Month: February 2015

Hacker Who Leaked Madonna’s “Rebel Heart” Album Indicted in Israel

Posted on

Adi Lederman, 39, is accused of hacking into the cloud storage accounts of three individuals (Sara Zambrano, Angie Teo and Kevin Antunes) that work with the artist and have access to unreleased music files.
Financial gain seems to be the goal

According to the court document obtained by The Hollywood Reporter, Lederman also pilfered an office email account called “osearyoffice,” suggesting that it was used by Madonna’s manager, Guy Oseary.

The hacker was arrested after a month of investigative efforts from a private investigation company, the FBI and the cyber-crime unit of Lahav 433, Israel’s equivalent for the FBI that investigates national crimes.

The data obtained illegally was sold to different third-parties for amounts between several tens of dollars and $1,000 / €890, and sometimes even more, as per the court documents.

It is unclear how the hacker managed to gain access to the private cloud storage accounts, but spear-phishing is used in most such cases. The victim receives a fraudulent email containing a link to a fake log-in page for the service, which captures the credentials and sends them to the attacker.

Hacker Who Leaked Madonna’s “Rebel Heart”
Hacker Who Leaked Madonna’s “Rebel Heart”

Unless two-factor authentication (2FA) is supported and enabled, the perpetrator has unfettered access to the account based on the stolen username and password.
Hacker tried to erase some incriminating evidence

Lederman has been charged with computer trespassing, prohibited secret monitoring and additional computer trespassing, copyright infringement and obstructing investigation.

The last accusation has been formulated on the fact that the defendant contacted one of his buyers, identified as Craig Lunti, via email and asked him to delete all correspondence between them since authorities would initiate an investigation into the matter.

Some of the songs Lederman managed to steal were leaked to different websites last year, which would spoil the release of the album, scheduled for March 6.

Upon the arrest, the police seized multiple items from Lederman’s house, all of them believed to be stolen material from other artists.


Alleged Aussie Anon hauled in for Indonesia phone tap hacking spat

Posted on Updated on

A Melbourne man has been charged with instigating an Indonesian-led hack of Australian intelligence websites as an alleged member of the Anonymous collective.

Matthew John Hutchison, 21, faced Melbourne Magistrates Court this week over allegations he convinced Indonesian Anonymous hackers angry over October 2013 revelations that Canberra spied on Jakarta to rip into the websites of ASIO, the Defence Signals Directorate (ASD) and ASIS.

After the Indonesian hackers brought down web properties for Australia private businesses such as Danny’s Dry Cleaning in the strikes, Hutchison is alleged to have published a video urging his apparent colleagues to target the government assets and threatening retaliation if they did not “leave innocent bystanders out of it”.

Alleged Aussie Anon hauled in for Indonesia phone tap hacking spat
Alleged Aussie Anon hauled in for Indonesia phone tap hacking spat

Hutchison’s alleged multimedia threats escalated to potential “cyberwar” in a second video.

It is unknown if the allegations suggested Hutchison was linked to the @Op_Australia Twitter account responsible for much of the Anonymous’ Australian rhetoric.

Entities using the name and iconography of Anonymous (EUTNAIOA) then claimed to have attacked Indonesian web presences and a social media keyboard bashing frenzy ensured.

Hutchison is charged with federal offences of “urging unknown person to commit an offence of causing an unauthorised impairment of electronic communication to or from a computer”: and faces a committal mention on 8 April.

Lenovo’s website hijacked, apparently by Lizard Squad

Posted on

Lenovo’s no good, very bad week of security may be getting worse — appears to have been hacked, likely in response to the Superfish scandal. This afternoon some visitors trying to access the site instead get a slideshow of webcam pics of kids sitting at their computer, along with a link to a Twitter account claiming to represent the hacker group Lizard Squad — all set to the sounds of “Breaking Free” from High School Musical. The HTML code says this “new and improved rebranded” site is featuring Ryan King and Rory Andrew Godfrey — two people that some internet posters have identified as members of Lizard Squad.

Update: It gets worse — Lizard Squad’s DNS hijack meant it was able to intercept Lenovo email as well, until Cloudflare shut it off. Ars Technica spoke to the company, which said it seized the account used and was able to update the MX records used for email to cut off the email interception. One message apparently caught claimed that Lenovo’s Superfish removal tool had bricked a customer’s Yoga laptop. That may not be the end though, as the group claims it will be combing through the “dump” of captured data soon.

Lenovo's website hijacked by Lizard Squad
Lenovo’s website hijacked by Lizard Squad

[Thanks, Mark]

Not everyone is seeing the replacement page though — for our staff it only appears over certain connections, but not others — so it could be a DNS redirect that hasn’t hit everywhere. Security researcher Jonathan Zdziarski points out that the DNS entry is now redirecting to a Cloudflare server, which explains what’s going on, although it doesn’t fix it for anyone still trying to reach the site. We’ve contacted Lenovo about the situation, but have not received a response yet.


More than 1 million WordPress websites imperiled by critical plugin bug

Posted on

More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.

Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that’s used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

1 million WordPress websites imperiled by critical plugin bug
1 million WordPress websites imperiled by critical plugin bug

“If your website uses a vulnerable version of the plugin, you’re at risk,” Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. “Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).”

The WP-Slimstat secret key is nothing more than the MD5 hash of the plugin’s installation timestamp. An attacker could use the Internet Archive or similar sites to determine the year a vulnerable site was put online. That would leave an attacker with about 30 million values to test, an undertaking that could be completed in about 10 minutes. Once the secret key has been divined, the attacker can use it to pull data out of the database.

WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately.


Como protegerse de Ingeniero Social

Posted on

Acuerdo con profesionales de servicios de seguridad informática, técnicas de Ingeniería Social están siendo utilizados por los inescrupulosos para obtener acceso a las instalaciones y activos, tanto en línea como fuera de línea. De ser engañados para que den su contraseña de correo electrónico en el teléfono, a cavar a través de sus contenedores para el papeleo descartado, hay muchas maneras en las que alguien puede poner en peligro la seguridad de su empresa.

Ingeniero Social y experto de forense digital Jorge Rios sugiere que se debe emplear “pensamiento crítico” para hacer frente a estos intentos de ingeniería social. El pensamiento crítico significa pensar dos veces acerca de lo que está haciendo o se le pide que haga. Armado con este enfoque y un poco de preparación, debe poder protegerse de estos intentos de hackers.

Durante el curso de hacking ético en México enseñan como protegerse deIngeniero Social. La información que las empresas consideran sensibles se lanza hacia fuera todos los días en los botes de basura normales. Los atacantes pueden recuperar correctamente estos datos, literalmente, la escalada en los contenedores de basura de la empresa. La información como nombres, números de Seguro Social,

servicios de seguridad informática
servicios de seguridad informática

direcciones, números de teléfono, números de cuenta, saldos, y así sucesivamente se lanza a cabo todos los días en alguna parte.

Según investigadores de forense digital Jorge ríos, conozco personalmente a una empresa de alquiler de películas reconocido a nivel nacional que sigue utilizando papel carbón en su máquina de fax. Una vez que el rollo se agota simplemente tiran la totalidad en el contenedor de basura. La información sobre ese rollo tiene precio, incluyendo nombres, direcciones, números de cuenta, números de teléfono, de lo mucho que realmente pagan por sus películas, y así sucesivamente.

