Archive for the ‘hacking’ Category

A mystery agent is doxing Iran’s hackers and dumping their code

April 21st, 2019
Stylized photo of desktop computer. (credit: Lino Mirgeler/picture alliance via Getty Images)

Nearly three years after the mysterious group called the Shadow Brokers began disemboweling the NSA's hackers and leaking their hacking tools onto the open Web, Iran's hackers are getting their own taste of that unnerving experience. For the last month, a mystery person or group has been targeting a top Iranian hacker team, dumping its secret data, tools, and even identities onto a public Telegram channel—and the leak shows no signs of stopping.

Since March 25, a Telegram channel called Read My Lips or Lab Dookhtegan—which translates from Farsi as "sewn lips"—has been systematically spilling the secrets of a hacker group known as APT34 or OilRig, which researchers have long believed to be working in service of the Iranian government. So far, the leaker or leakers have published a collection of the hackers' tools, evidence of their intrusion points for 66 victim organizations across the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photographs of alleged hackers working with the OilRig group.

"We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran's neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," read the original message posted to Telegram by the hackers in late March. "We hope that other Iranian citizens will act for exposing this regime's real ugly face!"


Posted in Biz & IT, hacking, Iran

British police arrest Julian Assange on behalf of the US government

April 11th, 2019
Julian Assange gestures to the media from a police vehicle on his arrival at court on April 11, 2019 in London. (credit: Jack Taylor/Getty Images)

British police arrested Wikileaks founder Julian Assange on Thursday. He had been hiding in the Ecuadorian Embassy in London since 2012 and was arrested after the Ecuadorian government invited the Metropolitan Police Service into the embassy to remove him. Assange was initially arrested for jumping bail in 2012, but the Metropolitan Police Service subsequently announced that he had been "further arrested on behalf of the United States authorities."

After Assange's arrest, the US Justice Department unsealed its indictment against him. The indictment focuses on Assange's role in helping Chelsea Manning steal classified information from the US military.

In 2010, "Assange agreed to assist Manning in cracking a password stored on United States Department of Defense computers," the indictment charges. Manning allegedly provided Assange with the hash of a password and asked Assange to crack it.


Posted in chelsea manning, hacking, Julian Assange, Policy, WikiLeaks

British Microsoft, Nintendo hacker given 18 month sentence

March 29th, 2019
Photo credit: Rural Learning Center

Two men were given suspended prison sentences in a London court yesterday after entering guilty pleas to hacking charges that saw both Microsoft and Nintendo breached.

Zammis Clark, now 24, broke into a Microsoft server in early 2017 and for about three weeks had access to part of Microsoft's network. He copied some 43,000 files relating to as-yet unreleased versions of Windows, accumulating substantial information about build numbers, code names, and unreleased products. He subsequently shared access to the servers with others over IRC.

One of those others appeared alongside Clark in court: Thomas Hounsell, now 26, performed numerous searches for product information over a 17-day period. Until earlier this year, Hounsell operated BuildFeed, a site tracking internal Windows build numbers and releases, even those that were not made public.


Posted in crime, hacking, microsoft, Policy, Tech, uk, Windows

Critical flaw lets hackers control lifesaving devices implanted inside patients

March 21st, 2019
An X-ray showing a cardio defibrillator implanted in a patient. (credit: Sunzi99~commonswiki)

The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.

Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they're implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic relies on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company's CareLink Programmer in clinics, while patients use the MyCareLink Monitor at home to regularly ensure the defibrillators are working properly.

No encryption, no authentication, and a raft of other flaws

Researchers from security firm Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic's proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications. That makes it possible for attackers within radio range to eavesdrop on the communications. Even worse, the protocol has no authentication mechanism by which legitimate devices prove they are authorized to take control of the implanted devices. That lack of authentication, combined with a raft of other vulnerabilities, makes it possible for attackers within radio range to completely rewrite the defibrillator firmware, a capability rarely seen in medical device vulnerabilities to date.


Posted in Biz & IT, defibrillators, exploits, hacking, medtronic, pacemakers, vulnerabilities

How hackers pulled off a $20 million bank heist

March 17th, 2019
Photo credit: Buyenlarge | Getty Images

In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here's how they did it.

At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico. The hackers' affiliation remains publicly unknown. Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system, and security oversights in SPEI, Mexico's domestic money transfer platform run by central bank Banco de México, also known as Banxico.

Easy pickings

Thanks to security holes in the targeted bank systems, attackers could have accessed internal servers from the public Internet, or launched phishing attacks to compromise executives—or even regular employees—to gain a foothold. Many networks didn't have strong access controls, so hackers could get a lot of mileage out of compromised employee credentials. The networks also weren't well segmented, meaning intruders could use that initial access to penetrate deep into the banks' connections to SPEI, and eventually SPEI's transaction servers, or even its underlying code base.


Posted in Biz & IT, hacking

Report: Bezos-hired sleuth suspects sexts stolen by “government entity”

February 8th, 2019
Jeff Bezos. (credit: Drew Angerer/Getty Images)

Yesterday Jeff Bezos alleged that David Pecker, CEO of the company that publishes the National Enquirer, attempted to blackmail Bezos by threatening to publish nude photos of Bezos. The married Bezos allegedly sent the explicit photos to another woman, broadcaster Lauren Sanchez.

