Friday 23 January 2015

Computer with Patients’ Personal Information Stolen

HARLINGEN - Thousands of people throughout the Rio Grande Valley are in a vulnerable position because of a burglary.
Sunglo Home Health Services has thousands of patients across the Valley. Their personal information is in the hands of a Harlingen burglar.
He walked away with sensitive information and it was all caught on surveillance video.
Steven Means with Sunglo Home Health Services said, “We're covering from Rio Grande City all the way to Brownsville - including Raymondville as well.”
He said their patients include the elderly and the disabled. The company drives patients across the Valley in their vans. The vans are kept in a parking lot at the corporate office in Harlingen.
Means said the parking lot was the scene of a burglary early Monday morning.
Harlingen police said the suspect broke into a truck full of tools. Means said the thief was able to find a set of keys to one of the vans inside the truck.
The thief took the tools and some other gear, placed it in the van and then drove away.
Surveillance video showed the burglar return to take more property.
According to Means, the man broke a window with a fire extinguisher and stole a computer.
That computer contained the Social Security numbers and personal information belonging to thousands of their patients.
“We're just worried about the safety of the patients themselves because of the information. We had to contact local police to see what we could do,” said Means.
Sergeant Dave Osborne with the Harlingen Police Department said they are looking for the public’s help because the bad guy may not have been working alone.
Thousands of patients are now waiting to see if thieves log on and download their personal information.
Means, the IT director for Sunglo, said they have contacted all of their patients to let them know about the security breach. He said he will continue to monitor the computer in case someone decides to power it up.
There are specific steps you should take if you think someone has stolen your personal information.
The Better Business Bureau said to contact all the major credit reporting agencies. They also said you should ask them to put a fraud alert and credit freeze on your accounts.
Keep a close watch on your credit card and bank accounts to make sure no one is making charges or taking your money.
They also suggest filing an ID theft kit from the Texas Attorney General.

Symantec data centre security software has security holes

Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms that the company plugged this week because they allowed hackers to gain privilege access to management servers.
The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.
SEC Consult researcher Stefan Viehböck who found the flaws said the products should not be used until a full security audit was conducted.
"Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level," Viehböck wrote in an advisory
"Furthermore attackers can manage all clients and their policies.
"It is highly recommended by SEC Consult not to use this software until a thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been performed by security professionals and all identified issues have been resolved."
Hackers with access to the SDCS:SA server could potentially pivot within the corporate network and could bypass client protections.
Four flaws were reported including an unauthenticated SQL injection (CVE-2014-7289) granting attackers read and write access to database records and SYSTEM code execution privileges.
A reflected cross-site scripting (CVE-2014-9224) was dug up allowing attackers to steal other users' sessions and gain access to the admin interface.
Information disclosure (CVE-2014-9225) was possible with a script that spewed internal server application data without requiring authentication, including file paths on the web server, and version information (OS, Java).
Multiple default security protection policy bypasses were discovered that were tempered by the requirement for administrator permissions. These included persistent code execution via Windows Services; remote code execution via remote procedure call; extraction of Windows passwords and hashes; privilege elevation via Windows Installer, and privilege elevation and code execution via Windows Management Instrumentation.
Proof of concept codes were published to exploit the respective vulnerabilities, giving urgency to the need for customers to apply patches and work-arounds for those flaws yet unfixed.
Viehböck first tipped Symantec off to the holes in November under a disclosure time line that appeared to run smoothly between bug hunter and vendor.

Stratfor hacker and FBI-harasser Barrett Brown gets five years inside

Barratt Brown

Barrett Brown is going to be spending a little longer inside than he thought after a Dallas judge threw the book at him on charged related to the hacking attack on private US intelligence firm Stratfor.
Lawyers for Brown had been hoping their client would get off with time served, as he has spent the last 28 months in federal prison. Instead he got five years and three months for aiding and abetting, attempting to hide evidence, and threatening a Federal officer, and will have to pay a fine of $890,000, most of which will go to Stratfor.
"For the next 35 months, I'll be provided with free food, clothes, and housing as I seek to expose wrongdoing by Bureau of Prisons officials and staff and otherwise report on news and culture in the world's greatest prison system," Barrett said in a statement.
"I want to thank the Department of Justice for having put so much time and energy into advocating on my behalf; rather than holding a grudge against me for the two years of work I put into in bringing attention to a DOJ-linked campaign to harass and discredit journalists like Glenn Greenwald, the agency instead labored tirelessly to ensure that I received this very prestigious assignment. Wish me luck!"
Brown came to prominence in 2011 as a journalist with a close relationship to some members of the hacking group Anonymous. He set up the Project PM wiki to analyze leaked information from events like the HBGary hack and appeared on the media as a self-declared Anonymous spokesperson.
In March 2012 federal investigators raided his and his mother's house as part of an investigation into the HBGary affair and others like it. Several laptops were seized and taken away for investigation.
In September 2012 he posted a trio of 15-minute rants on YouTube in which accused the FBI of going after him and his mother and threatening to release identifying information on a certain officer. During the rant Brown admitted he was weaning himself off opiates at the time of filming.

