Defence contractor Lockheed Martin provided intelligence services before Black Friday.
Walmart has recruited aerospace, defence and security concern Lockheed Martin to comb open source intelligence in the lead up to Black Friday union protests, Bloomberg reports.
The super-colossal retailer has a difficult history with unions and engaged the defence contractor to keep tabs on its employees in the run up to the national fire sale.
Organisers at workers’ rights advocate OUR Walmart were encouraging staff to join its movement to protest against what it claims are poor wage conditions at the retailer that force some workers to rely on supplementary government assistance for basic clothing, food, and housing.
The allegations, found in more than 1000 pages of emails, reports, and testimony produced in discovery ahead of a National Labor Relations Board meeting between the OUR Walmart effort and the retail giant, and handed to Bloomberg Business Week.
Lockheed Martin sells the LM Wisdom open source intelligence service but it is not known if Walmart uses the product.
Monitoring activity through Walmart’s so-called Black Friday Delta Team produced intelligence about OUR Walmart union activity including planned disruption at various Walmart stores.
This included a map of how protestors on five buses would be travelling from their locations to Walmart stores.
“With some assistance from LM [Lockheed Martin] we have created the attached map to track the caravan movements and approximate participants,” emails show risk program senior manager telling colleagues.
When the team created in the lead up to the recent sales blitz learnt of potential involvement of members of the Occupy sit-in movement, the retailer contacted the FBI.
The monitoring allowed the company to stay ahead of some planned protests, foiling some disruption efforts and ensuring management would report news of union efforts.
LinkedIn has invited a security researcher to join its private bug bounty programme after he identified a novel exploit involving the site’s cascading style sheets (CSS).
Ruben van Vreeland, CEO of BitSensor, discovered that he could use CSS to bypass LinkedIn’s security systems which filter attributes and event handlers that could be used to launch cross-site scripting attacks.
By referencing existing CSS already hosted onLinkedIn, he was able to create a proof of concept to publish a page and hijack the links to redirect users to an external site.
LinkedIn published an example to prove the case, based on a user creating a new blog entry.
A JSON request can be used to create a new HTML page with an image tag and a URL:
Used in this way, li_style makes the entire page clickable and will redirect to the URL of the attacker’s choice.
Writing on the LinkedIn security blog, information security engineer Jovon Itwaru wrote: “This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.”
The FBI has linked a hacker to the theft of 1.2 billion internet credentials – the largest heist of its kind.
A hacker known as “mr.grey” is named in court documents filed by the bureau last year, according to the Reuters news agency.
The hacker was linked to the stolen logins via a Russian email address.
Previously, “mr.grey” had advertised the credentials to Facebook and Twitter accounts for sale online.
It was the American cyber security firm Hold Security that initially reported the theft of the credentials and an additional 500 million email addresses last year.
The Russian crime ring responsible for stealing the data – dubbed CyberVor – had breached more than 420,000 websites, according to Hold Security.
The hacker had advertised Facebook and Twitter logins for sale
In August, the firm said, “To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords.”
Hold Security then began marketing a “breach notification service” to users concerned that their details had been affected, for $120 (£71) per month.
Botnet breach
Whatever the identity of the perpetrator behind the CyberVor breach, the method used was something of a departure from how botnets – large networks of computers linked together maliciously – are usually used, according to Dave Palmer, director of technology at security firm Darktrace.
“What’s interesting about this is botnets are usually used to harness their massive scale to attack an individual target – like taking computer games consoles down last Christmas for example,” he told the BBC.
“It’s instead been used as a massive scanner scanning websites all around the world for weaknesses.”
Mr Palmer added that the vulnerabilities which allowed computers to be drafted into such botnets as well as the flaws in websites which meant login details could be hacked were preventable.
“We’re still getting caught out by these attacks,” he said.
PowerView is a PowerShell tool to achieve network information on Windows domains for cyber security services and ethical hacking training professionals. It implements diverse practical meta-functions, including some user-hunting functions which will discover where in the network explicit users are logged in. It can also find which machines in the domain network the user has local administrator access. It also includes a number of functions for the enumeration and abuse of domain trusts. You can easily find function descriptions for suitable usage and accessible options mentions ethical hacking training professor.
It also includes a set of PowerShell replacements for diverse windows “net *” commands, which employ PowerShell AD hooks and essential Win32 API functions to execute useful Windows domain functionality as per cyber security services researchers. To run on a machine, start PowerShell with “powershell -exec bypass” and then load the PowerView component with: PS> Import-Module .\powerview.psm1 or load the PowerView script by itself: PS> Import-Module .\powerview.ps1
For comprehensive output of original functionality, add the -Debug flag to the functions. For functions that enumerate several machines, add the -Verbose flag to obtain a progress status as each host is enumerated. Most of the “meta” functions acknowledge an array of hosts.
How to use PowerView to exploit Active directory
AdminSDHolder is a unique Active Directory object positioned at “CN=AdminSDHolder,CN=System,DC=domain,DC=com“. The declared intention of this object is to protect certain privileged accounts from unintentional alteration. Every one hour, a unique process called SDProp recursively enumerates association for a specific set of protected groups, revises the access control lists for all accounts found, and clones the ACLs of the AdminSDHolder object to any protected objects with a different ACL mentions ethical hacking training professor. If we alter the permissions of AdminSDHolder, that permission template will be removed from all protected accounts automatically by SDProp. So we can add an unprivileged user even with no group membership to the ACL of AdminSDHolder, and have a backdoor mechanism implemented that allow us to alter the membership of groups like Domain and network admin.
Any account/group which is or was a part of a protected group has their AdminCount property set to 1, even if the object is not any more in that protected group. With PowerView, we can effortlessly enumerate all users and groups with AdminCount=1 with Get-UserUser -AdminCount and Get-NetGroup -AdminCount, respectively. Thus it lets us speedily find all high value accounts, even if those accounts are not a part of a protected group. With Invoke-UserHunter we can use AdminCount flag, to effortlessly hunt for all high valued users in the domain.
