Friday 15 July 2016

Experts found a government malware on the Dark Web

 Lorenzo Bicchierai from Motherboard reported a disconcerting news, a sophisticated strain of government-made malware was found on a forum on the Dark Web. The tool was designed to target critical infrastructure, it is a reconnaissance malware that could be used in a first stage to attack against an energy grid system.
The disconcerting aspect of the story is that the such kind of malware are not available in the black market, they are a prerogative of well-founded ATP groups.
Recently security experts from security firm SentinelOne have spotted a malware dubbed Furtim that was involved in an attack against one European energy firm. The threat is highly sophisticated that could be used to exfiltrate data from target systems and “to potentially shut down an energy grid.”

Udi Shamir, chief security officer at SentinelOne told to MotherBoard that is very strange to find a so complex malware on a hacking forum.
it was very surprising to see such a sophisticated sample” appear in hacking forums, he explained to Motherboard.
Shamir pointed out that the Furtim malware is the result of a significant effort of state sponsored hackers involved in cyber espionage operations.
The authors of the Furtim threat designed the malware to avoid common antivirus solutions, as well as a virtualized environment and sandboxes used to analyze malicious codes.

Unfortunately critical infrastructure worldwide are still too vulnerable to cyber attack, the recent NIS directive passed by the EU establishes minimum requirements for cyber-security on critical infrastructure operators.
In the past malware-based attacks already targeted critical infrastructure, let’s think of the Stuxnet virus used against the Iranian enrichment program or the BlackEnergy malware used to target company in the energy industry. Experts speculated that the BlackEnergy was also involved in theUkrainian outage.
Who it behind the Furtim  malware, Shamir confirmed that is the work of a government, likely from Eastern Europe. The unique certainly it that this group has significant resources and skills.

Thursday 14 July 2016

Chinese businessman gets nearly 4 years in US prison for hacking case

Image result for fighter jet cockpit
A Chinese businessman has been sentenced to nearly four years in prison for conspiring to hack the computer systems of Boeing and other US defense contractors to steal military technical data.
Su Bin, a Chinese national and the owner of a Chinese aviation technology company, was sentenced Wednesday in US District Court in Los Angeles to 46 months in prison. Bin, 51, had faced up to 30 years in prison before pleading guilty in March to a federal charge of conspiracy to unlawfully access computers in the United States. The sentence comes amid heightened tensions between the two nations over computer espionage.
Su worked with the two unidentified hackers in China between 2008 and 2014, instructing them on what data to target and transmit to state-owned Chinese companies. The trio stole 65 gigabytes of sensitive information related to fighter jets such as the F-22 and the F-35 as well as Boeing's C-17 military cargo aircraft program, the Justice Department said.
"Su Bin's sentence is a just punishment for his admitted role in a conspiracy with hackers from the People's Liberation Army Air Force to illegally access and steal sensitive U.S. military information," Assistant Attorney General Carlin said in a statement. "Su assisted the Chinese military hackers in their efforts to illegally access and steal designs for cutting-edge military aircraft that are indispensable to our national defense."