He was arrested the same day and charged with threats, conspiracy and retaliation against a federal law enforcement officer shortly afterwards. Then in December 12 more charges were added, related to the hacking of secretive US data investigations outfit Stratfor.
On Christmas Day 2011 Strafor's website went dark and Anonymous announced it had comprehensively pwned the firm and stolen 200GB of data. Stratfor emails published via WikiLeaks showed that the US government had already drawn up secret charges against Assange and revealed that the security firm was storing credit card details and passwords in plain text.
That credit card data was used to make donations to various charities. Brown published a hyperlink to some of the stolen credit card files from wikisend.com from the Anonops IRC to his own channel. The Feds insisted this was a form of identity theft, a position Barrett's lawyers opposed.
In January two more charges were added against Brown for trying to conceal laptops during the March FBI raid, bringing his maximum possible time inside to over 100 years if found guilty. His mother was also charged and received a six month suspended sentence and a small fine.
The case was placed under a media gagging order in September 2013 and two months later Jeremy Hammond, the hacker who cracked Stratfor, got the maximum sentence of ten years in prison for his role.
In a plea bargain arranged last March the government agreed to drop most of the charges against Brown relating to his posting of the hyperlink. But the remaining charges stuck, and now he's off to prison until 2019 at the latest, although he'll be eligible for parole in a year.

Tuesday 20 January 2015

Cops arrest another man after Christmas PlayStation/Xbox DDoS

UK police have arrested an 18-year-old man in Southport in connection with the Lizard Squad's Grinch-like, Christmas-time Distributed Denial of Service (DDoS) blockage of PlayStation and Xbox systems.
Besides suspicion of unauthorised access to computer material, he was also arrested in connection with threats to kill and with swatting.
The South East Regional Organised Crime Unit (SEROCU) tweeted the arrest and gave a few more details in a release, saying that UK law enforcement worked closely with the FBI in the ongoing investigation.
SEROCU tweet
Our Cyber Crime Unit has arrested an 18-year-old in connection with the #DDOS attach [sic] on #Xbox & #Playstation this morning working with @FBI
In further tweets, SEROCU said that the suspect was arrested under the Computer Misuse Act 1990 in an operation that focused not just on the gaming DDoS, but also on swatting: the practice of making bogus emergency calls, as pranks or acts of revenge against someone, that result in the dispatch of emergency services that can wind up with law enforcement surrounding innocent people's homes with guns drawn.
Arrest. Image courtesy of Shutterstock.Craig Jones, Head of the Cyber Crime Unit at SEROCU, said that the swatting took place in the US, with hoax emergency calls coming in via Skype and resulting in a "major incident" in which SWAT (Special Weapons and Tactics) teams were dispatched.
We don't yet know whether in fact this teenager was associated with Lizard Squad - just that police are investigating his involvement with the gaming attack.
What is Lizard Squad? It's often referred to as a 'hacking group', though as Naked Security's Mark Stockley has pointed out, the attack on millions of adults' and children's Christmas-day gaming fun doesn't qualify as a "hack" in the sense that it required no skills at penetrating Microsoft's or Sony's networks whatsoever.
In the final Chet Chat podcast of 2014, Mark explains [10'00"] that all the cyber vandals did was to cyberishly squat in front of the games so that few could get in to play:
This isn't a hack in the sense that we normally use the word hack to refer to some sort of breach or unauthorised entry. Lizard Squad didn't gain entry to any Microsoft data or Sony data. They didn't breach any Microsoft systems or Sony systems. They weren't picking the lock; they were barricading the door from the outside.
This is the second arrest connected with the attack, following which the Lizard Squad has been blowing raspberries at authorities and shilling its takedown-for-hire DDoS service.
The first arrest was of Vinnie Omari, a 22-year-old who was bailed out on 30 December.
Two arrests? Pah. We haven't seen anything yet, Jones assures us:
We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with the FBI to identify those to who commit offences and hold them to account.
SEROCU, supported by the National Cyber Crime Unit (NCCU) and working closely with the FBI, arrested the teenager this morning in Southport.
Agents also seized a number of electronic and digital devices.