Otro ataque de ingeniería social que también demuestra ser muy exitoso acuerdo con expertos de servicios de seguridad informática es cuando un atacante vestidos con el uniforme de ese personal considerado “honesto” y “importante” o incluso “caro”. Por ejemplo; un atacante compra/ roba el uniforme de un portador, empleado de empresa de teléfono o gas o eléctrica y aparece cajas que transportan, herramientas, etc., y tal vez incluso una tarjeta de identificación “apariencia oficial” o un carro de carga “equipo”.

Estas atacantes suelen tener acceso indiscutido en todo el edificio. ¿Cuándo es la última vez que desafió uno de este personal para verificar sus credenciales? Una solución viable contra ingeniería social es los empleados deben tomar los cursos como de curso de hacking ético en México.Para saber mas contacta con instituto internacional de seguridad cibernética o

Last Year’s Celeb Hack Haunts Kris Jenner, Hacker Blackmails Her

Posted on

The details are scarce at the moment, and they are likely to remain so at least for a while, since they are to be revealed in the 10th season of the reality show Keeping Up with The Kardashians.
Sheriff’s department has been alerted

According to TMZ, which learned about the alleged blackmail, Kriss Jenner tells her family that she’s the victim of a hacker who has videos with her naked, captured by surveillance cameras in the house.

It appears that she even filed a criminal complaint with the L.A. County Sheriff’s Department about all this.

Last year’s celeb hack, dubbed “The Fappening,” exposed private pictures of a good deal of celebrities on anonymous image boards and some individual even created separate websites offering access to the private content stolen from iCloud.

Hack Haunts Kris Jenner, Hacker Blackmails
Hack Haunts Kris Jenner, Hacker Blackmails

Because of a major security flaw, an individual who knew the username of the victim could run a brute-force attack on the iCloud log-in page to learn the corresponding password. Only users with two-factor authentication (2FA) would be protected against this attack.
Software can connect IP cameras to iCloud

Until more details emerge, we cannot but speculate about how the hacker managed to access the private data; and many may think that Jenner’s story sounds a bit strange and it is nothing but a stunt to promote her show because the data from the incident had been uploaded from an iDevice.

However, there are applications that can upload video from IP cameras straight into someone’s iCloud storage, which could have been hacked.

The one we found has some limitations, though, and it supports a total of three IP cameras, whose video stream can be automatically uploaded to Apple’s cloud and can be watched from a mobile device.

On the other hand, many users fail to properly secure access to surveillance cameras and maintain the default credentials from the manufacturer, at the same time keeping them reachable from the web.

This would be unlikely in Jenner’s case, but a phishing attack tricking a user into providing the log-in details for the administration console of the IP camera is a likely possibility.


Google Vietnam back to normal after apparent ‘Lizard Squad’ hack

Posted on

The Vietnamese site of Google was inaccessible around noon on Monday as a group of hackers called Lizard Squad appeared to have taken over and disrupted the popular search engine service.
Many Internet users in Vietnam said they were unable to go to from 12:30 p.m., with a message on their computer screens saying the site was no longer safe.
Those who chose to bypass the warning and attempt to access the site would see a picture of a man apparently trying to take a selfie and the following message: “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas)”.
The problem was fixed at 2:30 pm and the site seems to be running as usual.

Google Vietnam back to normal after apparent 'Lizard Squad' hack
Google Vietnam back to normal after apparent ‘Lizard Squad’ hack

The Twitter account of the group, @LizardCircle, gained some 500 new followers within those two hours.
Some angry tweets demanded the hackers to back off.
Google Vietnam told Thanh Nien that the company “acknowledged that Google Search’s interface was redirected,” but refused to comment further.
It is uncertain if this Lizard Squad group of hackers is also the one who claimed responsibility for recent high-profile cyber attacks, including the attacks that took down the Sony PlayStation Network and Microsoft’s Xbox Live network last December.
Lizard Squad also claimed that it was behind the January 27 attack that temporarily blocked several major web sites, including Facebook and its photo-sharing app, Instagram.
But Facebook later denied, saying an internal software networking error was to blame.


Visual Hacking Is Highly Successful At Getting Sensitive Information

Posted on

In an experiment sponsored by 3M carried out by the Ponemon Institute over a two-month period last summer, it was discovered that companies are not prepared against “visual hacking” attempts.

Sensitive info obtained in 88% of the cases

Visual hacking consists in a threat actor collecting information by simply walking in an office and snooping into confidential documents or taking pictures of computer screens. This type of activity could help with better preparing a cyber-attack on a targeted organization as well as lead to unauthorized access to company secrets.

For the study, Ponemon Institute recruited eight US-based companies that allowed a visual hacker to roam in the building and determine the type of information that could be exposed this way; except for the company liaison, the rest of the employees were unaware of the true mission of the hacker.

Walking through the offices the hacker could have harvested personally identifiable information, data about customers, consumers and employees, business correspondence, log-in credentials, confidential documents, designs, presentations and financial information.

Visual Hacking Is Highly Successful
Visual Hacking Is Highly Successful

In 88% of the trials the haccker was able to obtain sensitive data. In most cases (51%) it would be found on the desk of a “fellow co-worker.” The hacker also managed to copy sensitive details from computer screens, print bins or copiers.
Important data sitting in plain sight could be collected

During the experiment, a total of 168 pieces of information were stolen, 34 of them (20%) being marked as having a high value (i.e. access log-ins, confidential or classified documents) due to the security risks involved in losing it to unauthorized persons.

Computer screens and vacant desks were the places where most of the high value data was collected from.

The time needed to spot the assets ranged from less than 15 minutes in 45% of the cases, to two hours in 2% of the cases.

Even if the hacker was spotted to be engaged in collecting data, most of the times the other employees kept quiet and did not intervene. Only in 13 cases out of 43 someone asked questions about the dubious activity.

Although the experiment does have some limitations since the companies participated voluntarily in the research and collecting data depends on the skills of the visual hacker, the risks are still valid and organizations should implement stricter policies as far as protecting the information on and around the desk is concerned.


Android malware hijacks power button, empties wallet while you sleep

Posted on

Security biz AVG has spotted an outbreak of a new kind of Android malware that will come alive even when the phone is supposedly switched off. The software nasty is able to do this by hijacking the mobe’s power-off sequence.

“After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on,” said the firm’s mobile security team in an advisory.

“While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.”

Once the malware is installed by the user – it’s typically bundled within an innocent-looking app, but AVG isn’t naming names – it asks for root-level permissions and injects code into the operating system’s system server. Specifically, it hijacks the mWindowManagerFuncs interface so it can display a fake shutdown dialog box when the power button is pressed – and display a fake shutdown animation too. It then blanks the screen to make the mobe look like it’s switched off.

Android malware hijacks
Android malware hijacks

The malware is then free to send lots of premium-rate text messages and make calls to expensive overseas numbers. The code shown by AVG appears to contact Chinese services.