Active Directory access rights are a somewhat unexplored area from an offensive cyber security perspective. Network admins should start auditing and monitoring the access rights of all privileged domain objects, particularly the domain root and AdminSDHolder. You can this manually, through PowerView’s Get-ObjectACL, or through help of cyber security services and ethical hacking training professionals.
‘ModPos’ kernel monster threatens haul during festive shopping blitz.
The world’s most complex sales till malware has been discovered … after it ripped millions of bank cards from US retailers on the eve of post-Thanksgiving shopping frenzies.
The ModPOS malware has pilfered “multiple millions” of debit and credit cards from the unnamed but large retail companies incurring millions of dollars in damages.
The attackers have operated in a low-key, ultra professional manner since late 2013 and has only come to light after weeks of painstaking reverse-engineering efforts by malware experts.
They have kept mum, too. Cybercrime forums are entirely devoid of references to the malware.
“This is POS [point-of-sale] malware on steroids,” iSight Partners senior director Steve Ward says. “We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.”
Ward says his team took three weeks to debride one of ModPOS’ three kernel modules. By contrast it took the same experts 30 minutes to reverse engineer the Cherry Picker POS malware revealed last week.
The “incredibly talented” authors have done an “amazing job” and have such an understanding of security that the work has impressed the white hat engineers.
“It is hard not to be impressed,” Ward says.
He says the criminals have spent a “tonne” of time and money on each packed kernel-driver module which behaving like a rootkit is as difficult to detect as it is to reverse.
That approach to the 0module build is novel.
The anti-forensics componentry is highly-sophisticated, meaning most businesses that the advanced Eastern European attackers have popped will not know the cause of the attack.
It is clearly a tool targeted designed for large-scale revenue generation and return on investment.
Ward and his colleagues have briefed more than 80 major retailers across the US, all of which are on high alert for infection.
He says the attack group will need to change parts of its codebase to re-gain some of its now lost obfuscation, but adds that some changes will be much harder to implement than others.
The encryption used for network and command and control data exfiltration and communication is protected with 128 bit and 256 bit encryption, with the latter requiring a new private key for each customer.
This makes it much more difficult to know what data is being stolen, unlike other sales register malware that slurp details in cleartext.
“We will see disclosures and compromises in the future that point back to this framework.
PowerView es una herramienta de PowerShell para obtener información situacional de la red en dominios de Windows para profesionales de hacking ético y servicios de auditoría de seguridad informática. Contiene un conjunto de comandos PowerShell para varios “net *” comandos de windows, los cuales utilizan ganchos de PowerShell AD y las funciones de API de Win32 para llevar a cabo la útil funcionalidad de dominio de Windows explica expertos de servicios de seguridad informática.
Según los profesionales de hacking ético e investigadores de servicios de auditoría de seguridad informática PowerView implementa varios metafunciones útiles, incluyendo algunas funciones por cazar usuarios que se identifican donde los usuarios específicos se registran en la red. También puede comprobar cuál de las máquinas en el dominio tiene acceso de administrador local. Además existen varias funciones para la enumeración y el abuso de confianzas de dominio. Podemos ver descripciones de las funciones para el uso apropiado y las opciones disponibles en la herramienta.
Para ejecutar en una máquina, iniciar PowerShell con ” by-pass -exec powershell ” y luego cargar el módulo PowerView con: PS > Import-Module.\powerview.psm1 o carga el script PowerView por sí mismo: PS> Import-Module.\powerview.ps1
Para el resultado detallado de la funcionalidad, pase la bandera -Debug a la mayoría de las funciones. Para funciones que enumeran varias máquinas, pase la bandera -Verbose para obtener un estado de avance que cada host se enumera. La mayoría de las funciones de “meta” acepta un conjunto de hosts acuerdo con profesor de hacking ético y auditoría de seguridad informática.
Cómo utilizar PowerView para explotar Active directory
AdminSDHolder es un objeto de Active Directory especial situado en el “CN = AdminSDHolder, CN = System, DC = domain, DC = com”. El propósito de este objeto es proteger ciertas cuentas privilegiadas de modificaciones accidentales. Cada 60 minutos, un proceso especial denominado SDProp recurrentemente enumera la pertenencia de un conjunto de grupos protegidos, comprueba las listas de control de acceso para todas las cuentas descubiertas, y clona las ACL del objeto AdminSDHolder a cualquier objeto protegido con ACL diferente acuerdo con profesor de hacking ético.
Cualquier cuenta o grupo que es (o era) parte de un grupo protegido tiene su característica AdminCount a 1, incluso si el objeto se mueve fuera de ese grupo protegido. Con PowerView, usted puede fácilmente enumerar todos los usuarios y grupos con AdminCount = 1 con Get-User-AdminCount y Get-NetGroup – AdminCount, respectivamente. Esto le permite encontrar rápidamente todas las cuentas de alto valor, incluso si ha mudado fuera de un grupo protegido. Invoke UserHunter también acepta una bandera – AdminCount, permitiéndole cazar fácilmente a todos los usuarios valorados alto en el dominio.
Si modifica los permisos AdminSDHolder, esa plantilla de permiso será empujada a todas las cuentas protegidas automáticamente por SDProp explica experto de servicios de seguridad informática. Así que usted puede añadir un usuario sin privilegios (incluso sin la pertenencia al grupo) a la ACL de AdminSDHolder y tienen un mecanismo de puerta trasera que permite modificar la pertenencia a grupos como dominio y administradores de la red.
Los accesos de Active Directory es un área relativamente inexplorada de desde una perspectiva ofensiva. Los defensores deben comenzar auditoría y monitoreo de los derechos de los objetos de dominio privilegiado específico, sobre todo la raíz del dominio y AdminSDHolder. Esto se puede hacer de forma manual o a través de PowerView Get-ObjectACL o tomar ayuda de expertos de servicios de seguridad informática.
