the agency’s average age for arrests dropped from 24 to 17 – and the agency was surprised when it discovered its users were all very young and male, as NCA officer Zulfikar Moledina explained to those attending. When the NCA tackled the use of the Blackshades remote access trojan last year, it had 750 suspects who had used it. It sent 350 emails warning downloaders, 200 “influence letters”, and 99 cease and desist notifications. 21 individuals were arrested; among those who bought the RAT was a 12-year-old boy. In response to this demographic shift, the NCA launched a “Prevent” campaign last year – sharing a name, if not policy, with the controversial counter-extremist strategy – targeting the parents of 12-15-year-old boys whose web hi-jinks could potentially progress towards serious cybercrime. Disrupting real offenders and providing guidance to potential offenders – encouraging them to engage in more productive activities – must be part of a more considered response to cybercrime, the panel considered. Professor Gloria Laycock OBE, the founding director of the Jill Dando Institute of Crime Science at UCL, explained the model for dealing with meatspace crime and how that could be applied to cybercrime. According to an attrition table on crime rates published by the Home Office, for every 100 crimes committed only 50 are reported to police, even fewer of those reports are recorded and a mere two per cent of crimes are successfully prosecuted. Laycock said that while a means of punishment and retribution is necessary, this showed that “you cannot control crime through the criminal justice system.” Instead, there are five ways to reduce crime: increase the effort criminals need to apply to commit the crime successfully; increase the risks criminals need to take; reduce the rewards of criminal activity; remove the excuses for it; and reduce provocation.
When it comes to cybercrime, the questions that persisted were whether it could be designed out of the systems we use, and if not whether it was possible to better educate the public. To what extent police need the security and intelligence agencies’ powers to deal with cybercrime was a strongly recurring theme as well.

Endwall 09/03/2016 (Sat) 22:59:05 [Preview] No. 532 del
Bill Clinton Staffer’s Email Was Breached on Hillary's Private Server, FBI Says
Since it came to light that Hillary Clinton ran a private email server during her time as Secretary of State, that computer’s security has become a subject of controversy among politicos whose only notion of a “server” until recently was a waiter carrying canapés at a fundraising dinner. But now the FBI has released the first hint that Clinton’s private server may have been compromised by hackers, albeit only to access the email of one of former president Bill Clinton’s staffers. And though there’s no evidence the breach went further, it’s sure to offer new fodder to critics of Clinton’s handling of classified data. On Friday afternoon, the FBI released a new set of documents from its now-concluded investigation into Clinton’s private email server controversy. The 60-page report includes a description of what sounds like an actual hacker compromise of one of Bill Clinton’s staffers. It describes that in early January 2013, someone accessed the email account of one of his female employees, whose name is redacted from the report. The unnamed hacker apparently used the anonymity software Tor to browse through this staffer’s messages and attachments. The FBI wasn’t able to determine how the hacker would have obtained her username and password to access her account, which was also hosted on the same private server used by then-Secretary of State Clinton. “The FBI’s review of available…web logs showed scanning attempts from external IP addresses over the course of [IT manager Bryan] Pagliano’s administration of the server, only one appears to have resulted in a successful compromise of an email account on the server,” the report reads.
“Three IP addresses matching known Tor exit nodes were observed accessing an e-mail account on the Pagliano Server believed to belong to President Clinton staffer [redacted].” In a press conference in July, FBI director James Comey said that how presidential candidate Clinton mishandled classified documents stored in emails on that private server didn’t warrant criminal charges, but nonetheless called her behavior “extremely careless.” And the FBI’s investigation did, in fact, turn up dozens of email chains that contained classified documents, including eight whose contents were “top secret.” The FBI could find no evidence that any of those classified documents had been compromised, but also cautioned that it might lack the forensic records to know if they had been. The compromise of a Bill Clinton staffer—who almost certainly had no access to any of then-Secretary Clinton’s classified material—doesn’t make the security of those classified documents any clearer. But it will no doubt be seized on by the Clintons’ political opponents to raise more questions about their server’s security. “Clinton’s reckless conduct and dishonest attempts to avoid accountability show she cannot be trusted with the presidency and its chief obligation as commander-in-chief of the U.S. armed forces,” wrote Donald Trump campaign communications staffer Jason Miller in response to the FBI’s release of more documents from its investigation. The Clinton campaign didn’t immediately respond to a request for comment. Though the single-user email breach doesn’t indicate any inherent vulnerability in the Clintons’ server, it does show a lack of attention to its access logs, says Dave Aitel, a former NSA security analyst and founder of security firm Immunity. “They weren’t auditing and restricting IP addresses accessing the server,” Aitel says. 
“That’s annoying and difficult when your user is the Secretary of State and traveling all around the world…But if she’s in Russia and I see a login from Afghanistan, I’d say that’s not right, and I’d take some intrusion detection action. That’s not the level this team was at.” Since it first came to light, the security community has roundly criticized Clinton for the reckless move of hosting her own email outside of the scrutiny of federal government security efforts like those at the NSA. But often overlooked in Clinton’s email scandal is the fact that the official State Department IT systems have suffered terrible breaches of their own. In 2014 and 2015, hackers believed to be based in Russia accessed State unclassified email systems so thoroughly that in November of 2014, the Department’s security staff were forced to take the email servers offline to try to root out the hackers. On Clinton’s private server, other than that single staffer’s compromised account, the FBI’s report notes only multiple hacking attempts in the form of “brute force” guessing of login credentials. Those attempts increased when the existence of the server was exposed by the New York Times in the spring of last year. But none of the recorded attempts seem to have succeeded. At one point, the FBI record notes, Clinton did receive an email containing a malicious link, sent from the apparently hijacked or spoofed personal account of a State Department staffer. Clinton responded, “Is this really from you? I was worried about opening it!” But the FBI found no evidence of malware on Clinton’s server or any of her personal devices. For all her security snafus, give Clinton this much credit: she can at least spot a phishing email when she sees it.

Endwalll 09/03/2016 (Sat) 22:59:56 [Preview] No. 533 del
A mystery user breached an email account on Clinton's server
The unknown user browsed email folders and attachments, the FBI says in newly released documents
In 2013, an unknown user accessed an email account on Hillary Clinton’s private email server through Tor, the anonymous web surfing tool, according to new FBI documents. On Friday, the FBI provided details on the possible breach in newly released files about its investigation of Clinton’s use of a private email server when she was the U.S. secretary of state. The affected email account belonged to a member of Bill Clinton's staff. In January 2013, an unknown user managed to log in to the account and browse email folders and attachments. The FBI later interviewed the staffer, who said she had never used Tor. The tool is popular among hackers, journalists and activists to help mask their online presence. The agency’s investigation so far hasn’t found the actor responsible or how the login credentials were obtained. The FBI has said Clinton was “extremely careless” in her use of the server, but in a July report, the agency didn’t recommend bringing charges against her. The new documents released on Friday said the FBI found no evidence confirming that Clinton’s email server system was ever compromised. Still, the agency said that the server had faced ongoing threats from possible hackers, including phishing email attacks and failed login attempts. Bryan Pagliano, a Clinton aide who helped administer the server, was interviewed in the FBI’s investigation. Although Pagliano said there were no security breaches, there were many failed login attempts, or “brute force attacks,” according to the FBI documents. At one point, “Pagliano recalled finding ‘a virus,’ but could provide no additional details, other than it was nothing of great concern,” the FBI said. The agency also found “multiple occurrences” of phishing attacks against Clinton’s email account. In July, FBI director James Comey said it’s impossible to rule out that Clinton’s server could have been hacked.
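As an added example (not from either of the two articles above, No. 532 and No. 533), the kind of access-log audit Aitel describes, run over constructed login records: it flags successful logins from known Tor exit addresses (the indicator the FBI report cites), "impossible travel" between successive logins of one user, and bursts of failed logins of the sort the report calls "brute force attacks". The log format, the Tor exit list and the IP-to-country map are all constructed for this example; a real audit would use the server's actual logs, the Tor project's published exit list and a GeoIP database.

```python
"""Audit of mail-server login records (added example with constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records; addresses come from documentation ranges.
SAMPLE_LINES = [
    "2013-01-05T02:00:00Z user=user1 ip=203.0.113.10 result=success",
    "2013-01-05T04:30:00Z user=user1 ip=198.51.100.7 result=success",
    "2013-01-06T09:15:00Z user=staffer ip=192.0.2.44 result=success",
    "2013-01-06T09:40:00Z user=staffer ip=192.0.2.45 result=success",
    "2013-01-07T11:00:00Z user=admin ip=198.51.100.99 result=failure",
    "2013-01-07T11:01:00Z user=admin ip=198.51.100.99 result=failure",
    "2013-01-07T11:02:00Z user=admin ip=198.51.100.99 result=failure",
    "2013-01-07T11:03:00Z user=admin ip=198.51.100.99 result=failure",
    "2013-01-07T11:04:00Z user=admin ip=198.51.100.99 result=failure",
    "2013-01-07T11:30:00Z user=admin ip=198.51.100.99 result=failure",
]
# Constructed Tor exit list; in practice refreshed from the Tor project's exit list.
TOR_EXITS: Set[str] = {"192.0.2.44", "192.0.2.45"}
# Constructed IP-to-country map; in practice a GeoIP database lookup.
GEO: Dict[str, str] = {"203.0.113.10": "US", "198.51.100.7": "AF",
                       "192.0.2.44": "DE", "192.0.2.45": "DE", "198.51.100.99": "RU"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

Alert = Tuple[str, str, str, datetime]   # (kind, user, detail, time)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line of the constructed format; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group("user"), "ip": m.group("ip"), "result": m.group("result")}


def audit(lines: List[str], tor_exits: Set[str], geo: Dict[str, str],
          max_failures: int = 5, fail_window: timedelta = timedelta(minutes=10),
          travel_window: timedelta = timedelta(hours=6)) -> List[Alert]:
    """Return alerts in time order: tor_exit_login, impossible_travel, brute_force."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts: List[Alert] = []
    last_ok: Dict[str, Tuple[datetime, str]] = {}           # user -> (time, country)
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        country = geo.get(e["ip"], "??")
        if e["result"] == "success":
            if e["ip"] in tor_exits:
                alerts.append(("tor_exit_login", e["user"], e["ip"], e["ts"]))
            prev = last_ok.get(e["user"])
            # Two successful logins from different countries within travel_window.
            if prev and prev[1] != country and e["ts"] - prev[0] <= travel_window:
                alerts.append(("impossible_travel", e["user"],
                               "%s->%s" % (prev[1], country), e["ts"]))
            last_ok[e["user"]] = (e["ts"], country)
        else:
            key = (e["user"], e["ip"])
            recent = [t for t in failures[key] if e["ts"] - t <= fail_window] + [e["ts"]]
            failures[key] = recent
            if len(recent) == max_failures:   # fire once per burst, not on every later failure
                alerts.append(("brute_force", e["user"], e["ip"], e["ts"]))
    return alerts


def run_demo() -> List[Alert]:
    """Run the audit over the constructed sample records."""
    return audit(SAMPLE_LINES, TOR_EXITS, GEO)


if __name__ == "__main__":
    for kind, user, detail, ts in run_demo():
        print(ts.isoformat(), kind, user, detail)
```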

Endwall 09/03/2016 (Sat) 23:02:50 [Preview] No. 534 del
'Ultra secure' Turing Phone plagued by shaky security claims
By Zack Whittaker for Zero Day | September 2, 2016 -- 22:15 GMT (23:15 BST) | Topic: Security
It's the "ultra-secure smartphone" claim that Turing chief executive Steve Chao desperately tried to claw back. "We're a fashion technology company," said Chao on the phone a few weeks ago. "Seldom do we get people talking about security. I wouldn't brand Turing Phone as a 'secure' phone... it's more a fashion tech phone," he said. It was a fairly swift, unexpected turnaround from what the company touts as hacker-resistant and "ultra secure". Chao didn't deny the phone has "groundbreaking security", but his backtrack seemed to raise more questions than Chao had answers. The long-awaited Turing Phone was first slated as an unbreakable, security-heavy smartphone that's able to withstand the greatest of malware, hackers, and nation-state attackers. But that illusion quickly unraveled. We got our hands on the long-awaited smartphone, dogged by delays and setbacks, in part because of a switch from Android to the lesser-known Sailfish OS. Yet, after a detailed and examined look, the device is yet another device in a long list of "secure" smartphones from a company which nobody's ever heard of, touting theoretical security and unproven privacy. The phone's flagship feature, a hardware encryption chip, dubbed the Turing Imitation Key, encrypts the Turing Phone, and it lets a device owner communicate securely through end-to-end encryption, said Chao. "When you initiate a communication, the other user's private key is generated by the chip," he said. That means every email, text message, and VoIP call to another Turing Phone will be encrypted, without having to rely on a third-party key server. If you want to communicate with someone who doesn't have a Turing Phone, you have to rely on a third-party app.
Security going south?
There are a few things about this "secure" smartphone that don't add up. Chao said the cryptography used in the phone's end-to-end encryption is semi-proprietary. "It's our own algorithm," said Chao. Making it worse, the encryption is closed-source, so it can't be inspected -- though, Chao said that would change down the line. He said that the cryptography had been "inspected by experts", but he declined to name them or say what conclusions they came to, making it impossible to verify the integrity of the encryption. Ask anyone in security about "proprietary encryption", and they'll tell you it's an immediate security red flag. Some of the most trusted algorithms have been around for decades. New algorithms haven't been inspected. And "closed-source" is another red flag, as it makes it impossible to know how good the code is, or if there were any backdoors added during the process. Not having the code open to scrutiny by the community means we have no basis of trust for it. Justin Troutman, an independent cryptographer, told me he had concerns about the company's security approach. "I remember taking a look at their former QSAlpha Quasar device, and while I generally like the software and hardware approach of securing mobile devices, three fundamental problems remain, just as they did back then," he said. "Firstly, they're using something proprietary," he said, describing the cryptography. "We can't independently and openly inspect [the crypto]," and, "we have no knowledge of who [the company is] and their ability to design cryptographic primitives". But it gets worse. Chao said that the private key, which is the basis for scrambling data on the phone, is created by a master private key. That key, Chao said, generated five million keys -- far more keys than the company expects it may ever need. The company has over 1,000 devices shipped as of July, out of a total of 10,000 devices manufactured in the first batch.
Once the keys were created, the company "made the decision to destroy" the key, Chao said. I asked if the company kept the key. "We don't have access to the master private key," he said. "Not even we have access to the user's data," which is stored in its datacenter in Finland, where the company is now headquartered. "How do we know you destroyed the key?" I asked. "Well, there's no way to guarantee that," he said. "Although, we say so. But knowing that we're a private business, even if we go public one day, we're still a business -- not a government agency," said Chao. "That we know of," I said, half-joking. Troutman also expressed concerns that users have to take "their word that this master key is being destroyed". It turns out these aren't even new complaints. Cast your mind back three years ago, when the Turing Phone was the first edition of the futuristic Quasar IV. The phone had some promise and appeared to be a good concept -- with similarities drawn to BlackBerry devices. But after a detailed analysis, it was slated to look like "snake oil" by Ars Technica in a review from 2013. The phone itself has promise. But the core of the device is built on sketchy security and poorly thought-out principles. The company didn't learn from the mistakes the first time, and that's troubling if the phone is effectively a repackaged and rebranded phone with "ultra secure" slapped on its side. It's tough to reserve judgment when a company promises state-of-the-art and custom security at such a high price. But for anyone looking for an all-in-one security solution, there are far better alternatives that are tried and tested -- and a lot cheaper.

Endwall 09/03/2016 (Sat) 23:04:40 [Preview] No. 535 del
Feds pin brazen kernel.org intrusion on 27-year-old programmer
Indictment comes five years after mysterious breach of the Linux repository.
Dan Goodin - Sep 2, 2016 9:20 pm UTC
In August 2011, multiple servers used to maintain and distribute the Linux operating system kernel were infected with malware that gave an unknown intruder almost unfettered access. Earlier this week, the five-year-old breach investigation got its first big break when federal prosecutors unsealed an indictment accusing a South Florida computer programmer of carrying out the attack.

Donald Ryan Austin, 27, of El Portal, Florida, used login credentials belonging to a Linux Kernel Organization system administrator to install a hard-to-detect backdoor on servers belonging to the organization, according to the document that was unsealed on Monday. The breach was significant because the group manages the network and the website that maintain and distribute the open source OS that's used by millions of corporate and government networks around the world. One of Austin's motives for the intrusion, prosecutors allege, was to "gain access to the software distributed through the www.kernel.org website."

The indictment refers to kernel.org officials P.A. and J.H., who are presumed to be Linux kernel developer H. Peter Anvin and kernel.org Chief System Administrator John "Warthog9" Hawley, respectively. It went on to say that Austin used the credentials to install a class of extremely hard-to-detect malware known as a rootkit and a Trojan that logs the credentials of authorized users who use the secure shell protocol to access an infected computer. According to the indictment:

The defendant, DONALD RYAN AUSTIN ("AUSTIN"), used credentials belonging to an individual, J.H., to gain unauthorized access to servers belonging to the Linux Foundation, the Linux Kernel Organization, and P.A. AUSTIN installed the Phalanx rootkit and Ebury Trojan on several of those servers, causing damage without authorization. AUSTIN also used the unauthorized administrative privileges to make other changes to the servers, such as inserting messages that would automatically display when the servers restarted. One of AUSTIN's goals was to gain access to the software distributed through the www.kernel.org website.

Prosecutors went on to say Austin infected Linux servers known as "Odin1," "Zeus1," and "Pub3," which were all leased by the Linux Foundation and used to operate kernel.org. The infections started around August 13, 2011 and continued until around September 1 of that year. Austin also stands accused of infecting a personal e-mail server belonging to Anvin during the same dates. There was no mention of "Hera," a kernel.org server that Linux Kernel officials say had been rooted when they disclosed bare-bones details of the breach shortly after it occurred. Kernel.org was offline for more than a month following the intrusion while the affected servers were rebuilt.

According to a Justice Department release, Austin was arrested by Miami Shores Police on Sunday following a traffic stop. The federal indictment was filed in June and was unsealed only after he was taken into custody. He was freed on $50,000 bond provided by the family of his girlfriend. He has been ordered to stay away from computers, the Internet, and any type of social media or e-mail. Court documents said he "may pose a risk of danger" because of a "substance abuse history." He is scheduled to appear in San Francisco federal court on September 22.

The indictment raises almost as many questions as it answers. Given that Linux is freely available, it's not clear what kernel.org-distributed software Austin hoped to obtain when he allegedly breached the site. Also noticeably absent is any explanation of how Austin initially obtained Hawley's credentials to gain unauthorized access, as prosecutors allege. There's also no detail about the messages that Austin allegedly caused to be displayed when the infected servers were restarted. What's more, there's little information about Austin, who was just 22 years old when the breach occurred. No record exists of anyone named "Donald Ryan Austin" doing public Linux development or contributing to the Linux Kernel Mailing List. Attempts to reach Austin didn't succeed. Last, why prosecutors took five years to indict the suspect also remains a mystery.

Officials from kernel.org pledged to provide a full autopsy of the breach shortly after it occurred. They never made good on that promise and declined to comment for this post. In the past, they have said they were confident the 2011 breach didn't result in any malicious changes being made to Linux source code. The intrusion may be the work of someone motivated by a grudge, the challenge of pulling it off, or some other personal motive. But it's not every day that someone gets three weeks of root access to the gateway to one of the world's most widely used operating systems. Until we know more about how and why this breach happened, we should push prosecutors and Linux officials for answers.

Endwall 09/03/2016 (Sat) 23:06:48 [Preview] No. 536 del
We Are Change
Aaron Kesel | Sep 2, 2016
According to the FBI’s released notes on Hillary Clinton and her server, a Tor user breached Hillary’s server shortly before she left as Secretary Of State just one month prior. This marks the first confirmed incident that Hillary Clinton’s server was indeed breached by an individual — something that Hillary strongly denied. In the section titled “cyber targeting” of Clinton’s “personal E-mail and Associated Accounts” there are multiple notes about possible hack attacks along with one documented case where another user of Hillary’s private server had their email account breached. The FBI’s review of server logs revealed that someone accessed an email account on Jan. 5, 2013, using Tor “exit nodes.” Three different IP addresses were used in order to conceal the user’s identity. The owner of the account was redacted but their quote was left – “I’m not familiar with nor have I ever used Tor software.” the anonymous person said. Tor is a software that was developed under the U.S. Navy for secure communications. Today, Tor is used to circumvent censorship by governments and oppressive regimes. Tor is used by journalists and activists to conceal their identity, communicate and surf the Web without interference. Tor is also used for illegal activities such as funding terrorism, buying/viewing child pornography, buying/selling drugs, and buying/selling unregistered firearms. Tor’s biggest darkweb market place, Silk Road, was taken down in 2013 when the FBI raided and arrested its owner. Since then, many copycats have emerged with the same result of eventually being either shutdown or raided. It was revealed today that a remote desktop used for remote server access was turned on by a Clinton aide, which is highly vulnerable and susceptible to hack attacks, to say the least (and “Extremely careless”).
Earlier in the year we had learned that a Clinton staffer turned off the firewall to try to fix the connection problems Hillary was having between her insecure private server and the State Department’s secure server. This left her server open to hackers for weeks before the firewall was finally turned back on. Hillary herself instructed aides to remove classified markings and send classified materials insecurely. It’s also noted in the FBI’s findings report that Hillary’s e-mail accounts were targeted in multiple “spear phishing” attacks. The FBI noted an e-mail sent to Clinton, “contained a potentially malicious link.” Hilariously, the link Hillary clicked was for porn. “Open source information indicated, if opened, the targeted user’s device may have been infected, and information would have been sent to at least three computers overseas, including one in Russia.” ~The FBI, notes on Hillary Clinton state. Mrs. Clinton has encountered far too many resolvable security issues and handled them in an irresponsible and reckless manner. Many people have been asking themselves, “Is this the woman we are going to choose as the next president to lead us into the 21st century?”. Not only is she “extremely careless”, but the extremity of that carelessness leads to suspicion of whether or not this was deliberate. Of course, we at We Are Change, having followed the course of this election in full, are 100% confident we know the answer to that question based on extensive analysis of the timeline of events as this took place. Time and time again, Hillary has been exposed for corrupt activity. Whether it be using her non-taxed charity organization as a front for illegal political activities and arms deals or deliberately infiltrating and corrupting the DNC in order to manipulate the election, it’s all tied together in the emails. The mere fact that she had persistently neglected security measures should eliminate general consideration for electing her to be President.
“When asked what the parenthetical ‘C’ meant before a paragraph … Clinton stated she did not know and could only speculate it was referencing paragraphs marked in alphabetical order,” the FBI wrote in a highly-filtered FBI interview summary released on Friday. Hmm, perhaps that has something to do with her not taking the required training any Secretary of State must go through in order to learn the procedures of handling classified data. The use of slang to circumvent any incriminating statements is obvious. Hillary’s entire defense against the charges has been claiming ignorance of handling classified data. The intent to disguise the transfer of classified information blows her defense out of the water.

Endwall 09/03/2016 (Sat) 23:08:10 [Preview] No. 537 del
Security Affairs
Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data
September 3, 2016 By Pierluigi Paganini
Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data and passport details of foreign visitors to Armenia. A group of Azerbaijani hacktivists has leaked the passport details of foreign visitors to Armenia. The data breach exposed the internal resources of the Security Service (SNS) that are involved in the process of updating information about foreign passports. The hackers breached Armenian government servers stealing sensitive data, including passport scans. Intelligence experts who analyzed the data leaks confirmed their authenticity. The Anti-Armenia Team took credit for a series of data leaks that the hackers claim were stolen from servers of the Armenian national security ministry. “We would like to notice that Anti – Armenia team is an independent group, who is active for five years and repeatedly makes anxious Armenian side by its cyber attacks,” the group explained to El Reg. Armenia and Azerbaijan are neighbouring countries that engaged in a war over the disputed Nagorno-Karabakh region between 1988 and 1994. There is great tension between the two countries; in April, the Azerbaijani army tried to regain control of the Nagorno-Karabakh Republic, but the battle caused the death of 350 people.
A source that has spoken to El Reg on condition of anonymity told El Reg the leaked information is more likely to have come from an insider, excluding that the alleged Anti–Armenia team hacked Armenian government systems. “I am familiar with the incident, and [can] confirm, that such attacks really happened, and the documents are legitimate and not fake,” the source told El Reg. “I have more confidence that one of their employees having access to it has been compromised and technical border control service is a part of SNS (Security Service), that’s why there is such overlap, and the documents could be stolen from particular person, and not ‘systems’, like they claim.”

Endwall 09/03/2016 (Sat) 23:08:53 [Preview] No. 538 del
Details of BTC-E and BitcoinTalk breach revealed
Saturday, September 03, 2016
Data breach monitoring service LeakedSource revealed on Friday (September 03) that leading cryptocurrency exchange BTC-E.com and largest bitcoin discussion forum Bitcointalk.org suffered major hacks in 2014 and 2015 respectively. LeakedSource, which is a great source for leaked passwords and accounts, has reported that 499,593 user details of Bitcointalk.org were actually stolen in May 2015, which comprised "usernames, emails, passwords, birthdays, secret questions, hashed secret answers and some other internal data." It confirmed that 91% were hashed with sha256crypt, which would take a year to crack around 60-70% of them. The remaining 9% were hashed with MD5 and a unique salt and LeakedSource has cracked around 68% of them. In the BTC-E.com hack, 568,355 accounts had been compromised in October 2014. “They [BTC-E.com] used some unknown password hashing method which currently makes their passwords completely uncrackable although that may change. This is good because if the passwords were easy to crack, hackers could log into the exchange and start stealing members Bitcoins”, LeakedSource said. The BTC-E.com hack is more serious since wallets could be accessed and bitcoins stolen. LeakedSource says it hasn't yet seen any news about stolen BTC-E customers losing their coins. The presence of two hash types suggests they changed their password storage mechanism at some point. Meanwhile, the company also disclosed that 43 million account details were stolen from music site Last.fm in 2012. Last.fm was hacked on March 22nd 2012 for a total of 43,570,999 users, which is becoming public like all others. The site said that the most commonly used password on Last.fm is the shockingly common ‘123456’, followed by 'password' and 'last.fm'. LeakedSource is processing enough additional databases to publish one per day for several years.
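The gap between the two BitcoinTalk hash types (salted MD5 cracked at 68%, sha256crypt expected to take a year for 60-70%) comes down to work per guess, not to salting, since both were salted. The example below is added here and is not from the article, LeakedSource or BitcoinTalk: it stores a constructed set of passwords under both a one-pass salted MD5 and an iterated SHA-256 scheme, then runs the kind of wordlist audit a defender performs on their own dump to measure exposure, and times the two hashes to show the cost ratio. One assumption: standard-library PBKDF2-HMAC-SHA256 at 5000 iterations stands in for sha256crypt (whose default is also 5000 rounds); it is the same cost class, not the same algorithm.

```python
"""Added example (not from the article or LeakedSource): why salted MD5 and an
iterated SHA-256 scheme crack at such different rates.

Both schemes salt per user, so the only difference is the work per guess:
MD5 is one compression, while sha256crypt iterates SHA-256 5000 times by
default. hashlib.pbkdf2_hmac at 5000 iterations is used as the stand-in
(assumption: same cost class as sha256crypt, not the same algorithm).
All user records and the wordlist below are constructed sample data.
"""
import hashlib
import os
import time

ROUNDS = 5000  # sha256crypt's default round count, reused for the PBKDF2 stand-in


def hash_md5_salted(password: str, salt: bytes) -> str:
    """One MD5 pass over salt||password: salted, but still a fast hash."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_iterated(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Iterated SHA-256 (PBKDF2-HMAC) standing in for sha256crypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_records(passwords, hasher):
    """Build (salt, digest) pairs with a fresh random 16-byte salt per user."""
    records = []
    for pw in passwords:
        salt = os.urandom(16)
        records.append((salt, hasher(pw, salt)))
    return records


def audit_guessable(records, wordlist, hasher):
    """Count stored hashes that match a wordlist entry.

    This is the check a site runs on its own dump to measure exposure. Because
    each record has its own salt, every record must be tested against every
    word separately; no precomputed table helps. Returns (matches, hashes_computed).
    """
    matches = 0
    computed = 0
    for salt, digest in records:
        for word in wordlist:
            computed += 1
            if hasher(word, salt) == digest:
                matches += 1
                break  # stop at the first matching word for this record
    return matches, computed


def time_per_hash(hasher, samples=50):
    """Average wall-clock seconds for one hash computation on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hasher(f"probe{i}", salt)
    return (time.perf_counter() - start) / samples


def cost_ratio():
    """Measured ratio of iterated-hash cost to salted-MD5 cost per guess."""
    return time_per_hash(hash_iterated) / time_per_hash(hash_md5_salted)


# Constructed sample: three weak passwords and one that is not in the wordlist.
USER_PASSWORDS = ["123456", "password", "bitcoin2014", "Xq9!vL#2pR7m"]
WORDLIST = ["123456", "password", "qwerty", "bitcoin2014", "letmein"]

MD5_RECORDS = make_records(USER_PASSWORDS, hash_md5_salted)
ITER_RECORDS = make_records(USER_PASSWORDS, hash_iterated)

if __name__ == "__main__":
    for name, recs, h in [("salted MD5", MD5_RECORDS, hash_md5_salted),
                          ("iterated SHA-256", ITER_RECORDS, hash_iterated)]:
        found, n = audit_guessable(recs, WORDLIST, h)
        print(f"{name}: {found}/{len(recs)} guessable after {n} hash computations")
    print(f"iterated hash costs roughly {cost_ratio():.0f}x a salted MD5 per guess")
```

Both schemes expose the same three weak passwords to the same five-word list; what the audit cannot show in a toy run is the wall-clock budget, which is why `cost_ratio()` is measured separately. Multiply that ratio by a real wordlist and a real user count and the "a year for 60-70%" figure for the sha256crypt portion, against a majority of the salted-MD5 portion already cracked, follows directly.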

Endwall 09/03/2016 (Sat) 23:10:45 [Preview] No. 539 del
Mission Impossible? FBI wants to be cool enough to recruit hackers
FBI director James Comey said that the agency is looking to 'steal people' from the private sector.
By India Ashok September 3, 2016 10:02 BST
After a series of high-profile cyberattacks against individuals and organisations in the US, the FBI is increasing its efforts to combat cybercrime, including adopting a new approach to recruiting hackers. The agency has had long-standing issues attracting people from the hacking community to work for them, over staying independent or working in the private sector. But, in a recent speech, FBI director James Comey said the agency is now "working very hard" to "be a whole lot cooler than you may think we are", in efforts to get people with cyberattack and cyberdefence skills to work for them. Comey said that the FBI is looking to staff its cyberattack response teams, specifically the Cyber Threat Team and the Cyber Act Team (CAT) – which he called the "fly team" – who are deployed "at a moment's notice" to provide on-location support during investigations. "We are not to bean bags and granola and a lot of white boards yet," Comey said at the Symantec Government Symposium. "But we're working very hard at marching in that direction, so that when this talent comes into our organisation we are open to having them make us better – in a way that connects us and them to our mission more closely." Comey also said that the agency was working on doing "a better job" to "steal people" that the private sector was looking to hire "to work at the FBI". According to a report by the Washington Post, the FBI has had limited success in recruiting hackers, despite its outreach at high-profile cyber events such as DefCon and Black Hat. Reports speculate that the FBI's much-publicised encryption battle with tech giant Apple and its alleged use of privacy-infringing surveillance techniques, revealed by whistleblower Edward Snowden, may have adversely affected the agency's recruitment efforts.
Who is the typical FBI cyberagent?
In his speech, Comey explained that the FBI recognises the challenges in hiring qualified people. He pointed out that finding people skilled in IT, who are also able to "run, fight, and shoot", is the major challenge. Additionally, Comey said that the agents they're looking to hire need to have integrity, "which is non-negotiable". Comey acknowledged that those three "buckets of attributes" are "rare to find in the same human being in nature". In the wake of the growing and imminent threat of digital crimes, the FBI now appears to be grappling with the ability to come to terms with the changing times. "We're leaving our mind open to the fact that we've never faced a transformation like the digital transformation, and so the FBI wanted to be open to being different in the way we think about our people. Lots more to come there," Comey added. However, it remains to be seen if the FBI's new approach to be "more open" and "cooler" will be successful in luring talented hackers from choosing government work over the perks offered by the private sector. As Comey's daughter put it, "Dad, the problem is you're 'The Man'," she said. "Who would want to work for 'The Man?'"

Endwall 09/03/2016 (Sat) 23:12:04 [Preview] No. 540 del
Putin on DNC hack: 'Does it even matter who hacked this data?
By India Ashok September 3, 2016 07:56 BST
Russian President Vladimir Putin deemed the cyberattack on the Democratic National Committee (DNC), a public service. The attack saw hackers stealing thousands of emails from the DNC, which were later leaked by the whistleblowing platform WikiLeaks, just days before US Democratic presidential candidate Hillary Clinton's nomination was announced. Putin, however, asserted that Russia had no hand in the DNC hack. "Listen, does it even matter who hacked this data?'' Putin said in an interview, Bloomberg reported. "The important thing is the content that was given to the public. There's no need to distract the public's attention from the essence of the problem by raising some minor issues connected with the search for who did it. But I want to tell you again, I don't know anything about it, and on a state level Russia has never done this." Several cybersecurity firms, including CrowdStrike, Fidelis Security and FireEye's Mandiant have concluded that the malware used in the DNC breach was linked to Russian intelligence services. Additionally, US officials have also accused Russia of having a hand in the hacking, in efforts to influence the US elections. However, Kremlin officials have categorically denied any knowledge of the attacks. Following Putin's comments, the Clinton campaign hit back, accusing the Russian president of endorsing disruptions of the US elections by characterising the cyberattack as a public service. "Unsurprisingly, Putin has joined Trump in cheering foreign interference in the U.S. election that is clearly designed to inflict political damage on Hillary Clinton and Democrats," said Jesse Lehrich, spokesperson for the Clinton campaign. "This is a national security issue and every American deserves answers about potential collusion between Trump campaign associates and the Kremlin." The cyberattacks against US have since accelerated with further indications of Russia based hackers launching attacks. 
In late August, CrowdStrike reported about Washington-based think tanks focusing on researching Russia being targeted by hackers. According to CrowdStrike the hacker group believed to be affiliated to Russia's Federal Security Service, Cozy Bear or APT29, was behind the breaches. Putin, however, claimed that even if Russia desired to influence the US elections, it did not necessarily comprehend the nuances of US politics to successfully do so. "To do that you need to have a finger on the pulse and get the specifics of the domestic political life of the U.S.," he said. "I'm not sure that even our Foreign Ministry experts are sensitive enough." Putin also said that given the level of sophistication of the current crop of cybercriminals, it would be nearly impossible to accurately attribute the attacks. "You know how many hackers there are today?" Putin said. "They act so delicately and precisely that they can leave their mark — or even the mark of others — at the necessary time and place, camouflaging their activities as that of other hackers from other territories or countries. It's an extremely difficult thing to check, if it's even possible to check. At any rate, we definitely don't do this at a state level." Hillary Clinton recently said that if elected, she would like the US to "lead the world in setting the rules in cyberspace," adding that under her regime, the US would treat cyberattacks "just like any other attack", indicating the use of military action in response to such attacks.

Endwall 09/03/2016 (Sat) 23:14:24 [Preview] No. 541 del
USBee Malware Turns Regular USB Connectors into Data-Stealing Weapons
3 September 2016
Researchers from the Ben-Gurion University in Israel have discovered a novel method of using USB connectors to steal data from air-gapped computers without the need of special radio-transmitting hardware mounted on the USB. Their attack scenario relies on infecting a computer with malware they’ve created called USBee.
An NSA cyber-weapon inspired the research
Researchers said that NSA cyber-weapons inspired their research, namely, the COTTONMOUTH hardware implant included in a catalog of NSA hacking tools leaked by Edward Snowden via the Der Spiegel German newspaper. USBee is superior to COTTONMOUTH because it does not need an NSA agent to smuggle a modified USB connector/dongle/thu […]

Endwall 09/03/2016 (Sat) 23:19:57 [Preview] No. 542 del
Security Affairs
Hacker Interviews – The Riddler, the founder of the BinarySec Group
September 3, 2016 By Pierluigi Paganini
Today I present you the Riddler, aka Binary, the founder of the BinarySec group, a hacker collective focused on the fight against the ISIS propaganda online.

You are a popular talented hacker that has already participated in several hacking campaigns, could you tell me more about them? Could you tell me which is your technical background and when you started hacking?

All of our members come from many different backgrounds. A few of our members are just an “average joe” who’s picked up hacking in their spare time, while other members actually do security and hacking for a living.

Which is the technical background of your members?

My background is in IT, I started hacking about 8 years ago and my motivation was actually looking at a website and thinking: how can I make this work for me without the owner knowing…

What was your greatest hacking challenge?

My greatest hacking challenge was about 4 years ago when I launched a hacking campaign called OpBangladesh with some old hacking buddies. We targeted Bangladeshi websites and proceeded to hack and deface them. By the time the campaign was over, 20+ Bangladeshi government websites were defaced and shelled.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

The 4 tools a hacker absolutely needs aren’t actually tools at all. They are curiosity, willingness to learn, perseverance, and a unique way of thinking; these 4 things can actually make or break any hacker.

Which are the most interesting hacking communities on the web today, why?

As for me specifically I couldn’t tell you about hacking communities because they have really diminished.

Did you participate in hacking attacks against the IS propaganda online? When? How? Where do you find IS people to hack? How do you choose your targets?

I personally did participate in the attacks against the IS propaganda online and so did many of our members. We’ve been and still currently are taking down and removing their propaganda. As for the IS people we hack, we carefully check each and any suspicious person or submission to our website. If they are ruled to be an IS member or some other form of a terrorist organization, we attack accordingly. We exhaust every resource possible in efforts to shut down ISIS propaganda and recruitment online.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real?

I personally do believe that cyber attacks can cause a huge risk to critical infrastructure.

Endwall 09/03/2016 (Sat) 23:23:07 [Preview] No. 543 del
Spies Love People Who Use Smartphones Because They Are So Easy to Tap
September 3, 2014
How Spy Tech Firms Let Governments See Everything on a Smartphone
Nicole Perlroth New York Times September 3, 2016
SAN FRANCISCO — Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device. Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government. Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry operate. The emails and documents were provided by two people who have had dealings with the NSO Group but would not be named for fear of reprisals. The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group’s corporate mission statement is “Make the world a safe place.” Ten people familiar with the company’s sales, who refused to be identified, said that the NSO Group has a strict internal vetting process to determine who it will sell to. An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies.
And to date, these people all said, NSO has yet to be denied an export license. But critics note that the company’s spyware has also been used to track journalists and human rights activists. “There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.” The NSO Group’s capabilities are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects. The NSO Group’s spyware finds ways around encryption by baiting targets to click unwittingly on texts containing malicious links or by exploiting previously undiscovered software flaws. It was taking advantage of three such flaws in Apple software — since fixed — when it was discovered by researchers last month. The cyberarms industry typified by the NSO Group operates in a legal gray area, and it is often left to the companies to decide how far they are willing to dig into a target’s personal life and what governments they will do business with. Israel has strict export controls for digital weaponry, but the country has never barred the sale of NSO Group technology.
The founders of NSO Group, Omri Lavie, left, and Shalev Hulio. Credit: NSO Group
Since it is privately held, not much is known about the NSO Group’s finances, but its business is clearly growing. Two years ago, the NSO Group sold a controlling stake in its business to Francisco Partners, a private equity firm based in San Francisco, for $120 million. Nearly a year later, Francisco Partners was exploring a sale of the company for 10 times that amount, according to two people approached by the firm but forbidden to speak about the discussions. The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013. “Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.” Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations. He declined to comment on whether the company would cease selling to the U.A.E. and Mexico after last week’s disclosures. For the last six years, the NSO Group’s main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones — including iPhones, Androids, and BlackBerry and Symbian systems — without leaving a trace. Among the Pegasus system’s capabilities, NSO Group contracts assert, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls “room tap” can gather sounds in and around the room, using the phone’s own microphone. Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone’s web browser. And all of the data can be sent back to the agency’s server in real time.
In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person. Much like a traditional software company, the NSO Group prices its surveillance tools by the number of targets, starting with a flat $500,000 installation fee. To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal. You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter. What that gets you, NSO Group documents say, is “unlimited access to a target’s mobile devices.” In short, the company says: You can “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.”

Endwall 09/04/2016 (Sun) 17:38:59 [Preview] No. 545 del
How Much Do We Know (Or Not Know) About Canadian Intelligence
September 4, 2016
Victori H.S. Scott The Independent (Canada) August 16, 2016
Last year American whistle-blower Edward Snowden proclaimed that Canadian intelligence agencies have the “weakest oversight” in the Western world and compared the Canadian government’s Bill C-51 to George W. Bush’s post-9/11 U.S. Patriot Act. Canada became a surveillance state under the Stephen Harper Conservatives. In 2014, for example, it came to light that the Government Operations Centre was monitoring residents of Newfoundland and Labrador, including Indigenous Peoples, residents of the Island’s west coast who opposed fracking, and fishermen who were protesting shrimp quotas. This ongoing problem is further complicated by multiple transnational intelligence sharing agreements, in place since World War II, that remain largely unknown to the general public. Indeed, the rise of the surveillance state is a global phenomenon that cannot be separated from the rise of the internet. But in Canada, because of the lack of any credible oversight, it has played out in a very specific way. This has everything to do with what the Canadian public knows—and more importantly, does not know—about Canadian intelligence agencies. Canada’s new and highly invasive so-called anti-terror legislation came into force last year with the support of then-Opposition Leader Justin Trudeau and the Liberal caucus. The Trudeau Liberals knew that in order to win the election they would need to undo—or at least promise to undo—much of the damage done by their predecessors. They would have to address the alienation felt by Canadians from having a government that used national security as an excuse to trade away its citizens’ freedom and civil liberties. Unfortunately, they have yet to repeal or even reform Bill C-51, and recent terrorist attacks in Europe, the U.S., and here at home in Canada have provided the perfect backdrop against which to further delay the process.
On August 10, for example, Aaron Driver, a 24-year-old Canadian citizen who was allegedly plotting a terrorist attack in the southern Ontario town of Strathroy, died in a confrontation with police who were following up on a tip from the FBI.
Edited last time by Endwall on 09/04/2016 (Sun) 17:46:14.

Endwall 09/04/2016 (Sun) 17:49:47 [Preview] No. 546 del
Security Affairs
Dutch Police seized two servers of the VPN provider Perfect Privacy
September 4, 2016 By Pierluigi Paganini
The Dutch Police has seized two servers belonging to Switzerland-based Virtual Private Network (VPN) provider Perfect Privacy, as part of an investigation.
Recently, two European countries, France and Germany, have declared war against encryption with the objective of forcing major technology companies to build encryption backdoors into their secure messaging services. The fight against cybercrime is a priority for every European government, and law enforcement agencies worldwide are joining their efforts to fight illegal activities online. Law enforcement bodies claim their investigations are hampered by the wide adoption of encryption by criminal organizations and ask their governments for more powers. The French and German governments call for a European decryption law; a joint press conference, “Franco-German initiative on internal security in Europe”, was held in Paris by Germany’s Interior Minister Thomas de Maizière and France’s Interior Minister Bernard Cazeneuve. They called on the European Commission to consider a possible new legislative act to force operators offering products or telecommunications services to decrypt messages or to remove illegal content for government investigators. A directive, if issued by the European Commission, is a kind of EU decryption law that must pass through the interpretation stage of the European Union’s member states to become national law at the European level. Meanwhile, at the international level, they also called for the signing and ratification of the Budapest Convention on Cybercrime. The Netherlands is another country adopting measures to counter cybercrime: recently the Dutch Police seized two servers belonging to Switzerland-based Virtual Private Network (VPN) provider Perfect Privacy, as part of an investigation. At the time of writing, the Dutch police had not provided further details about the seizures. The Perfect Privacy VPN provider informed its customers that two servers in Rotterdam were seized by the Dutch police on Thursday, August 24.
The Dutch authorities seized the servers of the company; they requested that I3D, the company that provides server hosting in the Netherlands, give them access to the servers with a subpoena that allowed them to seize the hardware. Perfect Privacy confirms that the company was back up and running the following day. The Perfect Privacy provider confirmed the seizures and declared that it received the news about the law enforcement operation from I3D. “Today our hoster I3D informed us that the Dutch authorities have seized two servers from our location in Rotterdam. Currently we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster.” states the announcement from the Perfect Privacy VPN provider. “Since we are not logging any data there is currently no reason to believe that any user data was compromised.” VPNs are privileged tools that allow security experts, activists, and journalists to protect their privacy online; unfortunately, they are often abused by crooks and black hat hackers as well. VPN service providers receive numerous requests from law enforcement agencies to support their investigations, but in the majority of cases the companies do not offer their collaboration. It is likely that this is what has happened to the Perfect Privacy VPN provider. In April, the Dutch Police seized the servers of the Ennetcom VPN provider, based in the Netherlands and Canada, to shut down its operations during a criminal investigation. In that case, the Dutch Police accused Ennetcom of helping criminal activities, including drug trafficking and assassinations. The I3D hosting provider offered two replacement servers to avoid problems for the VPN provider.

Endwall 09/04/2016 (Sun) 17:56:24 [Preview] No. 547 del
Transmission Bittorrent Client Download Was Compromised for 2 Days
posted by cmn32480 on Sunday September 04, @01:04PM
It appears that on or about August 28, 2016, unauthorized access was gained to our [TransmissionBT's] website server. The official Mac version of Transmission 2.92 was replaced with an unauthorized version that contained the OSX/Keydnap malware. The infected file was available for download somewhere between a few hours and less than a day. Additional information about the malware is available here and here.

The infected file was removed from the server immediately upon discovering its existence, which was less than 24 hours after the file was posted to the website. To help prevent future incidents, we have migrated the website and all binary files from our current servers to GitHub. Other services, which are currently unavailable, will be migrated to new servers in the coming days. As an added precaution, we will be hosting the binaries and the website (including checksums) in two separate repositories.

Endwall 09/04/2016 (Sun) 18:06:51 [Preview] No. 548 del
Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police
Sam Biddle 2016-09-01T20:31:32+00:00
A confidential, 120-page catalogue of spy equipment, originating from British defense firm Cobham and circulated to U.S. law enforcement, touts gear that can intercept wireless calls and text messages, locate people via their mobile phones, and jam cellular communications in a particular area. The catalogue was obtained by The Intercept as part of a large trove of documents originating within the Florida Department of Law Enforcement, where spokesperson Molly Best confirmed Cobham wares have been purchased but did not provide further information. The document provides a rare look at the wide range of electronic surveillance tactics used by police and militaries in the U.S. and abroad, offering equipment ranging from black boxes that can monitor an entire town’s cellular signals to microphones hidden in lighters and cameras hidden in trashcans. Markings date it to 2014. Cobham, recently cited among several major British firms exporting surveillance technology to oppressive regimes, has counted police in the United States among its clients, Cobham spokesperson Greg Caires confirmed. The company spun off its “Tactical Communications and Surveillance” business into “Domo Tactical Communications” earlier this year, selling the entity to another company and presumably shifting many of those clients into it. Caires declined to comment further on the catalogue obtained by The Intercept or confirm its authenticity, but said it “looked authentic” to him. “By design, these devices are indiscriminate and operate across a wide area where many people may be present,” said Richard Tynan, a technologist at Privacy International, of the gear in the Cobham catalogue. Such “indiscriminate surveillance systems that are not targeted in any way based on prior suspicion” are “the essence of mass surveillance,” he added. 
The national controversy over military-grade spy gear trickling down to local police has largely focused on the “Stingray,” a single type of cellular spy box manufactured by a single company, Harris Corp. But the menu of options available to domestic law enforcement is enormous and poorly understood, mostly because of efforts by both manufacturers and their police clientele to suppress information about their functionality and use. What little we know about Stingrays has often been the result of hard-fought FOIA lawsuits or courtroom disclosures by the government. When the Wall Street Journal began reporting on the use of the Stingray in 2011, the FBI declined to comment on the grounds that even discussing the device’s existence could jeopardize its usefulness. The effort to pry out details about the tool is ongoing; just this past April, the American Civil Liberties Union and Electronic Frontier Foundation prevailed in a federal court case, getting the government to admit it used a Stingray in Wisconsin. Unsurprisingly, the Cobham catalogue describes itself as “proprietary and confidential” and demands that it “must be returned upon request.” Information about Cobham’s own suite of Stingray-style boxes is almost nonexistent on the web. But starting far down on Page 105 of the catalogue is a section titled “Cellular Surveillance,” wherein the U.K.-based manufacturer of defense and intelligence-oriented hardware lays out all the small wonders it sells for spying on people’s private conversations, whether they’re in Baghdad or Baltimore. [Catalogue page image not reproduced here.] That page immediately stood out to ACLU attorney Nathan Wessler, who has made Stingray-like devices a major focus of his work for the civil liberties group.
Wessler said “the note at the top of the page about the ability to intercept calls and text messages (in addition to the ability to geo-locate phones)” is of particular interest, because “domestic law enforcement agencies generally say they don’t use that capability.” Also remarkable to Wessler is the claim that cellphone users can be “tracked to less than 1 [meter] of accuracy.” Tynan said Cobham’s cellular surveillance devices are, like the Stingray, standard “IMSI catchers,” deeply controversial equipment that can be used to create fake cellular networks and swallow up International Mobile Subscriber Identity fingerprints, calls, and texts. But he noted that such devices can operate on a vast scale: The Cobham devices in this catalogue are standard interception devices with the ability to masquerade as 1-4 base stations simultaneously. This would allow it to pretend to be 4 different operators or 4 base stations from the same operator or any combination. These specifications allow for the interception of up to 4 calls at a time. The operational distance of these devices would be around 1-2 KM for 3G and significantly greater for 2G devices. Devices of this type can typically acquire the unique identifiers of handsets at a rate of 200 per minute. Cobham also offers equipment capable of causing immense cellular blackouts and bulk data collection, including the “3G-N” — operated via laptop...

Endwall 09/04/2016 (Sun) 18:11:23 [Preview] No. 549 del
How Bitcoin Users Reclaim Their Privacy Through its Anonymous Sibling, Monero
Bitcoin right now is not really anonymous. While Bitcoin addresses aren't necessarily linked to real-world identities, they can be. Monitoring the unencrypted peer-to-peer network, analyses of the public blockchain, and Know Your Customer (KYC) policy or Anti-Money Laundering (AML) regulations can reveal a lot about who's using Bitcoin and for what. This is not great from a privacy perspective. For example, Bitcoin users might not necessarily want the world to know where they spend their money, what they earn or how much they own; similarly, businesses may not want to leak transaction details to competitors. Additionally, the fact that the transaction history of each bitcoin is traceable puts the fungibility of all bitcoins at risk. "Tainted" bitcoins, for example, may be valued less than other bitcoins, possibly even calling into question Bitcoin's value proposition as money. There are potential solutions that may increase privacy and improve fungibility in Bitcoin. But most of these solutions are either partial, works-in-progress or just largely theoretical. To reclaim their privacy right now, therefore, some Bitcoin users have begun to utilize one of its competitors: the altcoin Monero. The article continues with an explanation of how Monero works differently from Bitcoin. Monero is based on the CryptoNote reference implementation, which is an altcoin that was designed from scratch. It uses XMR as its native currency, which is one of the top altcoins by market capitalization. It has implementation details that greatly reduce the ability of someone to follow the chain of inputs and outputs of transactions and trace back someone's identity. The real trick is Monero's use of "Ring Signatures": The actual magic comes from a cryptographic signature scheme called "ring signatures," based on the older concept of "group signatures."
Ring signatures exist as several iterations and variations, but all share the property of obfuscating which cryptographic key signed "which" message, while still proving "that" a cryptographic key signed "a" message. The version used by Monero is called "Traceable Ring Signatures (pdf)," invented by Eiichiro Fujisaki and Koutarou Suzuki. Lastly, a Bitcoin holder can exchange Bitcoin for Monero, perform a transaction, and then (if desired) convert any change from the transaction back to Bitcoin (with suitable delays to allow other transactions to occur on the Monero blockchain.)
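The ring-signature property described above, as an added example that is not part of the original post and not Monero’s code: a minimal Schnorr-style (AOS) ring signature in Python. It works in a toy multiplicative group mod 2^127 - 1 (an assumption chosen so the arithmetic stays readable; discrete logs there are easy, so it must not be reused), it omits the key image that makes Monero’s Fujisaki-Suzuki scheme traceable, and the names keygen, ring_sign and ring_verify are the example’s own. The message and ring members are constructed inputs.

```python
"""Schnorr-style (AOS) ring signature, written from scratch as an added example.

This is not Monero's code. Monero uses Fujisaki-Suzuki traceable ring
signatures over the Ed25519 curve and adds a "key image"; this demo omits
tracing and uses the multiplicative group mod p = 2^127 - 1 so the math is
visible. That group is an assumption for illustration only (discrete logs
in it are easy), so never reuse it for anything real.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime M127, toy modulus (demo assumption)
ORDER = P - 1        # g^ORDER == 1 mod P for every g, so exponents live mod ORDER
G = 7                # fixed base; any element works for the correctness shown here


def keygen():
    """Return (secret, public) with public = G^secret mod P."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def _challenge(msg, ring, value):
    """Hash the message, the whole ring and one group element to a challenge."""
    h = hashlib.sha256(msg)
    for y in ring:
        h.update(y.to_bytes(16, "big"))
    h.update(value.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def ring_sign(msg, ring, signer_index, signer_secret):
    """Sign msg on behalf of the ring without revealing signer_index."""
    n = len(ring)
    if pow(G, signer_secret, P) != ring[signer_index]:
        raise ValueError("secret does not match the chosen ring member")
    c = [0] * n
    r = [0] * n
    a = secrets.randbelow(ORDER - 1) + 1
    # Open the loop just after the signer with a fresh commitment G^a.
    i = (signer_index + 1) % n
    c[i] = _challenge(msg, ring, pow(G, a, P))
    # Walk around the ring: every non-signer gets a random response r_i,
    # and the value it produces becomes the next member's challenge.
    while i != signer_index:
        r[i] = secrets.randbelow(ORDER)
        value = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = _challenge(msg, ring, value)
    # Close the loop: only the holder of signer_secret can choose r_s so that
    # G^r_s * y_s^c_s equals the commitment G^a, which reproduces c[s+1].
    r[signer_index] = (a - signer_secret * c[signer_index]) % ORDER
    return c[0], r


def ring_verify(msg, ring, signature):
    """Recompute the challenge chain from c_0; it must close back on c_0."""
    c0, r = signature
    if len(r) != len(ring):
        return False
    c = c0
    for y_i, r_i in zip(ring, r):
        value = pow(G, r_i, P) * pow(y_i, c, P) % P
        c = _challenge(msg, ring, value)
    return c == c0


if __name__ == "__main__":
    members = [keygen() for _ in range(4)]          # constructed ring
    ring = [pub for _, pub in members]
    msg = b"transfer 1 XMR"
    sig = ring_sign(msg, ring, 2, members[2][0])    # member 2 signs
    print("valid:", ring_verify(msg, ring, sig))    # the verifier cannot tell who signed
```

Signing with any member’s key yields a signature that verifies identically, so the verifier learns only that one of the ring’s keys was used. Monero’s traceable variant additionally publishes a key image derived from the signer’s key, so a second signature with the same key can be linked (and a double spend rejected) without revealing which ring member it was.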

Endwall 09/05/2016 (Mon) 20:10:40 [Preview] No. 551 del
Hacker Interviews – 0xOmar (@0XOMAR1337)
September 4, 2016 By Pierluigi Paganini
Today I present you 0xOmar (@0XOMAR1337), an expert very active in the hacking community online with great experience. Enjoy the interview.

Why do you use the nickname of TeaMp0isoN? I know them and you are not a member of the original crew.
Trick was a very good friend of mine and invited me to join TeaMp0isoN in 2012 after my interview with Sky News on Skype in 2012; then I met MLT after 2013. I have been underground for many years because Israeli intelligence was trying to track me, but I still was here like other Anons are still wearing their masks. No one will know you. The new crew of TeaMp0isoN don’t know me. Members of the old crew like MLT know me. Good time, when I joined the team it was composed of only 4 persons.

Did you participate in several hacking campaigns? Could you tell me more about them?
I have participated in many operations and campaigns during my 17-year career. I taught many Anons hackers and I was a member of many teams. I have built 4 teams. I have participated in campaigns including #OpISIS, #OpIsrael, #Opusa, #OpIran, #OpMyanmar.

Could you tell me what is your technical background and when you started hacking?
My skills are Hardware, Networking, Coding HTML, PHP, ASP, ASPX, VB, C++, C#, J2SE 5.0, Java SE 8, JavaScript, Perl, SQL, .NET, XML, Scala, Python, Matlab, Cobol, Haskell, Smalltalk, Object-Oriented, Fortran, Scripting, Squeak, Ada, LabVIEW. My first software was made in VB and later in 2004 I developed a lot of software. One of my best pieces of software allowed me to get into Yahoo conferences without being invited. I developed many booters, DDoS scripts, malware, crypters & binders etc. I started hacking in 1999.

Which are your motivations?
I fight for peace in the World.

What was your greatest hacking challenge?
Taking down the Tel Aviv Stock Exchange in 2012, airline and Government web sites.
Below the list: http://www.zone-h.org/archive/notifier=0xOmar/page=1 … I infected with malware the Iranian Oil Field and I took down the site of the Israeli Intelligence Agencies when I was testing my tools (https://vid.me/9sqj ).

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?
* Nmap for scanning ports, mapping networks and connecting to targets.
* Metasploit exploitation & hacking framework.
* Hydra brute force and other network cracking techniques.
* Acunetix WVS web vulnerability scanner: Cross-site Scripting, SQL injection, WordPress, 1200 vulnerabilities.

Which are the most interesting hacking communities on the web today, why?
The most interesting hacking communities are common; you can find them on social media platforms like Facebook, Twitter, etc.

Did you participate in hacking attacks against the IS propaganda online? When? How?
Yes, I do. I participated in hacking attacks against IS; I attacked the main sites used by the IS with botnet and malware. I hacked into many of their accounts. For me ISIS are not even Muslims.

Where do you find IS people to hack? How do you choose your targets?
Social media, mobile apps, Twitter, Facebook, Telegram, etc., and friends reporting chosen targets.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?
Yes, it is. I do attacks against critical infrastructure. It is easy to attack them and the persons inside them. Send them emails with malware and you’ve got it. It is quite easy to scan online searching for vulnerable SCADA exposed on the Internet. Then you can use known exploits to hack them or write your own exploit code.

Endwall 09/05/2016 (Mon) 20:24:42 [Preview] No. 552 del
Riseup, providing encrypted comms for over 15 years, could run out of money next month
Graham Cluley | September 5, 2016 5:36 pm
Riseup.net, the non-profit collective which has been providing dissidents a way to encrypt their communications since 1999, without revealing your location or logging your IP address, is running out of money:
“The news is not good. We hate to be bad news birds, but we need to tell you that Riseup will run out of money next month. We had a number of unexpected hardware failures, lower-than-expected regular donations, and a record year of new Riseup users which puts more financial pressure on us than ever before. We need your help to keep things going this year, so we are starting a campaign to ask Riseup users to give us just one dollar! Can you give us a dollar? There are a lot of easy ways to do it: https://riseup.net/donate”
It seems that Riseup.net saw a boom in new users in the wake of the Edward Snowden revelations, but has not managed to match that growth with sufficient regular donations. If Riseup.net shuts down, that also means the end for 150,000 email accounts and over 18,000 mailing lists that depend on the service for their privacy and security. It would be sad to see Riseup.net close its doors. I hope people who value online liberty will support this noble cause. (Yes, I already donated.)

Endwall 09/05/2016 (Mon) 20:26:25 [Preview] No. 553 del
NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes
Two security experts from the Rapid 7 firm revealed that tens of thousands of CISCO ASA boxes are still vulnerable to the NSA EXTRABACON exploit.
A few weeks ago the Shadow Brokers hacker group hacked into the arsenal of the NSA-linked Equation Group and leaked online data dumps containing its exploits. ExtraBacon is one of the exploits included in the NSA arsenal; in August security experts improved it to attack newer versions of the CISCO ASA appliance. The Hungary-based security consultancy SilentSignal focused its analysis on the ExtraBacon exploit, revealing that it could be used against newer models of Cisco’s Adaptive Security Appliance (ASA). The security firm demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought. Initially, the ExtraBacon exploit was restricted to versions 8.4(4) and earlier of the CISCO ASA boxes; it has now been expanded to 9.2(4). The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The EXTRABACON tool leverages a flaw that resides in the Simple Network Management Protocol (SNMP) implementation of the ASA software. “A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO. “The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
The attacker must know the SNMP community string to exploit this vulnerability.” At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online. Network administrators that manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11). Experts estimated that tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit.

The bad news. Unfortunately, two security experts from the Rapid 7 firm, Derek Abdine and Bob Rudis, revealed that tens of thousands of ASA appliances are still vulnerable to the EXTRABACON attack, judging by the time of the last reboot. The security duo scanned roughly 50,000 ASA devices that were identified in a previous reconnaissance and analysed the last reboot times. Some 10,000 of the 38,000 ASA boxes had rebooted within the 15 days since Cisco released its patch, information that confirms that roughly 28,000 devices are still vulnerable because they were not patched. The remaining 12,000 devices did not provide information on the last reboot. Going deeper into the analysis, the researchers discovered that unpatched devices belong to four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider. What does it mean?
It means that the above organizations are using vulnerable CISCO ASA boxes if the following conditions are matched:
* the ASA device must have SNMP enabled and an attacker must have the ability to reach the device via UDP SNMP (yes, SNMP can run over TCP though it’s rare to see it working that way) and know the SNMP community string
* an attacker must also have telnet or SSH access to the devices
Of course, exploiting ExtraBacon is not so simple; anyway, it is possible when dealing with persistent attackers. “This generally makes the EXTRABACON attack something that would occur within an organization’s network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit.” wrote Abdine and Rudis. “Even though there’s a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments.” “Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.” The security duo is warning the above organisations, which should not underestimate the risk of exposure to EXTRABACON attacks.
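The preconditions the post lists (a build covered by the exploit, SNMP enabled and reachable, a known community string) turned into an offline triage script, added here as an example; it is not Cisco’s or Rapid7’s tooling. The fixed-release table holds only the builds the post names, so trains it does not cover come back as “unknown” and must be checked against Cisco’s advisory for CVE-2016-6366; the weak-community list, the version-string parser, and the sample running-config are assumptions made for the demo.

```python
"""Offline triage of a Cisco ASA against the EXTRABACON (CVE-2016-6366)
preconditions described in the post. Added example, not Cisco's or Rapid7's
tooling. FIXED holds only the fixed releases the post names; Cisco's advisory
covers more trains, so anything not in the table is reported as "unknown".
"""
import re

# train (major, minor) -> first fixed release, as stated in the post (assumption: partial table)
FIXED = {
    (9, 1): (9, 1, 7, 9),     # 9.1(7)9 in Cisco notation, written 9.1.7(9) in the post
    (9, 5): (9, 5, 3),
    (9, 6): (9, 6, 1, 11),
}
EXPLOITED_UP_TO = (9, 2, 4)   # the post: public exploit extended from 8.4(4) up to 9.2(4)
# Community strings treated as guessable (assumption: common defaults, extend to taste)
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}

# Constructed running-config excerpt: SNMP on, default community, trap host on 'inside'
SAMPLE_CONFIG = """
hostname edge-fw
snmp-server host inside 10.0.0.5 community public version 2c
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""


def parse_asa_version(text):
    """Reduce '... Version 9.1(7)9' or '9.1.7(9)' to a comparable tuple (9, 1, 7, 9)."""
    m = re.search(r"Version\s+(\d[\d.()]*)", text) or re.search(r"(\d[\d.()]*)", text)
    if not m:
        raise ValueError("no ASA version found")
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1)))


def version_status(text):
    """'patched', 'vulnerable' or 'unknown' based only on what the post states."""
    v = parse_asa_version(text)
    train = v[:2]
    if train in FIXED:
        return "patched" if v >= FIXED[train] else "vulnerable"
    if v <= EXPLOITED_UP_TO:
        return "vulnerable"    # inside the range the public exploit covers, no fixed build named
    return "unknown"           # train not covered by the post; consult Cisco's advisory


def audit_snmp(config):
    """Pull the SNMP facts the post says matter: is it on, and is the string guessable."""
    communities, hosts = set(), []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            communities.add(m.group(1))
        m = re.match(r"snmp-server host (\S+) (\S+) community (\S+)", line)
        if m:
            hosts.append((m.group(1), m.group(2)))
            communities.add(m.group(3))
    return {
        "snmp_enabled": bool(communities),
        "weak_community": any(c.lower() in WEAK_COMMUNITIES for c in communities),
        "snmp_hosts": hosts,
    }


def assess(version_text, config):
    """Combine the version and SNMP preconditions into a verdict plus the evidence."""
    status = version_status(version_text)
    snmp = audit_snmp(config)
    if status == "patched":
        verdict = "patched"
    elif not snmp["snmp_enabled"]:
        verdict = "snmp-disabled"      # vulnerable code present, but the SNMP precondition is unmet
    elif status == "vulnerable":
        verdict = "exposed"
    else:
        verdict = "check-advisory"
    return {"version": status, "verdict": verdict, **snmp}


if __name__ == "__main__":
    print(assess("Cisco Adaptive Security Appliance Software Version 8.4(4)", SAMPLE_CONFIG))
```

Run it against the output of `show version` and `show running-config` collected from each firewall; an “exposed” verdict with `weak_community` set means the only remaining precondition the post names, knowing the community string, is trivially met. Patch status should still be confirmed against Cisco’s own fixed-release list, since the table above is only what this post reports.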

Endwall 09/05/2016 (Mon) 20:28:46 [Preview] No. 555 del
Linux/Mirai ELF, when malware is recycled could be still dangerous
September 5, 2016 By Pierluigi Paganini
Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai,  which is now targeting IoT devices
Experts from MalwareMustDie have analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai,  which is now targeting IoT devices. The name of the malware is the same of the binary,”mirai.*,” and according to the experts, several attacks have been detected in the wild. The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions as confirmed by the very low detection ratio in the VirusTotal online scanning service. “The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog. The last ELF examined by Security Affairs was the Linux Trojan Linux.PNScan that has actively targeting routers based on x86 Linux in an attempt to install backdoors on them. But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”. And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.” This means that when the infections succeeded, it is not easy to distinguish an infected system by a not infected one, except than from the memory analysis, and we are talking about a kind of devices that are not easy to analyze and debug. The normal kind of analysis conducted from the file system or from the external network traffic doesn’t give any evidence, at the beginning. We are in a hostile environment, called Internet of Things (IoT), shaping new kind of powerful Botnets spreading worldwide, but which Countries are more exposed to this kind of attack? 
“Countries that are having Linux busybox IoT embedded devices that can connect to the internet, like DVR or Web IP Camera from several brands, and countries who have ISP serving users by Linux routers running with global IP address, are exposed as target, especially to the devices or services that is not securing the access for the telnet port (Tcp/23) service“ In fact seems that he continues, “the Linux/Mirai creators succeed to encode the strings and making diversion of traffic to camouflage themself. As is possible to see analyzing the samples, shown in the link to Virustotal  the best detection is only “3 of 53” or “3 to 55.” What is very important for all the sysadmins is to be provided by a shield against these infections: “along with the good friends involved in the open filtration system, security engineers are trying to push” – says again MalwareMustDie – “the correct filtration signature to alert the sysadmins if having the attacks from this threat. And on one pilot  a sysadmins provided with the correct signatures, found the source attack from several hundreds of addresses within only a couple of days.” Then it seems that the infection is really going widespread and the Botnet seems to be really very large. At the moment for all the sysadmins who want to protect their systems there is a list of mitigations actions: * If you have an IoT device, please make sure you have no telnet service open and running. * Blocking the used TCP/48101 port if you don’t use it, it’s good to prevent infection & further damage, * Monitor the telnet connections because the Botnet protocol used for infection is the Telnet service, * Reverse the process looking for the strings reported in the MalwareMustDie detections tool tips. But, what we know about this Linux/Mirai ELF malware exactly, and why it is not so common among the malware analysts? 
“The reason why not so many people know it”, says MalwareMustDie, “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.” This means that the forensic analysis can also be difficult if we switch off the infected device: all the information would be lost and maybe it would be necessary to start again with a new infection procedure. It recalls the Greek mobile wiretap known as the “Vodafone Hack”: no evidence other than in memory. But in your opinion, what is the main difference from the previous ELF malware versions? “The actors are now having different strategy than older type of similar threat.” – says MalwareMustDie – “by trying to be stealth (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), encoded ELF’s ASCII data, and with a big “hush-hush” among them for its distribution. But it is obvious that the main purpose is still for DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call it as Telnet Scanner.” The real insidiousness of this ELF is that the only way to track it is to extract it from the memory of the running devices, and there is not so much expertise among people who can “hack their own routers or webcam or DVR to get the malware binary dumped from the memory or checking the trace of infection.” Digging in the details: how the infection works...
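A defender-side illustration of the two network-level mitigations in the post above (watch telnet, block TCP/48101), written as an added example for this thread rather than taken from MalwareMustDie or the article: it reads a constructed connection log and flags accepted telnet sessions, sources sweeping many hosts on port 23 (the spreading behaviour the post calls the Telnet Scanner), and any traffic on 48101. The log record format, the IP addresses and the fan-out threshold are all assumptions.

```python
"""Flag telnet exposure and Mirai-style telnet sweeps in a connection log.

Added example for this thread, not MalwareMustDie's tooling.  Record format
is assumed: "<epoch> <src_ip> <dst_ip> <proto>/<dport> <state>", one per line.
"""
from collections import defaultdict

TELNET_PORT = 23
MIRAI_REPORT_PORT = 48101    # port named in the mitigation list above
SCAN_FANOUT_THRESHOLD = 10   # distinct telnet targets from one source (assumed tuning value)

# Constructed sample: one source sweeping a /24 on tcp/23, one device talking
# on tcp/48101, one accepted telnet login and ordinary HTTPS that must not fire.
SAMPLE_LOG = "\n".join(
    [f"1473300000 198.51.100.7 192.0.2.{i} tcp/23 syn" for i in range(1, 13)]
    + [
        "1473300050 192.0.2.15 203.0.113.9 tcp/48101 established",
        "1473300060 192.0.2.20 93.184.216.34 tcp/443 established",
        "1473300070 192.0.2.21 192.0.2.22 tcp/23 established",
        "garbage line that should be ignored",
    ]
)


def parse_line(line):
    """Split one record into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto_port, state = parts
    proto, _, port = proto_port.partition("/")
    if not (ts.isdigit() and port.isdigit()):
        return None
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(port), "state": state}


def analyse(log_text):
    """Return telnet sweepers, accepted telnet sessions and 48101 hits."""
    findings = {"telnet_scanners": {}, "telnet_accepted": [], "report_port_hits": []}
    telnet_targets = defaultdict(set)       # src -> distinct hosts probed on 23
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] == TELNET_PORT:
            telnet_targets[rec["src"]].add(rec["dst"])
            if rec["state"] == "established":
                # Any completed telnet session on the IoT segment is worth a look:
                # the mitigation list says the service should not be open at all.
                findings["telnet_accepted"].append((rec["src"], rec["dst"]))
        elif rec["dport"] == MIRAI_REPORT_PORT:
            findings["report_port_hits"].append((rec["src"], rec["dst"]))
    for src, targets in telnet_targets.items():
        if len(targets) >= SCAN_FANOUT_THRESHOLD:
            findings["telnet_scanners"][src] = len(targets)
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding it real flow or firewall logs only needs a different `parse_line`; the fan-out rule is the part that catches a sweep before any signature for the binary exists, which matters for a sample that antivirus engines were not yet detecting.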

Endwall 09/05/2016 (Mon) 20:30:48 [Preview] No. 556 del
Evidence on hacks of the US State Election Systems suggest Russian origin
September 5, 2016 By Pierluigi Paganini
Researchers have found links between the attacks on US state election systems and campaigns managed by alleged Russian state-sponsored hackers.
Security experts at threat intelligence firm ThreatConnect have conducted an analysis of the IP addresses listed in the flash alert issued in August by the FBI that warned about two cyber attacks against the election systems in two U.S. states. The FBI confirmed that foreign hackers have penetrated state election systems; federal experts have uncovered evidence of the intrusion. The hackers violated the databases of two state election systems, and for this reason the FBI issued the flash alert to election officials across the country inviting them to adopt security measures to protect their computer systems. “The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.” reported Yahoo News, which obtained a copy of the “flash” alert. The FBI alert contains technical details about the attacks, including the IP addresses involved in both attacks, which have been analyzed by ThreatConnect. The TTPs adopted by the attackers suggest the involvement of Russian hackers; one of the IP addresses included in the alert has surfaced before in Russian criminal underground hacker forums. Some of the IPs are owned by the FortUnix Networks firm, which was known to the security experts because its infrastructure was exploited by the attackers that hit the Ukrainian power grid in December with the Black Energy malware. The experts revealed that one of them was used in the past in spear-phishing campaigns that targeted the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.
“However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spear phishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi.” states the analysis published by ThreatConnect. “As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.” The phishing campaigns mentioned in the analysis exploited an open source phishing framework named Phishing Frenzy; the security experts managed to hack into the control panel of the system used by the phishers and discovered a total of 113 emails written in Ukrainian, Turkish, German and English. Out of the 113 total emails, 48 of them are malicious messages targeting Gmail accounts, while the rest were specifically designed to look like an email from an organization of interest for the victims. 16 of the malicious emails used to target AK Party officials were also included in the WikiLeaks dump of nearly 300,000 AK Party emails disclosed in July. The experts from ThreatConnect discovered some connections to a Russian threat actor allegedly linked to the Government of Moscow. One of the domains hosting the phishing content was registered with an email address associated with a domain known to be used by the infamous APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy).
Below is the evidence collected by experts at ThreatConnect that suggests the involvement of the Russian Government, “but do not prove” it:
* Six of the eight IP addresses belong to a Russian-owned hosting service
* 5.149.249[.]172 hosted a Russian cybercrime market from January – May 2015
* Other IPs belonging to FortUnix infrastructure – the same provider as 5.149.249[.]172 – were seen in 2015 Ukraine power grid and news media denial of service attacks
* The Acunetix and SQL injection attack method closely parallel the video from a purported Anonymous Poland (@anpoland) handle describing how they obtained athlete records from Court of Arbitration for Sport (CAS).

Endwall 09/05/2016 (Mon) 20:32:22 [Preview] No. 557 del
NSO Group, the surveillance firm that could spy on every smartphone
September 5, 2016 By Pierluigi Paganini
The NSO Group is one of the surveillance companies that allow their clients to spy on their targets through almost any smartphone.
It is quite easy for any Government to spy on mobile users; recently we have discussed the Trident vulnerabilities that were exploited by a surveillance software developed by the NSO Group to deliver the Pegasus malware. But it could be very expensive if you decide to use the NSO Group’s software; according to The New York Times, spying on 10 iPhones will cost $650,000, plus a $500,000 setup fee. “To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal.” reported The New York Times. “You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.” There are several companies that develop surveillance platforms for targeting mobile devices; the NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor. The researchers also spotted other attacks against a Mexican journalist who reported to the public a story about corruption in the Mexican government. “The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013.” added The New York Times. “Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists.
All contracts with the federal government are done in accordance with the law.” The New York Times has conducted further investigations on the NSO Group, the company that specializes in surveillance applications for governments and law enforcement agencies around the world. People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers, verifying that the software will not be abused to violate human rights. Officially the sale of surveillance software is limited to authorized governments to support agencies’ investigations of criminal organizations and terrorist groups. Unfortunately, its software is known to have been abused to spy on journalists and human rights activists. “There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.” Companies like the NSO Group operate in the dark, in a sort of “legal gray area”; although the Israeli government exercises strict control over the export of such kinds of software, surveillance applications could be abused by threat actors and authoritarian regimes worldwide. The principal product of the NSO Group is a surveillance software called Pegasus; it allows spying on the most common mobile devices, including iPhone, Android, BlackBerry and Symbian systems. Pegasus is a perfect tool for surveillance; it is able to steal any kind of data from smartphones and use them to spy on the surrounding environment through their camera and microphone.
“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.” continues The New York Times. Now we have more information about the mysterious NSO Group, but many other companies operate in the same “legal gray area.”

Endwall 09/07/2016 (Wed) 23:39:36 [Preview] No. 560 del
Hak 5

Threat Wire
Ford to Nix Key Fobs for Better Security? - Threat Wire - Duration: 5 minutes, 47 seconds.

2 Second Password Hash Hack - Hak5 2102 - Duration: 26 minutes.

Endwall 09/08/2016 (Thu) 01:11:21 [Preview] No. 561 del
Hacking Passports and Credit Cards with Major Malfunction - Duration: 6 minutes, 17 seconds.

Endwall 09/08/2016 (Thu) 05:50:38 [Preview] No. 567 del
CVE-2016-3862 flaw – Silently hack millions Androids devices with a photo
The CVE-2016-3862 flaw is a remote code execution vulnerability that affects the way certain Android apps parse the Exif data in images.
Are you an Android user? I have bad news for you: an apparently harmless image on a social media or messaging app could compromise your mobile device. The latest security updates issued by Google have fixed the Quadrooter vulnerabilities, which were threatening more than 900 million devices, and a critical zero-day that could let attackers deliver their hack hidden inside an image. The flaw, coded as CVE-2016-3862, is a remote code execution vulnerability in the Mediaserver. It affects the way certain Android applications parse the Exif data included in images. “Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia. The flaw was first discovered by the security researcher Tim Strazzere from the SentinelOne firm, who explained that it could be exploited by hackers to take complete control of the device without the victim knowing, or to crash it. “Strazzere told me that as long as an attacker can get a user to open the image file within an affected app – such as Gchat and Gmail – they could either cause a crash or get “remote code execution”; ergo they could effectively place malware on the device and take control of it without the user knowing.” explained Forbes. The victim doesn’t need to click on the malicious image, nor on a link, because as soon as its data is parsed by the device it triggers the CVE-2016-3862 vulnerability. “The problem was made even more severe as a malicious hacker wouldn’t even need the victim to do anything. “Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone.
Once that application attempts to parse the image (which was done automatically), the crash is triggered,” Strazzere explained. What does it mean? Just one photo containing a generic exploit can silently hack millions of Android devices, in a way similar to the Stagefright exploits that allowed attackers to hack a smartphone with just a simple text message. “Theoretically, someone could create a generic exploit inside an image to exploits lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” Strazzere developed the exploits for the affected devices and tested them on Gchat, Gmail and many other messenger and social media apps. Strazzere did not reveal the names of the other apps that are also affected by the CVE-2016-3862 vulnerability; he also added that the list of vulnerable software includes “privacy-sensitive” tools. Any mobile app implementing the Android Java object ExifInterface code is likely vulnerable. The vulnerability is similar to last year’s Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it. Google Android versions from 4.4.4 to 6.0.1 are affected by the CVE-2016-3862 vulnerability, except, of course, the devices that installed the latest update. Google has already delivered a patch to fix the vulnerability; as usual, this doesn’t mean that your mobile has already applied it, because patch management depends on handset manufacturers and carriers. So, if you are not running an updated version of the Android OS, you are probably vulnerable to the image-based attack.
Google rewarded Strazzere $4,000 as part of its Android bug bounty and added another $4,000, as the researcher had pledged to give all $8,000 to Girls Garage, a program of the nonprofit Project H Design for girls aged 9-13.
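The bug class in this story is a parser that trusts the offsets and counts it finds inside untrusted Exif (TIFF-structured) metadata. The following is an added example written for this thread, not Android's ExifInterface and not Strazzere's exploit: a small Exif IFD0 reader in Python that validates every offset and length against the buffer before reading, together with constructed valid and malformed inputs (an IFD pointer outside the buffer, a tag value that runs past the end). The sample bytes and the entry-count limit are assumptions.

```python
"""Bounds-checked reader for the first IFD of a TIFF-structured Exif blob.

Added example for this thread; it is neither Android's ExifInterface nor any
exploit for CVE-2016-3862.  It shows the checks a parser of untrusted image
metadata needs: every offset and count from the file is validated against the
buffer length before it is used.  Sample data below is constructed.
"""
import struct

# TIFF field type -> size in bytes (types 1..12 from the TIFF 6.0 spec)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
MAX_ENTRIES = 512           # assumed sanity limit; real IFDs have a few dozen entries
TAG_MAKE, TAG_ORIENTATION = 0x010F, 0x0112


class ExifError(ValueError):
    """Raised instead of reading outside the buffer."""


def decode(end, ftype, n, payload):
    """Decode ASCII, SHORT and LONG values; leave other types as raw bytes."""
    if ftype == 2:
        return payload.split(b"\x00", 1)[0].decode("ascii", "replace")
    if ftype in (3, 4):
        fmt = end + ("H" if ftype == 3 else "I") * n
        values = struct.unpack(fmt, payload)
        return values[0] if n == 1 else list(values)
    return payload


def parse_ifd0(buf):
    """Return {tag: value} for IFD0, refusing any offset that leaves the buffer."""
    if len(buf) < 8:
        raise ExifError("truncated TIFF header")
    if buf[:2] == b"II":
        end = "<"
    elif buf[:2] == b"MM":
        end = ">"
    else:
        raise ExifError("bad byte-order mark")
    magic, ifd_offset = struct.unpack(end + "HI", buf[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    # Check 1: the IFD pointer itself must land inside the buffer.
    if ifd_offset < 8 or ifd_offset + 2 > len(buf):
        raise ExifError(f"IFD offset {ifd_offset} outside buffer of {len(buf)} bytes")
    (count,) = struct.unpack(end + "H", buf[ifd_offset:ifd_offset + 2])
    # Check 2: the entry table (12 bytes per entry) must fit as well.
    if count > MAX_ENTRIES or ifd_offset + 2 + 12 * count > len(buf):
        raise ExifError(f"IFD with {count} entries does not fit in buffer")
    tags = {}
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        tag, ftype, n, raw = struct.unpack(end + "HHI4s", buf[off:off + 12])
        if ftype not in TYPE_SIZES:
            continue                      # unknown type: skip, never guess a size
        size = TYPE_SIZES[ftype] * n      # Python ints cannot overflow here
        if size <= 4:
            payload = raw[:size]          # value is stored inline, left-justified
        else:
            (voff,) = struct.unpack(end + "I", raw)
            # Check 3: out-of-line values must lie entirely inside the buffer.
            if voff + size > len(buf):
                raise ExifError(f"tag 0x{tag:04X} value at {voff}+{size} outside buffer")
            payload = buf[voff:voff + size]
        tags[tag] = decode(end, ftype, n, payload)
    return tags


def build_sample_exif():
    """Constructed little-endian blob: Make="Canon" (out of line), Orientation=1 (inline)."""
    make = b"Canon\x00"
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * 2 + 4          # after count, 2 entries, next-IFD
    body = struct.pack("<H", 2)
    body += struct.pack("<HHII", TAG_MAKE, 2, len(make), data_offset)
    body += struct.pack("<HHIHH", TAG_ORIENTATION, 3, 1, 1, 0)
    body += struct.pack("<I", 0)                        # no further IFD
    return b"II*\x00" + struct.pack("<I", ifd_offset) + body + make


def build_bad_ifd_pointer():
    """Same blob with the IFD0 pointer moved far outside the buffer."""
    blob = bytearray(build_sample_exif())
    struct.pack_into("<I", blob, 4, 0xFFFFFFF0)
    return bytes(blob)


def build_bad_value_offset():
    """Same blob with the Make value offset pointing past the end."""
    blob = bytearray(build_sample_exif())
    struct.pack_into("<I", blob, 8 + 2 + 8, 0x7FFFFFFF)  # offset field of entry 0
    return bytes(blob)


def safe_parse(buf):
    """Return (tags, None) on success or (None, reason) on a rejected input."""
    try:
        return parse_ifd0(buf), None
    except ExifError as exc:
        return None, str(exc)
```

In a memory-unsafe parser each of the three checks corresponds to a read that would otherwise land outside the allocation; the `count * size` product is a fourth hazard in C, where a 32-bit multiplication can wrap to a small value, which is why it is computed in unbounded Python integers here.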

Endwall 09/08/2016 (Thu) 05:52:28 [Preview] No. 568 del
Security Affairs
Hacker Interviews – @h0t_p0ppy, the hacktivist
Today I’ll present @h0t_p0ppy, a skilled online hacktivist who participated in major hacking campaigns, including #OpWhales, #OpSeaWorld, #OpKillingBay, and #OpBeast.
September 7, 2016 By Pierluigi Paganini
You are a popular, talented hacker who has already participated in several hacking campaigns; could you tell me more about it?

I have participated in campaigns against animal abuse. There are many ops for animals that don’t get enough attention or recognition. The first big one was #OpFunKill, then #OpKillingBay, which inspired me to create #OpSeaWorld, #OpKillingBay-EU and #OpWhales. All these campaigns focus on either the slaughter or confinement of cetaceans. Few people were aware about the impact of cetacean slaughter on our environment. As Paul Watson said, “If the oceans die, we die.” With these ops the public can learn about whale slaughter, which is still happening today, and the truth behind SeaWorld and marine prisons. It’s not easy keeping all these ops up to date with relevant information. It takes a lot of my spare time, but if it makes a difference, it’s worth it.

Could you tell me what your technical background is and when you started hacking?

I was inspired by the anonymous movement to believe that every single person has the ability to make a change. I went from office to hacktivism. I have picked up skills, taught myself and relied on team members to teach me new skills. The team as a whole has a varied skill base, from researching to dd0s and hacking. Each and every one of us is equally important to the success of the ops.

What are your motivations?

Simply to bring awareness to the public about the crimes against cetaceans at the hands of humans. I also want to see an end to whaling.

What was your greatest hacking challenge?

The greatest challenge isn’t hacking, it’s keeping the momentum and interest in the ops. #OpKillingBay, for instance, is in year 4 now and still as important as the day it launched. All our work is a team effort. Action taken for #OpWhales has brought Iceland’s commercial hunt of fin whales (an endangered animal) into the spotlight. Sites were brought down, including the prime minister’s official website and that of the environment and interior ministries. This brought worldwide media attention to the plight of these whales.

Which was your latest hack? Can you describe it for me?

The guys at Powerful Greek Army have been getting involved with ops hitting SeaWorld with a huge dd0s attack in the last few days. Also a few other Animal Rights Hacktivists have had a few whale meat sellers’ sites de-hosted. (Many thanks to all)

What are the 4 tools that cannot be missed in the hacker’s arsenal, and why?

A range of vulnerability scanners, patience, determination and, most importantly, a trustworthy team.

Which are the most interesting hacking communities on the web today, and why?

The guys at Anon Rising are doing a great job building up an IRC and support base for anons and ops.

How do you choose your targets?

Targets are connected to the whaling industry ~ the sale and transport of whale meat and governments that approve whaling. Also any company connected with the trade in dolphins and their incarceration.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against a critical infrastructure is real?

Yes, it is just a matter of time.

Endwall 09/08/2016 (Thu) 05:54:27 [Preview] No. 569 del
CSTO Ransomware, a malware that uses UDP and Google Maps
September 7, 2016 By Pierluigi Paganini
The CSTO ransomware is able to query the Google Maps API to discover the victim’s location and connects to the C&C via UDP.
Ransomware is considered by security experts one of the most dangerous threats to Internet users and organizations across the world. Malware authors are developing new malicious codes that implement new features to improve evasion and spreading abilities. Security researchers at BleepingComputer have reported a new ransomware dubbed Cry or CSTO because it pretends to come from the nonexistent organization Central Security Treatment Organization. The CSTO ransomware was first spotted by the malware researcher MalwareHunterTeam. Once it has infected a machine, the CSTO ransomware encrypts files and appends the .cry extension to them. Like the Cerber ransomware, the CSTO ransomware also sends information to its command and control server via UDP. After infecting a computer, the CSTO ransomware collects information on the host (Windows version, installed service pack, OS version, username, computer name, and CPU type), which it sends via UDP to 4096 different IP addresses, but only one of them is the C&C server. The vxers have chosen the UDP protocol in an attempt to hide the location of the C&C server. The threat requests the payment of a 1.1 Bitcoin (more than $600) ransom in order to decrypt the files. The CSTO ransomware implements a singular feature: it leverages websites such as Imgur.com and Pastee.org to host information about victims, and it is able to query the Google Maps API to discover the victim’s location using the SSIDs of nearby wireless networks. The ransomware uses the WlanGetNetworkBssList function to get the nearby SSIDs; in this way it is able to determine the victim’s location, but it is not clear how the malware uses this information. “Furthermore, it will also use public sites such as Imgur.com and Pastee.org to host information about each of the victims.
Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.” reported bleepingcomputer.com. The threat encrypts the files and uploads host information along with a list of encrypted files to Imgur.com by compiling all details in a fake PNG image file and sending it to a certain album. Imgur, in turn, assigns a unique name to the image file and notifies the CSTO ransomware of it, which then broadcasts the filename over UDP to inform the C&C server. Similar to other ransomware, the Cry ransomware deletes the Shadow Volume Copies using the command vssadmin delete shadows /all /quiet. In this way it prevents victims from restoring the encrypted files. The threat gains persistence by creating a randomly named scheduled task that is triggered every time the user logs into Windows. The task also drops ransom notes on the desktop of the infected machine. The ransom note includes instructions on how to access the Tor network to reach the payment site used by the authors. “The ransom notes created by the Central Security Treatment Organization Ransomware contain links to a TOR payment site that has a Window title of User Cabinet. When a user visits this site, they will be prompted to login using the personal code from their ransom note.” continues bleepingcomputer.com. The payment site includes a support page and offers victims the possibility of decrypting just one file for free as proof that it is possible to decrypt all the locked files. The researchers tested the free decryption feature, but it failed, another good reason to avoid paying the ransom.

Endwall 09/08/2016 (Thu) 05:57:04 [Preview] No. 570 del
Cry Ransomware Uses UDP, Imgur, Google Maps
by Chris Brook September 6, 2016 , 2:40 pm
Ransomware purporting to come from a phony government agency, something called the Central Security Treatment Organization, has been making the rounds, researchers say. The ransomware, which is already known by a number of names including Cry, CSTO ransomware, or Central Security Treatment Organization ransomware, uses the User Datagram Protocol (UDP) to communicate and the photo sharing service Imgur and Google Maps to carry out its infections to an extent, as well. A security researcher who goes under the guise MalwareHunterTeam discovered the malware last Thursday. Lawrence Abrams, who runs BleepingComputer.com, helped analyze the ransomware alongside MalwareHunterTeam and security researcher Daniel Gallagher. Abrams discussed their collected findings in a blog post Monday night. The three point out that the ransomware is still being analyzed so many of the details around it are still hazy; that includes how it’s being distributed and whether or not decryption is possible. What is known is that the malware has managed to hit 8,000 victims in almost two weeks so far. Abrams told Threatpost on Tuesday that when he started to analyze the ransomware with MalwareHunterTeam on Sept. 2 there were roughly 3,200 victims. That figure later ballooned to 6,800 two days later and when he checked on Monday, it had reached 8,000. The ransomware is still being developed too; Abrams claims Gallagher discovered a new sample earlier today. After machines are infected, Cry leaves ransom notes, “Recovery_[random_chars].html” and “!Recovery_[random_chars].txt” on a victim’s desktop, notifying them their files have been encrypted with the “.cry” extension – hence the name. The notes demand 1.1 bitcoin, or roughly $625 to decrypt them. From there, it uses the UDP protocol to relay information about the infected machine, including its Windows version, its Windows bit type, which service pack is installed, the computer’s name and CPU type to over 4,000 IP addresses.
According to Abrams, this method is likely used to make it trickier for authorities to finger the command and control server’s location, a technique that has been used in the past by the Cerber ransomware strain. Researchers at Invincea saw a Cerber variant in May generating loads of outgoing UDP traffic, to the point that it was flooding subnets with UDP packets over port 6892. Experts didn’t rule out the possibility that the ransomware could be capable of carrying out a distributed denial of service attack. In addition to UDP, Cry also uses two other services not usually leveraged by ransomware: Imgur and Google Maps. The ransomware culls all the information it sends to the IP addresses and embeds it in a PNG image file and subsequently uploads to an Imgur photo gallery. “Once the file has successfully been uploaded, Imgur will respond with a unique name for the filename,” Abrams writes. “This filename (can) then be broadcasted over UDP to the 4096 IP addresses to notify the Command & Control server that a new victim has been infected.” The ransomware can also use Google Maps’ API to determine the Service Set Identifier (SSID) of packets sent by any nearby wireless networks. By using Windows’ WlanGetNetworkBssList function, Cry can get the list of wireless networks and SSIDs. After querying any SSIDs visible to the infected machine, it can use Google Maps to get the victims’ location. While the location data is no doubt valuable, Abrams claims it’s unclear what exactly it’s for, but admits it can likely be used to further scare a victim into paying. Abrams told Threatpost that while it wasn’t discovered until Sept. 1, it appears the developer behind Cry first began testing the waters several days before, on Aug. 25. 
Abrams, Gallagher and MalwareHunterTeam can see the developer began testing uploaded PNG files at the time with just the strings “LOLWTFAMIDOINGHERE.” While the Central Security Treatment Organization doesn’t exist, neither does the Department of Pre-Trial Settlement or the Federal Agency of Investigation, two other bogus groups that the ransomware touts itself as representing on its Tor payment site. The seal for the fake organization appears to borrow the crest, branches, and stars from the FBI’s logo and the eagle’s head from the CIA logo.
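The two Cry write-ups above (the Security Affairs post and this Threatpost piece) name three host-side behaviours a defender can key on: the vssadmin delete shadows /all /quiet command, a randomly named scheduled task fired at every logon, and a single process spraying UDP at thousands of addresses. The following is an added example for this thread, not code from BleepingComputer or Threatpost: it runs those three rules over constructed process-creation and network-connection events in a Sysmon-like shape. The event field names, the schtasks /sc onlogon command line (the articles do not say how the task is created) and the fan-out threshold are assumptions.

```python
"""Three host-telemetry rules for the Cry / CSTO ransomware behaviours above.

Added example for this thread, not BleepingComputer's or Threatpost's code.
Events are dicts in an assumed Sysmon-like shape; the sample set is constructed.
"""
import re
from collections import defaultdict

# Rule 1: shadow-copy deletion, the exact command quoted in the articles.
SHADOW_DELETE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows\b.*\s/all\b', re.IGNORECASE)
# Rule 2: logon-triggered scheduled task.  The articles say the task runs at every
# logon but not how it is created; schtasks /sc onlogon is an assumed creation path.
LOGON_TASK = re.compile(r'schtasks(\.exe)?"?\s+/create\b.*\s/sc\s+onlogon\b', re.IGNORECASE)
# Rule 3: one process reaching very many distinct UDP peers (Cry sprays 4096 addresses).
UDP_FANOUT_THRESHOLD = 1000   # assumed tuning value

RANSOMWARE = r"C:\Users\bob\AppData\Local\Temp\cstos.exe"   # constructed path

SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws01", "pid": 4130, "parent_image": RANSOMWARE,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"event": "process_create", "host": "ws01", "pid": 4144, "parent_image": RANSOMWARE,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f'schtasks /create /tn "Xk3q9vL" /tr "{RANSOMWARE}" /sc onlogon'},
    # Benign admin on another host listing shadow copies: must not fire.
    {"event": "process_create", "host": "ws02", "pid": 880,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
] + [
    # The ransomware process on ws01 sending its host profile to 1200 distinct addresses.
    {"event": "network_connect", "host": "ws01", "pid": 4120, "image": RANSOMWARE,
     "proto": "udp", "dst": f"10.{(i >> 8) & 255}.{i & 255}.1"}
    for i in range(1200)
] + [
    # Ordinary DNS from ws02: a handful of UDP packets to one resolver.
    {"event": "network_connect", "host": "ws02", "pid": 1204,
     "image": r"C:\Windows\System32\svchost.exe", "proto": "udp", "dst": "192.0.2.53"}
    for _ in range(20)
]


def detect(events):
    """Return {host: [finding, ...]} for hosts that trip any rule."""
    findings = defaultdict(list)
    udp_peers = defaultdict(set)        # (host, pid, image) -> distinct UDP destinations
    for ev in events:
        if ev["event"] == "process_create":
            cmd = ev.get("cmdline", "")
            parent = ev.get("parent_image", "?")
            if SHADOW_DELETE.search(cmd):
                findings[ev["host"]].append(f"shadow copies deleted, parent {parent}")
            if LOGON_TASK.search(cmd):
                findings[ev["host"]].append(f"logon-triggered task created, parent {parent}")
        elif ev["event"] == "network_connect" and ev.get("proto") == "udp":
            udp_peers[(ev["host"], ev["pid"], ev["image"])].add(ev["dst"])
    for (host, pid, image), peers in udp_peers.items():
        if len(peers) >= UDP_FANOUT_THRESHOLD:
            findings[host].append(f"udp fan-out: pid {pid} {image} reached {len(peers)} addresses")
    return dict(findings)


def hosts_with_multiple_hits(events, minimum=2):
    """Hosts where at least `minimum` independent rules fired; a short list for triage."""
    return sorted(h for h, hits in detect(events).items() if len(hits) >= minimum)


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(host, *hits, sep="\n  ")
```

The shadow-copy rule is the one worth alerting on by itself: legitimate software almost never deletes all shadow copies quietly, and the parent image it records is usually the sample the articles say was still hard to obtain. The fan-out rule is the noisy one and is best used, as `hosts_with_multiple_hits` does, to corroborate the other two.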

Endwall 09/08/2016 (Thu) 05:58:07 [Preview] No. 571 del
Information Security Newspaper
LuaBot Is the First Botnet Malware Coded in Lua Targeting Linux Platforms
Security Newspaper | September 6, 2016
LuaBot is the latest addition to the Linux malware scene. A trojan coded in Lua is targeting Linux platforms with the goal of adding them to a global botnet, security researcher MalwareMustDie! has reported today. For an operating system with a minuscule 2.11 percent market share, this is our third story on Linux malware in the past 24 hours, after previously reporting on the Mirai DDoS trojan and the Umbreon rootkit. LuaBot falls into the same category as Mirai because its primary purpose is to compromise Linux systems, IoT devices or web servers, and add them as bots inside a bigger botnet controlled by the attacker.

LuaBot most likely used for DDoS attacks

At the time of writing, this botnet’s purpose is currently unknown, but MalwareMustDie told Softpedia on Twitter that the code for launching packet floods (DDoS attacks) is there, only that he wasn’t able to confirm the functionality yet. At the moment, the LuaBot trojan is packed as an ELF binary that targets ARM platforms, usually found in embedded (IoT) devices. Based on his experience, this seems to be the first Lua-based malware family packed as an ELF binary spreading to Linux platforms. Unlike Mirai, which is the fruit of a two-year-long coding frenzy, LuaBot is in its early stages of development, with the first detection being reported only a week ago and a zero detection rate on VirusTotal for current samples. Since it’s only a one-week-old malware strain, details are scarce about its distribution and infection mechanism.

LuaBot author challenges security researchers

MalwareMustDie has managed to reverse-engineer some of the trojan’s code and discovered that the bot communicates with a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL. The researcher also found that LuaBot’s brazen developer left a message behind for all the infosec professionals trying to deconstruct his code. The message reads, “Hi. Happy reversing, you can mail me: [REDACTED .ru email address].” Additionally, MMD also discovered code labeled as “penetrate_sucuri,” alluding to features capable of skirting Sucuri’s infamous Web Application Firewall, a cyber-security product that has stopped many web threats in the past. MMD told Softpedia that “it seems the function is there […] coded with that purpose,” but the researcher later admitted that “I don’t know the Sucuri WAF much, so I can not test it.” Softpedia has reached out to Sucuri, and we’ll update the article if this function proves to be a successful firewall bypass or just an unfinished piece of code.

Endwall 09/14/2016 (Wed) 01:59:21 [Preview] No. 577 del
Hak 5
Steal Passwords from a Locked PC - Threat Wire - Duration: 4 minutes, 38 seconds.

Endwall 09/19/2016 (Mon) 01:42:01 [Preview] No. 583 del

Endwall 09/19/2016 (Mon) 01:44:15 [Preview] No. 584 del
Hak 5
MOSH: High Latency Alternative to SSH - Hak5 2103 - Duration: 18 minutes.

Endwall 09/23/2016 (Fri) 01:05:09 [Preview] No. 585 del
Hak 5
Snagging Creds From Locked Machines With a LAN turtle - Hak5 2104 - Duration: 24 minutes.

Tor Endwall 09/26/2016 (Mon) 03:59:00 [Preview] No. 588 del
Tor Project
Tor is released, with important fixes
Posted September 23rd, 2016 by nickm
Tor adds improved support for entities that want to make high-performance services available through the Tor .onion mechanism without themselves receiving anonymity as they host those services. It also tries harder to ensure that all steps on a circuit are using the strongest crypto possible, strengthens some TLS properties, and resolves several bugs -- including a pair of crash bugs from the 0.2.8 series. Anybody running an earlier version of 0.2.9.x should upgrade.

Tor is released, with important fixes
Posted September 23rd, 2016 by nickm
Tor fixes two crash bugs present in previous versions of the 0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users who select public relays as their bridges. You can download the source from the Tor website. Packages should be available over the next week or so.


Endwall 10/02/2016 (Sun) 05:32:02 [Preview] No. 591 del
US to Transfer Internet DNS Oversight After GOP Sabotage Effort Fails
Sam Gustin Correspondent * October 1, 2016 // 01:00 PM EST
The United States government moved to relinquish stewardship of key internet technical functions on Saturday, paving the way for a private, international non-profit group to assume oversight of the internet’s core naming directory. Tech policy experts say the historic transfer of US stewardship over the Domain Name System (DNS) to an independent group of global stakeholders will help ensure internet openness and freedom. The transition moved forward after a last-ditch Republican effort to sabotage the handover was rejected by a federal judge late Friday. The oversight transfer, which has been in the works for nearly two decades, is largely clerical in nature, and is unlikely to even be noticed by internet users. But that didn’t stop Republicans like Sen. Ted Cruz of Texas and presidential candidate Donald Trump from using scare-tactics to try to scuttle the plan for political gain. “This is a symbolic, but important step in preserving the stability and openness of the internet, which impacts free speech, our economy and our national security,” Ed Black, President & CEO of the Computer & Communications Industry Association, which represents companies like Google, Amazon, and Facebook, said in an emailed statement. Starting Saturday, stewardship of the Internet Assigned Numbers Authority (IANA) functions, including the DNS, which translates website names like vice.com into numeric internet protocol (IP) addresses, will be fully overseen by a Los Angeles-based nonprofit group of international stakeholders called the Internet Corporation for Assigned Names and Numbers (ICANN). On Wednesday, four Republican state attorneys general sued the Obama administration in Texas federal court in order to block the transition. In their lawsuit, the attorneys general for Arizona, Oklahoma, Nevada and Texas argued that the move would violate US law and imperil US national security—spurious claims that have been debunked by US officials and tech policy experts. 
Late Friday, Galveston, Texas federal judge George Hanks Jr. denied the state attorneys general's request for an injunction, clearing the way for the transition to move forward. On Saturday morning, the US government allowed its contract with ICANN to expire, which means that ICANN will now assume sole stewardship over key internet naming functions. Sen. Brian Schatz, the Democrat from Hawaii who serves as Ranking Member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet, said he was “glad the court found this lawsuit to be baseless, and appropriately threw it out.” “This decision is another clear sign that efforts from a fringe group to block the IANA transition are misguided and irresponsible,” Sen. Schatz said in a statement. “We can now keep our long-standing and public commitment to the global community to keep the internet open and free.” Republican arguments suggesting that the transition will undermine US interests by leading to a UN takeover of the internet are baseless, according to tech policy experts. In fact, the transition will help promote internet freedom by distributing stewardship of the global internet’s technical functions to a broad, international coalition of public and private stakeholders, ensuring that no single nation can undermine the key functions for everyone else. For more than a decade, ICANN managed the IANA functions under a contract with the Commerce Department’s National Telecommunications and Information Administration (NTIA). But the US has long made clear that it intended to relinquish oversight of the DNS oversight functions in order to facilitate “international participation” in internet governance.
Leading civil society and public interest groups supported the transition, including the Internet Society, Access Now, Public Knowledge, the Center for Democracy & Technology, and New America Foundation’s Open Technology Institute. These groups argued that the transition to a multi-stakeholder model will help prevent any one nation from exercising direct government control over the internet. For the last several weeks, Cruz and other Republicans, including Donald Trump, have been pushing false claims that the US is surrendering “control” of the internet to the UN, or perhaps more ominously, to “enemies” like Iran or China. Most tech policy experts reject those assertions because the internet is a decentralized, global “network of networks” that no single government can control. Authoritarian countries like Iran and China can and do censor the internet for their own citizens, but they have no power to exert similar repression over US consumers—and that won’t change after the governance transition, experts say. “No one country or entity controls the internet,” Assistant US Commerce Secretary and NTIA Chief Larry Strickling, who is overseeing the transition for the US government, testified before Congress last month. “The internet is a network of networks that operates with the cooperation of stakeholders around the world.” Lauren Weinstein, a veteran tech policy expert who was involved in developing the ARPANET, the precursor to the internet, blasted the last-minute efforts by Republicans to sow fear about the transition for political gain. “Anyone hearing the bizarre, false, politicized, last-ditch rants of the politicians who tried to block the transition could be excused for waking up Saturday morning and being stunned to discover that the transition took place as scheduled, and yet there was no related internet Armageddon,” Weinstein told Motherboard. “Nor will there be.”

Endwall 10/02/2016 (Sun) 06:43:19 [Preview] No. 592 del
Hak 5
InfoSec Journalist Censored by DDoS - Threat Wire - Duration: 6 minutes, 14 seconds.

Endwall 10/05/2016 (Wed) 06:30:32 [Preview] No. 595 del
Brian Krebs Attacked By Hackers: Largest DDoS Attack Against A Security Blogger
Posted by: Benjamin Vitáris October 3, 2016
Brian Krebs, a top security blogger who writes on the Krebs on Security blog, was recently hit by a massive DDoS attack. A giant botnet made up of things connected to the internet, such as lightbulbs, cameras, and thermostats, had launched the largest DDoS attack ever delivered with the use of IoT (internet of things) devices. The attack was so big that Akamai, the CDN (content delivery network) and cloud service provider of Krebs, has canceled the security blogger’s account. The reason for the cancellation was not that Akamai couldn’t mitigate the attack, but that they used so many resources for protection that it became rather expensive, according to Andy Ellis, the firm’s Chief Security Officer. The delivery network stopped protection for the Krebs on Security blog after 665 Gbps of traffic overwhelmed the security expert’s site on Tuesday. The attack’s size was almost double what Akamai had ever seen before. Ellis says it will take time to analyze and come up with more effective mitigation tools for this IoT botnet. The Akamai CSO added the attack was similar to the 2010 attacks of Anonymous where they used the open source, low-orbit ion cannon tool, or to the 2014 DDoS attacks launched from compromised Joomla and WordPress servers. According to Ellis, this is a lesson for companies to have a better system against DDoS attacks. The Krebs on Security attack is the work of a botnet made up of IoT devices, Ellis says. So many devices were used in the attack that the hacker didn’t even have to amplify the impact of the individual devices. “We’re still trying to size it,” Ellis said, estimating the number of IoT devices used in the attack at a million. “We think that might be an overestimate but it’s also possible that will be a real estimate once we get into the numbers.” According to Dave Lewis, a global security advocate for Akamai, with estimates of 21 billion IoT devices by 2020, the size of the botnets created for attacks could be massive.
“What if an attacker injects code into devices to create a Fitbit botnet?” Lewis said. “Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds so the possibility isn’t fantastic.” “It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks. There are indicators that there are IoT devices here, at scale.” Ellis says the attack didn’t use any reflection or amplification and it consisted of legitimate HTTP requests. Some things are still unknown, for example, who is behind the attack and what method they used to infect the devices. According to Ellis, Akamai had contacted other websites where they reported similar, but smaller attacks from the same botnet. Many of the sites were related to gaming, and Krebs wrote about such attacks so there could be a connection between them.

Endwall 10/05/2016 (Wed) 06:33:05 [Preview] No. 596 del
Soylent News
Systemd Crashing Bug
posted by CoolHand on Tuesday October 04, @08:46PM
mechanicjay writes: Security researcher and SSLMate founder Andrew Ayer has uncovered a bug which will either crash or make systemd unstable (depending on who you talk to) on pretty much every Linux distro. David Strauss posted a highly critical response to Ayer. In true pedantic nerd-fight fashion there is a bit of back and forth between them over the "true" severity of the issue and what not. Nerd fights aside, how you feel about this bug will probably largely depend on how you feel about systemd in general. The following command, when run as any user, will crash systemd:
NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""
After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system). All of this can be caused by a command that's short enough to fit in a Tweet. Edit (2016-09-28 21:34): Some people can only reproduce if they wrap the command in a while true loop. Yay non-determinism!

Endwall 10/05/2016 (Wed) 06:57:28 [Preview] No. 597 del
A zero day flaw in OpenJPEG JPEG 2000 could lead to arbitrary code execution
October 2, 2016 By Pierluigi Paganini
Cisco Talos Team disclosed a zero-day flaw affecting the JPEG 2000 image file format parser implemented in the OpenJPEG library.
Security experts at Cisco Talos group have discovered a serious vulnerability (TALOS-2016-0193/CVE-2016-8332) affecting the JPEG 2000 image file format parser implemented in the OpenJPEG library. An attacker could exploit the flaw to trigger heap corruption and execute arbitrary code on the target system. “This particular vulnerability could allow an out-of-bound heap write to occur, resulting in heap corruption and lead to arbitrary code execution. Talos has disclosed this vulnerability responsibly to the library maintainers to ensure a patch is available.” states the security advisory published by Talos. The experts successfully tested the JPEG 2000 image exploit on OpenJPEG openjp2 2.1.1. The security experts have ethically reported the security flaw to the library maintainers to ensure a patch is available. The flaw has a serious impact because the JPEG 2000 file format is commonly used for embedding images inside PDF documents. In order to exploit the vulnerability, an attacker has to trick victims into opening a file containing a specifically crafted JPEG 2000 image that triggers the flaw. A first attack scenario sees attackers sending an email to the targets; the malicious message will include a PDF document containing a specifically crafted JPEG 2000 image. Another is a hosted content scenario, where a user downloads a file from Google Drive or Dropbox: attackers could leverage cloud storage like Google Drive or Dropbox, where they host a specifically crafted JPEG 2000 image and then share the link to the picture. Experts from Talos have also released Snort Rules (40314-40315) that could help experts in detecting attempts to exploit the flaw. Cisco Talos group also announced that additional rules may be released at a future date, informing users that current rules are subject to change pending additional vulnerability information. Below is the timeline of the vulnerability.

Endwall 10/05/2016 (Wed) 06:59:06 [Preview] No. 598 del
DefecTor – Deanonymizing Tor users with the analysis of DNS traffic from Tor exit relays
October 2, 2016 By Pierluigi Paganini
Researchers devised two correlation attacks, dubbed DefecTor, to deanonymize Tor users using also data from the observation of DNS traffic from Tor exit relays.
Law enforcement and intelligence agencies dedicate an important commitment to the fight against illegal activities in the Dark Web, where threat actors operate in a condition of pseudo-anonymity. A group of security researchers at Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attack techniques to deanonymize Tor users. “While the use of Tor constitutes a significant privacy gain over off-the-shelf web browsers, it is no panacea, and the Tor Project is upfront about its limitations. These limitations are not news to the research community. It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries. We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network.” says Philipp Winter, a researcher at Princeton University who was involved in the research. The techniques were dubbed DefecTor by the researchers; they leverage the observation of the DNS traffic from Tor exit relays, and for this reason the methods could integrate existing attack strategies. “We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.” reads the analysis published by the researchers.
“Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.” The test results obtained with the DefecTor technique are excellent; anyway, we have to consider that such attacks require a significant effort, typically spent by persistent attackers like government bodies. The simulations of the attacks conducted by the researchers allowed them to identify the vast majority of the visitors to unpopular sites. The experts highlighted that Google operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network, a privileged point of observation for attackers. Google is also able to monitor some network traffic that is entering the Tor network; the experts reported as an example the traffic via Google Fiber or via guard relays that are occasionally running in Google’s cloud. “Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains. The experts also remark that DNS requests could be used to obtain other precious information about the traffic of Tor users, as they traverse autonomous systems and Internet exchanges. “there are entities on the Internet such as ISPs, autonomous systems, or Internet exchange points that can monitor some DNS traffic but not web traffic coming out of the Tor network and potentially use the DNS traffic to deanonymize Tor users.” says Winter.
“Past traffic correlation studies have focused on linking the TCP stream entering the Tor network to the one(s) exiting the network. We show that an adversary can also link the associated DNS traffic, which can be exposed to many more autonomous systems than the TCP stream.” The researchers also developed a tool, dubbed “DNS Delegation Path Traceroute” (dptr), that could be used to determine the DNS delegation path for a fully qualified domain name. The tool runs UDP traceroutes to all DNS servers on the path, which are then compared to a TCP traceroute to the web server behind the same fully qualified domain name. On the other side, experts from the Tor Project are already working on a series of significant improvements to the popular anonymizing network. In March the Tor Project revealed how the organization has conducted a three-year-long effort to improve its ability to detect fraudulent software. While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity in how exit relays resolve DNS domains. The experts invite the security community to review their paper; for further information visit the DefecTor project page.

Endwall 10/06/2016 (Thu) 04:34:57 [Preview] No. 599 del
Snowden 2.0: NSA contractor arrested for stealing malware - Duration: 86 seconds.

Endwall 10/06/2016 (Thu) 04:41:56 [Preview] No. 600 del
Hak 5
Emergency Texts Upgraded; Hackable? - Threat Wire - Duration: 6 minutes, 35 seconds.
DerbyCon 6.0 2016: Hacking Sex Toys - Hak5 2106 - Duration: 24 minutes.

Endwall 10/06/2016 (Thu) 04:46:02 [Preview] No. 601 del
BBC News
NSA government contractor stole classified files
A National Security Agency contractor has been arrested, accused of taking top secret information, officials say. Harold Thomas Martin III is charged with theft of government property and unauthorised removal of "highly classified" materials. The 51-year-old had a top secret national security clearance and faces 10 years in prison. Mr Martin's lawyer said there was no evidence he had betrayed the US, a country he very much loved. The Justice Department said he worked for Booz Allen Hamilton, the same contractor that employed NSA leaker Edward Snowden. Six of the documents found in Mr Martin's possession were classified as top secret, "meaning that unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security of the US", the Justice Department said. According to a warrant, Mr Martin was arrested two days after his Glen Burnie, Maryland, home, garage and vehicle were searched on 27 August this year. The FBI said Mr Martin at first denied taking the documents, but later admitted removing documents and digital files. James Wyda, Mr Martin's lawyer, told the Baltimore Sun his client has yet to be proven guilty of the charges. "There's no evidence that Hal Martin has betrayed his country," Mr Wyda said. "What we do know is that Hal Martin loves his family and his country. He served this nation honourably in the US Navy and he has devoted his entire life to protecting his country." Mr Martin faces up to 10 years in prison for the theft of government property, and up to one year for the removal of classified materials. The New York Times, which broke the story, said Mr Martin was suspected of taking the NSA's "source code" used to hack into the systems of Russia, China, Iran and North Korea. 
"A large percentage of the materials recovered from Martin's residence and vehicle bore markings indicating that they were property of the United States and contained highly classified information of the United States," FBI Special Agent Jeremy Bucalo wrote. "The disclosure of the documents would reveal those sensitive sources, methods, and capabilities." John Carlin, the Justice Department's top national security official, said the arrest underlined the threat posed by insiders.
Clearnet Link

Endwall 10/09/2016 (Sun) 00:37:58 [Preview] No. 603 del
Jupiter Broadcasting

The Foundation of NetBSD | BSD Now 162
This week on the show, we’ll be talking to Petra about the NetBSD foundation & how they operate and assist NetBSD behind the scenes. That plus lots of news about the pending 11.0-RELEASE of FreeBSD & more!
Open Source Botnet | TechSNAP 287

The Source code for a historic botnet has been released, the tale of a DNS packet & four ways to hack ATMs.

Endwall 10/12/2016 (Wed) 03:59:26 [Preview] No. 604 del
Hak 5
Signal App Subpoenaed by Government - Threat Wire - Duration: 6 minutes, 22 seconds.

Tor Endwall 10/18/2016 (Tue) 17:59:37 [Preview] No. 610 del
Tor is released, with important fixes
Posted October 17th, 2016 by nickm

Tor backports a fix for a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to Patches will be released for older versions of Tor.

You can download the source from the Tor website. Packages should be available over the next week or so.

Below is a list of changes since
Changes in version - 2016-10-17

Major features (security fixes, also in
Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
Minor features (geoip):
Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 Country database.

Tor Endwall 10/18/2016 (Tue) 18:01:15 [Preview] No. 611 del
Tor is released, with important fixes
Posted October 17th, 2016 by nickm

Tor fixes a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to Patches will be released for older versions of Tor.

Tor also adds numerous small features and fix-ups to previous versions of Tor, including the implementation of a feature to future-proof the Tor ecosystem against protocol changes, some bug fixes necessary for Tor Browser to use unix domain sockets correctly, and several portability improvements. We anticipate that this will be the last alpha in the Tor 0.2.9 series, and that the next release will be a release candidate.

You can download the source from the usual place on the website. Packages should be available over the next several days. Remember to check the signatures!

Please note: This is an alpha release. You should only try this one if you are interested in tracking Tor development, testing new features, making sure that Tor still builds on unusual platforms, or generally trying to hunt down bugs. If you want a stable experience, please stick to the stable releases.

Below are the changes since
Changes in version - 2016-10-17

Major features (security fixes):
Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
Major features (subprotocol versions):
Tor directory authorities now vote on a set of recommended subprotocol versions, and on a set of required subprotocol versions. Clients and relays that lack support for a _required_ subprotocol version will not start; those that lack support for a _recommended_ subprotocol version will warn the user to upgrade. Closes ticket 19958; implements part of proposal 264.
Tor now uses "subprotocol versions" to indicate compatibility. Previously, versions of Tor looked at the declared Tor version of a relay to tell whether they could use a given feature. Now, they should be able to rely on its declared subprotocol versions. This change allows compatible implementations of the Tor protocol(s) to exist without pretending to be 100% bug-compatible with particular releases of Tor itself. Closes ticket 19958; implements part of proposal 264.
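The bug class named in the changelog entries of this post and of the previous one (a buffer chunk handled as if it were a NUL-terminated C string) and the shape of the defense, as an added illustration in C that is not Tor's own buffers code: every chunk reserves one guard byte and keeps a NUL at data[datalen], so a stray string function stops at the end of valid data instead of reading into neighbouring heap memory, while correct readers still bound their scans by the recorded length. The chunk_t layout and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative chunk: an explicit length plus a payload buffer. The invariant
 * this example maintains is data[datalen] == '\0' at all times. (Assumed
 * layout for the example, not Tor's struct.) */
typedef struct chunk_t {
    size_t datalen;   /* bytes of payload actually present */
    size_t memlen;    /* payload capacity, not counting the guard NUL */
    char *data;       /* payload; data[datalen] is always '\0' */
} chunk_t;

/* Defense: allocate capacity + 1 and write the guard NUL immediately. */
chunk_t *chunk_new(size_t capacity) {
    chunk_t *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->data = malloc(capacity + 1);
    if (!c->data) { free(c); return NULL; }
    c->datalen = 0;
    c->memlen = capacity;
    c->data[0] = '\0';
    return c;
}

void chunk_free(chunk_t *c) {
    if (c) { free(c->data); free(c); }
}

/* Append up to len bytes; returns the number actually copied. The guard NUL
 * is rewritten after every append, so the invariant survives partial copies. */
size_t chunk_append(chunk_t *c, const char *src, size_t len) {
    size_t room = c->memlen - c->datalen;
    if (len > room) len = room;
    memcpy(c->data + c->datalen, src, len);
    c->datalen += len;
    c->data[c->datalen] = '\0';
    return len;
}

/* Correct reader: bound the search by datalen, never by strlen. Embedded NUL
 * bytes in the payload are handled properly. Returns offset or -1. */
long chunk_find_newline(const chunk_t *c) {
    const char *p = memchr(c->data, '\n', c->datalen);
    return p ? (long)(p - c->data) : -1;
}

/* A reader written the buggy way, with a string function. Without the guard
 * NUL this would scan past the chunk; with it, the scan stops at datalen.
 * It still misbehaves on an embedded NUL, which is why the changelog says
 * such bugs "can't crash Tor, though we should still fix them". */
long chunk_find_newline_legacy(const chunk_t *c) {
    const char *p = strchr(c->data, '\n');
    return p ? (long)(p - c->data) : -1;
}

/* Invariant check a unit test or debug assertion could run on any chunk:
 * length within capacity, guard NUL present, and a strlen-style scan can
 * never run further than datalen. Returns 1 when the chunk is well-formed. */
int chunk_check(const chunk_t *c) {
    return c->datalen <= c->memlen
        && c->data[c->datalen] == '\0'
        && strlen(c->data) <= c->datalen;
}

int main(void) {
    /* Constructed sample payload: a request line with CRLF, no embedded NUL. */
    chunk_t *c = chunk_new(16);
    if (!c) return 1;
    chunk_append(c, "GET / HTTP/1.0\r\n", 16);
    printf("bounded: %ld  legacy: %ld  invariant: %d\n",
           chunk_find_newline(c), chunk_find_newline_legacy(c), chunk_check(c));
    chunk_free(c);
    return 0;
}
```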

Anonymous 10/18/2016 (Tue) 18:05:57 [Preview] No. 613 del
Hello faget :^)
endchan is a bad replacement for RSS; it's a lot better to get news like that directly from their RSS.

Bugfixes, nice.

Endwall 10/21/2016 (Fri) 05:26:18 [Preview] No. 617 del
This pdf file is an index of http hyperlinks to wikileaks documents. If you click on the links in the pdf it will open up your web-browser and navigate there in plain text (clearnet) deanonymizing you as a user of this website (Endchan). A website based version of this index would be a better idea, then you could browse it behind tor, I'm sure wikileaks has a search engine on their website. I didn't post this but download and use at your own discretion.

If you do so, use safedown.sh, safemode.sh, pdfclean.sh to build good habits when dealing with strange pdfs from the internet, view with firejail with no internet protocols.

Endwall 10/21/2016 (Fri) 05:39:53 [Preview] No. 618 del
Blockchain Technology May Be Borrowed By DARPA To Secure Military Networks
Posted by: DeepDotWeb October 20, 2016
Blockchain, the technology that underlies digital cryptocurrencies such as Bitcoin, has acquired a different identity. According to Steve Norton’s article “CIO Explainer: What Is Blockchain?” published in the Wall Street Journal, he explains how the technology is emerging as an alternative way for companies to instantaneously make and verify their network transactions. A considerable number of firms are experimenting with Blockchain technology for different purposes. The Defense Advanced Research Projects Agency (DARPA) is studying the possible implementation of the Blockchain technology as a way of securing sensitive military systems; which could also help in ensuring the safe storage of nuclear weapons. The Blockchain technology provides a number of benefits which are the main reasons why it has caused a stir in the technology as well as the business world. Its major benefit is security. Blockchain allows the universal recording of all transactions taking place into “blocks,” which are then chronologically and cryptographically bound together into a “chain.” The security advantage also arises from the one-way nature of the blockchain encryption process which prevents the ledgers from being tampered with. In the case of Bitcoin, it makes sure that all Bitcoins sent from wallet to wallet can be accounted for and tracked. The transaction ledgers are stored in multiple locations. This distributed nature makes hacking more difficult, unlike when a centralized ledger is used. It makes data secure by making it almost impossible to hide activity by modifying the data since there are multiple copies of the database on different computers across the network. According to Timothy Booher, the leader of DARPA’s Blockchain implementation efforts, Blockchain makes it difficult to modify or steal system files. 
Using the analogy of castle defense, he explains that despite the implementation of more and more security policies and measures, hackers can still find a way in; much like people can still get into a castle despite efforts to build high walls and seal cracks. It’s important to know who got in and what activities they carried out while inside. With Blockchain technology, this type of information is securely logged and cannot be altered. The technology can help avoid instances where agencies are not even aware they have been hacked until it’s too late to stop their private data from being made public. Progress has so far been made in DARPA’s efforts, with formal verification being carried out. A computer security firm was contracted by DARPA to test a Blockchain implementation which was provided by a different contractor. This process is carried out to make sure that the technology implemented works as intended. Depending on the findings of the verification, DARPA may implement Blockchain to monitor information integrity in military systems that require high security, such as the nuclear weapon and satellite surveillance control systems. Such an implementation would enhance security by making it extremely difficult to alter information. It would also make it possible to easily and accurately detect any access or change to any file by providing an immutable record. Even though bitcoin has previously had some problems and its ability to gain universal acceptance as a substitute for regular money is questioned, the blockchain technology might just change the world, as reported by Extreme Tech.

Anonymous 10/21/2016 (Fri) 05:47:02 [Preview] No. 619 del

Endwall 10/23/2016 (Sun) 18:18:05 [Preview] No. 623 del
How to install LibertyBSD or OpenBSD on a libreboot system

Endwall 10/25/2016 (Tue) 06:31:42 [Preview] No. 628 del
Tor’s Biggest Threat – Correlation Attack
Posted by Filip Jelic October 25, 2016
Throughout the years of Tor existence many users lost their anonymity. I’m going to explain a technique called “Correlation Attack” that government agencies used in the past for that purpose. These include exploiting human errors as well as highly sophisticated mathematical methods exploiting software flaws. This attack has been around since Tor widespread usage began and it seems like it isn’t going anywhere in the recent future. An attacker controlling the first and last router in a Tor circuit can use timing and data properties to correlate streams observed at those routers and therefore break Tor’s anonymity.
No simple patch can prevent this method, because it isn’t exploiting any bug but rather uses math (probability and statistics) and attacks the logic of the Tor network. With that said, there are ways to make this task much more difficult, but they are usually rejected to preserve low latency.

Some attacks are not even against software, but against users. For example, if a dark market admin shared some information about himself such as state, age and/or past criminal activities, it becomes feasible for government agencies to monitor all possible suspects’ internet activity and try to see which one connects to the Tor network at the same time the admin comes online.

The previous example was easy; let’s analyze a case where targets are smarter and disclose zero information about themselves. The idea is to control a sizeable portion of Tor relays and, hopefully, as many guards (the 1st relay, which knows your IP address) and exit relays (those that connect to the server) as possible. It’s already clear that this attack needs good sponsorship and is mostly done by government agencies. The reason is that Tor counts over 7000 relays and over 2 million daily users. Since Tor employs a volunteer resource model, anyone is encouraged to start any number of relays to help the Tor network. One who controls a sizeable portion of relays has a chance of “serving” as guard and end relay for the same user. It’s only a matter of time until you start using a compromised circuit. The attacker uses automatic packet analysis on both relays to calculate a correlation coefficient. The most useful variables are timing, packet size and frequency. Although this information gives the attacker a pretty good idea which website you are visiting, because of the huge size of the Tor network there are many false positives. The exact percentage of these conclusions varies greatly with what kind of traffic you are making.

For example, the easiest target is one that is downloading some files, because there are many sizeable packets to compare. One that is simply browsing a website is doing the same as thousands of other users, and the chance of false positives increases. According to this paper, 80% of users can be deanonymized in the period of six months by realistic adversaries. This is no proof in court because of possible false positives (ranging from 5-10% depending on the correlation algorithm), but it provides enough suspicion to start further monitoring. It’s very likely that the Carnegie Mellon University attack on the Tor network was indeed a correlation attack. The information about Tor users was then sold to the FBI for $1 million. At the time (early 2014), Tor relays could easily confirm their suspicion by adding an arbitrary value to the packet and checking for it on the other end to reach the level of certainty. This was quickly patched, but the correlation attack is still not prevented. This attack was a pitfall for many websites and their users, including Silk Road 2.0 and 2 child porn sites. The good thing is that Tor contributors are well aware of this attack. The Tor Project is already working on techniques that make website fingerprinting attacks less effective.

You shouldn’t be concerned about these attacks if you’re using a trusted VPN to connect to the Tor network, because this attack won’t yield your IP address, but the one belonging to a proxy server. Be aware that all VPNs must obey the laws of the country they reside in, and most countries require all ISPs (including VPNs) to keep a log of all users’ activity for a period of time (usually around 2 years) and provide that information if a court issues a warrant. Even if a VPN resides in a country that has no such laws, it might be selling your information. Thankfully, deepdotweb offers great advice on choosing the right VPN. Before you comment “VPN + Tor sucks”, read what Tor developers have to say on this topic.

Using a VPN has both benefits and downsides; I recommended using a VPN because it saves you from this particular attack. My opinion is that the quality of the VPN is all that matters. If they log your data, they will only make government agencies wait for a warrant. They’ll sell it to everyone that offers some money too. On the other hand, a no-log VPN can be invaluable.

P.S. I believe all VPNs keep logs – why wouldn’t they? You can’t know it anyway. And I can’t persuade myself that they would refuse money for my identity either. At least some VPNs don’t have to give up our identity to law enforcement agencies, which is nice.
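
To put the “only a matter of time” claim into numbers, here is an added example (not part of the post above) that models the chance of landing on a circuit whose guard and exit are both run by the same adversary, and shows why Tor’s fixed-guard design caps that exposure. It assumes the adversary holds a fraction g of guard selection weight and e of exit selection weight, chosen independently, and that a client builds a fresh circuit about every 10 minutes; the 10% figures are constructed for illustration.

```python
"""Risk model for the guard+exit correlation exposure described above.

Added example; not code from the original post.  Assumes an adversary
controls a fraction `g` of guard selection weight and `e` of exit selection
weight, that the two are independent, and that every circuit picks a fresh
exit.  All numeric inputs are constructed for illustration.
"""

# Assumption: Tor retires a circuit after roughly 10 minutes of use,
# so a busy client builds about this many circuits per day.
CIRCUITS_PER_DAY = 24 * 6


def p_compromised_no_guard_pinning(g: float, e: float, circuits: int) -> float:
    """P(at least one of `circuits` circuits has an adversary guard AND exit)
    when the guard is re-chosen for every circuit.  Each circuit is an
    independent trial with success probability g*e, so exposure grows
    towards 1: this is the "only a matter of time" case."""
    return 1.0 - (1.0 - g * e) ** circuits


def p_compromised_with_guard_pinning(g: float, e: float, circuits: int) -> float:
    """Same question when the client keeps one guard for the whole period
    (Tor's actual design).  The guard is compromised with probability g,
    once; only then does each circuit's exit choice matter.  The result is
    therefore capped at g no matter how many circuits are built."""
    return g * (1.0 - (1.0 - e) ** circuits)


def circuits_until(g: float, e: float, target: float, pinned: bool,
                   limit: int = 10**7):
    """Smallest circuit count at which the compromise probability reaches
    `target`, or None if it never does within `limit` circuits.  Both models
    are monotone in the circuit count, so a binary search suffices."""
    f = p_compromised_with_guard_pinning if pinned else p_compromised_no_guard_pinning
    if f(g, e, limit) < target:
        return None
    lo, hi = 0, limit
    while lo < hi:
        mid = (lo + hi) // 2
        if f(g, e, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def days_until(g: float, e: float, target: float, pinned: bool):
    """Same threshold expressed in days of continuous use."""
    n = circuits_until(g, e, target, pinned)
    return None if n is None else n / CIRCUITS_PER_DAY


if __name__ == "__main__":
    g = e = 0.10  # constructed: adversary holds 10% of guard and exit weight
    for days in (1, 30, 180):
        n = days * CIRCUITS_PER_DAY
        print(f"{days:4d} days: no pinning {p_compromised_no_guard_pinning(g, e, n):.3f}"
              f"  pinned guard {p_compromised_with_guard_pinning(g, e, n):.3f}")
    print("circuits to reach 50% without pinning:", circuits_until(g, e, 0.5, False))
    print("circuits to reach 50% with pinning:   ", circuits_until(g, e, 0.5, True))
```

With a re-chosen guard the 50% mark is passed after 69 circuits (well under a day at 10 minutes each); with a pinned guard the probability never exceeds 10%, which is the whole point of guards.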

Endwall 10/26/2016 (Wed) 03:54:59 [Preview] No. 630 del
Hak 5
IoT DDoS on DynDNS Takes Down the Internet!? - Threat Wire - Duration: 6 minutes, 14 seconds.
https://youtube.com/watch?v=z6HHLEVJgkE [Embed]

Endwall 10/29/2016 (Sat) 07:47:51 [Preview] No. 632 del
Hak 5

Hardware Hacking with Samy Kamkar - Hak5 2109 - Duration: 28 minutes.
https://youtube.com/watch?v=kqaIL_XJjSI [Embed]

Endwall 10/30/2016 (Sun) 02:57:57 [Preview] No. 636 del
CYBERWAR (New Season Starts Oct 25) - Duration: 61 seconds
https://youtube.com/watch?v=Rf5BucTo5bI [Embed]

The Zero Day Market: CYBERWAR (Full Episode) - Duration: 22 minutes.
https://youtube.com/watch?v=UPXctbdBth0 [Embed]

Anonymous vs. ISIS: CYBERWAR (Trailer) - Duration: 31 seconds.
https://youtube.com/watch?v=RTyV94gCz6s [Embed]

Endwall 11/02/2016 (Wed) 01:56:02 [Preview] No. 640 del
Hak 5
Are Hacker Counterattacks Legal? - Threat Wire - Duration: 6 minutes, 4 seconds.
https://youtube.com/watch?v=3An7w9RGcQk [Embed]

Endwall 11/02/2016 (Wed) 02:10:42 [Preview] No. 642 del
Ars Technica
“Most serious” Linux privilege-escalation bug ever is under active exploit (updated) Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.
Dan Goodin - Oct 20, 2016 8:20 pm UTC
A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

As their names describe, privilege-escalation or privilege-elevation vulnerabilities allow attackers with only limited access to a targeted computer to gain much greater control. The exploits can be used against Web hosting providers that provide shell access, so that one customer can attack other customers or even service administrators. Privilege-escalation exploits can also be combined with attacks that target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit, however, such attacks can often achieve highly coveted root status.

The in-the-wild attacks exploiting this specific vulnerability were found by Linux developer Phil Oester, according to an informational site dedicated to the vulnerability. It says Oester found the exploit using an HTTP packet capture, but the site doesn't elaborate.

Update: In e-mails received about nine hours after this post went live, Oester wrote:

"Any user can become root in < 5 seconds in my testing, very reliably. Scary stuff. The vulnerability is easiest exploited with local access to a system such as shell accounts. Less trivially, any web server/application vulnerability which allows the attacker to upload a file to the impacted system and execute it also works. The particular exploit which was uploaded to my system was compiled with GCC 4.8.5 released 20150623, though this should not imply that the vulnerability was not available earlier than that date given its longevity. As to who is being targeted, anyone running Linux on a web facing server is vulnerable. For the past few years, I have been capturing all inbound traffic to my webservers for forensic analysis. This practice has proved invaluable on numerous occasions, and I would recommend it to all admins. In this case, I was able to extract the uploaded binary from those captures to analyze its behavior, and escalate to the appropriate Linux kernel maintainers."

The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

Disclosure of the nine-year-old vulnerability came the same week that Google researcher Kees Cook published research showing that the average lifetime of a Linux bug is five years. "The systems using a Linux kernel are right now running with security flaws," Cook wrote. "Those flaws are just not known to the developers yet, but they’re likely known to attackers."

Endwall 11/05/2016 (Sat) 06:07:56 [Preview] No. 654 del
Secure Or Not (DIGITS) - Edward Snowden - Duration: 0:40.
https://youtube.com/watch?v=s488jRN5R68 [Embed]

Endwall 11/05/2016 (Sat) 06:15:32 [Preview] No. 655 del
Windows 0-day Exploited in the Wild
Posted by: Filip Jelic November 4, 2016

Google’s Threat Analysis Group found a zero-day vulnerability, CVE-2016-7855, notified Adobe and Microsoft on October 21st and released it after a short period. This is yet another zero-day regarding Flash software on Windows. Adobe patched it on October 26th, while Microsoft said the Windows patch will be ready on November 8th. The vulnerability was publicly disclosed on October 31st, which means there is still a window of one week in which Windows users are vulnerable. Google stated that it was already being exploited in the wild, which is why they published it. Affected systems are Windows Vista and newer. All users are advised to update their Flash and browser software, and Windows as soon as the patch arrives. According to this document by Google, Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability. Also, Microsoft published that its users are safe on Windows 10 and the Microsoft Edge browser.

What you need to know to understand this vulnerability

When you watch a video in your browser, it is viewed in a sandbox environment. It enables security restrictions for iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing actions that can lead to potentially malicious behavior. Sandboxes usually restrict calls to system functions that are not needed by non-malicious files.

A system call is the programmatic way in which a program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system. System calls can be roughly grouped into five major categories:
1. Process Control – create, execute, terminate, get/set attributes.
2. File management – create, delete, open, close, read, write, get/set attributes.
3. Device Management – request, detach device, get/set attributes.
4. Information Maintenance – get/set time, date, control system data.
5. Communication – create/cancel connection, send and receive messages etc.

On Windows, system calls are broadly split into two main types, implemented by two separate subsystems in the kernel. First, there are the NT calls, which are implemented by ntoskrnl.exe; then there are the win32k calls, which are implemented by Win32k.sys. Win32k calls tend to be associated with the graphics subsystem (which runs in the kernel on Windows, for performance and historical reasons), while ntoskrnl calls are more for the Windows NT API, e.g. file access, network, POSIX. On Windows, there is no fine-grained system call filtering, but each system call is responsible for verifying the access token of the caller that allows the call to be made.

The Vulnerability

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. The previous paragraph is all the internet news says, so I decided to take a deeper look...

Endwall 11/05/2016 (Sat) 06:26:28 [Preview] No. 656 del
Hak 5
How to Get a Reverse Shell in 3 Seconds with the USB Rubber Ducky - Hak5 2110 - Duration: 22 minutes.
https://youtube.com/watch?v=M6bhXx75RMs [Embed]

Endwall 11/05/2016 (Sat) 07:27:04 [Preview] No. 657 del
Jacob Appelbaum's Insider Talk : Drones, No Privacy & Surveillance F**king Massive! - Duration: 46:04.
https://youtube.com/watch?v=6uDbr07yA8s [Embed]

Endwall 11/05/2016 (Sat) 22:36:14 [Preview] No. 658 del
Secret World of US Election: Julian Assange talks to John Pilger (FULL INTERVIEW) - Duration: 24 minutes.
https://youtube.com/watch?v=_sbT3_9dJY4 [Embed]
Cyber sabotage? US govt hackers reportedly penetrate Russian infrastructure - Duration: 7 minutes, 24 seconds.
https://youtube.com/watch?v=tMfpsSaTGvM [Embed]
Million Mask March 2016: Anonymous readies for global day of action - Duration: 2 minutes, 30 seconds.
https://youtube.com/watch?v=ZmrM9UcwkD0 [Embed]
Assange busts ‘Russian spy’ myth in exclusive interview about leaks - Duration: 2 minutes, 51 seconds.
https://youtube.com/watch?v=hPYlmDv10Cg [Embed]
Fears of chaos as hundreds join Million Mask March in London - Duration: 2 minutes, 59 seconds.
https://youtube.com/watch?v=07jt7B8oXf8 [Embed]

Endwall 11/05/2016 (Sat) 22:43:11 [Preview] No. 659 del
How Anti-ISIS Hacktivists Are Helping the Government: CYBERWAR (Clip) - Duration: 4 minutes, 51 seconds.
https://youtube.com/watch?v=ylZcsv86Uiw [Embed]
An Interview with Discordian of Anonymous: CYBERWAR (Clip) - Duration: 2 minutes, 38 seconds.
https://youtube.com/watch?v=GGBt2k7Nohg [Embed]
The Ashley Madison Hack: CYBERWAR (Trailer) - Duration: 31 seconds.
https://youtube.com/watch?v=SSi71_hq0uE [Embed]

Endwall 11/09/2016 (Wed) 06:59:03 [Preview] No. 670 del
Hak 5
Hacking Cars, Legally! - Threat Wire - Duration: 6 minutes, 51 seconds.
https://youtube.com/watch?v=SJhxQg28bL8 [Embed]

Endwall 11/13/2016 (Sun) 23:31:16 [Preview] No. 675 del
Hak 5
How to Tether Without The Fees - Hak5 2111 - Duration: 43 minutes.
https://youtube.com/watch?v=07C1Ds8Nuqo [Embed]

Endwall 11/16/2016 (Wed) 04:31:16 [Preview] No. 676 del
Hak 5
A New Era of Security and Privacy? - Threat Wire - Duration: 7 minutes, 13 seconds.
https://youtube.com/watch?v=W60Bp5hSC2w [Embed]

Edward Snowden Endwall 11/19/2016 (Sat) 00:20:10 [Preview] No. 677 del
Snowden: Fear of terrorism used as ‘legislative magic wand’ for surveillance (streamed live) - Duration: 43 minutes.
https://youtube.com/watch?v=s3CgyOYt9fc [Embed]

Endwall 11/19/2016 (Sat) 00:22:02 [Preview] No. 678 del
Hak 5
Stealing Files with the USB Rubber Ducky - Hak5 2112 - Duration: 30 minutes.
https://youtube.com/watch?v=48viMtzQ4rE [Embed]

Endwall 11/20/2016 (Sun) 21:18:59 [Preview] No. 680 del
Israel: Cyber Nation - CYBERWAR (Trailer) - Duration: 31 seconds.
https://youtube.com/watch?v=6p12x0VrouA [Embed]

The Only Reporter to Interview the Ashley Madison Hackers: CYBERWAR (Clip) - Duration: 3 minutes, 8 seconds.
https://youtube.com/watch?v=D3PYN7eAFco [Embed]

Endwall 11/22/2016 (Tue) 18:03:42 [Preview] No. 683 del
Hak 5
Stealing Cookies From Sleeping PCs, iCloud Call History, Android Updates Unencrypted - Threat Wire - Duration: 5 minutes, 21 seconds.
https://youtube.com/watch?v=OFnr8MWTM9w [Embed]

Endwall 11/24/2016 (Thu) 04:25:58 [Preview] No. 684 del
Stealing Files with the USB Rubber Ducky Pt 2 - Hak5 2113 - Duration: 33 minutes.
https://youtube.com/watch?v=qzRTpG8TVK4 [Embed]

Endwall 11/26/2016 (Sat) 03:05:21 [Preview] No. 685 del
RT America
Mysterious NYC skyscraper owned by AT&T nerve center of NSA mass surveillance programs - Duration: 5 minutes, 24 seconds.
https://youtube.com/watch?v=BtSSHgVOunU [Embed]

Endwall 11/26/2016 (Sat) 03:09:47 [Preview] No. 686 del
Jupiter Broadcasting
Scheduling your NetBSD | BSD Now 169
We’re loaded and ready to go. Lots of OpenBSD news, a look at LetsEncrypt usage, the NetBSD scheduler & much more! Keep it tuned to your place to B…SD!


Turkey.deb | TechSNAP 294
The Debian packaging flaw that exposes your server, we go over the state of the Internet… report that is & hacking 27% of the web.


Endwall 11/26/2016 (Sat) 05:35:02 [Preview] No. 687 del
An Israeli High School That Trains Future Cyber Warriors: CYBERWAR (Clip) - Duration: 3 minutes, 38 seconds.
https://youtube.com/watch?v=mZjljfgMNyE [Embed]

Talking to a Former Member of Israel's Cyber Spy Agency: CYBERWAR (Clip) - Duration: 2 minutes, 17 seconds.
https://youtube.com/watch?v=gfKkLPF-Woo [Embed]

Endwall 11/26/2016 (Sat) 05:39:39 [Preview] No. 688 del
Lights Out In Ukraine: CYBERWAR (Trailer) - Duration: 31 seconds.
https://youtube.com/watch?v=SUqzIbkIupY [Embed]

Endwall 11/27/2016 (Sun) 06:15:08 [Preview] No. 691 del
US Army Prepares Bug Bounty Program, Asks Hackers to Find Cybersecurity Exploits
Posted by: C. Aliens November 27, 2016

Eric Fanning, Secretary of the Army, announced plans to set up a bug bounty. The US Army, according to the press release, partnered up with HackerOne to have eligible hackers find exploits in the Army’s cybersecurity systems. HackerOne is a “vulnerability coordination and bug bounty platform” that previously partnered with the Department of Defense for the widely successful “Hack the Pentagon.” According to HackerOne, “Hack the Pentagon” participants revealed 138 vulnerabilities in 24 days. The US Army’s program will be similar in structure. Following the initial hacking run, the Department of Defense will begin to expand these programs to other essential departments. The US Army is the first of these “bold” challenges, a HackerOne spokesperson published in a press release. So far, HackerOne has worked and had success with the following companies: Uber, Twitter, New Relic, General Motors, Github, CloudFlare, Kaspersky Labs, Panasonic Avionics, Snapchat, Zenefits—and the Department of Defense. The Secretary of Defense, Ash Carter, has been quintessential in terms of promoting this level of interaction with the private sector. Carter spoke about the usefulness of the “Hack the Pentagon” program:

“By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them. The (program) showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.”

The push for this type of initiative has not been from Carter alone. After the successfulness of the DoD’s first run, the idea took off. Greg Touhill, U.S. Chief Information Security Officer, stated, “Frankly, if I had it my way, we would do a bug bounty across .gov and the program office in charge of the source code would reimburse the bug bounty pool once a bug is discovered.” Fanning said that these hackers would, in essence, provide an external view of the Army’s cybersecurity systems. The Army’s own cybersecurity staff know what the systems look like from the inside, but skilled hackers could provide insight from an attacker’s perspective. The full details have not been released yet and the US Army has not made a full public announcement through a platform of their own. However, the HackerOne press release mentioned that only “eligible hackers will be able to try to exploit the Army’s systems.” We can expect this event to very closely mirror the previous Pentagon one. Participants had to be vetted and pass a mandatory background check before taking part in the program. In the partnership announcement, HackerOne said that the full details would be available soon. If one would like to “Hack the Army,” they recommended checking the HackerOne Twitter account: @hacker0x01.

Endwall 12/04/2016 (Sun) 04:58:29 [Preview] No. 703 del
Crime & Government: Russia's Hackers - CYBERWAR (Trailer) - Duration: 31 seconds.
https://youtube.com/watch?v=QbpRxq25XVM [Embed]
Did Russia Hack Ukraine's Electrical Grid?: CYBERWAR (Clip) - Duration: 4 minutes, 27 seconds.
https://youtube.com/watch?v=KtmItYMJlFo [Embed]

Endwall 12/04/2016 (Sun) 05:01:45 [Preview] No. 704 del
‘Googligan’ Hackers score largest theft of Google accounts - Duration: 4 minutes, 5 seconds.
https://youtube.com/watch?v=keIJq2sLKuc [Embed]

FBI gets new hacking powers - Duration: 2 minutes, 29 seconds.
https://youtube.com/watch?v=9j9oU_VqztU [Embed]

Snoopers Charter: ISPs in Britain required to keep a record of users’ browsing history - Duration: 2 minutes
https://youtube.com/watch?v=sUVy920C7TY [Embed]

Endwall 12/04/2016 (Sun) 05:03:45 [Preview] No. 705 del
WikiLeaks reveals secret collaboration between US and German intelligence agencies - Duration: 91 seconds.
https://youtube.com/watch?v=D76AIoHLgY8 [Embed]

Julian Assange Is Finally Questioned Over Rape Allegations: VICE News Tonight (Full Segment) - Duration: 105 seconds.
https://youtube.com/watch?v=xW-U-7mAT0c [Embed]

Endwall 12/09/2016 (Fri) 23:59:16 [Preview] No. 714 del
Hak 5
Stealing Files with the USB Rubber Ducky Pt 3 - Hak5 2114 - Duration: 35 minutes.
https://youtube.com/watch?v=z5UUTUmGQlY [Embed]

SF Muni Hacker Gets Hacked, Avalanche Goes Offline, AirDroid is Vulnerable - Threat Wire - Duration: 5 minutes, 55 seconds.
https://youtube.com/watch?v=doyK1FD232o [Embed]

Links 2.14 Endwall 12/12/2016 (Mon) 03:13:03 [Preview] No. 718 del
Links 2.14
Nov 26 2016

Current version is 2.14. See ChangeLog

Thu Nov 3 19:45:34 CET 2016 mikulas:
Enable DECC$EFS_CHARSET on OpenVMS, so that we can browse files and directories with extended names
Wed Nov 2 20:35:31 CET 2016 mikulas:
Limit keepalive of ciphers with 64-bit block size to mitigate the SWEET32 attack
Wed Nov 2 19:14:33 CET 2016 mikulas:
Disable SSL compression to avoid the CRIME attack

Edited last time by Endwall on 12/12/2016 (Mon) 03:16:29.
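
The two TLS-related changelog entries above (SWEET32 and CRIME) map directly onto settings any TLS client exposes. As an added example, not code from the Links project, here is a Python ssl context configured in the same spirit, plus a small audit that reports whether a context still offers 64-bit-block ciphers or allows compression. Where Links shortens the keepalive of 64-bit-block ciphers, this context removes them from the offer entirely; the cipher-name fragments are assumptions about how OpenSSL names its suites on the host.

```python
"""Hardened TLS client context mirroring the two Links 2.14 changes above.

Added example; not code from the Links project.  Drops every cipher suite
with a 64-bit block (SWEET32) and refuses TLS-level compression (CRIME),
then audits a context for both properties.
"""
import ssl

# Fragments of OpenSSL suite names that denote a 64-bit-block cipher:
# single DES, 3DES ("DES-CBC3"), IDEA, RC2.  "AES" does not contain "DES",
# so AES suites are not flagged.  (Assumed naming; check with `openssl ciphers`.)
BLOCK64_FRAGMENTS = ("DES", "IDEA", "RC2")


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    # CRIME: compressing attacker-influenced plaintext leaks secrets through
    # record length.  CPython already sets this flag; made explicit here.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # SWEET32: a 64-bit block cipher hits the birthday bound after ~2^32
    # blocks on one long-lived connection.  Remove such suites outright.
    ctx.set_ciphers("DEFAULT:!DES:!3DES:!IDEA:!RC2:!aNULL:!eNULL")
    return ctx


def weak_block_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of 64-bit-block suites the context would still offer."""
    return sorted({c["name"] for c in ctx.get_ciphers()
                   if any(frag in c["name"] for frag in BLOCK64_FRAGMENTS)})


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def audit(ctx: ssl.SSLContext) -> dict:
    """Summary a deployment check can assert on."""
    return {"weak_block_ciphers": weak_block_ciphers(ctx),
            "compression_disabled": compression_disabled(ctx)}


if __name__ == "__main__":
    print("default :", audit(ssl.create_default_context()))
    print("hardened:", audit(hardened_client_context()))
```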

Anonymous 12/12/2016 (Mon) 05:46:34 [Preview] No. 719 del
Firefox Zero-Day Can Be Used To Deanonymize Tor Users
Posted by: Benjamin Vitáris December 11, 2016
Recently, a Firefox zero-day was being used to target Tor users. Experts say the code is nearly identical to what the Federal Bureau of Investigation used in their hack against Tor users in 2013. However, on the same day the exploit came out, the Tor Project and Mozilla published browser updates that fixed the issues within the software. The Tor Project was notified about the zero-day by a user who posted the exploit code to the Tor mailing list from a Sigaint dark net email address. “This is a JavaScript exploit actively used against Tor Browser NOW,” the anonymous user wrote. Shortly after the user posted the exploit code, Roger Dingledine, co-founder of the Tor Project Team, confirmed the fact and said the Firefox team had been notified. He also added that Firefox found the bug and is working on a patch. On November 28, Mozilla had to update its browser for a different critical vulnerability.

Several researchers started analyzing the zero-day exploit. Among the experts was Dan Guido, CEO of TrailofBits, who posted on Twitter that the zero-day exploit is “a garden-variety use-after-free, not a heap overflow” and it’s “not an advanced exploit.” The researcher added that the vulnerability is also present on Mac OS, “but the exploit does not include support for targeting any operating system but Windows.” Security researcher Joshua Yabut told the media that the exploit code is “100% effective for remote code execution on Windows systems.” “The shellcode used is almost exactly the shellcode of the 2013 one,” a security researcher using the pseudonym “TheWack0lian” tweeted. “When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn’t looking at a 3-year-old post.” The researcher referred to the payload used by the FBI to deanonymize the users of a dark web child porn site. This allowed the Bureau to tag Tor users who visited the illegal website on Freedom Hosting.

The exploit code forced the browser to send sensitive data, such as MAC address, hostname, and IP address, to a third-party server with a public IP address. The FBI only had to request customer information from the ISPs to acquire the identity of the hacked users. According to TheWack0lian, the malware was talking to a server assigned to French ISP OVH; however, when checked, the server seemed to be down. “The Tor malware calling home to a French IP address is puzzling, though. I’d be surprised to see a US federal judge authorize that,” privacy advocate Christopher Soghoian tweeted after he learned about the French IP. The same day the zero-day exploit was discovered, both Tor and Mozilla published a press release that they had fixed the issue. “This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (” “The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.”

Snowden Anonymous 12/13/2016 (Tue) 00:23:47 [Preview] No. 720 del
ABC News
Edward Snowden Full Interview on Trump, Petraeus, & Having 'No Regrets' - Duration: 7:08.
https://youtube.com/watch?v=Flej-73VLW8 [Embed]

Anonymous 12/13/2016 (Tue) 00:27:24 [Preview] No. 721 del
Edward Snowden - Insight of NSA - Interview - Duration: 19 minutes.
https://youtube.com/watch?v=DlrJI3o5WL8 [Embed]
Edward Snowden - NSA Spying Hardware - Interview - Duration: 40 minutes.
https://youtube.com/watch?v=7EBW5wAMTl4 [Embed]

Anonymous 12/13/2016 (Tue) 05:11:13 [Preview] No. 722 del
Edward Snowden - Donald Trump Pardon - Latest Interview Russia - Duration: 50:01.
https://youtube.com/watch?v=kHzfGsUvKUc [Embed]

Endwall 12/13/2016 (Tue) 23:52:03 [Preview] No. 723 del
Election Season Hacks, OpenVPN Audit, Malvertising, and NSA Cellphone Spying - Threat Wire - Duration: 8 minutes, 5 seconds.
https://youtube.com/watch?v=uMPQqK50ZQ4 [Embed]

Anonymous 12/14/2016 (Wed) 03:02:22 [Preview] No. 724 del
Pardon Snowden #AskSnowden Q&A hosted by Jack Dorsey [December 13, 2016] - Duration: 54:13.
https://youtube.com/watch?v=X-PpLJL-POY [Embed]

Endwall 12/16/2016 (Fri) 06:14:51 [Preview] No. 727 del
Associated Press
Yahoo Hack Highlights Threat to Users, Companies - Duration: 2 minutes, 11 seconds.
https://youtube.com/watch?v=YhNcROjt1c4 [Embed]

Obama on Hacking: 'We Need to Take Actions' - Duration: 32 seconds.
https://youtube.com/watch?v=46HK9rlkJ_U [Embed]

Endwall 12/16/2016 (Fri) 06:18:45 [Preview] No. 728 del
Yahoo reveals one billion users hit in second cyber attack - Duration: 61 seconds.
https://youtube.com/watch?v=wnwSZUgBaXI [Embed]

Endwall 12/17/2016 (Sat) 01:42:18 [Preview] No. 730 del
Jupiter Broadcasting
December 15, 2016
A tale of BSD from yore | BSD Now 172

This week on BSDNow, we have a very special guest joining us to tell us a tale of the early days in BSD history. That plus some new OpenSSH goodness, shell scripting utilities & much more! Stay tuned for your place to B…SD!


The Bourne Avalanche | TechSNAP 297

The Malvertising campaign that targets routers, script kiddies get a talking to & the Avalanche crime ringleader is on the run.

Edited last time by Endwall on 12/17/2016 (Sat) 01:58:24.

Tor Endwall 12/22/2016 (Thu) 05:25:14 [Preview] No. 732 del
''' Tor is released: finally, a new stable series!
Posted December 19th, 2016'''

by nickm in release stable tor

Tor is the first stable release of the Tor 0.2.9 series.

The Tor 0.2.9 series makes mandatory a number of security features that were formerly optional. It includes support for a new shared-randomness protocol that will form the basis for next generation hidden services, includes a single-hop hidden service mode for optimizing .onion services that don't actually want to be hidden, tries harder not to overload the directory authorities with excessive downloads, and supports a better protocol versioning scheme for improved compatibility with other implementations of the Tor protocol.

And of course, there are numerous other bugfixes and improvements.

This release also includes a fix for a medium-severity issue (bug 21018 below) where Tor clients could crash when attempting to visit a hostile hidden service. Clients are recommended to upgrade as packages become available for their systems.

You can download the source code from the usual place on the website. Packages should be up within the next few days, with a
TorBrowser release planned for early January.

Below are listed the changes since Tor For a list of changes since, see the ChangeLog file.
Changes in version - 2016-12-19

New system requirements:
When building with OpenSSL, Tor now requires version 1.0.1 or later. OpenSSL 1.0.0 and earlier are no longer supported by the OpenSSL team, and should not be used. Closes ticket 20303.
Tor now requires Libevent version 2.0.10-stable or later. Older versions of Libevent have less efficient backends for several platforms, and lack the DNS code that we use for our server-side DNS support. This implements ticket 19554.
Tor now requires zlib version 1.2 or later, for security, efficiency, and (eventually) gzip support. (Back when we started, zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was released in 2003. We recommend the latest version.)

Tor Endwall 12/22/2016 (Thu) 05:27:24 [Preview] No. 733 del
Tor A new alpha series begins
Posted December 19th, 2016 by nickm

Now that Tor is stable, it's time to release a new alpha series for testing and bug-hunting!

Tor is the first alpha release in the 0.3.0 development series. It strengthens Tor's link and circuit handshakes by identifying relays by their Ed25519 keys, improves the algorithm that clients use to choose and maintain their list of guards, and includes additional backend support for the next-generation hidden service design. It also contains numerous other small features and improvements to security, correctness, and performance.

You can download the source from the usual place on the website. Packages should be available over the next weeks, including an alpha TorBrowser release some time in January.

Please note: This is an alpha release. Please expect more bugs than usual. If you want a stable experience, please stick to the stable releases.

Below are the changes since
Changes in version - 2016-12-19

Major features (guard selection algorithm):
Tor's guard selection algorithm has been redesigned from the ground up, to better support unreliable networks and restrictive sets of entry nodes, and to better resist guard-capture attacks by hostile local networks. Implements proposal 271; closes ticket 19877.
Major features (next-generation hidden services):
Relays can now handle v3 ESTABLISH_INTRO cells as specified by prop224 aka "Next Generation Hidden Services". Services and clients don't use this functionality yet. Closes ticket 19043. Based on initial code by Alec Heifetz.
Relays now support the HSDir version 3 protocol, so that they can store and serve v3 descriptors. This is part of the next-generation onion service work detailed in proposal 224. Closes ticket 17238.
Major features (protocol, ed25519 identity keys):
Relays now use Ed25519 to prove their Ed25519 identities to one another, and to clients. This algorithm is faster and more secure than the RSA-based handshake we've been doing until now. Implements the second big part of proposal 220; Closes ticket 15055.
Clients now support including Ed25519 identity keys in the EXTEND2 cells they generate. By default, this is controlled by a consensus parameter, currently disabled. You can turn this feature on for testing by setting ExtendByEd25519ID in your configuration. This might make your traffic appear different than the traffic generated by other users, however. Implements part of ticket 15056; part of proposal 220.
Relays now understand requests to extend to other relays by their Ed25519 identity keys. When an Ed25519 identity key is included in an EXTEND2 cell, the relay will only extend the circuit if the other relay can prove ownership of that identity. Implements part of ticket 15056; part of proposal 220.

tor files and SHA check sums Endwall 12/22/2016 (Thu) 05:32:46 [Preview] No. 734 del


Check the signatures before unpacking. It would be nice if they would post the SHA256 and SHA512 sums as well. Here's what I'm getting:
SHA 256
fbdd33d3384574297b88744622382008d1e0f9ddd300d330746c464b7a7d746a tor-
7013353f0cbd2af8c0144f6167339f6eb252eb35ca9a2db2971310171108b064 tor-

SHA 512
6a43a56ebed7b24ccdd2474406f25347819d4efec4916bdb2e725177b34e233632cc17e68c823efa3d0aad4a5bd13e00a5077cdfeb8830a612253a03ab91b622 tor-
181cada87ece0f1d6f852948a66fdcff013b8db6e3d39a635ef8050c4e7671ade186925297025888151753e6280f7eea4511f2051a19ddac79834caf8f7ba9ea tor-

Endwall 12/23/2016 (Fri) 03:26:23 [Preview] No. 738 del
Jupiter Broadcasting
December 22, 2016
Best of 2016 | TechSNAP 298
We’ve given the Jupiter Broadcasting staff the holidays off, so let’s take this moment to have a look back at some of the best moments of TechSNAP in 2016!


Carry on my Wayland son | BSD Now 173

This week on the show, we’ve got some great stories to bring you, a look at the odder side of UNIX history from Ritchie, news about Wayland/Weston, a new ‘syspatch’ binary patch tool & more! Stay tuned for your place to B…SD!


Endwall 12/23/2016 (Fri) 04:37:51 [Preview] No. 739 del
Hak 5
Freedom of the Press Foundation Ramps Up Security Awareness! - Threat Wire - Duration: 7 minutes, 45 seconds.
https://youtube.com/watch?v=nppA6d7qMlQ [Embed]

Endwall 12/25/2016 (Sun) 05:05:57 [Preview] No. 741 del
dot Security
dotSecurity 2016 - Theo de Raadt - Privilege Separation and Pledge - Duration: 14:52.
https://youtube.com/watch?v=a_EYdzGyNWs [Embed]

Endwall 12/28/2016 (Wed) 10:36:31 [Preview] No. 749 del
The Top 5 Biggest Hacks of 2016 - Threat Wire - Duration: 6 minutes, 15 seconds.
https://youtube.com/watch?v=YYmPRq6IC_c [Embed]

Endwall 12/30/2016 (Fri) 06:46:18 [Preview] No. 750 del
RT America
‘I would rather know my govt is doing something illegal than not know’ – McAfee - Duration: 27
https://youtube.com/watch?v=aDTKKmBjlwE [Embed]

Endwall 12/30/2016 (Fri) 06:47:50 No. 751
Escalating Privileges in Windows & Staged Reverse Shells - Hak5 2117 - Duration: 31 minutes.
https://youtube.com/watch?v=fmRRX7-G4lc

Endwall 01/06/2017 (Fri) 03:30:51 No. 764
Jupiter Broadcasting
How the Dtrace saved Christmas | BSD Now 175

We’ve got all sorts of post-holiday goodies to share. New OpenSSL APIs, Dtrace, OpenBSD desktops, a truly paranoid start to your 2017 security & more!



Endwall 01/06/2017 (Fri) 03:41:32 No. 765
RT America
McAfee breaks down inconsistencies in FBI’s Grizzly Steppe report - Duration: 5 minutes, 2 seconds.
https://youtube.com/watch?v=C2jD4SF9gFE

Endwall 01/06/2017 (Fri) 23:29:02 No. 771
Jupiter Broadcasting
2089 Days Uptime | TechSNAP 300

How the hack of DigiNotar changed the infrastructure of the Internet forever, changing the way we think about security & how to hide malware in a PNG.



Anonymous 01/12/2017 (Thu) 01:55:48 No. 784
Just wanted to say I really appreciate everything you've done with the board, Endwall. You're an incredible BO.

Original BO.

Endwall 01/12/2017 (Thu) 02:37:32 No. 785
Hey thanks, I hope that some of the content is helpful to people looking to get increased computer security.

Thank you for setting up the board in the first place, it's been a great resource for me and hopefully for other people too.

Feel free to contribute original content or start a new thread to curate original content. I tried my best with Endware, but more needs to be done...

I need to work on the board and get some banners and stuff, but I'm tied up with homework from school.

I'll try to keep it up.


Endwall 01/13/2017 (Fri) 03:51:09 No. 789
Hak 5
Top 5 Security and Privacy Apps! - Threat Wire - Duration: 10 minutes.
https://youtube.com/watch?v=hsAP0fM_-bA
VM Packet Sniffing and Lasers - Hak5 2119 - Duration: 47 minutes.
https://youtube.com/watch?v=6YwiBdgOwUI

Endwall 01/13/2017 (Fri) 03:52:16 No. 790
Defend Against Ransomware | Federal Trade Commission - Duration: 4 minutes, 13 seconds.
https://youtube.com/watch?v=2I_VWCcVh1s

Endwall 01/13/2017 (Fri) 03:55:34 No. 791
Way too unsophisticated - cybersecurity legend McAfee on Russian hack evidence - Duration: 2 minutes, 9 seconds.
https://youtube.com/watch?v=6Zu5ihyt7dA

Endwall 01/13/2017 (Fri) 03:58:22 No. 792
RT America
Intelligence community behind times - McAfee - Duration: 6 minutes, 13 seconds.
https://youtube.com/watch?v=eH_8PupUmyc

Endwall 01/13/2017 (Fri) 04:01:39 No. 793
McAfee Breaking It Down on Infowars - Duration: 11 minutes.
https://youtube.com/watch?v=thbIgTHPhFw

Endwall 01/13/2017 (Fri) 04:06:18 No. 794
Jupiter Broadcasting

The Next Generation | TechSNAP 301
January 10, 2017

Malware that evades blocking systems and getting into BSD for the first time.


Linking your world | BSD Now 176
January 12, 2017
Another exciting week on BSDNow, we’re queueing up with LLVM / Linking news, a look at NetBSD’s scheduler, routers, desktops, build-systems & more!

Anonymous 01/15/2017 (Sun) 18:16:53 No. 796
Detailed instructions and tips for hooking system calls on Android for REing and profiling applications.


Endwall 01/17/2017 (Tue) 02:48:40 No. 799
E Hacking News
Italian siblings arrested for cyberattack
Monday, January 16, 2017
Italian police have arrested a nuclear engineer, Giulio Occhionero, 45, and his sister, Francesca Maria Occhionero, 49, for hacking into 18,000 high-profile email accounts, including that of the former Prime Minister. Authorities suspect that the siblings may have ties to the Freemasons, because the malware used in the hack was called Eye Pyramid, believed to be a reference to the all-seeing eye of God, or Eye of Providence, a symbol typically associated with Freemasonry. The name of the software may also have been a play on his own surname: Occhionero means “black eye” in Italian.

The widespread cyber-attack compromised communications of prominent Italian institutions and individuals, including two former Prime Ministers, Vatican cardinals, bank executives and other high-profile targets, which prosecutors claim was used to conduct insider trading. Mario Draghi, the president of the European Central Bank, was also among the targeted individuals, as was former Prime Minister Matteo Renzi, who resigned in December last year after losing a constitutional reform referendum.

The attackers, who have dual residencies in London and Rome, are accused of spear-phishing attacks using malware to gain access to victims' email accounts, illegally accessing classified information, and breaching and intercepting information technology systems and data communications since 2012. The siblings were most recently living in Italy. Vatican officials have not yet commented on the attack, and it is not yet known to what extent sensitive Vatican information may have been compromised. There are indications the malware campaign may have been running from as early as 2008.

In total, just under 1,800 passwords were allegedly captured by the Occhionero siblings, who exfiltrated around 87 gigabytes of data to servers in the United States. Mr Occhionero, who had strong links to the Masonic movement, allegedly developed software that infected email accounts, enabling him to access the information. Several of the compromised accounts belonged to Mason members. Whether or not there are ties to the Masons, cyber security experts believe it is highly unlikely that the sibling pair acted alone. The illegally accessed information was stored on servers in the United States, leading to an ongoing investigation with the assistance of the FBI’s cyber division. The stolen data has been seized by Italian police and the FBI. Italian police believe the siblings used the stolen confidential information to make investments through a firm operated by Mr Occhionero, a nuclear engineer by profession.

Anonymous 01/17/2017 (Tue) 14:33:06 No. 800

Endwall 01/19/2017 (Thu) 03:34:25 No. 801
Is WhatsApp Secure? - Threat Wire - Duration: 8 minutes, 2 seconds.
https://youtube.com/watch?v=0yenDWEXpo0

Endwall 01/19/2017 (Thu) 03:37:39 No. 802
Jupiter Broadcasting
Internet of Voice Triggers | TechSNAP 302
The Github enterprise SQL scare, malware that lives in your browser, Dan’s mail server war story, your feedback, a righteous roundup & more!

Endwall 01/22/2017 (Sun) 22:32:32 No. 804
Jupiter Broadcasting
Getting Pi on my Wifi | BSD Now 177
January 19, 2017
This week on BSDNow, we’ve got Wifi galore, a new iocage and some RPi3 news and guides to share. Stay tuned for your place to B…SD!

Anonymous 01/23/2017 (Mon) 02:33:41 No. 805
FULL: WikiLeaks Julian Assange answers questions (1/10/2017) - Duration: 1:15:44.
https://youtube.com/watch?v=G22B_xHRVas

Endwall 01/26/2017 (Thu) 04:53:48 No. 806
Hak 5
Meitu, Spyware or Just Plain Kawaii - Threat Wire - Duration: 6 minutes, 46 seconds.
https://youtube.com/watch?v=XlbBDzx-61c

Endwall 01/28/2017 (Sat) 04:29:42 No. 807
Jupiter Broadcasting

DDoS Mafia | TechSNAP 303 January 24, 2017
A remote vulnerability in Ansible has been patched, the latest updates on the Mirai botnet, our first TechSNAP challenge, your feedback, a gigantic roundup & so much more!

Enjoy the Silence | BSD Now 178 January 26, 2017
We discuss a wide variety of topics including Routers, Run-Controls, the “Rule” of silence and some Minecraft just for good measure. Stay tuned for your place to B…SD!

Endwall 02/02/2017 (Thu) 08:32:51 No. 808
Tor Project
Tor is released
Posted January 23rd, 2017 by arma
Tor fixes a denial-of-service bug where an attacker could cause relays and clients to crash, even if they were not built with the --enable-expensive-hardening option. This bug affects all 0.2.9.x versions; all relays running an affected version should upgrade. Tor also improves how exit relays and clients handle DNS time-to-live values, makes directory authorities enforce the 1-to-1 mapping of relay RSA identity keys to Ed25519 identity keys, fixes a client-side onion service reachability bug, does better at selecting the set of fallback directories, and more. You can download the source code from https://dist.torproject.org/ but most users should wait for the upcoming 7.0a Tor Browser alpha release, or for their upcoming system package updates.

Tor is released
Posted January 23rd, 2017 by arma
Tor fixes a denial-of-service bug where an attacker could cause relays and clients to crash, even if they were not built with the --enable-expensive-hardening option. This bug affects all 0.2.9.x versions; all relays running an affected version should upgrade. This release also resolves a client-side onion service reachability bug, and resolves a pair of small portability issues. You can download the source code from https://dist.torproject.org/ but most users should wait for the upcoming Tor Browser release, or for their upcoming system package updates.



Endwall 02/04/2017 (Sat) 02:31:02 No. 809
Hak 5
New FCC, No More Net Neutrality? Facebook Adds Security Keys! - Threat Wire - Duration: 6 minutes, 40 seconds.
https://youtube.com/watch?v=u5V3Vn3Vaw0
Advanced Password Recovery with Hashcat - Hak5 2122 - Duration: 27 minutes.
https://youtube.com/watch?v=1rUy-M7bxDc

Endwall 02/04/2017 (Sat) 02:54:20 No. 810
Jupiter Broadcasting
Three C’s to Tweet By | TechSNAP 304
February 1, 2017
The guys cover Dropbox bugs that could be holding on to your deleted files, explain what the heck ATM ‘shimmers’ are & talk about how to keep your secret identity secret.

The Wayland Machine | BSD Now 179
February 2, 2017
We lead off with the latest news about Wayland and Xorg support on FreeBSD, then a look at OpenBSD ARM64 support, inside the chacha20 cipher & much more!

Endwall 02/08/2017 (Wed) 05:39:26 No. 821
Hak 5
House of Reps Passes New Email Privacy Act - Threat Wire - Duration: 6 minutes, 32 seconds.
https://youtube.com/watch?v=OLkYcDocebc

Endwall 02/11/2017 (Sat) 08:47:37 No. 825
Jupiter Broadcasting
Gambling with Code | TechSNAP 305
We’ve got the latest on GitLab’s data disaster, a clever new method to cheat at the slots & a new Netgear exploit that’s coming for your network!
Illuminating the desktop | BSD Now 180
This week on BSDNow, Kris is out of town but we have a great interview with Ken Moore, his brother, about the latest in BSD desktop computing & Lumina specifically. Stay tuned to your place to B…SD.

Endwall 02/18/2017 (Sat) 02:05:57 No. 831
Jupiter Broadcasting

Metadata Matters | TechSNAP 306
February 15, 2017
The latest on just who has access to your private email, Dan dives deep on the GitLab Postmortem & did you know that Transport for London has been tracking your wifi? We’ve got the details.

The Cantrillogy | BSD Now 181
February 15, 2017
This week on BSDNow we have a Cantrill special to bring you! All three interviews back to back in their original glory, you won’t want to miss it. Stay tuned for your place to B…SD!

Endwall 02/18/2017 (Sat) 02:08:39 No. 832
Hak 5
Steam Profile XSS Attack - Threat Wire - Duration: 5 minutes, 53 seconds.
https://youtube.com/watch?v=ZIcLFkmgFqI

Endwall 02/22/2017 (Wed) 04:21:14 No. 833
Hak 5
Operation BugDrop Targets Ukrainian Infrastructure - Threat Wire - Duration: 5 minutes, 54 seconds.
https://youtube.com/watch?v=Ap2xkiBZ9hw

Endwall 02/22/2017 (Wed) 20:11:46 No. 838
Can Foreign Governments Hack Americans With Impunity?

Posted by: DividedBy0 February 21, 2017

A lawsuit being heard by the US Court of Appeals for the District of Columbia Circuit seeks to answer the question of whether foreign governments can hack Americans with impunity. In the case of Kidane v. Ethiopia, lawyers for the Electronic Frontier Foundation (EFF) and the law firms Jones Day and Robins Kaplan are representing a man from Maryland, going by the pseudonym Mr. Kidane, who alleges that the government of Ethiopia infected his computer with spyware. The lawsuit alleges that the secret malware, known as FinSpy, allowed the government of Ethiopia to wiretap his Skype calls and monitor everything he and his family did on the computer for a period that lasted months. The court has allowed the man to use a pseudonym he had used in the Ethiopian community, because the Ethiopian government has a history of punishing the family members of people who dare to oppose it. Mr. Kidane was born in Ethiopia and moved to the United States 20 years ago, where he sought asylum and became an American citizen.

Kidane’s computer became infected with the spyware after he opened a Word document sent to him by agents of the Ethiopian government. After the document was opened, FinSpy was secretly downloaded onto his computer from a server with an IP address located in Ethiopia. All activity, including Skype calls, keystrokes, passwords, e-mails, chats, and web browsing, was monitored, recorded, and uploaded to a command and control server with an IP address located in Ethiopia and controlled by the Ethiopian government. FinSpy is developed and marketed by FinFisher, formerly known as Gamma International, a company based in the United Kingdom. It is part of a line of “IT intrusion” software made by FinFisher, which is only sold to government agencies. Their software is frequently used to spy on activists around the world.

Kidane continues his lawsuit, which is being appealed. Recently, attorneys for Mr. Kidane argued before a three-judge panel that the lawsuit should be allowed to continue. Under the Foreign Sovereign Immunities Act, foreign governments are only liable for acts committed within the United States. Kidane’s attorneys argued that his computer was located in Maryland and remained there the entire time it was being spied upon. Attorneys for Ethiopia argued that they should not be held liable because they did not have a human agent who was physically located within the United States. One of the judges on the panel asked the attorneys representing Ethiopia whether they believed they could be held liable for mailing a letter bomb to the United States, or for remotely hacking a self-driving car in the United States and causing it to crash. The attorneys for Ethiopia responded that they believed they could not be sued for such actions.

Kidane was spied on from at least late October 2012 until March 2013. The lawsuit was originally filed in February 2014. Previously in the case, a federal court ruled that foreign governments could not be held liable for wiretapping American citizens within the United States. The DC Circuit Court is expected to rule on the appeal within a few months.
Edited last time by Endwall on 02/23/2017 (Thu) 20:15:32.

Endwall 02/23/2017 (Thu) 20:09:19 No. 840
Jupiter Broadcasting

State Sponsored Audiophiles | TechSNAP 307
February 21, 2017
The details on the latest WordPress vulnerability, then the surprising, or perhaps not so surprising takeover of a cybersecurity firms website & watch out, hacker’s may be using your microphone to steal your data!

Bloaty McBloatface | BSD Now 182
February 22, 2017
This week on the show, we’ve got FreeBSD quarterly Status reports to discuss, OpenBSD changes to the installer, EC2 and IPv6 & more! Stay tuned for your place to B…SD!
Edited last time by Endwall on 02/23/2017 (Thu) 20:14:37.

Endwall 03/05/2017 (Sun) 00:43:57 No. 842
Hak 5

Operation BugDrop Targets Ukrainian Infrastructure - Threat Wire - Duration: 5 minutes, 54 seconds.
https://youtube.com/watch?v=Ap2xkiBZ9hw
SHA-1 is Officially Dead and What is CloudBleed? - Threat Wire - Duration: 7 minutes, 53 seconds.
https://youtube.com/watch?v=HguaJV7tGtU

Hak 5 Main Show
USB Hacks for Windows, Linux, and Macs - Hak5 2124 - Duration: 31 minutes.
https://youtube.com/watch?v=qGPGOoJn54E
Introducing the Bash Bunny - Hak5 2125 - Duration: 29 minutes.
https://youtube.com/watch?v=CvI_mrQYaF8

Endwall 03/05/2017 (Sun) 00:47:40 No. 843
Jupiter Broadcasting

Cloudy with a Chance of Leaks | TechSNAP 308

Google heard you like hashes so they broke SHA1, we’ve got the details. Plus we dive in to Cloudflare’s data disaster, Dan shows us his rack, your feedback, a huge roundup & so much more!

Getting Steamy Here | BSD Now 183

This week on BSDNow, we have “Weird Unix Things”, “Is it getting Steamy in here?” & an Interview about BSD Sockets API. (Those aren’t all related). It’s going to be a good one, buckle up for your place to B…SD!


Endwall 03/09/2017 (Thu) 23:45:21 No. 850
Jupiter Broadcasting
Bad Boy Backups | TechSNAP 309
We’ve got the sad story of cloud-enabled toys leading to, you guessed it, leaking customer’s personal information! Plus a case of backups gone bad, but this time, it’s a good thing!

Tokyo Dreaming | BSD Now 184
This week on BSDNow, Allan & Kris are in Tokyo for AsiaBSDCon, but not to worry, we have a full episode lined up and ready to go.

Vault 7 Unlocked | Unfilter 228
Wikileaks drops Vault 7 filled with CIA secrets. We analyze it & the establishment’s response. Plus are Trump’s claims he was wiretapped crazy or rooted in reality?

Endwall 03/09/2017 (Thu) 23:50:10 No. 851
Hak 5
FCC Stays Privacy Regulations, CloudPets Ignores Hack, & 32 Million Yahoo Accts Hacked - Threat Wire - Duration: 7 minutes, 53 seconds.
https://youtube.com/watch?v=3Sch7loo1mk
How to Write Bash Bunny Payloads & Contribute on GitHub - Hak5 2126 - Duration: 29 minutes.
https://youtube.com/watch?v=H6z9BXevsZg

Endwall 03/16/2017 (Thu) 22:10:46 No. 853
Jupiter Broadcasting

Don’t Panic & P your S | TechSNAP 310
March 14, 2017

We crack open Vault 7 & are a little let down by what’s inside, give you one more reason you should already be using ZFS & just when you thought you could trust your phone again, we’ve got the story of preinstalled Android malware. Then it’s your feedback, a huge roundup & so much more!


Exit Interview | BSD Now 185
March 16, 2017

This is a very special BSD Now! New exciting changes are coming to the show and we’re gonna cover them, so stick around or you’ll miss it!


Endwall 03/16/2017 (Thu) 22:12:53 No. 854
Hak 5

Linux Terminal 201: Customize The Shell Prompt - HakTip 148 - Duration: 7 minutes.
https://youtube.com/watch?v=_kSCpNqKJbM
CIA Hacking Tools Released in Wikileaks Vault 7 - Threat Wire - Duration: 11 minutes.
https://youtube.com/watch?v=5LYSjLwkAo4
Hack Across the Planet 2017 Day 1 - Hak5 2201 - Duration: 6 minutes, 27 seconds.
https://youtube.com/watch?v=8CU2IwvMJzw

Endwall 03/17/2017 (Fri) 00:01:18 No. 855
Jupiter Broadcasting

Trump Taxes and Tappin | Unfilter 229

The big Trump tax reveal is a bust, but not for the reasons you might think. Trump’s wiretapping claims are looking more and more farfetched & who else could have been behind the DNC leaks.



Endwall 03/25/2017 (Sat) 17:33:43 No. 862
Jupiter Broadcasting

Check Yo Checksum | TechSNAP 311
The guys break with the usual format & turn things over to Dan for a deep deep dive on Bacula! Then it’s the latest Yahoo hack news & a few more reasons you should already be using ZFS.

Fast & the Firewall: Tokyo Drift | BSD Now 186
This week on BSDNow, reports from AsiaBSDcon, TrueOS & FreeBSD news, Optimizing IllumOS Kernel, your questions & more!

Endwall 03/25/2017 (Sat) 17:35:58 No. 863
Hak 5
Linux Terminal 201: Installing and Updating Packages - HakTip 149 - Duration: 6 minutes, 37 seconds.
https://youtube.com/watch?v=EJgXqQvqaIM
WhatsApp Web App Account Takeover, and Yahoo Hackers Indicted - Threat Wire - Duration: 7 minutes, 9 seconds.
https://youtube.com/watch?v=eaxVrD9JGIs
Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny - Hak5 2202 - Duration: 37 minutes.
https://youtube.com/watch?v=VPhqD__lOBQ
Linux Terminal 201: Working with Storage Media, ISO Images, and MD5 Checksums - HakTip 150 - Duration: 9 minutes, 15 seconds.
https://youtube.com/watch?v=ZA5KMyuj5jk

Endwall 03/26/2017 (Sun) 07:11:46 No. 864
Jupiter Broadcasting
Das Boot Manager | LUP 189
Bulletproof Linux Kernel upgrades might be near, Kodi gets a real Netflix Plugin & the dirty, stinky, no good, obvious, elephant in the room around desktop Linux.


High Nunes Showdown | Unfilter 230
Have Trump’s claims of “wiretapping” been vindicated or have we just witnessed political suicide? Plus the important moments from the big Russia hearings & the top secret tight spot the Donald is in.


Anonymous 03/30/2017 (Thu) 15:45:05 No. 867
BeyondTrust Software
The Top 3 Linux Security Vulnerabilities (and How to Fix Them)
https://youtube.com/watch?v=jVATPTm0COg

Endwall 04/01/2017 (Sat) 00:14:58 No. 868
ISPs Could Sell User Web Data with Senate Vote - Threat Wire - Duration: 9 minutes, 15 seconds.
https://youtube.com/watch?v=QK-xmVq-7t4

Keybase Chat & A Hak5 Host Takeover! - Hak5 2203 - Duration: 20 minutes.
https://youtube.com/watch?v=MXh4SUFeRQQ

Linux Terminal 201: Apt vs Apt-Get - HakTip 151 - Duration: 7 minutes, 33 seconds.
https://youtube.com/watch?v=9jNcjdQxEV8

Endwall 04/01/2017 (Sat) 00:22:09 No. 869
Jupiter Broadcasting

Boot Free or Die Tryin’ | LUP 190
Posted on: March 28, 2017
We dig deep into the LibreBoot project, how the Intel ME problem impacts open source & limits badass free laptops. Then we spend Wes’ money and shop for his next perfect Linux rig.


Privacy is Dead | TechSNAP 312
Posted on: March 29, 2017
This week, we sell your private browsing history to the highest bidder! Oh wait, that’s your ISP! We cover the latest rollback of internet privacy regulations in the US, plus the surprisingly uplifting story of script kiddies getting their day in court, Dan does a not-so-deep dive into ZFS & explains why you should already be using it.


Catching up to BSD | BSD Now 187
Posted on: March 30, 2017
This week on BSDNow, news about the NetBSD project, a BSD Phone, bunch of OpenBSD and TrueOS News & more!


Endwall 04/06/2017 (Thu) 22:43:53 No. 874
Hak 5

To VPN or Not To VPN? - Threat Wire - Duration: 7 minutes, 4 seconds.
https://youtube.com/watch?v=mv61e0BeVmU

Bash Bunny Development: Behind the Scenes - Hack Across the Planet - Hak5 2204 - Duration: 19 minutes.
https://youtube.com/watch?v=J33mkvdKR5U

Endwall 04/06/2017 (Thu) 23:12:17 No. 875
Jupiter Broadcasting

Dubstep Allan | LAS 463
We start this week covering the latest news about Red Hat’s record profits, some new changes coming video editing & audio sampling under linux & Apple releasing their new APFS file system. Then Noah reveals the real reason behind LAS ending, we cover your feedback & much more!

What’s a Distro? | LUP 191
Joe Ressington of Late Night Linux joins Wes to discuss just what makes a “Proper” distribution. Then the latest news about Libreboot and the Free Software Foundation, Containers explained in pictures & our complaints about the latest Telegram release.

Endwall 04/06/2017 (Thu) 23:14:22 No. 876
Jupiter Broadcasting

Wifi Stack Overfloweth | TechSNAP 313
April 5, 2017
Your Wifi Stack is under attack! But dont worry, Apple’s got the patch & we’ve got the story. Then the latest ATM hacking tips that will only cost you $15 & Dan does a deep dive into Let’s Encrypt!

And then the murders began | BSD Now 188
April 6, 2017
Today on BSD Now, the latest Dragonfly BSD release, RaidZ performance, another OpenSSL Vulnerability & more; all this week on BSD Now!

Endwall 04/16/2017 (Sun) 01:59:48 No. 878
Hak 5
Better Border Protections for Your Electronic Devices - Threat Wire - Duration: 6 minutes, 4 seconds.
https://youtube.com/watch?v=E8aGl4kisUM

Linux Terminal 201: Networking Commands You Should Know! - HakTip 152 - Duration: 9 minutes, 52 seconds.
https://youtube.com/watch?v=F1geJWP4Yvs

Endwall 04/16/2017 (Sun) 02:07:30 No. 879
Jupiter Broadcasting

Cyber Liability | TechSNAP 314
Posted on: April 12, 2017
We cover some fascinating new research that can steal your phone’s PIN using just the on-board sensors. Then we cover how computer security is broken from top to bottom and Dan does another deep dive, this time on everyone’s favorite database, PostgreSQL.

Codified Summer | BSD Now 189
Posted on: April 13, 2017
This week on the show we interview Wendell from Level1Techs, cover Google Summer of Code on the different BSD projects, cover YubiKey usage, dive into how NICs work & more!

Endwall 04/20/2017 (Thu) 03:15:39 No. 882
Hak 5
ShadowBrokers Release New NSA Docs - Threat Wire - Duration: 7 minutes, 46 seconds.
https://youtube.com/watch?v=oM3SGXmOLgE

Endwall 04/20/2017 (Thu) 18:46:42 No. 883
Jupiter Broadcasting

Tales of FileSystems | TechSNAP 315
April 18, 2017
We’ve got the latest gossip on Apple’s brand new filesystem & why you should care! Plus Dan dives deep into the wonderful world of ZFS and FreeBSD jails & shows us how he is putting them to use in his latest server build.

The Moore You Know | BSD Now 190
April 20, 2017
This week, we look forward with the latest OpenBSD release, look back with Dennis Ritchie’s paper on the evolution of Unix Time Sharing, have an Interview with Kris Moore about FreeNAS & more!

Endwall Board owner 04/30/2017 (Sun) 02:17:17 No. 891
Hak 5
Steal a Car With $22 in Tech, FCC Removes Price Caps, and Punycode is Full of Win - Threat Wire - Duration: 8 minutes, 57 seconds.
https://youtube.com/watch?v=G1NSfB6dBEE

Linux Terminal 201: Networking Commands You Should Know Pt 2! - HakTip 153 - Duration: 8 minutes, 43 seconds.
https://youtube.com/watch?v=RrmWU_Hg9e4

Endwall Board owner 04/30/2017 (Sun) 02:31:24 No. 892
Jupiter Broadcasting

Internet of Troubles | LUP 194

Linux Foundation thinks they have the solution to the Internet of Terrible & they might actually be right. We’ll share the exclusive interview that has us excited for the future.


PHP Steals Your Nuts | TechSNAP 316

The squirrels have gotten in the mailbag as the guys discuss an unfortunate new vulnerability in Squirrelmail. Plus an interesting new entrant to the anonymous domain name space from some of the internet’s most famous rabble rousers. Then Dan & Wes get just a bit jealous of Canada’s new take on net neutrality & more!


I Know 64 & A Bunch More | BSD Now 191

We cover TrueOS/Lumina working to be less dependent on Linux, How the IllumOS network stack works, Throttling the password gropers, the 64 bit inode call for testing & more!


Endwall 05/03/2017 (Wed) 05:45:52 No. 896
Hak 5
The FCC Targets Net Neutrality, NSA Stops Email Spying - Threat Wire - Duration: 10 minutes.
https://youtube.com/watch?v=WfzwYbNyyJw

Endwall 05/05/2017 (Fri) 10:20:36 No. 900
Jupiter Broadcasting

Some Fishy Chips | TechSNAP 317
Posted on: May 3, 2017

Intel’s patched a remote execution exploit that’s been lurking in their chips for the past nine years, we’ve got the details & some handy tips to check if you’re affected. Then Dan does a deep dive into friend of the show Tarsnap: what it is, how to use it & why it’s so awesome. Plus we discuss when we use external services versus building ourselves & a few tips for lightweight backup solutions that might work for you.

https://youtube.com/watch?v=hoPcL_vo-BY

SSHv1 Be Gone | BSD Now 192
Posted on: May 4, 2017

This week we have a FreeBSD Foundation development update, tell you about sprinkling in the TrueOS project, Dynamic WDS & a whole lot more!

https://youtube.com/watch?v=sM0CIpJzpAI

Endwall 05/06/2017 (Sat) 04:27:26 No. 910
Privacy Online News

Intel confirms remote code execution hole in all Intel CPUs since 2008
Posted on May 1, 2017 by Caleb Chen
According to security researchers, media, and now Intel themselves, a security hole allowing remote code execution (RCE) has been present in Intel CPUs since 2008. The exploit was usable on Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manage