Month: February 2016

Grandpa Turned Hacker Tried to Send Malware to US DOE Employees

Former US NRC employee sent spear-phishing emails to 80 other US DOE employees containing an inert virus.

Charles Harvey Eccleston, 62, has pleaded guilty to sending spear-phishing emails to employees of the US Department of Energy (DOE) and the US Nuclear Regulatory Commission (NRC) in an attempt to infect them with malware that could be leveraged by foreign intelligence agencies to hack into US government computers.

The whole story starts in 2010 when Eccleston was laid off from the US NRC, and moved to Davao City, Philippines, one year later, in 2011.

According to the US Department of Justice, three years later, in 2013, Eccleston entered the embassy of an unnamed country in Manila, Philippines, and offered to sell 5,000 email accounts belonging to employees of the US DOE.

Eccleston tried to sell a list of government email addresses to a foreign state

Eccleston said he wanted $18,800 (€17,200) for the email accounts, which he said were “top secret,” and if the embassy would not buy them, he would go to the embassies of China, Iran or Venezuela instead.

Embassy officials tipped off the FBI, who sent an undercover agent to negotiate a deal with Eccleston.

During subsequent meetings, Eccleston sold a thumb drive containing 1,200 email addresses to the undercover FBI agent for $5,000 (€4,600). This happened on November 7, 2013, and the FBI agent confirmed that most of the email addresses were publicly available.

In the same meeting in which this transaction took place, Eccleston also highlighted the fact that the email list would allow attackers to infect computers with a virus that would let a foreign country access sensitive government information, or even shut down NRC servers.

Eccleston tries his hand at running a spear-phishing campaign

On June 24, 2014, Eccleston had a second meeting, with a different undercover agent. Eccleston said he had another 30,000 email addresses belonging to DOE employees, and even offered to craft a spear-phishing campaign to target some of the individuals on the list.

The former DOE employee selected a few individuals from his list and crafted a spear-phishing email that advertised a conference which he knew DOE employees would be interested in.

On Jan. 15, 2015, Eccleston sent 80 spear-phishing emails to his former colleagues containing an inert virus he received from the FBI agent. The emails reached individuals across the US and even laboratories associated with nuclear materials.

Philippine authorities arrested Eccleston on March 27, 2015, when he was meeting with the undercover agent to receive an $80,000 payment for his endeavor. He was later deported to the US and has now admitted his crimes.

Eccleston faces a maximum of ten years in prison and financial penalties, but because of his age and prior record, according to the advisory federal sentencing guidelines, he is likely to receive a prison term of 24 to 30 months and a fine of up to $95,000.

The grandpa turned hacker will receive his sentence in Washington on April 18, 2016.
VoIP Security Architecture

Voice over IP (VoIP) has been around for a long time. It is ubiquitous in homes, data centers and networks. Despite this ubiquity, security is rarely a priority, and for that reason very few information security companies work in this area. According to the experience of an ethical hacking instructor, by combining a few standard protocols it is possible to make VoIP secure and implement encryption for VoIP calls.

TLS is the security protocol between the session's signaling endpoints. It is the same technology used for SSL websites; e-commerce, encrypted webmail, Tor and many others rely on TLS for security. Unlike websites, VoIP uses a different protocol called the Session Initiation Protocol (SIP) for signaling: actions such as ringing a device, answering a call and hanging up. SIP-TLS uses standard certificate authorities to establish the keys. This implies trust between the certificate issuer and the endpoints of the call.

To add a little complexity, the content of the calls has only a loose relationship with SIP. According to an expert from an information security company, the key agreement protocol for peer-to-peer VoIP content is called ZRTP. In a P2P system, the key agreement and the encryption of the call content happen in the endpoint applications. An important distinction between VoIP and other networked communications is that every device is both client and server at once, so there are only "endpoints" rather than "clients" or "servers". Once the endpoints agree on a shared secret, the ZRTP session ends and the SRTP session begins, the ethical hacking course instructor notes. From then on, all audio and video content on the network is encrypted. Only the two peer endpoints that established a session with ZRTP can decrypt the media stream. This is the part of the conversation that cannot be intercepted, and the session metadata cannot be spied on either.

First is SIP (Session Initiation Protocol). This protocol is encrypted with TLS. It carries the IP addresses of the endpoints that wish to communicate, but it does not interact with the audio or video stream.

Second, there is ZRTP. This protocol enters the mix after a successful SIP dialog establishes a call session by locating the two endpoints. It transmits key agreement information over an unverified SRTP channel. The endpoints then use their voices to speak a short secret that verifies the channel is secure between only those two endpoints.

Third, enter SRTP. Only after the ZRTP key exchange succeeds is the call content encrypted with the Secure Real-time Transport Protocol. From this point on, all audio and video is secure and uniquely keyed for each individual session, notes Mike Smith, digital forensics instructor at IICS.
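The ZRTP-to-SRTP handoff from the paragraphs above, reduced to a runnable model; this is an added example, not code from the original article or from IICS. It assumes a toy Diffie-Hellman group (2^61-1, in place of ZRTP's 3072-bit MODP or ECDH groups), a HMAC keystream in place of SRTP's AES-CTR, and ZRTP's z-base-32 alphabet for the four-character Short Authentication String (SAS). The point it makes is the one the text states: a relay sitting between the endpoints ends up with two different sessions, and the spoken SAS is what exposes it.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (real ZRTP uses 3072-bit MODP or ECDH groups).
P, G = 2**61 - 1, 5
# z-base-32 alphabet that ZRTP uses to render the SAS (assumed here).
SAS_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


class Endpoint:
    """One VoIP endpoint: client and server at once, so only 'endpoints' exist."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self._priv, P)      # sent over the unverified SRTP channel
        self.sas = self.srtp_key = None

    def zrtp_agree(self, peer_pub):
        """Finish the ZRTP key agreement with whatever public value arrived."""
        s0 = hashlib.sha256(pow(peer_pub, self._priv, P).to_bytes(8, "big")).digest()
        bits = int.from_bytes(s0[:3], "big") >> 4            # first 20 bits of s0
        self.sas = "".join(SAS_ALPHABET[(bits >> s) & 31] for s in (15, 10, 5, 0))
        # Per-session SRTP master key; toy KDF standing in for ZRTP's KDF.
        self.srtp_key = hmac.new(s0, b"SRTP master key", hashlib.sha256).digest()

    def srtp_xor(self, index, payload):
        """Symmetric toy SRTP transform: HMAC keystream in place of AES-CTR."""
        stream = hmac.new(self.srtp_key, index.to_bytes(6, "big"), hashlib.sha256).digest()
        return bytes(p ^ k for p, k in zip(payload, stream))


def run_call(mitm=False):
    """Return (sas_matches, media_decrypts) for an honest or a relayed call."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    if mitm:
        # A relay substitutes its own DH values toward each side.
        m_to_alice, m_to_bob = Endpoint("m1"), Endpoint("m2")
        alice.zrtp_agree(m_to_alice.pub)
        bob.zrtp_agree(m_to_bob.pub)
    else:
        alice.zrtp_agree(bob.pub)
        bob.zrtp_agree(alice.pub)
    frame = b"constructed 20 ms audio frame"          # constructed sample media
    recovered = bob.srtp_xor(1, alice.srtp_xor(1, frame))
    # The spoken SAS comparison is the only step that catches the relay.
    return alice.sas == bob.sas, recovered == frame
```

In the honest call both values are True; with the relay in place Bob cannot decrypt Alice's media and the two SAS strings the parties read aloud no longer match.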

According to experts from an information security company, VoIP is complex compared with HTTP, and mainstream understanding of its security elements often omits the SRTP/ZRTP content layer and focuses only on SIP-TLS signaling. In the next article we will cover more of the VoIP security architecture with the help of an ethical hacking and digital forensics course instructor at IICS.

Documents Leaked Following U.S. Police Union Hack

Hundreds of documents stolen from the systems of the Fraternal Order of Police (FOP) were leaked online last week, and the individual who made them available claimed to be in possession of much more information.

According to its official website, the FOP is the largest police union in the United States, representing more than 325,000 sworn law enforcement officers organized in 2,100 local chapters.

The hacker or hackers who breached the organization’s systems allegedly provided 18TB of data taken from the FOP to UK-based researcher and activist Thomas White, who uses the online moniker “CthulhuSec.” White, who claimed the data was provided to him by an anonymous source, said he has to conduct some research before releasing more of the files in his possession.

In a statement posted on Facebook, FOP President Chuck Canterbury said the documents leaked so far are just bargaining contracts that were already publicly available on the Web. However, he confirmed that the attacker appears to have gained access to all of the organization's records, which has resulted in the official FOP website being shut down.

“Our professional computer experts have identified how the hackers made access but that information cannot be distributed at this time for obvious reasons. Suffice it to say that the level of sophistication was very high,” Canterbury said.

Canterbury blamed the attack, which allegedly originated from outside the US, on Anonymous hacktivists. Some reports also claimed the attack involved the use of a zero-day vulnerability.

In response to Canterbury’s statement, White said the attack was not conducted by Anonymous or a sympathiser of the movement, and pointed out that hacktivists only retweeted the files he initially released.

Furthermore, White denied that a zero-day exploit was used to breach FOP’s systems and noted that it was not a sophisticated attack.

“From what I know of how the attacker conducted it, you should be ashamed of how trivial it was that your servers were rooted. If your ‘computer experts’ have identified the flaw as you claim to have, you should realise you are either lying or have not hired experts if they call it sophisticated,” White said.

Experts who discussed the incident on Hacker News pointed out the existence of serious vulnerabilities on FOP’s website that could have been exploited to access sensitive information. They also found that the donations section on the police union’s website uses HTTP when transmitting payment card data.

White, who allegedly received death threats due to leaking the data, said he is not “anti-police” and advised against using the information to attack law enforcement. He claims that the purpose of the leak is to have corruption and other wrongdoing exposed.

As security researcher Scott Arciszewski pointed out, authorities in the United States could charge White under the Computer Fraud and Abuse Act (CFAA), a controversial piece of legislation that has been used to prosecute many hackers over the past years. However, White says he is not concerned because he is in the United Kingdom and his legal advisors are confident that he hasn’t broken any laws.

Authorities in the United States have reportedly launched an investigation into the matter. White says he is prepared to answer any questions and is even willing to meet in person, but only in the United Kingdom.