FDIC was hacked by China, and CIO covered it up


A report published by the House Committee on Science, Space and Technology today found that hackers purported to be from China had compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. Backdoor malware was installed on 12 workstations and 10 servers by attackers—including the workstations of the chairman, chief of staff, and general counsel of the FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities and were only brought to light after an Inspector General investigation into another serious data breach at the FDIC in October of 2015.
The FDIC failed at the time of the "advanced persistent threat" attacks to report the incidents. Then-inspector general at the FDIC, Jon Rymer, lambasted FDIC officials for failing to follow their own policies on breach reporting. Further investigation into those breaches led the committee to conclude that former FDIC CIO Russ Pittman misled auditors about the extent of those breaches and told employees not to talk about the breaches by a foreign government so as not to ruin FDIC Chairman Martin Gruenberg's chances of confirmation.
The cascade of bad news began with an FDIC Office of the Inspector General (OIG) investigation into the October "Florida incident." On October 23, 2015, a member of the Federal Deposit Insurance Corporation's Information Security and Privacy Staff (ISPS) discovered evidence in the FDIC's data loss prevention system of a significant breach of sensitive data—more than 1,200 documents, including Social Security numbers from bank data for more than 44,000 individuals and 30,715 banks, were copied to a USB drive by a former employee of FDIC's Risk Management Supervision field office in Gainesville, Florida. The employee had copied the files prior to leaving his position at the FDIC. Despite intercepting the employee, the actual data was not recovered from him until March 25, 2016. The former employee provided a sworn statement that he had not disseminated the information, and the matter was dropped.
However, Gruenberg told Science, Space and Technology Committee Chairman Rep. Lamar Smith (R-Texas) in a February letter about the breach that only about 10,000 "individuals and entities" were affected by the leak and that the former employee was cooperative. That claim was contradicted by the FDIC's Office of the Inspector General after it used that breach for an audit of the FDIC's security processes—indicating that the actual number was several times larger and that there were other breaches that had not been reported. One of those was a similar breach in September when a disgruntled employee in New York left with a USB drive containing the SSNs of approximately 30,000 people. That breach had been glossed over by the FDIC's CIO, Lawrence Gross, and had only been mentioned in an annual Federal of Information Security Management Act (FISMA) report, despite its classification as a "major" breach. This was in addition to a similar, reported breach in February when another departing employee in Texas "inadvertently and without malicious intent" downloaded 44,000 records.
Then in May, the FDIC "retroactively reported five additional major breaches" to the committee, according to the report. Only after a Congressional hearing on those breaches did the FDIC offer credit monitoring services to the more than 160,000 individuals whose personal information was included in the data leaked.
The committee's report accuses Gross—who took over in 2015 after former FDIC CIO Barry West disappeared on "administrative leave" in June of last year for unknown reasons—of creating a "toxic workplace" for FDIC's IT team and of sabotaging efforts to improve the agency's security footing. Nearly 50 percent of FDIC employees can use portable storage devices such as USB drives or portable disk drives, and the only thing assuring the FDIC that data was not being disseminated by former employees are signed affidavits. Gross is also the driving force behind an initiative to purchase 3,000 laptops for FDIC employees, arguing that laptops are more secure than desktops

Wednesday 13 July 2016

VPN provider claims Russia seized its servers

Road Closed sign

VPN provider Private Internet Access (PIA) says its servers have been seized by the Russian government, so has quit the country in protest at its privacy laws.
The company has sent an e-mail to users claiming some of its servers have been seized, even though the enforcement regime – in which all Internet traffic has to be logged for a year – doesn't come into effect until September 2016.
A paying user has forwarded the company's e-mail to The Register, which was reproduce at the bottom of this story. The customer also told The Register the Russian gateways disappeared automatically from “older versions of the PIA client” in the last week.
Russia has been progressively cracking down on Internet services with a particular focus on encryption, and in June laws landed in the Duma that would also outlaw apps like Messenger and WhatsApp.
The crackdown already demands registration of any blog, publisher or social network site with more than 3,000 readers, and requires them to store data on Russian soil.
The e-mail, which is available in 'View as Web Page' mode, says:
“The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it’s because we are the most outspoken and only verified no-log VPN provider.
“Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure.
“Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.
“To make it clear, the privacy and security of our users is our number one priority. For preventative reasons, we are rotating all of our certificates. Furthermore, we’re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place. In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.
“All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual openvpn configurations users must also download the new config files from the client download page.
“We have decided not to do business within the Russian territory. We’re going to be further evaluating other countries and their policies.
“In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure. “If you have any questions, please contact us at helpdesk@privateinternetaccess.com.
“Thank you for your continued support and helping us fight the good fight.”

Twitter CEO Jack Dorsey's Account Hacked By 'OurMine' Hackers


Hacker group ‘OurMine’ is in news again. The professional group has now hacked the account of Twitter CEO Jack Dorsey, after previously hijacking the social media accounts of Google CEO Sundar Pichai and Facebook CEO Mark Zuckerberg and former Twitter CEO Dick Costolo.

The group shared a few videos and then sent a tweet that read, “Hey, its OurMine, we are testing our security”, along with a Vine clip that has since been deleted. The tweets were reportedly scrubbed by 3:25 a.m. Eastern, but tech website Engadget grabbed screenshots.

"All of the OurMine messages posted to Dorsey's account (which, as of 3:25 am or so appears to have been scrubbed of the hacker's tweets), came through from Vine”, Endgadget reported.

A warning pops up from Twitter if one tries to access the OurMine website, advising that it is probably not safe, according to the report.

"The link you are trying to access has been identified by Twitter or our partners as being potentially harmful," it said.

In the Zuckerberg and Costolo hack, OurMine accessed Twitter accounts through connected third-party applications or through old or recycled passwords. But in Dorsey’s case, it is suspected that OurMine had access if Dorsey had an old/shared password on his Vine account or somehow connected it to another service that was compromised.

The motivation for compromising Dorsey’s account remains unclear. Though OurMine has laid claim to large thefts, the group’s main goal seems to be harassment