This nasty is killable, and AVG has signatures for its files so it can be detected, but in the meantime the firm suggests taking the battery out of your phone – aka the engineer’s reset – is the only way to be sure. Unfortunately, that’s not an option on many phones these days.

Don’t panic, though. So far the outbreak in small and localized: around 10,000 cases have cropped up almost exclusively in China, none of which work on Android 5.0. But code spreads so fast these days and something so useful is bound to be popping in malicious apps from dodgy online stores in the near future.


Major Adult Website Gets Hacked, Malicious Iframe Leads to Angler EK

Posted on

ust like in the case of Jamie Oliver’s website, the cybercriminals did not resort to a malvertising campaign but hacked the servers of the adult location and planted malicious code straight into the main page source code.
Exploit flung at visitors with outdated Flash Player versions

Security researchers at Malwarebytes discovered the compromise on RedTube, a website providing adult content that ranks 128 on the popularity scale provided by Alexa. The estimated number of visits is 300 million per month.

The malicious code inserted on the website produces an iframe that is invisible to the user, pointing to two domains where Angler browser-based attack tool is hosted.

According to the analysis from Malwarebytes, Angler deploys an exploit for a Flash vulnerability (CVE-2015-0313) recently patched by Adobe.

Major Adult Website Gets Hacked
Major Adult Website Gets Hacked

Until the fix became available in Flash, the security bug had been leveraged in the wild through Hanjuan exploit kit.
RedTube confirms the attack

The researchers say that the end goal of the cybercriminals is installation of a malware family known as Kazy Trojan, which appears to be a variation of other malware families, downloader Ponik and Vundo Trojan.

“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” a blog post from Malwarebytes says on Wednesday.

It is not clear how the RedTube compromise occurred but the attack has a significant potential given the large number of visits the website enjoys on a monthly basis and the fact that users are slow at applying the latest patches for the browser plug-ins. Furthermore, infecting a vulnerable machine would occur without any sign of suspicious activity.

On Wednesday, RedTube confirmed the attack via Twitter, saying that it was detected on Sunday and that the necessary steps for mitigating the risk were taken within hours.


Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet

Posted on

The last two years have been filled with revelations about NSA surveillance activities and the sophisticated spy tools the agency uses to take control of everything from individual systems to entire networks. Now it looks like researchers at Kaspersky Lab may have uncovered some of these NSA tools in the wild on customer machines, providing an extensive new look at the spy agency’s technical capabilities. Among the tools uncovered is a worm that appears to have direct connections to Stuxnet, the digital weapon that was launched repeatedly against centrifuges in Iran beginning in late 2007 in order to sabotage them. In fact, researchers say the newly uncovered worm may have served as a kind of test run for Stuxnet, allowing the attackers to map a way to targeted machines in Iran that were air-gapped from the internet.

For nearly a year, the researchers have been gradually collecting components that belong to several highly sophisticated digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, based on when some command servers for the malware were registered. They say the suite of surveillance platforms, which they call EquationLaser, EquationDrug and GrayFish, make this the most complex and sophisticated spy system uncovered to date, surpassing even the recently exposed Regin platform believed to have been created by Britain’s GCHQ spy agency and used to infiltrate computers belonging to the European Union and a Belgian telecom called Belgacom, among others.

Raiu says he thinks Fanny was an early experiment to test the viability of using self-replicating code to spread malware to air-gapped machines and was only later added to Stuxnet when the method proved a success. Notably, the first version of Stuxnet, believed to have been unleashed in late 2007, didn’t use zero-day exploits to spread; instead it spread by infecting the Step 7 project files used to program control systems at Natanz. Fanny was subsequently compiled in July 2008 with the two zero-day exploits. When the next version of Stuxnet was unleashed in 2009, the privilege-escalation exploit from Fanny was added to it. Then in 2010, the .LNK exploit from Fanny was added to a version of Stuxnet unleashed that March and April.

Fanny may have been used initially as proof-of-concept to test the viability of getting Stuxnet onto air-gapped machines in Iran. Or it could have been used for a different operation entirely, and its developers simply shared the exploits with the Stuxnet crew. The vast majority of Fanny infections detected so far are in Pakistan. Kaspersky has found no infections in Iran. This suggests Fanny was likely created for a different operation.

Pakistan’s nuclear weapons program, like Iran’s, has long been a U.S. concern. The centrifuge designs used in Iran’s uranium-enrichment plant at Natanz came from Pakistan—a Pakistani scientist helped jumpstart Iran’s nuclear program with them. Information about the NSA’s black budget, leaked by Snowden to the Washington Post in 2013, shows that Pakistan’s nuclear program, and the security of its nuclear weapons, is a huge concern to U.S. intelligence and there is “intense focus” on gaining more information about it. “No other nation draws as much scrutiny across so many categories of national security concern,” the Post wrote in a story about the budget.

Kaspersky found only one version of Fanny. It arrived in their virus collection system in December 2008 but went unnoticed in their archive until last year. Raiu doesn’t konw where the Fanny file came from—possibly another anti-virus firm’s shared collection.

The new platforms, which appear to have been developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers. The researchers, who gave WIRED an advance look at their findings and spoke about them today at the Kaspersky Security Analyst Summit in Mexico, have dubbed the attackers the Equation Group and consider them “the most advanced threat actor” they’ve seen to date.

The researchers have published an initial paper on their findings and plan to publish more technical details over the next few days, but there’s still a lot they don’t know about the Equation Group’s activities.

“As we uncover more of these cyber espionage operations we realize how little we understand about the true capabilities of these threat actors,” Costin Raiu, head of Kaspersky’s Global Research and Analysis Team told WIRED.

NSA Connections?
Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in NSA documents leaked by Edward Snowden to The Intercept that describe a keylogger by that name. There are other connections to an NSA spy tool catalog leaked to other journalists in 2013. The 53-page catalog details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.

Other evidence possibly pointing to the NSA is the fact that five victims in Iran who were infected with Equation Group components were also key victims of Stuxnet, which was reportedly created and launched by the U.S. and Israel.

Kaspersky wouldn’t identify the Iranian victims hit by the Equation tools, but the five key Stuxnet victims have been previously identified as five companies in Iran, all contractors in the business of building and installing industrial control systems for various clients. Stuxnet targeted industrial control systems used to control centrifuges at a uranium-enrichment plant near Natanz, Iran. The companies—Neda Industrial Group, Kala Electric, Behpajooh, CGJ (believed to be Control Gostar Jahed) and Foolad Technic—were infected with Stuxnet in the hope that contractors would carry it into the enrichment plant on an infected USB stick. This link between the Equation Group and Stuxnet raises the possibility that the Equation tools were part of the Stuxnet attack, perhaps to gather intelligence for it.

But the newly uncovered worm created by the Equation Group, which the researchers are calling Fanny after the name of one of its files, has an equally intriguing connection to Stuxnet.

It uses two of the same zero-day exploits that Stuxnet used, including the infamous .LNK zero-day exploit that helped Stuxnet spread to air-gapped machines at Natanz—machines that aren’t connected to the internet. The .LNK exploit in Fanny has a dual purpose—it allows attackers to send code to air-gapped machines via an infected USB stick but also lets them surreptitiously collect intelligence about these systems and transmit it back to the attackers. Fanny does this by storing the intelligence in a hidden file on the USB stick; when the stick is then inserted into a machine connected to the internet, the data intelligence gets transferred to the attackers. EquationDrug also makes use of the .LNK exploit. A component called SF loads it onto USB sticks along with a trojan to infect machines.