Verizon rushes fix for email account open season security flaw

glowing-keyboard-hacker-security-620x465.jpg
A security researcher has discovered a vulnerability in the API used by Verizon's My FiOS mobile application which allowed any user access to any Verizon email account -- and a fix has been rapidly pushed out. As reported by ThreatPost, Verizon pushed a fix out for the flaw last week after security researcher Randy Westergren Jr disclosed the vulnerability. The flaw was severe enough that the telecommunications giant patched the problem within 48 hours.
The security researcher, who is a Verizon FiOS customer, disclosed details of the vulnerability once a fix was issued for customers. Westergren said he discovered a vulnerability in the API which allowed a user to access any Verizon email account, scan their inbox, read individual emails and send messages on their behalf. Naturally, this is a severe problem as so many of us connect other accounts to our email addresses -- ranging from social media accounts to e-commerce and banking -- and Verizon is a large provider of Web and email services in the United States.
While proxying requests from his device, Westergren noticed an interesting call to fetch when pulling emails in. There were two references to his username, one being:
getEmail?format=json&uid[hisusername]
The response to call was a JSON object containing header information for the emails in his inbox. However, Westergren then stumbled upon something interesting.
"Altering the uid parameter and specifying another username shouldn't have an effect, since I'm logged in and my session is maintained through my cookies," the researcher noted. "Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue, but I immediately questioned whether the other API methods were affected."
Once the security researcher prepared a proof-of-concept exploit, Westergren realized that playing with different parameters also allowed him to send and delete email from another user's email inbox.
Westergren tested his exploit against the API, confirming the system was vulnerable. He also believes all the API methods for the software's widget within the app were vulnerable, and so if the API has been re-used by Verizon, other apps released by the US carrier were not secure.

The security researcher recognized how serious this flaw could be, and reached out to Verizon's corporate security after failing to get a worthwhile response on Twitter. Within two days, a fix had been prepared, confirmed by the researcher and released to the public.
"Verizon's security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. "They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude."

Video nasty: Two big bugs in VLC media player's core library

A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others.
The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post.
"VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV" or M2V file, Hatas said.
"This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code."
He said both were high severity holes.
VLC's developers, Videolan Software, were informed of the flaws on Boxing Day and had not issued fixes for the latest stable version, 2.1.5, by the time of disclosure 9 January. Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project's bug tracker.
The developers have been contacted for comment. Judging by entries in the VLC bug tracker, here and here, the flaws lie within libavcodec, a core component of the video player. This library is also used by MPlayer and other open-source software.
Videolan Software claims to have clocked up millions of downloads for Windows and Mac operating systems alone across various versions and more than 1.5 billion downloads in total.

Possible Lizard Squad members claims hack of Oz travel insurer

SQLi kid pops Aussie Travel Cover, dumps 800k records

Nearly 900,000 client records including names, addresses, and phone numbers have been stolen from travel insurer Aussie Travel Cover by a suspected member of the Lizard Squad hacking crew.
The hacker released databases including those detailing customer policies and travel dates along with a list of partial credit card information.
The company discovered the hack December 18 and informed agents five days later, but did not inform policy holders or customers.
The company told the ABC it was working with police but made no comment on the hack.
Hacker @abdilo_ took credit for the breach.
The supposed Queenslander has goaded police by claiming on their Twitter feed to have hacked various websites using SQL injection.
Cybercrime reporter Brian Krebs thought Adbillo was affiliated with Xbox One and Playstation hacking group Lizard Squad and its DDOS-as-a-service offering.
The hacker has issued a series of invective and antisec-flavoured tweets claiming to have popped agencies, businesses and hospitals using mainly SQL injection. In one illustrated tweet he appeared to state his lack of concern for his possible arrest.
The failure to inform customers of the breach has prompted scorn from the technology community which largely follows that hacked entities should notify those affected as soon as possible.

NSA: We're in YOUR BOTNET


The NSA quietly commandeered a botnet targeting US Defence agencies to attack other victims including Chinese and Vietnamese dissidents, Snowden documents reveal.
The allegation is among the latest in a cache of revelations dropped by Der Spiegel that revealed more about the spy agency.
The "Boxingrumble" botnet was detected targeting the Defence Department's Nonsecure Internet Protocol Router Network prompting NSA bods to redirect the attack to a server operated by the Tailored Access Operations unit.
A DNS spoofing attack tricked the botnet into treating the spies as trusted command and control agents. The NSA then used the bot's hooks into other victims to foist its own custom malware.
Much of the bot-hijacking attacks dubbed "Quantumbot" by the NSA was conducted under its operation DEFIANT WARRIOR which utilised XKeyscore and infrastructure of Five Eyes allies including Australia, New Zealand, the UK and Canada to identify foreign bots ripe for attack.
The work granted broader network exploitation, attack and vantage points, NSA Power Point slides revealed (pdf).
It was part of what appeared to be the NSA's dream of having "a botnet upon which the sun never sets", a goal noted under the slide title "if wishes were ponies".
Bots found in the US would be referred to the FBI for cleansing, but infected victims in other countries were considered collateral.
The documents also revealed the NSA's Tutelage program (pdf), a sister to Turmoil and part of the Turbulence family of surveillance and exploitation kit, was used to block distributed denial of service (DoS) attacks by the Anonymous collective.
Tutelage was successful in identifying and blocking internet protocol addresses linked to the Low Orbit Ion Cannon DDoS software when US Defence agencies were attacked.
The documents also revealed NSA spies at Remote Operations Centres exfiltrated data through compromised machines owned by innocent victims that the agency dubbed 'Scapegoat Targets'.
The theme continued under its mobile phone infection efforts designed to plunder data from businesses. Staffers with NSA-infected handsets were referred to as "unwitting data mules", a nod to drug-dealer slang.

