Monday 31 October 2016

Report: NSA hushed up zero-day spyware tool losses for three years

NSA
Investigation shows staffer screw-up over leak
Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers has found that the agency knew about the loss for three years but didn’t want anyone to know.
Multiple sources told Reuters last night that the investigation into the data dump released by a group calling itself the Shadow Brokers had determined that the NSA itself wasn't directly hacked and the software didn't come from exiled whistleblower Edward Snowden. Instead it appears one of the NSA staffers got sloppy.
It appears at this stage that the staffer, who has since left the NSA for other reasons, stashed the sensitive tools on an outside server – likely a bounce box – after an operation. Miscreants then found that machine, raided it and hit the jackpot. The staffer informed his bosses after the incident, but rather than warning companies like Cisco that their customers were at risk, the NSA kept quiet.
The reasoning for this secrecy seems to have been that the NSA wanted to see who was going to use them. It monitored the world's internet traffic to try and catch sight of the tools or someone using the software or the holes it exploited. Since no signs appeared the agency didn’t tell anyone of the loss.
According to US government guidelines the NSA is supposed to assess the seriousness of zero-day flaws it finds and inform companies if it feels they are serious enough. Documents obtained by the EFF stated that the NSA told manufacturers about 91 per cent of the flaws it found.
That didn't happen, and a lot of security people are going to be asking why not.

Vote of confidence for IT security made in Germany

Where is your IT manufacturer based? What used to be a trivial matter of image has now become a security issue. Three years after Edward Snowden’s revelations, CEOs understandably feel uncomfortable when their IT infrastructure consists of routers and switches from Cisco and Juniper. Both companies are known to have been affected by the efforts of the American National Security Agency (NSA) either through code manipulation or backdoors in certain products. In relation to these developments, the quality label of IT security made in Germany carries even more weight. The chance of buying a product which has been compromised by government agencies is significantly lower with devices which have been developed and manufactured in Germany rather than abroad. In IT security, the country of origin has become a critical factor.
Foreign companies are already noticing this trend. In the first half of 2016, the export of communications equipment from Germany grew significantly. The digital association Bitkom reported that exports of communications equipment, telephone systems and network technology have risen by 2.8 percent to EUR 6.6 billion. “Germany has taken a strong international role in the field of communication technology,” says Bitkom President Thorsten Dirks. The main buyers of ICT products from Germany in the first half of the year were France (EUR 1.30 billion), the Netherlands (EUR 1.29 billion) and Poland (EUR 1.27 billion). There are still many opportunities in this market. “Only 55 percent of ICT SMEs in Germany are active abroad,” says Dirks. “SMEs are often limited to local business; even national markets can be too much of a challenge for them”.
IT security is no longer a peripheral task in the IT department. In many industries, IT security has become the central concern of digital infrastructure. Beyond legal and industry requirements, companies have become almost completely dependent on their information systems and this has spiked high demand for IT security. While little attention has been paid in the past to the manufacturer as a potential security risk, many managers are now concerned about unwittingly allowing NSA code into their data centers. Nobody really believes that the USA is the only country who are willing to get their hands dirty. China and Russia also have active intelligence services and a strong interest in the innovative technology of German companies. Incidentally, the mission of the Canadian intelligence service is quite revealing “Protect our secrets, uncover theirs”.
Policies and procedures are also a key part of IT security along with products and devices. Sensitive data must be identified and classified, risks assessed and security measures prioritized. However, all of this cannot be achieved without devices and technology. Sadly, it is no longer to dismiss the belief that IT security products may no longer be secure as paranoia. The representative study by Pierre Audoin Consultants “IT Made in Germany – What do German companies want?” shows that two thirds of IT decision makers in German companies want to use strengthened IT solutions “Made in Germany” as a result of the ongoing security scandals surrounding the NSA wiretapping affair. German technology companies such as NCP engineering GmbH were a good choice for IT security long before Edward Snowden and the present increased awareness of IT security. The Nuremberg-based company is one of the world’s leading remote access vendors. For NCP, the German location attracts highly skilled employees. They secure NCP’s leading position through developing innovative technology which is reliable and secure. Small and large companies are in safe hands at NCP and it goes without saying that NCP solutions are free from backdoors ­­­− true to the concept of IT security made in Germany.