The other zero-day Fanny uses is an exploit that Stuxnet used to gain escalated privileges on machines in order to install itself seamlessly.

Kaspersky has found 500 victims in some 30 countries infected with EquationLaser, EquationDrug and GrayFish components. But having been active for more than a decade, it’s likely the spy tools have infected tens of thousands of systems. Each time a machine is infected, the malware places a timestamp in the victim’s registry along with a counter that increases with each victim. Based on counters found on victim machines, the victims appear to increase at a rate of about 2,000 a month.

The largest number of victims have been targeted in Iran, but there are also victims in Russia, Afghanistan, Pakistan, Belgium, Germany, Sudan, Lebanon, the Palestinian Territories, the United States and the UK. They include military, government and diplomatic targets, as well as telecoms, nuclear research facilities and individuals, Islamic activists and scholars, the media, and those working on nanotechnology and encryption technologies. Victims found in the U.S. and UK are all Islamic activists or scholars, Raiu says, some with known extremist leanings.

Kaspersky researchers discovered the first component belonging to the Equation Group last March while investigating the Regin malware. The first piece of puzzle found was a driver file that showed up on a system in the Middle East that was also infected with Regin and several other known families of nation-state malware Kaspersky recognized. This apparently high-value target was cluttered with so much malware Kaspersky dubbed it the “magnet of threats”.

They initially believed the driver was part of Regin or another malicious family. It used very advanced stealth techniques to avoid detection and was only discovered because of the way it tried to hijack a specific Windows function to sniff network traffic. This triggered an alert in the Kaspersky software. It was using “some nasty techniques to hook into Windows,” says Vitaly Kamluk, principal security researcher for Kaspersky. The techniques, in fact, had been described years before in a 2005 book titled Subverting the Windows Kernel. “[The attackers] were following the instructions that were uncovered in the book,” Kamluk says.

After adding detection for the driver to their security products, Kaspersky found the malicious driver on other machines as well as additional components related to it. As they collected modules and pieced them together, they also found an extensive network of command-and-control servers—more than 300 in all—that the attackers had set up to communicate with their malware. Kaspersky managed to sinkhole about a dozen of the domains so that traffic that would have once headed from victim machines to the attackers’ domains got re-routed to a server the researchers controlled instead. In this way they were able to uncover more victims. The attackers had allowed the registration for a number of their domains to expire. Kaspersky monitored the domains and simply bought up each as it expired.

As they pieced together components, they were able to establish a timeline and see that EquationLaser was an early-generation implant the attackers used between 2001 and 2004, while EquationDrug was the next-generation tool that came into use sometime around 2003. It was continuously developed and expanded by the attackers until 2013. Over time, it became a robust and full-blown platform composed of numerous plug-ins or modules that could be remotely slipped on to an infected system at will, once the attackers established a foothold on it.

EquationDrug was supplanted by the even more sophisticated GrayFish. Two versions of GrayFish have been uncovered—the first apparently developed in 2008 and the second in 2012, based on compilation timestamps. EquationDrug stopped being used in mid-2013 right around the time the first leaks from NSA whistleblower Edward Snowden were published. The first evidence of GrayFish 2.0 being used in the wild appeared shortly after those first leaks.

Enter GrayFish
GrayFish works on all the latest Windows operating systems as well as Windows 2000. It’s the most sophisticated platform of the three. Its components all reside in the registry of infected systems, making the malware nearly invisible to detection systems.

GrayFish uses a highly complex multi-stage decryption process to unpack its code, decrypting and executing each stage in strict order, with each stage containing the key to unlock the subsequent one. GrayFish only begins this decryption process, however, if it finds specific information on the targeted machine, which it then uses to generate the first key to launch the decryption. This allows the attackers to tailor the infection to specific machines and not risk having it decrypt on unwanted systems. The magic key that initiates this process is generated by running a unique ID associated with one of the computer’s folders through the SHA-256 algorithm 1,000 times. The final hash becomes the key to unlock the malware and launch the nested decryption scheme.

It’s very similar to a process used by Gauss, another piece of malware believed to have been created by the team behind Stuxnet that Kaspersky discovered in 2012. Gauss had a mysterious payload that has never been unlocked because it can only be decrypted by a key generated by running specific data on the targeted machine through the MD5 algorithm 10,000 times. The scheme, as used in both GrayFish and Gauss, not only serves to prevent the malware from unleashing on non-targeted machines, it also prevents security researchers and victims from unlocking the code without knowing the specific data needed to generate the hash/decryption key.

In addition to the encryption scheme, GrayFish uses a sophisticated bootkit to hijack infected systems. Each time the computer reboots, GrayFish loads malicious code from the boot record to hijack the booting process and give GrayFish complete command over the operating system, essentially making GrayFish the computer’s operating system. If an error occurs during this process, however, the malware will immediately halt and self-destruct, leaving the real Windows operating system to resume control, while GrayFish quietly disappears from the system.

Suite of Sophisticated Nation-State Attack
Suite of Sophisticated Nation-State Attack

But the most impressive GrayFish component is one that can be used to reflash the firmware of hard drives. Firmware is the code resident on hardware that makes the device work. Kaspersky uncovered two versions of a module used for reflashing or reprogramming firmware—one version for the EquationDrug platform the other for GrayFish. The EquationDrug version appears to have been compiled in 2010 while the GrayFish one bears a 2013 timestamp. The module reflashes the firmware with malicious code that gives the attackers a persistent foothold on the system even if the owner reformats the hard drive or wipes the operating system and reinstalls it in an attempt to clean the machine of malware. Between them, the two versions can reprogram 12 different brands of hardware drives, including ones made by Samsung and Seagate. To pull off this feat, the modules use a slew of undocumented commands that are specific to each vendor, which the Kaspersky researchers call “an astonishing technical accomplishment” that is a testimony to the group’s high-level skills.

The attackers did make one mistake, however. It appears that one of the developers of the GROK trojan left his username—rmgree5—behind in the file.

Method of Infection
To infect victims, the attackers used multiple methods—such as the Fanny worm or infected USB sticks and zero-day exploits. They also used web-based exploits to infect visitors to certain web sites. The researchers counted at least seven exploits the attackers at least four of which were zero-days when the attackers used them. Notably, one of the exploits had been used before in the so-called Aurora attack that struck Google in late 2009. That hack was attributed to China, but the Kaspersky researchers say the Equation Group apparently recycled it to use in their own later attack against government targets in Afghanistan.

One of the most interesting cases of infection, however, concerned a scientist who was targeted after visiting the U.S.

Trouble in Texas
The scientist had attended an international scientific conference in Houston, Texas sometime around 2009 and received the infection on a conference CD-ROM sent to him after he returned home. The disk contained a slideshow of photos from the gathering. But it also contained three exploits, two of them zero-days, that triggered malware from the Equation Group to load to his machine. Kaspersky software on the scientist’s machine triggered an alert and sent a sample of the malware to Kaspersky’s archive, but the researchers only discovered it last year when they began investigating the Equation Group’s operations. They were able to identify and contact the victim. Raiu won’t name the scientist or indicate his area of research, but he likened the attack to a recent one that occurred against noted Belgian cryptographer and academic Jean-Jacques Quisquater. Quisquater’s computer had been infected with the Regin spy tool.

