Month: January 2015

Critical DNS hijacking flaw affects D-Link DSL router

A critical DNS hijacking flaw affects a D-Link DSL router; the flaw lies in the ZynOS firmware, which is also used by other vendors, including TP-Link and ZTE.
A security vulnerability affects a DSL router model from D-Link; the flaw could be exploited by a remote attacker to change the device's DNS settings and hijack users' traffic. The Bulgarian security expert Todor Donev, a member of the Ethical Hacker research team, explained that the vulnerability lies in the ZynOS firmware, which is present in many other devices from other vendors, including D-Link, TP-Link and ZTE.

At least one D-Link router is affected by the flaw, D-Link's DSL-2740R ADSL modem/wireless router, but every manufacturer using the same firmware is potentially exposed to remote hacking.


Todor Donev published a proof-of-concept exploit for the D-Link DSL-2740R model, which has already been phased out but might still receive support if covered by warranty.

By exploiting the flaw, the attacker can access the D-Link device's Web administration interface without authentication. The attacker can then modify the DNS settings to redirect users to phishing websites or to domains used to serve malware. Even if the Web administration interface is not exposed to the Internet, the attacker can reach the router's interface from within the local area network with a cross-site request forgery (CSRF) technique.

“If the administration interface is exposed to the Internet — routers are sometimes configured in this way for remote administration — the risk of exploitation is higher. But even if it’s only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router’s interface. CSRF attacks hijack users’ browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers. Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past,” ComputerWorld reported.

Donev hasn’t notified D-Link of the vulnerability, but the availability of the exploit in the wild should prompt all vendors that adopt the flawed firmware to check whether their products suffer from the same security issue.


Silk Road paid thousands in shake-downs from malicious hackers

When operating outside of the law, you can’t rely on the police to protect your illegal enterprise from other criminals.

The Silk Road marketplace founders likely learned this lesson in 2012 and 2013, after paying thousands of dollars to cyber extortionists who threatened to expose serious site vulnerabilities or hit it with denial of service attacks, according to evidence presented in federal court in Manhattan on Wednesday.

The extortion information emerged during testimony from U.S. Internal Revenue Service special agent Gary Alford, who had subpoenaed the emails of defendant Ross Ulbricht as part of his investigation. Ulbricht is on trial at the U.S. District Court for the Southern District of New York for narcotics and criminal enterprise charges in relation to Silk Road.

According to prosecutors, Silk Road facilitated the exchange of $1.2 billion in illegal goods, mostly drugs, and generated $80 million in commissions for the operators from 2011 until October 2013, when the site was shuttered by law enforcement. Like an eBay for unlawful goods, Silk Road matched sellers with buyers, who used bitcoins to pay for goods that were delivered through the mail.

On at least two separate occasions, Silk Road operators paid malicious attackers ransoms in exchange for keeping the site up and secure.

During his testimony, Alford showed an email received by Silk Road in November 2012 claiming to have found a serious vulnerability in the site’s software. The e-mail, from an anonymous sender, asked for $5,000 in exchange for not exposing the flaw, or $15,000 to offer full details on how the flaw operated and how it could be exploited.

A spreadsheet found on the computer Ulbricht was using at the time of his arrest suggested that $15,000 was paid out shortly after the email was received. An entry for a debit for that amount was annotated with the phrase “pay off hacker.”

Chat log files between the Silk Road admin identified as Dread Pirate Roberts — whom prosecutors have alleged is Ulbricht — and another administrator of the site, also indicate the extortion fee was paid. The fellow administrator consoled Dread Pirate Roberts by writing: “You’re still way richer than he is.”

In April 2013, Silk Road was subjected to another shake-down. An anonymous party had hit the site with a distributed denial of service (DDoS) attack, which can congest servers to the extent that legitimate users can’t access the targeted site. Silk Road paid $10,000 to stop the attack, according to the site’s ledger. However, the attack continued even after the money was deposited to an anonymous account, according to Dread Pirate Roberts’ chat logs.

In addition to drugs, Silk Road also sold hacking tools, according to prosecutors. Alford testified to buying, undercover, a “Hacking Pack” that included 115 “hacking tools and programs” from the site. When the pack was purchased, the vendor emailed a list of links that the buyer could follow to download the programs, including some that supposedly offered the ability to remotely take control of a Web site.

Federal prosecutors maintain that Ulbricht was the mastermind behind the Silk Road site. Ulbricht was charged with narcotics conspiracy, engaging in a continuing criminal enterprise, conspiracy to commit computer hacking and money laundering. The narcotics and criminal enterprise charges carry maximum penalties of life in prison. Ulbricht has pled not guilty to all charges.

Ulbricht’s defense lawyer, Joshua Dratel, argues that Ulbricht handed off the site to other operators shortly after he started it, and that he rejoined immediately prior to his arrest, lured back in by the new operators to serve as a fall guy.


Beware of spear phishing

Most information security service professionals are familiar with the term “phishing”, which describes the practice of sending e-mails that imitate correspondence from well-known companies in order to obtain personal information, such as passwords or credit card numbers, from the recipients.

Spear phishing is an evolution of this phenomenon: hackers go after their targets online like fishermen, with a sophisticated ploy that works like a proverbial spear. Instead of sending a massive number of e-mails and seeing what comes back, spear phishers have a specific target in mind. And that specific target could be none other than your company and the sensitive data its servers hold, according to digital forensics experts.

Spear phishing hackers can send e-mails or social network messages to any employee of the company, so it is important to educate your entire workforce about the threat with training such as an ethical hacking course in Mexico.

Encourage them to treat e-mails and social network messages with suspicion, even if they contain personal information. Teach workers that phishers use social network pages and company websites to obtain such data, so they must always be on guard. That is especially true for correspondence that refers to current news events or asks for immediate action, since these are common spear phishing tricks, according to digital forensics researchers.

Recipients should pay attention to the tone of all the correspondence they receive and whether it is what they would expect from the sender. Spear phishers might be able to find out a colleague’s name and e-mail address, but they will not be able to imitate his or her writing style. For example, an employee should hear alarm bells if a normally talkative co-worker sends a one-line e-mail that says “Click this link.”

Employees should take courses such as an ethical hacking course in Mexico and learn never to download an attachment unless they are certain it came from the source they expect, and to type URLs into the browser instead of simply clicking links sent by e-mail. Teach workers to hover over links to verify their authenticity in e-mail messages and web browsers. Your business should certainly focus on prevention to avoid spear phishing attacks, but it is also important to concentrate on detection to minimize the impact of any security breach, with the help of information security services. Spear phishing is a growing threat across the Web, but these important measures can ensure that your company does not become the next victim. Has your company ever been a victim of spear phishing attacks?

GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems

A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.

The issue stems from a heap-based buffer overflow in the __nss_hostname_digits_dots() function in glibc. That particular function is called by the gethostbyname() and gethostbyname2() functions.

“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat.

The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the gethostbyname() functions. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2, released for Linux systems in November 2000.

According to Qualys, a fix for this issue was published on May 21, 2013, in a patch committed between the glibc-2.17 and glibc-2.18 releases.

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from Qualys posted to the OSS-Security mailing list.
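To tell whether a given system's glibc carries that 2013 fix, the following added example (written here, not code from the page or from Qualys; it follows the canary approach of the public Qualys test program and assumes a glibc-based Linux system) calls gethostbyname_r() with an all-digit name sized so that an unpatched __nss_hostname_digits_dots() writes a few bytes past the caller's buffer into a canary placed directly behind it, while a patched glibc refuses the request with ERANGE.

```c
/* GHOST (CVE-2015-0235) local check: is this glibc's
 * __nss_hostname_digits_dots() patched?  Assumes glibc on Linux, where
 * gethostbyname_r() has the GNU signature used below. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ghost_status {
    GHOST_NOT_VULNERABLE = 0,   /* glibc rejected the request with ERANGE */
    GHOST_VULNERABLE = 1,       /* bytes were written past the buffer */
    GHOST_INCONCLUSIVE = 2      /* anything else, e.g. a non-glibc libc */
};

#define CANARY "in_the_coal_mine"

/* Resolver buffer with a canary placed immediately behind it. The
 * overflow in an unpatched glibc is only sizeof(char *) bytes, so this
 * is exactly where it would land and be detectable. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

enum ghost_status ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];
    size_t len;

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* Choose a name length that fills the buffer exactly under the buggy
     * size computation (16-byte address + two address pointers + name +
     * NUL), which forgot to count one extra alias pointer. The fixed
     * computation counts that pointer, finds the buffer too small, and
     * fails cleanly with ERANGE instead of writing past the end. */
    len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
          - 2 * sizeof(char *) - 1;
    memset(name, '0', len);          /* all digits: takes the numeric path */
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;     /* canary clobbered: overflow happened */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE; /* patched glibc refused the request */
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "vulnerable",
                                     "inconclusive" };
    printf("GHOST (CVE-2015-0235) check: %s\n", verdict[ghost_check()]);
    return 0;
}
```

A "vulnerable" verdict means the running glibc still needs the distribution update; an "inconclusive" verdict usually means the system is not using glibc at all.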

Respective Linux distributions will be releasing patches; Red Hat has released an update for Red Hat Enterprise Linux v.5 server. Novell has a list of SUSE Linux Enterprise Server builds affected by the vulnerability. Debian has already released an update of its software addressing the vulnerability.

“It’s everywhere, which is kind of the urgency we have here. This has been in glibc for a long time. It was fixed recently, but it was not marked as a security issue, so things that are fairly new should be OK,” said Josh Bressers, a member of the Red Hat security response team. “From a threat level, what it comes down to is a handful of stuff that’s probably dangerous that uses this function.”

Unlike past Internet-wide bugs such as Shellshock in Bash, patching glibc may not be the chore that patching Bash was, since so many components made silent Bash calls.

“In this instance, you just apply the glibc update, and restart any services that are vulnerable,” Bressers said. “It’s not confusing like Shellshock was.”

Qualys, in its advisory, not only shares extremely in-depth technical information on the vulnerability, but also includes a section explaining exploitation of the Exim SMTP mail server. The advisory demonstrates how to bypass NX, or No-eXecute protection as well as glibc malloc hardening, Qualys said.

Qualys also said that, in addition to the 2013 patch, other factors mitigate the impact of the vulnerability, including the fact that the gethostbyname functions are obsolete because of IPv6, with newer applications using a different call, getaddrinfo(). While the flaw is also exploitable locally, this scenario too is mitigated, because many programs rely on gethostbyname only if another preliminary call fails, and a secondary call must then succeed in order to reach the overflow. The advisory said this is “impossible” and that those programs are safe.

There are mitigations against remote exploitation too, Qualys said. Servers, for example, use gethostbyname to perform full-circle reverse DNS checks. “These programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,” the advisory said.

“It’s not looking like a huge remote problem, right now,” Bressers said.

However, while the bug may have been dormant since 2000, there is no way to tell if criminals or government-sponsored hackers have been exploiting this vulnerability. Nor is there any way to tell what will happen once legitimate security researchers—and black hats—begin looking at the vulnerability now that it’s out in the open. With Bash, for example, it didn’t take long for additional security issues to rise to the surface.


Wingstop, Metropolitan State University Hit by Hackers

Vividly demonstrating how wide a range of organizations can be breached by hackers, both the restaurant chain Wingstop and Minnesota’s Metropolitan State University acknowledged data breaches in the past week.

In response to reports of suspicious activity, Wingstop says it retained the digital forensics firm Stroz Friedberg to review the PoS systems at all of its U.S. locations. The investigation found that four of its independently owned and operated franchise locations in Texas had suffered point-of-sale (PoS) breaches during separate time periods in 2012 and 2014.

The company says Wingstop locations in Corpus Christi and Union City, Texas had malware on their PoS systems between June 4, 2014 and July 31, 2014; 20 customer payment cards that had been used at a location in Lubbock, Texas experienced fraud around the same timeframe; and one franchise in Grand Prairie, Texas had malware on its PoS system between May 5, 2012 and June 27, 2012, and again between November 11, 2012 and December 9, 2012.

The data potentially exposed includes cardholder names, payment card account numbers and expiration dates.

“In each instance, Wingstop assisted franchisees by immediately removing the Internet-connected POS hard drives and replacing them with new systems,” the company said in a statement. “Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location. The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.”

All affected customers are being offered 12 months of free identity theft protection services from AllClear ID. Customers with questions are advised to contact (877) 615-3744.

And Metropolitan State University recently acknowledged that a hacker appears to have breached its Web server in mid-December 2014 and accessed a database containing the personal information of faculty, staff and students. The university hasn’t yet determined who may have been affected.

“We do not believe this server contained any financial data or credit card information, but several databases included employees’ Social Security numbers,” the university said in a statement [PDF].

“To date, we have established the validity of the claimed attack, disabled the vulnerability that we believe permitted this breach, isolated the risk from other servers, and notified law enforcement,” the statement adds. “The university is also taking additional measures to minimize future security risks.”

Several recent articles at eSecurity Planet have offered advice on how to respond to a data breach, from conducting a security audit to consulting with data privacy counsel.


Adobe patches one Flash zero-day vulnerability but Angler Exploit Kit remains a threat

Adobe has patched a zero-day vulnerability in its Flash Player software which was being actively exploited by criminals but the company has yet to address another zero-day flaw in the same software which is being used in the Angler Exploit Kit.

Earlier this week security researcher Kafeine revealed that a vulnerability in Flash was affecting people using Internet Explorer on Windows XP, Windows Vista, Windows 7 and Windows 8, with the criminals using the Angler Exploit Kit to install the Bedep malware, which is used in ad-fraud campaigns.

On Thursday Kafeine updated his blog to reveal the hackers had adapted the exploit kit to also attack users of the Firefox browser, meaning millions more people were vulnerable to attack.

The researcher also added that a fully-patched version of Internet Explorer 11 on Windows 8.1 was now also vulnerable, having previously been protected.

Adobe patch

In an advisory also published on Thursday (22 January), Adobe announced an update to its Flash Player software which patched a vulnerability (CVE-2015-0310) that would allow hackers to “circumvent memory randomisation mitigations on the Windows platform”. This is not the flaw which is being used by the Angler Exploit Kit.

Adobe said however that it was aware of this issue and would issue a patch next week.

“We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below. Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.”

Warning of the dangers of integrating this vulnerability into the Angler Exploit Kit, Pedro Bustamante from Malwarebytes said:

“The zero-day vulnerability in Flash Player, as discovered by Kafeine, could provide a big security risk for Internet users, effectively opening an unguarded window onto PCs worldwide. The fact that it has seemingly been integrated into the Angler Exploit Kit shows that criminals are keen to use it to target people and businesses en-masse.

“Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high traffic websites.”

Richard Cassidy from Alert Logic says that exploit kits are an attractive tool for criminals, particularly those without a huge amount of technical expertise:

“From an attacker perspective exploit kits make the task of gaining access to a user’s system through web based exploitable vulnerabilities very easy indeed, you simply don’t need a great deal of security or technical expertise to effectively use them and can gain access to compromise systems in a very short period of time.


Internet attack could shut down US gas stations

A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday.

The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10. While automated tank gauges are typically accessed to monitor fuel inventories, so as to know when to order gasoline, attackers could also access the settings, Chadowitz said.

“One could change the calibration and make the tank report full or empty,” he told Ars. “If you report the tank is full, no one is going to order fuel.”

In the worst case, an attacker could cause the gauge to report a leak, which would shut down the pumps, Chadowitz said.

The vulnerability of the gauges used to monitor gasoline tanks is the latest security issue plaguing consumer and industrial devices that are increasingly being connected to the Internet. Often called the Internet of Things, connecting such technology to the wider Internet poses security risks because many of the devices were created without much thought to security. Most gas stations are independently owned, have razor-thin margins, and tend to be run by owners who are not very technically savvy, said HD Moore, chief research officer at Rapid7.

“If you look at these gas stations, they are using off-the-shelf home routers from Best Buy,” he said. “By connecting them to the Internet, mom-and-pop gas station owners are going to get hit with the same problems that regular consumers have. The problem is that these devices are doing something important, moderating tank levels of these gas stations.”

Because most gas stations are not owned by gas companies but by independent operators who are very focused on the bottom line, reliable Internet connections are not common. Connecting tank gauges to the Internet allows fast monitoring of inventories, but it can be complex: it requires a serial-to-TCP/IP card, configuring port forwarding on the station’s router, and a more expensive static IP. Because gas station owners use consumer-level Internet providers, the network configuration at gas stations will often change, causing operational issues for monitoring services and components such as tank gauges, BostonBase’s Chadowitz says.

For that reason, most gas stations use a polling service that calls into a modem connected to their gas-tank gauge, rather than have the gauges always connected to the Internet. Those gauges were not detected by the Rapid7 scans, but are likely vulnerable to an attacker dialing directly into the service, Rapid7’s Moore said.

The most common type of tank gauge is manufactured by Simsbury, CT-based industrial-technology maker Veeder-Root. While the gauges can be protected by a six-character password, most are not. Moreover, the password is communicated in the clear and can be gleaned by eavesdropping, according to BostonBase’s Chadowitz.

Veeder-Root is currently assessing the claims, but stresses that the company is serious about security and has notified customers.

“Security, accuracy and reliability are top priorities at Veeder-Root,” Andrew Hider, president of Veeder-Root, said in a statement sent to Ars. “We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no breaches of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.”

Like many other types of industrial control systems, the fundamental problem is that the communication protocols for the tank-monitoring equipment were created about two decades ago, a time when security was an afterthought. As more security researchers focus on operational technology and as more industrial professionals gain security expertise, similar issues will likely be found, Rapid7’s Moore said.

“I think these type of issues will become more common, especially as you see experts in these fields getting involved in security,” he said. “This is a good example of an industry that has not really grown up, security-wise.


Data breaches and hacking attacks rise as Irish firms wrestle with rules

The figures show that data breaches, including employee mishaps and hacking attacks, have risen in the last year among Irish firms.

External attacks have shot up here, with almost one in five Irish companies saying that they were the victim of some kind of malicious external attack. The survey also shows that one in three Irish companies has no corporate data breach policy and that almost half are poorly trained for data breaches.

The survey, which was conducted by Fresh Perspectives on behalf of the Irish Computer Society, also shows that only two in five Irish firms have any internal sanctions for non-compliance with data protection rules.

And most Irish companies have no guidelines on transferring data outside the country, despite a majority engaging in such transfers. However, the research shows that Irish companies’ biggest threat continues to be “negligent employees”, with one in five singling out bungling staff as the biggest issue they face in keeping sensitive information secure.

Hackers are the next biggest worry (14pc), while staff losing unsecured phones, laptops or USB keys comes third (12pc).

“Insecure third parties”, including some commonly used cloud services, are a data security concern for one in ten Irish companies.

But companies have become far less worried about “malicious employees”, with just 2pc of respondents saying that such people were a primary threat to compromising their firm’s data privacy.

And there is rising satisfaction with the level of training and understanding that staff possess relating to broad IT security policies outside of data breaches.

Around 60pc say that staff are “well” or “very well” trained when it comes to “information security” policies.

And despite a third of Irish workforces not being sufficiently familiar with data breach policies, two out of three companies say that they have implemented data breach policies in some or all of their business units.

Furthermore, there is a rising number of people who believe that they would be notified if a data breach occurred that affected their personal information.

More than three-quarters – 78pc – thought that it was “very likely or somewhat likely” that this would happen, with just 8pc doubting they would be informed. The majority of data breaches suffered by Irish companies involve fewer than 100 records, according to the survey.

Irish companies also believe that the carrot is a better tutor than the stick when it comes to better implementation of IT security and data breach policies.

Almost two-thirds – 61pc – say that formal training and awareness programs are the best way to improve observance of best practice in the area, with just 2pc saying that more punitive measures for breaches were the answer.


Man Pleads Guilty to Hacking Microsoft, Video Game Firms

Leroux has pleaded guilty to conspiracy to commit computer intrusions and criminal copyright infringement for his role in the theft of information from the networks of Microsoft and video game companies such as the Valve Corporation, Zombie Studios and Epic Games.

The data stolen by the man and his co-conspirators includes technical specifications and other information on Microsoft’s Xbox One console (before it was released) and the company’s Xbox Live system, pre-released versions of games developed by Epic Games and Activision, and even an Apache software simulator developed for the US army by Zombie Studios.

Leroux, who was apprehended by authorities in June 2014 while trying to flee to Canada, admitted taking part in the conspiracy between January 2011 and September 2012. During that period, the hackers stole intellectual property and other proprietary data worth over $100 million from the targeted companies. If the money spent by victims as a result of the hack attacks is also taken into consideration, the damage caused could be as high as $200 million, US authorities said. Law enforcement has seized more than $620,000 in cash and other criminal proceeds.

The suspects are said to have used the stolen Xbox One information to build their own version of the console before its official release. In July 2013, Leroux attempted to send one of these counterfeit gaming consoles to someone in the Republic of Seychelles. The package was intercepted at the time by the FBI.

Leroux is also accused of developing an exploit designed to generate in-game currency for the Xbox Live version of the FIFA video game. The software allowed the suspect and others to generate millions of such “coins.”

Leroux is one of the four suspects in this case and the third to plead guilty. Sanadodeh Nesheiwat, 28, and Canada-based David Pokora, 22, both currently in custody, pleaded guilty to conspiracy to commit computer fraud and copyright infringement in late September. Nesheiwat and Pokora will be sentenced in April 2015. Leroux’s sentencing hearing is scheduled for May 14, 2015.

The fourth suspect is 19-year-old Austin Alcala of McCordsville, Indiana. Charges against him remain pending.


One in nine Dorset residents have personal information stolen by internet hackers

SHOCK figures reveal that one in nine Dorset residents have had private information stolen and sold to crooks by internet hackers.

A staggering 81,326 personal information files ranging from names and addresses to credit and debit card details of Dorset residents are available for sale on “The Deep Web”, according to internet security experts C6 Intelligence.

Members of the public are now being urged to beef up their internet security, including changing passwords and email addresses, as the intelligence firm warns there are likely to be more information files out there, and cyber criminals are now starting to hack into our mobile phones and tablets to steal our personal details.

The Deep Web, also called the Dark Web and Hidden Web, is the layer of Internet underneath what we can see through our normal Internet browsers such as Internet Explorer, Google Chrome or Mozilla Firefox. It is impossible to see through these browsers, and can only be accessed by specific encryptions users have to download.

The majority of files, a huge 47,648, have been obtained from residents living in DT1 to DT11 postcodes, with the rest from Bournemouth and Poole.

Darren Innes, chief executive of C6 Intelligence, said Internet crooks are hacking into the internet pages where we enter our personal information, from social media sites such as Facebook and Twitter to online shopping sites, copying the information we enter and then selling it to criminal gangs on The Deep Web.

The figures, obtained by the Echo from the intelligence firm, show that in south and west Dorset, 3,591 of the personal information files are considered “high risk”.

This means that the files may have already been sold to the gangs who are now using them, meaning one-in-13 people in the area have already had their identity stolen.

Passwords and emails have been obtained from 1,620 people and 1,391 credit and debit card details from people in south and west Dorset are now available online.

Account numbers, addresses, dates of birth and “secret answers” – a question people are asked if they forget their password – are also part of some of the information files.

Mr Innes said his firm and other national internet security agencies are fighting a constant battle to try and prevent internet hackers stealing identities.

Mr Innes said: “People have to realise the internet is like an iceberg, what the majority of people see on the internet, through search engines such as Google and Yahoo, and the sites they visit on standard browsers, is only about four per cent of the whole internet.

“The rest is sites and areas only accessible by passwords and encryptions that you just don’t see and this is where the information is traded.

“The belief of our governments, and of C6, is that is where a lot of criminality takes place, from buying and selling drugs, to paedophilia and ordering hitmen.

“It’s really where the terrorist group ISIS, now called IS, came into its own and this is where the stolen identities are for sale.

“We have been able to penetrate around 50 sites that sell this information and found these figures for Dorset, but there are far more out there.

“If your information has been stolen, you are incredibly vulnerable.”

Dorset Police and Action Fraud, the national fraud reporting centre, is constantly fighting to find and prosecute fraudsters who steal identities online.

A spokesman for Dorset Police said: “Dorset Police takes the issue of identity theft seriously and it’s important that people take precautions to protect themselves online.

“Action Fraud is the National Fraud Reporting Centre and co-ordinates police forces across the country to ensure cyber criminals are brought to justice.

“We work hard to investigate these crimes, however it is important for members of the public to actively prevent fraud happening to them by protecting their details both online and offline.”

C6 Intelligence has now launched a new website for people to check if their identity has been stolen and for more information visit

Computer specialist Zak Fowler has urged people to frequently scan their computers for viruses and malware programs to try and protect themselves against identity fraud.

Mr Fowler, 19, works at Weymouth-based computer repair company Quick Click, and said one of the main methods cyber criminals use to gain access to someone’s computer system is by viruses and malware pop-ups. He said Quick Click often deals with customers who have downloaded malware or viruses and that the only solution was to “wipe” the computer’s system.

Mr Fowler said: “Malware and viruses are common. The main difference between malware and a virus is that malware pops up on your screen, but you won’t see a virus.

“The best thing people can do is make sure they have a firewall on their computers or laptops, and on the wireless router if they have one.

“If they do have a wireless router, they should also make sure it has a high level of encryption to WPA2 which will stop people getting into the system.

“People should be constantly checking that their Windows programme is up to date, regularly changing passwords, and regularly scanning their computers, at least once a week as this will detect problems.”

Mr Fowler added that people should be “careful” when downloading any sort of programme or attachment online, and urged people to double check what personal information they put on to social media sites such as Facebook and Twitter.

He said: “Don’t open attachments in an email that you are unsure about and never download anything unless it’s from a genuine website.

“Even when downloading something from a genuine website, like Google Chrome, always un-tick every box for add-ons when you are downloading it as that is how the viruses and malware get into a system.

“Also, always check the terms and conditions of any program you are downloading. People often just skip it but even if they skim read it they might see something which could have an effect on their computer.


US tapped N Korean networks years ago, providing proof of Sony hack – reports

Posted on

The US National Security Agency began tapping into North Korean computer networks in 2010, an effort that ultimately helped provide evidence that Pyongyang was behind the cyber attack on Sony Pictures, the New York Times reported on Sunday.

Citing former US and foreign officials and an NSA document, the Times said the spy agency was able to penetrate North Korean systems with the help of South Korea and other allies after first tapping into Chinese networks that connect North Korea to the rest of the world.

The newspaper quoted officials as saying the program grew into an effort to place malware that could track many networks and computers used by hackers in North Korea.

Such activity proved crucial in persuading President Barack Obama to implicate the North Koreans in the Sony attack, the officials told the paper.

It was the first time the United States directly accused another country of a cyber attack of such magnitude on American soil.

Obama “had no doubt” in this case, a senior US military official told the Times.

North Korea has described the accusation as “groundless slander”.

Sony’s network was crippled by hackers in November as the company prepared to release The Interview, a comedy about a fictional plot to assassinate North Korean leader Kim Jong Un. The attack was followed by online leaks of unreleased movies and emails that caused embarrassment to executives and Hollywood personalities.

U.S. officials could not immediately be reached for comment.


Arrest in Britain in Hacking of Microsoft’s Xbox and Sony’s PlayStation Networks

Posted on

LONDON — An 18-year-old British man was arrested on Friday in connection with a hacking attack that temporarily shut down the computer networks for Microsoft’s Xbox and Sony’s PlayStation 4 video game consoles on Christmas Day.

The man, who was not identified, was arrested in the north of England for potentially providing false information to law enforcement agencies in the United States, according to a statement by the British police, which was working on the case with the Federal Bureau of Investigation of the United States. He was arrested on charges of unauthorized access to computer material, the British police said.


British police said those activities included so-called swatting, in which someone informs the American police of false threats that lead to tactical S.W.A.T. units being deployed.

The attack against the computer networks run by Microsoft and Sony, for which the hacker activist group known as Lizard Squad had claimed responsibility, led to many gamers’ complaining worldwide on Dec. 25 that they could not access their accounts.

The online hacks came on the same day that Sony Pictures began streaming “The Interview,” a film at the center of a separate online attack against Sony’s computer network linked to North Korea, through online portals like Microsoft’s Xbox service.

It is unclear what the man’s role may have been in the cyberattack against Microsoft and Sony’s video gaming services. The attacks included a denial of service attack, in which servers are flooded with Internet traffic until they collapse under the load.

“We are still at the early stages of the investigation, and there is still much work to be done,” said Craig Jones, head of cybercrime at the South East Regional Organized Crime Unit in Britain. “Cybercrime is an issue which has no boundaries and affects people on a local, regional and global level.”

A spokeswoman for the British police declined to comment on how long the country’s enforcement agencies had been working with the F.B.I. on the case.


Google AdWords Campaigns Hijacked by Malvertisers

Posted on

A malvertising scheme has hijacked at least two distinct Google AdWords advertising campaigns, redirecting users who had browsed to the sites hosting the poisoned ads without those visitors even clicking on them. Some of the sites in question serve more than a million monthly users.

Last week, website security firm Sucuri noticed a substantial uptick in requests to scan sites for malware. Oddly enough, the malicious redirects did not discriminate among platforms or browsers, but some visitors were not redirected while others complained that impacted sites became barely usable. The reason for that has to do with the way online advertising firms use mined data to target ads toward supposedly relevant customers. In extreme cases, advertisers deploy real-time ad bidding, in which groups compete for seconds or minutes of ad space on particular sites at specific times.

The problem, Sucuri says, seems to have begun in mid-December but ramped up last Friday before Google seemed to have resolved it by the end of the weekend.

A pair of @Google #AdWords campaigns were hijacked by malvertisers from mid-December through last weekend

The infected ads redirected users to convincing-looking but ultimately fraudulent magazine websites with articles containing fake comments and endorsements for health secrets and intelligence boosting tricks. Some of the landing pages masqueraded as real magazines, like Forbes.

The redirects occurred even in the Google AdReview center, a sort of administrative panel where site operators can review the advertisements that AdWords intends to post on their site.

Eventually, the Sucuri researchers managed to isolate the bad ads: Anonymous advertiser adv-2646721236434373 with ads pointing toward adwynn[dot]com and Blackburn ART where ads pointed to rgeoffreyblackburn[dot]com. Each ad firm, the researchers say, seemed legit and must have been hijacked at some point by the people perpetrating the scam.

“I don’t know what prevented Google to suspend those accounts right away,” Sucuri wrote. “Maybe their budgets? According to the reports in [a Google production forum], quite a few large sites with millions of monthly page views suffered from those malicious ads. And I suspect those banners may have been displayed more than a million times since December across all the sites with AdSense ads.”


GE Multilink Switches affected by critical vulnerabilities

Posted on

GE MultiLink managed switches are affected by two vulnerabilities which could be exploited to gain unauthorized access and to run DoS attacks against the device.
Managed Ethernet switches produced by GE ship with a hard-coded private SSL key in a number of network devices. The switches that present the security hole are designed for use in industrial and transportation systems. The presence of a hard-coded private SSL key could allow an attacker to extract it from the switch firmware remotely, as explained by the researchers at IOActive who discovered the flaw. With the private key taken from the firmware, the attacker can decrypt SSL traffic to and from the switch.

According to the advisory from ICS-CERT, the affected devices belong to the GE Multilink Ethernet switch family:

GE Multilink ML800/1200/1600/2400 Version 4.2.1 and prior, and
GE Multilink ML810/3000/3100 series switch Version 5.2.0 and prior.
The ICS-CERT also warned about a denial-of-service attack on the switch’s embedded Web interface: it is possible to degrade the performance of the network device by targeting it with specially crafted packets.

“The GE Multilink ML800 is subject to unauthorized access via hard-coded credentials. In addition, availability can be impacted through attacks composed of specifically crafted packets to the web server resulting in switch performance degradation. If attacks continue, the web server will be subject to a denial of service,”

“The RSA private key used to decrypt SSL traffic in the switch can be obtained from the firmware allowing malicious users to decrypt traffic.”

The ICS-CERT and GE advisories include recommendations to mitigate the security issues: for the “HARD-CODED RSA PRIVATE KEY” they suggest updating the switch firmware, while for the “MITIGATION OF SLOW DATA TRANSFER/DOS” it is recommended to disable the web server in a production environment.


“GE recommends that its customers update the switch firmware to the latest published version to enable new keys to be calculated and exchanged. The latest firmware is Version 4.2.1 for the ML800, ML1200, ML1600 and ML2400 and Version 5.2.0 for the ML810, ML3000, and ML3100. Firmware updates are available from GE through the “Resources/Software” link in the product brochures. ICS-CERT and GE recommend updating the switch over a serial connection to prevent an attacker from capturing the new key.”


“This denial-of-service attack affects the web interface used to configure the device with a web browser. It is recommended that when deploying the device into a production environment that the web server be disabled in order to effectively mitigate this vulnerability. After disabling the web interface, a user remains able to configure the device locally or remotely through the command line interfaces without risk of this attack. By connecting to the command line interface through serial terminal or telnet, it is possible to disable the web server.” reads the advisory.

The Product Bulletin issued by IOActive provides more details on the security flaws, including the instructions on deploying the updated firmware.
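As an added example, not GE’s, IOActive’s or ICS-CERT’s code, this is the check a defender would run over a firmware image before accepting it: a scan for embedded private key material, the defect the advisory above describes. The firmware blob is constructed inline, its PEM body is base64 filler rather than a real key, and the DER pattern is a heuristic of my own.

```python
import base64
import re
from typing import Dict, List

# PEM-armoured private key block (RSA, EC, DSA or PKCS#8 "PRIVATE KEY").
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA )?PRIVATE KEY)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)
# Heuristic (my own, not from the advisory) for an unwrapped DER PKCS#1 RSA private key:
# SEQUENCE with a 2-byte length, INTEGER version 0, then the modulus INTEGER with a 2-byte length.
DER_RSA_RE = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00\x02\x82")


def scan_firmware_for_private_keys(blob: bytes) -> List[Dict[str, object]]:
    """Return every location in the image that looks like embedded private key material."""
    hits: List[Dict[str, object]] = []
    for m in PEM_KEY_RE.finditer(blob):
        hits.append({"offset": m.start(),
                     "kind": "PEM " + m.group(1).decode("ascii"),
                     "size": m.end() - m.start()})
    for m in DER_RSA_RE.finditer(blob):
        hits.append({"offset": m.start(), "kind": "DER RSA (heuristic)", "size": None})
    return sorted(hits, key=lambda h: h["offset"])


def firmware_ships_static_key(blob: bytes) -> bool:
    """The acceptance check: True when the image carries a baked-in private key."""
    return bool(scan_firmware_for_private_keys(blob))


def build_sample_image() -> bytes:
    """Constructed firmware-like blob: filler, a fake PEM block, filler, a DER-like header, filler.

    The PEM body is base64 of a byte ramp, not a real key; the DER bytes are only the header pattern.
    """
    filler = bytes([0x5A, 0xA5]) * 256
    fake_body = base64.encodebytes(bytes(range(64)) * 3)
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n" + fake_body
           + b"-----END RSA PRIVATE KEY-----\n")
    der_like = b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00" + b"\x5a" * 32
    return filler + pem + filler + der_like + filler


if __name__ == "__main__":
    for hit in scan_firmware_for_private_keys(build_sample_image()):
        print("offset 0x%06x: %s" % (hit["offset"], hit["kind"]))
```

Pointing the scanner at a vendor image is also how you confirm the advisory’s fix: the updated firmware should produce no hits, with the device generating its own key on first boot.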


Vulnerabilities in Corel programs allow attackers to execute malicious code

Posted on

Several photo, video and other media editing programs from software maker Corel contain DLL hijacking vulnerabilities that could allow attackers to execute malicious code on users’ computers.

According to vulnerability research firm Core Security, when opening a media file associated with one of the vulnerable Corel products, the product will also load a specifically named DLL (Dynamic Link Library) file into memory if it’s located in the same directory as the opened media file.

DLL files contain executable code so they can be used to install malware on computers.

The vulnerable products are CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, CorelCAD 2014, Corel Painter 2015, Corel PDF Fusion, Corel VideoStudio PRO X7 and Corel FastFlick, the Core Security researchers said in an advisory published Monday. Other versions might be affected too, but they haven’t been checked, they said.

In order to exploit these client-side vulnerabilities, an attacker could, for example, send a ZIP archive to a Corel user containing a media file associated with vulnerable Corel software and a specifically named malicious DLL. When the user opened the legitimate Corel file, the DLL would run as well.

In a corporate environment an attacker with access to a file sharing server could place the rogue DLL file alongside legitimate Corel files on an existing network share to infect workstations that use those files.

The specific name that the rogue DLL needs to have varies depending on the targeted Corel program. For example, wintab32.dll will work for CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 and Corel PDF Fusion, according to the Core researchers. For CorelCAD 2014, the file would have to be named FxManagedCommands_3.08_9.tx or TD_Mgd_3.08_9.dll.

DLL hijacking vulnerabilities, which result from an insecure DLL search path declaration in software programs, are not uncommon. The Stuxnet sabotage malware, which was used to attack Iran’s nuclear program, exploited a DLL hijacking vulnerability in Siemens’ SIMATIC STEP 7 and SIMATIC PCS 7 industrial automation software, among other flaws.

On its site, Corel claims that its software has more than 100 million active users in over 75 countries. Many of those are probably businesses that use photo and video editing or computer-aided design (CAD) software in their operations.

Core Security claims that it contacted Corel about these vulnerabilities on Dec. 9, but that the company did not respond. As a result, it decided to make information about the flaws public.

“Corel is reviewing its products on a case-by-case basis to safeguard dynamic loading of DLL files, which is a common vulnerability in many Windows applications,” said Jessica Gould, senior communications manager for Corel, in an emailed statement Tuesday. “Corel makes frequent updates to our applications and these changes have been made a priority for the next update of any affected Corel product. We would like to assure our users that we are not aware of any exploits of this issue with our software.”
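As an added example that is not Core Security’s or Corel’s code, this is the kind of check a file-share administrator could run for the DLL names quoted above sitting beside documents on a share, the corporate scenario the article describes. The share layout and document names are constructed in a temporary directory.

```python
import os
import tempfile
from typing import Dict, List

# DLL names the Core Security advisory says the affected Corel products load from the
# directory of the opened document. None of them belongs on a document share.
HIJACKABLE_NAMES = {
    "wintab32.dll": "CorelDRAW X7, Photo-Paint X7, PaintShop Pro X7, Painter 2015, PDF Fusion",
    "fxmanagedcommands_3.08_9.tx": "CorelCAD 2014",
    "td_mgd_3.08_9.dll": "CorelCAD 2014",
}


def scan_share_for_planted_dlls(root: str) -> List[Dict[str, object]]:
    """Walk a share and report every hijackable DLL name, matched case-insensitively."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}
        for name, products in HIJACKABLE_NAMES.items():
            if name in lowered:
                findings.append({
                    "path": os.path.join(dirpath, lowered[name]),
                    "affects": products,
                    # documents a user might open from this folder, and so trigger the load
                    "neighbours": sorted(f for f in files if f.lower() != name),
                })
    return findings


def demo() -> List[Dict[str, object]]:
    """Build a constructed share in a temp dir, scan it, and return share-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "marketing"))
        os.makedirs(os.path.join(tmp, "cad", "site-plans"))
        # Constructed layout: sample document names plus two planted DLLs, one in mixed case.
        for rel in ["marketing/brochure.cdr", "marketing/WinTab32.dll",
                    "cad/site-plans/plan.dwg", "cad/site-plans/TD_Mgd_3.08_9.dll",
                    "cad/readme.txt"]:
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(b"constructed placeholder\n")
        findings = scan_share_for_planted_dlls(tmp)
        for f in findings:
            f["path"] = os.path.relpath(str(f["path"]), tmp).replace(os.sep, "/")
    return sorted(findings, key=lambda f: str(f["path"]))


if __name__ == "__main__":
    for f in demo():
        print("%s (affects %s) beside %s" % (f["path"], f["affects"], f["neighbours"]))
```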


A cheap USB charger can record keystrokes wirelessly

Posted on Updated on

Security researcher Samy Kamkar has designed a USB wall charger dubbed KeySweeper, which secretly logs keystrokes from Microsoft wireless keyboards nearby.
Security researcher Samy Kamkar has designed a cheap USB wall charger that can eavesdrop on almost any Microsoft wireless keyboard.

The stealthy Arduino-based device, dubbed “KeySweeper”, looks and works like a generic USB mobile charger, but it can sniff, decrypt and send back keystrokes from any Microsoft wireless keyboard in the vicinity. KeySweeper can send captured data back to the operator over the Internet or using an optional GSM chip.

“KeySweeper is a stealthy Arduino-based device camouflaged as a wall charger that wirelessly sniffs, decrypts, logs and reports-back all keystrokes from any Microsoft wireless keyboard in the vicinity,” explained Kamkar.

Kamkar has also detailed the steps to build the KeySweeper USB wall charger explaining that it is easy and cheap to assemble the spying device, the unit cost ranges from $10 to $80 depending on functions included. The instructions on how to build the device are available online on GitHub.

KeySweeper also includes a web-based tool for live keystroke monitoring, which an attacker could use to receive SMS alerts triggered by specific typed keystrokes, such as usernames or URLs. The device keeps working as a charger while it logs keystrokes, and it keeps sniffing even after it is unplugged thanks to its rechargeable built-in battery. KeySweeper can store the sniffed keystrokes both online and locally on the device.

“Even if we do not know the MAC address, we can decrypt the keystroke. Using a few-dollar Arduino and a US$1 Nordic RF chip we can decrypt these packets and see any keystroke of any keyboard in the vicinity that’s using the Microsoft wireless keyboard protocol and it doesn’t matter what OS is used.”

Kamkar explained that he discovered several vulnerabilities that could be exploited to decrypt data transmitted by Microsoft wireless keyboards. The researcher hasn’t tested the Arduino-based KeySweeper on every Microsoft wireless keyboard, but he is confident that almost every Microsoft device is vulnerable.

“We are aware of reports about a ‘KeySweeper’ device and are investigating,” a Microsoft spokesperson told VentureBeat.

The hardware necessary to build the devices is reported below:

$3 – $30: An Arduino or Teensy microcontroller can be used.
$1: nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz.
$6: AC USB Charger for converting AC power to 5v DC.
$2 (Optional): An optional SPI Serial Flash chip can be used to store keystrokes on.
$45 (Optional): Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.
$3 (Optional if using FONA): The FONA requires a mini-SIM card (not a micro-SIM).
$5 (Optional, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.


Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity

Posted on Updated on

Twitter and YouTube accounts belonging to the military’s US Central Command were hacked on Monday. Hackers supportive of the terrorist group Islamic State, also known as ISIS, took credit and issued a warning to the US military.

“AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS,” the hackers tweeted through the account for the US Central Command, which is the military command for the Middle East, North Africa, and Central Asia. The tweet included a link to a statement that read in part:

“While the US and its satellites kill our brothers in Syria, Iraq and Afghanistan we broke into your networks and personal devices and know everything about you,” it read. “You’ll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base. With Allah’s permission we are in CENTCOM now. We won’t stop! We know everything about you, your wives and children. U.S. soldiers! We’re watching you!”

The group also replaced the Twitter profile image with an image of a person wearing a black and white keffiyeh, and the text CyberCaliphate and “i love you isis.”

Forty minutes after the first hacked tweet, Twitter suspended the account.

According to news reports, the hackers also posted images of spreadsheets that purported to contain the home addresses and other contact information for retired US Army generals and other images purporting to be US military maps and plans. The Pentagon appeared to confirm the authenticity of the information, telling reporters that the exposed information was not classified and that the images came not from the government but from the Massachusetts Institute of Technology.

ISIS threatened Twitter last year, after the social networking site deleted an account it was using to publish videos showing the beheading of journalists and aid workers in the Middle East. In this case, it is likely that the person responsible for maintaining CENTCOM’s social networking accounts was hacked, giving the hackers access to the Twitter and YouTube accounts.

The hack on Monday coincided with an address President Obama was giving about cybersecurity and identity theft at the Federal Trade Commission. His speech, meant to bolster cybersecurity legislation that the White House wants Congress to pass, called for better data protection and better disclosure about breaches. The White House hopes Congress will pass a bill that would require companies to notify customers within 30 days if their personal information is stolen in a breach. The president cited the recent hacks at Target, Home Depot and Sony as primary reasons why Congress should pass the Personal Data Notification and Protection Act. The bill would help unify a multitude of state breach laws that currently exist. Lawmakers have tried for nearly a decade to pass a federal bill to replace the patchwork of state laws, but have repeatedly failed, in part because either the laws didn’t go far enough or went too far.


Information security threats to banks in Mexico

Posted on

Year after year, information security certification regulators have told banks that their information technology security risk analysis is insufficient. Even with revised guidance from the Federal Financial Institutions Council, some banks are still looking for clarity on what a good risk analysis should be and how they can assess the risks associated with all forms of electronic banking, according to experts from the Information Security course. Here are the steps that show how to build a better analysis of risks and threats with the help of techniques such as those taught in the ethical hacking course.

Your first step in conducting an information security certification risk analysis should be to determine which type of risk assessment methodology you would like to follow, such as NIST (National Institute of Standards and Technology) or OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).

According to experts from the Information Security course, it is very important to identify all the processes that support your business. This could be anything from ATM processing to online banking. Listing your business processes will help you identify the areas where you need to start the information security risk assessment process.

Carrying out a threat analysis helps you identify the potential threats that could damage or disrupt the bank assets you have identified. A threat is simply any activity that could damage or disrupt a computer system, a software application or any other operation. According to the ethical hacking course instructor, threats can vary and may include data theft; natural disasters such as hurricanes, earthquakes and tornadoes; human threats such as arson, theft or terrorism; or technical threats such as a software or hardware malfunction, a heating, ventilation or air conditioning failure, or a power outage.

Some good sources for learning more about emerging threats are the threat databases of organizations such as the FBI, CERT, etc.; security websites; taking the Information Security course; information technology publications; or the information security vendors that track this data. Once you have identified the potential threats that can damage bank assets, create threat scenarios, with the help of an expert holding information security certifications, that include actions to control the threats. For example, a threat may be a hacker, and the threat action could be malware installed on your bank’s system by a hacker.

Vulnerabilities are areas where controls are not adequate to protect against threats. IT audits, penetration tests, security reviews, the ethical hacking course, etc., are several of the processes that help you identify vulnerabilities. After identifying a potential vulnerability, determine whether viable threats exist to exploit it. Analyze and rank each vulnerability you identify, and resolve it.

Vulnerability Causes Android Devices to Crash

Posted on Updated on

A flaw in the manifest file for Android apps can be exploited to trigger memory exhaustion in the Package Parser and cause a denial of service (DoS) condition on the device.

The glitch persists even after the phone has been restarted, thus sending it into a reboot loop. According to security researchers, removing the buggy app causing the trouble is not possible and the reboots continue until the battery is completely drained.

Package parser depletes memory resource

The manifest file for Android apps is in XML format, whose structure is defined using a document type definition (DTD) declaration.

It appears that the DoS condition occurs in the case of apps that include in the manifest a reference to a huge string. This can be achieved by assigning the reference to different tags, such as permission name.

The Package Parser would then need more resources to go through the entire string, and if more memory is needed than is available, the consequence is a crash of the parser. This initiates a chain reaction, including stopping all running services, thus forcing the device to reboot.

Researchers at Trend Micro discovered the glitch and witnessed its effect on multiple versions of Android, including KitKat and Lollipop.

Removing the reboot cause is not too easy

Considering that the culprit app cannot be eliminated because the device is restarting continuously, the only option is to flash the ROM or to re-install the operating system, researchers say.

Either of these operations requires some technical knowledge as it involves working with Android Debug Bridge (ADB) tool, and leads to removing the data stored on the device, unless there is support for a removable memory card.

Booting into recovery mode and resetting the device to its factory defaults should also do the trick.

The researchers said that they managed to reach the same DoS result through another method, which involves using an intent-filter that is also included in the manifest file.

“An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter. If there are many activities defined with this intent-filter, the same number of icons will be created in the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting,” said Simon Huang, mobile security engineer at Trend Micro.

The potential risk incurred by the user is data loss, if a backup is not available. There is no financial gain involved with an attack leveraging an Android app with a malformed manifest file, but pranksters could upload them to third-party marketplaces just to have a few laughs.
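As an added example, not Trend Micro’s code, here is a static triage check over a decoded text AndroidManifest.xml for the two manifest shapes described above: an oversized string in an attribute such as a permission name, and an excessive number of activities carrying the launcher intent-filter. The thresholds and the sample manifest are constructed assumptions, and a real APK’s binary manifest must first be decoded (for instance with apktool) before this check applies.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed thresholds for this example; they are assumptions, not figures from Trend Micro.
MAX_ATTR_LEN = 64 * 1024        # an attribute value longer than this is treated as a "huge string"
MAX_LAUNCHER_ACTIVITIES = 20    # more home-screen icons than this is treated as abusive


def is_launcher_filter(intent_filter: ET.Element) -> bool:
    """True for the intent-filter that makes the launcher create a home-screen icon."""
    actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
    categories = {c.get(NAME_ATTR) for c in intent_filter.findall("category")}
    return ("android.intent.action.MAIN" in actions
            and "android.intent.category.LAUNCHER" in categories)


def audit_manifest(xml_text: str) -> Dict[str, object]:
    """Flag oversized attribute values and excessive launcher activities in a text manifest."""
    root = ET.fromstring(xml_text)
    oversized: List[Tuple[str, str, int]] = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if len(value) > MAX_ATTR_LEN:
                oversized.append((elem.tag, attr.split("}")[-1], len(value)))
    launcher_activities = sum(
        1 for activity in root.iter("activity")
        if any(is_launcher_filter(f) for f in activity.findall("intent-filter")))
    reasons: List[str] = []
    if oversized:
        reasons.append("oversized attribute value(s): %s" % oversized)
    if launcher_activities > MAX_LAUNCHER_ACTIVITIES:
        reasons.append("%d launcher activities" % launcher_activities)
    return {"oversized_attributes": oversized,
            "launcher_activities": launcher_activities,
            "suspicious": bool(reasons),
            "reasons": reasons}


def build_sample_manifest(permission_name_len: int, launcher_count: int) -> str:
    """Constructed manifest: one permission name of the given length, N launcher activities."""
    activities = "".join(
        '<activity android:name=".Act%d"><intent-filter>'
        '<action android:name="android.intent.action.MAIN"/>'
        '<category android:name="android.intent.category.LAUNCHER"/>'
        '</intent-filter></activity>' % i
        for i in range(launcher_count))
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<manifest xmlns:android="%s" package="com.example.constructed">'
            '<permission android:name="%s"/>'
            '<application>%s</application></manifest>'
            % (ANDROID_NS, "A" * permission_name_len, activities))


if __name__ == "__main__":
    print(audit_manifest(build_sample_manifest(40, 1))["suspicious"])        # False
    print(audit_manifest(build_sample_manifest(70_000, 50))["reasons"])
```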


Hacking an ATM with a Samsung Galaxy 4 Smartphone

Posted on

Hackers hit ATM systems forcing them to dispense the cash stored in their money cases relying on certain commands sent through a smartphone.
Cybercriminals can hack ATM systems and force it to dispense the cash using a smartphone, in the specific case a Samsung Galaxy 4 phone.

The model of smartphone is not important, the mobile devices are used only to send commands to the ATM remotely once the attacker has physically connected it to the machine.

Poorly protected ATMs are more exposed to this type of attack: the attackers break open the machine’s case in order to connect the mobile device.

Security expert Brian Krebs has published an interesting post titled “Thieves Jackpot ATMs With ‘Black Box’ Attack” to describe this kind of attacks belonging to “a new class of skimming scams aimed at draining ATM cash deposits”.

The “black box” ATM attack described by Brian Krebs relied on a smartphone and a USB-based circuit board.

“At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.” states Krebs.

In short, the criminal crews isolate the cash dispenser from the ATM’s PC and connect it to a computer they control through the smartphone. Krebs reported that the “black box attacks” have been conducted against ATMs made by the vendor NCR.

“NCR says the crooks then attached a smart phone (a virgin, out-of-the-box Samsung Galaxy 4), which they used as a conduit through which to send commands to the cash dispenser remotely. According to Harrow, the mobile phone was set up to relay commands through a dynamic IP service.” said Krebs.

In one case, the attackers used a circuit board with a USB connection, hooked to the ATM controller, to trick the computer into believing it was still connected to the cash dispenser. Krebs noted that the supplementary circuit was nonetheless unnecessary for the “black box” ATM attack.

“They plugged into the controller a USB-based circuit board that NCR believes was designed to fool the ATM’s core into thinking it was still connected to the cash dispenser.” states the post.

It’s not the first time that NCR ATMs have been targeted by hackers; in the past we discussed another attack technique that relies on malware injected through a CD-ROM inserted into the ATM core.

In October 2014, criminal gangs in Eastern Europe conducted several attacks against ATM machines, not only tampering with them using card skimmers which steal debit card data, but also using malware.

The malicious code used by cyber criminals allows hackers to steal cash from the ATM without using cloned credit cards. The Interpol conducted a joint operation with experts at Kaspersky Lab, which allowed them to detect the Tyupkin malware on nearly 50 machines. As explained in a blog post on SecureList, Tyupkin submissions to Virus Total were mainly from Russia (20), but other samples (4) were reported also from the United States, India and China.

At the moment, NCR is aware of only two black box attacks; in response the company issued a firmware update for its machines that improves the encryption of the communication between the cash dispenser and the core system. The update also includes a feature that blocks rolling back the firmware version, since a downgrade could be exploited by hackers to make the ATM vulnerable again.

“The company also recently shipped a software update for its ATMs that strengthen the encryption used to manage communications between the cash dispenser and the ATM core. More importantly, the update changes the system so that the encryption key exchange between those two components is only done when the dispenser receives a specific authentication sequence.”

The experts at NCR confirmed that this kind of attack is very easy to organize and very cheap.

“All things considered, this is a pretty cheap attack,” said Charlie Harrow, solutions manager for global security at NCR. “If you know the right commands to send, it’s relatively simple to do. That’s why better authentication needs to be there,”

Another modification included in the update blocks rolling back the firmware version, so that the machine cannot be made vulnerable again.