Month: December 2014

Hey, devs! Those software libraries aren’t always safe to use

In today’s world of agile software development and fast release cycles, developers increasingly rely on third-party libraries and components to get the job done. Since many of those libraries come from long-running, open-source projects, developers often assume they’re getting well-written, bug-free code. They’re wrong.

The major patching efforts triggered by the Heartbleed, Shellshock and POODLE flaws this year serve as examples of the effect of critical vulnerabilities in third-party code. The flaws affected software that runs on servers, desktop computers, mobile devices and hardware appliances, affecting millions of consumers and businesses.

However, these highly publicized vulnerabilities were not isolated incidents. Similar flaws have been found in libraries such as OpenSSL, LibTIFF, libpng, OpenJPEG, FFmpeg, Libav and countless others, and these have made their way into thousands of products over the years.

Among the reasons why these bugs end up in finished products is a belief by developers that the third-party code they choose to integrate is secure because it has already been used by many others.

The shallow bugs myth

“There is a myth that open source is secure because everyone can review it; more eyes reviewing it making all bugs shallow,” said Jake Kouns, CISO of Risk Based Security, a firm that specializes in tracking vulnerabilities. “The reality is that while everyone could look at the code, they don’t and accountability for quality is deferred. Developers and companies that consume third party libraries are not allocating their own resources to security test ‘someone else’s code.’ Right or wrong, everyone seems to think that someone else will find the vulnerabilities and what is published is secure.”

The reality is that many open source projects, even the ones producing code that’s critical to the Internet infrastructure, are often poorly funded, understaffed and have nowhere close to enough resources to pay for professional code audits or the manpower to engage in massive rewrites of old code.

OpenSSL is a prominent example of such a case, but far from the only one. After the critical Heartbleed bug was announced in April, it was revealed that the OpenSSL project had only one full-time developer and that the project was being primarily funded through contract-based work that other team members did in their spare time for companies in need of SSL/TLS expertise.

The developers of OpenBSD criticized OpenSSL for maintaining old code for platforms that few people care about and decided to fork the project to create a cleaner version of the library dubbed LibreSSL.

The flaws in open source libraries are often the result of one or more of these reasons: old code or low code maturity, insufficient auditing or fuzzing — a process of finding vulnerabilities by automatically feeding unexpected input to applications — and too few maintainers, said Carsten Eiram, the chief research officer of Risk Based Security. “We see that many vulnerabilities being found in these libraries are by researchers simply running some of the latest fuzzers against them, so it’s often something the maintainers or companies using said libraries could do themselves. Software vendors are quick to implement libraries into their products, but rarely audit or even fuzz these first or help maintaining them.”

It’s all marketing

The Heartbleed, Shellshock and POODLE vulnerabilities raised a lot of interest among software developers and system administrators, partly because of the attention the flaws received in the media. Some vendors are still identifying products affected by these flaws and are releasing fixes for them, months after they were first announced.

Eiram believes that the primary reason why these vulnerabilities stood out was not their impact, but the way in which they were advertised by their finders — with fancy names and logos. The sad truth is that flaws of similar importance are regularly found in widespread libraries, but manage to fly under the radar and are rarely patched by the software vendors who use them.

“A lot of vulnerabilities — 18 — have been addressed in OpenSSL since Heartbleed, and we haven’t remotely seen the same attention to issuing fixes quickly — or at all — from the vendors,” Eiram said. “We see fixes of varying severity to libraries on almost a daily basis, but rarely see vendors bundling these libraries in their products issue fixes, even though we know these libraries are heavily used.”

One example of that is a vulnerability discovered in 2006 by Tavis Ormandy, a security researcher who now works at Google. The flaw was among several that affected LibTIFF and were fixed in a new release at the time. It was tracked as CVE-2006-3459 in the Common Vulnerabilities and Exposures database.

“In 2010, a vulnerability was fixed in Adobe Reader, which turned out to be one of the vulnerabilities covered by CVE-2006-3459,” Eiram said. “For four years, a vulnerable and outdated version of LibTIFF had been bundled with Adobe Reader, and it was even proven to be exploitable.”

Adobe Systems has since become one of the software vendors taking the threat of flaws in third-party components seriously, Eiram said. “They’ve made major improvements to their process of tracking and addressing vulnerabilities in the third-party libraries and components used in their products.”

Another one of those vendors is Google. Aside from just keeping track of vulnerabilities in the third-party code it uses, the company’s researchers are actively searching for flaws in that code.

“We’ve seen two of Google’s prolific researchers, Gynvael Coldwind and Mateusz Jurczyk, finding more than 1,000 issues in FFmpeg and Libav, which is used in Chrome, and they’re currently looking at other libraries like FreeType too,” Eiram said. “OpenJPEG also seems to receive some scrutiny by Google at the moment, which is used in PDFium that in turn is used in Chrome. Obviously, Google also put a lot of effort into securing WebKit, when they started using that as the engine for Chrome.”

Making such contributions helps to improve the code maturity of those libraries for everyone, and is something that all software vendors should do.

If vendors would at least use fuzzing to test the libraries that they use and help fix the issues they find in the process, it would make a significant difference, Eiram said. Much more so than the bug bounty programs for critical Internet software, like those run by Hacker One or Google, which so far have had little effect at drawing researchers toward finding vulnerabilities in libraries, he said.

An accurate bill of materials

Unfortunately we’re a long way from that happening, as many software developers fail to even keep track of which third-party components they use and where, not to mention vulnerabilities that are later found and patched in those components.

Veracode, a security firm that runs a cloud-based vulnerability scanning service, found that third-party and open source components introduce an average of 24 known vulnerabilities into each application and that in the case of some enterprises, 40 percent of the applications they use have one or more critical vulnerabilities introduced by components.

“Most companies learned lessons from trying to patch Heartbleed and Shellshock,” said Chris Eng, vice president of research at Veracode. “One of the challenges was that it involved not only patching servers, but patching vulnerable hardware and software products. Answering the question ‘Which of my products rely on a vulnerable version of OpenSSL?’ was difficult for many organizations due to lack of visibility into the composition of their software products.”

“Having an accurate ‘bill of materials,’ so to speak, for all software projects is critical to the patching effort,” Eng said. “This has always been true, but Heartbleed and Shellshock both amplified the issue thanks to the ubiquity of both OpenSSL and Bash.”

For system administrators the situation is even more complicated, because they rely on software vendors for fixes, and vendors' responses to flaws in third-party components vary greatly, from fairly quick to nonexistent.

“We do sense that the software industry has recognized the threat and is trying to deal with it — at least many major companies — but properly mapping libraries used in the code and tracking and triaging vulnerabilities in these requires significant resources,” Eiram said.

Be prepared for more

If there’s one thing that Heartbleed and Shellshock changed it is that researchers now have a model for advertising the flaws they find so they reach a wider audience. Even though many in the security industry don’t agree with this approach, because it tends to hype the risks, it does seem to put pressure on vendors to act. It also seems to attract the attention of even more researchers, leading to increased scrutiny of some libraries, even if for short periods of time.

“Researchers looking to find the most impactful vulnerabilities will naturally be drawn to software that is widespread and baked into a wide range of products,” Eng said. “I think this will continue, because many researchers are motivated — at least in part — by the media attention that comes with discovering high-profile bugs.”

From a business perspective, being forced to unexpectedly reallocate resources that are planned for something else in order to deal with flaws like Heartbleed, which involves identifying affected products and issuing patches, is likely a burden for software vendors. If faced with highly publicized flaws on a regular basis, vendors might naturally be pushed to adopt more proactive strategies that involve tracking, patching and even finding vulnerabilities in third-party components themselves as a matter of course.

“It does seem like more and more software companies are discussing the challenge of dealing with third party libraries and components, and have recognized how these are an Achilles heel,” Eiram said. “The vast majority of them still need to implement a proper policy and approach for dealing with this challenge.”

Companies should map which of their products contain third-party libraries, should define policies for who may add such components to products and how, should consider the security state of a library before using it by consulting the various vulnerability databases and should create an in-house vulnerability tracking solution or purchase a subscription to a commercial one with strong library coverage.

“Longer term we may see a shift, but developers may still view Heartbleed and Shellshock as isolated events rather than a trend,” Eng said. “On the other hand, automated solutions are now making it easier for enterprises to identify components with known vulnerabilities in their application portfolios, so I think we’ll see the proactive approach becoming a best practice over time.”

On the enterprise side, “Organizations need to recognize that bugs of the magnitude we’ve seen in 2014 will continue into 2015 and put the processes in place to quickly identify where they are vulnerable, have a sound procedure to prioritize the issues and efficient processes to patch systems when bugs are discovered to reduce risk of exploitation,” said Gavin Millard, technical director for EMEA region at Tenable Network Security. “When the next ‘Bug du Jour’ hits, the rapid response to deal with it needs to be a well oiled, tested and efficient machine.”

Source: http://www.computerworld.com/

Misfortune Cookie Crumbles Millions of Security Systems

Check Point Software Technologies recently revealed a flaw in millions of routers that allows the devices to be controlled by hackers.

The company’s Malware and Vulnerability Group detected 12 million Internet-connected devices that have the flaw.

The vulnerability, which Check Point dubbed “Misfortune Cookie,” can be found in the code of a commonly used embedded Web server, RomPager from AllegroSoft. A system attacker can exploit it to take control of a router and use it to steal data from both wired and wireless devices connected to a network.

Fixes for the flaw have been available since 2005, but 98 percent of the devices using RomPager haven’t been updated and still contain the vulnerable version of the software.

Even if device makers had been on the ball and kept the embedded subsystems on their hardware up to date, chances are there still would be lots of vulnerable devices connected to the Net, observed Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.

“Most people don’t install upgrades to their firmware,” he told TechNewsWorld. “That’s why we believe this vulnerability will stay around for months and years to come.”

Thing Attacks

Infected routers aren’t a new attack vector for Net marauders. A widely reported incident early this year included routers in a malicious email campaign that flooded the Internet with 750,000 junk messages. Thousands of other gadgets also were used to disseminate the spam — things like home media centers, televisions, and at least one smart refrigerator.

Proofpoint, which discovered that caper, explained that it didn’t take rocket science to compromise the devices. Attackers simply exploited misconfigurations or factory-set passwords to crack them.

Billed as the first large-scale attack using the Internet of Things, the Proofpoint discovery may be a sign of things to come down the road.

“I don’t think this will be widespread in 2015, and we don’t expect that IoT devices will be main targets, but it will start to evolve next year,” said Cathal McDaid, head of data intelligence and analytics for AdaptiveMobile.

A number of things make IoT devices ripe for hacking. They’re not monitored by people as a phone or computer would be. They don’t get upgraded often, and they may reside in out-of-the-way locations.

Attacks on IoT devices in 2015 likely will mirror the Proofpoint incident.

“Next year, we may see some of these mobile IoT devices compromised to send spam,” McDaid told TechNewsWorld. “Spam generated might be email — or if they are able to send text messages, then spam SMS.”

Asleep in the Corner Office

Since the limelight has shone on information security at Sony, a multitude of sins have been exposed, including a tidbit about the company’s CEO, Michael Lynton, being regularly reminded in insecure emails of secret passwords for his personal and family mail, banking, travel and shopping accounts.

Security naivete isn’t limited to Sony’s corner office. Many CEOs are disconnected from the cyberthreats hurled at their companies every day.

For example, 80 percent of CEOs in corporate America don’t have any idea their company’s systems are being attacked on a regular basis, suggests a survey released earlier this year by Lancope and the Ponemon Institute.

Recent events at Sony may be changing that level of awareness, though.

“They are changing their behavior now, but it’s a painful process,” Lancope CTO Tim “TK” Keanini told TechNewsWorld.

Lack of awareness isn’t limited to the corner office, either — not when companies have to be told by outside parties that systems have been breached.

“Defenders need to detect a threat in its early stages, not when the Secret Service calls you — not when your source code is posted to Pastebin,” Keanini said. “If that’s your form of detection, we’ve got worse things coming.”

Source: http://www.technewsworld.com/

Amazon, Xbox Live, PSN and more: Hackers leak 13,000 passwords

13,000 login details, including payment card numbers and expiry dates, have leaked from online services including Amazon, Xbox Live, Playstation Network and more, according to Tech Crunch.

The hackers posted a document with details of username and passwords, along with some credit card numbers and expiry dates to Ghostbin – a text storage website.

Websites affected included not only gaming related organisations such as Xbox, Playstation, Twitch, EA Games and Ubisoft, but also shopping chains such as Amazon and Walmart and TV streaming website Hulu Plus. Pornography websites were also included in the breach. Amazon, Sony and Microsoft have “yet to confirm whether the leak is legitimate”, according to Metro.

The wide-ranging mix of websites attacked has led the Daily Dot to suggest that not all of the websites have necessarily been breached, and that login information may have been acquired – at least in some of the cases – by “malware installed onto users’ personal devices or other nefarious methods.”

It has been a bad Christmas for gaming services, with this following swiftly on from the extended outages for the Xbox Live and Playstation Network online gaming services from DDoS attacks, as reported by We Live Security here. At the time of writing, Microsoft has reported that the Xbox Live service is back up and running, though Sony’s Playstation Network is still experiencing outages.

The news got worse for Sony, as the hackers leaking the log-in information – the Anonymous collective have taken credit, according to the Daily Mail – also claimed to have uploaded a pirate copy of ‘The Interview’, which has been in the news as the possible cause of the hacking of Sony Pictures.

Source: http://www.welivesecurity.com/

DNS attacks putting organizations at risk, survey finds

More than 75 percent of organizations in the U.S. and U.K. have experienced at least one DNS attack, and 66 percent of organizations in the U.S. experienced a DNS attack within the last 12 months, according to new research undertaken by Vanson Bourne and commissioned by Cloudmark.

The DNS Security Survey is based on interviews with 300 IT decision-makers – 200 in the U.S. and 100 in the U.K. – who work for organizations with at least 1,000 employees in the financial services, IT, manufacturing and production, and retail, distribution and transport sectors.

Of those that experienced at least one DNS attack, 74 percent of respondents stated that their organization has been affected by a distributed denial-of-service (DDoS) attack aimed at causing an internet outage or service disruption, according to findings emailed to SCMagazine.com.

In a Tuesday email correspondence, Tom Landesman, a security researcher with Cloudmark, told SCMagazine.com that attackers are able to launch DDoS attacks through DNS amplifications and resource exhaustion.

“They set up a malicious domain with very large resource records with the goal of executing a DNS amplification attack,” Landesman said. “Once the malicious domain is created, queries going to open DNS resolvers with a spoofed IP are directed to a spoofed IP address of target servers causing a DDoS attack.”

Landesman said DDoS attacks are likely the number one DNS attack because of the minimal effort and resources required on the attacker’s end. He added that DDoS attacks create a scenario where the organization is focused on mitigation, while malware infections and data theft may be happening elsewhere on the network.
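The amplification pattern Landesman describes looks like this from the resolver operator's side. This is an added example, not code from Cloudmark or the survey; the log format, the sample lines and the thresholds are constructed for it.

```python
"""Flag possible DNS-amplification abuse in resolver query logs and simulate
response rate limiting, which is the usual mitigation.

The attacker queries an open resolver for a domain with very large resource
records using a spoofed source address, so the resolver's big answers land
on the victim. On the resolver the tell-tale signs are a large response/query
size ratio and many repeated queries for the same name from one "client"
(the spoofed victim). Log format and lines below are constructed.
"""
from collections import defaultdict

# Constructed log lines: time client qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
12:00:01 198.51.100.7 big.example.test ANY 60 3900
12:00:01 198.51.100.7 big.example.test ANY 60 3900
12:00:02 198.51.100.7 big.example.test ANY 60 3900
12:00:02 198.51.100.7 big.example.test ANY 60 3900
12:00:03 203.0.113.9 www.example.org A 45 120
12:00:04 203.0.113.9 mail.example.org MX 48 210
"""

AMPLIFICATION_THRESHOLD = 20.0  # response bytes / query bytes (constructed)
MIN_QUERIES = 3                 # repeats of the same (client, qname) pair


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, client, qname, qtype, qlen, rlen = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "query_bytes": int(qlen), "response_bytes": int(rlen)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def amplification(rec):
    """Bytes the resolver sent out per byte it received for this query."""
    return rec["response_bytes"] / rec["query_bytes"]


def suspicious_flows(records, threshold=AMPLIFICATION_THRESHOLD,
                     min_queries=MIN_QUERIES):
    """Group queries by (client, qname) and report groups whose average
    amplification is high and that repeat enough times to matter.
    The 'client' in such a group is most likely the spoofed victim, so the
    report is a signal to rate-limit, not to block that address."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["qname"])].append(r)
    out = []
    for (client, qname), recs in groups.items():
        avg = sum(amplification(r) for r in recs) / len(recs)
        if len(recs) >= min_queries and avg >= threshold:
            out.append({"client": client, "qname": qname, "queries": len(recs),
                        "avg_amplification": round(avg, 1),
                        "bytes_sent_to_client": sum(r["response_bytes"] for r in recs)})
    return sorted(out, key=lambda d: d["bytes_sent_to_client"], reverse=True)


def rate_limit(records, limit_per_second=1):
    """Simulate response rate limiting: allow at most `limit_per_second`
    identical (client, qname, qtype) answers within one log second and
    drop the rest. Returns (kept, dropped). Benign traffic is untouched
    because its answers are not identical repeats."""
    seen = defaultdict(int)
    kept, dropped = [], []
    for r in records:
        key = (r["ts"], r["client"], r["qname"], r["qtype"])
        seen[key] += 1
        (kept if seen[key] <= limit_per_second else dropped).append(r)
    return kept, dropped


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for flow in suspicious_flows(recs):
        print("suspicious:", flow)
    kept, dropped = rate_limit(recs)
    print(f"rate limiting kept {len(kept)} answers, dropped {len(dropped)}")
```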

Of other types of DNS attacks, 46 percent of respondents said their organization experienced DNS exfiltration, or leaking data out via DNS; 45 percent said DNS tunneling, or using DNS to bypass network access or security controls, to create reverse tunnels allowing infiltration, or to bypass Wi-Fi billing; and 33 percent said DNS hijacking, or attempts to reroute DNS traffic to malicious domains or phishing sites.

As a result of DNS attacks, 63 percent of organizations experienced lost internet, 42 percent experienced more customer complaints, 34 percent experienced lost business-critical data and confidential customer information, and 30 percent experienced lost revenue.

Although respondents pointed to customer retention and brand reputation as the biggest concerns following a DNS attack, remediation and operational costs were also considered a burden. Landesman said that the strain DNS attacks put on an organization’s infrastructure and resources can lead to the lost revenue.

“Cybercriminals are able also to bypass Wi-Fi payments, as well as tunnel subscriber traffic through DNS to avoid roaming fees,” Landesman said. “Telecommunication providers may face revenue loss in the millions of dollars as a result.”

Nearly 70 percent of respondents said their organization has a DNS security solution implemented to protect against DNS attacks.

“It’s critical that organizations incorporate DNS protection into their overall security strategy,” Landesman said. “Just as all organizations have addressed traditional internet vulnerabilities with firewalls and anti-virus solutions, it is important that they protect their DNS infrastructure with a flexible, comprehensive solution that can stay ahead of the bad guys.”

The retail, distribution and transport sector experienced the most DNS attacks, with 74 percent of respondents stating that their organization had experienced a DNS attack within the last 12 months.

Source: http://www.scmagazine.com/

Cybercrime group steals millions from Russian banks, targets US and European retailers

A sophisticated group of cybercriminals has stolen more than $25 million by hacking into the infrastructure of numerous financial institutions in Russia and former Soviet Union countries, as well as into point-of-sale systems belonging to U.S. and European retailers.

Researchers from Russian cybercrime investigations firm Group-IB and Dutch security firm Fox-IT have dubbed the cybercriminal group Anunak, after the primary malware program in its toolset.

Unlike most cybercrime operations where attackers target the customers of financial institutions, the Anunak group targeted the institutions themselves, compromising their internal networks, workstations and servers. This access allowed them to transfer funds to accounts under their control and in some cases even to compromise ATMs, which they then used to withdraw money fraudulently.

“Since 2013 they have successfully gained access to networks of more than 50 Russian banks and 5 payment systems, and 2 of these institutions were deprived of their banking license,” Group-IB said in a report released Monday. “To date the total amount of theft is over 1 billion rubles (about 25 million dollars), most of it has been stolen in the second half of 2014.”

The Anunak attackers start by infecting the computers of regular employees with malware and then move laterally inside the network by compromising servers and active domain accounts. The group uses network scanners, keyloggers, password crackers, SSH backdoors, remote control programs and often the Metasploit penetration testing framework.

However, their primary tool is a computer Trojan dubbed Anunak, based on Carberp, a malware program designed to steal online banking credentials and whose source code was leaked online in June 2013. The Group-IB researchers believe that some members of the Anunak group were previously members of the Carberp gang which split up in 2013 following internal conflicts.

The attackers use several methods to infect computers with the Anunak Trojan. These include drive-by downloads through exploit kits (the group is believed to have injected malicious code in the php.net site in 2013 to attack its visitors), spoofed emails with malicious attachments that claim to be sent by the Central Bank of the Russian Federation and installation through other malware programs as part of pay-per-install agreements.

“The criminal group keeps in touch with several owners of large botnets that massively distribute their malware,” the Group-IB researchers said. “The attackers buy from these botnet owners the information about IP addresses of computers where the botnet owners have installed malware and then check whether the IP addresses belong to financial and government institutions. If the malware is in the subnet of interest, the attackers pay the large botnet owner for installation of their target malware.”

Starting in the second quarter of 2014, the Anunak group also targeted retailers in the U.S., Australia and Europe with the goal of infecting point-of-sale (POS) terminals with malware that can steal payment card data during transactions.

At least 16 possible breaches have been identified at retail organizations — 12 of them in the U.S. — and theft of credit card data was confirmed in three of those cases, the researchers said in their report. The group also compromised computers at three U.S.-based PR and media organizations, possibly with the intention of obtaining trading advantages on the stock market, they said.

“We have no evidence of compromises against banks in Western Europe or United States, but it should be noted that the attackers’ methods could be utilized against banks outside of Russia as well,” the researchers warned.

Source: http://www.computerworld.com/

Mark Cuban: Hollywood Won’t Change Until The Next Major Hack

The Sony hack revealed Mark Cuban’s personal email address, as well as several confidential emails between himself and executives detailing his displeasure with a salary offered to him for ABC’s hit show Shark Tank.

On Sunday, the billionaire told CNN’s Reliable Sources that prior to the hack, he had already stopped using email to conduct confidential business interactions and had instead moved to his app Cyber Dust, which he has described as “What’s App meets SnapChat.”

Cuban was unequivocal about how the hack would affect Hollywood, which has been shocked by the hack, and if it would happen again.

Here’s what he had to say:

STELTER: Do you think that will profoundly change in Hollywood as a result of this hack?

CUBAN: Not until the next one. And there will be a next one.

STELTER: It takes one more to change…

CUBAN: Yes, because everybody will think, look, that’s not going to happen to me. It happens. Right. It can’t – that’s just the way people think.

And now that the hack has gotten so much notoriety and it’s had such an impact, you know, that’s a chip for any hacker. That’s a trophy hack, and people – hackers are going to want more trophy hacks just to put the trophy on their mantle.

“Whoever you send it to now controls that message.”
Cuban went on to make statements about the vulnerability involved in all major social media platforms:

STELTER: It seems like this hack might have been a good thing for you, because you’re using it as a chance to promote your app Cyber Dust.

CUBAN: Right.

STELTER: You say you’re in touch with Sony via this app now.

CUBAN: Right.

STELTER: So, you’re really negotiating them via an app.

CUBAN: Sony – well, actually, Mark Burnett’s people do most of the negotiations, right? And so but we also have to incorporate Sony into it.

What went from C.C.ing Steve and Holly Jacobs and the whole Sony crew has turned into, OK, I’m only doing it on Cyber Dust. But I started this before the hack, before there was any awareness of the hack. It wasn’t something in response to the hack. It’s something that I had already pushed them to do in the first place, knowing that, look, when you hit send on a tweet, a Facebook post, a text, or an e-mail, the minute you hit send, you lose ownership of it.

Whoever you send it to now controls that message. They can do whatever they want. They can put it anywhere they want in any context and you have no idea.

Source: http://www.businessinsider.in/

12 million home and business routers vulnerable to critical hijacking hack

More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in “RomPager” software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send simple HTTP cookies that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices. Researchers from Check Point’s malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the “fortune” of an HTTP request by manipulating cookies. They wrote:

If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

Determining precisely what routers are vulnerable is a vexing undertaking. Devices frequently don’t display identifying banners when unauthenticated users access them, and when such banners are presented, they often don’t include information about the underlying software components. Beyond that, some device manufacturers manually patch the bug without upgrading the RomPager version, a practice that may generate false positives when automatically flagging all devices running versions prior to 4.34. To work around the challenges, Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

Check Point has uncovered no evidence the vulnerability has been actively exploited, but researchers couldn’t rule out such attacks, either. In-the-wild exploits might at least partially explain a rash of hacks earlier this year that remotely hijacked hundreds of thousands of routers on two separate occasions. What’s more, Thursday’s disclosure is likely to spur blackhats to begin exploiting the vulnerability.

The critical vulnerability was introduced in 2002, and a fix was made available three years later. As demonstrated by Check Point’s finding that 12 million devices are susceptible to Misfortune Cookie attacks, the fix has yet to make its way into a significant number of routers. The bug has been assigned the identifier CVE-2014-9222.

The surest way for readers to make sure their devices aren’t vulnerable is to confirm they are running RomPager version 4.34 or higher, although as noted earlier, it’s possible routers running earlier versions may have been manually patched. Ars isn’t immediately aware of any services end users can deploy to detect vulnerable routers. This post will be updated if that changes. In the event a device is vulnerable, it’s up to the end user to locate an update and flash the router, a process that’s not always straightforward. Users may also want to consider alternative firmware. Administrators who oversee large fleets of vulnerable devices can consult this whitepaper made available by Check Point. If a router is believed to be vulnerable but can’t be updated, users can also put it in bridge mode and deploy a secure device as the Internet dialer/gateway.

The risk stemming from the vulnerability goes well beyond attackers being able to monitor unencrypted data. It also includes attackers using a hijacked router to infect connected computers and Internet-of-things devices. Normally, routers act as a firewall that filters out such remote attacks. A router affected by the Misfortune Cookie bug could instead become a beachhead for attacking the rest of a local network.
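The banner triage the article describes, written up as an added example (not Check Point’s or Ars Technica’s code): only RomPager builds below 4.34 are candidates, a missing or non-RomPager banner yields no conclusion, and a low version number is reported as “possibly affected” rather than “vulnerable” because vendors may have backported the fix. The device names and banner strings are constructed, not scan results.

```python
import re

# Added example, not Check Point's or Ars Technica's code: triage HTTP Server
# banners following the article's caveats. FIXED_VERSION is the first RomPager
# release carrying the fix, as stated in the article.
FIXED_VERSION = (4, 34)

# Constructed sample banners for five hypothetical devices, modelled on the
# "RomPager/x.yy" form; they are not real scan results.
SAMPLE_BANNERS = {
    "device-a": "RomPager/4.07 UPnP/1.0",
    "device-b": "RomPager/4.51 UPnP/1.0",
    "device-c": "Allegro-Software-RomPager/4.34",
    "device-d": "lighttpd/1.4.28",
    "device-e": None,  # no banner shown to an unauthenticated client
}

_ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def parse_rompager_version(banner):
    """Return (major, minor) when the banner names a RomPager version, else None.

    Versions are compared as integer tuples rather than as strings or floats,
    so that multi-digit minor numbers compare correctly.
    """
    if not banner:
        return None
    match = _ROMPAGER_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(banner):
    """Classify one banner as unknown, not-affected, or possibly-affected."""
    version = parse_rompager_version(banner)
    if version is None:
        # No RomPager banner: nothing can be concluded from the banner alone.
        return "unknown"
    if version >= FIXED_VERSION:
        return "not-affected"
    # Below 4.34 is a candidate, but a vendor backport would make this a false
    # positive, so the verdict asks for confirmation instead of asserting.
    return "possibly-affected"


def assess_fleet(banners):
    """Map each device to (assessment, version label) for reporting."""
    report = {}
    for host, banner in banners.items():
        version = parse_rompager_version(banner)
        label = "%d.%02d" % version if version else "n/a"
        report[host] = (assess(banner), label)
    return report


if __name__ == "__main__":
    for host, (status, version) in sorted(assess_fleet(SAMPLE_BANNERS).items()):
        print(f"{host}: RomPager {version:>4} -> {status}")
```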

Source:http://arstechnica.com/

Sony hacking sparks worldwide alert

Posted on

Companies across the world are on high alert to tighten up their network security to avoid being the next firm brought to its knees by hackers like those who carried out the dramatic cyber-attack against Sony Pictures Entertainment.

The hack, which, a US official has said, investigators believe is linked to North Korea, culminated in the cancellation of a Sony film and ultimately could cost the studio hundreds of millions.

That the hack included terrorist threats and was focused on causing major corporate damage, rather than on stealing customer information for fraud, such as in the breaches at Home Depot and Target, indicates a whole new frontier has emerged in cyber-security. Suddenly every major company could be the target of cyber-extortion.

“The Sony breach is a real wake-up call even after the year of mega-breaches we’ve seen,” said Lee Weiner, Boston security firm Rapid7’s senior vice president of products and engineering.

“This is a completely different type of data stolen with the aim to harm the company.”

This should signal to all US businesses that they need to “take cyber-security as seriously as physical security of their employees or security of their physical facilities,” said Cynthia Larose, chairwoman of the privacy and security practice at Boston law firm Mintz Levin.

The breach is particularly troubling in Hollywood, where secrecy is supposed to be paramount to ensure that movie secrets worth millions are not leaked.

“Movie studios have, by and large, behaved as high-security intellectual property purveyors; prints have been tightly controlled, screeners are watermarked, and bootleggers are prosecuted wherever possible,” said Seth Shapiro, a professor at the University of Southern California’s School of Cinematic Arts.

He said what made it so surprising was that email leaks showed Sony executives apparently gave out passwords in unencrypted emails and made other security blunders.

“The apparent laxity of Sony IT security – given the history of prior hacks – is unprecedented in the history of media technology,” he said. Sony’s PlayStation network was hacked in 2011.


Studios are trying to tighten up procedures in the wake of the Sony attack. Warner Bros. executives have ordered a company-wide password reset and sent a five-point security checklist to employees advising them to purge their computers of any unnecessary data.

“Keep only what you need for business purposes,” the message, in an email seen by The Associated Press, said.

Even so, some say there is little corporations can do to prevent such a sophisticated attack. The key may lie more in detection and limiting damage.

“There are very few companies that can withstand that kind of large assault,” said Rich Mogull, an analyst with security firm Securosis in Phoenix, Arizona. “But a lot of companies do need to improve what they’re doing on security, I see it every day with companies I work with.”

Companies also need to invest in identifying vulnerabilities on their networks and work quickly to address them.

Jonathan Sander, strategy and research officer at data security firm Stealthbits in Hawthorne, New Jersey, recommends a comprehensive review to ensure outdated files, such as digital copies of old contracts and electronic conversations that occurred years ago are no longer being stored on the corporate networks.

“We used to have to lead people to the idea that you need to protect this kind of data,” he said. “Now we walk in and they’re asking, ‘How can I keep my data from ending up on the internet like Sony’s did?’.”

Some customers have been wondering if they should reduce their reliance on email and switch to other digital forms of communication, such as messaging systems that do not store the data.

Most importantly, companies need to focus on the ability to detect hacks quickly and limit them as fast as possible. Currently, the average amount of time it takes a company to detect a breach is 200 to 230 days, Rapid7’s Mr Weiner said, adding: “That allows the attacker time to gain a lot of knowledge and do a lot of damage.”

One example companies could follow is in the technology sector, where most firms have been tightening their security measures during the past 18 months in response to revelations about the digital spying tactics of the US government.

Documents leaked by former National Security Agency contractor Edward Snowden revealed that the government had been tapping into the computer networks of Google, Yahoo, Facebook and other technology companies in search of emails and other electronic communications that might uncover terrorist plots and other illegal activity.

The government has maintained that it has never collected the kind of highly personal details stolen in the Sony Pictures breach. But tech companies being targeted by the NSA have since tried to thwart the surveillance by encrypting their internal email systems as well as the free accounts available to the general public.

Both Google and Apple, the makers of the world’s leading software for mobile devices, are also automatically encrypting the data stored on smartphones so the information is indecipherable to unauthorised users, including government authorities.

General Motors says it has bolstered cyber-security in the past two years by bringing information technology in-house from outside vendors. The auto giant has a cybersecurity chief on staff to prevent hackers from getting into GM vehicle computers and has consolidated electronic data storage from 23 centres around the world into two near Detroit.

Tom Chapman, head of cyber-operations at EdgeWave Security in San Diego, California, said in the past, people were looking for a firewall or an individual product for protection.

“Now, they’re realising there is a human element. They need to understand who might be after them. By better understanding your likely adversaries, you can better craft your defence,” the retired US Navy intelligence officer who specialised in hunting down hackers said.

Source:http://www.sundaypost.com/

Delta Says Boarding Pass Hack Had No Impact on Flight Safety

Posted on

Delta Airlines said Tuesday that a security vulnerability on its mobile boarding passes has been fixed without causing any “impact to flight safety.”

The boarding pass vulnerability was first found Monday by a BuzzFeed intern who also runs a site about technologists. In a post on Medium, Dani Grant detailed how she was able to access other passengers’ boarding passes simply by changing a single digit in her pass’ URL. She was also able to log in to Delta’s site as those other passengers, from which point she could’ve changed their seating assignments or accessed other details about them.


Grant was also able to access boarding passes belonging to non-Delta passengers, most likely because airlines share some technology that powers mobile boarding passes.

“After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring,” Delta spokesperson Paul Skrbec said Tuesday afternoon. Delta is still investigating the problem, but Skrbec’s statement added that Delta is “not aware of any compromised customer accounts.”

It’s unlikely that the flaw could have posed a threat to aviation safety. While Grant suggested on Twitter that it would have been possible to take advantage of the vulnerability for nefarious purposes, airport safety procedures should have prevented any security lapses.

Source:http://time.com/

Anonymous Hacker Sabu First Interview after becoming an FBI Affiliated Hacker

Posted on

Members of the biggest vigilante group online, “Anonymous”, operate in complete secrecy. They choose to live their lives in the shadows, wearing masks when they protest publicly. Its members hack government and company computer systems.

A few years ago, one of the members of “Anonymous”, Hector Monsegur, also known as Sabu, was caught by the FBI and started to work as an undercover agent for the US government. Now, for the first time, he is breaking his silence in a public interview.

Sabu opened up to “CBS This Morning” co-host Charlie Rose about his journey from hacktivist to informant. He led cyber-attacks that resulted in $50 million in damages, and hacking became his escape from a harsh life of poverty in New York.

According to Monsegur, he taught himself everything he knows. “You know everybody around me was into something, but it wasn’t computers,” he said.

From the moment Sabu got his hands on a used computer, he was passionate about computers. For a boy raised in a New York housing project by his grandmother, the internet was his gateway to the world and offered him something bigger.

Monsegur said, “We were poor, so I needed to find ways that were cheap or free so I could be able to access the internet without giving a burden to my grandmother.”

According to court documents, Sabu at first stole credit card information and sold the numbers or used them to pay his own bills. In time, he joined a hacker group and got involved with “Anonymous”, a notorious group focused on social justice and probing computer systems to uncover their flaws.

According to Monsegur, “Anonymous is an idea, an idea where we could all be anonymous.” “We could all work together as a crowd, united, we could rise and fight against oppression.”

As “Anonymous” grew, Monsegur and his hacker colleagues took the group to a worldwide level.

He hacked the prime minister’s website during the Arab Spring in Tunisia, and posted a letter supporting the protestors. According to Monsegur, it was amazing. “I finally saw that I was able to do something that contributed to society regardless if I was at home in the Lower East Side, in the projects behind a computer,” he said.

Sabu confessed he was behind a thousand hacks. While working with “Anonymous” and his own group LulzSec, he also targeted MasterCard, Visa, PayPal, the FBI and the US Senate. Though he acknowledged the hacking was illegal, he said he was not bothered about being caught.

“After you’re hacking for so long, you reach a point of no return,” he said. “Regardless if you fear that they’re going to get you one day, it’s too late,” he added.


In June 2011, Sabu led a blatant attack on InfraGard, an FBI-connected website. Days later, the FBI found him at the house where he grew up.

Recalling what the FBI said to him: ‘Well, we know who you are, we know what you’re doin’, and we also know you have two kids in the house. You make the decision.’ He realised the FBI knew his weakness, and that was the kids.

Sabu decided right away to become an FBI informant to avoid the near certainty of serving many years in prison. Over the next 3 years, he kept communicating with his co-hackers, but this time every move was followed by the FBI. Sabu helped the FBI prevent as many as 300 cyberattacks against systems controlled by NASA and the military, among others.

Sabu said, “I was able to intercept attacks that were happening against the government and share it with the government so they could fix these issues.”

Monsegur also played a big role in the arrest of the group’s co-conspirators. Seven of them pleaded guilty, along with Jeremy Hammond, the FBI’s most wanted cybercriminal.

When some of his fellow hacktivists found out about Sabu’s cooperation with the FBI, they saw it as the ultimate betrayal, and his co-hackers labeled him a traitor and a snitch.

Monsegur said that he was never in the position of identifying anyone; he did not point fingers at anybody. “My cooperation entailed logging and providing intelligence. It didn’t mean ‘Can you please tell me the identity of one of your mates?’” he said.

Sabu insisted that hackers would not even be able to reveal that information, since the members of the group remain what the name implies, “Anonymous”.

Sabu emphasized that the critical systems keeping America online remain vulnerable and that the threat still exists. “In all reality there is no security,” he said. “Hackers could break right into the airport, the phone systems, obviously, the water supply systems – shut them down.”

Alarming as it may sound, Sabu said this should motivate the US government to take action on the country’s infrastructure.

Source:http://www.hackersnewsbulletin.com/

Researcher identifies XSS vulnerability affecting Citibank website

Posted on Updated on

A security researcher who goes by the name ‘E1337′ identified a cross-site scripting (XSS) vulnerability affecting the website belonging to Citibank – http://www.citibank.com – and reported it on Friday to XSSposed.org, an archive where researchers can report XSS vulnerabilities impacting websites.

The issue has yet to be patched, according to the post, which shows the latest check for a patch as being performed on Monday.


The XSS bug puts users, visitors and administrators at risk of having their cookies, personal data, authentication credentials and browser history stolen by attackers, the post indicates, adding these are “probably the less dangerous consequences of XSS attacks.”

According to the post, increasingly sophisticated XSS attacks are being paired with spear phishing, social engineering and drive-by attacks.

A Citi spokesperson was not immediately available for comment.

Source:http://www.scmagazine.com/

Sony hacking highlights challenge to CEO Hirai’s ‘One Sony’ vision

Posted on

Leaked emails reveal a cultural gulf between Japan’s Sony Corp and Hollywood subsidiary Sony Pictures Entertainment, highlighting the challenge facing CEO Kazuo Hirai in turning around the money-losing company under the slogan One Sony.

The Japanese conglomerate is heading for its fifth net loss in six years, raising questions about its ability to hold on to businesses ranging from making television sets to movies. While activist hedge fund investor Daniel Loeb has given up his call for Sony to spin off its entertainment arm, others believe it should exit weak product lines such as TVs.

Bilingual Hirai is linked to both sides of Sony, having experience at both the video games and music businesses. He is therefore widely considered one of the company’s few executives capable of bringing together the manufacturing and movie-making cultures of Tokyo and Hollywood.

But along with racial jokes related to U.S. President Barack Obama and disparaging remarks about top actors, leaked emails from Sony Pictures executives reveal tension between Hirai and the film studio.

The emails were leaked following a cyberattack on Sony’s computer systems last month by a group demanding the company pull upcoming film “The Interview”, a comedy criticized by North Korea for depicting the assassination of its leader. They show Hirai ordered the film to be toned down and encountered resistance from the film’s creators including co-director and actor Seth Rogen. Sony Pictures co-chairman Amy Pascal tried to mediate.


The emails also show film executives viewed Hirai and Chief Financial Officer Kenichiro Yoshida with trepidation ahead of cost cuts aimed at increasing profit margins.

Sony Pictures Chief Executive Officer Michael Lynton in October forwarded to Pascal an email from Yoshida, marked “confidential” and seeking “serious consideration to modifying the Entertainment executives compensation plans”.

“This is also what I am now dealing with,” he wrote.

Sony declined to comment for this article and Hirai was not made available for interview.

Company sources said Sony Pictures was taking the lead in the investigation and that Hirai was briefed frequently. People close to the investigation told Reuters the North Korean state is a principal suspect.

ONE SONY

The hack comes as Hirai is trying to prove Sony is better off with all of its businesses including cameras, films and insurance under one roof.

Last year, Loeb called on Hirai to sell part of the entertainment business to fund restructuring in its electronics arm. That, Loeb said, would also force the market to assess the value of the entertainment business more highly.

That business has recently been helping to partially offset weakness in smartphones. Last month, Hirai forecast sales at Sony Pictures to rise to as much as $11 billion in three years, 36 percent more than in the current business year.

“The entertainment segment has maintained profitability for 18 years straight, and as a generator of stable profit, it is a major pillar of the Sony Group,” Hirai told investors on Nov. 18, days before the hack became apparent.

Sony shares have risen around 18 percent this year in recognition of Hirai’s turnaround efforts. In September, however, Sony cut its outlook for the sixth time on Hirai’s watch.

Many investors and analysts now believe Hirai should make more drastic cuts in its electronics arm.

Jefferies analyst Atul Goyal said Yoshida’s appointment this year spurred change, such as an exit from personal computers. Goyal said Sony could eventually sell its TV set business.

Source:http://www.reuters.com/

U.S. accounts for most Mac OS X attacks and websites seeded with malware

Posted on

This year was a tough one for U.S. Apple users and U.S.-run websites, according to Kaspersky Lab’s year-in-review blog post.

U.S. Apple users accounted for the largest portion of attacks on Mac OS X this year with 98,077 users being attacked, which accounted for 39 percent of all Mac OS X attacks Kaspersky documented.

This trend toward U.S. users could be for an obvious reason, said Patrick Nielsen, senior security researcher, Kaspersky Lab. Put simply, Americans use Apple computers more than other documented countries.

“As Macs have grown in market share we have seen a matching correlation with attacks,” he said. “It’s just that they’ve become much more interesting to attackers.”

More than 3 million attempts to infect Mac OS X-based computers were blocked this year, as compared to 1,363,549 blocked attempts on Android-based devices.

The U.S. also topped the list of countries where online resources were seeded with malware. The U.S. accounted for 27 percent of infected online resources. Germany came in second at 16 percent. Again, Nielsen said, that could simply be attributed to many of the most popular websites being based in the U.S, which would offer a wealth of possible victims.


Although attacks continue to trend upward on all devices, one specific method did see a decrease in infection attempts: SMS trojan attacks.

Attacks on Russian citizens, in particular, dropped. The country had previously been a major target. The blog post says this drop could be attributed to mobile operators in Russia having to use an Advice of Charge mechanism, which requires the operator to inform a device owner of the cost of the service and get confirmation of the payment whenever a message is sent.

This doesn’t mean mobile isn’t lucrative for attackers, noted Nielsen, as evidenced by Android attacks.

More than anything, however, this year was marked by the proliferation of sophisticated malware, Nielsen said.

Source:http://www.scmagazine.com/

Now at the Sands Casino: An Iranian Hacker in Every Server

Posted on

Most gamblers were still asleep, and the gondoliers had yet to pole their way down the ersatz canal in front of the Venetian casino on the Las Vegas Strip. But early on the chilly morning of Feb. 10, just above the casino floor, the offices of the world’s largest gaming company were gripped by chaos. Computers were flatlining, e-mail was down, most phones didn’t work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt.


Computer engineers at Las Vegas Sands Corp. (LVS) raced to figure out what was happening. Within an hour, they had a diagnosis: Sands was under a withering cyber attack. PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean. The company’s technical staff had never seen anything like it.

The people who make the company work, from accountants to marketing managers, were staring at blank screens. “Hundreds of people were calling IT to tell them their computers weren’t working,” says James Pfeiffer, who worked in Sands’ risk-management department in Las Vegas at the time. Most people, he recalls, switched over to their cell phones and personal e-mail accounts to communicate with co-workers. Numerous systems were felled, including those that run the loyalty rewards plans for Sands customers; programs that monitor the performance and payout of slot machines and table games at Sands’ U.S. casinos; and a multimillion-dollar storage system.

Source:http://www.businessweek.com/

Hackers Trick Keurigs Into Making Uncopyrighted Coffee

Posted on

When we last checked in with Keurig, the coffee machine maker had just turned itself into a big, fat target for copyright reform activists. The problem: Keurigs’s promise to make its 2.0 machines incompatible with any single-serving coffee pods it hadn’t licensed. Critics compared the approach to the DRM restrictions that hobble the sharing of digital music.


And as with DRM, it now appears that Keurigs have been hacked.

Not that getting the Keurig 2.0 to brew non-compliant coffee pods seems to have required the same kind of technical savvy required to reverse-engineer digital copyright protections. Instead, according to Keurighack.com, it takes one piece of tape and “not much aim.” (And maybe some scissors.)

In a video accompanied by Darth Vader’s theme music, an anonymous hacker snips a small section of the lid from a Keurig “K-cup” and tapes it over the lid over what the video calls a “rebel” pod. The strip seems to fool the machine into thinking the cup inside is a member of the Keurig “empire.”

Alternately, the video suggests attaching the strip to the machine itself to permanently fool it. “Just tape it in there, up in the left: over the open rectangular space.” (We’ve reached out to Keurig Green Mountain to get their take on whether such a hack is possible—and whether it voids the warranty.)

If Keurigs are so easy to spoof (a bunch of other people have figured this out), why would its makers bother with coffee DRM at all, especially considering the barrage of negative publicity and more than a dozen lawsuits the protections have prompted? Think of it as the inkjet printer business model applied to coffee: The money isn’t in the printer. It’s in the ink.

Source:http://www.wired.com

XSS VULNERABILITIES FOUND ON UBER WEBSITES

Posted on

A security researcher has uncovered four cross-site scripting (XSS) vulnerabilities on travel site Uber, a day after an XSS vulnerability was found on the website of private car service Uber, according to posts on xssposed.org.

The Uber vulnerabilities, reported by a security researcher who goes by the handle Nasrul07, made it possible for hackers to modify page content and execute attacks to steal user credentials and post false reviews on the site. As of the researcher’s post on Tuesday, the vulnerability remains unpatched.


The flaw reported on Uber, by a researcher who goes by E1337, would allow the theft of visitors’ cookies, personal details and browser history as well as authentication credentials.

The discovery comes at an inopportune time for Uber, which recently announced a $50 billion financing round in preface to its IPO.

Source:http://www.scmagazine.com/

150 Million PayPal Accounts In Danger of Hijacking

Posted on

A vulnerability that would have enabled a hacker to completely bypass the authentication system in PayPal has been patched, resulting in a $10,000 bounty for the white-hat that found it.

Worth every penny, too: the flaw put 150 million PayPal customers in danger of having their accounts hijacked with a low-effort, simple gambit.

The flaw was publicly disclosed by Egyptian researcher Yasser Ali, after he saw that the cross-site request forgery (CSRF) Prevention System implemented by PayPal had a critical flaw. The CSRF token for authorization of users is changed with every request made by a user as a security precaution. But, Ali found that the ‘CSRF Auth’ token is reusable for a specific user email address or username, meaning that a hacker could intercept and take possession of the tokens, and then simply reuse them to access the account of the correlated, logged in user.


Ali detailed how the vulnerability could be exploited in a blog post. The essential problem lies with the fact that CSRF Auth verifies every single request of that user. So, if an attacker is not logged in and tries to make a ‘send money’ request, PayPal will ask the attacker to provide his email and password. When he plugs in an email and any type of password, valid or not, he can then capture the request, which will contain a valid CSRF Auth token that is reusable and can authorize this specific user’s requests.

From there, the next hurdle is to get past the security questions, since an attacker cannot change the victim’s password without answering them. This boiled down to the fact that the initial process of setting security questions in the first place is not password-protected and is reusable, so it can simply be initiated to reset the security questions, without providing the password at all.

Taken in total, an attacker can conduct a targeted CSRF attack against a PayPal user and take a full control over his or her account. This involves requests including: Add/remove/confirm email address; add fully privileged users to business account; change security questions; change billing/shipping address; change payment methods; change user settings (notifications/mobile settings).
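The token-design flaw described above, contrasted with a session-bound, single-use design, as an added example: this is constructed illustration code, not PayPal’s implementation or its fix. The weak scheme derives the token from the user’s e-mail alone (so it is identical across requests and sessions); the hardened scheme binds each token to the authenticated session and consumes it on first use. SERVER_KEY and the session ids are placeholders.

```python
import hashlib
import hmac
import secrets

# Added example, not PayPal's code. SERVER_KEY is a constructed placeholder
# for a server-side secret.
SERVER_KEY = secrets.token_bytes(32)


def _mac(message):
    """HMAC-SHA256 over a message string, hex encoded."""
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()


# Weak design, as the article describes it: the token is a pure function of
# the user identifier, so any response that ever emitted it (including one
# for a failed login attempt) yields a value that still validates for the
# real user's authenticated session, and it never expires.
def weak_issue_token(user_email):
    return _mac("csrf:" + user_email)


def weak_verify(user_email, token):
    return hmac.compare_digest(token, weak_issue_token(user_email))


class SessionBoundCsrf:
    """Hardened design: random tokens bound to the session id by an HMAC,
    tracked server-side per session, and discarded after one use."""

    def __init__(self):
        self._outstanding = {}  # session_id -> set of tokens not yet used

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        token = nonce + "." + _mac(session_id + ":" + nonce)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id, token):
        # A token captured from another session is absent from this set, so
        # it is rejected before any cryptographic check is even needed.
        if token not in self._outstanding.get(session_id, set()):
            return False
        nonce, _, mac = token.partition(".")
        if not hmac.compare_digest(mac, _mac(session_id + ":" + nonce)):
            return False
        self._outstanding[session_id].discard(token)  # single use
        return True


def demo():
    """Return (weak_replays, hardened_cross_session, hardened_first, hardened_replay)."""
    victim = "victim@example.invalid"  # constructed address
    leaked = weak_issue_token(victim)  # value an unauthenticated request could emit
    weak_replays = weak_verify(victim, leaked) and weak_verify(victim, leaked)

    csrf = SessionBoundCsrf()
    from_other_session = csrf.issue("session-A")
    hardened_cross = csrf.verify("session-B", from_other_session)  # False
    own = csrf.issue("session-B")
    hardened_first = csrf.verify("session-B", own)  # True
    hardened_replay = csrf.verify("session-B", own)  # False
    return weak_replays, hardened_cross, hardened_first, hardened_replay


if __name__ == "__main__":
    print(demo())
```

The security-question reset the article also mentions is a separate control: a sensitive flow should require re-authentication with the current password regardless of how the CSRF token is designed.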

Given the level of havoc that the exploited flaw could wreak, it’s no wonder that “the vulnerability is patched very fast and PayPal paid me the maximum bounty they give ;),” Ali said.

PayPal itself offered some feedback to Infosecurity: “One of our security researchers recently made us aware of a potential way to bypass PayPal’s Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern.”

Source:http://www.infosecurity-magazine.com/

Sony’s PlayStation hit by hack attack

Posted on Updated on

A hacker group has claimed responsibility for attacking Sony’s online PlayStation store, which is down on Monday. Visitors to the site are greeted with a message that says “Page Not Found! It’s not you. It’s the internet’s fault”. A group called “Lizard Squad” has taken credit for the outage, posting “PSN Login #offline #LizardSquad” as their Twitter status.


The outage is the most recent in a series of attacks on tech giant Sony.

The Japanese firm’s Hollywood film studios’ corporate network was hacked into last month, followed by an online leak of unreleased movies, along with confidential information such as actors’ salaries.

Sony Entertainment Network has responded by tweeting that they are aware of the issues that users are having in connecting to the PlayStation network.

Source:http://www.bbc.com/

German court blocks extradition of top hacker

Posted on

A top German court has blocked the extradition of a Turkish man accused of stealing close to $60 million in cyber attacks against credit card companies.

The U.S. government claims that Ercan Findikoglu led a hacking group and helped hack into the networks of payment processing companies, including EnStage and ElectraCard, to raise the limits on prepaid credit cards and then withdraw money, according to Sophos’ Naked Security blog. The attacks reportedly took place between 2011 and 2013. Findikoglu could face 250 years, and the German court said the possible sentence was too extreme.


He was arrested at Frankfurt Airport in December 2013 and has been awaiting an extradition decision ever since.

One of the group’s biggest attacks targeted the Bank of Muscat, Oman, and led to the theft of $40 million with 36,000 ATM transactions occurring within 10 hours.

Source:http://www.scmagazine.com/

Kenyan authorities arrest 77 Chinese hackers

Posted on

Kenyan authorities have arrested 77 Chinese nationals and charged them in a Nairobi court in connection with a cyber command center authorities believe they were planning to use to hack into the country’s communications systems.

Systems found in the center, located on a Nairobi estate, could be used to access banking accounts, ATMs and other systems in Kenya.


Police discovered the operation — and the Chinese hackers — after they responded to reports of a fire in a rented house on the estate located near the U.S. embassy and U.N. headquarters in Nairobi.

One Chinese national was killed in the fire, others were “huddled” in a room that contained “sophisticated” equipment, according to a report in The Daily Nation, which said arrests came after a series of raids by law enforcement who suspect the group is responsible for a number of cybercrimes in Kenya.

Source:http://www.scmagazine.com/