Search the Community

Showing results for tags 'hacking'.

Found 121 results

  1. Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. The worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.

     EternalRocks uses seven NSA tools

     The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations. Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.

     Origin of the EternalRocks name

     The WannaCry ransomware outbreak, which affected over 240,000 victims, also used an SMB worm to infect computers and spread to new victims. Unlike EternalRocks, WannaCry's SMB worm used only ETERNALBLUE for the initial compromise, and DOUBLEPULSAR to propagate to new machines.

     EternalRocks is more complex but less dangerous

     As a worm, EternalRocks is far less dangerous than WannaCry's worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it's actually the opposite. For starters, EternalRocks is far more sneaky than WannaCry's SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage. During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.

     Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.

     No kill switch domain

     Additionally, EternalRocks also uses files with identical names to the ones used by WannaCry's SMB worm, in another attempt to fool security researchers into misclassifying it. But unlike WannaCry, EternalRocks does not include a kill switch domain, the Achilles' heel that security researchers used to stop the WannaCry outbreak. After the initial dormancy period expires and the C&C server responds, EternalRocks goes into the second stage of its installation process and downloads a second stage malware component in the form of an archive named shadowbrokers.zip. The name of this file is pretty self-explanatory, as it contains NSA SMB-centric exploits leaked by the Shadow Brokers group in April 2017. The worm then starts a rapid IP scanning process and attempts to connect to random IP addresses.

     Image caption: The configuration files for NSA tools found in the shadowbrokers.zip archive

     EternalRocks could be weaponized in an instant

     Because of its broader exploit arsenal, the lack of a kill switch domain, and because of its initial dormancy, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author would ever decide to weaponize the worm with ransomware, a banking trojan, RATs, or anything else. At first glance, the worm seems to be an experiment, or a malware author performing tests and fine-tuning a future threat. This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands and the worm's owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks.

     Furthermore, DOUBLEPULSAR, an NSA implant with backdoor features, remains running on PCs infected with EternalRocks. Unfortunately, the worm's author has not taken any measures to protect the DOUBLEPULSAR implant, which runs in a default unprotected state, meaning other threat actors could use it as a backdoor to machines infected by EternalRocks, by sending their own malware to those PCs. IOCs and more info on the worm's infection process are available in a GitHub repo Stampar set up a few days ago.

     An SMB free-for-all

     Currently, there are multiple actors scanning for computers running older and unpatched versions of the SMB services. System administrators have already taken notice and started patching vulnerable PCs or disabling the old SMBv1 protocol, slowly reducing the number of vulnerable machines that EternalRocks can infect. Furthermore, malware such as Adylkuzz also shuts down SMB ports, preventing further exploitation from other threats, also contributing to reducing the number of potential targets for EternalRocks and other SMB-hunting malware. Reports from Forcepoint, Cyphort, and Secdo detail other threats currently targeting computers with SMB ports. Nonetheless, the faster system administrators patch their systems the better. "The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer in a private conversation. "Once infected, he can weaponize any time he wants, no matter the late patch."

     Article source
  2. Image caption: Hackers managed to inject the NFTC website with malicious code in a watering hole attack

     Nation state level hackers based out of China have targeted directors at some of the world's largest firms by compromising the website of a global trade lobby group. The sophisticated nature of the campaign against the Washington-based National Foreign Trade Council has led cybersecurity researchers at Fidelis to the conclusion that the attacks were carried out by the Chinese APT10 hacking group. It's the second time in a week that an APT10 campaign has come to light, with PwC also detailing how the group has been targeting managed IT services providers across the globe in order to steal sensitive data. The latest campaign, dubbed Operation Tradesecret, has been detailed in a new report, and has come to light just ahead of US President Donald Trump's meeting with Chinese President Xi Jinping. The two leaders are expected to discuss cyber warfare and cybersecurity. The number of cyberattacks emerging from China has declined recently, although the incidents that are taking place are more sophisticated and targeted. Fidelis security researchers say specific pages of NFTC's website were injected with a watering hole attack link, designed to run malware to compromise a very precise set of targets: those registering for specific meetings at the NFTC, such as a board of directors meeting in Washington DC. The targeted individuals hold key roles in some of the largest corporations in the world and gaining access to their personal data and sensitive corporate information would be a boon for hackers looking for ways to steal company secrets. This particular campaign took place between February 27 and March 1, with malicious links on the NFTC website serving Scanbox malware, a well-known web reconnaissance tool that has been used in cyberespionage campaigns dating back to at least 2014. It has also been associated with campaigns linked to the Chinese government.
Cyberespionage capabilities of Scanbox -- which was also used in attacks against the US Office of Personnel Management and Anthem Healthcare -- include monitoring which websites were viewed by the victim as well as their operating system, screen size, and location, along with keylog monitoring. The latter potentially enables attackers to make off with login details and passwords for internal networks and even compromise others using phishing attacks. Indeed, Fidelis notes how the waterhole attack against the National Foreign Trade Council is likely to be a precursor for an upcoming sustained campaign against targets -- and those affected should be mindful. "The reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that such personnel will be subject to further targeted attempts to compromise them -- for example, through a spearphishing campaigns," the report warns. The malicious link itself was removed from the NFTC website on March 2 and Fidelis briefed the organisation about the incident shortly after it was discovered. The APT10 hacking collective has been focusing on espionage since 2009 and has evolved from targeting US defence firms, as well as the technology and telecommunications sectors, to organisations in multiple industries across the globe. The group was behind the Poison Ivy malware family, and today uses custom tools capable of compromising organisations and their customers, as well as stealing large amounts of data. Source
  3. VMware has released critical security patches for vulnerabilities demonstrated during the recent Pwn2Own hacking contest that could be exploited to escape from the isolation of virtual machines. The patches fix four vulnerabilities that affect VMware ESXi, VMware Workstation Pro and Player and VMware Fusion. Two of the vulnerabilities, tracked as CVE-2017-4902 and CVE-2017-4903 in the Common Vulnerabilities and Exposures database, were exploited by a team from Chinese internet security firm Qihoo 360 as part of an attack demonstrated two weeks ago at Pwn2Own. The team's exploit chain started with a compromise of Microsoft Edge, moved to the Windows kernel, and then exploited the two flaws to escape from a virtual machine and execute code on the host operating system. The researchers were awarded $105,000 for their feat. Pwn2Own is an annual hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) program that runs during the CanSecWest conference in Vancouver, British Columbia. Researchers receive cash prizes for demonstrating zero-day -- previously unknown -- exploits against browsers, operating systems and other popular enterprise software programs. This year, the contest organizers added prizes for exploits in hypervisors like VMware Workstation and Microsoft Hyper-V and two teams stepped up to the challenge. The second team, made up of researchers from the Keen Lab and PC Manager divisions of internet services provider Tencent, exploited the two other flaws patched by VMware this week: CVE-2017-4904 and CVE-2017-4905. The latter is a memory information leak vulnerability that is rated only as moderate, but which could help hackers pull off a more serious attack. Users are advised to update VMware Workstation to version 12.5.5 on all platforms and VMware Fusion to version 8.5.6 on macOS (OS X). Individual patches are also available for ESXi 6.5, 6.0 U3, 6.0 U2, 6.0 U1 and 5.5, where applicable. 
Virtual machines are often used to create throw-away environments that pose no threat to the main operating system in case of compromise. For example, malware researchers execute malicious code and visit suspicious URLs inside virtual machines to observe their behavior. Companies also run many applications inside virtual machines to limit the potential impact if they're compromised. One of the main goals of hypervisors like VMware Workstation is to create a barrier between the guest operating system that runs inside the virtual machine and the host OS where the hypervisor runs. That's why VM escape exploits are highly prized among hackers. Source
  4. Image caption: FBI Director James Comey (left) testifies in front of the House Intelligence Committee on Monday regarding Russian hacking during the 2016 election.

     The agency's director, James Comey, confirms the FBI is looking into any possible ties between the president's campaign and the Russian government. In a rare move, the FBI confirmed that it is investigating whether Russian hackers had any links to President Trump's election team. Citing "unusual circumstances," FBI Director James Comey said that the bureau is looking into whether Trump's campaign worked with Russian officials during the 2016 election. "I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government's efforts to interfere in the 2016 presidential election," Comey testified at a House committee hearing on Monday. "That includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government, and whether there was any coordination with the campaign and Russia's efforts." These are unusual circumstances indeed. Worries about Russian hacks plagued the US presidential election and its aftermath, with US intelligence agencies accusing Russia of meddling in the race for the White House. The House Intelligence Committee is investigating how the cyberattacks happened and how to protect the nation's democratic processes from interference in the future. The breaches included hacking emails from the Democratic National Committee, Democratic candidate Hillary Clinton and her campaign manager, John Podesta. Comey had earlier testified before the House Intelligence committee concerning Russian hacks during the election, revealing there were no attacks against the Trump campaign or the Republican National Committee. During the campaign, Donald Trump publicly urged Russia to help turn up Clinton's emails.
Members of the Trump administration, including attorney general Jeff Sessions, former national security adviser Michael Flynn and Secretary of State Rex Tillerson, have also faced controversy for ties to Russian officials. The Obama administration in late December retaliated against Russia, imposing sanctions over the cyberattacks even as Russian officials continue to deny any involvement in the hacks. Russia's relationships with the US has been on shaky ground since. Comey revealed that the FBI has been investigating Russian influence on the 2016 election since last July, when hackers apparently first infiltrated the DNC. It remains unclear when the investigation will end. During the hearing, Comey also rebutted President Trump's tweets that the Obama administration ordered a wiretap on Trump Tower during the campaign. That echoed House Intelligence committee chairman Devin Nunes and the Justice Department's findings. "I have no information that supports those tweets, and we have looked carefully inside the FBI," Comey said. The National Security Agency director Michael Rogers also denied Trump's claims during the hearing. Source
  5. Your Apple iCloud account may be open to attacks. Worried about hackers destroying your iCloud music, pictures, and documents? Here are three things you should do right now.

     Maybe the London-based hacker group -- which goes by the name "Turkish Crime Family" -- doesn't have access to 250 million Apple iCloud account names and passwords. But they do have access to some indeterminate number of accounts, and that's more than enough reason to exercise caution: Protect your iCloud password and data today or risk losing it tomorrow. Here's how to do it.

     Back up vulnerable data

     First, you need to back up your iCloud data. Yes, I know Apple's idea was you could use iCloud to back up your Apple device data, and that's fine, but it's iCloud itself we're worried about today. For your iPhone, iPad, or iPod, the easiest way to do this is to back up your device's files to your Mac or PC with an iTunes backup. Plug your device into your Mac or PC with iTunes on. In iTunes' top left-hand corner, under the play controls, there's a tiny phone icon. Click here and it will take you to your device's menu. Click on Summary in the left-hand column. You will be presented with three boxes. Choose Select Backups. Choose to automatically or manually back up your device. If you choose automatic, every time you plug your gadget in, iTunes will start to back it up.

     Image caption: Backing up your Apple device locally, and not just to iCloud, is a good idea

     The only problem here is that iTunes doesn't back everything up. For example, it won't back up your Apple Pay information and settings, photos already on iCloud, or purchased iTunes and App Store content. So, to be safe, you really must change and secure your password.

     Change your passwords

     Apple could help here -- and not just by paying off the Turkish Crime Family. Other major sites -- like Amazon, Netflix, and LinkedIn -- buy cracked password lists, and use one-way hashing matches to check for existing passwords. They then reset vulnerable passwords and ask users to switch passwords. Apple hasn't done that, but it should consider doing it, given just how large the threat appears to be. Since Apple isn't doing this, it's up to you. One thing that has always annoyed me is that Apple talks as if your Apple ID and iCloud ID are different. They're not. They're the same, and they use the same password. To change your Apple ID password, sign in to your Apple ID account page with any web browser and follow the instructions to reset your password. I changed mine using Google Chrome from a Mint Linux system. Your new Apple ID password must contain at least eight characters, a number, an uppercase letter, and a lowercase letter. You also can't use spaces, the same character three times in a row, your Apple ID, or a password you've used in the last year. Whatever you do, do NOT use dumb passwords such as "abcdefgh," "qwerty," or "password." The easiest way to create a secure password that won't try your memory is to use passphrases instead of passwords. Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard (e.g. "sdf9usdf"), use an easy-to-remember but nonsensical phrase instead. For example, "Plump/Trotting Pups:" or "UNC?Win!Duke?Lose!" or "AC!DC!Tesla!Edison?" These are easy to recall and hard for crackers to break. Once you've changed your password, you'll need to change it on all your Apple devices. Then, you're going to want to add another layer of protection: Two-factor authentication (2FA).

     2FA

     Image caption: Apple's 2FA is clunky, but it still does a great job of protecting your account.

     For additional protection, turn on Apple's two-factor authentication. When you activate 2FA, you can access your account only from trusted devices such as your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you'll need to provide two pieces of information. These are your Apple ID password and the six-digit verification code that's automatically displayed on your trusted devices. To use Apple 2FA, you'll also need a trusted phone number so you can receive verification codes. To add a trusted phone number, take the following steps:

       • Go to your Apple ID account page
       • Sign in with your Apple ID
       • Go to the Security section and click Edit
       • Click Add a Trusted Phone Number and enter the phone number

     Now, you're ready for 2FA. For a trusted device, you need an iPhone, iPad, or iPod touch with iOS 9 and later, or you need a Mac running OS X El Capitan or later that you've already signed into with 2FA. To turn on Apple 2FA, take the following steps.

     On your iPhone, iPad, or iPod touch with iOS 9 or later:

       • Go to Settings > iCloud > tap your Apple ID
       • Tap Password & Security
       • Tap Turn on Two-Factor Authentication

     On your Mac with OS X El Capitan or later:

       • Go to Apple menu > System Preferences > iCloud > Account Details
       • Click Security
       • Click Turn on Two-Factor Authentication

     Yes, this can be a lot of work. On the other hand, how much work would it take you to replace your important photos, music, books, or documents if your Apple iCloud account goes up in smoke? Take the time, do it now. You'll be glad you did. Source
  6. Apple has received a ransom threat from a hacking group claiming to have access to data for up to 800 million iCloud accounts. The hackers, said to be a London-based group called the "Turkish Crime Family," have threatened to reset passwords and remotely wipe the iPhones of millions of iCloud users if Apple fails to hand over a total of US$700,000. They have given the company an ultimatum to respond by April 7. Apple reportedly has denied that the group succeeded in hacking its systems, maintaining that it obtained the email addresses and passwords from previously compromised third-party services. Apple is working with law enforcement on the threats. The data set in the iCloud hack matches the data found in the 2012 hack of 117 million accounts on LinkedIn, according to some published reports. However, the Turkish Crime Family strongly denied that in a message to TechNewsWorld on Friday.

     Correcting the Message

     The initial reports of a ransom demand of just $75,000 were incorrect, the group said in response to our email query. It actually demanded $100,000 for each of its seven members, plus "extra stuff from Apple that are worth more to us than money," which it promised Apple it would keep secret. The group also told TechNewsWorld that the only member based in London is Kerem Albayrek, who is facing charges related to listing a hacked Yahoo database for sale. It claimed that its iCloud ransom demands were in part to spread awareness of Albayrek, as well as of Karim Baratov, a Canadian resident charged earlier this month, along with a second hacker and two Russian FSB agents, in the 2014 breach of 500 million Yahoo account holders. The group told TechNewsWorld that it showed Apple scan logs that contain 800 million iCloud accounts, and that Apple claimed the data had come from outside sources. The group said it planned to launch a website that would list iCloud user names, last names, dates of birth and a captcha of their current location from an iCloud app. The site will not disclose passwords initially, the group said, but it would do so "most probably in the future."

     Shaking Down Apple

     The Turkish Crime Family threat should be taken seriously, said Pierluigi Paganini, a cybersecurity analyst and member of the Cyber Group G7 2017 Summit in Italy. "I consider the threat is credible, even if it is quite impossible to know the exact number of iCloud credentials in the hands of hackers," he told TechNewsWorld. The group is known in the hacking underground for the sale of stolen databases, Paganini said. The group reportedly has approached several media outlets directly; it told TechNewsWorld that it had been in contact with five. However, it is unlikely that the group's efforts to stir public pressure against Apple will be effective, noted Mark Nunnikhoven, vice president for cloud research at Trend Micro, in an online post. Apple is too large and has too many resources to give in to public pressure, he pointed out. The group's demands are similar to a shakedown in the physical world, in which criminals demand monthly payments to "protect" a business, Nunnikhoven noted. "In the digital world, the pressures that make victims pay (e.g. keeping your store in one piece) don't apply," Nunnikhoven wrote. "With iCloud accounts, Apple has the ultimate safety valve ... they control the infrastructure behind the accounts," he added. "Which removes most of the pressure points criminals could use." There is no evidence of state involvement in this cyberthreat, Nunnikhoven told TechNewsWorld. However, there is "mounting evidence that this is a group whose eyes are bigger than their stomachs," he suggested. "Selling credentials on the underground is rather commonplace. Attempting to extort one of the biggest companies on the planet with poor quality data is quite another."

     Credible Threat

     A report in ZDNet appeared to lend credence to some of the hacking group's claims, however.
The group provided 54 credentials to the publication, which were verified as authentic based on a check of the password reset function. Most of the accounts were outdated, but 10 people did confirm to the publication that the obtained passwords were legitimate and that they since had changed them. Those 10 people were living in the UK, and had UK mobile numbers. Trend Micro is urging iCloud users to protect their accounts by using two-factor authentication, and also to use a password manager. A password manager helps users create unique passwords for every account and stores them remotely so that hackers cannot access one or two accounts and thereby gain access to many more. The FBI declined to comment for this story. Apple officials did not respond to our request to comment, and a Yahoo spokesperson was not immediately available. Source
  7. Most Android phones don't have the latest security patch -- despite efforts by Google to distribute software fixes monthly via phone carriers -- researchers at Skycure found. A cybersecurity company found that 71 percent of Android users on major US carriers are easy targets for hackers. Chances are, your Android phone would be easy pickings for hackers. That's according to research released Thursday by cybersecurity company Skycure, which found that 71 percent of Android phones on the five major US carriers haven't been patched with the latest security updates. That could be because users haven't installed updates, or because they haven't received them from carriers. The report highlights the risks posed by not updating smartphones, and the challenges Google faces in delivering security updates to Android users. Why should Android users be worried about staying up to date on their security updates? In the hacking world, security updates show bad guys all the ways that phones, computers or other devices can be compromised. For example, an Android security update in December patched a flaw nicknamed "Dirty Cow" that could have let hackers get root privileges -- essentially the keys to the kingdom -- on an Android phone. So if you don't (or can't) update, hackers can build tools to break into your phone. Patching makes these hacking tools useless. "Malware, network attacks and advanced exploitation campaigns many times depend on unpatched vulnerabilities to be successful," Yair Amit, co-founder and chief technical officer at Skycure, said in a statement. The carriers in the Skycure study are T-Mobile, MetroPCS, AT&T, Verizon and Sprint. T-Mobile (which merged with MetroPCS in 2013) didn't immediately provide a comment. Sprint, Verizon and AT&T didn't immediately respond to requests for comment.
Google declined to respond to the Skycure report, but a spokesman pointed to its report published Wednesday on Android security, which gave details on the company's efforts to distribute monthly Android security updates. These updates have to first go to carriers like those listed in the Skycure report before they can be sent to users' phones. "We released monthly Android security updates throughout [2016] for devices running Android 4.4.4 and up -- that accounts for 86.3 percent of all active Android devices worldwide," members of the Android security team wrote in a blog post about the report on Wednesday. The report also said the company improved its ability to stop dangerous apps from getting onto the Google Play store and then to users' phones. But Android acknowledged there was "a lot of room for improvement" in its security update process. "About half of devices in use at the end of 2016 had not received a platform security update in the previous year," members of the Android security team wrote in their blog post. Source
  8. Police officers push back demonstrators as they protest against US President Donald Trump in Washington, DC, on January 20, 2017. Court papers say data is being extracted from 100 locked phones seized during arrests at anti-Trump protests. Prosecutors are trying to pull data from 100 locked phones seized during arrests made in Washington, DC on Inauguration Day, according to court papers filed Wednesday. Prosecutors said they have search warrants to extract data from the phones, which were seized by law enforcement officers on January 20 from 214 individuals arrested on felony rioting charges related to demonstrations protesting the inauguration of Donald Trump, according to a BuzzFeed report. The filing suggests that even though the phones are locked prosecutors have successfully copied data from them, although it doesn't describe their methods. Prosecutors said in the filing they expect to "produce all of the data from the searched [phones] in the next several weeks." Wednesday's filing comes amid a mounting war of words between tech companies and policy makers, who contend that terrorist groups are benefiting from encryption, the technology that jumbles communications and files so that only the intended recipient can read them. Tech companies have become increasingly diligent about including encryption in products and services in the wake of revelations about US government surveillance programs from documents leaked by former NSA contractor Edward Snowden. Apple's iPhone was at the center of a legal back-and-forth between the government and Apple last year after the December 2015 attack that left 14 people dead. The government wanted Apple to write new software that would unlock the phone and make its data readable, but Apple refused, saying that weakening the encryption would potentially leave other iPhone users at risk. 
In a surprise revelation in March 2016, the Department of Justice said an unnamed outside party helped agents break into an iPhone 5C that was used by shooter Syed Farook. However, the agency wouldn't disclose exactly how the hacker got into the phone. The data extracted from protesters' phones includes personal information irrelevant to the charges, so prosecutors are seeking a court order that would prohibit defense lawyers from copying or reproducing information unless it's relevant to the defense of their client. Representatives for the US Attorney's Office for the District of Columbia, which filed the papers Wednesday in the DC Superior Court, did not immediately respond to a request for comment. Source
  9. Hacking the Western Digital MyCloud NAS Sometimes at Exploitee.rs, we look for fun devices to hack and sometimes the devices find us. Today we’re going to talk about a recent time where we found ourselves in the latter situation and our experience with the Western Digital series of Networked Attached Storage devices. In the middle of last year I (Zenofex) began looking for a NAS that provided hardware decoding through my currently prefered media player, Plex. After a bit of research I ordered a Western Digital “MyCloud” PR4100. This device met all the requirements of what I was looking for and came highly recommended by a friend. After adding the NAS to my network and visiting the device’s admin page for the first time, I grew weary of adding a new device to my network without giving it a proper audit. So, I logged in, enabled SSH access, and looked at how the web server functionality of the device worked. Login Bypass I quickly found the first bug that shocked me, this bug was based on code that performed a user login check but did so using cookies or PHP session variables. Using cookies for authentication isn’t necessarily a bad thing, but the way that the Western Digital MyCloud interface uses them is the problem. Examine the code below. /lib/login_checker.php function login_check() { $ret = 0; if (isset($_SESSION['username'])) { if (isset($_SESSION['username']) && $_SESSION['username'] != "") $ret = 2; //login, normal user if ($_SESSION['isAdmin'] == 1) $ret = 1; //login, admin } else if (isset($_COOKIE['username'])) { if (isset($_COOKIE['username']) && $_COOKIE['username'] != "") $ret = 2; //login, normal user if ($_COOKIE['isAdmin'] == 1) $ret = 1; //login, admin } return $ret; } The above code contains a function called “login_check”, this function is used by all of the backend PHP scripts and is used to verify pre-authenticated users. 
The function has two paths: one checks the session values for "username" and "isAdmin", and the other (taken when no session username exists) repeats the same check against cookies. Because cookies are supplied entirely by the client, an attacker can satisfy the check directly. For both sessions and cookies the rules are:

- "username" is set and not empty: the requester is treated as a logged-in normal user.
- "isAdmin" is set to 1: the requester is treated as a logged-in administrator.

This means that wherever a PHP script calls login_check(), an attacker can bypass it by supplying two crafted cookie values (a non-empty "username" and "isAdmin=1"); no session, and no knowledge of any password, is needed.

While I was writing up my findings, a new firmware was rolled out that patched the bug above. However, the patch introduced a new vulnerability with the same consequences as the original. Below is the current version including the fixed code.

/var/www/web/lib/login_checker.php

    20 function login_check()
    21 {
    22     $ret = 0;
    23
    24     if (isset($_SESSION['username']))
    25     {
    26         if (isset($_SESSION['username']) && $_SESSION['username'] != "")
    27             $ret = 2; //login, normal user
    28
    29         if ($_SESSION['isAdmin'] == 1)
    30             $ret = 1; //login, admin
    31     }
    32     else if (isset($_COOKIE['username']))
    33     {
    34         if (isset($_COOKIE['username']) && $_COOKIE['username'] != "")
    35             $ret = 2; //login, normal user
    36
    37         if ($_COOKIE['isAdmin'] == 1)
    38             $ret = 1; //login, admin
    39
    40         if (wto_check($_COOKIE['username']) === 0) //wto check fail
    41             $ret = 0;
    42     }
    43
    44     return $ret;
    45 }
    46 ?>

In the updated version, a call to the new method "wto_check()" is made on line 40. This function runs a binary on the device, passing the client-supplied username and the client's IP address as arguments. If that user is currently logged in from that address and the login hasn't timed out, the value 1 is returned; otherwise 0 is returned (indicating the user isn't logged in) and line 41 resets $ret to 0. Note that this extra check is applied only on the cookie path.
The code for the "wto_check()" method can be found below.

/var/www/web/lib/login_checker.php

     3 /*
     4 return value: 1: Login, 0: No login
     5 */
     6 function wto_check($username)
     7 {
     8     if (empty($username))
     9         return 0;
    10
    11     exec(sprintf("wto -n \"%s\" -i '%s' -c", escapeshellcmd($username), $_SERVER["REMOTE_ADDR"]), $login_status);
    12     if ($login_status[0] === "WTO CHECK OK")
    13         return 1;
    14     else
    15         return 0;
    16 }
    17
    18 /* ret: 0: no login, 1: login, admin, 2: login, normal user */
    19

On line 11 the command is formatted to include the username and IP address as arguments to the "wto" binary. The problem is the incorrect use of the PHP function "escapeshellcmd()". In its intended usage it is applied to an entire command string, not to a single argument, and it escapes quote characters only when they are unpaired: a username containing a matched pair of double quotes passes through untouched. An attacker can therefore close the double quotes around the "-n" argument and open a new pair, supplying additional arguments to the binary. Instead of checking whether the user is logged in, we can add arguments of our own and log the user in ourselves. We also do not believe that an IP address plus a login timeout is a sufficient way to verify that a user is logged in.

The programmer should have used "escapeshellarg()", which is intended for a single argument and wraps the whole value in single quotes (escaping any single quotes inside it), so the value can never become more than one argument. Because escapeshellarg() supplies its own quotes, the surrounding double quotes in the format string must be dropped as well; with that change this attack would not have worked.

Command Injection Bugs

The majority of the functionality of the WDCloud web interface is actually handled by CGI scripts on the device. Most of them follow the same pattern: they obtain POST, GET or cookie values from the request and then use those values in PHP calls that execute shell commands.
In most cases these commands use the user-supplied data with little or no sanitization. For example, consider the following code from the device.

php/users.php

    $username = $_COOKIE['username'];
    exec("wto -n \"$username\" -g", $ret);

The code above takes a value from the $_COOKIE superglobal, which holds the cookies submitted with the request, and assigns it to the local variable "$username". That value is then used directly in a PHP "exec()" call as an argument to the local "wto" binary. Since there is no sanitization, a cookie value such as

    username=$(touch /tmp/1)

turns the command into

    wto -n "$(touch /tmp/1)" -g

Because the argument is wrapped in double quotes and we use the "$(COMMAND)" syntax, the shell runs "touch /tmp/1" before "wto" is executed, and whatever that command prints becomes the "-n" argument. This pattern, each instance a command injection vulnerability, appears many times across the scripts used by the web interface. Some of those scripts would normally require authentication, but that restriction is overcome by the login bypass described above. It is also important to note that every command executed through the web interface runs as the user the web server runs as, which in this case is root.
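The two shell-quoting mistakes above, the paired-quote breakout past escapeshellcmd() in wto_check() and the "$(...)" substitution in users.php, as one added example written for this page (not Exploitee.rs or Western Digital code). escapeshellcmd() and escapeshellarg() are re-implemented in Python from their documented PHP behaviour; since the "wto" binary is not available, printf stands in for it so the command really runs through sh. The cookie values and the IP address 203.0.113.9 are made up for the example.

```python
import shlex
import subprocess

# Characters that PHP's escapeshellcmd() always prefixes with a backslash.
_CMD_META = set("&#;`|*?~<>^()[]{}$\\\n\xff")


def escapeshellcmd(s: str) -> str:
    """Python port of PHP's escapeshellcmd(): metacharacters are escaped,
    but a quote is left alone when a matching quote follows it (paired quotes)."""
    out = []
    closing = None  # index of the quote that will close the current pair
    for i, ch in enumerate(s):
        if ch in _CMD_META:
            out.append("\\" + ch)
        elif ch in "'\"":
            if closing is None and s.find(ch, i + 1) != -1:
                closing = s.find(ch, i + 1)  # opening quote of a pair: kept verbatim
            elif closing == i:
                closing = None               # closing quote of the pair: kept verbatim
            else:
                out.append("\\")             # unpaired quote: escaped
            out.append(ch)
        else:
            out.append(ch)
    return "".join(out)


def escapeshellarg(s: str) -> str:
    """Python port of PHP's escapeshellarg() on Unix: single-quote the whole value."""
    return "'" + s.replace("'", "'\\''") + "'"


def wto_check_argv_vulnerable(username: str, remote_addr: str) -> list:
    """Line 11 of wto_check(): the escaped username is placed inside double quotes.
    Returns the argv the shell would hand to wto."""
    cmd = "wto -n \"%s\" -i '%s' -c" % (escapeshellcmd(username), remote_addr)
    return shlex.split(cmd)


def wto_check_argv_fixed(username: str, remote_addr: str) -> list:
    """escapeshellarg() brings its own quotes, so the format string adds none;
    each value can then only ever be a single argv element."""
    cmd = "wto -n %s -i %s -c" % (escapeshellarg(username), escapeshellarg(remote_addr))
    return shlex.split(cmd)


def _run(cmd: str) -> str:
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def users_php_output(username: str) -> str:
    """Mirror of users.php: exec("wto -n \"$username\" -g"). printf stands in for
    wto and prints every argument followed by '|', so a command substitution
    inside the double quotes shows up in the output."""
    return _run('printf "%%s|" -n "%s" -g' % username)


def users_php_output_fixed(username: str) -> str:
    """Same command with the cookie value passed through escapeshellarg()."""
    return _run('printf "%%s|" -n %s -g' % escapeshellarg(username))


if __name__ == "__main__":
    cookie = 'attacker" -i "10.0.0.5'   # constructed: closes -n, adds a second -i
    print(wto_check_argv_vulnerable(cookie, "203.0.113.9"))   # 8 elements
    print(wto_check_argv_fixed(cookie, "203.0.113.9"))        # 6 elements
    print(users_php_output("$(echo injected)"))               # -n|injected|-g|
    print(users_php_output_fixed("$(echo injected)"))         # -n|$(echo injected)|-g|
```

The argv view is what matters for wto_check(): with escapeshellcmd() the crafted cookie yields eight argv elements, two of them attacker-controlled flags, while the escapeshellarg() form keeps the whole cookie inside one element. The printf run shows the users.php case from the other side: the substitution executes before the stand-in binary is even called.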
Other Errata

While you may think that the above bugs are severe, there are a number of other errors within the web interface, some as simple as the normal authentication check being commented out:

addons/ftp_download.php

    //include ("../lib/login_checker.php");
    //
    ///* login_check() return 0: no login, 1: login, admin, 2: login, normal user */
    //if (login_check() == 0)
    //{
    //    echo json_encode($r);
    //    exit;
    //}

Others are more functionality specific, like the following bug that allows an unauthenticated user to upload files onto the MyCloud device.

addons/upload.php

    //if(!isset($_REQUEST['name'])) throw new Exception('Name required');
    //if(!preg_match('/^[-a-z0-9_][-a-z0-9_.]*$/i', $_REQUEST['name'])) throw new Exception('Name error');
    //
    //if(!isset($_REQUEST['index'])) throw new Exception('Index required');
    //if(!preg_match('/^[0-9]+$/', $_REQUEST['index'])) throw new Exception('Index error');
    //
    //if(!isset($_FILES['file'])) throw new Exception('Upload required');
    //if($_FILES['file']['error'] != 0) throw new Exception('Upload error');

    $path = str_replace('//','/',$_REQUEST['folder']);
    $filename = str_replace('\\','',$_REQUEST['name']);
    $target = $path . $filename . '-' . $_REQUEST['index'];

    //$target = $_REQUEST['folder'] . $_REQUEST['name'] . '-' . $_REQUEST['index'];

    move_uploaded_file($_FILES['file']['tmp_name'], $target);


    //$handle = fopen("/tmp/debug.txt", "w+");
    //fwrite($handle, $_FILES['file']['tmp_name']);
    //fwrite($handle, "\n");
    //fwrite($handle, $target);
    //fclose($handle);

    // Might execute too quickly.
    sleep(1);

The above code performs no authentication check at all and, when called, simply takes the uploaded file contents and uses the user-supplied path to decide where to write the new file. The name and index validation that would have constrained the filename is commented out, and the "folder" parameter was never validated in the first place, so an unauthenticated client chooses the destination directory and the web server, running as root, writes the file there. Beyond the bugs listed in this blog post, our wiki is full of bugs we've found within the MyCloud web interface.
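The upload.php target computation next to a confined version, as an added example written for this page rather than code from the device or from Exploitee.rs. The hardened function assumes uploads are only ever meant to land under one upload root (a temporary directory created here, standing in for a share), re-enables the name and index checks that upload.php left commented out, and rejects any resolved target outside that root.

```python
import re
import tempfile
from pathlib import Path

# Constructed for this example: a throwaway directory standing in for the
# share that uploads are supposed to land in.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="mycloud_upload_")


def upload_target_as_written(folder: str, name: str, index: str) -> str:
    """The exact arithmetic of upload.php: collapse '//' in folder, strip
    backslashes from name, append '-index'. Nothing constrains folder."""
    path = folder.replace("//", "/")
    filename = name.replace("\\", "")
    return path + filename + "-" + index


def safe_upload_target(upload_root: str, folder: str, name: str, index: str) -> Path:
    """Hardened replacement (assumption: every upload belongs under upload_root).
    Re-enables the name/index whitelist upload.php commented out and, after
    resolving '..' and symlinks, refuses any target outside the root."""
    if not re.fullmatch(r"[-a-z0-9_][-a-z0-9_.]*", name, re.IGNORECASE):
        raise ValueError("name error")
    if not re.fullmatch(r"[0-9]+", index):
        raise ValueError("index error")
    root = Path(upload_root).resolve()
    # A leading '/' would make the join absolute, so force folder to be relative.
    target = (root / folder.lstrip("/") / f"{name}-{index}").resolve()
    if root not in target.parents:
        raise ValueError(f"target {target} escapes {root}")
    return target


def upload_allowed(upload_root: str, folder: str, name: str, index: str) -> bool:
    """True when safe_upload_target() accepts the request."""
    try:
        safe_upload_target(upload_root, folder, name, index)
        return True
    except ValueError:
        return False


def store_upload(upload_root: str, folder: str, name: str, index: str, data: bytes) -> Path:
    """What should precede move_uploaded_file(): validate, then write."""
    target = safe_upload_target(upload_root, folder, name, index)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # As written, the client picks the directory outright.
    print(upload_target_as_written("/some/other/dir/", "file", "1"))
    # Confined: relative folder accepted, traversal and bad names refused.
    print(upload_allowed(UPLOAD_ROOT, "media/", "photo.jpg", "1"))
    print(upload_allowed(UPLOAD_ROOT, "../../", "photo.jpg", "1"))
    print(upload_allowed(UPLOAD_ROOT, "media/", "../photo.jpg", "1"))
    print(store_upload(UPLOAD_ROOT, "media/", "photo.jpg", "1", b"sample"))
```

The containment test is done on the resolved path, not on the string, because "folder" can contain ".." segments and the root itself may sit behind a symlink; string prefix checks miss both.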
Our general goal at Exploitee.rs is to get bugs fixed as quickly as possible. However, the large number of severe findings means that we may need to re-evaluate the product after the vendor has properly fixed the released vulnerabilities.

Responsible Disclosure

At Exploitee.rs we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor's reputation within the community. In particular, this vendor won a "Pwnie for Lamest Vendor Response" in a situation where it ignored the severity of a set of bugs reported to it. Ignoring these bugs would leave vulnerable devices online for longer while responsible disclosure is worked out. Instead we're alerting the community to the flaws and hoping that users remove their devices from any public-facing portions of their networks, limiting access wherever possible. Through this process we're fully disclosing all of our research and hoping that this expedites patches to users' devices.

Bugs Found Statistics

1 x Login Bypass
1 x Arbitrary File Write
13 x Unauthenticated Remote Command Execution Bugs
70 x Authentication Required Command Execution Bugs*

*"Authentication Required" bugs can be reached with the login bypass bug.

Scope

Most, if not all, of the research applies to the entire series of Western Digital MyCloud products. This includes the following devices:

My Cloud
My Cloud Gen 2
My Cloud Mirror
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100

Video Demo

Source
  10. Mozilla Fixes Critical Vulnerability in Firefox 22 Hours After Discovery

White hats were rewarded $30,000 for the effort

The new Firefox version 52.0.1, released late on Friday, contains the patch for the flaw discovered by hackers at the competition (Pwn2Own 2017). The fix was confirmed via Twitter by Asa Dotzler, Mozilla participation director for Firefox OS, as well as Daniel Veditz, a member of Mozilla's security team. The bug was discovered by the Chaitin Security Research Lab from China. During the competition the researchers escalated privileges by chaining the Firefox bug with an uninitialized buffer in the Windows kernel. The bug bounty for this particular vulnerability was $30,000, indicating that it was a serious matter.

In a security advisory published by Mozilla, the company rates the integer overflow in createImageBitmap() as "critical." Mozilla says the bug was fixed in the new version by disabling experimental extensions to the createImageBitmap API. Mozilla also notes that because the function runs in the content sandbox, compromising a user's computer would require a second vulnerability; in this instance Chaitin used the Windows kernel bug.

Largest awards so far

Many vulnerabilities were discovered during the hacking competition. So far, few have been fixed, and certainly none as fast as the one Mozilla patched in Firefox. Microsoft and Apple are two of the companies people are waiting to hear from in this regard. In total, contestants were awarded $833,000 for the vulnerabilities discovered this year, nearly double what was awarded last year. In 2016 the awards reached $460,000, and the previous year $577,000. In the end, it all depends on how good a day the hackers have at finding something critical to exploit.

Source
  11. The attackers patch Petya on the fly to use their own encryption key, bypassing the malware's original creators in the process In a case of no honor among thieves, a group of attackers has found a way to hijack the Petya ransomware and use it in targeted attacks against companies without the program creators' knowledge. A computer Trojan dubbed PetrWrap, being used in attacks against enterprise networks, installs Petya on computers and then patches it on the fly to suit its needs, according to security researchers from antivirus vendor Kaspersky Lab. The Trojan uses programmatic methods to trick Petya to use a different encryption key than the one its original creators have embedded inside its code. This ensures that only the PetrWrap attackers can restore the affected computers to their previous state. The Trojan also removes all mentions of Petya from the ransom message, as well as its signature red skull designed in ASCII. Petya first appeared a year ago and immediately stood out from other ransomware programs. Instead of encrypting files directly, it replaces the hard drive's master boot record (MBR) code, which normally starts the operating system, with malicious code that encrypts the drive's master file table (MFT). The MFT is a special file on NTFS volumes that contains information about all other files: their name, size, and mapping to hard disk sectors. The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Unlike other ransomware infections that only lock access to certain files by encrypting them, Petya locks access to the entire computer. With a corrupted MBR and MFT, the operating system will no longer start, and users will only be greeted by a ransom message on the screen when they turn on their computer. The decision to hijack and use Petya without its authors' consent is clever because it solves several problems for the PetrWrap attackers. 
First of all, they don't have to write their own ransomware program, which is hard to get right, and they don't have to pay someone else for a ready-made solution either. Second, because it has been around for a while, Petya has had time to mature into a well-developed piece of malware. The PetrWrap attackers use Petya version 3, the latest variant of the program, which, unlike previous versions, has no known flaws. That's because its creators have perfected their encryption implementation over time. Creating something like Petya from scratch would not only be prone to errors but would also require knowledge of writing low-level bootloader code for the MBR. Once inside a network, the PetrWrap attackers look for and steal administrative credentials. They then use the PsExec tool to deploy the malware to all endpoint computers and servers they can access. There is no tool to decrypt the MFT of hard disk volumes affected by Petya, but because this malware doesn't actually encrypt the file contents, some data recovery tools might be able to reconstruct the files from hard disk raw data.
  12. Julian Assange said WikiLeaks will work with tech companies to resolve the CIA's exploits. Julian Assange, the founder of WikiLeaks, wants big players like Apple and Samsung to disarm the CIA's exploits before he releases them to the world. WikiLeaks wants to join forces with tech giants against the CIA. The leak-focused site on Tuesday released thousands of alleged CIA documents, accusing the intelligence agency of amassing tools that can break into iPhones, Android devices, smart TVs and cars. WikiLeaks' "Vault 7" release also indicated that the CIA hoarded vulnerabilities in iOS and Android and kept them secret so it could continue using them to gain access to devices. CNET is unable to verify whether the documents are real or have been altered. On Thursday, WikiLeaks founder Julian Assange said that his organization will work with tech giants like Apple, Google and Samsung to plug those holes before it releases more details on the CIA's hacking program. "We have quite a lot of exploits ... that we want to disarm before we think about publishing it," Assange said at a press conference streamed on Periscope. "We're going to work with some of these manufacturers to try and get these antidotes out there." His press conference was the latest turn in a drama that has potentially blown open how the CIA could use our own devices to spy on us. The documents show how the agency has allegedly been able to break into even encrypted devices such as phones and computers by taking control of their operating systems. Assange said he's been keeping WikiLeaks' findings under wraps while the CIA's exploits can still be used because he doesn't want them falling into the wrong hands. He said the CIA has already "lost control of its entire cyberweapons arsenal," which he criticized for being poorly secured. He said WikiLeaks has much more information on the CIA's cyberweapons program that it's waiting to reveal. 
"This is an historic act of devastating incompetence," Assange said, "to have created such an arsenal and stored it all in one place and not secured it." The CIA has not confirmed or denied the authenticity of WikiLeaks' release but did say that it is the CIA's job to "be innovative" and "cutting edge" with its technology. The intelligence agency said it will continue to spy on foreign countries to "protect America from terrorists, hostile nation states and other adversaries." The agency also sought to cast suspicion on the messenger. "As we've said previously, Julian Assange is not exactly a bastion of truth and integrity," CIA spokesman Jonathan Liu said Thursday in a statement.

Challenges for Android and others

For some of the smaller exploits, it will take companies two or three days to patch the vulnerabilities, Assange said. For exploits on so-called internet of things devices like smart baby monitors or refrigerators, it could take much longer. Samsung said it is "urgently looking" into the CIA's alleged exploits after WikiLeaks named a program that could secretly turn its TVs into listening devices. Apple said it had already patched most of the vulnerabilities with its latest version of iOS. Microsoft said that it's aware of the CIA's alleged tools and that it's "looking into it." Google said in a statement that it had already patched most of the holes. However, the various makers of Android devices add their own custom software, which may still be vulnerable. Android users will also have the most difficulty getting fixes for some of the CIA's exploits because the operating system is used by multiple manufacturers with different rollout schedules for updates. "For some systems, like Android with many manufacturers, there is no automatic update to the system. That means that only people who are aware of it can fix it," Assange said. "Android is significantly more insecure than iOS, but both of them have significant problems."
WikiLeaks is still sorting through thousands of documents for future releases. The organization redacted more than 78,000 IP addresses, more than a quarter of which came from the US. The CIA said it does not spy on US citizens, but WikiLeaks is still investigating how many of the 22,000 IP addresses in the US are from the CIA's hacking unit and how many are malware victims. Assange said the CIA's hacking programs cannot be properly regulated by its design. "The technology is designed to be unaccountable. It's designed to be untraceable," he said. Source
  13. But only to a certain extent… A United States representative has proposed a bill that would allow hacking victims to hack back their attackers. On 3 March, Representative Tom Graves (R-Georgia) proposed a discussion draft of what he's calling "ACDC". No, the bill has nothing to do with the "Thunderstruck" Australian rock band. ACDC in this case stands for "Active Cyber Defense Certainty." It's a term that empowers hacking victims to use "limited defensive measures that exceed the boundaries of one's network" to stop and/or identify digital attackers. Essentially, ACDC empowers companies that have experienced digital intrusions to hack back their attackers. But it's important to note there are some limitations. Indeed, the bill limits victims' defensive measures to gathering data about their attackers and sharing that information with law enforcement. It does not allow other activities such as destroying information, causing physical injury to another person, or creating a threat to public safety and/or health. That's all well and good. I commend Representative Graves for including those provisions in the bill. However, even "gathering information" can be a slippery slope when it comes to digital attackers that use compromised machines to carry out their dirty work. A hacking victim might endeavor to identify to whom an infected computer belongs, for example. In so doing, there's a strong possibility they could violate the computer owner's privacy. Worse, they might discover the machine belongs to a company that stores the personal and/or financial information of customers. By viewing that information without authorization, the victim would inadvertently compromise the confidentiality of that company's data. Representative Graves recognizes there are concerns his bill doesn't address. But it's a start. As he explains on his website At this time, interested parties have a chance to provide feedback and make recommendations for the bill. 
Once they have done so, Representative Graves can move forward and formally introduce the bill to the U.S. House of Representatives. By David Bisson https://www.grahamcluley.com/draft-bill-would-allow-hacking-victims-to-hack-back/
  14. UK-based activist group Privacy International has highlighted the international ramifications of mass hacking operations.

In February 2015, the FBI embarked on the largest known law enforcement hacking operation to date, targeting over 8,000 computers in 120 countries. Lawyers in the US have challenged the legality of the underlying warrant, arguing that the judge had no authority to greenlight searches outside of her district. Now, activist and legal group Privacy International has filed a brief in a related case, pushing back against the global nature of the FBI's operation. As Privacy International notes, 83 percent of the computer infections were outside of the United States. "Well-established international law prohibits the government from undertaking law enforcement functions in other countries, without those countries' consent, which the government did not seek here," the amicus brief signed by Privacy International's General Counsel Caroline Wilson Palow reads. Specifically, this case concerns the FBI's investigation into a dark web child pornography site called Playpen. When the FBI seized the site in 2015, instead of shutting it down the agency kept Playpen running for 13 days. During this time, the FBI deployed a network investigative technique (NIT), a piece of malware, in an attempt to identify visitors to the site. This NIT relied on a "non-public" vulnerability in the Tor Browser and grabbed a target's IP address, MAC address, and other basic system information. The FBI ended up hacking over 8,000 computers across the world, including over 1,000 in the US. Although much attention has been paid to affected cases in the US, there has been relatively little focus on the international legal ramifications. (Motherboard reported the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey and Norway too.)
In its brief, Privacy International argues that many of the same concerns raised about affected cases in the US extend to those outside the country: at the time of the Playpen operation, Rule 41, which governs when judges can authorize searches, did not allow for searches outside of the judge's own district. The group adds that these sorts of international hacking operations, in which computers are targeted without the host country's permission, pose foreign relations risks. Such a move could lead to diplomatic conflict, or to the possibility of breaking local laws. The brief points to a 2002 case in which Russia's Federal Security Service (FSB) filed criminal charges against an FBI agent for remotely accessing and copying data from a Russian server. (Ahmed Ghappour, visiting assistant professor at UC Hastings College of Law, has made related arguments in a recent paper). "How will other countries react to the FBI hacking in their jurisdictions without prior consent? Would the U.S. welcome hacking operations on a similar scale carried out on U.S. residents by other countries? Is the FBI violating the laws of foreign jurisdictions by hacking devices located in them?" Scarlet Kim, legal officer at Privacy International, wrote in a statement. However, things have shifted since the Playpen investigation. In December 2016, changes around remote searches came into effect. Today, US magistrate judges can sign global hacking warrants.

By Joseph Cox
https://motherboard.vice.com/en_us/article/activists-push-back-against-fbis-worldwide-hacking-operation
  15. Try These Cool Android Smartphone Hacks And Get The Best Out Of Your Mobile

Here are some of the best Android smartphone hacking Apps

Android is undoubtedly the world's most popular mobile operating system. With over 1.5 billion users, Android is way ahead of iOS. Similarly, in the Apps space, Android hacking Apps are also increasing. Many of these hacking Apps are meant for pros, but some can be useful to you as well. With such hacking Apps you can remove unnecessary bloatware that takes up most of the internal storage. Other times such a hacking App may help you remove irritating ads or let you access blocked system Apps. We bring you such hacking Apps which let you get the best out of your Android smartphone. Remember that most of these Apps require a rooted smartphone.

INCREASE RAM

Root your phone. Download ROEHSOFT RAM EXPANDER from Google Play Store. Convert the desired amount of SD card space into system swap RAM. This will make apps perform better when you have a lot of free space on your SD card.

Wi-Fi WPS/WPA TESTER

Download the WIFI WPS/WPA Tester App from Google Play Store. It lets you analyze the security of your WiFi and of others in the vicinity and attempts to hack their password. It only hacks WPS-enabled WiFi networks.

REMOVE UNWANTED SYSTEM APPS OR BLOATWARE

Root your Android phone and download System app remover (ROOT) from Google Play Store. Remove the inbuilt Apps you don't think are necessary from the internal storage of your Android phone.

HACKING HUB

Download the app Linux Deploy from Google Play Store. This installs a Linux operating system on your Android phone. Then use Aircrack and other hacking Apps on your phone to hack WiFi and website passwords.

FREE STUFF

Root your phone. Download and install the BusyBox App from Google Play Store. Install the modded Play Store from Lucky Patcher.
With the Lucky Patcher App you can hack in-App purchases and get free stuff or game coins.

ACCESS BLOCKED CONTENT

Download the CyberGhost App from Google Play Store. Use it to connect to a VPN in a country of your choice. Now you can download apps from Google Play Store that are blocked in your country and also use websites, such as torrent websites, that are blocked in your country.

BATTERY LIFE

Root your phone. Download the Greenify App from Google Play Store. Hibernate user and system apps. Greenify allows you to hibernate apps so that they don't use battery and memory in the background, saving battery life and RAM.

BUILD PROP EDITING

Many Android smartphones promise 8MP images but in fact deliver only 6MP picture quality from an 8MP camera. If you are facing a similar issue, you can solve it using this hack. This also requires a rooted smartphone. Download the BuildProp Editor App from Google Play Store. Go to "add entry", add ro.ril.max.jpeg.quality and set its value to 100, so that it reads

    ro.ril.max.jpeg.quality=100

Once done, your 8MP smartphone camera will deliver 8MP images.

TUBEMOTE

Download Tubemote from Google Play Store. Now you can download online videos, not just from YouTube but from any website, in your desired resolution and quality at high speed. You can also download just the mp3 or m4a audio from videos.

ANDROID ID CHANGER

Root your phone. Download the Android Device ID Changer App from Google Play Store. Change your Android ID, which apps use to identify you, and restart the phone. Your Android smartphone now has a new Android ID.

DRIVEDROID

Download the DriveDroid App from Google Play Store. Once installed, open the App and download a Linux .iso file from the dropdown menu. Write this image to your phone and use it as a CD or USB drive to boot your PC.

KABOOM THE SELF DESTRUCTING APP

Download and install the Kaboom App from Google Play Store. This App lets you control the photos and messages you post online.
You can use this App to make the images and posts disappear at a set time.

FAKE LOCATION

Download the Fake Location GPS App from Google Play Store. Go to Settings and tap on Build Number 7 times to unlock Developer Options. Enable Mock Locations. Open the Fake Location GPS app and set your location to any place in the world you wish.

Source
  16. Four in Five Britons Fearful Trump Will Abuse their Data More than three-quarters of Britons believe incoming US President Donald Trump will use his surveillance powers for personal gain, and a similar number want reassurances from the government that data collected by GCHQ will be safeguarded against such misuse. These are the headline findings from a new Privacy International poll of over 1600 Brits on the day Trump is inaugurated as the 45th President of the most powerful nation on earth. With that role comes sweeping surveillance powers – the extent of which was only revealed after NSA whistleblower Edward Snowden went public in 2013. There are many now concerned that Trump, an eccentric reality TV star and gregarious property mogul, could abuse such powers for personal gain. That’s what 78% of UK adults polled by Privacy International believe, and 54% said they had no trust that Trump would use surveillance for legitimate purposes. Perhaps more important for those living in the United Kingdom is the extent of the information sharing partnership between the US and the UK. Some 73% of respondents said they wanted the government to explain what safeguards exist to ensure any data swept up by their domestic secret services doesn’t end up being abused by the new US administration. That fear has become even more marked since the passage of the Investigatory Powers Act or 'Snoopers’ Charter', which granted the British authorities unprecedented mass surveillance and hacking powers, as well as forcing ISPs to retain all web records for up to 12 months. Privacy International claimed that although it has privately been presented with documents detailing the info sharing partnership between the two nations, Downing Street has so far refused to make the information public. 
The rights group and nine others are currently appealing to the European Court of Human Rights to overturn a decision by the Investigatory Powers Tribunal (IPT) not to release information about the rules governing the US-UK agreement. “UK and the US spies have enjoyed a cosy secret relationship for a long time, sharing sensitive intelligence data with each other, without parliament knowing anything about it, and without any public consent. Slowly, we’re learning more about the staggering scale of this cooperation and a dangerous lack of sufficient oversight,” argued Privacy International research officer, Edin Omanovic. “Today, a new President will take charge of US intelligence agencies – a President whose appetite for surveillance powers and how they’re used put him at odds with British values, security, and its people… Given that our intelligence agencies are giving him unfettered access to massive troves of personal data, including potentially about British people, it is essential that the details behind all this are taken out of the shadows.” Source
  17. Anonymous to Donald Trump: We Know What You Did Last Summer

Hackers threaten to leak Donald Trump's Russian ties

The messages were published by Anonymous after Donald Trump took to Twitter to suggest that outgoing CIA head John Brennan might be involved in the spreading of fake news that made the headlines in the past few weeks, including "Syria, Crimea, Ukraine and the build-up of Russian nukes." The @YourAnonCentral Twitter handle, which has some 150,000 followers, was one of the first to reply to Donald Trump's tweet, accusing the President-elect of being directly involved in some pretty shady activities in Russia. ".@realDonaldTrump you have financial and personal ties with Russian mobsters, child traffickers, and money launderers," Anonymous said in their first message. "This isn't the 80's any longer, information doesn't vanish, it is all out there. You are going to regret the next 4 years. We could care less about Democrats attacking you @realDonaldTrump, the fact of the matter is, you are implicated in some really heavy s**t. Roy Cohen and your daddy aren't here to protect you anymore. Oh and please tell your interns not to waste money hitting us with your Moldavian bot farm, stay frosty @realDonaldTrump."

Donald Trump tight-lipped on Anonymous' accusations

It goes without saying that Donald Trump didn't respond to Anonymous' tweets, and there's absolutely no chance he didn't notice them since he's such a big Twitter fan. In other news, Donald Trump said he would keep his personal Twitter account for the next four years, so expect similar messages to be posted occasionally during his tenure at the White House. As far as Anonymous is concerned, the hacking group hasn't said anything about when and how it could leak the information about the new President of the United States.
They did say, however, that the next four years will be very difficult for Donald Trump, so if the hackers do have evidence regarding the new President’s involvement in shady Russian activities, expect them to go online sometime in the coming years. Source
  18. Gmail Users Under Attack As Hackers Develop Sophisticated Phishing Technique New phishing attack launched against Gmail users Specifically, attackers are now sending emails to Gmail users with embedded attachments that look like images and which require just a click to launch what is supposed to be a preview of the picture. Instead, the attachment opens a new tab in your browser that asks you to log in again. When inspecting the typical elements that could point to a phishing scam, such as the address bar, everything looks legitimate at a glance, as in this case the URL is the following: “data:text/html,https://accounts/google.com.” Note that the string begins with data:text/html, rather than https://, so the browser is rendering HTML carried inside the URL itself, not a page served by Google; the familiar-looking host name is just text placed where the eye expects an origin. So naturally, most users would provide their Gmail credentials, but as WordFence reports, once you do that, the account is compromised. Worse, the hacked Gmail account is almost instantly accessed in order to retrieve the contacts, and the attacker then uses the same phishing email to spread the attack to them. Using email addresses from a person’s contacts makes the emails look even more legitimate, thus helping compromise a bigger number of accounts. Most likely, the access is performed automatically by a bot, but there’s also a chance that attackers do the whole thing manually in order to collect email addresses. How to detect the phishing attack The easiest way to determine whether a message is a phishing attack is by looking at the address bar. As we’ve told you before, attackers have focused on ways to make the URL look more legitimate, but in reality the visible part is followed by a long run of white space that you can scroll past or remove to see the end of the address. If you do that, you will notice that the URL ends with a script that launches the new tab and points the browser to the phishing page used to steal login credentials. Google has already offered a response, according to the aforementioned source, but it’s not what you think, as the company doesn’t seem to be too keen on blocking the attacks. 
“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin the users are currently visiting. If the users pay no attention to the address bar, phishing and spoofing attacks are - obviously - trivial. Unfortunately that’s how the web works, and any fix that would try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing page on any http(s) page just as well,” the firm said. The easiest way to keep your account secure, even if you fall for this phishing attack, is to enable two-factor authentication for Gmail, which means that in case you do provide your login credentials on the phishing website, the attacker shouldn’t be able to access your account anyway. Source Alternate Source - Don't Fall For This Dangerously Convincing Ongoing Phishing Attack
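The address-bar check the article describes, as an added example that is not part of the original article or of Wordfence's or Google's material: this Python snippet takes the complete text of the address bar, collapses the white-space padding, reports the real scheme and, for a data: URL, decodes the document embedded in the URL so that the script at its end becomes visible. The sample address-bar string is constructed for the example, and the host example.invalid in it is a placeholder.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the description in the article: the
# familiar-looking host name sits right after "data:text/html," where the
# eye expects an origin, a long run of spaces pushes the rest of the URL out
# of the visible address bar, and a script at the very end loads the actual
# phishing page. example.invalid is a placeholder host, not a real site.
SAMPLE_ADDRESS_BAR = (
    "data:text/html,https://accounts.google.com/"
    + " " * 400
    + "<script src='https://example.invalid/login.js'></script>"
)


def inspect_address_bar(text):
    """Describe what the browser is really showing for the given address-bar text."""
    collapsed = re.sub(r"\s+", " ", text).strip()
    parts = urlsplit(collapsed)
    report = {
        "scheme": parts.scheme.lower(),
        "origin": None,            # only http(s) URLs have a server origin
        "padding_chars": len(text) - len(collapsed),
        "data_payload": None,      # decoded document for data: URLs
        "contains_script": False,
        "verdict": "",
    }

    if report["scheme"] in ("http", "https"):
        report["origin"] = f"{report['scheme']}://{parts.netloc.lower()}"
        report["verdict"] = f"page served by {report['origin']}"
        return report

    if report["scheme"] == "data":
        # data:[<mediatype>][;base64],<data> -- everything after the comma is
        # the document itself; no server was contacted to produce it.
        header, _, payload = collapsed[len("data:"):].partition(",")
        if header.endswith(";base64"):
            payload = base64.b64decode(payload).decode("utf-8", "replace")
        else:
            payload = unquote(payload)
        report["data_payload"] = payload
        report["contains_script"] = re.search(r"<script\b", payload, re.I) is not None
        report["verdict"] = ("inline HTML carried in the URL itself (media type "
                             f"{header.split(';')[0] or 'text/plain'}); no web "
                             "server vouched for this content")
        return report

    report["verdict"] = f"unexpected scheme {report['scheme']!r}; treat with suspicion"
    return report


if __name__ == "__main__":
    for key, value in inspect_address_bar(SAMPLE_ADDRESS_BAR).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report for the constructed sample. The point it makes is the one in Google's response: the only reliable signal is the scheme and host at the very start of the address bar, and a data: URL has no host at all, however familiar the text after the comma looks.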
  19. Explained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug! What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data," whether the backdoor is in the encryption algorithm, a server or an implementation, and regardless of whether it has previously been used or not. Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication. The story involving the world's largest secure messaging platform, which has over a billion users worldwide, went viral in a few hours, attracting reactions from security experts, the WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp. Note: I would ask readers to read the complete article before reaching a conclusion. Suggestions and opinions are always invited. What's the Issue: The vulnerability lies in the way WhatsApp behaves when an end user's encryption key changes. WhatsApp, by default, trusts a new encryption key broadcast by a contact and uses it to re-encrypt undelivered messages and send them again without informing the sender of the change. In my previous article, I elaborated on this vulnerability with an easy example, so you can head over to that article for a better understanding. Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing." What Experts argued: According to some security experts — "It's not a backdoor, rather it’s a feature to avoid unnecessary re-verification of encryption keys upon automatic regeneration." 
Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp." A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 Billion, says — "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor." What's the fact: Notably, none of the security experts or the company has denied that, if required, WhatsApp, on government request, or state-sponsored hackers could intercept your chats. All they say is that WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, "Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment." What? "...encryption protocol supposedly "backdoored" by WhatsApp…" NO! No one has said it's an "encryption backdoor;" instead this backdoor resides in the way end-to-end encryption has been implemented by WhatsApp, which allows interception of messages without breaking the encryption. As I mentioned in my previous story, this backdoor has nothing to do with the security of the Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly. Then Why Is Signal More Secure than WhatsApp? You might be wondering why the Signal private messenger is more secure than WhatsApp, while both use the same end-to-end encryption protocol, and both are recommended by the same group of security experts who are arguing — "WhatsApp has no backdoor." It's because there is always room for improvement. The Signal messaging app, by default, allows a sender to verify a new key before using it. 
Whereas WhatsApp, by default, automatically trusts the new key of the recipient with no notification to the sender. And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered. So, here WhatsApp chose usability over security and privacy. It’s not about 'Do We Trust WhatsApp/Facebook?': WhatsApp says it does not give governments a "backdoor" into its systems. No doubt, the company would fight the government if it received any such court orders, and it is currently doing its best to protect the privacy of its one-billion-plus users. But what about state-sponsored hackers? Because, technically, there is no such 'reserved' backdoor that only the company can access: whoever controls the key the server presents to the sender, whether WhatsApp itself or someone who has compromised it, can exploit the same behaviour. Why the 'Verifying Keys' Feature Can't Protect You: WhatsApp also offers a third security layer with which you can verify the keys of the other users you are communicating with, either by scanning a QR code or by comparing a 60-digit number. But here’s the catch: this feature ensures that no one is intercepting your messages or calls at the time you are verifying the keys, but it does not ensure that no one intercepted your encrypted communication in the past or will intercept it in the future, and there is currently no way to detect that. WhatsApp's Prevention against such MITM Attacks is Incomplete WhatsApp already offers a "security notifications" feature that notifies users whenever a contact's security code changes, which you need to turn on manually from the app settings. But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense. Have you received a notification indicating that your contact's security code has changed? Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense and not communicate with a contact whose security key has recently changed without verifying the key manually. 
The fact that WhatsApp automatically changes your security key so frequently (for some reason) means one would start ignoring such notifications, making it practically impossible for users to actively check and verify the authenticity of session keys each time. What should WhatsApp do? Without panicking all one-billion-plus users, WhatsApp can, at least: Stop regenerating users' encryption keys so frequently (I honestly don't know why the company does so). Give an option in the settings for privacy-conscious people which, if turned on, would not automatically trust a new encryption key and send messages until it is manually accepted or verified by the user. ...because just like others, I also hate using two apps for communicating with my friends and work colleagues, i.e. Signal for privacy and WhatsApp because everyone uses it. Source
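The two policies the article contrasts, as an added simulation that is not code from WhatsApp, Signal or Open Whisper Systems: a sender keeps the last identity key seen for each contact and a queue of undelivered messages; when the server announces a new key, the auto-trust policy rebinds the queued messages to it and resends, while the block policy leaves them bound to the old key until the user verifies the new one. The encryption itself is not modelled, a message only records which key it is bound to, and the fingerprint function and the key bytes are placeholders chosen for the simulation.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """Short digest of a public key so key changes are easy to read.
    Assumed for the simulation; it is not the 60-digit code the apps show."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Outbound:
    text: str
    bound_to: str          # fingerprint of the recipient key the message is encrypted to
    delivered: bool = False


@dataclass
class SenderClient:
    """The sender's view: last key seen per contact plus the undelivered queue."""
    policy: str                                  # "auto_trust" or "block_until_verified"
    security_notifications: bool = False         # WhatsApp's opt-in setting
    known_keys: dict = field(default_factory=dict)
    queue: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def send(self, contact, text):
        msg = Outbound(text, bound_to=self.known_keys[contact])
        self.queue.append(msg)
        return msg

    def on_key_change(self, contact, new_pubkey):
        """The server announces a new identity key for `contact`."""
        new_fp = fingerprint(new_pubkey)
        old_fp = self.known_keys.get(contact)
        if new_fp == old_fp:
            return
        self.known_keys[contact] = new_fp
        if self.policy == "auto_trust":
            # Default behaviour the article describes: rebind every undelivered
            # message to the new key and resend; the user is told only if the
            # opt-in setting is on, and then only after delivery.
            for m in self.queue:
                if not m.delivered:
                    m.bound_to = new_fp
            if self.security_notifications:
                self.notifications.append(f"{contact}: security code changed ({old_fp} -> {new_fp})")
        else:
            # Block policy: nothing is re-encrypted until the user verifies the
            # new key out of band; the queue keeps the old binding.
            self.notifications.append(f"{contact}: key changed, verify before sending ({old_fp} -> {new_fp})")

    def verify(self, contact, code_from_qr):
        """User compared the code with the contact in person and confirmed it."""
        if code_from_qr != self.known_keys[contact]:
            raise ValueError("scanned code does not match the key the server presented")
        for m in self.queue:
            if not m.delivered:
                m.bound_to = code_from_qr

    def undelivered_bound_to(self):
        return [m.bound_to for m in self.queue if not m.delivered]


BOB_KEY = b"bob-real-identity-key"              # constructed placeholder key material
SUBSTITUTED_KEY = b"key-bob-never-generated"     # what the server presents instead


def scenario(policy, security_notifications=False):
    """Alice queues a message while Bob is offline, then the server presents a
    key Bob never generated. Returns Alice's client for inspection."""
    alice = SenderClient(policy=policy, security_notifications=security_notifications,
                         known_keys={"bob": fingerprint(BOB_KEY)})
    alice.send("bob", "meet at 9")
    alice.on_key_change("bob", SUBSTITUTED_KEY)
    return alice


if __name__ == "__main__":
    for policy in ("auto_trust", "block_until_verified"):
        a = scenario(policy, security_notifications=True)
        print(policy, a.undelivered_bound_to(), a.notifications)
```

Running it prints, for each policy, which key the undelivered message ends up encrypted to. Under auto-trust it is the substituted key, with no notification unless the opt-in setting is on; under the block policy it stays on Bob's original key and the user is told before anything is resent. verify() also refuses a scanned code that does not match what the server presented, which is exactly the case the 60-digit comparison is meant to catch.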
  20. WhatsApp Security: Make This Change Right Now! Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages. Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the service's end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application. It turns out however that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter (via The Guardian) found out. Update: In a statement sent to Ghacks, a WhatsApp spokesperson provided the following insight on the claim: WhatsApp has the power to generate new encryption keys for users who are not online. Neither the sender nor the recipient of messages is made aware of that by default, and the sender's client resends any message not yet delivered, re-encrypted with the new key. The recipient of the message is never made aware of that. The sender is notified only if WhatsApp is configured to display security notifications, an option that is not enabled by default. While WhatsApp users cannot block the company -- or any state actors requesting data -- from taking advantage of the loophole, they can at least activate security notifications in the application. The security researcher reported the vulnerability to Facebook in April 2016 according to The Guardian. Facebook's response was that it was "intended behavior" according to the newspaper. Activate security notifications in WhatsApp To enable security notifications in WhatsApp, do the following: (1) Open WhatsApp on the device you are using. (2) Tap on the menu and select Settings. (3) Select Account on the Settings page. (4) Select Security on the page that opens. (5) Enable "show security notifications" on the Security page. 
You will receive notifications when a contact's security code has changed. While this won't prevent misuse of the backdoor, it will at least inform you about its potential use. Source Alternate Source - 1: WhatsApp Encryption Has Backdoor, Facebook Says It's "Expected Behaviour" Alternate Source - 2: WhatsApp Backdoor allows Hackers to Intercept and Read Your Encrypted Messages Alternate Source - 3: Oh, for F...acebook: Critics bash WhatsApp encryption 'backdoor' Alternate Source - 4: Your encrypted WhatsApp messages can be read by anyone Alternate Source - 5: How to protect yourself from the WhatsApp 'backdoor' Alternate Source - 6: 'Backdoor' in WhatsApp's end-to-end encryption leaves messages open to interception [Updated]
  21. Secret CIA Assessment Says Russia Was Trying To Help Trump Win White House CIA officials told senators it is now “quite clear” that electing Donald Trump was Russia’s goal. In an interview on Fox News Sunday on Dec. 11, President-elect Trump denied the CIA's assessment. (Victoria Walker/The Washington Post) The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter. Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials. Those officials described the individuals as actors known to the intelligence community and part of a wider Russian operation to boost Trump and hurt Clinton’s chances. “It is the assessment of the intelligence community that Russia’s goal here was to favor one candidate over the other, to help Trump get elected,” said a senior U.S. official briefed on an intelligence presentation made to U.S. senators. “That’s the consensus view.” The Post's Ellen Nakashima goes over the events, and discusses the two hacker groups responsible. (Jhaan Elker/The Washington Post) The Obama administration has been debating for months how to respond to the alleged Russian intrusions, with White House officials concerned about escalating tensions with Moscow and being accused of trying to boost Clinton’s campaign. [U.S. government officially accuses Russia of hacking campaign to interfere with elections] In September, during a secret briefing for congressional leaders, Senate Majority Leader Mitch McConnell (R-Ky.) voiced doubts about the veracity of the intelligence, according to officials present. 
The Trump transition team dismissed the findings in a short statement issued Friday evening. “These are the same people that said Saddam Hussein had weapons of mass destruction. The election ended a long time ago in one of the biggest Electoral College victories in history. It’s now time to move on and ‘Make America Great Again,’ ” the statement read. Trump has consistently dismissed the intelligence community’s findings about Russian hacking. “I don’t believe they interfered” in the election, he told Time magazine this week. The hacking, he said, “could be Russia. And it could be China. And it could be some guy in his home in New Jersey.” The CIA shared its latest assessment with key senators in a closed-door briefing on Capitol Hill last week, in which agency officials cited a growing body of intelligence from multiple sources. Agency briefers told the senators it was now “quite clear” that electing Trump was Russia’s goal, according to the officials, who spoke on the condition of anonymity to discuss intelligence matters. Sen. Lindsey Graham (R-S.C.) says he wants to investigate whether Russia interfered with the 2016 U.S. election, amongst claims that Donald Trump's rhetoric on Russia and Vladimir Putin is too soft. (Peter Stevenson/The Washington Post) The CIA presentation to senators about Russia’s intentions fell short of a formal U.S. assessment produced by all 17 intelligence agencies. A senior U.S. official said there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered. For example, intelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said. Those actors, according to the official, were “one step” removed from the Russian government, rather than government employees. 
Moscow has in the past used middlemen to participate in sensitive intelligence operations so it has plausible deniability. Julian Assange, the founder of WikiLeaks, has said in a television interview that the “Russian government is not the source.” The White House and CIA officials declined to comment. On Friday, the White House said President Obama had ordered a “full review” of Russian hacking during the election campaign, as pressure from Congress has grown for greater public understanding of exactly what Moscow did to influence the electoral process. “We may have crossed into a new threshold, and it is incumbent upon us to take stock of that, to review, to conduct some after-action, to understand what has happened and to impart some lessons learned,” Obama’s counterterrorism and homeland security adviser, Lisa Monaco, told reporters at a breakfast hosted by the Christian Science Monitor. Obama wants the report before he leaves office Jan. 20, Monaco said. The review will be led by James Clapper, the outgoing director of national intelligence, officials said. During her remarks, Monaco didn’t address the latest CIA assessment, which hasn’t been previously disclosed. Seven Democratic senators last week asked Obama to declassify details about the intrusions and why officials believe that the Kremlin was behind the operation. Officials said Friday that the senators specifically were asking the White House to release portions of the CIA’s presentation. This week, top Democratic lawmakers in the House also sent a letter to Obama, asking for briefings on Russian interference in the election. U.S. intelligence agencies have been cautious for months in characterizing Russia’s motivations, reflecting the United States’ long-standing struggle to collect reliable intelligence on President Vladimir Putin and those closest to him. 
In previous assessments, the CIA and other intelligence agencies told the White House and congressional leaders that they believed Moscow’s aim was to undermine confidence in the U.S. electoral system. The assessments stopped short of saying the goal was to help elect Trump. On Oct. 7, the intelligence community officially accused Moscow of seeking to interfere in the election through the hacking of “political organizations.” Though the statement never specified which party, it was clear that officials were referring to cyber-intrusions into the computers of the DNC and other Democratic groups and individuals. Some key Republican lawmakers have continued to question the quality of evidence supporting Russian involvement. “I’ll be the first one to come out and point at Russia if there’s clear evidence, but there is no clear evidence — even now,” said Rep. Devin Nunes (R-Calif.), the chairman of the House Intelligence Committee and a member of the Trump transition team. “There’s a lot of innuendo, lots of circumstantial evidence, that’s it.” [U.S. investigating potential covert Russian plan to disrupt elections] Though Russia has long conducted cyberspying on U.S. agencies, companies and organizations, this presidential campaign marks the first time Moscow has attempted through cyber-means to interfere in, if not actively influence, the outcome of an election, the officials said. The reluctance of the Obama White House to respond to the alleged Russian intrusions before Election Day upset Democrats on the Hill as well as members of the Clinton campaign. Within the administration, top officials from different agencies sparred over whether and how to respond. White House officials were concerned that covert retaliatory measures might risk an escalation in which Russia, with sophisticated cyber-capabilities, might have less to lose than the United States, with its vast and vulnerable digital infrastructure. 
The White House’s reluctance to take that risk left Washington weighing more-limited measures, including the “naming and shaming” approach of publicly blaming Moscow. By mid-September, White House officials had decided it was time to take that step, but they worried that doing so unilaterally and without bipartisan congressional backing just weeks before the election would make Obama vulnerable to charges that he was using intelligence for political purposes. Instead, officials devised a plan to seek bipartisan support from top lawmakers and set up a secret meeting with the Gang of 12 — a group that includes House and Senate leaders, as well as the chairmen and ranking members of both chambers’ committees on intelligence and homeland security. Obama dispatched Monaco, FBI Director James B. Comey and Homeland Security Secretary Jeh Johnson to make the pitch for a “show of solidarity and bipartisan unity” against Russian interference in the election, according to a senior administration official. Specifically, the White House wanted congressional leaders to sign off on a bipartisan statement urging state and local officials to take federal help in protecting their voting-registration and balloting machines from Russian cyber-intrusions. Though U.S. intelligence agencies were skeptical that hackers would be able to manipulate the election results in a systematic way, the White House feared that Russia would attempt to do so, sowing doubt about the fundamental mechanisms of democracy and potentially forcing a more dangerous confrontation between Washington and Moscow. [Putin denies that Russia hacked the DNC but says it was for the public good] In a secure room in the Capitol used for briefings involving classified information, administration officials broadly laid out the evidence U.S. spy agencies had collected, showing Russia’s role in cyber-intrusions in at least two states and in hacking the emails of the Democratic organizations and individuals. 
And they made a case for a united, bipartisan front in response to what one official described as “the threat posed by unprecedented meddling by a foreign power in our election process.” The Democratic leaders in the room unanimously agreed on the need to take the threat seriously. Republicans, however, were divided, with at least two GOP lawmakers reluctant to accede to the White House requests. According to several officials, McConnell raised doubts about the underlying intelligence and made clear to the administration that he would consider any effort by the White House to challenge the Russians publicly an act of partisan politics. Some of the Republicans in the briefing also seemed opposed to the idea of going public with such explosive allegations in the final stages of an election, a move that they argued would only rattle public confidence and play into Moscow’s hands. McConnell’s office did not respond to a request for comment. After the election, Trump chose McConnell’s wife, Elaine Chao, as his nominee for transportation secretary. Some Clinton supporters saw the White House’s reluctance to act without bipartisan support as further evidence of an excessive caution in facing adversaries. “The lack of an administration response on the Russian hacking cannot be attributed to Congress,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee, who was at the September meeting. “The administration has all the tools it needs to respond. They have the ability to impose sanctions. They have the ability to take clandestine means. The administration has decided not to utilize them in a way that would deter the Russians, and I think that’s a problem.” Philip Rucker contributed to this report. Source Alternate Source - Intelligence Figures Fear Trump Reprisals Over Assessment Of Russia Election Role
  22. After Spying Webcams, Welcome the Spy Toys “My Friend Cayla and I-Que” Privacy advocates claim both toys pose security and privacy threats to children and parents. Internet-connected toys are currently all the rage among parents and kids alike, but what we are not aware of are the security dangers associated with using smart toys. It is a fact acknowledged by the Center for Digital Democracy that smart toys pose grave privacy, security and similar risks to children. There are specific privacy and security flaws in a pair of smart toys that have been designed to engage with kids. Last year, we reported how the “Hello Barbie” toy spies on kids by talking to them, recording their conversations and sending them to the company’s servers, where they are analyzed and then stored in another cloud server. Now, the dolls My Friend Cayla and I-Que Intelligent Robot, which are marketed to both boys and girls, are the objects of security concern. In fact, child advocacy, consumer and privacy groups have filed a complaint [PDF] with the Federal Trade Commission against these dolls. It is suspected that these dolls violate the Children’s Online Privacy Protection Act (COPPA) as well as FTC rules, because they collect and use personal data while communicating with kids. The complaint terms this behaviour of the dolls a deceptive practice on the part of the makers. The FTC has been asked in the complaint to investigate the matter and take action against the manufacturer of the dolls, Genesis Toys, as well as the provider of the third-party voice recognition software for My Friend Cayla and I-Que, Nuance Communications. The complaints have been filed by these groups: the Campaign for a Commercial-Free Childhood (CCFC), Consumers Union, Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC). According to the complainants, these dolls are already creepy looking, and the fact that they gather information makes them even creepier. 
Both toys use voice recognition technology coupled with internet connectivity and Bluetooth to engage with kids by answering questions and making conversation. However, according to the CDD, this is done in a very insecure and invasive manner. Genesis Toys claims on its website that while “most of Cayla’s conversational features can be accessed offline,” searching for information requires internet connectivity. The promotional video for the Cayla doll also focuses on the toy’s ability to communicate with the kid, stating: “ask Cayla almost anything.” To work, these dolls require mobile apps, but some questions can be asked directly. The toys keep a Bluetooth connection enabled constantly so that the dolls can react to actions in the app and identify objects when the kid taps on the screen. Some of the questions asked are recorded and sent to Nuance’s servers for parsing, but it is still unclear how much of that information is kept private. The toys’ manufacturer maintains that complete anonymity is observed. The toys were released in late 2015 but are still selling like hot cakes. As per the researchers’ statement in the FTC complaint, “by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys.” This means anyone within Bluetooth range can use their smartphone to talk to the child, or listen in, using the doll as the gateway. [Video: ad showing how Cayla works] [Video: how anyone can spy on your child with Cayla and i-Que] If you own a smart toy, keep an eye on the conversation between the toy and your kid. Courtesy: CDD Source
  23. Germany Warns Moscow Will Splash Cash On Pre-Election Propaganda And Misinformation Spree Top security agency issues warning ahead of 2017 poll Germany's intelligence agency has accused Russia of hacking its politicians and election systems under the guise of online activism. Federal Office for the Protection of the Constitution (BfV) chief Hans-Georg Maassen says Russia is intending to “weaken or destabilise the Federal Republic of Germany”. Germany's national election is expected in September 2017. Maassen says Russia is tipping money into misinformation campaigns in "aggressive and elevated" spying against "German Government officials, members of parliament, and employees of democratic parties". The BfV head says in a statement (PDF in German) that the Government is expecting more hacking in the run-up to the elections. He says Russia has "enormous resources" and noted increased activity of known advanced hacking groups including Pawn Storm (Fancy Bear), said to be a state-sponsored entity. Maassen says citizens' reliance on social media makes them vulnerable to consuming fake news propaganda, which he says is an "ideal gateway" for disinformation using bots to spread messages. It comes as US intelligence agencies accused Moscow of hacking and leaking information to deliberately discredit Democratic presidential contender Hillary Clinton, and of compromising but withholding data stolen from the Republican National Committee. President-elect Donald Trump has rejected the "high confidence" assertion by the intelligence agencies. Russia has hit back, with Dmitry Peskov, a spokesman for president Vladimir Putin, saying last month that the nation is also bracing for attacks during its next election, adding that Germany, like all other European countries, hacks other nations' infrastructure. Moscow has been blamed for the hacking and release of Democratic National Committee emails before the US presidential election. 
But Moscow has strongly denied involvement in orchestrating cyberattacks on foreign soil and hit back with allegations of its own against the West. Source
  24. Gone in 6 seconds: Credit cards can be hacked in a flash, researchers reveal (VIDEO) Cyber criminals can work out the card number, expiry date and security code of any Visa credit or debit card in as few as six seconds using nothing more than simple guessing, a new study has revealed. The study, carried out by researchers from Newcastle University and published in the IEEE Security & Privacy journal, shows how a so-called ‘Distributed Guessing Attack’ can bypass every security feature put in place to protect online users in a matter of seconds. The guessing technique works by automatically submitting different variations of the card security data across multiple websites until the attackers land on a ‘hit’ for each required piece of information. The team found that by spreading the guesses across multiple websites, neither the payment network nor the banks were able to detect the invalid attempts, since no single website sees more than its allowed number of tries. “The current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website,” said Mohammed Ali, computer science PhD student at Newcastle University and lead author of the paper. Additionally, while websites seek to bolster online shopping security by asking for different variations of card info, this actually works to the hackers’ advantage, according to the researchers, because it makes it “quite easy to build up the information and piece it together like a jigsaw.” “The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” Ali explained. For anyone concerned about how to keep their credit and debit cards safe, the fact is “there is no magic bullet” according to the paper’s co-author Dr. Martin Emms. 
However, he added that there are some steps consumers can take to minimize their risk of becoming a victim of credit card fraud. “Use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it,” Emms advises. Source
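The field-by-field guessing the paper describes, as an added simulation that is not the Newcastle researchers' code: each merchant checks a different subset of card fields and allows ten attempts per card, counted only locally; the attacker learns the expiry using sites that do not ask for a CVV, then the CVV using sites that do, rotating to a fresh site whenever one stops answering. An IssuerNetwork class then adds the check the paper says is missing, a single decline counter per card across all sites. The card data, the site limits and the issuer rule are all assumptions made for the simulation.

```python
import itertools
from collections import defaultdict

# Constructed test card for the simulation. 4111111111111111 is the standard
# Visa test number that passes the Luhn check; it is not a real account.
CARD = {"pan": "4111111111111111", "expiry": (2019, 3), "cvv": "582"}


class Merchant:
    """A checkout that validates the fields it asks for and, like the sites in
    the paper, allows only a fixed number of attempts per card, counted locally."""

    def __init__(self, name, fields, attempt_limit=10):
        self.name = name
        self.fields = fields
        self.attempt_limit = attempt_limit
        self.attempts = defaultdict(int)

    def try_payment(self, submitted):
        pan = submitted["pan"]
        if self.attempts[pan] >= self.attempt_limit:
            return "blocked"
        self.attempts[pan] += 1
        for f in self.fields:
            if submitted.get(f) != CARD[f]:
                return "declined"
        return "approved"


class IssuerNetwork:
    """The control the researchers found missing: one decline counter per card
    shared across every site. Assumed design, not any real network's rule."""

    def __init__(self, limit=10):
        self.limit = limit
        self.declines = defaultdict(int)
        self.locked = set()

    def observe(self, pan, outcome):
        if outcome == "declined":
            self.declines[pan] += 1
            if self.declines[pan] >= self.limit:
                self.locked.add(pan)


def build_merchants():
    # Sites that check only number + expiry are used to learn the expiry;
    # sites that also check the CVV are used afterwards for the CVV.
    light = [Merchant(f"expiry-site-{i}", ["pan", "expiry"]) for i in range(10)]
    full = [Merchant(f"cvv-site-{i}", ["pan", "expiry", "cvv"]) for i in range(100)]
    return light + full


def expiry_candidates(start_year=2017, years=5):
    return [(y, m) for y in range(start_year, start_year + years) for m in range(1, 13)]


def cvv_candidates():
    return [f"{i:03d}" for i in range(1000)]


def run_attack(merchants, network=None):
    """Guess one field at a time, moving to the next site whenever the current
    one stops answering. With `network` set, the issuer sees every decline."""
    pan = CARD["pan"]
    known = {"pan": pan}
    stats = {"guesses": 0, "sites_used": set(), "found": {}, "locked_by_network": False}
    for fld, candidates in (("expiry", expiry_candidates()), ("cvv", cvv_candidates())):
        needed = set(known) | {fld}
        pool = iter(m for m in merchants if set(m.fields) == needed)
        site = next(pool)
        for value in candidates:
            if network is not None and pan in network.locked:
                stats["locked_by_network"] = True
                return stats
            submitted = dict(known, **{fld: value})
            outcome = site.try_payment(submitted)
            while outcome == "blocked":          # this site's limit is spent; rotate
                site = next(pool, None)
                if site is None:
                    return stats
                outcome = site.try_payment(submitted)
            stats["guesses"] += 1
            stats["sites_used"].add(site.name)
            if network is not None:
                network.observe(pan, outcome)
            if outcome == "approved":
                known[fld] = value
                stats["found"][fld] = value
                break
        else:
            return stats                          # candidates exhausted
    return stats


if __name__ == "__main__":
    print("per-site limits only:", run_attack(build_merchants()))
    print("with network-wide counter:", run_attack(build_merchants(), IssuerNetwork()))
```

Running the script shows the attack completing both fields in 610 guesses spread over 62 sites, with no site ever seeing more than ten attempts, and the same attack stopping after ten declines once the issuer counts across sites. Real checkouts vary in which fields they request and in their limits, and the article notes the attack was demonstrated against Visa cards, so treat the numbers here as illustrative of the mechanism rather than of any particular network.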
  25. Uh oh, Yahoo! Data Breach May Have Hit Over 1 Billion Users The massive data breach that Yahoo! confirmed to the world last week is claimed by the company to have been carried out by a "state-sponsored actor" in 2014, exposing the accounts of at least 500 Million Yahoo users. But now it seems that Yahoo may have downplayed a mega data breach and is trying to hide its own security blunder. Recently the information security firm InfoArmor, which analyzed the breached data, refuted Yahoo's claim, stating that the data breach was the work of seasoned cyber criminals who later sold the compromised Yahoo accounts to an Eastern European nation-state.

Over 1 Billion Accounts May Have Been Hacked Now there's one more twist in the unprecedented data heist. A recent development in the story indicates that the number of affected Yahoo accounts may be between 1 Billion and 3 Billion. An unnamed former Yahoo executive who is familiar with the company's security says that Yahoo's back-end architecture is designed in such a way that all of its products use one main user database (UDB) to authenticate users, Business Insider reported Friday. So every username and password that users enter to log into services like Yahoo Mail, Sports or Finance goes to this one central database to be validated before access is granted. This central database is what got compromised, and therefore it's quite difficult to believe that hackers who compromised the whole database walked away with just a small bunch of "the core crown jewels of Yahoo customer credentials." Whoever carried out the hack not only stole usernames and email addresses of affected users but also pilfered other personal information, including their dates of birth, phone numbers, hashed passwords, and unencrypted security answers. So it's unclear how Yahoo came up with the 500 Million number. The company has not commented further on how the data breach happened or when it was discovered, citing an active investigation.

Yahoo! could have saved you, but decided not to: A lengthy report published by the New York Times seemingly explains that the company did not reset the passwords of its users after the breach due to decisions made by Yahoo's CEO Marissa Mayer, who seemed to prioritize developing new products over making security improvements. The reason sounds stupid, as the article reads: If Yahoo had reset the passwords of its affected users, users would have been prompted to take proper security measures to protect their personal data from hackers. Let's see what new developments come in this unprecedented data breach. Already, the Yahoo hack is believed to be one of the biggest in history, and the company is still trying to negotiate a deal to sell its core business to Verizon for $4.8 Billion. Yahoo! has yet to respond to the recent revelation by the insider. The data breach news has already magnified the company's problems, but if the number of breached accounts reaches a billion, would the company be able to save its acquisition deal? Let us know in the comments below... Source