Files show agency just moved surveillance offshore.
Newly revealed documents (not from Snowden this time) show that the NSA has continued to collect Americans’ email traffic en masse using overseas offices to get around curbs introduced domestically.
Shortly after the September 11 attacks, President Bush authorized the NSA to collect bulk metadata on emails sent by Americans (although not the content) to help The War Against Terror (TWAT). The surveillance was authorized by the US Foreign Intelligence Surveillance Court, which mostly rubberstamped such requests.
But the collection was stopped in 2011, the NSA said, although it still monitored emails from Americans to people outside the nation’s borders. However, a Freedom of Information Act lawsuit started by The New York Times against the NSA’s Inspector General has uncovered documents showing that the NSA carried on collecting domestic data.
To get around the restrictions on operating in the USA, the NSA simply started using its overseas offices to do the collection. Stations like RAF Menwith Hill in Yorkshire were tasked with collecting the metadata and feeding it back to the NSA headquarters in Maryland.
There’s no evidence that the content of emails was being examined by NSA analysts. Instead the metadata was used to try and divine linkages between individuals the agency was looking to monitor. But that metadata is very useful.
“We have known for some time that traffic analysis is more powerful than content analysis,” said Dan Geer, chief information security officer of the CIA’s venture capital firm In-Q-Tel.
“If I know everything about you, about who you communicate with, when, where, with what frequency, what length, and at what location, I know you. The soothing mendacity of proxies from the president that claim that it is only metadata, is to rely on the profound ignorance of the listener.”
Xindi botnet still well alive and kicking after one year
Online advertisers are at risk of losing billions by the end of 2016 if they don’t find a way to stop the Xindi botnet from spreading, a botnet that leverages flaws in the OpenRTB advertising protocol to boost its owner’s ad revenues.
OpenRTB is a protocol used for internal communications in online advertising. The protocol, in a simplified explanation, is used to interconnect advertisers, ad servers, and websites where ads need to be displayed.
The Amnesia bug, a flaw in the OpenRTB protocol
For the past year, a flaw in OpenRTB (CVE-2015-7266 – also known as the Amnesia bug) allowed (and still allows) an attacker to listen to OpenRTV ad messages but hold back receipt notifications for hours.
When weaponized inside malware, like the one used with the Xindi botnet, the Amnesia bug allows an infected machine to request numerous ads from the same advertiser and hold back notifications, making the ad network believe the ad failed and did not show. Later, when the notifications are released, the ad network is on the hook to pay all the impressions, even if not all ads were rendered inside a Web page.
Pixalate, an enterprise security and analytics platform, estimates that between 6 and 8 million computers have been infected with this malware, in more than 5,000 organizations.
Xindi botnet going after “reputable” targets
The Xindi botnet operators seem to be specifically targeting machines that are part of reputable Fortune 500 companies, universities or government agencies.
This is for two reasons. Advertising networks usually don’t expect to see ad fraud from these targets and have fewer monitoring tools pointed at them, and all the aforementioned organizations have access to superior broadband connections when compared to home users.
Xindi botnet is active for more than a year
First signs of Xindi-powered attacks were recorded as early as October 29, 2014, and then again in quick bursts in following months like December 2014, March 2015, and August 2015.
Most infected targets are in the US and are usually running Windows 7 or Windows XP. The list of top affected advertisers includes big names like Uber, Home Depot, McDonald’s, Honda, Pandora, Monster, Verizon, and Nissan.
Pixalate estimates that if ad networks don’t fix the OpenRTB protocol flaw that permits this type of attack to be carried out, online advertisers could lose up to $3 billion / €2.8 from fake ad impressions by the end of 2016.
Web scum build command and control mountain; bods mulls pending large-scale attacks.
Exploit kits are dominating the criminal hacking industry, but even though code fiends prefer colour-by-numbers cracking kits that isn’t stopping them from assembling a vast command and control army domain name servers linked to popular kits are up 75 percent in the third quarter compared to 2014, according to a report.
It could lead to a flood of attacks should web scum take advantage of the available command and control infrastructure
Angler was the worst offender among exploit kits while the Matsnu domain generation algorithm played the biggest hand in the new command and control infrastructure.
Magnitude, Neutrino, and the popular Nuclear exploit kits helped bump the figures along in what was an increase on last year but a slight fall on the second quarter of 2015.
“The Infoblox DNS Threat Index in 2015 continues to remain well above the average for the previous two years, indicating that cybercriminals are continuing to expand their infrastructures,” say the authors of the Infoblox and IID report.
“Exploit kits and phishing remain significant components of the index because these techniques have been successful for malicious actors.”
The cost of buying into the exploit game has dropped from more than US$10,000 to about $1000 or less, depending on the kit.
As this reporter noted in June, security bods at Trustwave reckon web crims can clear a whopping US$84,000 a month for a paltry US$5400 outlay through the use of exploit kits to deliver malware and ransomware.
Crims would need to shell out US$3,000 for the ransomware, US$1800 for a hacked high traffic site, US$500 for an exploit kit like RIG and US$600 for anti-anti-virus fuzzers over a month to hit their profit targets.
Analysis: The question shouldn’t be if encryption should have backdoors, but why intelligence agencies have begun shifting the blame onto those who push for privacy.
It took about three days for the CIA director and former intelligence officials to reignite the debate over the use of encryption, with some speculating that it may have been the reason why French and other Western intelligence agencies were unable to prevent the Paris attack earlier this month.
The attack, the greatest assault on French soil the end of World War II, left 129 dead and hundreds injured.
French prosecutors leading the investigation said Saturday that the final body count may rise. The motives of the attackers and whether or not they used encryption were not confirmed by authorities.
That didn’t stop sister-site CBS News contributor and former CIA deputy director Michael Morell from stating, on little more than a hunch — apparently, that the perpetrators of the attack “used encrypted apps to communicate.” (Disclosure: ZDNet is also owned by CBS.)