Microsoft Outlook PENETRATED by Chinese 'man-in-the-middle'

Great Wall of China

Microsoft suffered a "man-in-the-middle" attack on its Outlook email service in China over the weekend, according to Greatfire.org.
The assault on its mail systems apparently lasted around 24 hours before returning to normal. It came after Google's Gmail was blocked in the People's Republic late last year.
Greatfire.org said that it had tested IMAP and SMTP for Outlook on Saturday and found that both protocols were under a MitM attack in the country.
The China censorship watcher said:
"This attack comes within a month of the complete blocking of Gmail (which is still entirely inaccessible). Because of the similarity between this attack and previous, recent MitM attacks in China (on Google, Yahoo and Apple), we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack or have willingly allowed the attack to happen.
"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor

Wednesday 14 January 2015

Crayola's Facebook Page Got Hacked, Brand apologizes for 'offensive content'


Photo: Getty Images
If any brand is less deserving of an adult-themed paint job, it's Crayola.
Yes, the crayon company is synonymous with childlike innocence. But it was anything but on Sunday, when its Facebook page was hacked by unknown deviants. Once inside the brand's account, the perpetrators shared click-baity links to R-rated sites throughout the day, sending poor Crayola into a panic. 
Below are images of some of the posts. While most are relatively tame—containing dirty drawings and innuendo—some of the images are NSFW. 





Crayola eventully took back control of the page and posted this update on Twitter:

Park 'N Fly Confirms Data Breach -- Payment Card Information Exposed

Park 'N Fly Confirms Data Breach
 
Park 'N Fly is notifying an undisclosed number of customers that their payment card information was exposed following a compromise of the company's e-commerce website.
The data breach follows a security incident at parking facility provider SP+, formerly Standard Parking Corp., which involved the compromise of a POS system vendor and exposed payment card details (see: 
Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards, says one card issuer who asked not to be named. "These cards are favored by fraudsters because of high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders," the issuer says.
Park 'N Fly, an offsite airport parking operator based in Atlanta, says that it has hired data forensics experts to assist with its investigation of the breach, which has been contained.
"While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF's e-commerce website is at risk," the company says in a Jan. 13 statement.
Compromised information includes card numbers, cardholder names, billing addresses, card expiration dates and security codes. Other loyalty customer data that may have been exposed includes e-mail addresses, Park 'N Fly passwords and telephone numbers.
Impacted customers are being offered free credit monitoring and identity protection services for one year. Park 'N Fly says it's working with law enforcement and credit card brands to investigate the incident.
"PNF is committed to protecting its customers and their information and will continue a comprehensive response to thoroughly investigate and respond to the incident and improve its data security," the company says.
The company did not immediately respond to a request for comment. News of a possible breach at Park 'N Fly was first reported by security blogger Brian Krebs

Warning: Using encrypted email in Spain? Do not pass go, go directly to jail

Seven people have been detained for, among other allegations, using encrypted email, a civil-rights group has said.
Spanish cops investigating bomb attacks raided 14 homes and businesses across the country last month and arrested 11 people: seven women and four men, aged 31 to 36, from Spain, Italy, Uruguay, and Austria.
Since then, four people have been released, and the remaining seven were charged with belonging to a "criminal organization of an anarchist nature with terrorist ends."
That organization has been linked to explosives placed at cash machines, and in the Almudena Cathedral in Madrid and the Pilar Basilica in Zaragoza last year, according to Spanish journalists.
Lawyers defending the accused said investigating Judge Javier Gómez Bermúdez partly chose to further detain the seven due to their use of “emails with extreme security measures” – specifically, freedom-fighting RiseUp.net’s email servers.
Civil liberties group Access said this decision is tantamount to criminalizing encrypted communications.
“The suggestion that somehow protecting one’s privacy is akin to a terrorist act is a new low,” said Josh Levy, advocacy director at Access. “Using it as an indicator of criminality is disingenuous at best, and at worst an attack on anyone who depends on digital security to operate safely.”
RiseUp.net is a Seattle-based, volunteer-run service that provides web hosting, mailing lists, email accounts, among other things. Unlike some email providers, it does not log users’ connecting IP addresses, and all mail is stored in encrypted form. On its website it also vows to “actively fight any attempt to subpoena or otherwise acquire any user information or logs.”
Access says the investigative judge's move to “criminalise people for using privacy tools” could have wide-reaching consequences since all email providers have “an obligation to protect the privacy of its users.” Many of the “extreme security measures” used by RiseUp are best-practices for online security that everyone should follow.
"Encryption is a vital technology for all people to maintain their privacy and security,” said Jamie Tomasello, tech director at Access. “We cannot allow Spain to criminalize the use of basic digital security practices that are relied upon every day by users and corporations alike."
Meanwhile, in the UK, Prime Minister David Cameron has said governments must be able to easily read citizens' email, post, electronic messages and other communications to keep people safe – implying he will strip or backdoor encryption in software if reelected