It’s unclear how the attackers infected the CD-ROM sent to the scientist, but documents leaked by Edward Snowden describe NSA and CIA interdiction efforts that involve intercepting computer hardware as it’s in transit from a factory or seller and then implanting it with spy tools before repackaging it and sending it on to the customer. The same method might have been used in this case. It’s not known if other conference attendees received infected disks.

Although the Equation Group findings are significant, they still represent only a very small subset of nation-state malware out in the wild from not only the U.S. but other actors as well. And given that the samples Kaspersky found are at least a year old, they may not be state-of-the-art any more.

“The thing that scares me the most is that we don’t have any samples from the Equation Group from 2014,” Raiu says, suggesting the group’s capabilities may have already been surpassed by even more sophisticated wares.

PoS malware infected payment systems at the Jefferson National Parks Association

Posted on

Jefferson National Parks Association announced on Friday about malware found on Point-of-Sale (POS) Systems deployed by two gift shops named Gateway Arch located in St. Louis. So far, it has been confirmed that most of the Credit card details are compromised while using credit cards on compromised Point-of-Sale (POS) systems. Information like Credit Card Names, Credit Card Numbers, and Credit Cards expiration dates was hampered with the PoS Malware.

In time I’m writing the Jefferson National Parks Association was unable to specify exact number of credit cards being compromised.

Jefferson National Parks Association responded to this incident immediately by suspending the use of its networked payment systems. The malware has been deactivated from Point-of-sale (POS) systems, by covering & deleting all possible payloads off the systems and instead, stand-alone payment processing system is now being used to continue their business operations. The investigation on the incident is still in progress.

PoS malware infected payment systems at the Jefferson National Parks
PoS malware infected payment systems at the Jefferson National Parks

On Dec. 17, 2014, Jefferson National Parks Association was informed by federal authorities about potentially compromised Point-of-Sale (POS) systems. The malware appears to be most active during early August 2014 to Dec. 17, 2014, to steal credit cards details through compromised Point-of-Sale (POS) Systems. The malware was installed before November 2013, when the Point-of-Sale (POS) systems were physically located at other sites: the Old Courthouse and U.S. Grant National Historic Site.

“The method of malware infection is unclear. Investigators believe that the malware may have been installed as early as November 2013, when these terminals were physically located at other sites, specifically the Old Courthouse and U.S. Grant National Historic Site.”

Other payments at the Arch, including tram and movie ticketing, and riverboat excursions, are not affected. Online purchases and donations made at the Jefferson National Parks Association website are not affected. Other personal information – such as addresses CVVs and PINs – was not captured because that information is not collected. The method of malware infection is still unclear.

“We took immediate steps to address this unfortunate issue and conduct a thorough investigation,” David Grove, president and CEO of Jefferson National Parks Association, was quoted as saying in a notification posted to the Jefferson National Parks Association website.


Hackers Steal Up To $1 Billion From Banks

Posted on

A hacking ring has stolen up to $1 billion from banks around the world in what would be one of the biggest banking breaches known, a cybersecurity firm says in a report scheduled to be delivered Monday.

The hackers have been active since at least the end of 2013 and infiltrated more than 100 banks in 30 countries, according to Russian security company Kaspersky Lab.

After gaining access to banks’ computers through phishing schemes and other methods, they lurk for months to learn the banks’ systems, taking screen shots and even video of employees using their computers, the company says.

Once the hackers become familiar with the banks’ operations, they use that knowledge to steal money without raising suspicions, programming ATMs to dispense money at specific times or setting up fake accounts and transferring money into them, according to Kaspersky. The report is set to be presented Monday at a security conference in Cancun, Mexico. It was first reported by The New York Times.

The hackers seem to limit their theft to about $10 million before moving on to another bank, part of the reason why the fraud was not detected earlier, Kaspersky principal security researcher Vicente Diaz said in a telephone interview with The Associated Press.

The attacks are unusual because they target the banks themselves rather than customers and their account information, Diaz said.

The goal seems to be financial gain rather than espionage, he said.

“In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

Most of the targets have been in Russia, the U.S., Germany, China and Ukraine, although the attackers may be expanding throughout Asia, the Middle East, Africa and Europe, Kaspersky says. In one case, a bank lost $7.3 million through ATM fraud. In another case, a financial institution lost $10 million by the attackers exploiting its online banking platform.

Kaspersky did not identify the banks and is still working with law-enforcement agencies to investigate the attacks, which the company says are ongoing.

The Financial Services Information Sharing and Analysis Center, a nonprofit that alerts banks about hacking activity, said in a statement that its members received a briefing about the report in January.

Hackers Steal  $1 Billion From Banks
Hackers Steal $1 Billion From Banks

“We cannot comment on individual actions our members have taken, but on balance we believe our members are taking appropriate actions to prevent and detect these kinds of attacks and minimize any effects on their customers,” the organization said in a statement. “The report that Russian banks were the primary victims of these attacks may be a significant change in targeting strategy by Russian-speaking cybercriminals.”

The White House is putting an increasing focus on cybersecurity in the wake of numerous data breaches of companies ranging from mass retailers like Target and Home Depot to Sony Pictures Entertainment and health insurer Anthem.

The administration wants Congress to replace the existing patchwork of state laws with a national standard giving companies 30 days to notify consumers if their personal information has been compromised.


Zero Day Weekly: Thousands doxed by Jeb Bush, Obama’s cybersummit, Facebook’s ThreatExchange

Posted on

This week U.S. President Obama visited Stanford for a cybersecurity summit with Silicon Valley’s corporate technorati, Jeb Bush doxed 12,000 unsuspecting victims, cloud security research got aggressive, Sony argued to dismiss its eight class-action lawsuits, NIST announced updates, Microsoft had a rough Patch Tuesday, Facebook launched ThreatExchange, and much more.

This week’s Microsoft Patch Tuesday release includes three updates rated Critical, including a massive security update that fixes more than 40 flaws in Internet Explorer. A recently disclosed XSS vulnerability remains unpatched, however, and one Windows Server 2003 bug won’t be fixed.
On Tuesday, iSIGHT Partners and Invincea disclosed an attack on, assumed to be the work of actors from China conducting an espionage campaign. But the way the disclosure was handled, including a sensational news cycle and required registration for actual details, makes it look as if both vendors are using the incident to increase their sales channel.
The Washington Post reported this week that there will be a new agency to sniff out threats in cyberspace: The Cyber Threat Intelligence Integration Center, modeled after the National Counterterrorism Center. Some infosec professionals think it’ll likely fail, because “the President continues to ask the wrong questions of the wrong people.”