He said:
“Commercial encryption. . . is very difficult — if not impossible — for governments to break. The producers of this encryption do not produce the key for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris.”
He, like many others before him, laid the blame at the steps of the companies who, inclined by or regardless of Edward Snowden’s leak to journalists two years ago of classified materials detailing the intelligence community’s mass surveillance programs, want to keep users’ data secure and protected.
To Morell’s credit, his remarks were somewhat tame compared to Fox News contributor Dana Perino, who said on Twitter about Snowden: “F**k him to you know where and back.” (Fox News’s slogan is “fair and balanced.”)
Wired’s Kim Zetter, who wrote a strong rebuttal of the anti-encryption brigade’s controlled and often contradictory rhetoric, pointed to vague comments made by incumbent CIA director John Brennan, who said on Monday:
“There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it. I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve.”
He added:
“And in the past several years because of a number of unauthorized disclosures and a lot of handwringing over the government’s role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability collectively internationally to find these terrorists much more challenging. And I do hope that this is going to be a wake-up call, particularly in areas of Europe where I think there has been a misrepresentation of what the intelligence security services are doing by some quarters that are designed to undercut those capabilities.”
The “too-long, didn’t read” version is, it’s Snowden’s fault the tech companies are pushing for stronger security, and he hopes that terrorist attacks will shift the public opinion in favor of open, unencrypted, and readable communications to both the intelligence agencies and hackers alike.
He neglects to mention that in the months prior to the September 11 attacks, al-Qaeda was known to have used encryption in which “may lie the… blueprints of the next terrorist attack against the US or its allies.”
It’s no wonder that intelligence officials, who have since the attacks in 2001 striven for a “collect it all” mantra about data collection on law-abiding citizens, are calling for backdoors in strong, uncrackable encryption.
Traditionally, when terrorists were successful, it used to be a “failure” by an intelligence agency or government.
After the September 11 attacks, people said the government did not not know anything about them in advance which former insiders called an intelligence failure. British intelligence agency MI5 said it was a “lack of resources” that the five suicide bombers were not caught prior to their attacks on the London subway system in 2005. After the chaos of the Boston bombing, the biggest terrorist attack on US soil since 2001, the FBI was accused of intelligence-sharing shortcomings.
Since 2013, when you first heard Edward Snowden’s name, the government finally had a scapegoat. Any person or company who acts in his name, or doubles-down on security in the wake of the leaks is now to blame, accused of being traitorous, or impeding investigations or intelligence gathering.
Yet, in the latest attack, encryption has yet to be determined as a cause — or even a factor.
As Vice notes, there are more than enough reasons why intelligence failures happen — in spite of strong encryption: a lack of sharing intelligence across borders, a lack of language-speaking translators, and a deluge of data that authorities struggle to sift through.
Even former National Security Agency employees turned whistleblowershave said the daily deluge of data drowns analysts in too much information, meaning finding that needle in the vast haystack of intelligence is impossible.
Yet that bulk dragnet of metadata may not be the answer. It may have been “designed to detect a Mumbai/Paris-style attack,” according to a tweet by former NSA general counsel Stewart Baker, but as intelligence expert Marcy Wheeler notes, simply, “it didn’t.”
With a number of reportedly missed opportunities from sifting through so much intelligence that they can’t identify potential attackers before they struck, the notion of wanting access to even more intelligence is weak, and diversionary at best.
The intelligence community is fighting a public debate it never wanted in the first place. The question shouldn’t be if encryption should have backdoors, but why intelligence agencies have begun shifting the blame onto those who push for privacy.
If the administration’s intelligence directors are demanding access to even more data than their agencies know what to do with, that points to a failure of leadership rather than a fault of intelligence.
Inaudible sounds, the future of online user tracking
CDT (Center for Democracy & Technology) has alerted the FTC (Federal Trade Commission) about the existence of a privacy-intrusive, hidden high-frequency audio cross-device tracking technology.
According to an official complaint filed by the CDT, the privacy watchdog is tattling on advertisers like SilverPush, Drawbridge, and Flurry, online companies that deploy ads that squeal high-frequency sounds from the devices they’re loaded on.
The CDT says that these ultrasonic sounds scan the room for other devices like phones, tablets, TVs, computers, and wearables, effectively tying their presence to a browser cookie, an IP, and indirectly a user.
Whenever the device owner accesses a page with an ad from these companies from other handsets, the ad network will be able to recognize him based on the device’s fingerprint in their database and the presence of some tracking code left behind by the ultrasonic sounds emanated from previous visits via other nearby devices.
The entire technology is quite questionable and would allow advertisers to track users even if they don’t want to be tracked. Additionally, the practice also doesn’t include any options that users can tick and be left out of the tracking program.
A questionable practice, unknown to many, even the FTC
While advertisers are actively interested in delivering more efficient ads, users may not see it as such. A tracked user may not want personal Web browsing and TV watching habits stored in such fine detail on an advertiser’s unsecure server somewhere online.
The CDT says that as of April of 2015, SilverPush’s ultrasonic tracking software (SDK) has been embedded in 67 mobile apps, allowing the company to track 18 million smartphones and an unknown number of nearby devices.
“CDT is unaware of the existence of any current process for users to identify when probabilistic tracking is being used or meaningfully opt out. This represents a significant infirmity for any type of privacy protection,” say CDT representatives. “As such, the entities engaged in probabilistic tracking merit careful scrutiny from the FTC.”
The FTC has officially reviewed CDT’s complaint today, and will be making a formal announcement in the following days.
The NSW Police Force illegally hacked the private Facebook account of a Sydney man in a move branded a reprehensible and “criminal offence” by a magistrate.
After four months of illegal police surveillance on a closed Facebook page, Rhys Liam Halvey was arrested and charged with three counts of using a carriage service to offend police and a further three counts of publishing an indecent article.
The surveillance tactics were later supported in court by one of the highest ranking police officers in the state.