Celebgate hack: Collins sentenced over nude photos theft

US actress Jennifer Lawrence poses before the Christian Dior 2017 Spring/Summer ready-to-wear collection fashion show, on September 30, 2016 in Paris. 
A Pennsylvania court has sentenced a man to 18 months in jail for hacking into the accounts of celebrities and stealing nude photos and videos.
Ryan Collins, 36, pleaded guilty to the charges in May.
He had stolen the usernames and passwords of more than 600 people.
Collins tricked his victims - including actresses Jennifer Lawrence, Kate Upton, Scarlett Johansson, and Kirsten Dunst - by sending emails appearing be from Google or Apple.
Collins was charged with accessing the photos between 2012 and 2014, in a case known as "celebgate". But was not charged with releasing them.
A statement by prosecutors said: "Investigators have not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained."
Collins accessed at least 50 iCloud accounts and 72 Gmail accounts.
Court filings said he had used fraudulent email addresses designed to look like security accounts from service providers, including email.protection318@icloud.com, noreply_helpdesk0118@outlook.com and secure.helpdesk0119@gmail.com.
Collins was originally charged in Los Angeles, but sentenced in Pennsylvania, his home state.

Shadow Brokers dump reveals NSA targets

Accompanying gibberish encourages disrupting US election

Shadow trio, image via ShutterstockThe Shadow Brokers hacking group has posted a fresh dump containing a list of servers compromised by an NSA-linked group.
The list contains historic targets of the Equation Group. Mail providers, universities and targets in China make up the bulk of the roster. Each were targets of INTONATION and PITCHIMPAIR, codenames for cyber-spy hacking programmes.
Documents leaked by whistleblower Edward Snowden provide strong evidence that previous dumps by the Shadows Brokers feature malware and exploits that originated at the NSA, as previously reported. The latest Shadow Brokers dump was signed using the same key as the initial dump of NSA exploits, which the Shadow Brokers unsuccessfully tried to auction off. A message accompanying the latest dump somewhat incoherently calls for attempts to disrupt the forthcoming US presidential election.
This poorly argued rabble-rousing has been met with some derision. Security experts have questioned the value of the leaked target list, at least outside the realm of cyber-espionage historians. "The list of servers is nine years old. [Many] likely no longer exist or [are] reinstalled," said security researcher Kevin Beaumont, in an update on Twitter.

Sunday 30 October 2016

Major Security Flaw Targets Industrial Computer Systems

A major security vulnerability affecting one of the world’s largest manufacturers of computerized industrial control systems, Schneider Electric, has recently been identified, according to a leading cybersecurity firm.

Researchers at the Israel-based Indegy Corporation Tuesday publicly announced their identification of the security hole and details of how it could have been exploited. The security threat has since been filled by engineers at Schneider Electric.

"This vulnerability is unique for Schneider Electric systems," said Mille Gandelsman, Indegy’s Chief Technology Officer and co-founder. "Vulnerabilities traditionally are found around executable codes that the attacker builds without having permission to do so, and that’s exactly what we found," he said.
Industrial control systems, such as the type that Schneider Electric manufactures, are used in nearly every modern automated factory or processing plant.

"Everything from the manufacture of soda drinks and pharmaceuticals to electricity generation or oil and gas transfer," said Gandelsman.

Unlike IT systems that protect a computer or mobile device’s software, ICS networks were built largely by mechanical engineers to monitor and control actual physical things, such as temperature gauges, pressure flow valves, or containment chambers.

Headline grabbers

Because of the potential for catastrophic damage, some hackers have long targeted ICS networks in hopes of grabbing headlines. Just last month, an anonymous hacker detailed a successful hack of a Schneider Electric system that controls building heating and cooling systems.

These systems, as Indegy’s CEO Barak Perelman previously told VOA, can last for decades and were created long before cybersecurity was even a concept. “Practices like authentication, logging in with passwords, it doesn’t even exist…” in many ICS networks, Perelman said.

These industrial control systems often are hard to find, and more difficult to log in to, via another computer operating at a remote site than standard desktop-type computer systems more familiar in the home or office. But once inside, gaping security holes such as the type discovered by Indegy can give hackers the potential ability to destroy machinery, create widespread havoc, and even take lives by altering the physical industrial automation systems.

"Engineering stations were targeted; that’s where the various control parameters for the industrial systems can be changed," Gandelsman told VOA. "It was these workstations with specialized software [called Unity Pro] that communicate with the controllers that were made totally vulnerable…" by this recently discovered security flaw.

