Deciphered server data provides precise locations in a handy Google Map.
By Kyle Orland
One of Pokémon Go's defining characteristics is that you never quite know the precise location of nearby Pokémon, since the game only gives an imprecise "radar" with general distances. A group of hackers has set out to change that situation, exploiting Pokémon Go's server responses to create an easy-to-use map that reveals those hidden Pokémon in your immediate area.
The hack is the result of efforts by the PokemonGoDev subreddit, which is working to reverse engineer an API using the data sent and received by the Pokémon Go servers. So far, the group has managed to parse the basic server responses sent by the game, which can be acquired through an SSL tunnel and deciphered using relatively basic protocol buffers.
From there, a little bit of Python scripting work can convert the usually hidden data on nearby Pokémon locations into an easy-to-use Google Maps picture of your augmented reality surroundings.
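The deciphering step described above, as an added example that is not code from the PokemonGoDev project: a schema-less decoder for the protocol buffer wire format, which is the first thing you run over a captured response when you do not yet have its .proto. It exposes field numbers, varints, fixed-width values (shown both as integers and as doubles or floats, since coordinates usually travel as doubles) and nested messages. The sample message is constructed here with hypothetical field numbers (species id, latitude and longitude, a nested message carrying a timestamp, a string); Niantic's real layout is not assumed anywhere in the code.

```python
"""Schema-less walk of the protobuf wire format over a captured message.

Added example, not PokemonGoDev code. Field numbers in build_sample() are
hypothetical; the decoder itself knows nothing about the game's schema.
"""
import struct


def encode_varint(value: int) -> bytes:
    """Base-128 varint encoding (used only to build the sample message)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_field(field: int, wtype: int, payload: bytes) -> bytes:
    """Prefix payload with its tag: (field_number << 3) | wire_type."""
    return encode_varint((field << 3) | wtype) + payload


def read_varint(buf: bytes, pos: int):
    """Decode a varint at pos; return (value, next_pos). Rejects truncation."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_message(buf: bytes, depth: int = 0, max_depth: int = 8):
    """Return [(field_number, wire_type, value), ...] for one message.

    Wire type 0 -> int; 1 -> (u64, as double); 5 -> (u32, as float);
    2 -> nested field list if the bytes parse cleanly as a message,
    otherwise the raw bytes (strings and blobs normally fail fast).
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == 0:
            value, pos = read_varint(buf, pos)
        elif wtype == 1:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            raw = buf[pos:pos + 8]
            pos += 8
            value = (struct.unpack("<Q", raw)[0], struct.unpack("<d", raw)[0])
        elif wtype == 5:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            raw = buf[pos:pos + 4]
            pos += 4
            value = (struct.unpack("<I", raw)[0], struct.unpack("<f", raw)[0])
        elif wtype == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            raw = buf[pos:pos + length]
            pos += length
            value = raw
            if raw and depth < max_depth:
                try:
                    value = decode_message(raw, depth + 1, max_depth)
                except ValueError:
                    value = raw
        else:
            raise ValueError(f"unsupported wire type {wtype}")  # groups 3/4
        fields.append((field, wtype, value))
    return fields


def build_sample() -> bytes:
    """Constructed stand-in for a captured response. Hypothetical layout:
    1 = species id, 2/3 = lat/lon doubles, 4 = nested message with a
    timestamp, 5 = a string. Not the game's real schema."""
    nested = encode_field(1, 0, encode_varint(1437000000))
    return (
        encode_field(1, 0, encode_varint(25))
        + encode_field(2, 1, struct.pack("<d", 37.8087))
        + encode_field(3, 1, struct.pack("<d", -122.4098))
        + encode_field(4, 2, encode_varint(len(nested)) + nested)
        + encode_field(5, 2, encode_varint(7) + b"Pikachu")
    )


if __name__ == "__main__":
    for field, wtype, value in decode_message(build_sample()):
        print(field, wtype, value)
```

Running it prints each top-level field with its wire type. Pairs of doubles in the plausible latitude and longitude ranges are the first thing to look for when hunting coordinates, and any length-delimited field that decodes cleanly into sub-fields is a candidate nested message. The nesting heuristic is only a guess: a short string can by chance parse as a valid message, so confirm field meanings across several captures before building a map on them.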
There are step-by-step installation instructions for anyone with even a basic understanding of a command line, as well as recent attempts at a self-contained desktop app and Web-based app for those who want a one-step Poké-mapping solution.
Already, people are trying to use this mapping data to crowdsource a complete, worldwide map of all in-game Pokémon. Other apps in the works can notify players when rare Pokémon pop up nearby, spoof GPS coordinates to fool the game into thinking you're in other locations, or even automatically "farm" Pokémon from Pokéstops.
Accessing Pokémon Go data in this way is explicitly against the game's terms of service, which prohibit any "attempt to access or search the Services or Content, or download Content from the Services through the use of any technology or means other than those provided by Niantic or other generally available third-party web browsers." That means your account could be banned if developer Niantic detects you using one of these tools, and you should probably create a new dummy account if you're just curious about seeing the hacks for yourself.
Niantic could also take steps to further obfuscate its server data in the future or attempt to block access by unapproved sources from outside the game. Such moves would no doubt lead to a programming arms race between Niantic and hackers eager to keep the game's hidden bits exposed (Niantic Labs wasn't immediately available to respond to a request for comment from Ars Technica).
While mapping previously hidden Pokémon is obviously a good way to speed up advancement in the game, it also robs you of some of the serendipity of discovery that makes Pokémon Go special. Simply walking to a set point on a map ends up being a little less satisfying than stumbling on the hidden critters yourself.
This kind of mapping also has the potential to hamper some of the social interactions that have helped the game become an instant hit. After all, why bother asking a nearby player if they found any good Pokémon nearby when you can just call up an app that tells you their location instantly?
That said, developer Ahmed Almutawa, who first posted his Pokémon Go mapper on Saturday evening, doesn't seem worried about these kinds of tools damaging the game experience. "Ever since I've made this, I've had a lot more fun," he said in an interview with The Verge, "mostly because I could see where all the lures are and go to where all the people are hanging out."
Still, Almutawa added that he realizes "it is Niantic's game and they're free to do with it whatever they do. I do hope that they're fine with the map itself [and] it's not causing them any issues."
Showing posts with label Hacking. Show all posts
Thursday, July 21, 2016
Friday, April 15, 2016
‘Blackhole’ Exploit Kit Author Gets 7 Years In Jail
By Brian Krebs
A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts — including “Paunch,” the nickname used by the author of the infamous “Blackhole” exploit kit. Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for a large percentage of malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years.
According to Russia’s ITAR-TASS news network, Dmitry “Paunch” Fedotov was sentenced on April 12 to seven years in a Russian penal colony. In October 2013, the then 27-year-old Fedotov was arrested along with an entire team of other cybercriminals who worked to sell, develop and profit from Blackhole.
According to Russian security firm Group-IB, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity. The image above shows Paunch standing in front of his personal car, a Porsche Cayenne.
First spotted in 2010, BlackHole is commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities for the purposes of installing malware of the customer’s choosing.
The price of renting the kit ran from $500 to $700 each month. For an extra $50 a month, Paunch also rented customers “crypting” services; cryptors are designed to obfuscate malicious software so that it remains undetectable by antivirus software.
Paunch worked with several other cybercriminals to purchase new exploits and security vulnerabilities that could be rolled into Blackhole and help increase the success of the software. He eventually sought to buy the exploits from other cybercrooks directly to fund a pricier ($10,000/month) and more exclusive exploit pack called “Cool Exploit Kit.”
As documented on this blog in January 2013 (see Crimeware Author Funds Exploit Buying Spree), Paunch contracted with a third-party exploit broker who announced that he had a $100,000 budget for buying new, previously undocumented “zero-day” vulnerabilities.
Not long after that story, the individual with whom Paunch worked to purchase those exclusive exploits — a miscreant who uses the nickname “J.P. Morgan” — posted a message to the Darkode[dot]com crime forum, stating that he was doubling his exploit-buying budget to $200,000.
In October 2013, shortly after news of Paunch’s arrest leaked to the media, J.P. Morgan posted to Darkode again, this time more than doubling his previous budget — to $450,000.
“Dear ladies and gentlemen! In light of recent events, we look to build a new exploit kit framework. We have budgeted $450,000 to buy vulnerabilities of a browser and its plugins, which will be used only by us afterwards! ”
The Russian Interior Ministry (MVD) estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunch’s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.
For more about Paunch, check out Who is Paunch?, a profile I ran in 2013 shortly after Fedotov’s arrest that examines some of the clues that connected his online criminal persona with his personal social networking profiles.
Tuesday, March 15, 2016
Sunday, December 27, 2015
Sanders Campaign Hints 'Hacker' Who Accessed Clinton Data May Have Been a DNC Plant
By Tom Boggioni, Raw Story
In an interview with Yahoo Politics, an adviser to the campaign of Sen. Bernie Sanders hinted that the data breach that resulted in the campaign losing access to the DNC servers may have been the result of an employee planted in the campaign by the DNC.
Following the controversy that saw Sanders staffers blocked from accessing some of their own voter data after it was revealed that proprietary information belonging to the Clinton campaign was being viewed, the Sanders campaign apologized and fired the “hacker,” national data director, Josh Uretsky.
However, an unnamed adviser to the Vermont independent's campaign for the 2016 Democratic presidential nomination is suggesting that Uretsky may have been a plant by both the DNC and the technology company that hosts the data.
The campaign had called for a “a full investigation from top to bottom” of the data breach and how it was allowed to happen.
“It’s not as if we conjured this guy Josh from thin air. This is an individual … who was recommended to us by the DNC and NGP VAN,” the adviser said.
According to the adviser, Uretsky provided references to the Sanders campaign from the DNC’s National Data Director Andrew Brown, who works closely with the shared voter file program.
“Andrew Brown spoke to us and gave him a positive review, as did this guy Bryan Whitaker,” the adviser said, identifying Whitaker as the COO of technology group NGP VAN. Whitaker is no longer with the company, having taken a similar position with another group.
Supporters of Sanders have complained that the DNC favors Clinton — the establishment favorite — noting that the Democratic debates have been scheduled on weekend evenings when viewership would be down, limiting exposure for the populist message of Sanders.
Thursday, December 24, 2015
Fail0verflow to announce a PS4 Jailbreak next week?
By wololo · December 23, 2015
Some hints at a potential PS4 hack from popular group Fail0verflow just came to my attention. This is just at the rumor level at this point and could turn out to be something entirely different, but the evidence is quite compelling.
I was just contacted with a link to the CCC Wiki, indicating that Marcan, one of the main members of Team Fail0verflow (known for having hacked the Wii U, and, before that, the PS3), will be having a talk at the CCC event this year. The talk is entitled: “Console Hacking 2015: Penguins on Aeolia”
So how does this point to a PS4 hack? Well, let’s rewind a bit.
What is the CCC?
Wikipedia tells us: The Chaos Communication Congress is an annual conference organized by the Chaos Computer Club. The congress features a variety of lectures and workshops on technical and political issues related to Security, Cryptography, Privacy and online Freedom of Speech.
Every year a bunch of hackers meet at the CCC and talk about hacking and security. Console hacking, every year, is a big part of the conference. This year, Smealum will be there to talk about his work on the 3DS, and apparently fail0verflow will be here too.
CCC is big; back in the day, Tyranid also explained the PSP Prometheus project at the CCC. The Prometheus project resulted in what is known today as the Pandora batteries for PSP, a way to mod the PSP batteries so that the PSP will enter “maintenance mode” and make it possible to install custom firmwares and downgrades.
Who are Fail0verflow?
Fail0verflow are the group who hacked the PS3. You might remember the screenshot below:
Defeating the PS3 encryption was definitely not Fail0verflow’s only successful hack. They were also the first ones to run unsigned code on the Wii in 2007, and hacked the Wii U two years ago.
So in general, when these guys have a presentation at the CCC, you know something heavy is going to happen.
Penguins on Aeolia == Linux on PS4?
Fail0verflow had announced earlier on the CCC wiki that they would be hosting an event to talk about console hacking in general, hinting more at some Wii U follow up and existing hacks than anything else.
This new entry in the Wiki however indicates a full presentation from Marcan. And it strongly hints at a PS4 hack, specifically, installing Linux on the PS4.
Looking at the content of the talk again, we see: Console Hacking 2015: Penguins on Aeolia – To boldly go where no penguin has gone before.
What do we make of this? Well, it’s going to be a presentation about console hacking (duh), and it’s probably going to be about installing Linux (penguins). Because the presentation states “where no penguin has gone before”, it is safe to assume we’re talking of one of the new generation consoles (Wii U, XBO, or PS4).
The last, and probably most crucial part of the title, is “Aeolia”.
WTH is Aeolia? Well, digging into the PS4 Dev Wiki (thanks John!), we find lots of references to Aeolia in the PS4 Boot process log. At this point, it is now very likely that Marcan’s talk is going to be about installing Linux on the PS4.
Now, the talk is short (5 minutes), so Fail0verflow will probably only showcase that they have Linux running on the console, without going into details of the hack. That part might, or might not, happen next year.
It’s unclear at this point if this PS4 Jailbreak will be running on the latest firmware, or 1.76 and below just like the most recent announced PS4 Kernel exploit. So, do you think this will be a huge reveal, or just some kind of troll?
Many thanks to John who sent me the wiki link!
Linux on PS4: More confirmation bubbling up from the scene
by wololo · December 25, 2015
We revealed yesterday that Fail0verflow might have a surprise for the scene at the end of the year: They probably have Linux running on the PS4.
Our article apparently triggered some reaction from the scene, as we’re now receiving more and more data confirming that our guess was indeed true (I want to thank John once again for pointing me to this information yesterday).
Since we revealed the upcoming “Penguins on Aeolia” presentation from Fail0verflow and how it means they have Linux running on PS4, people have shared more confirmation with me:
Zecoxao, who’s very close to the PS3/PS4 dev scene, shared a screenshot on Twitter, showing some reverse engineering work on what appears to be PS4 system files:
@frwololo i hope that is confirmation enough for you
— José Miguel (@zecoxao) December 23, 2015
People also contacted me to let me know that Fail0verflow had posted a suggestive screenshot on their twitter account last week:
pic.twitter.com/4ZjufJrV2p — fail0verflow (@fail0verflow) December 16, 2015
More and more compelling evidence is showing up that we’ll see Linux running on the PS4 this year. Please keep in mind that no release date has been hinted. Fail0verflow, although they did hack the Wii U 2 years ago, never released their Wii U files. It is likely the same could happen for the PS4.
Earlier today, PlaystationHax shared a screenshot of a dump of the PS4 filesystem root. But our understanding is that the Filesystem dump and Fail0verflow’s work are not directly related.
Anonymous Gives 10 Reasons For Backing Bernie Sanders - Speaks Against Donald Trump, Hillary Clinton
By Danny Cox
The different candidates in the 2016 presidential election all have backing from different people, different groups, and different supporters. When it comes time for the final vote tallies to be made, the bigger the group of supporters, the more votes that can come in. Well, Bernie Sanders may have just gotten the biggest boost when the hacking collective known as Anonymous backed the Democratic candidate and gave 10 reasons for it.
Meanwhile, they spoke out against other candidates, most notably Hillary Clinton and Donald Trump.
Anonymous took to their website to list the ten reasons that will convince voters that they should cast their ballot for Bernie Sanders. Not only is Anonymous looking to get people to vote for Sanders, but they feel he deserves much more mainstream media coverage as well.
Each of their reasons is explicitly detailed to get people to see what Sanders and his campaign are all about. Some of the reasons that are easier to put forth are that he wants to break up big banks and that he opposes both the TPP and NAFTA.
Anonymous has been known for numerous things over the past years; some have been considered good and some have been considered bad. They’ve also been blamed for a lot of things that never ended up being their fault whatsoever.
Still, they may have some incredibly detailed points about backing and voting for Bernie Sanders. At the same time, they are making sure to point out that the other two leading candidates to capture the presidency are doing some things in exactly the opposite fashion.
Not always, though.
Anonymous gives the reasoning of “decriminalizing the use of marijuana” as a reason for backing Sanders. They also let it be known that Clinton is against decriminalizing it while Trump is more in favor of legalizing marijuana for medical uses.
One thing that is really bothering Anonymous is the lack of mainstream coverage that Bernie Sanders is getting while Donald Trump gets much more even though they are polling similarly. Anonymous believes the mainstream media hates Sanders and actually censors him so it looks like he endorses Clinton.
According to the Hill, a recent poll from Quinnipiac University shows that Bernie Sanders actually demolishes Donald Trump in a general election, and it wasn’t even close. Sanders actually had a 13 percentage point victory over Trump in that poll by way of 51 percent to 38 percent.
When detailing their 10 reasons for backing Bernie Sanders, Anonymous focuses a lot on how much he doesn’t discriminate.
“Sanders doesn’t degrade racial and religious minorities, nor does he inflame the majority- he comes right out and tells us that the elite are to blame. He said this at a rally: ‘they’re always playing one group against another. Rich got richer — everybody else was fighting each other. Our job is to build a nation in which we all stand together’. Hillary has an “abysmal” racial justice record and Trump… well, he’s said enough about that topic to fill a phone book.”
As a bonus, Anonymous says that for every list that comes out telling people not to vote for Sanders, it actually brings him more attention and supporters.
Bernie Sanders has seen his support grow in the 2016 presidential polls over the past few months, and Hillary Clinton has seen hers drop some. Donald Trump has kept a consistently big lead in the GOP race, but many say he would get destroyed by the Democratic candidate. The backing of Anonymous for Sanders may have simply pushed his support even higher.
[Image by PYMCA and Getty Images]
Saturday, December 19, 2015
How To Hack Your 360
So you want to hack your XBox 360.
Have no idea where to start?
This thread should give you a general idea on what you can do with your 360.
Wednesday, November 4, 2015
Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge
Posted by Soulskill
MojoKid writes:
Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the name for a team of security analysts tasked by Google with finding zero-day exploits, a good old fashioned bug hunt is both exhilarating and productive.
As a result of Project Zero's efforts to root out security flaws in Samsung's Galaxy S6 Edge device (and by association, likely the entire Galaxy S6 line), owners are now more secure.
The team gave themselves a week to root out vulnerabilities, and to keep everyone sharp, the researchers made a contest out of it pitting the North American and European participants against each other.
Their efforts resulted in the discovery of 11 vulnerabilities, the "most interesting" of which was CVE-2015-7888. It's a directory traversal bug that allows a file to be written as the system user. Project Zero said it was trivially exploitable, though it's also one of several that Samsung has since fixed.
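The bug class named above, as an added example (this is not Samsung's code and does not reproduce the affected service's logic): an extraction routine that trusts archive entry names, beside one that canonicalises every target path and refuses anything that resolves outside the destination. The hostile archive and the scratch directory are constructed inside the script, so it runs offline and writes nothing outside a temporary directory.

```python
"""Archive extraction with and without a path-traversal check.

Added example for the bug class behind CVE-2015-7888, where an
attacker-controlled file name lets a privileged writer land a file outside
the directory it intended. Not Samsung's code; the zip is constructed here.
"""
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Construct an in-memory zip from (name, data) pairs. Names are stored
    as given, so '../x' survives into the archive exactly like a hostile one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_extract(zip_bytes, dest):
    """Vulnerable form: joins the entry name onto dest and trusts the result.
    '../x' climbs out of dest; an absolute name replaces dest outright because
    os.path.join discards every component before an absolute one."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entry, nothing to write
                continue
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


def resolve_inside(dest, name):
    """Canonical target for name, or None if it resolves outside dest.
    realpath() collapses '..' and follows symlinks in existing parents, so
    the check is made on the path the kernel would actually open."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_extract(zip_bytes, dest):
    """Hardened form: every entry is resolved and checked before any byte is
    written, so a hostile archive is rejected whole, not half-extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            target = resolve_inside(dest, name)
            if target is None:
                raise ValueError(f"entry escapes destination: {name!r}")
            plan.append((name, target))
        written = []
        for name, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


def demo():
    """Run both extractors against a constructed hostile archive inside a
    scratch directory and report what happened."""
    scratch = tempfile.mkdtemp(prefix="traversal-demo-")
    hostile = build_zip([("cred/conf.txt", b"ok"), ("../escaped.txt", b"pwned")])
    clean = build_zip([("cred/conf.txt", b"ok")])
    unsafe_extract(hostile, os.path.join(scratch, "out"))
    escaped = os.path.exists(os.path.join(scratch, "escaped.txt"))
    try:
        safe_extract(hostile, os.path.join(scratch, "out2"))
        rejected = False
    except ValueError:
        rejected = True
    written = safe_extract(clean, os.path.join(scratch, "out3"))
    return {"unsafe_escaped": escaped, "safe_rejected": rejected,
            "safe_written": len(written)}


if __name__ == "__main__":
    print(demo())
```

The escape in the demo only reaches a sibling of the destination inside the scratch directory; when the writer runs as a privileged user, the same `..` or absolute name reaches anything that user can write. Checking the canonical path rather than pattern-matching on `..` is what makes the hardened version hold up against `./../`, doubled separators and symlinked parents. Python's own `ZipFile.extract()` already strips these components, which is why the vulnerable form has to write files by hand.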
Friday, October 30, 2015
ARK-3 Source Code released
By Acid_Snake
A while ago Coldbird and I decided to finish the ARK project for good and add all the missing features that need to be added. So we began working on its next iteration, ARK-3. However, things went cold and little to no information has been released so far about the project. This is mainly because Coldbird and I don’t go out publicly too often and because we have problems finding time for the project.
ARK-3 is a Custom Firmware (eCFW) for the emulated PSP on the Vita (ePSP). It is essentially a reworked version of PROVita/ARK-1, a port of the Pro CFW for the PSP.
Its features include:
– Full compatibility with PSP homebrews and games.
– ISO and CSO support through the Inferno ISO Driver as well as compatibility with the M33, ME and NP9660 drivers.
– Compatibility with PSX games under PSP exploits with partial sound through PEOPS.
– Partial compatibility with PSX exploits.
– Compatible with up to firmware 3.52
– Built-in menu with advanced features like PMF playback, FTP, CFW settings and more. It is also compatible with other popular menus such as ONEmenu and 138Menu.
There’s still a lot of things to do here, most importantly:
– Finish porting ARK-3 to PSX exploits.
– Finish the PEOPS port by improving compatibility and adding game-specific configurations to the built-in database.
– Port 3.5X kernel exploits.
Hopefully releasing the source code calls the attention of other developers that might want to contribute to the project. Anyone is now free to do so.
The project is hosted in the following bitbucket repository: https://bitbucket.org/Coldbird/ark3
Friday, October 23, 2015
Firefox Find My Device Service Lets Hackers Wipe or Lock Phones, Change PINs
A variation on an older Samsung Find My Mobile attack
Vulnerabilities in Mozilla's Find My Device service enabled hackers to carry out attacks that locked the screens of smartphones running Firefox OS, changed PINs, made the devices ring, and even wiped all data with only a few clicks.
The Firefox Find My Device service allows users who've lost their Firefox OS phone to lock it or see its location on a map and retrieve it or direct law enforcement to the thief's location. The service is extremely usable and is a similar feature to what Apple has been offering for years for iPhone users.
A variation of CVE-2014-8346 that affected the Samsung Find My Mobile service
Egyptian security researcher Mohamed A. Baset is "guilty" of discovering this flaw, which seems to be a variation (but it's not) of CVE-2014-8346, a security vulnerability that affected the Samsung Find My Mobile service.
For that vulnerability, also revealed by Mr. Baset, the National Institute of Standards and Technology gave a CVSS (Common Vulnerability Scoring System) score of 7.8 out of 10, but it got a 10 for exploitability, meaning it was quite easy to carry out, without too many technical skills being needed by an attacker.
According to Mr. Baset's findings, by loading the Firefox Find My Device website inside a hidden iframe on other sites, via basic clickjacking techniques, a hacker would have been able to carry out attacks that would lock or unlock the phone's screen, set a new PIN only known by the attacker, or make the phone ring at maximum volume for one minute, even if set in vibrate or silent mode.
While these actions seem more like bad pranks, they would allow criminals who stole phones to craft a Web interface through which they could unlock PIN-protected phones with the push of a button.
Some differences exist, attackers can wipe phones clean of their data
As Mr. Baset told Softpedia, despite having similar outcomes, "the two vulnerabilities are not related. Even the vulnerabilities themselves are different, Samsung's was vulnerable to a CSRF attack but Mozilla's is vulnerable to a ClickJacking attack."
Unlike the Samsung Find My Mobile vulnerability, the one affecting Firefox's service also allowed attackers to wipe the phones clean, which poses more risk since valuable data can be lost if not properly backed up.
The good news is that this attack needs users to be logged in on the service with their Firefox account, which very few people use. Additionally, more clicks are needed to perform the attacks, ranging from 2 to 4, based on the desired malicious action.
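The precondition for the clickjacking attack described above is that the service's pages let a foreign origin embed them in a frame, which a browser decides from the response headers alone. The check below is an added example written for this page, not code from Softpedia, Mozilla or Mr. Baset; the origins and header sets are constructed samples, and it simplifies by ignoring ports, multiple Content-Security-Policy headers and the obsolete ALLOW-FROM form of X-Frame-Options.

```python
"""Decide whether an HTTP response permits framing by another origin.

Added example (not the service's real headers): evaluates the two
anti-clickjacking headers the way browsers do, with CSP frame-ancestors
taking precedence over X-Frame-Options when both are present.
"""
from urllib.parse import urlsplit


def _frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(source, framer_origin, page_origin):
    """Does one frame-ancestors source expression admit framer_origin?"""
    if source == "none":
        return False
    if source == "self":
        return framer_origin == page_origin
    if source == "*":
        return True
    framer = urlsplit(framer_origin)
    if source.endswith(":"):                    # scheme source, e.g. "https:"
        return framer.scheme == source[:-1]
    if "://" in source:                         # scheme plus host
        scheme, host = source.split("://", 1)
    else:                                       # host only: inherits the page's scheme
        scheme, host = urlsplit(page_origin).scheme, source
    if scheme != framer.scheme:
        return False
    if host.startswith("*."):                   # wildcard matches subdomains only
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host


def may_be_framed_by(headers, page_origin, framer_origin):
    """True if a page served with `headers` at page_origin can be put in a
    frame by a document from framer_origin. With neither header present,
    framing is unrestricted, which is the clickjacking-prone state."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        sources = _frame_ancestors(csp)
        if sources is not None:
            return any(_source_matches(s, framer_origin, page_origin) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    # Unknown or missing values are ignored by browsers and restrict nothing.
    return True


# Constructed sample responses for a hypothetical device-locator page.
UNPROTECTED = {"Content-Type": "text/html"}
PROTECTED = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
PARTNER = {"Content-Security-Policy": "frame-ancestors 'self' https://*.example.org"}


def audit(headers, page_origin, attacker_origin="https://attacker.example"):
    """Label a response from the defender's point of view."""
    framed = may_be_framed_by(headers, page_origin, attacker_origin)
    return "VULNERABLE" if framed else "protected"


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("protected", PROTECTED), ("partner", PARTNER)):
        print(name, audit(hdrs, "https://find.example.net"))
```

A page that comes back True for a foreign origin is frameable and needs `frame-ancestors` (or `X-Frame-Options: DENY`) before it exposes state-changing buttons such as lock, ring or wipe. The CSRF weakness Mr. Baset contrasts this with is a separate defence (anti-forgery tokens, SameSite cookies) and is not covered by this check.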
The vulnerability was reported to Mozilla back in March, and it was patched yesterday.
Below is a YouTube video of the Samsung Find My Mobile hack. The Mozilla Find My Device attack should work in a similar fashion.
UPDATE: The article was updated with Mr. Baset's statement, which clarified how the two attacks were different.
Sunday, September 20, 2015
Poker players targeted by card watching malware
Online poker players are being targeted by a computer virus that spies on their virtual cards.
The software shares the cards with the virus's creators who then join the same game and try to fleece the victim.
The sneaky malware has been found lurking in software designed to help poker fans play better, said the security firm that found it.
The software also targets other useful information on a victim's computer such as login names and passwords.
Card counter
The malware targets players of the Pokerstars and Full Tilt Poker sites, said Robert Lipovsky, a security researcher at Eset, in a blogpost. When it infects a machine, the software monitors the PC's activity and springs to life when a victim has logged in to either one of the two poker sites. It then starts taking screenshots of their activity and the cards they are dealt. Screenshots are then sent to the attacker.
The images show the hand the player has been dealt as well as their player ID. This, said Eset, allows the attacker to search the sites for that player and join their game. Using information about a victim's hand gives the attacker a significant advantage.
"We are unsure whether the perpetrator plays the games manually or in some automated way," wrote Mr Lipovsky.
Eset found the Windows malware lurking in some well-known file-sharing applications, PC utilities as well as several widely used poker calculators and player databases.
Eset said the spyware had been active for several months and most victims were in Eastern Europe, particularly Russia and the Ukraine.
Thursday, August 27, 2015
Who Hacked Ashley Madison?
By Brian Krebs
AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.
It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.
Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.
I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.
After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.
On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.
The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”
I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?
Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”
A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.
WHO IS THADEUS ZU?
As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).
Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections that do not appear to be personal photos of any kind.
A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.
Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.
That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here.
Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. (Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow.)
Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in South Australia.
Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).
Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.
Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:
“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”
A month later, on Feb. 7, 2014, Zu offered this tidbit of info:
“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”
To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.
But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations.
People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.
Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.
It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.
KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.
Sunday, August 2, 2015
At Least 6 Ways To Hack The 2016 Election
By Brad Friedman
While we have, for more than a decade, covered the extreme vulnerabilities of voting machines and electronic tabulators and broken numerous exclusive stories about it on both The BRAD BLOG and The BradCast, my guest on today's show offers a number of additional ways - some of which had largely never even occurred - by which bad actors could disrupt U.S. elections.
Michael Gregg, IT security expert and COO of the private, Houston-based computer security firm, Superior Solutions wrote about some of those concerns recently at Huffington Post. He joins me today to discuss several of the ways that U.S. democracy could be disrupted by political hacktivists, election insiders or even foreign entities and how we might not ever even know about it if they did - thanks to the type of electronic voting systems we now use in all 50 states and the different ways in which the public is now being blocked from overseeing our own elections and election results.
"Attackers could potentially get in and do these things and it would be very hard to prove. The scary part is, by the time any of this is worked out, the election is over with, so it's too late," he tells me. I ask him how elected officials in his home state of Texas - much of which forces voters to use 100% unverifiable electronic voting systems - react when he points out these concerns. "We've brought that up multiple times, but that seems to be the powers that be, how they want to do things."
Gregg, who I've never spoken to previously, concludes, as I have, that paper ballots (hand-marked and hand-counted, in my case) are the most secure way to run elections. "I agree with you 100%," he says. "If you have a paper-based system, it's very very hard to attack, it's very much easier to be able to detect those types of things."
As to Internet Voting, well, you'll want to tune in for this computer security professional's opinion on whether or not the Internet can ever be secure enough to use for the most important aspect of our representative democracy.
Also today: New York Times digs deeper still on their inaccurate Hillary Clinton reporting (as we covered in great detail on yesterday's show); Incurious global warming trolls fall, once again, for the old "Earth is cooling" scam; The racist Charleston, SC church shooter pleads "not guilty"; And Shell Oil evades activists to try and begin drilling in the Arctic...
Download MP3
Wednesday, June 17, 2015
Head of hacked U.S. agency says problems 'decades in the making'
Katherine Archuleta, director of the Office of Personnel Management, said problems exposed by the cyber attacks discovered in April and linked by U.S. officials to China were "decades in the making."
Although she said her agency thwarts hackers 10 million times per month, members of the House Committee on Oversight and Government Affairs insisted that the successful hacks showed data security could not have been a priority for the OPM.
Some suggested that top officials resign.
"You failed. You failed utterly and totally," said Republican Representative Jason Chaffetz, the committee's chairman.
U.S. officials have said they suspect China, but the administration has not yet publicly accused Beijing.
China denies any involvement in hacking U.S. databases.
Tuesday's congressional hearing was the first since U.S. officials announced early this month that hackers had broken into OPM computers and the data of 4 million current and former federal employees had been compromised.
Since then, they revealed another security breach that put at risk the personal information and intimate details of many millions more Americans - and their relatives and friends - who had applied for security clearances.
NEW DEFENSES BREACHED
Archuleta said the two breaches were discovered and contained because of new security measures taken in the last year. The attacks occurred before the measures were fully implemented.
"I want to emphasize that cyber security issues that the Government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our internet infrastructure," she said.
Archuleta, who was appointed to head the agency two years ago, said 4.2 million employees were affected by the first OPM hack. Even more had been affected in the other attack, she said, but would not provide an estimate.
She also declined, despite repeated questions, to say how many years' records had been compromised.
The committee's top Democrat, Elijah Cummings, said he was concerned about how many people were affected, what the government was doing to help them and what foreign governments could do with their information.
Archuleta, OPM Chief Information Officer Donna Seymour, Homeland Security Secretary Jeh Johnson and other administration officials held a classified briefing on the cyber attacks for lawmakers later on Tuesday.
Suggestions of Chinese involvement could further strain ties between Washington and Beijing, which are holding an annual "Strategic and Economic Dialogue" in Washington next week involving senior government officials.
Lawmakers expressed frustration at the refusal of Archuleta and other administration officials at the hearing to answer many questions, frequently justifying their silence by saying they could not discuss classified information.
"I am gonna know less coming out of this hearing than I knew coming in," said Democratic Representative Stephen Lynch. "You're doing a great job stonewalling us, but hackers, not so much."
(Editing by David Storey, Lisa Shumaker and Grant McCool)
Sunday, June 14, 2015
The Hacking of Federal Data Is Much Worse Than It First Seemed
By Adam Chandler
To truly understand just how rigorous and intrusive the process to get a security clearance for the federal government is, take a look at Standard Form 86.
Formally known as the Questionnaire for National Security Positions, the document requires that an applicant disclose everything from mental illnesses, financial interests, and bankruptcy issues to any brush with the law and major or minor drug and alcohol use. The application also requires a thorough listing of an applicant’s family members, associates, or former roommates. At the bottom of each page, a potential employee must submit his or her social security number. Given the questionnaire’s length, that means if you’re filling out this document, you will write your social security number over 115 times.
On Friday, it was revealed that all of the data on Standard Form 86— filled out by millions of current and former military and intelligence workers— is now believed to be in the hands of Chinese hackers.
This not only means that the hackers may have troves of personal data about Americans with highly sensitive jobs, but also that contacts or family members of American intelligence employees living abroad could potentially be targeted for coercion. At its worst, this cyber breach also provides a basic roster of every American with a security clearance.
"That makes it very hard for any of those people to function as an intelligence officer,” Joel Brenner, a former top U.S. counterintelligence official, told the AP. “The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."
What’s particularly stunning about this development is how quickly it grew into something so severe. Last week, officials estimated that the personal data of 4 million current and former federal employees had been compromised. Then that figure ballooned to as many as 14 million.
Speaking to The Washington Post, one official ominously likened this new revelation to cancer, “Once you start operating on the cancer, you find it has spread to other areas of the body.” The subtext here is that we may not have even hit the apex of this scandal yet.
In the meantime, China continues to deny that it stole the information and the U.S. Office of Personnel Management isn’t saying much either. “Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised,” said OPM spokesman Samuel Schumach.
Given the reach of the data thought to be stolen, it might be easier for the OPM to contact those whose information hasn’t been compromised.
Cyber-attacks linked to China appear to have resulted in the theft of security-clearance records with sensitive data about millions of American military and intelligence personnel.
Friday, May 8, 2015
Malwarebytes: look out for PUPS masquerading as the GOG Galaxy client
By james_fudge
Less than 30 hours after GOG.com launched its Galaxy beta client, scammers were lining up to trick gamers into infecting their computers with malware, according to a new blog post from security research firm and anti-virus software maker Malwarebytes. Malwarebytes security analyst Jovi Umawing details how some users are getting tricked in a new blog post today.
Once a scammer tricks users into visiting their fraudulent download site and jumping through several web pages, they give them access to a fake client download. Once executed, the file displays a dialog box claiming that it is initializing, followed by an error window. Ultimately, nothing is installed, save a PUP.
What is a PUP? The short answer is a "potentially unwanted program." The long answer can be found on the Malwarebytes web site. You can learn about this GOG Galaxy related scam here.
Of course, the only real place you can get the GOG Galaxy client is on GOG.com.
Friday, April 17, 2015
WikiLeaks Republishes Hacked Sony Data In Searchable Database
Cache of data stolen in crippling hack includes emails, company documents, and personal information of studio employees and celebrities.
WikiLeaks has republished the data stolen in last year's crippling hack of Sony Pictures Entertainment, making all the documents and emails available in a "fully searchable" format.
Although hackers had released the data in raw, bulk form last fall, WikiLeaks - best known for the release of classified government and military documents - announced Thursday it has published the information in a searchable database called "The Sony Archives." The release of the data cache, which includes 30,287 documents, 173,132 emails, and other sensitive information, proved a disruptive and embarrassing security gaffe for the studio - one that the Japanese electronics and entertainment giant is still trying to contain.
"This archive shows the inner workings of an influential multinational corporation," WikiLeaks editor in chief Julian Assange said in a statement on the website. "It is newsworthy and at the centre of a geo-political conflict. It belongs in the public domain. WikiLeaks will ensure it stays there."
Sony representatives condemned WikiLeaks' republishing the data, calling the initial cyberattack a "malicious criminal act."
"The attackers used the dissemination of stolen information to try to harm SPE and its employees, and now WikiLeaks regrettably is assisting them in that effort," Sony Pictures said in a statement. "We vehemently disagree with WikiLeaks' assertion that this material belongs in the public domain and will continue to fight for the safety, security, and privacy of our company and its more than 6,000 employees."
The security breach, which Sony discovered in late November, turned out to be more serious and pervasive than initially believed, forcing Sony to shut down its computer network for several weeks and delay issuing its quarterly results. A group calling itself #GOP, aka "Guardians of Peace," claimed responsibility and said it had obtained internal information. Hackers leaked the personal information - including Social Security numbers - of more than 47,000 celebrities, freelancers, and current and former Sony employees. They also leaked then-unreleased movies, as well as embarrassing emails between Sony Pictures executives, among other internal documents.
The hackers, which the FBI traced to North Korea, were apparently trying to prevent the release of the satirical movie "The Interview," which depicts actors Seth Rogen and James Franco as TV journalists drawn into a CIA plot to assassinate North Korean leader Kim Jong-un.
In a sternly worded letter sent to news organizations in December, Sony Pictures general counsel David Boies referred to the leaked Sony documents as "stolen information" and warned them against any use of the leaked data. Later that month, Boies sent a similar letter to Twitter, warning that if "stolen information continues to be disseminated by Twitter in any manner," Sony "will have no choice but to hold Twitter responsible for any damage or loss arising from such use or dissemination by Twitter."
Despite the negative attention generated by the hack, Sony said in January that it didn't expect the security breach to have a substantial impact on its earnings. While some reports pinned Sony's cost to overcome the hack as high as $100 million, Sony's preliminary fiscal third-quarter financial results in February revealed that the company planned to take a $15 million charge in the current quarter to cover "investigation and remediation costs" related to the breach.
Wednesday, March 25, 2015
Malicious user hides trojan links in cloned Steam Greenlight pages
Malware links briefly appear in fan-voting section despite $100 submission fee.
By Kyle Orland
A malicious user exploited the somewhat open submission structure of Steam's Greenlight section over the weekend to briefly hide malware links in cloned versions of legitimate game pages.
Polygon reports that a Steam user going by the handle bluebunny14 posted copies of pages for five games to the Steam's Greenlight section over the weekend. The cloned pages copied the text, screenshots, and videos of existing Greenlight games, including Melancholy Republic and The Maze, to look exactly like legitimate titles seeking attention in Steam's fan-voting area. But the cloned versions of the pages also included links to purported "beta version" links for the games that instead linked users to what Polygon calls "a known Trojan."
After being posted Sunday, the malicious links were reportedly removed by early Monday, and the cloned game pages themselves reportedly removed by Monday afternoon. "Community members alerted us of the situation over the weekend by flagging the content," said Valve's Doug Lombardi in a statement. "Our Community Moderators responded quickly by removing all malicious links from the fake Greenlight material and then we banned the submissions. We are taking further steps to deal with anyone involved in posting the links. We'd like to thank those who reported the issue in addition to our Community Moderators, and we encourage everyone to report any suspicious activity in the future by using the flag icon located throughout the Steam Community."
Steam Greenlight launched in the summer of 2012 as a clearinghouse allowing the community to vote on game concepts and in-progress projects it would like to see offered for sale on Steam. But the section was quickly flooded with spam submissions for fake and offensive listings, and misleadingly sourced clones of copyrighted and trademarked games.
To "cut down on the noise" of these fraudulent submissions, Valve instituted a one-time, $100 fee for Greenlight developers in September of 2012. "It was obvious after the first weekend that we needed to make some changes to eliminate pranksters while giving folks in the community the ability to focus on 'their kind' of games," Valve UI designer Alden Kroll told Ars at the time. While that fee apparently didn't stop bluebunny14's malicious submissions over the weekend, it will likely slow down the same user from continuing to post more malicious links under different accounts.
Open app marketplaces, like those on many smartphone platforms, are often plagued with fake listings purporting to be popular games and software, sometimes hiding malware behind the legitimate-seeming facade. Since its launch in 2003, though, Steam has cultivated a reputation as a more carefully curated marketplace of the best of the PC gaming marketplace, without risk of viruses or other malware.
Steam's curated image has been diluted somewhat in recent years, though, as the number of games available on the service has skyrocketed, doubling in the last 18 months to encompass over 4,000 distinct titles. Over 3,200 submissions have garnered enough user votes to be officially "greenlit" by Valve in the last two years, and over 570 of those games have been officially released on Steam.
Tuesday, February 17, 2015
NSA hiding Equation spy program on hard drives
By JOSEPH MENN
Equation infection: Kaspersky Labs says the highest number of machines infected with Equation programs were in Iran, Russia and Pakistan.
The US National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyber-espionage operations.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.
Kaspersky Labs - The areas of government Equation has been able to infect by nation.
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.
A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
NSA spokeswoman Vanee Vines declined to comment.
Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.
The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of US technology products abroad.
The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.
TECHNOLOGICAL BREAKTHROUGH
According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.
Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.
"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.
Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.
Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital, Seagate, Toshiba, IBM, Micron Technology and Samsung.
Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.
GETTING THE SOURCE CODE
Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a road map to vulnerabilities, allowing those who study it to launch attacks much more easily.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.
Concerns about access to source code flared after a series of high-profile cyber attacks on Google Inc and other US companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big US tech and defense companies.
It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.
Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."
According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive US agency, the government can request a security audit to make sure the source code is safe.
"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."
Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.
The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.
Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.
- Reuters