The “indecent” posts included a raunchy image of the American pop star Miley Cyrus that had been superimposed on a photograph of a serving officer. After Sydney magistrate Roger Brown warned that a “criminal offence” had been committed by the “unauthorised access”, a senior member of the NSW Police hierarchy attempted to intervene with two sworn affidavits “supportive” of the actions.
But all six charges have now been withdrawn and dismissed. In ordering costs against police, Magistrate Brown described the conduct as “reprehensible” and the charges as “trivial.”
“Exactly how widespread is this snooping?” asked Mr Halvey’s barrister, Andrea Turner, in a formal complaint to the Police Integrity Commission, which has now been referred back to the police, by the NSW Ombudsman, for investigation.
“There is no difference to the police trespassing on a Facebook page for four months and my steaming open my neighbour’s mail in the hope of one day finding something, anything, to report to police.”
NSW Council of Civil Liberties president Stephen Blanks said public confidence in the police was being “undermined” by an inability to acknowledge the occasions when “it does the wrong thing.”
“How deep in police culture is this willingness to break the law?” he asked. “Even after they have been caught out, it would appear no adverse consequences are going to be suffered by those responsible because the illegal actions are supported by police at the most senior level.”
On November 29, 2013, NSW Police Senior Constable Daniel Moss began spying on a closed Facebook page belonging to a “Rhys Brown” using someone else’s user name and password. The prying continued until March 31 last year, when several “derogatory” posts appeared. They featured a NSW Police infringement notice together with photographs of several serving officers, taken in a Sydney street setting.
One image carried a large sum of cash and words to the effect of: “Here’s my $25,000 for your $101 fine.” Another image depicted Miley Cyrus “twerking” in front of an officer.
Though he denied being Rhys Brown and the owner of the posts, Mr Halvey was charged. During a hearing in April, Magistrate Brown said to Constable Moss: “You use the term ‘monitored’ the Facebook account of Rhys Brown … you went into that account frequently?”
“Yes, I did” replied the officer.
“So … you didn’t obtain a Supreme Court warrant … you didn’t obtain any judicial authorisation to invade the privacy of Rhys Brown’s Facebook, did you?”
“No.”
It was under cross examination that he admitted to using someone else’s user name and password.
When the police prosecutor sought an adjournment so the Crown could argue the “public immunity aspect” of certain police “methodology” used to “access data”, Mr Brown said: “Police methodology doesn’t permit the police to commit crimes, it’s as simple as that.”
Several weeks later, a senior police official stepped in with with one “confidential” affidavit and another open in which he relayed previous support for the investigation. He also requested the officer be excused from further cross examination “about how certain Facebook posts were obtained”, adding it would be “injurious” to the public interest if “those questions were to be answered”.
Mr Brown rejected the immunity application. In September, the case was withdrawn and dismissed with $14,429 in costs ordered against the police. A NSW Police spokesman said on Friday an investigation was “currently running.”
La capital y el Edomex reúnen 53% de estos delitos. Quienes los cometen apuntan principalmente a operaciones comerciales.
Una persona decide comprar algo por internet. Días después, se da cuenta de que la tarjeta de crédito con la que pagó fue usada sin su consentimiento para otras operaciones. En resumen: se ha convertido en víctima de un ataque cibernético.
El Instituto Internacional de Seguridad Cibernética (IICybersecurity) define los ciberataques como aquellas acciones que buscan desestabilizar los dispositivos o sistemas conectados a la red. La diferencia con el ciberterrorismo es que este último se enfoca en atacar los sistemas vinculados con la infraestructura y los servicios críticos para una nación: comunicaciones, defensa nacional, energía eléctrica, suministro de agua, transporte, etcétera.
David Thomas, gerente del organismo en México, señala que en lo que va del año en el país se han registrado más de 11 millones de ataques cibernéticos. De ellos, 53% se concentra en el Distrito Federal y el Estado de México.
Para el experto, algunas razones por las que ambas entidades encabezan la lista son que en las dos hay más de 120 mil empresas que manejan datos personales y confidenciales, lo que las hace un blanco atractivo para los hackers, y que en la capital están asentadas tanto oficinas del gobierno local como sedes de los poderes federales.
Otros motivos, según explica Thomas, son que en la Ciudad de México hay más dispositivos móviles y equipos conectados a internet que en otras localidades del país, y que cada año más de 13 millones de turistas llegan a territorio capitalino.
“Los viajeros usan, en gran medida, tarjetas de crédito, y éstas resultan un blanco ideal para los hackers, quienes emplean ataques de malware POS [en puntos de venta] para robar datos bancarios”, dice.
Seguridad rezagada
Según el Índice mundial de ciberseguridad y perfiles de ciberbienestar, publicado en abril de 2015 por la Unión Internacional de Telecomunicaciones (ITU, por sus siglas en inglés), México está rezagado en seguridad cibernética, lo que representa una amenaza para el resguardo de la información en comparación con otros países.
Los datos de 2014 colocaron a México en el lugar 18 de 29 en el listado de la ITU, que evaluó un total de 100 países, muchos de los cuales empataron en las mismas posiciones. Lo anterior significa que México está debajo de naciones de América Latina como Costa Rica, Ecuador, Brasil y Uruguay.
Por otra parte, de acuerdo con el IICybersecurity, México es el segundo país con mayor número de ataques cibernéticos en la región, sólo después de Brasil.
En 2015, los ataques cibernéticos a nivel nacional crecieron 63% respecto de 2014, detalla Thomas. El ataque denegación de usuario (DDoS), el malware POS, la publicidad con malware, el fraude electrónico comercial, el robo de identidades y la extorsión con ransomware han sido las formas más usuales de ataques cibernéticos.
Juan Carlos Montesinos, director de la Unidad de Ciberdelincuencia de la SSPDF, explica que la policía capitalina da orientación a los ciudadanos afectados y que quien investiga estos delitos es la Policía Federal.
