Monthly Archives: October 2016

How did one contractor steal 50TB of NSA data? Easily, say former spies

The massive theft of secret NSA data, thought to be the largest breach of classified data in US history, happened over two decades.

NSA whistleblower Edward Snowden might be the most well known leaker of secret government files. But it’s contractor Harold Martin who may have carried out the biggest theft of classified information in US history.

Martin, 51, was arrested during an FBI raid on his home in late August. He was accused of stealing dozens of computers and thousands of documents, according to his recently unsealed indictment. The contractor siphoned off more than 50 terabytes of data — or 50,000 gigabytes — from government computers over two decades. What was initially a misdemeanor was quickly raised to espionage — in part because of the vast amount of data he allegedly stole.

He faces 10 years in prison on each guilty charge.

It’s not known how the authorities caught Martin. But what’s an even bigger question is how he stole so much data — and stayed undetected — for so long.

Former employees at the NSA, who spoke on the condition of anonymity, said that Martin likely stole the files by simply walking out of the front door.

“The security folks there conduct random bag and purse checks on people leaving, but nobody does pocket checks,” said one former employee, who spent almost 30 years at the agency in various jobs, before leaving late in the last decade.

“Anything that could fit in a pocket could go out undetected,” the employee said.

A second employee, who left the agency at around the same time, agreed.

“Practically, it wouldn’t scale to scan all of your employees,” said the employee. “Think TSA at Ft. Meade,” the employee said, hinting at how bad the system would be. About 30,000 employees work at NSA headquarters in Ft. Meade, Maryland, ensuring that it would take hours to screen every person leaving the building.

The second employee also noted that the vast majority of employees go through extensive vetting, so there’s an inherent amount of faith in staff at the agency. James Clapper, the director of national intelligence, said in 2014 that there were no “mousetraps” to catch another leaker in the wake of the Snowden affair, because the agency’s security is “based on personal trust.”

The indictment didn’t say exactly how Martin stole the data from NSA computers and servers, because how those systems work is a closely guarded national security secret.

When asked, the former employees gave their insights.

“Based on what he took, it would seem that [Martin] would’ve had to use USB drives,” said the first employee. The size of USB storage has exponentially increased over the past two decades, according to market data, ensuring that Martin’s alleged theft would have been a painstakingly slow process.

The second employee said it wouldn’t be difficult to steal data — noting that the NSA has “some of the best hackers on earth.”

Almost anyone looking at this case has drawn parallels with the Snowden case because it’s also not known how he smuggled out the trove of data from NSA systems. But according to one report, multiple intelligence community sources said all Snowden needed was “a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system.” One source was quoted as saying that the NSA in 2013 was “stuck in 2003 technology.”

“I’m pretty sure they could find a way to do it [remove files] without detection,” the employee said, without going into details, adding that the systems would likely not stop “a serious or mildly skilled insider.”

An NSA spokesperson could not be reached on Friday.

In his indictment, Martin is said to have boasted in a letter found by the FBI about how he has “seen pretty much all [the NSA’s] tech secrets [with regard to] compusec.” He added, hinting that the NSA’s systems were not as secure as generally thought: “You are missing most of the basics in security practice, thinking you are the best. It’s the bread and butter stuff that will trip you up. Trust me on this one.”

Still, little is known about Martin. According to his LinkedIn page, he spent many years as a contractor and consultant, and worked as an engineering advisor for the Dept. of Defense.

It’s also not known exactly what Martin took, given the majority of the data is classified, according to the indictment, or if he leaked any of the files to anyone else. It’s no surprise that prosecutors want to keep Martin behind bars.

A hearing is expected later Friday in Baltimore on whether Martin will remain in prison or not.


ProtonMail strikes out at Google for crippling encrypted email service searches

Google removed ProtonMail from search results and as a consequence, the company almost went under.

(Image: ProtonMail)

ProtonMail has accused Google of hiding the company from search results in what may have been an attempt to suffocate the Gmail competitor.

The free encrypted email service, which caters to nearly one million users worldwide, has enjoyed an increasing user base and popularity over the past few years as governments worldwide seek to increase their surveillance powers.

However, the growth of the company was severely impacted when, without warning, ProtonMail vanished from Google search results — for 10 months.

In August, ProtonMail sent a number of vague tweets to Google, accusing the company of “intentionally hiding ProtonMail from search results,” and even if unranking was unintentional, ProtonMail said it had proof that there was a “major bug” and “all previous contact attempts have been ignored.”

(Image: Screenshot via Twitter)

According to the secure emails provider, Google hid ProtonMail from search results for queries including “secure email” and “encrypted email” — a change which the company deemed “highly suspicious.”

Between the beginning of summer and the fall of 2015, ProtonMail released ProtonMail 2.0, went open-source, launched mobile apps in beta, and changed domains from .ch to .com, which is more likely to appear in search results.

Together with a boost in users which pushed ProtonMail from half a million to the best part of one million users, this should have improved the company’s search results.

However, by November, ProtonMail realized something was wrong. After consulting SEO experts, the firm found that there was an anomaly which was limited to Google searches and did not affect other services, such as Yahoo! or Bing.

With all other major search engines, ProtonMail’s rankings sent them to page one or two for the terms “secure email” or “encrypted email,” but when it came to Google, there was nothing.

(Image: screenshot)

In the early part of 2016, ProtonMail tried in vain to get in touch with Google, going so far as to contact Google’s president of EMEA Strategic Relationships.

Around the same time, in April, European regulators were taking Google to task for allegedly reducing the ranks of competing companies. As ProtonMail is an email rival, this news was concerning.

It was August by the time communication channels opened, prompted once ProtonMail users and the company itself took to Twitter to complain. Google eventually responded — saying little more than the company had “fixed something.”

(Image: screenshot)

As shown in the image above, once Google issued a “fix,” ProtonMail’s search ranking immediately recovered. Now, the company is ranked at number one and number three for the search terms at the heart of the situation. ProtonMail said:

“Without any additional explanation from Google, we may never know why ProtonMail became unranked. In any case, we do appreciate Google finally taking action to resolve the issue, we just wished it happened sooner.”

ProtonMail says the battle highlights what it calls “Search Risk” — the reliance of companies on search engines which, if a relationship turns sour, can result in suppression or even force the closure of a business.

The company says that due to Google’s alleged meddling, growth rates worldwide were reduced by at least 25 percent over the course of 10 months, which in turn sliced income from users by a quarter.

ProtonMail claims that this put financial pressure on the email provider and, instead of being able to manage monthly expenses comfortably, the company was forced to turn to emergency funds just to stay afloat.

In total, ProtonMail believes that the removal from Google’s rankings resulted in losses reaching several hundred thousand dollars, which ProtonMail will never recover.

“The more we get the word out about the importance of online privacy, the more we make it impossible to suppress, ban, or otherwise pressure encrypted email services such as ProtonMail,” the company says. “We believe online privacy is critical for an open, democratic, and free future, and regardless of the obstacles ahead of us, we will continue building the tools necessary to protect this future.”

Remove Bitmessage Ransomware Permanently

Research on Bitmessage Ransomware

If your Microsoft Office files, images, videos, audio files, emails and databases have been given an .1999, .bleep, or .ccc extension, it indicates that your computer has been infected with file-encrypting ransomware such as TeslaCrypt, RSA-2048 or Bitmessage, a destructive virus made by hackers to extort money online. Like other common ransomware, Bitmessage mainly sneaks into your system through spam email attachments. Such suspicious emails are disguised as normal emails sent by your friends, family or well-known companies, and they usually contain a document, photo or video file that you are asked to download. As soon as you download and open the attachment, Bitmessage ruins your files within a second. Most of your files are renamed with strange names ending in .1999, .vvv, or .ccc, and you will see an unknown TXT file in the infected folders or a pop-up image on your screen showing a warning message that asks you to pay a ransom to buy the decryption key.


Bitmessage is definitely an evil tool used by hackers to make money illegally. After it locks your files, it charges a lot of money to recover them. Some people think that they can call the police or the FBI to catch the hackers and get their files back, but unfortunately no one has been able to track these top hackers so far, because they contact victims through encrypted tunnels under fake names, and the accounts they use to receive the money are Bitcoin accounts, so they can rob you without being punished.

Most victims may choose to give in and pay the ransom in exchange for their precious files, but are you sure that the cyber criminals who created the Bitmessage virus will recover your files after you pay? Our research team found that there is no guarantee on such a payment; many victims paid a lot of money and still lost all their files. Therefore, we suggest not paying money to these hackers. It is a huge risk, not only to your money but to your private information such as your banking accounts. Your credit cards and banking accounts may even be hacked by Bitmessage if you pay the ransom.

In such a situation, the right things to do are: 1. Remove all malicious files and code belonging to Bitmessage and related threats from your system completely; 2. Restore your files from your backup (if available), or use legitimate third-party data recovery software to recover them. If you are a victim of the Bitmessage ransomware, follow the guide below to clean your computer now and try your luck with data recovery tools to save your files. We hope this tutorial will be helpful to you.

Bitmessage Removal Tutorial

First Method – Manually Remove Bitmessage (For Users with Expert Skills)

Second Method – Automatically Remove Bitmessage Quickly and Safely (Easy For All Computer Users)


First Method – Bitmessage Manual Removal

Step 1 – End Bitmessage process in Task Manager.

1. Press “Ctrl + Shift + Esc” to open Windows Task Manager.
2. Click Processes, find the Bitmessage process or other suspicious processes, and select End process.

Step 2 – Uninstall Bitmessage and suspicious programs from Control Panel.

Windows 10: Click Start Menu >> Click All Apps >> Find Bitmessage and other unwanted programs, then right-click on it and select Uninstall:

Windows 8
  • Move the mouse to the lower-left corner of the screen and click the Start button;
  • Type “control panel” in the search box and then click Control Panel.
  • Find Bitmessage and unwanted programs >> click Uninstall

Win 7 / Vista / XP
  • Click the Start button >> click Control Panel in the Start Menu
  • Click Uninstall a program to open Programs and Features
  • Find Bitmessage and unwanted programs >> click Uninstall


Step 3 – Remove Bitmessage-related registry entries in the Registry Editor.

  • Press Win + R keys together to open the Run window
  • Type “regedit” and click OK
  • Find all registry entries related to Bitmessage:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Default_Page_URL”
HKEY_LOCAL_MACHINE\Software\Classes\[adware name]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\random
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = '0'
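Before touching Task Manager, Control Panel or the registry, it helps to know what the infection actually did on the machine. The script below is an added example, not part of the original guide or of any removal tool it recommends: it is a read-only PowerShell triage that inventories files renamed to the extensions the guide names (.1999, .vvv, .ccc, .bleep), lists the TXT files sitting next to them (the usual location of the ransom note), and dumps the Run/RunOnce autostart entries so the command lines can be reviewed against the registry locations in Step 3. It changes nothing; `$ScanRoot`, `$ReportPath` and the extension list are assumptions to adjust for your own machine.

```powershell
# Added example (not from the original guide): read-only ransomware triage.
# Nothing is deleted or modified; the script only reads files and registry
# values and writes a text report for review before any cleanup.
# Assumptions: the extensions below are the ones the guide associates with
# this family; $ScanRoot and $ReportPath are placeholders to adjust.

param(
    [string]$ScanRoot   = "$env:USERPROFILE",
    [string]$ReportPath = "$env:USERPROFILE\Desktop\ransomware-triage.txt"
)

# Extensions named in the guide (constructed list; extend as needed).
$RansomExtensions = @('.1999', '.vvv', '.ccc', '.bleep')

# Autostart locations commodity malware commonly uses to survive a reboot.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-EncryptedFiles {
    param([string]$Root, [string[]]$Extensions)
    # -Force includes hidden files; access-denied errors are skipped so the scan completes.
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() }
}

function Get-RansomNotes {
    param([System.IO.FileInfo[]]$EncryptedFiles)
    # A .txt file dropped into a folder of encrypted files is usually the ransom note.
    $EncryptedFiles |
        Select-Object -ExpandProperty DirectoryName -Unique |
        ForEach-Object {
            Get-ChildItem -Path $_ -Filter '*.txt' -File -ErrorAction SilentlyContinue
        }
}

function Get-AutorunEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $regKey.GetValue($name) }
        }
    }
}

$encrypted = @(Get-EncryptedFiles -Root $ScanRoot -Extensions $RansomExtensions)
$notes     = @(Get-RansomNotes -EncryptedFiles $encrypted)
$autoruns  = @(Get-AutorunEntries -Keys $AutorunKeys)

$report  = @()
$report += "Ransomware triage report - $(Get-Date -Format s)"
$report += "Scan root: $ScanRoot"
$report += ""
$report += "Encrypted files found: $($encrypted.Count)"
$report += @($encrypted | Group-Object Extension | ForEach-Object { "  $($_.Name): $($_.Count)" })
$report += ""
$report += "Candidate ransom notes: $($notes.Count)"
$report += @($notes | ForEach-Object { "  $($_.FullName)" })
$report += ""
$report += "Autorun entries (review each command; paths under Temp or AppData deserve a closer look):"
$report += @($autoruns | ForEach-Object { "  [$($_.Key)] $($_.Name) = $($_.Command)" })

$report | Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt so the HKLM keys are readable; the report on the desktop then tells you how many files were renamed, where the notes are, and which autostart commands to compare against the entries listed in Step 3 before deciding what to remove. The counts also give you a concrete list to check against your backups in the recovery step.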


(Note – This guide is only provided as a reference to help you get rid of the Bitmessage ransomware, keep your PC healthy and prevent new files from being infected. We cannot promise that the recommended tools can recover every user’s files that have been encrypted by the most dangerous ransomware such as Bitmessage. We wish you good luck!)

———————————————————————————
Tips on Preventing Viruses and Malware Such as Bitmessage
If you want to keep your PC safe from all kinds of viruses and malware active online, always follow these rules while using your PC:
1. Always choose Custom Installation while installing freeware so that you can deselect unwanted options or cancel unauthorized changes;
2. Always scan email attachments before you open them; never open any attachment or click links in emails if you do not know whether they are safe;
3. Do not visit porn websites, because most of them are embedded with malicious code from cyber criminals;
4. Always scan torrent files and other files downloaded from third-party websites before you open them;
5. Never update any of your software from a third-party website; make sure the software update alert appearing on your screen is from the official website;

6. Do not click ads (e.g. “Ads by ”, “Ads brought by ”, “Ads powered by ”, etc.) which do not belong to the websites you visit.

India experiences catastrophic cyberattack, 3.2 million debit card account details stolen

(Image: Wikimedia Commons)

India is dealing with one of the worst data breaches ever to hit the country with as many as 3.2 million debit card details stolen from multiple banks and financial platforms.

On Thursday, the Economic Times reported that malware was used to compromise the Hitachi Payment Services platform, used to power India’s ATM, point-of-sale (PoS) systems and other financial transactions.

This infection then affected the State Bank of India (SBI), ICICI, Yes, Axis and HDFC, which are said to be the hardest hit. The Visa and Mastercard networks are also allegedly affected by the data breach — which took roughly six weeks to detect.

Little is known beyond feedback from several victims who claim that their cards are being used fraudulently in China.

According to people familiar with the matter, SBI has blocked and will reissue 600,000 debit cards.

SBI chief information officer Mrutyunjay Mahapatra told the publication:

“Based on the complaints we have received, we are suspecting a compromise on the non-SBI ATM network which could include various white-label ATM service providers.”

Financial security specialist SISA is investigating the case alongside the banks affected. In the meantime, customers have been asked to change their PIN numbers as a precautionary measure.

Yahoo, ACLU press US feds to disclose email snooping orders, surveillance laws

(Image: Yahoo)

Yahoo has asked the US Director of National Intelligence James Clapper to declassify a surveillance demand the company received which resulted in a special program being set up to monitor customer emails for certain keywords.

The program, which operated in early 2015, forced Yahoo to build a tool which automatically scanned Yahoo Mail user messages for key words and phrases — a general order from either the NSA or FBI, rather than a targeted spying mission on particular users.

According to Reuters sources, Yahoo ran the software secretly before the firm’s engineers and security teams discovered the tool. Believing that the software was the work of external cyberattackers, they took the software down.

This secret data collection and Yahoo CEO Marissa Mayer’s decision not to appeal the order have thrown the company into a quagmire of criticism, of which Yahoo is unable to respond “in detail” due to the order, according to a letter sent by Yahoo general counsel Ron Bell to Clapper, which has now been posted online.

The letter (.PDF), revealed on Wednesday, asks Clapper to release the Yahoo order from classified status. The request reads:

“We urge your office to consider the following actions to provide clarity on the matter; (i) to confirm if such an order, as described in these media reports, was issued; (ii) declassify in whole or in part such order, if it exists; and (iii) make a sufficiently detailed public and contextual comment to clarify the alleged facts and circumstances.”

Yahoo previously called Reuters’ report “misleading” and denied the email scanning tool was present on the company’s systems, but declined to comment further. If Clapper agrees to Yahoo’s request, however, the tech giant will be at greater liberty to explain itself.

The letter comes as Yahoo deals with the aftermath of revelations concerning a security breach which took place in 2014, leading to the theft of at least 500 million user accounts.


Separately, the American Civil Liberties Union (ACLU) has filed a motion (.PDF) in the US Foreign Intelligence Surveillance Court asking judges not only to release Yahoo’s spying order, but over 20 additional rulings made over the last 10 years.

These rulings, based on the court’s opinion, affect everything from how the US government uses malware, bulk data collection, and the constant battle between technology firms and law enforcement when it comes to encryption standards and how far vendors must go to assist the police in accessing mobile devices. As these court opinions are secret, there is no right of appeal and they are kept out of the public arena — despite their far-reaching implications.

In a post-Snowden era, it seems that tolerance for such practices and a lack of transparency is wearing thin.

Malwarebytes snaps up PC scrubber AdwCleaner


Malwarebytes has acquired AdwCleaner in a deal designed to improve the capabilities of the firm’s Malwarebytes Anti-Malware product.

The cybersecurity firm revealed the purchase on Wednesday. In a blog post, Malwarebytes said snapping up AdwCleaner is part of the company’s mission to become “more aggressive” in the hunt for Potentially Unwanted Programs (PUPs) which are often a nuisance and can be frustrating for consumers.

PUPs, often bundled into legitimate downloads, include bloatware which siphons off PC resources, adware which forces users to deal with continual adverts and pop-ups, and crapware which could install further programs you do not want, such as shopping applications or games.

These unwanted programs can also be a security risk as they may act beyond their original scope to perform functions such as browser injections, data collection, and installing root certificates without consent.

Financial terms of the deal were not disclosed.

Founded in 2011 by three French students, AdwCleaner has been downloaded over 20 million times and averages at 200,000 downloads per day worldwide. AdwCleaner is free software which scans PC systems to remove PUPs, adware, browser hijackers, and other nuisance software.

In the short-term, Malwarebytes says AdwCleaner will be given a “facelift” and the company will work to enhance its detection and analysis abilities. While AdwCleaner will remain free as a standalone product, in the long-term, the company wishes to learn from the software “and integrate the technology into our flagship product,” Malwarebytes Anti-Malware.

Two AdwCleaner founders, Jerome Boursier and Corentin Chepeau, will join Malwarebytes in engineering and research roles.

“While dangerous malware is still on the rise, there is a growing trend for programs that operate in a legally gray area to achieve questionable ends,” said Marcin Kleczynski, CEO of Malwarebytes. “We have seen some PUPs that are blatantly illegal; most are simply unethical and abusing privilege, which is why we are taking such an overt stance against them. The acquisition will help further this cause.”

In October, Akamai Technologies acquired Soha, a specialist in cloud and endpoint security for the enterprise.

Feds catch hacker allegedly responsible for LinkedIn hack

(Image: file photo)

The hacker allegedly responsible for the 2012 hack on LinkedIn has been arrested in the Czech Republic.

The Russian man, 29, whose name was not released, is wanted by the FBI to face charges in connection with hacking targets in the US. A police statement said he was arrested in the country’s capital, Prague, after Interpol issued a red notice earlier this month for the suspect’s arrest.

LinkedIn said in a statement, via Reuters, that the business social network has been “actively involved with the FBI’s case to pursue those responsible” for the attack, which led to the theft of over 100 million accounts.

“We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity,” the company said.

The suspect is not said to be connected to recent politically motivated cyberattacks in the US.

A court will now determine if the suspect will be extradited to the US. Russia is said to be fighting the attempt.

The attack on LinkedIn resurfaced this year after four years of lying dormant, after the number of accounts stolen in the breach rocketed from over six million to over 117 million accounts.

A seller, known as Peace, was the source of the leak. The seller also made a name for himself for selling accounts associated with dating sites Fling and Badoo, and Russian social networking giant VK.com.


He later claimed to have as many as 1.1 billion accounts associated with Yahoo. Months later, the company announced it was hit by “state sponsored” actors, which led to the theft of over 500 million accounts.

Peace, who would only speak over encrypted chat, couldn’t be reached on Wednesday.

VeraCrypt audit reveals attacker treasure trove of critical flaws

(Image: Anatoliy Babiy | Malwarebytes)

An audit of VeraCrypt has uncovered critical vulnerabilities which could be exploited by attackers to compromise user data.

VeraCrypt is open-source security software. The successor to TrueCrypt, the encryption software is used worldwide to encrypt single files, folders or full disks and builds on the original project with security enhancements and new, modern features.

However, no software is completely safe from attack, and according to the software’s recent audit, conducted by cybersecurity firm QuarksLab and sponsored through the Open Source Technology Improvement Fund (OSTIF), VeraCrypt 1.8 and its bootloaders contained a total of eight critical vulnerabilities, three medium flaws and 15 additional bugs of low importance.

The security problems discovered by the audit include memory corruption issues, dead code, inconsistent data reads, unsecured zip libraries and encryption cipher bugs.

One of the main problems that TrueCrypt has in relation to security is the new Unified Extensible Firmware Interface (UEFI) now in use. TrueCrypt, as legacy software, never supported this and so the new UEFI-compatible bootloader not only has to cope with bugs caused by this but security flaws which are present due to the feature being new — having only been released in August.

The majority of these problems have been fixed in VeraCrypt 1.19 and users are asked to update as soon as possible. However, they are not completely protected from the security issues raised through the audit.

On Twitter, security firm Idrix, which worked on the VeraCrypt audit, clarified that the latest update resolves all issues relating to the software itself and also solves one security flaw inherited from TrueCrypt.

The remaining problems present have all come from the days of TrueCrypt, and fixing them at the moment could cause issues with backward compatibility.

The VeraCrypt team have also disabled the GOST 28147-89 encryption standard as it is deemed unsafe. While existing content based on this standard can still be decrypted, users cannot use this algorithm for future encryption projects.

“Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt,” the researchers added. “VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software.”

What happened to Yahoo’s traffic after it revealed it was hit by hackers?

(Image: file photo)

It’s been almost a month since Yahoo announced that it was hit by “nation state” attackers, leading to the theft of over 500 million user accounts.

As reported in its third-quarter earnings on Tuesday, the company said that in the immediate aftermath of the attack, more people visited Yahoo’s sites than in the four weeks prior.

A graph in the earnings slides shows that page views to Yahoo properties went up marginally in the week after the breach announcement on September 22, before leveling off slightly, but still higher than the previous period.

(Image: Yahoo)

Exactly why remains a bit of a mystery.

In a press release, Yahoo chief executive Marissa Mayer didn’t say specifically why engagement is up, only that the company is “working hard to retain their trust and are heartened by their continued loyalty as seen in our user engagement trends.”

A Yahoo spokesperson would not comment on the record.

Reading between the lines in the meantime, there are a couple of reasons to draw from the small spike in user engagement.

Yahoo is more prevalent in our lives today than you might think. It may not be as hip as Gmail, but hundreds of millions of customers still use their legacy email accounts. (Also, don’t forget that it’s fantasy football season, and Yahoo has a major stake in the space. Ask any media company and they’ll tell you that sports drives traffic probably more so than news.)


The other factor is inertia. Do you really see a mass exodus from a service when it announces a hack? More often than not, the clean-up after a hack is a mitigation exercise. Given the impending deal that will see Yahoo sold off to Verizon for $4.8 billion, the web giant will bend over backwards to appease its customers. Mayer probably isn’t far wrong: it’s not so much loyalty as it is apathy towards yet another data breach.

Of course, it almost goes without saying that the other and entirely opposite explanation is that people logged on to try to delete their accounts.

Yahoo’s profits topped Wall Street’s expectations, with shares rising slightly in after hours trading.

Trump Organization is using horribly insecure email servers

(Image: CBS News/File photo)

If you thought Former Secretary of State Hillary Clinton’s private email server was a mess, Donald Trump’s company is running email servers that look like a dumpster fire by comparison.

Security researcher Kevin Beaumont said in a tweet on Monday that the Trump Organization, the parent company of the alleged billionaire’s portfolio of realty, steaks, golf, and hotels, is running a set of email servers that are horribly outdated and long past the end-of-life, meaning they haven’t received security patches in over a year.

Beaumont said he found that the company’s email system is running the decade-old Windows Server 2003 and Internet Information Services 6, neither of which has been supported in over a year.

Both pieces of software are so old that Microsoft no longer patches even known security vulnerabilities; instead, users should upgrade. Patches remain one of the best ways to prevent hackers from exploiting security flaws.

A spokesperson for Trump, now the Republican presidential candidate, could not be reached on Tuesday.

Beaumont, a British citizen who can’t vote in the upcoming US election, was summarily hounded by Trump supporters on Twitter, who among other things accused him of hacking. (The data he gathered is publicly accessible; many web browsers, including Chrome, allow users to check what software is running on a web server.)

Among the tweets of abuse he received, one pro-Trump user claimed to have reported Beaumont to the FBI.

In his own set of tweets, Michael Morisy, founder of investigative outlet MuckRock, said that the unsubstantiated accusation that Beaumont in any way did anything illegal “misses some fundamentals of modern security”.

“If your posture is that bad, you’re already pwned,” he said. “There’s good reasons that infosec talks openly about security holes, and framing frank discussion as malicious hurts security in the long run,” he added.

Disclosing improves the chances of fixing the issues, said Morisy.