Australia tries to ban crypto research – by ACCIDENT


While the world is laughing at UK PM David Cameron for his pledge to ban encryption, Australia is on the way to implementing legislation that could feasibly have a similar effect.
Moreover, the little-debated Defence Trade Control Act (DCTA) is already law – it's just that the criminal sanctions it imposes for sending knowledge offshore without a license are being phased in, and don't come into force until May 2015.
As noted in Defence Report, the lack of an academic exclusion in the law, which passed parliament under the previous Labor government in 2012, could mean “an email to a fellow academic could land you a 10 year prison sentence”.
The control of defence research isn't new or surprising, and in fact this law was put into place to align Australia's regime with that of the USA (the International Traffic in Arms Regulations), but the haste with which it was implemented means someone forgot that academic researchers routinely discuss sensitive technologies.
While consumer-grade encryption is excluded from control by the Defence and Strategic Goods List (the 350 page-plus regulation that describes what's prohibited by the DCTA), researchers are warned off 512-bits-plus key lengths, systems “designed or modified to perform cryptanalytic functions, or “designed or modified to use 'quantum cryptography'” (the latter, in an explanatory note, also covering quantum key distribution).
Hence after May, the various quantum labs in Australian universities will have to think twice before collaborating with overseas partners.
At least systems protecting personal data are allowable, so long as the users have no control over the cryptographic capability (section 5A002 of the strategic goods list).
As Defence Report notes:
"Without the exclusion for academics, as enjoyed by the US and UK, university researchers would need prior permission from a Minister at the Department of Defence (DoD) to communicate new research to foreign nationals or to publish in any research journals."
Was the government warned that it was making a mistake? Apparently so: Vulture South has had its attention drawn to several submissions made to the Senate committee overseeing the bill's implementation.
Air Power Australia's Peter Moon and retired Air Commodore Edward Bushell describe the bill as “clearly defective”. Even the ITAR regime has been problematic for researchers, they note, since academics have to partition conferences according to whether or not they're ITAR-compliant.
Even though “public domain” technologies are exempted, the Moon/Bushell submission notes, a defendant is required to prove that the technology they're discussing is in the public domain, rather than the regulator having to do the research for themselves.
The law, they write, represents “censorship controls on all publishing on all topics covered by the DTCA, embracing:
  • All open-sourced research on any topic related to DSGL technologies.
  • All open-sourced research on any topic impinging upon military operations.
  • All open-sourced research impinging upon military technological strategy, as this cannot be conducted in the absence of capability analysis.
  • All applied research in areas of DSGL and related technologies.
  • All submissions to parliamentary inquiries covering any matters involving defence operations, strategy or technologies.
Universities Australia was no less critical in its submission, saying the bill as it now stands would impact everything from what universities are allowed to teach (and who may teach them) through to whom researchers can contact and what they're allowed to publish

Sunday 11 January 2015

Meet Reuben Paul: 8 year old CEO, Cyber Security Ambassador and Haxpo Highlight Speaker

http://haxpo.nl/haxpo2015ams/wp-content/uploads/sites/4/2014/12/reuben-paul.jpg
This year's HITB Haxpo in Amsterdam features Reuben Paul, an 8 year old CEO, as one of the highlight speakers.
Taking place at De Beurs van Berlage from the 27th till the 29th of May, HITB Haxpo 2015, will be a free-to-attend technology exhibition featuring the latest hacker and maker goodies along with it's own set of talks and briefings by a variety of speakers. There will also be a Capture the Flag competition run by the HITB.nl CTF Crew, a Lock Picking Village by TOOOL Netherlands and in addition to featuring various EU based hackerspaces there will also be an area featuring hacker and maker startups!
Reuben is 8 years old today and a 3rd grader at Harmony School of Science in Austin, TX. When asked by his 1st grade teacher to illustrate his future career, he drew on a sheet that he wanted to become a Cyber Spy. Reuben Paul is an example of what we're trying to achieve with HITB Haxpo - to show the world that anyone can be a hacker, maker, breaker or builder. As an eight year old CEO and hacker, he sets an example for a lot of us and we are thrilled to have Reuben join us as one our highlight speakers for this year's Haxpo.
In it's first podcast episode of the year, Paul Assadoorian and the guys at Security Weekly interviewed Reuben and spoke to him about a variety of topics including his adventures in 2014, his plans for the year ahead and what it's like being the 'The Kung Fu Kid'!