Víctimas de los hackers
Los principales segmentos afectados por ciberataques en la Ciudad de México durante este año han sido las empresas privadas, las instituciones de gobierno y las organizaciones académicas, de acuerdo con el IICybersecurity.
Del total de ataques registrados este año, 45% estuvo dirigido a empresas privadas (bancos y hoteles, por ejemplo) y 35% a distintas dependencias de gobierno. El resto corresponde a la academia y a particulares.
Algunos expertos, sin embargo, sostienen que la mayoría de las transacciones que se realizan en línea es segura.
Las principales barreras para combatir los ataques cibernéticos, señala Thomas, “son falta de soluciones de seguridad informática, la carencia de una legislación adecuada y la falta de conciencia entre la población general sobre seguridad cibernética”. Para evitar ataques cibernéticos, las agencias de gobierno y empresas privadas deben trabajar en conjunto para llevar a una mejor colaboración y comunicación.
A pesar de lo anterior, comparada con otras naciones, la cifra de ataques cibernéticos en México aún es muy baja. EU recibe la mayor cantidad de ciberataques en el mundo, con un millón de incidentes diarios y la ciudad más bombardeada del planeta: Florida.
Para Thomas, en México es importante promover la cultura de la prevención y la denuncia ciudadana. Además, “el gobierno debe trabajar para desarrollar capacidades técnicas e investigativas integradas avanzadas, con una legislación estricta en el ámbito de seguridad cibernética, para utilizar plenamente tales capacidades”.
Ideas para legislar en la materia
Durante la actual Legislatura del Congreso, que inició el 1 de septiembre, legisladores han presentado dos iniciativas en este tema. Una de ellas fue la planteada por la diputada María Eugenia Ocampo Bedolla, del Partido Nueva Alianza. Dicho proyecto busca modificar el Código Penal Federal y aún está pendiente de análisis. La otra iniciativa fue la impulsada por el senador priista Omar Fayad, quien la retiró de comisiones tras la polémica que generó. Los opositores de la propuesta la tacharon como un intento por censurar contenidos en la red.
Sometimes just a few lines of access logs can tell a whole story…
Many ongoing attacks against WordPress and Joomla sites use a collection of known vulnerabilities in many different plugins, themes and components. This helps hackers maximize the number of sites they can compromise.
Google Dorks
Do you ever think about how hackers find vulnerable websites? Probably the most common way to do it is using “Google Dorks” – special Google queries that use search operators to return sites that use specific software. For example, this inurl operator will help find [improperly configured] WordPress sites: [inurl:”wp-content” “index of”]
Almost every published exploit has its own dork that helps to find vulnerable sites.
Hackers just need to enter search queries and then parse search results. Sounds easy? Not really. There are quite a few obstacles.
Obstacles to Automated Searches for Vulnerable Sites
Even if your search returned millions of web pages, you can’t get more than the first 1,000 of them from Google.
Out of those 1,000, not all sites are vulnerable. Some use a patched version, some use a website firewall or a different means of protection that will make the attack fail, or Google has outdated information about the site that might have already removed the vulnerable software. All in all, hackers may expect that less than 20% of the search results will be really vulnerable (It may be more for new zero-day attacks and less for old and already patched vulnerabilities).
To compile a big enough list of vulnerable sites, hackers either need to use multiple dork modifications for one exploit, or use multiple dorks for multiple exploits. Both methods assume a significant number of requests to Google search engine. However, as you might know, Google prohibits automated requests. They block IP addresses that submit many requests in a relatively short time. Even human visitors see this CAPTCHA from time to time.
So how do hackers overcome these obstacles?
Enter Access Logs
A few days ago my colleague Rodrigo Escobar checked access logs of one compromised site and shared a very short excerpt with me. Here are the three lines of logs that tell the whole story about how hackers scan the web for vulnerable sites:
If you are not fluent in the language of web server access logs, I’ll translate the story for you.
PHP Proxy
All three lines request the “includes/freesans.fr.php” file, which appeared to be an uploaded copy of the open source PHPProxy script. The proxy provides you with a web interface to open web pages from the server’s IP, instead of your local IP address. It’s normally used to bypass country and other IP-based restrictions.
Requests to Google
In our case, the proxy is being called with the following parameters:
These are the URLs someone tries to open via the proxy. As you can see, they are URLs of Google search results pages.
Dorks
Our three lines of logs correspond to the following three queries:
[wp-content revslider site:mobi]
[com_adsmanager +logo site:dj]
[wp-content +revslider site:mobi]
The first and the third queries look for WordPress sites with the Slider Revolution (revslider) plugin – vulnerabilities in revslider were responsible for a good number of the WordPress hacks we saw last year. Even one year later we see hackers exploiting the vulnerabilities in sites that still use old versions of this extremely popular premium plugin.
The second query looks for Joomla sites with theAdsManager extensions, some versions of which have an arbitrary file upload vulnerability.
Site: Trick
You might have noticed that the Google queries contained the site:mobi and thesite:dj operators, which limit search results to websites on .mobi and .dj top level domains. Does it mean that hackers only want to attack WordPress .mobi blogs and Joomla .dj sites? Of course, not!
Hackers use the site: operator only to bypass the Google’s 1,000 results per querylimitation. If they find 1,000 vulnerable .mobi sites, 1,000 vulnerable .com sites, 1,000 vulnerable .org sites. 1,000 vulnerable .net sites, and so on for every possible TLD, they’ll get far far more results than a mere one thousand that they could expect searching just for any WordPress site with the revslider plugin.
Distributed Search
The only downside of this trick is it requires more requests to Google which maximizes risks of getting blocked for automated queries. To work around this, hackers use these two methods:
The &num=100 parameter that increases number of search results to 100 per page, which effectively decreases number of required requests by 10.
The distributed system of proxies on compromised sites.
We can always tell that hackers don’t care about the sites they break into. They do it only to take advantage of the sites’ resources – be it visitors, server space, bandwidth, CPU, etc. In this case, the resource they need is the unique server IP along with the ability to install and run the PHP Proxy script.
