hacking | https://truthvoice.com | Wed, 22 May 2019 11:30:59 +0000

CIA Employees First Victims of The U.S. OPM Hack
Thu, 01 Oct 2015 09:24:36 +0000 | https://truthvoice.com/2015/10/cia-employees-first-victims-of-the-u-s-opm-hack/


Irony came back to the shores of the United States in the month of September as the CIA was forced to recall a number of undercover agents working in China. The agents’ names and identities were part of the millions of records exposed by the hack of the U.S. Office of Personnel Management earlier in 2015.

The OPM hack was called “the gift that keeps on giving for years” by the Director of National Intelligence, James Clapper.

A subsequent audit of the OPM’s security practices and posture demonstrated that the infrastructure was in shambles, lacking logging and monitoring, systems updates and patches, with some systems not having been reviewed in several years. Also, some of the most critical databases and back-end systems lacked multi-factor authentication and many of them were not even authorized to be on the network!

The breach affected tens of millions of past and current government employees, exposing medical history and background investigation forms and details about the individuals, including CIA agents and embassy staffers.

As CIA agents do not usually show up on diplomatic manifests and lists of staffers, Chinese intelligence could deduce that missing names would be strong indicators of CIA operatives or other secret activities performed by the individuals in question.

According to the Washington Post, Clapper told a congressional panel that the OPM breach was not so much an attack as a form of espionage, and that both nations engage in this behavior. What happened in the OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”

Clapper said that the OPM hack “has very serious implications . . . from the standpoint of the intelligence community and the potential for identifying people” who may be undercover.

AshleyMadison.com Hacked – Customer Service Lying To Members About Security
Tue, 21 Jul 2015 08:59:35 +0000 | https://truthvoice.com/2015/07/ashleymadison-com-hacked-customer-service-lying-to-members-about-security/


by Deric Lostutter

We all know that AshleyMadison.com – the dating site whose slogan is “life is short, have an affair” – was recently compromised by a group of hackers calling themselves Impact Team.

Ashley Madison released this statement pertaining to the unauthorized access of the site.

“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”

“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”

Impact Team threatened to release all of the information of more than 30 million users if they didn’t take AshleyMadison.com and EstablishedMen offline. The hackers chose to release 2,500 records to show they mean business. The mirrors were taken down by use of the “Digital Millennium Copyright Act” or “DMCA” requests on behalf of Avid Life Media, the parent company of AshleyMadison. It is unclear just how much information Impact Team has obtained, but the information could include credit card numbers and other financial information.

Impact Team left this message behind:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Below is a snippet left behind by Impact Team verbatim:

AshleyMadison customer service has been slammed busy in their call centers, reassuring clients that their information is secure and that only 2 records were ever compromised – a claim that was obviously false due to the evident leak that they worked so hard to take offline. Some customers are even taking advantage of a “full delete” option that rolled out because of the hack, which AshleyMadison claims will remove all user information; however, they refuse to acknowledge whether it also deletes the damning credit card transaction information associated with user profiles.

With AshleyMadison lying to its users, one can only be sure that information is safe in corporate hands if you never give it to them in the first place.

Hacking Team Scrambling to Limit Damage Brought on by Explosive Data Leak
Tue, 07 Jul 2015 11:30:58 +0000 | https://truthvoice.com/2015/07/hacking-team-scrambling-to-limit-damage-brought-on-by-explosive-data-leak/

Who hacked Hacking Team, the Milan-based company selling intrusion and surveillance software to governments, law enforcement agencies and (as it turns out) companies?

A hacker who goes by “Phineas Fisher” claims it was him (her? them?).

The hacker has also previously compromised UK-based Gamma International, another provider that sells their spying wares to governments, and which has also been named an “enemy of the Internet.” Phineas Fisher says there will be more similar hacks in the future.

In the meantime, Hacking Team is scrambling to minimize the damage this hack and data leak is doing to the company.

According to Motherboard’s Lorenzo Franceschi Bicchierai, the company has sent out emails to all its customers, requesting them to shut down all deployments of its Remote Control System software (“Galileo”) – even though it seems they could do that themselves, as the customer software apparently has secret backdoors.