Thieves Jackpot ATMs With ‘Black Box’ Attack

http://krebsonsecurity.com/wp-content/uploads/2015/01/blackboxskimmer-285x318.png
Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack.
At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.
In this particular attack, the thieves included an additional step: They plugged into the controller a USB-based circuit board that NCR believes was designed to fool the ATM’s core into thinking it was still connected to the cash dispenser.

WhatsApp users top 700 million, could hit 1 billion in a year

http://en.wikipedia.org/wiki/WhatsApp
Mobile messaging platform WhatsApp has accumulated more than 700 million monthly active users and seems on track to reach 1 billion in about a year, a target Facebook set when it acquired the company in 2014.
The announcement comes about 11 months after Facebook acquired the app for $16 billion, a move that reflected the importance that Facebook places on mobile users.
The latest WhatsApp milestone is significant because it also highlights the recent rise of messaging apps as a more popular and economical option than SMS text messaging, which has suffered declines of nearly 5 percent in countries such as the U.K. In France operators saw SMS traffic on Jan. 1 decline by 10 to 20 percent compared to last year, while the use of MMS, messaging apps and other data traffic rose, according to local media.

Lizard Squad's Stresser Is Mostly Powered By Hacked Home Routers

Lizard Stresser
Lizard squad, the infamous hacker group who knocked Xbox live and PSN Offline has released a paid DDoS tool, lizard stresser, after the christmas eve. Now the security expert Brian Krebs of KrebsOnSecurity says the Lizard stresser tool draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.
Krebs says LizardSquad’s botnet is not made entirely of home routers. It also makes use of commercial routers at universities and companies as well as other devices.
The malicious code that converts vulnerable systems into stresser bots not only turns routers into attack zombies, but also uses the infected system to scan the internet for more devices that use factory default settings.
His research states that, there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.
So the existence of such botnets is not only a threat to internet society but also remindes us to change our default router passwords.

Security Vulnerability Found In North Korea's Own OS

Security Vulnerability Found In Red Star OS
In a technological perspective, North korea is a country that runs on their own Operating System, that is, Red Star OS, first introduced in 2003, was originally derived from Red Hat Linux to improve level of security against outside attacks.
Now an anonymous security researcher have identified a mistake (Flaw) in permissions settings on a key file that allows anyone with access to the system to run commands as root. "Red Star 3.0 desktop ships with a world-writeable udev rules '/etc/udev/rules.d/85-hplj10xx.rules' which can be modified to include 'RUN+=' arguments executing commands as root by udev.d," the researcher wrote.
The flaw would allow any user to elevate their privileges and bypass North Korean government's security policies.
Udev.d is a generic kernel device manager that can identify hardware "hot-plugged" into a Linux system. The rules file determines how to handle the events associated with the connection of a new device and can include commands to be launched when certain devices are connected—commands that are run with system-level privileges. The "85-hplj10xx.rules" file is the ruleset associated with drivers for a USB-connected devices and is common to most Linux distributions.
The permissions on that file are set as "world writable," any user regardless of permission levels could make changes to the rules to activate it for any device and execute any command they wanted with system-level privileges.
Researcher also discovered a similar file permission error in Red Star OS 2.0's desktop version, which is easier to abuse - the system configuration file for Linux's rc utility, which manages the operating system's boot-up. That vulnerability would allow anyone to add commands to be executed during system boot--a great way to ensure that surveillance software or other malware loads up persistently.
This story reminds us a fact - "Nobody is fully protected from cyber attacks".

Cal State San Bernardino to hold Cyber Security Summit

Cal State San Bernardino will hold a Cyber Security Summit 7:30 a.m. to 4:30 p.m. Jan. 20 at Cal State’s Santos Manuel Student Union.
The summit will cover a variety of topics related to cyber security and feature a number of experts in the field.
Sessions are “Cyber security is the new business priority,” “The cyber security skills shortage no one is talking about,” “How secure is your bank information,” “Hacking gets physical: Who turned off the power” and “Women in cyber security.”
Scheduled speakers include Betsy Bevilacqua, information security risk manager, Facebook; Lesley Piper, cyber security engineer, MITRE Corp.; Lea Deesing, chief innovation officer, city of Riverside; Vaughn Book, chief information officer, Arrowhead Credit Union; and Corrine Sande, computer information systems officer, Whatcom Community College.
The luncheon speaker will be B. Lynne Clark, division chief, IAD Education, Training and Academic Outreach, National Security Agency.
The summit is sponsored by Cal State San Bernardino, the CSUSB Business Alliance and the Cal State College of Business and Public Administration.
Organizations and company participants include Facebook, City National Bank, National Security Agency, Federal CIO Council, Accent Computer Solutions, Ahern Adcock Devlin LLP and the city of Riverside.
The summit is free and open to the public.
To register, visit eventbrite.com or call 909-537-5771.
Parking on campus is $5.
For information, contact the Cal State Office of Public Affairs at 909-537-5007 or visit news.csusb.edu.