So they have multiple hacked sites on servers with unique IP addresses where they installed the proxy script. To get results from as many Google queries as they want in a relatively short time, they need to make requests via the distributed network of their proxies rather than directly to Google.
This explains why we only see 3 such requests to the proxy script in the logs and why they requested search results in the middle of the result set (e.g. &start=300 or&start=600). Other search requests went to similar proxy scripts on other hacked sites.
Different User Agents
To make the search requests look even less suspicious to Google, hackers change the User Agent headers of each requests. This makes it look different as people share the same IP address (this may be a company behind a corporate firewall or users of an ISP with a dynamic pool of IP addresses).
Indeed, if you take a look at the logs the User Agent look the same at the first glance (Firefox on Windows 7), but if you look more carefully, you’ll notice that versions of Firefox vary:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406Firefox/23.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011Firefox/23.0
This resembles a corporate environment were most people use computers with similar configurations (with insignificant variations).
Conclusion
This was a story told by 3 lines of web server access logs. It helped us demonstrate
Why hackers no longer focus on just one vulnerability and try to exploit multiple different security holes
Why it is important to update and patch every single element of your site software
How hackers find thousands of potentially vulnerable sites in a short time
How they use compromised sites to find their next potential victims
Why your server IP address is a valuable resource for hackers
Help the Internet — keep your site secure. Don’t let hackers use it to hack even more sites.
We know that it’s hard to keep track of all the newly discovered vulnerabilities in every CMS, theme and plugin, and update them in a timely manner, let alone the zero-day vulnerabilities that don’t even have any patches. Don’t worry! We have you covered!
Our website firewall protects websites by blocking requests that try to exploit both known and even unknown security holes so that they don’t reach your site and can’t do them harm, even if you still use some vulnerable software (it’s still a very good idea to update everything ASAP). Here you can learn more about how it blocks all vulnerability exploits.
Encrypted email provider ProtonMail is still being hit by a DDoS attack from what appears to be a nation state, as well as a secondary and separate lower-level assault from an identified assailant. However, the service is now operating normally, it seems.
Switzerland-based ProtonMail offers an encrypted webmail system able to withstand intelligence agency-level surveillance. However, since last Tuesday the company has continued to be hit by DDoS attacks from two attackers.
Talking to The Register, ProtonMail CEO Andy Yen explained: “We have been attacked every day since 3 November, so we’re now entering the sixth day of attacks.”
“There are two attackers,” said Yen. “Since 4 November, we have been mostly battling the second attacker. They are highly sophisticated and have a lot of resources. The first group that attacked us, the Armada Collective, is largely irrelevant compared with the power of the second attacker.”
ProtonMail has stated that the second-attacker’s malicious efforts had all the hallmarks of a state-sponsored attack, both in its complexity and in its willingness to cause large-scale damage to achieve its aims.
The CEO added that the “attack volume is high, but especially the mix of attacks being used, and the highly coordinated fashion in which they are employed point to an extremely sophisticated attacker”.
However, as of the time of publication ProtonMail has provided no concrete proof of a nation going after its servers, which it is still working to protect.
Yen told The Register that “many of the world’s largest tech companies have offered to assist in analysing and tracking the attack”.
Late last week the company paid a bitcoin ransom worth £3,500. A company statement explained:
We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.
Again, explaining the situation to The Register, Yen said that “the second attackers impacted many other companies who lost access to mission critical infrastructure. From the start, ProtonMail has always been opposed to paying, but after discussions with other impacted companies, and considering the sheer amount of collateral damage, we respected the group decision to pay.”
The transfer had to come from our Bitcoin account as we were the ones that received the extortion email.
The people attacking us now are not the ones the ransom was paid to, but at the onset, it was not clear there were two attackers involved.
A donation campaign was established for ProtonMail with a goal of raising $100,000, although this was later reduced to $50,000, which has almost been reached as of the time of writing.
Yen explained that “the goal was reduced because once the magnitude of the attack became realised, and it became apparent who the target was, one of the world’s top DDoS protection companies offered to step in at significantly reduced prices in order to support our mission. They understand that ProtonMail being down means large numbers of activists, dissidents, journalists, and regular users will have lost the ability to communicate”.
“In addition,” said Yen, “some of the world’s top networking experts volunteered their time to help us recover. Together with our team, they accomplished the impossible and brought us back online in three days with the capability to withstand the largest cyber attack which has ever hit Switzerland. The support from our users has also been amazing, they donated nearly $50,000 in just two days.”
ProtonMail, which published a transparency report, refers all foreign requests for information to the Swiss federal police, according to Yen.
“At that point, an inquiry may be opened and passed to the Swiss court system. It is only after receiving a valid Swiss court order that we are permitted to share any user information. Due to the end-to-end encryption that we employ, we can only hand over encrypted copies of user messages,” he added.
What are black swans? In defence, a black swan is a way someone has passed all your defences, although you thought you covered all the attacking vectors.
A black swan is an incident that you didn’t participate. It’s a sign for the irrational way of human thinking. When you see only white swans, you don’t think there is a black one. In the cyber domain, there are black swans in defence and offence.
In defence, a black swan is a way someone has passed all your defences, although you thought you covered all the attacking vectors. Edward Snowden is a good example. Other examples are Angler Exploit Kit, Taomike SDK or the latest ransomware that would publish your files if you don’t pay.
In offence, a black swan is a way that a hacker has been caught in a way he didn’t predict. It could be a trap or another mechanism that exposed him before he got what he wanted. Worst, it could be a way that the defender applied to attribute the attack to him.
To make the discussion clearer, let’s look at basic assumptions in both offence or defence. The defender assumes that the attacker is already in his network. From the defence perspective, the operating space is divided to perimeter and the internal network.
Tools like Firewalls, IDS/IPS and Anti-DDoS are examples to perimeter defence. Behavioural analytics solutions are the most common for the internal network. The defender is looking to create black swans in the attack vector path that would expose/block the attack in the external/internal domains.
