Man Pleads Guilty To Leaking US Military Aircraft Blueprints

When it comes to security and privacy, little is more closely guarded than military details. The information is usually protected by several layers of controls, and even if those are breached, the chances of the intrusion going unnoticed are slimmer still. Su Bin found this out the hard way when he pleaded guilty to leaking US military aircraft blueprints.

Su Bin, a Chinese national, has pleaded guilty to illegally accessing sensitive military data and passing it to China for financial gain. Su's role in the scheme was to obtain access to the servers of Boeing and other companies, retrieving information about military aircraft such as the C-17 transport and even fighter jets. Once he had access, he told two associates, unnamed in his plea deal, which servers to hack and which information on the projects was useful. He even provided a translation service, converting the documentation from English to Chinese before sending it on to China, all for a fee. He also passed on server details and the names and e-mail addresses of US executives.

After being arrested in Canada in 2014 and extradited to the US last month, Su has pleaded guilty to charges relating to the theft of data on the US Munitions List, which forms part of the International Traffic in Arms Regulations.

With countries becoming ever more aware of the risks of the digital world, every arrest like this is a stark warning that just because you can do something doesn't mean you will get away with it.

FBI Hacking Case Judge Doesn’t Understand Computing

A US judge, presiding over a case involving the FBI's use of a Network Investigative Technique (NIT), effectively a form of government hacking, was found to have little knowledge or understanding of the concepts being discussed.

During a hearing in Seattle on Friday (15th March), Judge Robert J. Bryan presided over the case of Jay Michaud, a public school administrator in Vancouver, Washington, who was charged with possession of child pornography. Michaud was caught in an FBI sting operation in which the agency seized a Tor hidden service called Playpen, ran it from its own server, and used an NIT (malware served to visitors of the site) to obtain his real IP address, which Tor would otherwise have concealed. The use of the NIT in the case is being contested.

During the hearing, Judge Bryan appeared confused as to how the NIT works: "I am trying to understand," he told the court. Below is a transcript from the hearing (via Vice Motherboard), during which Judge Bryan fails to grasp how the NIT is deployed:

Judge Bryan: “Do the FBI experts have any way to look at the NIT information other than going to the server?”

Colin Fieman (Michaud’s public defender): “Your Honor, they don’t go to the server.”

JB: “Where do they go? How do they get the information?”

CF: “They get it from Mr. Michaud’s computer.”

JB: “They don’t have his computer.”

CF: “That’s what the NIT is for.”

Struggling to wrap his head around NIT, Judge Bryan later said, “I suppose there is somebody sitting in a cubicle somewhere with a keyboard doing this stuff. I don’t know that. It may be they seed the clouds, and the clouds rain information. I don’t know.”

On the face of it, Judge Bryan's comments are amusing, and, to be fair, the ideas being conveyed in the case can be impenetrable to people without an inclination toward computing. It is worrying, though, that someone without a grasp of the subject is expected to rule on it, and that such a gap in knowledge, while not necessarily his fault, does not automatically disqualify him from presiding over the case.

Or, as Vice Motherboard puts it:

"If a smart federal judge still has trouble understanding after hours of expert testimony what is actually going on," then the average judge signing warrant applications has little hope of truly understanding what the FBI is proposing, Nate Wessler, staff attorney at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview.

Image courtesy of HackRead.

John McAfee Explains How He’d Hack the Pentagon

John McAfee, paranoid hacker, antivirus pioneer and would-be President of the USA, is at it again. Not content with boasting about how easy it would be for him to hack an iPhone, McAfee has decided to crank it up a notch, telling Tech Insider not only that he could hack the Pentagon, but exactly how he would do it.

“You want to find the weakest link,” McAfee said in a phone interview with Tech Insider. “You’re in and out, and you have everything.”

On Wednesday, the Pentagon announced that it would be inviting hackers to test the security of its systems. McAfee claims that, given the opportunity, he could compromise the department's systems within a month.

“I would exclusively use social engineering,” he said. “I would most likely use an ‘audit authorization letter’ on [Department of Defense] letterhead.”

“This technique seldom fails,” he added.

McAfee’s plan to hack the Pentagon relies less on coding and more on hustling, pulling a Danny Ocean-esque confidence trick. He envisions himself bluffing and sweet-talking his way into the building, supported by fake IDs and hacked phone lines, following weeks of surveillance to identify the ideal marks and copy official ID badges.

The caper itself begins with McAfee himself, suited up, entering a Pentagon data centre with an official-looking letter.

“The last thing on your mind is going to be ‘Can I see your credentials?’” McAfee explains, “Because what credentials [am I] going to have? [We] are going to have this letter and say ‘Call the general.’

“The people you hand this letter to are terrorized,” he adds. “Why? Because they know they fucked up. They know that they have problems. They know that they have flaws in the system.”

“If they do call the number, it’s even worse. The operator,” who is a plant, according to McAfee’s plan, “says, ‘Yes, this is extraordinarily important. Tell them they’re late and they better get [the audit report] in now. You have no idea how pissed off the general is.'”

Sadly, John has shown his hand by revealing his plan in public. But maybe it's a double bluff, or he's so confident that he thinks he can pull the heist off anyway. Either way, I can't wait until the "Hack the Pentagon" initiative begins this April.

Pirates Identify Booty by Hacking Shipping Company

When people talk about "pirates" and "hacking" together, it usually refers to those who release software with its digital rights management removed or disabled. This case was different. As revealed in Verizon's 2015 Data Breach Investigations Report, Verizon's RISK security response team was called in to assist a global shipping company that had fallen victim to network intrusions which were in turn used to assist piracy on the high seas.

The incident first came to light when the shipping company noticed an odd pattern in the pirates' attacks on its vessels. Instead of the typical approach of ransoming the crew and cargo of a target ship, the pirates carried out hit-and-run attacks, seizing specific high-value shipping containers and making off with those alone.

The response team discovered that the shipping company used a "homegrown" web-based content management system to manage the cargo on its ships. Analysis showed that a malicious script, a web shell, had been uploaded to the server via a vulnerability in the software. The shell gave the pirates backdoor access to the server, allowing them to upload and download files, including the bills of lading for the ships, and to compromise a number of user passwords.

Mistakes made by the hackers allowed the response team to uncover the intrusion easily, the primary one being the shell's use of plain HTTP rather than the SSL encryption the server supported. This exposed every transmission of data to and from the server whenever the pirates used the shell. Put together, the captured traffic let the team see every command issued by the hackers, including a large number of spelling mistakes in those commands. So while the cyber-attacks were certainly effective when paired with the physical attacks on the ships, those carrying them out were seemingly amateurs. Their biggest flaw, however, was a complete disregard for operational security: they used no proxies or other intermediaries, connecting directly from their home network. As a result, all it took to end the attacks was blocking the pirate hackers' IP address.
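As an added example, not code from the Verizon report or from the original article, the Python script below shows how a responder could pull the operators' commands out of captured plaintext HTTP traffic and tie them to a source address, then produce the block rule that ended the attack. It works over Apache-style access log lines, which are constructed here for illustration; the upload path, the parameter names the web shell accepts and the 203.0.113.7 source address are assumptions. The caveat a practitioner should keep in mind: these request parameters were visible on the wire only because the shell used plain HTTP; had it used SSL, a packet capture would have shown nothing useful and only the server's own logs would still record the requests.

```python
"""Recover web-shell activity from plaintext HTTP access logs.

Added example: parses combined-format access log lines, flags requests that
look like use of an uploaded web shell, collects the commands sent to it per
source IP, and emits the firewall rules that would cut the operator off.
The log lines, paths and parameter names below are constructed, not real.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic in Apache "combined" log format (test data, not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:12:01 +0000] "GET /cms/uploads/x.php?cmd=ls%20-la HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:12:44 +0000] "GET /cms/uploads/x.php?cmd=cat%20/var/www/cms/config.php HTTP/1.1" 200 1440 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:08:13:02 +0000] "GET /cms/index.php?page=manifests HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:14:10 +0000] "GET /cms/uploads/x.php?cmd=wgte%20http://203.0.113.7/t.sh HTTP/1.1" 200 96 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:15:37 +0000] "POST /cms/uploads/x.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, timestamp, request line, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed indicators: scripts executed from the CMS upload directory, and query
# parameters commonly used by simple web shells to pass an OS command.
UPLOAD_DIR = "/cms/uploads/"
SCRIPT_EXTENSIONS = (".php", ".cgi", ".jsp", ".asp", ".aspx")
COMMAND_PARAMS = {"cmd", "c", "exec", "command", "run", "shell"}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # values come back already percent-decoded
    return rec


def is_web_shell_request(rec):
    """True if the request runs a script from the upload directory or carries a command parameter."""
    if rec["path"].startswith(UPLOAD_DIR) and rec["path"].endswith(SCRIPT_EXTENSIONS):
        return True
    return any(name.lower() in COMMAND_PARAMS for name in rec["query"])


def extract_commands(log_text):
    """Return {source_ip: [command, ...]} for every request that looks like web-shell use."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_web_shell_request(rec):
            continue
        commands = [
            value
            for name, values in rec["query"].items()
            if name.lower() in COMMAND_PARAMS
            for value in values
        ]
        # A POST to the shell with no visible command still counts as shell activity
        # (the command sits in the request body, which access logs do not record).
        hits[rec["ip"]].extend(commands or [f"<no command in URL: {rec['method']} {rec['path']}>"])
    return dict(hits)


def block_rules(hits):
    """Firewall rules that drop traffic from every source seen driving the shell."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(hits)]


if __name__ == "__main__":
    found = extract_commands(SAMPLE_LOG)
    for ip, commands in found.items():
        print(f"{ip} issued {len(commands)} command(s):")
        for command in commands:
            print(f"  {command}")
    print("\n".join(block_rules(found)))
```

Run against the sample, the script attributes four shell interactions to a single source address (including the mistyped "wgte" the article's amateurs would have produced) and ignores the legitimate CMS request from the other client; the single iptables rule it emits is the whole of the remediation the report describes.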

Cyber-crime may be a serious threat today, but events like this show that attacks combining cyber and physical elements can be the most effective of all. Thankfully, in this incident the hackers' incompetence allowed them to be thwarted, but companies should be sure, more than ever, to defend themselves not just in the physical world but online too.

Apple and FBI Go Before Congress In Privacy Talks

Apple vs the FBI has been, and looks set to remain, one of the biggest legal debates of 2016, with large companies like Microsoft speaking out in defence of the iPhone maker in its bid to stop what it calls a "dangerous precedent" from being set. The discussion has now moved to a higher level, with both parties presenting their arguments to Congress.

Apple's general counsel, Bruce Sewell, opened with a point that has been made in every discussion since: forcing Apple to unlock the phone, or to create software that lets the government bypass its security, would set a troubling precedent for the entire tech industry. In his opening remarks, Sewell said, "building that software tool would not affect just one iPhone. It would weaken the security for all of them".

The big surprise came when FBI director James Comey agreed in part with this statement: "Sure, potentially. Any decision of a court about a matter is potentially useful to other courts." These comments came just days after it was revealed that a New York judge had ruled that the same law could not be used to force Apple to unlock an iPhone.

Comey's response also differs from those given previously by the FBI, which had claimed the case was never about a precedent and that it just wanted this one phone unlocked.

The conversations are just starting and soon governments and companies alike could be looking at new ways of handling encryption, either together or in hopes of protecting people from the other party.

GCHQ Hacking Deemed Legal by Tribunal

It has been announced today that the computer and smartphone hacking carried out by the intelligence agency GCHQ is legal, according to the UK's Investigatory Powers Tribunal. The inquiry was launched after the extent of the agency's hacking was uncovered by whistleblower Edward Snowden, which led to GCHQ revealing that its agents had hacked into devices both within the UK and abroad.

At the conclusion of the inquiry, the senior judges on the panel ruled that they were satisfied that GCHQ's ability to forcibly gain access to devices in order to gather intelligence struck a proper balance between safeguarding the privacy of individuals and the ability to investigate crime and protect the public. Understandably, Privacy International, the civil liberties group that brought the complaint, said it was "disappointed" with the outcome and would continue to combat state-sponsored hacking.

GCHQ's hacking capabilities were reported to the tribunal as covering computers, smartphones, servers, routers and more. The tribunal was told that the agency's hackers could remotely enable microphones and cameras, log keystrokes, install malware, track locations and even copy documents from target devices. Currently, the only restrictions on such hacking are laid out in the Home Office's code of practice for "equipment interference", which is set to be expanded as part of the Government's Investigatory Powers Bill, currently being drafted. That code requires a warrant to be issued before any hacking can take place. The judges agreed that the code strikes the right balance between the "urgent need for the Intelligence Agencies to safeguard the public and the protection of an individual's privacy and/or freedom of expression". These restrictions did not exist when the complaint was originally brought, however, which brings GCHQ's previous actions into question.

Once again, the security and privacy of citizens are under pressure from government agencies, which strive to increase their own powers and, supposedly, the safety of their people at the cost of their freedom. While GCHQ's hacking is in future expected to be kept in check by codified legal rules, the fact that its previous actions were ruled lawful could set a dangerous precedent if an agency tried to exploit the circumstances to work outside those rules.

Innocent Tormail Users May be Victims of FBI Hacking

In 2013, the dark web email service TorMail was seized by the FBI, which took the contents of its servers with it. It was also suspected that the FBI had used a network investigative technique (NIT), the agency's term for a hacking tool, to compromise some users of the service. A Washington Post report on the FBI's use of NITs confirmed these suspicions but also raised many more questions, such as the scope of the hacking.

Prior to its takedown, TorMail ran on the dark web, accessible only through the Tor network. Such hidden email services are typically used by those in need of privacy, whether for legitimate reasons such as journalism or for less legal activities such as drug dealing, trading on Silk Road and other activities that could draw the FBI's attention. The agency had reportedly obtained a warrant to hack the accounts of certain people thought to be associated with the distribution of child pornography. Despite this, when Freedom Hosting, a web host providing dark web services including TorMail, was seized by the FBI, anyone accessing a page hosted by Freedom Hosting was served an error page. This error page was designed to deliver malicious code that exploited a security flaw in the Firefox browser to transmit the user's real IP address to a server in Virginia.

An ex-user of TorMail told Motherboard that the error page and malicious code "appeared before you even logged in." This calls into question whether the FBI was acting within its claim of targeting specific users if the real IP address of every single person who accessed TorMail was reported to it. And while there were certainly criminals using the service, many users were not engaged in criminal activity, whatever their reasons for wanting privacy.

Christopher Soghoian, a technologist for the American Civil Liberties Union, told Motherboard, "If the government, in fact, delivered an NIT to every single person who logged into TorMail, then the government went too far." Not to mention that if the FBI was hacking everyone who accessed the service, with their use of a privacy service as the only justification, it could be considered unreasonable and may not respect jurisdictional boundaries where international users are concerned. And with the NIT orders still not publicly released, even years after the fact, there is no concrete information as to what the judge actually authorized the FBI to do.

Cases like this are worrying to anyone concerned about online privacy. With Tor recently suspected to have been compromised by the FBI, and the agency's director decrying the use of encryption without backdoors, it is unclear how far the FBI's power truly reaches. This lack of public accountability is a threat to those who want privacy for innocent reasons, and may harm independent journalism should the tools it relies on put it under threat.

Is There a Connection Between ISIS and UK Government IP addresses?

Information has been circulating and updating over the last 48 hours concerning a possible link suggesting "that a number of Islamic State supporters' social media accounts are being run from internet addresses linked to IP addresses from the Department of Work and Pensions". This possible connection was traced and subsequently exposed by the well-known hacking group VandaSec.

Reports state that, as has become the norm in the digital age, the link was unearthed by four teenage computer hackers who claim to have traced "IP addresses from their supposed Saudi Arabia location back to the United Kingdom's Department of Work and Pensions after using a set of specialized tools to track the IP addresses". The accounts are noteworthy because they were being used to recruit new ISIS members online.

It's a conspiracy! Probably not. After further analysis by an external source, it has so far been concluded that these IP addresses were part of an unpublicised set of transactions between Britain and Saudi Arabia. The British government sold a large block of IP addresses to two Saudi Arabian firms (Saudi Telecom and the Saudi-based Mobile Telecommunications Company). After the sale was finalised around October of this year (2015), extremists began using those addresses to spread the group's usual message.

Jamie Turner, an expert from the firm PCA Predict, confirmed that the trace back to the UK government was more obvious than it should have been, owing to the fact that the registration records for the IP addresses had not yet been fully updated.

At the very least it's certainly embarrassing for Whitehall. Yes, the government has stated it had no control over what happened to the IP addresses after they were sold, but perhaps further vetting of potential buyers needs to take place to mitigate against unlawful use at the extreme end. I wonder where other sold IP addresses will end up in the future?

Image courtesy of wired

The Hilarious Relationship Movies and TV Have With Technology

We live in a world full of technology, that much is obvious, but when it comes to movies and TV, the characters live in a completely different dimension from conventional technology, one where almost none of it makes any sense. Obviously, watching someone sit and click a mouse is a little boring, so movie and TV producers, writers, directors and so on come up with ever more imaginative ways to make it more involving, often with hilarious consequences. Just look at the image above: flip a PC chassis on its side, stick a microscope on top, instant science equipment!

Take this iconic scene from NCIS for example, and wow, there are a lot of NCIS examples I could pick from. There's so much wrong with this scene it's hard to even quantify: two people sharing a single keyboard, windows flying all over the screen, and let's not forget that they stopped the hacker by pulling the plug... as if the entire database being hacked was only on that one PC. Effectively they cut themselves off and left the hacker to carry on, or at least that's what would have happened in real life.

Why bother to get appropriate props to fit the scene when you can pull a power supply out of your bag and call it a hard drive. This one really makes my brain hurt, but it’s also one that makes me laugh my ass off every time I see it.

Why use a keyboard when you can use VR and gloves. This is futuristic as hell, but imagine holding your arms out and about 1-foot above your desk for extended periods of time just to use a computer! That’s a future I don’t want to live in.

The whole “zoom and enhance” thing has been played out a lot, but CSI really pushed things to ridiculous levels. Zooming into insane levels of detail from some crappy security camera footage. OH COME ON! And pay close attention to the sound effects, computers don’t do that? It would be incredibly irritating after about… five minutes?

It seems to be a fascination of TV and movies to make everything a computer does “beep”, from typing, moving a cursor, copying a file, deleting something, you get that constant *beep boop beep boop* and I have yet to see a real PC that does anything like this, with the exception of a kids V-Tech toy.

Need to hack something? Don't worry, all it takes is some dancing, a lot of screens, furious typing and the smarts to solve a digital Rubik's cube. Hacking is boring in real life, it's just code and commands, so movies add visuals to make it look interesting, but it's still completely absurd.

Don’t even get me started on the whole Hackers movie. I loved it, but this scene is far more interesting than it should be, without even getting started on how they were generating cool text graphics on the TV network in real time.

There’s little I need to say here, “Is that a 12-core!?” is possibly the funniest “tech” moment in TV history. One that I feel won’t be topped for a long time, or until the next season of NCIS.

Not even the mighty Batman can escape the absurdity, using mobile phones to feed vast amounts of information like this. I’ve no idea why they need so many odd looking displays with huge gaps, even a 1cm bezel is distracting on multi-monitor setups, so this is a terrible configuration. Also, how did they stream so much data to his HUD? I don’t recall seeing a super-power Wi-Fi antenna sticking out his butt.

Buzz words are a great way of making it sound like you did something technical, or really anything at all.

Then again, we’re saved by the IT Crowd who know how silly tech can be on TV, but embrace it to give us comedy gold such as this.

Got a favorite movie or TV tech moment you want to share with us? Feel free to leave it in the comments section below.

FCC Speaks Out Regarding Router Hacking Laws

Back in September, the US Federal Communications Commission published proposed rules governing software requirements for Unlicensed National Information Infrastructure (U-NII) devices, the draft of which suggested that the agency could outlaw router hacking, such as flashing devices with third-party firmware like DD-WRT, Tomato and OpenWrt.

The FCC has now spoken out regarding the proposed rules, specifically the section asking router manufacturers to explain “how [its] device is protected from ‘flashing’ and the installation of third-party firmware such as DD-WRT”.

“This particular question prompted a fair bit of confusion – were we mandating wholesale blocking of Open Source firmware modifications?” Julius Knapp, Chief of the Office of Engineering & Technology for the FCC writes. “We were not,” Knapp clarifies, “but we agree that the guidance we provide to manufacturers must be crystal-clear to avoid confusion.”

There we have it: no ban on router hacking. Knapp, however, does acknowledge how misleading the previous draft may have been, writing, “today we released a revision to that guidance to clarify that our instructions were narrowly-focused on modifications that would take a device out of compliance.”

He adds, “The revised guidance now more accurately reflects our intent in both the U-NII rules as well as our current rulemaking, and we hope it serves as a guidepost for the rules as we move from proposal to adoption.”

The revised section now reads [PDF]:

“Describe, if the device permits third-party software or firmware installation, what mechanisms are provided by the manufacturer to permit integration of such functions while ensuring that the RF parameters of the device cannot be operated outside its authorization for operation in the U.S. In the description include what controls and/or agreements are in place with providers of third-party functionality to ensure the devices’ underlying RF parameters are unchanged and how the manufacturer verifies the functionality.”

Image courtesy of Polygon.

Anonymous to Start OpKKK

The internet is a place where a lot can happen. People can have their details exposed, as in the recent breach at TalkTalk, or misused in swattings. Some believe, though, that the internet can be used for good as well as ill, to represent and defend ordinary people. One such group is Anonymous.

Famous for its operations against governments and controversial groups, Anonymous is already acting on its next operation, titled Operation KKK. It targets the Ku Klux Klan, which is listed as a hate group by the Anti-Defamation League and is said to have anywhere between 5,000 and 8,000 members. Anonymous wants to unmask around 1,000 of them in the next phase of the operation, an action called Hoods Off, on November 5th.

Not one to shy away from publicity, Anonymous has been posting updates on Twitter, reporting that many sites related to the KKK have already been taken offline and that more will follow.

A hacker going by the name Amped Attacks has already helped out, taking down the Westboro Baptist Church's website as well as several KKK websites. In doing so they have apparently also gained access to a list of identifying information for a range of people, including mayors and senators.

Anonymous Attacks The Canadian Government and Leaks Classified Data

In the real world, the establishment counters criminality with an extensive array of resources and a structured organisation. In cyberspace, groups such as Anonymous are organised, well versed in operational hacking and able to use inexpensive tools; perhaps this is why governments and companies have yet to get a grip on data that has, metaphorically, walked out the door, hitched a plane and ended up on someone else's computer.

The aforementioned Anonymous appears to be using such techniques to again prise open the gates to official documents, as reports have begun to circulate over the leaking of yet another high-level federal document, this one concerning the redevelopment of Canada's key diplomatic centres in Britain. This alleged leak is the second in a campaign against the Canadian government, with the information purported to include budgetary deficits and the "selling, relocating and refurbishing of Canada's diplomatic buildings in London".

The documents belong to the Treasury Board of Canada and are dated 6th February 2014; if, as many believe, they are authentic, the Treasury Board is now very irritated indeed. These leaks are an attempt by the hacktivist group "to pressure the government over the fatal shooting of a protester in B.C. and the passing of Bill C-51, the controversial anti-terrorism bill that gave expanded powers to police and Canada's spy agency".

Meanwhile, sources say that federal authorities are comparing versions of the documents and scanning for discrepancies that may help track down whose hands they slipped from.

Have I any sympathy for the Canadian government? Well, you know me, don't you? It demonstrates poor cyber awareness and a lack of safe practice in the storage of classified documents. Remember, the infrastructure has not been breached by one state attacking another but by a hacktivist group.

Governments are losing the argument when it comes to condemning the criminality of these acts. After all, the actions of this group are against the law, but for me so are the increased surveillance capabilities of agencies and the recruitment of external hacking teams, as in the case of, well, Hacking Team to be precise.

"Freedom is never more than one generation away from extinction. We didn't pass it to our children in the bloodstream. It must be fought for, protected, and handed on for them to do the same." Ronald Reagan

Thank you nationalpost for providing us with this information.

Image courtesy of occupycorporatism

Data from Hacked Bug Database used to Target Firefox Users

Using data obtained through another hack, attackers were able to target Mozilla Firefox users through vulnerabilities in the popular browser. What is most interesting about this whole debacle, however, is that the attackers first hacked Bugzilla, Mozilla's bug and vulnerability tracking system, to find working exploits.

Bug trackers and vulnerability databases play an important role in maintaining secure software. As researchers and white hats discover bugs and vulnerabilities, they report them either to a third party or directly to the vendor; in this case, to Mozilla through Bugzilla. This provides a common platform to share the information required to demonstrate and fix the bug. Even where there is no public-facing infrastructure for reporting bugs, most developers have their own internal system for tracking, detailing and cataloguing them. For widely used software, an attacker may not need to spend time researching their own zero-days. Instead, they can simply hit one of these bug repositories, grab a whole host of vulnerabilities and use them as needed before they are patched.

In this case, Bugzilla was breached because a privileged user account used the same password on Bugzilla as on another site that had been hacked. As a result, attackers were able to access Bugzilla undetected for at least a year. They got away with 185 non-public bug reports, 10 of which described vulnerabilities still unpatched at the time. Given how many users tend not to patch, and that Mozilla is unsure when the attackers first got in, it is possible many users were vulnerable; in fact, one of the vulnerabilities was exploited in the wild for a while. In response, Mozilla is shoring up security with measures such as restricting access and requiring two-factor authentication.

Once again, it shows that security can be hard, and that even systems introduced to better protect users can backfire badly. Given the wealth of information stored within bug repositories on various vulnerabilities, they are a juicy target for black hats. Just like major retailers and the recent US government data breaches, the sensitive information they hold means these systems are guaranteed to be attacked at some point. Another major lesson is that if you want good security, not reusing passwords, keeping patched and using two-factor authentication is key.

NCA Website Temporarily Taken Offline by Lizard Squad DDOS Revenge Attack

The National Crime Agency is a UK body that tackles serious and organised crime, including cyber attacks, and recently arrested six people for using Lizard Squad's DDoS tool. In retaliation, the hacking group conducted a DDoS attack on the NCA website, mockingly used the NCA's logo in a Twitter post and publicly announced the attack. An NCA spokesperson said of the incident:

“The NCA website is an attractive target. Attacks on it are a fact of life. DDoS is a blunt form of attack which takes volume and not skill. It isn’t a security breach, and it doesn’t affect our operational capability. At worst it is a temporary inconvenience to users of our website. We have a duty to balance the value of keeping our website accessible with the cost of doing so, especially in the face of a threat which can scale up endlessly.”

A DDoS attack doesn't usually result in long-term chaos, and the majority of sites can be up and running again within 1-2 hours. Of course, this greatly depends on the scale and complexity of each attack. The NCA spokesperson emphasised this and argued:

“The measures we have in place at present mean that our site is generally up and running again within 30 minutes, though occasionally it can take longer. We think that’s proportionate.”

However, Dave Larson, CTO at Corero Network Security explained the more sinister impact of DDOS attacks on network infrastructure:

“The recent reports indicating that the National Crime Agency website has been taken offline by DDoS attack, seemingly by the increasingly popular DDoS-for-hire site, Lizard Stresser is a classic example of cyber-warfare taking aim in retaliation of the recent arrests of individuals associated with the service.

“DDoS attacks can be a nuisance, cause temporary or long term service disruptions, and take down IT security infrastructure in any organization. What is even more disturbing is the potential for even greater damage in the form of smokescreen diversions allowing hackers to run additional attacks aimed at breaching sensitive data and further impacting operations.

“DDoS mitigation strategies must be viewed as more than just protecting your website, it is protecting the business, your intellectual property and your customers.” 

In my opinion, this particular hack was nothing more than an inconvenience and predatory response to the 6 arrests. Arguably, Lizard Squad hopes this sends a warning message out to government bodies trying to infiltrate the group and arrest its leading members. Personally, I feel this is more of a PR stunt and not a valid attempt to make the NCA’s website inoperable.

What do you think of Lizard Squad?

https://twitter.com/LizardLands/status/638617494702399488

Thank you The Register for providing us with this information.

Ashley Madison Ex-CTO Hacked Competing Website

Adultery website Ashley Madison is at the forefront of a hacking scandal despite reassurances about the site’s confidentiality. The data released includes information on members, their activity and the CEO’s e-mail correspondence. In an ironic twist, leaked documents show that the CTO, in collaboration with employees and the CEO of parent company Avid Life Media, discovered a security flaw in rival site Nerve.com. The company accessed the competitor’s entire database and had the ability to change records for its own purposes. A snippet from the e-mail exchange provides an insight into their ruthless strategy:

“They did a very lousy job building their platform. I got their entire user base,”

“Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

In a hilarious twist, Raja Bhatia, the founding chief technology officer outlined the company’s own security problems before allegedly hacking a competing site:

“With what we inherited with Ashley[Madison.com], security was an obvious afterthought, and I didn’t focus on it either,”

“I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials.”

Ashley Madison is a very divisive website, and its CEO isn’t the most lovable of characters. Furthermore, if the company conducted hacking as suggested in the e-mails, it could be prosecuted under the Computer Fraud and Abuse Act. Personally, I have very little sympathy for a company which promotes cheating and supposedly engages in the very behaviour it becomes outraged by.
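Bhatia’s second quote describes the weakest possible credential store: passwords kept as-is, so a database leak is an account leak. As an added example (not code from Ashley Madison or from the article), here is how a password store is built so that a dump does not expose credentials: a per-user random salt and an iterated PBKDF2-HMAC-SHA256 from Python’s standard library, with a check that lets legacy or low-work-factor records be upgraded at the next successful login. The record format, the iteration count and the `login` helper are my own choices.

```python
"""Salted, iterated password hashing with the Python standard library.
Added example: the record format and work factor are my own choices."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000  # raise over time as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash (base64 fields)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(record: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a record into (iterations, salt, hash); None for anything not in our format."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except (ValueError, binascii.Error):
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; constant-time compare."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record is legacy (plain text, other scheme) or uses a lower work factor."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def login(users: dict, username: str, password: str) -> bool:
    """Verify a login and, on success, transparently upgrade a weak record in place."""
    record = users.get(username)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample user table: one record made with an old, low work factor.
    users = {"alice": hash_password("correct horse battery staple", iterations=1000)}
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("record after upgrade:", users["alice"])
```

Note that `verify_password` only ever returns False for a plain-text or foreign-format record; a migration from an unhashed table therefore needs a one-off step that hashes each stored password before this code is switched on.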

Thank you Wired for providing us with this information. 

Not Cool – Samsung Smart Fridge Flaw Makes Gmail Open to Attacks

Security research team Pen Test Partners has uncovered a MiTM (man-in-the-middle) vulnerability during an IoT hacking challenge. The hack was achieved on an RF28HMELBSR smart fridge, part of Samsung’s Smart Home appliance line-up. In theory, the Smart Home app downloads data from Gmail Calendar to the on-screen display over a connection protected by SSL. However, it’s possible for attackers on the same network to intercept that connection and steal your information. Ken Munro, a security researcher at Pen Test Partners, explained:

“The internet-connected fridge is designed to display Gmail Calendar information on its display,”

“It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on.”

“While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example.”
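The failure Munro describes, SSL in place but the certificate never validated, is a client configuration bug rather than a cryptographic one: the fridge encrypts the session but never checks who is on the other end. As an added illustration that is neither the fridge’s code nor Pen Test Partners’ code, here is what that mistake looks like in a Python TLS client next to the hardened form, plus a small audit function a reviewer could run over a context; the function names and finding texts are my own.

```python
"""Certificate validation in a TLS client: the fridge-style mistake next to the
hardened form, plus an audit helper. Added example; names are my own."""
import socket
import ssl
from typing import List, Optional


def fridge_style_context() -> ssl.SSLContext:
    """What 'SSL is in place but the certificate is not validated' looks like in code.
    Any server, or anyone on the path, can present any certificate and the
    handshake still succeeds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation against a trust store plus hostname matching, TLS 1.2 minimum."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise about a client context; an empty list means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def fetch_peer_cert(host: str, ctx: ssl.SSLContext, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a server and return the peer certificate the client believes it saw.
    With the hardened context a bad chain or wrong name raises ssl.SSLCertVerificationError;
    with the fridge-style context the handshake succeeds and getpeercert() returns {}
    because nothing was validated. Network-only helper, not used by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("fridge-style", fridge_style_context()), ("hardened", hardened_context())):
        print(name, "->", audit_context(ctx) or ["no findings"])
```

The same audit applies to any embedded client: if the device’s HTTP library is configured with the equivalent of `CERT_NONE`, or pins nothing and checks no hostname, an attacker who can put themselves on the local network can terminate the TLS session themselves, exactly as in the fridge case.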

Technological advancements in household appliances are designed to enhance user convenience and provide useful information. Unfortunately, this makes rather ordinary devices prone to software bugs or hacking. Samsung has acknowledged the situation and released the following statement:

“At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”

Do you own any smart appliances?

Image courtesy of Gizmodo

Thank you The Register for providing us with this information.

Has a 14-Year-Old Hacker Enabled iOS 4.2.1 on an Apple Watch?

Billy Ellis is a 14-year-old designer and iOS developer with a keen interest in hacking. His latest project shows an Apple Watch booting into iOS 4.2.1 and displaying the signature main menu. At first glance, the video appears to be genuine, but I’m pretty sceptical that an entire OS could be hacked onto the Apple Watch. Perhaps he has created an app which emulates the iOS boot process when loaded. However, if the video is legit, then I cannot imagine how this was achieved.

By default, the Apple Watch operates on a custom version of iOS and is almost seen as a supplementary device to existing Apple products. The concept of running the default iOS software is interesting, but I’m guessing the user interface would scale horribly on such a tiny screen. Whatever the case, I have to commend a developer of such a young age for engaging in coding projects.

The Apple Watch is a very polarizing product and I honestly cannot see the appeal. Although, if the device can be modified to run custom software, it would become a more attractive proposition. Furthermore, if any documentation arises about this particular hack, I would proceed with caution, as it will undoubtedly void your warranty and might be a visual forgery. Wearable technology is becoming increasingly popular and it’s only a matter of time before we see a number of software hacks from developers.

https://twitter.com/bellis1000/status/634125587867660289

Thank you Wired for providing us with this information.

DDOS Attacks Reach Record Numbers in Q2 2015

The State of the Internet report from Akamai has revealed an alarming statistic concerning the prevalence of DDOS attacks. Shockingly, there was a 7 percent increase compared to the last quarter and a 132 percent increase from the same time last year. More worryingly, Q2 2015 contained 12 “mega attacks”, featuring a peak of 1,000 gigabits per second and 50 million packets per second. One example lasted a total of 13 hours at 240 Gbps, whilst most attacks last around 2-3 hours.

Interestingly, the data pinpoints the main source of DDOS attacks to China followed by the USA. Attackers are prioritizing their focus on online gaming networks and trying to cause utter destruction. More specifically, 35 percent of DDOS victims experienced attacks whilst using a gaming network such as Xbox Live. John Summers, VP of the Cloud Security Business Unit at Akamai said,

“The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter,”

“Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated.”

Any DDOS attack is difficult to contend with, and they’re starting to become an epidemic. Some websites are hit for political reasons, and others appear to be targeted by vindictive people wanting to leave their mark. Whatever the motive, DDOS attacks are on the rise and a major problem for internet users.

Thank you Digital Trends for providing us with this information.

Running Mac OS 6.0.1 On The Amiga 500 Computer

The perception among the tech industry is one of constant updating, but retro tech certainly has its place within fans’ minds if this fun hack is anything to go by. A Reddit and Imgur user by the username of wowbobwow (yippi yo yippy yay – sorry, but that sprang to mind) used an emulator called “A-Max” which in turn allowed Mac OS 6.0.1, booted from the Mac ROM, to run on the Amiga 500.

For a minute let’s talk uber tech with regards to this application. Emulation is a program, usually running on a faster computer, which mimics the behaviour of another piece of computer hardware. The problem with this process is that a program run via emulation becomes slower and is unable to run at full speed, because of the overhead of imitating another system. Therefore this project is not true software emulation, but is rather defined by a statement from the clever hacker which is as follows,

“Worth noting that this is not “software emulation” like how you might run Mini vMac on a modern computer. This setup literally connects two Apple Macintosh ROM chips (from a Mac Plus, in this instance) to the Amiga’s floppy drive, and via some unholy alliance of A-Max controller software + Apple ROM code + the Motorola 68000 CPU in the Amiga (the same chip that powered all the early Macs), this is a “hardware” emulation system. Interestingly, the Mac boot disk I have is too old to be 32-bit compatible, so while it “sees” the full 9 megs of RAM in the Amiga, it can only access 512k of it.”

This project has been coined CoMacintosh by the author, and it again shows how few limits there are on what can be achieved by a skilled ethical hacker.

Thank You to Techworm for providing us with this information.

US Won’t Regulate Hacking Software – For Now

We all know about hackers. They’ve been in the news a lot in the last few years, from the Xbox and Sony Christmas Day hacks to the large databases of customer details being hacked on a nearly monthly basis. One hack actually targeted a hacking group, Hacking Team, and ended up with 400GB of their data being taken. This included everything from their hacking tools to the information required to use them against companies and everyday users. After this, a small piece of legislation was developed and marketed to the US government, a piece of legislation which is now possibly going to be scrapped following concerns from pretty much everybody in the IT security industry.

The Department of Commerce first put the legislation forward and stated that the development and testing of exploits, zero-day and intrusion type software should not only be limited and controlled but also made illegal in some aspects. Say hello to the outcry from professionals who not only deal with writing but also stopping software like this from being used for malicious means, who even stated that not only would it limit and criminalise the research into nasty software, but also mean that all those nasty bugs and exploits that you don’t want people using, would be pushed onto the black market.

While the Department of Commerce stated that “a second iteration of this regulation will be promulgated”, it’s clear that while they may not be able to get away with vague descriptions and tight control on security software, they will still attempt to get some form of control pushed regarding what they call “weaponised software”.

Thank you Reuters for providing us with this information.

Image courtesy of the Art of Add.

Hacking Team and Boeing Built a Surveillance Drone

The hack of Hacking Team was hilarious but serious at the same time; to contemplate a freelance company hell-bent on hacking any target for a variety of employers seemed, well, not surprising, but certainly a disappointing period for the ideological view of democracy. But at least the Italian surveillance team only hacked computers, I mean it’s not like they were developing any weaponry… oh my god, they planned a drone!

According to the released emails, which became public thanks to Wikileaks, the firm had been planning for just over a year to develop a drone by the name of ‘Snoopy’ which was capable of intercepting data from users’ smartphones through spoofed wireless networks. The emails also reveal that both Boeing and Hacking Team wanted unmanned aerial vehicles (UAVs) with the aim of carrying out attacks which inject spyware into target computers or mobile phones via Wi-Fi.

The plans also reveal that public Wi-Fi networks would be used to intercept targets’ internet traffic before injecting malicious code into the target machine, with the aim of installing spyware developed by Hacking Team. This news is also accompanied by techniques which make use of “man in the middle attacks” and exploits to fish for information.

Well, I am not sure I particularly want surveillance drones which have the ability to spy on computers belonging to anyone. This news also highlights the blurred line between good and evil: if governments were contemplating this concept, how does this make them any better than criminals? Yes, it’s technically for a noble cause by catching alleged targets, but who are the targets? This also goes back to the same question of transparency: governments quite happily inform us that money is tight for essential facilities, for example hospitals, yet could well have been planning to purchase eyes in the sky which intercept data at taxpayers’ expense.

Thank You The Hacker News and Wikileaks for providing us with this fascinating information

Hackers Gain Access To Government Data On 21.5 Million People

Hackers stole crucial information on 21.5 million people in a cyber-attack carried out in June this year. The Office of Personnel Management (OPM) is responsible for 90% of federal background checks in the United States, and I’m sure you can only imagine the quantity of sensitive data stored in its network. According to Sky News, this body confirmed the scale of the data breach and clarified the date of the attack on Tuesday. Shockingly, this follows a cyber-attack from last month which compromised information on 4.2 million government staff members. This even includes individuals who no longer work in a government position and have changed their employment direction. The OPM has just released a statement which doesn’t make pretty reading and suggests the records stolen contain information on people’s mental health and financial history.

“If you underwent a background investigation through OPM in 2000 or afterwards … it is highly likely that you are impacted by the incident involving background investigations.”

“If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely.”

Certain branches of US media are suggesting that Chinese hackers are behind the attacks. For example, ABC News argued:

“FBI Director James Comey said today he’s one of the millions and millions of Americans victimized by what U.S. officials suspect was a Chinese-sponsored heist of sensitive government records.”

This is still pure speculation and perhaps the bigger question is, were they funded by the Chinese government? According to the FBI Director James Comey,

“I’m sure the adversary has my SF-86 now,”

“My SF-86 lists every place I’ve ever lived since I was 18. Every foreign travel I’ve ever taken. All of my family, [and] their addresses.” 

Unfortunately, there isn’t any additional information disclosed, which is expected given the secretive nature of citizens’ data. What is evidently clear is that we all rely on networks which store vital information, and these attacks are going to become more commonplace. Is the answer to research better security measures? Or perhaps the government should only collect small quantities of data and adopt a less Orwellian approach.

Thank you Sky News for providing us with this information.

Lizard Squad Hacker Convicted of 50,000 Counts of Computer Crime

A Finnish hacker, and member of the notorious Lizard Squad, has been found guilty of 50,700 charges of hacking, according to the nation’s newspaper, Kaleva. The hacker, 17-year-old Julius “zeekill” Kivimaki, was given a 2-year suspended sentence, meaning he will avoid prison on the proviso that he helps “to fight against cybercrime”. Any failure to meet this condition will see Kivimaki serve his 2-year sentence in prison.

Kivimaki was charged with crimes related to data breaches, felony payment fraud, telecommunication harassments, plus a number of other computer fraud and violation of privacy crimes. He was identified as a member of Lizard Squad – the perpetrators of the Xbox Live and PlayStation Network DDoS attacks last Christmas – by cybersecurity journalist Brian Krebs late last year. Shortly after, Kivimaki conducted an interview with Sky News, using the alias “Ryan”, to discuss the Xbox and PlayStation DDoS attacks.

One of Kivimaki’s victims, Blair Strater, has been left “utterly disgusted” by the court ruling, feeling that the sentence is far too lenient. Strater was a regular victim of the practice known as “swatting” – fake calls to US law enforcement that result in a SWAT team being dispatched to an address – at the hands of Kivimaki.

“I’ve lost complete faith in the justice system, and that includes the FBI. He’s harmed American targets and the FBI should have stepped in by now,” said Strater. “The reality is, Julius Kivimaki will never be made to pay for his crimes.”

Thank you The Daily Dot for providing us with this information.

Hackers Took Up Residence Inside Government PC for a Year!

I recently wrote an article which looked at the cyber attack and subsequent theft of data on 4.2 million American federal employees, which was transferred from the Office of Personnel Management to an external source. At the time it seemed to be a well orchestrated, planned attack which granted criminals access to a government network for a brief period of time. The word brief is very much redundant now, as new information has come to light.

According to new information, the Office of Personnel Management’s security-clearance computer system, which is separate from the personnel database, was first breached in June 2014. This effectively means that hackers had access to a sensitive system for at least a year. Hackers had access to the personnel database for 4 months before that intrusion was detected. The confirmation came from Stewart Baker, a former National Security Agency general counsel. There is also strong speculation that these hacks originated from China, which, if true, means this is one of the most sensitive pieces of information to be reached by state-sponsored hackers. If these virtual intruders stayed any longer, officials would be asking them to pay rent.

Therein lie the murky layers of state-organised crime: if true, China will deny responsibility, but as we all know, China has farmed hacking and infiltration out to factory-designed hackers who are still on the payroll, and the Chinese government can deny this as it was not directly them.

Perhaps it’s time for the US government to invest in protecting its citizens rather than placing them under virtual surveillance. If this information leakage continues, private citizens will find themselves virtually held in a different country.

Thank You The Washington Post for providing us with this information

Image courtesy of huffingtonpost

This Is Why New Software Comes With Old Flaws

You are probably wondering why we hear that legacy flaws are still present in new software. Well, the answer is simple. Developers have a habit of reusing old code for most of their projects, and the code is not reviewed for all potential flaws; rather, the approach tends to follow the saying ‘if it works, then don’t try to fix it’.

This does not mean that developers are lazy. The approach is favoured even by top-notch programmers because of the tight deadlines they have to meet, so time will always come before everything else when shipping new software.

However, this comes at a hefty price. While we hear of many hacking incidents, only a few of them are complex enough to break even the most impenetrable systems. Most of them were done by exploiting the flaws already ‘implanted’ in all software products. Everything except the operating systems can be deemed ‘hackable’ by most people with some knowledge of hacking.

The flaws go so deep that even some government departments are at high risk. Security analysts found that some software in government departments is still based on older programming languages. But is this the future of programming? Of course not.

Security analysts in the field say that the problems with legacy flaws may likely increase, but they don’t have to. The real problem is that, by focusing exclusively on shoving new software on the market, companies forget about security completely. A better approach here is to split project development into two major components, development and testing, which could work in parallel. This way, a lot of bugs could be fixed and major security bugs flagged before the software hits the market.

Thank you CNET for providing us with this information

Image courtesy of nikopik

Parental Spyware Firm Hacked by Blackmailers

Spy software firm MSpy has just found out what it feels like to have its privacy violated. Creator of various mobile spying software, the firm has been approached with predatory demands by blackmailers over customer information. However, MSpy is claiming that any allegations that it has been hacked and that customer data is on the web are false. Separate desktop monitoring software created by MSpy has not been found to be impacted by this alleged hack.

Word of the hack first came out via noted security expert Brian Krebs. Krebs received word from an anonymous source who notified him of a data dump. Hosted on a Tor Hidden Service site, the data weighed in at several hundred gigabytes. The information spanned emails, conversations and photos taken from devices purportedly running MSpy’s mobile products, as well as customer support emails to MSpy. As the data has now been removed from the Hidden Service, it is hard for anyone to verify the legitimacy of the data to determine if it did indeed come from a breach of MSpy, as it is possible the data could be fake or come from a non-MSpy source.

MSpy markets its spying applications as a way to monitor children’s or employees’ activity on mobile devices. It captures the movements, messages and calls of any mobile device it is installed onto. Unlike malware, MSpy products do require permission to install and spy. While this limits abuse, it does mean anyone with physical access and the passkey can install it, someone like a jealous partner or spouse. While the company has denied that it has been hacked, it is possible the mobile applications themselves contain vulnerabilities that could be exploited to obtain said customer information. Hopefully, researchers will be able to get to the bottom of this to prevent more abuse if it is occurring.

Thank you BBC for providing us with the information.

UK Government Changes Law Covering Digital Surveillance

Edward Snowden exposed a world which some speculated about, but few publicly acknowledged. A world where every piece of information we send, be it through phone or computer, is monitored and recorded among thousands of others, all searched for that one thing. The public has since been in an uproar about it, asking if it was even legal, given the severe invasion of privacy it entailed in order to do the most basic monitoring without legally requesting permission from a judge. From the use of stingrays to intercept mobile communications, to the ruling stating that the mass collection of phone data in America was illegal, the law and digital monitoring have been at odds for a while now. The UK government has a simple answer: change the law.

GCHQ is the UK government’s digital branch in charge of monitoring electronic communications. It would seem that the Computer Misuse Act, one of the biggest pieces of legislation regarding hacking and the legality of using computers to access networks, was quietly rewritten on the 3rd of March 2015. The change in the legislation would essentially make the intelligence services exempt from legal action regarding hacking because they would be exempt from the legal areas outlining what is legal hacking.

Several large companies, including internet and communication services, filed complaints back in 2014 stating that GCHQ’s activities would be considered unlawful under the Computer Misuse Act and that there was no legal authority that could be used to bring their practices in line with the law. This is a problem, especially given that hacking is an invasion of privacy, something considered a fundamental human right.

The legislation involved is called the Serious Crime Bill 2015, and it came into effect on the 3rd May 2015, only two months after it was quietly passed amongst government groups without any public consultation. So not only does GCHQ now have the ability to hack people, they are practically immune to legal action regarding this (even though they have been found to be in breach of several sections of law). This also means that all current cases against GCHQ would be rendered null, given that they are now covered under a separate law. Also, given that the code has not been subject to parliamentary process such as debates or discussions, the changes have effectively rendered their illegal practices legal and their hacking (even of those who have not been found to be a threat to national security or suspected of a crime) exempt from legal process, in what is turning out to be the biggest threat to the rights and laws of the 21st Century.

What do you think of this? I will refrain from commenting for fear that this post will be intercepted and my communications monitored. Personally, I really dislike that they have done this.

Thank you Privacy International for providing us with this information.

Image Courtesy of Reuters.