Showing results for tags 'hackers'.
  1. Well-Intended Hackers Broke Into Fermilab’s Network and Accessed Sensitive Data

     Ethical hackers of the ‘Sakura Samurai’ group have broken into Fermilab’s network. The researchers found PII, network information, credentials, project data, and proprietary code. The potential consequences of this are dire, but all of the identified flaws have been reported and fixed now.

     Members of the ‘Sakura Samurai’ security research hacking group have managed to break into Fermilab, accessing a trove of sensitive user information, ticketing systems, project servers, and also network information that would enable stealthy and unobstructed lateral movement.

     The Fermi National Accelerator Laboratory, based in Illinois, is one of the most neuralgic points of research for the American scientific community. It manages an annual budget that is measured in the hundreds of millions of USD to carry out particle acceleration experiments that have led to important discoveries on four distinct occasions since 1977. Of course, science at this level is typically open to global scientific teams, but the consequences of malicious access on Fermilab’s networks could be dire nonetheless. Apart from stealing proprietary code or accessing PII, an attacker could interrupt operations, plant malicious code that would fiddle with experimental results, and generally create the conditions for mind-boggling time and money losses for the program.

     This is why Fermilab has a vulnerability program in place, and that was enough for R. Willis, J. Jackson, and J. Henry to start digging. The ‘Sakura Samurai’ found a wide range of entry points, with the most promising one being an unrestricted subdomain that could be used to siphon tickets, project data, and account credentials. Many of the 4,500 tickets accessed had their own subset of valuable data, like project configuration and file attachments with sensitive info.

     By using “basic” network scanning tools like nmap, amass, and dirsearch, the researchers explored more accessible servers, finding a web app that gave them access to all registered users and their details (full names, workgroups, emails, user IDs).

     In similar ways, the team accessed an FTP server allowing anyone to log in without proper authentication, exposing data relevant to the “NOvA” experiment. This is an experiment exploring the possibility of the existence of evidence for an unknown symmetry of nature and the reason for the matter-antimatter asymmetry, which is a topic of debate for top-level physicists.

     As worrying as the findings were for the team, Fermilab’s response was quick and to the point. All of the identified vulnerable endpoints were promptly fixed, so the problems have been addressed now. As for how long these security flaws may have been there and whether or not someone with malicious intentions accessed the Fermilab’s network before the ‘Sakura Samurai’ team, we have no answer to that (yet).

     Source: Well-Intended Hackers Broke Into Fermilab’s Network and Accessed Sensitive Data
  2. Key Cypriot Infrastructure Under Attack by Turkish Hackers

     The Cypriot state accuses a specific Turkish actor of launching a wave of attacks against critical infrastructure. The scope of the attacks includes ministries, the Larnaca airport, and more recently, the parliament website. The country has a long way to go still when it comes to securing state services and online portals.

     The Cypriot authorities are reporting that key infrastructure is currently being targeted by Turkish hackers, who have had moderate success. According to the details given by state sources on the Cyprus News Agency, the attacking spree started last week with an unsuccessful attack against the Defense Ministry’s website. Yesterday, there were reports about the hackers focusing their efforts against a server used by the Larnaca airport. And today, local media outlets report that the parliament website is under attack.

     This has created a serious disruption in the Parliament’s functions, as today was the day when a list of loans given to 22 politically exposed persons would be published on the site. Naturally, some people in the island-nation found the timing suspicious, but the authorities promised to publish the documents as soon as they can update the website.

     The details shared with the public claim that the attack method is the same used in the previous cases, but what this constitutes exactly remains a mystery. Judging from the actors’ moderate success rates and the fact that the websites remain up and running, this doesn’t seem to be a ransomware incident. In the case of the Larnaca airport server, the Digital Security Authority and the Commissioner for Personal Data Protection were both informed of the incident, so there may have been signs of data access and exfiltration, even if the attack was reportedly thwarted.

     For Cyprus, airport operation is crucial, considering this country is relying heavily on tourism. The Larnaca airport is the largest on the island, so it’s a neuralgic target that has to be safeguarded against hackers.

     Back in September 2020, the undersecretary of the Cypriot Ministry of Research, Innovation, and Digital Governance Kirakos Kokkinos told the press that the state services are, in essence, left unprotected against any form of cyber-attack. As he characteristically stated: “Rating Cyprus on the issue of cybersecurity, today, we are at zero.” Kokkinos estimated that Cyprus would need at least two years to form a team that would develop an adequately effective protection umbrella. Considering that statement and the current wave of attacks, Cyprus could still be severely exposed to a wide range of cyber-risks.

     Source: Key Cypriot Infrastructure Under Attack by Turkish Hackers
  3. Crypto firm Tether claims hackers have demanded $24m in ransom

     Tether has reportedly refused to pay the 500 BTC ransom demand amid threats of a data leak.

     In its latest tweet, the blockchain and cryptocurrency organization Tether revealed that it had received a ransom note in which threat actors have asked for 500 Bitcoin, which is worth approx. $24 million. The company noted that threat actors have threatened to leak documents that may affect the “Bitcoin ecosystem” if their demand is not fulfilled. The documents allegedly show dubious communication between Tether, the Bahamas-based Deltec Bank & Trust, and several other third parties. However, the company claims these are forged documents.

     Tether Refuses to Pay

     According to the crypto organization, the payment deadline is 1 March, but it has decided not to pay the ransom. “We are not paying,” the company stated categorically. The wallet address linked with the demand currently has $72 in BTC. Tether wrote that people are getting desperate to cause harm to the company in particular and the crypto community as a whole. However, they are not paying heed to their demands. It is currently unclear if this is an extortion scheme or people want to undermine Tether specifically.

     “While we believe this is a pretty sad attempt at a shakedown, we take it seriously. We have reported the forged communications and the associated ransom demand to law enforcement. As always, we will fully support law enforcement in an investigation of this extortion scheme.” — Tether (@Tether_to), February 28, 2021

     Leaks are intended to Discredit Crypto - Tether CTO

     The unverified email screenshots circulating the web seem to be related to Deltec Bank, which already shares a banking relationship with the crypto giant. The communication shows discussion over asset backing.

     “They confirm 1) being backed with crypto and 2) they try to fool regulators about that fact.” — RiskIndemnity (@RiskIndemnity), February 28, 2021

     In another tweet, Tether CTO Paolo Ardoino wrote that the objective behind this malicious act is to “discredit #bitcoin and all #crypto.” The company revealed that it is taking this “pretty sad attempt at a shakedown” very seriously and has informed law enforcement about the bogus communications as well as the ransom demand. However, the company is unaware of the people who are making the ransom demand and also said that it could not provide a copy of the ransom note at the moment. Still, it vows to cooperate with law enforcement. “As always, we will fully support law enforcement in an investigation of this extortion scheme.”

     Source: Crypto firm Tether claims hackers have demanded $24m in ransom
  4. Hackers are selling access to Biochemical systems at Oxford University Lab

     Hackers have broken into the biochemical systems of an Oxford University lab where researchers are working on the study of Covid-19.

     Hackers compromised the systems at one of the most advanced biology labs at the Oxford University that is involved in the research on the Covid-19 pandemic. The news was disclosed by Forbes and the Oxford University confirmed the security breach that impacted the Division of Structural Biology (known as “Strubi”).

     “Oxford University confirmed on Thursday it had detected and isolated an incident at the Division of Structural Biology (known as “Strubi”) after Forbes disclosed that hackers were showing off access to a number of systems,” reported Forbes. “These included machines used to prepare biochemical samples, though the university said it couldn’t comment further on the scale of the breach.”

     The University notified the authorities, including the National Cyber Security Center (NCSC) and the U.K. Information Commissioner’s Office.

     “We have identified and contained the problem and are now investigating further,” an Oxford University spokesperson said. “There has been no impact on any clinical research, as this is not conducted in the affected area. As is standard with such incidents, we have notified the National Cyber Security Center and are working with them.”

     The U.K. ICO confirmed that no patient data was compromised as a result of the security breach.

     Forbes first reported the news and revealed it received the news of the breach from Hold Security chief technology officer Alex Holden. Holden provided screenshots showing interfaces for lab equipment; he also speculated that attackers were inside the Lab infrastructure on February 13 and February 14, 2021. Once they had breached the biochemical systems of the Oxford University lab, the attackers were in a position to steal research data or sabotage the equipment.

     The illustrious professor Alan Woodward speculates the involvement of a cybercrime organization, instead of a state-sponsored operation, because the hackers were attempting to sell access to the Lab to third parties. According to Holden the crew is highly sophisticated and has been privately selling stolen data from a number of organizations. Its customers are also APT groups that could use the data to target the compromised organizations.

     “He noted that the hackers spoke Portuguese. Some of the group’s other victims include Brazilian universities, Holden added, and they also use ransomware to extort some victims,” reported Forbes.

     The investigation is still ongoing.

     Source: Hackers are selling access to Biochemical systems at Oxford University Lab
  5. The COVID-19 pandemic provided a huge opening for bad actors this year, thanks to remote work. Security experts expect more advanced cybersecurity threats in the coming year.

     Hackers are always looking for an opportunity and the COVID-19 pandemic provided a big one this year: As remote work in unprecedented numbers took hold, they preyed upon vulnerable employees who were unfamiliar with how to navigate their tech environments. Threat actors found success infecting businesses with ransomware and stealing company data, turning those ransomware attacks into data breaches. Expect more of this to continue next year as remote work continues, according to Accenture.

     Going into 2021, "threat actor profits [are] likely to increase as a result of targets' weakened security and remote working, enabling threat actors [to] innovate and invest in even more advanced ransomware," Accenture's 2020 Cyber Threatscape Report said.

     Remote work created something of a new playground for hackers in 2020, agreed Gartner. An October survey of nearly 2,000 CIOs found that cybersecurity investments in technologies that support digitization will be one of the major priorities next year. "With the opening of new attack surfaces due to the shift to remote work, cybersecurity spending continues to increase,'' the firm said, with 61% of respondents reporting they will increase investment in cyber/information security, followed closely by business intelligence and data analytics (58%); and cloud services and solutions (53%).

     Cybersecurity mesh for securing any digital asset, anywhere

     Next year and beyond, Gartner is predicting organizations will use cybersecurity mesh, a distributed architectural approach to scalable, flexible and reliable cybersecurity control. Cybersecurity mesh enables anyone to access any digital asset securely, no matter where the asset or person is located, the firm said in its Top Strategic Technology Trends for 2021 report.

     "Cybersecurity mesh essentially allows for the security perimeter to be defined around the identity of a person or thing," Gartner said. As perimeter protection becomes less meaningful, the security approach of a "walled city" must evolve, the firm said. By 2025, Gartner predicts the cybersecurity mesh will support over half of digital access control requests.

     Other predictions:

     More attacks on healthcare systems. "The seemingly crazy predictions of the past around the cost of ransomware attacks on the healthcare industry stand to be proven true in 2021. We've seen a substantial rise in ransomware since the onset of COVID, and as the space race 2.0 continues, so will the prevalence of attacks," said John Ford, IronNet cyber strategist and former healthcare CISO. With countries all around the world hunting for a COVID vaccine there will be more nation-state attacks leveraging ransomware and an increase in cloud-based ransomware attacks as healthcare systems expedite their transition to meet the growing remote needs, Ford predicts. "Lately, what is different about this tried-and-true attack method is that malicious actors aren't just locking out data," Ford said. "They are also putting it on data leak sites where people can buy/have access to it leading to additional compliance concerns and my prediction for upcoming HIPAA changes."

     Over-permissioned identities will cause more attacks in the cloud. As a result of the accelerated shift to the cloud due to the pandemic, in 2021 attackers will not only shift their focus more to cloud infrastructure and cloud applications, but also continue to advance their techniques, said Michael Raggo, cloud security expert at CloudKnox. "One of the systemic issues we've seen in organizations that have been breached recently are a vast amount of over-permissioned identities accessing cloud infrastructure and gaining access to business critical resources and confidential data," Raggo said. "We've seen when an attacker gains access to an associated identity with broad privileged permissions, the attacker can leverage those and cause havoc." Most of the time, identity permissions are too broad because enterprises are still using manual and assumptions-based techniques to manage these, he said. Over-provisioned permissions "begs for a clear need for adhering to the principle of least privilege, leveraging a continuous, automated and data driven approach using activity-based authorization across the cloud infrastructure," Raggo said.

     Growth of insider threats and accidents. Raggo also predicts that accidents and insider threats will become even bigger concerns for enterprises, especially those in the cloud, citing a guilty plea by a former Cisco employee earlier this year who was charged with wiping 16,000 WebEx Teams cloud accounts disrupting their access to the service. CloudKnox research found that more than 80% of the cloud users have the ability to escalate permissions that can be very hard to track in the cloud infrastructure, according to Raggo. "These escalation scenarios allow the bad actors to have the ability to create dummy accounts for themselves," which he said can be used "to perform nefarious actions as some user other than themselves, thus allowing them to cover their tracks."

     Where CISOs should allocate budget in 2021

     Jason Rader, national director network & cloud security at Insight Enterprises, believes that if security leaders still have a viable business in 2021, they have "already done some things very right." 2021 is a time for security leaders to become more efficient with their budgets and more strategic in supporting the business, he said. According to Rader, this includes addressing:

     - Ransomware: A huge number of organizations are expected to be hit with ransomware next year. Rader advocates for a strategy that incorporates the controls to mitigate a ransomware attack into an overall program. Buying a "ransomware solution" that doesn't integrate with workflow or other security controls is very shortsighted, he said.
     - Data classification/appropriate controls on the data: Data is everywhere and a liability for CISOs.
     - DevOps: It's critical to know how security is integrated into an organization's current development and operations processes. CISOs should act as the catalyst for the groups to work together. One cannot live without the other.
     - Vulnerability management: Remote worker setup and cloud initiatives have probably stabilized for the most part after the WFH scramble. Security teams must mature the patch and vulnerability management process.
     - Identity, authentication & access: Identifying your users, ensuring they are who they say they are, and controlling the resources they are permitted to access has always been important. With this year's rise in remote workers and WFH, it is time to revisit ways to gain more control and analysis out of this effort.
     - Regulated data (client data, PII, etc.): Many organizations are changing the way they do business to comply with current and impending data privacy regulations. This will have a trickledown effect to the ecosystems/supply chains of different industries. "If you collect client data, know what systems touch it, how authentication is handled at each step, how the data is secured during transit and while at rest, and what back-end systems can access the systems that process the data."

     Source
  6. Hackers with access to the Signaling System 7 (SS7) used for connecting mobile networks across the world were able to gain access to Telegram messenger and email data of high-profile individuals in the cryptocurrency business.

     In what is believed to be a targeted attack, the hackers were after two-factor authentication (2FA) login codes delivered over the short messaging system of the victim’s mobile phone provider.

     Well-prepared hackers

     Hackers pulling an SS7 attack can intercept text messages and calls of a legitimate recipient by updating the location of their device as if it registered to a different network (roaming scenario).

     The attack occurred in September and targeted at least 20 subscribers of the Partner Communications Company (formerly known as Orange Israel), all of them involved at a higher level in cryptocurrency projects.

     Tsachi Ganot, the co-founder of Pandora Security in Tel-Aviv, who investigated the incident and assisted victims with regaining access to their accounts, told BleepingComputer that all clues point to an SS7 attack. Pandora Security specializes in building secure digital environments and provides cyber technology and services for high-profile individuals such as prominent business figures and celebrities. According to Ganot, customers include some of the wealthiest people in the world.

     Ganot told us that the hackers likely spoofed the short message service center (SMSC) of a mobile network operator (unidentified at the time of writing) to send an update location request for the targeted phone numbers to Partner (other providers may still be vulnerable to this type of attack). The update request essentially asked Partner to send to the fake MSC all the voice calls and SMS messages intended for the victims.

     Ganot says that the attackers had good knowledge about their victims' various accounts and leaked passwords. They knew unique international subscriber numbers (MSISDN - Mobile Station International Subscriber Directory Number) and International Mobile Subscriber Identity (IMSI) numbers.

     SS7 attacks, while more frequent in the past years, are not easy to pull off and require good knowledge of how home mobile networks interact and route communication at a global level.

     In this case, the goal of the hackers was to obtain cryptocurrency. Ganot believes that some of the inboxes compromised this way acted as a backup method for other email accounts with richer data, allowing the threat actor to achieve their goal.

     “In some cases, the hackers posed as the victims in their [Telegram] IM accounts and wrote to some of their acquaintances, asking to exchange BTC for ETC and the like” - Tsachi Ganot

     This method is well known in the cryptocurrency community, and users are typically wary about such requests. Ganot says that “as far as we're aware no one fell for the bait.”

     Although sending verification codes over SMS is widely regarded as insecure in the infosec community, and for good reason, many services still rely on this practice, putting users at risk. Better authentication methods exist today than SMS or call-based 2FA authentication. Apps specifically created for this purpose or physical keys are among the solutions, Ganot says, also adding that telecom standards need to move away from legacy protocols like SS7 (developed in 1975), which cannot address modern issues.

     Israeli newspaper Haaretz published details about this attack earlier this month, saying that Israel's national intelligence agency (Mossad) and the country's National Cyber Security Authority were involved in the investigation. The publication also notes that Ganot and his partner (founders of Pandora Security) worked for the NSO for a few years.

     Source
  7. WASHINGTON (Reuters) - Hackers working for the Russian and North Korean governments have targeted more than half a dozen organizations involved in COVID-19 treatment and vaccine research around the globe, Microsoft said on Friday.

     The software company said a Russian hacking group commonly nicknamed “Fancy Bear” - along with a pair of North Korean actors dubbed “Zinc” and “Cerium” by Microsoft - were implicated in recent attempts to break into the networks of seven pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States.

     Microsoft said the majority of the targets were organizations that were in the process of testing COVID-19 vaccines. Most of the break-in attempts failed but an unspecified number succeeded, it added.

     Few other details were provided by Microsoft. It declined to name the targeted organizations, say which ones had been hit by which actor, or provide a precise timeline or description of the attempted intrusions.

     The Russian embassy in Washington - which has repeatedly disputed allegations of Russian involvement in digital espionage - said in an email that there was “nothing that we can add” to their previous denials. North Korea’s representative to the United Nations did not immediately respond to messages seeking comment. Pyongyang has previously denied carrying out hacking abroad.

     The allegations of cyber espionage come as world powers are jockeying behind the scenes in the race to produce a vaccine for the virus. They also highlight how Microsoft is pressing its case for a new set of global rules barring digital intrusions aimed at healthcare providers.

     Microsoft executive Tom Burt said in a statement his company was timing its announcement with Microsoft President Brad Smith’s appearance at the virtual Paris Peace Forum, where he would call on world leaders “to affirm that international law protects health care facilities and to take action to enforce the law.”

     Source
  8. FBI blames intrusions on improperly configured SonarQube source code management tools.

     The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.

     Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.

     The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments. SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.

     But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with default admin credentials (admin/admin). FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.

     Officials provided two examples of past incidents:

     "In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations' networks.

     "This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository."

     Forgotten problem resurfaces in 2020

     The FBI alert touches on a little known issue among software developers and security researchers. While the cyber-security industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed online without passwords, SonarQube has slipped through the cracks.

     However, some security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018. At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of all the ~3,000 SonarQube instances available online at the time had no password or authentication mechanism enabled.

     This year, a Swiss security researcher named Till Kottmann has also raised the same issue of misconfigured SonarQube instances. Throughout the year, Kottmann has gathered source code from tens of tech companies in a public portal, and many of these came from SonarQube applications.

     "Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube," Kottmann told ZDNet. "I don't know the current number of exposed SonarQube instances, but I doubt it changed much. I would guess it's still far over 1,000 servers (that are indexed by Shodan) which are 'vulnerable' by either requiring no auth or leaving default creds," he said.

     To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with altering the app's default configuration and credentials and then using firewalls to prevent unauthorized access to the app from unauthorized users.

     Source
  9. Over 1,200 organisations have fallen victim to a campaign that uses known exploits to remotely gain access to VoIP accounts - and the attackers are selling access to the highest bidder.

     A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.

     While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a stepping stone towards much more intrusive campaigns.

     Detailed by cybersecurity researchers at Check Point, one hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign. Other countries where organisations fell victim to these attacks include the Netherlands, Belgium, the United States, Colombia and Germany.

     The attacks exploit CVE-2019-19006, a critical vulnerability in Sangoma and Asterisk VoIP phone systems that allows outsiders to remotely gain access without any form of authentication. A security patch to fix the vulnerability was released last year, but many organisations have yet to apply it – and cyber criminals are taking advantage of this by scanning for unpatched systems.

     One of the most common means the hacked systems are exploited for is making outgoing calls without the VoIP system being aware, which would allow attackers to secretly dial premium rate numbers they've set up in order to generate money at the expense of the compromised organisation. And because businesses make so many legitimate phone calls on these systems, it'd be difficult to detect if a server is being exploited.

     The attackers also make money by selling access to the systems to the highest bidder, something that could potentially be used for other cyberattacks that could be more dangerous to victims. "It's likely that those attacks can be leveraged for other malicious activity such as cryptomining and for eavesdropping," said Middlemiss. And it's potentially possible for attackers to use a compromised VoIP system as a gateway to the rest of the network, opening up the possibility of stealing credentials or deploying malware.

     It's recommended that organisations change default usernames and passwords on devices so they can't easily be exploited and, if possible, analyse call billings on a regular basis for potentially suspicious destinations, volumes of traffic or call patterns. And most importantly, organisations should apply the required security patches to prevent known vulnerabilities from being exploited.

     Source
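The article above recommends reviewing call billing for suspicious destinations, volumes and patterns. The script below is an added example (not from Check Point or the article) that runs that review over constructed call detail records; the CDR column layout, the high-cost prefixes and the thresholds are assumptions to be replaced with your PBX's export format and your own traffic baseline.

```python
"""Toll-fraud indicators in VoIP call detail records (CDRs).

Added example, not from the Check Point report or the article above. The CDR
layout (timestamp, calling extension, dialled number, duration in seconds),
the premium-rate prefixes and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: one day of traffic, extension 417 shows a burst of
# long overnight calls to a satellite-range prefix (a classic fraud pattern).
SAMPLE_CDRS = """\
2020-11-04T09:12:03,201,+442071234567,184
2020-11-04T09:40:51,201,+442079876543,62
2020-11-04T10:05:11,305,+14155550123,301
2020-11-04T02:14:09,417,+88212345678,1200
2020-11-04T02:16:33,417,+88212345678,1180
2020-11-04T02:19:02,417,+88212345679,1205
2020-11-04T02:21:45,417,+88212345680,1190
2020-11-04T02:24:12,417,+88212345681,1211
2020-11-04T11:30:00,305,+49301234567,45
"""

# Assumed high-cost destination prefixes (satellite and premium-rate ranges
# are frequent toll-fraud targets); extend from your carrier's rate sheet.
HIGH_COST_PREFIXES = ("+882", "+881", "+4490", "+1900")
OFF_HOURS = range(0, 6)          # 00:00-05:59 local, assumed quiet period
MAX_OFF_HOURS_CALLS = 3          # per extension per day, assumed baseline
MAX_LONG_CALL_SECONDS = 900      # 15 minutes, assumed baseline


def parse_cdrs(text):
    """Parse CSV CDR lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, ext, dst, secs = parts
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "ext": ext,
                "dst": dst,
                "secs": int(secs),
            })
        except ValueError:
            continue  # unparsable timestamp or duration
    return records


def find_indicators(records):
    """Return (extension, reason) tuples that warrant a human review."""
    findings = []
    off_hours_count = defaultdict(int)
    for r in records:
        # Suspicious destination: premium-rate or satellite prefix.
        if r["dst"].startswith(HIGH_COST_PREFIXES):
            findings.append((r["ext"], f"high-cost destination {r['dst']}"))
        # Suspicious pattern: unusually long call (fraudsters keep lines open).
        if r["secs"] > MAX_LONG_CALL_SECONDS:
            findings.append((r["ext"], f"long call ({r['secs']}s) to {r['dst']}"))
        # Suspicious volume: count calls placed outside business hours.
        if r["ts"].hour in OFF_HOURS:
            off_hours_count[(r["ext"], r["ts"].date())] += 1
    for (ext, day), n in off_hours_count.items():
        if n > MAX_OFF_HOURS_CALLS:
            findings.append((ext, f"{n} off-hours calls on {day}"))
    return findings


def suspicious_extensions(text):
    """Extensions that triggered at least one indicator, sorted."""
    return sorted({ext for ext, _ in find_indicators(parse_cdrs(text))})


if __name__ == "__main__":
    for ext, reason in find_indicators(parse_cdrs(SAMPLE_CDRS)):
        print(f"extension {ext}: {reason}")
```

On the constructed sample only extension 417 is flagged; in production, feed the PBX's daily CDR export and tune the thresholds against a week of known-good traffic before alerting on them.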
  10. Late last month, Facebook disclosed a massive security vulnerability that it claimed affected some 50 million login tokens, but details were somewhat thin on its impact pending further investigation. In a blog post today, the results are in some ways better and worse. The company believes its initial estimate of 50 million compromised login tokens—it reset 90 million in total as a cautionary measure—was generous, and Facebook now believes the number of accounts impacted to be closer to 30 million. That’s the good news, if you can call it that. For 400,000 of the accounts, which these attackers used to seed the process of gathering login tokens, personal information, such as “posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations” and, in one instance, actual message content, were compromised. Of the 30 million ensnared in the attack, Facebook believes that for around half, names and contact information—meaning phone numbers, email addresses, or both—were visible to the attackers; 14 million of that pool had that same information scraped as well as myriad other personal details, which Facebook believes could contain any of the following: Facebook believes only 1 million of the total compromised accounts had no personal information accessed whatsoever. Beginning with a set of accounts controlled by the attackers, the exploit jumped from friends of those users to friends of friends, ballooning to the eventual total of 30 million accounts via an automated script. Facebook reaffirmed that third-party apps were not accessed using the stolen tokens, and that the vulnerability did not affect other services the company owns, like WhatsApp or Instagram. The vulnerability had existed in Facebook’s code since July of 2017, and resulted in “an unusual spike of activity” September 14 of this year. 
It would be almost two weeks before the activity was determined to be a legitimate attack, and to have the exploit patched. Facebook is working alongside the FBI, and according to remarks by Vice President of Product Management Guy Rosen this afternoon, the agency’s investigation appears to be ongoing. When asked if any pattern exists among the victims or who might have been behind the attack, Facebook cited an FBI request not to disclose such information. Rosen did state the company does not believe the attack was directly related to the upcoming U.S. midterm elections. According to Rosen, a tool in Facebook’s help center will now show users if they were affected and what information may have been exposed. Users will also see a “customized message” in the coming days to assist in preventative measures. Source
  11. As hacking and gaming communities continue to intersect, some hackers are selling access to botnets and likely stolen Fortnite, Spotify, and other online accounts on Instagram. Instagram isn’t only for exotic travel, pet, or food photos. Communities of hackers are also using the social network to sell stolen Spotify and Fortnite accounts, as well as access to botnets designed to launch distributed-denial-of-service (DDoS) attacks. The accounts highlight social media companies’ continuing issues with content moderation. In this case, Facebook, which owns Instagram, is having trouble preventing illegal content from being distributed on its platforms. In particular, some people on Instagram are advertising botnets they claim to be associated with Mirai, a network of internet of things-based devices that have been repurposed to attack websites and servers by spamming them with traffic. Some are selling botnets based on other code. “There is a lot of people in the community on Instagram,” Root Senpai, who sells various hacking-related goods on Instagram, told Motherboard in a message on Discord, a messaging platform popular among gamers. Caption: A screenshot of one of the Instagram posts advertising a botnet. Image: Instagram Screenshot The hackers themselves and their wares appear to be unsophisticated. One Instagram post, which includes an apparent photo of the hacker’s screen, claims to be selling access to a Mirai-based botnet, likely for attacking websites or other online services to try and slow them to a crawl. Several other users Motherboard found are selling access to other botnets, with one post advertising subscription-style plans for $5 to $80 a month (it is not immediately clear how powerful, or lackluster, these particular botnets may be.) When asked how they obtained this botnet, perhaps by hacking into computers themselves, Root Senpai declined to elaborate for “security reasons,” they said. 
Another account, using the name ghostttzzz, includes a screenshot of their botnet control panel, with the text “hmu [hit me up] for spots.” Some of the hackers are advertising these tools in normal Instagram posts, others are advertising them using the network’s Stories feature. Stolen accounts do generate interest from customers, “especially Fortnite accounts,” Root Senpai added. As the game skyrocketed in popularity, hackers have continually cracked into Fortnite accounts to sell, some of which come with rare character skins. As Kotaku reported in March, some hackers break into accounts to use the victim’s payment information to buy game upgrades, and then transfer them to other accounts. Indeed, much of the activity from the Instagram hacker accounts overlaps with gaming communities. Some accounts, as well as posting photos of their botnet control screens, share images from Fortnite or other online games. Some of the hackers appear to be young; Root Senpai said that “there are a lot of kids on Instagram that is [sic] willing to buy botnet spots, mostly kids that play on console.” “For me I just sell spots for fun and money because I am still to [sic] young to get a full job that can make a decent amount of money,” they added. Finding various accounts selling access to botnets and stolen accounts was fairly trivial. Many of them follow each other, making some form of hacker community on the platform. The scale of the issue is unclear, however: Motherboard focused on one particular collection of accounts that appear to interact with and follow each other. Root Senpai did describe people in the trade of these botnets and accounts as the “ig community.” Caption: A screenshot of one of the Instagram posts advertising Fortnite accounts. 
Image: Instagram Screenshot Instagram’s terms of service says users cannot “do anything unlawful, misleading, or fraudulent or for an illegal or unauthorized purpose.” That, an Instagram spokesperson confirmed to Motherboard, includes selling access to hacked computers or accounts. The spokesperson added that Instagram is investigating the issue and will take steps to remove content violating its terms. Motherboard did not share specific account names with Instagram. As we’ve argued before, it is not journalists’ job to act as content moderators for some of the world’s most powerful technology companies. Motherboard did share redacted screenshots with Instagram so it could see the sort of posts being shared by the hackers and provide a response. Instagram has to deal with all sorts of offensive or illegal content on its platform. Internal Instagram documents previously obtained by Motherboard showed some of the company’s enforcement strategies and policies for combating such content. “These are high intensity, prevalent abuse types that have led to PR fires on Instagram,” one of the documents for training moderators obtained by Motherboard reads, referring to terrorism and drug sales on its platform. At the time of writing, all of the accounts Motherboard found selling stolen accounts or access to botnets are still online. Source
  12. Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom. But Instagram is silent. “Your Instagram has been hacked,” the message sent to various high profile Instagrammers reads. If the victim doesn’t pay up a Bitcoin ransom, “we will have to delete your account within 3 hours,” the hackers’ message continues. Kevin Kreider, a fitness-focused Instagrammer from Los Angeles, told Motherboard that paying $100 in cryptocurrency didn’t save his account. The hackers still deleted it, and Kreider lost more than 100,000 followers and an important part of his social media focused business. Kreider eventually got his account back—it’s not clear how though, Instagram didn’t say—but Kreider is not the only person to fall victim to these hackers this month. The hackers have hijacked multiple targets’ accounts, with an apparent focus on ‘lifestyle’ accounts and other people who use Instagram for business. Instagram has not acted on requests for help from some of the victims. A second victim wrote on her personal website, “Instagram doesn’t care.” Kreider shared a slew of emails, screenshots, and receipts with Motherboard that detail the hacking and extortion episode. At first, someone identifying themselves as ‘Lana’ emailed Kreider under the pretence of being a press relations staffer from fashion company French Connection. They offered a sponsorship deal, and provided a link to their own Instagram account. That link, despite looking legitimate on the face of it, did not actually go to a real Instagram page. Instead, it redirected to a fake Instagram login portal designed to steal a target’s credentials. According to online records kept by Bit.ly, a link shortening service the hackers used, the link has been clicked 65 times at the time of writing, although it’s not clear if those are all victims. 
“I was at the gym going through my emails and thought it was an opportunity with a brand I respected and thought I could put on my Instagram, and when I saw that my Instagram [@kevin.kreider] disappeared from my app, my heart dropped to my stomach,” Kreider told Motherboard. The hackers were in. Shortly after using that fake Instagram login page, the hackers contacted Kreider demanding their ransom. Kreider paid the hackers just over $110 in Bitcoin, according to a receipt from Bitcoin exchange Coinbase Kreider shared with Motherboard. The hackers, it appears, still deleted his account, as it became unavailable. Lindsey Simon, another Instagram user and hacking victim, told Motherboard in an email she “kept in contact with the hacker while also getting help from a computer-savvy friend of mine. I ended up paying, but less than they were asking for. I stalled and sent small increments until my friend recovered my password.” Cassie Gallegos, a third apparent victim also focused on providing lifestyle content on Instagram, wrote in a blog post that she “had 57k followers that I had work tirelessly for, posting my own photography (that I was very proud of, and was my LIFE) along with my stories and adventures on traveling, living your best life, and being financially savvy.” Gallegos says she negotiated the hackers down to a “measly” $122, and she paid in bitcoin. The hackers still have control over her account, Gallegos wrote. Instagram’s response to the hacks and extortion campaigns has been mixed. All three victims said they contacted Instagram multiple times, resulting in either generic or seemingly automated responses. Simon only regained access through her friend’s help, and Gallegos’ account is still unavailable. After Motherboard contacted Instagram asking for comment on the hack of Kreider’s account, Kreider said he “got it back” although at the time of writing his account is not appearing in Instagram search results. 
It is not entirely clear if the events are connected, as Instagram has not responded to Motherboard’s requests for comment. A fourth victim wrote on her blog that Instagram did provide her access once again, but only after her fans and others pressured Instagram to do so in their own posts and messages. “I never heard from Instagram. Not one word. I don’t know how they fixed it,” that fourth victim, lifestyle blogger Anna Wood, wrote. A previous Motherboard investigation found, in a separate set of attacks, so-called SIM jackers have targeted people’s phone numbers to hijack valuable Instagram accounts. These attacks relied on tricking a telco into porting a victim’s number over to the hackers’ SIM card, so they can then intercept any two-factor authentication tokens. Instagram is doing more to help with account security though. Instagram recently introduced app-based two-factor authentication, which can stop a hacker from accessing an account even if they do manage to obtain a target’s password, and does not rely on using a mobile phone number. There is no indication that any of these victims had two-factor authentication enabled. An email sent to the hacker’s address went undelivered, with an error message saying no such address existed. However, Motherboard confirmed that the username “pumpams,” which the hacker used on a particular email service, was indeed in use. According to a screenshot a security researcher shared on Twitter, the scammer may be based in Ukraine. “I had an emotional breakdown. I had worked so hard to become an influencer, to make the life I wanted to be living, I had partnerships with Hotels.com, PierHouse Key West, Dick’s Sporting Goods, Living Proof lined up to name a few. GONE. ALL OF MY WORK WAS GONE,” Gallegos adds in her blog post. Source
  13. Imperva: Up to 77 percent of the sites we monitor were attacked by a Python-based tool. After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security biz Imperva. The company says more than a third of daily attacks against sites the company protects come from a malicious or legitimate tool coded in Python. Imperva says that around 77 percent of all the sites the company protects have been attacked by at least one Python-based tool. Furthermore, when the company looked at the list of tools that hackers used for their attacks, more than a quarter were coded in Python, by far the attackers' favorite tool. (Image: Imperva) "Hackers, like developers, enjoy Python's advantages which makes it a popular hacking tool," the Imperva team says. These advantages include an easy to pick up syntax, a breadth of online tutorials, and an extensive collection of libraries and other ready-made tools available in places like PyPI and GitHub. In fact, many of the Python tools attackers use have often been created for use inside legitimate apps, or by security researchers themselves, for use in testing their own systems against various vulnerabilities. But once these testing tools make it onto GitHub, they also enter the public domain, from where hackers deploy them in other ways than the ones for which they were initially created. Based on Imperva's data, the most abused legitimate Python tools are the "requests" and "urllib" libraries, two of the cornerstones of almost any Python web app. As for what hackers do with these things, Imperva's crew says they're attempting to exploit vulnerabilities like CVE-2017-9841 (PHPUnit), CVE-2015-8562 (Joomla), or CVE-2018-1000207 (ModX PHP CMS). 
The moral of this report is that if you have a web app, web server, or website exposed online, it's quite likely that some script kiddie is using a Python tool downloaded from GitHub to break into your server. Which, in hindsight, is no surprise, since Python is just as versatile as Java, but much easier to learn, for good and bad guys alike. Source
  14. Jobseekers' files follow internal records leaking online The United Nations has been hit with two damning data leak allegations in as many days. The global organization has seen researchers uncover a pair of flaws that had left a number of its records, and those of its employees, accessible to hackers online. Word of the first issue came out yesterday when security researcher Kushagra Pathak found that the UN had left an unsecured set of Trello, Jira and Google Docs projects exposed to the internet. Pathak, who has specialized in uncovering vulnerable Trello boards and web apps, said the exposed information included account credentials and internal communications and documents used by UN staff to plan projects. After stumbling onto the vulnerable Trello board, he was able to then get access to the Jira and Google Docs deployments where he harvested other sensitive data. Pathak privately reported the issue to the UN, which has since locked down the vulnerable web app instances. The second exposure was uncovered by researcher Mohamed Baset of Seekurity and resulted in the exposure of "thousands" of CVs submitted by job applicants. Baset reports that the UN failed to patch vulnerabilities in one of the WordPress CMS systems it uses to handle job applications. This would potentially allow anyone who chose to exploit the local path disclosure the ability to access the thousands of CVs people had submitted when they applied for a job with a UN agency. The vulnerability was reported to the UN in August, but after getting the full bureaucratic runaround, Baset decided to go public with the flaw this week, and share a proof of concept video: It wasn't all long faces at the UN this week, however. Members of the org had a moment of levity this morning when US President Donald Trump addressed the General Assembly. The Commander-in-Chief's boasts of historic accomplishments at the helm of America sparked chuckling and guffawing by foreign diplomats witnessing his speech... 
A nice chuckle was had by most. Meanwhile, at last estimate, Trump was custodian to some 4,000 nuclear warheads. Source
  15. “Oh, where’s that?” “2018. I live in 2018.” There are similar memes and jokes out there about fax machines because, outside of certain documents that are too time-sensitive for overnight delivery and require signatures, who sends faxes anymore? We might not be sending them, but if you have an all-in-one printer system, you probably have the fax option built in. You may have forgotten about it, but hackers haven’t. To them, your printer’s unused fax option is a new attack vector. The Forgotten Workstation Printers have long been an afterthought for security. Even as we spend more time focusing on IoT security, or securing mobile devices, or worrying about what else might be connected to the network, the printer sits in a dark corner, forgotten about until we need to make copies or it runs out of paper in the middle of a print job. And that’s a mistake. “The absence of printer security configuration management stems from a lack of awareness and recognition of the risks, a lack of visibility and a lack of control over large print fleets and the unavailability of a cost-effective, vendor-agnostic cybersecurity solution that works for the whole fleet,” said Jim LaRoe, CEO of Symphion, whose company released a white paper, “Securing the Forgotten Workstation.” “Large print fleets are too diverse (both in brand and geography) and dynamic (constantly changing) to rely on current print-industry approaches to print fleet management for printer security configuration management,” he noted. Another problem is that common print stream security software products, common enterprise security and data loss prevention (DLP) software don’t address printer security configuration management. Or, if the manufacturer does build security features into the printer system, they aren’t always activated, especially for functions that aren’t used. Such as the fax. This leaves printer devices vulnerable to attacks. 
The Faxploit While you may not use the fax function anymore, there are still millions of fax numbers in use. According to CSO, researchers from Check Point found “an attacker could send a malware-coded image file to the target. The fax machine portion of an all-in-one printer would then decode the image file and upload it to memory.” All they needed to do this was a fax number and an all-in-one device to dump malware into the network. One industry especially vulnerable is the healthcare industry, as it is one of the few industries that still uses faxing as a way to share documents quickly and efficiently. Often, information between doctors, insurance companies and patients or family members can’t wait for an overnight delivery and it can’t be sent via email. “Hackers are always trying to find new ways to get into hospital networks and cause nearly $13 million in damages for every breach,” said LaRoe. “With the widespread adoption of electronic health records (EHRs), more and more patient information is at risk and it is the responsibility of the CISO to protect these records. Unfortunately, many CISOs are currently unaware of a massive security risk to their network.” Can You Stop Faxploiting? Organizations can take proactive steps to protect their printers and fax machines by applying software updates and adding security measures so that only authorized persons can use the machines, said Heather Paunet, vice president of product management at Untangle. “However,” she noted, “fax machines generally have no authentication capabilities to stop a remote attacker from sending a fax.” If your organization must use fax machines, the best solution is to put the fax and printers on a separate network segment. “This mitigates any problems if a hacker does gain control of the printer or fax, as no other devices can be exploited,” Paunet said. 
Beyond that, existing security efforts provide only partial security for the print stream and enterprise because they omit printer security configuration management—the missing piece that exposes the entire enterprise to risk. Doing nothing puts the business at risk of a breach—and, in healthcare settings, at risk of HIPAA compliance issues. Replacing an entire printer fleet with new printers is expensive and won’t solve the problem of open ports. “New solutions must be offered, and printer manufacturers need to partner with security solution providers to solve the issue from a combined effort,” said LaRoe. “But first, everyone from the CISO to the CEO needs to recognize the magnitude of the problem that printer security has for hospitals and take action before the next very costly breach.” Source
  16. LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed. After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh. Dead Addict’s version of the story involves an employer who pushed him to apply for a patent — for which he was required to provide his full legal name. “The people who later doxxed me,” he said, using a term for publishing private information about someone, usually with malicious intent, “pointed to that patent.” Nico Sell managed to stay “ungoogleable,” she said, until around 2012, when, acting as chief executive of a secure-messaging company, Wickr, she felt she needed to become more of a public figure — if reluctantly. “My co-founders and I, we all drew straws,” she said, “and that was that.” I met Grifter, whose real name is Neil Wyler; Dead Addict, who, citing privacy concerns, spoke with me on the condition that I not share his real name; Nico Sell, which, while undeniably the name she uses publicly, may or may not be her legal name; and dozens of other self-described hackers in August at DEFCON, an annual hacking convention — one of the world’s largest — held in Las Vegas. A lion’s share of the media attention devoted to hacking is often directed at deeply anonymous (and nefarious) hackers like Guccifer 2.0, a shadowy online avatar — alleged to have been controlled by Russian military intelligence officers — that revealed documents stolen from the Democratic National Committee in 2016. 
And, to be sure, a number of DEFCON attendees, citing various concerns about privacy, still protect their identities. Many conceal their real names, instead using only pseudonyms or hacker aliases. Some wear fake beards, masks or other colorful disguises. But new pressures, especially for those who attend DEFCON, seem to be reshaping the community’s attitudes toward privacy and anonymity. Many longtime hackers, like Sell and Wyler, have been drawn into the open by corporate demands, or have traded their anonymity for public roles as high-level cybersecurity experts. Others alluded to the ways in which a widespread professionalization and gamification of the hacking world — as evidenced by bug bounty programs offered by companies like Facebook and Google, which pay (often handsomely) for hackers to hunt for and disclose cybersecurity gaps on their many platforms — have legitimized certain elements of the culture. “It’s probably fair to say that fewer and fewer people are hiding behind their handles,” said Melanie Ensign, a longtime DEFCON attendee who works on security and privacy at Uber. “A lot of hackers who have been around for a while — they have families and mortgages now. At some point, you have to join the real world, and the real world does not run on anonymity.” “This is a profession for a lot of people now,” she added. “And you can’t fill out a W-9 with your hacker handle.” DEFCON has grown exponentially since its founding in 1993, when Jeff Moss — or, as many of his hacker friends know him, The Dark Tangent, or simply DT — gathered about 100 of his hacker friends for a hastily assembled party. By contrast, this year’s convention, the 26th, drew some 27,000 attendees, including students, security researchers, government officials and children as young as 8. It’s difficult to characterize the conference without being reductive. 
One could describe all of its 28 constituent “villages” (including the Voting Machine Hacking Village, where attendees deconstructed and scrutinized the vulnerabilities of electronic voting machines, and the Lockpick Village, where visitors could tinker with locks and learn about hardware and physical security), offer a complete list of this year’s presentations (including one by Rob Joyce, a senior cybersecurity official at the National Security Agency), catalog its many contests and events (like the Tin Foil Hat Contest and Hacker Karaoke) and still not get at its essence. The ethos of DEFCON is perhaps best embodied by a gentleman I encountered in a hallway toward the end of the conference. He was wearing an odd contraption on his back, with wires and antennas protruding from its frame and with a blinking black box at its center. An agribusiness giant, he said, had recently heralded the impenetrability of the security systems built into one of its new computing components. He had obtained a version of it — how, he wouldn’t say — and, having now subjected it to the ever-probing DEFCON crowds, had disproved the company’s claims. “Turns out it’s not very secure after all,” he said with a grin, before vanishing around a corner. As with many of his early online friends, Moss’ foray into aliases was directly tied to his interest in hacking and phone phreaking (the manipulation of telecommunications systems) — “stuff that wasn’t really legal,” he said. Aliases provided cover for such activity. And every once in a while, he explained — if a friend let slip your name, or if you outgrew a juvenile, silly alias — you’d have to burn your identity and come up with a new name. “In my case, I had a couple previous identities,” he said, “but when I changed to The Dark Tangent, I was making a clear break from my past. I’d learned how to manage identities; I’d learned how the scene worked.” He also remembers when everything changed. 
During the dot-com boom, many hackers transitioned to “real jobs,” he said, “and so they had to have real names, too.” “My address book doubled in size,” he said with a laugh. “The thing I worry about today,” he added, taking a more serious tone, “is that people don’t get do-overs.” Young people now have to contend with the real-name policy on Facebook, he said, along with the ever-hovering threats of facial-recognition software and aggregated data. “How are you going to learn to navigate in this world if you never get to make a mistake — and if every mistake you do make follows you forever?” Philippe Harewood, 30, represents a relatively new class of hackers. He is ranked second on Facebook’s public list of individuals who have responsibly disclosed security vulnerabilities for the site in 2018. And while he maintains an alias on Twitter (phwd), a vast majority of his hacking work is done under his real name — which is publicized on and by Facebook. He also maintains a blog (again, under his real name) where he analyzes and discusses his exploits. For Harewood, maintaining his alias is partly about creating a personal brand — a retro nod, in a sense, to the era when using a hacker handle was a more essential element of the trade. But it also has practical advantages. “People want to reach out all the time,” he said. “And I’m still not all that comfortable communicating with people on my Facebook profile, under my real name.” “In a way,” he said, “it just helps me filter my communications.” In the wake of the Cambridge Analytica scandal, Facebook expanded its existing bug bounty with a program that specifically targets data abuse. And just last week the company again widened the scope to help address vulnerabilities in third-party apps. 
Such efforts — coupled with the rise in recent years of companies like Bugcrowd and HackerOne, which mediate between hackers and companies interested in testing their online vulnerabilities — have created a broader marketplace for hackers interested in pursuing legitimate forms of compensation. Like Harewood, 11-year-old Emmett Brewer, who garnered national media attention at this year’s DEFCON by hacking a mock-up of the Florida state election results website in 10 minutes, also alluded to the marketing appeal of his alias, p0wnyb0y. “I came up with it a couple years ago, when I first got included in a news article,” he said. “I think an alias helps you get more recognition — sort of like how The Dark Tangent has his.” “P0wnyb0y is shorter and catchier than my name,” he added. “And it just seems a lot cooler.” Emmett said his involvement with DEFCON — he has attended for several years, accompanied by his father — has left him skeptical about the degree to which his peers share things online. “My friends put everything up on the internet,” he said, “but I’m more mindful.” Still, he said he wasn’t invested in keeping his real name separate from his alias. “I don’t see it as the end of the world” if people can easily link the two, he said. “But some other people take that stuff more seriously.” That’s not to say, though, that the younger generations of hackers are all comfortable operating so openly. Sell’s daughter, who spoke with me on the condition that I refer to her by her hacking handle, CyFi, was especially guarded about her identity. “When I was 9, I discovered a class of zero-day vulnerabilities,” said CyFi, 17, referring to software bugs that developers are unaware of. She ultimately disclosed the bugs, she added, “but I didn’t want to risk being sued by all those companies — so hiding my identity was the best way to go.” As with Emmett, CyFi is wary of her generation’s penchant for oversharing online. 
“My friends have definitely been frustrated with my lack of social media,” she said. “But the less data there is about you out in the world, the less people can try to mess with you.” One of the most intriguing aspects of DEFCON is the relationship between the hacker community and the attendees from the federal government, the complexities of which have ebbed and flowed over time. For many years, the tension resulted in a cat-and-mouse game called “Spot the Fed.” “In the early days, if a fed got spotted, it was pretty consequential,” Moss said. “Later on, they were outing each other,” he said with a laugh — because they wanted the T-shirt granted to both the fed and the person who outed them. Linton Wells II, a former principal deputy to the assistant secretary of defense for networks and information integration, began attending DEFCON around 2003. He now volunteers as a “goon” — the term for the volunteers (roughly 450 this year) who help organize and run the conference. Wells said governmental officials who attend DEFCON fall into one of three categories. “One was the people who openly announced they were feds — either speakers who announced their affiliations, or there was a Meet the Fed panel,” he said. “There were others who wouldn’t deny it if you asked them, but who didn’t go out of their way to advertise it. And then there were those who were either officially or unofficially undercover.” The relationship hasn’t always been contentious, he added, noting that, in 2012, Keith Alexander, who was then director of the NSA, “came out here and spoke in a T-shirt and bluejeans.” Less than a year later, though, after the Edward Snowden leak, things soured. “For the next couple years,” Wells said, “the feds were — well, if not uninvited, then at least tacitly not particularly welcome.” Joe Grand, who for many years operated under his alias, Kingpin, understands the complexities of the relationship as well as anyone. 
Twenty years ago, in May 1998, Grand was one of seven computer hackers who testified before a congressional panel that included Sens. John Glenn, Joseph Lieberman and Fred Thompson. The hackers, members of a collective called L0pht (pronounced “loft”), had recently boasted that they could shut down the internet in 30 minutes, and lawmakers had taken notice. “Due to the sensitivity of the work done at the L0pht,” Thompson explained in his opening remarks — haltingly, as if for effect — “they’ll be using their hacker names of Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan and Stefan.” Chuckles echoed through the room. Until then, staff members had told the L0pht hackers, the only witnesses to testify while using aliases had been members of the witness protection program. “I hope my grandkids don’t ask me who my witnesses were today,” Thompson added, to another chorus of laughter. “It probably helped their agenda — by having these kids show up with fake names,” said Grand, who sat for an interview at DEFCON. “It probably made it that much more intriguing.” “But using our handles,” he added, “was our natural way of communicating. And having that protection, it felt good. We were putting ourselves out there as hackers communicating with the government — which, at the time, was not something you did.” As with many longtime hackers, Grand — who became widely known after appearing on a Discovery Channel show called “Prototype This!” — has grown more comfortable operating in the open. But he still appreciates the value of anonymity. “Hiding behind a fake name doesn’t mean you’re doing something malicious, and it doesn’t mean you’re a bad person,” he said. 
“It means you’re trying to protect your privacy.” “And, in this day and age, you need to,” he added, “because everywhere you look, your privacy is being stripped away.” Keren Elazari, a cybersecurity expert whose 2014 TED Talk has been viewed millions of times, expressed a similar sentiment — that hackers, by fighting to maintain their anonymity, can help push back against the trends of eroding online privacy. But she also described what she calls a “maturing of the industry and the community.” “More and more people who started hacking in the ‘90s are now becoming icons and thought leaders — and, most importantly, role models for the younger generations of hackers,” she said. To help guide younger generations, elder hackers can often still use nicknames, she added. “But sometimes it makes it more powerful when they can speak up in their own voices.” Source
  17. A hacker has targeted and released private data on German chancellor Angela Merkel and other senior German lawmakers and officials. The data was leaked from a Twitter account, since suspended, and included email addresses, phone numbers, photo IDs and other personal data on hundreds of senior political figures. According to a government spokesperson, there was no “sensitive” data from the chancellor’s office, but other lawmakers had more personal data stolen. Other portions of the leaked data included Facebook and Twitter passwords. Some had their credit card information stolen, and chat logs and private letters published in the breach. Germany’s Federal Office for Information Security said in a statement that it was “extensively investigating” the breach, but does not believe there was an attack on the government’s networks. It’s been reported that the hacker may have obtained passwords to access social media accounts. Often, hackers do this by tricking a phone company into “porting out” a person’s phone number to another SIM card, allowing them to password reset accounts or obtain two-factor codes. The hacker leaked data on senior lawmakers across the political spectrum, but noticeably absent were accounts for the country’s far-right Alternative for Germany party. The hack is reminiscent of a data breach involving the Democratic National Committee in 2016, which targeted the Democrats in the U.S. in the months running up to the U.S. presidential election. The U.S. government later attributed the hack to Russia, which prosecutors say tried to influence the election to elect Donald Trump to the White House. The Justice Department brought charges against seven suspects earlier this year for being part of the so-called “Fancy Bear” group of hackers, working on behalf of the Russian government. Little is known about who is behind the leak of German lawmakers’ data. 
The German government has not speculated about who — or if a nation state — may have been behind the attack. But the alleged hacker said in a statement linked from their Twitter account that they “operated alone and does not belong to any organization or similar on Twitter.” According to security experts who’ve seen portions of the data, the hacker spread the stolen information across several sites and mirrors, making it “really hard to take down.”
This data leak has so much data squirrelled away to avoid takedowns. It must have required many man hours of uploading.
– 70 mirrors of the download links
– 40 d/l links, each with 3-5 mirrors
– 161 mirrors of data files
Plus the tweets, blog posts, mirrors of mirror links.
— the grugq (@thegrugq) January 4, 2019
Germany’s minister for justice Katarina Barley called the breach a “serious attack,” one that aimed to “damage confidence in our democracy and institutions,” according to the BBC. It’s not the first time that the German parliament has faced security issues. In 2015, attackers stole gigabytes of data on lawmakers, a breach that Germany’s domestic spy agency later blamed on Russia. Russia has repeatedly denied launching cyberattacks. Source
  18. Hackers Broke Into Real News Sites to Plant Fake Stories A disinfo operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO. Over the last few years, online disinformation has taken evolutionary leaps forward, with the Internet Research Agency pumping out artificial outrage on social media and hackers leaking documents—both real and fabricated—to suit their narrative. More recently, Eastern Europe has faced a broad campaign that takes fake news ops to yet another level: hacking legitimate news sites to plant fake stories, then hurriedly amplifying them on social media before they're taken down. On Wednesday, security firm FireEye released a report on a disinformation-focused group it's calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March of 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they've posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content. That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. 
“They’re spreading these stories that NATO is a danger, that they resent the locals, that they’re infected, that they’re car thieves,” says John Hultquist, director of intelligence at FireEye. “And they’re pushing these stories out with a variety of means, the most interesting of which is hacking local media websites and planting them. These fictional stories are suddenly bona fide by the sites that they’re on, and then they go in and spread the link to the story.” FireEye itself did not conduct incident response analysis on these incidents, and concedes that it doesn't know exactly how the hackers are stealing credentials that give them access to the content management systems that allow posting and altering news stories. Nor does it know who is behind the string of website compromises, or for that matter the larger disinformation campaign that the fake stories are a part of. But the company's analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort. FireEye's Hultquist points out that the campaign doesn't seem financially motivated, indicating a political or state backer, and notes that the focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement. Nor would it be the first time that Russian hackers planted fake news stories; in 2017 US intelligence agencies concluded that Russian hackers breached Qatar's state news agency and planted a fake news story designed to embarrass the country's leader and cause a rift with the US, though US intelligence never confirmed the Kremlin's involvement. "We can’t concretely tie it to Russia at this time, but it’s certainly in line with their interests," Hultquist says of the Ghostwriter campaign. 
"It wouldn’t be a surprise to me if this is where the evidence leads us."
[Image caption: Two false stories planted on the Lithuanian news site Kas Vyksta Kaune, one about a planned NATO invasion of Belarus (left) and another about German soldiers desecrating a Jewish cemetery, including a photoshopped image that shows a military vehicle with a German flag.]
[Image caption: False news stories planted on the Baltics-focused news sites The Baltic Course and The Baltic Times claim a US armored vehicle ran over and killed a Lithuanian child (left) and that the first Covid-19 patient in Lithuania is a U.S. soldier who had previously “visited public places and participated in city events with child and youth participation.”]
In June of 2018, for instance, the English-language, Baltics-focused news site the Baltic Course published a story claiming that a US Stryker armored vehicle had collided with a Lithuanian child on a bicycle, killing the child "on the spot." The same day, the Baltic Course posted a notice to the site that "hackers posted this news about the deceased child, which is FAKE!!! We thank our vigilant Lithuanian readers who reported on our Facebook page about fake new on site. We strengthened security measures." A few months later, the Lithuanian news site Kas Vyksta Kaune published a story stating that "NATO plans to invade Belarus," showing a map of how NATO forces in Polish and Baltic countries would enter the neighboring country. Kas Vyksta Kaune later acknowledged that the story was fake, and planted by hackers. Someone had used a former employee's credentials to gain access to the CMS. Then in September of last year, another fake story was posted to the site about German NATO soldiers desecrating a Jewish cemetery, including what FireEye describes as a photoshopped image of a military vehicle with a German flag visible behind the cemetery. 
More recently, the fake stories have attempted to exploit fears of Covid-19. One story posted to both Kas Vyksta Kaune and the English-language Baltic Times in January claimed that the first Covid-19 case in Lithuania was a US soldier who was hospitalized in critical condition, but only after he "visited public places and participated in city events with child and youth participation," according to the Baltic Times version of the story. In April and May of this year, the focus turned toward Poland: A fake story was posted across several Polish news sites in which a US official disparaged local Polish forces as disorganized and incompetent. This time the campaign went even beyond news sites. A fake letter from a Polish military official was posted to the Polish Military Academy website, calling on the Polish military to cease military exercises with the US, decrying the US "occupation" of Poland and calling the exercises an "obvious provocation" of Russia. The Polish government quickly called out the letter as fake. FireEye's finding that all of those operations to plant fake news were carried out by a single group comes on the heels of a report from the New York Times that Russia's military intelligence agency, the GRU, has been coordinating the publication of disinformation on sites like InfoRos, OneWorld.press and GlobalResearch.ca. US intelligence officials speaking to the paper said that disinformation campaign, which included false reports that Covid-19 originated in the US, was specifically the work of the GRU's "psychological warfare unit," known as Unit 54777. Given the GRU's role in meddling in the 2016 presidential election, including its hack-and-leak operations against the Democratic National Committee and the Clinton Campaign, any GRU role in more recent disinformation raises fears that they may be targeting the 2020 election as well. 
While FireEye has made no such claims that the Ghostwriter news site compromises were the work of the GRU, Hultquist argues that the incidents in Poland and the Baltics should nonetheless serve as a warning. Even if false stories are spotted quickly and taken down, they could have a significant, temporary effect on public opinion, he warns. "My concern is that we could see this sort of compromised media tactic in the West and even during the election. It’s a perfect sort of last-minute tactic," Hultquist says. "Once the genie is out of the bottle, can you get it back in? Can you make enough people understand this is some foreign power that’s pushed this story? It may be too late." Hackers Broke Into Real News Sites to Plant Fake Stories
  19. Hackers Could Use IoT Botnets to Manipulate Energy Markets With access to just 50,000 high-wattage smart devices, attackers could make a bundle off of causing minor fluctuations. On a Friday morning in the fall of 2016, the Mirai botnet wreaked havoc on internet infrastructure, causing major website outages across the United States. It was a wake-up call, revealing the true damage that zombie armies of malware-infected gadgets could cause. Now, researchers at the Georgia Institute of Technology are thinking even farther afield about targets that botnets could someday disrupt—such as energy markets. At the Black Hat security conference on Wednesday, the researchers will present their findings, which suggest that high-wattage IoT botnets—made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats—could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags. 
"Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he’s basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage." An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen. Unlike regular IoT botnets that are ubiquitous and available for hire on criminal forums, high-wattage botnets are not as practical to amass. None are known to be available for rent by would-be attackers. But over the past couple of years, researchers have begun investigating how they could be weaponized—one example looked at the possibility of mass blackouts—in anticipation that such botnets will someday emerge. Meanwhile, the idea of energy market manipulation in general is not far-fetched. The US Federal Energy Regulatory Commission investigated 16 potential market manipulation cases in 2018, though it closed 14 of them with no action. Additionally, in mid-May, attackers breached the IT systems of Elexon, the platform used to run the United Kingdom's energy market. The attack did not appear to result in market changes. The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack. 
In contrast, many current criminal IoT botnets contain millions of bots. Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. The idea is to maximize strategic moments that both capitalize on market conditions and help maintain a low profile. The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed. For hackers, the rewards could be significant. The researchers calculated that by running an attack for three hours per day, 100 days per year, market manipulators could take home as much as $24 million a year. And a determined saboteur could use the same type of attacks to cause as much as $350 million per year in economic damage. It's difficult to know, though, how such attacks would actually play out in practice. For example, the researchers assumed that only one attacker at a time would be attempting botnet-driven market manipulation campaigns in a given region. Multiple actors attempting the same scam in the same place could degrade their returns or make it more likely that they'd get caught. The research also assumes both the existence of high-wattage IoT botnets and that they would be consistent and predictable platforms. Still, the fact that such attacks were relatively easy to conceive and model indicates that they could be crazy enough to work someday. The researchers emphasize that their goal is to promote prevention and defense before that happens. They suggest that high-wattage IoT devices should include some type of real-time monitoring that could flag suspicious use potentially consistent with a malware infection. And they suggest that energy markets revisit how much granular and constantly updating load data they need to release publicly. 
Limiting that access wouldn't make it impossible for attackers to get their hands on the data, but it would add a barrier to entry. "It's an example of how the threat landscape changes in unexpected ways," says Beyah, who also cofounded the industrial-control security firm Fortiphyd Logic. "Who would have thought that my washing machine or stationary bike could be the foundation of a completely new type of attack?" Hackers Could Use IoT Botnets to Manipulate Energy Markets
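The researchers' defensive suggestion above, real-time monitoring that flags device use consistent with a malware infection, is the kind of thing a device vendor's fleet telemetry could implement. The following is an added example written for this page; it is not code from the article or from the Georgia Tech research, and every device, threshold and reading in it is constructed. It builds a per-device, per-hour power baseline from a week of hourly samples, then flags two patterns on a later day: a device drawing heavy power in an hour where its own history says it is idle, and several devices switching on in the same hour while their baselines say they should be idle, which is what a coordinated botnet draw would look like from the vendor's side.

```python
"""Toy fleet-side anomaly detector for high-wattage IoT devices (added example).

All telemetry is constructed: 6 devices, hourly readings, 7 baseline days of
normal evening use, then a day on which four of them run at 02:00-04:00.
"""
from collections import defaultdict
from statistics import mean

QUIET_WATTS = 100     # below this a device counts as idle (constructed threshold)
ACTIVE_WATTS = 1000   # at or above this a device counts as drawing (constructed)


def make_telemetry():
    """Constructed hourly samples as (device_id, day, hour, watts)."""
    rows = []
    for dev in range(6):
        for day in range(8):
            for hour in range(24):
                watts = 1500 if 18 <= hour <= 22 else 5   # normal evening heating/cooling
                if day == 7 and dev < 4 and 2 <= hour <= 4:
                    watts = 1500                           # constructed night-time burst
                rows.append((f"dev{dev}", day, hour, watts))
    return rows


def hourly_baseline(rows, baseline_days):
    """Mean watts for each (device, hour) over the baseline days."""
    buckets = defaultdict(list)
    for dev, day, hour, watts in rows:
        if day in baseline_days:
            buckets[(dev, hour)].append(watts)
    return {key: mean(vals) for key, vals in buckets.items()}


def flag_off_hours_draw(rows, baseline, day):
    """(device, hour) pairs on `day` drawing heavy power in an hour the device
    is normally idle. A device with no baseline for that hour is treated as idle."""
    return sorted(
        (dev, hour)
        for dev, d, hour, watts in rows
        if d == day
        and watts >= ACTIVE_WATTS
        and baseline.get((dev, hour), 0) < QUIET_WATTS
    )


def flag_synchronized_switch_on(rows, baseline, day, min_devices=3):
    """Hours on `day` in which at least `min_devices` went idle -> active in the
    same hour while their baseline says they should be idle. Returns {hour: [devices]}.
    The baseline check is what keeps a normal, scheduled evening switch-on from
    being reported as an incident."""
    prev = {}                      # last reading seen per device
    switched = defaultdict(list)
    for dev, d, hour, watts in sorted(rows, key=lambda r: (r[1], r[2], r[0])):
        if d > day:
            break
        was_idle = prev.get(dev, 0) < QUIET_WATTS
        if (d == day and was_idle and watts >= ACTIVE_WATTS
                and baseline.get((dev, hour), 0) < QUIET_WATTS):
            switched[hour].append(dev)
        prev[dev] = watts
    return {h: devs for h, devs in switched.items() if len(devs) >= min_devices}


if __name__ == "__main__":
    rows = make_telemetry()
    base = hourly_baseline(rows, range(7))
    print("off-hours draws on day 7:", flag_off_hours_draw(rows, base, 7))
    print("synchronized switch-ons on day 7:", flag_synchronized_switch_on(rows, base, 7))
```

On the constructed data, day 6 (all devices switching on together at 18:00, as they do every evening) produces no alerts, while day 7 reports the four devices running at 02:00-04:00 and the 02:00 hour as a synchronized switch-on. A real deployment would need a longer baseline, per-device-type thresholds instead of the two constants here, and a decision about whether the vendor or the grid operator is the party that acts on the alert.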
  20. Government says hackers breached 30 computers and stole data from 10. Hackers have breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country's military forces. The hack took place in October 2018. Local press reported this week [1, 2, 3] that hackers breached 30 computers and stole internal documents from at least ten. The breached organization is South Korea's Defense Acquisition Program Administration (DAPA), an agency within the Ministry of National Defense. It is believed that the stolen documents contain information about arms procurement for the country's next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack. Reports claim that hackers gained access to the server of a security program installed on all government computers. Named "Data Storage Prevention Solution," the app is installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. According to reports, hackers gained admin access to the software's server and used it to siphon documents from connected workstations. The country's intelligence agency (NIS, National Intelligence Service) investigated the breach in November and reported its findings to government officials, who disclosed the cyber-attack to the public this week. Government officials didn't pin the blame on North Korean hackers, as they usually do, although it wouldn't surprise anyone if they did, as North Korea has often launched cyber-espionage and intelligence collection operations against its southern neighbor. For example, in October 2017, South Korea accused North Korea of hacking and stealing the South's secret joint US war plans, which included detailed plans to attack the North in case diplomatic relations deteriorated to a point where military action was needed. Source
  21. Ukrainian Police have this week busted two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively. According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers. The suspects carried out their attacks by scanning for vulnerable computers on the Internet and infecting them with a custom Trojan malware to take full remote control of the systems. The group then apparently enabled key-logging on the infected computers in an attempt to capture the banking credentials of victims when the owners of those infected computers filled in that information on any banking site or their digital currency wallet. Once they had hold of the victims' banking and financial data, the attackers logged into their online banking accounts and transferred the funds or cryptocurrencies to accounts controlled by the attackers. Besides stealing money, the suspects also left a backdoor on the victims' computers for further control, so that they could use them in the future for carrying out other illicit activities. Criminal proceedings against all four people have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.
Two Ukrainian DDoS Hackers Arrested
In a separate press release, Police today announced the arrest of two other hackers, 21 and 22 years old, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions. 
According to the authorities, the duo developed two DDoS hacking tools which they used to send hundreds of automatic queries to their targeted regional information resources every second, eventually making their service unavailable. The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which includes unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks. Source
  22. These are the top ten security vulnerabilities most exploited by hackers But one simple thing could help stop the vast majority of these attacks, say researchers. Security vulnerabilities in Microsoft software have become an even more popular means of attack by cyber criminals - but an Adobe Flash vulnerability still ranks as the second most used exploit by hacking groups. Analysis by researchers at Recorded Future of exploit kits, phishing attacks and trojan malware campaigns deployed during 2018 found that flaws in Microsoft products were the most consistently targeted during the course of the year, accounting for eight of the top ten vulnerabilities. That figure is up from seven during the previous year. Patches are available for all the flaws on the list - but not all users get around to applying them, leaving themselves vulnerable. Microsoft is the most common target, likely because its software is so widely used. The top exploited vulnerability on the list is CVE-2018-8174. Nicknamed Double Kill, it's a remote code execution flaw residing in Windows VBScript which can be exploited through Internet Explorer. Double Kill was included in four of the most potent exploit kits available to cyber criminals – RIG, Fallout, KaiXin and Magnitude – and they helped deliver some of the most notorious forms of banking trojan and ransomware to unsuspecting victims. But the second most commonly observed vulnerability during the course of the year was one of only two which didn't target Microsoft software: CVE-2018-4878 is an Adobe Flash zero-day first identified in February last year. An emergency patch was released within hours, but large numbers of users didn't apply it, leaving them open to attacks. CVE-2018-4878 has since been included in multiple exploit kits, most notably the Fallout Exploit Kit which is used to power GandCrab ransomware – the ransomware remains prolific to this day. 
Adobe exploits used to be the vulnerabilities most commonly deployed by cyber criminals, but criminals appear to be moving away from them as we get closer to 2020. Third in the most commonly exploited vulnerability list is CVE-2017-11882. Disclosed in December 2016, it's a security vulnerability in Microsoft Office which enables arbitrary code to run when a maliciously-modified file is opened – putting users at risk of malware being dropped onto their computer. The vulnerability has come to be associated with a number of malicious campaigns including the QuasarRAT trojan, the prolific Andromeda botnet and more. Only a handful of vulnerabilities remain in the top ten on a year-on-year basis. CVE-2017-0199 – a Microsoft Office vulnerability which can be exploited to take control of an affected system – was the exploit most commonly deployed by cyber criminals in 2017, but slipped to fifth in 2018. CVE-2016-0189 was the top-ranked vulnerability of 2016 and second-ranked of 2017, and still features among the most commonly exploited. The Internet Explorer zero-day is still going strong almost three years after it first emerged, suggesting there's a real issue with users not applying updates to their browsers. Applying the appropriate patches to operating systems and applications can go a long way to protecting organisations against some of the most commonly deployed cyber attacks, as can having some intelligence on the potential risks posed by cyber attackers. "The biggest take-away is the importance of having insight into vulnerabilities actively sold and exploited on underground and dark web forums," Kathleen Kuczma, sales engineer at Recorded Future, told ZDNet. 
"Although the ideal situation would be to patch everything, having an accurate picture of which vulnerabilities are impacting a company's most critical systems, paired with which vulnerabilities are actively exploited or in development, allows vulnerability management teams to better prioritize the most important places to patch," she added. The only non-Microsoft vulnerability in the list aside from the Adobe vulnerability is CVE-2015-1805: a Linux kernel vulnerability which is often used to attack Android smartphones with malware. The top ten most commonly exploited vulnerabilities – and the software they target – according to the Recorded Future Annual Vulnerability report are:
CVE-2018-8174 – Microsoft
CVE-2018-4878 – Adobe
CVE-2017-11882 – Microsoft
CVE-2017-8750 – Microsoft
CVE-2017-0199 – Microsoft
CVE-2016-0189 – Microsoft
CVE-2017-8570 – Microsoft
CVE-2018-8373 – Microsoft
CVE-2012-0158 – Microsoft
CVE-2015-1805 – Google Android
Source
  23. As the 2020 election looms and legislation to secure voting machines languishes, politicians head to the largest hacking conference in the world for help. For two years in a row, hackers at Defcon have demonstrated that voting machines currently in use in US elections have serious security issues. With the 2020 US presidential election quickly approaching, lawmakers who want to fix those vulnerabilities are heading to the Las Vegas hacking conference, which starts Thursday, to see them in person. Many lawmakers have wanted to pass an election security bill since the race for the White House in 2016, when Russian hackers interfered with the election. A Senate Intelligence Committee report released in late July detailed how the hackers likely targeted election systems in all 50 states. In states such as Illinois and Florida, they were successful. While there's no evidence that any votes were tampered with during the 2016 election, hackers have shown plenty of proof that the voting machines being used are vulnerable to attacks. Lawmakers like Sen. Ron Wyden, a Democrat from Oregon, have proposed legislation to improve election security to make sure these vulnerabilities wouldn't affect future voters. "White hat hackers do an invaluable public service in this technologic age by identifying security holes and, if necessary, shaming the government or the companies responsible into fixing them," Wyden said in a statement. "The success of the Voting Village -- in which public demonstrations of voting machine flaws by hackers at Defcon quickly convinced officials in Virginia to promptly move to paper-based voting systems -- is a prime example of how the computer security community has positively impacted public policy and protected our national security." Despite those efforts, Congress hasn't been able to pass an election security bill. 
Senate Majority Leader Mitch McConnell, a Republican from Kentucky, blocked two election security bills in July, calling it "partisan legislation." This comes after former special counsel Robert Mueller warned Congress last month that Russia would continue its efforts to hack US elections, telling lawmakers, "They're doing it as we sit here." Along with Wyden, Rep. Eric Swalwell, a Democrat from California, will also be at the Voting Village at the hacker conference. There, hackers and election security experts will have an opportunity to explain to lawmakers what policies are needed to keep voters safe from hackers. "The overwhelming interest we are seeing from government leaders demonstrates that securing our democracy is a national security priority and we need policy solutions that address the concerns brought to light each year by this Village," Voting Village co-founder Harri Hursti said in a statement. This is the first year that Defcon has volunteers specifically to help politicians integrate with hackers and learn about issues in cybersecurity. The outreach could potentially affect proposed legislation that would keep cities, elections and devices secure for years to come. Rep. Ted Lieu, a Democrat from California and Rep. Jim Langevin, a Democrat from Rhode Island, will also be at the hacking convention to learn how policymakers can affect future legislation on cybersecurity. "I became one of the first members of Congress to attend Defcon when I spoke two years ago about how security researchers have shaped my work," Langevin said in a statement. "I know firsthand the incredible value and knowledge the Defcon community can offer to policymakers. I'm looking forward to returning to the conference this year to keep the lines of communication open."
A new machine
Lawmakers at the Voting Village will be able to see a prototype of a $10 million DARPA-funded open source voting machine, designed to prevent hackers from tampering with people's votes. 
The project is headed by Galois, a government contractor that DARPA awarded in March. Since then, Galois has also worked with Microsoft to develop ElectionGuard, software for voting machines to verify ballots. While in both years that the Voting Village has existed, hackers were able to find vulnerabilities, Galois is aiming to bring the first voting machine that hackers at Defcon can't crack. But even if hackers do find vulnerabilities with the prototype, which its creators expect to happen, it's a win-win. "There's an ambition that this demonstration will not have vulnerabilities comparable to what's in the room," Joe Kiniry, a principal scientist at Galois, said in an interview. "But of course, the point of the exercise is to learn. If they do find flaws, it helps the researchers put on a different thinking cap and adjust their work over the next 2.5 years while this project continues." Galois's machine reads votes on paper, and verifies that the vote is valid through scans. It'll be equipped with a secure CPU that Galois created, designed to prevent against common attacks that other voting machines have fallen to in previous Voting Villages. Kiniry said the team has been looking at voting machines for nearly two decades, learning from past mistakes. This prototype, he said, goes beyond normal voting machine standards. "We're building things that aim to have a security profile comparable to the work we do for the Department of Defense and intelligence agencies," Kiniry said. "Showing that we can do that for a voting system, we hope will show the world that it is really possible to raise the bar." The project is open-source, so that voting machine vendors can adopt the security features for its own devices in future elections. If successful, lawmakers will be able to see this technology as another step for election security legislation. Source
  24. But they didn’t cover their tracks

Recently, The Verge reported on a string of ransomware attacks that have hit cities including Baltimore; Atlanta, Georgia; Newark, New Jersey; and 22 Texas towns. Even The Weather Channel has fallen victim. But before those attacks, there was an attack on the nation’s capital, days before the presidential inauguration.

An article from The Wall Street Journal details how hackers Alexandru Isvanca and Eveline Cismaru seized control of Washington, DC’s surveillance cameras right before Trump’s inauguration. The piece is full of twists and turns, from the small-time beginnings of the hackers’ scamming careers to them eventually turning on each other. The story contains a lot of colorful details about the pair. Here are some highlights:

• The hackers weren’t initially trying to hit DC police cameras. They caught a break after sending out hundreds of thousands of emails containing ransomware to a list of addresses purchased on the dark web — it just so happened that at least one was connected to DC police. In the end, they controlled 126 out of 186 DC police computers, which in turn controlled the surveillance cameras.

• Isvanca and Cismaru led authorities straight to a smoking gun. Well, at least a barbecuing device called a smoking gun. It turns out the pair used that same hacked DC police computer in a separate Amazon scam Cismaru was running. She ordered a smoking gun, and the tracking number showed up on the police computer, allowing authorities to see and raid the package’s destination.

• Isvanca didn’t do a great job of covering his tracks either. He ordered pizza using the same email address he used to hack the computers.

• Cismaru said that hacking into the capital’s surveillance system was easy. “Americans are stupid,” she said in a text to The Wall Street Journal.

You can read the rest of the fascinating details in the full story here.
Source: Hackers hijacked the capital’s surveillance cameras days before Trump’s inauguration and said it was easy (via The Verge)