Showing results for tags 'hacking'.

  1. Hey guys, I just wanna share something with you to see if someone can help me because I am frustrated. My Facebook and Instagram accounts were hacked for the 4th time this month. When it first happened, I created a new Hotmail account and linked it with both my Facebook and Instagram profiles because my original Hotmail was also hacked. 2-step verification was enabled for both social media accounts but still didn't protect me. After the second and the third time, I became convinced that someone had access to my phone or laptop, so I reset both of them. After each hack I recovered my accounts using my phone number. Last night was the fourth time, so instead of recovering and re-using them I recovered and deleted both social media accounts. Can someone please give me some advice on what I can do to protect myself in case I create new social media accounts or reactivate my already existing ones? Thank you
  2. InnoExtractor is a powerful application that helps you unpack Inno Setup installers using InnoUnp technology. With InnoExtractor you can explore the internal structure and content of the installer and extract it to a local folder or a portable device, without having to run the setup.
     Features:
     - Simple and friendly GUI.
     - Open installers in the application simply by dragging and dropping executables from Windows Explorer.
     - Explore the internal content (files and more) of the installer.
     - Extract the embedded files and script to a local folder, to a zip package or to a self-extracting module (portable).
     - Decompiles the "CompiledCode.bin" file of the installer to get the assembly code corresponding to the "Code" script section (for advanced users only).
     - Open internal files of the installer in the same application.
     - Perform file searches by keyword.
     - Input panel that allows you to enter a valid password to extract encrypted installers.
     - Properties panel to see advanced information about the installer.
     - History of recently opened installers.
     - Other miscellaneous options.
     - Supports older and latest versions of Inno Setup.
     - Supports older and latest versions of InnoUnp.
     - Full Unicode support.
     - Application available in multiple languages.
     - Much more!
     Requirements:
     - Windows 2000/XP/Vista/7/8.
     - Inno Setup-based installers.
     Changelog (4.4.1.132):
     Homepage: http://www.havysoft.cl/
     Download up-to-date installer (clean / ads-free installer edition): http://www.mediafire.com/?xgkjwbwdtcis9sh
  4. When a government body creates a self-service payment system for paying for everything from utility bills to permits and fines, you would expect convenience to be tied to adequate security for financial data. Not necessarily so in the case of Click2Gov, a payment portal system used by many US cities, both small and large. Developed by Central Square, formerly known as Superion, the local government portal service was rumored last year to have been subject to a data breach. In September this year, cybersecurity firm FireEye confirmed that a security incident had taken place, in which threat actors had planted never-before-seen malware to scrape payment card details from US citizens. It was suggested that the new malware strains, Firealarm and Spotlight, were able to parse logs for payment card data and extract payment details. Security research firm Gemini Advisory has now released a report examining the after-effects of the attack, in which it is believed 294,929 payment records have been compromised across at least 46 cities in the US, as well as one in Canada. The findings suggest that less than 50 percent of cities which have lost customer data either know of or have publicly disclosed data breaches occurring at their sites. On Tuesday, the company said that by selling this information on the Dark Web, the threat actors have earned themselves at least $1.7 million. In the meantime, Central Square is still trying to work out how the attacks took place, and portals are potentially still at risk. The company did deploy a patch in June to resolve the original vulnerabilities the hackers used to infiltrate Click2Gov, but told Gemini Advisory that "the system remains vulnerable for an unknown reason." However, the firm added that the affected systems were all locally hosted, while the cloud-based Click2Gov software was not affected. It seems, then, that local systems have security issues which are yet to be addressed.
Saint Petersburg, Florida; Bakersfield, California; and Ames, Iowa, have all reported utility payment portal data breaches in the last three months. Payment data from these portals has been found for sale in the web's underbelly. "In our analysis of all 20 reported instances of the Click2Gov breaches, we have definitively confirmed that, in total, at least 111,860 payment cards were compromised," Gemini Advisory says. "Also, in each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, with the average price of $10 per card." Two hackers have been tracked through their wares, and the cybersecurity firm believes both are likely part of the criminal ring which conducted the widespread attacks. Gemini Advisory's Director of Research, Stas Alforov, told Fortune that Click2Gov is working with local authorities to resolve the security issues which still exist, and that the data theft is due in part to "a lack of sophistication on the part of municipal IT workers." Source
  5. The accounts of Eamonn Holmes and Louis Theroux were among those hacked. An online hacking security agency has “hijacked” multiple Twitter accounts in an effort to make a point regarding online security issues. On Thursday, the message “This account has been temporarily hijacked by Insinia Security” appeared on the Twitter accounts of a “number of celebrities” including Eamonn Holmes and Louis Theroux. The tweet also appeared on the Twitter feed of The Independent's travel correspondent Simon Calder. According to a post on Medium by Insinia Security, which explains the hijacking, it was done to highlight the security dangers of having a phone number associated with a Twitter account. Mike Godfrey, the CEO of Insinia Security, confirmed to The Independent the reason behind the hacking, explaining: “Insinia have warned for years that using text messaging for authentication, interaction or security is totally unacceptable and leaves people vulnerable to attack. This issue was highlighted to Twitter in 2007, again in 2009, again in 2011 and almost every year since. Quite simply, Twitter doesn’t listen. The campaign today was to highlight these vulnerabilities, how serious they can be and how someone with a relatively low skill set and a range of tools can control social media that people use to control their brands, career, image and much more. People have a right to know the truth about the state of insecurity that huge companies like Twitter leave innocent users in.” And, according to Godfrey, hijacking the accounts was easy: “In this case, it was a simple task of ‘spoofing’ the Twitter user's MSISDN (mobile phone number) and sending texts that appeared to be from their phone to Twitter, which will automatically accept commands provided it believes that the text has come from the user's phone number, which it did,” he told us.
While Godfrey would not disclose “how these numbers were obtained,” he did say the entire attack “took less than 10 minutes to carry out and complete.” On Medium, the depth of the hijacking was further explained, along with the dangers this lack of security poses. “We used this method to successfully control the target's Twitter account, allowing us to send DMs, retweet and like tweets, follow and unfollow people and much more,” the post reads. According to Insinia Security, this security flaw could lead to risks such as the spread of offensive or extremist material and the spread of fake news. To protect oneself, Godfrey told us the best way is to use a “separate number for TFA (two-factor authentication) on Twitter.” “People must understand that even someone having your phone number puts you at risk,” he continued. “We shouldn’t be so relaxed with who we give our numbers to and Twitter certainly shouldn’t be allowing people to tweet and control accounts by sending texts with no authentication.” Source
  6. By replacing a PC's SPI flash chip with one that contains rogue code, an attacker can gain full, persistent access. Researchers have found a new way to defeat the boot verification process for some Intel-based systems, but the technique can also impact other platforms and can be used to compromise machines in a stealthy and persistent way. Researchers Peter Bosch and Trammell Hudson presented a time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel's reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week. Boot Guard is a technology that was added in the Intel Core 4th generation microarchitecture, also known as Haswell, and is meant to provide assurance that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking, every time the computer starts, that the loaded firmware modules are digitally signed with trusted keys that belong to Intel or the PC manufacturer. Bosch, an independent researcher and computer science student at Leiden University in the Netherlands, discovered an anomaly in the Boot Guard verification process while he was trying to find a way to use the open-source Coreboot firmware on his own laptop. In particular, he noticed that after the system verified the firmware and created a validated copy in cache, it later re-read modules from the original copy located in the Serial Peripheral Interface (SPI) memory chip, the chip that stores the UEFI code. This isn't correct behavior, because the system should only rely on the verified copy after the cryptographic checks have passed. This made Bosch think there might be an opportunity for an attacker to modify the firmware code after it has been verified and before it is incorrectly re-read from SPI memory.
He took his findings and an early proof-of-concept implementation to Trammell Hudson, a well-known hardware and firmware researcher whose previous work includes the Thunderstrike attacks against Apple's Thunderbolt technology. Hudson confirmed Bosch's findings and together they worked on an attack that involves attaching a programming device to the flash memory chip to respond with malicious code when the CPU attempts to re-read firmware modules from SPI memory instead of the validated copy. The result is that malicious and unsigned code is executed successfully, something that Boot Guard was designed to prevent. While the attack requires opening the laptop case to attach clip-on connectors to the chip, there are ways to make it permanent, such as replacing the SPI chip with a rogue one that emulates the UEFI and also serves malicious code. In fact, Hudson has already designed such an emulator chip that has the same dimensions as a real SPI flash chip and could easily pass as one upon visual inspection if some plastic coating is added to it.
What are the implications of such TOCTOU attacks?
The Intel Boot Guard and Secure Boot features were created to prevent attackers from injecting malware into the UEFI or other components loaded during the boot process, such as the OS bootloader or the kernel. Such malware programs have existed for a long time and are called boot rootkits, or bootkits, and attackers have used them because they are very persistent and hard to remove. That's because they re-infect the operating system after every reboot, before any antivirus program has a chance to start and detect them. In its chip-swapping variant, Hudson's and Bosch's attack acts like a persistent hardware-based bootkit. It can be used to steal disk encryption passwords and other sensitive information from the system, and it's very hard to detect without opening the device and closely inspecting its motherboard.
Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information. Such a physical compromise could occur in different ways, for example in an Evil-Maid-type scenario where a high-value target, like a company's CEO, travels to a foreign country and leaves their laptop unattended in their hotel room. Bosch tells CSO that replacing the SPI memory chip with a rogue one designed to execute this attack would take 15 to 20 minutes for an experienced attacker with the right equipment. Another possibility is supply chain attacks, or the so-called "interdiction" techniques where computer shipments are intercepted in transit, for example by an intelligence agency, backdoored and then resealed to hide any tampering. The documents leaked by Edward Snowden showed that the NSA uses such techniques, and it is likely not the only intelligence agency to do so. Some devices do have tamper-evident seals or mechanisms, but someone with the right resources and knowledge can easily bypass those defenses, Bosch tells CSO. Malicious employees could also use this technique on their work-issued laptops to either bypass access controls and gain administrator privileges or to maintain access to the company's data and network after they leave the company. Such a compromise would survive the computer being wiped and put back into use. There have been several cases over the years of economic espionage where employees working for various companies were caught stealing trade secrets and passing them to foreign governments or to competitors.
What is the mitigation?
The two researchers notified Intel of their findings in January and tell CSO that the chipmaker treated the issue seriously and assigned a high severity to it. The company already has patches available for its reference UEFI implementation, known as Tianocore, which it shares with BIOS vendors and PC manufacturers. The researchers haven't yet tested the fixes, but at least based on the description they seem comprehensive and should prevent similar attacks in the future. The problem is that distributing UEFI patches has never been an easy process. Intel shares its UEFI kit with UEFI/BIOS vendors who have contracts with various PC manufacturers. Those OEMs then make their own firmware customizations before they ship it inside their products. This means that any subsequent fixes require collaboration and coordination from all involved parties, not to mention end users who need to actually care enough to install those UEFI updates. The patches for the critical Meltdown and Spectre vulnerabilities that affected Intel CPUs also required UEFI updates, and it took months for some PC vendors to release them for their affected products. Many models never received the patches in the form of UEFI updates because their manufacturers no longer supported them. The two researchers plan to release their proof-of-concept code in the following months as part of a tool called SPISpy that they hope will help other researchers and interested parties check whether their own machines are vulnerable and investigate similar issues on other platforms. "I would really like to see the industry move towards opening the source to their firmware, to make it easier to verify its correctness and security," says Bosch. Source
  7. If you are someone who relies on “Windows Defender” on Windows 10 to protect your device from malware threats, you should know about the new version of the TrickBot malware that attempts to disable the antivirus software altogether. The TrickBot Trojan isn’t exactly new, as it surfaces from time to time. The last we heard about TrickBot was a couple of weeks ago, when it managed to infect nearly 250 million Gmail accounts with new cookie-stealing abilities. For the uninitiated, TrickBot is a trojan that tries to steal bank account information, crypto wallets, browser data, and other credentials saved on your PC and browser.
TrickBot Disabling Windows Defender
Every time TrickBot surfaces, it has newly added capabilities. This time, it has the ability to disable Windows Defender and deploys about 17 steps to achieve it. According to Bleeping Computer, TrickBot tries to delete the WinDefend service and terminates associated processes. It also adds a DisableAntiSpyware Windows policy to disable Windows Defender. It goes the extra malware mile by disabling Windows Defender real-time protection and Windows security notifications. Bleeping Computer’s report states: “These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences.”
Can we stop TrickBot?
By blocking access to the Windows Registry and removing a user’s admin rights by default, TrickBot can be prevented from disabling Windows Defender. That being said, a lot depends on how advanced the particular strain of TrickBot is, because it appears to download additional payloads “to gain higher system privileges once executed.” Windows 10 users can make use of AppLocker to control which apps and files users can run. It covers executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. Another thing Windows 10 users should check is whether “Tamper Protection” is enabled or not. This feature usually remains ‘On’ by default, and as long as it is enabled, Windows 10 users should be relatively safe from getting their Windows Defender disabled. One thing we can say for sure is that the authors of TrickBot are constantly adding new tricks and methods to bypass security, so you should keep your device as secure as possible. Source
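The article lists the Defender settings this TrickBot variant tampers with (the WinDefend service, the DisableAntiSpyware policy, real-time protection) and recommends checking Tamper Protection. The following read-only PowerShell check, added here as an example and not taken from the article or from Bleeping Computer's report, reads each of those settings and prints a warning for any that is not in the expected state. It assumes the built-in Defender module (Get-MpComputerStatus, Get-MpPreference) is present and that the IsTamperProtected property is reported, which requires Windows 10 version 1903 or later; the "expected" states encoded below are this example's own assumptions about a healthy default Windows 10 install.

```powershell
# Added example: baseline check of the Windows Defender settings the article
# says TrickBot modifies. Run from an elevated PowerShell prompt.
# Assumptions (not from the article): Defender PowerShell module available,
# IsTamperProtected reported (Windows 10 1903+), default policy key path below.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

# Policy value named in the article; expected to be absent or 0 on a healthy host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$disableAS = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware `
              -ErrorAction SilentlyContinue).DisableAntiSpyware

$findings = @()

if (-not $svc -or $svc.Status -ne 'Running') {
    $findings += 'WinDefend service is missing or not running'
}
if ($disableAS -eq 1) {
    $findings += 'DisableAntiSpyware policy is set to 1'
}
if ($pref.DisableRealtimeMonitoring) {
    $findings += 'Real-time monitoring is disabled'
}
if ($status.IsTamperProtected -ne $true) {
    $findings += 'Tamper Protection is not enabled'
}

if ($findings.Count -eq 0) {
    Write-Output 'Defender baseline OK: service running, no DisableAntiSpyware policy, real-time protection on, Tamper Protection on'
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
}
```

Each warning corresponds to one of the modifications the article attributes to TrickBot, so a host that reports any of them after having been in a known-good state is a candidate for closer investigation rather than a configuration oddity. The check only reads settings; restoring them is a separate step that should go through the usual Defender or Group Policy tooling.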
  8. A newly discovered hacking group is targeting energy and telecoms companies. There’s a new hacking group on the radar targeting telecommunications and oil and gas companies across Africa and the Middle East. Industrial security company Dragos, which discovered the group, calls it “Hexane,” but remains largely tight-lipped on its activities. The security company said Thursday, however, that the group’s activity has ramped up in recent months amid heightened tensions in the region since the group first emerged a year ago. Dragos said Hexane, the latest in a list of nine hacking groups it tracks, was observed targeting telecoms companies, potentially as a “stepping stone” to gain access to the networks of oil and gas companies. “Targeting telecommunications firms can potentially enable third-party access to downstream refining or upstream production operations via cellular networks,” Casey Brooks, a senior adversary hunter at Dragos, told TechCrunch. Dragos would not go into specifics about the threat group but hinted that it targets and compromises “devices, firmware, or telecommunications networks” in the supply chain, which could be used to breach a victim’s network from within. The researchers have “moderate confidence” that Hexane does not yet have an attack capability to disrupt industrial control networks critical to the continued operation of power plants, energy suppliers and other critical infrastructure, but the group may use its leverage on telecommunications networks as a “precursor” to an attack on industrial control networks. Dragos said Hexane is expected to increase its targeting of oil and gas companies in the region. Hexane was first observed in mid-2018, said the company, which specializes in finding and understanding the threats faced by critical infrastructure. The group followed a similar trend to other groups targeting industrial control systems. But Hexane isn’t the only threat group targeting third-party companies.
Dragos said other groups it tracks target hardware and software suppliers used in industrial control networks. Hexane has “similar behaviors” to OilRig, a previously reported threat group with suspected Iranian ties. But Dragos said that Hexane’s behaviors, tools, and targeted victims make the hacking group “a unique entity” compared to other observed groups. Dragos said oil and gas remains a high-value target for groups seeking to cause “major process and equipment destruction or loss of life.” Source: A newly discovered hacking group is targeting energy and telecoms companies
  9. Cybercrime comes to school lunches
School lunches exec faces felony charges related to the hacking of his rival’s network to expose weak security
Every form of crime seems to invade the world of cybersecurity. Sooner or later that had to include the age-old childhood bullying trauma of school lunch theft. Except in this case the pilfered prize was data, not baloney. Keith Wesley Cosbey, CFO of California school lunch provider Choicelunch, was arrested in April on two felony counts — identity theft and unlawful computer access. The San Francisco Chronicle reports that law enforcement accuses Cosbey of hacking into the network of longtime Choicelunch rival The LunchMaster, accessing sensitive student data including names, grades, meal preferences, and allergy info. The charges contend that Cosbey, claiming to be an anonymous tipster, then sent the stolen data to the California Department of Education in an attempt to discredit The LunchMaster by exposing weak security and complaining the company does not do enough to protect student data. When the Department of Education confronted The LunchMaster about the breach, the company launched an internal investigation. The LunchMaster cybersecurity team was able to trace the breach back to an IP address in Danville, Calif., where Choicelunch is based. The LunchMaster contacted the FBI in April 2018, and after a yearlong investigation, Cosbey was arrested. Cosbey is currently out on $125,000 bond and is due in court later this month. If convicted, he faces over three years in prison. This week, investigators allowed LunchMaster to notify families affected by the breach, which the company has been doing, The Chronicle reported. Source
  10. Equifax revealed this week its earnings release related to the security breach suffered by the credit bureau back in 2017; the incident has cost about $1.4 billion plus legal fees. In 2017 Equifax confirmed it had suffered a massive data breach, in which cyber criminals stole sensitive personal records of 145 million US citizens and hundreds of thousands of people in Canada and the UK. Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache Struts and could be exploited by an attacker sending a maliciously crafted request to an Apache web server. The vulnerability was fixed back in March 2017, but the company did not update its systems, a point also made by an Apache spokeswoman to the Reuters agency. Compromised records included names, social security numbers, birth dates, home addresses, credit-score dispute forms, and for some users also credit card numbers and driver's license numbers. In March 2018, experts argued the Equifax hack was worse than previously thought: according to documents provided by Equifax to the US Senate Banking Committee, the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers. A few weeks later the results of the forensic investigation revealed that an additional 2.4 million identities were involved in the security incident. Chief Executive Mark Begor confirmed that Equifax recently reached settlement agreements with some of the class action lawsuits and government investigators. “This is a positive step forward for Equifax, as we work to put the 2017 cybersecurity event behind us,” he explained.
According to Begor, the settlement terms include the creation of a single “consumer redress fund” to respond to and consolidate redress requests. “There are still many other lawsuits outstanding,” reported the website Wabe.org. “The company has said hundreds of suits were filed against it since the breach, including more than 2,500 individual consumer plaintiffs, international and domestic class action suits, shareholder litigation and government lawsuits from states and cities.” In June 2018, Equifax agreed to a Consent Order from some state banking regulators; many governmental agencies and officials are still investigating the breach. “The company said earlier this year that the Consumer Financial Protection Bureau and Federal Trade Commission had told Equifax the agencies do ‘intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident,’” continues the Wabe site. Experts believe that Equifax must be punished with exemplary penalties that incentivize the credit bureaus to protect consumer data. “Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans,” said Mike Lit, a national campaign director at the consumer advocate U.S. Public Interest Research Group. “That’s why we need strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data.” Source
  11. Members of Congress in both parties are taking some clear if limited steps this week toward protecting the country, and their own campaigns, from hackers out to disrupt the next election. Next to easing access to the polls and otherwise enhancing the right to vote, protecting against the sort of foreign interference that marred the 2016 balloting is top of mind for those who say boosting confidence in the electoral system is essential to restoring democracy. To that end, the Senate unexpectedly passed legislation Wednesday night that would make it a federal crime to hack into any voting systems used in a congressional or presidential election. The voice vote came after minimal debate, meaning Majority Leader Mitch McConnell was persuaded by fellow Republicans to permit at least an occasional narrow exception to his decision to block election policy legislation. McConnell has labeled many of the proposals as unnecessary, and he's keenly aware that President Trump views legislation designed to correct shortcomings in the system as implicitly questioning his 2016 victory.
In this case, however, the bill was the handiwork of one of his most prominent turnabout GOP allies in the Senate, Lindsey Graham of South Carolina. It is actually the second election security measure the Senate has passed this summer, following a bipartisan voice vote in June for a bill denying visas to anyone even suspected of meddling in an American election. The debate was more polarized when the House Foreign Affairs Committee considered similar legislation on Wednesday. In the end, the Democratic majority pushed through a bill that would prevent anyone implicated in 2016 election interference from entering the United States and order any suspects already in the country to leave. Republicans wanted the bill only to restrict entry to meddlers in future elections.
Those same Republicans, however, were expected to move soon to bolster the cybersecurity forces being deployed on 2020 House GOP campaigns. Officials at the party's political organization, the National Republican Congressional Committee, told The Washington Post they would be making their own technology experts available to train people to spot suspicious online activity and patch vulnerabilities in their campaign software — and would pay for a cybersecurity company to monitor and respond to suspicious activity on the computer networks of any GOP incumbent or party nominee who asks for the help. The move by the NRCC, which says it was hacked a few months before the 2018 vote, will increase pressure on the Democrats' congressional campaign organizations to do likewise. Those groups have been offering advice, but not people or software, to candidates in the three years since Russia hacked into email accounts belonging to the Democratic National Committee and the Democratic Congressional Campaign Committee — leaking material that was damaging to Hillary Clinton's campaign and beneficial to Trump. On Wednesday, Microsoft said that since last August it had sent more than 740 notifications to political party organizations, campaigns and democracy-focused nonprofits that use its free cybersecurity services, warning that they had been targeted by foreign government hackers. Most of the attempted infiltrations, the company said, were from Iran, North Korea and Russia. Source
  12. With just a year to go before the 2020 Census, the U.S. government is urgently working to safeguard against hacking and disinformation campaigns as it perfects a plan to count about 330 million people largely online for the first time. Going digital is intended to cut costs. But cybersecurity experts say it may also put the survey at unprecedented risk in a nation embroiled in fallout from Russian interference in the 2016 election. Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade's worth of federal funding, congressional apportionment and redistricting throughout the country. "Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power," said Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census. "I think there will be lots of attempts. We should be concerned." So far, there has been no indication of anyone trying to target the survey, but experts say the risks will probably grow as the launch draws closer. Census Bureau officials say they are working with experts in the government and private sector, including at the Department of Homeland Security, Facebook, Microsoft and Google, to defend against people or foreign states who try to undermine the U.S. government or prevent certain groups from being counted. They plan to encrypt incoming information, scan responses for unusual activity and monitor social media to spot attempts to mislead the public. The bureau has bought up more than 100 census-related domain names so they can't be used to create fake census sites, and it plans to aggressively push the message that completing the survey is safe and that being counted is beneficial to communities. Yet cybersecurity experts cite several reasons to be concerned with the plan. 
It comes at a time when trust in the government generally is low. Many people's trust in the census in particular has been eroded by fears about the Trump administration's decision last year to add a citizenship question to the survey. The question has been struck down by two federal courts and the Supreme Court is expected to decide this spring whether it will appear on the forms. At the same time, previous data breaches have left many Americans leery of sharing personal information online. The federal government’s troubled track record in building and maintaining technological systems includes the repeated meltdowns of healthcare.gov in 2013 and the Office of Personnel Management hack, revealed in 2015, that exposed names, Social Security numbers, salaries and other information on more than 21 million federal workers, allegedly to Chinese hackers. More recently, the Federal Emergency Management Agency exposed the personal addresses and banking information of 2.5 million disaster survivors. Joshua Geltzer, a former National Security Council official who has warned of security risks to the census and called for greater transparency on it, said it is particularly important to clarify how it will be protected given how Russian interference in the last presidential election spawned years of questions - many still unanswered - about how seriously outside forces were able to affect a major American vote. "We know that actors like the Russians and others are interested in finding ways to make our democracy seem weak, brittled, flawed," said Geltzer, who is executive director of Georgetown Law's Institute for Constitutional Advocacy and Protection. He added, "I don't think it's crazy to worry that there might still be problems when this thing rolls around. We haven't cracked the code on this in terms of other contexts, of the elections, of the general democracy, so I wouldn't expect the Census Bureau to have figured this out." 
Disrupting a census is not unprecedented: When Australia put its census online in 2016, cyberattackers launched what experts call a Distributed Denial of Service attack, in which hackers intentionally overload online systems. The onslaught crashed a critical website, slowing the count. In past U.S. censuses, survey forms arrived in people's mailboxes, and those who didn't mail them in received visits from enumerators carrying another set of paper forms. This time, most households will receive an initial mailing inviting them to log on to the bureau's website (paper forms will be mailed at that point to the 20 percent least likely to be online, including older people and those in areas with low Internet connectivity). Households that don't respond electronically will then receive paper forms by mail, and when enumerators knock on doors to follow up with those who still haven't responded, they will intake respondents' information electronically, via an iPhone 8. The decennial census does not gather Social Security numbers or financial information. "Most people fill out credit card applications with much more personal information," said the bureau's assistant director of communications, Stephen Buckner. The bureau has systems in place to guard against hacks. After encrypting the data at two points in the process, it will store the data in its own secure cloud environment in Amazon Web Services' GovCloud. (Amazon Chief Executive Jeff Bezos owns The Washington Post.) It will continuously monitor incoming data, using an automated system that will look for suspicious activity, check information against existing records, and refer questionable surveys to analysts for follow-up. In the event of a website slowdown or crash, there will be a backup system as well as options to complete the survey via telephone or mail. 
Indications of hacks might include unusual patterns of activity, such as a single-family home reporting that it has 30 residents, or responses coming in too rapidly for a survey that should take about 10 minutes to fill out online. "If the Census Bureau sees a response is being generated every 15 seconds from a certain computer or a certain area," that would raise suspicions, said Maria Filippelli, public interest technology census fellow with New America, a nonpartisan Washington think tank. Any unusual spikes "would be investigated, isolated and shut down." But the system for collecting information has built-in vulnerabilities, some security experts say. For example, there is no way to stop a person from uploading information about a particular address even if he or she is not a resident there. (While the mailings will include an ID number, respondents can fill out the survey without using the number.) Census Bureau officials say such activity will be detected as incoming responses are automatically checked against existing records; if a discrepancy is spotted, it will be flagged for human review. "We constantly scan it to see if some new vulnerability occurred, and if it occurred, then we fix it," said Kevin Smith, the bureau's chief information officer. "We are absolutely performance-testing it above and beyond the level that we need to." The bureau has been working with DHS's Cybersecurity and Infrastructure Security Agency (CISA), where a team of about 20 people is focused on helping secure the system and gaming out possible hacks. "The two most important things that I've got going on in both prepping and executing next year are the election and the census," an official there said. "The risk to the census is fairly broad, and they're well aware of this, they're taking a lot of really good actions to secure against these. 
But then you could have anything from an individual hacker trying to get into some aspect of it to just be difficult, to nation-states trying to gain access in order to get access to personally identifiable information to potentially change census collection, and then you've got the foreign influence piece as well, sowing confusion and discord. The census is a key tenet of our democracy, and so some of the same risks and threats you saw to elections are applicable to census." A research company that surveys the Web for signs of malfeasance said it detected some chatter about the census a couple of years ago, but so far has seen no evidence of a concerted campaign. That is not surprising given the survey is a year off. A more coordinated effort might not come together until later in the process, said a researcher at the company, which asked for anonymity because of the private nature of its work. But even if census data aren't hacked, concerns over cybersecurity could create an atmosphere ripe for disinformation campaigns seeking to influence how, or whether, respondents fill out the survey. This could come in the form of fake reports of Immigration and Customs Enforcement officials accompanying census enumerators to people's homes, fake news stories about census data being hacked, or phishing websites that trick people into thinking they have filled out the real survey. Any of this could lower response rates, jeopardizing the quality of the data and driving up costs as the agency attempts to collect information for nonresponding households by going door to door and combing government and public records. The bureau must navigate a delicate balance between warning people about these dangers and scaring them off. "It's tough, for those who care about the census," Dutta-Gupta said. "We have to be careful in not raising false alarms or concerning people more than they need to be, since trust is essential in ensuring a fair and accurate count." 
The bureau has been meeting with companies such as Microsoft, Google, Facebook and Twitter to plan how to identify and stop misinformation as it comes online. In March, Facebook hosted an event with the bureau and other technology companies and civic organizations to talk about the census. "They're opening their doors, they realize the importance of this, they're being collaborative," Buckner said. Last year Facebook and Twitter adopted clear, specific prohibitions around voter suppression, hoping to stop the spread of posts, videos and other content designed to deceive users about how to vote. Representatives from these companies would not say whether they are planning something similar for the census. Facebook said only that census-related posts could be submitted to its third-party fact-checkers for review, while Twitter said it would take action against inauthentic accounts created with the intention to deceive users about the census. Google declined to discuss the census, and Microsoft said it is working with the bureau on cybersecurity but did not provide details. Educating the public about how the census works and what information to believe is a key part of protecting it, the CISA official said. "We need to ensure that the public understands where the information is coming from," the official said. "An informed public is our best defense." The U.S. Government Accountability Office has put the 2020 count on its high-risk list, and in a report last month it cited more than 1,000 system security weaknesses that it warned the bureau needs to address "before systems are deployed." 
At a full dress rehearsal for the count last year (which was scaled down from three locations to one because of funding shortages), "the Bureau did not test all 2020 Census systems and IT capabilities," the report said, adding that incomplete testing "increases the risk that innovations and IT systems will not function as intended." The bureau said it meets regularly with the GAO to address its recommendations, but added that not all the systems needed to be tested during the dress rehearsal, as some were up and running for other census surveys, and it was too early to test others. Nick Marinos, director of IT and cybersecurity issues at the GAO, said although the bureau's innovations make sense, it is coming up against a hard deadline to make sure its systems run smoothly. "This is an unprecedented effort. . . . Globally, there haven't been too many online censuses performed," he said. "I think the bureau itself is anxious and I think that is warranted. I think we are also holding our breath, waiting to see what the next six months brings." Source
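The detection signals the bureau's officials describe in the post above (a single-family home reporting 30 residents, a response every 15 seconds from one computer, and responses that disagree with the address file) as a worked example. This is added illustrative Python, not Census Bureau code; the record fields, thresholds, address file and sample submissions are assumptions constructed for the example.

```python
"""Anomaly checks over an online-census intake stream (added example).

Not Census Bureau code. Field names, thresholds, the address file and the
sample submissions below are assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Response:
    address_id: str      # hypothetical identifier from the master address file
    source: str          # submitting client, e.g. its IP address
    ts: float            # submission time, seconds
    household_size: int
    duration_s: float    # seconds from form open to submit


# Hypothetical master address file: address -> housing type
ADDRESS_FILE = {
    "A1": {"type": "single_family"},
    "A2": {"type": "single_family"},
    "A3": {"type": "apartment"},
}

MAX_SINGLE_FAMILY = 15      # assumed sanity bound for one house
MIN_DURATION_S = 120.0      # form should take ~10 min; under 2 min is suspect
RATE_WINDOW_S = 60.0        # sliding window for the per-source rate check
RATE_MAX_PER_WINDOW = 3     # a 4th submission within a minute trips it


def check_response(r, address_file=ADDRESS_FILE):
    """Stateless per-record checks. Returns a list of reasons (empty = clean)."""
    reasons = []
    rec = address_file.get(r.address_id)
    if rec is None:
        reasons.append("unknown_address")
    elif rec["type"] == "single_family" and r.household_size > MAX_SINGLE_FAMILY:
        reasons.append("implausible_household_size")
    if r.duration_s < MIN_DURATION_S:
        reasons.append("completed_too_fast")
    return reasons


def check_stream(responses, address_file=ADDRESS_FILE):
    """Stream checks: per-record reasons plus per-source rate and conflicting
    filings for one address. Returns [(address_id, source, reasons), ...] for
    every submission that should be routed to an analyst."""
    review = []
    recent = defaultdict(list)   # source -> timestamps still inside the window
    first_filer = {}             # address -> source of the first filing

    for r in sorted(responses, key=lambda x: x.ts):
        reasons = check_response(r, address_file)

        # Rate: drop timestamps that fell out of the window, then add this one
        window = [t for t in recent[r.source] if r.ts - t <= RATE_WINDOW_S]
        window.append(r.ts)
        recent[r.source] = window
        if len(window) > RATE_MAX_PER_WINDOW:
            reasons.append("source_rate_exceeded")

        # Conflict: a different source already filed for this address
        prior = first_filer.setdefault(r.address_id, r.source)
        if prior != r.source:
            reasons.append("duplicate_address_conflict")

        if reasons:
            review.append((r.address_id, r.source, reasons))
    return review


# Constructed sample stream (not real data)
SAMPLE = [
    Response("A1", "198.51.100.7", 1000.0, 3, 540.0),   # ordinary filing
    Response("A2", "198.51.100.7", 1015.0, 30, 12.0),   # 30 people in a house, 12 s
    Response("A3", "203.0.113.9", 1016.0, 2, 600.0),    # ordinary filing
    Response("A2", "203.0.113.9", 1200.0, 2, 480.0),    # A2 filed again, other source
    Response("A9", "192.0.2.5", 1300.0, 1, 300.0),      # address not in the file
    Response("A1", "192.0.2.5", 1310.0, 1, 15.0),       # burst from one source...
    Response("A3", "192.0.2.5", 1325.0, 1, 15.0),
    Response("A2", "192.0.2.5", 1340.0, 1, 15.0),       # ...4th in 40 s
]

if __name__ == "__main__":
    for address_id, source, reasons in check_stream(SAMPLE):
        print(f"{address_id} from {source}: {', '.join(reasons)}")
```

The per-source rate check is the weak link in practice: an attacker spreading submissions across many addresses and many source IPs stays under any single-source threshold, which is why the address-file cross-check (a second, conflicting filing for an address that has already responded) matters more than the rate limit and is the one the bureau says leads to human review.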
  13. A Romanian woman, Eveline Cismaru, 28, pleaded guilty to federal charges for illegally gaining access to more than 126 computers connected to surveillance cameras installed and used by the Metropolitan Police Department (MPD) and infecting them with ransomware. She pleaded guilty before the Honorable Dabney L. Friedrich to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer fraud, which carry statutory maximums of 20 years and five years in prison. Cismaru agreed to cooperate fully in the investigation and is to be sentenced on Dec. 3, 2018. Investigators arrested Cismaru and a co-defendant, Mihai Alexandru Isvanca, 25, in Romania; Cismaru was extradited to the United States on July 26, 2018, and Isvanca's extradition to the United States is pending. "According to the government's evidence, beginning in early January 2017, and continuing through Jan. 12, 2017, a computer hacking attack on the MPD computer network disabled two-thirds of the outdoor surveillance cameras operated by MPD in the District of Columbia, just days before the 2017 Presidential Inauguration," reads the Department of Justice press release. Investigators also found that the conspirators were in the process of attacking as many as 179,616 other computers using stolen e-mails, e-mail passwords, and banking credentials. The ransomware attack took place in January 2017, just before the day of the Presidential Inauguration, and due to the rapid response by investigators and MPD's Chief Technology Office, the overall security of the 2017 Inauguration was not impacted by this event. Source
  14. An Australian teenager has pled guilty to hacking Apple’s system multiple times in a span of several months, but will not be going to jail. He said he did it because he’s just a huge Apple fanboy. Melbourne news outlet the Age reported that Apple had alerted the FBI after the company detected a breach. Then authorities notified the Australian Federal Police, which raided the teen’s home. There agents found 90Gb of sensitive files in a folder titled “hacky hack hack.” A magistrate told the court that the teen (not named for legal reasons) exploited a VPN intended for remote connection, according to Bloomberg. Apple reportedly blocked his access in November 2016, but he regained access last year. Apple did not immediately respond to a Gizmodo request for comment, but in a statement to Bloomberg Apple said that customers’ personal data was not compromised. The teen’s lawyer said at the boy’s appearance at Children’s Court in August that he hacked Apple “because he was such a fan” of the company, according to the Age. Bloomberg reports the teen told police that he breached Apple’s systems, in part, because he enjoyed “just being in the corporation pretending you were employees,” and the activity was apparently addictive. According to Bloomberg, the magistrate told the court that the teenager had shown remorse and had cooperated with law enforcement, and would only be given an eight-month probation instead of jail time. “Your offending is serious,” the magistrate said to the teen, according to Bloomberg. “It was sustained, sophisticated, and a successful attack on the security of a major multinational corporation.” The teen was 16 when he first accessed Apple’s system. According to the Age, he is now 19 and has been accepted at a university where he plans on studying criminology and cyber security. Source
  15. Twitter Hacking for Profit and the LoLs The New York Times last week ran an interview with several young men who claimed to have had direct contact with those involved in last week's epic hack against Twitter. These individuals said they were only customers of the person who had access to Twitter's internal employee tools, and were not responsible for the actual intrusion or bitcoin scams that took place that day. But new information suggests that at least two of them operated a service that resold access to Twitter employees for the purposes of modifying or seizing control of prized Twitter profiles. As first reported here on July 16, prior to bitcoin scam messages being blasted out from such high-profile Twitter accounts as @barackobama, @joebiden, @elonmusk and @billgates, several highly desirable short-character Twitter account names changed hands, including @L, @6 and @W. A screenshot of a Discord discussion between the key Twitter hacker "Kirk" and several people seeking to hijack high-value Twitter accounts. Known as "original gangster" or "OG" accounts, short-character profile names confer a measure of status and wealth in certain online communities, and such accounts can often fetch thousands of dollars when resold in the underground. The people involved in obtaining those OG accounts on July 15 said they got them from a person identified only as "Kirk," who claimed to be a Twitter employee. According to The Times, Kirk first reached out to the group through a hacker who used the screen name "lol" on OGusers, a forum dedicated to helping users hijack and resell OG accounts from Twitter and other social media platforms. From The Times's story: "The hacker 'lol' and another one he worked with, who went by the screen name 'ever so anxious,' told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter addresses early in the day. 
They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time on Wednesday. 'lol' did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. "ever so anxious" said he was 19 and lived in the south of England with his mother. Kirk connected with "lol" late Tuesday and then "ever so anxious" on Discord early on Wednesday, and asked if they wanted to be his middlemen, selling Twitter accounts to the online underworld where they were known. They would take a cut from each transaction." Twice in the past year, the OGUsers forum was hacked, and both times its database of usernames, email addresses and private messages was leaked online. A review of the private messages for "lol" on OGUsers provides a glimpse into the vibrant market for the resale of prized OG accounts. On OGUsers, lol was known to other members as someone who had a direct connection to one or more people working at Twitter who could be used to help fellow members gain access to Twitter profiles, including those that had been suspended for one reason or another. In fact, this was how lol introduced himself to the OGUsers community when he first joined. "I have a twitter contact who I can get users from (to an extent) and I believe I can get verification from," lol explained. In a direct message exchange on OGUsers from November 2019, lol is asked for help from another OGUsers member whose Twitter account had been suspended for abuse. "hello saw u talking about a twitter rep could you please ask if she would be able to help unsus [unsuspend] my main and my friends business account will pay 800-1k for each," the OGUsers profile inquires of lol. Lol says he can't promise anything but will look into it. "I sent her that, not sure if I will get a reply today bc its the weekend but ill let u know," Lol says. In another exchange, an OGUsers denizen quizzes lol about his Twitter hookup. 
“Does she charge for escalations? And how do you know her/what is her department/job. How do you connect with them if I may ask?” “They are in the Client success team,” lol replies. “No they don’t charge, and I know them through a connection.” As for how he got access to the Twitter employee, lol declines to elaborate, saying it’s a private method. “It’s a lil method, sorry I cant say.” In another direct message, lol asks a fellow OGUser member to edit a comment in a forum discussion which included the Twitter account “@tankska,” saying it was his IRL (in real life) Twitter account and that he didn’t want to risk it getting found out or suspended (Twitter says this account doesn’t exist, but a simple text search on Twitter shows the profile was active until late 2019). “can u edit that comment out, @tankska is a gaming twitter of mine and i dont want it to be on ogu :D’,” lol wrote. “just dont want my irl getting sus[pended].” Still another OGUser member would post lol’s identifying information into a forum thread, calling lol by his first name — “Josh” — in a post asking lol what he might offer in an auction for a specific OG name. “Put me down for 100, but don’t note my name in the thread please,” lol wrote. WHO IS LOL? The information in lol’s OGUsers registration profile indicates he was probably being truthful with The Times about his location. The hacked forum database shows a user “tankska” registered on OGUsers back in July 2018, but only made one post asking about the price of an older Twitter account for sale. The person who registered the tankska account on OGUsers did so with the email address [email protected], and from an Internet address tied to the San Ramon Unified School District in Danville, Calif. 
According to 4iq.com, a service that indexes account details like usernames and passwords exposed in Web site data breaches, the jperry94526 email address was used to register accounts at several other sites over the years, including one at the apparel store Stockx.com under the profile name Josh Perry. Tankska was active only briefly on OGUsers, but the hacked OGUsers database shows that “lol” changed his username three times over the years. Initially, it was “freej0sh,” followed by just “j0sh.” lol did not respond to requests for comment sent to email addresses tied to his various OGU profiles and Instagram accounts. ALWAYS IN DISCORD Last week’s story on the Twitter compromise noted that just before the bitcoin scam tweets went out, several OG usernames changed hands. The story traced screenshots of Twitter tools posted online back to a moniker that is well-known in the OGUsers circle: PlugWalkJoe, a 21-year-old from the United Kingdom. Speaking with The Times, PlugWalkJoe — whose real name is Joseph O’Connor — said while he acquired a single OG Twitter account (@6) through one of the hackers in direct communication with Kirk, he was otherwise not involved in the conversation. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.” In an interview with KrebsOnSecurity, O’Connor likewise asserted his innocence, suggesting at least a half dozen other hacker handles that may have been Kirk or someone who worked with Kirk on July 15, including “Voku,” “Crim/Criminal,” “Promo,” and “Aqua.” “That twit screenshot was the first time in a while I joke[d], and evidently I shouldn’t have,” he said. 
“Joking is what got me into this mess.” O’Connor shared a number of screenshots from a Discord chat conversation on the day of the Twitter hack between Kirk and two others: “Alive,” which is another handle used by lol, and “Ever So Anxious.” Both were described by The Times as middlemen who sought to resell OG Twitter names obtained from Kirk. O’Connor is referenced in these screenshots as both “PWJ” and by his Discord handle, “Beyond Insane.” The negotiations over highly-prized OG Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams. Ever So Anxious told Kirk his OGU nickname was “Chaewon,” which corresponds to a user in the United Kingdom. Just prior to the Twitter compromise, Chaewon advertised a service on the forum that could change the email address tied to any Twitter account for around $250 worth of bitcoin. O’Connor said Chaewon also operates under the hacker alias “Mason.” “Ever So Anxious” tells Kirk his OGUsers handle is “Chaewon,” and asks Kirk to modify the display names of different OG Twitter handles to read “lol” and “PWJ”. At one point in the conversation, Kirk tells Alive and Ever So Anxious to send funds for any OG usernames they want to this bitcoin address. The payment history of that address shows that it indeed also received approximately $180,000 worth of bitcoin from the wallet address tied to the scam messages tweeted out on July 15 by the compromised celebrity accounts. The Twitter hacker “Kirk” telling lol/Alive and Chaewon/Mason/Ever So Anxious where to send the funds for the OG Twitter accounts they wanted. SWIMPING My July 15 story observed there were strong indications that the people involved in the Twitter hack have connections to SIM swapping, an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account. The account “@shinji,” a.k.a. 
“PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface. SIM swapping was thought to be behind the hijacking of Twitter CEO Jack Dorsey‘s Twitter account last year. As recounted by Wired.com, @jack was hijacked after the attackers conducted a SIM swap attack against AT&T, the mobile provider for the phone number tied to Dorsey’s Twitter account. Immediately after Jack Dorsey’s Twitter handle was hijacked, the hackers tweeted out several shout-outs, including one to @PlugWalkJoe. O’Connor told KrebsOnSecurity he has never been involved in SIM swapping, although that statement was contradicted by two law enforcement sources who closely track such crimes. However, Chaewon’s private messages on OGusers indicate that he very much was involved in SIM swapping. Use of the term “SIM swapping” was not allowed on OGusers, and the forum administrators created an automated script that would watch for anyone trying to post the term into a private message or discussion thread. The script would replace the term with “I do not condone illegal activities.” Hence, a portmanteau was sometimes used: “Swimping.” “Are you still swimping?” one OGUser member asks of Chaewon on Mar. 24, 2020. “If so and got targs lmk your discord.” Chaewon responds in the affirmative, and asks the other user to share his account name on Wickr, an encrypted online messaging app that automatically deletes messages after a few days. Chaewon/Ever So Anxious/Mason did not respond to requests for comment. O’Connor told KrebsOnSecurity that one of the individuals thought to be associated with the July 15 Twitter hack — a young man who goes by the nickname “Voku” — is still actively involved in SIM-swapping, particularly against customers of AT&T and Verizon. Voku is one of several hacker handles used by a Canton, Mich. youth whose mom turned him in to the local police in February 2018 when she overheard him talking on the phone and pretending to be an AT&T employee. 
Officers responding to the report searched the residence and found multiple cell phones and SIM cards, as well as files on the kid's computer that included "an extensive list of names and phone numbers of people from around the world." The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet, a hardware device designed to store cryptocurrency account data. In April 2018, Voku's mom again called the cops on her son, identified only as confidential source #1 ("CS1") in the criminal complaint against him, saying he'd obtained yet another mobile phone. Voku's cooperation with authorities led them to bust up a conspiracy involving at least nine individuals who stole millions of dollars worth of cryptocurrency and other items of value from their targets. CONSPIRACY Samy Tarazi, an investigator with the Santa Clara County District Attorney's Office, has spent hundreds of hours tracking young hackers during his tenure with REACT, a task force set up to combat SIM swapping and bring SIM swappers to justice. According to Tarazi, multiple actors in the cybercrime underground are constantly targeting people who work in key roles at major social media and online gaming platforms, from Twitter and Instagram to Sony, PlayStation and Xbox. Tarazi said some people engaged in this activity seek to woo their targets, sometimes offering them bribes in exchange for the occasional request to unban or change the ownership of specific accounts. All too often, however, employees at these social media and gaming platforms find themselves the object of extremely hostile and persistent personal attacks that threaten them and their families unless and until they give in to demands. "In some cases, they're just hitting up employees saying, 'Hey, I've got a business opportunity for you, do you want to make some money?'" Tarazi explained. 
“In other cases, they’ve done everything from SIM swapping and swatting the victim many times to posting their personal details online or extorting the victims to give up access.” Allison Nixon is chief research officer at Unit 221B, a cyber investigations company based in New York. Nixon says she doesn’t buy the idea that PlugWalkJoe, lol, and Ever So Anxious are somehow less culpable in the Twitter compromise, even if their claims of not being involved in the July 15 Twitter bitcoin scam are accurate. “You have the hackers like Kirk who can get the goods, and the money people who can help them profit — the buyers and the resellers,” Nixon said. “Without the buyers and the resellers, there is no incentive to hack into all these social media and gaming companies.” Mark Rasch, Unit 221B’s general counsel and a former U.S. federal prosecutor, said all of the players involved in the Twitter compromise of July 15 can be charged with conspiracy, a legal concept in the criminal statute which holds that any co-conspirators are liable for the acts of any other co-conspirator in furtherance of the crime, even if they don’t know who those other people are in real life or what else they may have been doing at the time. “Conspiracy has been called the prosecutor’s friend because it makes the agreement the crime,” Rasch said. “It’s a separate crime in addition to the underlying crime, whether it be breaking in to a network, data theft or account takeover. The ‘I just bought some usernames and gave or sold them to someone else’ excuse is wrong because it’s a conspiracy and these people obviously don’t realize that.” In a statement on its ongoing investigation into the July 15 incident, Twitter said it resulted from a small number of employees being manipulated through a social engineering scheme. 
Twitter said at least 130 accounts were targeted by the attackers, who succeeded in sending out unauthorized tweets from 45 of them and may have been able to view additional information about those accounts, such as direct messages. On eight of the compromised accounts, Twitter said, the attackers managed to download the account history using the Your Twitter Data tool. Twitter added that it is working with law enforcement and is rolling out additional company-wide training to guard against social engineering tactics. Twitter Hacking for Profit and the LoLs
  16. Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and affects any PC manufactured before 2019. New research shows that Intel's Thunderbolt port is vulnerable to so-called evil maid attacks on all but the most recent PCs. Security paranoiacs have warned for years that any laptop left alone with a hacker for more than a few minutes should be considered compromised. Now one Dutch researcher has demonstrated how that sort of physical access hacking can be pulled off in an ultra-common component: The Intel Thunderbolt port found in millions of PCs. On Sunday, Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he's calling Thunderspy. On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer's data. And while his attack in many cases requires opening a target laptop's case with a screwdriver, it leaves no trace of intrusion, and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an "evil maid attack," the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there's no easy software fix, only disabling the Thunderbolt port altogether. "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg, who plans to present his Thunderspy research at the Black Hat security conference this summer—or the virtual conference that may replace it. "All of this can be done in under five minutes." 
'Security Level' Zero Security researchers have long been wary of Intel's Thunderbolt interface as a potential security issue. It offers faster speeds of data transfer to external devices in part by allowing more direct access to a computer's memory than other ports, which can lead to security vulnerabilities. A collection of flaws in Thunderbolt components known as Thunderclap revealed by a group of researchers last year, for instance, showed that plugging a malicious device into a computer's Thunderbolt port can quickly bypass all of its security measures. As a remedy, those researchers recommended that users take advantage of a Thunderbolt feature known as "security levels," disallowing access to untrusted devices or even turning off Thunderbolt altogether in the operating system's settings. That would turn the vulnerable port into a mere USB and display port. But Ruytenberg's new technique allows an attacker to bypass even those security settings, altering the firmware of the internal chip responsible for the Thunderbolt port and changing its security settings to allow access to any device. It does so without creating any evidence of that change visible to the computer's operating system. "Intel created a fortress around this," says Tanja Lange, a cryptography professor at the Eindhoven University of Technology and Ruytenberg's advisor on the Thunderspy research. "Björn has gotten through all their barriers." Following last year's Thunderclap research, Intel also created a security mechanism known as Kernel Direct Memory Access Protection, which prevents Ruytenberg's Thunderspy attack. But that Kernel DMA Protection is lacking in all computers made before 2019, and is still not standard today. In fact, many Thunderbolt peripherals made before 2019 are incompatible with Kernel DMA Protection. 
In their testing, the Eindhoven researchers could find no Dell machines that have the Kernel DMA Protection, including those from 2019 or later, and they were only able to verify that a few HP and Lenovo models from 2019 or later use it. Computers running Apple's MacOS are unaffected. Ruytenberg is also releasing a tool to determine if your computer is vulnerable to the Thunderspy attack, and whether it's possible to enable Kernel DMA Protection on your machine. Return of the Evil Maid Ruytenberg's technique, shown in the video below, requires unscrewing the bottom panel of a laptop to gain access to the Thunderbolt controller, then attaching an SPI programmer device with an SOP8 clip, a piece of hardware designed to attach to the controller's pins. That SPI programmer then rewrites the firmware of the chip—which in Ruytenberg's video demo takes a little over two minutes—essentially turning off its security settings. "I analyzed the firmware and found that it contains the security state of the controller," Ruytenberg says. "And so I developed methods to change that security state to 'none.' So basically disabling all security." An attacker can then plug a device into the Thunderbolt port that alters its operating system to disable its lock screen, even if it's using full disk encryption. The full attack Ruytenberg shows in his demo video uses only about $400 dollars worth of equipment, he says, but requires an SPI programmer device and a $200 peripheral that can be plugged into a Thunderbolt port to carry out the direct memory attack that bypasses the lockscreen, like the AKiTiO PCIe Expansion Box Ruytenberg used. But he argues that a better-funded hacker could build the entire setup into a single small device for around $10,000. "Three-letter agencies would have no problem miniaturizing this," Ruytenberg says. 
The fact that Thunderbolt remains a viable attack method for evil maids isn't entirely unexpected, says Karsten Nohl, a well-known hardware security researcher and founder of SR Labs, who reviewed Ruytenberg's work. Nor should it freak out too many users, he says, given that it requires a certain level of sophistication and physical access to a victim machine. Still, he was surprised to see how easily Intel's "security levels" can be bypassed. "If you're adding an authentication scheme against hardware attacks and then you implement it in unsecured hardware...that’s the wrong way to tackle a hardware security problem," says Nohl. "It’s a false sense of protection." Ruytenberg says there's also a less invasive version of his Thunderspy attack, but it requires access to a Thunderbolt peripheral the user has plugged into their computer at some point. Thunderbolt devices set as "trusted" for a target computer contain a 64-bit code that Ruytenberg found he could access and copy from one gadget to another. That way he could bypass a target device's lockscreen without even opening the case. "There's no real cryptography involved here," Ruytenberg says. "You copy the number over. And that's pretty much it." That version of the Thunderspy attack only works, however, when the Thunderbolt port's security settings are configured to their default setting of allowing trusted devices. Ruytenberg shared his findings with Intel three months ago. When WIRED reached out to the company it responded in a blog post noting, as the researchers had, that Kernel DMA Protections prevent the attack. "While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device," the blog post reads. (The researchers counter that the vulnerability is in fact new, and their attack uses only off-the-shelf components.) 
"For all systems, we recommend following standard security practices," Intel added, "including the use of only trusted peripherals and preventing unauthorized physical access to computers." An Unpatchable Flaw In a statement to WIRED, HP said it offers protection against direct memory attacks via the Thunderbolt port in "most HP Commercial PC and Mobile Workstation products that support Sure Start Gen5 and beyond," which includes systems that have launched since the beginning of 2019. "HP is also unique in that we are the only [computer manufacturer] that provides protection against DMA attacks via internal card (PCI) and Thunderbolt devices," the company added. "Protection from DMA attacks via Thunderbolt is enabled by default." Lenovo said that it "is assessing this new research along with our partners and will communicate with customers as appropriate." Samsung didn't respond to a request for comment. Dell said in a statement that "customers concerned about these threats should follow security best practices and avoid connecting unknown or untrusted devices to PC ports," and referred WIRED to Intel for more information. When WIRED asked Intel which computer manufacturers use its Kernel DMA Protection feature, it referred us back to the manufacturers. Ruytenberg points out that the flaws he found extend to Intel's hardware, and can't be fixed with a mere software update. "Basically they will have to do a silicon redesign," he says. Nor can users change the security settings of their Thunderbolt port in their operating system to prevent the attack, given that Ruytenberg discovered how to turn those settings off. Instead, he says that paranoid users may want to disable their Thunderbolt port altogether in their computer's BIOS, though the process of doing so will be different for every affected PC. 
On top of disabling Thunderbolt in BIOS, users will also need to enable hard disk encryption and turn their computers off entirely when they leave it unattended to be fully protected. Evil maid attacks have, of course, been possible in some cases for years. Firmware-focused security companies like Eclypsium have demonstrated five-minute physical access hacking of Windows machines using BIOS vulnerabilities, for instance, and WikiLeaks' Vault7 release included information about CIA tools designed to hack Macs' firmware with physical access techniques. But both of those sorts of attacks are based on vulnerabilities that can be patched; the CIA's attack was blocked by the time news of it leaked in 2017. Thunderspy, on the other hand, remains both unpatched and unpatchable for millions of computers. The owners of those machines may now need to upgrade to a model that has Kernel DMA Protection in place—or think twice about leaving their sleeping computers unattended. Source: Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking (Wired)
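The article distinguishes two defences: Thunderbolt "security levels" (which the research shows can be switched off by reflashing the controller) and Kernel DMA Protection, which relies on the IOMMU and is the mitigation that actually holds. On Linux the thunderbolt driver exposes both states under sysfs, so a defender can audit a fleet for which one a host is relying on. The script below is an added example for this thread, not Ruytenberg's Thunderspy checker or any code from the article. It assumes the documented sysfs attributes of the Linux thunderbolt driver (`domainN/security`, `domainN/iommu_dma_protection`, and per-device `authorized`, `vendor_name`, `device_name`) and constructs a small sample tree so that it runs on a machine that has no Thunderbolt controller at all.

```shell
#!/bin/sh
# Audit the Thunderbolt protection state a Linux host exposes under sysfs.
# Added example for this thread; not Ruytenberg's tool nor Wired's text.
# Assumed layout (Linux thunderbolt driver, documented in the kernel's
# admin-guide):
#   <root>/domainN/security              none|user|secure|dponly|usbonly|nopcie
#   <root>/domainN/iommu_dma_protection  1 when the IOMMU guards DMA tunnels
#   <root>/<dev>/authorized, vendor_name, device_name   per connected device

# Read one sysfs attribute, printing a fallback value if it is absent.
tb_attr() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi
}

# Classify one domain directory. Prints exactly one word:
#   no-thunderbolt  directory absent (no controller, or driver not loaded)
#   protected       IOMMU-based Kernel DMA Protection is active
#   pcie-disabled   PCIe tunnelling is off; the port is only USB/DisplayPort
#   exposed         security level "none": any plugged-in device gets DMA
#   at-risk         only "user"/"secure" level, which a firmware reflash defeats
tb_verdict() {
    dom="$1"
    [ -d "$dom" ] || { echo no-thunderbolt; return 0; }
    level=$(tb_attr "$dom/security" unknown)
    dma=$(tb_attr "$dom/iommu_dma_protection" 0)
    if [ "$dma" = "1" ]; then echo protected; return 0; fi
    case "$level" in
        dponly|usbonly|nopcie) echo pcie-disabled ;;
        none)                  echo exposed ;;
        user|secure)           echo at-risk ;;
        *)                     echo unknown ;;
    esac
    return 0
}

# Print one line per domain and one per connected device under <root>.
tb_report() {
    root="$1"
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        printf '%s: security=%s iommu_dma_protection=%s verdict=%s\n' \
            "$(basename "$dom")" "$(tb_attr "$dom/security" unknown)" \
            "$(tb_attr "$dom/iommu_dma_protection" 0)" "$(tb_verdict "$dom")"
    done
    for dev in "$root"/[0-9]-[0-9]*; do
        [ -d "$dev" ] || continue
        printf '  device %s: %s %s authorized=%s\n' "$(basename "$dev")" \
            "$(tb_attr "$dev/vendor_name" '?')" \
            "$(tb_attr "$dev/device_name" '?')" \
            "$(tb_attr "$dev/authorized" '?')"
    done
}

# Build a constructed sysfs look-alike (sample data, not a real machine):
# a pre-2019-style host at "user" level with no IOMMU protection and one
# previously authorized peripheral. Prints the temp root for cleanup.
tb_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/domain0" "$root/0-1"
    echo user > "$root/domain0/security"
    echo 0 > "$root/domain0/iommu_dma_protection"
    echo 1 > "$root/0-1/authorized"
    echo "ExampleVendor" > "$root/0-1/vendor_name"
    echo "Dock" > "$root/0-1/device_name"
    echo "$root"
}

# Audit the real sysfs when this host has Thunderbolt, else the sample tree.
if [ -d /sys/bus/thunderbolt/devices/domain0 ]; then
    tb_report /sys/bus/thunderbolt/devices
else
    sample=$(tb_sample_tree)
    tb_report "$sample"
    rm -rf "$sample"
fi
```

A host that reports `at-risk` is relying on exactly the controller-side setting the article says can be reflashed away, so the remediation options are the ones Ruytenberg lists: firmware or hardware that supports Kernel DMA Protection, or disabling the port in BIOS. On Windows the corresponding status is shown by System Information (msinfo32) in its "Kernel DMA Protection" row.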
  17. French Firms Rocked by Kasbah Hacker?

A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products.

In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East.

Further investigation revealed the electricity provider was just one of many French critical infrastructure firms that had systems beaconing home to the malware network's control center. Other victims included one of France's largest hospital systems; a French automobile manufacturer; a major French bank; companies that work with or manage networks for French postal and transportation systems; a domestic firm that operates a number of airports in France; a state-owned railway company; and multiple nuclear research facilities.

HYAS said it quickly notified the French national computer emergency team and the FBI about its findings, which pointed to a dynamic domain name system (DNS) provider on which the purveyors of this attack campaign relied for their various malware servers. When it didn't hear from French authorities after almost a week, HYAS asked the dynamic DNS provider to "sinkhole" the malware network's control servers. Sinkholing is a practice by which researchers assume control over a malware network's domains, redirecting any traffic flowing to those systems to a server the researchers control. While sinkholing doesn't clean up infected systems, it can prevent the attackers from continuing to harvest data from infected PCs or sending them new commands and malware updates.

HYAS found that despite its notifications to the French authorities, some of the apparently infected systems were still attempting to contact the sinkholed control networks up until late 2019. "Due to our remote visibility it is impossible for us to determine if the malware infections have been contained within the [affected] organizations," HYAS wrote in a report summarizing their findings. "It is possible that an infected computer is beaconing, but is unable to egress to the command and control due to outbound firewall restrictions."

About the only French critical infrastructure vertical not touched by the Kasbah hackers was the water management sector. HYAS said given the entities compromised — and that only a handful of known compromises occurred outside of France — there's a strong possibility this was the result of an orchestrated phishing campaign targeting French infrastructure firms. It also concluded the domains associated with this campaign were very likely controlled by a group of adversaries based in Morocco.

"What caught our attention was the nature of the victims and the fact that there were no other observed compromises outside of France," said Sasha Angus, vice president of intelligence for HYAS. "With the exception of water management, when looking at the organizations involved, each fell within one of the verticals in France's critical infrastructure strategic plan. While we couldn't rule out financial crime as the actor's potential motive, it didn't appear that the actor leveraged any normal financial crime tools."

'FATAL' ERROR

HYAS said the dynamic DNS provider shared information showing that one of the email addresses used to register a key DNS server for the malware network was tied to a domain for a legitimate business based in Morocco. According to historic records maintained by Domaintools.com [an advertiser on this site], that email address — [email protected] — was used in 2016 to register the Web site talainine.com, a now-defunct business that offered recreational vehicle-based camping excursions just outside of a city in southern Morocco called Guelmim.

Archived copies of talainine.com indicate the business was managed by two individuals, including someone named Yassine Algangaf. A Google search for that name reveals a similarly named individual has been credited by a number of major software companies — including Apple, Dell and Microsoft — with reporting security vulnerabilities in their products.

A search on this name at Facebook turned up a page for another now-defunct business called Yamosoft.com that lists Algangaf as an owner. A cached copy of Yamosoft.com at archive.org says it was a Moroccan computer security service that specialized in security audits, computer hacking investigations, penetration testing and source code review.

A search on the [email protected] address at 4iq.com — a service that indexes account details like usernames and passwords exposed in Web site data breaches — shows this email address was used to register an account at the computer hacking forum cracked[.]to for a user named "fatal.001."

A LinkedIn profile for a Yassine Algangaf says he's a penetration tester from the Guelmim province of Morocco. Yet another LinkedIn profile under the same name and location says he is a freelance programmer and penetration tester. Both profiles include the phrase "attack prevention mechanisms researcher security tools proof of concepts developer" in the description of the user's job experience.

Searching for this phrase in Google turns up another Facebook page, this time for a "Yassine Majidi," under the profile name "FatalW01." A review of Majidi's Facebook profile shows that phrase as his tag line, and that he has signed several of his posts over the years as "Fatal.001."

There are also two different Skype accounts registered to the ing.equipepro.com email address, one for Yassine Majidi and another for Yassine Algangaf. There is a third Skype account nicknamed "Fatal.001" that is tied to the same phone number included on talainine.com as a contact number for Yassine Algangaf (+212611604438). A video on Majidi's Facebook page shows him logged in to the "Fatal.001" Skype account. On his Facebook profile, Majidi includes screen shots of several emails from software companies thanking him for reporting vulnerabilities in their products.

Fatal.001 was an active member on dev-point[.]com, an Arabic-language computer hacking forum. Throughout multiple posts, Fatal.001 discusses his work in developing spam tools and RAT malware. In this two-hour Arabic language YouTube tutorial from 2014, Fatal.001 explains how to use a RAT he developed called "Little Boy" to steal credit card numbers and passwords from victims. The main control screen for the Little Boy botnet interface includes a map of Morocco.

Reached via LinkedIn, Algangaf confirmed he used the pseudonyms Majidi and Fatal.001 for his security research and bug hunting. But he denied ever participating in illegal hacking activities. He acknowledged that [email protected] is his email address, but claims the email account was hacked at some point in 2017. "It has already been hacked and recovered after a certain period," Algangaf said. "Since I am a security researcher, I publish from time to time a set of blogs aimed at raising awareness of potential security risks."

As for the notion that he has somehow been developing hacking programs for years, Algangaf says this, also, is untrue. He said he never sold any copies of the Little Boy botnet, and that this was one of several tools he created for raising awareness. "In 2013, I developed a platform for security research through which penetration test can be done for phones and computers," Algangaf said. "It contained concepts that could benefit from a controlled domain. As for the fact that unlawful attacks were carried out on others, it is impossible because I simply have no interest in blackhat [activities]."

Source: French Firms Rocked by Kasbah Hacker? (KrebsOnSecurity - Brian Krebs)
  18. Millions of VPN users at risk of hacking - here's what you need to know

After analyzing the top free VPNs available on the Google Play Store, security researchers have discovered that several contain critical vulnerabilities. VPNPro's investigation found that the app SuperVPN Free VPN Client, which has over 100m installs, contains critical vulnerabilities that open users of the app up to man-in-the-middle (MITM) attacks. By exploiting these vulnerabilities, a hacker can easily intercept all of the communications between a user and the VPN provider to find out exactly what the user is doing online.

According to VPNPro, nearly 105m users who have installed SuperVPN Free VPN Client could be at risk of having their credit card details stolen, their private photos and videos leaked or sold online or their conversations recorded. To make matters worse, of the top free VPN apps analyzed by its security researchers, 10 other apps contained similar vulnerabilities.

Free VPN apps

Besides SuperVPN Free VPN Client, the other free VPN apps that VPNPro found to have vulnerabilities include TapVPN Free VPN, Best Ultimate VPN – Fastest Secure Unlimited VPN, Korea VPN – Plugin for Open VPN, VPN Unblocker Free unlimited Best Anonymous Secure, Super VPN 2019 USA – Free VPN, Unblock Proxy VPN, Wuma VPN-Pro (Fast & Unlimited & Security), VPN Download: Top, Quick & Unblock Sites, Secure VPN – Fast VPN Free & Unlimited VPN and Power VPN Free VPN.

Cybersecurity expert at VPNPro, Jan Youngren explained to 9News that using a free VPN could actually leave users less protected than not using one at all, saying: "(VPN users are) more willing to transmit sensitive information on VPN apps than on other apps. For a VPN app to then be so vulnerable is a betrayal of users' trust and puts them in a worse position than if they hadn't used any VPN at all."

VPNPro disclosed these vulnerabilities to the developers of all 10 affected VPN apps back in October in order to give them enough time to fix these issues. However, only one VPN app, Best Ultimate VPN, responded and patched the vulnerabilities.

Source
  19. Three men have been indicted in the US for trying to steal at least $15m by hacking into the Department of Defence's payroll service and customer accounts at 14 different financial institutions.

The US Attorney's office in New Jersey has charged two men from Kiev in Ukraine, Oleksiy Sharapka and Leonid Yanovitsky, and a third man from New York, Richard Gundersen, with conspiracy to commit wire fraud, conspiracy to commit access device fraud and identity theft and aggravated identity theft. According to prosecutors, Sharapka led the conspiracy with the help of Yanovitsky, while Gundersen allegedly facilitated the movement of the proceeds from the hacks. The New Yorker is in custody, but both Ukrainians are currently fugitives.

The hackers were able to gain access to bank accounts of over a dozen financial institutions and businesses, including Citibank, JP Morgan Chase, PayPal, Nordstrom Bank and Veracity Payment Solutions. Once they were in, they diverted cash from the accounts to their own bank accounts or on to pre-paid debit cards. After that, they allegedly hired crews of individuals to "cash out" the stolen money. These "cashers" withdrew the funds from ATMs and by shopping for fraudulent purchases in the US. To help do this, the men stole US identities, which could be used to file fraudulent tax returns and to transfer money to.

The men are facing a maximum potential sentence of 27 years for the charges against them as well as a maximum fine of $250,000 or twice the gross amount of the gains they made from their offences and another $500,000 for laundering the money through international wire transfers and other means.

Source
  20. How can I know if a phone has been hacked? How can I demonstrate to a relative that a phone can be hacked easily?

So a relative of mine had a misunderstanding that I am a computer engineer and that I know a lot about hacking and stuff like that because they often see me on a computer, but I am from the commercial, social and spiritual field. Nonetheless, I would like to know some easy as well as detailed methods which can be used to figure out if the phone my relative uses has been hacked, because I know. If possible I would also like to know how to delete or counterspy without letting the actual hacker know that I know.

Also, if one could let me know or guide me in the direction where I can learn a simple way to hack a phone in the presence of those relatives and let them know a bit about the methods that can be used for hacking, for creating awareness within the family members that I don't want to be spied upon. Now I know that questions regarding hacking aren't permitted here, but I am not asking for real hacking. I just want to learn a little to let the relative know that it's possible and pretty easy.

Plus I am pretty sure that her phone is hacked with a paid spyware app by her significant other, so the first question is the most important, which is how to figure out that malicious apps with intent to spy on the calls, SMS records and pics are present on the phone. I think my own phone is either hacked or affected by malware because there are folders on my phone that I am unable to delete.

Sorry for the long post. Thanks for reading.
  21. InnoExtractor is a powerful application that helps you to unpack Inno Setup installers using InnoUnp technology. With InnoExtractor you can explore the internal structure and content of the installer, and you can extract it to a local folder or a portable device without having to run the setup.

Download up-to-date installer (clean / ads free installer edition): http://www.mediafire.com/?1a5z25ioxet5z05
Homepage: http://www.havysoft.cl/

Features:
- Simple and friendly GUI.
- Open installers into the application with only drag and drop executables from Windows Explorer.
- Explore the internal content (files and more) of the installer.
- Extract the embedded files and script to a local folder, to a zip package or to a self-extracting module (portable).
- Decompiles the "CompiledCode.bin" file of the installer to get the assembly code corresponding to the "Code" script section (for advanced users only).
- Open internal files of the installer into the same application.
- Perform file searches by keyword.
- Input panel that allows you to enter a valid password to extract encrypted installers.
- Properties panel to see advanced information about the installer.
- History for recently opened installers.
- Other miscellaneous options.
- Supports older and latest versions of Inno Setup.
- Supports older and latest versions of InnoUnp.
- Full Unicode support.
- Application available in multiple languages.
- Much more!

Requirements:
- Windows 2000/XP/Vista/7/8/8.1.
- Inno Setup-based installers.

Changelog:
  22. InnoExtractor is a powerful application that helps you to unpack Inno Setup installers using InnoUnp technology. With InnoExtractor you can explore the internal structure and content of the installer, and you can extract it to a local folder or a portable device without having to run the setup.

Download up-to-date installer (clean / ads free installer edition): http://www.mediafire.com/?xgkjwbwdtcis9sh
Homepage: http://www.havysoft.cl/

Features:
- Simple and friendly GUI.
- Open installers into the application with only drag and drop executables from Windows Explorer.
- Explore the internal content (files and more) of the installer.
- Extract the embedded files and script to a local folder, to a zip package or to a self-extracting module (portable).
- Decompiles the "CompiledCode.bin" file of the installer to get the assembly code corresponding to the "Code" script section (for advanced users only).
- Open internal files of the installer into the same application.
- Perform file searches by keyword.
- Input panel that allows you to enter a valid password to extract encrypted installers.
- Properties panel to see advanced information about the installer.
- History for recently opened installers.
- Other miscellaneous options.
- Supports older and latest versions of Inno Setup.
- Supports older and latest versions of InnoUnp.
- Full Unicode support.
- Application available in multiple languages.
- Much more!

Requirements:
- Windows 2000/XP/Vista/7/8/8.1.
- Inno Setup-based installers.

Changelog:
  23. InnoExtractor is a powerful application that helps you to unpack Inno Setup installers using InnoUnp technology. With InnoExtractor you can explore the internal structure and content of the installer, and you can extract it to a local folder or a portable device without having to run the setup.

Download up-to-date installer (clean / ads free installer edition): http://www.mediafire.com/?xgkjwbwdtcis9sh
Homepage: http://www.havysoft.cl/
Softpedia site: http://www.softpedia.com/get/Compression-tools/InnoExtractor.shtml

Features:
- Simple and friendly GUI.
- Open installers into the application with only drag and drop executables from Windows Explorer.
- Explore the internal content (files and more) of the installer.
- Extract the embedded files and script to a local folder, to a zip package or to a self-extracting module (portable).
- Decompiles the "CompiledCode.bin" file of the installer to get the assembly code corresponding to the "Code" script section (for advanced users only).
- Open internal files of the installer into the same application.
- Perform file searches by keyword.
- Input panel that allows you to enter a valid password to extract encrypted installers.
- Properties panel to see advanced information about the installer.
- History for recently opened installers.
- Other miscellaneous options.
- Supports older and latest versions of Inno Setup.
- Supports older and latest versions of InnoUnp.
- Full Unicode support.
- Application available in multiple languages.
- Much more!

Requirements:
- Windows 2000/XP/Vista/7/8/8.1.
- Inno Setup-based installers.

Changelog:
  24. Description: InnoExtractor is a powerful application that helps you to unpack Inno Setup installers using InnoUnp technology. With InnoExtractor you can explore the internal structure and content of the installer, and you can extract it to a local folder or a portable device without having to run the setup.

Features:
- Simple and friendly GUI.
- Open installers into the application with only drag and drop executables from Windows Explorer.
- Explore the internal content (files and more) of the installer.
- Extract the embedded files and script to a local folder, to a zip package or to a self-extracting module (portable).
- Decompiles the "CompiledCode.bin" file of the installer to get the assembly code corresponding to the "Code" script section (for advanced users only).
- Open internal files of the installer into the same application.
- Perform file searches by keyword.
- Input panel that allows you to enter a valid password to extract encrypted installers.
- Properties panel to see advanced information about the installer.
- History for recently opened installers.
- Other miscellaneous options.
- Supports older and latest versions of Inno Setup.
- Supports older and latest versions of InnoUnp.
- Full Unicode support.
- Application available in multiple languages.
- Designed for Windows 2000, XP, Vista, 7 and 8.
- Much more!

Changelog (4.4.0.909):

Homepage: http://www.havysoft.cl
Softpedia site: http://www.softpedia.com/get/Compression-tools/InnoExtractor.shtml
Download up-to-date installer (clean / ads free installer version): http://www.mediafire.com/?xgkjwbwdtcis9sh
  25. InnoExtractor is a powerful application that helps you to unpack Inno Setup installers. With InnoExtractor you can explore the internal structure and content of the installer, and you can extract it to a local folder or a portable device without having to run the setup.

Download up-to-date installer (clean / ads free installer edition):
http://www.mediafire.com/?1a5z25ioxet5z05
http://www.datafilehost.com/d/3841ea2d
Homepage: http://www.havysoft.cl/

Features:
- Simple and friendly GUI.
- Open installers into the application with only drag and drop executables from Windows Explorer.
- Explore the internal content (files and more) of the installer.
- Extract the embedded files and script to a local folder, to a zip package or to a self-extracting module (portable).
- Decompiles the "CompiledCode.bin" file of the installer to get the assembly code corresponding to the "Code" script section (for advanced users only).
- Open internal files of the installer into the same application.
- Perform file searches by keyword.
- Input panel that allows you to enter a valid password to extract encrypted installers.
- Properties panel to see advanced information about the installer.
- History for recently opened installers.
- Other miscellaneous options.
- Supports older and latest versions of Inno Setup.
- Supports older and latest versions of InnoUnp.
- Full Unicode support.
- Application available in multiple languages.
- Much more!

Requirements:
- Windows 2000/XP/Vista/7/8/8.1.
- Inno Setup-based installers.

Changelog: