Friday 26 July 2013

Security industry mourns death of ATM hacker Barnaby Jack ahead of Black Hat conference

Renowned security researcher Barnaby Jack has died unexpectedly under unknown circumstances, one week before he was due to give a talk at the Black Hat security conference.
Jack was famous for demoing on stage how ATM cash machines could be hacked at the 2010 Black Hat conference.
He was due to retake the stage at Black Hat next week to demonstrate a new hack that could deactivate heart pacemakers from 30 yards away, similar to the fictional attack shown on the popular TV show Homeland.
Outside of his famous hacks, Jack was known as a skilled bug hunter, with his research covering multiple fields and areas.
Jack's death was confirmed by his employer IOActive via Twitter, although no details of how he died were given.

IOActive, Inc @IOActive
Lost but never forgotten our beloved pirate, Barnaby Jack has passed. He was a master hacker and dear friend. Here's to you Barnes!

Jack's death has resulted in a sea of comments from the security community with numerous ethical hackers and researchers praising his contributions to the field.
Sophos technology director James Lyne praised Jack, saying his animated live demonstrations and energy while researching should act as an example to all security researchers. "It is a sad day to learn that Barnaby Jack has passed away," he told V3.
"Barnes had a substantial contribution to the field - not least kicking off a mass of interest and research into the less considered devices in security like ATMs.
"His demonstrations and research inspired many (and were awesome) and I truly hope that up and coming security professionals continue his work and passion."
Other contemporaries, like Apple zero-day hunter Charlie Miller and HD Moore, chief research officer at penetration testing firm Rapid7, expressed their admiration via Twitter.
To see Jack's famous ATM hack check out the video below.
http://www.youtube.com/watch?v=v-dS4UFomv0&feature=player_embedded

Pacemaker hacker @barnaby_jack dies in hospital

The hacker Barnaby Jack has died in San Francisco, a week before he was due to show off his hacking techniques on attacking implanted heart devices that could kill a man from 30 feet away.
The San Francisco Medical Examiner's office said he died in the city on Thursday. It gave no details.
Jack, a security expert, became one of the most famous hackers on the planet after a 2010 demonstration in which he forced ATMs to spit out cash, dubbed "Jackpotting" (reut.rs/gIGXVq).
The hacking community expressed shock as the news of his death spread via Twitter early on Friday. Jack was due to appear at the Black Hat hacking convention in San Francisco next week, demonstrating how he could attack heart devices.
"Wow ... Speechless," Tweeted mobile phone hacker Tyler Shields.
Jack's most recent employer, the cyber security consulting firm IOActive Inc, said in a Tweet: "Lost but never forgotten our beloved pirate, Barnaby Jack has passed."
Jack had served as IOActive's director of embedded device security.
Jack's genius was finding bugs in the tiny computers that are embedded in equipment such as medical devices and banking machines. He received standing ovations at hacking conventions for his creativity and showmanship.
"You grimy bastard. I was just talking up about your awesome work last night," Tweeted Dino Dai Zovi, a hacker known for his skill at finding bugs in Apple products. "You'll be missed, bro."
Friends and fans alike Tweeted memorials to Jack's Twitter handle, @barnaby_jack.
Dan Kaminsky, an expert in Internet security, Tweeted that he had hoped the news of Jack's death was a prank: "God, the stories. Nobody caused such hilarious trouble like @barnaby_jack."

Lakeland hack proves government cyber security health checks are vital

Of all the UK high street brands for hackers to target, the home appliance and cutlery retailer Lakeland was probably not seen by many as an obvious target.
Yet this week the firm admitted it was hit by a 'sophisticated cyber attack' on two databases. This was done via a Java flaw and, as a precautionary measure, the firm reset all customer passwords, in a move praised by security professionals.
The Lakeland hack – carried out with "concerted effort and considerable skill" – on a relatively small and unglamorous (sorry guys) company proves that businesses of all shapes, sizes and sectors face serious cyber threats.
As news of this attack spread across the media there must have been some civil servants rubbing their hands with glee; not because they had anything to do with the hack, of course, but because the timing of a letter they were preparing to send out about cyber security would look highly prescient.
The letter, which was sent on Thursday to the UK's biggest FTSE 350 firms, offered the chance for free cyber security audits to be carried out by six consultancy firms: PWC, KPMG, Ernst & Young, Deloitte, Grant Thornton and BDO International.
The audit will take place after the firms fill out questionnaires on their cyber security practices before the information is sent back, anonymously, for assessment. With the Lakeland hack in the headlines, the message from the government should carry some real weight.
Furthermore, the fact that the letter offering the free audits has been signed off by the chiefs of the UK's top spy agencies, GCHQ and MI5, only underlines how serious the issue is and how much the government wants to drum this home.
Deloitte's European head of security and privacy services, Mike Maddison, agrees with this, arguing it was vital for all firms to assess their cyber security procedures, and the approach by the government was a vital step in this direction.
“With cyber threats acknowledged as one of the four major risks to national security, Deloitte supports the UK Government’s Cyber Governance Health Check to help understand, at board level, how prepared UK plc actually is,” says Maddison.
“Just trying to prevent an attack is no longer a realistic strategy. Today it is about being aware, preparing and being able to respond effectively if a breach does occur.”
However, so far, many firms have failed to show any interest. BT, TalkTalk, Vodafone, Sage, Barclays and M&S had all failed to reply to a request for their thoughts on the initiative when contacted by V3, or said it was not something they would be talking about.
Perhaps this is not surprising as many firms are unwilling to talk about anything to do with cyber security practices, given the risk that the information could, potentially, be used by hackers or influence rivals.
However, perhaps the open attitude taken by Lakeland marks a change in the stance firms will take on cyber issues, and will encourage others to be more open about attacks they suffer in the future, for the benefit of the whole of the UK.

PRISM: European business should be more concerned with local snoops than NSA

European businesses should be more concerned about local intelligence agencies' data-collection campaigns than the US NSA's PRISM programme, according to ex-Navy Seal and Silent Circle chief executive Mike Janke.
Janke told V3 he is surprised that media and businesses have taken such a myopic view of the National Security Agency (NSA) PRISM scandal when there is a more pressing, immediate threat on their doorstep.
"Every one of them wants to ask about the NSA but if you're in Europe you're surrounded by about 12 NSAs – the Russians, the Chinese, nation states that are using their NSA-level capabilities to hack companies to give their country's economic value a leg up. There's also companies that are hacking other companies, that pay 'consulting firms' to go in and steal intellectual property," he says.
The Silent Circle chief said that, given the increased number of threats and attacks targeting businesses, he was actually surprised it took a scandal like PRISM for the uproar to manifest: "All these things have been known entering the 2000s and it became very prevalent with national state hacking in 2007. There's a known understanding of what we call data collection by nation states. Then there's IP theft and criminal hacking for monetary gain and it's been going on for so long that I'm actually surprised it took so long for something like PRISM for it to come to light."
PRISM, the data collection campaign run by the NSA, was revealed earlier this year when ex-CIA analyst Edward Snowden leaked documents confirming the NSA had been siphoning user information from Microsoft, Facebook and Google. Following PRISM's exposure, several other intelligence agencies have been accused of mounting similar campaigns. Within the UK the GCHQ has been accused of collecting vast reserves of data by tapping into global telecoms cables, under an operation called Tempora.
The operations have led to concerns that the world is on the brink of a full-blown cyber cold war. Janke downplayed these suggestions, saying most military agencies are still playing catch-up with intelligence agencies when it comes to cyber: "I found militaries are so dysfunctional and they are always behind the times. They have no understanding that every young 25-year-old has two or three devices they want to use and they've got policies that are 10 years old and only relate to a laptop."
"They are aware of the problem but they're so slow to act they'll be hacked for three to four years before reacting thanks to the bureaucracy. We see that in Europe and America, they're really, really slow to move to fix things even though they're aware there are serious issues. They spend a year evaluating a technology, so by the time they pay for it, it's obsolete. Where we see the best is actually in special operations and intelligence agencies. They're always up to speed."
Janke believes, despite the seriousness of the revelation, it has helped improve businesses' security awareness in Europe: "It wasn't really until recently that people understood that metadata is so dangerous; that government agencies and criminal organisations can collect your metadata."
"We see that Europe has a good level of security-threat awareness in enterprise, but what we don't see is good policy. European companies have weaker corporate policies where they let people bring any device they want, they let them use that device, yet they don't have a very good way of controlling the devices."
He adds that the trend is a marked departure from that seen in most US firms: "In America you have good policies but not good security awareness, that's the difference. We definitely find that European companies have weaker policies about how to control the communications going in and out of their offices."
Janke's comments mirror the findings of the UK government, which has launched several initiatives designed to help businesses implement more robust security policies. Most recently, the UK Home Office launched a new £4m cyber awareness campaign, designed to educate businesses and citizens about the cyber threats facing them.

Germany has three Prism programs running

After a special meeting of the Parliamentary Control Panel, the government considers the allegations against the intelligence services to be cleared up. On one point, at least, the black-yellow coalition government is relieved.
Expectations ahead of the appearance of the head of the Chancellor's Office, who is ultimately responsible for coordinating the German intelligence services, were high. The opposition applied pressure and demanded, among other things, clarification of the past weekend's allegations that cooperation between the German services and the American NSA was much closer than had previously been admitted. The federal government had come under growing pressure to explain the affair.

The intelligence services, for their part, hoped to finally get out of the line of fire; Pofalla was expected to provide details and stand up for the services. After a session of almost three and a half hours, one has to say the task was fulfilled, but only as far as the limited information that had arrived from the USA allowed.
For the chairman of the PMB, Thomas Oppermann (SPD), one thing is therefore clear: "We have not progressed one bit." Many questions remain unanswered, so the supervisory body will hold two further meetings in the coming weeks.
Much now seems clearer, however, helped by the fact that the NSA has issued a statement for the first time since the affair began. According to it, there are, as the Federal Intelligence Service (BND) had reported, several programs named Prism.

Relief in respect of a complaint

This detail relieves the government of at least one allegation: it had been claimed that the army knew about Prism as early as 2011 and fed it information about Afghanistan.
A document available to the newspaper "Welt" and stamped "for official use only" now shows, however, that this is in fact a different program from the much discussed one. In total there are three different tools called Prism.
According to the NSA paper, the surveillance program revealed by Snowden does not collect the data of German citizens by the millions. "The NSA and the rest of the U.S. government cannot use this to randomly collect the contents of private communications of citizens of other nations," it says.
"Use of this program is focused and purposeful, on a legal basis, and is anything but blanket." Its aims are counter-terrorism, cyber defense and the fight against the proliferation of nuclear weapons.

A third, completely independent program

The second program called Prism is a tool used by the U.S. Department of Defense in Afghanistan to gather and search intelligence information. There is also a third Prism information portal, likewise run by the NSA, which is operated completely independently of the surveillance program described by Snowden.
The government thus seems to be emerging from the defensive and believes it has cleared up all the disputed points. Pofalla stressed how important the work of the intelligence services is to "protect German citizens". The head of the Chancellor's Office ("ChefBK") also vehemently denied that the German services had supported the U.S. in unlawful eavesdropping.
"The German intelligence services are working according to the law," Pofalla said. He dismissed reports that BND President Gerhard Schindler had called for laxer data protection practices and for the transfer of data to other services; there had been no such request, and Schindler had confirmed in writing that he had not called for this.
Oppermann, in turn, saw it differently: Schindler had confirmed that he had sought a looser interpretation. Almost all the other participants, however, were sure that the BND chief could no longer be accused of a breach of the law.

Stanford University warns of threats from user hacks

Stanford University is asking users to reset their passwords following the discovery of an attack that has left users and staff vulnerable to potential identity theft.
“Stanford treats information security with the utmost seriousness and is continually upgrading its defenses against cyber attacks,” the university said. “Like many institutions, the university repels millions of attempted attacks on its information systems each day. In recent months, a range of large organisations have also reported attacks involving their information systems.”
The university is currently unable to provide details on the scope and range of the attack, though the breach is believed to be confined to the university's campus and is related to a series of security breaches at US companies.
A hallmark of the US education system, Stanford has emerged as a top source of information technology entrepreneurs in Silicon Valley. The university has produced technology leaders including Sergey Brin, Jerry Yang and Larry Page, among others.
The hack comes in the wake of numerous other high profile data thefts and password breaches at numerous firms. Earlier this week UK retailer Lakeland admitted hackers had accessed two databases, forcing the firm to reset all user passwords.
In response the government has issued letters to the top FTSE 350 companies offering them the chance for a free cyber security audit against their peers to see how they are performing.

Anonymous: massive cyber attack on Venezuelan government

Several government websites were the target of a massive cyber-attack on the Venezuelan regime on Tuesday and Wednesday (24th).
The groups "Anonymous Venezuela" and "Venezuelan hacker" carried out the attack in protest at what they regard as fraud in the presidential elections of 14 April, and simultaneously demanded the resignation of President Nicolás Maduro.
Some of the websites (ministries, local authorities and universities) were unavailable for hours.
"The action is not over yet. It is time to remove the blindfold. No chance, Nicolás Maduro. The time of fraud comes to an end," tweeted the "Venezuelan hacker".
So far there has been no Venezuelan government statement about the attacks.

Verizon starts Data Breach Investigations Report database

Verizon Enterprise has started a free, public data breach repository to aid research and help companies fight cyber-attacks, it said in a press release.
Verizon, one of the leading companies in the ICT industry, finds that one of the most effective ways to fight cyber-attacks is through the open sharing of information.
Currently, there is no publicly available, comprehensive raw dataset on security incidents that is sufficiently rich to support both community research and corporate decision making.
Public data exists in a variety of forms and areas, but there is no central location where data is organized in a way that lends itself to the level of manipulation and transformation required for research.
Even in the publicly accessible places where this information resides, the underlying data is not freely and publicly available for use. This has made it difficult for researchers to effectively study security incidents and has hampered risk managers' ability to make well-informed assessments using publicly available data.
Verizon is addressing this need by launching a new initiative to collect, organize and publish all publicly disclosed data breaches. The data is coded into VERIS format and available in an interactive dashboard via Tableau Public as well as in individual files in JSON format in a GitHub repository. Both can be reached from the VERIS Community site as well.
The VERIS Community Database goes live this week with more than 1,200 reported incidents from the last few years. This initial batch of data comes from the Department of Health and Human Services (HHS) incidents, the sites of the various Attorneys General that provide breach notification source documents, media reports and press releases. The goal is to continue to augment this dataset to capture as many incidents as possible so that others can benefit.
This data is provided as a resource to benefit the industry at large, as the ability to access and query data breach information improves everyone’s ability to protect their organizations and data. Researchers can identify trends and provide thoughts on how to combat future breaches.
Corporations can compare their internal incident monitoring with what is happening in the public at large. There is no cost or contribution requirement to access and use the data. Verizon’s belief is that as more organizations contribute to this initiative, the data contained in the database and the insights the industry will be able to glean will improve. Ultimately, greater availability and sharing of data will improve overall industry intelligence and create a more secure world.

Cyber attack hits Istanbul international airport in Turkey

The passport control system at Istanbul Ataturk Airport's international departure terminal has now been restored after being locked due to an alleged cyber attack on Friday, while another airport in Turkey's largest city was also affected.
Local Dogan news agency reported that passengers stood in lines for hours and some lashed out at airport officials, as planes' departures were delayed due to the collapse of the system.
Meanwhile, local media said the passport control system at the Sabiha Gokcen International Airport in Istanbul also broke down due to the malfunction of the Istanbul provincial security directorate's Polnet data system.

Snowden makes European girls hot

The tension, the passion and the secrecy make the girls go wild for the whistleblower Edward Snowden. In Germany there is an underwear store that just loves to make fun of the NSA's PRISM project, so they decided that there is still a lot to uncover. PRISM is a clandestine mass electronic surveillance data mining program operated by the United States National Security Agency (NSA) since 2007.

The Blush company has a Facebook group online which shows several images of good-looking women in trendy and stylish underwear. The German newspaper also reported on this case.

Critical US Infrastructure Remains Vulnerable to Cyberattacks

Cybersecurity researchers next week will demonstrate how hackers can potentially wreak havoc on critical US infrastructure, even causing explosions by altering the readings on wireless sensors used by the oil and gas industry.
The presentations at the Black Hat conference beginning in Las Vegas show how key industries remain vulnerable to cyber attacks, in part because companies are reluctant to replace expensive equipment or install new safeguards unless ordered to do so by regulators or offered economic incentives, experts say.
“We’ve got this cancer that is growing inside our critical infrastructure. When are we going to go under the knife instead of letting this fester?” said Patrick C. Miller, founder of the nonprofit Energy Sector Security Consortium. “We need to restructure some regulations and incentives.”
The new research on wireless sensors found flaws in the way they handle encryption, Lucas Apa and Carlos Mario Penagos of security consulting firm IOActive Inc. said.
They said they could contact some of the sensors with radio transmissions from as far as 64 km away and alter pressure, volume and other readings. If the overall control systems act on those readings without a failsafe, the researchers said, they could permanently disable a pipeline or plant.
The sensors typically cost $1,000 or $2,000 and are deployed in the hundreds or thousands at a single oil, gas or water processor. The researchers said the flaws were found in devices supplied by three of the largest vendors in the field, but declined to identify them.
Penagos said most refineries that have the capability to monitor gas levels or temperature probably have the vulnerable devices in place. In some cases the sensors have a design flaw, while in other cases the customers installed them insecurely.
Either way, “the entire industrial process could be disabled or modified by disrupting the physical sensors,” Apa said.
Since the 2010 disclosure of the US-developed Stuxnet virus that attacked an Iranian nuclear facility, countries have intensified efforts to defend their own infrastructure while developing the capability to attack such equipment elsewhere.
In the United States, a February executive order by President Barack Obama directed the Department of Homeland Security to work with industry to develop security standards, but their adoption would be voluntary. The White House is now weighing possible incentives, while Congress mulls legislation that would be more forceful.
For now, DHS issues warnings of attacks and advisories on how to fix flaws of particular concern. The IOActive researchers said they had been working with DHS and equipment makers to develop fixes.
A DHS spokesman declined to comment on the research or the state of security in the energy industry.
The department’s industrial control systems cybersecurity arm responded to more than 200 incidents in critical infrastructure in the first half of the current fiscal year, more than in all of the previous year. More than half of the latest incidents were in the energy sector, according to a recent DHS newsletter.
Apa and Penagos said they had spent months on their project and it would take a fair amount of specialized experience for someone to mount a destructive attack. But it might also take a long time for patches to be physically installed, they said.
Shawn Moyer, an Accuvant Labs researcher who has found similar problems with radio communications in industrial controls, said Apa and Penagos’ work showed that utilities are still learning the best practices for security. He also noted that interception and alteration of data form just one part of a successful cyber attack.
“You have to know enough about the target to know to look for it,” Moyer said.
Another cybersecurity company plans to demonstrate at Black Hat how hackers can remotely blow up a water tank using a combination of known vulnerabilities.
Eric Forner and Brian Meixell of the consulting firm Cimation said they would simulate an attack that causes a tank to be overfilled, causing a spill or blowout.
They said a modest copycat effort by malicious hackers could produce destruction at random, while targeting a specific facility would take more effort. For instance, hackers can use tools such as Shodan, a specialized search engine that lets anyone look for specific types of devices that are connected to the Internet, along with the names of their owners and their physical locations.
“For us it was an overnighter; it took 16 hours for two people,” Forner said.
“There are systemic problems in the industry with bad protocol implementation.”

#opIslam hackers leak 48,000 user accounts in fight against #opIsrael

The war between the #opIslam and #opIsrael operations is showing its damage. Today Cyberwarzone received a message from one of the #opIsrael fighters. The message contained a link to a PasteBin file, which in turn linked to a file containing over 48,000 user accounts from the hec.gov.pk domain.

The leaked file contains the following fields:

  1. E-mail 
  2. Username 
  3. Password

Russian security agency FSB talking with the FBI over #Snowden

Sources have reported that the Russian security agency FSB is currently talking with the FBI about the Snowden situation. A Kremlin spokesman said that he is sure that Edward Snowden, the ex-NSA contractor, will stop harming the United States when he is granted asylum in Russia.
The Russian president is not handling the case of former CIA employee Edward #Snowden, as "Snowden has not made any request that is subject to consideration by the head of the state," said Vladimir Putin's spokesman Dmitry Peskov.