Sony post-mortem: Obama lobbies for new legal powers to thwart hackers

Moon on stick proposals include cheaper broadband access Hacker image
In the aftermath of the massive hack attack on Sony Pictures – which the US government continues to insist was carried out by North Korea – President Barak Obama is expected to lobby hard for legislative overhauls to battle online threats.
He will reveal those proposals early next week, an unnamed White House spokesperson told reporters today, according to Reuters.
It's understood that Obama will set about attempting "to improve confidence in technology by tackling identity theft and improving consumer and student privacy" during a visit to the Federal Trade Commission.
Later this month, during the president's first State of the Union address since the Republican party snatched control of the Senate last November, Obama will apparently push for laws and executive powers to specifically crack down on hackers and ID thieves.
As part of his moon on a stick cyber security lobbying effort next week, Obama will drop in on the FTC, lay out his plans to cross-party Congress members and visit Iowa to push for faster, cheaper broadband connections across the country.

Zappos must pay $106K post-breach

Zappos must pay nine states $106,000 in a settlement reached after a 2012 data breach potentially exposed data on a server that contained information on the online shoe retailer's 24 million customers.
Intruders gained access to parts of the company's internal network in 2012 through one of its servers in Kentucky.
Investigators believed the hackers harvested names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers. Because the hackers stole hashes for customer accounts, all access codes to the website were reset, and customers had to create new credentials.
The settlement requires Zappos to pay up within 30 days and hire a third-party provider to audit its security policies and systems. Any shortcomings must be presented to the states along with a plan to correct them.

Mr Cameron goes to Washington for PESKY HACKERS chinwag with Pres Obama

Yo, Barak, how do we tackle naughty Norkers, then?

U.S. President Barak Obama will end his week of lobbying for more powers to fight hackers online, by hosting Britain's Prime Minster David Cameron on Thursday and Friday, when the two leaders will discuss internet security.
Thwarting malefactors who attack companies' computer systems, such as the recent, devastating assault on film studio Sony Pictures, is a topic that is expected to dominate the conversation between the pair.
The confab will come after a GCHQ report on threats from hackers has been released by the UK's eavesdropping nerve centre, a spokeswoman at Number 10 confirmed to The Register today.
Cameron and Obama are also expected to talk about national security and counter-terrorism, the global economic outlook and growth and free trade, Downing Street said.
Blighty's Sunday papers were briefed on the upcoming GCHQ report, which apparently revealed that more than 80 per cent of UK firms had tackled an internet security breach in 2014.
The agency's boss Robert Hannigan was quoted as saying that "the scale and rate of these attacks show little sign of abating."

Paris terror attacks: ISPs face pressure to share MORE data with governments

Government ministers from European states, who met in Paris today in the wake of the atrocious attacks that stunned the French capital's population last week, have called on internet firms to do a better job of cooperating with spooks and police to help them fight terrorism.
In a joint statement (PDF) from a number of Europe's interior ministers including France's Bernard Cazeneuve and Britain's Home Secretary Theresa May, the politicians said:
We are concerned at the increasingly frequent use of the internet to fuel hatred and violence and signal our determination to ensure that the internet is not abused to this end, while safeguarding that it remains, in scrupulous observance of fundamental freedoms, a forum for free expression, in full respect of the law.
With this in mind, the partnership of the major internet providers is essential to create the conditions of a swift reporting of material that aims to incite hatred and terror and the condition of its removing, where appropriate/possible.
The missive followed a march attended, not only by the politicos, but also by millions of French citizens in a show of democratic defiance against the terrorist acts, which started at the offices of satirical magazine Charlie Hebdo when 12 people were murdered last Wednesday. It was signed in the presence of U.S. Attorney General Eric Holder.
But privacy warriors were quick to hit out at the proposals on Sunday.
Tory MP and former Secretary of State for Defence Dr Liam Fox, meanwhile, took to the pages of the Sunday Telegraph today to lobby for more powers for the UK's spies. He argued:
In 1993, there were only 130 websites in the world. By the end of 2012 there were 654 million – a lot of haystacks in which terrorist needles can hide.
That is why our security services need to be given access to the data they require to help to keep us safe. It is also why the appalling misjudgement of those such as the Guardian newspaper in helping Edward Snowden, now residing with the Russian secret service in Moscow, is so unforgivable.
When Snowden took data to China and Russia, some 58,000 files came from GCHQ, information that had played a vital role in preventing terrorism in Britain over the past decade.
Separately, the U.S. administration confirmed it would convene a meeting on 18 February to discuss tackling the global fight against Islamic extremism.
The take-away from politicians on both sides of the pond today, once you set aside the posturing about freedom of expression: demands for greater surveillance of citizens' movements online are back on the agenda in a big way.

