Month: April 2015

Canadian Hacker Arrested for Spying Through Webcams


Ottawa – Federal police arrested a Canadian woman Wednesday accused of remotely taking over people’s computers and spying on them using their own webcams.

The 27-year-old suspect, who allegedly leads an online hacker forum with 35,000 members worldwide, used malicious software to infect and take over others’ computers, the Royal Canadian Mounted Police said in a statement.

She is believed to be “at the origin of a botnet, i.e. a group of computers infected by a virus and remotely controlled by a hacker,” police said, declining to identify her.


From her home in Saint-Alphonse-Rodriguez, Quebec, the woman allegedly eavesdropped on private conversations and communicated with victims through the speakers of their infected computers.

Police said she also “frightened her victims,” including children, by taking over control of their computers and logging on to extreme pornography websites.

Police also seized control of her web forum and shut it down.


PayPal Inc Bug Bounty – JDWP Remote Code Execution Vulnerability


In recent weeks a new security researcher, Milan A Solanki, was actively reporting security bugs to PayPal and eBay Inc. One of his valid and verified issues was exclusively disclosed through the Vulnerability Laboratory infrastructure. In April, Milan A Solanki discovered a remote code execution vulnerability in the marketing online service web application of PayPal. The issue was marked as critical with a CVSS score of 9.3.

The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs (hereafter called the target VM). JDWP is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server.

The tool he used to find the issue was the well-known IOActive script jdwp-shellifier. He scanned the marketing site and found port 8000 open (pre-auth); once the connection was accepted he executed his own code/commands, and finally disclosed a remote code execution issue to the official PayPal Inc. bug bounty program. Within one week the PayPal security team verified the vulnerability, and they patched the bug within two weeks of disclosure.

Vulnerable Protocol(s):
[+] JDWP

Affected Port(s):
[+] 8000

The security researcher recorded a video demonstrating the vulnerability in a live hack session. The video is also available in our fresh feed and demonstrates the security risk of the vulnerability.


Researchers hijack teleoperated surgical robot: Remote surgery hacking threats


When could a denial of service attack have lethal consequences? It could be fatal if it is launched at a “crucial point” during a surgery which is being conducted over the Internet by a surgeon via a teleoperated robot.

When a surgeon cannot physically be in a specific location, but a robot could, then telesurgery could allow a surgeon to operate via a robotic system from a remote location; teleoperated surgical robots could be used to save lives in underdeveloped rural areas, locations affected by natural or human-caused disasters and battlefield scenarios. Yet security has not been a concern for telerobotic surgery, even though there is a 20% yearly increase in the number of robots sold. The authors of a recent research paper asked, “What if the computer systems for these robots are attacked, taken over and even turned into weapons?” They referenced Stuxnet as an example of what can happen when a cyber-physical system, aka embedded system, is targeted.

A team of bright minds from the University of Washington Departments of Electrical Engineering and of Computer Science and Engineering identified “a slew of possible cyber security threats.” During research supported by the National Science Foundation, they were able to “maliciously control a wide range of robot’s functions, and even to completely ignore or override command inputs from the surgeon.” But those aren’t the only attacks they demonstrated in “To Make a Robot Secure: An Experimental Analysis of Cyber Security Threats Against Teleoperated Surgical Robots.” They also found “that it is possible to abuse the robot’s existing emergency stop (E-stop) mechanism to execute efficient (single packet) attacks.”

The researchers set out to determine how easily an attacker could compromise a teleoperated surgery system and what cyberattacks could be successfully launched. For their analysis, they used the robotic surgery platform Raven II which was developed by the University of Washington and was featured in the film Ender’s Game.


The Raven II has “two winglike arms that end in tiny claws” which were designed to hold surgical tools in order to perform surgery via commands sent over the Internet. “A surgeon sitting at a screen can look through Raven’s cameras and guide the instruments to perform a task such as suturing,” explained UW. The Raven II robot runs on a PC running the Robot Operating System (ROS), which is open-source control software. The Raven communicates “with the control console using a standard communications protocol for remote surgery known as the Interoperable Telesurgery Protocol,” a publicly available protocol that the researchers were able to easily hijack. “We effectively took control over the teleoperated procedure,” they wrote (pdf).

In hijacking attacks, a malicious entity causes the robot to completely ignore the intentions of a surgeon and instead perform some other, potentially harmful actions. Possible attacks include both temporary and permanent takeovers of the robot, and depending on the actions executed by the robot after being hijacked, these attacks can be either very discreet or very noticeable.

While some people do die on an operating table, death on an operating table due to a denial-of-service attack is hard to imagine. However, in another hijacking attack, the researchers were able to abuse the robot’s safety mechanism that is meant to prevent the robot’s arms from moving too fast or outside of the allowed area. “Every time the Raven’s arms are commanded to move too fast, or go to an unsafe position, the robot’s software imposes a system-wide halt, referred to as a software E-stop.” Yet they found “that it is possible to abuse the robot’s emergency stop (E-stop) to execute efficient (one packet) denial-of-service attacks.”

The research team added:

By sending a leading packet to the robot, where at least one of the changes in position or rotation is too large, and would cause the Raven to either go too fast or to go to a forbidden region, we are able to E-stop the robot. Moreover, by repeatedly sending a malicious leading packet as the one just described, we are able to easily stop the robot from ever being properly reset, thus effectively making a surgical procedure impossible.

In another of the three types of cyberattacks studied, the researchers said an attacker could directly impact a surgeon’s intended actions by modifying his/her messages while packets are in flight, making the robot’s real-time movements jerky and difficult to control. Some of the attacks included changing the surgeon’s packets on the fly by “deleting, delaying or re-ordering” commands before sending them to Raven, such as commands telling the robot to change position or rotation. The team wrote, “Most of these attacks had a noticeable impact on the Raven immediately upon launch.”

Besides increasing awareness of security issues in cyber-physical systems, the researchers showed attacks against Raven II resulted in breaching “several concerning elements of the system over a wide attack surface, and some extremely efficiently (with a single packet).” They concluded that “some of these attacks could have easily been prevented by using well-established and readily-available security mechanisms, including encryption and authentication.” Yet “encrypting and authenticating video feedback will likely cause an unacceptable decrease in packet throughput rate.”

Lastly, the researchers believe that the concerns they presented “are not unique to teleoperated surgery, but are common to all teleoperated robots. Because of the wide variety of physical and digital capabilities these systems wield, telerobotic security needs to become front-and-center.”


How to do satellite jamming


Satellite jamming is a kind of censorship whereby a government, hackers or criminals block access to a satellite and prevent the free flow of information. It is also referred to as intentional technical interference. Satellite jamming is a breach of Article 15 of the Radio Regulations of the International Telecommunication Union, as explained by Mike Stevens, ethical hacking course expert at the International Institute of Cyber Security.


If a government like China’s, where free speech is not permitted, wants to control the media and communications carried over other channels such as satellite, it can sometimes turn to satellite jamming. This can help a government or an organization get a tight grip over the media and all modes of communication, and control satellite television broadcasts coming from outside the country.

Satellite jamming incidents have occurred in various countries such as Russia, Cuba, Iran, China and even the US, according to information security training expert James Taylor. An international satellite’s transponder receives information from uplink stations, which might be television stations or companies, and the satellite then broadcasts the signal to various downlink stations on the ground.

Orbital jamming involves a criminal or hacker sending contradictory signals directly towards a satellite through their own or a hacked uplink station. When these jamming signals are sent, the frequencies mix with each other, the original feed is disrupted and nobody can hear the original signal/channel.

As a satellite system works in groups of channels, when one channel is jammed, all other channels in the group are also disrupted. Orbital jamming carried out by a government causes censorship not only in its own country but in other countries and continents too. For example, if a democracy-oriented radio station suffers an orbital jamming attack in China, all Indian viewers tuned into the same frequency from the same satellite will be unable to access that radio channel. According to the ethical hacking course expert, neighboring channels can also be affected by jamming.

Terrestrial jamming occurs in a specific location and involves equipment on the ground. Rather than targeting the satellite itself, as is the case in orbital jamming, terrestrial jamming involves sending contradictory signals directly towards the local consumer-level satellite dish. The contradictory frequencies are area-specific, interfering only with the satellite signals in a specific location. Small, portable terrestrial jammers have a range of 5 kilometers in urban areas. Big terrestrial jammers have a range of up to 50 kilometers. Terrestrial jammers also interfere with radio frequencies, thus affecting radio communications between the police, hospitals, etc. Consumers cannot tell whether they are experiencing terrestrial or orbital jamming. The information security training expert explained that the technology required for satellite jamming is fairly standard, easy to purchase, use and conceal, and costs around 4,000 to 30,000 USD.

How to carry out satellite interference, or satellite jamming

Satellite interference, or satellite jamming, is a type of censorship whereby a government, hackers or criminals block access to a satellite and prevent the free flow of information. It is also referred to as intentional technical interference. Satellite jamming is a violation of Article 15 of the Radio Regulations of the International Telecommunication Union, as explained by ethical hacking instructor Mike Stevens of the International Institute of Cyber Security.

If a government like China’s, where the right to free expression is not permitted, wants to control the media and communications carried over other channels such as satellite, it may sometimes turn to satellite jamming. This can help a government or an organization gain control over the media and over satellite television or radio broadcasts coming from outside the country.

Satellite interference or satellite jamming incidents have occurred in various countries such as Russia, Cuba, Iran, China and even the United States, according to information security training school expert James Taylor. An international satellite’s transponder receives information via uplink stations, which may be television stations or companies, and the satellite then transmits the signal to various downlink stations on the ground.

Orbital satellite jamming involves a hacker or criminal sending contradictory signals directly towards a satellite through their own or a hacked uplink station. When these strong jamming signals are sent, the frequencies mix with one another, the original signal is disrupted and nobody can hear the original signal or channel.

As a satellite system works in groups of channels, when one channel is jammed, all other channels in the group are also disrupted. Orbital jamming carried out by a government causes censorship not only in its own country but in other countries and continents too. For example, if a democracy-oriented radio station suffers an orbital jamming attack in China, all viewers in India tuned to the same frequency on the same satellite will be unable to access that radio channel. According to an ethical hacking course expert, neighboring channels can also be affected by the interference.

Terrestrial jamming occurs in a specific location and involves a device on the ground. Rather than targeting the satellite, as in orbital jamming, terrestrial jamming involves sending contradictory signals directly towards the local consumer-level satellite dish. The contradictory frequencies are area-specific, interfering only with the satellite signals in a specific location. Small, portable terrestrial jammers have a range of 5 kilometers in urban areas. Large terrestrial jammers have a range of up to 50 kilometers. Terrestrial jammers also interfere with radio frequencies, affecting radio communications between the police, hospitals, etc. Consumers cannot tell whether terrestrial or orbital jamming is taking place. The information security training expert explained that the technology needed for satellite jamming is fairly standard and easy to acquire, and the cost is around 4,000 to 30,000 dollars.


Hackers hijack Tesla’s website, Twitter account and email – but how?


Tesla Motors is famous for its high performance, gadget-filled, electric cars – but that doesn’t necessarily mean that it’s a master of all technology.

This weekend, to the amusement of some on social media, Tesla’s website and Twitter account were hijacked by hackers.

Visitors to found that in place of the normal sexy imagery of electric automobiles, hackers had added their own images and messages.

Meanwhile, the company’s Twitter account (@TeslaMotors) had also suffered at the hands of hackers, who renamed it #RIPPRGANG and told the firm’s half a million followers that they should call a phone number if they wanted a free Tesla.

To add insult to injury, Tesla CEO Elon Musk’s personal Twitter account was also hijacked by the hackers, proving that being an internet billionaire isn’t necessarily a guarantee that you don’t suffer from first world problems.

Twitter user @rootworx, who was referenced in many of the tweets posted by the hackers, denied any connection with the breach, and said that the attackers had given out his home phone number as the one that users should call for the mythical free Tesla.


The logical assumption is that @rootworx has really really upset someone, or at the very least they’re getting much amusement from pranking him when they hack accounts.

Tesla is far from the only high profile organisation to have its website hijacked recently. A similar fate, for instance, recently befell Google in Vietnam and Lenovo as Hot for Security reported a couple of months ago.

So, how are the hackers doing this?

Well, the first thing to realise is that – despite appearances – the websites of Tesla Motors, Google and Lenovo were not actually hacked. At no time did the hackers manage to gain unauthorised access to servers belonging to these companies.

Instead, the hackers were able to give the appearance that a web server breach had occurred by changing the site’s DNS records to point to another server, hosting the images and messages that they wanted visitors to see.

Quite how the hackers managed to gain control of Tesla’s DNS records is unclear, but it could have been a failure at the registrar the company chooses to look after its DNS entries.

But there’s more. We know that the hackers also managed to gain control of Tesla’s Twitter account, and that of its billionaire boss Elon Musk. How did they do that?

Well, it appears that as well as changing the DNS records for Tesla’s website, the hackers may have also altered the MX mail server records for That would mean that they could send any emails directed to to a mail server under their own control.

In short, the hackers could now read any emails sent to Tesla Motors.


With that in place, all that the criminals had to do was request a password reset for the Twitter accounts and wait for the confirmation email to be sent to the appropriate addresses at

Of course, if Tesla had had login verification enabled on their Twitter accounts, chances are that the hackers would have found it tricky to tweet under the company’s name.

It’s worth remembering that any form of two factor authentication is better than having no additional security layer at all.

We should also be grateful that whoever compromised the Tesla Twitter accounts and hijacked the firm’s website appears to have been more interested in childish pranks rather than using the opportunity to spread money-making malware, phish for credentials or cause other harm to innocent consumers.


My Freedom Smokes Website Burnt by Malware


The nefarious, encrypted strings were discovered on March 16, 2015, but following an investigation into the incident the administrators determined that the initial date of the breach may go as far back as February 11.

Payment card information may be at risk

Once the unauthorized code was discovered, the admins proceeded to remove it and to strengthen the security measures on the website for increased protection of the data stored.

The security improvement efforts were assisted by a specialized company. As part of this process, My Freedom Smokes changed the method for taking online orders, although it had already relied on encrypted communication with the clients and the card processor gateway machine was encrypted during the breach period.


According to a notification from the company, the financial information that may have been grabbed by the attacker includes names, physical addresses, email addresses, telephone numbers, credit card numbers, expiration dates and the card verification value (CVV) code.

Basically, all the data needed for placing an order on the website (or on any other online store) during the aforementioned period may have been exposed.

Customers incurred fraudulent charges

The company states that the payment card numbers it stores are only partial and that CVVs are not saved on its infrastructure.

Some of the My Freedom Smokes customers have reported fraudulent charges on their payment cards during the breach period. However, it is unclear if the illegal activity was due to the compromise of this retailer or a different one.

Unlike in other data breach incidents, My Freedom Smokes does not offer a complimentary subscription to an identity protection service; this step is not mandatory, though.

On the other hand, it provides tips on keeping safe from malicious activity and recommends reviewing the bank account statements for irregular transactions.


Wi-Fi SSID names could allow to crash or hack mobile devices


In an e-mail published on the Open Source Software Security (oss-security) mailing list, a user reported a serious vulnerability that could allow attackers to crash devices or even potentially inject malware into their system by using crafted P2P SSID names.

The flaw was discovered by the security team at Alibaba and reported to wpa_supplicant maintainer Jouni Malinen by the Google security team.

The attack is carried out via a malicious wireless peer-to-peer network name and relies on how wpa_supplicant “uses SSID information parsed from management frames that create or update P2P peer entries” in the list of available networks.

The experts explained that the flaw is similar to the Heartbleed bug, with the difference that the wpa_supplicant vulnerability could allow an attacker to access the contents of memory and modify it.


The flaw stems from incorrect validation of data, specifically the check on the length of the transmitted data. An attacker can use a P2P SSID name that exceeds the valid 32 octets of allocated memory and write information beyond that memory space. The attack allows hackers to write data into memory, causing wpa_supplicant and the Wi-Fi service to crash and resulting in a DoS on affected devices. The attacker only has to send responses to Wi-Fi probe requests or P2P network Public Action messages. The attacker could also exploit the flaw to expose memory contents during the three-way handshake of a peer-to-peer network negotiation, or potentially to run arbitrary code on the target system.

SSID information “is transmitted in an element that has an 8-bit length field and potential maximum payload length of 255 octets,” Malinen wrote, and the code “was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.”
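The length check Malinen describes, written out as an added example in C (this is not wpa_supplicant’s code, and the `p2p_peer` struct, the result codes and the test frames are constructed stand-ins): the parser walks the information elements of a frame, refuses an SSID element whose 8-bit length exceeds the 32-octet buffer, and also refuses an element whose declared length runs past the end of the frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 element IDs: 0 is the SSID element, 221 is vendor-specific.
 * SSID_MAX_LEN is the fixed 32-octet buffer the article refers to. */
#define IE_ID_SSID      0
#define IE_ID_VENDOR    221
#define SSID_MAX_LEN    32
#define IE_HEADER_LEN   2    /* one octet ID, one octet length */

/* Constructed stand-in for a peer entry: the fixed buffer is followed by a
 * pointer, mirroring the "pointer that gets freed" an unchecked copy would hit. */
struct p2p_peer {
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    void   *extra;
};

enum ssid_result {
    SSID_OK = 0,
    SSID_NOT_FOUND = 1,
    SSID_TRUNCATED = 2,   /* declared length runs past the end of the frame */
    SSID_TOO_LONG = 3     /* declared length exceeds the 32-octet buffer */
};

/* Parse the element list of a management frame body and copy the SSID into
 * peer only if (1) the element fits in the remaining frame bytes and
 * (2) its length does not exceed SSID_MAX_LEN. Check (2) is the one the
 * article says was missing on one code path. */
enum ssid_result parse_ssid_from_ies(const uint8_t *ies, size_t ies_len,
                                     struct p2p_peer *peer)
{
    size_t pos = 0;
    while (pos + IE_HEADER_LEN <= ies_len) {
        uint8_t id  = ies[pos];
        uint8_t len = ies[pos + 1];
        const uint8_t *payload = ies + pos + IE_HEADER_LEN;

        if ((size_t)len > ies_len - pos - IE_HEADER_LEN)
            return SSID_TRUNCATED;                 /* check (1) */

        if (id == IE_ID_SSID) {
            if (len > SSID_MAX_LEN)
                return SSID_TOO_LONG;              /* check (2): reject, never truncate */
            memcpy(peer->ssid, payload, len);
            peer->ssid_len = len;
            return SSID_OK;
        }
        pos += IE_HEADER_LEN + len;
    }
    return SSID_NOT_FOUND;
}

/* Bytes an unchecked copy into the 32-octet buffer would write past its end. */
size_t ssid_overflow_bytes(uint8_t declared_len)
{
    return declared_len > SSID_MAX_LEN ? (size_t)declared_len - SSID_MAX_LEN : 0;
}

/* Build a constructed element list: a 3-octet vendor element first (so the
 * parser must step over something), then an SSID element of ssid_len 'A's.
 * buf must hold at least 5 + IE_HEADER_LEN + 255 bytes. Returns bytes written. */
size_t build_test_ies(uint8_t *buf, uint8_t ssid_len)
{
    size_t pos = 0;
    buf[pos++] = IE_ID_VENDOR; buf[pos++] = 3;
    buf[pos++] = 0x00; buf[pos++] = 0x50; buf[pos++] = 0xf2;
    buf[pos++] = IE_ID_SSID;
    buf[pos++] = ssid_len;
    memset(buf + pos, 'A', ssid_len);
    return pos + ssid_len;
}

/* Parse a constructed frame whose SSID element declares the given length. */
enum ssid_result check_ssid_len(uint8_t ssid_len)
{
    uint8_t frame[5 + IE_HEADER_LEN + 255];
    struct p2p_peer peer = {0};
    size_t n = build_test_ies(frame, ssid_len);
    return parse_ssid_from_ies(frame, n, &peer);
}

/* Parse a frame whose SSID element claims 10 more bytes than the frame carries. */
enum ssid_result check_truncated_frame(void)
{
    uint8_t frame[5 + IE_HEADER_LEN + 255];
    struct p2p_peer peer = {0};
    size_t n = build_test_ies(frame, 20);
    return parse_ssid_from_ies(frame, n - 10, &peer);
}

int main(void)
{
    printf("len 5:   %d\n", check_ssid_len(5));      /* SSID_OK */
    printf("len 32:  %d\n", check_ssid_len(32));     /* SSID_OK */
    printf("len 255: %d\n", check_ssid_len(255));    /* SSID_TOO_LONG */
    printf("truncated: %d\n", check_truncated_frame()); /* SSID_TRUNCATED */
    printf("unchecked copy of 255 octets overflows by %zu bytes\n",
           ssid_overflow_bytes(255));                /* 223 */
    return 0;
}
```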

While the attack is very difficult to carry out if the target device isn’t actively using P2P Wi-Fi connections, it is possible to use a malicious SSID, an “evil SSID”, to cause a denial of service without a P2P network. The good news is that a patch for the vulnerability is available; Google will include it for its Android system in one of the next security updates.

It is important to note that the vulnerability in the Wi-Fi security could also leave Windows and Linux devices open to DoS attacks.


Malware used in White House and State Department hacks possibly linked to Russia


The group of attackers behind cyberintrusions at the White House and the Department of State last year used malware that bears strong similarities to cyberespionage tools suspected to be of Russian origin.

Security researchers from Kaspersky Lab dubbed the cyberespionage group CozyDuke and said that it has blatantly targeted high-profile victims since the second half of last year. Its toolset includes malware droppers, information-stealing programs and backdoors that have antivirus evasion capabilities and make use of cryptography, the researchers said Tuesday in a blog post.

More importantly, technical evidence suggests that some of the CozyDuke malware has strong “functional and structural similarities” to known components of the MiniDuke, CosmicDuke and OnionDuke cyberespionage tools, the Kaspersky researchers said.

Those three threats have been used to attack NATO members and European governments over the past two years and are believed to be related.

While the Kaspersky researchers did not discuss CozyDuke’s possible origins in their blog post, researchers from other companies who analyzed MiniDuke, CosmicDuke and OnionDuke in the past believe they are the work of the Russian government.


In a January blog post, researchers from F-Secure noted that none of the high-profile CosmicDuke or OnionDuke targets were from Russia. The only victims detected in Russia had links to illegal substances, suggesting that those spyware tools might be used in support of law enforcement investigations in the country.

“Considering the victims of the law enforcement use case seem to be from Russia, and none of the high-profile victims are exactly pro-Russian, we believe that a Russian government agency is behind these operations,” the F-Secure researchers concluded.

The possible link between the State Department security breach last year and Russian hackers has been noted before. In February, the Wall Street Journal reported that five unnamed people familiar with the intrusion had seen or had been told of links between the malware used in the attack and the Russian government.


Naval Academy Midshipmen Win NSA Hacking Contest


Midshipmen from the United States Naval Academy in have won the National Security Agency’s Cyber Defense Exercise (CDX) for the third time.

Between April 13 and 17, the CDX pitted the U.S. Naval, Air Force, Coast Guard, Merchant Marine and Military Academies and the Royal Military College of Canada against one another in a hacking contest designed by the NSA’s Information Assurance Directorate. The five-day contest takes place entirely on virtual private networks at a Maryland facility. CDX is part of the NSA’s broader mission to raise awareness about cybersecurity within the military.


Cadets and midshipmen are tasked with defending their own networks, which they designed during the academic year at their respective schools, against attacks perpetrated by NSA security professionals. Ultimately, the goal of the competition is to ensure network stability and operability while detecting, responding to and recovering from a series of compromises.

“CDX is a competition singular in its scope, its execution, and in training opportunities,” said Alex Gates, an IAD senior leader. “It provides to those who are constructing, managing, and defending networks the skills and ability to develop more knowledge in the cyber defense arena. Not only do the students benefit by being on the defensive side, but those who are participating from NSA on the offensive side are also able to share information that can help us, as a nation, better protect our networks.”


Apple’s fix didn’t close Rootpipe backdoor


When TrueSec researcher Emil Kvarnhammar discovered a privilege escalation bug affecting OS X that could allow attackers to gain complete control of the target’s Mac machine, he disclosed details about it to Apple.

It took the company over half a year to issue a patch, due to the amount of changes required in OS X to plug the hole. For this reason, they only released a patch for OS X Yosemite (10.10.3).


But, it seems that even that long a period was not long enough to thoroughly address the issue, as Patrick Wardle, Director of Research at Synack, recently discovered “a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system.”

“In the spirit of responsible disclosure, (at this time), I won’t be providing the technical details of the attack (besides of course to Apple). However, I felt that in the meantime, OS X users should be aware of the risk,” he said in a blog post, and shared a demonstration of the exploit.


Fraudsters ‘Punk’ Windows Point of Sale Terminals with New Malware


An advanced strain of malware is capable of attacking Windows point of sale terminals, stealing cardholder data and upgrading itself while hiding in plain sight.

Researchers from Chicago-based security vendor Trustwave discovered the new strain, calling it “Punkey,” while handling a recent investigation with the U.S. Secret Service. The investigation found compromised payment card information and more than 75 infected, and active, Internet Protocol addresses for Windows POS terminals.

Punkey poses a unique threat to payment networks, particularly because it also can download updates for itself.

“If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server,” said Karl Sigler, manager of Trustwave’s SpiderLabs research center. Essentially, Punkey operates like a typical botnet.

The malware hides inside of the Explorer process, which exists on every Windows device and manages the opening of individual program windows. Punkey scans other processes on the terminal to find cardholder data, which it sends to the control server.

The malware performs key logging, capturing 200 keystrokes at a time. It sends the information back to its server to store passwords and other private information.

A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft stopped supporting Windows XP with security patches. However, Punkey does not attack Windows through any vulnerability in the system, so even merchants with newer versions of Windows are at risk, Sigler said.

“Punkey just runs like any Windows binary would,” Sigler said. “Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.”

Many retailers use remote desktop support software, which fraudsters take advantage of, Sigler said. “They steal a password and install malware like a technician would install any software,” he said.


While Punkey represents a more sophisticated POS malware than Trustwave has seen previously, merchants can still protect themselves through attention to basic security best practices, Sigler said.

Merchants should update antivirus and firewall protections, monitor the remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary, Sigler said. “If your POS terminal looks like it is browsing the Web from somewhere in Eastern Europe, that is not quite right and should tell you something is going on.”

Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks, Sigler said.
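One way to automate the daily network check Sigler recommends, as an added example that is not from the article or from Trustwave: a short Python script that flags POS terminals whose outbound connections fall outside an allowlist of expected destinations. The log format, the POS subnet and the allowlisted hosts are constructed for the example and would need adapting to a real firewall or proxy log.

```python
"""Flag POS terminals talking to unexpected Internet destinations.

Added example, not from the article. Input is a constructed firewall/proxy
log with one connection per line: timestamp, source IP, destination host,
destination port, bytes sent. The POS subnet and the allowlist are
hypothetical values chosen for the demo.
"""
import ipaddress
from collections import defaultdict

# Assumption: POS terminals live in this subnet, and the only outbound
# destinations they should ever reach are the payment gateway and the
# vendor's remote-support host (both hypothetical names).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
EXPECTED_DESTINATIONS = {
    ("gateway.example-processor.test", 443),
    ("support.example-posvendor.test", 443),
}

# Constructed sample log: two terminals behave normally, one (10.20.0.13)
# posts a lot of data to an unknown IP, another reaches an unexpected port,
# and a non-POS host is present to show it is ignored by this rule.
SAMPLE_LOG = """\
2015-04-15T09:01:12 10.20.0.11 gateway.example-processor.test 443 2310
2015-04-15T09:01:40 10.20.0.12 gateway.example-processor.test 443 2287
2015-04-15T09:03:05 10.20.0.11 support.example-posvendor.test 443 512
2015-04-15T09:04:51 10.20.0.13 198.51.100.77 80 48211
2015-04-15T09:05:02 10.20.0.13 198.51.100.77 80 51730
2015-04-15T09:07:19 10.20.0.12 updates.example-corp.test 8080 1024
2015-04-15T09:08:00 10.50.1.5 198.51.100.77 80 400
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host, port, bytes_out); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            yield ts, ipaddress.ip_address(src), dst, int(port), int(nbytes)
        except ValueError:
            continue  # unparsable address or number: ignore the line


def find_suspicious_egress(log_text):
    """Return {pos_ip: [(dst, port, connections, total_bytes), ...]} for every
    POS terminal that connected somewhere outside the allowlist."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for _ts, src, dst, port, nbytes in parse_log(log_text):
        if src not in POS_SUBNET:
            continue  # only POS terminals are in scope for this rule
        if (dst, port) in EXPECTED_DESTINATIONS:
            continue  # known-good payment or support traffic
        entry = counts[str(src)][(dst, port)]
        entry[0] += 1
        entry[1] += nbytes
    return {
        src: sorted((dst, port, c, b) for (dst, port), (c, b) in dsts.items())
        for src, dsts in counts.items()
    }


if __name__ == "__main__":
    for src, hits in sorted(find_suspicious_egress(SAMPLE_LOG).items()):
        for dst, port, conns, total in hits:
            print(f"ALERT {src} -> {dst}:{port} ({conns} connections, {total} bytes out)")
```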

Earlier this month, Singapore Telecommunications Ltd agreed to acquire Trustwave in a move designed to better position the telco in cyber security.


How to secure points of sale (POS) against malware and hacking.

Posted on

There are multiple security controls required to cover attacks against point-of-sale systems, including controls for their applications, servers and networks. These include web applications and servers. The organization International Institute of Cyber Security, which provides the ethical hacking course, recommended the following controls to maintain point-of-sale security:

  • Restrict communication into and out of your environment to only what is required to run.
  • Make sure you are constantly protected against vulnerabilities in both systems and applications, even during patch cycles.
  • Identify when a system component has changed.
  • Protect against malware and malicious URLs.
  • Encrypt communication between applications and data. Continuously scan web applications for potential vulnerabilities.

To address risks within your data center, a digital forensics expert suggests a security solution that is open, automated and highly scalable, and that adapts to your existing infrastructure. Changes to system files can occur for many reasons, many of which are not due to an attack on the system. That said, monitoring point-of-sale systems for changes is an increasingly critical security control. It can provide an early indication of a problem, and it is in fact required by various compliance standards such as PCI DSS.

An information security services expert suggests a file integrity monitoring solution covering operating system files and critical application files, including directories, registry keys and values. Such systems detect and report any malicious or unexpected change on point-of-sale systems in real time.
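The file integrity monitoring described above, as an added example that is not from the article or from any vendor's product: a Python baseline-and-compare check over a directory tree, run here against a constructed temporary POS application folder. The folder layout, file names and simulated tampering are assumptions for the demo; Windows registry keys are not covered, though the same compare logic applies to exported registry values.

```python
"""File integrity monitoring for a POS terminal: baseline, then detect changes.

Added example, not from the article or any vendor product. Every regular file
under a root directory is hashed with SHA-256; a later scan is compared with
the saved baseline to report added, removed and modified files. The demo
builds its own temporary directory, so it runs offline.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map root-relative path (with '/' separators) -> {'sha256', 'size'}.
    Symlinks are skipped so a planted link cannot make the scan wander."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON (store it off the monitored host in practice)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario (hypothetical paths): baseline a fake POS app folder,
    then simulate a tampered binary, a dropped file and a deleted log."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "posapp")
        os.makedirs(os.path.join(app, "logs"))
        with open(os.path.join(app, "pos.exe"), "wb") as f:
            f.write(b"original pos binary")
        with open(os.path.join(app, "logs", "today.log"), "wb") as f:
            f.write(b"sale 12.50\n")
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(app), baseline_path)
        # Simulated tampering after the baseline was taken.
        with open(os.path.join(app, "pos.exe"), "wb") as f:
            f.write(b"trojanised binary")
        with open(os.path.join(app, "svchost.exe"), "wb") as f:
            f.write(b"dropped file standing in for malware")
        os.remove(os.path.join(app, "logs", "today.log"))
        return compare(load_baseline(baseline_path), build_baseline(app))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```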



The solutions taught during the ethical hacking course in Mexico can restrict communication into and out of your environment through firewall policies that can be tailored to the specific requirements of the servers and protect against attacks from inside or outside. They can also ensure that your firewall offers alerting services that help in managing and resolving problems.

Information security services in Mexico suggest using intrusion prevention system capabilities that protect against potential vulnerabilities and exploits. An important capability of an intrusion prevention system is the ability to update security policies automatically, so that the right protection is applied even before you have had the chance to patch.

Finally, digital forensics expert Mike Stevens pointed out that using anti-malware and anti-spyware that includes web reputation is important, not only for detecting malware but also for detecting spyware and protecting against malicious URLs in real time. IIcybersecurity offers security for web apps, a complete and integrated Software-as-a-Service (SaaS) offering that provides continuous vulnerability detection.

Punkey, a new POS Malware in the criminal ecosystem

Posted on

Malware researchers at Trustwave have detected a new point of sale (PoS) malware dubbed Punkey that was used by criminal crews to compromise payment systems of some organisations.

The experts discovered Punkey during a law enforcement investigation, and since its discovery the PoS malware has been significantly improved by its operators; the researchers have identified three different variants of the agent.

Trustwave speculates that different criminal crews used Punkey in their campaigns, tailoring it to specific targets in the retail industry.


Punkey implements common features of other PoS malware, but experts were surprised by its ability to update and alter its capabilities remotely.

“A second thread has spawned that handles downloading arbitrary payloads from the C&C server, as well as checking for updates to Punkey itself. This gives Punkey the ability to run additional tools on the system such as executing additional reconnaissance tools or performing privilege escalation. This is a rare feature for POS malware,” reads a blog post published by Trustwave SpiderLabs.

The malicious code also implements reconnaissance and hacking abilities.

“This traffic is AES encrypted, base64 encoded, then URL encoded. After reversing the process the data sent looks like this (no, it’s NOT a valid payment card number):”


“This is where the naming fun comes into play! The combination of P(OST)unkey and calling the malware author a punk was just too sweet to pass up.” continues the post.

Data transferred by the Punkey PoS malware to C&C servers includes payment card numbers and data collected by the Keylogger module.

In the following table are listed the principal differences in the operation of Punkey versus the other malware variants.


Since 2013, POS malware has been evolving rapidly; the most interesting developments relate to evasion techniques and exfiltration methods.

The number of data breaches is growing at a fast pace, and security experts maintain that measures to prevent cyber attacks against systems in the retail industry are still not adequate; for this reason it is important to monitor the evolution of this kind of threat.


Could a hacker *really* bring down a plane from a mobile phone in seat 12C?

Posted on

The US Government Accountability Office (GAO) publishes an eclectic range of documents at a fair clip.

Indeed, the GAO’s website is an impressive source of documents zeroing in on a wide range of public service issues.

In just the past week, for example, we’ve had coverage of: how to deal with the implementation of the Helium Stewardship Act of 2013; the adoption of an incremental approach to Amphibious Combat Vehicle Acquisition; management challenges for the National Nuclear Security Administration; and gender equality, or the lack of it, in STEM research (Science, Technology, Engineering and Mathematics).

But no recent document has caused quite as much media stir as GAO-15-370, boldly entitled Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen.

NextGen, in case you are wondering, means, at least in this context, the Next Generation Air Transportation System, an extended project to update and improve the software, hardware and operational procedures surrounding air travel in the USA.

As a result of this report, published earlier this week, you’ve probably seen headlines all over the web giving prominence to concerns about hackers taking over planes, with various degrees of implied drama.

Wired had an eye-catching but reasonably non-committal headline:

So, what’s the truth?

Could a hacker *really* bring down a plane from a mobile phone in seat 12C?

The answer is, “That’s very, very, unlikely.”

Nevertheless, hats off to the GAO for adopting the computer security principle that we informally refer to as never say never.

The complete document, at 56 pages, is actually much more interesting than you might at first think, and doesn’t actually ask you to imagine planes raining out of the sky thanks to tablet-wielding terrorists in tourist class.

But, as the document points out, the Federal Aviation Administration (FAA) is now ten years into the abovementioned NextGen modernisation programme.

A detailed review of where the FAA has got to, where it is going, and how it ought to get there was requested, and the GAO obliged.

The ten-year timeframe seems particularly pertinent given the recent news that a voting system in Virginia, USA – one that you would have been forgiven for calling comically insecure ten years ago – has only just been reviewed, found wanting and decommissioned.

Ironically, one of the serious insecurities in the Virginia Comedy Voting Machine story was Wi-Fi related: the reliance on Wired Equivalent Privacy (WEP), a cryptographic protocol that seemed OK at first, but was soon found to be fundamentally flawed and automatically crackable in minutes.

Of course, on many modern airliners, passengers don’t need to hack into the Wi-Fi network at all, because it’s offered as a service you’re encouraged to connect to, albeit at the same sort of cost as a month’s worth of bandwidth on the ground.

In short, Wired’s headline pointing out that “in-flight Wi-Fi is a ‘direct link’ to hackers” is unexceptionable; what isn’t so certain is whether in-flight Wi-Fi is also a transitive ‘direct link’ to the control systems of the plane.

If that were so, perhaps hackers really could cause seriously scary situations, like unauthorised barrel rolls, right from their seats?

But with two completely separate networks for in-flight entertainment and for aircraft control, you might reasonably be willing to say “never” after all…

…at least, until you get to Page 23 of the GAO’s report, where you will find this network diagram:


I’m not alarmed – I have no doubt that occasional air travel is significantly safer than my daily rush-hour bicycle commute, which brings a whole new dimension to Warbiking – but that particular diagram did make me alert.

I don’t know about you, but a single blue box labelled “ethernet router” between seat 12C and the pointy end of the plane certainly gives me pause for thought.

When the GAO next produces a Cybersecurity in the NextGen Project report, I’d be a lot happier to see two separate red lines providing network service inside the plane.


WikiLeaks republishes all documents from Sony hacking scandal

Posted on

WikiLeaks has republished the Sony data from last year’s hacking scandal, making all the documents and emails “fully searchable” with a Google-style search engine.

The move provides much easier access to the stolen information. Searching the name of, for example, former Sony Pictures chief Amy Pascal, whose controversial comments were revealed by the hack, immediately yields nearly 5,700 results.

Julian Assange, WikiLeaks’ editor-in-chief, said: “This archive shows the inner workings of an influential multinational corporation. It is newsworthy and at the centre of a geopolitical conflict. It belongs in the public domain. WikiLeaks will ensure it stays there.”

But Sony accused WikiLeaks of contributing to the damage done by the data theft, which it condemned as “a malicious criminal act.”

“The attackers used the dissemination of stolen information to try to harm SPE and its employees, and now WikiLeaks regrettably is assisting them in that effort,” a Sony spokesperson wrote in an unbylined statement.

US intelligence officials asserted that the hack was sponsored by North Korea, something other experts have cast doubt upon. Photograph: Robyn Beck/AFP/Getty Images

“We vehemently disagree with WikiLeaks’ assertion that this material belongs in the public domain and will continue to fight for the safety, security, and privacy of our company and its more than 6,000 employees.”

Former senator Chris Dodd, chairman of the MPAA, also spoke out against the republication of the material. “This information was stolen from Sony Pictures as part of an illegal and unprecedented cyberattack,” he wrote in a press statement. “Wikileaks is not performing a public service by making this information easily searchable. Instead, with this despicable act, Wikileaks is further violating the privacy of every person involved.”

WikiLeaks said the stolen files shed light on cooperation between government agencies and entertainers. “The connections and alignments between Sony Pictures Entertainment and the Democratic party are detailed through the archives, including SPE’s CEO [Michael] Lynton attending dinner with President Obama at Martha’s Vineyard and Sony employees being part of fundraising dinners for the Democratic party.”

The hacked Sony documents were originally not much more than hard-drive images converted into common compressed file formats, meaning that anyone curious about the information could download it from a filesharing service like BitTorrent.

But, if interested in company emails or financial data, users needed to wade through spreadsheet-like directory trees or run memory-taxing searches stretching the abilities of most personal computers. The files, in total, comprised several terabytes of material, including video ranging from movies to high-resolution promotional spots. The video material appears to have been redacted from the searchable files on WikiLeaks.

The new site removes the processing burden from users’ PCs and means that anyone will be able to look through the data available with a minimum of trouble. It is possible there is information there that no one has publicized before because of the difficulty of searching through the original leaks.

A group calling itself Guardians of Peace distributed the files originally in November last year by seeding the files to peer-to-peer filesharing services across the internet; the files spread quickly and affected the release schedule for several movies, in particular the Seth Rogen-James Franco comedy The Interview, which made fun of North Korean leader Kim Jong-un.

US intelligence officials asserted that the hack was sponsored by North Korea, something other experts have cast doubt upon.


Arkansas cops send malware to whistleblowers’ lawyers

Posted on

An Arkansas lawyer representing ex-cops who blew the whistle on corruption in the Fort Smith Police Department says that when he gave the police brass a blank hard-drive for discovery documents, they returned it laden with sneaky malware, including a password-sniffing keylogger and a backdoor that would let the police department spy on their legal opponents.

According to court documents filed last week in the case, Campbell provided police officials with an external hard drive for them to load with e-mail and other data responding to his discovery request. When he got it back, he found something he didn’t request. In a subfolder titled D:\Bales Court Order, a computer security consultant for Campbell allegedly found three well-known trojans, including:

* Win32:Zbot-AVH[Trj], a password logger and backdoor
* NSIS:Downloader-CC[Trj], a program that connects to attacker-controlled servers and downloads and installs additional programs, and
* Two instances of Win32Cycbot-NF[Trj], a backdoor

All three trojans are usually easily detected by antivirus software. In an affidavit filed in the whistle-blower case, Campbell’s security consultant said it’s unlikely the files were copied to the hard drive by accident, given claims by Fort Smith police that department systems ran real-time AV protection.


“Additionally, the placement of these trojans, all in the same sub-folder and not in the root directory, means that [t]he trojans were not already on the external hard drive that was sent to Mr. Campbell, and were more likely placed in that folder intentionally with the goal of taking command of Mr. Campbell’s computer while also stealing passwords to his accounts.”



Email Phishing Attacks Take Just Minutes to Hook Recipients

Posted on

If you work in IT security, you’ve got one minute and 20 seconds to save your company from being hacked. This is not a drill. It’s the median time it takes for an employee to open a phishing email that lands on a company’s network and in their inbox, setting in motion a race to prevent data from leaking. That’s according to the new Verizon Breach Investigations Report, which is due to be released publicly tomorrow but was previewed to reporters today.

It’s no surprise that in the race to protect networks from hackers, the adversaries outnumber and outpower the defenders. But now we know just how rapidly the protectors have to act before their systems are lost to attackers.

“How long do you suppose you have until the first message in the campaign is clicked?” the authors of the report ask. “Not long at all, with the median time-to-first-click coming in at one minute, 22 seconds across all campaigns. With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.”

Verizon noted that 23 percent of recipients open phishing messages. But simply opening an email won’t necessarily install malware on a machine. More dangerous are the 11 percent of recipients who go so far as to click on malicious attachments.


Verizon’s annual report, now in its eighth year, analyzes breach intelligence and data from multiple sources, including customers of Verizon’s forensics response division and customers of FireEye, the firm that investigated the recent hack of Sony Pictures Entertainment. It also examines data from cases investigated by law enforcement agencies, and from government and industry computer incident response teams around the world. This year, Verizon analyzed data involving nearly 80,000 breaches contributed by 70 different organizations.

The report each year rarely offers surprises but instead focuses on providing a broad view of trends and developments in criminal hacking and cyberespionage as well as trends and improvements in defensive efforts. The takeaway from the report is rarely encouraging, as hacking attacks increase in number and sophistication each year.

This year’s report shows, for example, that once inside a victim’s network, attackers in some cases siphon off data faster than companies can react. In 24 percent of breaches examined, the intruders began siphoning data within seconds or minutes of gaining entry, giving defenders little time to detect the theft and respond, though there is some indication that response times are improving. In 37 percent of the breaches examined, defenders were able to contain the attack within hours, and in an additional 30 percent of cases they contained the adversaries within days. The problem, however, is that while organizations may be quick to respond once they discover an attack, it still takes them a long time to uncover a breach.

“Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise,” Verizon notes in the report.

Typically, it takes months if not years to uncover a breach. In 2012, for example, FireEye reported that the average cyberespionage attack continued unabated for 458 days before the victim discovered the hack. Prior to this, it was normal to find attackers had been in a network two or three years before discovery.


FighterPOS malware strikes over 100 terminals in Brazil, captures info for 22K cards

Posted on

Analysts believe that recent point-of-sale (POS) malware attacks targeting more than 100 terminals in Brazil were the handiwork of a single person – who managed to steal more than 22,000 unique credit card numbers in a little over a month.

The malware dispatched, “FighterPOS,” also stood out because, in addition to collecting credit card track 1, track 2 and CVV codes and featuring RAM scraping functionality, it allowed threat actors to launch distributed denial-of-service (DDoS) attacks against targets.

According to Trend Micro, which detailed the operation in a Monday blog post, FighterPOS appeared to be a modified version of older malware called vnLoader, with features including malware auto-update, file download and execution, and transfer of credit card and keylogged data from infected hosts to the criminals. Researchers also believed that FighterPOS was built from older malware because samples of the threat were written in Visual Basic 6, a programming language “considered outdated and antiquated,” though still functional on fully patched systems, the blog post explained.

The threat could spread to the U.S., Trend Micro warns, as the sole perpetrator of the attacks is selling the malware.

Between late February and early April, 113 terminals running Linx MicroVix or Linx POS systems were infected with FighterPOS. More than 95 percent of the malware attacks were in Brazil, but a very small number were detected in the U.S., UK, Mexico and Italy.

According to Jon Clay, senior manager of global threat communications at Trend Micro, who spoke to in a Monday interview, other attackers will certainly want to take advantage of the new POS malware – and may now have the opportunity to do so.

Clay pointed out that the sole perpetrator of the attacks in Brazil was actively selling the FighterPOS control panel and malware code for 18 bitcoins, worth around $5,250 – not an outlandish sum considering the potential payout for fraudsters. Furthermore, its suite of malicious capabilities may make it more appealing to buyers.

“He did add a DDoS capability, possibly to make it more saleable, or he was using it to obfuscate his own [activities],” Clay said of the FighterPOS perpetrator, who may be leveraging the DDoS feature as a diversion while quietly capturing card information.

“This was very targeted to Brazil, but it was a wake-up call for organizations with retail accounts in [international] regions,” he added later.

According to Clay, the attacks outside of Brazil were likely “collateral damage,” meaning malware that had spread to other branches of retail organizations, either through an infected thumb drive or other means. Trend Micro included indicators of compromise (IOCs) in its blog post for the threat, which it detects as “TSPY_POSFIGHT.SM.”


Bulgarian Bill Gates blagger busted, banged up, again: report

Posted on

A Bulgarian carder has been arrested withdrawing money from stolen cards four years after he was accused of plundering the bank account of Microsoft mogul Bill Gates.

Bulgarian national Konstantin Simeonov Kavrakov, 31, was arrested last Thursday in the Philippines pulling cash from ATMs, local media report.

Kavrakov was jailed in Paraguay in 2011 for stealing thousands of dollars from Gates’ account in The Philippines’ densely-populated Quezon City.

He was busted with three other Bulgarians trying to shop on Gates’ dime and was linked to a sophisticated carder ring in the US and Europe since 2004.


PhilStar reports that agents of the Presidential Anti-Organised Crime Commission and the National Police bagged Kavrakov yanking cash at a PS Bank branch.

Kavrakov had seven credit cards, nine ATM receipts, and P76,570 (US$1715) in hand at the time of his bagging under Operation Jugador (‘Gambler’) which targets foreign carders and online gamblers.

Crime Commission boss Reginald Villasanta said Kavrakov faces charges under the country’s Access Device Regulations Act.

Unspecified European police agencies tipped off the local forces to the carder scam, and Kavrakov says the agency is still hunting the carders’ companions who landed in Manila.