President Obama is expected to unveil executive actions today designed to increase information sharing among private sector companies and federal law enforcement, at a cybersecurity summit at Stanford University. Chief executives from four major technology companies will not attend a cybersecurity summit in California on Friday. Instead, senior security staffers from the invited companies, Facebook, Google, Yahoo, and Microsoft, will go in their boss’ places. Bloomberg hinted that the reason why the tech executives are not turning up are in part due to a recent back-and-forth between the US government and their companies.
Florida governor (and potential U.S. presidential candidate) Jeb Bush has had his team hurriedly [after-the-fact] redact the social security numbers and other identity details of 12,000 people from emails he released online covering the putative presidential candidate’s eight years. The emails contained names, sensitive healthcare and employment information, birthdates and social security numbers — the three pieces of information key to identity theft. Bush had opened up the 332,999 emails to public scrutiny, seeking to portray himself as a tech-savvy executive.

Cloud security: Reports slam data protection, national Internets, access myths: “Security is often compared to an arms race — a constant grind of building the newer, the better, and the more effective.” We’re told in Leviathan Security Group’s revelatory whitepapers released this week. Leviathan’s research shows why organizations urgently need to understand that “This comparison is inaccurate.”
Around 16 million mobile devices worldwide were infected by malware at the end of 2014, while attacks on communications networks rose during the year, according to new research by Alcatel-Lucent.

Zero Day Weekly: Thousands doxed by cybersummit, Facebook's
Zero Day Weekly: Thousands doxed by cybersummit, Facebook’s

The security hiring crisis: In a whitepaper released by Leviathan Security Group this week, the firm revealed infosec’s problematic hiring arc — where current solutions appear ruinous, at best. Leviathan’s research team reports that, “With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn’t be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow.”
On Monday, Sony Pictures Entertainment offered its first substantive response to the eight class action lawsuits that have been filed by former employees in the wake of a large-scale hack. The company isn’t arguing that the hack was unforseen, but instead Sony believes that victim harm can’t be proven because no one — so far — has filed complaints of identity theft, fraudulent charges, or misappropriation of medical information. Research and experience shows, however, that unless the employees are in a bubble of statistical anomaly, this is just a matter of time.
10 million passwords and usernames published: This week, Mark Burnett, a security consultant and researcher, released 10 million passwords and linked usernames in a data set compiled from existing information. In order to stop the FBI coming after him, Burnett explained why the information was divulged: The information, sourced from the Internet, was compiled with the intention of furthering research in passwords and user behavior.
HSBC’s Swiss banking arm helped wealthy customers dodge taxes and conceal millions of dollars of assets, doling out bundles of untraceable cash and advising clients on how to circumvent domestic tax authorities, according to a huge cache of leaked secret bank account files.
Facebook launched ThreatExchange on Wednesday, a social network of sorts designed to allow companies to share threat information and intel. The move is the latest example in how an age of cooperation may be emerging as companies increasingly battle cyberattacks of various stripes.


How to hack Facebook photo album of every user

Posted on

A critical flaw in the popular social network Facebook recently discovered could allow ill-intentioned to completely delete users’ Facebook photo album without being authenticated.

According the security expert Laxman Muthiyah the vulnerability resides in Facebook Graph API mechanism.

“a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted.” said Laxman.

The Indian security researcher has discovered a way to delete Facebook photo albums of every Facebook users in a few seconds.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API,” he explained.

Facebook vulnerability  hack accounts
Facebook vulnerability hack accounts

The researcher discovered that by using his own “access token” generated for mobile version of Facebook could be exploited to remove any photo albums posted by any other Facebook User despite theoretically Facebook Graph API requires an access token to access and modify data.However, Muthiyah

“Graph API is primary way for developers to read and write the users data. All the Facebook apps of now are using Graph API. In general Graph API requires an access token to read or write users data. Read more about Graph API here. ” wrote Muthiyah in a blog post.

The researcher demonstrates that it is quite easy for an attacker to delete a the Facebook photo album from the victim’s Facebook account, the attacker only needs to send an HTTP-based Graph API request customized victim’s photo album ID. In this way the attacker’s own access token generated for ‘Facebook for android’ app.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.” said the researcher.


Hacked Hollywood Mogul Amy Pascal on Sony Attack: “All I Did Was Get Fired”

Posted on

Amy Pascal broke her silence today at the Women in the World conference at the St. Regis Hotel in downtown San Francisco, in an onstage interview with journalist Tina Brown.

“All the women here are doing incredible things in this world. All I did was get fired,” said the departing Sony Pictures Entertainment co-chairperson, settling in for a free-flowing conversation with Brown. “Everyone knows everything about me. What am I doing here?”

Brown answered that for her.

“None of us can imagine …” Brown said.

“No, you cannot,” Pascal said.

Pascal’s digital record came into the spotlight when North Korea hacked Sony in retaliation for producing “The Interview,” a slapstick comedy about journalists sent to assassinate that country’s supreme leader, Kim Jong Un. The hackers exposed thousands of internal emails, including Pascal’s ALL-CAPS-laced missives about celebrities and a racially charged joke about President Obama. This week, she announced she’ll be stepping down to join the “Spiderman” production team in May (and receive close to a $40 million production/parachute package over the next four years).

During cocktails before she took the stage, Brown said Pascal decided to speak publicly in San Francisco for the first time because, “The timing was good. And in her home town, it’s a little too hot right now.”

After a dramatic video intro that featured footage of an explosion to indicate the hacking, Brown asked Pascal to recount the moment when she first realized that her emails would be exposed.

Hacked Sony by Amy Pascal
Hacked Sony by Amy Pascal

“I ran this company and I had to worry about everybody who was really scared … People were really scared … But nagging in the back of my mind, I kept calling [IT] and being like, ‘They don’t have our emails, tell me they don’t have our emails,’” she said. “But then they did. That was a bad moment. And you know what you write in emails.”

We know exactly what she writes in her emails.

Pascal — who dressed casually in clog heels and a leopard print wrap tied around her waist — said her off-the-cuff emails with Sony producer Scott Rudin were the result of a 30-year-relationship, an “ongoing fight” and playful “role-playing” since the day they met.

Brown brought up the Obama emails right away: “They accused you of being a racist,” she said.

“It was horrible. That was horrible,” Pascal said, tossing her hair and then brushing it out of her face, looking almost teary-eyed for a moment.

“As a woman, what I did was control how everybody felt about themselves and about me … and there was this horrible moment when I realized there was absolutely nothing I could do about whether I’d hurt people, whether I’d betrayed people,” she said. “I couldn’t protect anyone … It was horrible because that’s how I did my job.”

She paused and then said something surprising.

“It was also strangely freeing,” she said, looking at Brown. “Because all of a sudden, that was just what it was.”

Pascal continued: “There is nothing you can do. You can’t say anything. You can’t explain anything. It’s just there.”

Brown mentioned that “The Interview” was actually a pretty bad movie (no “Citizen Kane,” she said). Pascal had a quick retort: “You don’t get to choose what you stand up for.”

Relationships had been less damaged than people outside Hollywood may think because it is a unique kind of town, Pascal said.

“Everybody understood because we all live in this weird thing called Hollywood,” she said. “If we all actually were nice, it wouldn’t work.”

For example, even though Rudin called Angelina Jolie a “minimally talented spoiled brat,” Pascal said: “Angie didn’t care.”