Perhaps they chose the first route because they hoped to keep that fact hidden from the customers? And because every copy of Hacking Team’s Galileo software is secretly watermarked, the leaked information could allow researchers to link a certain backdoor to a specific customer?

One of the reasons for this shutdown request is that the leaked data contains source code of the company’s surveillance solutions, and they are worried that this information will allow targeted users to discover who’s spying on them.

“Another concern [by the wider security community] with this breach is that there is now source code available for some pretty nasty malware including what would appear to be functional exploit code,” points out Craig Young, Security Researcher, Tripwire.

“Although most users would not know what to do with the source code release, it would be surprising if we don’t very quickly start seeing underground malware authors branching and repackaging the HT malware and selling it without restriction. A more responsible action may have been for the hackers to release a document dump while sharing the malware source code only with reputable security vendors for the purpose of creating detection routines.”

All the stolen information was likely accessed via the compromised computers of Christian Pozzi and Mauro Romeo, two of Hacking Team’s sysadmins. Christian Pozzi was apparently the first one who realized on Monday that the company was hacked, panicked and started threatening a researcher who pointed out his lousy password choices on Twitter. He also falsely claimed that the leaked torrent file contained a virus in an attempt to prevent people from downloading it.

The leaked cache is already being analyzed by many researchers and activists around the world, who are dropping the choicest morsels of information on Twitter and spreading them widely.

This is how we now know that the US FBI, DEA and Army, but also many governments with a poor track record of respecting human rights are/were Hacking Team customers, and that they have sold their software to the Sudan government (thus violating UN sanctions) and have been stonewalling the UN as they try to investigate the matter.

Also, that they can apparently bypass certificate pinning and the HTTP strict transport security mechanisms and were worried about EFF’s HTTPS Everywhere browser extension spotting their rogue certificates and sending them to the EFF SSL Observatory, and that they used public exploits to compromise targets.

The Tor Project commented on the leaked documents by saying that they knew Hacking Team was actively trying to break their software, but that so far they haven’t found any actual exploits.

Some of the leaked documents and screenshots seem to indicate that the hackers compromised the company’s infrastructure half a year ago, in January 2015, and possibly even earlier.

 

Hackers Stole All Federal Employees’ SSN And Private Data
Fri, 12 Jun 2015 08:53:37 +0000 | https://truthvoice.com/2015/06/hackers-stole-all-federal-employees-ssn-and-private-data/


A federal worker union claims that the massive Office of Personnel Management hack reported last week is even bigger and more damaging than the government cares to admit. The American Federation of Government Employees believes the hackers stole the social security number of every current federal employee and retiree, along with the SSNs of up to a million former workers.

Associated Press has also obtained a letter addressed to OPM and written by AFGE’s president, J. David Cox, where he listed the other types of info stolen from OPM’s database: military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance and pension information; and age, gender and race data. Meanwhile, the Wall Street Journal reports the hackers were inside for more than a year before a sales demo by a tech firm discovered malware in the network.

In the same letter, Cox accused the agency of failing to take the proper precautionary measures to protect federal workers: it keeps up to 780 separate pieces of information on each person, after all. “We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” he wrote.

Take note, however, that Cox and his team don’t have access to the investigation and are basing all of this only on OPM’s sketchy and limited responses to their questions. An OPM spokesperson has denied allegations that the breach is bigger than the agency reported, though, telling NBC News that the official number of affected people remains the same: 4.2 million overall, including 1 million retirees, 2.1 million active civilian federal employees and 1.1 million separated workers.

If you recall, some authorities, including Sen. Harry Reid and Sen. Susan Collins, revealed that the government believes China is behind this security breach. The stolen data could be used for anything, from identity theft to blackmail. So if you’re a government employee and you receive a warning email from Homeland Security, take advantage of the credit monitoring and identity theft protection services the agency promised to offer.

This story was written by Mariella Moon for Engadget.