"That means that every system that uses this specific software for Schneider Electric systems would be vulnerable,” he said, entailing everything from the manufacture of yogurt and automobile parts to the control of urban sewage treatment and storage of highly toxic chemicals. "In a very real, physical sense, a cyberattack [in this situation] could create enormous damage."

No comment

Neither Indegy nor Schneider Electric will say whether any of its systems had been hacked prior to the recent release of a software patch.

But Gandelsman said it’s clear that other such vulnerabilities may currently exist with Schneider products, or those of other ICS vendors, like Siemens, Rockwell or others.

"These systems… are the crown jewels of industrial production," he cautioned. "Once you have access to these systems, you can do anything you want."
"Some of these control companies are very cybersecurity aware and doing their best to avoid, or at least fix, vulnerabilities," Gandelsman told VOA. "Unfortunately other vendors are not aware of the risks. These are systems that can be around for decades, so these things unfortunately continue to exist all around the world."

Would You Click on These Fake Gmail Alerts?

The months-long espionage campaign against US political targets allegedly orchestrated by hackers working for the Russian government hinged on a simple, yet effective, hacker trick: booby-trapped emails.
In some cases, such as with the hack on John Podesta or Colin Powell, the phishing emails were designed to look like Gmail alerts containing a Bitly link that led to a fake webpage to harvest the victim’s password. Podesta and Powell were fooled, but don’t think only baby boomers aren’t good at spotting malicious emails.
In fact, one in two people click on phishing links, according to some estimates. And, of course, some look more credible than others.
For example, you probably wouldn’t click on this email I got a few weeks ago, even if it contained the name of your mother, as it’s the case here.
Last week, the journalists who work for the independent investigative project Bellingcat received a series of messages that looked like legit Google security alert emails. They didn’t click on them, but would you have been able to spot that they were malicious?
This one used Google’s own style and look for a security alert. To a distracted or untrained eye, there would be no difference between this and the real thing. Imagine you get this in the middle of the day, while you’re stressed at work. Would you have clicked on it? Would have spotted that the hackers misspelled “Montain View” and “Amphithaetre”?
The hackers actually used three different types of phishing attempts, in an attempt to fool the targets. All of them prompted the would-be victims to change their passwords, and enter them in a website under the control of the hackers.
Ask yourself: would you have clicked on these emails?
Luckily, if you’re worried about phishing emails like that, and you don’t trust yourself, there’s an easy way to make these attacks much harder to pull off. Turn on two-factor authentication on Gmail or your webmail provider of choice (and do it for your social media accounts too).
With two-factor or two-step authentication, even if you click on a booby-trapped link and then give up your password to the hackers, they still can’t get in, unless they have hacked your phone too or have control of the phone network—something not all hackers can do.

Florida man ran $1.35m hack-and-spam racket with 50m-plus addresses

The wages of sin include a Ferrari F430

SpamThe leader of a spamming gang that took over corporate servers and private email accounts to send out spam has pled guilty to charges of computer hacking and identity theft.
Timothy Livingston, 31, of Fort Lauderdale, Florida, worked with two other partners to run A Whole Lot of Nothing, LLC. The shell company pulled in hundreds of thousands of dollars between January 2012 and June 2015 with spamming campaigns for illicit drugs, and also targeted some legitimate companies.
According to court documents [PDF], Livingston had experience running a spamming company called AWLN before setting up this operation. With the new company he charged advertisers between $5 and $9 for every spam email that resulted in a sale.
Livingston admitted hiring Tomasz Chmielarz to write spamming software that pumped out the digital junk mail that evaded commercial spam filters. Chmielarz, 33, of Rutherford, New Jersey, also hacked into corporate servers to subvert them into sending out the spam and to harvest email addresses from staff.
At the time of Livingston's arrest, police found at least 50 million email addresses in the group's database.
The third partner, Devin James McArthur, worked for Comcast and provided 24.5 million email addresses from the firm's database. The 28-year-old also worked with the other two men to grab more from other companies. Chmielarz and McArthur, of Ellicott City, Maryland, pled guilty to the scam in June.
As part of the plea deal, Livingston has agreed to return $1,346,442 in illicit funds and property the company purchased using spamming revenues. He has also handed over his car collection, including a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.
Livingston faces charges that could put him in the Big House for up to 25 years – but is unlikely to receive a maximum sentence after cooperating with the authorities.