One of the big unanswered questions in the story is how the National Enquirer obtained the photos. One obvious possibility is that someone hacked Bezos' phone—or possibly Sanchez's.

But in an interview on MSNBC, Washington Post reporter Manuel Roig-Franzia pointed to a different possibility. The Post is owned by Bezos, and while Roig-Franzia says he hasn't talked to Bezos directly, he has talked to Gavin De Becker, a legendary security consultant who is working for Bezos. "Gavin De Becker told us that he does not believe that Jeff Bezos' phone was hacked," Roig-Franzia said. "He thinks it's possible that a government entity might have gotten hold of his text messages."


Posted in AMI, blackmail, David Pecker, hacking, Jeff Bezos, national security, Policy

Fire (and lots of it): Berkeley researcher on the only way to fix cryptocurrency

February 4th, 2019
Marines use flamethrower to spectacular effect in field. (credit: US Marine Corps)

Nicholas Weaver made no bones about it: he really, really dislikes cryptocurrencies.

Speaking at the Enigma security conference in Burlingame, California, last week, the researcher at UC Berkeley's International Computer Science Institute characterized bitcoin and its many follow-on digital currencies as energy-sucking leeches with no redeeming qualities. Their chief, if not only, function, he said, is to fund ransomware campaigns, online drug bazaars, and other criminal enterprises.

Meanwhile, Weaver said, there's no basis for the promises that cryptocurrencies' decentralized structure and blockchain basis will fundamentally transform commerce or economics. That means the sky-high valuations spawned by those false promises are completely unjustified. He also said investors' irrational exuberance just adds to the unviability of cryptocurrency.


Posted in Biz & IT, Blockchain, cryptocurrency, hacking, scams

Nine defendants charged in SEC hacking scheme that netted $4.1 million

January 15th, 2019
Photo credit: Brendan Smialowski / Getty Images

Federal authorities have charged nine defendants with participating in a scheme to hack a Securities and Exchange Commission database to steal confidential information that netted $4.1 million in illegal stock trade profits.

Two of the defendants, federal prosecutors in New Jersey said, breached SEC networks starting in May 2016 by subjecting them to hacks that included directory traversal, phishing attacks, and infecting computers with malware. From there, the defendants allegedly accessed EDGAR (the SEC’s Electronic Data Gathering, Analysis, and Retrieval system) and stole nonpublic earnings reports that publicly traded companies had filed with the commission. The hackers then passed the confidential information to individuals who used it to trade in the narrow window between when the files were stolen and when the companies released the information to the public.

“Defendants’ scheme reaped over $4.1 million in gross ill-gotten gains from trading based on nonpublic EDGAR filings,” SEC officials charged in a civil complaint. It named Ukrainian national Oleksandr Ieremenko as a hacker, along with six individual traders in California, Ukraine, and Russia, and it also named two entities. A criminal complaint filed by federal prosecutors in New Jersey charged Ieremenko and a separate Ukrainian named Artem Radchenko with carrying out the hack.


Posted in Biz & IT, edgar, hacking, SEC, Securities and Exchange Commission

Pwn2Own contest will pay $900,000 for hacks that exploit this Tesla

January 15th, 2019
Image of a blue sedan against a white background. (credit: Tesla)

Pwn2Own has been the foremost hacking contest for more than a decade, with cash prizes paid for exploits that compromise the security of all manner of devices and software. Browsers, virtual machines, computers, and phones have all been fair game. Now in its 13th year, the competition is adding a new category—a Tesla Model 3, with more than $900,000 worth of prizes available for attacks that subvert a variety of its onboard systems.

The biggest prize will be $250,000 for hacks that execute code on the car’s gateway, autopilot, or VCSEC. A gateway is the central hub that interconnects the car’s powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm.

These three systems represent the most critical parts of a Tesla, so it’s not hard to see why hacks that target them are eligible for such huge payouts. To qualify, the exploits must force the gateway, autopilot, or VCSEC to communicate with a rogue base station or other malicious entity. Meanwhile, a denial-of-service attack that takes out the car’s autopilot will pay $50,000.


Posted in Biz & IT, cars, hacking, PWN2OWN, Tesla

Thousands of sensitive emails stolen in intrusion of Republican campaign arm

December 4th, 2018
Photo credit: Getty Images | Chris Clor

An email intrusion targeting a key Republican campaign committee allowed unknown people to steal thousands of sensitive emails from four senior aides, Politico reported Tuesday.

The attack on the National Republican Congressional Committee, the main group that works to elect Republicans to the US House of Representatives, allowed the person or group responsible to monitor the aides’ email accounts for several months, Politico said. The intrusion was detected in April by a managed security services provider the NRCC had retained to monitor the security of its network.

The unnamed provider informed NRCC officials, who in turn alerted security firm Crowdstrike. Crowdstrike, which was called in to investigate the Russian government’s 2016 hack of the Democratic National Committee, had already been retained by the NRCC when the intrusion was discovered in April, Politico said.


Posted in email, hacking, National Republican Congressional Committee, Policy, republicans, unauthorized access