U.S. Federal Agency Reports Massive Data Breach, Blames China
Sat, 06 Jun 2015 11:28:26 +0000 | https://truthvoice.com/2015/06/u-s-federal-agency-reports-massive-data-breach-blames-china/

The federal government is notifying millions of employees as it works to assess the impact of a massive data breach involving the agency that handles security clearances and employee records.

A foreign entity or government is believed to be behind the cyber attack. U.S. officials are investigating whether Chinese hackers were involved, Reuters reported, citing a source familiar with the matter.

“The FBI is working with our interagency partners to investigate this matter. We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace,” an FBI spokesman told CNBC.

A congressional aide familiar with the situation, who declined to be named because he was not authorized to discuss it, says the Office of Personnel Management and the Interior Department were hacked. A second U.S. official who also declined to be identified said the data breach could potentially affect every federal agency.

The OPM plans to notify approximately 4 million individuals whose personally identifiable information (PII) may have been compromised in the breach, the agency said in a release.

“Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary,” the release said.

The White House was considering a public announcement of the breach Thursday night or Friday morning, the second official said.

The OPM is the human resources department for the federal government, and issues security clearances.

The federal division said it has recently worked on an “aggressive effort” to update its cybersecurity. As a result of these initiatives, in April the department detected the breach affecting its IT systems and data, the OPM release said.

The hacking “predated the adoption of the tougher security controls,” the release said.

Dow Jones reported that a government source called the breach one of the largest thefts of government data ever.

Sabu is Back From Probation, Pisses Off Everyone Within Minutes
Sat, 06 Jun 2015 11:27:01 +0000 | https://truthvoice.com/2015/06/sabu-is-back-from-probation-pisses-off-everyone-within-minutes/


Hector Monsegur, the Anonymous hacker who became a super-informant on the activities of his former pals, returned to Twitter this week. The results were unsurprising.

Having walked free from court just over 12 months ago, Monsegur, better known to many as Sabu, celebrated the end of his probation by returning to Twitter.

Monsegur has repurposed the @AnonymousSabu account, which was last seen in March 2012, just before it was revealed that Monsegur was working with the FBI.

Clearly there is a lot of pent up anger within Anonymous about Monsegur’s perceived actions, but he claimed that now he was back, the truth was going to come out.

“The best part of coming back is witnessing the rage once the truth starts coming out. You’ve all been bamboozled. Enjoy the show,” he typed. His messages to Anonymous members suggest that there will be revelations which will show that he is not the villain many make him out to be.

In May, Monsegur walked free from a New York courtroom despite pleading guilty to taking part in cyber-attacks on the likes of Sony, Nintendo, Visa and Mastercard. The reason he avoided a jail sentence was what the court described as Monsegur’s “extraordinarily valuable and productive” co-operation with the FBI.

Many believe this suggests Monsegur helped sell out his former colleagues in Anonymous and LulzSec in particular.

However in his tweets since returning to the social network, Monsegur says that this “extraordinarily valuable and productive” co-operation saw him helping the FBI stave off 300 cyber-attacks – three of which posed dangers to national security – and it was this that helped him avoid jail, rather than his help in identifying fellow LulzSec hackers.

Anonymous protests

The rest of Anonymous is not taking his return lying down. It has already started attacking the website of The Sabu Files, dedicated to investigating Monsegur’s role as an informant for the FBI, using the tried and tested Anonymous method of distributed denial of service attacks.

Elsewhere, Sabu will speak at a cyber-security conference called Suits and Spooks on 20 June, and some Anonymous hacktivists have called for a protest at the event, taking place in New York.

Image caption: Anonymous is looking to protest Sabu’s appearance at the Suits and Spooks cybersecurity conference in New York (Facebook)

The call to arms says: “We want everyone to come out in solidarity with not only Jeremy, but the other members of LulzSec who were persecuted because of Sabu’s betrayal. Bring signs, noisemakers, and banners – we will hold a gathering outside of Soho House to remind the attendees of those who are still suffering while Sabu profits from his cowardly actions. No room for snitches and informants. We do not forget Jeremy Hammond.”