SURPRISE: Norks Linux disto has security vulns

Photo of Kim Jong-un using an archaic computer
Well, that didn't take long: mere days after North Korea's Red Star OS leaked to the west in the form of an ISO, security researchers have started exposing its vulnerabilities.
According to this post at Seclists, the udev rules in version 3.0 of the US and the rc.sysint script in version 2.0 are both world-writable. Both of these have root privilege.
Because of the slack file permission management in Red Star 3.0, the device manager for HP 1000-series LaserJet printers, /etc/udev/rules.d/85-hplj10xx.rules, can be modified to include RUN+= arguments. These commands will run on on the udev daemon as root. There's a demonstration at github.
Udev's main job is to watch the /dev (devices) directory, and when a device is plugged into a USB port, it loads the appropriate ruleset.
By writing to the rc.sysint file in the older Red Star 2.0, an attacker can execute commands as root (demonstration).
HackerFantastic's demo of the Red Star vulnRooted: "HackerFantastic's" Red Star 3.0 vulnerability demo
Both vulnerabilities provide privilege escalation for local users.
As The Register noted when the OSX-skinned operating system first leaked, there's also an error in the OS's Software Manager. Although root access is denied by default, users can install unsigned software. Developer RichardG has created an RPM that gets around the default restrictions.
The OSX-like skin put on top of Red Star OS's Linux innards was first seen in February after Will Scott spent time in Pyongyang teaching computer science and returned with screenshots.
El Reg expects the current crop of vulns will by no means be the last to emerge in the OS.

Saturday 10 January 2015

FBI fingering Norks for Sony hack: The TRUTH – by the NSA's spyboss

Feds warn of 'evil layer cake' of online villainy – yes, really

NSA Director Admiral Michael Rogers The head of the NSA has confirmed his agency gave the FBI top-secret intelligence that led the Feds to blame North Korea for the Sony Pictures mega-hack.
The bureau has been strangely silent on how it came to finger the Nork government for the comprehensive ransacking of the Hollywood movie studio. So silent, in fact, seasoned computer security experts refused to believe the claims until they see more evidence.
Now it appears the FBI has been quietly handed high-level signals intelligence allegedly pointing towards North Korea.
"Sony is important to me because the entire world is watching how we as a nation are going to respond to [the attack on Sony]," NSA Director Admiral Michael Rogers told the International Conference on Cyber Security (ICCS) at Fordham University, Time reports. "If we don't name names here, it will only encourage others to decide, 'Well this must not be a red line for the United States.'"
The NSA had examined the malware used in the Sony hack, and had played a supporting role in the FBI investigation, he said, while declining to give more details.
Rogers said attacks in the online world won't necessarily have an online response, and he welcomed the new sanctions being brought against North Korea by President Obama, which were instituted after the FBI pointed the finger of blame. Rogers added that the NSA would be around to help with similar investigations in the future.
"I don't think it's realistic" for private companies "to deal with [cyberattacks] totally by themselves," he said.
Just what level of commercial hacking attack would be needed to bring NSA spies running wasn't specified by Rogers, nor what the price would be. But he made it clear that the NSA intends to be spending more time sorting out problems like Korea.
"I remain very confident: this was North Korea," Rogers stated, although many in the security industry are much more skeptical. But doubters should shut up, according to government officials also at the conference.
Lisa Monaco, President Obama's Homeland Security Adviser, said the many experts who dispute the government's claim of Norks nobbling Sony don't have enough evidence for their conclusions – and questioning the official FBI narrative was “counterproductive," the Wall Street Journal reports.

FBI director gets surreal

The NSA spymaster's comments came the day after the FBI Director also addressed ICCS and gave a somewhat bizarre presentation in which he asserted North Korea was behind the Sony hack, and was part of an "evil layer cake," of internet criminals.
Director Comey said the Sony hackers had been "sloppy." While they had used proxy servers to mask their location, there had been times when direct connections had occurred and been spotted, he claimed.
"Several times, either because they forgot or they had a technical problem, they connected directly—and we could see them," he said. "They shut it off very quickly before they realized their mistake, but not before we saw it and knew where it was coming from."
The attacks against Sony had begun in September, he said, with a flurry of tightly focused phishing attacks against key individuals. This was then used to gain full access to the company's servers and steal data.
Comey warned that North Korea was just the tip of the iceberg – or, as he put it, the topping on an "evil layer cake." The descending layers included terrorists, organized criminal actors, sophisticated worldwide hackers and botnets, “hack-tivists,” weirdos, bullies, pedophiles, and creeps, he said.
The problem for the FBI was miscreants' ability to attack globally, Comey explained. He likened it to the 1920s, when the invention of the automobile and paved roads (not to mention easy access to firearms) allowed the formation of inter-state bank-robbing gangs.
“[Cybercrime] is that times a million. Dillinger or Bonnie and Clyde could not do a thousand robberies in all 50 states in the same day in their pajamas, from Belarus. That’s the challenge we face today,” Comey told attendees.