A hacker assumes that the attacking vector will be exposed by the defender. From the offence perspective, there are no external/internal domains. the hacker has a goal, collect information or cause a damage. to do it, all options are on the table, including HUMINT and digital methods.
When I talked to Israeli hackers about their definition for a black swan, the most common answer is an exposure they didn’t predict.
“When you plan an attack, you should think for every move that you will be exposed. the question is what do you do then [What-If scenario]”, Said a well known Israeli hacker.”In some scenarios, the defender will get an alert in the SIEM, but will dismiss it as not important. In others, you will be exposed inside the defender network, and a decision should be taken – to abort or use deception. In some cases, a black swan can be a backup procedure you didn’t predict up front”.
As mentioned before, a black swan is something that you can’t predict. if, for example, the hacker is bribing or blackmailing some of your information security stuff in advanced, that’s a black swan for you.
If the attacker is implementing a malicious electronic chip in the network equipment that you bought from a known manufacturer [As did the NSA with Cisco equipment], that’s a black swan for you. If your CEO of is hiring a “Cyber mercenary” from the darknet to hack your company, that’s a black swan for you. Another could be a mini computer with Kali Linux hidden in your network pretending to be a legitimate network entity.
A recent black swan scenario happened at DISA [Defense Information Systems Agency] by the contractor that hired Russian programmes. They implemented a code that apparently led to the presence of viruses in the U.S. military’s communications systems.
There is no doubt that in today’s cyber domain, it’s all about black swans. The defender wants to surprise the hacker and vice versa. that’s the reason why defence solutions companies are looking for hackers, and hackers are looking for experience in defence procedure – it’s take one to know one. Writing code is not enough. If you don’t think as a hacker [or defender], you won’t be able to see your black swans.
Two US military contractors have agreed to pay substantial fines for employing the services of Russian programmers for software that was delivered and installed on the computer network of the US Department of Defense.
According to a statement issued by the U.S. Attorney’s Office, District of Columbia, the two companies are NetCracker Technology Corp. headquartered in Waltham, Mass., and Computer Sciences Corp. (CSC) headquartered in Falls Church, Va.
Back in 2008, CSC, an information technology services company, won a DoD contract for building communications software for DOD’s DISA (Defense Information Systems Agency).
From 2008 to 2013, CSC subcontracted some of their work to NetCracker, a company specialized in telecom software and services.
To keep costs down and provide the software under the deadline, NetCracker used individuals without security clearances, living outside the US.
While the U.S. Attorney’s Office declined to name their nationality, a complaint from 2013 by John Kingsley, a former NetCracker manager, said the programmers the company hired were living in and nearby Moscow, Russia, as SC Magazine is reporting.
Unlike Snowden, “whistleblower” Kinglsey will receive $2 million
Mr. Kingsley made his complaint under the whistleblower provision of the False Claims Act. This provision allowed him to file a complaint on behalf of the US government against the two companies.
For this breach of contract clauses and national security, NetCracker agreed to pay $11.4 million while CSC agreed on $1.35 million.
The same provision that allowed Mr. Kingsley to break his confidentiality clause and report his company also warrants he’ll receive a portion of the damages. According to official documents, Mr. Kingsley will collect $2,358,750.
The two companies resolved their lawsuit by reaching an out-of-court settlement that also guarantees that no legal liability was determined, which means that nobody has to go to jail.
US officials did not provide details on the status of the “corrupt” software installed on DoD computers, but common sense points us to believe it was removed back in 2013.
Bank card slurping malware discovered in casino chain’s tills.
A casino owner in Michigan is warning its players after detecting bank-card-stealing malware in its payment systems.
The Four Winds Casino Resort, which operates three casinos and a service station on tribal lands in the state, said it found the software nasty after banks alerted it to fraudulent transactions.
According to Four Winds, the malware specifically sought out payment card data including cardholder name, number, expiration date, and verification numbers. The data would have been collected from cards swiped at sales terminals at the various resorts.
“It is possible that any card that was used in person at the Four Winds casino properties in New Buffalo, Hartford, or Dowagiac, or the Bent Tree Market service station on the Dowagiac property, between October 2014 and October 21, 2015, could have been copied by the program,” Four Winds said.
“We do not have sufficient information to identify the name and address of individuals who swiped their payment card at our properties during this time frame.”
Four Winds said it is working with the cops to investigate the security breach, and a third-party infosec biz has been brought in to check its networks and prevent any further infection. The company has alsoset up a site for customers who were possibly exposed in the breach.
Anyone who visited the casinos in the last year or so is being advised to keep a close eye on their bank statements and credit monitors for any suspicious or unauthorized activity. The resort has yet to say whether it will be offering affected customers a credit monitoring service.
The Four Winds resort company is one of several to have fallen victim to point of sale (POS) malware infections aimed at collecting payment card information. Big names including Hilton, Mandarin Oriental, and Trump have fallen prey to malware infections that harvest card data from cash registers and point of sale (POS) terminals. The stolen card data is typically sold off and used for fraudulent charges.
SocialMiner doesn’t play nice with China’s popular WeChat.
Mining social media to protect your brand is a great idea, unless the tool you use becomes an attack vector.
That’s the slightly embarrassing bug Cisco’s just reported in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting.
It means some unfortunate support staffer who’s not paying close attention to what they’re receiving could get tricked into clicking a malicious link.
SocialMiner is yet-another “brand management for social media” application – in other words, if Foobar Inc sees unfavourable mentions or a call for help on a social network, the software will tell someone to respond. Preferably before anything looks like going viral.
Cisco’s advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.
“An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”
While it only has a relatively low CVSS score of 4.3, there’s no fix as yet, nor are there workarounds.
However, it’s probably not a wonderful look in China, where WeChat has about half a billion users under its “Weixin” brand, and in addition to its Twitter-like micro-messaging, the app is used for payments, video-messaging, taxi bookings and other things.
Cyber Security 