Medical Robots Can Be Hacked During Surgery, Researchers Find
Sun, 26 Apr 2015 10:19:04 +0000 | https://truthvoice.com/2015/04/medical-robots-can-be-hacked-during-surgery-researchers-find/


Researchers at the University of Washington in Seattle have just hijacked a teleoperated surgical robot, demonstrating major security weaknesses in the machines that may eventually replace a surgeon’s hands in hospitals worldwide. Yikes.

When trained surgeons are a plane ride away, remotely operated surgical bots can save lives.
Doctors have been performing telesurgical procedures since 2001, when a surgeon in New York successfully removed the gall bladder of a patient in France. While telesurgery is by no means the status quo yet, it may well be in the future, given that the medical industry is quickly embracing robots in many aspects of patient care.

The advantages of remote surgery may be obvious, but like any tool that relies on telecommunications, there are inherent security risks. Communication between the surgeon and the robot typically takes place over public networks, and in some cases, poor internet connections. To explore how cyberattacks could disrupt a surgical robot, security researchers used the Raven II, a medical bot with two surgical arms that are manipulated through a state-of-the-art control console that includes a video feed and haptic feedback. The researchers controlled the robot over a standard network connection, using it to move rubber blocks from one part of a peg board to another.

MIT Tech Review describes the researchers’ experiments:

The team tries out three types of attacks. The first changes the commands sent by the operator to the robot by deleting, delaying or re-ordering them. This causes the robot’s movement to become jerky and difficult to control.

The second type of attack modifies the intention of signals from the operator to the robot by changing, say, the distance an arm should move or the degree it should rotate and so on. “Most of these attacks had a noticeable impact on the Raven immediately upon launch,” say Bonaci and co.

The final category of attack is a hijacking that completely takes over the robot. This turns out to be relatively easy since the Interoperable Telesurgery Protocol is publicly available. “We effectively took control over the teleoperated procedure,” they say.

They even worked out how to generate movements that triggered an automatic stop mechanism built in to the robot…. By constantly sending commands that triggered this mechanism, the team were able to carry out a kind of denial of service attack. “We are able to easily stop the robot from ever being properly reset, thus effectively making a surgical procedure impossible,” they say.

So yea, that all sounds pretty bad. As a final coup de grâce, the researchers note that the robot’s video connection was publicly accessible, meaning basically anyone could watch the operation in real time.

Many types of cyberattacks could be prevented by encrypting communications between the control console and the robot. But as we’re all well aware, crafty hackers can sometimes find ways around even the most sophisticated security systems. It’d seem that medical practitioners, policy makers and the public have to make some tough choices about what level of telesurgery security is acceptable. And if we’d like to avoid a Saw-esque horror scene, this is probably a conversation we ought to have sooner rather than later.

Homeland Security and FBI Issue Fake Emergency Hacker Warning For Cops – For Legal Activities!
Wed, 22 Apr 2015 10:26:44 +0000 | https://truthvoice.com/2015/04/us-cert-issue-fake-emergency-hacker-warnings-for-cops-for-legal-activities/


by Virgil Vaduva

Updated at 2:12 PM EST.

In what appears to be an all-out fear mongering and intimidating announcement, IC3, the Internet Crime Complaint Center, which is a website maintained by the FBI, issued an emergency alert stating that “family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity.”

While the announcement is re-packaged as a brand new Internet Security emergency, the fear-mongering is little more than a copy and paste of a “Security Tip” titled “Staying Safe on Social Networks,” issued on January 26, 2011 by the United States Computer Emergency Readiness Team (US-CERT). While masquerading as a “national emergency,” the emergency alert is little more than a poorly written list of activities or steps that anyone, not just law enforcement or police officers, could take to increase their online privacy.

Without citing any specific threat, Mindi McDowell wrote in 2011 that law enforcement personnel are at risk of having personal information unveiled and exposed on social media networks and other public web sites. Yesterday, April 21, 2015, the FBI, using its IC3 website, issued a newly re-packaged alert re-stating the same warning, going into a bit more detail but still not quoting any credible threat and sticking to very generic language:

“Recent activity suggests family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity. Targeted information may include personally identifiable information and public information and pictures from social media Web sites.”