Was she surprised that the press were so harsh?

“I’m not supposed to say anything about that,” she said, looking out at the audience coyly. “But I will say that I was. People found reasons that going through my trash and printing it was an ok thing to do. They found a way to justify that. And they have to live with that.”

Among the leaks was detailed payment information that showed women were paid less than men: “I’ve paid [Jennifer Lawrence] a lot more money since then, I promise you … Here’s the problem: I run a business. People want to work for less money, I pay them less money … Women shouldn’t work for less money. They should know what they’re worth. Women shouldn’t take less. ‘Stop, you don’t need the job that bad.’”

She said she’s learned a lot from the hack about how to relate to people.

“You should always say exactly what you think directly to people all the time,” she said. “In the moment, the first time.”

Brown said this might be hard to do given how vulnerable Hollywood stars can be.

Pascal unleashed a little of the energy found in those emails.

“They’re bottomless pits of need. You’ve never seen anything like it,” she said, adding sarcastically: “They are so great. They’re this magical thing that no one else can be. They’re filled with the need to be loved … but that’s because they’re magical.


Seguridad y cifrado de alámbrico de casa

Posted on

Hay diferente tipos de cifrado Wi-Fi que se pueda utilizar en los routers de Internet. Así que uno debe utilizar según curso de seguridad informática ? Muchas personas ni siquiera utilizan el cifrado, y los que sólo eligen un tipo de cifrado al azar sin saber lo que hacen. La mayoría de los tipos de cifrado son mejor que nada en absoluto, pero algunos son más adecuados que otros. Durante mucho tiempo, WEP se considera que es un muy buen método de cifrado de conexiones inalámbricas. El acrónimo significa simplemente Wired Equivalent Privacy. Originalmente sólo estaba disponible en la configuración de 64 bits, pero poco después de 128 bits e incluso el cifrado de 256 bits se hizo disponible dice experto de curso hacking ético . Introducción de una clave WEP de Wi-Fi de 64 bits era tan sencillo como elegir un número hexadecimal de diez caracteres. Cada caracter representa 4 bits, por lo que 40 bits en total, y luego se añadieron 24 bits para completar la clave de 64 bits. Según instituto internacional de seguridad cibernética de.

certificaciones seguridad informática
certificaciones seguridad informática

certificaciones seguridad informática WEP sin embargo, se ha demostrado tener muchos defectos que involucran principalmente el tamaño de la clave a corto, que eran relativamente fáciles de romper.

WEP también no da la seguridad frente a los paquetes alterados – un proceso en el que los paquetes de información es interceptada por un intruso y luego alterados antes de enviarlos de vuelta, haciendo que parezca que el intruso es usuario válido según curso de seguridad informática.

Ahorita, WPA (Wi-Fi Protected Access) y WPA2 completamente han tomado el relevo de los métodos de encriptación WEP. Es probable que todavía encuentra WEP disponible en la mayoría de los routers, pero está siendo descontinuado y algún día probablemente no va a estar disponible en absoluto. La principal ventaja WPA tiene sobre WEP es que emplea una poderosa nueva característica llamada TKIP, o más bien Temporal Key Integrity Protocol que enseñan durante curso de certificaciones seguridad informática. TKIP es de 128 bits, pero en lugar de la clave es estática, se genera una nueva clave para cada paquete de información que se envía, lo que significa que es mucho más seguro. WPA2 va aún más lejos y lo reemplaza con TKIP CCMP. CCMP es un método de encriptación AES basada en que es mucho más fuerte incluso que TKIP.

Tanto WPA-SPK y WPA-Enterprise están disponibles en WPA2, es decir, incluso los usuarios domésticos pueden ahora beneficiarse de cifrado AES sobre sus conexiones Wi-Fi. Acuerdo con experto de curso hacking ético Todos estos métodos se pueden transmitir datos a la velocidad máxima, y usted no notará ninguna diferencia de velocidad entre cada tipo de cifrado.

Military Spouses Hacked, Threatened by Alleged ISIS Sympathizer

Posted on

A Hacker purporting to be an ISIS sympathizer breached the social accounts of a U.S. Marine’s wife Tuesday, threatening her then using her Twitter feed to threaten at least four other military spouses and the Obama family, two of the spouses confirmed to NBC News.

The FBI is investigating the breach and the online threats, said Liz Snell, a Marine wife, whose Twitter and Facebook accounts were hacked. Snell’s husband was deployed to Iraq or Afghanistan five times.

The FBI pulled down Snell’s Twitter account on Tuesday morning, she said, and Snell removed her compromised Facebook profile. NBC News contacted the FBI, seeking confirmation that the agency is investigating the matter. The agency has not yet responded to that query.

In a separate tweet from Snell’s account to the Obamas, the hacker claimed the President and his family are being watched and mentioned Valentine’s Day, according to screen shots obtained by NBC News.

Snell as well as at least three of the threatened spouses all were quoted in a Jan. 14 article that explored how military families were rethinking their online lives following the Jan. 12 hacking of social media accounts at the U.S. military’s Central Command.

That article seems to be the lone common thread among the hacking victims, Snell said.

In that breach, CENTCOM’s Twitter and YouTube accounts were compromised and hackers posted pro-ISIS messages and images similar to those tweeted by a hacker Tuesday. In January, the unknown hacker caused the CENTCOM accounts to be taken down for hours.

“Ultimately, my feeling is that I don’t want anyone [who follows her on social media] to feel that they are unsafe,” Snell told NBC News. “I feel some level of responsibility … This does make me nervous.”

Snell said she was in touch Tuesday with other named spouses to check on their safety. She operates the non-profit website Military Spouses of Strength, a hub for military-family members grappling with mental-health issues in the wake of two long wars.

The hacker also sent Facebook messages to Snell and to at least one other military spouse, claiming to know details about their lives, and the lives of their husbands and children. The hacker also claimed to be in close proximity to both Snell and the other spouse.

“It was a ‘We know where you are’ kind of thing,” Snell said. “We [my family] are taking precautions just to ensure safety measures are in place.”

One of the five military spouses threatened Tuesday is Ashley Broadway-Mack. Her spouse is an Army officer. She was also quoted in the story about the impact the CENTCOM breach had on military families.

“I’m not going to lie. It’s shocking to actually see your name along with some type of threat,” Broadway-Mack told NBC News. “This has me a little on edge.”

Broadway-Mack immediately notified the members of her spouse’s chain of command to alert them to the breach, she said.

“In the same breath, if I were to shut down my Twitter, shut down my Facebook, to me, they [the hacker] won,” she said. “I refuse to do that. Will I put up extra protection on my social media? Yes. I have.

“Whether this is ISIS directly or someone posing as ISIS, I don’t know. I trust the FBI and any other agencies that may be working on these types of threats. I trust them. And I refuse to live my life in fear.”

Amy Bushatz, a third military spouse who received online threats from the same breach, blogged about the experience Tuesday. Her husband is an Army officer who deployed to Afghanistan.

“Military spouses are used to being brave. We’re used to standing up for ourselves. We are married to somebody who is living, often, in a very scary situation – deployed with their life is in imminent danger. That’s unnerving. We’re used to those feelings. We’re not people who are easily bullied by terrorists,” Bushatz told NBC News.