Red Team Testing: Debunking Myths and Setting Expectations

The term "cyber" seems to be overused in every corner of the information security industry. Now there is a new buzz phrase in computer security: "red team engagements." Supposedly (to get all "cyber" on you), you can have a red team test, and it will help move your organization in the correct "cyber direction." But what is red team testing really? And what is it not? In this post I'll try to make some sense of this potent term.
The red team concept has been around for ages. It started as a military term for a team dedicated to simulating all of an enemy’s activities, including everything from methodology to doctrine, strategy, techniques, equipment, and behaviors. The red team was tasked with mastering how the adversary thinks and operates, and then executing the enemy’s strategies and tactics in the field. This allows your own forces to experience what it would be like to combat this enemy in real life − without the risk of getting injured or killed. 
 
Fast forward 10-12 years and red teams are being used in civilian industry as well as in the military. In private industry, red teams simulate adversaries (not necessarily foreign armies) that could impact the organization. The adversary could be criminals vying to get your money, competitors trying to get their hands on your latest designs, or random attackers who want to exploit, destroy, or simply harm your organization. Their motivations can range from social activism, political strategy, financial gain, and so on.
 
When IOActive is asked to conduct a red team test, our main goal is to accurately and realistically simulate these types of adversaries. So the first, and probably most important, element of a red team test is to define the threat model:
 
·      Who is your adversary?
·      What are their motivations?
·      Which adversaries are you most afraid of? (This is usually any party that wants to put you out of business.)
 
Defining the threat model is crucial to the success of a red team engagement, because it determines the value your organization will get from the project.
 
After we articulate the threat model, the fun part of the engagement begins.
 
Fun? Yes, because in the real world most tests, such as penetration tests, do not really depict a persistent adversary. Instead, engagements such as pen tests simulate specific strategies that a persistent adversary would use as part of an overall attack.
 
The red team engagement, on the other hand, includes all possible elements that an adversary might use in such an attack (which is why it is often referred to as "no scope” or "full scope” testing).
 
In this context, everything is in scope: your employees, your infrastructure, the physical office locations, your supply chain (that's every third party you use as part of your ongoing operations) and more. When developing attack scenarios for red team engagements, every element has to fit in perfectly.
 
Think of it as an "Ocean's Eleven" type of attack that can include:
 
·      Social engineering
·      Electronic and digital attacks
·      Bypassing physical controls
·      Equipment tampering
·      Getting into the supply chain to access your assets
·      And more
 
This is full scope testing. Unlike in other types of engagement, all or almost all assets are “in scope".
 
(Note: Red team engagements do commonly use "reverse scoping" techniques to identify assets that are critical to operations and the types of tampering, access, or removal that are off limits for these assets. These sensitive assets are still in scope, but reverse scoping defines and restricts actions that may substantially disrupt operations.)
 
So far this sounds like a fun game. But hold on, it isn’t just about the attack. What I like the most is seeing how an organization’s ongoing security operations handle red team attacks.
 
In a red team test, very few people in the organization know about the test, and even fewer actually know when the test will happen. This means that from an operational security view, all red team activities are treated as if they involve a real adversary.
 
We gain a lot of insights from the actions and reactions of the organization’s security team to a red team attack. These are the types of insights that matter the most to us:
 
·      Observing how your monitoring capabilities function during the intelligence gathering phase. The results can be eye opening and provide tremendous value when assessing your security posture.
·      Measuring how your first (and second) responders in information security, HR, and physical security work together. Teamwork and coordination among teams is crucial and the assessment allows you to build processes that actually work.
·      Understanding what happens when an attacker gains access to your assets and starts to exfiltrate information or actually steals equipment. The red team experience can do wonders for your disaster recovery processes.
 
These are some of the rewards and benefits of a red team test. As you can see, they go well above and beyond what you would get from other types of focused tests.
 
I hope this explanation eliminates some of the confusion about red team testing that I have seen lately in Internet discussions. I am not saying that there is no value in pen tests, social engineering engagements, physical assessments, or anti-phishing campaigns. However, to see how all of these different types of security considerations work in the real world, they also need to be considered as part of a larger (and relevant) context, so that you can see how well your organization is prepared for any type of attack.
 
Last but not least, if you'd like to get hands-on training in how red team engagements are conducted, consider attending our two-day Red Team Training (https://www.blackhat.com/us-13/training/red-team-training.html) at Black Hat 2013 in Las Vegas.