To make matters worse for the average reader of this release, the IC3 advisory even gives “doxing” as one of the main reasons for issuing this advisory, except doxing is a perfectly legal activity and it largely involves gathering publicly and legally available information about a particular topic or individual. Their alert, however, defines doxing as follows:

“The act of compiling and posting an individual’s personal information without permission is known as doxing.”

Not only is this blatant fear-mongering on the part of the FBI and Homeland Security, but as I mentioned above, doxing is in fact a completely legal activity, and it involves little more than the simple ability to use online search tools like Google and other search engines to find and compile legally available information!

The brand new “fake” security alert was picked up by other government agencies and was sent out to millions of information security and IT professional subscribers late yesterday.

IC3, NCCIC and US-CERT have all been tasked with maintaining awareness about ongoing cyber threats to our national defense systems and Internet infrastructure; however, it appears that these organizations and the alerting mechanisms they use to create awareness about serious threats are now being used to instigate fear about activities that are actually legal and are used every day by millions of Americans for research work.

One notable FBI case related to doxing was the case of the Steubenville, Ohio rapists, who were exposed by an Anonymous hacker, Deric Lostutter. Working under the handle KYAnonymous, Lostutter was interviewed for this article about doxing and said,

“…as far as the legality of doxing goes, it is perfectly legal should you use data gathered from public sources such as Google, Spokeo, LinkedIn etc. The problem the feds have with the practice is they don’t hold the people who leave all of their information freely on the internet accountable. When the FBI raided me in April of 2013, I explained to Agent Bixby of Ohio that Spokeo had an address that I lived at that was a safe house. He stated “well that just seems illegal”. Seeming illegal and being illegal are two different things. It was my fault, as it is the fault of the target, that the information is publicly obtainable. Information on the internet grows exponentially.”

In that case, Lostutter claims to have spent a substantial amount of time researching legally accessible information which was publicly available to identify the rapists and expose them. Shortly thereafter he was raided by an FBI SWAT team, arrested and his computer equipment was confiscated. As a result he is now facing more time in prison than the rapists he helped expose.

His closing statement to TruthVoice about doxing and his message to the FBI was,

I can find anything out, about anyone, dead or alive. cop or not. all legal, they can suck my left nut

Unfortunately, the FBI’s methodology of pushing announcements about doxing via emergency notification channels may be having the opposite effect and may be detrimental to maintaining awareness about Information Security topics, by lowering the bar for what constitutes a true cyber security emergency and desensitizing the security industry to real threats and risk factors.

If the folks at Homeland Security, IC3 and NCCIC (who are largely former law enforcement officers) truly believe doxing to be such a danger to the general public, they should issue a general advisory for all Americans who may be at risk of having their privacy violated, not just to cops or current law enforcement members. The issuance of this alert illustrates that the current channels used for emergency alerts are little more than a joke and are now seemingly being used for what appear to be political motives and reasons.

You can read the original advisory here: https://www.us-cert.gov/ncas/tips/ST06-003

You can read the re-packaged advisory here: http://www.ic3.gov/media/2015/150421.aspx


Virgil Vaduva is a Libertarian security professional, journalist, photographer and overall liberty freak. He spent most of his life in Communist Romania and participated in the 1989 street protests which led to the collapse of the Ceausescu regime. He can be reached at vvaduva at truthvoice.com.

The 10 Biggest Bank Card Hacks
Sat, 28 Feb 2015 10:09:44 +0000 | https://truthvoice.com/2015/02/the-10-biggest-bank-card-hacks/

Wired magazine has just released its list of the 10 biggest bank card hacks, and some of the names on the list are somewhat unknown, considering the size and importance of the hack. Here is the list:

10. CardSystems Solutions – 40 million cards

9. TJX – 94 million cards

8. Heartland Payment Systems – 130 million cards

7. RBS WorldPay – 1.5 million cards

6. Barnes and Noble – unknown

5. Canadian Carding Ring

4. Unknown Card Processor in India and U.S. – unknown

3. Cisero’s Ristorante and Nightclub – Unknown

2. Global Payments Inc – 1.5 million

1. The Next Big Breach: Like death and taxes, the next big card breach is an assured thing.