Military Spouses Hacked
Military Spouses Hacked

Being contacted directly by a purported ISIS sympathizer, Bushatz said, “is a little frightening.”

“That being said, there is a difference between being afraid and living in fear. The question is, really, what are you going to do with that [feeling]?”

“There’s no reason to be running around town with a sticker on your car saying that you’re an Army wife,” she said. “That does not mean you have to be living in fear, though. This is not a reason to delete your Facebook account,” Bushatz said.

“It might be a reason to take that loud-and-proud picture of your husband in uniform off of a place where everybody and their terrorist friend can see it. But it’s not a reason to go into hiding.


“Facebook porn Trojan” – here’s how NOT to get caught

Posted on

The malware cat is amongst the Facebook pigeons again, in the wake of a posting to the well-known Full Disclosure mailing list.

Self-proclaimed to be a “quirky list” that “provides some comic relief and certain industry gossip”, Full Disclosure does pretty much what is says, and more.

Notably, it’s a place where you are welcome to publish full descriptions of exploits and working proof-of-concept code that lets others to unleash those exploits for themselves, and there is no requirement to give anyone else a heads-up first.

Fortunately, in the case we’re looking at here, the original poster didn’t give so much away that others could take his information and turn it into a new attack without even bothering to understand what was going on first.

→ Proponents of full disclosure, where “full” really means “full”, and where you don’t even give vendors a head start, say that it’s the only way to avoid politics and favouritism. Opponents note that full disclosure often makes it far too easy for copycat attackers who would otherwise be stymied by their own ignorance or inability.

The story is simple, and sadly so often effective.

You receive a Facebook posting that offers you porn; you click through to the website; you see what looks like the promised content, but…
guess what?

You need a software update before you can view this particular video.

→ The crooks have various different schpiels they can trot out at this point, from insisting that you need a Flash upgrade, perhaps even for “security” reasons, to advising that the video uses a new form of compression or encoding, and needs a custom codec. That’s short for coder/decoder and refers to a plugin that handles specific file and compression types.

In this latest “Facebook porn Trojan” malware case described by Mohammad Faghani on Full Disclosure, the malware you are seduced into downloading doesn’t just infect your computer.

It can download additional components with additional functionality, so you may end up affecting or infecting other people, too.

"Facebook porn Trojan"
“Facebook porn Trojan”

Faghani says that one side-effect of this particular malware is to post a Facebook message via your account, and then tag 20 of your friends in the post.

Not only does that as good as turn the malware into a self-spreading virus, it also leaves you with even more egg on your face that a plain post would.

Sophos products block this malware as Troj/ExtenBro-A, as well as blocking the web pages to which it connects.

That should be enough to stop you getting infected in the first place.

Or perhaps we should be blunt enough to say, “in the third place.”

After all, if you didn’t click on the free porn in the first place, and on the bogus video player update in the second place, you wouldn’t need an alert in the third place!

What to do?

• A video link that suddenly needs additional software is almost certainly a bait-and-switch scam. You’re promised X but that’s just so the crooks can foist Y on you. If you can’t resist the initial bait, at least avoid the switch!

• Take the time to review your Facebook privacy and security settings. That way, if you do make a blunder on Facebook, you will probably limit the effects on other people (and on your own reputation).

• Be aware before you share. Even when there is no malware involved, it’s easy to share things you later regret, especially in scams that offer you content that you can only see after you’ve Liked it.

• Consider running network gateway protection at home. Defence-in-depth says to have another layer of protection to bolster the security software on your computer. Sophos UTM Home Edition is our full business-grade product, 100% free to use at home.


Cyber attacks force a defence strategy re-think at major companies

Posted on

A barrage of damaging cyber attacks is shaking up the security industry, with some businesses and organisations no longer assuming they can keep hackers at bay, and instead turning to waging a guerrilla war from within their networks.

US insurer Anthem last week said hackers may have made off with some 80 million personal health records. Also, Amy Pascal said she would step down as co-chairman of Sony Pictures Entertainment, two months after hackers raided the company’s computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, offer a chance for younger, nimbler companies trying to sell customers new techniques to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone.

“Suddenly, the music has completely changed,” said Udi Mokady, founder of US-based CyberArk. “It’s not just Sony, it’s a culmination of things that has turned our industry around.”

Worldwide spending on IT security was about $90 billion last year, estimates Gartner. ABI Research reckons cybersecurity spending on critical infrastructure alone, such as banks, energy and defence, will reach $140 billion by 2020.

Several things are transforming the landscape. Corporations have been forced to allow employees to use their own mobile phones and tablets for work, and let them access web-based services like Facebook and Gmail from office computers. All this offers attackers extra opportunities to gain access to their networks.

And the attackers and their methods have changed.

Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, says Bryan Sartin, who leads a team of researchers and investigators at Verizon Enterprise Solutions, part of Verizon Communications. “They want to hurt the victim, and they have hundreds of ways of doing it,” he said in a phone interview.

The result: companies can no longer count on defending themselves with decades-old tools like firewalls to block traffic and antivirus software to catch malware, and then assume all traffic that does make it within the network is legitimate.

Research by IT security company FireEye last month, for example, found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

“Once an attacker has made it past those defences they’re in the gooey centre, and getting around is relatively simple,” said Ryan Wager, director of product management at vArmour.

Attackers can lurk inside a network for half a year before being detected. “That’s like having a bad guy inside your house for six months before you know about it,” says Aamir Lakhani, security strategist at Fortinet, a network security company.

Security start-ups have developed different approaches based on the assumption that hackers are already, or soon will be, inside the network.

Canada-based Camouflage, for example, replaces confidential data in files that don’t need it, like training databases, with fictitious but usable data. This makes attackers think they have stolen something worthwhile. US-based TrapX Security creates traps of ‘fake computers’ loaded with fake data to redirect and neutralise attacks.

Cyber attacks force a defence strategy
Cyber attacks force a defence strategy

California-based vArmour tries to secure data centers by monitoring and protecting individual parts of the network. In the US Target breach during the 2013 holiday shopping season, for example, attackers were able to penetrate 97 different parts of the company’s network by moving sideways through the organisation, according to vArmour’s Wager.

“You need to make sure that when you close the door, the criminal is actually on the other side of the door,” he said.

Funding these start-ups are US- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $US22 million ($28.3 million) in ThreatStream in December, while Bessemer Venture Partners last month invested $US30 million in iSIGHT Partners. Both companies focus on so-called ‘threat intelligence’ — trying to understand what attackers are doing, or plan to do.

Clients are starting to listen.

Veradocs’ CEO and co-founder Ajay Arora says that while his product is not officially live, his firm is already working with companies ranging from hedge funds to media entertainment groups to encrypt key documents and data.

UK-based Darktrace, which uses maths and machine learning to spot abnormalities in a network that might be an attack, has a customer base that includes Virgin Trains, Norwegian shipping insurer DNK and several telecoms companies.

But it’s slow going. Despite being open for business since 2013, it’s only been in the past six months that interest has really picked up, says Darktrace’s director of technology Dave Palmer.

“The idea that indiscriminate hacking would target all organisations is only starting to get into the consciousness.